Warning: Permanently added '10.128.0.111' (ECDSA) to the list of known hosts.
2020/04/13 02:36:16 parsed 1 programs
2020/04/13 02:36:18 executed programs: 0
syzkaller login: [ 43.904284] audit: type=1400 audit(1586745378.598:8): avc: denied { execmem } for pid=6468 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 43.941062] IPVS: ftp: loaded support on port[0] = 21
[ 44.031013] chnl_net:caif_netlink_parms(): no params data found
[ 44.118173] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.124795] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.133054] device bridge_slave_0 entered promiscuous mode
[ 44.141353] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.148286] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.155335] device bridge_slave_1 entered promiscuous mode
[ 44.175320] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 44.184640] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 44.205190] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 44.212914] team0: Port device team_slave_0 added
[ 44.219912] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 44.228335] team0: Port device team_slave_1 added
[ 44.245010] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 44.251350] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 44.277522] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 44.289593] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 44.295844] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 44.322930] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 44.334195] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 44.342383] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 44.398911] device hsr_slave_0 entered promiscuous mode
[ 44.456452] device hsr_slave_1 entered promiscuous mode
[ 44.497081] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 44.504358] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 44.580612] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.587232] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.594083] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.600527] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.635634] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 44.642824] 8021q: adding VLAN 0 to HW filter on device bond0
[ 44.652372] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 44.662011] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.670897] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.678652] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.685777] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 44.697723] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 44.703946] 8021q: adding VLAN 0 to HW filter on device team0
[ 44.714136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 44.722326] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.728888] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.746736] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 44.754658] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.761127] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.775989] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 44.783749] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 44.795265] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 44.811139] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 44.821560] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 44.832996] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 44.840004] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 44.849498] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 44.857666] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 44.872115] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 44.880038] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 44.887740] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 44.899968] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 44.912714] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 44.923173] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 44.958384] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 44.965598] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 44.974213] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 44.985285] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 44.993524] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 45.001163] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 45.011237] device veth0_vlan entered promiscuous mode
[ 45.021924] device veth1_vlan entered promiscuous mode
[ 45.036510] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 45.046260] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 45.053253] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 45.062793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 45.073230] device veth0_macvtap entered promiscuous mode
[ 45.081796] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 45.091253] device veth1_macvtap entered promiscuous mode
[ 45.099384] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 45.108846] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 45.120156] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 45.130605] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 45.138885] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 45.146633] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 45.154013] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 45.162790] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 45.171115] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 45.183112] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 45.190314] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 45.197403] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 45.205234] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 45.457959] ==================================================================
[ 45.465534] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 45.472187] Read of size 8 at addr ffff88808acd6460 by task syz-executor.0/6717
[ 45.479687]
[ 45.481395] CPU: 1 PID: 6717 Comm: syz-executor.0 Not tainted 4.19.114-syzkaller #0
[ 45.489281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.498641] Call Trace:
[ 45.501237]  dump_stack+0x188/0x20d
[ 45.504879]  ? __list_add_valid+0x93/0xa0
[ 45.509019]  print_address_description.cold+0x7c/0x212
[ 45.514288]  ? __list_add_valid+0x93/0xa0
[ 45.518440]  kasan_report.cold+0x88/0x2b9
[ 45.522579]  __list_add_valid+0x93/0xa0
[ 45.526565]  rdma_listen+0x609/0x880
[ 45.530270]  ucma_listen+0x14d/0x1c0
[ 45.533971]  ? ucma_notify+0x190/0x190
[ 45.537866]  ? __might_fault+0x192/0x1d0
[ 45.542336]  ? _copy_from_user+0xd2/0x140
[ 45.546485]  ? ucma_notify+0x190/0x190
[ 45.550424]  ucma_write+0x285/0x350
[ 45.554044]  ? ucma_open+0x280/0x280
[ 45.557765]  ? __fget+0x319/0x510
[ 45.561298]  __vfs_write+0xf7/0x760
[ 45.564927]  ? ucma_open+0x280/0x280
[ 45.568637]  ? kernel_read+0x110/0x110
[ 45.572519]  ? __inode_security_revalidate+0xd3/0x120
[ 45.577797]  ? avc_policy_seqno+0x9/0x70
[ 45.581848]  ? selinux_file_permission+0x87/0x520
[ 45.586709]  ? security_file_permission+0x84/0x220
[ 45.591630]  vfs_write+0x206/0x550
[ 45.595181]  ksys_write+0x12b/0x2a0
[ 45.598817]  ? __ia32_sys_read+0xb0/0xb0
[ 45.602890]  ? __ia32_sys_clock_settime+0x260/0x260
[ 45.607918]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 45.612676]  ? trace_hardirqs_off_caller+0x55/0x210
[ 45.617689]  ? do_syscall_64+0x21/0x620
[ 45.621657]  do_syscall_64+0xf9/0x620
[ 45.625461]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.630647] RIP: 0033:0x45c889
[ 45.633824] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 45.653006] RSP: 002b:00007f4439047c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 45.660705] RAX: ffffffffffffffda RBX: 00007f44390486d4 RCX: 000000000045c889
[ 45.667987] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 45.675420] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 45.682697] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 45.689972] R13: 0000000000000cc2 R14: 00000000004ceeb6 R15: 000000000076bf0c
[ 45.697235]
[ 45.698848] Allocated by task 6709:
[ 45.702468]  kasan_kmalloc+0xbf/0xe0
[ 45.706338]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 45.711006]  __rdma_create_id+0x5b/0x630
[ 45.715064]  ucma_create_id+0x1cb/0x5a0
[ 45.719037]  ucma_write+0x285/0x350
[ 45.722658]  __vfs_write+0xf7/0x760
[ 45.726279]  vfs_write+0x206/0x550
[ 45.729814]  ksys_write+0x12b/0x2a0
[ 45.733432]  do_syscall_64+0xf9/0x620
[ 45.737225]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.742535]
[ 45.744156] Freed by task 6708:
[ 45.747509]  __kasan_slab_free+0xf7/0x140
[ 45.751725]  kfree+0xce/0x220
[ 45.754832]  ucma_close+0x10b/0x320
[ 45.758451]  __fput+0x2cd/0x890
[ 45.761722]  task_work_run+0x13f/0x1b0
[ 45.765636]  exit_to_usermode_loop+0x25a/0x2b0
[ 45.770205]  do_syscall_64+0x538/0x620
[ 45.774217]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.779410]
[ 45.781030] The buggy address belongs to the object at ffff88808acd6280
[ 45.781030]  which belongs to the cache kmalloc-2048 of size 2048
[ 45.794988] The buggy address is located 480 bytes inside of
[ 45.794988]  2048-byte region [ffff88808acd6280, ffff88808acd6a80)
[ 45.807548] The buggy address belongs to the page:
[ 45.812476] page:ffffea00022b3580 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 45.822546] flags: 0xfffe0000008100(slab|head)
[ 45.827118] raw: 00fffe0000008100 ffffea0002118088 ffffea0002212b08 ffff88812c3dcc40
[ 45.835031] raw: 0000000000000000 ffff88808acd6280 0000000100000003 0000000000000000
[ 45.842920] page dumped because: kasan: bad access detected
[ 45.848633]
[ 45.850267] Memory state around the buggy address:
[ 45.855183]  ffff88808acd6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.862566]  ffff88808acd6380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.869927] >ffff88808acd6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.877269]                                                        ^
[ 45.883775]  ffff88808acd6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.891187]  ffff88808acd6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.898536] ==================================================================
[ 45.906016] Disabling lock debugging due to kernel taint
[ 45.916550] Kernel panic - not syncing: panic_on_warn set ...
[ 45.916550]
[ 45.923980] CPU: 1 PID: 6717 Comm: syz-executor.0 Tainted: G B 4.19.114-syzkaller #0
[ 45.933165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.942565] Call Trace:
[ 45.945202]  dump_stack+0x188/0x20d
[ 45.948859]  panic+0x26a/0x50e
[ 45.952063]  ? __warn_printk+0xf3/0xf3
[ 45.956041]  ? preempt_schedule_common+0x4a/0xc0
[ 45.960903]  ? __list_add_valid+0x93/0xa0
[ 45.965187]  ? ___preempt_schedule+0x16/0x18
[ 45.969709]  ? trace_hardirqs_on+0x55/0x210
[ 45.974146]  ? __list_add_valid+0x93/0xa0
[ 45.978354]  kasan_end_report+0x43/0x49
[ 45.982460]  kasan_report.cold+0xa4/0x2b9
[ 45.986597]  __list_add_valid+0x93/0xa0
[ 45.990698]  rdma_listen+0x609/0x880
[ 45.994422]  ucma_listen+0x14d/0x1c0
[ 45.998133]  ? ucma_notify+0x190/0x190
[ 46.002026]  ? __might_fault+0x192/0x1d0
[ 46.006113]  ? _copy_from_user+0xd2/0x140
[ 46.010276]  ? ucma_notify+0x190/0x190
[ 46.014175]  ucma_write+0x285/0x350
[ 46.017923]  ? ucma_open+0x280/0x280
[ 46.021643]  ? __fget+0x319/0x510
[ 46.025086]  __vfs_write+0xf7/0x760
[ 46.028729]  ? ucma_open+0x280/0x280
[ 46.032511]  ? kernel_read+0x110/0x110
[ 46.036427]  ? __inode_security_revalidate+0xd3/0x120
[ 46.041624]  ? avc_policy_seqno+0x9/0x70
[ 46.045678]  ? selinux_file_permission+0x87/0x520
[ 46.050528]  ? security_file_permission+0x84/0x220
[ 46.055447]  vfs_write+0x206/0x550
[ 46.058979]  ksys_write+0x12b/0x2a0
[ 46.062592]  ? __ia32_sys_read+0xb0/0xb0
[ 46.066641]  ? __ia32_sys_clock_settime+0x260/0x260
[ 46.071642]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 46.076577]  ? trace_hardirqs_off_caller+0x55/0x210
[ 46.081586]  ? do_syscall_64+0x21/0x620
[ 46.085612]  do_syscall_64+0xf9/0x620
[ 46.089492]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.094674] RIP: 0033:0x45c889
[ 46.097859] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 46.117359] RSP: 002b:00007f4439047c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 46.125069] RAX: ffffffffffffffda RBX: 00007f44390486d4 RCX: 000000000045c889
[ 46.132393] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 46.139662] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 46.147035] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 46.154299] R13: 0000000000000cc2 R14: 00000000004ceeb6 R15: 000000000076bf0c
[ 46.162958] Kernel Offset: disabled
[ 46.166617] Rebooting in 86400 seconds..
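Added example, not part of the syzkaller output above and not code from the kernel or syzkaller trees: a small triage parser run over lines excerpted from this report (the SAMPLE_REPORT string is constructed from the lines above, with a few frames dropped for length). It pulls out the access, the use/allocation/free stacks and the PIDs that performed them, recomputes the faulting address's offset into the kmalloc-2048 object and checks it against the 480 bytes KASAN states, and decodes the shadow byte under the row marked with '>'. The shadow-byte table and the list of instrumentation frame prefixes are my assumptions about the 4.19 KASAN output format; the "three different PIDs" rule is a triage heuristic of mine, not anything the report claims.

```python
import re

# KASAN shadow-byte meanings (assumed from mm/kasan/kasan.h of the 4.19 tree the report is from).
SHADOW_MEANING = {0x00: "fully addressable", 0xf1: "stack left redzone",
                  0xf2: "stack mid redzone", 0xf3: "stack right redzone",
                  0xf4: "stack partial redzone", 0xf8: "use-after-scope",
                  0xfa: "global redzone", 0xfb: "freed kmalloc object",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}

# Constructed input: lines excerpted from the report on this page.
SAMPLE_REPORT = """\
[ 45.465534] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 45.472187] Read of size 8 at addr ffff88808acd6460 by task syz-executor.0/6717
[ 45.479687]
[ 45.498641] Call Trace:
[ 45.501237]  dump_stack+0x188/0x20d
[ 45.504879]  ? __list_add_valid+0x93/0xa0
[ 45.518440]  kasan_report.cold+0x88/0x2b9
[ 45.522579]  __list_add_valid+0x93/0xa0
[ 45.526565]  rdma_listen+0x609/0x880
[ 45.530270]  ucma_listen+0x14d/0x1c0
[ 45.550424]  ucma_write+0x285/0x350
[ 45.697235]
[ 45.698848] Allocated by task 6709:
[ 45.702468]  kasan_kmalloc+0xbf/0xe0
[ 45.706338]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 45.711006]  __rdma_create_id+0x5b/0x630
[ 45.715064]  ucma_create_id+0x1cb/0x5a0
[ 45.742535]
[ 45.744156] Freed by task 6708:
[ 45.747509]  __kasan_slab_free+0xf7/0x140
[ 45.751725]  kfree+0xce/0x220
[ 45.754832]  ucma_close+0x10b/0x320
[ 45.779410]
[ 45.781030] The buggy address belongs to the object at ffff88808acd6280
[ 45.781030]  which belongs to the cache kmalloc-2048 of size 2048
[ 45.794988] The buggy address is located 480 bytes inside of
[ 45.794988]  2048-byte region [ffff88808acd6280, ffff88808acd6a80)
[ 45.850267] Memory state around the buggy address:
[ 45.869927] >ffff88808acd6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")          # "? frame" lines are guesses; not matched
SHADOW_ROW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$")  # the row KASAN marks with '>'
INSTRUMENTATION = ("kasan", "__kasan", "kmem_cache", "kfree", "dump_stack")  # assumed prefixes


def parse_kasan(text):
    """Parse one KASAN report into a dict; stacks keep only reliable (non-'?') frames."""
    r = {"use_stack": [], "alloc_stack": [], "free_stack": [], "shadow_byte": None}
    section = None
    for raw in text.splitlines():
        s = TIMESTAMP.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (.+) in (\S+)", s):
            r["bug"], r["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", s):
            r.update(access=m.group(1).lower(), size=int(m.group(2)),
                     addr=int(m.group(3), 16), task_pid=int(m.group(4)))
        elif s == "Call Trace:":
            section = "use_stack"
        elif m := re.match(r"Allocated by task (\d+):", s):
            r["alloc_pid"], section = int(m.group(1)), "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", s):
            r["free_pid"], section = int(m.group(1)), "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r["obj_base"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", s):
            r["claimed_offset"] = int(m.group(1))
        elif m := SHADOW_ROW.match(s):
            row = [int(b, 16) for b in m.group(2).split()]  # one shadow byte covers 8 bytes of memory
            idx = (r["addr"] - int(m.group(1), 16)) // 8
            r["shadow_byte"] = row[idx] if 0 <= idx < len(row) else None
        elif s == "":
            section = None                                   # a blank line ends a stack
        elif section and (m := FRAME.match(s)):
            r[section].append(m.group(1))
    return r


def shadow_meaning(b):
    if b is None:
        return "unknown"
    if 1 <= b <= 7:
        return f"first {b} bytes addressable"
    return SHADOW_MEANING.get(b, "unknown")


def first_own_frame(stack):
    """First frame that is not allocator/KASAN plumbing: where the driver code touched the object."""
    return next((f for f in stack if not f.startswith(INSTRUMENTATION)), None)


def triage(r):
    """Cross-check the report's arithmetic and name the three events KASAN recorded."""
    offset = r["addr"] - r["obj_base"]
    return {"offset": offset,
            "offset_matches_report": offset == r["claimed_offset"],
            "shadow": shadow_meaning(r["shadow_byte"]),
            "use_site": first_own_frame(r["use_stack"]),
            "alloc_site": first_own_frame(r["alloc_stack"]),
            "free_site": first_own_frame(r["free_stack"]),
            # Heuristic: alloc, free and use by three different tasks means the object was reachable
            # from several tasks with nothing keeping it alive (missing reference or lock).
            "cross_task": len({r["task_pid"], r["alloc_pid"], r["free_pid"]}) == 3}


if __name__ == "__main__":
    for key, value in triage(parse_kasan(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On this report the parser confirms 0xffff88808acd6460 - 0xffff88808acd6280 = 480, matching KASAN's own line, and lands on shadow byte fb (freed kmalloc memory) under the '>' row. The three sites it names are the ones visible above: the object came from __rdma_create_id in task 6709, was kfree'd from ucma_close in task 6708 when that task dropped its file, and was then read by __list_add_valid under rdma_listen in task 6717. Allocation, free and use in three different PIDs is the pattern to look for when deciding whether a UAF is a lifetime/refcount race rather than a bad free inside one call path.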