./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1902307351 <...> [ 29.597192][ T3177] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.608282][ T3177] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller syzkaller login: [ 40.416189][ T27] kauditd_printk_skb: 37 callbacks suppressed [ 40.416200][ T27] audit: type=1400 audit(1653035457.012:73): avc: denied { transition } for pid=3392 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 40.450129][ T27] audit: type=1400 audit(1653035457.042:74): avc: denied { write } for pid=3392 comm="sh" path="pipe:[27312]" dev="pipefs" ino=27312 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.0.189' (ECDSA) to the list of known hosts. execve("./syz-executor1902307351", ["./syz-executor1902307351"], 0x7ffc21c43b00 /* 10 vars */) = 0 brk(NULL) = 0x5555562e3000 brk(0x5555562e3d40) = 0x5555562e3d40 arch_prctl(ARCH_SET_FS, 0x5555562e3400) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555562e36d0) = 3605 set_robust_list(0x5555562e36e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7ff74834ce90, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7ff74834c3e0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7ff74834cf30, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff74834c3e0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1902307351", 4096) = 28 brk(0x555556304d40) = 0x555556304d40 brk(0x555556305000) = 0x555556305000 mprotect(0x7ff74840e000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 chmod("/dev/raw-gadget", 0666) = 0 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7ff7483475b0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ff74834c3e0}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7ff7483475b0, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7ff74834c3e0}, NULL, 8) = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555562e36d0) = 3606 ./strace-static-x86_64: Process 3606 attached [pid 3606] set_robust_list(0x5555562e36e0, 24) = 0 [pid 3606] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 3606] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 3606] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 3606] dup2(4, 202) = 202 [pid 3606] close(4) = 0 [ 51.368846][ T27] audit: type=1400 audit(1653035467.962:75): avc: denied { execmem } for pid=3605 comm="syz-executor190" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 51.388902][ T27] audit: type=1400 audit(1653035467.982:76): avc: denied { setattr } for pid=3605 comm="syz-executor190" name="raw-gadget" dev="devtmpfs" ino=730 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 51.412693][ T27] audit: type=1400 audit(1653035467.992:77): avc: denied { mounton } for pid=3606 comm="syz-executor190" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1 [ 51.436790][ T27] audit: type=1400 audit(1653035467.992:78): avc: denied { mount } for pid=3606 comm="syz-executor190" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 51.459507][ T27] audit: type=1400 audit(1653035467.992:79): avc: denied { create } for pid=3606 comm="syz-executor190" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 51.479895][ T27] audit: type=1400 audit(1653035467.992:80): avc: denied { read write } for pid=3606 comm="syz-executor190" name="vhci" dev="devtmpfs" ino=1072 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 51.503812][ T27] audit: type=1400 audit(1653035467.992:81): avc: denied { open } for pid=3606 comm="syz-executor190" path="/dev/vhci" dev="devtmpfs" ino=1072 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [pid 3606] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 3606] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ff747b3c000 [pid 3606] mprotect(0x7ff747b3d000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 3606] clone(child_stack=0x7ff74833c2f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2], tls=0x7ff74833c700, child_tidptr=0x7ff74833c9d0) = 2 [pid 3606] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 3609 attached [pid 3609] set_robust_list(0x7ff74833c9e0, 24) = 0 [pid 3609] read(202, "\x01\x03\x0c\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, "\x01\x03\x10\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 3609] read(202, "\x01\x05\x10\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 3609] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [ 52.417258][ T27] audit: type=1400 audit(1653035469.012:82): avc: denied { ioctl } for pid=3606 comm="syz-executor190" path="socket:[27432]" dev="sockfs" ino=27432 ioctlcmd=0x48c9 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 52.427960][ T3610] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 52.451460][ T3610] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 52.459590][ T3610] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [pid 3609] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, "\x01\x25\x0c\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, "\x01\x38\x0c\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 3609] read(202, [pid 3606] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 3606] ioctl(3, HCISETSCAN [pid 3609] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 3609] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4 [pid 3606] <... ioctl resumed>, 0x7ffcf4f58394) = 0 [pid 3606] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3) = 13 [pid 3606] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14 [pid 3606] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14 [pid 3606] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 3606] futex(0x7ff74833c9d0, FUTEX_WAIT, 2, NULL [pid 3609] <... writev resumed>) = 7 [pid 3609] madvise(0x7ff747b3c000, 8372224, MADV_DONTNEED) = 0 [pid 3609] exit(0) = ? [pid 3609] +++ exited with 0 +++ [pid 3606] <... futex resumed>) = 0 [pid 3606] close(3) = 0 [pid 3606] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3606] setsid() = 1 [pid 3606] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 3606] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 3606] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 3606] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 3606] prlimit64(0, RLIMIT_CORE, {rlim_cur=0, rlim_max=0}, NULL) = 0 [pid 3606] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 3606] unshare(CLONE_NEWNS) = 0 [ 52.469281][ T3610] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 52.478007][ T3610] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 52.485812][ T3610] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [pid 3606] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 3606] unshare(CLONE_NEWIPC) = 0 [pid 3606] unshare(CLONE_NEWCGROUP) = 0 [pid 3606] unshare(CLONE_NEWUTS) = 0 [pid 3606] unshare(CLONE_SYSVSEM) = 0 [pid 3606] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3606] write(3, "16777216", 8) = 8 [pid 3606] close(3) = 0 [pid 3606] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 3606] write(3, "536870912", 9) = 9 [pid 3606] close(3) = 0 [pid 3606] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3606] write(3, "1024", 4) = 4 [pid 3606] close(3) = 0 [pid 3606] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 3606] write(3, "8192", 4) = 4 [pid 3606] close(3) = 0 [pid 3606] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 3606] write(3, "1024", 4) = 4 [pid 3606] close(3) = 0 [pid 3606] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 3606] write(3, "1024", 4) = 4 [pid 3606] close(3) = 0 [pid 3606] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 3606] write(3, "1024 1048576 500 1024", 21) = 21 [pid 3606] close(3) = 0 [pid 3606] getpid() = 1 [pid 3606] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<lock){-.-.}-{2:2}, at: pty_write+0xea/0x1e0 [ 52.617846][ T3606] [ 52.617846][ T3606] which lock already depends on the new lock. [ 52.617846][ T3606] [ 52.617850][ T3606] [ 52.617850][ T3606] the existing dependency chain (in reverse order) is: [ 52.617855][ T3606] [ 52.617855][ T3606] -> #2 (&port->lock){-.-.}-{2:2}: [ 52.617878][ T3606] _raw_spin_lock_irqsave+0x39/0x50 [ 52.617907][ T3606] tty_port_tty_get+0x1f/0x100 [ 52.617925][ T3606] tty_port_default_wakeup+0x11/0x40 [ 52.617942][ T3606] serial8250_tx_chars+0x4f3/0xa50 [ 52.617973][ T3606] serial8250_handle_irq.part.0+0x328/0x3d0 [ 52.617996][ T3606] serial8250_default_handle_irq+0xb2/0x220 [ 52.618018][ T3606] serial8250_interrupt+0xfd/0x200 [ 52.618035][ T3606] __handle_irq_event_percpu+0x22b/0x880 [ 52.618054][ T3606] handle_irq_event+0xa7/0x1e0 [ 52.618070][ T3606] handle_edge_irq+0x25f/0xd00 [ 52.618091][ T3606] __common_interrupt+0x9d/0x210 [ 52.618109][ T3606] common_interrupt+0xa4/0xc0 [ 52.618127][ T3606] asm_common_interrupt+0x1e/0x40 [ 52.618150][ T3606] acpi_idle_do_entry+0x1c6/0x250 [ 52.618170][ T3606] acpi_idle_enter+0x361/0x500 [ 52.618199][ T3606] cpuidle_enter_state+0x1b1/0xc80 [ 52.618217][ T3606] cpuidle_enter+0x4a/0xa0 [ 52.618234][ T3606] do_idle+0x3e8/0x590 [ 52.618249][ T3606] cpu_startup_entry+0x14/0x20 [ 52.618266][ T3606] rest_init+0x169/0x270 [ 52.618286][ T3606] arch_call_rest_init+0xf/0x14 [ 52.618303][ T3606] start_kernel+0x47f/0x4a0 [ 52.618317][ T3606] secondary_startup_64_no_verify+0xc3/0xcb [ 52.618339][ T3606] [ 52.618339][ T3606] -> #1 (&port_lock_key){-.-.}-{2:2}: [ 52.618361][ T3606] _raw_spin_lock_irqsave+0x39/0x50 [ 52.618382][ T3606] serial8250_console_write+0x9cb/0xc30 [ 52.618402][ T3606] console_unlock+0x9bc/0xdd0 [ 52.618421][ T3606] vprintk_emit+0x1b4/0x5f0 [ 52.618441][ T3606] vprintk+0x80/0x90 [ 52.618460][ T3606] _printk+0xba/0xed [ 52.618481][ T3606] register_console+0x410/0x7c0 [ 52.618503][ T3606] univ8250_console_init+0x3a/0x46 [ 52.618526][ T3606] console_init+0x3c1/0x58d [ 52.618549][ T3606] start_kernel+0x30b/0x4a0 [ 52.618566][ T3606] secondary_startup_64_no_verify+0xc3/0xcb [ 52.618589][ T3606] [ 52.618589][ T3606] -> #0 (console_owner){....}-{0:0}: [ 52.618613][ T3606] __lock_acquire+0x2ac6/0x56c0 [ 52.618636][ T3606] lock_acquire+0x1ab/0x510 [ 52.618656][ T3606] vprintk_emit+0x353/0x5f0 [ 52.618676][ T3606] vprintk+0x80/0x90 [ 52.618697][ T3606] _printk+0xba/0xed [ 52.618715][ T3606] should_fail+0x472/0x5a0 [ 52.618739][ T3606] should_failslab+0x5/0x10 [ 52.618764][ T3606] __kmalloc+0x7b/0x4d0 [ 52.618787][ T3606] tty_buffer_alloc+0x23f/0x2a0 [ 52.618812][ T3606] __tty_buffer_request_room+0x156/0x2a0 [ 52.618839][ T3606] tty_insert_flip_string_fixed_flag+0x8c/0x240 [ 52.618867][ T3606] pty_write+0x11c/0x1e0 [ 52.618886][ T3606] n_tty_write+0xa7a/0xfc0 [ 52.618908][ T3606] file_tty_write.constprop.0+0x520/0x900 [ 52.618931][ T3606] new_sync_write+0x38a/0x560 [ 52.618953][ T3606] vfs_write+0x7c0/0xac0 [ 52.618975][ T3606] ksys_write+0x127/0x250 [ 52.618997][ T3606] do_syscall_64+0x35/0xb0 [ 52.619014][ T3606] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 52.619039][ T3606] [ 52.619039][ T3606] other info that might help us debug this: [ 52.619039][ T3606] [ 52.619043][ T3606] Chain exists of: [ 52.619043][ T3606] console_owner --> &port_lock_key --> &port->lock [ 52.619043][ T3606] [ 52.619070][ T3606] Possible unsafe locking scenario: [ 52.619070][ T3606] [ 52.619074][ T3606] CPU0 CPU1 [ 52.619078][ T3606] ---- ---- [ 52.619082][ T3606] lock(&port->lock); [ 52.619091][ T3606] lock(&port_lock_key); [ 52.619102][ T3606] lock(&port->lock); [ 52.619112][ T3606] lock(console_owner); [ 52.619122][ T3606] [ 52.619122][ T3606] *** DEADLOCK *** [ 52.619122][ T3606] [ 52.619125][ T3606] 5 locks held by syz-executor190/3606: [ 52.619137][ T3606] #0: ffff88801fd9c098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x22/0x80 [ 52.619190][ T3606] #1: ffff88801fd9c130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: file_tty_write.constprop.0+0x299/0x900 [ 52.619229][ T3606] #2: ffff88801fd9c2e8 (&tty->termios_rwsem){++++}-{3:3}, at: n_tty_write+0x1bf/0xfc0 [ 52.619258][ T3606] #3: ffffc900013ec378 (&ldata->output_lock){+.+.}-{3:3}, at: n_tty_write+0xa47/0xfc0 [ 52.619286][ T3606] #4: ffff88801fd9d958 (&port->lock){-.-.}-{2:2}, at: pty_write+0xea/0x1e0 [ 52.619313][ T3606] [ 52.619313][ T3606] stack backtrace: [ 52.619316][ T3606] CPU: 1 PID: 3606 Comm: syz-executor190 Not tainted 5.18.0-rc7-syzkaller-00119-gb015dcd62b86 #0 [ 52.619330][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.619337][ T3606] Call Trace: [ 52.619341][ T3606] [ 52.619345][ T3606] dump_stack_lvl+0xcd/0x134 [ 52.619362][ T3606] check_noncircular+0x25f/0x2e0 [ 52.619376][ T3606] ? filter_irq_stacks+0x90/0x90 [ 52.619391][ T3606] ? print_circular_bug+0x1e0/0x1e0 [ 52.619404][ T3606] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 52.619418][ T3606] ? add_lock_to_list.constprop.0+0x185/0x370 [ 52.619433][ T3606] __lock_acquire+0x2ac6/0x56c0 [ 52.619447][ T3606] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 52.619462][ T3606] lock_acquire+0x1ab/0x510 [ 52.619475][ T3606] ? vprintk_emit+0x316/0x5f0 [ 52.619488][ T3606] ? lock_release+0x720/0x720 [ 52.619501][ T3606] ? lock_downgrade+0x6e0/0x6e0 [ 52.619514][ T3606] ? do_raw_spin_lock+0x120/0x2a0 [ 52.619527][ T3606] ? rwlock_bug.part.0+0x90/0x90 [ 52.619541][ T3606] ? _raw_spin_unlock_irqrestore+0x3d/0x70 [ 52.619555][ T3606] vprintk_emit+0x353/0x5f0 [ 52.619569][ T3606] ? vprintk_emit+0x316/0x5f0 [ 52.619582][ T3606] vprintk+0x80/0x90 [ 52.619595][ T3606] _printk+0xba/0xed [ 52.619607][ T3606] ? record_print_text.cold+0x16/0x16 [ 52.619621][ T3606] ? ___ratelimit+0x222/0x4b0 [ 52.619635][ T3606] should_fail+0x472/0x5a0 [ 52.619650][ T3606] should_failslab+0x5/0x10 [ 52.619664][ T3606] __kmalloc+0x7b/0x4d0 [ 52.619677][ T3606] ? tty_buffer_alloc+0x23f/0x2a0 [ 52.619692][ T3606] tty_buffer_alloc+0x23f/0x2a0 [ 52.619707][ T3606] __tty_buffer_request_room+0x156/0x2a0 [ 52.619722][ T3606] tty_insert_flip_string_fixed_flag+0x8c/0x240 [ 52.619739][ T3606] pty_write+0x11c/0x1e0 [ 52.619751][ T3606] n_tty_write+0xa7a/0xfc0 [ 52.619764][ T3606] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 52.619776][ T3606] ? _copy_from_iter+0x12b/0x15a0 [ 52.619792][ T3606] ? n_tty_check_unthrottle+0x440/0x440 [ 52.619807][ T3606] ? __init_waitqueue_head+0xd0/0xd0 [ 52.619821][ T3606] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 52.619833][ T3606] ? __phys_addr_symbol+0x2c/0x70 [ 52.619848][ T3606] ? __sanitizer_cov_trace_cmp8+0x1d/0x70 [ 52.619859][ T3606] ? __check_object_size+0x16c/0x4f0 [ 52.619871][ T3606] file_tty_write.constprop.0+0x520/0x900 [ 52.619885][ T3606] ? n_tty_check_unthrottle+0x440/0x440 [ 52.619900][ T3606] new_sync_write+0x38a/0x560 [ 52.619913][ T3606] ? new_sync_read+0x5f0/0x5f0 [ 52.619926][ T3606] ? inode_security+0x105/0x130 [ 52.619940][ T3606] ? avc_policy_seqno+0x9/0x70 [ 52.619954][ T3606] ? __sanitizer_cov_trace_cmp4+0x1c/0x70 [ 52.619966][ T3606] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 52.619978][ T3606] ? security_file_permission+0xab/0xd0 [ 52.619991][ T3606] vfs_write+0x7c0/0xac0 [ 52.620004][ T3606] ksys_write+0x127/0x250 [ 52.620017][ T3606] ? __ia32_sys_read+0xb0/0xb0 [ 52.620030][ T3606] ? lockdep_hardirqs_on+0x79/0x100 [ 52.620043][ T3606] ? _raw_spin_unlock_irq+0x2a/0x40 [ 52.620056][ T3606] ? ptrace_notify+0xfa/0x140 [ 52.620071][ T3606] do_syscall_64+0x35/0xb0 [ 52.620082][ T3606] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 52.620097][ T3606] RIP: 0033:0x7ff74838b229 [ 52.620106][ T3606] Code: 28 c3 e8 aa 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 52.620118][ T3606] RSP: 002b:00007ffcf4f58338 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 52.620130][ T3606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ff74838b229 [ 52.620139][ T3606] RDX: 0000000000000060 RSI: 0000000020000380 RDI: 0000000000000003 [ 52.620146][ T3606] RBP: 00007ffcf4f58350 R08: 0000000000000001 R09: 00007ffcf4f5833d [ 52.620154][ T3606] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 52.620161][ T3606] R13: 00007ff74840ee10 R14: 00007ffcf4f583a8 R15: 0000000000000000 [ 52.620170][ T3606] [ 53.527356][ T3606] CPU: 1 PID: 3606 Comm: syz-executor190 Not tainted 5.18.0-rc7-syzkaller-00119-gb015dcd62b86 #0 [ 53.537843][ T3606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.547884][ T3606] Call Trace: [ 53.551149][ T3606] [ 53.554070][ T3606] dump_stack_lvl+0xcd/0x134 [ 53.558658][ T3606] should_fail.cold+0x5/0xa [ 53.563155][ T3606] should_failslab+0x5/0x10 [ 53.567657][ T3606] __kmalloc+0x7b/0x4d0 [ 53.571808][ T3606] ? tty_buffer_alloc+0x23f/0x2a0 [ 53.576831][ T3606] tty_buffer_alloc+0x23f/0x2a0 [ 53.581679][ T3606] __tty_buffer_request_room+0x156/0x2a0 [ 53.587310][ T3606] tty_insert_flip_string_fixed_flag+0x8c/0x240 [ 53.593549][ T3606] pty_write+0x11c/0x1e0 [ 53.597785][ T3606] n_tty_write+0xa7a/0xfc0 [ 53.602195][ T3606] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 53.608426][ T3606] ? _copy_from_iter+0x12b/0x15a0 [ 53.613446][ T3606] ? n_tty_check_unthrottle+0x440/0x440 [ 53.618984][ T3606] ? __init_waitqueue_head+0xd0/0xd0 [ 53.624269][ T3606] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 53.630497][ T3606] ? __phys_addr_symbol+0x2c/0x70 [ 53.635523][ T3606] ? __sanitizer_cov_trace_cmp8+0x1d/0x70 [ 53.641232][ T3606] ? __check_object_size+0x16c/0x4f0 [ 53.646505][ T3606] file_tty_write.constprop.0+0x520/0x900 [ 53.652218][ T3606] ? n_tty_check_unthrottle+0x440/0x440 [ 53.657760][ T3606] new_sync_write+0x38a/0x560 [ 53.662430][ T3606] ? new_sync_read+0x5f0/0x5f0 [ 53.667186][ T3606] ? inode_security+0x105/0x130 [ 53.672031][ T3606] ? avc_policy_seqno+0x9/0x70 [ 53.676788][ T3606] ? __sanitizer_cov_trace_cmp4+0x1c/0x70 [ 53.682496][ T3606] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 53.688727][ T3606] ? security_file_permission+0xab/0xd0 [ 53.694263][ T3606] vfs_write+0x7c0/0xac0 [ 53.698497][ T3606] ksys_write+0x127/0x250 [ 53.702820][ T3606] ? __ia32_sys_read+0xb0/0xb0 [ 53.707577][ T3606] ? lockdep_hardirqs_on+0x79/0x100 [ 53.712772][ T3606] ? _raw_spin_unlock_irq+0x2a/0x40 [ 53.717964][ T3606] ? ptrace_notify+0xfa/0x140 [ 53.722638][ T3606] do_syscall_64+0x35/0xb0 [ 53.727042][ T3606] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 53.732931][ T3606] RIP: 0033:0x7ff74838b229 [ 53.737332][ T3606] Code: 28 c3 e8 aa 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 53.756926][ T3606] RSP: 002b:00007ffcf4f58338 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 53.765327][ T3606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ff74838b229 [ 53.773284][ T3606] RDX: 0000000000000060 RSI: 0000000020000380 RDI: 0000000000000003 [ 53.781241][ T3606] RBP: 00007ffcf4f58350 R08: 0000000000000001 R09: 00007ffcf4f5833d [ 53.789203][ T3606] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 53.797162][ T3606] R13: 00007ff74840ee10 R14: 00007ffcf4f583a8 R15: 0000000000000000 [ 53.805124][ T3606] [ 54.564808][ T14] Bluetooth: hci0: command 0x0409 tx timeout [ 56.644790][ T14] Bluetooth: hci0: command 0x041b tx timeout [ 58.724805][ T14] Bluetooth: hci0: command 0x040f tx timeout [ 60.805031][ T14] Bluetooth: hci0: command 0x0419 tx timeout