Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts.
syzkaller login: [ 51.099811] kauditd_printk_skb: 5 callbacks suppressed
[ 51.099826] audit: type=1400 audit(1582604629.326:36): avc: denied { map } for pid=8221 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/02/25 04:23:49 parsed 1 programs
[ 52.450820] audit: type=1400 audit(1582604630.676:37): avc: denied { map } for pid=8221 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17178 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/02/25 04:23:50 executed programs: 0
[ 52.644387] IPVS: ftp: loaded support on port[0] = 21
[ 52.695649] chnl_net:caif_netlink_parms(): no params data found
[ 52.740439] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.746917] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.754807] device bridge_slave_0 entered promiscuous mode
[ 52.762103] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.768828] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.775733] device bridge_slave_1 entered promiscuous mode
[ 52.791145] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.800141] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.816009] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.823448] team0: Port device team_slave_0 added
[ 52.828936] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.836249] team0: Port device team_slave_1 added
[ 52.848916] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 52.855227] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 52.880460] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 52.892629] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 52.898960] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 52.924322] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 52.935046] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.942520] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 53.024984] device hsr_slave_0 entered promiscuous mode
[ 53.082430] device hsr_slave_1 entered promiscuous mode
[ 53.122839] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 53.129899] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 53.181783] audit: type=1400 audit(1582604631.406:38): avc: denied { create } for pid=8239 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 53.206268] audit: type=1400 audit(1582604631.406:39): avc: denied { write } for pid=8239 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 53.227573] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.230484] audit: type=1400 audit(1582604631.436:40): avc: denied { read } for pid=8239 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 53.236595] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.267115] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.273470] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.306042] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 53.312122] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.321716] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.330368] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.348922] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.356164] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.363601] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 53.374237] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 53.380297] 8021q: adding VLAN 0 to HW filter on device team0
[ 53.389441] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.397098] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.403452] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.413338] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 53.420937] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.427334] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.441463] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.450688] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 53.466740] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 53.476683] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 53.486933] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 53.494541] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.502155] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.509925] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.517923] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.530212] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 53.538361] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 53.545108] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 53.555892] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.569186] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 53.578610] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 53.619925] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 53.627664] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 53.634324] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 53.644246] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 53.651591] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 53.658517] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 53.667310] device veth0_vlan entered promiscuous mode
[ 53.676381] device veth1_vlan entered promiscuous mode
[ 53.682126] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 53.690783] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 53.702943] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 53.710198] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 53.720933] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 53.729998] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 53.736891] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 53.745007] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 53.755098] device veth0_macvtap entered promiscuous mode
[ 53.761245] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 53.769707] device veth1_macvtap entered promiscuous mode
[ 53.776398] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 53.784971] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 53.794475] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 53.803988] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 53.811058] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 53.818185] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 53.825455] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 53.832922] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 53.840592] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 53.850194] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 53.857426] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 53.864224] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 53.872092] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 53.981339] audit: type=1400 audit(1582604632.206:41): avc: denied { associate } for pid=8239 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 54.129933] ==================================================================
[ 54.137432] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 54.143911] Read of size 8 at addr ffff888082f894e0 by task syz-executor.0/8294
[ 54.151353]
[ 54.152977] CPU: 1 PID: 8294 Comm: syz-executor.0 Not tainted 4.19.106-syzkaller #0
[ 54.160759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.170131] Call Trace:
[ 54.172733] dump_stack+0x197/0x210
[ 54.177922] ? __list_add_valid+0x9a/0xa0
[ 54.182067] print_address_description.cold+0x7c/0x20d
[ 54.187372] ? __list_add_valid+0x9a/0xa0
[ 54.191512] kasan_report.cold+0x8c/0x2ba
[ 54.195719] __asan_report_load8_noabort+0x14/0x20
[ 54.200658] __list_add_valid+0x9a/0xa0
[ 54.204629] rdma_listen+0x63b/0x8e0
[ 54.208348] ucma_listen+0x14d/0x1c0
[ 54.212083] ? ucma_notify+0x190/0x190
[ 54.215959] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.221584] ? _copy_from_user+0xdd/0x150
[ 54.225724] ucma_write+0x2d7/0x3c0
[ 54.229339] ? ucma_notify+0x190/0x190
[ 54.233218] ? ucma_open+0x290/0x290
[ 54.236939] __vfs_write+0x114/0x810
[ 54.240641] ? ucma_open+0x290/0x290
[ 54.244343] ? kernel_read+0x120/0x120
[ 54.248241] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 54.253801] ? __inode_security_revalidate+0xda/0x120
[ 54.258991] ? avc_policy_seqno+0xd/0x70
[ 54.263046] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 54.268066] ? selinux_file_permission+0x92/0x550
[ 54.272911] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.278445] ? security_file_permission+0x89/0x230
[ 54.283364] ? rw_verify_area+0x118/0x360
[ 54.287500] vfs_write+0x20c/0x560
[ 54.291058] ksys_write+0x14f/0x2d0
[ 54.294677] ? __ia32_sys_read+0xb0/0xb0
[ 54.298763] ? do_syscall_64+0x26/0x620
[ 54.302734] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.308132] ? do_syscall_64+0x26/0x620
[ 54.312098] __x64_sys_write+0x73/0xb0
[ 54.315974] do_syscall_64+0xfd/0x620
[ 54.319765] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.324945] RIP: 0033:0x45c449
[ 54.328169] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.347318] RSP: 002b:00007fbcb8534c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 54.355011] RAX: ffffffffffffffda RBX: 00007fbcb85356d4 RCX: 000000000045c449
[ 54.362267] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 54.369528] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 54.376795] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 54.384051] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c
[ 54.391327]
[ 54.392941] Allocated by task 8288:
[ 54.396558] save_stack+0x45/0xd0
[ 54.399999] kasan_kmalloc+0xce/0xf0
[ 54.403711] kmem_cache_alloc_trace+0x152/0x760
[ 54.408375] __rdma_create_id+0x5e/0x610
[ 54.412436] ucma_create_id+0x1de/0x640
[ 54.416399] ucma_write+0x2d7/0x3c0
[ 54.420023] __vfs_write+0x114/0x810
[ 54.423724] vfs_write+0x20c/0x560
[ 54.427262] ksys_write+0x14f/0x2d0
[ 54.430898] __x64_sys_write+0x73/0xb0
[ 54.434772] do_syscall_64+0xfd/0x620
[ 54.438570] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.443762]
[ 54.445396] Freed by task 8288:
[ 54.448681] save_stack+0x45/0xd0
[ 54.452137] __kasan_slab_free+0x102/0x150
[ 54.456396] kasan_slab_free+0xe/0x10
[ 54.460183] kfree+0xcf/0x220
[ 54.463276] rdma_destroy_id+0x726/0xab0
[ 54.467322] ucma_close+0x115/0x320
[ 54.470958] __fput+0x2dd/0x8b0
[ 54.474223] ____fput+0x16/0x20
[ 54.477488] task_work_run+0x145/0x1c0
[ 54.481375] exit_to_usermode_loop+0x273/0x2c0
[ 54.485960] do_syscall_64+0x53d/0x620
[ 54.489861] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.495038]
[ 54.496675] The buggy address belongs to the object at ffff888082f89300
[ 54.496675] which belongs to the cache kmalloc-2048 of size 2048
[ 54.509585] The buggy address is located 480 bytes inside of
[ 54.509585] 2048-byte region [ffff888082f89300, ffff888082f89b00)
[ 54.521543] The buggy address belongs to the page:
[ 54.526462] page:ffffea00020be200 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[ 54.536420] flags: 0xfffe0000008100(slab|head)
[ 54.541044] raw: 00fffe0000008100 ffffea0002a33e88 ffff88812c314948 ffff88812c31cc40
[ 54.553787] raw: 0000000000000000 ffff888082f88200 0000000100000003 0000000000000000
[ 54.561647] page dumped because: kasan: bad access detected
[ 54.567336]
[ 54.568962] Memory state around the buggy address:
[ 54.573898] ffff888082f89380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.581255] ffff888082f89400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.588614] >ffff888082f89480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.595962] ^
[ 54.602455] ffff888082f89500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.609797] ffff888082f89580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.617137] ==================================================================
[ 54.624505] Disabling lock debugging due to kernel taint
[ 54.634072] Kernel panic - not syncing: panic_on_warn set ...
[ 54.634072]
[ 54.641457] CPU: 1 PID: 8294 Comm: syz-executor.0 Tainted: G B 4.19.106-syzkaller #0
[ 54.650636] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.659972] Call Trace:
[ 54.662565] dump_stack+0x197/0x210
[ 54.666180] ? __list_add_valid+0x9a/0xa0
[ 54.670315] panic+0x26a/0x50e
[ 54.673501] ? __warn_printk+0xf3/0xf3
[ 54.677374] ? __list_add_valid+0x9a/0xa0
[ 54.681507] ? preempt_schedule+0x4b/0x60
[ 54.685654] ? ___preempt_schedule+0x16/0x18
[ 54.690049] ? trace_hardirqs_on+0x5e/0x220
[ 54.694361] ? __list_add_valid+0x9a/0xa0
[ 54.698510] kasan_end_report+0x47/0x4f
[ 54.702471] kasan_report.cold+0xa9/0x2ba
[ 54.706604] __asan_report_load8_noabort+0x14/0x20
[ 54.711516] __list_add_valid+0x9a/0xa0
[ 54.715476] rdma_listen+0x63b/0x8e0
[ 54.719198] ucma_listen+0x14d/0x1c0
[ 54.722934] ? ucma_notify+0x190/0x190
[ 54.726854] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.732383] ? _copy_from_user+0xdd/0x150
[ 54.736531] ucma_write+0x2d7/0x3c0
[ 54.740194] ? ucma_notify+0x190/0x190
[ 54.744105] ? ucma_open+0x290/0x290
[ 54.747815] __vfs_write+0x114/0x810
[ 54.751539] ? ucma_open+0x290/0x290
[ 54.755242] ? kernel_read+0x120/0x120
[ 54.759227] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 54.764757] ? __inode_security_revalidate+0xda/0x120
[ 54.769935] ? avc_policy_seqno+0xd/0x70
[ 54.774001] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 54.779917] ? selinux_file_permission+0x92/0x550
[ 54.784783] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.790338] ? security_file_permission+0x89/0x230
[ 54.795268] ? rw_verify_area+0x118/0x360
[ 54.799442] vfs_write+0x20c/0x560
[ 54.803006] ksys_write+0x14f/0x2d0
[ 54.806653] ? __ia32_sys_read+0xb0/0xb0
[ 54.810701] ? do_syscall_64+0x26/0x620
[ 54.814663] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.820028] ? do_syscall_64+0x26/0x620
[ 54.824011] __x64_sys_write+0x73/0xb0
[ 54.827899] do_syscall_64+0xfd/0x620
[ 54.831693] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.836867] RIP: 0033:0x45c449
[ 54.840044] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.858955] RSP: 002b:00007fbcb8534c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 54.866651] RAX: ffffffffffffffda RBX: 00007fbcb85356d4 RCX: 000000000045c449
[ 54.873908] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 54.881166] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 54.888425] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 54.895686] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c
[ 54.904107] Kernel Offset: disabled
[ 54.907748] Rebooting in 86400 seconds..