[ 44.501368] audit: type=1800 audit(1585460505.296:31): pid=7937 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2469 res=0
[ 44.522937] audit: type=1800 audit(1585460505.296:32): pid=7937 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].
[....] Starting file context maintaining daemon: restorecond[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.118' (ECDSA) to the list of known hosts.
syzkaller login: [ 53.637709] kauditd_printk_skb: 3 callbacks suppressed
[ 53.637724] audit: type=1400 audit(1585460514.486:36): avc: denied { map } for pid=8121 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/03/29 05:41:54 parsed 1 programs
[ 54.830347] audit: type=1400 audit(1585460515.686:37): avc: denied { map } for pid=8121 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=17185 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/03/29 05:41:55 executed programs: 0
[ 55.030750] IPVS: ftp: loaded support on port[0] = 21
[ 55.102130] chnl_net:caif_netlink_parms(): no params data found
[ 55.154065] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.161928] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.170321] device bridge_slave_0 entered promiscuous mode
[ 55.178155] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.184972] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.192232] device bridge_slave_1 entered promiscuous mode
[ 55.208864] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 55.219223] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 55.237510] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 55.245461] team0: Port device team_slave_0 added
[ 55.251373] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 55.258652] team0: Port device team_slave_1 added
[ 55.275118] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 55.281466] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 55.308009] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 55.320745] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 55.327307] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 55.355561] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 55.366756] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 55.375249] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 55.461553] device hsr_slave_0 entered promiscuous mode
[ 55.509700] device hsr_slave_1 entered promiscuous mode
[ 55.560687] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 55.568274] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 55.622037] audit: type=1400 audit(1585460516.476:38): avc: denied { create } for pid=8139 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 55.646556] audit: type=1400 audit(1585460516.476:39): avc: denied { write } for pid=8139 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 55.669072] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.672524] audit: type=1400 audit(1585460516.496:40): avc: denied { read } for pid=8139 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 55.677946] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.709059] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.727111] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.764850] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 55.773789] 8021q: adding VLAN 0 to HW filter on device bond0
[ 55.782342] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 55.791648] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 55.801892] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.820408] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.827754] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 55.839831] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 55.846073] 8021q: adding VLAN 0 to HW filter on device team0
[ 55.856485] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 55.864372] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.871033] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 55.882191] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 55.890160] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.896667] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 55.912487] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 55.921123] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 55.932299] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 55.946244] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 55.957500] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 55.968710] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 55.975744] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 55.984445] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 55.992591] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 56.007320] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 56.017244] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 56.025197] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 56.038704] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 56.053689] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 56.065258] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 56.106225] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 56.115067] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 56.123275] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 56.133372] IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
[ 56.140637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 56.148365] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 56.157713] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 56.165376] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 56.174546] device veth0_vlan entered promiscuous mode
[ 56.185055] device veth1_vlan entered promiscuous mode
[ 56.192324] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 56.203421] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 56.216387] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 56.226837] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 56.234452] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 56.242475] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 56.250195] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 56.259689] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 56.270519] device veth0_macvtap entered promiscuous mode
[ 56.277036] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 56.285648] device veth1_macvtap entered promiscuous mode
[ 56.292546] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 56.302439] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 56.314795] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 56.325760] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 56.333476] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 56.340902] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 56.349254] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 56.357912] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 56.367060] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 56.380198] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 56.387386] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 56.395000] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 56.403308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 56.515789] audit: type=1400 audit(1585460517.366:41): avc: denied { associate } for pid=8139 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 56.778963] ==================================================================
[ 56.786755] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 56.793412] Read of size 8 at addr ffff88808239a5a0 by task syz-executor.0/8218
[ 56.801023]
[ 56.802754] CPU: 0 PID: 8218 Comm: syz-executor.0 Not tainted 4.19.113-syzkaller #0
[ 56.812295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.823326] Call Trace:
[ 56.825984]  dump_stack+0x188/0x20d
[ 56.830685]  ? __list_add_valid+0x93/0xa0
[ 56.835010]  print_address_description.cold+0x7c/0x212
[ 56.840604]  ? __list_add_valid+0x93/0xa0
[ 56.844803]  kasan_report.cold+0x88/0x2b9
[ 56.849096]  __list_add_valid+0x93/0xa0
[ 56.853344]  rdma_listen+0x609/0x880
[ 56.857071]  ucma_listen+0x14d/0x1c0
[ 56.860817]  ? ucma_notify+0x190/0x190
[ 56.864832]  ? __might_fault+0x192/0x1d0
[ 56.869259]  ? _copy_from_user+0xd2/0x140
[ 56.873707]  ? ucma_notify+0x190/0x190
[ 56.877892]  ucma_write+0x285/0x350
[ 56.881980]  ? ucma_open+0x280/0x280
[ 56.885794]  ? __fget+0x319/0x510
[ 56.889523]  __vfs_write+0xf7/0x760
[ 56.893182]  ? ucma_open+0x280/0x280
[ 56.896902]  ? kernel_read+0x110/0x110
[ 56.901041]  ? __inode_security_revalidate+0xd3/0x120
[ 56.906329]  ? avc_policy_seqno+0x9/0x70
[ 56.910430]  ? selinux_file_permission+0x87/0x520
[ 56.915459]  ? security_file_permission+0x84/0x220
[ 56.920433]  vfs_write+0x206/0x550
[ 56.924026]  ksys_write+0x12b/0x2a0
[ 56.927740]  ? __ia32_sys_read+0xb0/0xb0
[ 56.931796]  ? __ia32_sys_clock_settime+0x260/0x260
[ 56.937443]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 56.942298]  ? trace_hardirqs_off_caller+0x55/0x210
[ 56.947718]  ? do_syscall_64+0x21/0x620
[ 56.952780]  do_syscall_64+0xf9/0x620
[ 56.957349]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.963004] RIP: 0033:0x45c849
[ 56.966806] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.986431] RSP: 002b:00007f5334509c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 56.994537] RAX: ffffffffffffffda RBX: 00007f533450a6d4 RCX: 000000000045c849
[ 57.001968] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000005
[ 57.009239] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 57.016513] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 57.025074] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bf0c
[ 57.032942]
[ 57.034587] Allocated by task 8211:
[ 57.038332]  kasan_kmalloc+0xbf/0xe0
[ 57.042088]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 57.046775]  __rdma_create_id+0x5b/0x630
[ 57.051000]  ucma_create_id+0x1cb/0x5a0
[ 57.055330]  ucma_write+0x285/0x350
[ 57.059002]  __vfs_write+0xf7/0x760
[ 57.062675]  vfs_write+0x206/0x550
[ 57.066242]  ksys_write+0x12b/0x2a0
[ 57.069897]  do_syscall_64+0xf9/0x620
[ 57.073719]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.078898]
[ 57.080553] Freed by task 8210:
[ 57.083954]  __kasan_slab_free+0xf7/0x140
[ 57.088255]  kfree+0xce/0x220
[ 57.091445]  ucma_close+0x10b/0x320
[ 57.095226]  __fput+0x2cd/0x890
[ 57.098530]  task_work_run+0x13f/0x1b0
[ 57.102552]  exit_to_usermode_loop+0x25a/0x2b0
[ 57.107357]  do_syscall_64+0x538/0x620
[ 57.111528]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.116819]
[ 57.118449] The buggy address belongs to the object at ffff88808239a3c0
[ 57.118449]  which belongs to the cache kmalloc-2048 of size 2048
[ 57.131934] The buggy address is located 480 bytes inside of
[ 57.131934]  2048-byte region [ffff88808239a3c0, ffff88808239abc0)
[ 57.147178] The buggy address belongs to the page:
[ 57.153284] page:ffffea000208e680 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 57.163507] flags: 0xfffe0000008100(slab|head)
[ 57.168178] raw: 00fffe0000008100 ffffea0002088b88 ffffea000225a388 ffff88812c3dcc40
[ 57.176057] raw: 0000000000000000 ffff88808239a3c0 0000000100000003 0000000000000000
[ 57.184199] page dumped because: kasan: bad access detected
[ 57.189935]
[ 57.191600] Memory state around the buggy address:
[ 57.197458]  ffff88808239a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.204909]  ffff88808239a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.219699] >ffff88808239a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.228146]                                ^
[ 57.232560]  ffff88808239a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.239956]  ffff88808239a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.248580] ==================================================================
[ 57.256217] Disabling lock debugging due to kernel taint
[ 57.268755] Kernel panic - not syncing: panic_on_warn set ...
[ 57.268755]
[ 57.279125] CPU: 0 PID: 8218 Comm: syz-executor.0 Tainted: G    B   4.19.113-syzkaller #0
[ 57.288902] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.299206] Call Trace:
[ 57.301798]  dump_stack+0x188/0x20d
[ 57.305604]  panic+0x26a/0x50e
[ 57.308887]  ? __warn_printk+0xf3/0xf3
[ 57.312776]  ? preempt_schedule_common+0x4a/0xc0
[ 57.317647]  ? __list_add_valid+0x93/0xa0
[ 57.321939]  ? ___preempt_schedule+0x16/0x18
[ 57.326735]  ? trace_hardirqs_on+0x55/0x210
[ 57.331354]  ? __list_add_valid+0x93/0xa0
[ 57.335784]  kasan_end_report+0x43/0x49
[ 57.339760]  kasan_report.cold+0xa4/0x2b9
[ 57.343907]  __list_add_valid+0x93/0xa0
[ 57.347879]  rdma_listen+0x609/0x880
[ 57.351727]  ucma_listen+0x14d/0x1c0
[ 57.355576]  ? ucma_notify+0x190/0x190
[ 57.359638]  ? __might_fault+0x192/0x1d0
[ 57.363791]  ? _copy_from_user+0xd2/0x140
[ 57.367948]  ? ucma_notify+0x190/0x190
[ 57.372362]  ucma_write+0x285/0x350
[ 57.376007]  ? ucma_open+0x280/0x280
[ 57.379721]  ? __fget+0x319/0x510
[ 57.383171]  __vfs_write+0xf7/0x760
[ 57.386806]  ? ucma_open+0x280/0x280
[ 57.390611]  ? kernel_read+0x110/0x110
[ 57.394514]  ? __inode_security_revalidate+0xd3/0x120
[ 57.399834]  ? avc_policy_seqno+0x9/0x70
[ 57.403979]  ? selinux_file_permission+0x87/0x520
[ 57.408830]  ? security_file_permission+0x84/0x220
[ 57.413768]  vfs_write+0x206/0x550
[ 57.417439]  ksys_write+0x12b/0x2a0
[ 57.421062]  ? __ia32_sys_read+0xb0/0xb0
[ 57.425156]  ? __ia32_sys_clock_settime+0x260/0x260
[ 57.430167]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 57.435097]  ? trace_hardirqs_off_caller+0x55/0x210
[ 57.440459]  ? do_syscall_64+0x21/0x620
[ 57.444564]  do_syscall_64+0xf9/0x620
[ 57.448486]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.453878] RIP: 0033:0x45c849
[ 57.457438] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.476839] RSP: 002b:00007f5334509c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 57.484594] RAX: ffffffffffffffda RBX: 00007f533450a6d4 RCX: 000000000045c849
[ 57.491864] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000005
[ 57.499286] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 57.507150] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 57.514414] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bf0c
[ 57.523225] Kernel Offset: disabled
[ 57.526912] Rebooting in 86400 seconds..