Warning: Permanently added '10.128.1.45' (ECDSA) to the list of known hosts.
[ 52.267632] audit: type=1400 audit(1582624406.107:36): avc: denied { map } for pid=8098 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2020/02/25 09:53:26 parsed 1 programs
[ 53.880885] audit: type=1400 audit(1582624407.717:37): avc: denied { map } for pid=8098 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=98 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2020/02/25 09:53:27 executed programs: 0
[ 54.083505] IPVS: ftp: loaded support on port[0] = 21
[ 54.140297] chnl_net:caif_netlink_parms(): no params data found
[ 54.186663] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.193454] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.200648] device bridge_slave_0 entered promiscuous mode
[ 54.208569] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.214987] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.222123] device bridge_slave_1 entered promiscuous mode
[ 54.237384] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 54.246431] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 54.262758] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 54.270564] team0: Port device team_slave_0 added
[ 54.276158] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 54.283425] team0: Port device team_slave_1 added
[ 54.297175] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 54.303417] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.328613] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 54.340233] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 54.346483] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 54.371686] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 54.382936] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 54.390494] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.439125] device hsr_slave_0 entered promiscuous mode
[ 54.477026] device hsr_slave_1 entered promiscuous mode
[ 54.517574] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.524765] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.570681] audit: type=1400 audit(1582624408.407:38): avc: denied { create } for pid=8114 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.592043] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.596144] audit: type=1400 audit(1582624408.407:39): avc: denied { write } for pid=8114 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.601039] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.601367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.625946] audit: type=1400 audit(1582624408.407:40): avc: denied { read } for pid=8114 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 54.631437] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.693287] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 54.700458] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.709262] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.718329] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.737369] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.744458] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.752651] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 54.762452] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.769227] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.778530] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.786216] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.792591] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.801796] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.809699] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.816075] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.833126] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.840908] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.851929] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.861675] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.871925] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.880780] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 54.887149] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 54.899501] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 54.907412] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 54.914081] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 54.924800] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.938414] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 54.948248] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 54.988724] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 54.995722] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 55.002697] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 55.012521] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 55.020317] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 55.027408] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 55.035809] device veth0_vlan entered promiscuous mode
[ 55.045787] device veth1_vlan entered promiscuous mode
[ 55.051993] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 55.061104] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 55.072515] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 55.081904] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 55.089310] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 55.096917] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 55.106189] device veth0_macvtap entered promiscuous mode
[ 55.113482] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 55.122275] device veth1_macvtap entered promiscuous mode
[ 55.130991] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 55.139757] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 55.149405] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 55.159292] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 55.166419] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 55.173772] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 55.181683] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 55.192443] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 55.199440] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 55.206006] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 55.213794] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 55.323693] audit: type=1400 audit(1582624409.157:41): avc: denied { associate } for pid=8114 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 55.804750] ==================================================================
[ 55.812289] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 55.818845] Read of size 8 at addr ffff88808f2254e0 by task syz-executor.0/8241
[ 55.826286]
[ 55.827918] CPU: 1 PID: 8241 Comm: syz-executor.0 Not tainted 4.19.106-syzkaller #0
[ 55.835719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.845109] Call Trace:
[ 55.847717] dump_stack+0x197/0x210
[ 55.851348] ? __list_add_valid+0x9a/0xa0
[ 55.855501] print_address_description.cold+0x7c/0x20d
[ 55.860836] ? __list_add_valid+0x9a/0xa0
[ 55.864992] kasan_report.cold+0x8c/0x2ba
[ 55.869159] __asan_report_load8_noabort+0x14/0x20
[ 55.874111] __list_add_valid+0x9a/0xa0
[ 55.878096] rdma_listen+0x63b/0x8e0
[ 55.881962] ucma_listen+0x14d/0x1c0
[ 55.885670] ? ucma_notify+0x190/0x190
[ 55.889556] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.895093] ? _copy_from_user+0xdd/0x150
[ 55.899242] ucma_write+0x2d7/0x3c0
[ 55.902868] ? ucma_notify+0x190/0x190
[ 55.906753] ? ucma_open+0x290/0x290
[ 55.910464] __vfs_write+0x114/0x810
[ 55.914178] ? ucma_open+0x290/0x290
[ 55.917895] ? kernel_read+0x120/0x120
[ 55.921797] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 55.927346] ? __inode_security_revalidate+0xda/0x120
[ 55.932548] ? avc_policy_seqno+0xd/0x70
[ 55.936604] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 55.941617] ? selinux_file_permission+0x92/0x550
[ 55.946518] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.952100] ? security_file_permission+0x89/0x230
[ 55.957027] ? rw_verify_area+0x118/0x360
[ 55.961222] vfs_write+0x20c/0x560
[ 55.964754] ksys_write+0x14f/0x2d0
[ 55.968382] ? __ia32_sys_read+0xb0/0xb0
[ 55.972456] ? do_syscall_64+0x26/0x620
[ 55.976425] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.981786] ? do_syscall_64+0x26/0x620
[ 55.985765] __x64_sys_write+0x73/0xb0
[ 55.989650] do_syscall_64+0xfd/0x620
[ 55.993490] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.998811] RIP: 0033:0x45c449
[ 56.001994] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.020895] RSP: 002b:00007f3ed6bbfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 56.028711] RAX: ffffffffffffffda RBX: 00007f3ed6bc06d4 RCX: 000000000045c449
[ 56.036020] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000005
[ 56.043334] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 56.050601] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 56.057918] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c
[ 56.065192]
[ 56.066811] Allocated by task 8237:
[ 56.070441] save_stack+0x45/0xd0
[ 56.073915] kasan_kmalloc+0xce/0xf0
[ 56.077632] kmem_cache_alloc_trace+0x152/0x760
[ 56.082292] __rdma_create_id+0x5e/0x610
[ 56.086346] ucma_create_id+0x1de/0x640
[ 56.090321] ucma_write+0x2d7/0x3c0
[ 56.093949] __vfs_write+0x114/0x810
[ 56.097657] vfs_write+0x20c/0x560
[ 56.101188] ksys_write+0x14f/0x2d0
[ 56.104816] __x64_sys_write+0x73/0xb0
[ 56.108792] do_syscall_64+0xfd/0x620
[ 56.112610] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.117806]
[ 56.119455] Freed by task 8234:
[ 56.122726] save_stack+0x45/0xd0
[ 56.126299] __kasan_slab_free+0x102/0x150
[ 56.130546] kasan_slab_free+0xe/0x10
[ 56.134337] kfree+0xcf/0x220
[ 56.137436] rdma_destroy_id+0x726/0xab0
[ 56.141488] ucma_close+0x115/0x320
[ 56.145106] __fput+0x2dd/0x8b0
[ 56.148386] ____fput+0x16/0x20
[ 56.151766] task_work_run+0x145/0x1c0
[ 56.155670] exit_to_usermode_loop+0x273/0x2c0
[ 56.160363] do_syscall_64+0x53d/0x620
[ 56.164357] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.169533]
[ 56.171154] The buggy address belongs to the object at ffff88808f225300
[ 56.171154] which belongs to the cache kmalloc-2048 of size 2048
[ 56.183990] The buggy address is located 480 bytes inside of
[ 56.183990] 2048-byte region [ffff88808f225300, ffff88808f225b00)
[ 56.195991] The buggy address belongs to the page:
[ 56.200915] page:ffffea00023c8900 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
[ 56.210873] flags: 0xfffe0000008100(slab|head)
[ 56.215455] raw: 00fffe0000008100 ffffea00024a5088 ffffea00023a2b88 ffff88812c31cc40
[ 56.223328] raw: 0000000000000000 ffff88808f224200 0000000100000003 0000000000000000
[ 56.231196] page dumped because: kasan: bad access detected
[ 56.236892]
[ 56.238525] Memory state around the buggy address:
[ 56.243453] ffff88808f225380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.250859] ffff88808f225400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.258215] >ffff88808f225480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.265582] ^
[ 56.272065] ffff88808f225500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.279418] ffff88808f225580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.286828] ==================================================================
[ 56.294180] Disabling lock debugging due to kernel taint
[ 56.302912] Kernel panic - not syncing: panic_on_warn set ...
[ 56.302912]
[ 56.310309] CPU: 0 PID: 8241 Comm: syz-executor.0 Tainted: G B 4.19.106-syzkaller #0
[ 56.319623] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.329076] Call Trace:
[ 56.331666] dump_stack+0x197/0x210
[ 56.335354] ? __list_add_valid+0x9a/0xa0
[ 56.339501] panic+0x26a/0x50e
[ 56.342699] ? __warn_printk+0xf3/0xf3
[ 56.346611] ? __list_add_valid+0x9a/0xa0
[ 56.350763] ? preempt_schedule+0x4b/0x60
[ 56.354901] ? ___preempt_schedule+0x16/0x18
[ 56.359321] ? trace_hardirqs_on+0x5e/0x220
[ 56.363688] ? __list_add_valid+0x9a/0xa0
[ 56.367834] kasan_end_report+0x47/0x4f
[ 56.372790] kasan_report.cold+0xa9/0x2ba
[ 56.376937] __asan_report_load8_noabort+0x14/0x20
[ 56.381914] __list_add_valid+0x9a/0xa0
[ 56.385882] rdma_listen+0x63b/0x8e0
[ 56.389675] ucma_listen+0x14d/0x1c0
[ 56.393442] ? ucma_notify+0x190/0x190
[ 56.397328] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 56.402866] ? _copy_from_user+0xdd/0x150
[ 56.407008] ucma_write+0x2d7/0x3c0
[ 56.410631] ? ucma_notify+0x190/0x190
[ 56.414508] ? ucma_open+0x290/0x290
[ 56.418218] __vfs_write+0x114/0x810
[ 56.421972] ? ucma_open+0x290/0x290
[ 56.425682] ? kernel_read+0x120/0x120
[ 56.429625] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 56.435159] ? __inode_security_revalidate+0xda/0x120
[ 56.440408] ? avc_policy_seqno+0xd/0x70
[ 56.444468] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 56.449506] ? selinux_file_permission+0x92/0x550
[ 56.454382] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.459926] ? security_file_permission+0x89/0x230
[ 56.464994] ? rw_verify_area+0x118/0x360
[ 56.469138] vfs_write+0x20c/0x560
[ 56.472698] ksys_write+0x14f/0x2d0
[ 56.476321] ? __ia32_sys_read+0xb0/0xb0
[ 56.480425] ? do_syscall_64+0x26/0x620
[ 56.484388] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.489746] ? do_syscall_64+0x26/0x620
[ 56.493760] __x64_sys_write+0x73/0xb0
[ 56.497644] do_syscall_64+0xfd/0x620
[ 56.501435] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.506625] RIP: 0033:0x45c449
[ 56.509822] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.528806] RSP: 002b:00007f3ed6bbfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 56.536517] RAX: ffffffffffffffda RBX: 00007f3ed6bc06d4 RCX: 000000000045c449
[ 56.543780] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000005
[ 56.551041] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 56.558317] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 56.565592] R13: 0000000000000cbe R14: 00000000004cea14 R15: 000000000076bf2c
[ 56.574158] Kernel Offset: disabled
[ 56.577793] Rebooting in 86400 seconds..