Warning: Permanently added '10.128.10.30' (ECDSA) to the list of known hosts.
[ 87.858773][ T26] audit: type=1400 audit(1561616358.307:36): avc: denied { map } for pid=9874 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/27 06:19:19 parsed 1 programs
[ 88.883636][ T26] audit: type=1400 audit(1561616359.337:37): avc: denied { map } for pid=9874 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=139 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/27 06:19:21 executed programs: 0
[ 90.793089][ T9889] IPVS: ftp: loaded support on port[0] = 21
[ 90.858226][ T9889] chnl_net:caif_netlink_parms(): no params data found
[ 90.887450][ T9889] bridge0: port 1(bridge_slave_0) entered blocking state
[ 90.895066][ T9889] bridge0: port 1(bridge_slave_0) entered disabled state
[ 90.902936][ T9889] device bridge_slave_0 entered promiscuous mode
[ 90.911513][ T9889] bridge0: port 2(bridge_slave_1) entered blocking state
[ 90.918609][ T9889] bridge0: port 2(bridge_slave_1) entered disabled state
[ 90.926555][ T9889] device bridge_slave_1 entered promiscuous mode
[ 90.944311][ T9889] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 90.954707][ T9889] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 90.972467][ T9889] team0: Port device team_slave_0 added
[ 90.979729][ T9889] team0: Port device team_slave_1 added
[ 91.052522][ T9889] device hsr_slave_0 entered promiscuous mode
[ 91.120356][ T9889] device hsr_slave_1 entered promiscuous mode
[ 91.199655][ T9889] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.206857][ T9889] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.214620][ T9889] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.221722][ T9889] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 91.256654][ T9889] 8021q: adding VLAN 0 to HW filter on device bond0
[ 91.269607][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 91.289788][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 91.298020][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 91.307189][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 91.318592][ T9889] 8021q: adding VLAN 0 to HW filter on device team0
[ 91.329183][ T2964] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 91.338044][ T2964] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.345154][ T2964] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 91.361474][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 91.369951][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.377132][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.387986][ T2964] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 91.397604][ T2964] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 91.408475][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 91.422603][ T2964] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 91.434856][ T9889] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 91.446906][ T9889] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 91.455179][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 91.475201][ T9889] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 91.512477][ T26] audit: type=1400 audit(1561616361.967:38): avc: denied { associate } for pid=9889 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 91.741129][ T9891] ==================================================================
[ 91.749402][ T9891] BUG: KASAN: use-after-free in xfrm_hash_rebuild+0xfff/0x10f0
[ 91.756948][ T9891] Write of size 8 at addr ffff88808e2c3300 by task kworker/1:3/9891
[ 91.756960][ T9891]
[ 91.756974][ T9891] CPU: 1 PID: 9891 Comm: kworker/1:3 Not tainted 5.2.0-rc6+ #34
[ 91.756981][ T9891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.756995][ T9891] Workqueue: events xfrm_hash_rebuild
[ 91.757013][ T9891] Call Trace:
[ 91.757040][ T9891] dump_stack+0x172/0x1f0
[ 91.757060][ T9891] ? xfrm_hash_rebuild+0xfff/0x10f0
[ 91.757088][ T9891] print_address_description.cold+0x7c/0x20d
[ 91.757098][ T9891] ? xfrm_hash_rebuild+0xfff/0x10f0
[ 91.816349][ T9891] ? xfrm_hash_rebuild+0xfff/0x10f0
[ 91.821555][ T9891] __kasan_report.cold+0x1b/0x40
[ 91.826607][ T9891] ? xfrm_hash_rebuild+0xfff/0x10f0
[ 91.831836][ T9891] kasan_report+0x12/0x20
[ 91.836168][ T9891] __asan_report_store8_noabort+0x17/0x20
[ 91.841896][ T9891] xfrm_hash_rebuild+0xfff/0x10f0
[ 91.846948][ T9891] process_one_work+0x989/0x1790
[ 91.851897][ T9891] ? pwq_dec_nr_in_flight+0x320/0x320
[ 91.857281][ T9891] ? lock_acquire+0x16f/0x3f0
[ 91.861992][ T9891] worker_thread+0x98/0xe40
[ 91.866715][ T9891] ? trace_hardirqs_on+0x67/0x220
[ 91.871756][ T9891] kthread+0x354/0x420
[ 91.875833][ T9891] ? process_one_work+0x1790/0x1790
[ 91.881031][ T9891] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 91.887366][ T9891] ret_from_fork+0x24/0x30
[ 91.891787][ T9891]
[ 91.894111][ T9891] Allocated by task 9889:
[ 91.898452][ T9891] save_stack+0x23/0x90
[ 91.902606][ T9891] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 91.908249][ T9891] kasan_kmalloc+0x9/0x10
[ 91.912587][ T9891] __kmalloc+0x15c/0x740
[ 91.916832][ T9891] xfrm_hash_alloc+0xd1/0x100
[ 91.921519][ T9891] xfrm_net_init+0x227/0xa30
[ 91.926127][ T9891] ops_init+0xb3/0x410
[ 91.930203][ T9891] setup_net+0x2d3/0x740
[ 91.934451][ T9891] copy_net_ns+0x1df/0x340
[ 91.938961][ T9891] create_new_namespaces+0x400/0x7b0
[ 91.944248][ T9891] unshare_nsproxy_namespaces+0xc2/0x200
[ 91.949898][ T9891] ksys_unshare+0x440/0x980
[ 91.954422][ T9891] __x64_sys_unshare+0x31/0x40
[ 91.959191][ T9891] do_syscall_64+0xfd/0x680
[ 91.963697][ T9891] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.969581][ T9891]
[ 91.971906][ T9891] Freed by task 17:
[ 91.975725][ T9891] save_stack+0x23/0x90
[ 91.979902][ T9891] __kasan_slab_free+0x102/0x150
[ 91.984867][ T9891] kasan_slab_free+0xe/0x10
[ 91.989366][ T9891] kfree+0xcf/0x220
[ 91.993176][ T9891] xfrm_hash_free+0xc3/0xe0
[ 91.997677][ T9891] xfrm_hash_resize+0x695/0x1600
[ 92.002899][ T9891] process_one_work+0x989/0x1790
[ 92.007840][ T9891] worker_thread+0x98/0xe40
[ 92.012341][ T9891] kthread+0x354/0x420
[ 92.016493][ T9891] ret_from_fork+0x24/0x30
[ 92.020899][ T9891]
[ 92.023235][ T9891] The buggy address belongs to the object at ffff88808e2c3300
[ 92.023235][ T9891] which belongs to the cache kmalloc-64 of size 64
[ 92.037227][ T9891] The buggy address is located 0 bytes inside of
[ 92.037227][ T9891] 64-byte region [ffff88808e2c3300, ffff88808e2c3340)
[ 92.050235][ T9891] The buggy address belongs to the page:
[ 92.056127][ T9891] page:ffffea000238b0c0 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
[ 92.065317][ T9891] flags: 0x1fffc0000000200(slab)
[ 92.070331][ T9891] raw: 01fffc0000000200 ffffea000294bec8 ffffea00025a90c8 ffff8880aa400340
[ 92.078941][ T9891] raw: 0000000000000000 ffff88808e2c3000 0000000100000020 0000000000000000
[ 92.087519][ T9891] page dumped because: kasan: bad access detected
[ 92.093930][ T9891]
[ 92.096250][ T9891] Memory state around the buggy address:
[ 92.101886][ T9891]  ffff88808e2c3200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 92.109945][ T9891]  ffff88808e2c3280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 92.118009][ T9891] >ffff88808e2c3300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 92.126149][ T9891]                    ^
[ 92.130222][ T9891]  ffff88808e2c3380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 92.138278][ T9891]  ffff88808e2c3400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 92.146330][ T9891] ==================================================================
[ 92.154469][ T9891] Disabling lock debugging due to kernel taint
[ 92.160681][ T9891] Kernel panic - not syncing: panic_on_warn set ...
[ 92.167273][ T9891] CPU: 1 PID: 9891 Comm: kworker/1:3 Tainted: G B 5.2.0-rc6+ #34
[ 92.176279][ T9891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.186343][ T9891] Workqueue: events xfrm_hash_rebuild
[ 92.191705][ T9891] Call Trace:
[ 92.195085][ T9891] dump_stack+0x172/0x1f0
[ 92.199416][ T9891] panic+0x2cb/0x744
[ 92.203328][ T9891] ? __warn_printk+0xf3/0xf3
[ 92.207913][ T9891] ? retint_kernel+0x2b/0x2b
[ 92.212506][ T9891] ? trace_hardirqs_on+0x5e/0x220
[ 92.217536][ T9891] ? xfrm_hash_rebuild+0xfff/0x10f0
[ 92.222750][ T9891] end_report+0x47/0x4f
[ 92.226924][ T9891] ? xfrm_hash_rebuild+0xfff/0x10f0
[ 92.232121][ T9891] __kasan_report.cold+0xe/0x40
[ 92.236966][ T9891] ? xfrm_hash_rebuild+0xfff/0x10f0
[ 92.242259][ T9891] kasan_report+0x12/0x20
[ 92.246590][ T9891] __asan_report_store8_noabort+0x17/0x20
[ 92.252312][ T9891] xfrm_hash_rebuild+0xfff/0x10f0
[ 92.257348][ T9891] process_one_work+0x989/0x1790
[ 92.262287][ T9891] ? pwq_dec_nr_in_flight+0x320/0x320
[ 92.267654][ T9891] ? lock_acquire+0x16f/0x3f0
[ 92.272348][ T9891] worker_thread+0x98/0xe40
[ 92.277024][ T9891] ? trace_hardirqs_on+0x67/0x220
[ 92.282149][ T9891] kthread+0x354/0x420
[ 92.286249][ T9891] ? process_one_work+0x1790/0x1790
[ 92.291471][ T9891] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 92.297710][ T9891] ret_from_fork+0x24/0x30
[ 92.303136][ T9891] Kernel Offset: disabled
[ 92.317558][ T9891] Rebooting in 86400 seconds..