[   36.795558] audit: type=1800 audit(1546570302.516:28): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   37.650726] audit: type=1800 audit(1546570303.446:29): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   37.670113] audit: type=1800 audit(1546570303.446:30): pid=7550 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[....] startpar: service(s) returned failure: ssh ...[?25l[?1c7[1G[[31mFAIL[39;49m8[?25h[?0c [31mfailed![39;49m

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
2019/01/04 02:52:50 parsed 1 programs
2019/01/04 02:52:52 executed programs: 0
syzkaller login: [  106.563009] IPVS: ftp: loaded support on port[0] = 21
[  106.622703] chnl_net:caif_netlink_parms(): no params data found
[  106.652897] bridge0: port 1(bridge_slave_0) entered blocking state
[  106.659765] bridge0: port 1(bridge_slave_0) entered disabled state
[  106.666894] device bridge_slave_0 entered promiscuous mode
[  106.674188] bridge0: port 2(bridge_slave_1) entered blocking state
[  106.680892] bridge0: port 2(bridge_slave_1) entered disabled state
[  106.687981] device bridge_slave_1 entered promiscuous mode
[  106.703504] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  106.712139] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  106.728206] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  106.735591] team0: Port device team_slave_0 added
[  106.740918] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  106.748027] team0: Port device team_slave_1 added
[  106.753176] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[  106.760425] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[  106.818157] device hsr_slave_0 entered promiscuous mode
[  106.855753] device hsr_slave_1 entered promiscuous mode
[  106.925880] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[  106.932744] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[  106.946301] bridge0: port 2(bridge_slave_1) entered blocking state
[  106.952940] bridge0: port 2(bridge_slave_1) entered forwarding state
[  106.959819] bridge0: port 1(bridge_slave_0) entered blocking state
[  106.966186] bridge0: port 1(bridge_slave_0) entered forwarding state
[  106.997446] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  107.003626] 8021q: adding VLAN 0 to HW filter on device bond0
[  107.011861] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  107.020749] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  107.040715] bridge0: port 1(bridge_slave_0) entered disabled state
[  107.048179] bridge0: port 2(bridge_slave_1) entered disabled state
[  107.056173] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  107.066312] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  107.072405] 8021q: adding VLAN 0 to HW filter on device team0
[  107.081342] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  107.089050] bridge0: port 1(bridge_slave_0) entered blocking state
[  107.095373] bridge0: port 1(bridge_slave_0) entered forwarding state
[  107.104546] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  107.112495] bridge0: port 2(bridge_slave_1) entered blocking state
[  107.118868] bridge0: port 2(bridge_slave_1) entered forwarding state
[  107.138644] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  107.146457] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  107.153951] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  107.161719] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  107.171112] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  107.180123] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[  107.186324] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  107.198107] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[  107.208209] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/01/04 02:52:57 executed programs: 163
[  116.446479] 
[  116.448164] =====================================
[  116.453016] WARNING: bad unlock balance detected!
[  116.457848] 4.20.0+ #8 Not tainted
[  116.461370] -------------------------------------
[  116.466218] syz-executor0/10382 is trying to release lock (&file->mut) at:
[  116.473235] [<ffffffff85acc319>] ucma_destroy_id+0x269/0x540
[  116.479003] but there are no more locks to release!
[  116.483991] 
[  116.483991] other info that might help us debug this:
[  116.490634] 1 lock held by syz-executor0/10382:
[  116.495274]  #0: 0000000096336888 (&file->mut){+.+.}, at: ucma_destroy_id+0x209/0x540
[  116.503228] 
[  116.503228] stack backtrace:
[  116.507701] CPU: 1 PID: 10382 Comm: syz-executor0 Not tainted 4.20.0+ #8
[  116.514511] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  116.523835] Call Trace:
[  116.526400]  dump_stack+0x1db/0x2d0
[  116.530004]  ? dump_stack_print_info.cold+0x20/0x20
[  116.534995]  ? ucma_destroy_id+0x269/0x540
[  116.539209]  ? print_tainted+0x176/0x1e0
[  116.543264]  ? vprintk_func+0x86/0x189
[  116.547130]  ? ucma_destroy_id+0x269/0x540
[  116.551359]  print_unlock_imbalance_bug.cold+0xd0/0xdf
[  116.556615]  ? ucma_destroy_id+0x269/0x540
[  116.560842]  lock_release+0x77a/0xc40
[  116.564629]  ? lock_downgrade+0x910/0x910
[  116.568785]  ? __radix_tree_delete+0x27e/0x4e0
[  116.573350]  ? idr_preload+0x50/0x50
[  116.577045]  ? __radix_tree_lookup+0x3aa/0x4f0
[  116.581606]  __mutex_unlock_slowpath+0xe9/0x870
[  116.586256]  ? wait_for_completion+0x810/0x810
[  116.590818]  mutex_unlock+0xd/0x10
[  116.594340]  ucma_destroy_id+0x269/0x540
[  116.598381]  ? ucma_close+0x320/0x320
[  116.602161]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  116.607688]  ? _copy_from_user+0xdd/0x150
[  116.611815]  ucma_write+0x36b/0x480
[  116.615443]  ? ucma_close+0x320/0x320
[  116.619226]  ? ucma_open+0x400/0x400
[  116.622920]  ? __might_fault+0x12b/0x1e0
[  116.626962]  ? find_held_lock+0x35/0x120
[  116.631008]  __vfs_write+0x116/0xb40
[  116.634698]  ? ucma_open+0x400/0x400
[  116.638387]  ? kernel_read+0x120/0x120
[  116.642287]  ? fget_raw+0x20/0x20
[  116.645718]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.650801]  ? apparmor_file_permission+0x25/0x30
[  116.655641]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  116.661161]  ? security_file_permission+0x94/0x320
[  116.666062]  ? rw_verify_area+0x118/0x360
[  116.670191]  vfs_write+0x20c/0x580
[  116.673716]  ksys_write+0x105/0x260
[  116.677368]  ? __ia32_sys_read+0xb0/0xb0
[  116.681404]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.686483]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  116.691212]  __x64_sys_write+0x73/0xb0
[  116.695071]  do_syscall_64+0x1a3/0x800
[  116.698934]  ? syscall_return_slowpath+0x5f0/0x5f0
[  116.703874]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  116.708873]  ? __switch_to_asm+0x34/0x70
[  116.712913]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  116.717733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  116.722896] RIP: 0033:0x457ec9
[  116.726070] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  116.744973] RSP: 002b:00007fd39c497c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  116.752652] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[  116.759917] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[  116.767158] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  116.774399] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd39c4986d4
[  116.781640] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff
[  116.791535] ==================================================================
[  116.798890] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xf6/0x870
[  116.806052] Read of size 8 at addr ffff8880879d8040 by task syz-executor0/10382
[  116.813470] 
[  116.815082] CPU: 1 PID: 10382 Comm: syz-executor0 Not tainted 4.20.0+ #8
[  116.821896] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  116.831227] Call Trace:
[  116.833791]  dump_stack+0x1db/0x2d0
[  116.837396]  ? dump_stack_print_info.cold+0x20/0x20
[  116.842401]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.847236]  print_address_description.cold+0x7c/0x20d
[  116.852491]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.857308]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.862132]  kasan_report.cold+0x1b/0x40
[  116.866172]  ? __mutex_unlock_slowpath+0xf6/0x870
[  116.871010]  check_memory_region+0x123/0x190
[  116.875400]  kasan_check_read+0x11/0x20
[  116.879403]  __mutex_unlock_slowpath+0xf6/0x870
[  116.884067]  ? wait_for_completion+0x810/0x810
[  116.888633]  mutex_unlock+0xd/0x10
[  116.892155]  ucma_destroy_id+0x269/0x540
[  116.896194]  ? ucma_close+0x320/0x320
[  116.899975]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  116.905489]  ? _copy_from_user+0xdd/0x150
[  116.909613]  ucma_write+0x36b/0x480
[  116.913215]  ? ucma_close+0x320/0x320
[  116.916996]  ? ucma_open+0x400/0x400
[  116.920686]  ? __might_fault+0x12b/0x1e0
[  116.924722]  ? find_held_lock+0x35/0x120
[  116.928782]  __vfs_write+0x116/0xb40
[  116.932475]  ? ucma_open+0x400/0x400
[  116.936171]  ? kernel_read+0x120/0x120
[  116.940039]  ? fget_raw+0x20/0x20
[  116.943483]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.948586]  ? apparmor_file_permission+0x25/0x30
[  116.953407]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  116.958926]  ? security_file_permission+0x94/0x320
[  116.963840]  ? rw_verify_area+0x118/0x360
[  116.967966]  vfs_write+0x20c/0x580
[  116.971502]  ksys_write+0x105/0x260
[  116.975119]  ? __ia32_sys_read+0xb0/0xb0
[  116.979178]  ? trace_hardirqs_off_caller+0x300/0x300
[  116.984264]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  116.988996]  __x64_sys_write+0x73/0xb0
[  116.992859]  do_syscall_64+0x1a3/0x800
[  116.996721]  ? syscall_return_slowpath+0x5f0/0x5f0
[  117.001628]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  117.006633]  ? __switch_to_asm+0x34/0x70
[  117.010721]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  117.015541]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.020717] RIP: 0033:0x457ec9
[  117.023889] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  117.042768] RSP: 002b:00007fd39c497c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  117.050452] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[  117.057699] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[  117.064974] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  117.072228] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd39c4986d4
[  117.079495] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff
[  117.086759] 
[  117.088383] Allocated by task 10382:
[  117.092085]  save_stack+0x45/0xd0
[  117.095519]  kasan_kmalloc+0xcf/0xe0
[  117.099211]  kmem_cache_alloc_trace+0x151/0x760
[  117.103863]  ucma_open+0xac/0x400
[  117.107293]  misc_open+0x398/0x4c0
[  117.110811]  chrdev_open+0x270/0x7c0
[  117.114512]  do_dentry_open+0x48a/0x1210
[  117.118550]  vfs_open+0xa0/0xd0
[  117.121847]  path_openat+0x144f/0x5650
[  117.125715]  do_filp_open+0x26f/0x370
[  117.129492]  do_sys_open+0x59a/0x7c0
[  117.133182]  __x64_sys_openat+0x9d/0x100
[  117.137220]  do_syscall_64+0x1a3/0x800
[  117.141083]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.146251] 
[  117.147857] Freed by task 10376:
[  117.151222]  save_stack+0x45/0xd0
[  117.154661]  __kasan_slab_free+0x102/0x150
[  117.158890]  kasan_slab_free+0xe/0x10
[  117.162688]  kfree+0xcf/0x230
[  117.165769]  ucma_close+0x291/0x320
[  117.169371]  __fput+0x3c5/0xb10
[  117.172625]  ____fput+0x16/0x20
[  117.175882]  task_work_run+0x1f4/0x2b0
[  117.179749]  exit_to_usermode_loop+0x32a/0x3b0
[  117.184308]  do_syscall_64+0x696/0x800
[  117.188178]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.193394] 
[  117.195009] The buggy address belongs to the object at ffff8880879d8040
[  117.195009]  which belongs to the cache kmalloc-256 of size 256
[  117.207651] The buggy address is located 0 bytes inside of
[  117.207651]  256-byte region [ffff8880879d8040, ffff8880879d8140)
[  117.219319] The buggy address belongs to the page:
[  117.224225] page:ffffea00021e7600 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[  117.232349] flags: 0x1fffc0000000200(slab)
[  117.236562] raw: 01fffc0000000200 ffffea00027b7c48 ffffea0002a3e108 ffff88812c3f07c0
[  117.244418] raw: 0000000000000000 ffff8880879d8040 000000010000000c 0000000000000000
[  117.252268] page dumped because: kasan: bad access detected
[  117.257950] 
[  117.259549] Memory state around the buggy address:
[  117.264454]  ffff8880879d7f00: fc fc fc fc fb fb fb fb fb fb fb fc fc fc fc fb
[  117.271787]  ffff8880879d7f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[  117.279128] >ffff8880879d8000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  117.286487]                                            ^
[  117.291920]  ffff8880879d8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  117.299261]  ffff8880879d8100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  117.306596] ==================================================================
[  117.314472] Kernel panic - not syncing: panic_on_warn set ...
[  117.320357] CPU: 1 PID: 10382 Comm: syz-executor0 Tainted: G    B             4.20.0+ #8
[  117.328569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  117.337933] Call Trace:
[  117.340500]  dump_stack+0x1db/0x2d0
[  117.344139]  ? dump_stack_print_info.cold+0x20/0x20
[  117.349143]  panic+0x2cb/0x589
[  117.352316]  ? add_taint.cold+0x16/0x16
[  117.356294]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.361117]  ? preempt_schedule+0x4b/0x60
[  117.365262]  ? ___preempt_schedule+0x16/0x18
[  117.369650]  ? trace_hardirqs_on+0xb4/0x310
[  117.373964]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.378786]  end_report+0x47/0x4f
[  117.382217]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.387040]  kasan_report.cold+0xe/0x40
[  117.391002]  ? __mutex_unlock_slowpath+0xf6/0x870
[  117.395842]  check_memory_region+0x123/0x190
[  117.400240]  kasan_check_read+0x11/0x20
[  117.404199]  __mutex_unlock_slowpath+0xf6/0x870
[  117.408851]  ? wait_for_completion+0x810/0x810
[  117.413415]  mutex_unlock+0xd/0x10
[  117.416961]  ucma_destroy_id+0x269/0x540
[  117.421048]  ? ucma_close+0x320/0x320
[  117.424834]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  117.430353]  ? _copy_from_user+0xdd/0x150
[  117.434483]  ucma_write+0x36b/0x480
[  117.438091]  ? ucma_close+0x320/0x320
[  117.441883]  ? ucma_open+0x400/0x400
[  117.445584]  ? __might_fault+0x12b/0x1e0
[  117.449628]  ? find_held_lock+0x35/0x120
[  117.453680]  __vfs_write+0x116/0xb40
[  117.457376]  ? ucma_open+0x400/0x400
[  117.461083]  ? kernel_read+0x120/0x120
[  117.464950]  ? fget_raw+0x20/0x20
[  117.468383]  ? trace_hardirqs_off_caller+0x300/0x300
[  117.473470]  ? apparmor_file_permission+0x25/0x30
[  117.478300]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  117.483821]  ? security_file_permission+0x94/0x320
[  117.488761]  ? rw_verify_area+0x118/0x360
[  117.492897]  vfs_write+0x20c/0x580
[  117.496431]  ksys_write+0x105/0x260
[  117.500039]  ? __ia32_sys_read+0xb0/0xb0
[  117.504083]  ? trace_hardirqs_off_caller+0x300/0x300
[  117.509168]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  117.513905]  __x64_sys_write+0x73/0xb0
[  117.517774]  do_syscall_64+0x1a3/0x800
[  117.521642]  ? syscall_return_slowpath+0x5f0/0x5f0
[  117.526569]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  117.531567]  ? __switch_to_asm+0x34/0x70
[  117.535619]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  117.540449]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  117.545633] RIP: 0033:0x457ec9
[  117.548805] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  117.567685] RSP: 002b:00007fd39c497c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  117.575370] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[  117.582620] RDX: 0000000000000018 RSI: 00000000200002c0 RDI: 0000000000000005
[  117.589873] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  117.597120] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd39c4986d4
[  117.604365] R13: 00000000004cd3c8 R14: 00000000004dc1c0 R15: 00000000ffffffff
[  117.612576] Kernel Offset: disabled
[  117.616204] Rebooting in 86400 seconds..