Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts. syzkaller login: [ 51.099811] kauditd_printk_skb: 5 callbacks suppressed [ 51.099826] audit: type=1400 audit(1582604629.326:36): avc: denied { map } for pid=8221 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2020/02/25 04:23:49 parsed 1 programs [ 52.450820] audit: type=1400 audit(1582604630.676:37): avc: denied { map } for pid=8221 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17178 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 2020/02/25 04:23:50 executed programs: 0 [ 52.644387] IPVS: ftp: loaded support on port[0] = 21 [ 52.695649] chnl_net:caif_netlink_parms(): no params data found [ 52.740439] bridge0: port 1(bridge_slave_0) entered blocking state [ 52.746917] bridge0: port 1(bridge_slave_0) entered disabled state [ 52.754807] device bridge_slave_0 entered promiscuous mode [ 52.762103] bridge0: port 2(bridge_slave_1) entered blocking state [ 52.768828] bridge0: port 2(bridge_slave_1) entered disabled state [ 52.775733] device bridge_slave_1 entered promiscuous mode [ 52.791145] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 52.800141] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 52.816009] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 52.823448] team0: Port device team_slave_0 added [ 52.828936] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 52.836249] team0: Port device team_slave_1 added [ 52.848916] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 52.855227] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 52.880460] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 52.892629] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 52.898960] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 52.924322] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 52.935046] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 52.942520] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 53.024984] device hsr_slave_0 entered promiscuous mode [ 53.082430] device hsr_slave_1 entered promiscuous mode [ 53.122839] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 53.129899] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 53.181783] audit: type=1400 audit(1582604631.406:38): avc: denied { create } for pid=8239 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 53.206268] audit: type=1400 audit(1582604631.406:39): avc: denied { write } for pid=8239 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 53.227573] bridge0: port 2(bridge_slave_1) entered blocking state [ 53.230484] audit: type=1400 audit(1582604631.436:40): avc: denied { read } for pid=8239 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 53.236595] bridge0: port 2(bridge_slave_1) entered forwarding state [ 53.267115] bridge0: port 1(bridge_slave_0) entered blocking state [ 53.273470] bridge0: port 1(bridge_slave_0) entered forwarding state [ 53.306042] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 53.312122] 8021q: adding VLAN 0 to HW filter on device bond0 [ 53.321716] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 53.330368] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 53.348922] bridge0: port 1(bridge_slave_0) entered disabled state [ 53.356164] bridge0: port 2(bridge_slave_1) entered disabled state [ 53.363601] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 53.374237] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 53.380297] 8021q: adding VLAN 0 to HW filter on device team0 [ 53.389441] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 53.397098] bridge0: port 1(bridge_slave_0) entered blocking state [ 53.403452] bridge0: port 1(bridge_slave_0) entered forwarding state [ 53.413338] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 53.420937] bridge0: port 2(bridge_slave_1) entered blocking state [ 53.427334] bridge0: port 2(bridge_slave_1) entered forwarding state [ 53.441463] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 53.450688] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 53.466740] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 53.476683] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 53.486933] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 53.494541] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 53.502155] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 53.509925] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 53.517923] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 53.530212] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready [ 53.538361] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 53.545108] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 53.555892] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 53.569186] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready [ 53.578610] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 53.619925] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready [ 53.627664] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready [ 53.634324] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready [ 53.644246] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 53.651591] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 53.658517] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 53.667310] device veth0_vlan entered promiscuous mode [ 53.676381] device veth1_vlan entered promiscuous mode [ 53.682126] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready [ 53.690783] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready [ 53.702943] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 53.710198] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 53.720933] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready [ 53.729998] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready [ 53.736891] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready [ 53.745007] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 53.755098] device veth0_macvtap entered promiscuous mode [ 53.761245] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready [ 53.769707] device veth1_macvtap entered promiscuous mode [ 53.776398] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready [ 53.784971] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready [ 53.794475] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready [ 53.803988] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready [ 53.811058] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 53.818185] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 53.825455] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready [ 53.832922] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready [ 53.840592] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 53.850194] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready [ 53.857426] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 53.864224] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready [ 53.872092] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 53.981339] audit: type=1400 audit(1582604632.206:41): avc: denied { associate } for pid=8239 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 54.129933] ================================================================== [ 54.137432] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0 [ 54.143911] Read of size 8 at addr ffff888082f894e0 by task syz-executor.0/8294 [ 54.151353] [ 54.152977] CPU: 1 PID: 8294 Comm: syz-executor.0 Not tainted 4.19.106-syzkaller #0 [ 54.160759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.170131] Call Trace: [ 54.172733] dump_stack+0x197/0x210 [ 54.177922] ? __list_add_valid+0x9a/0xa0 [ 54.182067] print_address_description.cold+0x7c/0x20d [ 54.187372] ? __list_add_valid+0x9a/0xa0 [ 54.191512] kasan_report.cold+0x8c/0x2ba [ 54.195719] __asan_report_load8_noabort+0x14/0x20 [ 54.200658] __list_add_valid+0x9a/0xa0 [ 54.204629] rdma_listen+0x63b/0x8e0 [ 54.208348] ucma_listen+0x14d/0x1c0 [ 54.212083] ? ucma_notify+0x190/0x190 [ 54.215959] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 54.221584] ? _copy_from_user+0xdd/0x150 [ 54.225724] ucma_write+0x2d7/0x3c0 [ 54.229339] ? ucma_notify+0x190/0x190 [ 54.233218] ? ucma_open+0x290/0x290 [ 54.236939] __vfs_write+0x114/0x810 [ 54.240641] ? ucma_open+0x290/0x290 [ 54.244343] ? kernel_read+0x120/0x120 [ 54.248241] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 54.253801] ? __inode_security_revalidate+0xda/0x120 [ 54.258991] ? avc_policy_seqno+0xd/0x70 [ 54.263046] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 54.268066] ? selinux_file_permission+0x92/0x550 [ 54.272911] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.278445] ? security_file_permission+0x89/0x230 [ 54.283364] ? rw_verify_area+0x118/0x360 [ 54.287500] vfs_write+0x20c/0x560 [ 54.291058] ksys_write+0x14f/0x2d0 [ 54.294677] ? __ia32_sys_read+0xb0/0xb0 [ 54.298763] ? do_syscall_64+0x26/0x620 [ 54.302734] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.308132] ? do_syscall_64+0x26/0x620 [ 54.312098] __x64_sys_write+0x73/0xb0 [ 54.315974] do_syscall_64+0xfd/0x620 [ 54.319765] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.324945] RIP: 0033:0x45c449 [ 54.328169] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 54.347318] RSP: 002b:00007fbcb8534c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 54.355011] RAX: ffffffffffffffda RBX: 00007fbcb85356d4 RCX: 000000000045c449 [ 54.362267] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003 [ 54.369528] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 [ 54.376795] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 54.384051] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c [ 54.391327] [ 54.392941] Allocated by task 8288: [ 54.396558] save_stack+0x45/0xd0 [ 54.399999] kasan_kmalloc+0xce/0xf0 [ 54.403711] kmem_cache_alloc_trace+0x152/0x760 [ 54.408375] __rdma_create_id+0x5e/0x610 [ 54.412436] ucma_create_id+0x1de/0x640 [ 54.416399] ucma_write+0x2d7/0x3c0 [ 54.420023] __vfs_write+0x114/0x810 [ 54.423724] vfs_write+0x20c/0x560 [ 54.427262] ksys_write+0x14f/0x2d0 [ 54.430898] __x64_sys_write+0x73/0xb0 [ 54.434772] do_syscall_64+0xfd/0x620 [ 54.438570] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.443762] [ 54.445396] Freed by task 8288: [ 54.448681] save_stack+0x45/0xd0 [ 54.452137] __kasan_slab_free+0x102/0x150 [ 54.456396] kasan_slab_free+0xe/0x10 [ 54.460183] kfree+0xcf/0x220 [ 54.463276] rdma_destroy_id+0x726/0xab0 [ 54.467322] ucma_close+0x115/0x320 [ 54.470958] __fput+0x2dd/0x8b0 [ 54.474223] ____fput+0x16/0x20 [ 54.477488] task_work_run+0x145/0x1c0 [ 54.481375] exit_to_usermode_loop+0x273/0x2c0 [ 54.485960] do_syscall_64+0x53d/0x620 [ 54.489861] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.495038] [ 54.496675] The buggy address belongs to the object at ffff888082f89300 [ 54.496675] which belongs to the cache kmalloc-2048 of size 2048 [ 54.509585] The buggy address is located 480 bytes inside of [ 54.509585] 2048-byte region [ffff888082f89300, ffff888082f89b00) [ 54.521543] The buggy address belongs to the page: [ 54.526462] page:ffffea00020be200 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0 [ 54.536420] flags: 0xfffe0000008100(slab|head) [ 54.541044] raw: 00fffe0000008100 ffffea0002a33e88 ffff88812c314948 ffff88812c31cc40 [ 54.553787] raw: 0000000000000000 ffff888082f88200 0000000100000003 0000000000000000 [ 54.561647] page dumped because: kasan: bad access detected [ 54.567336] [ 54.568962] Memory state around the buggy address: [ 54.573898] ffff888082f89380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.581255] ffff888082f89400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.588614] >ffff888082f89480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.595962] ^ [ 54.602455] ffff888082f89500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.609797] ffff888082f89580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 54.617137] ================================================================== [ 54.624505] Disabling lock debugging due to kernel taint [ 54.634072] Kernel panic - not syncing: panic_on_warn set ... [ 54.634072] [ 54.641457] CPU: 1 PID: 8294 Comm: syz-executor.0 Tainted: G B 4.19.106-syzkaller #0 [ 54.650636] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.659972] Call Trace: [ 54.662565] dump_stack+0x197/0x210 [ 54.666180] ? __list_add_valid+0x9a/0xa0 [ 54.670315] panic+0x26a/0x50e [ 54.673501] ? __warn_printk+0xf3/0xf3 [ 54.677374] ? __list_add_valid+0x9a/0xa0 [ 54.681507] ? preempt_schedule+0x4b/0x60 [ 54.685654] ? ___preempt_schedule+0x16/0x18 [ 54.690049] ? trace_hardirqs_on+0x5e/0x220 [ 54.694361] ? __list_add_valid+0x9a/0xa0 [ 54.698510] kasan_end_report+0x47/0x4f [ 54.702471] kasan_report.cold+0xa9/0x2ba [ 54.706604] __asan_report_load8_noabort+0x14/0x20 [ 54.711516] __list_add_valid+0x9a/0xa0 [ 54.715476] rdma_listen+0x63b/0x8e0 [ 54.719198] ucma_listen+0x14d/0x1c0 [ 54.722934] ? ucma_notify+0x190/0x190 [ 54.726854] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 54.732383] ? _copy_from_user+0xdd/0x150 [ 54.736531] ucma_write+0x2d7/0x3c0 [ 54.740194] ? ucma_notify+0x190/0x190 [ 54.744105] ? ucma_open+0x290/0x290 [ 54.747815] __vfs_write+0x114/0x810 [ 54.751539] ? ucma_open+0x290/0x290 [ 54.755242] ? kernel_read+0x120/0x120 [ 54.759227] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 54.764757] ? __inode_security_revalidate+0xda/0x120 [ 54.769935] ? avc_policy_seqno+0xd/0x70 [ 54.774001] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 54.779917] ? selinux_file_permission+0x92/0x550 [ 54.784783] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.790338] ? security_file_permission+0x89/0x230 [ 54.795268] ? rw_verify_area+0x118/0x360 [ 54.799442] vfs_write+0x20c/0x560 [ 54.803006] ksys_write+0x14f/0x2d0 [ 54.806653] ? __ia32_sys_read+0xb0/0xb0 [ 54.810701] ? do_syscall_64+0x26/0x620 [ 54.814663] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.820028] ? do_syscall_64+0x26/0x620 [ 54.824011] __x64_sys_write+0x73/0xb0 [ 54.827899] do_syscall_64+0xfd/0x620 [ 54.831693] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.836867] RIP: 0033:0x45c449 [ 54.840044] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 54.858955] RSP: 002b:00007fbcb8534c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 54.866651] RAX: ffffffffffffffda RBX: 00007fbcb85356d4 RCX: 000000000045c449 [ 54.873908] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003 [ 54.881166] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 [ 54.888425] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff [ 54.895686] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c [ 54.904107] Kernel Offset: disabled [ 54.907748] Rebooting in 86400 seconds..