Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts.
[ 48.502507] kauditd_printk_skb: 2 callbacks suppressed
[ 48.502522] audit: type=1400 audit(1575068152.013:36): avc: denied { map } for pid=7685 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/11/29 22:55:52 parsed 1 programs
[ 50.300632] audit: type=1400 audit(1575068153.813:37): avc: denied { map } for pid=7685 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=113 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/11/29 22:55:53 executed programs: 0
[ 50.485013] IPVS: ftp: loaded support on port[0] = 21
[ 50.547462] chnl_net:caif_netlink_parms(): no params data found
[ 50.580949] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.588176] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.595959] device bridge_slave_0 entered promiscuous mode
[ 50.604751] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.616326] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.625128] device bridge_slave_1 entered promiscuous mode
[ 50.641866] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 50.652330] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 50.670293] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 50.679787] team0: Port device team_slave_0 added
[ 50.685561] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 50.693164] team0: Port device team_slave_1 added
[ 50.698920] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.707199] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.775939] device hsr_slave_0 entered promiscuous mode
[ 50.834170] device hsr_slave_1 entered promiscuous mode
[ 50.874584] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 50.883073] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 50.898484] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.905927] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.914890] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.922109] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.957223] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 50.964158] 8021q: adding VLAN 0 to HW filter on device bond0
[ 50.972674] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 50.981864] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.001967] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.010457] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.019445] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 51.030615] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 51.037767] 8021q: adding VLAN 0 to HW filter on device team0
[ 51.048092] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 51.059187] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.066046] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.084670] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 51.092922] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.099568] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.107845] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 51.116574] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 51.127069] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 51.142379] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 51.153686] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 51.165674] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 51.172882] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 51.180925] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 51.189293] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 51.205003] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 51.213207] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 51.220533] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 51.232295] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 51.243652] audit: type=1400 audit(1575068154.753:38): avc: denied { associate } for pid=7703 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 51.309107] audit: type=1400 audit(1575068154.823:39): avc: denied { create } for pid=7710 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 51.334304] audit: type=1400 audit(1575068154.823:40): avc: denied { write } for pid=7710 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 51.359276] audit: type=1400 audit(1575068154.833:41): avc: denied { read } for pid=7710 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 53.540643]
[ 53.542314] =====================================
[ 53.547146] WARNING: bad unlock balance detected!
[ 53.552767] 4.19.86-syzkaller #0 Not tainted
[ 53.557183] -------------------------------------
[ 53.562101] syz-executor.0/8276 is trying to release lock (&file->mut) at:
[ 53.569119] [] ucma_destroy_id+0x24c/0x4a0
[ 53.574890] but there are no more locks to release!
[ 53.579879]
[ 53.579879] other info that might help us debug this:
[ 53.586526] 1 lock held by syz-executor.0/8276:
[ 53.591172] #0: 00000000299867f7 (&file->mut){+.+.}, at: ucma_destroy_id+0x1e9/0x4a0
[ 53.599278]
[ 53.599278] stack backtrace:
[ 53.603773] CPU: 0 PID: 8276 Comm: syz-executor.0 Not tainted 4.19.86-syzkaller #0
[ 53.611476] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.620821] Call Trace:
[ 53.623569] dump_stack+0x197/0x210
[ 53.627200] ? ucma_destroy_id+0x24c/0x4a0
[ 53.631508] print_unlock_imbalance_bug.cold+0x114/0x123
[ 53.636952] ? ucma_destroy_id+0x24c/0x4a0
[ 53.641177] lock_release+0x6cd/0xa30
[ 53.644962] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.650481] ? lock_downgrade+0x880/0x880
[ 53.654624] ? mutex_trylock+0x1e0/0x1e0
[ 53.658722] __mutex_unlock_slowpath+0x8e/0x6b0
[ 53.663381] ? wait_for_completion+0x440/0x440
[ 53.667947] mutex_unlock+0xd/0x10
[ 53.671515] ucma_destroy_id+0x24c/0x4a0
[ 53.675570] ? ucma_close+0x320/0x320
[ 53.679352] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.684882] ? _copy_from_user+0xdd/0x150
[ 53.689271] ucma_write+0x2d7/0x3c0
[ 53.692878] ? ucma_close+0x320/0x320
[ 53.696744] ? ucma_open+0x290/0x290
[ 53.700537] __vfs_write+0x114/0x810
[ 53.704233] ? ucma_open+0x290/0x290
[ 53.707934] ? kernel_read+0x120/0x120
[ 53.711811] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 53.717337] ? __inode_security_revalidate+0xda/0x120
[ 53.722517] ? avc_policy_seqno+0xd/0x70
[ 53.726558] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 53.731552] ? selinux_file_permission+0x92/0x550
[ 53.736384] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.741912] ? security_file_permission+0x89/0x230
[ 53.746821] ? rw_verify_area+0x118/0x360
[ 53.750947] vfs_write+0x20c/0x560
[ 53.754467] ksys_write+0x14f/0x2d0
[ 53.758077] ? __ia32_sys_read+0xb0/0xb0
[ 53.762120] ? do_syscall_64+0x26/0x620
[ 53.766091] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.771438] ? do_syscall_64+0x26/0x620
[ 53.775393] __x64_sys_write+0x73/0xb0
[ 53.779261] do_syscall_64+0xfd/0x620
[ 53.783044] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.788239] RIP: 0033:0x45a679
[ 53.791440] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.810997] RSP: 002b:00007f5b9a6bdc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 53.818707] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 53.826088] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 53.833351] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 53.840602] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5b9a6be6d4
[ 53.847852] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 53.856541] ==================================================================
[ 53.864026] BUG: KASAN: use-after-free in ucma_destroy_id+0x44c/0x4a0
[ 53.870604] Read of size 8 at addr ffff8880a9aace68 by task syz-executor.0/8276
[ 53.878031]
[ 53.879646] CPU: 0 PID: 8276 Comm: syz-executor.0 Not tainted 4.19.86-syzkaller #0
[ 53.887606] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.897305] Call Trace:
[ 53.899894] dump_stack+0x197/0x210
[ 53.903522] ? ucma_destroy_id+0x44c/0x4a0
[ 53.907777] print_address_description.cold+0x7c/0x20d
[ 53.913040] ? ucma_destroy_id+0x44c/0x4a0
[ 53.917259] kasan_report.cold+0x8c/0x2ba
[ 53.921569] __asan_report_load8_noabort+0x14/0x20
[ 53.926483] ucma_destroy_id+0x44c/0x4a0
[ 53.930537] ? ucma_close+0x320/0x320
[ 53.934331] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.939874] ? _copy_from_user+0xdd/0x150
[ 53.944006] ucma_write+0x2d7/0x3c0
[ 53.947618] ? ucma_close+0x320/0x320
[ 53.951408] ? ucma_open+0x290/0x290
[ 53.955120] __vfs_write+0x114/0x810
[ 53.958826] ? ucma_open+0x290/0x290
[ 53.962534] ? kernel_read+0x120/0x120
[ 53.966584] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 53.972104] ? __inode_security_revalidate+0xda/0x120
[ 53.977303] ? avc_policy_seqno+0xd/0x70
[ 53.981344] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 53.986352] ? selinux_file_permission+0x92/0x550
[ 53.991190] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.996710] ? security_file_permission+0x89/0x230
[ 54.001627] ? rw_verify_area+0x118/0x360
[ 54.005761] vfs_write+0x20c/0x560
[ 54.009317] ksys_write+0x14f/0x2d0
[ 54.012928] ? __ia32_sys_read+0xb0/0xb0
[ 54.016974] ? do_syscall_64+0x26/0x620
[ 54.020955] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.026317] ? do_syscall_64+0x26/0x620
[ 54.030291] __x64_sys_write+0x73/0xb0
[ 54.034166] do_syscall_64+0xfd/0x620
[ 54.038079] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.043359] RIP: 0033:0x45a679
[ 54.046542] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.065621] RSP: 002b:00007f5b9a6bdc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 54.073333] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 54.080951] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 54.088237] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 54.095549] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5b9a6be6d4
[ 54.102876] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 54.110670]
[ 54.112304] Allocated by task 8276:
[ 54.115925] save_stack+0x45/0xd0
[ 54.119777] kasan_kmalloc+0xce/0xf0
[ 54.123890] kmem_cache_alloc_trace+0x152/0x760
[ 54.128554] ucma_alloc_ctx+0x4e/0x4e0
[ 54.132515] ucma_create_id+0x12d/0x640
[ 54.136547] ucma_write+0x2d7/0x3c0
[ 54.140183] __vfs_write+0x114/0x810
[ 54.144059] vfs_write+0x20c/0x560
[ 54.147688] ksys_write+0x14f/0x2d0
[ 54.151404] __x64_sys_write+0x73/0xb0
[ 54.155290] do_syscall_64+0xfd/0x620
[ 54.159129] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.164324]
[ 54.165937] Freed by task 8271:
[ 54.169212] save_stack+0x45/0xd0
[ 54.172649] __kasan_slab_free+0x102/0x150
[ 54.176887] kasan_slab_free+0xe/0x10
[ 54.180697] kfree+0xcf/0x220
[ 54.184328] ucma_free_ctx+0x801/0xb90
[ 54.188213] ucma_close+0x122/0x320
[ 54.191848] __fput+0x2dd/0x8b0
[ 54.195133] ____fput+0x16/0x20
[ 54.198416] task_work_run+0x145/0x1c0
[ 54.202303] exit_to_usermode_loop+0x273/0x2c0
[ 54.206893] do_syscall_64+0x53d/0x620
[ 54.210773] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.216758]
[ 54.218392] The buggy address belongs to the object at ffff8880a9aace00
[ 54.218392] which belongs to the cache kmalloc-256 of size 256
[ 54.231531] The buggy address is located 104 bytes inside of
[ 54.231531] 256-byte region [ffff8880a9aace00, ffff8880a9aacf00)
[ 54.245026] The buggy address belongs to the page:
[ 54.249952] page:ffffea0002a6ab00 count:1 mapcount:0 mapping:ffff88812c3f67c0 index:0x0
[ 54.258190] flags: 0xfffe0000000100(slab)
[ 54.263117] raw: 00fffe0000000100 ffffea000242ef88 ffffea000243fc88 ffff88812c3f67c0
[ 54.271196] raw: 0000000000000000 ffff8880a9aac040 000000010000000c 0000000000000000
[ 54.279131] page dumped because: kasan: bad access detected
[ 54.284842]
[ 54.286635] Memory state around the buggy address:
[ 54.291817] ffff8880a9aacd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.299342] ffff8880a9aacd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 54.308115] >ffff8880a9aace00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.315839] ^
[ 54.324163] ffff8880a9aace80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.332917] ffff8880a9aacf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.340681] ==================================================================
[ 54.348960] Kernel panic - not syncing: panic_on_warn set ...
[ 54.348960]
[ 54.356511] CPU: 0 PID: 8276 Comm: syz-executor.0 Tainted: G B 4.19.86-syzkaller #0
[ 54.365720] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.375312] Call Trace:
[ 54.378373] dump_stack+0x197/0x210
[ 54.382126] ? ucma_destroy_id+0x44c/0x4a0
[ 54.386526] panic+0x26a/0x50e
[ 54.390092] ? __warn_printk+0xf3/0xf3
[ 54.393969] ? ucma_destroy_id+0x44c/0x4a0
[ 54.398330] ? preempt_schedule+0x4b/0x60
[ 54.402643] ? ___preempt_schedule+0x16/0x18
[ 54.407331] ? trace_hardirqs_on+0x5e/0x220
[ 54.411749] ? ucma_destroy_id+0x44c/0x4a0
[ 54.416006] kasan_end_report+0x47/0x4f
[ 54.420104] kasan_report.cold+0xa9/0x2ba
[ 54.424354] __asan_report_load8_noabort+0x14/0x20
[ 54.429567] ucma_destroy_id+0x44c/0x4a0
[ 54.433715] ? ucma_close+0x320/0x320
[ 54.437509] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.443052] ? _copy_from_user+0xdd/0x150
[ 54.447206] ucma_write+0x2d7/0x3c0
[ 54.450837] ? ucma_close+0x320/0x320
[ 54.454624] ? ucma_open+0x290/0x290
[ 54.458345] __vfs_write+0x114/0x810
[ 54.462188] ? ucma_open+0x290/0x290
[ 54.465915] ? kernel_read+0x120/0x120
[ 54.470078] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 54.475607] ? __inode_security_revalidate+0xda/0x120
[ 54.480809] ? avc_policy_seqno+0xd/0x70
[ 54.484896] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 54.489923] ? selinux_file_permission+0x92/0x550
[ 54.494810] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.500336] ? security_file_permission+0x89/0x230
[ 54.505298] ? rw_verify_area+0x118/0x360
[ 54.509436] vfs_write+0x20c/0x560
[ 54.512993] ksys_write+0x14f/0x2d0
[ 54.516803] ? __ia32_sys_read+0xb0/0xb0
[ 54.520861] ? do_syscall_64+0x26/0x620
[ 54.524839] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.530199] ? do_syscall_64+0x26/0x620
[ 54.534430] __x64_sys_write+0x73/0xb0
[ 54.538320] do_syscall_64+0xfd/0x620
[ 54.542113] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.547302] RIP: 0033:0x45a679
[ 54.550502] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.569404] RSP: 002b:00007f5b9a6bdc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 54.577108] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 54.584822] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 54.592781] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 54.600053] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5b9a6be6d4
[ 54.607330] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 54.615917] Kernel Offset: disabled
[ 54.620523] Rebooting in 86400 seconds..