Warning: Permanently added '10.128.1.57' (ECDSA) to the list of known hosts.
2019/12/04 18:28:20 parsed 1 programs
syzkaller login: [ 47.382832] kauditd_printk_skb: 2 callbacks suppressed
[ 47.382846] audit: type=1400 audit(1575484100.252:36): avc: denied { map } for pid=7733 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 49.067017] audit: type=1400 audit(1575484101.932:37): avc: denied { map } for pid=7733 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17102 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/12/04 18:28:22 executed programs: 0
[ 49.246216] IPVS: ftp: loaded support on port[0] = 21
[ 49.306476] chnl_net:caif_netlink_parms(): no params data found
[ 49.340096] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.346789] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.354208] device bridge_slave_0 entered promiscuous mode
[ 49.361762] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.368342] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.375986] device bridge_slave_1 entered promiscuous mode
[ 49.391823] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 49.401029] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 49.417433] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 49.425126] team0: Port device team_slave_0 added
[ 49.430839] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 49.437987] team0: Port device team_slave_1 added
[ 49.443636] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 49.451381] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 49.501662] device hsr_slave_0 entered promiscuous mode
[ 49.569198] device hsr_slave_1 entered promiscuous mode
[ 49.609566] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 49.616693] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 49.632850] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.639417] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.646331] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.652735] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.685204] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 49.692416] 8021q: adding VLAN 0 to HW filter on device bond0
[ 49.700720] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 49.711040] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.730163] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.737546] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.745455] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 49.755409] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 49.762152] 8021q: adding VLAN 0 to HW filter on device team0
[ 49.772061] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.780067] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.786518] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.795974] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.803882] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.810314] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.826371] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 49.834386] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 49.844155] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 49.856021] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 49.866184] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.876172] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 49.882516] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 49.896174] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 49.903746] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 49.910667] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 49.922283] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.933778] audit: type=1400 audit(1575484102.802:38): avc: denied { associate } for pid=7749 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 50.787644] ==================================================================
[ 50.787675] BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0
[ 50.787683] Read of size 2 at addr ffff8880857c63c0 by task syz-executor.0/7758
[ 50.787684]
[ 50.787694] CPU: 0 PID: 7758 Comm: syz-executor.0 Not tainted 4.19.87-syzkaller #0
[ 50.787699] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.787702] Call Trace:
[ 50.787714] dump_stack+0x197/0x210
[ 50.787724] ? vcs_scr_readw+0xc2/0xd0
[ 50.787735] print_address_description.cold+0x7c/0x20d
[ 50.787744] ? vcs_scr_readw+0xc2/0xd0
[ 50.787752] kasan_report.cold+0x8c/0x2ba
[ 50.787763] __asan_report_load2_noabort+0x14/0x20
[ 50.787771] vcs_scr_readw+0xc2/0xd0
[ 50.787780] vcs_write+0x646/0xcf0
[ 50.787795] ? vcs_size+0x240/0x240
[ 50.787811] __vfs_write+0x114/0x810
[ 50.787819] ? vcs_size+0x240/0x240
[ 50.787827] ? kernel_read+0x120/0x120
[ 50.787837] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 50.787846] ? __inode_security_revalidate+0xda/0x120
[ 50.787856] ? avc_policy_seqno+0xd/0x70
[ 50.787863] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 50.787872] ? selinux_file_permission+0x92/0x550
[ 50.787882] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.787889] ? security_file_permission+0x89/0x230
[ 50.787899] ? rw_verify_area+0x118/0x360
[ 50.787908] vfs_write+0x20c/0x560
[ 50.787918] ksys_write+0x14f/0x2d0
[ 50.787928] ? __ia32_sys_read+0xb0/0xb0
[ 50.787939] ? do_syscall_64+0x26/0x620
[ 50.787948] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.787955] ? do_syscall_64+0x26/0x620
[ 50.787965] __x64_sys_write+0x73/0xb0
[ 50.787974] do_syscall_64+0xfd/0x620
[ 50.787984] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.787991] RIP: 0033:0x45a679
[ 50.787999] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 50.788004] RSP: 002b:00007fbafbf8bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 50.788011] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 50.788016] RDX: 00000000ffffff78 RSI: 00000000200000c0 RDI: 0000000000000004
[ 50.788021] RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
[ 50.788025] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbafbf8c6d4
[ 50.788030] R13: 00000000004cba69 R14: 00000000004e5670 R15: 00000000ffffffff
[ 50.788040]
[ 50.788045] Allocated by task 7709:
[ 50.788053] save_stack+0x45/0xd0
[ 50.788060] kasan_kmalloc+0xce/0xf0
[ 50.788066] __kmalloc+0x15d/0x750
[ 50.788073] vc_allocate+0x3f5/0x760
[ 50.788079] con_install+0x52/0x410
[ 50.788085] tty_init_dev+0xf7/0x460
[ 50.788090] tty_open+0x4bf/0xb70
[ 50.788097] chrdev_open+0x245/0x6b0
[ 50.788103] do_dentry_open+0x4c3/0x1210
[ 50.788109] vfs_open+0xa0/0xd0
[ 50.788117] path_openat+0x10d7/0x45e0
[ 50.788123] do_filp_open+0x1a1/0x280
[ 50.788129] do_sys_open+0x3fe/0x550
[ 50.788135] __x64_sys_open+0x7e/0xc0
[ 50.788142] do_syscall_64+0xfd/0x620
[ 50.788148] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.788151]
[ 50.788154] Freed by task 0:
[ 50.788156] (stack is not available)
[ 50.788158]
[ 50.788163] The buggy address belongs to the object at ffff8880857c5100
[ 50.788163]  which belongs to the cache kmalloc-8192 of size 8192
[ 50.788170] The buggy address is located 4800 bytes inside of
[ 50.788170]  8192-byte region [ffff8880857c5100, ffff8880857c7100)
[ 50.788172] The buggy address belongs to the page:
[ 50.788179] page:ffffea000215f100 count:1 mapcount:0 mapping:ffff88812c315080 index:0x0 compound_mapcount: 0
[ 50.788188] flags: 0xfffe0000008100(slab|head)
[ 50.788199] raw: 00fffe0000008100 ffffea0002151508 ffffea00021b8108 ffff88812c315080
[ 50.788207] raw: 0000000000000000 ffff8880857c5100 0000000100000001 0000000000000000
[ 50.788211] page dumped because: kasan: bad access detected
[ 50.788213]
[ 50.788215] Memory state around the buggy address:
[ 50.788221]  ffff8880857c6280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.788227]  ffff8880857c6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.788233] >ffff8880857c6380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 50.788236]                                            ^
[ 50.788241]  ffff8880857c6400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.788247]  ffff8880857c6480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.788250] ==================================================================
[ 50.788252] Disabling lock debugging due to kernel taint
[ 50.788256] Kernel panic - not syncing: panic_on_warn set ...
[ 50.788256]
[ 50.788264] CPU: 0 PID: 7758 Comm: syz-executor.0 Tainted: G B 4.19.87-syzkaller #0
[ 50.788268] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.788270] Call Trace:
[ 50.788277] dump_stack+0x197/0x210
[ 50.788285] ? vcs_scr_readw+0xc2/0xd0
[ 50.788292] panic+0x26a/0x50e
[ 50.788298] ? __warn_printk+0xf3/0xf3
[ 50.788308] ? lock_downgrade+0x880/0x880
[ 50.788323] ? trace_hardirqs_on+0x67/0x220
[ 50.788330] ? trace_hardirqs_on+0x5e/0x220
[ 50.788338] ? vcs_scr_readw+0xc2/0xd0
[ 50.788345] kasan_end_report+0x47/0x4f
[ 50.788352] kasan_report.cold+0xa9/0x2ba
[ 50.788361] __asan_report_load2_noabort+0x14/0x20
[ 50.788368] vcs_scr_readw+0xc2/0xd0
[ 50.788375] vcs_write+0x646/0xcf0
[ 50.788385] ? vcs_size+0x240/0x240
[ 50.788396] __vfs_write+0x114/0x810
[ 50.788403] ? vcs_size+0x240/0x240
[ 50.788410] ? kernel_read+0x120/0x120
[ 50.788417] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 50.788424] ? __inode_security_revalidate+0xda/0x120
[ 50.788431] ? avc_policy_seqno+0xd/0x70
[ 50.788438] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 50.788445] ? selinux_file_permission+0x92/0x550
[ 50.788453] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.788460] ? security_file_permission+0x89/0x230
[ 50.788467] ? rw_verify_area+0x118/0x360
[ 50.788475] vfs_write+0x20c/0x560
[ 50.788483] ksys_write+0x14f/0x2d0
[ 50.788491] ? __ia32_sys_read+0xb0/0xb0
[ 50.788498] ? do_syscall_64+0x26/0x620
[ 50.788505] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.788512] ? do_syscall_64+0x26/0x620
[ 50.788521] __x64_sys_write+0x73/0xb0
[ 50.788528] do_syscall_64+0xfd/0x620
[ 50.788537] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.788542] RIP: 0033:0x45a679
[ 50.788548] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 50.788552] RSP: 002b:00007fbafbf8bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 50.788558] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 50.788562] RDX: 00000000ffffff78 RSI: 00000000200000c0 RDI: 0000000000000004
[ 50.788566] RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
[ 50.788570] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbafbf8c6d4
[ 50.788575] R13: 00000000004cba69 R14: 00000000004e5670 R15: 00000000ffffffff
[ 50.789914] Kernel Offset: disabled
[ 51.465562] Rebooting in 86400 seconds..