[ ok ] Starting enhanced syslogd: rsyslogd.
[ 66.543138][ T25] audit: type=1800 audit(1575105259.907:25): pid=8864 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 66.562845][ T25] audit: type=1800 audit(1575105259.917:26): pid=8864 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 66.607385][ T25] audit: type=1800 audit(1575105259.917:27): pid=8864 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.59' (ECDSA) to the list of known hosts.
2019/11/30 09:14:29 parsed 1 programs
2019/11/30 09:14:31 executed programs: 0
syzkaller login: [ 78.330662][ T9030] IPVS: ftp: loaded support on port[0] = 21
[ 78.395350][ T9030] chnl_net:caif_netlink_parms(): no params data found
[ 78.424992][ T9030] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.433102][ T9030] bridge0: port 1(bridge_slave_0) entered disabled state
[ 78.441080][ T9030] device bridge_slave_0 entered promiscuous mode
[ 78.449640][ T9030] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.456740][ T9030] bridge0: port 2(bridge_slave_1) entered disabled state
[ 78.464638][ T9030] device bridge_slave_1 entered promiscuous mode
[ 78.482906][ T9030] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 78.493802][ T9030] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 78.514252][ T9030] team0: Port device team_slave_0 added
[ 78.521917][ T9030] team0: Port device team_slave_1 added
[ 78.569523][ T9030] device hsr_slave_0 entered promiscuous mode
[ 78.618676][ T9030] device hsr_slave_1 entered promiscuous mode
[ 78.681130][ T9030] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 78.740006][ T9030] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 78.800263][ T9030] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 78.829403][ T9030] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 78.898336][ T9030] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.905954][ T9030] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 78.913888][ T9030] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.921039][ T9030] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 78.956760][ T9030] 8021q: adding VLAN 0 to HW filter on device bond0
[ 78.971320][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 78.992347][ T43] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.011149][ T43] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.020435][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 79.033649][ T9030] 8021q: adding VLAN 0 to HW filter on device team0
[ 79.044466][ T3693] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 79.053196][ T3693] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.060307][ T3693] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.071147][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 79.080226][ T43] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.087484][ T43] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.109374][ T3693] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 79.118689][ T3693] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 79.127079][ T3693] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 79.136444][ T3693] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 79.145718][ T3693] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 79.156446][ T9030] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 79.173147][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 79.180788][ T43] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 79.193133][ T9030] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 79.452665][ T9064]
[ 79.455027][ T9064] =====================================
[ 79.460616][ T9064] WARNING: bad unlock balance detected!
[ 79.466138][ T9064] 5.4.0-syzkaller #0 Not tainted
[ 79.471060][ T9064] -------------------------------------
[ 79.476576][ T9064] syz-executor.0/9064 is trying to release lock (&file->mut) at:
[ 79.484276][ T9064] [] ucma_destroy_id+0x24a/0x490
[ 79.490745][ T9064] but there are no more locks to release!
[ 79.496431][ T9064]
[ 79.496431][ T9064] other info that might help us debug this:
[ 79.504473][ T9064] 1 lock held by syz-executor.0/9064:
[ 79.509813][ T9064] #0: ffff888096f19c60 (&file->mut){+.+.}, at: ucma_destroy_id+0x1e7/0x490
[ 79.518467][ T9064]
[ 79.518467][ T9064] stack backtrace:
[ 79.524333][ T9064] CPU: 1 PID: 9064 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
[ 79.532541][ T9064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.542570][ T9064] Call Trace:
[ 79.545846][ T9064] dump_stack+0x197/0x210
[ 79.550151][ T9064] ? ucma_destroy_id+0x24a/0x490
[ 79.555062][ T9064] print_unlock_imbalance_bug.cold+0x114/0x123
[ 79.561194][ T9064] ? ucma_destroy_id+0x24a/0x490
[ 79.566102][ T9064] lock_release+0x5f2/0x960
[ 79.570580][ T9064] ? lock_downgrade+0x920/0x920
[ 79.575400][ T9064] ? ucma_destroy_id+0x1e7/0x490
[ 79.580323][ T9064] ? ucma_destroy_id+0x1c0/0x490
[ 79.585233][ T9064] ? mutex_trylock+0x2f0/0x2f0
[ 79.589972][ T9064] ? ucma_destroy_id+0x1c0/0x490
[ 79.594888][ T9064] __mutex_unlock_slowpath+0x86/0x6a0
[ 79.600232][ T9064] ? lock_downgrade+0x920/0x920
[ 79.605053][ T9064] ? wait_for_completion+0x440/0x440
[ 79.610313][ T9064] mutex_unlock+0x1b/0x30
[ 79.614615][ T9064] ucma_destroy_id+0x24a/0x490
[ 79.619352][ T9064] ? ucma_close+0x310/0x310
[ 79.623831][ T9064] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.630046][ T9064] ? _copy_from_user+0x12c/0x1a0
[ 79.634972][ T9064] ucma_write+0x2d7/0x3c0
[ 79.639276][ T9064] ? ucma_close+0x310/0x310
[ 79.643760][ T9064] ? ucma_open+0x290/0x290
[ 79.648153][ T9064] ? apparmor_file_permission+0x25/0x30
[ 79.653679][ T9064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.659896][ T9064] ? security_file_permission+0x8f/0x380
[ 79.665501][ T9064] __vfs_write+0x8a/0x110
[ 79.669806][ T9064] ? ucma_open+0x290/0x290
[ 79.674203][ T9064] vfs_write+0x268/0x5d0
[ 79.678418][ T9064] ksys_write+0x220/0x290
[ 79.682728][ T9064] ? __ia32_sys_read+0xb0/0xb0
[ 79.687469][ T9064] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 79.692900][ T9064] ? do_syscall_64+0x26/0x790
[ 79.697560][ T9064] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.703612][ T9064] ? do_syscall_64+0x26/0x790
[ 79.708290][ T9064] __x64_sys_write+0x73/0xb0
[ 79.712876][ T9064] do_syscall_64+0xfa/0x790
[ 79.717370][ T9064] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.723249][ T9064] RIP: 0033:0x45a679
[ 79.727168][ T9064] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.746859][ T9064] RSP: 002b:00007fc30fccfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 79.755260][ T9064] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 79.763226][ T9064] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 79.771174][ T9064] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 79.779120][ T9064] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc30fcd06d4
[ 79.787504][ T9064] R13: 00000000004d2b38 R14: 00000000004e3be0 R15: 00000000ffffffff
[ 79.797683][ T9064] ==================================================================
[ 79.805783][ T9064] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x93/0x6a0
[ 79.813664][ T9064] Read of size 8 at addr ffff888096f19800 by task syz-executor.0/9064
[ 79.821790][ T9064]
[ 79.824109][ T9064] CPU: 1 PID: 9064 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
[ 79.832329][ T9064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.842362][ T9064] Call Trace:
[ 79.845663][ T9064] dump_stack+0x197/0x210
[ 79.850062][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.855598][ T9064] print_address_description.constprop.0.cold+0xd4/0x30b
[ 79.862649][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.868348][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.873873][ T9064] __kasan_report.cold+0x1b/0x41
[ 79.878796][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.884342][ T9064] kasan_report+0x12/0x20
[ 79.888661][ T9064] check_memory_region+0x134/0x1a0
[ 79.893751][ T9064] __kasan_check_read+0x11/0x20
[ 79.898582][ T9064] __mutex_unlock_slowpath+0x93/0x6a0
[ 79.903932][ T9064] ? lock_downgrade+0x920/0x920
[ 79.908763][ T9064] ? wait_for_completion+0x440/0x440
[ 79.914029][ T9064] mutex_unlock+0x1b/0x30
[ 79.918342][ T9064] ucma_destroy_id+0x24a/0x490
[ 79.923106][ T9064] ? ucma_close+0x310/0x310
[ 79.927639][ T9064] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.933881][ T9064] ? _copy_from_user+0x12c/0x1a0
[ 79.938806][ T9064] ucma_write+0x2d7/0x3c0
[ 79.943208][ T9064] ? ucma_close+0x310/0x310
[ 79.947812][ T9064] ? ucma_open+0x290/0x290
[ 79.952216][ T9064] ? apparmor_file_permission+0x25/0x30
[ 79.957751][ T9064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.963994][ T9064] ? security_file_permission+0x8f/0x380
[ 79.971181][ T9064] __vfs_write+0x8a/0x110
[ 79.975510][ T9064] ? ucma_open+0x290/0x290
[ 79.979908][ T9064] vfs_write+0x268/0x5d0
[ 79.984132][ T9064] ksys_write+0x220/0x290
[ 79.988440][ T9064] ? __ia32_sys_read+0xb0/0xb0
[ 79.993185][ T9064] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 79.998640][ T9064] ? do_syscall_64+0x26/0x790
[ 80.003330][ T9064] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.009394][ T9064] ? do_syscall_64+0x26/0x790
[ 80.014067][ T9064] __x64_sys_write+0x73/0xb0
[ 80.018646][ T9064] do_syscall_64+0xfa/0x790
[ 80.023153][ T9064] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.029046][ T9064] RIP: 0033:0x45a679
[ 80.033459][ T9064] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 80.053046][ T9064] RSP: 002b:00007fc30fccfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 80.061442][ T9064] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 80.069415][ T9064] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 80.077394][ T9064] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 80.085449][ T9064] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc30fcd06d4
[ 80.093406][ T9064] R13: 00000000004d2b38 R14: 00000000004e3be0 R15: 00000000ffffffff
[ 80.101394][ T9064]
[ 80.103719][ T9064] Allocated by task 9067:
[ 80.108035][ T9064] save_stack+0x23/0x90
[ 80.112185][ T9064] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 80.117795][ T9064] kasan_kmalloc+0x9/0x10
[ 80.122134][ T9064] kmem_cache_alloc_trace+0x158/0x790
[ 80.127484][ T9064] ucma_open+0x4f/0x290
[ 80.131639][ T9064] misc_open+0x395/0x4c0
[ 80.135866][ T9064] chrdev_open+0x245/0x6b0
[ 80.140339][ T9064] do_dentry_open+0x4e6/0x1380
[ 80.145147][ T9064] vfs_open+0xa0/0xd0
[ 80.149180][ T9064] path_openat+0x10e4/0x46d0
[ 80.153753][ T9064] do_filp_open+0x1a1/0x280
[ 80.158248][ T9064] do_sys_open+0x3fe/0x5d0
[ 80.162659][ T9064] __x64_sys_openat+0x9d/0x100
[ 80.167421][ T9064] do_syscall_64+0xfa/0x790
[ 80.171914][ T9064] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.177781][ T9064]
[ 80.180086][ T9064] Freed by task 9058:
[ 80.184399][ T9064] save_stack+0x23/0x90
[ 80.188554][ T9064] __kasan_slab_free+0x102/0x150
[ 80.193490][ T9064] kasan_slab_free+0xe/0x10
[ 80.197977][ T9064] kfree+0x10a/0x2c0
[ 80.201868][ T9064] ucma_close+0x275/0x310
[ 80.206193][ T9064] __fput+0x2ff/0x890
[ 80.210187][ T9064] ____fput+0x16/0x20
[ 80.214192][ T9064] task_work_run+0x145/0x1c0
[ 80.218815][ T9064] exit_to_usermode_loop+0x316/0x380
[ 80.224091][ T9064] do_syscall_64+0x676/0x790
[ 80.228678][ T9064] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.234697][ T9064]
[ 80.237023][ T9064] The buggy address belongs to the object at ffff888096f19800
[ 80.237023][ T9064]  which belongs to the cache kmalloc-256 of size 256
[ 80.251059][ T9064] The buggy address is located 0 bytes inside of
[ 80.251059][ T9064]  256-byte region [ffff888096f19800, ffff888096f19900)
[ 80.266400][ T9064] The buggy address belongs to the page:
[ 80.272030][ T9064] page:ffffea00025bc640 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
[ 80.281380][ T9064] raw: 00fffe0000000200 ffffea00025bed08 ffff8880aa401648 ffff8880aa4008c0
[ 80.290161][ T9064] raw: 0000000000000000 ffff888096f19000 0000000100000008 0000000000000000
[ 80.298738][ T9064] page dumped because: kasan: bad access detected
[ 80.305131][ T9064]
[ 80.307449][ T9064] Memory state around the buggy address:
[ 80.313061][ T9064]  ffff888096f19700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.321107][ T9064]  ffff888096f19780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.329162][ T9064] >ffff888096f19800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.337201][ T9064]                    ^
[ 80.341267][ T9064]  ffff888096f19880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.349394][ T9064]  ffff888096f19900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.357485][ T9064] ==================================================================
[ 80.368839][ T9064] Kernel panic - not syncing: panic_on_warn set ...
[ 80.375472][ T9064] CPU: 1 PID: 9064 Comm: syz-executor.0 Tainted: G B 5.4.0-syzkaller #0
[ 80.385439][ T9064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.395504][ T9064] Call Trace:
[ 80.398790][ T9064] dump_stack+0x197/0x210
[ 80.403104][ T9064] panic+0x2e3/0x75c
[ 80.406982][ T9064] ? add_taint.cold+0x16/0x16
[ 80.411648][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 80.417182][ T9064] ? preempt_schedule+0x4b/0x60
[ 80.422015][ T9064] ? ___preempt_schedule+0x16/0x18
[ 80.427110][ T9064] ? trace_hardirqs_on+0x5e/0x240
[ 80.432115][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 80.437655][ T9064] end_report+0x47/0x4f
[ 80.441812][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 80.447349][ T9064] __kasan_report.cold+0xe/0x41
[ 80.452183][ T9064] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 80.457779][ T9064] kasan_report+0x12/0x20
[ 80.462197][ T9064] check_memory_region+0x134/0x1a0
[ 80.467473][ T9064] __kasan_check_read+0x11/0x20
[ 80.472348][ T9064] __mutex_unlock_slowpath+0x93/0x6a0
[ 80.477831][ T9064] ? lock_downgrade+0x920/0x920
[ 80.482699][ T9064] ? wait_for_completion+0x440/0x440
[ 80.487978][ T9064] mutex_unlock+0x1b/0x30
[ 80.492305][ T9064] ucma_destroy_id+0x24a/0x490
[ 80.497573][ T9064] ? ucma_close+0x310/0x310
[ 80.502081][ T9064] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 80.508560][ T9064] ? _copy_from_user+0x12c/0x1a0
[ 80.513580][ T9064] ucma_write+0x2d7/0x3c0
[ 80.517909][ T9064] ? ucma_close+0x310/0x310
[ 80.522402][ T9064] ? ucma_open+0x290/0x290
[ 80.526806][ T9064] ? apparmor_file_permission+0x25/0x30
[ 80.532342][ T9064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 80.538933][ T9064] ? security_file_permission+0x8f/0x380
[ 80.544675][ T9064] __vfs_write+0x8a/0x110
[ 80.549125][ T9064] ? ucma_open+0x290/0x290
[ 80.554331][ T9064] vfs_write+0x268/0x5d0
[ 80.558594][ T9064] ksys_write+0x220/0x290
[ 80.562925][ T9064] ? __ia32_sys_read+0xb0/0xb0
[ 80.568046][ T9064] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 80.573653][ T9064] ? do_syscall_64+0x26/0x790
[ 80.578644][ T9064] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.584862][ T9064] ? do_syscall_64+0x26/0x790
[ 80.589547][ T9064] __x64_sys_write+0x73/0xb0
[ 80.594136][ T9064] do_syscall_64+0xfa/0x790
[ 80.598858][ T9064] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.604758][ T9064] RIP: 0033:0x45a679
[ 80.608658][ T9064] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 80.628351][ T9064] RSP: 002b:00007fc30fccfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 80.636748][ T9064] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 80.644717][ T9064] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 80.653132][ T9064] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 80.661197][ T9064] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc30fcd06d4
[ 80.669296][ T9064] R13: 00000000004d2b38 R14: 00000000004e3be0 R15: 00000000ffffffff
[ 80.678843][ T9064] Kernel Offset: disabled
[ 80.683206][ T9064] Rebooting in 86400 seconds..