Warning: Permanently added '10.128.0.156' (ECDSA) to the list of known hosts.
2020/09/02 08:40:15 parsed 1 programs
2020/09/02 08:40:15 executed programs: 0
syzkaller login: [ 38.777588] audit: type=1400 audit(1599036015.365:8): avc: denied { execmem } for pid=6455 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.899730] IPVS: ftp: loaded support on port[0] = 21
[ 40.004587] chnl_net:caif_netlink_parms(): no params data found
[ 40.078245] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.084890] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.092948] device bridge_slave_0 entered promiscuous mode
[ 40.100530] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.106889] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.115445] device bridge_slave_1 entered promiscuous mode
[ 40.133318] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 40.141997] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 40.159621] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 40.167019] team0: Port device team_slave_0 added
[ 40.173641] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 40.181181] team0: Port device team_slave_1 added
[ 40.195733] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 40.202181] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 40.228059] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 40.239817] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 40.246053] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 40.271262] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 40.281851] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.289186] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.309628] device hsr_slave_0 entered promiscuous mode
[ 40.315296] device hsr_slave_1 entered promiscuous mode
[ 40.321614] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.328588] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.394651] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.401101] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.407792] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.414204] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.445672] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 40.452652] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.461883] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.470662] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.478825] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.487164] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.494377] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 40.505180] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.511463] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.520907] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.528429] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.534825] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.549869] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.557505] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.563898] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.571497] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.580136] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.590401] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.603082] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 40.614798] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 40.625621] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.632330] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.640013] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.647441] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.661498] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 40.668835] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.676729] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.686729] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.699789] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 40.709399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.743710] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 40.750929] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 40.757367] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 40.766769] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.774693] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.782273] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 40.791509] device veth0_vlan entered promiscuous mode
[ 40.800831] device veth1_vlan entered promiscuous mode
[ 40.806668] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 40.815817] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 40.826935] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 40.836230] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.843811] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.852052] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.861902] device veth0_macvtap entered promiscuous mode
[ 40.868007] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 40.875981] device veth1_macvtap entered promiscuous mode
[ 40.885012] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 40.894321] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 40.904343] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.911732] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 40.921154] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 40.931782] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.939851] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 41.044472] audit: type=1400 audit(1599036017.636:9): avc: denied { block_suspend } for pid=6691 comm="syz-executor.0" capability=36 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ 41.929910] Bluetooth: hci0: command 0x0409 tx timeout
2020/09/02 08:40:20 executed programs: 82
[ 44.008736] Bluetooth: hci0: command 0x041b tx timeout
[ 44.653974] ==================================================================
[ 44.661526] BUG: KASAN: use-after-free in __fput+0x76a/0x890
[ 44.667434] Read of size 2 at addr ffff8880807dd670 by task syz-executor.0/7212
[ 44.675094]
[ 44.676723] CPU: 1 PID: 7212 Comm: syz-executor.0 Not tainted 4.19.142-syzkaller #0
[ 44.684535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.693908] Call Trace:
[ 44.696499]  dump_stack+0x1fc/0x2fe
[ 44.700139]  print_address_description.cold+0x54/0x219
[ 44.705514]  kasan_report_error.cold+0x8a/0x1c7
[ 44.710165]  ? __fput+0x76a/0x890
[ 44.713626]  __asan_report_load2_noabort+0x88/0x90
[ 44.718539]  ? __fput+0x76a/0x890
[ 44.721989]  __fput+0x76a/0x890
[ 44.725277]  task_work_run+0x148/0x1c0
[ 44.729157]  exit_to_usermode_loop+0x251/0x2a0
[ 44.733727]  do_syscall_64+0x538/0x620
[ 44.737620]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.742805] RIP: 0033:0x45d5b9
[ 44.745997] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 44.764980] RSP: 002b:00007fd34b8bfc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 44.772874] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 44.780127] RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000006
[ 44.787412] RBP: 000000000118d028 R08: 0000000000000000 R09: 0000000000000000
[ 44.794688] R10: 0000000020000000 R11: 0000000000000246 R12: 000000000118cfec
[ 44.801940] R13: 00007ffea2347baf R14: 00007fd34b8c09c0 R15: 000000000118cfec
[ 44.809197]
[ 44.810807] Allocated by task 7212:
[ 44.814418]  kmem_cache_alloc+0x122/0x370
[ 44.818553]  sock_alloc_inode+0x19/0x250
[ 44.822602]  alloc_inode+0x5d/0x180
[ 44.826219]  new_inode_pseudo+0x14/0xe0
[ 44.830179]  sock_alloc+0x3c/0x260
[ 44.833701]  __sock_create+0xba/0x740
[ 44.837482]  __sys_socket+0xef/0x200
[ 44.841191]  __x64_sys_socket+0x6f/0xb0
[ 44.845167]  do_syscall_64+0xf9/0x620
[ 44.848949]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.854125]
[ 44.855752] Freed by task 7210:
[ 44.859023]  kmem_cache_free+0x7f/0x260
[ 44.863003]  destroy_inode+0xb9/0x110
[ 44.866819]  iput+0x4f1/0x860
[ 44.869920]  dentry_unlink_inode+0x265/0x320
[ 44.874323]  __dentry_kill+0x3c0/0x640
[ 44.878205]  dentry_kill+0xc4/0x510
[ 44.881810]  dput+0x55f/0x640
[ 44.884895]  __fput+0x415/0x890
[ 44.888175]  task_work_run+0x148/0x1c0
[ 44.892045]  exit_to_usermode_loop+0x251/0x2a0
[ 44.896608]  do_syscall_64+0x538/0x620
[ 44.900495]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.905658]
[ 44.907274] The buggy address belongs to the object at ffff8880807dd640
[ 44.907274]  which belongs to the cache sock_inode_cache of size 992
[ 44.920350] The buggy address is located 48 bytes inside of
[ 44.920350]  992-byte region [ffff8880807dd640, ffff8880807dda20)
[ 44.932119] The buggy address belongs to the page:
[ 44.937061] page:ffffea000201f740 count:1 mapcount:0 mapping:ffff88821b6c6180 index:0xffff8880807ddffd
[ 44.946500] flags: 0xfffe0000000100(slab)
[ 44.950650] raw: 00fffe0000000100 ffffea000201fd48 ffffea000201fe88 ffff88821b6c6180
[ 44.958510] raw: ffff8880807ddffd ffff8880807dd1c0 0000000100000003 0000000000000000
[ 44.966389] page dumped because: kasan: bad access detected
[ 44.972080]
[ 44.973691] Memory state around the buggy address:
[ 44.978599]  ffff8880807dd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.985950]  ffff8880807dd580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.993311] >ffff8880807dd600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 45.000661]                                                              ^
[ 45.007657]  ffff8880807dd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.015018]  ffff8880807dd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.022357] ==================================================================
[ 45.029744] Disabling lock debugging due to kernel taint
[ 45.040774] Kernel panic - not syncing: panic_on_warn set ...
[ 45.040774]
[ 45.048153] CPU: 1 PID: 7212 Comm: syz-executor.0 Tainted: G B 4.19.142-syzkaller #0
[ 45.057328] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.066673] Call Trace:
[ 45.069262]  dump_stack+0x1fc/0x2fe
[ 45.072910]  panic+0x26a/0x50e
[ 45.076189]  ? __warn_printk+0xf3/0xf3
[ 45.080112]  ? preempt_schedule_common+0x45/0xc0
[ 45.084873]  ? ___preempt_schedule+0x16/0x18
[ 45.089274]  ? trace_hardirqs_on+0x55/0x210
[ 45.093580]  kasan_end_report+0x43/0x49
[ 45.097564]  kasan_report_error.cold+0xa7/0x1c7
[ 45.102222]  ? __fput+0x76a/0x890
[ 45.105652]  __asan_report_load2_noabort+0x88/0x90
[ 45.110583]  ? __fput+0x76a/0x890
[ 45.114014]  __fput+0x76a/0x890
[ 45.117273]  task_work_run+0x148/0x1c0
[ 45.121157]  exit_to_usermode_loop+0x251/0x2a0
[ 45.125718]  do_syscall_64+0x538/0x620
[ 45.129586]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.134780] RIP: 0033:0x45d5b9
[ 45.137955] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 45.156838] RSP: 002b:00007fd34b8bfc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 45.164538] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 45.171787] RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000006
[ 45.179057] RBP: 000000000118d028 R08: 0000000000000000 R09: 0000000000000000
[ 45.186305] R10: 0000000020000000 R11: 0000000000000246 R12: 000000000118cfec
[ 45.193550] R13: 00007ffea2347baf R14: 00007fd34b8c09c0 R15: 000000000118cfec
[ 45.202000] Kernel Offset: disabled
[ 45.205625] Rebooting in 86400 seconds..