syzkaller login: [ 80.499678][ T26] audit: type=1400 audit(1560616980.768:35): avc: denied { map } for pid=9743 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
[ 975.339798][ T26] audit: type=1400 audit(1560617875.608:36): avc: denied { map } for pid=9755 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/15 16:57:56 parsed 1 programs
[ 976.286812][ T26] audit: type=1400 audit(1560617876.548:37): avc: denied { map } for pid=9755 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=2792 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/06/15 16:57:58 executed programs: 0
[ 977.913284][ T9770] IPVS: ftp: loaded support on port[0] = 21
[ 977.985665][ T9770] chnl_net:caif_netlink_parms(): no params data found
[ 978.016848][ T9770] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.024348][ T9770] bridge0: port 1(bridge_slave_0) entered disabled state
[ 978.032262][ T9770] device bridge_slave_0 entered promiscuous mode
[ 978.040893][ T9770] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.048121][ T9770] bridge0: port 2(bridge_slave_1) entered disabled state
[ 978.055798][ T9770] device bridge_slave_1 entered promiscuous mode
[ 978.074215][ T9770] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 978.084305][ T9770] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 978.103875][ T9770] team0: Port device team_slave_0 added
[ 978.111393][ T9770] team0: Port device team_slave_1 added
[ 978.180434][ T9770] device hsr_slave_0 entered promiscuous mode
[ 978.248012][ T9770] device hsr_slave_1 entered promiscuous mode
[ 978.307657][ T9770] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.314880][ T9770] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 978.322799][ T9770] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.329887][ T9770] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 978.370883][ T9770] 8021q: adding VLAN 0 to HW filter on device bond0
[ 978.384267][ T9773] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 978.405237][ T9773] bridge0: port 1(bridge_slave_0) entered disabled state
[ 978.414096][ T9773] bridge0: port 2(bridge_slave_1) entered disabled state
[ 978.423180][ T9773] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 978.434854][ T9770] 8021q: adding VLAN 0 to HW filter on device team0
[ 978.445639][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 978.454246][ T3489] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.461306][ T3489] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 978.473797][ T9773] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 978.482536][ T9773] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.489630][ T9773] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 978.510968][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 978.519861][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 978.536558][ T9770] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 978.548518][ T9770] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 978.560884][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 978.569237][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 978.578213][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 978.586915][ T3489] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 978.608458][ T9770] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 978.647164][ T26] audit: type=1400 audit(1560617878.908:38): avc: denied { associate } for pid=9770 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 980.553334][ T9844] ==================================================================
[ 980.561612][ T9844] BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280
[ 980.569490][ T9844] Read of size 8 at addr ffff88808e58cf00 by task syz-executor.0/9844
[ 980.577612][ T9844]
[ 980.579928][ T9844] CPU: 1 PID: 9844 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #25
[ 980.587832][ T9844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 980.597892][ T9844] Call Trace:
[ 980.601216][ T9844] dump_stack+0x172/0x1f0
[ 980.605529][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 980.611063][ T9844] print_address_description.cold+0x7c/0x20d
[ 980.617143][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 980.622676][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 980.628339][ T9844] __kasan_report.cold+0x1b/0x40
[ 980.633270][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 980.638960][ T9844] kasan_report+0x12/0x20
[ 980.643278][ T9844] __asan_report_load8_noabort+0x14/0x20
[ 980.648897][ T9844] pneigh_get_next.isra.0+0x24b/0x280
[ 980.654405][ T9844] neigh_seq_next+0xdb/0x210
[ 980.659031][ T9844] seq_read+0x9cf/0x1110
[ 980.663264][ T9844] ? seq_dentry+0x2d0/0x2d0
[ 980.667752][ T9844] proc_reg_read+0x1fc/0x2c0
[ 980.672445][ T9844] ? proc_reg_compat_ioctl+0x2a0/0x2a0
[ 980.677892][ T9844] ? rw_verify_area+0x126/0x360
[ 980.682719][ T9844] do_iter_read+0x4a4/0x660
[ 980.687202][ T9844] ? dup_iter+0x260/0x260
[ 980.691520][ T9844] vfs_readv+0xf0/0x160
[ 980.695654][ T9844] ? alloc_pages_current+0x10f/0x210
[ 980.700916][ T9844] ? compat_rw_copy_check_uvector+0x3f0/0x3f0
[ 980.706969][ T9844] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 980.713333][ T9844] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 980.719566][ T9844] ? iov_iter_get_pages_alloc+0x3ae/0x12f0
[ 980.725367][ T9844] ? iov_iter_revert+0xaa0/0xaa0
[ 980.730292][ T9844] ? lockdep_hardirqs_on+0x418/0x5d0
[ 980.735557][ T9844] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 980.741252][ T9844] ? iov_iter_pipe+0xba/0x2f0
[ 980.745921][ T9844] default_file_splice_read+0x475/0x890
[ 980.751455][ T9844] ? free_unref_page+0x474/0x600
[ 980.756379][ T9844] ? __put_page+0x8d/0xd0
[ 980.760694][ T9844] ? iter_file_splice_write+0xbd0/0xbd0
[ 980.766237][ T9844] ? __put_page+0x92/0xd0
[ 980.770875][ T9844] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 980.777283][ T9844] ? security_file_permission+0x8f/0x380
[ 980.782912][ T9844] ? default_file_splice_write+0x72/0x90
[ 980.788522][ T9844] ? iter_file_splice_write+0xbd0/0xbd0
[ 980.794057][ T9844] do_splice_to+0x127/0x180
[ 980.798545][ T9844] splice_direct_to_actor+0x2d2/0x970
[ 980.803905][ T9844] ? generic_pipe_buf_nosteal+0x10/0x10
[ 980.809439][ T9844] ? do_splice_to+0x180/0x180
[ 980.814096][ T9844] ? rw_verify_area+0x126/0x360
[ 980.819033][ T9844] do_splice_direct+0x1da/0x2a0
[ 980.823867][ T9844] ? splice_direct_to_actor+0x970/0x970
[ 980.829390][ T9844] ? rcu_read_lock_sched_held+0x110/0x130
[ 980.835092][ T9844] ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 980.841333][ T9844] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 980.847553][ T9844] ? __sb_start_write+0x1ac/0x360
[ 980.852553][ T9844] do_sendfile+0x597/0xd00
[ 980.857005][ T9844] ? do_compat_pwritev64+0x1c0/0x1c0
[ 980.862446][ T9844] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 980.868755][ T9844] ? put_timespec64+0xda/0x140
[ 980.873508][ T9844] __x64_sys_sendfile64+0x1dd/0x220
[ 980.878692][ T9844] ? __ia32_sys_sendfile+0x230/0x230
[ 980.883993][ T9844] ? do_syscall_64+0x26/0x680
[ 980.888659][ T9844] ? lockdep_hardirqs_on+0x418/0x5d0
[ 980.893927][ T9844] ? trace_hardirqs_on+0x67/0x220
[ 980.898937][ T9844] do_syscall_64+0xfd/0x680
[ 980.903499][ T9844] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 980.909382][ T9844] RIP: 0033:0x4592c9
[ 980.913258][ T9844] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 980.932956][ T9844] RSP: 002b:00007f1a95f13c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 980.941392][ T9844] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
[ 980.949346][ T9844] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
[ 980.957300][ T9844] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 980.965343][ T9844] R10: 0000000080000000 R11: 0000000000000246 R12: 00007f1a95f146d4
[ 980.973294][ T9844] R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
[ 980.981635][ T9844]
[ 980.983949][ T9844] Allocated by task 9846:
[ 980.988259][ T9844] save_stack+0x23/0x90
[ 980.992392][ T9844] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 980.998526][ T9844] kasan_kmalloc+0x9/0x10
[ 981.002834][ T9844] __kmalloc+0x15c/0x740
[ 981.007105][ T9844] pneigh_lookup+0x19c/0x4a0
[ 981.011733][ T9844] arp_req_set+0x613/0x720
[ 981.016493][ T9844] arp_ioctl+0x652/0x7f0
[ 981.020823][ T9844] inet_ioctl+0x2a0/0x340
[ 981.025178][ T9844] sock_do_ioctl+0xd8/0x2f0
[ 981.029660][ T9844] sock_ioctl+0x3ed/0x780
[ 981.033975][ T9844] do_vfs_ioctl+0xd5f/0x1380
[ 981.038647][ T9844] ksys_ioctl+0xab/0xd0
[ 981.042779][ T9844] __x64_sys_ioctl+0x73/0xb0
[ 981.047353][ T9844] do_syscall_64+0xfd/0x680
[ 981.051896][ T9844] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 981.057783][ T9844]
[ 981.060109][ T9844] Freed by task 9843:
[ 981.064070][ T9844] save_stack+0x23/0x90
[ 981.068202][ T9844] __kasan_slab_free+0x102/0x150
[ 981.073128][ T9844] kasan_slab_free+0xe/0x10
[ 981.077895][ T9844] kfree+0xcf/0x220
[ 981.081696][ T9844] __neigh_ifdown+0x236/0x2f0
[ 981.086348][ T9844] neigh_ifdown+0x20/0x30
[ 981.090662][ T9844] arp_ifdown+0x1d/0x21
[ 981.094803][ T9844] inetdev_event+0xa14/0x11f0
[ 981.099466][ T9844] notifier_call_chain+0xc2/0x230
[ 981.104471][ T9844] raw_notifier_call_chain+0x2e/0x40
[ 981.109794][ T9844] call_netdevice_notifiers_info+0x3f/0x90
[ 981.115698][ T9844] rollback_registered_many+0x9b9/0xfc0
[ 981.121223][ T9844] rollback_registered+0x109/0x1d0
[ 981.126319][ T9844] unregister_netdevice_queue+0x1ee/0x2c0
[ 981.132032][ T9844] __tun_detach+0xd8a/0x1040
[ 981.136613][ T9844] tun_chr_close+0xe0/0x180
[ 981.141097][ T9844] __fput+0x2ff/0x890
[ 981.145093][ T9844] ____fput+0x16/0x20
[ 981.149066][ T9844] task_work_run+0x145/0x1c0
[ 981.153660][ T9844] exit_to_usermode_loop+0x273/0x2c0
[ 981.158940][ T9844] do_syscall_64+0x58e/0x680
[ 981.163511][ T9844] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 981.169601][ T9844]
[ 981.171916][ T9844] The buggy address belongs to the object at ffff88808e58cf00
[ 981.171916][ T9844]  which belongs to the cache kmalloc-64 of size 64
[ 981.186179][ T9844] The buggy address is located 0 bytes inside of
[ 981.186179][ T9844]  64-byte region [ffff88808e58cf00, ffff88808e58cf40)
[ 981.199172][ T9844] The buggy address belongs to the page:
[ 981.204790][ T9844] page:ffffea0002396300 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
[ 981.213877][ T9844] flags: 0x1fffc0000000200(slab)
[ 981.218800][ T9844] raw: 01fffc0000000200 ffffea000281be48 ffff8880aa401348 ffff8880aa400340
[ 981.227828][ T9844] raw: 0000000000000000 ffff88808e58c000 0000000100000020 0000000000000000
[ 981.236394][ T9844] page dumped because: kasan: bad access detected
[ 981.242806][ T9844]
[ 981.245121][ T9844] Memory state around the buggy address:
[ 981.250735][ T9844]  ffff88808e58ce00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 981.258809][ T9844]  ffff88808e58ce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 981.267045][ T9844] >ffff88808e58cf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 981.275180][ T9844]                    ^
[ 981.279232][ T9844]  ffff88808e58cf80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 981.287432][ T9844]  ffff88808e58d000: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
[ 981.295473][ T9844] ==================================================================
[ 981.310671][ T9844] Disabling lock debugging due to kernel taint
[ 981.316953][ T9844] Kernel panic - not syncing: panic_on_warn set ...
[ 981.323633][ T9844] CPU: 1 PID: 9844 Comm: syz-executor.0 Tainted: G B 5.2.0-rc4+ #25
[ 981.333064][ T9844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 981.343108][ T9844] Call Trace:
[ 981.346396][ T9844] dump_stack+0x172/0x1f0
[ 981.350717][ T9844] panic+0x2cb/0x744
[ 981.354858][ T9844] ? __warn_printk+0xf3/0xf3
[ 981.359431][ T9844] ? retint_kernel+0x2b/0x2b
[ 981.364022][ T9844] ? trace_hardirqs_on+0x5e/0x220
[ 981.369037][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 981.375160][ T9844] end_report+0x47/0x4f
[ 981.379323][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 981.384867][ T9844] __kasan_report.cold+0xe/0x40
[ 981.389709][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 981.395605][ T9844] kasan_report+0x12/0x20
[ 981.399931][ T9844] __asan_report_load8_noabort+0x14/0x20
[ 981.405551][ T9844] pneigh_get_next.isra.0+0x24b/0x280
[ 981.410967][ T9844] neigh_seq_next+0xdb/0x210
[ 981.415859][ T9844] seq_read+0x9cf/0x1110
[ 981.420091][ T9844] ? seq_dentry+0x2d0/0x2d0
[ 981.424579][ T9844] proc_reg_read+0x1fc/0x2c0
[ 981.429151][ T9844] ? proc_reg_compat_ioctl+0x2a0/0x2a0
[ 981.434599][ T9844] ? rw_verify_area+0x126/0x360
[ 981.439431][ T9844] do_iter_read+0x4a4/0x660
[ 981.443919][ T9844] ? dup_iter+0x260/0x260
[ 981.448246][ T9844] vfs_readv+0xf0/0x160
[ 981.452391][ T9844] ? alloc_pages_current+0x10f/0x210
[ 981.457665][ T9844] ? compat_rw_copy_check_uvector+0x3f0/0x3f0
[ 981.463777][ T9844] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 981.470018][ T9844] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 981.476245][ T9844] ? iov_iter_get_pages_alloc+0x3ae/0x12f0
[ 981.482037][ T9844] ? iov_iter_revert+0xaa0/0xaa0
[ 981.486969][ T9844] ? lockdep_hardirqs_on+0x418/0x5d0
[ 981.492650][ T9844] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 981.498353][ T9844] ? iov_iter_pipe+0xba/0x2f0
[ 981.503017][ T9844] default_file_splice_read+0x475/0x890
[ 981.508546][ T9844] ? free_unref_page+0x474/0x600
[ 981.513600][ T9844] ? __put_page+0x8d/0xd0
[ 981.517931][ T9844] ? iter_file_splice_write+0xbd0/0xbd0
[ 981.523587][ T9844] ? __put_page+0x92/0xd0
[ 981.528050][ T9844] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 981.534285][ T9844] ? security_file_permission+0x8f/0x380
[ 981.539900][ T9844] ? default_file_splice_write+0x72/0x90
[ 981.545519][ T9844] ? iter_file_splice_write+0xbd0/0xbd0
[ 981.551171][ T9844] do_splice_to+0x127/0x180
[ 981.555671][ T9844] splice_direct_to_actor+0x2d2/0x970
[ 981.561024][ T9844] ? generic_pipe_buf_nosteal+0x10/0x10
[ 981.566548][ T9844] ? do_splice_to+0x180/0x180
[ 981.571208][ T9844] ? rw_verify_area+0x126/0x360
[ 981.576044][ T9844] do_splice_direct+0x1da/0x2a0
[ 981.580876][ T9844] ? splice_direct_to_actor+0x970/0x970
[ 981.586494][ T9844] ? rcu_read_lock_sched_held+0x110/0x130
[ 981.592435][ T9844] ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 981.597883][ T9844] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 981.604120][ T9844] ? __sb_start_write+0x1ac/0x360
[ 981.609238][ T9844] do_sendfile+0x597/0xd00
[ 981.613639][ T9844] ? do_compat_pwritev64+0x1c0/0x1c0
[ 981.618902][ T9844] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 981.625207][ T9844] ? put_timespec64+0xda/0x140
[ 981.629952][ T9844] __x64_sys_sendfile64+0x1dd/0x220
[ 981.635138][ T9844] ? __ia32_sys_sendfile+0x230/0x230
[ 981.640406][ T9844] ? do_syscall_64+0x26/0x680
[ 981.645060][ T9844] ? lockdep_hardirqs_on+0x418/0x5d0
[ 981.650442][ T9844] ? trace_hardirqs_on+0x67/0x220
[ 981.655458][ T9844] do_syscall_64+0xfd/0x680
[ 981.659950][ T9844] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 981.665819][ T9844] RIP: 0033:0x4592c9
[ 981.669697][ T9844] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 981.689293][ T9844] RSP: 002b:00007f1a95f13c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 981.697702][ T9844] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
[ 981.705665][ T9844] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
[ 981.713613][ T9844] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 981.721566][ T9844] R10: 0000000080000000 R11: 0000000000000246 R12: 00007f1a95f146d4
[ 981.729514][ T9844] R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
[ 981.738548][ T9844] Kernel Offset: disabled
[ 981.742916][ T9844] Rebooting in 86400 seconds..
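Reading the report above the way a triager would: task 9846 created a proxy-ARP entry through an ioctl (arp_ioctl -> arp_req_set -> pneigh_lookup, which kmalloc'd the 64-byte object), task 9843 closed a tun device whose unregistration ran inetdev_event -> arp_ifdown -> __neigh_ifdown -> kfree on that same object, and task 9844 was part-way through a seq_file walk of the neighbour table via sendfile on a procfs file (proc_reg_read -> seq_read -> neigh_seq_next -> pneigh_get_next) when it read the freed entry. The shadow byte under the faulting address is fb, so the access hit freed slab memory, not a redzone. Three distinct tasks on one object is the signature of a lifetime race between a reader and device teardown rather than a bug local to the reader. The script below is an added example for this page, not part of the syzkaller report, the kernel or syzkaller's own tooling: it parses the console lines of a KASAN report into exactly those facts. Its REPORT string is an excerpt of the log above with intermediate frames removed; the shadow-byte legend is generic KASAN's (0xfb = KASAN_KMALLOC_FREE, 0xfc = KASAN_KMALLOC_REDZONE); the list of instrumentation frames to skip and the stripping of compiler suffixes such as .isra.0 are my heuristics, not anything the kernel defines.

```python
"""Triage a KASAN use-after-free report into the facts a reviewer reads first.

Added example for this page, not part of the syzkaller report or the kernel. It
extracts the faulting code, the allocating and freeing paths, the syscall each
path was entered through, and the shadow byte under the faulting address.
REPORT is an excerpt of the log on this page with intermediate frames removed."""
import re
# Shadow-byte meanings for generic KASAN (mm/kasan/kasan.h).
SHADOW_LEGEND = {0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
                 0xFC: "slab redzone (KASAN_KMALLOC_REDZONE)", 0x00: "addressable"}
_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")      # "[ 980.561612][ T9844] "
_BUG = re.compile(r"^BUG: KASAN: (\S+) in (\S+)\+0x")
_ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
_FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_SECTION = re.compile(r"^(?:Call Trace:|Allocated by task (\d+):|Freed by task (\d+):)$")
_SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")
_CACHE = re.compile(r"belongs to the cache (\S+) of size")
# Frames owned by KASAN or by the allocator; never the code to blame (heuristic).
_NOISE = ("dump_stack", "print_address_description", "__kasan_", "kasan_",
          "__asan_", "save_stack", "kfree", "__kmalloc", "kmalloc")

def _collect_frames(lines, i):
    frames = []
    while i < len(lines) and (m := _FRAME.match(lines[i])):
        if not m.group(1):                   # "? " frames are unwinder guesses: drop them
            frames.append(m.group(2))
        i += 1
    return frames, i                         # i now points at the first non-frame line

def parse_report(text):
    lines = [_PREFIX.sub("", ln).strip() for ln in text.strip().splitlines()]
    rep, i = {"access": [], "alloc": [], "free": [], "addr": 0, "shadow_byte": None}, 0
    while i < len(lines):
        ln, i = lines[i], i + 1
        if m := _BUG.match(ln):
            rep["bug_type"], rep["fault_func"] = m.group(1), m.group(2)
        elif m := _ACCESS.match(ln):
            rep["kind"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["access_pid"] = int(m.group(3), 16), int(m.group(4))
        elif m := _SECTION.match(ln):
            frames, i = _collect_frames(lines, i)
            if m.group(1):
                rep["alloc"], rep["alloc_pid"] = frames, int(m.group(1))
            elif m.group(2):
                rep["free"], rep["free_pid"] = frames, int(m.group(2))
            elif not rep["access"]:          # the panic path prints a second "Call Trace:"
                rep["access"] = frames
        elif m := _CACHE.search(ln):
            rep["cache"] = m.group(1)
        elif m := _SHADOW.match(ln):
            off = rep["addr"] - int(m.group(1), 16)
            if 0 <= off < 128:               # a row is 16 shadow bytes, each covering 8 bytes
                rep["shadow_byte"] = int(m.group(2).split()[off // 8], 16)
    return rep

def blame(stack):
    """First frame that is neither KASAN instrumentation nor the allocator, minus clone suffixes."""
    return next((f.split(".")[0] for f in stack if not f.startswith(_NOISE)), None)

def entry_point(stack):
    """Frame that do_syscall_64 dispatched to: the syscall (or exit work) behind the path."""
    pairs = zip(stack, stack[1:])            # stacks are innermost-first: (callee, caller)
    return next((callee for callee, caller in pairs if caller.startswith("do_syscall_64")), None)

def triage(text):
    rep = parse_report(text)
    return {"bug": f'{rep["bug_type"]} {rep["kind"].lower()} of {rep["size"]} bytes in {blame(rep["access"])}',
            "object": rep["cache"], "access_via": entry_point(rep["access"]),
            "alloc_by": blame(rep["alloc"]), "alloc_via": entry_point(rep["alloc"]),
            "free_by": blame(rep["free"]), "free_via": entry_point(rep["free"]),
            "distinct_tasks": len({rep["access_pid"], rep["alloc_pid"], rep["free_pid"]}),
            "shadow": SHADOW_LEGEND.get(rep["shadow_byte"], "unknown")}

REPORT = """
[ 980.561612][ T9844] BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280
[ 980.569490][ T9844] Read of size 8 at addr ffff88808e58cf00 by task syz-executor.0/9844
[ 980.597892][ T9844] Call Trace:
[ 980.605529][ T9844] ? pneigh_get_next.isra.0+0x24b/0x280
[ 980.648897][ T9844] pneigh_get_next.isra.0+0x24b/0x280
[ 980.654405][ T9844] neigh_seq_next+0xdb/0x210
[ 980.873508][ T9844] __x64_sys_sendfile64+0x1dd/0x220
[ 980.898937][ T9844] do_syscall_64+0xfd/0x680
[ 980.983949][ T9844] Allocated by task 9846:
[ 981.002834][ T9844] __kmalloc+0x15c/0x740
[ 981.007105][ T9844] pneigh_lookup+0x19c/0x4a0
[ 981.016493][ T9844] arp_ioctl+0x652/0x7f0
[ 981.042779][ T9844] __x64_sys_ioctl+0x73/0xb0
[ 981.047353][ T9844] do_syscall_64+0xfd/0x680
[ 981.060109][ T9844] Freed by task 9843:
[ 981.077895][ T9844] kfree+0xcf/0x220
[ 981.081696][ T9844] __neigh_ifdown+0x236/0x2f0
[ 981.136613][ T9844] tun_chr_close+0xe0/0x180
[ 981.153660][ T9844] exit_to_usermode_loop+0x273/0x2c0
[ 981.158940][ T9844] do_syscall_64+0x58e/0x680
[ 981.171916][ T9844] which belongs to the cache kmalloc-64 of size 64
[ 981.267045][ T9844] >ffff88808e58cf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    print(*triage(REPORT).items(), sep="\n")
```

Run on the full console log instead of the excerpt, the parser behaves the same: the second "Call Trace:" printed by the panic path is ignored because the first one has already been recorded, and the shadow row is found by address rather than by the `>` marker. The free path having no `__x64_sys_` frame is the point worth noticing in the output: `free_via` is `exit_to_usermode_loop`, meaning the netdev was torn down from deferred fput work on the way back to user space, which is exactly the kind of asynchronous teardown a `/proc` reader cannot see coming.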