Warning: Permanently added '10.128.0.92' (ECDSA) to the list of known hosts.
syzkaller login: [   49.236701] kauditd_printk_skb: 5 callbacks suppressed
[   49.236719] audit: type=1400 audit(1559763563.307:36): avc: denied { map } for pid=7882 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/05 19:39:24 parsed 1 programs
[   50.056870] audit: type=1400 audit(1559763564.127:37): avc: denied { map } for pid=7882 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14947 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/05 19:39:25 executed programs: 0
[   51.929332] IPVS: ftp: loaded support on port[0] = 21
[   51.992368] chnl_net:caif_netlink_parms(): no params data found
[   52.025885] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.032573] bridge0: port 1(bridge_slave_0) entered disabled state
[   52.039733] device bridge_slave_0 entered promiscuous mode
[   52.047033] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.053513] bridge0: port 2(bridge_slave_1) entered disabled state
[   52.060598] device bridge_slave_1 entered promiscuous mode
[   52.076438] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   52.085973] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   52.103191] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   52.111034] team0: Port device team_slave_0 added
[   52.116415] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   52.124343] team0: Port device team_slave_1 added
[   52.129712] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   52.136932] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   52.190341] device hsr_slave_0 entered promiscuous mode
[   52.258091] device hsr_slave_1 entered promiscuous mode
[   52.328702] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   52.335625] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   52.349608] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.355998] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.362882] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.369274] bridge0: port 1(bridge_slave_0) entered forwarding state
[   52.402457] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   52.408817] 8021q: adding VLAN 0 to HW filter on device bond0
[   52.416780] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   52.425616] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   52.444974] bridge0: port 1(bridge_slave_0) entered disabled state
[   52.452949] bridge0: port 2(bridge_slave_1) entered disabled state
[   52.460826] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   52.471218] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   52.477296] 8021q: adding VLAN 0 to HW filter on device team0
[   52.487309] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   52.495205] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.501584] bridge0: port 1(bridge_slave_0) entered forwarding state
[   52.518438] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   52.526050] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.532474] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.542805] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   52.551702] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   52.561361] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   52.575679] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   52.586244] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   52.597370] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   52.604347] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   52.612532] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   52.620230] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   52.633402] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[   52.643557] 8021q: adding VLAN 0 to HW filter on device batadv0
[   52.654798] audit: type=1400 audit(1559763566.737:38): avc: denied { associate } for pid=7899 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[   52.744952] ==================================================================
[   52.752409] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[   52.758893] Read of size 8 at addr ffff888094f2eea0 by task syz-executor.0/7912
[   52.766318]
[   52.767935] CPU: 0 PID: 7912 Comm: syz-executor.0 Not tainted 4.19.48 #20
[   52.774861] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.784203] Call Trace:
[   52.786781]  dump_stack+0x172/0x1f0
[   52.790417]  ? __list_add_valid+0x9a/0xa0
[   52.794581]  print_address_description.cold+0x7c/0x20d
[   52.799861]  ? __list_add_valid+0x9a/0xa0
[   52.804010]  kasan_report.cold+0x8c/0x2ba
[   52.808151]  __asan_report_load8_noabort+0x14/0x20
[   52.813075]  __list_add_valid+0x9a/0xa0
[   52.817049]  rdma_listen+0x63b/0x8e0
[   52.820756]  ucma_listen+0x14d/0x1c0
[   52.824466]  ? ucma_notify+0x190/0x190
[   52.828358]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   52.833892]  ? _copy_from_user+0xdd/0x150
[   52.838045]  ucma_write+0x2d7/0x3c0
[   52.841676]  ? ucma_notify+0x190/0x190
[   52.845551]  ? ucma_open+0x290/0x290
[   52.849261]  __vfs_write+0x114/0x810
[   52.852993]  ? ucma_open+0x290/0x290
[   52.856700]  ? kernel_read+0x120/0x120
[   52.860581]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   52.866911]  ? __inode_security_revalidate+0xda/0x120
[   52.872095]  ? avc_policy_seqno+0xd/0x70
[   52.876146]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   52.881161]  ? selinux_file_permission+0x92/0x550
[   52.886017]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.891543]  ? security_file_permission+0x89/0x230
[   52.896462]  ? rw_verify_area+0x118/0x360
[   52.900599]  vfs_write+0x20c/0x560
[   52.904132]  ksys_write+0x14f/0x2d0
[   52.907752]  ? __ia32_sys_read+0xb0/0xb0
[   52.911807]  ? do_syscall_64+0x26/0x620
[   52.915769]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.921122]  ? do_syscall_64+0x26/0x620
[   52.925091]  __x64_sys_write+0x73/0xb0
[   52.928972]  do_syscall_64+0xfd/0x620
[   52.932774]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.937953] RIP: 0033:0x459279
[   52.941135] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   52.960130] RSP: 002b:00007f330f4dac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   52.967838] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
[   52.975108] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
[   52.982380] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[   52.989653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f330f4db6d4
[   52.996914] R13: 00000000004c8ca5 R14: 00000000004df850 R15: 00000000ffffffff
[   53.004192]
[   53.005812] Allocated by task 7906:
[   53.009454]  save_stack+0x45/0xd0
[   53.012917]  kasan_kmalloc+0xce/0xf0
[   53.016636]  kmem_cache_alloc_trace+0x152/0x760
[   53.021295]  __rdma_create_id+0x5e/0x610
[   53.025346]  ucma_create_id+0x1de/0x640
[   53.029317]  ucma_write+0x2d7/0x3c0
[   53.032950]  __vfs_write+0x114/0x810
[   53.036651]  vfs_write+0x20c/0x560
[   53.040177]  ksys_write+0x14f/0x2d0
[   53.043808]  __x64_sys_write+0x73/0xb0
[   53.047685]  do_syscall_64+0xfd/0x620
[   53.051486]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.056671]
[   53.058295] Freed by task 7905:
[   53.061581]  save_stack+0x45/0xd0
[   53.065026]  __kasan_slab_free+0x102/0x150
[   53.069279]  kasan_slab_free+0xe/0x10
[   53.073067]  kfree+0xcf/0x220
[   53.076175]  rdma_destroy_id+0x729/0xab0
[   53.080236]  ucma_close+0x115/0x320
[   53.083848]  __fput+0x2dd/0x8b0
[   53.087117]  ____fput+0x16/0x20
[   53.090404]  task_work_run+0x145/0x1c0
[   53.094282]  exit_to_usermode_loop+0x273/0x2c0
[   53.098857]  do_syscall_64+0x53d/0x620
[   53.102746]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.107958]
[   53.109594] The buggy address belongs to the object at ffff888094f2ecc0
[   53.109594]  which belongs to the cache kmalloc-2048 of size 2048
[   53.122522] The buggy address is located 480 bytes inside of
[   53.122522]  2048-byte region [ffff888094f2ecc0, ffff888094f2f4c0)
[   53.134505] The buggy address belongs to the page:
[   53.139439] page:ffffea000253cb80 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0
[   53.149434] flags: 0x1fffc0000008100(slab|head)
[   53.154105] raw: 01fffc0000008100 ffffea0002509e88 ffffea000255a988 ffff88812c3f0c40
[   53.161976] raw: 0000000000000000 ffff888094f2e440 0000000100000003 0000000000000000
[   53.169845] page dumped because: kasan: bad access detected
[   53.175537]
[   53.177152] Memory state around the buggy address:
[   53.182067]  ffff888094f2ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.189413]  ffff888094f2ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.196759] >ffff888094f2ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.204102]                                ^
[   53.208500]  ffff888094f2ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.215853]  ffff888094f2ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.223195] ==================================================================
[   53.230535] Disabling lock debugging due to kernel taint
[   53.241067] Kernel panic - not syncing: panic_on_warn set ...
[   53.241067]
[   53.248481] CPU: 1 PID: 7912 Comm: syz-executor.0 Tainted: G    B             4.19.48 #20
[   53.256795] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.266132] Call Trace:
[   53.268713]  dump_stack+0x172/0x1f0
[   53.272326]  ? __list_add_valid+0x9a/0xa0
[   53.276480]  panic+0x263/0x507
[   53.279669]  ? __warn_printk+0xf3/0xf3
[   53.283540]  ? __list_add_valid+0x9a/0xa0
[   53.287676]  ? preempt_schedule+0x4b/0x60
[   53.291812]  ? ___preempt_schedule+0x16/0x18
[   53.296211]  ? trace_hardirqs_on+0x5e/0x220
[   53.300517]  ? __list_add_valid+0x9a/0xa0
[   53.304674]  kasan_end_report+0x47/0x4f
[   53.308640]  kasan_report.cold+0xa9/0x2ba
[   53.312777]  __asan_report_load8_noabort+0x14/0x20
[   53.317687]  __list_add_valid+0x9a/0xa0
[   53.321648]  rdma_listen+0x63b/0x8e0
[   53.325348]  ucma_listen+0x14d/0x1c0
[   53.329049]  ? ucma_notify+0x190/0x190
[   53.332973]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.338517]  ? _copy_from_user+0xdd/0x150
[   53.342653]  ucma_write+0x2d7/0x3c0
[   53.346262]  ? ucma_notify+0x190/0x190
[   53.350134]  ? ucma_open+0x290/0x290
[   53.353836]  __vfs_write+0x114/0x810
[   53.357533]  ? ucma_open+0x290/0x290
[   53.361229]  ? kernel_read+0x120/0x120
[   53.365104]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   53.370800]  ? __inode_security_revalidate+0xda/0x120
[   53.375973]  ? avc_policy_seqno+0xd/0x70
[   53.380021]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   53.385050]  ? selinux_file_permission+0x92/0x550
[   53.389881]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.395437]  ? security_file_permission+0x89/0x230
[   53.400375]  ? rw_verify_area+0x118/0x360
[   53.404508]  vfs_write+0x20c/0x560
[   53.408034]  ksys_write+0x14f/0x2d0
[   53.411646]  ? __ia32_sys_read+0xb0/0xb0
[   53.415696]  ? do_syscall_64+0x26/0x620
[   53.419659]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.425006]  ? do_syscall_64+0x26/0x620
[   53.428967]  __x64_sys_write+0x73/0xb0
[   53.432865]  do_syscall_64+0xfd/0x620
[   53.436656]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.441830] RIP: 0033:0x459279
[   53.445011] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   53.463896] RSP: 002b:00007f330f4dac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   53.471588] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
[   53.478842] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
[   53.486094] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[   53.493348] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f330f4db6d4
[   53.500603] R13: 00000000004c8ca5 R14: 00000000004df850 R15: 00000000ffffffff
[   53.508888] Kernel Offset: disabled
[   53.512516] Rebooting in 86400 seconds..
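Reading a report like the one above by hand means checking three things: that the faulting address really lies inside the slab object KASAN names (here 480 bytes into a kmalloc-2048 object), which tasks allocated, freed and then touched that object, and which backtrace frames are real (frames prefixed with "?" are addresses the unwinder found on the stack but could not confirm are part of the call chain). The Python script below is an added example for doing those checks mechanically; it is not syzkaller's or the kernel's own tooling. Its input is a constructed sample made of the report lines above with the console timestamps stripped, the frame-filter list and the wording of the verdict are my own choices, and it recomputes the offset from the raw addresses instead of trusting the "located N bytes inside" line, then flags that the object allocated in ucma_create_id (task 7906) was freed in ucma_close by task 7905 but used in ucma_listen by task 7912, i.e. a lifetime shared across tasks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the informative report lines from above, timestamps removed.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
Read of size 8 at addr ffff888094f2eea0 by task syz-executor.0/7912
Call Trace:
 ? __list_add_valid+0x9a/0xa0
 __asan_report_load8_noabort+0x14/0x20
 __list_add_valid+0x9a/0xa0
 rdma_listen+0x63b/0x8e0
 ucma_listen+0x14d/0x1c0
 ucma_write+0x2d7/0x3c0
Allocated by task 7906:
 ucma_create_id+0x1de/0x640
Freed by task 7905:
 rdma_destroy_id+0x729/0xab0
 ucma_close+0x115/0x320
The buggy address belongs to the object at ffff888094f2ecc0
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 480 bytes inside of
 2048-byte region [ffff888094f2ecc0, ffff888094f2f4c0)
"""

# Frames emitted by KASAN/dump_stack itself rather than by the buggy code path.
_MACHINERY = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_")
_PATTERNS = {
    "head": r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x",
    "access": r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+?/(\d+)",
    "object": r"object at ([0-9a-f]+)\n\s*which belongs to the cache (\S+) of size (\d+)",
    "alloc": r"Allocated by task (\d+):",
    "free": r"Freed by task (\d+):",
    "claimed": r"located (\d+) bytes inside of",
}


@dataclass
class KasanReport:
    bug_type: str      # "use-after-free", "slab-out-of-bounds", ...
    site: str          # function in which the bad access happened
    access: str        # "Read" or "Write"
    size: int
    addr: int
    user_pid: int      # task that performed the bad access
    obj_base: int
    cache: str
    obj_size: int
    alloc_pid: Optional[int]
    free_pid: Optional[int]
    claimed_offset: Optional[int]  # the report's own "located N bytes inside" figure

    @property
    def offset(self) -> int:
        return self.addr - self.obj_base  # recomputed, not copied from the report

    def consistent(self) -> bool:
        # Whole access inside the object (a UAF, not out-of-bounds) and stated offset agrees.
        inside = 0 <= self.offset and self.offset + self.size <= self.obj_size
        return inside and (self.claimed_offset is None or self.claimed_offset == self.offset)

    def is_cross_task_uaf(self) -> bool:
        # Freed by one task, used by another: lifetime shared across tasks without refcount/locking.
        return (self.bug_type == "use-after-free" and self.free_pid is not None
                and self.free_pid != self.user_pid)


def parse_kasan_report(text: str) -> KasanReport:
    m = {k: re.search(p, text) for k, p in _PATTERNS.items()}
    if not (m["head"] and m["access"] and m["object"]):
        raise ValueError("not a complete KASAN slab report")
    opt = lambda k: int(m[k].group(1)) if m[k] else None  # optional integer fields
    return KasanReport(
        bug_type=m["head"].group(1), site=m["head"].group(2),
        access=m["access"].group(1), size=int(m["access"].group(2)),
        addr=int(m["access"].group(3), 16), user_pid=int(m["access"].group(4)),
        obj_base=int(m["object"].group(1), 16), cache=m["object"].group(2),
        obj_size=int(m["object"].group(3)), alloc_pid=opt("alloc"),
        free_pid=opt("free"), claimed_offset=opt("claimed"))


def call_trace(text: str) -> List[str]:
    """Frames of the access stack, innermost first, minus '?' guesses and KASAN machinery."""
    frames = []
    for line in text.split("Call Trace:", 1)[1].splitlines()[1:]:
        f = re.match(r"\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+", line)
        if not f:
            break  # first non-frame line ends the trace block
        if not f.group(1) and not f.group(2).startswith(_MACHINERY):
            frames.append(f.group(2))
    return frames


def summarize(r: KasanReport, path: List[str]) -> str:
    race = "likely a lifetime race" if r.is_cross_task_uaf() else "same-task reuse"
    return (f"{r.bug_type}: {r.access} of {r.size} bytes at {r.cache}+{r.offset} in "
            f"{' <- '.join(path[:4])} (alloc {r.alloc_pid}/free {r.free_pid}/use {r.user_pid}: {race})")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT), call_trace(SAMPLE_REPORT)))
```

To run it on a real console log, strip the "[ seconds ]" prefixes first, as the sample does: the frame and object patterns are anchored on the start of each line, so with the prefixes left in place the trace comes back empty and the object line is not found. The frame filter deliberately keeps only frames without a "?", so the path it reports is the one the unwinder actually verified.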