[ 45.553975] audit: type=1800 audit(1559608925.748:30): pid=7755 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0 Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 59.459975] kauditd_printk_skb: 4 callbacks suppressed [ 59.459999] audit: type=1400 audit(1559608939.688:35): avc: denied { map } for pid=7929 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.1.28' (ECDSA) to the list of known hosts. 2019/06/04 00:42:27 fuzzer started [ 67.175141] audit: type=1400 audit(1559608947.398:36): avc: denied { map } for pid=7938 comm="syz-fuzzer" path="/root/syz-fuzzer" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2019/06/04 00:42:30 dialing manager at 10.128.0.105:38735 2019/06/04 00:42:30 syscalls: 2460 2019/06/04 00:42:30 code coverage: enabled 2019/06/04 00:42:30 comparison tracing: enabled 2019/06/04 00:42:30 extra coverage: extra coverage is not supported by the kernel 2019/06/04 00:42:30 setuid sandbox: enabled 2019/06/04 00:42:30 namespace sandbox: enabled 2019/06/04 00:42:30 Android sandbox: /sys/fs/selinux/policy does not exist 2019/06/04 00:42:30 fault injection: enabled 2019/06/04 00:42:30 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/06/04 00:42:30 net packet injection: enabled 2019/06/04 00:42:30 net device setup: enabled 00:42:31 executing program 0: r0 = socket(0x10, 0x2, 0x0) write(r0, &(0x7f0000000000)="2400000043001f00ff03f4f9002364cd84ff8e00f37c0100020100020800038001000000", 0x24) [ 71.727712] audit: type=1400 audit(1559608951.958:37): avc: denied { map } for pid=7957 comm="syz-executor.0" path="/sys/kernel/debug/kcov" dev="debugfs" ino=14986 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 71.843925] IPVS: ftp: loaded support on port[0] = 21 [ 71.855246] NET: Registered protocol family 30 [ 71.860008] Failed to register TIPC socket type 00:42:32 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f0000000300)) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 72.185441] IPVS: ftp: loaded support on port[0] = 21 [ 72.195150] NET: Registered protocol family 30 [ 72.200216] Failed to register TIPC socket type 00:42:32 executing program 2: r0 = bpf$MAP_CREATE(0x0, &(0x7f00000001c0)={0xe, 0x4, 0x4, 0x8}, 0x2c) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") bpf$MAP_LOOKUP_ELEM(0x4, &(0x7f0000000040)={r0, &(0x7f0000000000), 0x0}, 0x18) [ 72.543750] IPVS: ftp: loaded support on port[0] = 21 [ 72.570180] NET: Registered protocol family 30 [ 72.574792] Failed to register TIPC socket type 00:42:33 executing program 3: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0xe, 0x4, 0x4, 0x1}, 0x3c) bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f0000000080)={r0, &(0x7f00000004c0), 0x0}, 0x18) [ 73.104052] IPVS: ftp: loaded support on port[0] = 21 [ 73.120662] NET: Registered protocol family 30 [ 73.125264] Failed to register TIPC socket type 00:42:33 executing program 4: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x484b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000140)='/dev/nullb0\x00', 0x24800, 0x0) preadv(r0, &(0x7f0000000040)=[{&(0x7f0000000400)=""/4096, 0x50000}], 0x1, 0x0) [ 73.773828] IPVS: ftp: loaded support on port[0] = 21 [ 73.790656] NET: Registered protocol family 30 [ 73.795280] Failed to register TIPC socket type 00:42:34 executing program 5: r0 = getpgrp(0x0) ptrace$setopts(0x4206, r0, 0xc6, 0x0) [ 74.669310] IPVS: ftp: loaded support on port[0] = 21 [ 74.690493] NET: Registered protocol family 30 [ 74.695202] Failed to register TIPC socket type [ 74.705359] chnl_net:caif_netlink_parms(): no params data found [ 75.140772] bridge0: port 1(bridge_slave_0) entered blocking state [ 75.216694] bridge0: port 1(bridge_slave_0) entered disabled state [ 75.325742] device bridge_slave_0 entered promiscuous mode [ 75.447568] bridge0: port 2(bridge_slave_1) entered blocking state [ 75.454052] bridge0: port 2(bridge_slave_1) entered disabled state [ 75.650009] device bridge_slave_1 entered promiscuous mode [ 76.150264] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 76.429003] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 77.138410] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 77.330642] team0: Port device team_slave_0 added [ 77.661159] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 77.797584] team0: Port device team_slave_1 added [ 77.997181] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 78.168393] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 78.712383] device hsr_slave_0 entered promiscuous mode [ 78.918521] device hsr_slave_1 entered promiscuous mode [ 79.069134] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 79.242960] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 79.529119] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 80.246875] 8021q: adding VLAN 0 to HW filter on device bond0 [ 80.439081] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 80.633864] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 80.748759] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 80.787217] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 80.906843] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 80.984612] 8021q: adding VLAN 0 to HW filter on device team0 [ 81.130758] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 81.240158] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 81.280242] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 81.377274] bridge0: port 1(bridge_slave_0) entered blocking state [ 81.384158] bridge0: port 1(bridge_slave_0) entered forwarding state [ 81.530704] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 81.612557] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 81.630358] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 81.696468] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 81.775531] bridge0: port 2(bridge_slave_1) entered blocking state [ 81.782033] bridge0: port 2(bridge_slave_1) entered forwarding state [ 81.909057] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 81.986785] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 82.075675] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 82.107788] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 82.186298] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 82.264649] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 82.285396] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 82.368713] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 82.449763] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 82.460790] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 82.526469] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 82.614080] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 82.768107] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 82.780293] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 82.806341] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 82.898138] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 82.976365] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 83.000370] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 83.076840] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 83.229807] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 83.377054] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 83.514018] audit: type=1400 audit(1559608963.738:38): avc: denied { associate } for pid=7958 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 85.055956] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'. 00:42:47 executing program 0: r0 = socket(0x10, 0x2, 0x0) write(r0, &(0x7f0000000000)="2400000043001f00ff03f4f9002364cd84ff8e00f37c0100020100020800038001000000", 0x24) [ 87.476855] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'. 00:42:48 executing program 0: r0 = socket(0x10, 0x2, 0x0) write(r0, &(0x7f0000000000)="2400000043001f00ff03f4f9002364cd84ff8e00f37c0100020100020800038001000000", 0x24) [ 88.309678] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'. 00:42:49 executing program 0: r0 = socket(0x10, 0x2, 0x0) write(r0, &(0x7f0000000000)="2400000043001f00ff03f4f9002364cd84ff8e00f37c0100020100020800038001000000", 0x24) [ 88.831876] IPVS: ftp: loaded support on port[0] = 21 [ 88.859204] NET: Registered protocol family 30 [ 88.863866] Failed to register TIPC socket type [ 88.871679] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'. 00:42:49 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x80001000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000280)='proc\x00', 0x0, 0x0) r1 = open$dir(&(0x7f00000003c0)='./file0\x00', 0x0, 0x0) getdents(r1, &(0x7f0000000180)=""/106, 0x6a) getdents64(r1, &(0x7f0000000440)=""/186, 0x760) [ 88.980878] IPVS: ftp: loaded support on port[0] = 21 [ 88.993448] IPVS: ftp: loaded support on port[0] = 21 [ 89.002921] NET: Registered protocol family 30 [ 89.012163] list_add double add: new=ffffffff892e7630, prev=ffffffff890f3140, next=ffffffff892e7630. [ 89.032144] Failed to register TIPC socket type [ 89.039515] ------------[ cut here ]------------ [ 89.041084] IPVS: ftp: loaded support on port[0] = 21 [ 89.044346] kernel BUG at lib/list_debug.c:29! [ 89.070055] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 89.075472] CPU: 0 PID: 8615 Comm: syz-executor.4 Not tainted 4.19.47 #19 [ 89.082398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 89.091861] RIP: 0010:__list_add_valid.cold+0x26/0x3c [ 89.097090] Code: 56 ff ff ff 4c 89 e1 48 c7 c7 a0 ae 81 87 e8 d0 f3 30 fe 0f 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 e0 af 81 87 e8 b9 f3 30 fe <0f> 0b 48 89 f1 48 c7 c7 60 af 81 87 4c 89 e6 e8 a5 f3 30 fe 0f 0b [ 89.116261] RSP: 0018:ffff88806e447b88 EFLAGS: 00010282 [ 89.121722] RAX: 0000000000000058 RBX: ffffffff892e74a0 RCX: 0000000000000000 [ 89.129013] RDX: 0000000000000000 RSI: ffffffff81559f66 RDI: ffffed100dc88f63 [ 89.136288] RBP: ffff88806e447ba0 R08: 0000000000000058 R09: ffffed1015d03ee3 [ 89.143561] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: ffffffff892e7630 [ 89.150837] R13: ffffffff892e7630 R14: ffffffff892e7630 R15: ffffffff892e75d0 [ 89.158111] FS: 0000000000e22940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 89.166775] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 89.172661] CR2: 000000000075c000 CR3: 00000000a3ca6000 CR4: 00000000001406f0 [ 89.179936] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 89.187209] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 89.194501] Call Trace: [ 89.197139] ? mutex_lock_nested+0x16/0x20 [ 89.201423] proto_register+0x459/0x8e0 [ 89.205435] tipc_socket_init+0x1c/0x70 [ 89.209418] tipc_init_net+0x2ed/0x570 [ 89.213325] ? tipc_exit_net+0x40/0x40 [ 89.217221] ops_init+0xb3/0x410 [ 89.220687] setup_net+0x2d3/0x740 [ 89.224272] ? lock_acquire+0x16f/0x3f0 [ 89.228273] ? ops_init+0x410/0x410 [ 89.231909] copy_net_ns+0x1df/0x340 [ 89.235727] create_new_namespaces+0x400/0x7b0 [ 89.240356] unshare_nsproxy_namespaces+0xc2/0x200 [ 89.245306] ksys_unshare+0x440/0x980 [ 89.249119] ? walk_process_tree+0x2c0/0x2c0 [ 89.253549] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 89.258310] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 89.263677] ? do_syscall_64+0x26/0x620 [ 89.267659] ? lockdep_hardirqs_on+0x415/0x5d0 [ 89.272254] __x64_sys_unshare+0x31/0x40 [ 89.276319] do_syscall_64+0xfd/0x620 [ 89.280124] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 89.285313] RIP: 0033:0x45bd47 [ 89.288506] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d 8d fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fd 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 89.315580] RSP: 002b:00007ffd23df94b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000110 [ 89.323310] RAX: ffffffffffffffda RBX: 000000000075c9a8 RCX: 000000000045bd47 [ 89.330592] RDX: 0000000000000000 RSI: 00007ffd23df9460 RDI: 0000000040000000 [ 89.337871] RBP: 00000000000000f8 R08: 0000000000000000 R09: 0000000000000005 [ 89.345145] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000075c9a8 [ 89.352523] R13: 00007ffd23df9728 R14: 0000000000000000 R15: 0000000000000000 [ 89.362309] Modules linked in: [ 89.373726] ---[ end trace 67865fa6b86c9e83 ]--- 00:42:49 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x80001000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") mkdir(&(0x7f0000000080)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f0000000280)='proc\x00', 0x0, 0x0) r1 = open$dir(&(0x7f00000003c0)='./file0\x00', 0x0, 0x0) getdents(r1, &(0x7f0000000180)=""/106, 0x6a) getdents64(r1, &(0x7f0000000440)=""/186, 0x760) [ 89.379741] RIP: 0010:__list_add_valid.cold+0x26/0x3c [ 89.384960] Code: 56 ff ff ff 4c 89 e1 48 c7 c7 a0 ae 81 87 e8 d0 f3 30 fe 0f 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 e0 af 81 87 e8 b9 f3 30 fe <0f> 0b 48 89 f1 48 c7 c7 60 af 81 87 4c 89 e6 e8 a5 f3 30 fe 0f 0b [ 89.404071] RSP: 0018:ffff88806e447b88 EFLAGS: 00010282 [ 89.409531] RAX: 0000000000000058 RBX: ffffffff892e74a0 RCX: 0000000000000000 [ 89.416921] RDX: 0000000000000000 RSI: ffffffff81559f66 RDI: ffffed100dc88f63 [ 89.424320] RBP: ffff88806e447ba0 R08: 0000000000000058 R09: ffffed1015d03ee3 [ 89.431788] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: ffffffff892e7630 [ 89.439272] R13: ffffffff892e7630 R14: ffffffff892e7630 R15: ffffffff892e75d0 [ 89.444398] kobject: 'loop0' (0000000034e686f6): kobject_uevent_env [ 89.446634] FS: 0000000000e22940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 89.446649] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 89.453835] kobject: 'loop0' (0000000034e686f6): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 89.461607] CR2: 000000c420052000 CR3: 00000000a3ca6000 CR4: 00000000001406f0 [ 89.461618] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 89.461625] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 89.461634] Kernel panic - not syncing: Fatal exception [ 89.462793] Kernel Offset: disabled [ 89.508809] Rebooting in 86400 seconds..