[   36.795558] audit: type=1800 audit(1546570302.516:28): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   37.650726] audit: type=1800 audit(1546570303.446:29): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   37.670113] audit: type=1800 audit(1546570303.446:30): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
2019/01/04 02:52:50 parsed 1 programs
2019/01/04 02:52:52 executed programs: 0
syzkaller login: [  106.563009] IPVS: ftp: loaded support on port[0] = 21
[  106.622703] chnl_net:caif_netlink_parms(): no params data found
[  106.652897] bridge0: port 1(bridge_slave_0) entered blocking state
[  106.659765] bridge0: port 1(bridge_slave_0) entered disabled state
[  106.666894] device bridge_slave_0 entered promiscuous mode
[  106.674188] bridge0: port 2(bridge_slave_1) entered blocking state
[  106.680892] bridge0: port 2(bridge_slave_1) entered disabled state
[  106.687981] device bridge_slave_1 entered promiscuous mode
[  106.703504] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  106.712139] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  106.728206] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  106.735591] team0: Port device team_slave_0 added
[  106.740918] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  106.748027] team0: Port device team_slave_1 added
[  106.753176] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[  106.760425] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[  106.818157] device hsr_slave_0 entered promiscuous mode
[  106.855753] device hsr_slave_1 entered promiscuous mode
[  106.925880] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[  106.932744] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[  106.946301] bridge0: port 2(bridge_slave_1) entered blocking state
[  106.952940] bridge0: port 2(bridge_slave_1) entered forwarding state
[  106.959819] bridge0: port 1(bridge_slave_0) entered blocking state
[  106.966186] bridge0: port 1(bridge_slave_0) entered forwarding state
[  106.997446] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  107.003626] 8021q: adding VLAN 0 to HW filter on device bond0
[  107.011861] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  107.020749] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  107.040715] bridge0: port 1(bridge_slave_0) entered disabled state
[  107.048179] bridge0: port 2(bridge_slave_1) entered disabled state
[  107.056173] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  107.066312] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  107.072405] 8021q: adding VLAN 0 to HW filter on device team0
[  107.081342] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  107.089050] bridge0: port 1(bridge_slave_0) entered blocking state
[  107.095373] bridge0: port 1(bridge_slave_0) entered forwarding state
[  107.104546] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  107.112495] bridge0: port 2(bridge_slave_1) entered blocking state
[  107.118868] bridge0: port 2(bridge_slave_1) entered forwarding state
[  107.138644] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  107.146457] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  107.153951] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  107.161719] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  107.171112] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  107.180123] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[  107.186324] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  107.198107] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[  107.208209] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/01/04 02:52:57 executed programs: 163
[  116.446479]
[  116.448164] =====================================
[  116.453016] WARNING: bad unlock balance detected!
[  116.457848] 4.20.0+ #8 Not tainted
[  116.461370] -------------------------------------
[  116.466218] syz-executor0/10382 is trying to release lock (&file->mut) at:
[  116.473235] [] ucma_destroy_id+0x269/0x540
[  116.479003] but there are no more locks to release!
[  116.483991]
[  116.483991] other info that might help us debug this:
[  116.490634] 1 lock held by syz-executor0/10382:
[  116.495274]  #0: 0000000096336888 (&file->mut){+.+.}, at: ucma_destroy_id+0x209/0x540
[  116.503228]
[  116.503228] stack backtrace:
[  116.507701] CPU: 1 PID: 10382 Comm: syz-executor0 Not tainted 4.20.0+ #8
[  116.514511] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  116.523835] Call Trace:
[  116.526400]  dump_stack+0x1db/0x2d0
[  116.530004]  ? dump_stack_print_info.cold+0x20/0x20
[  116.534995]  ? ucma_destroy_id+0x269/0x540
[  116.539209]  ? print_tainted+0x176/0x1e0
[  116.543264]  ? vprintk_func+0x86/0x189
[  116.547130]  ? ucma_destroy_id+0x269/0x540
[  116.551359]  print_unlock_imbalance_bug.cold+0xd0/0xdf
[  116.556615]  ? ucma_destroy_id+0x269/0x540
[  116.560842]  lock_release+0x77a/0xc40
[  116.564629]  ? lock_downgrade+0x910/0x910
[  116.568785]  ? __radix_tree_delete+0x27e/0x4e0
[  116.573350]  ? idr_preload+0x50/0x50
[  116.577045]  ? __radix_tree_lookup+0x3aa/0x4f0
[  116.581606]  __mutex_unlock_slowpath+0xe9/0x870
[  116.586256]  ? wait_for_completion+0x810/0x810
[  116.590818]  mutex_unlock+0xd/0x10
[  116.594340]  ucma_destroy_id+0x269/0x540
[  116.598381]  ? ucma_close+0x320/0x320
[  116.602161]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  116.607688]  ? _copy_from_user+0xdd/0x150
[  116.611815]  ucma_write+0x36b/0x480
[  116.615443]  ? ucma_close+0x320/0x320
[  116.619226]  ? ucma_open+0x400/0x400
[  116.622920]  ? __might_fault+0x12b/0x1e0
[  116.626962]  ? find_held_lock+0x35/0x120
[  116.631008]  __vfs_write+0x116/0xb40
[  116.634698]  ? ucma_open+0x400/0x400
[  116.638387]  ? kernel_read+0x120/0x120
[  116.642287]  ? fget_raw+0x20/0x20
[  116.645718]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.650801]  ? apparmor_file_permission+0x25/0x30
[  116.655641]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  116.661161]  ? security_file_permission+0x94/0x320
[  116.666062]  ? rw_verify_area+0x118/0x360
[  116.670191]  vfs_write+0x20c/0x580
[  116.673716]  ksys_write+0x105/0x260
[  116.677368]  ? __ia32_sys_read+0xb0/0xb0
[  116.681404]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.686483]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  116.691212]  __x64_sys_write+0x73/0xb0
[  116.695071]  do_syscall_64+0x1a3/0x800
[  116.698934]  ? syscall_return_slowpath+0x5f0/0x5f0
[  116.703874]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  116.708873]  ? __switch_to_asm+0x34/0x70
[  116.712913]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  116.717733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  116.722896] RIP: 0033:0x457ec9
[  116.726070] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  116.744973] RSP: 002b:00007fd39c497c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  116.752652] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[  116.759917] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[  116.767158] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  116.774399] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd39c4986d4
[  116.781640] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff
[  116.791535] ==================================================================
[  116.798890] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xf6/0x870
[  116.806052] Read of size 8 at addr ffff8880879d8040 by task syz-executor0/10382
[  116.813470]
[  116.815082] CPU: 1 PID: 10382 Comm: syz-executor0 Not tainted 4.20.0+ #8
[  116.821896] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  116.831227] Call Trace:
[  116.833791]  dump_stack+0x1db/0x2d0
[  116.837396]  ? dump_stack_print_info.cold+0x20/0x20
[  116.842401]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.847236]  print_address_description.cold+0x7c/0x20d
[  116.852491]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.857308]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.862132]  kasan_report.cold+0x1b/0x40
[  116.866172]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.871010]  check_memory_region+0x123/0x190
[  116.875400]  kasan_check_read+0x11/0x20
[  116.879403]  __mutex_unlock_slowpath+0xf6/0x870
[  116.884067]  ? wait_for_completion+0x810/0x810
[  116.888633]  mutex_unlock+0xd/0x10
[  116.892155]  ucma_destroy_id+0x269/0x540
[  116.896194]  ? ucma_close+0x320/0x320
[  116.899975]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  116.905489]  ? _copy_from_user+0xdd/0x150
[  116.909613]  ucma_write+0x36b/0x480
[  116.913215]  ? ucma_close+0x320/0x320
[  116.916996]  ? ucma_open+0x400/0x400
[  116.920686]  ? __might_fault+0x12b/0x1e0
[  116.924722]  ? find_held_lock+0x35/0x120
[  116.928782]  __vfs_write+0x116/0xb40
[  116.932475]  ? ucma_open+0x400/0x400
[  116.936171]  ? kernel_read+0x120/0x120
[  116.940039]  ? fget_raw+0x20/0x20
[  116.943483]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.948586]  ? apparmor_file_permission+0x25/0x30
[  116.953407]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  116.958926]  ? security_file_permission+0x94/0x320
[  116.963840]  ? rw_verify_area+0x118/0x360
[  116.967966]  vfs_write+0x20c/0x580
[  116.971502]  ksys_write+0x105/0x260
[  116.975119]  ? __ia32_sys_read+0xb0/0xb0
[  116.979178]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.984264]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  116.988996]  __x64_sys_write+0x73/0xb0
[  116.992859]  do_syscall_64+0x1a3/0x800
[  116.996721]  ? syscall_return_slowpath+0x5f0/0x5f0
[  117.001628]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  117.006633]  ? __switch_to_asm+0x34/0x70
[  117.010721]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  117.015541]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.020717] RIP: 0033:0x457ec9
[  117.023889] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  117.042768] RSP: 002b:00007fd39c497c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  117.050452] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[  117.057699] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[  117.064974] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  117.072228] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd39c4986d4
[  117.079495] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff
[  117.086759]
[  117.088383] Allocated by task 10382:
[  117.092085]  save_stack+0x45/0xd0
[  117.095519]  kasan_kmalloc+0xcf/0xe0
[  117.099211]  kmem_cache_alloc_trace+0x151/0x760
[  117.103863]  ucma_open+0xac/0x400
[  117.107293]  misc_open+0x398/0x4c0
[  117.110811]  chrdev_open+0x270/0x7c0
[  117.114512]  do_dentry_open+0x48a/0x1210
[  117.118550]  vfs_open+0xa0/0xd0
[  117.121847]  path_openat+0x144f/0x5650
[  117.125715]  do_filp_open+0x26f/0x370
[  117.129492]  do_sys_open+0x59a/0x7c0
[  117.133182]  __x64_sys_openat+0x9d/0x100
[  117.137220]  do_syscall_64+0x1a3/0x800
[  117.141083]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.146251]
[  117.147857] Freed by task 10376:
[  117.151222]  save_stack+0x45/0xd0
[  117.154661]  __kasan_slab_free+0x102/0x150
[  117.158890]  kasan_slab_free+0xe/0x10
[  117.162688]  kfree+0xcf/0x230
[  117.165769]  ucma_close+0x291/0x320
[  117.169371]  __fput+0x3c5/0xb10
[  117.172625]  ____fput+0x16/0x20
[  117.175882]  task_work_run+0x1f4/0x2b0
[  117.179749]  exit_to_usermode_loop+0x32a/0x3b0
[  117.184308]  do_syscall_64+0x696/0x800
[  117.188178]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.193394]
[  117.195009] The buggy address belongs to the object at ffff8880879d8040
[  117.195009]  which belongs to the cache kmalloc-256 of size 256
[  117.207651] The buggy address is located 0 bytes inside of
[  117.207651]  256-byte region [ffff8880879d8040, ffff8880879d8140)
[  117.219319] The buggy address belongs to the page:
[  117.224225] page:ffffea00021e7600 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[  117.232349] flags: 0x1fffc0000000200(slab)
[  117.236562] raw: 01fffc0000000200 ffffea00027b7c48 ffffea0002a3e108 ffff88812c3f07c0
[  117.244418] raw: 0000000000000000 ffff8880879d8040 000000010000000c 0000000000000000
[  117.252268] page dumped because: kasan: bad access detected
[  117.257950]
[  117.259549] Memory state around the buggy address:
[  117.264454]  ffff8880879d7f00: fc fc fc fc fb fb fb fb fb fb fb fc fc fc fc fb
[  117.271787]  ffff8880879d7f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[  117.279128] >ffff8880879d8000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  117.286487]                                            ^
[  117.291920]  ffff8880879d8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.299261]  ffff8880879d8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  117.306596] ==================================================================
[  117.314472] Kernel panic - not syncing: panic_on_warn set ...
[  117.320357] CPU: 1 PID: 10382 Comm: syz-executor0 Tainted: G    B             4.20.0+ #8
[  117.328569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  117.337933] Call Trace:
[  117.340500]  dump_stack+0x1db/0x2d0
[  117.344139]  ? dump_stack_print_info.cold+0x20/0x20
[  117.349143]  panic+0x2cb/0x589
[  117.352316]  ? add_taint.cold+0x16/0x16
[  117.356294]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.361117]  ? preempt_schedule+0x4b/0x60
[  117.365262]  ? ___preempt_schedule+0x16/0x18
[  117.369650]  ? trace_hardirqs_on+0xb4/0x310
[  117.373964]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.378786]  end_report+0x47/0x4f
[  117.382217]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.387040]  kasan_report.cold+0xe/0x40
[  117.391002]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.395842]  check_memory_region+0x123/0x190
[  117.400240]  kasan_check_read+0x11/0x20
[  117.404199]  __mutex_unlock_slowpath+0xf6/0x870
[  117.408851]  ? wait_for_completion+0x810/0x810
[  117.413415]  mutex_unlock+0xd/0x10
[  117.416961]  ucma_destroy_id+0x269/0x540
[  117.421048]  ? ucma_close+0x320/0x320
[  117.424834]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  117.430353]  ? _copy_from_user+0xdd/0x150
[  117.434483]  ucma_write+0x36b/0x480
[  117.438091]  ? ucma_close+0x320/0x320
[  117.441883]  ? ucma_open+0x400/0x400
[  117.445584]  ? __might_fault+0x12b/0x1e0
[  117.449628]  ? find_held_lock+0x35/0x120
[  117.453680]  __vfs_write+0x116/0xb40
[  117.457376]  ? ucma_open+0x400/0x400
[  117.461083]  ? kernel_read+0x120/0x120
[  117.464950]  ? fget_raw+0x20/0x20
[  117.468383]  ? trace_hardirqs_off_caller+0x300/0x300
[  117.473470]  ? apparmor_file_permission+0x25/0x30
[  117.478300]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  117.483821]  ? security_file_permission+0x94/0x320
[  117.488761]  ? rw_verify_area+0x118/0x360
[  117.492897]  vfs_write+0x20c/0x580
[  117.496431]  ksys_write+0x105/0x260
[  117.500039]  ? __ia32_sys_read+0xb0/0xb0
[  117.504083]  ? trace_hardirqs_off_caller+0x300/0x300
[  117.509168]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  117.513905]  __x64_sys_write+0x73/0xb0
[  117.517774]  do_syscall_64+0x1a3/0x800
[  117.521642]  ? syscall_return_slowpath+0x5f0/0x5f0
[  117.526569]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  117.531567]  ? __switch_to_asm+0x34/0x70
[  117.535619]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  117.540449]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.545633] RIP: 0033:0x457ec9
[  117.548805] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  117.567685] RSP: 002b:00007fd39c497c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  117.575370] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[  117.582620] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[  117.589873] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  117.597120] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd39c4986d4
[  117.604365] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff
[  117.612576] Kernel Offset: disabled
[  117.616204] Rebooting in 86400 seconds..