./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2255366976 <...> syzkaller syzkaller login: [ 63.141415][ T26] kauditd_printk_skb: 42 callbacks suppressed [ 63.141430][ T26] audit: type=1400 audit(1688962333.440:77): avc: denied { transition } for pid=4866 comm="sshd" path="/bin/sh" dev="sda1" ino=89 scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 63.170375][ T26] audit: type=1400 audit(1688962333.460:78): avc: denied { noatsecure } for pid=4866 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 63.190520][ T26] audit: type=1400 audit(1688962333.470:79): avc: denied { write } for pid=4866 comm="sh" path="pipe:[29312]" dev="pipefs" ino=29312 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 63.213521][ T26] audit: type=1400 audit(1688962333.470:80): avc: denied { rlimitinh } for pid=4866 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 63.233556][ T26] audit: type=1400 audit(1688962333.470:81): avc: denied { siginh } for pid=4866 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 63.789338][ T26] audit: type=1400 audit(1688962334.090:82): avc: denied { read } for pid=4450 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1 Warning: Permanently added '10.128.1.29' (ECDSA) to the list of known hosts. execve("./syz-executor2255366976", ["./syz-executor2255366976"], 0x7ffc61af6e60 /* 10 vars */) = 0 brk(NULL) = 0x555556f15000 brk(0x555556f15c40) = 0x555556f15c40 arch_prctl(ARCH_SET_FS, 0x555556f15300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2255366976", 4096) = 28 brk(0x555556f36c40) = 0x555556f36c40 brk(0x555556f37000) = 0x555556f37000 mprotect(0x7fe30f7be000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 [ 83.345483][ T26] audit: type=1400 audit(1688962353.640:83): avc: denied { write } for pid=5013 comm="strace-static-x" path="pipe:[29465]" dev="pipefs" ino=29465 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 83.373769][ T26] audit: type=1400 audit(1688962353.670:84): avc: denied { execmem } for pid=5016 comm="syz-executor225" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe307300000 [ 83.378744][ T5016] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5016 'syz-executor225' write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 20699119) = 20699119 munmap(0x7fe307300000, 20699119) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./bus", 0777) = 0 [ 83.626610][ T26] audit: type=1400 audit(1688962353.920:85): avc: denied { read write } for pid=5016 comm="syz-executor225" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 83.631403][ T5016] loop0: detected capacity change from 0 to 40427 [ 83.651200][ T26] audit: type=1400 audit(1688962353.920:86): avc: denied { open } for pid=5016 comm="syz-executor225" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 83.651259][ T26] audit: type=1400 audit(1688962353.920:87): avc: denied { ioctl } for pid=5016 comm="syz-executor225" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c00 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 83.670934][ T5016] F2FS-fs (loop0): Invalid log_blocksize (268), supports only 12 [ 83.682781][ T26] audit: type=1400 audit(1688962353.950:88): avc: denied { mounton } for pid=5016 comm="syz-executor225" path="/root/bus" dev="sda1" ino=1927 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 83.708069][ T5016] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock [ 83.717099][ T26] audit: type=1400 audit(1688962354.020:89): avc: denied { append } for pid=4450 comm="syslogd" name="messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 83.769496][ T26] audit: type=1400 audit(1688962354.020:90): avc: denied { open } for pid=4450 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 83.792184][ T26] audit: type=1400 audit(1688962354.020:91): avc: denied { getattr } for pid=4450 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1 [ 83.798064][ T5016] F2FS-fs (loop0): Found nat_bits in checkpoint mount("/dev/loop0", "./bus", "f2fs", 0, "nobarrier,quota,noflush_merge,quota,flush_merge,nodiscard,active_logs=4,noextent_cache,user_xattr,ac"...) = 0 openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3 chdir("./bus") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|FASYNC, 000) = 4 [ 83.860138][ T5016] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0 [ 83.867448][ T5016] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5 [ 83.876620][ T26] audit: type=1400 audit(1688962354.180:92): avc: denied { mount } for pid=5016 comm="syz-executor225" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 83.889387][ T5016] [ 83.900935][ T5016] ====================================================== [ 83.908102][ T5016] WARNING: possible circular locking dependency detected [ 83.915152][ T5016] 6.4.0-syzkaller-12491-gc192ac735768 #0 Not tainted [ 83.921857][ T5016] ------------------------------------------------------ [ 83.928916][ T5016] syz-executor225/5016 is trying to acquire lock: [ 83.935378][ T5016] ffff888072747888 (&fi->i_xattr_sem){.+.+}-{3:3}, at: f2fs_getxattr+0xb96/0xfd0 [ 83.944593][ T5016] [ 83.944593][ T5016] but task is already holding lock: [ 83.952061][ T5016] ffff88807274b668 (&fi->i_sem){+.+.}-{3:3}, at: f2fs_do_tmpfile+0x24/0x1d0 [ 83.961016][ T5016] [ 83.961016][ T5016] which lock already depends on the new lock. [ 83.961016][ T5016] [ 83.971783][ T5016] [ 83.971783][ T5016] the existing dependency chain (in reverse order) is: [ 83.980827][ T5016] [ 83.980827][ T5016] -> #1 (&fi->i_sem){+.+.}-{3:3}: [ 83.988338][ T5016] down_write+0x92/0x200 [ 83.993236][ T5016] f2fs_add_inline_entry+0x2c4/0x6c0 [ 83.999159][ T5016] f2fs_add_dentry+0xa6/0x240 [ 84.004382][ T5016] f2fs_do_add_link+0x183/0x270 [ 84.009779][ T5016] f2fs_create+0x3c1/0x670 [ 84.014776][ T5016] lookup_open.isra.0+0x1050/0x1400 [ 84.020545][ T5016] path_openat+0x969/0x2710 [ 84.025727][ T5016] do_filp_open+0x1ba/0x410 [ 84.030802][ T5016] do_sys_openat2+0x160/0x1c0 [ 84.036035][ T5016] __x64_sys_openat+0x143/0x1f0 [ 84.041440][ T5016] do_syscall_64+0x39/0xb0 [ 84.046417][ T5016] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.052904][ T5016] [ 84.052904][ T5016] -> #0 (&fi->i_xattr_sem){.+.+}-{3:3}: [ 84.060670][ T5016] __lock_acquire+0x2e9d/0x5e20 [ 84.066183][ T5016] lock_acquire+0x1b1/0x520 [ 84.071239][ T5016] down_read+0x9c/0x480 [ 84.077455][ T5016] f2fs_getxattr+0xb96/0xfd0 [ 84.082608][ T5016] __f2fs_get_acl+0x59/0x610 [ 84.087922][ T5016] f2fs_init_acl+0x152/0xb40 [ 84.093148][ T5016] f2fs_init_inode_metadata+0x15d/0x1260 [ 84.099586][ T5016] f2fs_do_tmpfile+0x33/0x1d0 [ 84.104806][ T5016] __f2fs_tmpfile+0x1db/0x440 [ 84.110044][ T5016] f2fs_ioc_start_atomic_write+0xcf4/0x1330 [ 84.116498][ T5016] __f2fs_ioctl+0x317f/0xa5f0 [ 84.121726][ T5016] f2fs_ioctl+0x194/0x220 [ 84.126611][ T5016] __x64_sys_ioctl+0x19d/0x210 [ 84.131947][ T5016] do_syscall_64+0x39/0xb0 [ 84.137006][ T5016] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.143556][ T5016] [ 84.143556][ T5016] other info that might help us debug this: [ 84.143556][ T5016] [ 84.154071][ T5016] Possible unsafe locking scenario: [ 84.154071][ T5016] [ 84.161557][ T5016] CPU0 CPU1 [ 84.167041][ T5016] ---- ---- [ 84.172516][ T5016] lock(&fi->i_sem); [ 84.176541][ T5016] lock(&fi->i_xattr_sem); [ 84.183847][ T5016] lock(&fi->i_sem); [ 84.190576][ T5016] rlock(&fi->i_xattr_sem); [ 84.195297][ T5016] [ 84.195297][ T5016] *** DEADLOCK *** [ 84.195297][ T5016] [ 84.203902][ T5016] 5 locks held by syz-executor225/5016: [ 84.209547][ T5016] #0: ffff88807a306410 (sb_writers#10){.+.+}-{0:0}, at: f2fs_ioc_start_atomic_write+0x1a7/0x1330 [ 84.220255][ T5016] #1: ffff888072749250 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: f2fs_ioc_start_atomic_write+0x1e3/0x1330 [ 84.232162][ T5016] #2: ffff888072749830 (&fi->i_gc_rwsem[WRITE]){+.+.}-{3:3}, at: f2fs_ioc_start_atomic_write+0x2e6/0x1330 [ 84.243622][ T5016] #3: ffff88807ba403b0 (&sbi->cp_rwsem){.+.+}-{3:3}, at: __f2fs_tmpfile+0x1ae/0x440 [ 84.253238][ T5016] #4: ffff88807274b668 (&fi->i_sem){+.+.}-{3:3}, at: f2fs_do_tmpfile+0x24/0x1d0 [ 84.263037][ T5016] [ 84.263037][ T5016] stack backtrace: [ 84.268932][ T5016] CPU: 1 PID: 5016 Comm: syz-executor225 Not tainted 6.4.0-syzkaller-12491-gc192ac735768 #0 [ 84.279232][ T5016] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 [ 84.289483][ T5016] Call Trace: [ 84.292774][ T5016] [ 84.295718][ T5016] dump_stack_lvl+0xd9/0x150 [ 84.300347][ T5016] check_noncircular+0x2df/0x3b0 [ 84.305322][ T5016] ? print_circular_bug+0x740/0x740 [ 84.310555][ T5016] ? print_circular_bug+0x740/0x740 [ 84.315784][ T5016] ? _raw_spin_unlock_irqrestore+0x41/0x70 [ 84.321647][ T5016] __lock_acquire+0x2e9d/0x5e20 [ 84.326545][ T5016] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 84.332567][ T5016] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 84.338590][ T5016] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 84.344701][ T5016] ? mark_lock.part.0+0xee/0x1960 [ 84.349881][ T5016] lock_acquire+0x1b1/0x520 [ 84.354426][ T5016] ? f2fs_getxattr+0xb96/0xfd0 [ 84.359229][ T5016] ? lock_sync+0x190/0x190 [ 84.367674][ T5016] down_read+0x9c/0x480 [ 84.371977][ T5016] ? f2fs_getxattr+0xb96/0xfd0 [ 84.376786][ T5016] ? down_write_killable+0x250/0x250 [ 84.382117][ T5016] ? mark_held_locks+0x9f/0xe0 [ 84.386915][ T5016] ? percpu_counter_add_batch+0x199/0x1e0 [ 84.392672][ T5016] f2fs_getxattr+0xb96/0xfd0 [ 84.397378][ T5016] ? f2fs_truncate_xattr_node+0x380/0x380 [ 84.403140][ T5016] ? f2fs_init_security+0x40/0x40 [ 84.408204][ T5016] __f2fs_get_acl+0x59/0x610 [ 84.412838][ T5016] f2fs_init_acl+0x152/0xb40 [ 84.417473][ T5016] ? lock_sync+0x190/0x190 [ 84.421930][ T5016] f2fs_init_inode_metadata+0x15d/0x1260 [ 84.427698][ T5016] ? f2fs_do_make_empty_dir+0x1d0/0x1d0 [ 84.433287][ T5016] ? down_write+0x14f/0x200 [ 84.437915][ T5016] ? rwsem_down_write_slowpath+0x1220/0x1220 [ 84.443933][ T5016] ? do_raw_spin_unlock+0x175/0x230 [ 84.449208][ T5016] f2fs_do_tmpfile+0x33/0x1d0 [ 84.453999][ T5016] __f2fs_tmpfile+0x1db/0x440 [ 84.458708][ T5016] f2fs_ioc_start_atomic_write+0xcf4/0x1330 [ 84.464654][ T5016] __f2fs_ioctl+0x317f/0xa5f0 [ 84.469374][ T5016] ? tomoyo_path_number_perm+0x166/0x570 [ 84.475055][ T5016] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 84.480935][ T5016] ? __sanitizer_cov_trace_switch+0x54/0x90 [ 84.486954][ T5016] ? f2fs_precache_extents+0x220/0x220 [ 84.492450][ T5016] ? vfs_fileattr_set+0xc40/0xc40 [ 84.497512][ T5016] ? ioctl_has_perm.constprop.0.isra.0+0x29b/0x420 [ 84.504067][ T5016] ? ioctl_has_perm.constprop.0.isra.0+0x2a4/0x420 [ 84.510625][ T5016] ? selinux_bprm_creds_for_exec+0xb20/0xb20 [ 84.516663][ T5016] ? find_held_lock+0x2d/0x110 [ 84.521474][ T5016] ? ptrace_notify+0xfe/0x140 [ 84.526197][ T5016] ? lock_downgrade+0x690/0x690 [ 84.531086][ T5016] f2fs_ioctl+0x194/0x220 [ 84.535461][ T5016] ? __f2fs_ioctl+0xa5f0/0xa5f0 [ 84.540881][ T5016] __x64_sys_ioctl+0x19d/0x210 [ 84.545690][ T5016] do_syscall_64+0x39/0xb0 [ 84.550222][ T5016] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.556162][ T5016] RIP: 0033:0x7fe30f74c969 [ 84.560594][ T5016] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 84.580225][ T5016] RSP: 002b:00007ffc55cdfb78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 84.588661][ T5016] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe30f74c969 [ 84.596651][ T5016] RDX: 0000000000000000 RSI: 000000000000f501 RDI: 0000000000000004 [ 84.604641][ T5016] RBP: 00007fe30f70c200 R08: 0000000000000000 R09: 0000000000000000 ioctl(4, F2FS_IOC_START_ATOMIC_WRITE, 0) = 0 exit_group(0) = ? +++ exited with 0 +++ [ 84.612630][ T5016] R10: 0000000000000000 R11: 00000000