[ 40.439921] audit: type=1800 audit(1551625683.846:31): pid=7739 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 40.464877] audit: type=1800 audit(1551625683.846:32): pid=7739 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.71' (ECDSA) to the list of known hosts.
syzkaller login:
[ 48.437334] kauditd_printk_skb: 3 callbacks suppressed
[ 48.437349] audit: type=1400 audit(1551625691.896:36): avc: denied { map } for pid=7927 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/03/03 15:08:12 parsed 1 programs
[ 49.270049] audit: type=1400 audit(1551625692.726:37): avc: denied { map } for pid=7927 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=107 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/03/03 15:08:15 executed programs: 0
[ 51.704926] IPVS: ftp: loaded support on port[0] = 21
[ 51.714466] IPVS: ftp: loaded support on port[0] = 21
[ 51.732750] IPVS: ftp: loaded support on port[0] = 21
[ 51.732998] IPVS: ftp: loaded support on port[0] = 21
[ 51.744354] IPVS: ftp: loaded support on port[0] = 21
[ 51.801517] IPVS: ftp: loaded support on port[0] = 21
[ 51.993967] chnl_net:caif_netlink_parms(): no params data found
[ 52.075750] chnl_net:caif_netlink_parms(): no params data found
[ 52.091975] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.098334] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.106139] device bridge_slave_0 entered promiscuous mode
[ 52.116154] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.122628] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.129757] device bridge_slave_1 entered promiscuous mode
[ 52.176722] chnl_net:caif_netlink_parms(): no params data found
[ 52.220466] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.234583] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.280468] chnl_net:caif_netlink_parms(): no params data found
[ 52.299474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.306001] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.313746] device bridge_slave_0 entered promiscuous mode
[ 52.332871] chnl_net:caif_netlink_parms(): no params data found
[ 52.346445] team0: Port device team_slave_0 added
[ 52.352971] team0: Port device team_slave_1 added
[ 52.358030] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.364779] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.371794] device bridge_slave_1 entered promiscuous mode
[ 52.380510] chnl_net:caif_netlink_parms(): no params data found
[ 52.421872] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.428240] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.435180] device bridge_slave_0 entered promiscuous mode
[ 52.442452] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.448800] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.456518] device bridge_slave_1 entered promiscuous mode
[ 52.488836] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.519318] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.581553] device hsr_slave_0 entered promiscuous mode
[ 52.620416] device hsr_slave_1 entered promiscuous mode
[ 52.661658] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.677882] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.724028] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.733908] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.741002] device bridge_slave_0 entered promiscuous mode
[ 52.747978] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.754575] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.761800] device bridge_slave_1 entered promiscuous mode
[ 52.774180] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.781451] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.788273] device bridge_slave_0 entered promiscuous mode
[ 52.813169] team0: Port device team_slave_0 added
[ 52.823316] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.829758] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.837133] device bridge_slave_1 entered promiscuous mode
[ 52.843498] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.850540] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.857407] device bridge_slave_0 entered promiscuous mode
[ 52.865275] team0: Port device team_slave_0 added
[ 52.874309] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.883351] team0: Port device team_slave_1 added
[ 52.889623] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.906917] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.913470] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.920498] device bridge_slave_1 entered promiscuous mode
[ 52.927922] team0: Port device team_slave_1 added
[ 52.941383] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.947833] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.954867] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.961260] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.973631] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.063690] device hsr_slave_0 entered promiscuous mode
[ 53.100226] device hsr_slave_1 entered promiscuous mode
[ 53.172496] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.184293] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.191323] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.206216] team0: Port device team_slave_0 added
[ 53.217148] team0: Port device team_slave_1 added
[ 53.239342] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.303526] device hsr_slave_0 entered promiscuous mode
[ 53.340291] device hsr_slave_1 entered promiscuous mode
[ 53.390154] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.421702] device hsr_slave_0 entered promiscuous mode
[ 53.460181] device hsr_slave_1 entered promiscuous mode
[ 53.503066] team0: Port device team_slave_0 added
[ 53.533075] team0: Port device team_slave_1 added
[ 53.539074] team0: Port device team_slave_0 added
[ 53.569243] team0: Port device team_slave_1 added
[ 53.661798] device hsr_slave_0 entered promiscuous mode
[ 53.710320] device hsr_slave_1 entered promiscuous mode
[ 53.852995] device hsr_slave_0 entered promiscuous mode
[ 53.910286] device hsr_slave_1 entered promiscuous mode
[ 53.983492] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.992718] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.006958] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.036471] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.045035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.052520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.059338] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.072377] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.082904] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.098285] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.118151] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.125446] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.132842] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 54.140703] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.148209] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.154587] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.161630] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 54.169294] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.176922] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.183281] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.190194] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 54.197866] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.205520] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.211868] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.218913] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 54.227142] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 54.264744] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 54.273418] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.283553] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.289957] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.296988] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 54.305356] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.313134] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.319471] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.326774] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 54.335399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 54.343304] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 54.351593] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 54.359213] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.366937] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 54.374985] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.382843] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.389168] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.396054] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 54.404049] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.419464] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.443578] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 54.451659] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.458560] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 54.469244] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 54.477295] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 54.485381] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.494343] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 54.502305] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.509692] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 54.517532] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.524975] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 54.532941] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.555633] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 54.565996] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.573779] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.581335] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 54.588919] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.596571] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 54.604327] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.621299] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 54.631217] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 54.653856] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 54.661833] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.669440] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 54.678146] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.685913] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 54.696938] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.722094] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.728559] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.735646] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.742812] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 54.751159] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.762745] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.776432] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.785091] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 54.793657] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.801322] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 54.808959] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.816680] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.823085] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.830437] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 54.838387] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 54.855079] audit: type=1400 audit(1551625698.316:38): avc: denied { associate } for pid=7947 comm="syz-executor.5" name="syz5" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 54.894902] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.908931] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 54.918687] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.926847] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.933239] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.940732] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.947581] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.979048] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.007551] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 55.025353] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 55.037685] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.050317] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.056674] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.063676] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 55.071749] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.079679] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.086074] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.093797] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 55.129658] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.158855] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 55.170946] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 55.186262] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 55.194169] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.202321] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 55.215846] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.235649] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 55.253335] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.261502] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 55.269301] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 55.277471] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.285587] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 55.293904] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.302267] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 55.310157] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.327392] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.348637] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 55.364039] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.374719] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 55.388304] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.398736] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.407448] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.416638] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 55.426508] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.443285] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 55.454309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.465179] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 55.477605] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.531386] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 55.539247] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.555741] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.562205] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.569207] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 55.577233] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.585002] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.591405] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.599948] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.622881] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.637204] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[ 55.645882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 55.654427] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 55.662773] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 55.671489] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.700897] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.707998] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 55.733924] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.746803] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 55.754898] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.772204] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 55.779984] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.795042] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.839431] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/03/03 15:08:20 executed programs: 46
[ 56.708475] ==================================================================
[ 56.715996] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 56.722508] Read of size 8 at addr ffff88809a8327a0 by task syz-executor.5/8251
[ 56.729940]
[ 56.731590] CPU: 1 PID: 8251 Comm: syz-executor.5 Not tainted 5.0.0-rc8+ #3
[ 56.738686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.738695] Call Trace:
[ 56.738716] dump_stack+0x172/0x1f0
[ 56.738732] ? __list_add_valid+0x9a/0xa0
[ 56.738751] print_address_description.cold+0x7c/0x20d
[ 56.758425] ? __list_add_valid+0x9a/0xa0
[ 56.758440] ? __list_add_valid+0x9a/0xa0
[ 56.758457] kasan_report.cold+0x1b/0x40
[ 56.758474] ? __list_add_valid+0x9a/0xa0
[ 56.758494] __asan_report_load8_noabort+0x14/0x20
[ 56.758508] __list_add_valid+0x9a/0xa0
[ 56.758525] rdma_listen+0x63b/0x8e0
[ 56.758543] ucma_listen+0x14d/0x1c0
[ 56.796569] ? ucma_notify+0x190/0x190
[ 56.800467] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 56.806012] ? _copy_from_user+0xdd/0x150
[ 56.810172] ucma_write+0x2da/0x3c0
[ 56.810188] ? ucma_notify+0x190/0x190
[ 56.810203] ? ucma_open+0x290/0x290
[ 56.810228] __vfs_write+0x116/0x8e0
[ 56.810244] ? ucma_open+0x290/0x290
[ 56.810259] ? kernel_read+0x120/0x120
[ 56.810272] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 56.810287] ? __inode_security_revalidate+0xda/0x120
[ 56.810302] ? avc_policy_seqno+0xd/0x70
[ 56.810314] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 56.810332] ? selinux_file_permission+0x92/0x550
[ 56.817837] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.817854] ? security_file_permission+0x94/0x320
[ 56.817880] ? rw_verify_area+0x118/0x360
[ 56.817899] vfs_write+0x20c/0x580
[ 56.817918] ksys_write+0xea/0x1f0
[ 56.817937] ? __ia32_sys_read+0xb0/0xb0
[ 56.883135] ? do_syscall_64+0x26/0x610
[ 56.887128] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.892496] ? do_syscall_64+0x26/0x610
[ 56.892519] __x64_sys_write+0x73/0xb0
[ 56.892537] do_syscall_64+0x103/0x610
[ 56.892556] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.892568] RIP: 0033:0x457e29
[ 56.892583] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.892591] RSP: 002b:00007f9659273c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 56.892604] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
[ 56.892612] RDX: 0000000000000048 RSI: 0000000020000000 RDI: 0000000000000003
[ 56.892620] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 56.892629] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f96592746d4
[ 56.892637] R13: 00000000004cd9b8 R14: 00000000004dcc38 R15: 00000000ffffffff
[ 56.892655]
[ 56.896859] kobject: 'loop4' (00000000e1642c6e): fill_kobj_path: path = '/devices/virtual/block/loop4'
[ 56.900495] Allocated by task 8242:
[ 56.900510] save_stack+0x45/0xd0
[ 56.900524] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 56.900537] kasan_kmalloc+0x9/0x10
[ 56.900550] kmem_cache_alloc_trace+0x151/0x760
[ 56.900563] __rdma_create_id+0x5f/0x4e0
[ 56.900577] ucma_create_id+0x1de/0x640
[ 56.900589] ucma_write+0x2da/0x3c0
[ 56.900600] __vfs_write+0x116/0x8e0
[ 56.900611] vfs_write+0x20c/0x580
[ 56.900622] ksys_write+0xea/0x1f0
[ 56.900634] __x64_sys_write+0x73/0xb0
[ 56.900645] do_syscall_64+0x103/0x610
[ 56.900657] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.900660]
[ 56.900666] Freed by task 8215:
[ 56.900678] save_stack+0x45/0xd0
[ 56.900689] __kasan_slab_free+0x102/0x150
[ 56.900700] kasan_slab_free+0xe/0x10
[ 56.900711] kfree+0xcf/0x230
[ 56.900721] rdma_destroy_id+0x723/0xab0
[ 56.900731] ucma_close+0x115/0x320
[ 56.900742] __fput+0x2df/0x8d0
[ 56.900752] ____fput+0x16/0x20
[ 56.900762] task_work_run+0x14a/0x1c0
[ 56.900773] exit_to_usermode_loop+0x273/0x2c0
[ 56.900785] do_syscall_64+0x52d/0x610
[ 56.900794] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.900797]
[ 56.900806] The buggy address belongs to the object at ffff88809a8325c0
[ 56.900806] which belongs to the cache kmalloc-2k of size 2048
[ 56.900815] The buggy address is located 480 bytes inside of
[ 56.900815] 2048-byte region [ffff88809a8325c0, ffff88809a832dc0)
[ 56.900818] The buggy address belongs to the page:
[ 56.900828] page:ffffea00026a0c80 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0
[ 56.900839] flags: 0x1fffc0000010200(slab|head)
[ 56.900853] raw: 01fffc0000010200 ffffea00026a0508 ffffea00026a1988 ffff88812c3f0c40
[ 56.900874] raw: 0000000000000000 ffff88809a8325c0 0000000100000003 0000000000000000
[ 56.900880] page dumped because: kasan: bad access detected
[ 56.900883]
[ 56.900886] Memory state around the buggy address:
[ 56.900896] ffff88809a832680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.900904] ffff88809a832700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.900912] >ffff88809a832780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.900916] ^
[ 56.900925] ffff88809a832800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.900933] ffff88809a832880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.900937] ==================================================================
[ 56.900941] Disabling lock debugging due to kernel taint
[ 56.908014] Kernel panic - not syncing: panic_on_warn set ...
[ 56.936450] kobject: 'loop2' (0000000042dea664): kobject_uevent_env
[ 56.939979] CPU: 1 PID: 8251 Comm: syz-executor.5 Tainted: G B 5.0.0-rc8+ #3
[ 56.939987] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.939992] Call Trace:
[ 56.940012] dump_stack+0x172/0x1f0
[ 56.940030] panic+0x2cb/0x65c
[ 56.940044] ? __warn_printk+0xf3/0xf3
[ 56.940060] ? __list_add_valid+0x9a/0xa0
[ 56.949188] kobject: 'loop2' (0000000042dea664): fill_kobj_path: path = '/devices/virtual/block/loop2'
[ 56.954588] ? preempt_schedule+0x4b/0x60
[ 56.954604] ? ___preempt_schedule+0x16/0x18
[ 56.954618] ? trace_hardirqs_on+0x5e/0x230
[ 56.954632] ? __list_add_valid+0x9a/0xa0
[ 56.954647] end_report+0x47/0x4f
[ 56.954659] ? __list_add_valid+0x9a/0xa0
[ 56.954670] kasan_report.cold+0xe/0x40
[ 56.954685] ? __list_add_valid+0x9a/0xa0
[ 56.988169] kobject: 'loop3' (000000007ea97ac1): kobject_uevent_env
[ 56.991213] __asan_report_load8_noabort+0x14/0x20
[ 56.991228] __list_add_valid+0x9a/0xa0
[ 56.991243] rdma_listen+0x63b/0x8e0
[ 56.991262] ucma_listen+0x14d/0x1c0
[ 56.999664] kobject: 'loop3' (000000007ea97ac1): fill_kobj_path: path = '/devices/virtual/block/loop3'
[ 57.003242] ? ucma_notify+0x190/0x190
[ 57.003258] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 57.003273] ? _copy_from_user+0xdd/0x150
[ 57.003288] ucma_write+0x2da/0x3c0
[ 57.003301] ? ucma_notify+0x190/0x190
[ 57.003313] ? ucma_open+0x290/0x290
[ 57.003330] __vfs_write+0x116/0x8e0
[ 57.053486] kobject: 'loop0' (0000000069103532): kobject_uevent_env
[ 57.055790] ? ucma_open+0x290/0x290
[ 57.069004] kobject: 'loop0' (0000000069103532): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 57.070327] ? kernel_read+0x120/0x120
[ 57.070342] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 57.070358] ? __inode_security_revalidate+0xda/0x120
[ 57.070369] ? avc_policy_seqno+0xd/0x70
[ 57.070380] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 57.070395] ? selinux_file_permission+0x92/0x550
[ 57.070409] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 57.070422] ? security_file_permission+0x94/0x320
[ 57.070436] ? rw_verify_area+0x118/0x360
[ 57.070450] vfs_write+0x20c/0x580
[ 57.070465] ksys_write+0xea/0x1f0
[ 57.070479] ? __ia32_sys_read+0xb0/0xb0
[ 57.070495] ? do_syscall_64+0x26/0x610
[ 57.092191] kobject: 'loop4' (00000000e1642c6e): kobject_uevent_env
[ 57.094521] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.094536] ? do_syscall_64+0x26/0x610
[ 57.094555] __x64_sys_write+0x73/0xb0
[ 57.094570] do_syscall_64+0x103/0x610
[ 57.094585] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.098590] kobject: 'loop4' (00000000e1642c6e): fill_kobj_path: path = '/devices/virtual/block/loop4'
[ 57.108878] RIP: 0033:0x457e29
[ 57.108894] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.108901] RSP: 002b:00007f9659273c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 57.108914] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
[ 57.108921] RDX: 0000000000000048 RSI: 0000000020000000 RDI: 0000000000000003
[ 57.108928] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 57.108936] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f96592746d4
[ 57.108943] R13: 00000000004cd9b8 R14: 00000000004dcc38 R15: 00000000ffffffff
[ 57.109894] Kernel Offset: disabled
[ 57.558262] Rebooting in 86400 seconds..