Warning: Permanently added '10.128.0.192' (ECDSA) to the list of known hosts.
2020/04/03 08:01:20 parsed 1 programs
2020/04/03 08:01:22 executed programs: 0
[ 44.967103] audit: type=1400 audit(1585900882.212:8): avc: denied { execmem } for pid=6456 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 45.004614] IPVS: ftp: loaded support on port[0] = 21
[ 45.097094] chnl_net:caif_netlink_parms(): no params data found
[ 45.187202] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.194403] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.203451] device bridge_slave_0 entered promiscuous mode
[ 45.211315] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.217703] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.225343] device bridge_slave_1 entered promiscuous mode
[ 45.243528] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 45.252685] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 45.272679] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 45.280865] team0: Port device team_slave_0 added
[ 45.286425] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 45.294160] team0: Port device team_slave_1 added
[ 45.310791] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 45.317073] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 45.342427] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 45.354135] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 45.360501] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 45.385746] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 45.396463] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 45.404194] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 45.472688] device hsr_slave_0 entered promiscuous mode
[ 45.510192] device hsr_slave_1 entered promiscuous mode
[ 45.550499] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 45.557880] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 45.638860] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.645342] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.652325] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.658710] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.695092] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 45.701274] 8021q: adding VLAN 0 to HW filter on device bond0
[ 45.711315] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 45.721562] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.730847] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.737976] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.746681] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 45.758104] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 45.764493] 8021q: adding VLAN 0 to HW filter on device team0
[ 45.781528] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.789158] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.795618] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.803817] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.812210] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.818550] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.831863] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 45.840157] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 45.855136] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 45.865989] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 45.877809] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 45.885027] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 45.893444] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 45.901772] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 45.911175] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 45.925516] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 45.934215] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 45.942015] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 45.955452] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 45.968735] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 45.979695] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 46.018218] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 46.025667] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 46.033346] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 46.043808] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 46.052017] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 46.058848] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 46.068508] device veth0_vlan entered promiscuous mode
[ 46.078213] device veth1_vlan entered promiscuous mode
[ 46.084631] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 46.092521] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 46.109905] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 46.119231] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 46.126767] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 46.135018] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 46.145283] device veth0_macvtap entered promiscuous mode
[ 46.152659] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 46.161471] device veth1_macvtap entered promiscuous mode
[ 46.167644] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 46.177418] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 46.187207] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 46.196931] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 46.204287] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 46.211498] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 46.218993] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 46.226401] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 46.234445] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 46.245878] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 46.255409] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 46.262790] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 46.271793] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 46.545711] ==================================================================
[ 46.554283] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 46.560777] Read of size 8 at addr ffff8880887177a0 by task syz-executor.0/6705
[ 46.568464]
[ 46.570085] CPU: 0 PID: 6705 Comm: syz-executor.0 Not tainted 4.19.114-syzkaller #0
[ 46.577880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.587223] Call Trace:
[ 46.590073]  dump_stack+0x188/0x20d
[ 46.593705]  ? __list_add_valid+0x93/0xa0
[ 46.597841]  print_address_description.cold+0x7c/0x212
[ 46.603118]  ? __list_add_valid+0x93/0xa0
[ 46.607290]  kasan_report.cold+0x88/0x2b9
[ 46.611429]  __list_add_valid+0x93/0xa0
[ 46.615396]  rdma_listen+0x609/0x880
[ 46.619099]  ucma_listen+0x14d/0x1c0
[ 46.622815]  ? ucma_notify+0x190/0x190
[ 46.626755]  ? __might_fault+0x192/0x1d0
[ 46.630818]  ? _copy_from_user+0xd2/0x140
[ 46.634963]  ? ucma_notify+0x190/0x190
[ 46.638837]  ucma_write+0x285/0x350
[ 46.642453]  ? ucma_open+0x280/0x280
[ 46.646155]  ? __fget+0x319/0x510
[ 46.649604]  __vfs_write+0xf7/0x760
[ 46.653220]  ? ucma_open+0x280/0x280
[ 46.656941]  ? kernel_read+0x110/0x110
[ 46.660822]  ? __inode_security_revalidate+0xd3/0x120
[ 46.666007]  ? avc_policy_seqno+0x9/0x70
[ 46.670072]  ? selinux_file_permission+0x87/0x520
[ 46.675027]  ? security_file_permission+0x84/0x220
[ 46.679951]  vfs_write+0x206/0x550
[ 46.683485]  ksys_write+0x12b/0x2a0
[ 46.687111]  ? __ia32_sys_read+0xb0/0xb0
[ 46.691159]  ? __ia32_sys_clock_settime+0x260/0x260
[ 46.696173]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 46.700925]  ? trace_hardirqs_off_caller+0x55/0x210
[ 46.705956]  ? do_syscall_64+0x21/0x620
[ 46.709918]  do_syscall_64+0xf9/0x620
[ 46.713709]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.718915] RIP: 0033:0x45c849
[ 46.722104] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 46.741009] RSP: 002b:00007f5170bc5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 46.748745] RAX: ffffffffffffffda RBX: 00007f5170bc66d4 RCX: 000000000045c849
[ 46.756039] RDX: 0000000000000010 RSI: 0000000020000380 RDI: 0000000000000003
[ 46.763307] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 46.770717] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 46.777989] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bfac
[ 46.785262]
[ 46.786906] Allocated by task 6698:
[ 46.790530]  kasan_kmalloc+0xbf/0xe0
[ 46.794244]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 46.798898]  __rdma_create_id+0x5b/0x630
[ 46.802944]  ucma_create_id+0x1cb/0x5a0
[ 46.806901]  ucma_write+0x285/0x350
[ 46.810513]  __vfs_write+0xf7/0x760
[ 46.814122]  vfs_write+0x206/0x550
[ 46.817651]  ksys_write+0x12b/0x2a0
[ 46.821291]  do_syscall_64+0xf9/0x620
[ 46.825079]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.830247]
[ 46.831869] Freed by task 6694:
[ 46.835136]  __kasan_slab_free+0xf7/0x140
[ 46.839266]  kfree+0xce/0x220
[ 46.842357]  ucma_close+0x10b/0x320
[ 46.845972]  __fput+0x2cd/0x890
[ 46.849236]  task_work_run+0x13f/0x1b0
[ 46.853126]  exit_to_usermode_loop+0x25a/0x2b0
[ 46.857693]  do_syscall_64+0x538/0x620
[ 46.861581]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.866750]
[ 46.868375] The buggy address belongs to the object at ffff8880887175c0
[ 46.868375]  which belongs to the cache kmalloc-2048 of size 2048
[ 46.881195] The buggy address is located 480 bytes inside of
[ 46.881195]  2048-byte region [ffff8880887175c0, ffff888088717dc0)
[ 46.893156] The buggy address belongs to the page:
[ 46.898087] page:ffffea000221c580 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 46.908053] flags: 0xfffe0000008100(slab|head)
[ 46.912719] raw: 00fffe0000008100 ffffea000232cc08 ffffea0002825188 ffff88812c3dcc40
[ 46.920594] raw: 0000000000000000 ffff8880887164c0 0000000100000003 0000000000000000
[ 46.928458] page dumped because: kasan: bad access detected
[ 46.934151]
[ 46.935764] Memory state around the buggy address:
[ 46.940727]  ffff888088717680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.948081]  ffff888088717700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.955439] >ffff888088717780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.962804]                                ^
[ 46.967200]  ffff888088717800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.974551]  ffff888088717880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.981982] ==================================================================
[ 46.989343] Disabling lock debugging due to kernel taint
[ 47.003112] Kernel panic - not syncing: panic_on_warn set ...
[ 47.003112]
[ 47.010523] CPU: 1 PID: 6705 Comm: syz-executor.0 Tainted: G B 4.19.114-syzkaller #0
[ 47.019717] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.029071] Call Trace:
[ 47.031677]  dump_stack+0x188/0x20d
[ 47.035319]  panic+0x26a/0x50e
[ 47.038528]  ? __warn_printk+0xf3/0xf3
[ 47.042424]  ? preempt_schedule_common+0x4a/0xc0
[ 47.047173]  ? __list_add_valid+0x93/0xa0
[ 47.051332]  ? ___preempt_schedule+0x16/0x18
[ 47.055751]  ? trace_hardirqs_on+0x55/0x210
[ 47.060069]  ? __list_add_valid+0x93/0xa0
[ 47.064213]  kasan_end_report+0x43/0x49
[ 47.068182]  kasan_report.cold+0xa4/0x2b9
[ 47.072349]  __list_add_valid+0x93/0xa0
[ 47.076321]  rdma_listen+0x609/0x880
[ 47.080024]  ucma_listen+0x14d/0x1c0
[ 47.083729]  ? ucma_notify+0x190/0x190
[ 47.087609]  ? __might_fault+0x192/0x1d0
[ 47.091673]  ? _copy_from_user+0xd2/0x140
[ 47.095823]  ? ucma_notify+0x190/0x190
[ 47.099706]  ucma_write+0x285/0x350
[ 47.103318]  ? ucma_open+0x280/0x280
[ 47.107059]  ? __fget+0x319/0x510
[ 47.110502]  __vfs_write+0xf7/0x760
[ 47.114125]  ? ucma_open+0x280/0x280
[ 47.117857]  ? kernel_read+0x110/0x110
[ 47.121737]  ? __inode_security_revalidate+0xd3/0x120
[ 47.126917]  ? avc_policy_seqno+0x9/0x70
[ 47.130990]  ? selinux_file_permission+0x87/0x520
[ 47.135842]  ? security_file_permission+0x84/0x220
[ 47.140760]  vfs_write+0x206/0x550
[ 47.144284]  ksys_write+0x12b/0x2a0
[ 47.147901]  ? __ia32_sys_read+0xb0/0xb0
[ 47.151953]  ? __ia32_sys_clock_settime+0x260/0x260
[ 47.157022]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 47.161784]  ? trace_hardirqs_off_caller+0x55/0x210
[ 47.166790]  ? do_syscall_64+0x21/0x620
[ 47.170750]  do_syscall_64+0xf9/0x620
[ 47.174546]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.179719] RIP: 0033:0x45c849
[ 47.183337] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 47.202758] RSP: 002b:00007f5170bc5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 47.210467] RAX: ffffffffffffffda RBX: 00007f5170bc66d4 RCX: 000000000045c849
[ 47.217768] RDX: 0000000000000010 RSI: 0000000020000380 RDI: 0000000000000003
[ 47.225065] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 47.232323] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 47.239660] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bfac
[ 47.248094] Kernel Offset: disabled
[ 47.251742] Rebooting in 86400 seconds..
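The KASAN report in the log above (from the `BUG: KASAN:` line to the closing row of `=`) has a fixed layout that a triager reads the same way every time: the access line, the owning slab object, the call trace, the allocation and free stacks, and the shadow-memory rows. The script below is an added example for reading that layout; it is not part of the syzbot log and not kernel or syzkaller tooling. It embeds a subset of the report's own lines as `SAMPLE_REPORT` and re-derives the offset of the access into the freed object, the meaning of the shadow byte under the access, and the three tasks involved. The shadow-byte table follows `mm/kasan/kasan.h` of the 4.19 era; the function and constant names are my own.

```python
"""Re-derive the triage facts from a KASAN slab use-after-free report.
Added example, not part of the syzbot log or of any kernel tooling: SAMPLE_REPORT is a
subset of the report's own lines, the helper names are my own, and the shadow-byte
table follows mm/kasan/kasan.h of the 4.19 era."""
import re

SAMPLE_REPORT = """[ 46.554283] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 46.560777] Read of size 8 at addr ffff8880887177a0 by task syz-executor.0/6705
[ 46.587223] Call Trace:
[ 46.590073]  dump_stack+0x188/0x20d
[ 46.593705]  ? __list_add_valid+0x93/0xa0
[ 46.597841]  print_address_description.cold+0x7c/0x212
[ 46.607290]  kasan_report.cold+0x88/0x2b9
[ 46.611429]  __list_add_valid+0x93/0xa0
[ 46.615396]  rdma_listen+0x609/0x880
[ 46.619099]  ucma_listen+0x14d/0x1c0
[ 46.622815]  ? ucma_notify+0x190/0x190
[ 46.713709]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.718915] RIP: 0033:0x45c849
[ 46.786906] Allocated by task 6698:
[ 46.790530]  kasan_kmalloc+0xbf/0xe0
[ 46.794244]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 46.798898]  __rdma_create_id+0x5b/0x630
[ 46.802944]  ucma_create_id+0x1cb/0x5a0
[ 46.831869] Freed by task 6694:
[ 46.835136]  __kasan_slab_free+0xf7/0x140
[ 46.839266]  kfree+0xce/0x220
[ 46.842357]  ucma_close+0x10b/0x320
[ 46.868375] The buggy address belongs to the object at ffff8880887175c0
[ 46.868375]  which belongs to the cache kmalloc-2048 of size 2048
[ 46.881195] The buggy address is located 480 bytes inside of
[ 46.881195]  2048-byte region [ffff8880887175c0, ffff888088717dc0)
[ 46.935764] Memory state around the buggy address:
[ 46.948081]  ffff888088717700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.955439] >ffff888088717780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.962804]                                ^
[ 46.967200]  ffff888088717800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

SHADOW = {0x00: "accessible", 0xFA: "global redzone", 0xFB: "freed slab object",
          0xFC: "kmalloc redzone", 0xFE: "page redzone", 0xFF: "freed page",
          0xF1: "stack left redzone", 0xF2: "stack mid redzone", 0xF3: "stack right redzone"}
INFRA = ("kasan_", "__kasan_", "kmem_cache_", "kfree", "dump_stack",   # KASAN/allocator
         "print_address_description", "__list_add_valid")               # plumbing, not the bug
_TS = re.compile(r"^\[\s*[\d.]+\]\s?")

def shadow_meaning(byte):
    """Decode one shadow byte; 1..7 means only that many leading bytes of the granule are valid."""
    if 1 <= byte <= 7:
        return "partially accessible (first %d bytes)" % byte
    return SHADOW.get(byte, "unknown 0x%02x" % byte)

def first_driver_frame(frames):
    """First frame that is not KASAN/allocator plumbing: the code a reviewer should open."""
    return next((f for f in frames if not f.startswith(INFRA)), None)

def parse_kasan_report(text):
    """Pull the access, owning object, call trace, alloc/free stacks and shadow map out of a report."""
    text = "\n".join(_TS.sub("", line) for line in text.splitlines())   # drop "[ 46.5...]" prefixes
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    r["bug"], r["site"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
    r["addr"], r["task"] = int(m.group(3), 16), int(m.group(4))
    m = re.search(r"object at ([0-9a-f]+)\n\s*which belongs to the cache (\S+) of size (\d+)", text)
    r["obj"], r["cache"], r["obj_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
    r["offset"] = r["addr"] - r["obj"]
    r["stated_offset"] = int(re.search(r"located (\d+) bytes inside", text).group(1))
    body = re.search(r"Call Trace:\n((?:.+\n)+?)RIP:", text).group(1)
    r["frames"] = [f.strip() for f in body.splitlines() if not f.strip().startswith("? ")]
    for key, head in (("alloc", "Allocated"), ("free", "Freed")):
        m = re.search(head + r" by task (\d+):\n((?:[ \t]+\S+\n)+)", text)
        r[key + "_task"], r[key + "_stack"] = int(m.group(1)), m.group(2).split()
    shadow = {}   # kernel address of each 8-byte granule -> its shadow byte
    for row, cells in re.findall(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        for i, cell in enumerate(cells.split()):
            shadow[int(row, 16) + 8 * i] = int(cell, 16)
    r["shadow_byte"] = shadow.get(r["addr"] & ~7)
    return r

def summarize(text):
    """The findings a triager writes into the bug, as plain strings."""
    r = parse_kasan_report(text)
    out = ["%s: %s of %d bytes at 0x%x, %d bytes into a %d-byte %s object" % (
        r["bug"], r["access"], r["size"], r["addr"], r["offset"], r["obj_size"], r["cache"]),
        "shadow byte 0x%02x under the access: %s" % (r["shadow_byte"], shadow_meaning(r["shadow_byte"]))]
    for who, task, stack in (("allocated", r["alloc_task"], r["alloc_stack"]),
                             ("freed", r["free_task"], r["free_stack"]),
                             ("accessed", r["task"], r["frames"])):
        out.append("%s by task %d in %s" % (who, task, first_driver_frame(stack)))
    if r["offset"] != r["stated_offset"]:
        out.append("WARNING: computed offset %d disagrees with the report" % r["offset"])
    if len({r["alloc_task"], r["free_task"], r["task"]}) > 1:
        out.append("free and use come from different tasks: look for a missing refcount or lock")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORT)))
```

Run as a script it prints the six findings for the embedded sample: a read 480 bytes into a kmalloc-2048 object whose shadow byte is 0xfb (freed), allocated under `__rdma_create_id` by task 6698, freed under `ucma_close` by task 6694, and read under `rdma_listen` by task 6705. The same function can be pointed at the complete console log above, since every pattern searches rather than anchors and the first match of each is the report's own line.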