[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.198' (ECDSA) to the list of known hosts.
2021/01/28 14:27:54 parsed 1 programs
2021/01/28 14:27:55 executed programs: 0
syzkaller login: [ 375.728195] IPVS: ftp: loaded support on port[0] = 21
[ 375.838549] chnl_net:caif_netlink_parms(): no params data found
[ 375.905713] bridge0: port 1(bridge_slave_0) entered blocking state
[ 375.912364] bridge0: port 1(bridge_slave_0) entered disabled state
[ 375.919611] device bridge_slave_0 entered promiscuous mode
[ 375.928585] bridge0: port 2(bridge_slave_1) entered blocking state
[ 375.935493] bridge0: port 2(bridge_slave_1) entered disabled state
[ 375.943482] device bridge_slave_1 entered promiscuous mode
[ 375.960087] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 375.969165] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 375.987703] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 375.995196] team0: Port device team_slave_0 added
[ 376.000613] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 376.008840] team0: Port device team_slave_1 added
[ 376.024231] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 376.030468] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 376.056389] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 376.068034] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 376.074661] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 376.100532] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 376.111230] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 376.118831] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 376.138175] device hsr_slave_0 entered promiscuous mode
[ 376.144612] device hsr_slave_1 entered promiscuous mode
[ 376.150525] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 376.157682] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 376.220229] bridge0: port 2(bridge_slave_1) entered blocking state
[ 376.226673] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 376.233527] bridge0: port 1(bridge_slave_0) entered blocking state
[ 376.239962] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 376.271463] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 376.278520] 8021q: adding VLAN 0 to HW filter on device bond0
[ 376.287552] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 376.296441] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 376.305055] bridge0: port 1(bridge_slave_0) entered disabled state
[ 376.312104] bridge0: port 2(bridge_slave_1) entered disabled state
[ 376.318971] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 376.329201] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 376.335556] 8021q: adding VLAN 0 to HW filter on device team0
[ 376.344730] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 376.352407] bridge0: port 1(bridge_slave_0) entered blocking state
[ 376.358743] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 376.379740] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 376.389658] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 376.401364] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 376.409031] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 376.417318] bridge0: port 2(bridge_slave_1) entered blocking state
[ 376.423719] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 376.430927] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 376.438825] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 376.446599] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 376.454308] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 376.461870] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 376.468798] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 376.480706] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 376.488848] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 376.495601] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 376.506654] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 376.521174] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 376.530585] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 376.559476] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 376.566684] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 376.574394] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 376.583766] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 376.591284] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 376.598835] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 376.607331] device veth0_vlan entered promiscuous mode
[ 376.616205] device veth1_vlan entered promiscuous mode
[ 376.622186] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 376.630488] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 376.641221] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 376.651620] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 376.659419] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 376.667239] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 376.676244] device veth0_macvtap entered promiscuous mode
[ 376.683687] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 376.691665] device veth1_macvtap entered promiscuous mode
[ 376.700538] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 376.710604] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 376.720740] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 376.728021] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 376.736607] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 376.746428] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 376.753765] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 376.861548] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 376.869083] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 376.884717] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 376.894928] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 376.901302] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 376.910389] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 376.918779] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 376.926265] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 376.999398]
[ 377.001080] =====================================
[ 377.005911] WARNING: bad unlock balance detected!
[ 377.010750] 4.19.171-syzkaller #0 Not tainted
[ 377.015231] -------------------------------------
[ 377.020092] syz-executor.0/8426 is trying to release lock (&file->mut) at:
[ 377.027089] [] ucma_destroy_id+0x221/0x4a0
[ 377.032859] but there are no more locks to release!
[ 377.037847]
[ 377.037847] other info that might help us debug this:
[ 377.044488] 1 lock held by syz-executor.0/8426:
[ 377.049177] #0: 00000000605fed5e (&file->mut){+.+.}, at: ucma_destroy_id+0x1c2/0x4a0
[ 377.057135]
[ 377.057135] stack backtrace:
[ 377.061619] CPU: 1 PID: 8426 Comm: syz-executor.0 Not tainted 4.19.171-syzkaller #0
[ 377.069386] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 377.078713] Call Trace:
[ 377.081284] dump_stack+0x1fc/0x2ef
[ 377.084893] ? ucma_destroy_id+0x221/0x4a0
[ 377.089150] lock_release.cold+0xe/0x4a
[ 377.093112] ? lock_downgrade+0x720/0x720
[ 377.097236] ? ucma_destroy_id+0x1c2/0x4a0
[ 377.101447] ? __mutex_add_waiter+0x160/0x160
[ 377.105923] __mutex_unlock_slowpath+0x89/0x610
[ 377.110569] ? wait_for_completion_io+0x10/0x10
[ 377.115215] ? __radix_tree_lookup+0x216/0x370
[ 377.119773] ucma_destroy_id+0x221/0x4a0
[ 377.123829] ? ucma_query_route+0xdd0/0xdd0
[ 377.128145] ? __might_fault+0x192/0x1d0
[ 377.132236] ? _copy_from_user+0xd2/0x130
[ 377.136367] ? ucma_query_route+0xdd0/0xdd0
[ 377.140669] ucma_write+0x288/0x350
[ 377.144329] ? ucma_set_ib_path+0x5a0/0x5a0
[ 377.148635] ? mark_held_locks+0xf0/0xf0
[ 377.152725] __vfs_write+0xf7/0x770
[ 377.156334] ? ucma_set_ib_path+0x5a0/0x5a0
[ 377.160638] ? common_file_perm+0x4e5/0x850
[ 377.164939] ? kernel_read+0x110/0x110
[ 377.168808] ? apparmor_getprocattr+0x11d0/0x11d0
[ 377.173628] ? security_file_permission+0x1c0/0x220
[ 377.178639] vfs_write+0x1f3/0x540
[ 377.182160] ksys_write+0x12b/0x2a0
[ 377.185763] ? __ia32_sys_read+0xb0/0xb0
[ 377.189806] ? trace_hardirqs_off_caller+0x6e/0x210
[ 377.194838] ? do_syscall_64+0x21/0x620
[ 377.198789] do_syscall_64+0xf9/0x620
[ 377.202570] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 377.207785] RIP: 0033:0x45e219
[ 377.210955] Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 377.229833] RSP: 002b:00007f8d4394ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 377.237521] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
[ 377.244769] RDX: 0000000000000018 RSI: 0000000020000080 RDI: 0000000000000003
[ 377.252020] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 377.259273] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 377.266519] R13: 00007ffc93ddf79f R14: 00007f8d4394f9c0 R15: 000000000119c034
[ 377.276397] ==================================================================
[ 377.283784] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x96/0x610
[ 377.290967] Read of size 8 at addr ffff8880aaa80000 by task syz-executor.0/8426
[ 377.298400]
[ 377.300056] CPU: 1 PID: 8426 Comm: syz-executor.0 Not tainted 4.19.171-syzkaller #0
[ 377.307824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 377.317153] Call Trace:
[ 377.319772] dump_stack+0x1fc/0x2ef
[ 377.323385] print_address_description.cold+0x54/0x219
[ 377.328650] kasan_report_error.cold+0x8a/0x1b9
[ 377.333300] ? __mutex_unlock_slowpath+0x96/0x610
[ 377.338122] kasan_report+0x8f/0xa0
[ 377.341730] ? __mutex_unlock_slowpath+0x96/0x610
[ 377.346551] __mutex_unlock_slowpath+0x96/0x610
[ 377.351201] ? wait_for_completion_io+0x10/0x10
[ 377.355845] ? __radix_tree_lookup+0x216/0x370
[ 377.360406] ucma_destroy_id+0x221/0x4a0
[ 377.364486] ? ucma_query_route+0xdd0/0xdd0
[ 377.368792] ? __might_fault+0x192/0x1d0
[ 377.372845] ? _copy_from_user+0xd2/0x130
[ 377.376970] ? ucma_query_route+0xdd0/0xdd0
[ 377.381269] ucma_write+0x288/0x350
[ 377.384872] ? ucma_set_ib_path+0x5a0/0x5a0
[ 377.389174] ? mark_held_locks+0xf0/0xf0
[ 377.393230] __vfs_write+0xf7/0x770
[ 377.396849] ? ucma_set_ib_path+0x5a0/0x5a0
[ 377.401149] ? common_file_perm+0x4e5/0x850
[ 377.405557] ? kernel_read+0x110/0x110
[ 377.409424] ? apparmor_getprocattr+0x11d0/0x11d0
[ 377.414245] ? security_file_permission+0x1c0/0x220
[ 377.419241] vfs_write+0x1f3/0x540
[ 377.422760] ksys_write+0x12b/0x2a0
[ 377.426369] ? __ia32_sys_read+0xb0/0xb0
[ 377.430416] ? trace_hardirqs_off_caller+0x6e/0x210
[ 377.435410] ? do_syscall_64+0x21/0x620
[ 377.439361] do_syscall_64+0xf9/0x620
[ 377.443145] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 377.448311] RIP: 0033:0x45e219
[ 377.451485] Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 377.470362] RSP: 002b:00007f8d4394ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 377.478052] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
[ 377.485297] RDX: 0000000000000018 RSI: 0000000020000080 RDI: 0000000000000003
[ 377.492544] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 377.499789] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 377.507036] R13: 00007ffc93ddf79f R14: 00007f8d4394f9c0 R15: 000000000119c034
[ 377.514286]
[ 377.515889] Allocated by task 8422:
[ 377.519496] kmem_cache_alloc_trace+0x12f/0x380
[ 377.524143] ucma_open+0x4a/0x280
[ 377.527574] misc_open+0x372/0x4a0
[ 377.531092] chrdev_open+0x266/0x770
[ 377.534797] do_dentry_open+0x4aa/0x1160
[ 377.538848] path_openat+0x793/0x2df0
[ 377.542623] do_filp_open+0x18c/0x3f0
[ 377.546399] do_sys_open+0x3b3/0x520
[ 377.550087] do_syscall_64+0xf9/0x620
[ 377.553864] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 377.559038]
[ 377.560640] Freed by task 8421:
[ 377.563895] kfree+0xcc/0x210
[ 377.566977] ucma_close+0x2cf/0x360
[ 377.570580] __fput+0x2ce/0x890
[ 377.573837] task_work_run+0x148/0x1c0
[ 377.577701] exit_to_usermode_loop+0x251/0x2a0
[ 377.582274] do_syscall_64+0x538/0x620
[ 377.586154] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 377.591315]
[ 377.592923] The buggy address belongs to the object at ffff8880aaa80000
[ 377.592923] which belongs to the cache kmalloc-256 of size 256
[ 377.605645] The buggy address is located 0 bytes inside of
[ 377.605645] 256-byte region [ffff8880aaa80000, ffff8880aaa80100)
[ 377.617317] The buggy address belongs to the page:
[ 377.622237] page:ffffea0002aaa000 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
[ 377.630355] flags: 0xfff00000000100(slab)
[ 377.634489] raw: 00fff00000000100 ffffea0002d38d88 ffff88813bff1648 ffff88813bff07c0
[ 377.642346] raw: 0000000000000000 ffff8880aaa80000 000000010000000c 0000000000000000
[ 377.650199] page dumped because: kasan: bad access detected
[ 377.655880]
[ 377.657482] Memory state around the buggy address:
[ 377.662386] ffff8880aaa7ff00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 377.669719] ffff8880aaa7ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 377.677057] >ffff8880aaa80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 377.684408] ^
[ 377.687750] ffff8880aaa80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 377.695101] ffff8880aaa80100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 377.702440] ==================================================================
[ 377.715507] Kernel panic - not syncing: panic_on_warn set ...
[ 377.715507]
[ 377.722885] CPU: 1 PID: 8426 Comm: syz-executor.0 Tainted: G B 4.19.171-syzkaller #0
[ 377.732060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 377.741406] Call Trace:
[ 377.743999] dump_stack+0x1fc/0x2ef
[ 377.747624] panic+0x26a/0x50e
[ 377.750802] ? __warn_printk+0xf3/0xf3
[ 377.754667] ? preempt_schedule_common+0x45/0xc0
[ 377.759399] ? ___preempt_schedule+0x16/0x18
[ 377.763786] ? trace_hardirqs_on+0x55/0x210
[ 377.768086] kasan_end_report+0x43/0x49
[ 377.772040] kasan_report_error.cold+0xa7/0x1b9
[ 377.776688] ? __mutex_unlock_slowpath+0x96/0x610
[ 377.781507] kasan_report+0x8f/0xa0
[ 377.785113] ? __mutex_unlock_slowpath+0x96/0x610
[ 377.789935] __mutex_unlock_slowpath+0x96/0x610
[ 377.794594] ? wait_for_completion_io+0x10/0x10
[ 377.799255] ? __radix_tree_lookup+0x216/0x370
[ 377.803857] ucma_destroy_id+0x221/0x4a0
[ 377.807940] ? ucma_query_route+0xdd0/0xdd0
[ 377.812258] ? __might_fault+0x192/0x1d0
[ 377.816306] ? _copy_from_user+0xd2/0x130
[ 377.820442] ? ucma_query_route+0xdd0/0xdd0
[ 377.824747] ucma_write+0x288/0x350
[ 377.828369] ? ucma_set_ib_path+0x5a0/0x5a0
[ 377.832717] ? mark_held_locks+0xf0/0xf0
[ 377.836761] __vfs_write+0xf7/0x770
[ 377.840429] ? ucma_set_ib_path+0x5a0/0x5a0
[ 377.844784] ? common_file_perm+0x4e5/0x850
[ 377.849084] ? kernel_read+0x110/0x110
[ 377.852954] ? apparmor_getprocattr+0x11d0/0x11d0
[ 377.857813] ? security_file_permission+0x1c0/0x220
[ 377.862812] vfs_write+0x1f3/0x540
[ 377.866333] ksys_write+0x12b/0x2a0
[ 377.869941] ? __ia32_sys_read+0xb0/0xb0
[ 377.873983] ? trace_hardirqs_off_caller+0x6e/0x210
[ 377.878976] ? do_syscall_64+0x21/0x620
[ 377.882944] do_syscall_64+0xf9/0x620
[ 377.886767] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 377.891940] RIP: 0033:0x45e219
[ 377.895152] Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 377.914045] RSP: 002b:00007f8d4394ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 377.921766] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219
[ 377.929011] RDX: 0000000000000018 RSI: 0000000020000080 RDI: 0000000000000003
[ 377.936264] RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
[ 377.943517] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
[ 377.950805] R13: 00007ffc93ddf79f R14: 00007f8d4394f9c0 R15: 000000000119c034
[ 377.958817] Kernel Offset: disabled
[ 377.962425] Rebooting in 86400 seconds..