[ 43.921640] audit: type=1800 audit(1582666764.950:30): pid=8072 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0 Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 48.675846] kauditd_printk_skb: 4 callbacks suppressed [ 48.675862] audit: type=1400 audit(1582666769.710:35): avc: denied { map } for pid=8246 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts. [ 55.700240] audit: type=1400 audit(1582666776.730:36): avc: denied { map } for pid=8258 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2020/02/25 21:39:36 parsed 1 programs [ 57.414396] audit: type=1400 audit(1582666778.450:37): avc: denied { map } for pid=8258 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=16934 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2020/02/25 21:39:38 executed programs: 0 [ 57.627768] IPVS: ftp: loaded support on port[0] = 21 [ 57.687392] chnl_net:caif_netlink_parms(): no params data found [ 57.742947] bridge0: port 1(bridge_slave_0) entered blocking state [ 57.749683] bridge0: port 1(bridge_slave_0) entered disabled state [ 57.757004] device bridge_slave_0 entered promiscuous mode [ 57.764726] bridge0: port 2(bridge_slave_1) entered blocking state [ 57.771122] bridge0: port 2(bridge_slave_1) entered disabled state [ 57.778301] device bridge_slave_1 entered promiscuous mode [ 57.793392] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 57.802832] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 57.820172] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 57.827734] team0: Port device team_slave_0 added [ 57.833472] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 57.840660] team0: Port device team_slave_1 added [ 57.854360] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 57.860621] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 57.886337] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 57.898285] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 57.904595] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 57.929854] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 57.940666] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 57.948300] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 58.004190] device hsr_slave_0 entered promiscuous mode [ 58.042292] device hsr_slave_1 entered promiscuous mode [ 58.082722] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 58.089976] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 58.139045] audit: type=1400 audit(1582666779.170:38): avc: denied { create } for pid=8274 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 58.163983] audit: type=1400 audit(1582666779.170:39): avc: denied { write } for pid=8274 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 58.165061] bridge0: port 2(bridge_slave_1) entered blocking state [ 58.188010] audit: type=1400 audit(1582666779.180:40): avc: denied { read } for pid=8274 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 58.194277] bridge0: port 2(bridge_slave_1) entered forwarding state [ 58.225077] bridge0: port 1(bridge_slave_0) entered blocking state [ 58.231484] bridge0: port 1(bridge_slave_0) entered forwarding state [ 58.266917] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 58.275219] 8021q: adding VLAN 0 to HW filter on device bond0 [ 58.284338] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 58.293578] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 58.312985] bridge0: port 1(bridge_slave_0) entered disabled state [ 58.320552] bridge0: port 2(bridge_slave_1) entered disabled state [ 58.329134] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 58.339766] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 58.346141] 8021q: adding VLAN 0 to HW filter on device team0 [ 58.355554] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 58.363319] bridge0: port 1(bridge_slave_0) entered blocking state [ 58.369683] bridge0: port 1(bridge_slave_0) entered forwarding state [ 58.379589] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 58.388068] bridge0: port 2(bridge_slave_1) entered blocking state [ 58.394475] bridge0: port 2(bridge_slave_1) entered forwarding state [ 58.411138] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 58.418944] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 58.428491] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 58.440816] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 58.452749] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 58.464020] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 58.470083] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 58.477492] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 58.493475] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready [ 58.501152] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 58.508087] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 58.519345] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 58.532908] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready [ 58.542989] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 58.585607] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready [ 58.593694] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready [ 58.600759] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready [ 58.610657] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 58.618424] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 58.627219] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 58.636239] device veth0_vlan entered promiscuous mode [ 58.646701] device veth1_vlan entered promiscuous mode [ 58.652712] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready [ 58.661594] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready [ 58.674781] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready [ 58.682372] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 58.689799] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 58.700432] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready [ 58.708303] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 58.716141] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 58.726150] device veth0_macvtap entered promiscuous mode [ 58.732811] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready [ 58.741226] device veth1_macvtap entered promiscuous mode [ 58.747851] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready [ 58.757338] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready [ 58.766801] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready [ 58.776395] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready [ 58.783701] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 58.790493] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 58.798089] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 58.805865] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 58.813795] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 58.824636] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready [ 58.831517] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 58.838201] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 58.846102] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 58.959390] audit: type=1400 audit(1582666779.990:41): avc: denied { associate } for pid=8274 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 59.060195] ================================================================== [ 59.067911] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0 [ 59.074411] Read of size 8 at addr ffff8880a88d0720 by task syz-executor.0/8316 [ 59.081860] [ 59.083495] CPU: 1 PID: 8316 Comm: syz-executor.0 Not tainted 4.19.106-syzkaller #0 [ 59.091288] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 59.100757] Call Trace: [ 59.103375] dump_stack+0x197/0x210 [ 59.107026] ? __list_add_valid+0x9a/0xa0 [ 59.111197] print_address_description.cold+0x7c/0x20d [ 59.116499] ? __list_add_valid+0x9a/0xa0 [ 59.120701] kasan_report.cold+0x8c/0x2ba [ 59.124862] __asan_report_load8_noabort+0x14/0x20 [ 59.129788] __list_add_valid+0x9a/0xa0 [ 59.133759] rdma_listen+0x63b/0x8e0 [ 59.137464] ucma_listen+0x14d/0x1c0 [ 59.141181] ? ucma_notify+0x190/0x190 [ 59.145070] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 59.150621] ? _copy_from_user+0xdd/0x150 [ 59.154787] ucma_write+0x2d7/0x3c0 [ 59.158424] ? ucma_notify+0x190/0x190 [ 59.162307] ? ucma_open+0x290/0x290 [ 59.166016] __vfs_write+0x114/0x810 [ 59.169735] ? ucma_open+0x290/0x290 [ 59.173451] ? kernel_read+0x120/0x120 [ 59.177353] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 59.182938] ? __inode_security_revalidate+0xda/0x120 [ 59.188136] ? avc_policy_seqno+0xd/0x70 [ 59.192209] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 59.197239] ? selinux_file_permission+0x92/0x550 [ 59.202083] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 59.207619] ? security_file_permission+0x89/0x230 [ 59.212554] ? rw_verify_area+0x118/0x360 [ 59.216695] vfs_write+0x20c/0x560 [ 59.220250] ksys_write+0x14f/0x2d0 [ 59.223871] ? __ia32_sys_read+0xb0/0xb0 [ 59.227926] ? do_syscall_64+0x26/0x620 [ 59.231891] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.237257] ? do_syscall_64+0x26/0x620 [ 59.241289] __x64_sys_write+0x73/0xb0 [ 59.245289] do_syscall_64+0xfd/0x620 [ 59.249087] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.254275] RIP: 0033:0x45c449 [ 59.257484] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 59.276500] RSP: 002b:00007f891ff5bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 59.284217] RAX: ffffffffffffffda RBX: 00007f891ff5c6d4 RCX: 000000000045c449 [ 59.291489] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003 [ 59.298766] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 [ 59.306110] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 59.313386] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c [ 59.320759] [ 59.322375] Allocated by task 8310: [ 59.325999] save_stack+0x45/0xd0 [ 59.329438] kasan_kmalloc+0xce/0xf0 [ 59.333138] kmem_cache_alloc_trace+0x152/0x760 [ 59.337793] __rdma_create_id+0x5e/0x610 [ 59.341846] ucma_create_id+0x1de/0x640 [ 59.345812] ucma_write+0x2d7/0x3c0 [ 59.349423] __vfs_write+0x114/0x810 [ 59.353132] vfs_write+0x20c/0x560 [ 59.356658] ksys_write+0x14f/0x2d0 [ 59.360280] __x64_sys_write+0x73/0xb0 [ 59.364163] do_syscall_64+0xfd/0x620 [ 59.367963] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.373145] [ 59.374806] Freed by task 8310: [ 59.378091] save_stack+0x45/0xd0 [ 59.381537] __kasan_slab_free+0x102/0x150 [ 59.385791] kasan_slab_free+0xe/0x10 [ 59.389607] kfree+0xcf/0x220 [ 59.392710] rdma_destroy_id+0x726/0xab0 [ 59.396759] ucma_close+0x115/0x320 [ 59.400392] __fput+0x2dd/0x8b0 [ 59.403668] ____fput+0x16/0x20 [ 59.406938] task_work_run+0x145/0x1c0 [ 59.410858] exit_to_usermode_loop+0x273/0x2c0 [ 59.415429] do_syscall_64+0x53d/0x620 [ 59.419320] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.424509] [ 59.426136] The buggy address belongs to the object at ffff8880a88d0540 [ 59.426136] which belongs to the cache kmalloc-2048 of size 2048 [ 59.438979] The buggy address is located 480 bytes inside of [ 59.438979] 2048-byte region [ffff8880a88d0540, ffff8880a88d0d40) [ 59.451052] The buggy address belongs to the page: [ 59.455989] page:ffffea0002a23400 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0 [ 59.465958] flags: 0xfffe0000008100(slab|head) [ 59.470670] raw: 00fffe0000008100 ffffea0002278488 ffffea000225c588 ffff88812c31cc40 [ 59.478580] raw: 0000000000000000 ffff8880a88d0540 0000000100000003 0000000000000000 [ 59.486459] page dumped because: kasan: bad access detected [ 59.492167] [ 59.493789] Memory state around the buggy address: [ 59.498710] ffff8880a88d0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.506076] ffff8880a88d0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.513432] >ffff8880a88d0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.520786] ^ [ 59.525195] ffff8880a88d0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.532554] ffff8880a88d0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.539911] ================================================================== [ 59.547472] Disabling lock debugging due to kernel taint [ 59.555732] Kernel panic - not syncing: panic_on_warn set ... [ 59.555732] [ 59.563133] CPU: 0 PID: 8316 Comm: syz-executor.0 Tainted: G B 4.19.106-syzkaller #0 [ 59.572301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 59.581657] Call Trace: [ 59.584289] dump_stack+0x197/0x210 [ 59.587925] ? __list_add_valid+0x9a/0xa0 [ 59.592110] panic+0x26a/0x50e [ 59.595292] ? __warn_printk+0xf3/0xf3 [ 59.599179] ? __list_add_valid+0x9a/0xa0 [ 59.603325] ? preempt_schedule+0x4b/0x60 [ 59.607468] ? ___preempt_schedule+0x16/0x18 [ 59.611877] ? trace_hardirqs_on+0x5e/0x220 [ 59.616189] ? __list_add_valid+0x9a/0xa0 [ 59.620322] kasan_end_report+0x47/0x4f [ 59.624279] kasan_report.cold+0xa9/0x2ba [ 59.628448] __asan_report_load8_noabort+0x14/0x20 [ 59.633480] __list_add_valid+0x9a/0xa0 [ 59.637446] rdma_listen+0x63b/0x8e0 [ 59.641150] ucma_listen+0x14d/0x1c0 [ 59.644853] ? ucma_notify+0x190/0x190 [ 59.648728] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 59.654251] ? _copy_from_user+0xdd/0x150 [ 59.658386] ucma_write+0x2d7/0x3c0 [ 59.662011] ? ucma_notify+0x190/0x190 [ 59.665893] ? ucma_open+0x290/0x290 [ 59.669596] __vfs_write+0x114/0x810 [ 59.673300] ? ucma_open+0x290/0x290 [ 59.677005] ? kernel_read+0x120/0x120 [ 59.680878] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 59.686411] ? __inode_security_revalidate+0xda/0x120 [ 59.691581] ? avc_policy_seqno+0xd/0x70 [ 59.695628] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 59.700645] ? selinux_file_permission+0x92/0x550 [ 59.705482] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 59.711002] ? security_file_permission+0x89/0x230 [ 59.715927] ? rw_verify_area+0x118/0x360 [ 59.720071] vfs_write+0x20c/0x560 [ 59.723596] ksys_write+0x14f/0x2d0 [ 59.727208] ? __ia32_sys_read+0xb0/0xb0 [ 59.731251] ? do_syscall_64+0x26/0x620 [ 59.735212] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.740559] ? do_syscall_64+0x26/0x620 [ 59.744515] __x64_sys_write+0x73/0xb0 [ 59.748384] do_syscall_64+0xfd/0x620 [ 59.752170] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 59.757345] RIP: 0033:0x45c449 [ 59.760521] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 59.779402] RSP: 002b:00007f891ff5bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 59.787105] RAX: ffffffffffffffda RBX: 00007f891ff5c6d4 RCX: 000000000045c449 [ 59.794354] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003 [ 59.801604] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 [ 59.808870] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 59.816119] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c [ 59.824509] Kernel Offset: disabled [ 59.828134] Rebooting in 86400 seconds..