[ ok ] Starting periodic command scheduler: cron.
[ 40.063988] audit: type=1800 audit(1578320223.318:32): pid=7816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 40.608022] audit: type=1800 audit(1578320223.858:33): pid=7816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 45.935935] kauditd_printk_skb: 1 callbacks suppressed
[ 45.935951] audit: type=1400 audit(1578320229.188:35): avc: denied { map } for pid=7991 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.40' (ECDSA) to the list of known hosts.
[ 52.553854] audit: type=1400 audit(1578320235.808:36): avc: denied { map } for pid=8003 comm="syz-executor042" path="/root/syz-executor042422457" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.572787] IPVS: ftp: loaded support on port[0] = 21
[ 52.607756] audit: type=1400 audit(1578320235.858:37): avc: denied { create } for pid=8004 comm="syz-executor042" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 52.633657] audit: type=1400 audit(1578320235.858:38): avc: denied { write } for pid=8004 comm="syz-executor042" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 52.658367] audit: type=1400 audit(1578320235.858:39): avc: denied { read } for pid=8004 comm="syz-executor042" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 52.718920] chnl_net:caif_netlink_parms(): no params data found
[ 52.753366] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.760545] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.768174] device bridge_slave_0 entered promiscuous mode
[ 52.776052] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.782760] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.790561] device bridge_slave_1 entered promiscuous mode
[ 52.806130] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.817065] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.834160] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.842127] team0: Port device team_slave_0 added
[ 52.847626] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.856188] team0: Port device team_slave_1 added
[ 52.861894] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.869593] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.921279] device hsr_slave_0 entered promiscuous mode
[ 52.959621] device hsr_slave_1 entered promiscuous mode
[ 53.000010] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 53.007349] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 53.052387] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.058823] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.065771] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.072318] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.105052] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 53.112486] 8021q: adding VLAN 0 to HW filter on device bond0
[ 53.121340] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.131412] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.150414] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.158837] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.166403] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 53.176552] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 53.182902] 8021q: adding VLAN 0 to HW filter on device team0
[ 53.192437] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 53.200331] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.206683] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 53.220696] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 53.228404] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.234824] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.245879] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.253799] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 53.263962] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.278423] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 53.289250] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 53.300442] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 53.307072] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.315151] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.323239] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.335267] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 53.344115] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 53.351196] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 53.363617] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.376633] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 53.386619] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 53.427328] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 53.434760] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 53.442161] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 53.452663] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 53.460285] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 53.467275] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
executing program
[ 53.476135] device veth0_vlan entered promiscuous mode
[ 53.486119] device veth1_vlan entered promiscuous mode
[ 53.492250] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 53.502138] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 53.529602] protocol 88fb is buggy, dev hsr_slave_0
[ 53.534860] protocol 88fb is buggy, dev hsr_slave_1
[ 53.550386] ==================================================================
[ 53.558017] BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x57c/0x660
[ 53.565137] Read of size 4 at addr ffff88808ec93a01 by task syz-executor042/8004
[ 53.572723]
[ 53.574411] CPU: 0 PID: 8004 Comm: syz-executor042 Not tainted 4.19.93-syzkaller #0
[ 53.582546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.591981] Call Trace:
[ 53.594849]  dump_stack+0x197/0x210
[ 53.598478]  ? macvlan_broadcast+0x57c/0x660
[ 53.602901]  print_address_description.cold+0x7c/0x20d
[ 53.608180]  ? macvlan_broadcast+0x57c/0x660
[ 53.612590]  kasan_report.cold+0x8c/0x2ba
[ 53.617176]  __asan_report_load_n_noabort+0xf/0x20
[ 53.622109]  macvlan_broadcast+0x57c/0x660
[ 53.626484]  macvlan_start_xmit+0x408/0x785
[ 53.630955]  dev_direct_xmit+0x34d/0x650
[ 53.635069]  ? validate_xmit_skb_list+0x130/0x130
[ 53.639910]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.645451]  ? skb_copy_datagram_from_iter+0x441/0x660
[ 53.649436] protocol 88fb is buggy, dev hsr_slave_0
[ 53.650733]  packet_direct_xmit+0xf9/0x170
[ 53.655986] protocol 88fb is buggy, dev hsr_slave_1
[ 53.660171]  packet_sendmsg+0x3bb2/0x6440
[ 53.660208]  ? packet_notifier+0x840/0x840
[ 53.660228]  ? release_sock+0x156/0x1c0
[ 53.677691]  ? selinux_socket_sendmsg+0x36/0x40
[ 53.682363]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.687898]  ? security_socket_sendmsg+0x8d/0xc0
[ 53.692651]  ? packet_notifier+0x840/0x840
[ 53.696923]  sock_sendmsg+0xd7/0x130
[ 53.700639]  __sys_sendto+0x262/0x380
[ 53.704438]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 53.709105]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 53.709670] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 53.713700]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.721243] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 53.726006]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.737508]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.742283]  ? do_syscall_64+0x26/0x620
[ 53.746378]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.751838]  __x64_sys_sendto+0xe1/0x1a0
[ 53.755980]  do_syscall_64+0xfd/0x620
[ 53.759916]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.765274] RIP: 0033:0x442529
[ 53.768469] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.769458] protocol 88fb is buggy, dev hsr_slave_0
[ 53.787380] RSP: 002b:00007ffd950789f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 53.787395] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442529
[ 53.787403] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 53.787411] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 53.787423] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 53.792552] protocol 88fb is buggy, dev hsr_slave_1
[ 53.800198] R13: 0000000000403aa0 R14: 0000000000000000 R15: 0000000000000000
[ 53.800218]
[ 53.800225] Allocated by task 8004:
[ 53.800242]  save_stack+0x45/0xd0
[ 53.800258]  kasan_kmalloc+0xce/0xf0
[ 53.854479]  __kmalloc_track_caller+0x159/0x750
[ 53.859363]  kmemdup+0x27/0x60
[ 53.862575]  __addrconf_sysctl_register+0xae/0x430
[ 53.867503]  addrconf_sysctl_register+0x140/0x1e0
[ 53.873318]  ipv6_add_dev+0x9d0/0x10a0
[ 53.877278]  addrconf_notify+0x960/0x2160
[ 53.881442]  notifier_call_chain+0xc2/0x230
[ 53.885757]  raw_notifier_call_chain+0x2e/0x40
[ 53.890333]  call_netdevice_notifiers_info+0x3f/0x90
[ 53.895429]  register_netdevice+0xa4d/0xff0
[ 53.899752]  rtnl_newlink+0x13de/0x1600
[ 53.903822]  rtnetlink_rcv_msg+0x463/0xb00
[ 53.908051]  netlink_rcv_skb+0x17d/0x460
[ 53.912126]  rtnetlink_rcv+0x1d/0x30
[ 53.915921]  netlink_unicast+0x53a/0x730
[ 53.919979]  netlink_sendmsg+0x8ae/0xd70
[ 53.924118]  sock_sendmsg+0xd7/0x130
[ 53.927821]  __sys_sendto+0x262/0x380
[ 53.931614]  __x64_sys_sendto+0xe1/0x1a0
[ 53.935839]  do_syscall_64+0xfd/0x620
[ 53.939640]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.944939]
[ 53.946559] Freed by task 0:
[ 53.949640] (stack is not available)
[ 53.953341]
[ 53.955026] The buggy address belongs to the object at ffff88808ec92c40
[ 53.955026]  which belongs to the cache kmalloc-4096 of size 4096
[ 53.967874] The buggy address is located 3521 bytes inside of
[ 53.967874]  4096-byte region [ffff88808ec92c40, ffff88808ec93c40)
[ 53.980178] The buggy address belongs to the page:
[ 53.985107] page:ffffea00023b2480 count:1 mapcount:0 mapping:ffff88812c31cdc0 index:0x0 compound_mapcount: 0
[ 53.995255] flags: 0xfffe0000008100(slab|head)
[ 53.999834] raw: 00fffe0000008100 ffffea00023d5108 ffffea00024a1a88 ffff88812c31cdc0
[ 54.007713] raw: 0000000000000000 ffff88808ec92c40 0000000100000001 0000000000000000
[ 54.015588] page dumped because: kasan: bad access detected
[ 54.021289]
[ 54.022940] Memory state around the buggy address:
[ 54.027894]  ffff88808ec93900: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 54.035337]  ffff88808ec93980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.042736] >ffff88808ec93a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.050095]                    ^
[ 54.053470]  ffff88808ec93a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.060827]  ffff88808ec93b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.068173] ==================================================================
[ 54.075547] Disabling lock debugging due to kernel taint
[ 54.081024] Kernel panic - not syncing: panic_on_warn set ...
[ 54.081024]
[ 54.088552] CPU: 0 PID: 8004 Comm: syz-executor042 Tainted: G B 4.19.93-syzkaller #0
[ 54.097755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.107173] Call Trace:
[ 54.109838]  dump_stack+0x197/0x210
[ 54.113535]  ? macvlan_broadcast+0x57c/0x660
[ 54.118049]  panic+0x26a/0x50e
[ 54.121242]  ? __warn_printk+0xf3/0xf3
[ 54.125122]  ? retint_kernel+0x2d/0x2d
[ 54.129178]  ? trace_hardirqs_on+0x5e/0x220
[ 54.133503]  ? macvlan_broadcast+0x57c/0x660
[ 54.138089]  kasan_end_report+0x47/0x4f
[ 54.142058]  kasan_report.cold+0xa9/0x2ba
[ 54.146349]  __asan_report_load_n_noabort+0xf/0x20
[ 54.151274]  macvlan_broadcast+0x57c/0x660
[ 54.155745]  macvlan_start_xmit+0x408/0x785
[ 54.160105]  dev_direct_xmit+0x34d/0x650
[ 54.164194]  ? validate_xmit_skb_list+0x130/0x130
[ 54.169067]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.174600]  ? skb_copy_datagram_from_iter+0x441/0x660
[ 54.179873]  packet_direct_xmit+0xf9/0x170
[ 54.184115]  packet_sendmsg+0x3bb2/0x6440
[ 54.188295]  ? packet_notifier+0x840/0x840
[ 54.192525]  ? release_sock+0x156/0x1c0
[ 54.196498]  ? selinux_socket_sendmsg+0x36/0x40
[ 54.201160]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.206688]  ? security_socket_sendmsg+0x8d/0xc0
[ 54.211531]  ? packet_notifier+0x840/0x840
[ 54.215759]  sock_sendmsg+0xd7/0x130
[ 54.219471]  __sys_sendto+0x262/0x380
[ 54.223266]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 54.227929]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 54.232781]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.238314]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.243070]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.247853]  ? do_syscall_64+0x26/0x620
[ 54.251828]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.257217]  __x64_sys_sendto+0xe1/0x1a0
[ 54.261403]  do_syscall_64+0xfd/0x620
[ 54.265198]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.270377] RIP: 0033:0x442529
[ 54.273653] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.292729] RSP: 002b:00007ffd950789f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 54.300434] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442529
[ 54.307710] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 54.314973] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 54.322242] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 54.329593] R13: 0000000000403aa0 R14: 0000000000000000 R15: 0000000000000000
[ 54.338470] Kernel Offset: disabled
[ 54.342109] Rebooting in 86400 seconds..