[ 39.821704] audit: type=1800 audit(1546584485.023:25): pid=7929 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 39.850501] audit: type=1800 audit(1546584485.023:26): pid=7929 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 39.891491] audit: type=1800 audit(1546584485.033:27): pid=7929 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] startpar: service(s) returned failure: rsyslog ...[?25l[?1c7[FAIL8[?25h[?0c failed! Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.32' (ECDSA) to the list of known hosts. 2019/01/04 06:53:36 parsed 1 programs syzkaller login: [ 373.892052] ld (8112) used greatest stack depth: 20008 bytes left 2019/01/04 06:53:39 executed programs: 0 [ 374.068223] IPVS: ftp: loaded support on port[0] = 21 [ 374.148886] chnl_net:caif_netlink_parms(): no params data found [ 374.184532] bridge0: port 1(bridge_slave_0) entered blocking state [ 374.191717] bridge0: port 1(bridge_slave_0) entered disabled state [ 374.199567] device bridge_slave_0 entered promiscuous mode [ 374.207200] bridge0: port 2(bridge_slave_1) entered blocking state [ 374.213611] bridge0: port 2(bridge_slave_1) entered disabled state [ 374.220904] device bridge_slave_1 entered promiscuous mode [ 374.237571] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 374.246765] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 374.264376] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 374.272197] team0: Port device team_slave_0 added [ 374.277559] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 374.284663] team0: Port device team_slave_1 added [ 374.290550] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 374.298049] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 374.348296] device hsr_slave_0 entered promiscuous mode [ 374.416014] device hsr_slave_1 entered promiscuous mode [ 374.475978] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 374.482857] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 374.496913] bridge0: port 2(bridge_slave_1) entered blocking state [ 374.503345] bridge0: port 2(bridge_slave_1) entered forwarding state [ 374.510306] bridge0: port 1(bridge_slave_0) entered blocking state [ 374.516686] bridge0: port 1(bridge_slave_0) entered forwarding state [ 374.552958] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 374.559416] 8021q: adding VLAN 0 to HW filter on device bond0 [ 374.568024] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 374.577160] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 374.596676] bridge0: port 1(bridge_slave_0) entered disabled state [ 374.603853] bridge0: port 2(bridge_slave_1) entered disabled state [ 374.612114] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 374.622320] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 374.628757] 8021q: adding VLAN 0 to HW filter on device team0 [ 374.637242] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 374.644841] bridge0: port 1(bridge_slave_0) entered blocking state [ 374.651254] bridge0: port 1(bridge_slave_0) entered forwarding state [ 374.667703] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 374.675380] bridge0: port 2(bridge_slave_1) entered blocking state [ 374.681794] bridge0: port 2(bridge_slave_1) entered forwarding state [ 374.689200] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 374.697653] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 374.709014] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 374.722304] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 374.732930] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 374.744200] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 374.751673] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 374.759692] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 374.768211] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 374.781610] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 374.791565] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 375.975226] [ 375.976879] ===================================== [ 375.981692] WARNING: bad unlock balance detected! [ 375.986510] 4.20.0+ #8 Not tainted [ 375.990021] ------------------------------------- [ 375.994853] syz-executor0/8424 is trying to release lock (&file->mut) at: [ 376.001862] [] ucma_destroy_id+0x269/0x540 [ 376.007636] but there are no more locks to release! [ 376.012622] [ 376.012622] other info that might help us debug this: [ 376.019293] 1 lock held by syz-executor0/8424: [ 376.023848] #0: 000000003216939b (&file->mut){+.+.}, at: ucma_destroy_id+0x209/0x540 [ 376.031802] [ 376.031802] stack backtrace: [ 376.036277] CPU: 0 PID: 8424 Comm: syz-executor0 Not tainted 4.20.0+ #8 [ 376.043017] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 376.052362] Call Trace: [ 376.054951] dump_stack+0x1db/0x2d0 [ 376.058564] ? dump_stack_print_info.cold+0x20/0x20 [ 376.063573] ? ucma_destroy_id+0x269/0x540 [ 376.067929] ? print_tainted+0x176/0x1e0 [ 376.072004] ? vprintk_func+0x86/0x189 [ 376.075876] ? ucma_destroy_id+0x269/0x540 [ 376.080108] print_unlock_imbalance_bug.cold+0xd0/0xdf [ 376.085364] ? ucma_destroy_id+0x269/0x540 [ 376.089575] lock_release+0x77a/0xc40 [ 376.093371] ? lock_downgrade+0x910/0x910 [ 376.097499] ? __radix_tree_delete+0x27e/0x4e0 [ 376.102061] ? idr_preload+0x50/0x50 [ 376.105754] ? __radix_tree_lookup+0x3aa/0x4f0 [ 376.110314] __mutex_unlock_slowpath+0xe9/0x870 [ 376.114962] ? wait_for_completion+0x810/0x810 [ 376.119524] mutex_unlock+0xd/0x10 [ 376.123044] ucma_destroy_id+0x269/0x540 [ 376.127097] ? ucma_close+0x320/0x320 [ 376.130898] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 376.136456] ? _copy_from_user+0xdd/0x150 [ 376.140591] ucma_write+0x36b/0x480 [ 376.144193] ? ucma_close+0x320/0x320 [ 376.147970] ? ucma_open+0x400/0x400 [ 376.151721] ? __might_fault+0x12b/0x1e0 [ 376.155762] ? find_held_lock+0x35/0x120 [ 376.159833] __vfs_write+0x116/0xb40 [ 376.163558] ? ucma_open+0x400/0x400 [ 376.167254] ? kernel_read+0x120/0x120 [ 376.171127] ? fget_raw+0x20/0x20 [ 376.174565] ? trace_hardirqs_off_caller+0x300/0x300 [ 376.179676] ? apparmor_file_permission+0x25/0x30 [ 376.184499] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 376.190049] ? security_file_permission+0x94/0x320 [ 376.194962] ? rw_verify_area+0x118/0x360 [ 376.199120] vfs_write+0x20c/0x580 [ 376.202672] ksys_write+0x105/0x260 [ 376.206280] ? __ia32_sys_read+0xb0/0xb0 [ 376.210317] ? trace_hardirqs_off_caller+0x300/0x300 [ 376.215398] __ia32_sys_write+0x71/0xb0 [ 376.219382] do_fast_syscall_32+0x333/0xf98 [ 376.223684] ? do_int80_syscall_32+0x880/0x880 [ 376.228273] ? trace_hardirqs_off+0x310/0x310 [ 376.232789] ? syscall_return_slowpath+0x3b0/0x5f0 [ 376.237696] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 376.242686] ? __switch_to_asm+0x34/0x70 [ 376.246740] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 376.251572] entry_SYSENTER_compat+0x70/0x7f [ 376.255955] RIP: 0023:0xf7f26869 [ 376.259328] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 376.278208] RSP: 002b:00000000f7f010cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004 [ 376.285892] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000200002c0 [ 376.293136] RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000 [ 376.300384] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 376.307643] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 376.314919] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000