Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ 50.622827] sshd (8493) used greatest stack depth: 19480 bytes left
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 54.667898] kauditd_printk_skb: 4 callbacks suppressed
[ 54.667913] audit: type=1400 audit(1546626116.718:35): avc: denied { map } for pid=8600 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
[ 84.599625] audit: type=1400 audit(1546626146.648:36): avc: denied { map } for pid=8612 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/04 18:22:27 parsed 1 programs
[ 85.357742] audit: type=1400 audit(1546626147.408:37): avc: denied { map } for pid=8612 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1115 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/01/04 18:22:28 executed programs: 0
[ 86.977224] IPVS: ftp: loaded support on port[0] = 21
[ 87.043519] chnl_net:caif_netlink_parms(): no params data found
[ 87.080519] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.087972] bridge0: port 1(bridge_slave_0) entered disabled state
[ 87.095342] device bridge_slave_0 entered promiscuous mode
[ 87.102463] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.108901] bridge0: port 2(bridge_slave_1) entered disabled state
[ 87.115850] device bridge_slave_1 entered promiscuous mode
[ 87.132080] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 87.141601] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 87.159744] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 87.167553] team0: Port device team_slave_0 added
[ 87.172910] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 87.180152] team0: Port device team_slave_1 added
[ 87.185383] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 87.192603] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 87.275771] device hsr_slave_0 entered promiscuous mode
[ 87.354041] device hsr_slave_1 entered promiscuous mode
[ 87.434249] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 87.441118] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 87.455817] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.462206] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 87.469080] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.475495] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 87.511200] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 87.517817] 8021q: adding VLAN 0 to HW filter on device bond0
[ 87.526514] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 87.536211] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 87.546040] bridge0: port 1(bridge_slave_0) entered disabled state
[ 87.553407] bridge0: port 2(bridge_slave_1) entered disabled state
[ 87.561597] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 87.572457] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 87.578825] 8021q: adding VLAN 0 to HW filter on device team0
[ 87.587288] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 87.595510] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.601873] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 87.624915] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 87.632447] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.638840] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 87.646991] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 87.654857] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 87.662391] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 87.670340] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 87.678425] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 87.686266] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 87.692255] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 87.706285] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 87.718163] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 87.728294] audit: type=1400 audit(1546626149.778:38): avc: denied { associate } for pid=8625 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/01/04 18:22:34 executed programs: 139
[ 94.512761]
[ 94.514423] =====================================
[ 94.519237] WARNING: bad unlock balance detected!
[ 94.524058] 4.20.0+ #9 Not tainted
[ 94.527577] -------------------------------------
[ 94.532392] syz-executor0/10396 is trying to release lock (&file->mut) at:
[ 94.539394] [] ucma_destroy_id+0x269/0x540
[ 94.545165] but there are no more locks to release!
[ 94.550155]
[ 94.550155] other info that might help us debug this:
[ 94.556832] 1 lock held by syz-executor0/10396:
[ 94.561487] #0: 000000008fb5d1c5 (&file->mut){+.+.}, at: ucma_destroy_id+0x209/0x540
[ 94.569438]
[ 94.569438] stack backtrace:
[ 94.573913] CPU: 0 PID: 10396 Comm: syz-executor0 Not tainted 4.20.0+ #9
[ 94.580728] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 94.590077] Call Trace:
[ 94.592683] dump_stack+0x1db/0x2d0
[ 94.596324] ? dump_stack_print_info.cold+0x20/0x20
[ 94.601320] ? ucma_destroy_id+0x269/0x540
[ 94.605576] ? print_tainted+0x176/0x1e0
[ 94.609632] ? vprintk_func+0x86/0x189
[ 94.613503] ? ucma_destroy_id+0x269/0x540
[ 94.617730] print_unlock_imbalance_bug.cold+0xd0/0xdf
[ 94.623003] ? ucma_destroy_id+0x269/0x540
[ 94.627219] lock_release+0x77a/0xc40
[ 94.631007] ? lock_downgrade+0x910/0x910
[ 94.635141] ? __radix_tree_delete+0x27e/0x4e0
[ 94.639738] ? idr_preload+0x50/0x50
[ 94.643443] ? __radix_tree_lookup+0x3aa/0x4f0
[ 94.648008] __mutex_unlock_slowpath+0xe9/0x870
[ 94.652682] ? wait_for_completion+0x810/0x810
[ 94.657249] mutex_unlock+0xd/0x10
[ 94.660771] ucma_destroy_id+0x269/0x540
[ 94.664815] ? ucma_close+0x320/0x320
[ 94.668618] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 94.674151] ? _copy_from_user+0xdd/0x150
[ 94.678286] ucma_write+0x36b/0x480
[ 94.681912] ? ucma_close+0x320/0x320
[ 94.685696] ? ucma_open+0x400/0x400
[ 94.689422] ? __might_fault+0x12b/0x1e0
[ 94.693466] ? arch_local_save_flags+0x50/0x50
[ 94.698041] ? find_held_lock+0x35/0x120
[ 94.702103] __vfs_write+0x116/0xb40
[ 94.705837] ? ucma_open+0x400/0x400
[ 94.709550] ? kernel_read+0x120/0x120
[ 94.713419] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 94.718940] ? __inode_security_revalidate+0xda/0x120
[ 94.724111] ? avc_policy_seqno+0xd/0x70
[ 94.728161] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 94.733158] ? selinux_file_permission+0x92/0x550
[ 94.737983] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 94.743524] ? security_file_permission+0x94/0x320
[ 94.748454] ? rw_verify_area+0x118/0x360
[ 94.752585] vfs_write+0x20c/0x580
[ 94.756123] ksys_write+0x105/0x260
[ 94.759733] ? __ia32_sys_read+0xb0/0xb0
[ 94.763778] ? trace_hardirqs_off_caller+0x300/0x300
[ 94.768879] ? ret_from_fork+0x15/0x50
[ 94.772747] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 94.777483] __x64_sys_write+0x73/0xb0
[ 94.781352] do_syscall_64+0x1a3/0x800
[ 94.785221] ? syscall_return_slowpath+0x5f0/0x5f0
[ 94.790133] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 94.795145] ? __switch_to_asm+0x34/0x70
[ 94.799188] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 94.804016] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 94.809187] RIP: 0033:0x457ec9
[ 94.812363] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 94.831247] RSP: 002b:00007fe028b73c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 94.838940] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[ 94.846194] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[ 94.853445] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 94.860707] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe028b746d4
[ 94.867959] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff