Warning: Permanently added '10.128.0.122' (ECDSA) to the list of known hosts.
2019/07/17 07:03:24 parsed 1 programs
2019/07/17 07:03:25 executed programs: 0
syzkaller login: [ 75.436744][ T9307] IPVS: ftp: loaded support on port[0] = 21
[ 75.500726][ T9307] chnl_net:caif_netlink_parms(): no params data found
[ 75.530487][ T9307] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.538571][ T9307] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.546620][ T9307] device bridge_slave_0 entered promiscuous mode
[ 75.554582][ T9307] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.562088][ T9307] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.569824][ T9307] device bridge_slave_1 entered promiscuous mode
[ 75.586214][ T9307] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 75.596545][ T9307] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 75.614329][ T9307] team0: Port device team_slave_0 added
[ 75.621808][ T9307] team0: Port device team_slave_1 added
[ 75.678017][ T9307] device hsr_slave_0 entered promiscuous mode
[ 75.715354][ T9307] device hsr_slave_1 entered promiscuous mode
[ 75.763863][ T9307] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.771037][ T9307] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.778846][ T9307] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.785949][ T9307] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.820948][ T9307] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.832495][ T2980] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.842482][ T2980] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.850887][ T2980] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.858926][ T2980] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 75.871893][ T9307] 8021q: adding VLAN 0 to HW filter on device team0
[ 75.882500][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 75.891177][ T3511] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.898320][ T3511] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.915673][ T2980] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 75.923984][ T2980] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.931386][ T2980] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.939436][ T2980] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 75.948753][ T9309] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 75.959829][ T2980] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 75.972937][ T9307] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 75.984461][ T9307] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 75.997141][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 76.006311][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 76.014668][ T3511] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 76.029841][ T9307] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/07/17 07:03:30 executed programs: 9
2019/07/17 07:03:36 executed programs: 16
[ 87.847428][ T9803]
[ 87.849811][ T9803] =========================
[ 87.854307][ T9803] WARNING: held lock freed!
[ 87.858808][ T9803] 5.2.0-next-20190717 #40 Not tainted
[ 87.864177][ T9803] -------------------------
[ 87.868722][ T9803] syz-executor.0/9803 is freeing memory ffff8880a839e100-ffff8880a839e8ff, with a lock still held there!
[ 87.879928][ T9803] 000000009d01f55d (sk_lock-AF_NETROM){+.+.}, at: nr_release+0x130/0x3e0
[ 87.888363][ T9803] 2 locks held by syz-executor.0/9803:
[ 87.893827][ T9803] #0: 000000005a2da2bd (&sb->s_type->i_mutex_key#12){+.+.}, at: __sock_release+0x89/0x280
[ 87.903867][ T9803] #1: 000000009d01f55d (sk_lock-AF_NETROM){+.+.}, at: nr_release+0x130/0x3e0
[ 87.912742][ T9803]
[ 87.912742][ T9803] stack backtrace:
[ 87.918912][ T9803] CPU: 1 PID: 9803 Comm: syz-executor.0 Not tainted 5.2.0-next-20190717 #40
[ 87.927587][ T9803] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 87.937658][ T9803] Call Trace:
[ 87.941084][ T9803]  dump_stack+0x172/0x1f0
[ 87.945434][ T9803]  debug_check_no_locks_freed.cold+0x9d/0xa9
[ 87.951429][ T9803]  ? trace_hardirqs_off+0x62/0x240
[ 87.956558][ T9803]  kfree+0xec/0x2c0
[ 87.960377][ T9803]  __sk_destruct+0x4f7/0x6e0
[ 87.965076][ T9803]  sk_destruct+0x86/0xa0
[ 87.969343][ T9803]  __sk_free+0xfb/0x360
[ 87.973521][ T9803]  sk_free+0x42/0x50
[ 87.977437][ T9803]  nr_destroy_socket+0x3ea/0x4a0
[ 87.982472][ T9803]  nr_release+0x347/0x3e0
[ 87.986823][ T9803]  __sock_release+0xce/0x280
[ 87.991431][ T9803]  sock_close+0x1e/0x30
[ 87.995595][ T9803]  __fput+0x2ff/0x890
[ 87.999591][ T9803]  ? __sock_release+0x280/0x280
[ 88.004450][ T9803]  ____fput+0x16/0x20
[ 88.008445][ T9803]  task_work_run+0x145/0x1c0
[ 88.013051][ T9803]  exit_to_usermode_loop+0x316/0x380
[ 88.018459][ T9803]  do_syscall_64+0x5a9/0x6a0
[ 88.023070][ T9803]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 88.029227][ T9803] RIP: 0033:0x413501
[ 88.033140][ T9803] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 88.052940][ T9803] RSP: 002b:00007fff96b119c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 88.061541][ T9803] RAX: 0000000000000000 RBX: 0000000000000009 RCX: 0000000000413501
[ 88.069534][ T9803] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
[ 88.077521][ T9803] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 88.085591][ T9803] R10: 00007fff96b11aa0 R11: 0000000000000293 R12: 000000000075c9a0
[ 88.093573][ T9803] R13: 000000000075c9a0 R14: 0000000000760ef0 R15: ffffffffffffffff
[ 88.185677][ T9803] ==================================================================
[ 88.193836][ T9803] BUG: KASAN: use-after-free in do_raw_spin_lock+0x28a/0x2e0
[ 88.201220][ T9803] Read of size 4 at addr ffff8880a839e18c by task syz-executor.0/9803
[ 88.209406][ T9803]
[ 88.211747][ T9803] CPU: 0 PID: 9803 Comm: syz-executor.0 Not tainted 5.2.0-next-20190717 #40
[ 88.220426][ T9803] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 88.231996][ T9803] Call Trace:
[ 88.235302][ T9803]  dump_stack+0x172/0x1f0
[ 88.239648][ T9803]  ? do_raw_spin_lock+0x28a/0x2e0
[ 88.244699][ T9803]  print_address_description.cold+0xd4/0x306
[ 88.258014][ T9803]  ? do_raw_spin_lock+0x28a/0x2e0
[ 88.263395][ T9803]  ? do_raw_spin_lock+0x28a/0x2e0
[ 88.268427][ T9803]  __kasan_report.cold+0x1b/0x36
[ 88.273374][ T9803]  ? do_raw_spin_lock+0x28a/0x2e0
[ 88.278410][ T9803]  kasan_report+0x12/0x17
[ 88.282753][ T9803]  __asan_report_load4_noabort+0x14/0x20
[ 88.288394][ T9803]  do_raw_spin_lock+0x28a/0x2e0
[ 88.293254][ T9803]  ? rwlock_bug.part.0+0x90/0x90
[ 88.298207][ T9803]  ? lock_acquire+0x190/0x410
[ 88.302897][ T9803]  ? release_sock+0x20/0x1c0
[ 88.307497][ T9803]  ? __sk_free+0x100/0x360
[ 88.311922][ T9803]  _raw_spin_lock_bh+0x3b/0x50
[ 88.316696][ T9803]  ? release_sock+0x20/0x1c0
[ 88.321399][ T9803]  release_sock+0x20/0x1c0
[ 88.325822][ T9803]  nr_release+0x303/0x3e0
[ 88.330161][ T9803]  __sock_release+0xce/0x280
[ 88.334764][ T9803]  sock_close+0x1e/0x30
[ 88.338924][ T9803]  __fput+0x2ff/0x890
[ 88.342920][ T9803]  ? __sock_release+0x280/0x280
[ 88.347774][ T9803]  ____fput+0x16/0x20
[ 88.351760][ T9803]  task_work_run+0x145/0x1c0
[ 88.356370][ T9803]  exit_to_usermode_loop+0x316/0x380
[ 88.361690][ T9803]  do_syscall_64+0x5a9/0x6a0
[ 88.366320][ T9803]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 88.372221][ T9803] RIP: 0033:0x413501
[ 88.376120][ T9803] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 88.396005][ T9803] RSP: 002b:00007fff96b119c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 88.404432][ T9803] RAX: 0000000000000000 RBX: 0000000000000009 RCX: 0000000000413501
[ 88.412414][ T9803] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
[ 88.420484][ T9803] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 88.428496][ T9803] R10: 00007fff96b11aa0 R11: 0000000000000293 R12: 000000000075c9a0
[ 88.436570][ T9803] R13: 000000000075c9a0 R14: 0000000000760ef0 R15: ffffffffffffffff
[ 88.444554][ T9803]
[ 88.446885][ T9803] Allocated by task 3900:
[ 88.451227][ T9803]  save_stack+0x23/0x90
[ 88.455396][ T9803]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 88.461039][ T9803]  kasan_kmalloc+0x9/0x10
[ 88.465376][ T9803]  __kmalloc+0x163/0x770
[ 88.469687][ T9803]  sk_prot_alloc+0x23a/0x310
[ 88.474535][ T9803]  sk_alloc+0x39/0xf70
[ 88.478614][ T9803]  nr_rx_frame+0x733/0x1e73
[ 88.483320][ T9803]  nr_loopback_timer+0x7b/0x170
[ 88.488173][ T9803]  call_timer_fn+0x1ac/0x780
[ 88.492773][ T9803]  run_timer_softirq+0x697/0x17a0
[ 88.498001][ T9803]  __do_softirq+0x262/0x98c
[ 88.502493][ T9803]
[ 88.504822][ T9803] Freed by task 9803:
[ 88.508817][ T9803]  save_stack+0x23/0x90
[ 88.513150][ T9803]  __kasan_slab_free+0x102/0x150
[ 88.518107][ T9803]  kasan_slab_free+0xe/0x10
[ 88.522612][ T9803]  kfree+0x10a/0x2c0
[ 88.526507][ T9803]  __sk_destruct+0x4f7/0x6e0
[ 88.531107][ T9803]  sk_destruct+0x86/0xa0
[ 88.535461][ T9803]  __sk_free+0xfb/0x360
[ 88.539637][ T9803]  sk_free+0x42/0x50
[ 88.543537][ T9803]  nr_destroy_socket+0x3ea/0x4a0
[ 88.548478][ T9803]  nr_release+0x347/0x3e0
[ 88.552814][ T9803]  __sock_release+0xce/0x280
[ 88.557404][ T9803]  sock_close+0x1e/0x30
[ 88.561566][ T9803]  __fput+0x2ff/0x890
[ 88.565548][ T9803]  ____fput+0x16/0x20
[ 88.569533][ T9803]  task_work_run+0x145/0x1c0
[ 88.574129][ T9803]  exit_to_usermode_loop+0x316/0x380
[ 88.579413][ T9803]  do_syscall_64+0x5a9/0x6a0
[ 88.584013][ T9803]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 88.589983][ T9803]
[ 88.592348][ T9803] The buggy address belongs to the object at ffff8880a839e100
[ 88.592348][ T9803]  which belongs to the cache kmalloc-2k of size 2048
[ 88.606404][ T9803] The buggy address is located 140 bytes inside of
[ 88.606404][ T9803]  2048-byte region [ffff8880a839e100, ffff8880a839e900)
[ 88.619942][ T9803] The buggy address belongs to the page:
[ 88.625587][ T9803] page:ffffea0002a0e780 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 88.636525][ T9803] flags: 0x1fffc0000010200(slab|head)
[ 88.641911][ T9803] raw: 01fffc0000010200 ffffea00023d8d08 ffffea0002818008 ffff8880aa400e00
[ 88.650507][ T9803] raw: 0000000000000000 ffff8880a839e100 0000000100000003 0000000000000000
[ 88.659093][ T9803] page dumped because: kasan: bad access detected
[ 88.665530][ T9803]
[ 88.667856][ T9803] Memory state around the buggy address:
[ 88.673581][ T9803]  ffff8880a839e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 88.681678][ T9803]  ffff8880a839e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.689750][ T9803] >ffff8880a839e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.697984][ T9803]                       ^
[ 88.702324][ T9803]  ffff8880a839e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.710414][ T9803]  ffff8880a839e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.718477][ T9803] ==================================================================
[ 88.726627][ T9803] Kernel panic - not syncing: panic_on_warn set ...
[ 88.733232][ T9803] CPU: 0 PID: 9803 Comm: syz-executor.0 Tainted: G B 5.2.0-next-20190717 #40
[ 88.743329][ T9803] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 88.753393][ T9803] Call Trace:
[ 88.756697][ T9803]  dump_stack+0x172/0x1f0
[ 88.761039][ T9803]  panic+0x2dc/0x755
[ 88.764940][ T9803]  ? add_taint.cold+0x16/0x16
[ 88.769627][ T9803]  ? trace_hardirqs_on+0x5e/0x240
[ 88.774661][ T9803]  ? trace_hardirqs_on+0x5e/0x240
[ 88.779702][ T9803]  ? do_raw_spin_lock+0x28a/0x2e0
[ 88.784740][ T9803]  end_report+0x47/0x4f
[ 88.788921][ T9803]  ? do_raw_spin_lock+0x28a/0x2e0
[ 88.793953][ T9803]  __kasan_report.cold+0xe/0x36
[ 88.798811][ T9803]  ? do_raw_spin_lock+0x28a/0x2e0
[ 88.804114][ T9803]  kasan_report+0x12/0x17
[ 88.808450][ T9803]  __asan_report_load4_noabort+0x14/0x20
[ 88.814094][ T9803]  do_raw_spin_lock+0x28a/0x2e0
[ 88.818954][ T9803]  ? rwlock_bug.part.0+0x90/0x90
[ 88.823950][ T9803]  ? lock_acquire+0x190/0x410
[ 88.828662][ T9803]  ? release_sock+0x20/0x1c0
[ 88.833262][ T9803]  ? __sk_free+0x100/0x360
[ 88.837907][ T9803]  _raw_spin_lock_bh+0x3b/0x50
[ 88.842683][ T9803]  ? release_sock+0x20/0x1c0
[ 88.847284][ T9803]  release_sock+0x20/0x1c0
[ 88.851752][ T9803]  nr_release+0x303/0x3e0
[ 88.856100][ T9803]  __sock_release+0xce/0x280
[ 88.860698][ T9803]  sock_close+0x1e/0x30
[ 88.865652][ T9803]  __fput+0x2ff/0x890
[ 88.869646][ T9803]  ? __sock_release+0x280/0x280
[ 88.874499][ T9803]  ____fput+0x16/0x20
[ 88.878509][ T9803]  task_work_run+0x145/0x1c0
[ 88.883110][ T9803]  exit_to_usermode_loop+0x316/0x380
[ 88.888404][ T9803]  do_syscall_64+0x5a9/0x6a0
[ 88.893000][ T9803]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 88.899099][ T9803] RIP: 0033:0x413501
[ 88.903004][ T9803] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 88.922623][ T9803] RSP: 002b:00007fff96b119c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 88.931040][ T9803] RAX: 0000000000000000 RBX: 0000000000000009 RCX: 0000000000413501
[ 88.939112][ T9803] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
[ 88.947176][ T9803] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 88.955159][ T9803] R10: 00007fff96b11aa0 R11: 0000000000000293 R12: 000000000075c9a0
[ 88.963146][ T9803] R13: 000000000075c9a0 R14: 0000000000760ef0 R15: ffffffffffffffff
[ 88.972234][ T9803] Kernel Offset: disabled
[ 88.976573][ T9803] Rebooting in 86400 seconds..