[ 41.964553] audit: type=1800 audit(1582716264.877:29): pid=7966 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 41.986985] audit: type=1800 audit(1582716264.897:30): pid=7966 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
syzkaller login:
[ 52.370252] kauditd_printk_skb: 5 callbacks suppressed
[ 52.370268] audit: type=1400 audit(1582716275.287:36): avc: denied { map } for pid=8153 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/02/26 11:24:35 parsed 1 programs
[ 53.983923] audit: type=1400 audit(1582716276.897:37): avc: denied { map } for pid=8153 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=79 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/02/26 11:24:37 executed programs: 0
[ 54.178686] IPVS: ftp: loaded support on port[0] = 21
[ 54.232666] chnl_net:caif_netlink_parms(): no params data found
[ 54.279653] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.286332] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.293466] device bridge_slave_0 entered promiscuous mode
[ 54.301228] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.307617] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.314799] device bridge_slave_1 entered promiscuous mode
[ 54.330459] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.339533] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.355147] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.362568] team0: Port device team_slave_0 added
[ 54.368212] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.376220] team0: Port device team_slave_1 added
[ 54.389132] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 54.395533] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.420893] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 54.432625] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 54.438890] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.464136] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 54.475081] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.482685] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.541595] device hsr_slave_0 entered promiscuous mode
[ 54.579684] device hsr_slave_1 entered promiscuous mode
[ 54.620330] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.627515] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.673980] audit: type=1400 audit(1582716277.587:38): avc: denied { create } for pid=8171 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.693800] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.699023] audit: type=1400 audit(1582716277.587:39): avc: denied { write } for pid=8171 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.704358] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.729052] audit: type=1400 audit(1582716277.597:40): avc: denied { read } for pid=8171 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.735093] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.764937] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.800686] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 54.806808] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.815880] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.824941] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.844390] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.851819] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.858930] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 54.870279] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.876440] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.885775] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.893516] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.899887] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.910114] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.917786] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.924265] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.941290] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.949624] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.958474] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.969927] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.980793] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.990847] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 54.996924] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 55.009847] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 55.018680] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 55.025891] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 55.036679] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 55.050037] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 55.060331] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 55.103880] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 55.111810] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 55.118446] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 55.128343] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 55.135948] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 55.143054] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 55.152490] device veth0_vlan entered promiscuous mode
[ 55.161872] device veth1_vlan entered promiscuous mode
[ 55.167690] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 55.178175] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 55.191455] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 55.201139] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 55.208485] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 55.216204] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 55.225724] device veth0_macvtap entered promiscuous mode
[ 55.234904] device veth1_macvtap entered promiscuous mode
[ 55.244716] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 55.254101] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 55.264053] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 55.271520] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 55.278369] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 55.287415] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 55.297770] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 55.306240] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 55.313453] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 55.321399] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 55.433505] audit: type=1400 audit(1582716278.347:41): avc: denied { associate } for pid=8171 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 55.613861] ==================================================================
[ 55.621382] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 55.627920] Read of size 8 at addr ffff888094b4d360 by task syz-executor.0/8231
[ 55.635358]
[ 55.636993] CPU: 1 PID: 8231 Comm: syz-executor.0 Not tainted 4.19.106-syzkaller #0
[ 55.644786] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.654317] Call Trace:
[ 55.656990]  dump_stack+0x197/0x210
[ 55.660674]  ? __list_add_valid+0x9a/0xa0
[ 55.664817]  print_address_description.cold+0x7c/0x20d
[ 55.670140]  ? __list_add_valid+0x9a/0xa0
[ 55.674449]  kasan_report.cold+0x8c/0x2ba
[ 55.678622]  __asan_report_load8_noabort+0x14/0x20
[ 55.683782]  __list_add_valid+0x9a/0xa0
[ 55.687819]  rdma_listen+0x63b/0x8e0
[ 55.691543]  ucma_listen+0x14d/0x1c0
[ 55.695386]  ? ucma_notify+0x190/0x190
[ 55.699289]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.704866]  ? _copy_from_user+0xdd/0x150
[ 55.709066]  ucma_write+0x2d7/0x3c0
[ 55.712762]  ? ucma_notify+0x190/0x190
[ 55.716681]  ? ucma_open+0x290/0x290
[ 55.720405]  __vfs_write+0x114/0x810
[ 55.724173]  ? ucma_open+0x290/0x290
[ 55.728012]  ? kernel_read+0x120/0x120
[ 55.731897]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 55.737438]  ? __inode_security_revalidate+0xda/0x120
[ 55.742629]  ? avc_policy_seqno+0xd/0x70
[ 55.746741]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 55.751768]  ? selinux_file_permission+0x92/0x550
[ 55.756612]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.762184]  ? security_file_permission+0x89/0x230
[ 55.767146]  ? rw_verify_area+0x118/0x360
[ 55.771302]  vfs_write+0x20c/0x560
[ 55.775025]  ksys_write+0x14f/0x2d0
[ 55.778662]  ? __ia32_sys_read+0xb0/0xb0
[ 55.782735]  ? do_syscall_64+0x26/0x620
[ 55.786705]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.792071]  ? do_syscall_64+0x26/0x620
[ 55.796042]  __x64_sys_write+0x73/0xb0
[ 55.799966]  do_syscall_64+0xfd/0x620
[ 55.803786]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.809019] RIP: 0033:0x45c449
[ 55.812245] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.831143] RSP: 002b:00007f071bd0fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 55.838921] RAX: ffffffffffffffda RBX: 00007f071bd106d4 RCX: 000000000045c449
[ 55.846287] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 55.853556] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 55.861615] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 55.868878] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c
[ 55.876152]
[ 55.877772] Allocated by task 8225:
[ 55.881405]  save_stack+0x45/0xd0
[ 55.884866]  kasan_kmalloc+0xce/0xf0
[ 55.888576]  kmem_cache_alloc_trace+0x152/0x760
[ 55.893252]  __rdma_create_id+0x5e/0x610
[ 55.897403]  ucma_create_id+0x1de/0x640
[ 55.901407]  ucma_write+0x2d7/0x3c0
[ 55.905024]  __vfs_write+0x114/0x810
[ 55.908731]  vfs_write+0x20c/0x560
[ 55.912260]  ksys_write+0x14f/0x2d0
[ 55.915922]  __x64_sys_write+0x73/0xb0
[ 55.919806]  do_syscall_64+0xfd/0x620
[ 55.923657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.928836]
[ 55.930451] Freed by task 8225:
[ 55.933735]  save_stack+0x45/0xd0
[ 55.937185]  __kasan_slab_free+0x102/0x150
[ 55.941460]  kasan_slab_free+0xe/0x10
[ 55.945315]  kfree+0xcf/0x220
[ 55.948417]  rdma_destroy_id+0x726/0xab0
[ 55.952483]  ucma_close+0x115/0x320
[ 55.956104]  __fput+0x2dd/0x8b0
[ 55.959479]  ____fput+0x16/0x20
[ 55.962752]  task_work_run+0x145/0x1c0
[ 55.966637]  exit_to_usermode_loop+0x273/0x2c0
[ 55.971222]  do_syscall_64+0x53d/0x620
[ 55.975111]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.980380]
[ 55.982007] The buggy address belongs to the object at ffff888094b4d180
[ 55.982007]  which belongs to the cache kmalloc-2048 of size 2048
[ 55.994838] The buggy address is located 480 bytes inside of
[ 55.994838]  2048-byte region [ffff888094b4d180, ffff888094b4d980)
[ 56.006801] The buggy address belongs to the page:
[ 56.011740] page:ffffea000252d300 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[ 56.021708] flags: 0xfffe0000008100(slab|head)
[ 56.026293] raw: 00fffe0000008100 ffffea00024e6788 ffffea0002254808 ffff88812c31cc40
[ 56.034183] raw: 0000000000000000 ffff888094b4c080 0000000100000003 0000000000000000
[ 56.042056] page dumped because: kasan: bad access detected
[ 56.047764]
[ 56.049396] Memory state around the buggy address:
[ 56.054465]  ffff888094b4d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.061831]  ffff888094b4d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.069187] >ffff888094b4d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.076597]                                                        ^
[ 56.083111]  ffff888094b4d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.090477]  ffff888094b4d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.097877] ==================================================================
[ 56.105348] Disabling lock debugging due to kernel taint
[ 56.113076] Kernel panic - not syncing: panic_on_warn set ...
[ 56.113076]
[ 56.120489] CPU: 0 PID: 8231 Comm: syz-executor.0 Tainted: G    B   4.19.106-syzkaller #0
[ 56.130654] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.140159] Call Trace:
[ 56.142740]  dump_stack+0x197/0x210
[ 56.146406]  ? __list_add_valid+0x9a/0xa0
[ 56.150542]  panic+0x26a/0x50e
[ 56.153762]  ? __warn_printk+0xf3/0xf3
[ 56.157665]  ? __list_add_valid+0x9a/0xa0
[ 56.161862]  ? preempt_schedule+0x4b/0x60
[ 56.165998]  ? ___preempt_schedule+0x16/0x18
[ 56.170415]  ? trace_hardirqs_on+0x5e/0x220
[ 56.174754]  ? __list_add_valid+0x9a/0xa0
[ 56.178967]  kasan_end_report+0x47/0x4f
[ 56.182960]  kasan_report.cold+0xa9/0x2ba
[ 56.187111]  __asan_report_load8_noabort+0x14/0x20
[ 56.192043]  __list_add_valid+0x9a/0xa0
[ 56.196015]  rdma_listen+0x63b/0x8e0
[ 56.199718]  ucma_listen+0x14d/0x1c0
[ 56.203439]  ? ucma_notify+0x190/0x190
[ 56.207366]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 56.212894]  ? _copy_from_user+0xdd/0x150
[ 56.217032]  ucma_write+0x2d7/0x3c0
[ 56.220650]  ? ucma_notify+0x190/0x190
[ 56.224520]  ? ucma_open+0x290/0x290
[ 56.228223]  __vfs_write+0x114/0x810
[ 56.231922]  ? ucma_open+0x290/0x290
[ 56.235674]  ? kernel_read+0x120/0x120
[ 56.239564]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 56.245103]  ? __inode_security_revalidate+0xda/0x120
[ 56.250288]  ? avc_policy_seqno+0xd/0x70
[ 56.254341]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 56.259365]  ? selinux_file_permission+0x92/0x550
[ 56.264203]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.269727]  ? security_file_permission+0x89/0x230
[ 56.274653]  ? rw_verify_area+0x118/0x360
[ 56.278813]  vfs_write+0x20c/0x560
[ 56.282386]  ksys_write+0x14f/0x2d0
[ 56.286009]  ? __ia32_sys_read+0xb0/0xb0
[ 56.290075]  ? do_syscall_64+0x26/0x620
[ 56.294097]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.299678]  ? do_syscall_64+0x26/0x620
[ 56.303644]  __x64_sys_write+0x73/0xb0
[ 56.307520]  do_syscall_64+0xfd/0x620
[ 56.311312]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.316546] RIP: 0033:0x45c449
[ 56.319734] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.338664] RSP: 002b:00007f071bd0fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 56.346401] RAX: ffffffffffffffda RBX: 00007f071bd106d4 RCX: 000000000045c449
[ 56.353666] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 56.361095] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 56.368355] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 56.375621] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c
[ 56.384309] Kernel Offset: disabled
[ 56.387953] Rebooting in 86400 seconds..