Starting mcstransd:
[ 91.894528][ T27] audit: type=1400 audit(1578436340.465:37): avc: denied { watch } for pid=10988 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
[ 91.905651][T10988] restorecond (10988) used greatest stack depth: 22888 bytes left
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 95.431837][ T27] kauditd_printk_skb: 3 callbacks suppressed
[ 95.431854][ T27] audit: type=1400 audit(1578436344.005:41): avc: denied { map } for pid=11080 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.125' (ECDSA) to the list of known hosts.
[ 102.213420][ T27] audit: type=1400 audit(1578436350.785:42): avc: denied { map } for pid=11092 comm="syz-executor984" path="/root/syz-executor984248200" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 102.243640][T11093] IPVS: ftp: loaded support on port[0] = 21
[ 102.307178][T11093] chnl_net:caif_netlink_parms(): no params data found
[ 102.342858][T11093] bridge0: port 1(bridge_slave_0) entered blocking state
[ 102.357342][T11093] bridge0: port 1(bridge_slave_0) entered disabled state
[ 102.365769][T11093] device bridge_slave_0 entered promiscuous mode
[ 102.376650][T11093] bridge0: port 2(bridge_slave_1) entered blocking state
[ 102.384136][T11093] bridge0: port 2(bridge_slave_1) entered disabled state
[ 102.392520][T11093] device bridge_slave_1 entered promiscuous mode
[ 102.415979][T11093] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 102.427976][T11093] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 102.451751][T11093] team0: Port device team_slave_0 added
[ 102.459455][T11093] team0: Port device team_slave_1 added
[ 102.542790][T11093] device hsr_slave_0 entered promiscuous mode
[ 102.591222][T11093] device hsr_slave_1 entered promiscuous mode
[ 102.707087][ T27] audit: type=1400 audit(1578436351.275:43): avc: denied { create } for pid=11093 comm="syz-executor984" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 102.734010][ T27] audit: type=1400 audit(1578436351.305:44): avc: denied { write } for pid=11093 comm="syz-executor984" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 102.736403][T11093] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 102.761957][ T27] audit: type=1400 audit(1578436351.305:45): avc: denied { read } for pid=11093 comm="syz-executor984" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 102.833222][T11093] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 102.903013][T11093] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 102.962965][T11093] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 103.025514][T11093] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.033121][T11093] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 103.041519][T11093] bridge0: port 1(bridge_slave_0) entered blocking state
[ 103.049142][T11093] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 103.104335][T11093] 8021q: adding VLAN 0 to HW filter on device bond0
[ 103.119308][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 103.132189][ T2839] bridge0: port 1(bridge_slave_0) entered disabled state
[ 103.141159][ T2839] bridge0: port 2(bridge_slave_1) entered disabled state
[ 103.149341][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 103.164416][T11093] 8021q: adding VLAN 0 to HW filter on device team0
[ 103.176315][ T2716] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 103.185977][ T2716] bridge0: port 1(bridge_slave_0) entered blocking state
[ 103.193213][ T2716] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 103.206677][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 103.216572][ T2839] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.224097][ T2839] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 103.250454][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 103.259422][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 103.270807][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 103.283374][ T2716] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 103.298536][T11093] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 103.313010][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 103.321929][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 103.344360][ T2716] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 103.352623][ T2716] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 103.366391][T11093] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 103.388075][ T2716] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 103.396958][ T2716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 103.417789][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 103.426691][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 103.436437][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
executing program
[ 103.444775][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 103.455270][T11093] device veth0_vlan entered promiscuous mode
[ 103.468164][T11093] device veth1_vlan entered promiscuous mode
[ 103.581442][T11093] ==================================================================
[ 103.589994][T11093] BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620
[ 103.597568][T11093] Read of size 4 at addr ffff88808b39f001 by task syz-executor984/11093
[ 103.606825][T11093]
[ 103.609246][T11093] CPU: 1 PID: 11093 Comm: syz-executor984 Not tainted 5.5.0-rc5-syzkaller #0
[ 103.618522][T11093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.628731][T11093] Call Trace:
[ 103.632030][T11093] dump_stack+0x197/0x210
[ 103.636368][T11093] ? macvlan_broadcast+0x547/0x620
[ 103.641863][T11093] print_address_description.constprop.0.cold+0xd4/0x30b
[ 103.649016][T11093] ? macvlan_broadcast+0x547/0x620
[ 103.654404][T11093] ? macvlan_broadcast+0x547/0x620
[ 103.659517][T11093] __kasan_report.cold+0x1b/0x41
[ 103.664455][T11093] ? validate_xmit_xfrm+0x3d0/0xf10
[ 103.670261][T11093] ? macvlan_broadcast+0x547/0x620
[ 103.675831][T11093] kasan_report+0x12/0x20
[ 103.680457][T11093] __asan_report_load_n_noabort+0xf/0x20
[ 103.686444][T11093] macvlan_broadcast+0x547/0x620
[ 103.691517][T11093] ? validate_xmit_skb+0x81f/0xe50
[ 103.696776][T11093] macvlan_start_xmit+0x402/0x77f
[ 103.701989][T11093] dev_direct_xmit+0x419/0x630
[ 103.707062][T11093] ? __check_heap_object+0x51/0xb3
[ 103.712670][T11093] ? validate_xmit_skb_list+0x150/0x150
[ 103.718969][T11093] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 103.726656][T11093] ? netdev_pick_tx+0x14e/0xb00
[ 103.732078][T11093] packet_direct_xmit+0x1a9/0x250
[ 103.737659][T11093] packet_sendmsg+0x260d/0x6220
[ 103.742549][T11093] ? mark_held_locks+0xf0/0xf0
[ 103.747358][T11093] ? tomoyo_mount_permission+0x200/0x400
[ 103.753070][T11093] ? packet_notifier+0x880/0x880
[ 103.758034][T11093] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.764564][T11093] ? security_socket_sendmsg+0x8d/0xc0
[ 103.770741][T11093] ? packet_notifier+0x880/0x880
[ 103.775944][T11093] sock_sendmsg+0xd7/0x130
[ 103.780851][T11093] __sys_sendto+0x262/0x380
[ 103.786217][T11093] ? __ia32_sys_getpeername+0xb0/0xb0
[ 103.791941][T11093] ? __ia32_sys_socketpair+0xf0/0xf0
[ 103.797331][T11093] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 103.802925][T11093] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 103.808394][T11093] ? do_syscall_64+0x26/0x790
[ 103.813103][T11093] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.819177][T11093] __x64_sys_sendto+0xe1/0x1a0
[ 103.824146][T11093] do_syscall_64+0xfa/0x790
[ 103.828984][T11093] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.834893][T11093] RIP: 0033:0x442469
[ 103.838806][T11093] Code: 45 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 103.861661][T11093] RSP: 002b:00007ffcf7c5c4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 103.870679][T11093] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442469
[ 103.879228][T11093] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 103.888039][T11093] RBP: 00007ffcf7c5c500 R08: 0000000000000000 R09: 0000000000000000
[ 103.896127][T11093] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 103.904185][T11093] R13: 00000000004039a0 R14: 0000000000000000 R15: 0000000000000000
[ 103.914453][T11093]
[ 103.917395][T11093] Allocated by task 9251:
[ 103.924568][T11093] save_stack+0x23/0x90
[ 103.931152][T11093] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 103.938816][T11093] kasan_slab_alloc+0xf/0x20
[ 103.945094][T11093] kmem_cache_alloc+0x121/0x710
[ 103.950653][T11093] vm_area_dup+0x21/0x170
[ 103.955474][T11093] dup_mm+0x549/0x1430
[ 103.959702][T11093] copy_process+0x2ad6/0x7230
[ 103.965704][T11093] _do_fork+0x146/0x1090
[ 103.975637][T11093] __x64_sys_clone+0x19a/0x260
[ 103.983416][T11093] do_syscall_64+0xfa/0x790
[ 103.990748][T11093] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 103.999906][T11093]
[ 104.003576][T11093] Freed by task 10170:
[ 104.010556][T11093] save_stack+0x23/0x90
[ 104.018864][T11093] __kasan_slab_free+0x102/0x150
[ 104.025096][T11093] kasan_slab_free+0xe/0x10
[ 104.030180][T11093] kmem_cache_free+0x86/0x320
[ 104.036385][T11093] vm_area_free+0x1d/0x30
[ 104.040999][T11093] remove_vma+0x13f/0x180
[ 104.046992][T11093] exit_mmap+0x361/0x530
[ 104.052760][T11093] mmput+0x179/0x4d0
[ 104.060138][T11093] do_exit+0xac2/0x2f50
[ 104.064907][T11093] do_group_exit+0x135/0x360
[ 104.071199][T11093] __x64_sys_exit_group+0x44/0x50
[ 104.078392][T11093] do_syscall_64+0xfa/0x790
[ 104.084440][T11093] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.092749][T11093]
[ 104.097464][T11093] The buggy address belongs to the object at ffff88808b39f000
[ 104.097464][T11093] which belongs to the cache vm_area_struct of size 200
[ 104.121234][T11093] The buggy address is located 1 bytes inside of
[ 104.121234][T11093] 200-byte region [ffff88808b39f000, ffff88808b39f0c8)
[ 104.140590][T11093] The buggy address belongs to the page:
[ 104.148442][T11093] page:ffffea00022ce7c0 refcount:1 mapcount:0 mapping:ffff88821bc46c40 index:0xffff88808b39f210
[ 104.160384][T11093] raw: 00fffe0000000200 ffffea0002842cc8 ffffea00029a6088 ffff88821bc46c40
[ 104.169736][T11093] raw: ffff88808b39f210 ffff88808b39f000 0000000100000005 0000000000000000
[ 104.184222][T11093] page dumped because: kasan: bad access detected
[ 104.193706][T11093]
[ 104.196727][T11093] Memory state around the buggy address:
[ 104.203109][T11093] ffff88808b39ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 104.211965][T11093] ffff88808b39ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 104.220562][T11093] >ffff88808b39f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 104.229263][T11093] ^
[ 104.234866][T11093] ffff88808b39f080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 104.244030][T11093] ffff88808b39f100: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 104.252893][T11093] ==================================================================
[ 104.261802][T11093] Disabling lock debugging due to kernel taint
[ 104.268558][T11093] Kernel panic - not syncing: panic_on_warn set ...
[ 104.276134][T11093] CPU: 1 PID: 11093 Comm: syz-executor984 Tainted: G B 5.5.0-rc5-syzkaller #0
[ 104.288401][T11093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 104.300136][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 104.300800][T11093] Call Trace:
[ 104.309551][ T2839] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 104.312747][T11093] dump_stack+0x197/0x210
[ 104.312765][T11093] panic+0x2e3/0x75c
[ 104.312776][T11093] ? add_taint.cold+0x16/0x16
[ 104.312795][T11093] ? trace_hardirqs_on+0x5e/0x240
[ 104.312806][T11093] ? trace_hardirqs_on+0x5e/0x240
[ 104.312820][T11093] ? macvlan_broadcast+0x547/0x620
[ 104.312834][T11093] end_report+0x47/0x4f
[ 104.312845][T11093] ? macvlan_broadcast+0x547/0x620
[ 104.312856][T11093] __kasan_report.cold+0xe/0x41
[ 104.312869][T11093] ? validate_xmit_xfrm+0x3d0/0xf10
[ 104.312878][T11093] ? macvlan_broadcast+0x547/0x620
[ 104.312897][T11093] kasan_report+0x12/0x20
[ 104.382262][T11093] __asan_report_load_n_noabort+0xf/0x20
[ 104.388509][T11093] macvlan_broadcast+0x547/0x620
[ 104.394171][T11093] ? validate_xmit_skb+0x81f/0xe50
[ 104.399709][T11093] macvlan_start_xmit+0x402/0x77f
[ 104.405122][T11093] dev_direct_xmit+0x419/0x630
[ 104.410358][T11093] ? __check_heap_object+0x51/0xb3
[ 104.415812][T11093] ? validate_xmit_skb_list+0x150/0x150
[ 104.421373][T11093] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 104.428184][T11093] ? netdev_pick_tx+0x14e/0xb00
[ 104.433220][T11093] packet_direct_xmit+0x1a9/0x250
[ 104.439290][T11093] packet_sendmsg+0x260d/0x6220
[ 104.444977][T11093] ? mark_held_locks+0xf0/0xf0
[ 104.450372][T11093] ? tomoyo_mount_permission+0x200/0x400
[ 104.456049][T11093] ? packet_notifier+0x880/0x880
[ 104.461108][T11093] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 104.467385][T11093] ? security_socket_sendmsg+0x8d/0xc0
[ 104.473519][T11093] ? packet_notifier+0x880/0x880
[ 104.478591][T11093] sock_sendmsg+0xd7/0x130
[ 104.483303][T11093] __sys_sendto+0x262/0x380
[ 104.487802][T11093] ? __ia32_sys_getpeername+0xb0/0xb0
[ 104.493207][T11093] ? __ia32_sys_socketpair+0xf0/0xf0
[ 104.498491][T11093] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 104.503994][T11093] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 104.509698][T11093] ? do_syscall_64+0x26/0x790
[ 104.516076][T11093] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.522498][T11093] __x64_sys_sendto+0xe1/0x1a0
[ 104.527457][T11093] do_syscall_64+0xfa/0x790
[ 104.531980][T11093] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.538501][T11093] RIP: 0033:0x442469
[ 104.542407][T11093] Code: 45 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 104.562886][T11093] RSP: 002b:00007ffcf7c5c4d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 104.571311][T11093] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442469
[ 104.579778][T11093] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 104.592558][T11093] RBP: 00007ffcf7c5c500 R08: 0000000000000000 R09: 0000000000000000
[ 104.603557][T11093] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 104.613148][T11093] R13: 00000000004039a0 R14: 0000000000000000 R15: 0000000000000000
[ 104.623110][T11093] Kernel Offset: disabled
[ 104.627912][T11093] Rebooting in 86400 seconds..