[ ok ] Starting enhanced syslogd: rsyslogd.
[ 53.294388][ T27] audit: type=1800 audit(1582784866.102:25): pid=8906 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 53.313394][ T27] audit: type=1800 audit(1582784866.102:26): pid=8906 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 53.339093][ T27] audit: type=1800 audit(1582784866.102:27): pid=8906 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
2020/02/27 06:29:15 parsed 1 programs
2020/02/27 06:29:17 executed programs: 0
syzkaller login: [ 144.432980][ T9073] IPVS: ftp: loaded support on port[0] = 21
[ 144.485432][ T9073] chnl_net:caif_netlink_parms(): no params data found
[ 144.521761][ T9073] bridge0: port 1(bridge_slave_0) entered blocking state
[ 144.529237][ T9073] bridge0: port 1(bridge_slave_0) entered disabled state
[ 144.536993][ T9073] device bridge_slave_0 entered promiscuous mode
[ 144.545768][ T9073] bridge0: port 2(bridge_slave_1) entered blocking state
[ 144.553148][ T9073] bridge0: port 2(bridge_slave_1) entered disabled state
[ 144.561297][ T9073] device bridge_slave_1 entered promiscuous mode
[ 144.577316][ T9073] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 144.588317][ T9073] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 144.607294][ T9073] team0: Port device team_slave_0 added
[ 144.615352][ T9073] team0: Port device team_slave_1 added
[ 144.628795][ T9073] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 144.635953][ T9073] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 144.662097][ T9073] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 144.674812][ T9073] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 144.681969][ T9073] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 144.707963][ T9073] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 144.781662][ T9073] device hsr_slave_0 entered promiscuous mode
[ 144.819489][ T9073] device hsr_slave_1 entered promiscuous mode
[ 144.942512][ T9073] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 144.991439][ T9073] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 145.041444][ T9073] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 145.081871][ T9073] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 145.143732][ T9073] bridge0: port 2(bridge_slave_1) entered blocking state
[ 145.151099][ T9073] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 145.158863][ T9073] bridge0: port 1(bridge_slave_0) entered blocking state
[ 145.166086][ T9073] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 145.205182][ T9073] 8021q: adding VLAN 0 to HW filter on device bond0
[ 145.218571][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 145.228620][ T2712] bridge0: port 1(bridge_slave_0) entered disabled state
[ 145.237481][ T2712] bridge0: port 2(bridge_slave_1) entered disabled state
[ 145.245650][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 145.258595][ T9073] 8021q: adding VLAN 0 to HW filter on device team0
[ 145.268612][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 145.277947][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 145.285083][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 145.296102][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 145.305273][ T2712] bridge0: port 2(bridge_slave_1) entered blocking state
[ 145.312439][ T2712] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 145.331187][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 145.347745][ T9073] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 145.359517][ T9073] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 145.371748][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 145.381407][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 145.389881][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 145.398732][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 145.407243][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 145.426677][ T9073] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 145.434104][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 145.442134][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 145.460366][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 145.481560][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 145.490054][ T2731] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 145.498503][ T9073] device veth0_vlan entered promiscuous mode
[ 145.507266][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 145.515712][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 145.530039][ T9073] device veth1_vlan entered promiscuous mode
[ 145.548478][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 145.558147][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 145.566503][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 145.575369][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 145.585722][ T9073] device veth0_macvtap entered promiscuous mode
[ 145.598742][ T9073] device veth1_macvtap entered promiscuous mode
[ 145.613462][ T9073] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 145.622062][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 145.630249][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 145.638190][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 145.647165][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 145.658865][ T9073] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 145.666311][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 145.675649][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/02/27 06:29:22 executed programs: 67
[ 153.147413][T10662]
[ 153.149843][T10662] =====================================
[ 153.155381][T10662] WARNING: bad unlock balance detected!
[ 153.160948][T10662] 5.6.0-rc3-syzkaller #0 Not tainted
[ 153.166363][T10662] -------------------------------------
[ 153.171902][T10662] syz-executor.0/10662 is trying to release lock (
[ 153.171906][T10662] ==================================================================
[ 153.186553][T10662] BUG: KASAN: use-after-free in print_unlock_imbalance_bug+0x16f/0x240
[ 153.194784][T10662] Read of size 8 at addr ffff888097b80478 by task syz-executor.0/10662
[ 153.203111][T10662]
[ 153.205432][T10662] CPU: 1 PID: 10662 Comm: syz-executor.0 Not tainted 5.6.0-rc3-syzkaller #0
[ 153.214086][T10662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 153.224134][T10662] Call Trace:
[ 153.227463][T10662] dump_stack+0x1fb/0x318
[ 153.231785][T10662] print_address_description+0x74/0x5c0
[ 153.237370][T10662] ? vprintk_default+0x28/0x30
[ 153.242119][T10662] ? vprintk_func+0x158/0x170
[ 153.246789][T10662] ? printk+0x62/0x8d
[ 153.250763][T10662] __kasan_report+0x149/0x1c0
[ 153.255429][T10662] ? print_unlock_imbalance_bug+0x16f/0x240
[ 153.261538][T10662] ? ucma_destroy_id+0x212/0x400
[ 153.266599][T10662] kasan_report+0x26/0x50
[ 153.270928][T10662] __asan_report_load8_noabort+0x14/0x20
[ 153.276555][T10662] print_unlock_imbalance_bug+0x16f/0x240
[ 153.282486][T10662] ? mutex_optimistic_spin+0x32a/0x470
[ 153.287939][T10662] lock_release+0x469/0x710
[ 153.292431][T10662] ? ucma_destroy_id+0x212/0x400
[ 153.297356][T10662] ? ucma_destroy_id+0x212/0x400
[ 153.302409][T10662] __mutex_unlock_slowpath+0x80/0x5b0
[ 153.307776][T10662] mutex_unlock+0xd/0x10
[ 153.312164][T10662] ucma_destroy_id+0x212/0x400
[ 153.316919][T10662] ? ucma_create_id+0x540/0x540
[ 153.321755][T10662] ucma_write+0x2da/0x360
[ 153.326083][T10662] ? ucma_get_global_nl_info+0x70/0x70
[ 153.331542][T10662] __vfs_write+0xb8/0x740
[ 153.335883][T10662] ? security_file_permission+0x147/0x340
[ 153.341602][T10662] ? rw_verify_area+0x1c2/0x360
[ 153.346456][T10662] vfs_write+0x270/0x580
[ 153.350699][T10662] ksys_write+0x117/0x220
[ 153.355019][T10662] __x64_sys_write+0x7b/0x90
[ 153.359593][T10662] do_syscall_64+0xf7/0x1c0
[ 153.364098][T10662] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 153.369977][T10662] RIP: 0033:0x45c449
[ 153.373859][T10662] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 153.393489][T10662] RSP: 002b:00007fac5454ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 153.401884][T10662] RAX: ffffffffffffffda RBX: 00007fac5454f6d4 RCX: 000000000045c449
[ 153.409991][T10662] RDX: 0000000000000018 RSI: 0000000020000200 RDI: 0000000000000006
[ 153.417952][T10662] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 153.425911][T10662] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 153.433869][T10662] R13: 0000000000000cb7 R14: 00000000004d7b10 R15: 000000000076bf2c
[ 153.441850][T10662]
[ 153.444163][T10662] Allocated by task 10666:
[ 153.448558][T10662] __kasan_kmalloc+0x118/0x1c0
[ 153.453302][T10662] kasan_kmalloc+0x9/0x10
[ 153.457606][T10662] kmem_cache_alloc_trace+0x221/0x2f0
[ 153.462961][T10662] ucma_open+0x57/0x1f0
[ 153.467215][T10662] misc_open+0x3ea/0x440
[ 153.471554][T10662] chrdev_open+0x509/0x590
[ 153.475955][T10662] do_dentry_open+0x85b/0x10c0
[ 153.480838][T10662] vfs_open+0x73/0x80
[ 153.484800][T10662] path_openat+0x16f1/0x4380
[ 153.489610][T10662] do_filp_open+0x192/0x3d0
[ 153.494102][T10662] do_sys_openat2+0x42b/0x6f0
[ 153.498796][T10662] __x64_sys_openat+0x1e6/0x210
[ 153.503720][T10662] do_syscall_64+0xf7/0x1c0
[ 153.508264][T10662] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 153.514138][T10662]
[ 153.516452][T10662] Freed by task 10661:
[ 153.520564][T10662] __kasan_slab_free+0x12e/0x1e0
[ 153.525521][T10662] kasan_slab_free+0xe/0x10
[ 153.530092][T10662] kfree+0x10d/0x220
[ 153.534064][T10662] ucma_close+0x2b3/0x2d0
[ 153.538442][T10662] __fput+0x2e4/0x740
[ 153.542483][T10662] ____fput+0x15/0x20
[ 153.547497][T10662] task_work_run+0x176/0x1b0
[ 153.552141][T10662] prepare_exit_to_usermode+0x480/0x5b0
[ 153.557801][T10662] syscall_return_slowpath+0x113/0x4a0
[ 153.563265][T10662] do_syscall_64+0x11f/0x1c0
[ 153.567862][T10662] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 153.574634][T10662]
[ 153.577081][T10662] The buggy address belongs to the object at ffff888097b80400
[ 153.577081][T10662]  which belongs to the cache kmalloc-256 of size 256
[ 153.591312][T10662] The buggy address is located 120 bytes inside of
[ 153.591312][T10662]  256-byte region [ffff888097b80400, ffff888097b80500)
[ 153.604603][T10662] The buggy address belongs to the page:
[ 153.610237][T10662] page:ffffea00025ee000 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
[ 153.619335][T10662] flags: 0xfffe0000000200(slab)
[ 153.624300][T10662] raw: 00fffe0000000200 ffffea0002606988 ffffea0002699848 ffff8880aa4008c0
[ 153.633003][T10662] raw: 0000000000000000 ffff888097b80000 0000000100000008 0000000000000000
[ 153.641607][T10662] page dumped because: kasan: bad access detected
[ 153.648032][T10662]
[ 153.650353][T10662] Memory state around the buggy address:
[ 153.656092][T10662]  ffff888097b80300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 153.664405][T10662]  ffff888097b80380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 153.672752][T10662] >ffff888097b80400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 153.680943][T10662]                                                                 ^
[ 153.688960][T10662]  ffff888097b80480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 153.697038][T10662]  ffff888097b80500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 153.705203][T10662] ==================================================================
[ 153.713307][T10662] Kernel panic - not syncing: panic_on_warn set ...
[ 153.719890][T10662] CPU: 1 PID: 10662 Comm: syz-executor.0 Tainted: G B 5.6.0-rc3-syzkaller #0
[ 153.730038][T10662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 153.740099][T10662] Call Trace:
[ 153.743397][T10662] dump_stack+0x1fb/0x318
[ 153.747748][T10662] panic+0x264/0x7a9
[ 153.751642][T10662] ? do_raw_spin_unlock+0x142/0x950
[ 153.756859][T10662] ? trace_hardirqs_off+0x1a/0x80
[ 153.761899][T10662] __kasan_report+0x1b9/0x1c0
[ 153.766580][T10662] ? print_unlock_imbalance_bug+0x16f/0x240
[ 153.772524][T10662] ? ucma_destroy_id+0x212/0x400
[ 153.777513][T10662] kasan_report+0x26/0x50
[ 153.781901][T10662] __asan_report_load8_noabort+0x14/0x20
[ 153.787655][T10662] print_unlock_imbalance_bug+0x16f/0x240
[ 153.793419][T10662] ? mutex_optimistic_spin+0x32a/0x470
[ 153.798883][T10662] lock_release+0x469/0x710
[ 153.803618][T10662] ? ucma_destroy_id+0x212/0x400
[ 153.808560][T10662] ? ucma_destroy_id+0x212/0x400
[ 153.814037][T10662] __mutex_unlock_slowpath+0x80/0x5b0
[ 153.819589][T10662] mutex_unlock+0xd/0x10
[ 153.823947][T10662] ucma_destroy_id+0x212/0x400
[ 153.828885][T10662] ? ucma_create_id+0x540/0x540
[ 153.833733][T10662] ucma_write+0x2da/0x360
[ 153.838061][T10662] ? ucma_get_global_nl_info+0x70/0x70
[ 153.843521][T10662] __vfs_write+0xb8/0x740
[ 153.847856][T10662] ? security_file_permission+0x147/0x340
[ 153.853722][T10662] ? rw_verify_area+0x1c2/0x360
[ 153.858722][T10662] vfs_write+0x270/0x580
[ 153.863216][T10662] ksys_write+0x117/0x220
[ 153.867845][T10662] __x64_sys_write+0x7b/0x90
[ 153.872462][T10662] do_syscall_64+0xf7/0x1c0
[ 153.877095][T10662] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 153.883050][T10662] RIP: 0033:0x45c449
[ 153.886939][T10662] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 153.906739][T10662] RSP: 002b:00007fac5454ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 153.915135][T10662] RAX: ffffffffffffffda RBX: 00007fac5454f6d4 RCX: 000000000045c449
[ 153.923112][T10662] RDX: 0000000000000018 RSI: 0000000020000200 RDI: 0000000000000006
[ 153.931111][T10662] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 153.939222][T10662] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 153.947274][T10662] R13: 0000000000000cb7 R14: 00000000004d7b10 R15: 000000000076bf2c
[ 153.956424][T10662] Kernel Offset: disabled
[ 153.960818][T10662] Rebooting in 86400 seconds..