[ ok ] Starting enhanced syslogd: rsyslogd.
[ 40.719233] audit: type=1800 audit(1546569755.712:25): pid=7924 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 40.752655] audit: type=1800 audit(1546569755.712:26): pid=7924 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.787303] audit: type=1800 audit(1546569755.712:27): pid=7924 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 45.389978] sshd (8060) used greatest stack depth: 19848 bytes left
Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
2019/01/04 02:42:47 parsed 1 programs
2019/01/04 02:42:49 executed programs: 0
[ 54.523450] IPVS: ftp: loaded support on port[0] = 21
[ 54.589789] chnl_net:caif_netlink_parms(): no params data found
[ 54.619443] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.626142] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.633147] device bridge_slave_0 entered promiscuous mode
[ 54.640341] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.646772] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.653946] device bridge_slave_1 entered promiscuous mode
[ 54.670726] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.679373] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.695287] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.702689] team0: Port device team_slave_0 added
[ 54.707983] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.715202] team0: Port device team_slave_1 added
[ 54.720384] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.727682] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.784826] device hsr_slave_0 entered promiscuous mode
[ 54.832706] device hsr_slave_1 entered promiscuous mode
[ 54.892983] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.899850] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.913770] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.920211] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.927007] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.933373] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.966345] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 54.972725] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.980369] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.988768] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.997960] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.005231] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.012488] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 55.022360] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 55.028636] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.037457] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.045261] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.051585] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.072171] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 55.082603] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 55.093272] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 55.100172] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.108489] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.114860] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.122478] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.130081] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.137617] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.145228] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.152712] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.159408] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.171913] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 55.181788] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 58.798825]
[ 58.800493] =====================================
[ 58.805329] WARNING: bad unlock balance detected!
[ 58.810172] 4.20.0+ #8 Not tainted
[ 58.813692] -------------------------------------
[ 58.818528] syz-executor0/9089 is trying to release lock (&file->mut) at:
[ 58.825457] [] ucma_destroy_id+0x269/0x540
[ 58.831229] but there are no more locks to release!
[ 58.836222]
[ 58.836222] other info that might help us debug this:
[ 58.842878] 1 lock held by syz-executor0/9089:
[ 58.847447] #0: 000000008dbfbb38 (&file->mut){+.+.}, at: ucma_destroy_id+0x209/0x540
[ 58.855404]
[ 58.855404] stack backtrace:
[ 58.859883] CPU: 1 PID: 9089 Comm: syz-executor0 Not tainted 4.20.0+ #8
[ 58.866611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.875946] Call Trace:
[ 58.878516] dump_stack+0x1db/0x2d0
[ 58.882143] ? dump_stack_print_info.cold+0x20/0x20
[ 58.887138] ? ucma_destroy_id+0x269/0x540
[ 58.891355] ? print_tainted+0x176/0x1e0
[ 58.895399] ? vprintk_func+0x86/0x189
[ 58.899267] ? ucma_destroy_id+0x269/0x540
[ 58.903484] print_unlock_imbalance_bug.cold+0xd0/0xdf
[ 58.908744] ? ucma_destroy_id+0x269/0x540
[ 58.912962] lock_release+0x77a/0xc40
[ 58.916742] ? lock_downgrade+0x910/0x910
[ 58.920875] ? __radix_tree_delete+0x27e/0x4e0
[ 58.925440] ? idr_preload+0x50/0x50
[ 58.929141] ? __radix_tree_lookup+0x3aa/0x4f0
[ 58.933704] __mutex_unlock_slowpath+0xe9/0x870
[ 58.938354] ? wait_for_completion+0x810/0x810
[ 58.942922] mutex_unlock+0xd/0x10
[ 58.946463] ucma_destroy_id+0x269/0x540
[ 58.950506] ? ucma_close+0x320/0x320
[ 58.954292] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 58.959826] ? _copy_from_user+0xdd/0x150
[ 58.963965] ucma_write+0x36b/0x480
[ 58.967577] ? ucma_close+0x320/0x320
[ 58.971360] ? ucma_open+0x400/0x400
[ 58.975053] ? __might_fault+0x12b/0x1e0
[ 58.979094] ? find_held_lock+0x35/0x120
[ 58.983138] __vfs_write+0x116/0xb40
[ 58.986836] ? ucma_open+0x400/0x400
[ 58.990533] ? kernel_read+0x120/0x120
[ 58.994404] ? fget_raw+0x20/0x20
[ 58.997840] ? trace_hardirqs_off_caller+0x300/0x300
[ 59.002927] ? apparmor_file_permission+0x25/0x30
[ 59.007791] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.013325] ? security_file_permission+0x94/0x320
[ 59.018237] ? rw_verify_area+0x118/0x360
[ 59.022377] vfs_write+0x20c/0x580
[ 59.025908] ksys_write+0x105/0x260
[ 59.029517] ? __ia32_sys_read+0xb0/0xb0
[ 59.033562] ? trace_hardirqs_off_caller+0x300/0x300
[ 59.038681] ? ret_from_fork+0x15/0x50
[ 59.042551] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 59.047300] __x64_sys_write+0x73/0xb0
[ 59.051192] do_syscall_64+0x1a3/0x800
[ 59.055089] ? syscall_return_slowpath+0x5f0/0x5f0
[ 59.060005] ? prepare_exit_to_usermode+0x232/0x3b0
[ 59.065005] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.070043] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.075230] RIP: 0033:0x457ec9
[ 59.078406] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.097305] RSP: 002b:00007f6450b47c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 59.104992] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[ 59.112239] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[ 59.119490] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 59.126749] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6450b486d4
[ 59.133997] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff