Warning: Permanently added '10.128.0.177' (ECDSA) to the list of known hosts.
2020/08/31 16:10:53 parsed 1 programs
2020/08/31 16:10:53 executed programs: 0
syzkaller login: [ 1048.249749] audit: type=1400 audit(1598890253.728:8): avc: denied { execmem } for pid=6492 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1049.362365] IPVS: ftp: loaded support on port[0] = 21
[ 1049.486355] chnl_net:caif_netlink_parms(): no params data found
[ 1049.653559] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1049.660699] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1049.669039] device bridge_slave_0 entered promiscuous mode
[ 1049.677210] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1049.683663] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1049.691628] device bridge_slave_1 entered promiscuous mode
[ 1049.711045] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1049.720688] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1049.739791] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1049.747413] team0: Port device team_slave_0 added
[ 1049.752959] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1049.761058] team0: Port device team_slave_1 added
[ 1049.777843] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1049.785915] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1049.811427] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1049.823037] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1049.829447] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1049.855875] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1049.868028] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1049.876149] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1049.896828] device hsr_slave_0 entered promiscuous mode
[ 1049.902691] device hsr_slave_1 entered promiscuous mode
[ 1049.909495] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1049.916923] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1049.989320] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1049.996524] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.003462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.010454] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.048723] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1050.058062] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1050.068207] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1050.078029] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1050.088341] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.096872] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.105503] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1050.116407] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1050.122598] 8021q: adding VLAN 0 to HW filter on device team0
[ 1050.136142] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1050.143780] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.150235] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.157925] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1050.167680] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.174189] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.190403] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1050.199156] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1050.209733] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1050.219826] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1050.231939] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1050.243352] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1050.249479] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1050.257458] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1050.270863] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1050.280610] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1050.288479] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1050.299922] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1050.313907] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1050.323891] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1050.362293] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1050.370948] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1050.378636] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1050.389063] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1050.397207] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1050.404934] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1050.415863] device veth0_vlan entered promiscuous mode
[ 1050.425692] device veth1_vlan entered promiscuous mode
[ 1050.431619] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1050.440580] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1050.452198] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1050.462772] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1050.470612] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1050.478614] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1050.489834] device veth0_macvtap entered promiscuous mode
[ 1050.498668] device veth1_macvtap entered promiscuous mode
[ 1050.509012] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1050.518787] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1050.528628] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1050.536386] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1050.543065] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1050.551687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1050.562963] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1050.570691] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1050.577893] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1050.586759] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1051.394943] Bluetooth: hci0: command 0x0409 tx timeout
2020/08/31 16:10:58 executed programs: 110
[ 1053.464449] Bluetooth: hci0: command 0x041b tx timeout
[ 1055.544495] Bluetooth: hci0: command 0x040f tx timeout
[ 1057.634069] Bluetooth: hci0: command 0x0419 tx timeout
2020/08/31 16:11:03 executed programs: 325
2020/08/31 16:11:08 executed programs: 553
2020/08/31 16:11:13 executed programs: 769
2020/08/31 16:11:18 executed programs: 988
2020/08/31 16:11:23 executed programs: 1199
[ 1079.726950] ==================================================================
[ 1079.737207] BUG: KASAN: use-after-free in ex_handler_refcount+0x18f/0x1c0
[ 1079.744263] Write of size 4 at addr ffff888092db2b00 by task syz-executor.0/11983
[ 1079.754977]
[ 1079.757131] CPU: 0 PID: 11983 Comm: syz-executor.0 Not tainted 4.19.142-syzkaller #0
[ 1079.768418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1079.783699] Call Trace:
[ 1079.786771]  dump_stack+0x1fc/0x2fe
[ 1079.790978]  print_address_description.cold+0x54/0x219
[ 1079.797333]  kasan_report_error.cold+0x8a/0x1c7
[ 1079.802890]  ? ex_handler_refcount+0x18f/0x1c0
[ 1079.808931]  __asan_report_store4_noabort+0x88/0x90
[ 1079.815584]  ? ex_handler_refcount+0x18f/0x1c0
[ 1079.821131]  ex_handler_refcount+0x18f/0x1c0
[ 1079.826654]  ? ex_handler_clear_fs+0xb0/0xb0
[ 1079.831581]  fixup_exception+0x8a/0xc3
[ 1079.836801]  do_trap+0x61/0x250
[ 1079.841189]  do_error_trap+0x15d/0x310
[ 1079.846987]  ? math_error+0x310/0x310
[ 1079.851975]  ? csum_partial_copy_generic+0x54b/0x7820
[ 1079.859863]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1079.865374]  invalid_op+0x14/0x20
[ 1079.869611] RIP: 0010:csum_partial_copy_generic+0x54b/0x7820
[ 1079.876876] Code: 0b 48 8d 4d 08 0f 0b 48 8d 4b 04 0f 0b 48 8d 4d 04 0f 0b 49 8d 4c 24 04 0f 0b 49 8d 0c 24 0f 0b 49 8d 0c 24 0f 0b 48 8d 4d 00 <0f> 0b 49 8d 0c 24 0f 0b 48 8d 88 c0 00 00 00 0f 0b 48 8d 8b 80 00
[ 1079.901602] RSP: 0018:ffff88809310fe08 EFLAGS: 00010297
[ 1079.907976] RAX: ffff8880a7eee0c0 RBX: ffff88809d23f7c0 RCX: ffff888092db2b00
[ 1079.915793] RDX: 0000000000000000 RSI: ffffffff81bcf76a RDI: ffff888092db2b00
[ 1079.924733] RBP: ffff888092db2b00 R08: 0000000000000000 R09: 0000000000000000
[ 1079.936570] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88809d23f83c
[ 1079.945950] R13: ffff88809d23f7e8 R14: ffffffff81bcfc80 R15: ffff88821b6a9c20
[ 1079.957061]  ? eventfd_show_fdinfo+0x90/0x90
[ 1079.967091]  ? eventfd_ctx_put+0xa/0x40
[ 1079.975707]  ? eventfd_ctx_put+0xa/0x40
[ 1079.987266]  eventfd_release+0x4f/0x60
[ 1079.994041]  __fput+0x2ce/0x890
[ 1079.998902]  task_work_run+0x148/0x1c0
[ 1080.004555]  exit_to_usermode_loop+0x251/0x2a0
[ 1080.009868]  do_syscall_64+0x538/0x620
[ 1080.015105]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1080.023904] RIP: 0033:0x45d5b9
[ 1080.035102] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1080.062258] RSP: 002b:00007f5f0dd1ac78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 1080.072972] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 1080.087271] RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000005
[ 1080.095196] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 1080.104752] R10: 0000000020fe0ff4 R11: 0000000000000246 R12: 000000000118cf4c
[ 1080.114208] R13: 00007ffe116d6b8f R14: 00007f5f0dd1b9c0 R15: 000000000118cf4c
[ 1080.123302]
[ 1080.125341] Allocated by task 11983:
[ 1080.129934]  kmem_cache_alloc_trace+0x12f/0x380
[ 1080.136182]  do_eventfd+0x61/0x1a0
[ 1080.142820]  __x64_sys_eventfd2+0x50/0x70
[ 1080.150260]  do_syscall_64+0xf9/0x620
[ 1080.157239]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1080.164767]
[ 1080.167102] Freed by task 11982:
[ 1080.171212]  kfree+0xcc/0x210
[ 1080.174802]  eventfd_ctx_put+0x31/0x40
[ 1080.179057]  eventfd_release+0x4f/0x60
[ 1080.183210]  __fput+0x2ce/0x890
[ 1080.187293]  task_work_run+0x148/0x1c0
[ 1080.192196]  exit_to_usermode_loop+0x251/0x2a0
[ 1080.197840]  do_syscall_64+0x538/0x620
[ 1080.201913]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1080.207613]
[ 1080.209258] The buggy address belongs to the object at ffff888092db2b00
[ 1080.209258]  which belongs to the cache kmalloc-96 of size 96
[ 1080.223240] The buggy address is located 0 bytes inside of
[ 1080.223240]  96-byte region [ffff888092db2b00, ffff888092db2b60)
[ 1080.237369] The buggy address belongs to the page:
[ 1080.243271] page:ffffea00024b6c80 count:1 mapcount:0 mapping:ffff88812c39c4c0 index:0x0
[ 1080.252385] flags: 0xfffe0000000100(slab)
[ 1080.257345] raw: 00fffe0000000100 ffffea00023992c8 ffffea00024e6f48 ffff88812c39c4c0
[ 1080.266487] raw: 0000000000000000 ffff888092db2000 0000000100000020 0000000000000000
[ 1080.276254] page dumped because: kasan: bad access detected
[ 1080.284853]
[ 1080.287272] Memory state around the buggy address:
[ 1080.293620]  ffff888092db2a00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 1080.303579]  ffff888092db2a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1080.312088] >ffff888092db2b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1080.320158]                    ^
[ 1080.324335]  ffff888092db2b80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1080.333913]  ffff888092db2c00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1080.342471] ==================================================================
[ 1080.351443] Disabling lock debugging due to kernel taint
[ 1080.364829] Kernel panic - not syncing: panic_on_warn set ...
[ 1080.364829]
[ 1080.373974] CPU: 1 PID: 11983 Comm: syz-executor.0 Tainted: G B 4.19.142-syzkaller #0
[ 1080.384862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1080.395041] Call Trace:
[ 1080.397642]  dump_stack+0x1fc/0x2fe
[ 1080.402385]  panic+0x26a/0x50e
[ 1080.405949]  ? __warn_printk+0xf3/0xf3
[ 1080.410016]  ? preempt_schedule_common+0x45/0xc0
[ 1080.414844]  ? ___preempt_schedule+0x16/0x18
[ 1080.419280]  ? trace_hardirqs_on+0x55/0x210
[ 1080.423598]  kasan_end_report+0x43/0x49
[ 1080.427602]  kasan_report_error.cold+0xa7/0x1c7
[ 1080.432262]  ? ex_handler_refcount+0x18f/0x1c0
[ 1080.436868]  __asan_report_store4_noabort+0x88/0x90
[ 1080.441880]  ? ex_handler_refcount+0x18f/0x1c0
[ 1080.446577]  ex_handler_refcount+0x18f/0x1c0
[ 1080.450983]  ? ex_handler_clear_fs+0xb0/0xb0
[ 1080.455519]  fixup_exception+0x8a/0xc3
[ 1080.459413]  do_trap+0x61/0x250
[ 1080.462697]  do_error_trap+0x15d/0x310
[ 1080.466580]  ? math_error+0x310/0x310
[ 1080.470383]  ? csum_partial_copy_generic+0x54b/0x7820
[ 1080.475584]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1080.480669]  invalid_op+0x14/0x20
[ 1080.484156] RIP: 0010:csum_partial_copy_generic+0x54b/0x7820
[ 1080.490077] Code: 0b 48 8d 4d 08 0f 0b 48 8d 4b 04 0f 0b 48 8d 4d 04 0f 0b 49 8d 4c 24 04 0f 0b 49 8d 0c 24 0f 0b 49 8d 0c 24 0f 0b 48 8d 4d 00 <0f> 0b 49 8d 0c 24 0f 0b 48 8d 88 c0 00 00 00 0f 0b 48 8d 8b 80 00
[ 1080.509239] RSP: 0018:ffff88809310fe08 EFLAGS: 00010297
[ 1080.514603] RAX: ffff8880a7eee0c0 RBX: ffff88809d23f7c0 RCX: ffff888092db2b00
[ 1080.521880] RDX: 0000000000000000 RSI: ffffffff81bcf76a RDI: ffff888092db2b00
[ 1080.529418] RBP: ffff888092db2b00 R08: 0000000000000000 R09: 0000000000000000
[ 1080.536675] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88809d23f83c
[ 1080.543988] R13: ffff88809d23f7e8 R14: ffffffff81bcfc80 R15: ffff88821b6a9c20
[ 1080.551308]  ? eventfd_show_fdinfo+0x90/0x90
[ 1080.555724]  ? eventfd_ctx_put+0xa/0x40
[ 1080.559717]  ? eventfd_ctx_put+0xa/0x40
[ 1080.563696]  eventfd_release+0x4f/0x60
[ 1080.567613]  __fput+0x2ce/0x890
[ 1080.570892]  task_work_run+0x148/0x1c0
[ 1080.575130]  exit_to_usermode_loop+0x251/0x2a0
[ 1080.579844]  do_syscall_64+0x538/0x620
[ 1080.583729]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1080.588925] RIP: 0033:0x45d5b9
[ 1080.592104] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1080.611144] RSP: 002b:00007f5f0dd1ac78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 1080.618868] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 1080.626159] RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000005
[ 1080.633585] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 1080.640864] R10: 0000000020fe0ff4 R11: 0000000000000246 R12: 000000000118cf4c
[ 1080.648135] R13: 00007ffe116d6b8f R14: 00007f5f0dd1b9c0 R15: 000000000118cf4c
[ 1080.656582] Kernel Offset: disabled
[ 1080.660238] Rebooting in 86400 seconds..