Warning: Permanently added '10.128.0.72' (ECDSA) to the list of known hosts.
[ 56.323607] audit: type=1400 audit(1583350426.242:36): avc: denied { map } for pid=8070 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/04 19:33:46 parsed 1 programs
[ 58.125159] audit: type=1400 audit(1583350428.042:37): avc: denied { map } for pid=8070 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1169 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/03/04 19:33:48 executed programs: 0
[ 58.318066] IPVS: ftp: loaded support on port[0] = 21
[ 58.380671] chnl_net:caif_netlink_parms(): no params data found
[ 58.431163] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.438135] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.445220] device bridge_slave_0 entered promiscuous mode
[ 58.452918] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.459414] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.466396] device bridge_slave_1 entered promiscuous mode
[ 58.483296] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 58.493346] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 58.510555] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 58.518620] team0: Port device team_slave_0 added
[ 58.524243] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 58.531627] team0: Port device team_slave_1 added
[ 58.545993] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 58.552286] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.577580] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 58.589329] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 58.595597] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.620869] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 58.631632] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 58.639256] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 58.698974] device hsr_slave_0 entered promiscuous mode
[ 58.746822] device hsr_slave_1 entered promiscuous mode
[ 58.787627] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 58.794894] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 58.848437] audit: type=1400 audit(1583350428.772:38): avc: denied { create } for pid=8087 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 58.871143] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.872715] audit: type=1400 audit(1583350428.772:39): avc: denied { write } for pid=8087 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 58.878923] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.903025] audit: type=1400 audit(1583350428.772:40): avc: denied { read } for pid=8087 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 58.909696] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.939406] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.975673] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 58.983114] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.993964] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 59.003022] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 59.021428] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.028821] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.035791] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 59.047130] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 59.053211] 8021q: adding VLAN 0 to HW filter on device team0
[ 59.062745] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 59.070583] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.076972] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 59.086407] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 59.094749] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.101144] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.118659] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 59.128304] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 59.135550] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 59.146809] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 59.158650] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 59.169357] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 59.175375] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 59.182992] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 59.198023] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 59.205495] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 59.212938] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 59.224083] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 59.237544] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 59.247342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 59.290056] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 59.297352] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 59.303859] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 59.314241] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 59.322074] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 59.329254] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 59.338886] device veth0_vlan entered promiscuous mode
[ 59.349010] device veth1_vlan entered promiscuous mode
[ 59.354847] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 59.363588] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 59.375466] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 59.385290] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 59.392805] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 59.400404] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 59.411087] device veth0_macvtap entered promiscuous mode
[ 59.420349] device veth1_macvtap entered promiscuous mode
[ 59.430208] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 59.440363] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 59.451096] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 59.458581] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 59.465538] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 59.473865] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 59.483877] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 59.490940] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 59.498501] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 59.506291] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 59.612714] audit: type=1400 audit(1583350429.532:41): avc: denied { associate } for pid=8087 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 59.701805] ==================================================================
[ 59.709275] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 59.715756] Read of size 8 at addr ffff88808d3d8ba0 by task syz-executor.0/8129
[ 59.723194]
[ 59.724827] CPU: 0 PID: 8129 Comm: syz-executor.0 Not tainted 4.19.107-syzkaller #0
[ 59.732600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.741943] Call Trace:
[ 59.744528]  dump_stack+0x188/0x20d
[ 59.748166]  ? __list_add_valid+0x93/0xa0
[ 59.752301]  print_address_description.cold+0x7c/0x212
[ 59.757567]  ? __list_add_valid+0x93/0xa0
[ 59.761701]  kasan_report.cold+0x88/0x2b9
[ 59.765848]  __list_add_valid+0x93/0xa0
[ 59.769849]  rdma_listen+0x609/0x880
[ 59.773551]  ucma_listen+0x14d/0x1c0
[ 59.777339]  ? ucma_notify+0x190/0x190
[ 59.781212]  ? __might_fault+0x192/0x1d0
[ 59.785257]  ? _copy_from_user+0xd2/0x140
[ 59.789389]  ? ucma_notify+0x190/0x190
[ 59.793259]  ucma_write+0x285/0x350
[ 59.796872]  ? ucma_open+0x280/0x280
[ 59.800580]  ? __fget+0x319/0x510
[ 59.804033]  __vfs_write+0xf7/0x760
[ 59.807653]  ? ucma_open+0x280/0x280
[ 59.811364]  ? kernel_read+0x110/0x110
[ 59.815248]  ? __inode_security_revalidate+0xd3/0x120
[ 59.820431]  ? avc_policy_seqno+0x9/0x70
[ 59.824483]  ? selinux_file_permission+0x87/0x520
[ 59.829344]  ? security_file_permission+0x84/0x220
[ 59.834277]  vfs_write+0x206/0x550
[ 59.837811]  ksys_write+0x12b/0x2a0
[ 59.841424]  ? __ia32_sys_read+0xb0/0xb0
[ 59.845472]  ? __ia32_sys_clock_settime+0x260/0x260
[ 59.850475]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 59.855210]  ? trace_hardirqs_off_caller+0x55/0x210
[ 59.860220]  ? do_syscall_64+0x21/0x620
[ 59.864207]  do_syscall_64+0xf9/0x620
[ 59.868038]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.873222] RIP: 0033:0x45c479
[ 59.876465] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 59.895359] RSP: 002b:00007f3f18d6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 59.903064] RAX: ffffffffffffffda RBX: 00007f3f18d6e6d4 RCX: 000000000045c479
[ 59.910332] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 59.917598] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 59.924848] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 59.932110] R13: 0000000000000cbe R14: 00000000004cea34 R15: 000000000076bf2c
[ 59.939367]
[ 59.940977] Allocated by task 8126:
[ 59.944592]  kasan_kmalloc+0xbf/0xe0
[ 59.948288]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 59.952939]  __rdma_create_id+0x5b/0x630
[ 59.957023]  ucma_create_id+0x1cb/0x5a0
[ 59.961102]  ucma_write+0x285/0x350
[ 59.964716]  __vfs_write+0xf7/0x760
[ 59.968323]  vfs_write+0x206/0x550
[ 59.971842]  ksys_write+0x12b/0x2a0
[ 59.975452]  do_syscall_64+0xf9/0x620
[ 59.979240]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 59.984404]
[ 59.986010] Freed by task 8121:
[ 59.989273]  __kasan_slab_free+0xf7/0x140
[ 59.993413]  kfree+0xce/0x220
[ 59.996509]  ucma_close+0x10b/0x320
[ 60.000122]  __fput+0x2cd/0x890
[ 60.003386]  task_work_run+0x13f/0x1b0
[ 60.007266]  exit_to_usermode_loop+0x25a/0x2b0
[ 60.011832]  do_syscall_64+0x538/0x620
[ 60.015704]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.020874]
[ 60.022492] The buggy address belongs to the object at ffff88808d3d89c0
[ 60.022492]  which belongs to the cache kmalloc-2048 of size 2048
[ 60.035311] The buggy address is located 480 bytes inside of
[ 60.035311]  2048-byte region [ffff88808d3d89c0, ffff88808d3d91c0)
[ 60.047264] The buggy address belongs to the page:
[ 60.052180] page:ffffea000234f600 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 60.062137] flags: 0xfffe0000008100(slab|head)
[ 60.066706] raw: 00fffe0000008100 ffffea0002337108 ffffea0002946b08 ffff88812c3dcc40
[ 60.074574] raw: 0000000000000000 ffff88808d3d8140 0000000100000003 0000000000000000
[ 60.082435] page dumped because: kasan: bad access detected
[ 60.088285]
[ 60.089894] Memory state around the buggy address:
[ 60.094806]  ffff88808d3d8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.102183]  ffff88808d3d8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.109531] >ffff88808d3d8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.116872]                                ^
[ 60.121268]  ffff88808d3d8c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.128609]  ffff88808d3d8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.135957] ==================================================================
[ 60.143294] Disabling lock debugging due to kernel taint
[ 60.154177] Kernel panic - not syncing: panic_on_warn set ...
[ 60.154177]
[ 60.161559] CPU: 0 PID: 8129 Comm: syz-executor.0 Tainted: G B 4.19.107-syzkaller #0
[ 60.170724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.180227] Call Trace:
[ 60.182804]  dump_stack+0x188/0x20d
[ 60.186420]  panic+0x26a/0x50e
[ 60.189604]  ? __warn_printk+0xf3/0xf3
[ 60.193476]  ? preempt_schedule_common+0x4a/0xc0
[ 60.198219]  ? __list_add_valid+0x93/0xa0
[ 60.202349]  ? ___preempt_schedule+0x16/0x18
[ 60.206737]  ? trace_hardirqs_on+0x55/0x210
[ 60.211039]  ? __list_add_valid+0x93/0xa0
[ 60.215169]  kasan_end_report+0x43/0x49
[ 60.219126]  kasan_report.cold+0xa4/0x2b9
[ 60.223258]  __list_add_valid+0x93/0xa0
[ 60.227233]  rdma_listen+0x609/0x880
[ 60.230931]  ucma_listen+0x14d/0x1c0
[ 60.234634]  ? ucma_notify+0x190/0x190
[ 60.238510]  ? __might_fault+0x192/0x1d0
[ 60.242557]  ? _copy_from_user+0xd2/0x140
[ 60.246701]  ? ucma_notify+0x190/0x190
[ 60.250581]  ucma_write+0x285/0x350
[ 60.254192]  ? ucma_open+0x280/0x280
[ 60.257888]  ? __fget+0x319/0x510
[ 60.261367]  __vfs_write+0xf7/0x760
[ 60.264983]  ? ucma_open+0x280/0x280
[ 60.268686]  ? kernel_read+0x110/0x110
[ 60.272560]  ? __inode_security_revalidate+0xd3/0x120
[ 60.277734]  ? avc_policy_seqno+0x9/0x70
[ 60.281783]  ? selinux_file_permission+0x87/0x520
[ 60.286611]  ? security_file_permission+0x84/0x220
[ 60.291536]  vfs_write+0x206/0x550
[ 60.295067]  ksys_write+0x12b/0x2a0
[ 60.298684]  ? __ia32_sys_read+0xb0/0xb0
[ 60.302734]  ? __ia32_sys_clock_settime+0x260/0x260
[ 60.307743]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 60.312482]  ? trace_hardirqs_off_caller+0x55/0x210
[ 60.317496]  ? do_syscall_64+0x21/0x620
[ 60.321491]  do_syscall_64+0xf9/0x620
[ 60.325278]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.330449] RIP: 0033:0x45c479
[ 60.333624] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.352511] RSP: 002b:00007f3f18d6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 60.360205] RAX: ffffffffffffffda RBX: 00007f3f18d6e6d4 RCX: 000000000045c479
[ 60.367457] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 60.374794] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 60.382043] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 60.389294] R13: 0000000000000cbe R14: 00000000004cea34 R15: 000000000076bf2c
[ 60.397996] Kernel Offset: disabled
[ 60.401667] Rebooting in 86400 seconds..