[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 34.892728] IPVS: ftp: loaded support on port[0] = 21
[ 58.037259] can: request_module (can-proto-0) failed.
[ 58.046488] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts.
2019/08/22 22:41:20 parsed 1 programs
2019/08/22 22:41:20 executed programs: 0
[ 66.611693] IPVS: ftp: loaded support on port[0] = 21
[ 66.615175] IPVS: ftp: loaded support on port[0] = 21
[ 66.624166] IPVS: ftp: loaded support on port[0] = 21
[ 66.636714] IPVS: ftp: loaded support on port[0] = 21
[ 66.652468] IPVS: ftp: loaded support on port[0] = 21
[ 66.660599] IPVS: ftp: loaded support on port[0] = 21
[ 67.368002] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.374770] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.390588] device bridge_slave_0 entered promiscuous mode
[ 67.399870] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.406408] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.414070] device bridge_slave_0 entered promiscuous mode
[ 67.444590] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.451423] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.464307] device bridge_slave_1 entered promiscuous mode
[ 67.473732] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.480372] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.487807] device bridge_slave_1 entered promiscuous mode
[ 67.495943] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.502663] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.509840] device bridge_slave_0 entered promiscuous mode
[ 67.517914] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.524393] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.533031] device bridge_slave_0 entered promiscuous mode
[ 67.541709] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.548289] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.556444] device bridge_slave_0 entered promiscuous mode
[ 67.573785] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.580485] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.591504] device bridge_slave_1 entered promiscuous mode
[ 67.599795] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.606770] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.614397] device bridge_slave_1 entered promiscuous mode
[ 67.623105] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.629607] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.637241] device bridge_slave_0 entered promiscuous mode
[ 67.644820] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.651372] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.658819] device bridge_slave_1 entered promiscuous mode
[ 67.678160] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.684600] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.699728] device bridge_slave_1 entered promiscuous mode
[ 67.774350] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 67.827823] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 67.840939] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 67.856048] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 67.879191] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 67.889522] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 67.907408] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 67.935178] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 67.961322] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 67.973354] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 67.986337] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 68.036055] team0: Port device team_slave_0 added
[ 68.059980] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 68.099398] team0: Port device team_slave_1 added
[ 68.164774] team0: Port device team_slave_0 added
[ 68.173763] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 68.195052] team0: Port device team_slave_0 added
[ 68.208501] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 68.223850] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.237507] team0: Port device team_slave_1 added
[ 68.244815] team0: Port device team_slave_0 added
[ 68.253655] team0: Port device team_slave_0 added
[ 68.270442] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 68.283971] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.297469] team0: Port device team_slave_1 added
[ 68.310880] team0: Port device team_slave_1 added
[ 68.325426] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 68.344220] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.352091] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.360705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 68.373890] team0: Port device team_slave_1 added
[ 68.382255] team0: Port device team_slave_0 added
[ 68.392553] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 68.401748] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.414189] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 68.423374] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.431472] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.440301] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 68.457771] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.476577] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 68.488758] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 68.496404] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.504180] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 68.512248] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.523140] team0: Port device team_slave_1 added
[ 68.540063] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 68.562401] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.570483] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.579267] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 68.587637] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.595366] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 68.603734] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 68.613020] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.628756] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.650728] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 68.660370] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.673477] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.686408] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 68.694836] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.715612] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.729327] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.741115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 68.751299] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.759527] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 68.785964] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.807947] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 68.816312] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.824754] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 68.841088] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.858218] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 69.135820] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.142622] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.149822] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.156576] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.168744] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 69.188909] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.195589] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.202834] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.209412] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.226163] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.240974] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.247681] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.255672] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.310879] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.318642] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.325411] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.331804] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.353012] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.359956] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.366628] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.373222] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.481916] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.488517] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.495476] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.501978] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.225015] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 70.232760] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 70.247398] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 70.254600] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 70.262114] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 71.000078] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.022207] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.049802] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.060590] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.075639] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.093808] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.322031] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.340097] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.359245] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.367429] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.379733] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.390586] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.413223] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.421190] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.490724] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.500336] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.519639] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.539325] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.548986] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.560840] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.574212] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.592693] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.685121] 8021q: adding VLAN 0 to HW filter on device team0
[ 71.701484] 8021q: adding VLAN 0 to HW filter on device team0
2019/08/22 22:41:26 executed programs: 6
[ 74.854994] 
[ 74.856875] =====================================
[ 74.862230] WARNING: bad unlock balance detected!
[ 74.867324] 5.3.0-rc5+ #1 Not tainted
[ 74.871478] -------------------------------------
[ 74.876404] syz-executor2/6873 is trying to release lock (&file->mut) at:
[ 74.883552] [] ucma_destroy_id+0x23e/0x400
[ 74.889344] but there are no more locks to release!
[ 74.894367] 
[ 74.894367] other info that might help us debug this:
[ 74.901380] 1 lock held by syz-executor2/6873:
[ 74.906145] #0: 00000000522dfda4 (&file->mut){+.+.}, at: ucma_destroy_id+0x1de/0x400
[ 74.914129] 
[ 74.914129] stack backtrace:
[ 74.918770] CPU: 1 PID: 6873 Comm: syz-executor2 Not tainted 5.3.0-rc5+ #1
[ 74.925865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.935644] Call Trace:
[ 74.938253] dump_stack+0x115/0x167
[ 74.942044] ? ucma_destroy_id+0x23e/0x400
[ 74.946289] ? ucma_destroy_id+0x23e/0x400
[ 74.950704] print_unlock_imbalance_bug.cold.54+0x114/0x123
[ 74.957414] lock_release+0x5f6/0x900
[ 74.961222] ? lock_downgrade+0x900/0x900
[ 74.965375] ? ucma_destroy_id+0x1b8/0x400
[ 74.969752] __mutex_unlock_slowpath+0x8f/0x6a0
[ 74.974621] ? wait_for_completion+0x460/0x460
[ 74.979368] mutex_unlock+0xd/0x10
[ 74.982908] ucma_destroy_id+0x23e/0x400
[ 74.987140] ? ucma_close+0x2d0/0x2d0
[ 74.990951] ? __kasan_check_write+0x14/0x20
[ 74.995355] ucma_write+0x206/0x2e0
[ 74.999548] ? ucma_open+0x250/0x250
[ 75.003810] ? apparmor_file_permission+0x15/0x20
[ 75.009384] ? security_file_permission+0x52/0x2a0
[ 75.014751] __vfs_write+0x61/0x110
[ 75.018369] vfs_write+0x191/0x4c0
[ 75.021906] ksys_write+0x197/0x220
[ 75.025607] ? __ia32_sys_read+0xa0/0xa0
[ 75.030075] ? do_syscall_64+0x21/0x550
[ 75.034125] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.039719] __x64_sys_write+0x6e/0xb0
[ 75.043599] do_syscall_64+0xd6/0x550
[ 75.047468] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.052653] RIP: 0033:0x4571d9
[ 75.055916] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 75.075483] RSP: 002b:00007f3c52ceac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 75.083292] RAX: ffffffffffffffda RBX: 00007f3c52ceb6d4 RCX: 00000000004571d9
[ 75.090660] RDX: 0000000000000018 RSI: 0000000020000480 RDI: 0000000000000005
[ 75.098140] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 75.105398] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 75.112831] R13: 00000000004d7510 R14: 00000000004c1848 R15: 0000000000000001
[ 75.122081] ==================================================================
[ 75.129714] BUG: KASAN: use-after-free in ucma_destroy_id+0x38c/0x400
[ 75.136480] Read of size 4 at addr ffff8881c69b49e0 by task syz-executor2/6873
[ 75.144246] 
[ 75.145945] CPU: 1 PID: 6873 Comm: syz-executor2 Not tainted 5.3.0-rc5+ #1
[ 75.153117] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.162899] Call Trace:
[ 75.165527] dump_stack+0x115/0x167
[ 75.169271] ? ucma_destroy_id+0x38c/0x400
[ 75.173669] print_address_description+0x6f/0x2fe
[ 75.178617] ? ucma_destroy_id+0x38c/0x400
[ 75.182841] ? ucma_destroy_id+0x38c/0x400
[ 75.187318] __kasan_report.cold.7+0x1b/0x3f
[ 75.191838] ? ucma_destroy_id+0x38c/0x400
[ 75.196058] kasan_report+0x12/0x17
[ 75.199674] __asan_report_load4_noabort+0x14/0x20
[ 75.204679] ucma_destroy_id+0x38c/0x400
[ 75.208849] ? ucma_close+0x2d0/0x2d0
[ 75.212715] ? __kasan_check_write+0x14/0x20
[ 75.217898] ucma_write+0x206/0x2e0
[ 75.232666] ? ucma_open+0x250/0x250
[ 75.236832] ? apparmor_file_permission+0x15/0x20
[ 75.241800] ? security_file_permission+0x52/0x2a0
[ 75.246867] __vfs_write+0x61/0x110
[ 75.250675] vfs_write+0x191/0x4c0
[ 75.254249] ksys_write+0x197/0x220
[ 75.257958] ? __ia32_sys_read+0xa0/0xa0
[ 75.262014] ? do_syscall_64+0x21/0x550
[ 75.266368] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.271875] __x64_sys_write+0x6e/0xb0
[ 75.275752] do_syscall_64+0xd6/0x550
[ 75.279544] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.284812] RIP: 0033:0x4571d9
[ 75.288270] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 75.308293] RSP: 002b:00007f3c52ceac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 75.316165] RAX: ffffffffffffffda RBX: 00007f3c52ceb6d4 RCX: 00000000004571d9
[ 75.323430] RDX: 0000000000000018 RSI: 0000000020000480 RDI: 0000000000000005
[ 75.330908] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 75.338184] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 75.345442] R13: 00000000004d7510 R14: 00000000004c1848 R15: 0000000000000001
[ 75.352706] 
[ 75.354342] Allocated by task 6860:
[ 75.358056] save_stack+0x21/0x90
[ 75.361499] __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 75.366422] kasan_kmalloc+0x9/0x10
[ 75.370130] kmem_cache_alloc_trace+0x15b/0x760
[ 75.374794] ucma_alloc_ctx+0x4c/0x430
[ 75.378671] ucma_create_id+0xeb/0x550
[ 75.382546] ucma_write+0x206/0x2e0
[ 75.386167] __vfs_write+0x61/0x110
[ 75.389794] vfs_write+0x191/0x4c0
[ 75.393538] ksys_write+0x197/0x220
[ 75.397408] __x64_sys_write+0x6e/0xb0
[ 75.401289] do_syscall_64+0xd6/0x550
[ 75.405083] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.410400] 
[ 75.412018] Freed by task 6858:
[ 75.415559] save_stack+0x21/0x90
[ 75.419003] __kasan_slab_free+0x11a/0x170
[ 75.423299] kasan_slab_free+0xe/0x10
[ 75.427092] kfree+0xfa/0x290
[ 75.430246] ucma_free_ctx+0x7a0/0xd50
[ 75.434380] ucma_close+0x109/0x2d0
[ 75.438113] __fput+0x25a/0x780
[ 75.441439] ____fput+0x9/0x10
[ 75.444619] task_work_run+0x10e/0x190
[ 75.448556] exit_to_usermode_loop+0x1be/0x210
[ 75.453478] do_syscall_64+0x468/0x550
[ 75.457350] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.462522] 
[ 75.464159] The buggy address belongs to the object at ffff8881c69b4940
[ 75.464159] which belongs to the cache kmalloc-256 of size 256
[ 75.476972] The buggy address is located 160 bytes inside of
[ 75.476972] 256-byte region [ffff8881c69b4940, ffff8881c69b4a40)
[ 75.489031] The buggy address belongs to the page:
[ 75.494072] page:ffffea00071a6d00 refcount:1 mapcount:0 mapping:ffff8881da0008c0 index:0x0
[ 75.502772] flags: 0x2fffc0000000200(slab)
[ 75.507083] raw: 02fffc0000000200 ffffea000726b208 ffffea000748b1c8 ffff8881da0008c0
[ 75.515088] raw: 0000000000000000 ffff8881c69b4080 000000010000000c 0000000000000000
[ 75.522951] page dumped because: kasan: bad access detected
[ 75.528646] 
[ 75.530261] Memory state around the buggy address:
[ 75.535457] ffff8881c69b4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.542936] ffff8881c69b4900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 75.550666] >ffff8881c69b4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.558191] ^
[ 75.564963] ffff8881c69b4a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 75.572436] ffff8881c69b4a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.579953] ==================================================================
[ 75.587878] Kernel panic - not syncing: panic_on_warn set ...
[ 75.593901] CPU: 1 PID: 6873 Comm: syz-executor2 Tainted: G B 5.3.0-rc5+ #1
[ 75.602289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.611968] Call Trace:
[ 75.614557] dump_stack+0x115/0x167
[ 75.618181] ? ucma_destroy_id+0x360/0x400
[ 75.622400] panic+0x223/0x4ee
[ 75.625662] ? add_taint.cold.7+0x11/0x11
[ 75.629976] ? do_raw_spin_unlock+0x54/0x260
[ 75.634550] ? do_raw_spin_unlock+0x54/0x260
[ 75.638950] ? ucma_destroy_id+0x38c/0x400
[ 75.643179] ? ucma_destroy_id+0x38c/0x400
[ 75.647400] end_report+0x47/0x4f
[ 75.650837] __kasan_report.cold.7+0xe/0x3f
[ 75.655146] ? ucma_destroy_id+0x38c/0x400
[ 75.659378] kasan_report+0x12/0x17
[ 75.663005] __asan_report_load4_noabort+0x14/0x20
[ 75.667942] ucma_destroy_id+0x38c/0x400
[ 75.672087] ? ucma_close+0x2d0/0x2d0
[ 75.675883] ? __kasan_check_write+0x14/0x20
[ 75.680297] ucma_write+0x206/0x2e0
[ 75.683998] ? ucma_open+0x250/0x250
[ 75.687817] ? apparmor_file_permission+0x15/0x20
[ 75.692945] ? security_file_permission+0x52/0x2a0
[ 75.698174] __vfs_write+0x61/0x110
[ 75.701801] vfs_write+0x191/0x4c0
[ 75.705331] ksys_write+0x197/0x220
[ 75.709501] ? __ia32_sys_read+0xa0/0xa0
[ 75.713588] ? do_syscall_64+0x21/0x550
[ 75.717557] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.723041] __x64_sys_write+0x6e/0xb0
[ 75.726913] do_syscall_64+0xd6/0x550
[ 75.730715] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.736443] RIP: 0033:0x4571d9
[ 75.739619] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 75.759158] RSP: 002b:00007f3c52ceac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 75.767117] RAX: ffffffffffffffda RBX: 00007f3c52ceb6d4 RCX: 00000000004571d9
[ 75.774489] RDX: 0000000000000018 RSI: 0000000020000480 RDI: 0000000000000005
[ 75.781886] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 75.789139] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 75.796555] R13: 00000000004d7510 R14: 00000000004c1848 R15: 0000000000000001
[ 75.804882] Kernel Offset: disabled
[ 75.808687] Rebooting in 86400 seconds..