Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[ 97.814022] audit: type=1400 audit(1561632172.922:36): avc: denied { map } for pid=8112 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/27 10:42:53 parsed 1 programs
[ 98.794512] audit: type=1400 audit(1561632173.902:37): avc: denied { map } for pid=8112 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1060 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/27 10:42:55 executed programs: 0
[ 100.742223] IPVS: ftp: loaded support on port[0] = 21
[ 100.806797] chnl_net:caif_netlink_parms(): no params data found
[ 100.840609] bridge0: port 1(bridge_slave_0) entered blocking state
[ 100.847708] bridge0: port 1(bridge_slave_0) entered disabled state
[ 100.855939] device bridge_slave_0 entered promiscuous mode
[ 100.864083] bridge0: port 2(bridge_slave_1) entered blocking state
[ 100.870788] bridge0: port 2(bridge_slave_1) entered disabled state
[ 100.878204] device bridge_slave_1 entered promiscuous mode
[ 100.894292] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 100.903680] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 100.921594] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 100.929597] team0: Port device team_slave_0 added
[ 100.935638] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 100.943281] team0: Port device team_slave_1 added
[ 100.948985] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 100.956880] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 101.010593] device hsr_slave_0 entered promiscuous mode
[ 101.069195] device hsr_slave_1 entered promiscuous mode
[ 101.119684] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 101.130078] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 101.146125] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.152755] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 101.160225] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.166772] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 101.202508] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 101.209782] 8021q: adding VLAN 0 to HW filter on device bond0
[ 101.218640] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 101.231231] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 101.240995] bridge0: port 1(bridge_slave_0) entered disabled state
[ 101.249454] bridge0: port 2(bridge_slave_1) entered disabled state
[ 101.257610] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 101.269585] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 101.276062] 8021q: adding VLAN 0 to HW filter on device team0
[ 101.287563] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 101.295530] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.302202] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 101.312867] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 101.321224] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.328177] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 101.348722] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 101.361068] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 101.372318] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 101.380189] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 101.389672] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 101.398730] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 101.406889] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 101.415357] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 101.422812] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 101.435096] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 101.445515] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 101.465432] audit: type=1400 audit(1561632176.582:38): avc: denied { associate } for pid=8128 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 105.679777]
[ 105.681751] =====================================
[ 105.686595] WARNING: bad unlock balance detected!
[ 105.691528] 4.19.56 #28 Not tainted
[ 105.695310] -------------------------------------
[ 105.700583] syz-executor.0/9212 is trying to release lock (&file->mut) at:
[ 105.707855] [] ucma_destroy_id+0x24c/0x4a0
[ 105.713900] but there are no more locks to release!
[ 105.718928]
[ 105.718928] other info that might help us debug this:
[ 105.725597] 1 lock held by syz-executor.0/9212:
[ 105.730273] #0: 0000000062f54a15 (&file->mut){+.+.}, at: ucma_destroy_id+0x1e9/0x4a0
[ 105.738274]
[ 105.738274] stack backtrace:
[ 105.742958] CPU: 0 PID: 9212 Comm: syz-executor.0 Not tainted 4.19.56 #28
[ 105.749872] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 105.759391] Call Trace:
[ 105.762027] dump_stack+0x172/0x1f0
[ 105.765808] ? ucma_destroy_id+0x24c/0x4a0
[ 105.770068] print_unlock_imbalance_bug.cold+0x114/0x123
[ 105.775534] ? ucma_destroy_id+0x24c/0x4a0
[ 105.779874] lock_release+0x6cd/0xa30
[ 105.783705] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 105.789330] ? lock_downgrade+0x810/0x810
[ 105.794001] ? mutex_trylock+0x1e0/0x1e0
[ 105.798091] __mutex_unlock_slowpath+0x8e/0x6b0
[ 105.802757] ? wait_for_completion+0x440/0x440
[ 105.807337] mutex_unlock+0xd/0x10
[ 105.810969] ucma_destroy_id+0x24c/0x4a0
[ 105.815127] ? ucma_close+0x320/0x320
[ 105.818953] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 105.824933] ? _copy_from_user+0xdd/0x150
[ 105.829519] ucma_write+0x2d7/0x3c0
[ 105.833176] ? ucma_close+0x320/0x320
[ 105.837004] ? ucma_open+0x290/0x290
[ 105.840735] __vfs_write+0x114/0x810
[ 105.846458] ? ucma_open+0x290/0x290
[ 105.850167] ? kernel_read+0x120/0x120
[ 105.854048] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 105.859592] ? __inode_security_revalidate+0xda/0x120
[ 105.864850] ? avc_policy_seqno+0xd/0x70
[ 105.868910] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 105.873921] ? selinux_file_permission+0x92/0x550
[ 105.878761] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 105.884302] ? security_file_permission+0x89/0x230
[ 105.889230] ? rw_verify_area+0x118/0x360
[ 105.893371] vfs_write+0x20c/0x560
[ 105.896953] ksys_write+0x14f/0x2d0
[ 105.900579] ? __ia32_sys_read+0xb0/0xb0
[ 105.904982] ? do_syscall_64+0x26/0x620
[ 105.908958] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.914584] ? do_syscall_64+0x26/0x620
[ 105.918566] __x64_sys_write+0x73/0xb0
[ 105.922453] do_syscall_64+0xfd/0x620
[ 105.926272] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.931470] RIP: 0033:0x459519
[ 105.934681] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 105.953856] RSP: 002b:00007f97ccf3fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 105.961572] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 105.968864] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 105.976153] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 105.983688] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f97ccf406d4
[ 105.990980] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 106.000236] ==================================================================
[ 106.007664] BUG: KASAN: use-after-free in ucma_destroy_id+0x44c/0x4a0
[ 106.014253] Read of size 8 at addr ffff8880a1fd3da8 by task syz-executor.0/9212
[ 106.022452]
[ 106.024089] CPU: 0 PID: 9212 Comm: syz-executor.0 Not tainted 4.19.56 #28
[ 106.031006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.040358] Call Trace:
[ 106.042949] dump_stack+0x172/0x1f0
[ 106.046585] ? ucma_destroy_id+0x44c/0x4a0
[ 106.050943] print_address_description.cold+0x7c/0x20d
[ 106.056233] ? ucma_destroy_id+0x44c/0x4a0
[ 106.060556] kasan_report.cold+0x8c/0x2ba
[ 106.064718] __asan_report_load8_noabort+0x14/0x20
[ 106.069825] ucma_destroy_id+0x44c/0x4a0
[ 106.073895] ? ucma_close+0x320/0x320
[ 106.077706] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 106.083250] ? _copy_from_user+0xdd/0x150
[ 106.087410] ucma_write+0x2d7/0x3c0
[ 106.091045] ? ucma_close+0x320/0x320
[ 106.094846] ? ucma_open+0x290/0x290
[ 106.098564] __vfs_write+0x114/0x810
[ 106.102280] ? ucma_open+0x290/0x290
[ 106.106022] ? kernel_read+0x120/0x120
[ 106.109910] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 106.115581] ? __inode_security_revalidate+0xda/0x120
[ 106.120787] ? avc_policy_seqno+0xd/0x70
[ 106.124882] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 106.129946] ? selinux_file_permission+0x92/0x550
[ 106.134805] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 106.140646] ? security_file_permission+0x89/0x230
[ 106.145697] ? rw_verify_area+0x118/0x360
[ 106.150212] vfs_write+0x20c/0x560
[ 106.153779] ksys_write+0x14f/0x2d0
[ 106.157446] ? __ia32_sys_read+0xb0/0xb0
[ 106.161501] ? do_syscall_64+0x26/0x620
[ 106.165496] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.170869] ? do_syscall_64+0x26/0x620
[ 106.174838] __x64_sys_write+0x73/0xb0
[ 106.178727] do_syscall_64+0xfd/0x620
[ 106.182615] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.187837] RIP: 0033:0x459519
[ 106.191021] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 106.210625] RSP: 002b:00007f97ccf3fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 106.218331] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 106.225620] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 106.233159] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 106.240446] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f97ccf406d4
[ 106.248346] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 106.255706]
[ 106.257331] Allocated by task 9208:
[ 106.260981] save_stack+0x45/0xd0
[ 106.264437] kasan_kmalloc+0xce/0xf0
[ 106.268158] kmem_cache_alloc_trace+0x152/0x760
[ 106.273092] ucma_alloc_ctx+0x4e/0x4e0
[ 106.276984] ucma_create_id+0x12d/0x640
[ 106.280961] ucma_write+0x2d7/0x3c0
[ 106.284584] __vfs_write+0x114/0x810
[ 106.288306] vfs_write+0x20c/0x560
[ 106.291996] ksys_write+0x14f/0x2d0
[ 106.295742] __x64_sys_write+0x73/0xb0
[ 106.299635] do_syscall_64+0xfd/0x620
[ 106.303636] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.308906]
[ 106.310524] Freed by task 9206:
[ 106.313855] save_stack+0x45/0xd0
[ 106.317303] __kasan_slab_free+0x102/0x150
[ 106.321553] kasan_slab_free+0xe/0x10
[ 106.325356] kfree+0xcf/0x220
[ 106.328480] ucma_free_ctx+0x801/0xb90
[ 106.332371] ucma_close+0x122/0x320
[ 106.336014] __fput+0x2dd/0x8b0
[ 106.339377] ____fput+0x16/0x20
[ 106.342761] task_work_run+0x145/0x1c0
[ 106.346639] exit_to_usermode_loop+0x273/0x2c0
[ 106.351236] do_syscall_64+0x53d/0x620
[ 106.355129] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.360317]
[ 106.361951] The buggy address belongs to the object at ffff8880a1fd3d40
[ 106.361951] which belongs to the cache kmalloc-256 of size 256
[ 106.375448] The buggy address is located 104 bytes inside of
[ 106.375448] 256-byte region [ffff8880a1fd3d40, ffff8880a1fd3e40)
[ 106.387602] The buggy address belongs to the page:
[ 106.392703] page:ffffea000287f4c0 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[ 106.400846] flags: 0x1fffc0000000100(slab)
[ 106.405077] raw: 01fffc0000000100 ffffea000287f148 ffffea0002853908 ffff88812c3f07c0
[ 106.413218] raw: 0000000000000000 ffff8880a1fd30c0 000000010000000c 0000000000000000
[ 106.421210] page dumped because: kasan: bad access detected
[ 106.426939]
[ 106.428581] Memory state around the buggy address:
[ 106.433510] ffff8880a1fd3c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.441062] ffff8880a1fd3d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 106.448832] >ffff8880a1fd3d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.456369] ^
[ 106.461038] ffff8880a1fd3e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 106.468520] ffff8880a1fd3e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.475883] ==================================================================
[ 106.484717] Kernel panic - not syncing: panic_on_warn set ...
[ 106.484717]
[ 106.492112] CPU: 0 PID: 9212 Comm: syz-executor.0 Tainted: G B 4.19.56 #28
[ 106.500522] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.509893] Call Trace:
[ 106.512492] dump_stack+0x172/0x1f0
[ 106.516123] ? ucma_destroy_id+0x44c/0x4a0
[ 106.520418] panic+0x263/0x507
[ 106.523962] ? __warn_printk+0xf3/0xf3
[ 106.527870] ? ucma_destroy_id+0x44c/0x4a0
[ 106.532142] ? preempt_schedule+0x4b/0x60
[ 106.538438] ? ___preempt_schedule+0x16/0x18
[ 106.542852] ? trace_hardirqs_on+0x5e/0x220
[ 106.547212] ? ucma_destroy_id+0x44c/0x4a0
[ 106.551674] kasan_end_report+0x47/0x4f
[ 106.555856] kasan_report.cold+0xa9/0x2ba
[ 106.560145] __asan_report_load8_noabort+0x14/0x20
[ 106.565569] ucma_destroy_id+0x44c/0x4a0
[ 106.569726] ? ucma_close+0x320/0x320
[ 106.573548] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 106.579417] ? _copy_from_user+0xdd/0x150
[ 106.584021] ucma_write+0x2d7/0x3c0
[ 106.587691] ? ucma_close+0x320/0x320
[ 106.591549] ? ucma_open+0x290/0x290
[ 106.595275] __vfs_write+0x114/0x810
[ 106.599085] ? ucma_open+0x290/0x290
[ 106.602841] ? kernel_read+0x120/0x120
[ 106.606747] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 106.612315] ? __inode_security_revalidate+0xda/0x120
[ 106.617516] ? avc_policy_seqno+0xd/0x70
[ 106.621612] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 106.626635] ? selinux_file_permission+0x92/0x550
[ 106.631578] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 106.637120] ? security_file_permission+0x89/0x230
[ 106.642044] ? rw_verify_area+0x118/0x360
[ 106.646185] vfs_write+0x20c/0x560
[ 106.649741] ksys_write+0x14f/0x2d0
[ 106.653759] ? __ia32_sys_read+0xb0/0xb0
[ 106.657854] ? do_syscall_64+0x26/0x620
[ 106.661907] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.667267] ? do_syscall_64+0x26/0x620
[ 106.671395] __x64_sys_write+0x73/0xb0
[ 106.675457] do_syscall_64+0xfd/0x620
[ 106.679582] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.685078] RIP: 0033:0x459519
[ 106.688651] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 106.707553] RSP: 002b:00007f97ccf3fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 106.715257] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459519
[ 106.722525] RDX: 0000000020000118 RSI: 0000000020000100 RDI: 0000000000000003
[ 106.729802] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 106.737066] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f97ccf406d4
[ 106.744438] R13: 00000000004d0138 R14: 00000000004e02c8 R15: 00000000ffffffff
[ 106.753157] Kernel Offset: disabled
[ 106.756860] Rebooting in 86400 seconds..