Warning: Permanently added '10.128.1.40' (ECDSA) to the list of known hosts.
2020/09/01 04:25:24 parsed 1 programs
2020/09/01 04:25:24 executed programs: 0
syzkaller login: [ 1048.478478] audit: type=1400 audit(1598934324.630:8): avc: denied { execmem } for pid=6488 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1049.609688] IPVS: ftp: loaded support on port[0] = 21
[ 1049.719612] chnl_net:caif_netlink_parms(): no params data found
[ 1049.805607] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1049.812164] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1049.819747] device bridge_slave_0 entered promiscuous mode
[ 1049.827122] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1049.833581] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1049.840468] device bridge_slave_1 entered promiscuous mode
[ 1049.857828] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1049.866638] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1049.884812] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1049.893718] team0: Port device team_slave_0 added
[ 1049.899106] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1049.906704] team0: Port device team_slave_1 added
[ 1049.921259] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1049.927551] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1049.952752] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1049.964467] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1049.970688] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1049.996015] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1050.006661] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1050.014393] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1050.033873] device hsr_slave_0 entered promiscuous mode
[ 1050.039651] device hsr_slave_1 entered promiscuous mode
[ 1050.046049] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1050.053421] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1050.118826] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.125287] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.131981] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.138393] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.171467] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1050.178474] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1050.187864] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1050.196615] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1050.204961] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.211962] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.219466] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1050.229526] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1050.236080] 8021q: adding VLAN 0 to HW filter on device team0
[ 1050.244997] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1050.252614] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.259003] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.268926] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1050.277149] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.283517] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.304382] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1050.312116] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1050.320229] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1050.330671] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1050.341514] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1050.347727] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1050.355221] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1050.362280] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1050.375736] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1050.383887] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1050.390551] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1050.401997] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1050.415760] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1050.425793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1050.459770] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1050.467387] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1050.474579] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1050.483842] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1050.491203] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1050.498645] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1050.507236] device veth0_vlan entered promiscuous mode
[ 1050.516826] device veth1_vlan entered promiscuous mode
[ 1050.522605] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1050.531656] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1050.542592] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1050.552126] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1050.560216] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1050.567900] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1050.577157] device veth0_macvtap entered promiscuous mode
[ 1050.583694] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1050.592182] device veth1_macvtap entered promiscuous mode
[ 1050.601361] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1050.610580] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1050.620765] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1050.627769] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1050.636172] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1050.646153] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1050.653343] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1051.643661] Bluetooth: hci0: command 0x0409 tx timeout
2020/09/01 04:25:29 executed programs: 154
[ 1053.722723] Bluetooth: hci0: command 0x041b tx timeout
[ 1055.114946] ==================================================================
[ 1055.122574] BUG: KASAN: double-free or invalid-free in vcs_release+0x49/0x60
[ 1055.129750]
[ 1055.131359] CPU: 1 PID: 7729 Comm: syz-executor.0 Not tainted 4.19.142-syzkaller #0
[ 1055.139308] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1055.148638] Call Trace:
[ 1055.151269] dump_stack+0x1fc/0x2fe
[ 1055.154924] ? vt_ioctl.cold+0x57/0x57
[ 1055.158827] print_address_description.cold+0x54/0x219
[ 1055.164109] ? vcs_release+0x49/0x60
[ 1055.167812] ? vt_ioctl.cold+0x57/0x57
[ 1055.171687] kasan_report_invalid_free+0x61/0xa0
[ 1055.176429] ? vcs_release+0x49/0x60
[ 1055.180122] __kasan_slab_free+0x1d0/0x1f0
[ 1055.184338] ? lock_downgrade+0x720/0x720
[ 1055.188465] ? lock_acquire+0x170/0x3c0
[ 1055.192419] ? __ww_mutex_wound+0x1c0/0x1c0
[ 1055.196766] ? check_preemption_disabled+0x41/0x280
[ 1055.201760] ? check_preemption_disabled+0x41/0x280
[ 1055.206796] ? mark_held_locks+0xf0/0xf0
[ 1055.210916] ? osq_unlock+0x26/0x1e0
[ 1055.214616] ? debug_check_no_obj_freed+0x201/0x482
[ 1055.219615] ? lock_downgrade+0x720/0x720
[ 1055.223742] ? lock_acquire+0x170/0x3c0
[ 1055.227696] ? debug_check_no_obj_freed+0xb5/0x482
[ 1055.232607] ? trace_hardirqs_off+0x64/0x200
[ 1055.237060] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1055.242196] ? debug_check_no_obj_freed+0x201/0x482
[ 1055.247214] ? vcs_release+0x49/0x60
[ 1055.250908] kfree+0xcc/0x210
[ 1055.253995] vcs_release+0x49/0x60
[ 1055.257514] __fput+0x2ce/0x890
[ 1055.260770] task_work_run+0x148/0x1c0
[ 1055.264639] exit_to_usermode_loop+0x251/0x2a0
[ 1055.269203] do_syscall_64+0x538/0x620
[ 1055.273073] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1055.278240] RIP: 0033:0x45d5b9
[ 1055.281411] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1055.300537] RSP: 002b:00007f86f54fcc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 1055.308224] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 1055.315473] RDX: 0000000000000005 RSI: 0000000000000001 RDI: 0000000000000006
[ 1055.322722] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 1055.329970] R10: 0000000020000040 R11: 0000000000000246 R12: 000000000118cf4c
[ 1055.337221] R13: 00007ffd98115d4f R14: 00007f86f54fd9c0 R15: 000000000118cf4c
[ 1055.344472]
[ 1055.346076] Allocated by task 7730:
[ 1055.349681] kmem_cache_alloc_trace+0x12f/0x380
[ 1055.354327] vcs_poll_data_get.part.0+0x43/0x230
[ 1055.359065] vcs_poll+0x100/0x130
[ 1055.362516] ep_item_poll+0x14a/0x3e0
[ 1055.366295] __se_sys_epoll_ctl+0xc45/0x2d80
[ 1055.370677] do_syscall_64+0xf9/0x620
[ 1055.374459] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1055.379616]
[ 1055.381229] Freed by task 7728:
[ 1055.384586] kfree+0xcc/0x210
[ 1055.387763] vcs_release+0x49/0x60
[ 1055.391276] __fput+0x2ce/0x890
[ 1055.394534] task_work_run+0x148/0x1c0
[ 1055.398412] exit_to_usermode_loop+0x251/0x2a0
[ 1055.402970] do_syscall_64+0x538/0x620
[ 1055.406846] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1055.412028]
[ 1055.413646] The buggy address belongs to the object at ffff88809e494780
[ 1055.413646]  which belongs to the cache kmalloc-128 of size 128
[ 1055.426276] The buggy address is located 0 bytes inside of
[ 1055.426276]  128-byte region [ffff88809e494780, ffff88809e494800)
[ 1055.437959] The buggy address belongs to the page:
[ 1055.442865] page:ffffea0002792500 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 1055.450990] flags: 0xfffe0000000100(slab)
[ 1055.455116] raw: 00fffe0000000100 ffffea0002a11648 ffffea00028f9508 ffff88812c39c640
[ 1055.462984] raw: 0000000000000000 ffff88809e494000 0000000100000015 0000000000000000
[ 1055.470837] page dumped because: kasan: bad access detected
[ 1055.476516]
[ 1055.478117] Memory state around the buggy address:
[ 1055.483021]  ffff88809e494680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 1055.490353]  ffff88809e494700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 1055.497688] >ffff88809e494780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1055.505127]                    ^
[ 1055.508477]  ffff88809e494800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1055.515811]  ffff88809e494880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1055.523148] ==================================================================
[ 1055.530477] Disabling lock debugging due to kernel taint
[ 1055.535898] Kernel panic - not syncing: panic_on_warn set ...
[ 1055.535898]
[ 1055.543239] CPU: 1 PID: 7729 Comm: syz-executor.0 Tainted: G B 4.19.142-syzkaller #0
[ 1055.552406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1055.561729] Call Trace:
[ 1055.564306] dump_stack+0x1fc/0x2fe
[ 1055.567910] panic+0x26a/0x50e
[ 1055.571080] ? __warn_printk+0xf3/0xf3
[ 1055.574945] ? lock_downgrade+0x720/0x720
[ 1055.579068] ? print_shadow_for_address+0xb8/0x114
[ 1055.583972] ? trace_hardirqs_off+0x64/0x200
[ 1055.588356] ? vcs_release+0x49/0x60
[ 1055.592043] ? vt_ioctl.cold+0x57/0x57
[ 1055.596011] kasan_end_report+0x43/0x49
[ 1055.599960] kasan_report_invalid_free+0x7d/0xa0
[ 1055.604704] ? vcs_release+0x49/0x60
[ 1055.608403] __kasan_slab_free+0x1d0/0x1f0
[ 1055.612616] ? lock_downgrade+0x720/0x720
[ 1055.616739] ? lock_acquire+0x170/0x3c0
[ 1055.620685] ? __ww_mutex_wound+0x1c0/0x1c0
[ 1055.624983] ? check_preemption_disabled+0x41/0x280
[ 1055.629974] ? check_preemption_disabled+0x41/0x280
[ 1055.634964] ? mark_held_locks+0xf0/0xf0
[ 1055.639000] ? osq_unlock+0x26/0x1e0
[ 1055.642702] ? debug_check_no_obj_freed+0x201/0x482
[ 1055.647702] ? lock_downgrade+0x720/0x720
[ 1055.651826] ? lock_acquire+0x170/0x3c0
[ 1055.655776] ? debug_check_no_obj_freed+0xb5/0x482
[ 1055.660680] ? trace_hardirqs_off+0x64/0x200
[ 1055.665068] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1055.670147] ? debug_check_no_obj_freed+0x201/0x482
[ 1055.675144] ? vcs_release+0x49/0x60
[ 1055.678834] kfree+0xcc/0x210
[ 1055.681913] vcs_release+0x49/0x60
[ 1055.685426] __fput+0x2ce/0x890
[ 1055.688696] task_work_run+0x148/0x1c0
[ 1055.692564] exit_to_usermode_loop+0x251/0x2a0
[ 1055.697123] do_syscall_64+0x538/0x620
[ 1055.700998] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1055.706169] RIP: 0033:0x45d5b9
[ 1055.709337] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1055.728213] RSP: 002b:00007f86f54fcc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 1055.735897] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 1055.743156] RDX: 0000000000000005 RSI: 0000000000000001 RDI: 0000000000000006
[ 1055.750401] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 1055.757646] R10: 0000000020000040 R11: 0000000000000246 R12: 000000000118cf4c
[ 1055.764891] R13: 00007ffd98115d4f R14: 00007f86f54fd9c0 R15: 000000000118cf4c
[ 1055.773485] Kernel Offset: disabled
[ 1055.777101] Rebooting in 86400 seconds..