Warning: Permanently added '10.128.15.197' (ECDSA) to the list of known hosts.
syzkaller login: [  975.969947] kauditd_printk_skb: 3 callbacks suppressed
[  975.969959] audit: type=1400 audit(1560618348.214:36): avc:  denied  { map } for  pid=7649 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/15 17:05:49 parsed 1 programs
[  976.872223] audit: type=1400 audit(1560618349.114:37): avc:  denied  { map } for  pid=7649 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14209 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/15 17:05:50 executed programs: 0
[  978.432570] IPVS: ftp: loaded support on port[0] = 21
[  978.492319] chnl_net:caif_netlink_parms(): no params data found
[  978.524430] bridge0: port 1(bridge_slave_0) entered blocking state
[  978.531349] bridge0: port 1(bridge_slave_0) entered disabled state
[  978.538932] device bridge_slave_0 entered promiscuous mode
[  978.546944] bridge0: port 2(bridge_slave_1) entered blocking state
[  978.553552] bridge0: port 2(bridge_slave_1) entered disabled state
[  978.560998] device bridge_slave_1 entered promiscuous mode
[  978.576553] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  978.585602] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  978.601795] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  978.609624] team0: Port device team_slave_0 added
[  978.615484] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  978.622847] team0: Port device team_slave_1 added
[  978.628388] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[  978.635732] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[  978.688757] device hsr_slave_0 entered promiscuous mode
[  978.756886] device hsr_slave_1 entered promiscuous mode
[  978.838865] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[  978.857584] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[  978.872040] bridge0: port 2(bridge_slave_1) entered blocking state
[  978.878995] bridge0: port 2(bridge_slave_1) entered forwarding state
[  978.886203] bridge0: port 1(bridge_slave_0) entered blocking state
[  978.892636] bridge0: port 1(bridge_slave_0) entered forwarding state
[  978.924055] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  978.930253] 8021q: adding VLAN 0 to HW filter on device bond0
[  978.938401] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  978.947945] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  978.959310] bridge0: port 1(bridge_slave_0) entered disabled state
[  978.967064] bridge0: port 2(bridge_slave_1) entered disabled state
[  978.974254] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  978.986560] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  978.993014] 8021q: adding VLAN 0 to HW filter on device team0
[  979.002759] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  979.010710] bridge0: port 1(bridge_slave_0) entered blocking state
[  979.017333] bridge0: port 1(bridge_slave_0) entered forwarding state
[  979.027308] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  979.034962] bridge0: port 2(bridge_slave_1) entered blocking state
[  979.041372] bridge0: port 2(bridge_slave_1) entered forwarding state
[  979.057656] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  979.065276] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  979.073361] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  979.085289] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  979.095711] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  979.107563] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[  979.114513] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  979.122626] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  979.131498] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  979.144423] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[  979.155195] 8021q: adding VLAN 0 to HW filter on device batadv0
[  979.165161] audit: type=1400 audit(1560618351.404:38): avc:  denied  { associate } for  pid=7666 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/06/15 17:05:55 executed programs: 40
2019/06/15 17:06:00 executed programs: 86
2019/06/15 17:06:05 executed programs: 134
2019/06/15 17:06:10 executed programs: 182
[ 1002.431715] ==================================================================
[ 1002.439488] BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280
[ 1002.446798] Read of size 8 at addr ffff8880a4b27c00 by task syz-executor.0/8554
[ 1002.454237] 
[ 1002.455942] CPU: 1 PID: 8554 Comm: syz-executor.0 Not tainted 4.19.51 #23
[ 1002.462867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1002.472332] Call Trace:
[ 1002.475130]  dump_stack+0x172/0x1f0
[ 1002.479046]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1002.483969]  print_address_description.cold+0x7c/0x20d
[ 1002.489426]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1002.494399]  kasan_report.cold+0x8c/0x2ba
[ 1002.498672]  __asan_report_load8_noabort+0x14/0x20
[ 1002.503734]  pneigh_get_next.isra.0+0x24b/0x280
[ 1002.508401]  neigh_seq_next+0xdb/0x210
[ 1002.512365]  seq_read+0x9cf/0x1110
[ 1002.516036]  ? seq_dentry+0x2d0/0x2d0
[ 1002.519997]  proc_reg_read+0x1f8/0x2b0
[ 1002.523961]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[ 1002.528968]  ? security_file_permission+0x89/0x230
[ 1002.533941]  ? rw_verify_area+0x118/0x360
[ 1002.538087]  do_iter_read+0x490/0x640
[ 1002.541930]  ? dup_iter+0x280/0x280
[ 1002.545549]  vfs_readv+0xf0/0x160
[ 1002.548993]  ? compat_rw_copy_check_uvector+0x3f0/0x3f0
[ 1002.554397]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1002.559936]  ? push_pipe+0x417/0x7a0
[ 1002.563720]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1002.569278]  ? iov_iter_get_pages_alloc+0x363/0x11a0
[ 1002.574390]  ? iov_iter_revert+0xa50/0xa50
[ 1002.578677]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1002.583255]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 1002.588278]  ? iov_iter_pipe+0xbe/0x2f0
[ 1002.592265]  default_file_splice_read+0x478/0x890
[ 1002.597427]  ? free_unref_page+0x474/0x600
[ 1002.601862]  ? __put_page+0x8d/0xd0
[ 1002.605489]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1002.610322]  ? __lock_is_held+0xb6/0x140
[ 1002.614387]  ? security_file_permission+0x89/0x230
[ 1002.619299]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1002.624123]  do_splice_to+0x127/0x180
[ 1002.627913]  splice_direct_to_actor+0x256/0x890
[ 1002.632740]  ? generic_pipe_buf_nosteal+0x10/0x10
[ 1002.637588]  ? do_splice_to+0x180/0x180
[ 1002.641704]  ? security_file_permission+0x89/0x230
[ 1002.646748]  ? rw_verify_area+0x118/0x360
[ 1002.650973]  do_splice_direct+0x1da/0x2a0
[ 1002.655394]  ? splice_direct_to_actor+0x890/0x890
[ 1002.660326]  ? rcu_read_lock_sched_held+0x110/0x130
[ 1002.665450]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 1002.670225]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1002.675952]  ? __sb_start_write+0x1ac/0x360
[ 1002.680267]  do_sendfile+0x597/0xce0
[ 1002.684145]  ? do_compat_pwritev64+0x1c0/0x1c0
[ 1002.688832]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1002.694423]  ? put_timespec64+0xda/0x140
[ 1002.698480]  __x64_sys_sendfile64+0x1dd/0x220
[ 1002.702976]  ? __ia32_sys_sendfile+0x230/0x230
[ 1002.707679]  ? do_syscall_64+0x26/0x620
[ 1002.711650]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1002.716350]  ? trace_hardirqs_on+0x67/0x220
[ 1002.720857]  do_syscall_64+0xfd/0x620
[ 1002.724716]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1002.729896] RIP: 0033:0x4592c9
[ 1002.733077] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1002.751984] RSP: 002b:00007f3a8ac31c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 1002.759703] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
[ 1002.766969] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
[ 1002.774333] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1002.781683] R10: 0000000080000000 R11: 0000000000000246 R12: 00007f3a8ac326d4
[ 1002.789238] R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
[ 1002.796507] 
[ 1002.798116] Allocated by task 8555:
[ 1002.801744]  save_stack+0x45/0xd0
[ 1002.805301]  kasan_kmalloc+0xce/0xf0
[ 1002.809128]  __kmalloc+0x15d/0x750
[ 1002.812662]  pneigh_lookup+0x19c/0x460
[ 1002.816629]  arp_req_set+0x613/0x720
[ 1002.821958]  arp_ioctl+0x652/0x7f0
[ 1002.834044]  inet_ioctl+0x2a0/0x370
[ 1002.837882]  sock_do_ioctl+0xd8/0x2f0
[ 1002.841680]  sock_ioctl+0x325/0x610
[ 1002.845488]  do_vfs_ioctl+0xd5f/0x1380
[ 1002.849372]  ksys_ioctl+0xab/0xd0
[ 1002.852822]  __x64_sys_ioctl+0x73/0xb0
[ 1002.856844]  do_syscall_64+0xfd/0x620
[ 1002.860643]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1002.865819] 
[ 1002.867600] Freed by task 8552:
[ 1002.870878]  save_stack+0x45/0xd0
[ 1002.874453]  __kasan_slab_free+0x102/0x150
[ 1002.878694]  kasan_slab_free+0xe/0x10
[ 1002.882483]  kfree+0xcf/0x220
[ 1002.885589]  neigh_ifdown+0x22f/0x2f0
[ 1002.889379]  arp_ifdown+0x1d/0x21
[ 1002.892828]  inetdev_event+0xa42/0x1230
[ 1002.897008]  notifier_call_chain+0xc2/0x230
[ 1002.901332]  raw_notifier_call_chain+0x2e/0x40
[ 1002.905936]  call_netdevice_notifiers_info+0x3f/0x90
[ 1002.911039]  rollback_registered_many+0x993/0xf90
[ 1002.916059]  rollback_registered+0x109/0x1d0
[ 1002.920906]  unregister_netdevice_queue+0x1ee/0x2c0
[ 1002.926358]  __tun_detach+0xd8a/0x1040
[ 1002.930246]  tun_chr_close+0xe0/0x180
[ 1002.934053]  __fput+0x2dd/0x8b0
[ 1002.937328]  ____fput+0x16/0x20
[ 1002.940661]  task_work_run+0x145/0x1c0
[ 1002.944867]  exit_to_usermode_loop+0x273/0x2c0
[ 1002.949729]  do_syscall_64+0x53d/0x620
[ 1002.953746]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1002.958925] 
[ 1002.960543] The buggy address belongs to the object at ffff8880a4b27c00
[ 1002.960543]  which belongs to the cache kmalloc-64 of size 64
[ 1002.973884] The buggy address is located 0 bytes inside of
[ 1002.973884]  64-byte region [ffff8880a4b27c00, ffff8880a4b27c40)
[ 1002.985835] The buggy address belongs to the page:
[ 1002.990772] page:ffffea000292c9c0 count:1 mapcount:0 mapping:ffff88812c3f0340 index:0x0
[ 1002.999270] flags: 0x1fffc0000000100(slab)
[ 1003.003513] raw: 01fffc0000000100 ffffea0002613c08 ffff88812c3f1348 ffff88812c3f0340
[ 1003.011521] raw: 0000000000000000 ffff8880a4b27000 0000000100000020 0000000000000000
[ 1003.019558] page dumped because: kasan: bad access detected
[ 1003.025384] 
[ 1003.027004] Memory state around the buggy address:
[ 1003.032058]  ffff8880a4b27b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1003.039537]  ffff8880a4b27b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1003.047012] >ffff8880a4b27c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1003.054380]                    ^
[ 1003.057893]  ffff8880a4b27c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 1003.065621]  ffff8880a4b27d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 1003.073112] ==================================================================
[ 1003.080687] Disabling lock debugging due to kernel taint
[ 1003.086197] Kernel panic - not syncing: panic_on_warn set ...
[ 1003.086197] 
[ 1003.092352] kobject: 'rx-0' (0000000046f4dddf): kobject_cleanup, parent 00000000c604ad0b
[ 1003.093573] CPU: 1 PID: 8554 Comm: syz-executor.0 Tainted: G    B             4.19.51 #23
[ 1003.101898] kobject: 'rx-0' (0000000046f4dddf): auto cleanup 'remove' event
[ 1003.110084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1003.110088] Call Trace:
[ 1003.110110]  dump_stack+0x172/0x1f0
[ 1003.110128]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1003.110212]  panic+0x263/0x507
[ 1003.110227]  ? __warn_printk+0xf3/0xf3
[ 1003.118147] kobject: 'rx-0' (0000000046f4dddf): kobject_uevent_env
[ 1003.126660]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1003.126681]  ? trace_hardirqs_on+0x5e/0x220
[ 1003.126692]  ? trace_hardirqs_on+0x5e/0x220
[ 1003.126708]  ? pneigh_get_next.isra.0+0x24b/0x280
[ 1003.129854] kobject: 'rx-0' (0000000046f4dddf): fill_kobj_path: path = '/devices/virtual/net/ipŽi0/queues/rx-0'
[ 1003.132892]  kasan_end_report+0x47/0x4f
[ 1003.132907]  kasan_report.cold+0xa9/0x2ba
[ 1003.138425] kobject: 'rx-0' (0000000046f4dddf): auto cleanup kobject_del
[ 1003.140914]  __asan_report_load8_noabort+0x14/0x20
[ 1003.141011]  pneigh_get_next.isra.0+0x24b/0x280
[ 1003.144865] kobject: 'rx-0' (0000000046f4dddf): calling ktype release
[ 1003.151117]  neigh_seq_next+0xdb/0x210
[ 1003.151132]  seq_read+0x9cf/0x1110
[ 1003.151149]  ? seq_dentry+0x2d0/0x2d0
[ 1003.151161]  proc_reg_read+0x1f8/0x2b0
[ 1003.151176]  ? proc_reg_unlocked_ioctl+0x2a0/0x2a0
[ 1003.157329] kobject: 'rx-0': free name
[ 1003.160487]  ? security_file_permission+0x89/0x230
[ 1003.160502]  ? rw_verify_area+0x118/0x360
[ 1003.164882] kobject: 'tx-0' (0000000012cb8c3a): kobject_cleanup, parent 00000000c604ad0b
[ 1003.169695]  do_iter_read+0x490/0x640
[ 1003.169709]  ? dup_iter+0x280/0x280
[ 1003.169724]  vfs_readv+0xf0/0x160
[ 1003.169741]  ? compat_rw_copy_check_uvector+0x3f0/0x3f0
[ 1003.180926] kobject: 'tx-0' (0000000012cb8c3a): auto cleanup 'remove' event
[ 1003.184106]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1003.184123]  ? push_pipe+0x417/0x7a0
[ 1003.188520] kobject: 'tx-0' (0000000012cb8c3a): kobject_uevent_env
[ 1003.195098]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1003.195114]  ? iov_iter_get_pages_alloc+0x363/0x11a0
[ 1003.200677] kobject: 'tx-0' (0000000012cb8c3a): fill_kobj_path: path = '/devices/virtual/net/ipŽi0/queues/tx-0'
[ 1003.204688]  ? iov_iter_revert+0xa50/0xa50
[ 1003.204707]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1003.211616] kobject: 'tx-0' (0000000012cb8c3a): auto cleanup kobject_del
[ 1003.215145]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 1003.215162]  ? iov_iter_pipe+0xbe/0x2f0
[ 1003.219381] kobject: 'tx-0' (0000000012cb8c3a): calling ktype release
[ 1003.222475]  default_file_splice_read+0x478/0x890
[ 1003.222489]  ? free_unref_page+0x474/0x600
[ 1003.226380] kobject: 'tx-0': free name
[ 1003.231278]  ? __put_page+0x8d/0xd0
[ 1003.231296]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1003.231314]  ? __lock_is_held+0xb6/0x140
[ 1003.231344]  ? security_file_permission+0x89/0x230
[ 1003.236067] kobject: 'queues' (00000000c604ad0b): kobject_cleanup, parent           (null)
[ 1003.240117]  ? iter_file_splice_write+0xbd0/0xbd0
[ 1003.240130]  do_splice_to+0x127/0x180
[ 1003.240145]  splice_direct_to_actor+0x256/0x890
[ 1003.240158]  ? generic_pipe_buf_nosteal+0x10/0x10
[ 1003.240172]  ? do_splice_to+0x180/0x180
[ 1003.240185]  ? security_file_permission+0x89/0x230
[ 1003.240200]  ? rw_verify_area+0x118/0x360
[ 1003.245498] kobject: 'queues' (00000000c604ad0b): calling ktype release
[ 1003.252552]  do_splice_direct+0x1da/0x2a0
[ 1003.252567]  ? splice_direct_to_actor+0x890/0x890
[ 1003.252587]  ? rcu_read_lock_sched_held+0x110/0x130
[ 1003.252602]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 1003.257296] kobject: 'queues' (00000000c604ad0b): kset_release
[ 1003.260000]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1003.260017]  ? __sb_start_write+0x1ac/0x360
[ 1003.263476] kobject: 'queues': free name
[ 1003.268811]  do_sendfile+0x597/0xce0
[ 1003.268828]  ? do_compat_pwritev64+0x1c0/0x1c0
[ 1003.268841]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1003.268861]  ? put_timespec64+0xda/0x140
[ 1003.276951] kobject: 'ipŽi0' (00000000a0145c62): kobject_uevent_env
[ 1003.281560]  __x64_sys_sendfile64+0x1dd/0x220
[ 1003.281574]  ? __ia32_sys_sendfile+0x230/0x230
[ 1003.286331] kobject: 'ipŽi0' (00000000a0145c62): fill_kobj_path: path = '/devices/virtual/net/ipŽi0'
[ 1003.291581]  ? do_syscall_64+0x26/0x620
[ 1003.291597]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 1003.291612]  ? trace_hardirqs_on+0x67/0x220
[ 1003.291627]  do_syscall_64+0xfd/0x620
[ 1003.523070]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1003.528251] RIP: 0033:0x4592c9
[ 1003.531461] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1003.550786] RSP: 002b:00007f3a8ac31c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 1003.558487] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
[ 1003.565931] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
[ 1003.573283] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1003.580631] R10: 0000000080000000 R11: 0000000000000246 R12: 00007f3a8ac326d4
[ 1003.588209] R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
[ 1003.597122] Kernel Offset: disabled
[ 1003.600898] Rebooting in 86400 seconds..