[ ok ] Starting enhanced syslogd: rsyslogd.
[ 54.234252][ T26] audit: type=1800 audit(1582047774.567:25): pid=8591 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 54.253272][ T26] audit: type=1800 audit(1582047774.577:26): pid=8591 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 54.288724][ T26] audit: type=1800 audit(1582047774.577:27): pid=8591 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
2020/02/18 17:43:12 parsed 1 programs
2020/02/18 17:43:14 executed programs: 0
syzkaller login: [ 74.107956][ T8761] IPVS: ftp: loaded support on port[0] = 21
[ 74.156340][ T8761] chnl_net:caif_netlink_parms(): no params data found
[ 74.189528][ T8761] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.197257][ T8761] bridge0: port 1(bridge_slave_0) entered disabled state
[ 74.204952][ T8761] device bridge_slave_0 entered promiscuous mode
[ 74.213303][ T8761] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.220459][ T8761] bridge0: port 2(bridge_slave_1) entered disabled state
[ 74.228442][ T8761] device bridge_slave_1 entered promiscuous mode
[ 74.243392][ T8761] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 74.254436][ T8761] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 74.271981][ T8761] team0: Port device team_slave_0 added
[ 74.279134][ T8761] team0: Port device team_slave_1 added
[ 74.291953][ T8761] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 74.299015][ T8761] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 74.326232][ T8761] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 74.338738][ T8761] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 74.345728][ T8761] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 74.371692][ T8761] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 74.478258][ T8761] device hsr_slave_0 entered promiscuous mode
[ 74.556879][ T8761] device hsr_slave_1 entered promiscuous mode
[ 74.678952][ T8761] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 74.729363][ T8761] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 74.778838][ T8761] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 74.818767][ T8761] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 74.869665][ T8761] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.877186][ T8761] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 74.885408][ T8761] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.892731][ T8761] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 74.930823][ T8761] 8021q: adding VLAN 0 to HW filter on device bond0
[ 74.942121][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 74.951870][ T3033] bridge0: port 1(bridge_slave_0) entered disabled state
[ 74.959831][ T3033] bridge0: port 2(bridge_slave_1) entered disabled state
[ 74.968478][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 74.981202][ T8761] 8021q: adding VLAN 0 to HW filter on device team0
[ 74.991259][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 75.000482][ T2734] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.007593][ T2734] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.018457][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 75.027411][ T3033] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.034477][ T3033] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.058178][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 75.067264][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 75.076524][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 75.085187][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 75.093956][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 75.102948][ T8761] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 75.118500][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 75.125889][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 75.139447][ T8761] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 75.154863][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 75.172528][ T8761] device veth0_vlan entered promiscuous mode
[ 75.180188][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 75.189634][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 75.198966][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 75.206700][ T2734] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 75.219005][ T8761] device veth1_vlan entered promiscuous mode
[ 75.238956][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 75.247777][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 75.255718][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 75.264658][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 75.275516][ T8761] device veth0_macvtap entered promiscuous mode
[ 75.287040][ T8761] device veth1_macvtap entered promiscuous mode
[ 75.301410][ T8761] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 75.309377][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 75.318169][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 75.325996][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 75.334841][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 75.345373][ T8761] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 75.353645][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 75.362573][ T3033] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 76.014148][ T8852]
[ 76.016624][ T8852] =====================================
[ 76.022196][ T8852] WARNING: bad unlock balance detected!
[ 76.027836][ T8852] 5.6.0-rc2-syzkaller #0 Not tainted
[ 76.033098][ T8852] -------------------------------------
[ 76.038823][ T8852] syz-executor.0/8852 is trying to release lock (&file->mut) at:
[ 76.046531][ T8852] [] ucma_destroy_id+0x212/0x400
[ 76.053162][ T8852] but there are no more locks to release!
[ 76.058883][ T8852]
[ 76.058883][ T8852] other info that might help us debug this:
[ 76.066924][ T8852] 1 lock held by syz-executor.0/8852:
[ 76.072274][ T8852] #0: ffff88808a765860 (&file->mut){+.+.}, at: ucma_destroy_id+0x1d1/0x400
[ 76.080935][ T8852]
[ 76.080935][ T8852] stack backtrace:
[ 76.086812][ T8852] CPU: 0 PID: 8852 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
[ 76.095365][ T8852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.105616][ T8852] Call Trace:
[ 76.108890][ T8852] dump_stack+0x1fb/0x318
[ 76.113222][ T8852] ? ucma_destroy_id+0x212/0x400
[ 76.118143][ T8852] print_unlock_imbalance_bug+0x20b/0x240
[ 76.123836][ T8852] ? mutex_optimistic_spin+0x32a/0x470
[ 76.129282][ T8852] lock_release+0x469/0x710
[ 76.133758][ T8852] ? ucma_destroy_id+0x212/0x400
[ 76.138719][ T8852] ? ucma_destroy_id+0x212/0x400
[ 76.143638][ T8852] __mutex_unlock_slowpath+0x80/0x5b0
[ 76.148987][ T8852] mutex_unlock+0xd/0x10
[ 76.153235][ T8852] ucma_destroy_id+0x212/0x400
[ 76.157987][ T8852] ? ucma_create_id+0x540/0x540
[ 76.162817][ T8852] ucma_write+0x2da/0x360
[ 76.167123][ T8852] ? ucma_get_global_nl_info+0x70/0x70
[ 76.172556][ T8852] __vfs_write+0xb8/0x740
[ 76.176874][ T8852] ? security_file_permission+0x147/0x340
[ 76.182575][ T8852] ? rw_verify_area+0x1c2/0x360
[ 76.187466][ T8852] vfs_write+0x270/0x580
[ 76.191687][ T8852] ksys_write+0x117/0x220
[ 76.196035][ T8852] __x64_sys_write+0x7b/0x90
[ 76.200603][ T8852] do_syscall_64+0xf7/0x1c0
[ 76.205099][ T8852] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.210979][ T8852] RIP: 0033:0x45c449
[ 76.214872][ T8852] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 76.234457][ T8852] RSP: 002b:00007f538ab4ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 76.242885][ T8852] RAX: ffffffffffffffda RBX: 00007f538ab4f6d4 RCX: 000000000045c449
[ 76.250920][ T8852] RDX: 0000000000000018 RSI: 0000000020001380 RDI: 0000000000000003
[ 76.258873][ T8852] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 76.266823][ T8852] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 76.274781][ T8852] R13: 0000000000000c8a R14: 00000000004d7660 R15: 000000000076bfcc
[ 76.288581][ T8852] ==================================================================
[ 76.296673][ T8852] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x8d/0x5b0
[ 76.304677][ T8852] Read of size 8 at addr ffff888094ca3a00 by task syz-executor.0/8852
[ 76.312890][ T8852]
[ 76.315587][ T8852] CPU: 0 PID: 8852 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0
[ 76.324305][ T8852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.334751][ T8852] Call Trace:
[ 76.338642][ T8852] dump_stack+0x1fb/0x318
[ 76.343130][ T8852] print_address_description+0x74/0x5c0
[ 76.348877][ T8852] ? vprintk_func+0x158/0x170
[ 76.353718][ T8852] ? printk+0x62/0x8d
[ 76.357685][ T8852] ? vprintk_emit+0x2d4/0x3a0
[ 76.362464][ T8852] __kasan_report+0x149/0x1c0
[ 76.367294][ T8852] ? lock_release+0x420/0x710
[ 76.371950][ T8852] ? __mutex_unlock_slowpath+0x8d/0x5b0
[ 76.379033][ T8852] kasan_report+0x26/0x50
[ 76.383442][ T8852] check_memory_region+0x2b6/0x2f0
[ 76.388670][ T8852] ? ucma_destroy_id+0x212/0x400
[ 76.393824][ T8852] __kasan_check_read+0x11/0x20
[ 76.398678][ T8852] __mutex_unlock_slowpath+0x8d/0x5b0
[ 76.404472][ T8852] mutex_unlock+0xd/0x10
[ 76.408861][ T8852] ucma_destroy_id+0x212/0x400
[ 76.413610][ T8852] ? ucma_create_id+0x540/0x540
[ 76.418459][ T8852] ucma_write+0x2da/0x360
[ 76.422776][ T8852] ? ucma_get_global_nl_info+0x70/0x70
[ 76.428288][ T8852] __vfs_write+0xb8/0x740
[ 76.432610][ T8852] ? security_file_permission+0x147/0x340
[ 76.438318][ T8852] ? rw_verify_area+0x1c2/0x360
[ 76.443198][ T8852] vfs_write+0x270/0x580
[ 76.447496][ T8852] ksys_write+0x117/0x220
[ 76.451949][ T8852] __x64_sys_write+0x7b/0x90
[ 76.456522][ T8852] do_syscall_64+0xf7/0x1c0
[ 76.461022][ T8852] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.466897][ T8852] RIP: 0033:0x45c449
[ 76.470769][ T8852] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 76.490795][ T8852] RSP: 002b:00007f538ab4ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 76.499231][ T8852] RAX: ffffffffffffffda RBX: 00007f538ab4f6d4 RCX: 000000000045c449
[ 76.507386][ T8852] RDX: 0000000000000018 RSI: 0000000020001380 RDI: 0000000000000003
[ 76.515352][ T8852] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 76.523542][ T8852] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 76.531534][ T8852] R13: 0000000000000c8a R14: 00000000004d7660 R15: 000000000076bfcc
[ 76.539494][ T8852]
[ 76.541889][ T8852] Allocated by task 8852:
[ 76.546600][ T8852] __kasan_kmalloc+0x118/0x1c0
[ 76.551346][ T8852] kasan_kmalloc+0x9/0x10
[ 76.555658][ T8852] kmem_cache_alloc_trace+0x221/0x2f0
[ 76.561058][ T8852] ucma_open+0x57/0x1f0
[ 76.565190][ T8852] misc_open+0x3ea/0x440
[ 76.569412][ T8852] chrdev_open+0x509/0x590
[ 76.573859][ T8852] do_dentry_open+0x85b/0x10c0
[ 76.578608][ T8852] vfs_open+0x73/0x80
[ 76.582580][ T8852] path_openat+0x16f1/0x4380
[ 76.587251][ T8852] do_filp_open+0x192/0x3d0
[ 76.596212][ T8852] do_sys_openat2+0x42b/0x6f0
[ 76.600870][ T8852] __x64_sys_openat+0x1e6/0x210
[ 76.605735][ T8852] do_syscall_64+0xf7/0x1c0
[ 76.610224][ T8852] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.616114][ T8852]
[ 76.618498][ T8852] Freed by task 8846:
[ 76.622486][ T8852] __kasan_slab_free+0x12e/0x1e0
[ 76.627437][ T8852] kasan_slab_free+0xe/0x10
[ 76.632091][ T8852] kfree+0x10d/0x220
[ 76.636048][ T8852] ucma_close+0x2b3/0x2d0
[ 76.640792][ T8852] __fput+0x2e4/0x740
[ 76.645341][ T8852] ____fput+0x15/0x20
[ 76.649412][ T8852] task_work_run+0x176/0x1b0
[ 76.654199][ T8852] prepare_exit_to_usermode+0x480/0x5b0
[ 76.659840][ T8852] syscall_return_slowpath+0x113/0x4a0
[ 76.665608][ T8852] do_syscall_64+0x11f/0x1c0
[ 76.670202][ T8852] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.676158][ T8852]
[ 76.678466][ T8852] The buggy address belongs to the object at ffff888094ca3a00
[ 76.678466][ T8852] which belongs to the cache kmalloc-256 of size 256
[ 76.692768][ T8852] The buggy address is located 0 bytes inside of
[ 76.692768][ T8852] 256-byte region [ffff888094ca3a00, ffff888094ca3b00)
[ 76.705992][ T8852] The buggy address belongs to the page:
[ 76.711637][ T8852] page:ffffea00025328c0 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
[ 76.721016][ T8852] flags: 0xfffe0000000200(slab)
[ 76.725846][ T8852] raw: 00fffe0000000200 ffffea000229d948 ffff8880aa401648 ffff8880aa4008c0
[ 76.734421][ T8852] raw: 0000000000000000 ffff888094ca3000 0000000100000008 0000000000000000
[ 76.743040][ T8852] page dumped because: kasan: bad access detected
[ 76.749426][ T8852]
[ 76.751738][ T8852] Memory state around the buggy address:
[ 76.757351][ T8852]  ffff888094ca3900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.765396][ T8852]  ffff888094ca3980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.773440][ T8852] >ffff888094ca3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.781662][ T8852]                    ^
[ 76.785734][ T8852]  ffff888094ca3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.793979][ T8852]  ffff888094ca3b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.802025][ T8852] ==================================================================
[ 76.813656][ T8852] Kernel panic - not syncing: panic_on_warn set ...
[ 76.820274][ T8852] CPU: 0 PID: 8852 Comm: syz-executor.0 Tainted: G B 5.6.0-rc2-syzkaller #0
[ 76.830375][ T8852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.840417][ T8852] Call Trace:
[ 76.843695][ T8852] dump_stack+0x1fb/0x318
[ 76.848153][ T8852] panic+0x264/0x7a9
[ 76.852090][ T8852] ? __kasan_report+0x193/0x1c0
[ 76.857109][ T8852] ? trace_hardirqs_on+0x34/0x80
[ 76.862431][ T8852] ? __kasan_report+0x193/0x1c0
[ 76.867267][ T8852] __kasan_report+0x1b9/0x1c0
[ 76.871929][ T8852] ? lock_release+0x420/0x710
[ 76.876690][ T8852] ? __mutex_unlock_slowpath+0x8d/0x5b0
[ 76.882317][ T8852] kasan_report+0x26/0x50
[ 76.886629][ T8852] check_memory_region+0x2b6/0x2f0
[ 76.891721][ T8852] ? ucma_destroy_id+0x212/0x400
[ 76.896645][ T8852] __kasan_check_read+0x11/0x20
[ 76.901609][ T8852] __mutex_unlock_slowpath+0x8d/0x5b0
[ 76.906970][ T8852] mutex_unlock+0xd/0x10
[ 76.911262][ T8852] ucma_destroy_id+0x212/0x400
[ 76.916018][ T8852] ? ucma_create_id+0x540/0x540
[ 76.920855][ T8852] ucma_write+0x2da/0x360
[ 76.925166][ T8852] ? ucma_get_global_nl_info+0x70/0x70
[ 76.935568][ T8852] __vfs_write+0xb8/0x740
[ 76.939886][ T8852] ? security_file_permission+0x147/0x340
[ 76.945591][ T8852] ? rw_verify_area+0x1c2/0x360
[ 76.950486][ T8852] vfs_write+0x270/0x580
[ 76.954730][ T8852] ksys_write+0x117/0x220
[ 76.959129][ T8852] __x64_sys_write+0x7b/0x90
[ 76.963703][ T8852] do_syscall_64+0xf7/0x1c0
[ 76.968243][ T8852] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.974121][ T8852] RIP: 0033:0x45c449
[ 76.978013][ T8852] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 76.997708][ T8852] RSP: 002b:00007f538ab4ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 77.006098][ T8852] RAX: ffffffffffffffda RBX: 00007f538ab4f6d4 RCX: 000000000045c449
[ 77.014060][ T8852] RDX: 0000000000000018 RSI: 0000000020001380 RDI: 0000000000000003
[ 77.022018][ T8852] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 77.029976][ T8852] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 77.037930][ T8852] R13: 0000000000000c8a R14: 00000000004d7660 R15: 000000000076bfcc
[ 77.046728][ T8852] Kernel Offset: disabled
[ 77.051059][ T8852] Rebooting in 86400 seconds..