Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
2019/11/29 23:13:59 parsed 1 programs
2019/11/29 23:14:01 executed programs: 0
syzkaller login: [ 76.796310][ T8881] IPVS: ftp: loaded support on port[0] = 21
[ 76.859870][ T8881] chnl_net:caif_netlink_parms(): no params data found
[ 76.888920][ T8881] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.896563][ T8881] bridge0: port 1(bridge_slave_0) entered disabled state
[ 76.904790][ T8881] device bridge_slave_0 entered promiscuous mode
[ 76.914117][ T8881] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.921444][ T8881] bridge0: port 2(bridge_slave_1) entered disabled state
[ 76.929393][ T8881] device bridge_slave_1 entered promiscuous mode
[ 76.948416][ T8881] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 76.959109][ T8881] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 76.979832][ T8881] team0: Port device team_slave_0 added
[ 76.986914][ T8881] team0: Port device team_slave_1 added
[ 77.056415][ T8881] device hsr_slave_0 entered promiscuous mode
[ 77.094213][ T8881] device hsr_slave_1 entered promiscuous mode
[ 77.160349][ T8881] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 77.225963][ T8881] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 77.306265][ T8881] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 77.376689][ T8881] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 77.424415][ T8881] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.431718][ T8881] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 77.440485][ T8881] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.447653][ T8881] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 77.486830][ T8881] 8021q: adding VLAN 0 to HW filter on device bond0
[ 77.499813][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 77.520506][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 77.541192][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 77.549456][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 77.562816][ T8881] 8021q: adding VLAN 0 to HW filter on device team0
[ 77.573030][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 77.582412][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.591596][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 77.602707][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 77.611551][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.618654][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 77.635317][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 77.644856][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 77.657898][ T8883] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 77.672695][ T8881] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 77.672715][ T8881] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 77.706719][ T8881] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 77.730792][ T8883] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 77.738247][ T8883] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 77.746057][ T8883] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 77.754908][ T8883] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 77.765322][ T8883] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 78.676883][ T9050]
[ 78.679246][ T9050] =====================================
[ 78.684953][ T9050] WARNING: bad unlock balance detected!
[ 78.690487][ T9050] 5.4.0-syzkaller #0 Not tainted
[ 78.695408][ T9050] -------------------------------------
[ 78.700939][ T9050] syz-executor.0/9050 is trying to release lock (&file->mut) at:
[ 78.708640][ T9050] [] ucma_destroy_id+0x24a/0x490
[ 78.715139][ T9050] but there are no more locks to release!
[ 78.720840][ T9050]
[ 78.720840][ T9050] other info that might help us debug this:
[ 78.728898][ T9050] 1 lock held by syz-executor.0/9050:
[ 78.734245][ T9050] #0: ffff88808d565260 (&file->mut){+.+.}, at: ucma_destroy_id+0x1e7/0x490
[ 78.743283][ T9050]
[ 78.743283][ T9050] stack backtrace:
[ 78.749157][ T9050] CPU: 1 PID: 9050 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
[ 78.757406][ T9050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.767530][ T9050] Call Trace:
[ 78.770810][ T9050] dump_stack+0x197/0x210
[ 78.775135][ T9050] ? ucma_destroy_id+0x24a/0x490
[ 78.780064][ T9050] print_unlock_imbalance_bug.cold+0x114/0x123
[ 78.786211][ T9050] ? ucma_destroy_id+0x24a/0x490
[ 78.791136][ T9050] lock_release+0x5f2/0x960
[ 78.795625][ T9050] ? lock_downgrade+0x920/0x920
[ 78.800459][ T9050] ? ucma_destroy_id+0x1e7/0x490
[ 78.805392][ T9050] ? ucma_destroy_id+0x1c0/0x490
[ 78.810318][ T9050] ? mutex_trylock+0x2f0/0x2f0
[ 78.815065][ T9050] ? ucma_destroy_id+0x1c0/0x490
[ 78.820003][ T9050] __mutex_unlock_slowpath+0x86/0x6a0
[ 78.825382][ T9050] ? lock_downgrade+0x920/0x920
[ 78.830210][ T9050] ? wait_for_completion+0x440/0x440
[ 78.835532][ T9050] mutex_unlock+0x1b/0x30
[ 78.839954][ T9050] ucma_destroy_id+0x24a/0x490
[ 78.844749][ T9050] ? ucma_close+0x310/0x310
[ 78.849243][ T9050] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 78.857205][ T9050] ? _copy_from_user+0x12c/0x1a0
[ 78.862219][ T9050] ucma_write+0x2d7/0x3c0
[ 78.866524][ T9050] ? ucma_close+0x310/0x310
[ 78.871005][ T9050] ? ucma_open+0x290/0x290
[ 78.875412][ T9050] ? apparmor_file_permission+0x25/0x30
[ 78.880954][ T9050] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.888753][ T9050] ? security_file_permission+0x8f/0x380
[ 78.894375][ T9050] __vfs_write+0x8a/0x110
[ 78.898699][ T9050] ? ucma_open+0x290/0x290
[ 78.903095][ T9050] vfs_write+0x268/0x5d0
[ 78.907325][ T9050] ksys_write+0x220/0x290
[ 78.911651][ T9050] ? __ia32_sys_read+0xb0/0xb0
[ 78.916393][ T9050] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 78.921925][ T9050] ? do_syscall_64+0x26/0x790
[ 78.926578][ T9050] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.932806][ T9050] ? do_syscall_64+0x26/0x790
[ 78.937478][ T9050] __x64_sys_write+0x73/0xb0
[ 78.942058][ T9050] do_syscall_64+0xfa/0x790
[ 78.946536][ T9050] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.952415][ T9050] RIP: 0033:0x45a679
[ 78.956308][ T9050] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 78.975892][ T9050] RSP: 002b:00007fb8b8f72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 78.984292][ T9050] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 78.992262][ T9050] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 79.000294][ T9050] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 79.008242][ T9050] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb8b8f736d4
[ 79.017156][ T9050] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 79.027984][ T9050] ==================================================================
[ 79.036612][ T9050] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x93/0x6a0
[ 79.044482][ T9050] Read of size 8 at addr ffff88808d4dee00 by task syz-executor.0/9050
[ 79.052603][ T9050]
[ 79.054919][ T9050] CPU: 1 PID: 9050 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
[ 79.063135][ T9050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.073180][ T9050] Call Trace:
[ 79.076464][ T9050] dump_stack+0x197/0x210
[ 79.080838][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.086375][ T9050] print_address_description.constprop.0.cold+0xd4/0x30b
[ 79.093425][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.099164][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.104738][ T9050] __kasan_report.cold+0x1b/0x41
[ 79.109664][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.115194][ T9050] kasan_report+0x12/0x20
[ 79.119522][ T9050] check_memory_region+0x134/0x1a0
[ 79.124618][ T9050] __kasan_check_read+0x11/0x20
[ 79.130144][ T9050] __mutex_unlock_slowpath+0x93/0x6a0
[ 79.135510][ T9050] ? lock_downgrade+0x920/0x920
[ 79.140364][ T9050] ? wait_for_completion+0x440/0x440
[ 79.145642][ T9050] mutex_unlock+0x1b/0x30
[ 79.151273][ T9050] ucma_destroy_id+0x24a/0x490
[ 79.156016][ T9050] ? ucma_close+0x310/0x310
[ 79.160504][ T9050] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.167353][ T9050] ? _copy_from_user+0x12c/0x1a0
[ 79.172270][ T9050] ucma_write+0x2d7/0x3c0
[ 79.176682][ T9050] ? ucma_close+0x310/0x310
[ 79.181165][ T9050] ? ucma_open+0x290/0x290
[ 79.185562][ T9050] ? apparmor_file_permission+0x25/0x30
[ 79.191826][ T9050] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.198046][ T9050] ? security_file_permission+0x8f/0x380
[ 79.203667][ T9050] __vfs_write+0x8a/0x110
[ 79.208137][ T9050] ? ucma_open+0x290/0x290
[ 79.212541][ T9050] vfs_write+0x268/0x5d0
[ 79.216773][ T9050] ksys_write+0x220/0x290
[ 79.221088][ T9050] ? __ia32_sys_read+0xb0/0xb0
[ 79.225852][ T9050] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 79.231291][ T9050] ? do_syscall_64+0x26/0x790
[ 79.235972][ T9050] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.242022][ T9050] ? do_syscall_64+0x26/0x790
[ 79.246689][ T9050] __x64_sys_write+0x73/0xb0
[ 79.251348][ T9050] do_syscall_64+0xfa/0x790
[ 79.255845][ T9050] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.261801][ T9050] RIP: 0033:0x45a679
[ 79.265689][ T9050] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.285641][ T9050] RSP: 002b:00007fb8b8f72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 79.294041][ T9050] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 79.302019][ T9050] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 79.309984][ T9050] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 79.318046][ T9050] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb8b8f736d4
[ 79.326016][ T9050] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 79.333984][ T9050]
[ 79.336291][ T9050] Allocated by task 9053:
[ 79.340623][ T9050] save_stack+0x23/0x90
[ 79.344758][ T9050] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 79.350384][ T9050] kasan_kmalloc+0x9/0x10
[ 79.355239][ T9050] kmem_cache_alloc_trace+0x158/0x790
[ 79.360608][ T9050] ucma_open+0x4f/0x290
[ 79.364764][ T9050] misc_open+0x395/0x4c0
[ 79.369508][ T9050] chrdev_open+0x245/0x6b0
[ 79.373910][ T9050] do_dentry_open+0x4e6/0x1380
[ 79.378674][ T9050] vfs_open+0xa0/0xd0
[ 79.382638][ T9050] path_openat+0x10e4/0x46d0
[ 79.387226][ T9050] do_filp_open+0x1a1/0x280
[ 79.391708][ T9050] do_sys_open+0x3fe/0x5d0
[ 79.396125][ T9050] __x64_sys_openat+0x9d/0x100
[ 79.400868][ T9050] do_syscall_64+0xfa/0x790
[ 79.405350][ T9050] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.411233][ T9050]
[ 79.413540][ T9050] Freed by task 9044:
[ 79.417508][ T9050] save_stack+0x23/0x90
[ 79.421903][ T9050] __kasan_slab_free+0x102/0x150
[ 79.426833][ T9050] kasan_slab_free+0xe/0x10
[ 79.431314][ T9050] kfree+0x10a/0x2c0
[ 79.435187][ T9050] ucma_close+0x275/0x310
[ 79.439509][ T9050] __fput+0x2ff/0x890
[ 79.443472][ T9050] ____fput+0x16/0x20
[ 79.447433][ T9050] task_work_run+0x145/0x1c0
[ 79.452097][ T9050] exit_to_usermode_loop+0x316/0x380
[ 79.457382][ T9050] do_syscall_64+0x676/0x790
[ 79.461961][ T9050] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.467845][ T9050]
[ 79.470215][ T9050] The buggy address belongs to the object at ffff88808d4dee00
[ 79.470215][ T9050] which belongs to the cache kmalloc-256 of size 256
[ 79.484269][ T9050] The buggy address is located 0 bytes inside of
[ 79.484269][ T9050] 256-byte region [ffff88808d4dee00, ffff88808d4def00)
[ 79.497972][ T9050] The buggy address belongs to the page:
[ 79.504392][ T9050] page:ffffea0002353780 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
[ 79.513483][ T9050] raw: 00fffe0000000200 ffffea000266f4c8 ffff8880aa401648 ffff8880aa4008c0
[ 79.522055][ T9050] raw: 0000000000000000 ffff88808d4de000 0000000100000008 0000000000000000
[ 79.531486][ T9050] page dumped because: kasan: bad access detected
[ 79.537965][ T9050]
[ 79.540280][ T9050] Memory state around the buggy address:
[ 79.545916][ T9050] ffff88808d4ded00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.554043][ T9050] ffff88808d4ded80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.562171][ T9050] >ffff88808d4dee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.571077][ T9050] ^
[ 79.575124][ T9050] ffff88808d4dee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.583595][ T9050] ffff88808d4def00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.591631][ T9050] ==================================================================
[ 79.602128][ T9050] Kernel panic - not syncing: panic_on_warn set ...
[ 79.608729][ T9050] CPU: 1 PID: 9050 Comm: syz-executor.0 Tainted: G B 5.4.0-syzkaller #0
[ 79.618341][ T9050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.628384][ T9050] Call Trace:
[ 79.631667][ T9050] dump_stack+0x197/0x210
[ 79.636681][ T9050] panic+0x2e3/0x75c
[ 79.640574][ T9050] ? add_taint.cold+0x16/0x16
[ 79.645235][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.650758][ T9050] ? preempt_schedule+0x4b/0x60
[ 79.655588][ T9050] ? ___preempt_schedule+0x16/0x18
[ 79.660679][ T9050] ? trace_hardirqs_on+0x5e/0x240
[ 79.665753][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.671295][ T9050] end_report+0x47/0x4f
[ 79.675449][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.680980][ T9050] __kasan_report.cold+0xe/0x41
[ 79.685838][ T9050] ? __mutex_unlock_slowpath+0x93/0x6a0
[ 79.691377][ T9050] kasan_report+0x12/0x20
[ 79.695690][ T9050] check_memory_region+0x134/0x1a0
[ 79.700890][ T9050] __kasan_check_read+0x11/0x20
[ 79.705812][ T9050] __mutex_unlock_slowpath+0x93/0x6a0
[ 79.711227][ T9050] ? lock_downgrade+0x920/0x920
[ 79.716076][ T9050] ? wait_for_completion+0x440/0x440
[ 79.721346][ T9050] mutex_unlock+0x1b/0x30
[ 79.725676][ T9050] ucma_destroy_id+0x24a/0x490
[ 79.730433][ T9050] ? ucma_close+0x310/0x310
[ 79.734939][ T9050] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.741165][ T9050] ? _copy_from_user+0x12c/0x1a0
[ 79.746084][ T9050] ucma_write+0x2d7/0x3c0
[ 79.750394][ T9050] ? ucma_close+0x310/0x310
[ 79.754889][ T9050] ? ucma_open+0x290/0x290
[ 79.759288][ T9050] ? apparmor_file_permission+0x25/0x30
[ 79.764812][ T9050] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.771044][ T9050] ? security_file_permission+0x8f/0x380
[ 79.776748][ T9050] __vfs_write+0x8a/0x110
[ 79.781058][ T9050] ? ucma_open+0x290/0x290
[ 79.785468][ T9050] vfs_write+0x268/0x5d0
[ 79.790316][ T9050] ksys_write+0x220/0x290
[ 79.794670][ T9050] ? __ia32_sys_read+0xb0/0xb0
[ 79.799689][ T9050] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 79.805198][ T9050] ? do_syscall_64+0x26/0x790
[ 79.809864][ T9050] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.816010][ T9050] ? do_syscall_64+0x26/0x790
[ 79.820681][ T9050] __x64_sys_write+0x73/0xb0
[ 79.825301][ T9050] do_syscall_64+0xfa/0x790
[ 79.829849][ T9050] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.835725][ T9050] RIP: 0033:0x45a679
[ 79.839775][ T9050] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.863616][ T9050] RSP: 002b:00007fb8b8f72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 79.872010][ T9050] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 79.879964][ T9050] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 79.887935][ T9050] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 79.895905][ T9050] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb8b8f736d4
[ 79.904128][ T9050] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 79.913375][ T9050] Kernel Offset: disabled
[ 79.917725][ T9050] Rebooting in 86400 seconds..