Warning: Permanently added '10.128.15.197' (ECDSA) to the list of known hosts.
syzkaller login: [ 975.969947] kauditd_printk_skb: 3 callbacks suppressed
[ 975.969959] audit: type=1400 audit(1560618348.214:36): avc: denied { map } for pid=7649 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/15 17:05:49 parsed 1 programs
[ 976.872223] audit: type=1400 audit(1560618349.114:37): avc: denied { map } for pid=7649 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14209 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/15 17:05:50 executed programs: 0
[ 978.432570] IPVS: ftp: loaded support on port[0] = 21
[ 978.492319] chnl_net:caif_netlink_parms(): no params data found
[ 978.524430] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.531349] bridge0: port 1(bridge_slave_0) entered disabled state
[ 978.538932] device bridge_slave_0 entered promiscuous mode
[ 978.546944] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.553552] bridge0: port 2(bridge_slave_1) entered disabled state
[ 978.560998] device bridge_slave_1 entered promiscuous mode
[ 978.576553] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 978.585602] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 978.601795] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 978.609624] team0: Port device team_slave_0 added
[ 978.615484] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 978.622847] team0: Port device team_slave_1 added
[ 978.628388] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 978.635732] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 978.688757] device hsr_slave_0 entered promiscuous mode
[ 978.756886] device hsr_slave_1 entered promiscuous mode
[ 978.838865] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 978.857584] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 978.872040] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.878995] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 978.886203] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.892636] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 978.924055] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 978.930253] 8021q: adding VLAN 0 to HW filter on device bond0
[ 978.938401] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 978.947945] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 978.959310] bridge0: port 1(bridge_slave_0) entered disabled state
[ 978.967064] bridge0: port 2(bridge_slave_1) entered disabled state
[ 978.974254] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 978.986560] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 978.993014] 8021q: adding VLAN 0 to HW filter on device team0
[ 979.002759] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 979.010710] bridge0: port 1(bridge_slave_0) entered blocking state
[ 979.017333] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 979.027308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 979.034962] bridge0: port 2(bridge_slave_1) entered blocking state
[ 979.041372] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 979.057656] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 979.065276] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 979.073361] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 979.085289] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 979.095711] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 979.107563] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 979.114513] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 979.122626] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 979.131498] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 979.144423] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 979.155195] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 979.165161] audit: type=1400 audit(1560618351.404:38): avc: denied { associate } for pid=7666 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/06/15 17:05:55 executed programs: 40
2019/06/15 17:06:00 executed programs: 86
2019/06/15 17:06:05 executed programs: 134
2019/06/15 17:06:10 executed programs: 182
[ 1002.431715] ==================================================================
[ 1002.439488] BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280
[ 1002.446798] Read of size 8 at addr ffff8880a4b27c00 by task syz-executor.0/8554
[ 1002.454237]
[ 1002.455942] CPU: 1 PID: 8554 Comm: syz-executor.0 Not tainted 4.19.51 #23
[ 1002.462867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1002.472332] Call Trace:
[ 1002.475130]  dump_stack+0x172/0x1f0
[ 1002.479046]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1002.483969]  print_address_description.cold+0x7c/0x20d
[ 1002.489426]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1002.494399]  kasan_report.cold+0x8c/0x2ba
[ 1002.498672]  __asan_report_load8_noabort+0x14/0x20
[ 1002.503734]  pneigh_get_next.isra.0+0x24b/0x280
[ 1002.508401]  neigh_seq_next+0xdb/0x210
[ 1002.512365]  seq_read+0x9cf/0x1110
[ 1002.516036]  ? seq_dentry+0x2d0/0x2d0
[ 1002.519997]  proc_reg_read+0x1f8/0x2b0
[ 1002.523961]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[ 1002.528968]  ? security_file_permission+0x89/0x230
[ 1002.533941]  ? rw_verify_area+0x118/0x360
[ 1002.538087]  do_iter_read+0x490/0x640
[ 1002.541930]  ? dup_iter+0x280/0x280
[ 1002.545549]  vfs_readv+0xf0/0x160
[ 1002.548993]  ? compat_rw_copy_check_uvector+0x3f0/0x3f0
[ 1002.554397]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1002.559936]  ? push_pipe+0x417/0x7a0
[ 1002.563720]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1002.569278]  ? iov_iter_get_pages_alloc+0x363/0x11a0
[ 1002.574390]  ? iov_iter_revert+0xa50/0xa50
[ 1002.578677]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1002.583255]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 1002.588278]  ? iov_iter_pipe+0xbe/0x2f0
[ 1002.592265]  default_file_splice_read+0x478/0x890
[ 1002.597427]  ? free_unref_page+0x474/0x600
[ 1002.601862]  ? __put_page+0x8d/0xd0
[ 1002.605489]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1002.610322]  ? __lock_is_held+0xb6/0x140
[ 1002.614387]  ? security_file_permission+0x89/0x230
[ 1002.619299]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1002.624123]  do_splice_to+0x127/0x180
[ 1002.627913]  splice_direct_to_actor+0x256/0x890
[ 1002.632740]  ? generic_pipe_buf_nosteal+0x10/0x10
[ 1002.637588]  ? do_splice_to+0x180/0x180
[ 1002.641704]  ? security_file_permission+0x89/0x230
[ 1002.646748]  ? rw_verify_area+0x118/0x360
[ 1002.650973]  do_splice_direct+0x1da/0x2a0
[ 1002.655394]  ? splice_direct_to_actor+0x890/0x890
[ 1002.660326]  ? rcu_read_lock_sched_held+0x110/0x130
[ 1002.665450]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 1002.670225]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1002.675952]  ? __sb_start_write+0x1ac/0x360
[ 1002.680267]  do_sendfile+0x597/0xce0
[ 1002.684145]  ? do_compat_pwritev64+0x1c0/0x1c0
[ 1002.688832]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1002.694423]  ? put_timespec64+0xda/0x140
[ 1002.698480]  __x64_sys_sendfile64+0x1dd/0x220
[ 1002.702976]  ? __ia32_sys_sendfile+0x230/0x230
[ 1002.707679]  ? do_syscall_64+0x26/0x620
[ 1002.711650]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1002.716350]  ? trace_hardirqs_on+0x67/0x220
[ 1002.720857]  do_syscall_64+0xfd/0x620
[ 1002.724716]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1002.729896] RIP: 0033:0x4592c9
[ 1002.733077] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1002.751984] RSP: 002b:00007f3a8ac31c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 1002.759703] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
[ 1002.766969] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
[ 1002.774333] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1002.781683] R10: 0000000080000000 R11: 0000000000000246 R12: 00007f3a8ac326d4
[ 1002.789238] R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
[ 1002.796507]
[ 1002.798116] Allocated by task 8555:
[ 1002.801744]  save_stack+0x45/0xd0
[ 1002.805301]  kasan_kmalloc+0xce/0xf0
[ 1002.809128]  __kmalloc+0x15d/0x750
[ 1002.812662]  pneigh_lookup+0x19c/0x460
[ 1002.816629]  arp_req_set+0x613/0x720
[ 1002.821958]  arp_ioctl+0x652/0x7f0
[ 1002.834044]  inet_ioctl+0x2a0/0x370
[ 1002.837882]  sock_do_ioctl+0xd8/0x2f0
[ 1002.841680]  sock_ioctl+0x325/0x610
[ 1002.845488]  do_vfs_ioctl+0xd5f/0x1380
[ 1002.849372]  ksys_ioctl+0xab/0xd0
[ 1002.852822]  __x64_sys_ioctl+0x73/0xb0
[ 1002.856844]  do_syscall_64+0xfd/0x620
[ 1002.860643]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1002.865819]
[ 1002.867600] Freed by task 8552:
[ 1002.870878]  save_stack+0x45/0xd0
[ 1002.874453]  __kasan_slab_free+0x102/0x150
[ 1002.878694]  kasan_slab_free+0xe/0x10
[ 1002.882483]  kfree+0xcf/0x220
[ 1002.885589]  neigh_ifdown+0x22f/0x2f0
[ 1002.889379]  arp_ifdown+0x1d/0x21
[ 1002.892828]  inetdev_event+0xa42/0x1230
[ 1002.897008]  notifier_call_chain+0xc2/0x230
[ 1002.901332]  raw_notifier_call_chain+0x2e/0x40
[ 1002.905936]  call_netdevice_notifiers_info+0x3f/0x90
[ 1002.911039]  rollback_registered_many+0x993/0xf90
[ 1002.916059]  rollback_registered+0x109/0x1d0
[ 1002.920906]  unregister_netdevice_queue+0x1ee/0x2c0
[ 1002.926358]  __tun_detach+0xd8a/0x1040
[ 1002.930246]  tun_chr_close+0xe0/0x180
[ 1002.934053]  __fput+0x2dd/0x8b0
[ 1002.937328]  ____fput+0x16/0x20
[ 1002.940661]  task_work_run+0x145/0x1c0
[ 1002.944867]  exit_to_usermode_loop+0x273/0x2c0
[ 1002.949729]  do_syscall_64+0x53d/0x620
[ 1002.953746]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1002.958925]
[ 1002.960543] The buggy address belongs to the object at ffff8880a4b27c00
[ 1002.960543]  which belongs to the cache kmalloc-64 of size 64
[ 1002.973884] The buggy address is located 0 bytes inside of
[ 1002.973884]  64-byte region [ffff8880a4b27c00, ffff8880a4b27c40)
[ 1002.985835] The buggy address belongs to the page:
[ 1002.990772] page:ffffea000292c9c0 count:1 mapcount:0 mapping:ffff88812c3f0340 index:0x0
[ 1002.999270] flags: 0x1fffc0000000100(slab)
[ 1003.003513] raw: 01fffc0000000100 ffffea0002613c08 ffff88812c3f1348 ffff88812c3f0340
[ 1003.011521] raw: 0000000000000000 ffff8880a4b27000 0000000100000020 0000000000000000
[ 1003.019558] page dumped because: kasan: bad access detected
[ 1003.025384]
[ 1003.027004] Memory state around the buggy address:
[ 1003.032058]  ffff8880a4b27b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1003.039537]  ffff8880a4b27b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1003.047012] >ffff8880a4b27c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1003.054380]                    ^
[ 1003.057893]  ffff8880a4b27c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 1003.065621]  ffff8880a4b27d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 1003.073112] ==================================================================
[ 1003.080687] Disabling lock debugging due to kernel taint
[ 1003.086197] Kernel panic - not syncing: panic_on_warn set ...
[ 1003.086197]
[ 1003.092352] kobject: 'rx-0' (0000000046f4dddf): kobject_cleanup, parent 00000000c604ad0b
[ 1003.093573] CPU: 1 PID: 8554 Comm: syz-executor.0 Tainted: G B 4.19.51 #23
[ 1003.101898] kobject: 'rx-0' (0000000046f4dddf): auto cleanup 'remove' event
[ 1003.110084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1003.110088] Call Trace:
[ 1003.110110]  dump_stack+0x172/0x1f0
[ 1003.110128]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1003.110212]  panic+0x263/0x507
[ 1003.110227]  ? __warn_printk+0xf3/0xf3
[ 1003.118147] kobject: 'rx-0' (0000000046f4dddf): kobject_uevent_env
[ 1003.126660]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1003.126681]  ? trace_hardirqs_on+0x5e/0x220
[ 1003.126692]  ? trace_hardirqs_on+0x5e/0x220
[ 1003.126708]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1003.129854] kobject: 'rx-0' (0000000046f4dddf): fill_kobj_path: path = '/devices/virtual/net/ipŽi0/queues/rx-0'
[ 1003.132892]  kasan_end_report+0x47/0x4f
[ 1003.132907]  kasan_report.cold+0xa9/0x2ba
[ 1003.138425] kobject: 'rx-0' (0000000046f4dddf): auto cleanup kobject_del
[ 1003.140914]  __asan_report_load8_noabort+0x14/0x20
[ 1003.141011]  pneigh_get_next.isra.0+0x24b/0x280
[ 1003.144865] kobject: 'rx-0' (0000000046f4dddf): calling ktype release
[ 1003.151117]  neigh_seq_next+0xdb/0x210
[ 1003.151132]  seq_read+0x9cf/0x1110
[ 1003.151149]  ? seq_dentry+0x2d0/0x2d0
[ 1003.151161]  proc_reg_read+0x1f8/0x2b0
[ 1003.151176]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[ 1003.157329] kobject: 'rx-0': free name
[ 1003.160487]  ? security_file_permission+0x89/0x230
[ 1003.160502]  ? rw_verify_area+0x118/0x360
[ 1003.164882] kobject: 'tx-0' (0000000012cb8c3a): kobject_cleanup, parent 00000000c604ad0b
[ 1003.169695]  do_iter_read+0x490/0x640
[ 1003.169709]  ? dup_iter+0x280/0x280
[ 1003.169724]  vfs_readv+0xf0/0x160
[ 1003.169741]  ? compat_rw_copy_check_uvector+0x3f0/0x3f0
[ 1003.180926] kobject: 'tx-0' (0000000012cb8c3a): auto cleanup 'remove' event
[ 1003.184106]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1003.184123]  ? push_pipe+0x417/0x7a0
[ 1003.188520] kobject: 'tx-0' (0000000012cb8c3a): kobject_uevent_env
[ 1003.195098]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1003.195114]  ? iov_iter_get_pages_alloc+0x363/0x11a0
[ 1003.200677] kobject: 'tx-0' (0000000012cb8c3a): fill_kobj_path: path = '/devices/virtual/net/ipŽi0/queues/tx-0'
[ 1003.204688]  ? iov_iter_revert+0xa50/0xa50
[ 1003.204707]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1003.211616] kobject: 'tx-0' (0000000012cb8c3a): auto cleanup kobject_del
[ 1003.215145]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 1003.215162]  ? iov_iter_pipe+0xbe/0x2f0
[ 1003.219381] kobject: 'tx-0' (0000000012cb8c3a): calling ktype release
[ 1003.222475]  default_file_splice_read+0x478/0x890
[ 1003.222489]  ? free_unref_page+0x474/0x600
[ 1003.226380] kobject: 'tx-0': free name
[ 1003.231278]  ? __put_page+0x8d/0xd0
[ 1003.231296]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1003.231314]  ? __lock_is_held+0xb6/0x140
[ 1003.231344]  ? security_file_permission+0x89/0x230
[ 1003.236067] kobject: 'queues' (00000000c604ad0b): kobject_cleanup, parent (null)
[ 1003.240117]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1003.240130]  do_splice_to+0x127/0x180
[ 1003.240145]  splice_direct_to_actor+0x256/0x890
[ 1003.240158]  ? generic_pipe_buf_nosteal+0x10/0x10
[ 1003.240172]  ? do_splice_to+0x180/0x180
[ 1003.240185]  ? security_file_permission+0x89/0x230
[ 1003.240200]  ? rw_verify_area+0x118/0x360
[ 1003.245498] kobject: 'queues' (00000000c604ad0b): calling ktype release
[ 1003.252552]  do_splice_direct+0x1da/0x2a0
[ 1003.252567]  ? splice_direct_to_actor+0x890/0x890
[ 1003.252587]  ? rcu_read_lock_sched_held+0x110/0x130
[ 1003.252602]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 1003.257296] kobject: 'queues' (00000000c604ad0b): kset_release
[ 1003.260000]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1003.260017]  ? __sb_start_write+0x1ac/0x360
[ 1003.263476] kobject: 'queues': free name
[ 1003.268811]  do_sendfile+0x597/0xce0
[ 1003.268828]  ? do_compat_pwritev64+0x1c0/0x1c0
[ 1003.268841]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1003.268861]  ? put_timespec64+0xda/0x140
[ 1003.276951] kobject: 'ipŽi0' (00000000a0145c62): kobject_uevent_env
[ 1003.281560]  __x64_sys_sendfile64+0x1dd/0x220
[ 1003.281574]  ? __ia32_sys_sendfile+0x230/0x230
[ 1003.286331] kobject: 'ipŽi0' (00000000a0145c62): fill_kobj_path: path = '/devices/virtual/net/ipŽi0'
[ 1003.291581]  ? do_syscall_64+0x26/0x620
[ 1003.291597]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1003.291612]  ? trace_hardirqs_on+0x67/0x220
[ 1003.291627]  do_syscall_64+0xfd/0x620
[ 1003.523070]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1003.528251] RIP: 0033:0x4592c9
[ 1003.531461] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1003.550786] RSP: 002b:00007f3a8ac31c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 1003.558487] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
[ 1003.565931] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
[ 1003.573283] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1003.580631] R10: 0000000080000000 R11: 0000000000000246 R12: 00007f3a8ac326d4
[ 1003.588209] R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
[ 1003.597122] Kernel Offset: disabled
[ 1003.600898] Rebooting in 86400 seconds..