[ ok ] Starting enhanced syslogd: rsyslogd.
[ 44.847932] audit: type=1800 audit(1546567620.232:25): pid=8001 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 44.881041] audit: type=1800 audit(1546567620.242:26): pid=8001 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 44.920279] audit: type=1800 audit(1546567620.242:27): pid=8001 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.55' (ECDSA) to the list of known hosts.
2019/01/04 02:07:11 parsed 1 programs
2019/01/04 02:07:13 executed programs: 0
syzkaller login: [ 58.113592] IPVS: ftp: loaded support on port[0] = 21
[ 58.181553] chnl_net:caif_netlink_parms(): no params data found
[ 58.215064] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.221935] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.228994] device bridge_slave_0 entered promiscuous mode
[ 58.236446] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.242948] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.249942] device bridge_slave_1 entered promiscuous mode
[ 58.267060] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 58.276192] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 58.292658] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 58.300251] team0: Port device team_slave_0 added
[ 58.305794] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 58.312938] team0: Port device team_slave_1 added
[ 58.318144] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 58.325581] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 58.393305] device hsr_slave_0 entered promiscuous mode
[ 58.461614] device hsr_slave_1 entered promiscuous mode
[ 58.511340] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 58.518220] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 58.532391] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.538796] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.545699] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.552056] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.585442] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 58.591872] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.599685] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 58.608333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.628848] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.636562] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.645206] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 58.655671] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 58.662027] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.670357] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 58.678313] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.684735] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.702023] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 58.709705] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.716157] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.728301] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 58.737270] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 58.747180] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 58.758994] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 58.769765] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 58.779397] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 58.785947] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 58.798381] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 58.808343] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 59.221678]
[ 59.223370] =====================================
[ 59.228188] WARNING: bad unlock balance detected!
[ 59.233010] 4.20.0+ #8 Not tainted
[ 59.236523] -------------------------------------
[ 59.241340] syz-executor0/8263 is trying to release lock (&file->mut) at:
[ 59.248282] [] ucma_destroy_id+0x269/0x540
[ 59.254058] but there are no more locks to release!
[ 59.259062]
[ 59.259062] other info that might help us debug this:
[ 59.265736] 1 lock held by syz-executor0/8263:
[ 59.270304] #0: 00000000c6b64239 (&file->mut){+.+.}, at: ucma_destroy_id+0x209/0x540
[ 59.278270]
[ 59.278270] stack backtrace:
[ 59.282763] CPU: 1 PID: 8263 Comm: syz-executor0 Not tainted 4.20.0+ #8
[ 59.289489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.298819] Call Trace:
[ 59.301396] dump_stack+0x1db/0x2d0
[ 59.305036] ? dump_stack_print_info.cold+0x20/0x20
[ 59.310064] ? ucma_destroy_id+0x269/0x540
[ 59.314355] ? print_tainted+0x176/0x1e0
[ 59.318399] ? vprintk_func+0x86/0x189
[ 59.322271] ? ucma_destroy_id+0x269/0x540
[ 59.326489] print_unlock_imbalance_bug.cold+0xd0/0xdf
[ 59.331762] ? ucma_destroy_id+0x269/0x540
[ 59.335988] lock_release+0x77a/0xc40
[ 59.339771] ? lock_downgrade+0x910/0x910
[ 59.343903] ? __radix_tree_delete+0x27e/0x4e0
[ 59.348467] ? idr_preload+0x50/0x50
[ 59.352163] ? __radix_tree_lookup+0x3aa/0x4f0
[ 59.356726] __mutex_unlock_slowpath+0xe9/0x870
[ 59.361391] ? wait_for_completion+0x810/0x810
[ 59.365954] mutex_unlock+0xd/0x10
[ 59.369483] ucma_destroy_id+0x269/0x540
[ 59.373526] ? ucma_close+0x320/0x320
[ 59.377311] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 59.382833] ? _copy_from_user+0xdd/0x150
[ 59.386961] ucma_write+0x36b/0x480
[ 59.390572] ? ucma_close+0x320/0x320
[ 59.394356] ? ucma_open+0x400/0x400
[ 59.398052] ? __might_fault+0x12b/0x1e0
[ 59.402097] ? find_held_lock+0x35/0x120
[ 59.406141] __vfs_write+0x116/0xb40
[ 59.409834] ? ucma_open+0x400/0x400
[ 59.413531] ? kernel_read+0x120/0x120
[ 59.417412] ? fget_raw+0x20/0x20
[ 59.420851] ? trace_hardirqs_off_caller+0x300/0x300
[ 59.425950] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.431477] ? security_file_permission+0x94/0x320
[ 59.436390] ? rw_verify_area+0x118/0x360
[ 59.440520] vfs_write+0x20c/0x580
[ 59.444041] ksys_write+0x105/0x260
[ 59.447653] ? __ia32_sys_read+0xb0/0xb0
[ 59.451708] ? trace_hardirqs_off_caller+0x300/0x300
[ 59.456809] ? ret_from_fork+0x15/0x50
[ 59.460678] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 59.465425] __x64_sys_write+0x73/0xb0
[ 59.469292] do_syscall_64+0x1a3/0x800
[ 59.473178] ? syscall_return_slowpath+0x5f0/0x5f0
[ 59.478101] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 59.483100] ? __switch_to_asm+0x34/0x70
[ 59.487143] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.492003] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.497211] RIP: 0033:0x457ec9
[ 59.500384] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.519281] RSP: 002b:00007f84b0a0bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 59.526971] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[ 59.534238] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[ 59.541488] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 59.548736] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f84b0a0c6d4
[ 59.556003] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff