Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[ 56.374980] audit: type=1400 audit(1584770045.264:36): avc: denied { map } for pid=8077 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/21 05:54:05 parsed 1 programs
[ 57.813874] audit: type=1400 audit(1584770046.704:37): avc: denied { map } for pid=8077 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=2844 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/03/21 05:54:06 executed programs: 0
[ 57.992236] IPVS: ftp: loaded support on port[0] = 21
[ 58.055051] chnl_net:caif_netlink_parms(): no params data found
[ 58.108376] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.115023] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.122826] device bridge_slave_0 entered promiscuous mode
[ 58.130249] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.136724] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.143723] device bridge_slave_1 entered promiscuous mode
[ 58.160816] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 58.170061] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 58.187181] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 58.194853] team0: Port device team_slave_0 added
[ 58.200771] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 58.208168] team0: Port device team_slave_1 added
[ 58.222803] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 58.229161] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.254444] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 58.266251] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 58.272509] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.297866] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 58.308613] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 58.316051] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 58.378300] device hsr_slave_0 entered promiscuous mode
[ 58.446788] device hsr_slave_1 entered promiscuous mode
[ 58.496917] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 58.504073] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 58.556704] audit: type=1400 audit(1584770047.454:38): avc: denied { create } for pid=8094 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 58.582282] audit: type=1400 audit(1584770047.454:39): avc: denied { write } for pid=8094 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 58.585237] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.607740] audit: type=1400 audit(1584770047.464:40): avc: denied { read } for pid=8094 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 58.612594] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.643252] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.649726] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.687928] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 58.694021] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.703980] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 58.713352] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.732103] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.739994] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.748122] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 58.759600] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 58.765676] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.775755] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 58.783838] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.790215] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.807625] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 58.815368] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.821888] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.833082] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 58.841066] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 58.857512] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 58.865083] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 58.872960] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 58.882845] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 58.888957] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 58.902593] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 58.910938] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 58.918074] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 58.929306] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 58.944572] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 58.954728] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 58.997765] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 59.005068] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 59.011981] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 59.022780] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 59.030853] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 59.038110] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 59.048213] device veth0_vlan entered promiscuous mode
[ 59.057804] device veth1_vlan entered promiscuous mode
[ 59.073752] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 59.083573] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 59.091778] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 59.100218] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 59.111046] device veth0_macvtap entered promiscuous mode
[ 59.117345] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 59.127414] device veth1_macvtap entered promiscuous mode
[ 59.133666] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 59.142653] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 59.151966] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 59.161890] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 59.169387] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 59.176075] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 59.183795] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 59.191223] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 59.199078] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 59.210013] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 59.217669] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 59.225121] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 59.233683] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 59.347574] audit: type=1400 audit(1584770048.244:41): avc: denied { associate } for pid=8094 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 59.861618] ==================================================================
[ 59.869265] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 59.875859] Read of size 8 at addr ffff8880a8b80460 by task syz-executor.0/8227
[ 59.883295]
[ 59.884920] CPU: 0 PID: 8227 Comm: syz-executor.0 Not tainted 4.19.112-syzkaller #0
[ 59.892741] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.902089] Call Trace:
[ 59.904682]  dump_stack+0x188/0x20d
[ 59.908309]  ? __list_add_valid+0x93/0xa0
[ 59.912628]  print_address_description.cold+0x7c/0x212
[ 59.917905]  ? __list_add_valid+0x93/0xa0
[ 59.922241]  kasan_report.cold+0x88/0x2b9
[ 59.926547]  __list_add_valid+0x93/0xa0
[ 59.930525]  rdma_listen+0x609/0x880
[ 59.934325]  ucma_listen+0x14d/0x1c0
[ 59.938035]  ? ucma_notify+0x190/0x190
[ 59.942015]  ? __might_fault+0x192/0x1d0
[ 59.946075]  ? _copy_from_user+0xd2/0x140
[ 59.950216]  ? ucma_notify+0x190/0x190
[ 59.954230]  ucma_write+0x285/0x350
[ 59.957851]  ? ucma_open+0x280/0x280
[ 59.961567]  ? __fget+0x319/0x510
[ 59.965143]  __vfs_write+0xf7/0x760
[ 59.968792]  ? ucma_open+0x280/0x280
[ 59.972507]  ? kernel_read+0x110/0x110
[ 59.976395]  ? __inode_security_revalidate+0xd3/0x120
[ 59.981581]  ? avc_policy_seqno+0x9/0x70
[ 59.985636]  ? selinux_file_permission+0x87/0x520
[ 59.990477]  ? security_file_permission+0x84/0x220
[ 59.995454]  vfs_write+0x206/0x550
[ 59.998992]  ksys_write+0x12b/0x2a0
[ 60.002655]  ? __ia32_sys_read+0xb0/0xb0
[ 60.006721]  ? __ia32_sys_clock_settime+0x260/0x260
[ 60.011852]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.016611]  ? trace_hardirqs_off_caller+0x55/0x210
[ 60.021898]  ? do_syscall_64+0x21/0x620
[ 60.025989]  do_syscall_64+0xf9/0x620
[ 60.029879]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.035068] RIP: 0033:0x45c849
[ 60.038267] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.057368] RSP: 002b:00007f716ef20c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 60.065073] RAX: ffffffffffffffda RBX: 00007f716ef216d4 RCX: 000000000045c849
[ 60.072388] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 60.079652] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 60.086925] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 60.094205] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[ 60.101555]
[ 60.103183] Allocated by task 8221:
[ 60.106821]  kasan_kmalloc+0xbf/0xe0
[ 60.110548]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 60.115220]  __rdma_create_id+0x5b/0x630
[ 60.119290]  ucma_create_id+0x1cb/0x5a0
[ 60.123458]  ucma_write+0x285/0x350
[ 60.127096]  __vfs_write+0xf7/0x760
[ 60.130730]  vfs_write+0x206/0x550
[ 60.134539]  ksys_write+0x12b/0x2a0
[ 60.138159]  do_syscall_64+0xf9/0x620
[ 60.142162]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.147469]
[ 60.149091] Freed by task 8221:
[ 60.152369]  __kasan_slab_free+0xf7/0x140
[ 60.156514]  kfree+0xce/0x220
[ 60.159627]  ucma_close+0x10b/0x320
[ 60.163477]  __fput+0x2cd/0x890
[ 60.166761]  task_work_run+0x13f/0x1b0
[ 60.170739]  exit_to_usermode_loop+0x25a/0x2b0
[ 60.175316]  do_syscall_64+0x538/0x620
[ 60.179348]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.184525]
[ 60.186243] The buggy address belongs to the object at ffff8880a8b80280
[ 60.186243]  which belongs to the cache kmalloc-2048 of size 2048
[ 60.199085] The buggy address is located 480 bytes inside of
[ 60.199085]  2048-byte region [ffff8880a8b80280, ffff8880a8b80a80)
[ 60.211039] The buggy address belongs to the page:
[ 60.215966] page:ffffea0002a2e000 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 60.225936] flags: 0xfffe0000008100(slab|head)
[ 60.230556] raw: 00fffe0000008100 ffffea00022af808 ffffea0002991788 ffff88812c3dcc40
[ 60.238435] raw: 0000000000000000 ffff8880a8b80280 0000000100000003 0000000000000000
[ 60.246403] page dumped because: kasan: bad access detected
[ 60.252253]
[ 60.254114] Memory state around the buggy address:
[ 60.259040]  ffff8880a8b80300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.266412]  ffff8880a8b80380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.273930] >ffff8880a8b80400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.281280]                                                        ^
[ 60.287775]  ffff8880a8b80480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.295163]  ffff8880a8b80500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.302642] ==================================================================
[ 60.310101] Disabling lock debugging due to kernel taint
[ 60.324356] Kernel panic - not syncing: panic_on_warn set ...
[ 60.324356]
[ 60.331741] CPU: 0 PID: 8227 Comm: syz-executor.0 Tainted: G B 4.19.112-syzkaller #0
[ 60.340915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.350259] Call Trace:
[ 60.352845]  dump_stack+0x188/0x20d
[ 60.356468]  panic+0x26a/0x50e
[ 60.359657]  ? __warn_printk+0xf3/0xf3
[ 60.363541]  ? preempt_schedule_common+0x4a/0xc0
[ 60.368313]  ? __list_add_valid+0x93/0xa0
[ 60.372619]  ? ___preempt_schedule+0x16/0x18
[ 60.377027]  ? trace_hardirqs_on+0x55/0x210
[ 60.381474]  ? __list_add_valid+0x93/0xa0
[ 60.385622]  kasan_end_report+0x43/0x49
[ 60.389600]  kasan_report.cold+0xa4/0x2b9
[ 60.393746]  __list_add_valid+0x93/0xa0
[ 60.397715]  rdma_listen+0x609/0x880
[ 60.401503]  ucma_listen+0x14d/0x1c0
[ 60.405240]  ? ucma_notify+0x190/0x190
[ 60.409125]  ? __might_fault+0x192/0x1d0
[ 60.413267]  ? _copy_from_user+0xd2/0x140
[ 60.417409]  ? ucma_notify+0x190/0x190
[ 60.421286]  ucma_write+0x285/0x350
[ 60.424906]  ? ucma_open+0x280/0x280
[ 60.428613]  ? __fget+0x319/0x510
[ 60.432106]  __vfs_write+0xf7/0x760
[ 60.435727]  ? ucma_open+0x280/0x280
[ 60.439438]  ? kernel_read+0x110/0x110
[ 60.443325]  ? __inode_security_revalidate+0xd3/0x120
[ 60.448507]  ? avc_policy_seqno+0x9/0x70
[ 60.452562]  ? selinux_file_permission+0x87/0x520
[ 60.457400]  ? security_file_permission+0x84/0x220
[ 60.462323]  vfs_write+0x206/0x550
[ 60.465859]  ksys_write+0x12b/0x2a0
[ 60.469476]  ? __ia32_sys_read+0xb0/0xb0
[ 60.473527]  ? __ia32_sys_clock_settime+0x260/0x260
[ 60.478533]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.483278]  ? trace_hardirqs_off_caller+0x55/0x210
[ 60.488290]  ? do_syscall_64+0x21/0x620
[ 60.492258]  do_syscall_64+0xf9/0x620
[ 60.496050]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.501231] RIP: 0033:0x45c849
[ 60.504411] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.523304] RSP: 002b:00007f716ef20c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 60.531069] RAX: ffffffffffffffda RBX: 00007f716ef216d4 RCX: 000000000045c849
[ 60.538335] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 60.545596] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 60.552858] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 60.560272] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[ 60.568917] Kernel Offset: disabled
[ 60.572670] Rebooting in 86400 seconds..
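Added example, not part of the syzkaller report or of the kernel: a parser for the KASAN report layout shown in the log above (BUG line, access line, "Call Trace:", "Allocated by"/"Freed by" stacks, object/cache/offset lines), run over an excerpt of those lines. It pulls out the three facts a triager wants from this report: the access site after KASAN and list-debug plumbing is skipped, the allocation and free sites, and whether the freeing task differs from the using task. The plumbing skip list and the blame heuristic are this example's own assumptions, not syzkaller's rules.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt copied from the KASAN report above, trimmed to the lines the parser uses.
SAMPLE = """\
[ 59.869265] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 59.875859] Read of size 8 at addr ffff8880a8b80460 by task syz-executor.0/8227
[ 59.883295]
[ 59.902089] Call Trace:
[ 59.904682]  dump_stack+0x188/0x20d
[ 59.908309]  ? __list_add_valid+0x93/0xa0
[ 59.922241]  kasan_report.cold+0x88/0x2b9
[ 59.926547]  __list_add_valid+0x93/0xa0
[ 59.930525]  rdma_listen+0x609/0x880
[ 59.934325]  ucma_listen+0x14d/0x1c0
[ 59.954230]  ucma_write+0x285/0x350
[ 60.035068] RIP: 0033:0x45c849
[ 60.101555]
[ 60.103183] Allocated by task 8221:
[ 60.106821]  kasan_kmalloc+0xbf/0xe0
[ 60.110548]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 60.115220]  __rdma_create_id+0x5b/0x630
[ 60.147469]
[ 60.149091] Freed by task 8221:
[ 60.152369]  __kasan_slab_free+0xf7/0x140
[ 60.156514]  kfree+0xce/0x220
[ 60.159627]  ucma_close+0x10b/0x320
[ 60.184525]
[ 60.186243] The buggy address belongs to the object at ffff8880a8b80280
[ 60.186243]  which belongs to the cache kmalloc-2048 of size 2048
[ 60.199085] The buggy address is located 480 bytes inside of
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]")                       # dmesg timestamp prefix
BUG = re.compile(r"^BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
STACK = re.compile(r"^(Allocated|Freed) by task (\d+):$")
OBJ = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)$")
CACHE = re.compile(r"^which belongs to the cache (\S+) of size (\d+)$")
OFFSET = re.compile(r"^The buggy address is located (\d+) bytes inside of$")

# Assumption of this example: frames belonging to KASAN/allocator plumbing or to
# CONFIG_DEBUG_LIST helpers are skipped when naming the code that owns the object.
PLUMBING = {"dump_stack", "print_address_description", "kasan_report", "kasan_end_report",
            "kasan_kmalloc", "kmem_cache_alloc_trace", "__kmalloc", "__kasan_slab_free",
            "kfree", "kmem_cache_free", "__list_add_valid", "__list_del_entry_valid"}


@dataclass
class KasanReport:
    bug_type: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""
    obj_addr: Optional[int] = None
    offset: Optional[int] = None
    stacks: dict = field(default_factory=lambda: {"trace": [], "alloc": [], "free": []})
    stack_pids: dict = field(default_factory=dict)      # "alloc" / "free" -> pid

    def blame(self, which: str) -> Optional[str]:
        """First reliable frame of a stack that is not plumbing (heuristic)."""
        return next((f for f in self.stacks[which] if f.split(".")[0] not in PLUMBING), None)

    def consistent(self) -> bool:
        """Cross-check: the reported offset must equal addr - object base."""
        return None not in (self.obj_addr, self.offset) and self.addr - self.obj_addr == self.offset

    def cross_task(self) -> bool:
        """Freed by a different task than the one that touched it: concurrent use."""
        return "free" in self.stack_pids and self.stack_pids["free"] != self.pid


def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()                  # drop the timestamp, keep the message
        if not line or line.startswith("RIP:"):        # blank line or register dump ends a stack
            section = None
        elif m := BUG.match(line):
            rep.bug_type = m[1]
        elif m := ACCESS.match(line):
            rep.access, rep.size, rep.addr = m[1], int(m[2]), int(m[3], 16)
            rep.task, rep.pid = m[4], int(m[5])
        elif line == "Call Trace:":
            section = "trace"
        elif m := STACK.match(line):
            section = "alloc" if m[1] == "Allocated" else "free"
            rep.stack_pids[section] = int(m[2])
        elif m := OBJ.match(line):
            rep.obj_addr = int(m[1], 16)
        elif m := CACHE.match(line):
            rep.cache = m[1]
        elif m := OFFSET.match(line):
            rep.offset = int(m[1])
        elif section and (m := FRAME.match(line)) and not m[1]:   # "? " frames are guesses; drop them
            rep.stacks[section].append(m[2])
    return rep


def summary(rep: KasanReport) -> str:
    return (f"{rep.bug_type}: {rep.access} of {rep.size} bytes at +{rep.offset} into a "
            f"{rep.cache} object; used in {rep.blame('trace')} by pid {rep.pid}, "
            f"allocated in {rep.blame('alloc')} by pid {rep.stack_pids.get('alloc')}, "
            f"freed in {rep.blame('free')} by pid {rep.stack_pids.get('free')}")


if __name__ == "__main__":
    print(summary(parse_kasan_report(SAMPLE)))
```

On the excerpt this yields a use-after-free read of 8 bytes at offset 480 into a kmalloc-2048 object, used in rdma_listen by pid 8227, allocated in __rdma_create_id and freed in ucma_close by pid 8221; cross_task() is true, which is the cue that the object outlived one task's close() while another task's write() still held a reference to it.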