Warning: Permanently added '10.128.0.111' (ECDSA) to the list of known hosts.
syzkaller login: [   54.546160] kauditd_printk_skb: 5 callbacks suppressed
[   54.546177] audit: type=1400 audit(1556268292.461:36): avc: denied { map } for pid=7963 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/04/26 08:44:53 parsed 1 programs
[   55.419350] audit: type=1400 audit(1556268293.331:37): avc: denied { map } for pid=7963 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14985 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/04/26 08:44:55 executed programs: 0
[   57.467672] IPVS: ftp: loaded support on port[0] = 21
[   57.533471] chnl_net:caif_netlink_parms(): no params data found
[   57.569804] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.577096] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.585110] device bridge_slave_0 entered promiscuous mode
[   57.593356] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.599939] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.607086] device bridge_slave_1 entered promiscuous mode
[   57.623887] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   57.633642] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   57.650877] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   57.659082] team0: Port device team_slave_0 added
[   57.665116] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   57.672430] team0: Port device team_slave_1 added
[   57.677912] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   57.685419] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   57.766909] device hsr_slave_0 entered promiscuous mode
[   57.815663] device hsr_slave_1 entered promiscuous mode
[   57.855442] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   57.862498] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   57.877304] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.883877] bridge0: port 2(bridge_slave_1) entered forwarding state
[   57.890981] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.897377] bridge0: port 1(bridge_slave_0) entered forwarding state
[   57.931576] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   57.939127] 8021q: adding VLAN 0 to HW filter on device bond0
[   57.948385] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   57.957847] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   57.978180] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.986844] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.994096] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   58.006750] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   58.012844] 8021q: adding VLAN 0 to HW filter on device team0
[   58.023193] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   58.031363] bridge0: port 1(bridge_slave_0) entered blocking state
[   58.038468] bridge0: port 1(bridge_slave_0) entered forwarding state
[   58.049270] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   58.057355] bridge0: port 2(bridge_slave_1) entered blocking state
[   58.063712] bridge0: port 2(bridge_slave_1) entered forwarding state
[   58.087753] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   58.096799] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   58.104554] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   58.112575] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   58.120576] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   58.130140] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   58.136274] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   58.150447] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[   58.160937] 8021q: adding VLAN 0 to HW filter on device batadv0
[   58.171648] audit: type=1400 audit(1556268296.081:38): avc: denied { associate } for pid=7978 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[   59.339774] ==================================================================
[   59.347811] BUG: KASAN: stack-out-of-bounds in ax25_getname+0x58/0x7a0
[   59.354555] Write of size 72 at addr ffff8880920f7c78 by task syz-executor.0/8074
[   59.362384]
[   59.364374] CPU: 1 PID: 8074 Comm: syz-executor.0 Not tainted 4.19.36 #4
[   59.371214] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.380893] Call Trace:
[   59.383534]  dump_stack+0x172/0x1f0
[   59.387216]  ? ax25_getname+0x58/0x7a0
[   59.391217]  print_address_description.cold+0x7c/0x20d
[   59.396521]  ? ax25_getname+0x58/0x7a0
[   59.400430]  kasan_report.cold+0x8c/0x2ba
[   59.404606]  check_memory_region+0x123/0x190
[   59.409028]  memset+0x24/0x40
[   59.412134]  ax25_getname+0x58/0x7a0
[   59.415853]  ? fget+0x1b/0x20
[   59.418989]  vhost_net_ioctl+0x120f/0x1900
[   59.423222]  ? handle_rx_kick+0x50/0x50
[   59.427345]  ? cryptoloop_init.cold+0x21/0x21
[   59.431862]  ? __fget+0x340/0x540
[   59.435337]  ? ___might_sleep+0x163/0x280
[   59.439488]  ? __might_sleep+0x95/0x190
[   59.443494]  ? handle_rx_kick+0x50/0x50
[   59.447498]  do_vfs_ioctl+0xd6e/0x1390
[   59.451394]  ? selinux_file_ioctl+0x46f/0x5e0
[   59.456029]  ? selinux_file_ioctl+0x125/0x5e0
[   59.460541]  ? ioctl_preallocate+0x210/0x210
[   59.465119]  ? selinux_file_mprotect+0x620/0x620
[   59.470007]  ? iterate_fd+0x360/0x360
[   59.473871]  ? nsecs_to_jiffies+0x30/0x30
[   59.478048]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.483598]  ? security_file_ioctl+0x93/0xc0
[   59.488019]  ksys_ioctl+0xab/0xd0
[   59.491489]  __x64_sys_ioctl+0x73/0xb0
[   59.495475]  do_syscall_64+0x103/0x610
[   59.499381]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.504598] RIP: 0033:0x458da9
[   59.507798] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   59.526698] RSP: 002b:00007fb972151c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   59.534415] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9
[   59.541902] RDX: 0000000020d7c000 RSI: 000000004008af30 RDI: 0000000000000003
[   59.549202] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[   59.556479] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb9721526d4
[   59.563753] R13: 00000000004c37d7 R14: 00000000004d6cb0 R15: 00000000ffffffff
[   59.571087]
[   59.572718] The buggy address belongs to the page:
[   59.577650] page:ffffea0002483dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   59.586229] flags: 0x1fffc0000000000()
[   59.590129] raw: 01fffc0000000000 0000000000000000 ffffffff02480101 0000000000000000
[   59.598050] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   59.613539] page dumped because: kasan: bad access detected
[   59.619267]
[   59.620902] Memory state around the buggy address:
[   59.627841]  ffff8880920f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[   59.635201]  ffff8880920f7c00: f1 f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
[   59.642584] >ffff8880920f7c80: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
[   59.649965]                                   ^
[   59.654648]  ffff8880920f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[   59.662018]  ffff8880920f7d80: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
[   59.669391] ==================================================================
[   59.676744] Disabling lock debugging due to kernel taint
[   59.683987] Kernel panic - not syncing: panic_on_warn set ...
[   59.683987]
[   59.691386] CPU: 1 PID: 8074 Comm: syz-executor.0 Tainted: G    B             4.19.36 #4
[   59.699623] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.708968] Call Trace:
[   59.711578]  dump_stack+0x172/0x1f0
[   59.715242]  ? ax25_getname+0x58/0x7a0
[   59.719156]  panic+0x263/0x51d
[   59.722350]  ? __warn_printk+0xf3/0xf3
[   59.726235]  ? ax25_getname+0x58/0x7a0
[   59.730132]  ? preempt_schedule+0x4b/0x60
[   59.734393]  ? ___preempt_schedule+0x16/0x18
[   59.738813]  ? trace_hardirqs_on+0x5e/0x230
[   59.743141]  ? ax25_getname+0x58/0x7a0
[   59.747027]  kasan_end_report+0x47/0x4f
[   59.751004]  kasan_report.cold+0xa9/0x2ba
[   59.755182]  check_memory_region+0x123/0x190
[   59.759607]  memset+0x24/0x40
[   59.762829]  ax25_getname+0x58/0x7a0
[   59.766697]  ? fget+0x1b/0x20
[   59.769802]  vhost_net_ioctl+0x120f/0x1900
[   59.774031]  ? handle_rx_kick+0x50/0x50
[   59.778005]  ? cryptoloop_init.cold+0x21/0x21
[   59.782523]  ? __fget+0x340/0x540
[   59.786018]  ? ___might_sleep+0x163/0x280
[   59.790194]  ? __might_sleep+0x95/0x190
[   59.794206]  ? handle_rx_kick+0x50/0x50
[   59.798205]  do_vfs_ioctl+0xd6e/0x1390
[   59.802092]  ? selinux_file_ioctl+0x46f/0x5e0
[   59.806605]  ? selinux_file_ioctl+0x125/0x5e0
[   59.811112]  ? ioctl_preallocate+0x210/0x210
[   59.815530]  ? selinux_file_mprotect+0x620/0x620
[   59.820298]  ? iterate_fd+0x360/0x360
[   59.824104]  ? nsecs_to_jiffies+0x30/0x30
[   59.828373]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.834398]  ? security_file_ioctl+0x93/0xc0
[   59.838814]  ksys_ioctl+0xab/0xd0
[   59.842270]  __x64_sys_ioctl+0x73/0xb0
[   59.846155]  do_syscall_64+0x103/0x610
[   59.850037]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.855234] RIP: 0033:0x458da9
[   59.858439] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   59.877861] RSP: 002b:00007fb972151c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   59.885572] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9
[   59.892847] RDX: 0000000020d7c000 RSI: 000000004008af30 RDI: 0000000000000003
[   59.900117] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[   59.907399] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb9721526d4
[   59.914666] R13: 00000000004c37d7 R14: 00000000004d6cb0 R15: 00000000ffffffff
[   59.922398] Kernel Offset: disabled
[   59.926040] Rebooting in 86400 seconds..
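What the "Memory state around the buggy address" rows in the report actually say, worked out in code. This is an added example; it is not part of the syzkaller log nor kernel code. It assumes the generic KASAN shadow encoding (one shadow byte per 8-byte granule: 00 fully addressable, 01..07 only the first N bytes addressable, f1/f2/f3 stack left/mid/right redzone) and uses the five shadow rows copied from the report as its input. Run against the reported 72-byte write at ffff8880920f7c78 it finds that the destination is a 52-byte stack object (its previous granule is f2, so the write starts exactly at the object's start) and that the memset reached from ax25_getname via vhost_net_ioctl runs 20 bytes past it into the f3 right redzone, which is the granule the '>' row and caret point at.

```python
"""Decode a KASAN 'Memory state around the buggy address' dump.

Added example, not from the syzkaller log or the kernel. Shadow byte
meanings follow the generic KASAN encoding (assumption documented in
the lead-in); the SHADOW_DUMP rows are copied from the report above.
"""
import re

GRANULE = 8  # bytes of memory described by one shadow byte

# Stack poison values as named in mm/kasan (assumed encoding).
REDZONE_NAMES = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
}

# Copied from the report above; ' ' and '>' row prefixes are kept.
SHADOW_DUMP = """\
 ffff8880920f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
 ffff8880920f7c00: f1 f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 00
>ffff8880920f7c80: 00 00 00 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00
 ffff8880920f7d00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffff8880920f7d80: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
"""

ROW_RE = re.compile(r"^[ >]([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")


def parse_shadow(dump):
    """Map each 8-byte granule start address to its shadow byte."""
    shadow = {}
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def object_start(shadow, addr):
    """Walk back over fully addressable granules to find the object's start.

    KASAN separates stack variables with redzones, so the first non-00
    granule before addr bounds the object that contains addr.
    """
    g = addr - addr % GRANULE
    while shadow.get(g - GRANULE) == 0:
        g -= GRANULE
    return g


def addressable_bytes(shadow, addr):
    """Count bytes addressable from addr up to the first poisoned byte."""
    count = 0
    granule = addr - addr % GRANULE
    offset = addr - granule  # skip the part of the first granule before addr
    while granule in shadow:
        s = shadow[granule]
        if s == 0:
            count += GRANULE - offset
        elif s < GRANULE:  # partial granule: only the first s bytes are valid
            return count + max(0, s - offset)
        else:  # poisoned (redzone or freed)
            return count
        offset = 0
        granule += GRANULE
    return count  # ran off the end of the dump


def analyse_access(shadow, addr, size):
    """Describe an access of `size` bytes at `addr` against the shadow map."""
    ok = addressable_bytes(shadow, addr)
    if size <= ok:
        return {"object_bytes": ok, "overflow": 0}
    first_bad = addr + ok
    # Find the redzone the access runs into: first poisoned granule at/after
    # first_bad (a partial granule's padding bytes precede it).
    g = first_bad - first_bad % GRANULE
    while g in shadow and shadow[g] < 0x80:
        g += GRANULE
    poison = shadow.get(g)
    hit = REDZONE_NAMES.get(poison, "unknown" if poison is None else "0x%02x" % poison)
    return {"object_bytes": ok, "overflow": size - ok,
            "first_bad_addr": first_bad, "hit": hit}


def main():
    shadow = parse_shadow(SHADOW_DUMP)
    addr, size = 0xFFFF8880920F7C78, 72  # from the BUG line in the report
    start = object_start(shadow, addr)
    r = analyse_access(shadow, addr, size)
    print("object starts at %#x, write starts at %#x" % (start, addr))
    print("addressable %d bytes, write of %d bytes -> %d bytes past the end"
          % (r["object_bytes"], size, r["overflow"]))
    print("first bad byte %#x, lands in: %s" % (r["first_bad_addr"], r["hit"]))


if __name__ == "__main__":
    main()
```

The same decoder works on any generic-KASAN report: paste the shadow rows and the "Write of size N at addr X" values in, and it tells you the size of the object being clobbered and how far the access overshoots, which is the first thing to know when deciding whether an out-of-bounds write is a fixed-length struct mismatch (as the 52-versus-72 numbers here suggest) or an attacker-controlled length.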