[ 46.104539] audit: type=1800 audit(1585792402.461:30): pid=8007 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 51.797643] kauditd_printk_skb: 4 callbacks suppressed
[ 51.797656] audit: type=1400 audit(1585792408.171:35): avc: denied { map } for pid=8182 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.24' (ECDSA) to the list of known hosts.
[ 95.649917] audit: type=1400 audit(1585792452.021:36): avc: denied { map } for pid=8194 comm="syz-executor516" path="/root/syz-executor516463260" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 95.671931] IPVS: ftp: loaded support on port[0] = 21
[ 95.706365] audit: type=1400 audit(1585792452.071:37): avc: denied { create } for pid=8195 comm="syz-executor516" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 95.731278] audit: type=1400 audit(1585792452.081:38): avc: denied { write } for pid=8195 comm="syz-executor516" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 95.755914] audit: type=1400 audit(1585792452.081:39): avc: denied { read } for pid=8195 comm="syz-executor516" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 95.774055] chnl_net:caif_netlink_parms(): no params data found
[ 95.833327] bridge0: port 1(bridge_slave_0) entered blocking state
[ 95.840807] bridge0: port 1(bridge_slave_0) entered disabled state
[ 95.848485] device bridge_slave_0 entered promiscuous mode
[ 95.855804] bridge0: port 2(bridge_slave_1) entered blocking state
[ 95.862417] bridge0: port 2(bridge_slave_1) entered disabled state
[ 95.869466] device bridge_slave_1 entered promiscuous mode
[ 95.885828] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 95.895040] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 95.912327] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 95.920142] team0: Port device team_slave_0 added
[ 95.926845] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 95.935412] team0: Port device team_slave_1 added
[ 95.950298] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 95.957056] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 95.982831] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 95.994519] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 96.000820] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 96.026065] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 96.037024] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 96.044499] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 96.098494] device hsr_slave_0 entered promiscuous mode
[ 96.136516] device hsr_slave_1 entered promiscuous mode
[ 96.207133] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 96.214489] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 96.283693] bridge0: port 2(bridge_slave_1) entered blocking state
[ 96.290397] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 96.297421] bridge0: port 1(bridge_slave_0) entered blocking state
[ 96.303805] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 96.342752] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 96.349224] 8021q: adding VLAN 0 to HW filter on device bond0
[ 96.358387] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 96.367758] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 96.376017] bridge0: port 1(bridge_slave_0) entered disabled state
[ 96.384016] bridge0: port 2(bridge_slave_1) entered disabled state
[ 96.391317] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 96.403408] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 96.409844] 8021q: adding VLAN 0 to HW filter on device team0
[ 96.419280] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 96.427351] bridge0: port 1(bridge_slave_0) entered blocking state
[ 96.433696] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 96.447444] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 96.455245] bridge0: port 2(bridge_slave_1) entered blocking state
[ 96.461663] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 96.472112] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 96.481015] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 96.490861] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 96.502441] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 96.514581] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 96.525443] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 96.531930] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 96.539166] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 96.553506] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 96.562022] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 96.569214] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 96.581184] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 96.594098] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 96.604333] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 96.645017] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 96.652304] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 96.660501] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 96.670270] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 96.678393] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 96.685314] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 96.694590] device veth0_vlan entered promiscuous mode
[ 96.704328] device veth1_vlan entered promiscuous mode
[ 96.710566] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 96.719309] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 96.732433] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 96.742125] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 96.749588] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 96.757581] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 96.768263] device veth0_macvtap entered promiscuous mode
[ 96.777998] device veth1_macvtap entered promiscuous mode
[ 96.788096] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 96.798180] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 96.808149] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 96.815251] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 96.823066] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 96.831006] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 96.841236] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 96.848871] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 96.855891] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 96.863832] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 96.985979] MINIX-fs: mounting unchecked file system, running fsck is recommended
[ 96.998598] audit: type=1400 audit(1585792453.371:40): avc: denied { associate } for pid=8195 comm="syz-executor516" name="file0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 106.368344] NOHZ: local_softirq_pending 08
[ 126.848242] NOHZ: local_softirq_pending 08
[ 128.845511] ==================================================================
[ 128.853236] BUG: KASAN: use-after-free in get_block+0x1047/0x1300
[ 128.859476] Read of size 2 at addr ffff88808fbd1130 by task syz-executor516/8195
[ 128.867009]
[ 128.868654] CPU: 0 PID: 8195 Comm: syz-executor516 Not tainted 4.19.113-syzkaller #0
[ 128.876518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 128.885870] Call Trace:
[ 128.888468]  dump_stack+0x188/0x20d
[ 128.892185]  ? get_block+0x1047/0x1300
[ 128.896075]  print_address_description.cold+0x7c/0x212
[ 128.901340]  ? get_block+0x1047/0x1300
[ 128.905219]  kasan_report.cold+0x88/0x2b9
[ 128.909391]  get_block+0x1047/0x1300
[ 128.913097]  ? block_to_path.isra.0+0x300/0x300
[ 128.917762]  ? create_page_buffers+0x212/0x380
[ 128.922330]  ? block_invalidatepage+0x22a/0x540
[ 128.927001]  ? lock_downgrade+0x740/0x740
[ 128.931145]  ? do_raw_spin_lock+0xcb/0x240
[ 128.935395]  ? create_empty_buffers+0x52e/0x830
[ 128.940050]  ? do_raw_spin_unlock+0x171/0x260
[ 128.944545]  minix_get_block+0xe5/0x110
[ 128.948871]  block_read_full_page+0x28e/0xef0
[ 128.953712]  ? minix_rename+0x8c0/0x8c0
[ 128.957676]  ? __bread_gfp+0x2f0/0x2f0
[ 128.961620]  ? add_to_page_cache_lru+0x2ab/0x810
[ 128.966371]  ? add_to_page_cache_locked+0x40/0x40
[ 128.971247]  ? __page_cache_alloc+0x12d/0x450
[ 128.975766]  do_read_cache_page+0x916/0x1700
[ 128.980202]  ? minix_bmap+0x30/0x30
[ 128.983819]  ? grab_cache_page_write_begin+0xa0/0xa0
[ 128.989002]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 128.993766]  ? __lock_is_held+0xad/0x140
[ 128.997833]  dir_get_page.isra.0+0x62/0xb0
[ 129.002070]  minix_find_entry+0x200/0x7b0
[ 129.006219]  ? selinux_determine_inode_label+0x1a9/0x360
[ 129.011670]  minix_inode_by_name+0x6d/0x452
[ 129.016163]  ? minix_dotdot+0x170/0x170
[ 129.020139]  minix_lookup+0x103/0x190
[ 129.023943]  ? minix_link+0xb0/0xb0
[ 129.027569]  lookup_open+0x681/0x19b0
[ 129.031361]  ? vfs_link+0xb50/0xb50
[ 129.035104]  ? __lock_is_held+0xad/0x140
[ 129.039162]  path_openat+0x13cb/0x4200
[ 129.043039]  ? __lock_acquire+0x6d1/0x49c0
[ 129.047260]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 129.052612]  ? mark_held_locks+0xf0/0xf0
[ 129.056677]  ? __isolate_free_page+0x4c0/0x4c0
[ 129.061349]  ? path_lookupat.isra.0+0x8d0/0x8d0
[ 129.066020]  ? __lock_is_held+0xad/0x140
[ 129.070939]  do_filp_open+0x1a1/0x280
[ 129.074727]  ? may_open_dev+0xf0/0xf0
[ 129.078513]  ? find_held_lock+0x2d/0x110
[ 129.082565]  ? lock_downgrade+0x740/0x740
[ 129.086696]  ? __lock_is_held+0xad/0x140
[ 129.090829]  ? do_raw_spin_unlock+0x171/0x260
[ 129.095345]  ? _raw_spin_unlock+0x29/0x40
[ 129.099578]  ? __alloc_fd+0x43c/0x550
[ 129.103378]  do_sys_open+0x3c0/0x500
[ 129.107104]  ? filp_open+0x70/0x70
[ 129.110627]  ? fput+0x2b/0x190
[ 129.113805]  ? filp_close+0x129/0x160
[ 129.117591]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 129.122342]  ? trace_hardirqs_off_caller+0x55/0x210
[ 129.127355]  ? do_syscall_64+0x21/0x620
[ 129.131340]  do_syscall_64+0xf9/0x620
[ 129.135143]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 129.140420] RIP: 0033:0x4481b9
[ 129.143621] Code: dd d1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 129.162596] RSP: 002b:00007ffc05065848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 129.170290] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004481b9
[ 129.177630] RDX: 0000000000000000 RSI: 0000000000020040 RDI: 0000000020000040
[ 129.184883] RBP: 00007ffc05065870 R08: 00007ffc05065870 R09: 0000000000000000
[ 129.192333] R10: 00007ffc05065730 R11: 0000000000000246 R12: 00007ffc050658a0
[ 129.199609] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 129.206871]
[ 129.208490] The buggy address belongs to the page:
[ 129.213517] page:ffffea00023ef440 count:0 mapcount:0 mapping:0000000000000000 index:0x1
[ 129.221692] flags: 0xfffe0000000000()
[ 129.225514] raw: 00fffe0000000000 dead000000000100 dead000000000200 0000000000000000
[ 129.233391] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 129.241428] page dumped because: kasan: bad access detected
[ 129.247133]
[ 129.248741] Memory state around the buggy address:
[ 129.253656]  ffff88808fbd1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 129.261019]  ffff88808fbd1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 129.268713] >ffff88808fbd1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 129.276156]                                      ^
[ 129.281095]  ffff88808fbd1180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 129.288439]  ffff88808fbd1200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 129.295790] ==================================================================
[ 129.303836] Disabling lock debugging due to kernel taint
[ 129.309390] Kernel panic - not syncing: panic_on_warn set ...
[ 129.309390]
[ 129.316791] CPU: 0 PID: 8195 Comm: syz-executor516 Tainted: G B 4.19.113-syzkaller #0
[ 129.327272] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 129.336618] Call Trace:
[ 129.339211]  dump_stack+0x188/0x20d
[ 129.342823]  panic+0x26a/0x50e
[ 129.345997]  ? __warn_printk+0xf3/0xf3
[ 129.349869]  ? retint_kernel+0x2d/0x2d
[ 129.353740]  ? trace_hardirqs_on+0x55/0x210
[ 129.358060]  ? get_block+0x1047/0x1300
[ 129.361945]  kasan_end_report+0x43/0x49
[ 129.365917]  kasan_report.cold+0xa4/0x2b9
[ 129.370050]  get_block+0x1047/0x1300
[ 129.373751]  ? block_to_path.isra.0+0x300/0x300
[ 129.378402]  ? create_page_buffers+0x212/0x380
[ 129.382966]  ? block_invalidatepage+0x22a/0x540
[ 129.387664]  ? lock_downgrade+0x740/0x740
[ 129.391800]  ? do_raw_spin_lock+0xcb/0x240
[ 129.396061]  ? create_empty_buffers+0x52e/0x830
[ 129.400727]  ? do_raw_spin_unlock+0x171/0x260
[ 129.405208]  minix_get_block+0xe5/0x110
[ 129.409172]  block_read_full_page+0x28e/0xef0
[ 129.413656]  ? minix_rename+0x8c0/0x8c0
[ 129.417630]  ? __bread_gfp+0x2f0/0x2f0
[ 129.421525]  ? add_to_page_cache_lru+0x2ab/0x810
[ 129.426267]  ? add_to_page_cache_locked+0x40/0x40
[ 129.431096]  ? __page_cache_alloc+0x12d/0x450
[ 129.435574]  do_read_cache_page+0x916/0x1700
[ 129.439983]  ? minix_bmap+0x30/0x30
[ 129.443663]  ? grab_cache_page_write_begin+0xa0/0xa0
[ 129.448758]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 129.453549]  ? __lock_is_held+0xad/0x140
[ 129.457645]  dir_get_page.isra.0+0x62/0xb0
[ 129.461867]  minix_find_entry+0x200/0x7b0
[ 129.466010]  ? selinux_determine_inode_label+0x1a9/0x360
[ 129.471986]  minix_inode_by_name+0x6d/0x452
[ 129.476311]  ? minix_dotdot+0x170/0x170
[ 129.480320]  minix_lookup+0x103/0x190
[ 129.484116]  ? minix_link+0xb0/0xb0
[ 129.487727]  lookup_open+0x681/0x19b0
[ 129.491514]  ? vfs_link+0xb50/0xb50
[ 129.495139]  ? __lock_is_held+0xad/0x140
[ 129.499212]  path_openat+0x13cb/0x4200
[ 129.503095]  ? __lock_acquire+0x6d1/0x49c0
[ 129.507331]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 129.512679]  ? mark_held_locks+0xf0/0xf0
[ 129.516736]  ? __isolate_free_page+0x4c0/0x4c0
[ 129.521304]  ? path_lookupat.isra.0+0x8d0/0x8d0
[ 129.526494]  ? __lock_is_held+0xad/0x140
[ 129.530639]  do_filp_open+0x1a1/0x280
[ 129.534426]  ? may_open_dev+0xf0/0xf0
[ 129.538210]  ? find_held_lock+0x2d/0x110
[ 129.542255]  ? lock_downgrade+0x740/0x740
[ 129.546389]  ? __lock_is_held+0xad/0x140
[ 129.550439]  ? do_raw_spin_unlock+0x171/0x260
[ 129.554919]  ? _raw_spin_unlock+0x29/0x40
[ 129.559065]  ? __alloc_fd+0x43c/0x550
[ 129.562869]  do_sys_open+0x3c0/0x500
[ 129.566577]  ? filp_open+0x70/0x70
[ 129.570110]  ? fput+0x2b/0x190
[ 129.573305]  ? filp_close+0x129/0x160
[ 129.577106]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 129.581858]  ? trace_hardirqs_off_caller+0x55/0x210
[ 129.586867]  ? do_syscall_64+0x21/0x620
[ 129.590825]  do_syscall_64+0xf9/0x620
[ 129.594619]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 129.599794] RIP: 0033:0x4481b9
[ 129.602973] Code: dd d1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 129.623133] RSP: 002b:00007ffc05065848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 129.630841] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004481b9
[ 129.638278] RDX: 0000000000000000 RSI: 0000000000020040 RDI: 0000000020000040
[ 129.645540] RBP: 00007ffc05065870 R08: 00007ffc05065870 R09: 0000000000000000
[ 129.652832] R10: 00007ffc05065730 R11: 0000000000000246 R12: 00007ffc050658a0
[ 129.660087] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
[ 129.668890] Kernel Offset: disabled
[ 129.672515] Rebooting in 86400 seconds..
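Added example, not part of the syzbot console log above: a small Python parser that pulls the triage fields out of a raw serial log of this shape (the KASAN "BUG:" header, the access line, the "CPU:" line with kernel version and taint state, the reliable frames of the Call Trace, and whether the box then hit panic_on_warn). The embedded sample is excerpted verbatim from the report above and trimmed to the lines the parser reads. The regexes assume the 4.19-era KASAN layout shown on this page; the syzbot-style title string and the crash_stack() convention (frames from the faulting function outward, KASAN's own reporting frames dropped) are this example's choices, not a syzkaller API.

```python
"""Extract triage fields from a KASAN report in a raw console log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines excerpted verbatim from the console log on this page,
# trimmed to the parts the parser cares about.
SAMPLE_LOG = """\
[  126.848242] NOHZ: local_softirq_pending 08
[  128.845511] ==================================================================
[  128.853236] BUG: KASAN: use-after-free in get_block+0x1047/0x1300
[  128.859476] Read of size 2 at addr ffff88808fbd1130 by task syz-executor516/8195
[  128.867009]
[  128.868654] CPU: 0 PID: 8195 Comm: syz-executor516 Not tainted 4.19.113-syzkaller #0
[  128.885870] Call Trace:
[  128.888468]  dump_stack+0x188/0x20d
[  128.892185]  ? get_block+0x1047/0x1300
[  128.896075]  print_address_description.cold+0x7c/0x212
[  128.905219]  kasan_report.cold+0x88/0x2b9
[  128.909391]  get_block+0x1047/0x1300
[  128.913097]  ? block_to_path.isra.0+0x300/0x300
[  128.944545]  minix_get_block+0xe5/0x110
[  128.948871]  block_read_full_page+0x28e/0xef0
[  129.131340]  do_syscall_64+0xf9/0x620
[  129.135143]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  129.140420] RIP: 0033:0x4481b9
[  129.208490] The buggy address belongs to the page:
[  129.295790] ==================================================================
[  129.309390] Kernel panic - not syncing: panic_on_warn set ...
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg timestamp prefix
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(
    r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)/(?P<pid>\d+)")
CPU_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: \S+ (?P<taint>.*?) (?P<kernel>\S+) #\d+$")
# A leading "? " marks a frame the unwinder could not verify; we drop those.
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


@dataclass
class KasanReport:
    kind: str            # e.g. "use-after-free", "slab-out-of-bounds"
    func: str            # function that performed the bad access
    access: str          # "Read" or "Write"
    size: int
    addr: int
    task: str
    pid: int
    kernel: str = ""
    tainted: bool = False
    frames: List[str] = field(default_factory=list)   # reliable frames, innermost first
    panicked: bool = False

    @property
    def title(self) -> str:
        """syzbot-style title; a convenient dedup key across reports (example convention)."""
        return f"KASAN: {self.kind} {self.access} in {self.func}"

    def crash_stack(self) -> List[str]:
        """Frames from the faulting function outward, dropping KASAN's own reporting frames."""
        for i, sym in enumerate(self.frames):
            if sym.split(".")[0] == self.func.split(".")[0]:   # ignore .cold/.isra suffixes
                return self.frames[i:]
        return self.frames


def parse_kasan_report(log: str) -> Optional[KasanReport]:
    """Return the first KASAN report found in a console log, or None."""
    report: Optional[KasanReport] = None
    header = {}
    in_trace = closed = False
    for raw in log.splitlines():
        line = TS_RE.sub("", raw).strip()
        if report is None:                        # still looking for the BUG/access pair
            m = BUG_RE.match(line)
            if m:
                header.update(kind=m["kind"], func=m["func"])
                continue
            m = ACCESS_RE.match(line)
            if m and header:
                report = KasanReport(kind=header["kind"], func=header["func"],
                                     access=m["rw"], size=int(m["size"]),
                                     addr=int(m["addr"], 16), task=m["task"], pid=int(m["pid"]))
            continue
        if closed:                                # after the closing "====" only watch for a panic
            if line.startswith("Kernel panic - not syncing"):
                report.panicked = True
            continue
        if line and set(line) == {"="}:
            closed = True
            continue
        m = CPU_RE.match(line)
        if m:
            report.kernel = m["kernel"]
            report.tainted = m["taint"] != "Not tainted"
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(line)
            if m:
                if not m["unreliable"]:
                    report.frames.append(m["sym"])
            elif line == "" or line.startswith(("RIP:", "The buggy address")):
                in_trace = False                  # register dump / address description ends the trace
    return report


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_LOG)
    print(r.title, "on", r.kernel, "(panicked)" if r.panicked else "")
    print(" -> ".join(r.crash_stack()))
```

Run against the full log rather than the trimmed sample, the parser reads the same fields; the second Call Trace printed under "Kernel panic" is ignored because it comes after the report's closing line of "=" characters. Newer kernels add "Allocated by task"/"Freed by task" sections between the trace and the memory-state dump; this example does not parse them.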