INIT: Entering runlevel: 2
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
2018/03/26 03:52:26 parsed 1 programs
2018/03/26 03:52:26 executed programs: 0
syzkaller login: [   23.770358] IPVS: ftp: loaded support on port[0] = 21
[   25.115901] ==================================================================
[   25.123382] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150
[   25.130563] Read of size 8 at addr ffff8801b74ea220 by task syz-executor0/4479
[   25.137895] 
[   25.139498] CPU: 1 PID: 4479 Comm: syz-executor0 Not tainted 4.16.0-rc6+ #276
[   25.146753] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.156096] Call Trace:
[   25.158670]  dump_stack+0x194/0x24d
[   25.162289]  ? arch_local_irq_restore+0x53/0x53
[   25.166936]  ? show_regs_print_info+0x18/0x18
[   25.171408]  ? rcu_note_context_switch+0x710/0x710
[   25.176324]  ? __list_del_entry_valid+0x144/0x150
[   25.181159]  print_address_description+0x73/0x250
[   25.185999]  ? __list_del_entry_valid+0x144/0x150
[   25.190822]  kasan_report+0x23c/0x360
[   25.194603]  __asan_report_load8_noabort+0x14/0x20
[   25.199516]  __list_del_entry_valid+0x144/0x150
[   25.204206]  cma_cancel_operation+0x455/0xd60
[   25.208685]  ? finish_task_switch+0x182/0x7e0
[   25.213174]  ? find_held_lock+0x35/0x1d0
[   25.217229]  ? rdma_destroy_id+0xda0/0xda0
[   25.221437]  ? rdma_destroy_id+0xf4/0xda0
[   25.225568]  ? lock_downgrade+0x980/0x980
[   25.229736]  ? lock_release+0xa40/0xa40
[   25.233693]  ? do_raw_spin_trylock+0x190/0x190
[   25.238255]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[   25.243356]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.248354]  rdma_destroy_id+0xff/0xda0
[   25.252307]  ? lock_release+0xa40/0xa40
[   25.256263]  ? lock_downgrade+0x980/0x980
[   25.260411]  ? cma_release_dev+0x350/0x350
[   25.264626]  ? radix_tree_delete_item+0x146/0x280
[   25.269558]  ucma_close+0x100/0x2f0
[   25.273183]  ? ucma_free_ctx+0xd90/0xd90
[   25.277231]  __fput+0x327/0x7e0
[   25.280766]  ? fput+0x140/0x140
[   25.284020]  ? check_same_owner+0x320/0x320
[   25.288315]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.292797]  ____fput+0x15/0x20
[   25.296050]  task_work_run+0x199/0x270
[   25.299914]  ? task_work_cancel+0x210/0x210
[   25.304219]  ? _raw_spin_unlock+0x22/0x30
[   25.308369]  ? switch_task_namespaces+0x87/0xc0
[   25.313022]  do_exit+0x9bb/0x1ad0
[   25.316450]  ? find_held_lock+0x35/0x1d0
[   25.320491]  ? mm_update_next_owner+0x930/0x930
[   25.325159]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   25.330339]  ? lock_downgrade+0x980/0x980
[   25.334482]  ? __unqueue_futex+0x1c0/0x290
[   25.338690]  ? lock_release+0xa40/0xa40
[   25.342652]  ? fault_in_user_writeable+0x90/0x90
[   25.347386]  ? do_raw_spin_trylock+0x190/0x190
[   25.351942]  ? futex_wake+0x680/0x680
[   25.355729]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   25.360807]  ? futex_wait+0x6a9/0x9a0
[   25.364598]  ? trace_hardirqs_off+0x10/0x10
[   25.368899]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   25.373990]  ? futex_wake+0x2ca/0x680
[   25.377787]  ? memset+0x31/0x40
[   25.381069]  ? find_held_lock+0x35/0x1d0
[   25.385130]  ? get_signal+0x7a9/0x16d0
[   25.389016]  ? lock_downgrade+0x980/0x980
[   25.393182]  do_group_exit+0x149/0x400
[   25.397079]  ? do_raw_spin_trylock+0x190/0x190
[   25.401670]  ? SyS_exit+0x30/0x30
[   25.405120]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.409607]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.414624]  get_signal+0x73a/0x16d0
[   25.418335]  ? ptrace_notify+0x130/0x130
[   25.422379]  ? ucma_put_ctx+0x26/0x30
[   25.426155]  ? ucma_listen+0x182/0x1f0
[   25.430019]  ? ucma_accept+0x970/0x970
[   25.433899]  ? kasan_check_write+0x14/0x20
[   25.438119]  ? _copy_from_user+0x99/0x110
[   25.442251]  ? ucma_write+0x11f/0x3d0
[   25.446035]  ? ucma_accept+0x970/0x970
[   25.449906]  ? ucma_close_id+0x60/0x60
[   25.453783]  do_signal+0x90/0x1e90
[   25.457323]  ? ucma_close_id+0x60/0x60
[   25.461193]  ? __vfs_write+0xf7/0x970
[   25.464970]  ? setup_sigcontext+0x7d0/0x7d0
[   25.469277]  ? kernel_read+0x120/0x120
[   25.473145]  ? fsnotify+0x7b3/0x1140
[   25.476855]  ? exit_to_usermode_loop+0x8c/0x2f0
[   25.481523]  exit_to_usermode_loop+0x258/0x2f0
[   25.486096]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   25.491630]  ? do_fast_syscall_32+0x156/0xf9f
[   25.496119]  do_fast_syscall_32+0xbe6/0xf9f
[   25.500425]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.504908]  ? do_int80_syscall_32+0x9c0/0x9c0
[   25.509489]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.513969]  ? finish_task_switch+0x1c1/0x7e0
[   25.518461]  ? syscall_return_slowpath+0x2ac/0x550
[   25.523471]  ? prepare_exit_to_usermode+0x350/0x350
[   25.528481]  ? sysret32_from_system_call+0x5/0x3c
[   25.533315]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.538152]  entry_SYSENTER_compat+0x70/0x7f
[   25.542535] RIP: 0023:0xf7f8bc99
[   25.545877] RSP: 002b:00000000f7f6610c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[   25.553571] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000
[   25.560823] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   25.568067] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   25.575314] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   25.582579] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   25.589850] 
[   25.591462] Allocated by task 4476:
[   25.595074]  save_stack+0x43/0xd0
[   25.598499]  kasan_kmalloc+0xad/0xe0
[   25.602197]  kmem_cache_alloc_trace+0x136/0x740
[   25.606860]  rdma_create_id+0xd0/0x630
[   25.610736]  ucma_create_id+0x35f/0x920
[   25.614701]  ucma_write+0x2d6/0x3d0
[   25.618330]  __vfs_write+0xef/0x970
[   25.621947]  vfs_write+0x189/0x510
[   25.625473]  SyS_write+0xef/0x220
[   25.628911]  do_fast_syscall_32+0x3ec/0xf9f
[   25.633216]  entry_SYSENTER_compat+0x70/0x7f
[   25.637597] 
[   25.639200] Freed by task 4479:
[   25.642459]  save_stack+0x43/0xd0
[   25.645894]  __kasan_slab_free+0x11a/0x170
[   25.650131]  kasan_slab_free+0xe/0x10
[   25.653919]  kfree+0xd9/0x260
[   25.657024]  rdma_destroy_id+0x821/0xda0
[   25.661069]  ucma_close+0x100/0x2f0
[   25.664681]  __fput+0x327/0x7e0
[   25.667947]  ____fput+0x15/0x20
[   25.671213]  task_work_run+0x199/0x270
[   25.675087]  do_exit+0x9bb/0x1ad0
[   25.678523]  do_group_exit+0x149/0x400
[   25.682389]  get_signal+0x73a/0x16d0
[   25.686091]  do_signal+0x90/0x1e90
[   25.689621]  exit_to_usermode_loop+0x258/0x2f0
[   25.694202]  do_fast_syscall_32+0xbe6/0xf9f
[   25.698515]  entry_SYSENTER_compat+0x70/0x7f
[   25.702905] 
[   25.704516] The buggy address belongs to the object at ffff8801b74ea040
[   25.704516]  which belongs to the cache kmalloc-1024 of size 1024
[   25.717326] The buggy address is located 480 bytes inside of
[   25.717326]  1024-byte region [ffff8801b74ea040, ffff8801b74ea440)
[   25.729267] The buggy address belongs to the page:
[   25.734184] page:ffffea0006dd3a80 count:1 mapcount:0 mapping:ffff8801b74ea040 index:0x0 compound_mapcount: 0
[   25.744153] flags: 0x2fffc0000008100(slab|head)
[   25.748798] raw: 02fffc0000008100 ffff8801b74ea040 0000000000000000 0000000100000007
[   25.756660] raw: ffffea0006dd97a0 ffffea0006dd52a0 ffff8801dac00ac0 0000000000000000
[   25.764521] page dumped because: kasan: bad access detected
[   25.770200] 
[   25.771805] Memory state around the buggy address:
[   25.776707]  ffff8801b74ea100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.784047]  ffff8801b74ea180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.791380] >ffff8801b74ea200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.798711]                                ^
[   25.803091]  ffff8801b74ea280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.810774]  ffff8801b74ea300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.818122] ==================================================================
[   25.825470] Disabling lock debugging due to kernel taint
[   25.831025] Kernel panic - not syncing: panic_on_warn set ...
[   25.831025] 
[   25.838367] CPU: 1 PID: 4479 Comm: syz-executor0 Tainted: G    B            4.16.0-rc6+ #276
[   25.846923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.856264] Call Trace:
[   25.858833]  dump_stack+0x194/0x24d
[   25.862452]  ? arch_local_irq_restore+0x53/0x53
[   25.867105]  ? kasan_end_report+0x32/0x50
[   25.871240]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.875980]  ? vsnprintf+0x1ed/0x1900
[   25.879760]  ? __list_del_entry_valid+0xc0/0x150
[   25.884584]  panic+0x1e4/0x41c
[   25.887763]  ? refcount_error_report+0x214/0x214
[   25.892504]  ? add_taint+0x1c/0x50
[   25.896021]  ? add_taint+0x1c/0x50
[   25.899557]  ? __list_del_entry_valid+0x144/0x150
[   25.904463]  kasan_end_report+0x50/0x50
[   25.908430]  kasan_report+0x149/0x360
[   25.912211]  __asan_report_load8_noabort+0x14/0x20
[   25.917387]  __list_del_entry_valid+0x144/0x150
[   25.922045]  cma_cancel_operation+0x455/0xd60
[   25.926525]  ? finish_task_switch+0x182/0x7e0
[   25.931002]  ? find_held_lock+0x35/0x1d0
[   25.935039]  ? rdma_destroy_id+0xda0/0xda0
[   25.939252]  ? rdma_destroy_id+0xf4/0xda0
[   25.943376]  ? lock_downgrade+0x980/0x980
[   25.947499]  ? lock_release+0xa40/0xa40
[   25.951448]  ? do_raw_spin_trylock+0x190/0x190
[   25.956014]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[   25.961100]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.966105]  rdma_destroy_id+0xff/0xda0
[   25.970076]  ? lock_release+0xa40/0xa40
[   25.974040]  ? lock_downgrade+0x980/0x980
[   25.978179]  ? cma_release_dev+0x350/0x350
[   25.982408]  ? radix_tree_delete_item+0x146/0x280
[   25.987239]  ucma_close+0x100/0x2f0
[   25.990851]  ? ucma_free_ctx+0xd90/0xd90
[   25.994897]  __fput+0x327/0x7e0
[   25.998164]  ? fput+0x140/0x140
[   26.001417]  ? check_same_owner+0x320/0x320
[   26.005716]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.010209]  ____fput+0x15/0x20
[   26.013465]  task_work_run+0x199/0x270
[   26.017328]  ? task_work_cancel+0x210/0x210
[   26.021633]  ? _raw_spin_unlock+0x22/0x30
[   26.025766]  ? switch_task_namespaces+0x87/0xc0
[   26.030419]  do_exit+0x9bb/0x1ad0
[   26.033845]  ? find_held_lock+0x35/0x1d0
[   26.037876]  ? mm_update_next_owner+0x930/0x930
[   26.042517]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   26.047678]  ? lock_downgrade+0x980/0x980
[   26.051799]  ? __unqueue_futex+0x1c0/0x290
[   26.056003]  ? lock_release+0xa40/0xa40
[   26.059949]  ? fault_in_user_writeable+0x90/0x90
[   26.064679]  ? do_raw_spin_trylock+0x190/0x190
[   26.069242]  ? futex_wake+0x680/0x680
[   26.073030]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   26.078123]  ? futex_wait+0x6a9/0x9a0
[   26.081910]  ? trace_hardirqs_off+0x10/0x10
[   26.086207]  ? drop_futex_key_refs.isra.13+0x63/0xb0
[   26.091277]  ? futex_wake+0x2ca/0x680
[   26.095053]  ? memset+0x31/0x40
[   26.098322]  ? find_held_lock+0x35/0x1d0
[   26.102368]  ? get_signal+0x7a9/0x16d0
[   26.106239]  ? lock_downgrade+0x980/0x980
[   26.110374]  do_group_exit+0x149/0x400
[   26.114898]  ? do_raw_spin_trylock+0x190/0x190
[   26.119449]  ? SyS_exit+0x30/0x30
[   26.122878]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.127357]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.132358]  get_signal+0x73a/0x16d0
[   26.136056]  ? ptrace_notify+0x130/0x130
[   26.140090]  ? ucma_put_ctx+0x26/0x30
[   26.143861]  ? ucma_listen+0x182/0x1f0
[   26.147730]  ? ucma_accept+0x970/0x970
[   26.151591]  ? kasan_check_write+0x14/0x20
[   26.155807]  ? _copy_from_user+0x99/0x110
[   26.159941]  ? ucma_write+0x11f/0x3d0
[   26.163727]  ? ucma_accept+0x970/0x970
[   26.167598]  ? ucma_close_id+0x60/0x60
[   26.171470]  do_signal+0x90/0x1e90
[   26.174987]  ? ucma_close_id+0x60/0x60
[   26.178846]  ? __vfs_write+0xf7/0x970
[   26.182620]  ? setup_sigcontext+0x7d0/0x7d0
[   26.186912]  ? kernel_read+0x120/0x120
[   26.190779]  ? fsnotify+0x7b3/0x1140
[   26.194484]  ? exit_to_usermode_loop+0x8c/0x2f0
[   26.199128]  exit_to_usermode_loop+0x258/0x2f0
[   26.203695]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   26.209212]  ? do_fast_syscall_32+0x156/0xf9f
[   26.213692]  do_fast_syscall_32+0xbe6/0xf9f
[   26.217995]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.222464]  ? do_int80_syscall_32+0x9c0/0x9c0
[   26.227021]  ? _raw_spin_unlock_irq+0x27/0x70
[   26.231494]  ? finish_task_switch+0x1c1/0x7e0
[   26.235970]  ? syscall_return_slowpath+0x2ac/0x550
[   26.240883]  ? prepare_exit_to_usermode+0x350/0x350
[   26.245889]  ? sysret32_from_system_call+0x5/0x3c
[   26.250713]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.255531]  entry_SYSENTER_compat+0x70/0x7f
[   26.259909] RIP: 0023:0xf7f8bc99
[   26.263241] RSP: 002b:00000000f7f6610c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[   26.271280] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000
[   26.278523] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   26.285763] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   26.293001] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   26.300249] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   26.307538] Dumping ftrace buffer:
[   26.311053]    (ftrace buffer empty)
[   26.314734] Kernel Offset: disabled
[   26.318337] Rebooting in 86400 seconds..