[   47.148630] audit: type=1800 audit(1583659563.425:30): pid=7864 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   53.057530] kauditd_printk_skb: 4 callbacks suppressed
[   53.057543] audit: type=1400 audit(1583659569.365:35): avc: denied { map } for pid=8037 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.210' (ECDSA) to the list of known hosts.
[   76.934938] audit: type=1400 audit(1583659593.245:36): avc: denied { map } for pid=8049 comm="syz-executor243" path="/root/syz-executor243230951" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   76.963712] IPVS: ftp: loaded support on port[0] = 21
[   77.026413] chnl_net:caif_netlink_parms(): no params data found
[   77.082977] bridge0: port 1(bridge_slave_0) entered blocking state
[   77.089661] bridge0: port 1(bridge_slave_0) entered disabled state
[   77.097492] device bridge_slave_0 entered promiscuous mode
[   77.105626] bridge0: port 2(bridge_slave_1) entered blocking state
[   77.112929] bridge0: port 2(bridge_slave_1) entered disabled state
[   77.120167] device bridge_slave_1 entered promiscuous mode
[   77.137571] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   77.146704] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   77.164431] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   77.172877] team0: Port device team_slave_0 added
[   77.178557] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   77.186118] team0: Port device team_slave_1 added
[   77.200955] batman_adv: batadv0: Adding interface: batadv_slave_0
[   77.207210] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   77.232449] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   77.244565] batman_adv: batadv0: Adding interface: batadv_slave_1
[   77.250894] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   77.276151] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   77.287158] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   77.294891] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   77.351314] device hsr_slave_0 entered promiscuous mode
[   77.389336] device hsr_slave_1 entered promiscuous mode
[   77.450063] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   77.457417] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   77.516324] audit: type=1400 audit(1583659593.825:37): avc: denied { create } for pid=8050 comm="syz-executor243" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   77.541031] bridge0: port 2(bridge_slave_1) entered blocking state
[   77.541572] audit: type=1400 audit(1583659593.825:38): avc: denied { write } for pid=8050 comm="syz-executor243" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   77.547518] bridge0: port 2(bridge_slave_1) entered forwarding state
[   77.572463] audit: type=1400 audit(1583659593.835:39): avc: denied { read } for pid=8050 comm="syz-executor243" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[   77.578580] bridge0: port 1(bridge_slave_0) entered blocking state
[   77.608240] bridge0: port 1(bridge_slave_0) entered forwarding state
[   77.646624] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   77.653925] 8021q: adding VLAN 0 to HW filter on device bond0
[   77.663241] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   77.672497] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   77.691393] bridge0: port 1(bridge_slave_0) entered disabled state
[   77.698531] bridge0: port 2(bridge_slave_1) entered disabled state
[   77.705935] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   77.717100] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   77.723688] 8021q: adding VLAN 0 to HW filter on device team0
[   77.733470] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   77.741250] bridge0: port 1(bridge_slave_0) entered blocking state
[   77.747622] bridge0: port 1(bridge_slave_0) entered forwarding state
[   77.769936] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   77.777645] bridge0: port 2(bridge_slave_1) entered blocking state
[   77.784047] bridge0: port 2(bridge_slave_1) entered forwarding state
[   77.792526] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   77.800403] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   77.807962] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   77.816714] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   77.826890] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   77.837796] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   77.844132] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   77.851771] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   77.866150] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   77.880337] 8021q: adding VLAN 0 to HW filter on device batadv0
[   77.886708] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   77.894095] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   77.912116] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   77.922847] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   77.965034] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   77.972371] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   77.980204] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   77.990735] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   77.998413] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   78.005634] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   78.015087] device veth0_vlan entered promiscuous mode
[   78.025392] device veth1_vlan entered promiscuous mode
[   78.041265] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   78.051685] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[   78.059738] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   78.067537] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   78.077567] device veth0_macvtap entered promiscuous mode
[   78.085485] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   78.094347] device veth1_macvtap entered promiscuous mode
[   78.100665] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[   78.110865] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   78.121084] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   78.131939] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[   78.139295] batman_adv: batadv0: Interface activated: batadv_slave_0
[   78.146111] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   78.153909] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   78.162184] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   78.171492] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   78.183885] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[   78.191164] batman_adv: batadv0: Interface activated: batadv_slave_1
[   78.197886] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   78.206144] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   78.325966] ==================================================================
[   78.333463] BUG: KASAN: use-after-free in tcindex_set_parms+0x17d0/0x19d0
[   78.340736] Write of size 16 at addr ffff88809f9a2030 by task syz-executor243/8050
[   78.348439]
[   78.350067] CPU: 0 PID: 8050 Comm: syz-executor243 Not tainted 4.19.108-syzkaller #0
[   78.358040] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.367399] Call Trace:
[   78.369984]  dump_stack+0x188/0x20d
[   78.373606]  ? tcindex_set_parms+0x17d0/0x19d0
[   78.378194]  print_address_description.cold+0x7c/0x212
[   78.383483]  ? tcindex_set_parms+0x17d0/0x19d0
[   78.388066]  kasan_report.cold+0x88/0x2b9
[   78.392204]  tcindex_set_parms+0x17d0/0x19d0
[   78.397055]  ? avc_has_perm_noaudit+0x316/0x520
[   78.401794]  ? tcindex_alloc_perfect_hash+0x350/0x350
[   78.407091]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   78.412286]  ? validate_nla+0x328/0x800
[   78.416254]  ? tcindex_change+0x200/0x2d3
[   78.420469]  tcindex_change+0x200/0x2d3
[   78.424500]  ? tcindex_set_parms+0x19d0/0x19d0
[   78.429085]  ? tcindex_set_parms+0x19d0/0x19d0
[   78.433665]  tc_new_tfilter+0xa6b/0x1450
[   78.437787]  ? tc_del_tfilter+0xd40/0xd40
[   78.441929]  ? __mutex_lock+0x3cd/0x1300
[   78.445996]  ? selinux_ipv4_output+0x50/0x50
[   78.450395]  ? rtnetlink_rcv_msg+0x3fe/0xaf0
[   78.454798]  ? kfree_skbmem+0xc1/0x140
[   78.458700]  ? tc_del_tfilter+0xd40/0xd40
[   78.462841]  rtnetlink_rcv_msg+0x453/0xaf0
[   78.467066]  ? rtnetlink_put_metrics+0x520/0x520
[   78.471922]  ? netdev_pick_tx+0x2f0/0x2f0
[   78.476180]  ? __copy_skb_header+0x2f0/0x510
[   78.480592]  ? sock_spd_release+0x270/0x270
[   78.484935]  netlink_rcv_skb+0x160/0x410
[   78.489018]  ? rtnetlink_put_metrics+0x520/0x520
[   78.493837]  ? netlink_ack+0xa60/0xa60
[   78.497845]  netlink_unicast+0x4d7/0x6a0
[   78.501916]  ? netlink_attachskb+0x710/0x710
[   78.506335]  netlink_sendmsg+0x80b/0xcd0
[   78.510391]  ? netlink_unicast+0x6a0/0x6a0
[   78.514709]  ? move_addr_to_kernel.part.0+0x110/0x110
[   78.519991]  ? netlink_unicast+0x6a0/0x6a0
[   78.524230]  sock_sendmsg+0xcf/0x120
[   78.527944]  ___sys_sendmsg+0x803/0x920
[   78.532088]  ? copy_msghdr_from_user+0x410/0x410
[   78.536857]  ? find_held_lock+0x2d/0x110
[   78.540919]  ? __might_fault+0x11f/0x1d0
[   78.545094]  ? lock_downgrade+0x740/0x740
[   78.549239]  ? __might_fault+0x192/0x1d0
[   78.553298]  ? _copy_to_user+0xb8/0x100
[   78.557262]  ? move_addr_to_user+0xa8/0x1e0
[   78.561580]  ? __fget_light+0x1a2/0x230
[   78.565562]  __sys_sendmsg+0xec/0x1b0
[   78.569388]  ? __ia32_sys_shutdown+0x70/0x70
[   78.573817]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   78.578619]  ? trace_hardirqs_off_caller+0x55/0x210
[   78.583632]  ? do_syscall_64+0x21/0x620
[   78.587596]  do_syscall_64+0xf9/0x620
[   78.591390]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.596578] RIP: 0033:0x443de9
[   78.599765] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   78.618683] RSP: 002b:00007ffed4891b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   78.626403] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443de9
[   78.633658] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   78.640936] RBP: 00007ffed4891be0 R08: 00000000bb1414ac R09: 00000000bb1414ac
[   78.648191] R10: 00000000bb1414ac R11: 0000000000000246 R12: 0000000000000000
[   78.655446] R13: 0000000000405170 R14: 0000000000000000 R15: 0000000000000000
[   78.662725]
[   78.664350] Allocated by task 7840:
[   78.667989]  kasan_kmalloc+0xbf/0xe0
[   78.671699]  kmem_cache_alloc+0x127/0x710
[   78.675842]  prepare_creds+0x39/0x410
[   78.679624]  do_faccessat+0x94/0x7a0
[   78.683321]  do_syscall_64+0xf9/0x620
[   78.687136]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.692335]
[   78.693944] Freed by task 7840:
[   78.697208]  __kasan_slab_free+0xf7/0x140
[   78.701353]  kmem_cache_free+0x7f/0x260
[   78.705321]  __put_cred+0x1de/0x250
[   78.708951]  do_faccessat+0x64e/0x7a0
[   78.712753]  do_syscall_64+0xf9/0x620
[   78.716536]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.721832]
[   78.723451] The buggy address belongs to the object at ffff88809f9a2000
[   78.723451]  which belongs to the cache cred_jar of size 184
[   78.736353] The buggy address is located 48 bytes inside of
[   78.736353]  184-byte region [ffff88809f9a2000, ffff88809f9a20b8)
[   78.748122] The buggy address belongs to the page:
[   78.753145] page:ffffea00027e6880 count:1 mapcount:0 mapping:ffff88812c290b00 index:0x0
[   78.761285] flags: 0xfffe0000000100(slab)
[   78.765429] raw: 00fffe0000000100 ffffea00027e8988 ffffea000278b988 ffff88812c290b00
[   78.773303] raw: 0000000000000000 ffff88809f9a2000 0000000100000010 0000000000000000
[   78.781259] page dumped because: kasan: bad access detected
[   78.786958]
[   78.788584] Memory state around the buggy address:
[   78.793499]  ffff88809f9a1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   78.800930]  ffff88809f9a1f80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   78.808269] >ffff88809f9a2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.815614]                         ^
[   78.820537]  ffff88809f9a2080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   78.828050]  ffff88809f9a2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.835387] ==================================================================
[   78.842736] Disabling lock debugging due to kernel taint
[   78.849501] Kernel panic - not syncing: panic_on_warn set ...
[   78.849501]
[   78.856890] CPU: 0 PID: 8050 Comm: syz-executor243 Tainted: G    B             4.19.108-syzkaller #0
[   78.866146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.875666] Call Trace:
[   78.878247]  dump_stack+0x188/0x20d
[   78.882028]  panic+0x26a/0x50e
[   78.885689]  ? __warn_printk+0xf3/0xf3
[   78.889562]  ? preempt_schedule_common+0x4a/0xc0
[   78.894488]  ? tcindex_set_parms+0x17d0/0x19d0
[   78.899069]  ? ___preempt_schedule+0x16/0x18
[   78.903475]  ? trace_hardirqs_on+0x55/0x210
[   78.907795]  ? tcindex_set_parms+0x17d0/0x19d0
[   78.912386]  kasan_end_report+0x43/0x49
[   78.916352]  kasan_report.cold+0xa4/0x2b9
[   78.920502]  tcindex_set_parms+0x17d0/0x19d0
[   78.924911]  ? avc_has_perm_noaudit+0x316/0x520
[   78.929579]  ? tcindex_alloc_perfect_hash+0x350/0x350
[   78.934773]  ? __sanitizer_cov_trace_switch+0x45/0x70
[   78.939963]  ? validate_nla+0x328/0x800
[   78.943954]  ? tcindex_change+0x200/0x2d3
[   78.948085]  tcindex_change+0x200/0x2d3
[   78.952054]  ? tcindex_set_parms+0x19d0/0x19d0
[   78.956642]  ? tcindex_set_parms+0x19d0/0x19d0
[   78.961219]  tc_new_tfilter+0xa6b/0x1450
[   78.965269]  ? tc_del_tfilter+0xd40/0xd40
[   78.969415]  ? __mutex_lock+0x3cd/0x1300
[   78.973482]  ? selinux_ipv4_output+0x50/0x50
[   78.977878]  ? rtnetlink_rcv_msg+0x3fe/0xaf0
[   78.982276]  ? kfree_skbmem+0xc1/0x140
[   78.986156]  ? tc_del_tfilter+0xd40/0xd40
[   78.990377]  rtnetlink_rcv_msg+0x453/0xaf0
[   78.994597]  ? rtnetlink_put_metrics+0x520/0x520
[   78.999352]  ? netdev_pick_tx+0x2f0/0x2f0
[   79.003503]  ? __copy_skb_header+0x2f0/0x510
[   79.007944]  ? sock_spd_release+0x270/0x270
[   79.012441]  netlink_rcv_skb+0x160/0x410
[   79.016510]  ? rtnetlink_put_metrics+0x520/0x520
[   79.022218]  ? netlink_ack+0xa60/0xa60
[   79.026097]  netlink_unicast+0x4d7/0x6a0
[   79.030148]  ? netlink_attachskb+0x710/0x710
[   79.034551]  netlink_sendmsg+0x80b/0xcd0
[   79.038599]  ? netlink_unicast+0x6a0/0x6a0
[   79.042823]  ? move_addr_to_kernel.part.0+0x110/0x110
[   79.048007]  ? netlink_unicast+0x6a0/0x6a0
[   79.052240]  sock_sendmsg+0xcf/0x120
[   79.055938]  ___sys_sendmsg+0x803/0x920
[   79.059907]  ? copy_msghdr_from_user+0x410/0x410
[   79.064649]  ? find_held_lock+0x2d/0x110
[   79.068702]  ? __might_fault+0x11f/0x1d0
[   79.072760]  ? lock_downgrade+0x740/0x740
[   79.076994]  ? __might_fault+0x192/0x1d0
[   79.081049]  ? _copy_to_user+0xb8/0x100
[   79.085015]  ? move_addr_to_user+0xa8/0x1e0
[   79.089322]  ? __fget_light+0x1a2/0x230
[   79.093280]  __sys_sendmsg+0xec/0x1b0
[   79.097083]  ? __ia32_sys_shutdown+0x70/0x70
[   79.101479]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   79.106228]  ? trace_hardirqs_off_caller+0x55/0x210
[   79.111315]  ? do_syscall_64+0x21/0x620
[   79.115282]  do_syscall_64+0xf9/0x620
[   79.119082]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   79.124265] RIP: 0033:0x443de9
[   79.127450] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   79.146340] RSP: 002b:00007ffed4891b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   79.154037] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443de9
[   79.161297] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   79.168565] RBP: 00007ffed4891be0 R08: 00000000bb1414ac R09: 00000000bb1414ac
[   79.175873] R10: 00000000bb1414ac R11: 0000000000000246 R12: 0000000000000000
[   79.183129] R13: 0000000000405170 R14: 0000000000000000 R15: 0000000000000000
[   79.191979] Kernel Offset: disabled
[   79.195610] Rebooting in 86400 seconds..
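Added example, not part of the syzbot report or of the kernel: a small Python triage parser for the KASAN report above, run on a trimmed copy of its own lines. It extracts the bug class, the faulting access (operation, size, address, task), the reliable call-trace frames (entries prefixed "?" are unreliable guesses from the stack scan and are dropped), the Allocated/Freed history of the slab slot and the object/cache geometry, and lets the caller cross-check the printed offset against the address arithmetic. All function, class and field names are mine; the regular expressions target the 4.19-era report layout visible on this page and are assumptions about that layout, not a general KASAN grammar.

```python
"""Structured triage of a 4.19-era KASAN report lifted from a syzbot console log."""
import re
from dataclasses import dataclass, field
from typing import List

# Trimmed excerpt of the report on this page (most "?" frames, registers and the panic trace dropped).
SAMPLE = """\
[   78.325966] ==================================================================
[   78.333463] BUG: KASAN: use-after-free in tcindex_set_parms+0x17d0/0x19d0
[   78.340736] Write of size 16 at addr ffff88809f9a2030 by task syz-executor243/8050
[   78.367399] Call Trace:
[   78.369984]  dump_stack+0x188/0x20d
[   78.373606]  ? tcindex_set_parms+0x17d0/0x19d0
[   78.378194]  print_address_description.cold+0x7c/0x212
[   78.388066]  kasan_report.cold+0x88/0x2b9
[   78.392204]  tcindex_set_parms+0x17d0/0x19d0
[   78.420469]  tcindex_change+0x200/0x2d3
[   78.433665]  tc_new_tfilter+0xa6b/0x1450
[   78.664350] Allocated by task 7840:
[   78.667989]  kasan_kmalloc+0xbf/0xe0
[   78.675842]  prepare_creds+0x39/0x410
[   78.679624]  do_faccessat+0x94/0x7a0
[   78.693944] Freed by task 7840:
[   78.697208]  __kasan_slab_free+0xf7/0x140
[   78.705321]  __put_cred+0x1de/0x250
[   78.708951]  do_faccessat+0x64e/0x7a0
[   78.723451] The buggy address belongs to the object at ffff88809f9a2000
[   78.723451]  which belongs to the cache cred_jar of size 184
[   78.736353] The buggy address is located 48 bytes inside of
[   78.736353]  184-byte region [ffff88809f9a2000, ffff88809f9a20b8)
[   78.835387] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
FRAME = re.compile(r"^\s*(?P<guess>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames of the reporting/allocator machinery rather than of the code under suspicion.
MACHINERY = ("dump_stack", "print_address_description", "kasan_report", "kasan_kmalloc", "__kasan_slab_free")


def first_real_frame(frames: List[str]) -> str:
    return next((f for f in frames if not f.startswith(MACHINERY)), "")


@dataclass
class KasanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    call_trace: List[str] = field(default_factory=list)
    alloc_task: int = 0
    alloc_stack: List[str] = field(default_factory=list)
    free_task: int = 0
    free_stack: List[str] = field(default_factory=list)
    object_addr: int = 0
    cache: str = ""
    object_size: int = 0
    reported_offset: int = 0  # offset as printed by KASAN; cross-check it against offset()

    def culprit(self) -> str:  # first reliable frame outside the KASAN/dump machinery
        return first_real_frame(self.call_trace)

    def offset(self) -> int:
        return self.addr - self.object_addr

    def history_matches_culprit(self) -> bool:
        # KASAN's alloc/free tracks describe the slot's latest owner; if the culprit is in
        # neither stack, the dangling pointer predates that owner.
        return self.culprit() in self.alloc_stack or self.culprit() in self.free_stack


def parse_kasan_report(text: str) -> KasanReport:
    r, section, banners = KasanReport(), None, 0
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if line.startswith("====="):
            banners += 1
            if banners == 2:
                break  # closing banner of the first report; the panic trace after it is noise here
        elif m := re.match(r"BUG: KASAN: (\S+) in ", line):
            r.kind = m.group(1)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.op, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r.comm, r.pid = m.group(4), int(m.group(5))
        elif line == "Call Trace:":
            section = "trace"
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, section = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = int(m.group(1)), "free"
        elif m := re.search(r"object at ([0-9a-f]+)$", line):
            r.object_addr = int(m.group(1), 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r.reported_offset = int(m.group(1))
        elif (m := FRAME.match(line)) and section and not m.group("guess"):  # skip unreliable "?" frames
            {"trace": r.call_trace, "alloc": r.alloc_stack, "free": r.free_stack}[section].append(m.group("func"))
    return r
```

What this surfaces for the report above: a 16-byte write at cred_jar+48 from tcindex_set_parms, while the recorded owner of that slab slot is a struct cred allocated by prepare_creds and freed by __put_cred inside do_faccessat, in a different task (7840, not the reporting 8050). The tc filter code does not allocate from cred_jar, so the write went through a stale pointer into memory that had already been recycled to another cache; the free that matters happened earlier on the tcindex path and is not what the Allocated/Freed stacks show, since those always describe the slot's most recent owner. The fb shadow bytes around the address confirm the current occupant is itself already freed. ORIG_RAX 0x2e in the register dump is syscall 46, sendmsg on x86_64, which matches the netlink_sendmsg frames in the trace.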