[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.

syzkaller login: [ 36.315919] IPVS: ftp: loaded support on port[0] = 21
[ 36.419553] chnl_net:caif_netlink_parms(): no params data found
[ 36.513454] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.520155] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.528030] device bridge_slave_0 entered promiscuous mode
[ 36.535729] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.542136] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.550074] device bridge_slave_1 entered promiscuous mode
[ 36.567589] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.577347] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.595870] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.603340] team0: Port device team_slave_0 added
[ 36.609608] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.617432] team0: Port device team_slave_1 added
[ 36.632760] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.639114] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.665439] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.677185] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.683419] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.709644] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.720702] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 36.728784] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 36.748225] device hsr_slave_0 entered promiscuous mode
[ 36.753963] device hsr_slave_1 entered promiscuous mode
[ 36.760740] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 36.768292] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 36.832358] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.838810] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.845810] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.852183] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.883434] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.889769] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.898874] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.908085] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.916860] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.924192] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.932065] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.942348] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.949218] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.959412] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.967521] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.973962] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.984755] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.992397] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.998816] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.013200] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 37.021953] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 37.032010] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 37.044988] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 37.055821] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 37.066870] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 37.073458] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.081848] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.089500] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 37.101695] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 37.109076] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 37.116669] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 37.127534] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 37.139674] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 37.149049] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.187528] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 37.195813] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 37.202268] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 37.211664] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.219657] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 37.226778] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 37.236527] device veth0_vlan entered promiscuous mode
[ 37.245381] device veth1_vlan entered promiscuous mode
[ 37.251175] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 37.260260] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 37.271149] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 37.281109] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 37.288775] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 37.297430] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.307059] device veth0_macvtap entered promiscuous mode
[ 37.313186] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 37.322181] device veth1_macvtap entered promiscuous mode
[ 37.330912] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 37.340806] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 37.350987] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 37.358469] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.366877] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 37.377357] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 37.384178] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 37.490691] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 37.497736] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 37.516854] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 37.521496] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 37.528571] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
executing program
[ 37.531841] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 37.540580] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 37.550594] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 37.566873] 
[ 37.568505] =====================================
[ 37.573322] WARNING: bad unlock balance detected!
[ 37.578140] 4.19.211-syzkaller #0 Not tainted
[ 37.582612] -------------------------------------
[ 37.587429] syz-executor174/8344 is trying to release lock (&file->mut) at:
[ 37.594514] [] ucma_destroy_id+0x221/0x4a0
[ 37.600279] but there are no more locks to release!
[ 37.605267] 
[ 37.605267] other info that might help us debug this:
[ 37.611954] 1 lock held by syz-executor174/8344:
[ 37.616681] #0: 0000000063535aa8 (&file->mut){+.+.}, at: ucma_destroy_id+0x1c2/0x4a0
[ 37.624721] 
[ 37.624721] stack backtrace:
[ 37.629200] CPU: 1 PID: 8344 Comm: syz-executor174 Not tainted 4.19.211-syzkaller #0
[ 37.637061] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 37.646508] Call Trace:
[ 37.649085] dump_stack+0x1fc/0x2ef
[ 37.652710] ? ucma_destroy_id+0x221/0x4a0
[ 37.656934] lock_release.cold+0xe/0x4a
[ 37.660902] ? lock_downgrade+0x720/0x720
[ 37.665032] ? ucma_destroy_id+0x1c2/0x4a0
[ 37.669247] ? mutex_trylock+0x1a0/0x1a0
[ 37.673289] __mutex_unlock_slowpath+0x89/0x610
[ 37.677961] ? wait_for_completion_io+0x10/0x10
[ 37.682608] ? __radix_tree_lookup+0x216/0x370
[ 37.687171] ucma_destroy_id+0x221/0x4a0
[ 37.691244] ? ucma_query_route+0xdd0/0xdd0
[ 37.695552] ? __might_fault+0x192/0x1d0
[ 37.699665] ? _copy_from_user+0xd2/0x130
[ 37.703809] ? ucma_query_route+0xdd0/0xdd0
[ 37.708113] ucma_write+0x288/0x350
[ 37.711727] ? ucma_set_ib_path+0x5a0/0x5a0
[ 37.716033] ? __lock_acquire+0x6de/0x3ff0
[ 37.720265] __vfs_write+0xf7/0x770
[ 37.723890] ? ucma_set_ib_path+0x5a0/0x5a0
[ 37.728194] ? common_file_perm+0x4e5/0x850
[ 37.732648] ? kernel_read+0x110/0x110
[ 37.736534] ? apparmor_getprocattr+0x11e0/0x11e0
[ 37.741372] ? security_file_permission+0x1c0/0x220
[ 37.746372] vfs_write+0x1f3/0x540
[ 37.749894] ksys_write+0x12b/0x2a0
[ 37.753505] ? __ia32_sys_read+0xb0/0xb0
[ 37.757550] ? trace_hardirqs_off_caller+0x6e/0x210
[ 37.762549] ? do_syscall_64+0x21/0x620
[ 37.766502] do_syscall_64+0xf9/0x620
[ 37.770281] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.775461] RIP: 0033:0x7f2dc0aec3d9
[ 37.779163] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 37.798039] RSP: 002b:00007f2dc026f208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 37.805786] RAX: ffffffffffffffda RBX: 00007f2dc0b6f4b8 RCX: 00007f2dc0aec3d9
[ 37.813043] RDX: 0000000000000018 RSI: 0000000020000180 RDI: 0000000000000003
[ 37.820293] RBP: 00007f2dc0b6f4b0 R08: 00007f2dc026f700 R09: 0000000000000000
[ 37.827547] R10: 00007f2dc026f700 R11: 0000000000000246 R12: 00007f2dc0b6f4bc
[ 37.834820] R13: 00007ffc5999ab5f R14: 00007f2dc026f300 R15: 0000000000022000
[ 37.845475] ==================================================================
[ 37.852936] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x96/0x610
[ 37.860118] Read of size 8 at addr ffff8880b49faac0 by task syz-executor174/8344
[ 37.867742] 
[ 37.869350] CPU: 1 PID: 8344 Comm: syz-executor174 Not tainted 4.19.211-syzkaller #0
[ 37.877311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 37.886656] Call Trace:
[ 37.889292] dump_stack+0x1fc/0x2ef
[ 37.892904] print_address_description.cold+0x54/0x219
[ 37.898169] kasan_report_error.cold+0x8a/0x1b9
[ 37.902825] ? __mutex_unlock_slowpath+0x96/0x610
[ 37.907684] kasan_report+0x8f/0xa0
[ 37.911298] ? __mutex_unlock_slowpath+0x96/0x610
[ 37.916126] __mutex_unlock_slowpath+0x96/0x610
[ 37.920786] ? wait_for_completion_io+0x10/0x10
[ 37.925446] ? __radix_tree_lookup+0x216/0x370
[ 37.930018] ucma_destroy_id+0x221/0x4a0
[ 37.934112] ? ucma_query_route+0xdd0/0xdd0
[ 37.938417] ? __might_fault+0x192/0x1d0
[ 37.942464] ? _copy_from_user+0xd2/0x130
[ 37.946617] ? ucma_query_route+0xdd0/0xdd0
[ 37.950918] ucma_write+0x288/0x350
[ 37.954529] ? ucma_set_ib_path+0x5a0/0x5a0
[ 37.958834] ? __lock_acquire+0x6de/0x3ff0
[ 37.963064] __vfs_write+0xf7/0x770
[ 37.966673] ? ucma_set_ib_path+0x5a0/0x5a0
[ 37.971129] ? common_file_perm+0x4e5/0x850
[ 37.975577] ? kernel_read+0x110/0x110
[ 37.979465] ? apparmor_getprocattr+0x11e0/0x11e0
[ 37.984300] ? security_file_permission+0x1c0/0x220
[ 37.989309] vfs_write+0x1f3/0x540
[ 37.992838] ksys_write+0x12b/0x2a0
[ 37.996457] ? __ia32_sys_read+0xb0/0xb0
[ 38.000509] ? trace_hardirqs_off_caller+0x6e/0x210
[ 38.005513] ? do_syscall_64+0x21/0x620
[ 38.009554] do_syscall_64+0xf9/0x620
[ 38.013343] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.018515] RIP: 0033:0x7f2dc0aec3d9
[ 38.022209] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 38.041221] RSP: 002b:00007f2dc026f208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 38.048913] RAX: ffffffffffffffda RBX: 00007f2dc0b6f4b8 RCX: 00007f2dc0aec3d9
[ 38.056167] RDX: 0000000000000018 RSI: 0000000020000180 RDI: 0000000000000003
[ 38.063420] RBP: 00007f2dc0b6f4b0 R08: 00007f2dc026f700 R09: 0000000000000000
[ 38.070673] R10: 00007f2dc026f700 R11: 0000000000000246 R12: 00007f2dc0b6f4bc
[ 38.078026] R13: 00007ffc5999ab5f R14: 00007f2dc026f300 R15: 0000000000022000
[ 38.085306] 
[ 38.086920] Allocated by task 8341:
[ 38.090529] kmem_cache_alloc_trace+0x12f/0x380
[ 38.095176] ucma_open+0x4a/0x280
[ 38.098606] misc_open+0x372/0x4a0
[ 38.102120] chrdev_open+0x266/0x770
[ 38.105810] do_dentry_open+0x4aa/0x1160
[ 38.109856] path_openat+0x793/0x2df0
[ 38.113635] do_filp_open+0x18c/0x3f0
[ 38.117425] do_sys_open+0x3b3/0x520
[ 38.121117] do_syscall_64+0xf9/0x620
[ 38.124893] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.130055] 
[ 38.131659] Freed by task 8082:
[ 38.134927] kfree+0xcc/0x210
[ 38.138014] ucma_close+0x2cf/0x360
[ 38.141624] __fput+0x2ce/0x890
[ 38.144885] task_work_run+0x148/0x1c0
[ 38.148751] exit_to_usermode_loop+0x251/0x2a0
[ 38.153309] do_syscall_64+0x538/0x620
[ 38.157178] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.162444] 
[ 38.164052] The buggy address belongs to the object at ffff8880b49faac0
[ 38.164052] which belongs to the cache kmalloc-256 of size 256
[ 38.176685] The buggy address is located 0 bytes inside of
[ 38.176685] 256-byte region [ffff8880b49faac0, ffff8880b49fabc0)
[ 38.188369] The buggy address belongs to the page:
[ 38.193583] page:ffffea0002d27e80 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
[ 38.201707] flags: 0xfff00000000100(slab)
[ 38.205925] raw: 00fff00000000100 ffffea0002bfbd48 ffffea0002d37888 ffff88813bff07c0
[ 38.213784] raw: 0000000000000000 ffff8880b49fa0c0 000000010000000c 0000000000000000
[ 38.221637] page dumped because: kasan: bad access detected
[ 38.227318] 
[ 38.228919] Memory state around the buggy address:
[ 38.233826] ffff8880b49fa980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.241199] ffff8880b49faa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 38.248547] >ffff8880b49faa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 38.255886]                                            ^
[ 38.261318] ffff8880b49fab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.268655] ffff8880b49fab80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.275990] ==================================================================
[ 38.288741] Kernel panic - not syncing: panic_on_warn set ...
[ 38.288741] 
[ 38.296118] CPU: 1 PID: 8344 Comm: syz-executor174 Tainted: G B 4.19.211-syzkaller #0
[ 38.305384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 38.314912] Call Trace:
[ 38.317493] dump_stack+0x1fc/0x2ef
[ 38.321099] panic+0x26a/0x50e
[ 38.324268] ? __warn_printk+0xf3/0xf3
[ 38.328135] ? preempt_schedule_common+0x45/0xc0
[ 38.332869] ? ___preempt_schedule+0x16/0x18
[ 38.337257] ? trace_hardirqs_on+0x55/0x210
[ 38.341556] kasan_end_report+0x43/0x49
[ 38.345510] kasan_report_error.cold+0xa7/0x1b9
[ 38.350158] ? __mutex_unlock_slowpath+0x96/0x610
[ 38.354975] kasan_report+0x8f/0xa0
[ 38.358579] ? __mutex_unlock_slowpath+0x96/0x610
[ 38.363398] __mutex_unlock_slowpath+0x96/0x610
[ 38.368057] ? wait_for_completion_io+0x10/0x10
[ 38.372702] ? __radix_tree_lookup+0x216/0x370
[ 38.377264] ucma_destroy_id+0x221/0x4a0
[ 38.381301] ? ucma_query_route+0xdd0/0xdd0
[ 38.385602] ? __might_fault+0x192/0x1d0
[ 38.389640] ? _copy_from_user+0xd2/0x130
[ 38.393764] ? ucma_query_route+0xdd0/0xdd0
[ 38.398061] ucma_write+0x288/0x350
[ 38.401666] ? ucma_set_ib_path+0x5a0/0x5a0
[ 38.405963] ? __lock_acquire+0x6de/0x3ff0
[ 38.410177] __vfs_write+0xf7/0x770
[ 38.413799] ? ucma_set_ib_path+0x5a0/0x5a0
[ 38.418097] ? common_file_perm+0x4e5/0x850
[ 38.422397] ? kernel_read+0x110/0x110
[ 38.426263] ? apparmor_getprocattr+0x11e0/0x11e0
[ 38.431087] ? security_file_permission+0x1c0/0x220
[ 38.436082] vfs_write+0x1f3/0x540
[ 38.439599] ksys_write+0x12b/0x2a0
[ 38.443204] ? __ia32_sys_read+0xb0/0xb0
[ 38.447252] ? trace_hardirqs_off_caller+0x6e/0x210
[ 38.452245] ? do_syscall_64+0x21/0x620
[ 38.456195] do_syscall_64+0xf9/0x620
[ 38.459974] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.465139] RIP: 0033:0x7f2dc0aec3d9
[ 38.468829] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 38.487705] RSP: 002b:00007f2dc026f208 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 38.495386] RAX: ffffffffffffffda RBX: 00007f2dc0b6f4b8 RCX: 00007f2dc0aec3d9
[ 38.502633] RDX: 0000000000000018 RSI: 0000000020000180 RDI: 0000000000000003
[ 38.509988] RBP: 00007f2dc0b6f4b0 R08: 00007f2dc026f700 R09: 0000000000000000
[ 38.517234] R10: 00007f2dc026f700 R11: 0000000000000246 R12: 00007f2dc0b6f4bc
[ 38.524478] R13: 00007ffc5999ab5f R14: 00007f2dc026f300 R15: 0000000000022000
[ 38.531899] Kernel Offset: disabled
[ 38.535521] Rebooting in 86400 seconds..