[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.176' (ECDSA) to the list of known hosts.
2020/04/11 20:33:23 parsed 1 programs
2020/04/11 20:33:25 executed programs: 0
syzkaller login: [ 120.690760] audit: type=1400 audit(1586637205.563:8): avc: denied { execmem } for pid=6464 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 120.734168] IPVS: ftp: loaded support on port[0] = 21
[ 120.831356] chnl_net:caif_netlink_parms(): no params data found
[ 120.954732] bridge0: port 1(bridge_slave_0) entered blocking state
[ 120.961957] bridge0: port 1(bridge_slave_0) entered disabled state
[ 120.969236] device bridge_slave_0 entered promiscuous mode
[ 120.979559] bridge0: port 2(bridge_slave_1) entered blocking state
[ 120.986640] bridge0: port 2(bridge_slave_1) entered disabled state
[ 120.994119] device bridge_slave_1 entered promiscuous mode
[ 121.013301] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 121.023106] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 121.043842] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 121.052382] team0: Port device team_slave_0 added
[ 121.058084] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 121.066141] team0: Port device team_slave_1 added
[ 121.083782] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 121.090044] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 121.116026] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 121.128043] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 121.134382] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 121.159704] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 121.170806] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 121.179151] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 121.234630] device hsr_slave_0 entered promiscuous mode
[ 121.271961] device hsr_slave_1 entered promiscuous mode
[ 121.301987] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 121.309240] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 121.387835] bridge0: port 2(bridge_slave_1) entered blocking state
[ 121.394398] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 121.401554] bridge0: port 1(bridge_slave_0) entered blocking state
[ 121.407949] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 121.444827] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 121.452765] 8021q: adding VLAN 0 to HW filter on device bond0
[ 121.463996] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 121.473828] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 121.483825] bridge0: port 1(bridge_slave_0) entered disabled state
[ 121.491659] bridge0: port 2(bridge_slave_1) entered disabled state
[ 121.499069] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 121.510498] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 121.517578] 8021q: adding VLAN 0 to HW filter on device team0
[ 121.527456] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 121.536249] bridge0: port 1(bridge_slave_0) entered blocking state
[ 121.542692] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 121.554292] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 121.563758] bridge0: port 2(bridge_slave_1) entered blocking state
[ 121.570163] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 121.592993] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 121.602656] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 121.610335] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 121.619275] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 121.630685] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 121.640698] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 121.647342] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 121.663912] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 121.671818] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 121.678565] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 121.691805] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 121.705384] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 121.715407] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 121.756498] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 121.764436] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 121.772217] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 121.783657] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 121.791533] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 121.798538] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 121.809154] device veth0_vlan entered promiscuous mode
[ 121.820143] device veth1_vlan entered promiscuous mode
[ 121.835780] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 121.845307] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 121.853574] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 121.862684] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 121.872639] device veth0_macvtap entered promiscuous mode
[ 121.878948] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 121.889307] device veth1_macvtap entered promiscuous mode
[ 121.896081] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 121.905744] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 121.916339] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 121.926837] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 121.934292] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 121.941515] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 121.948867] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 121.956349] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 121.964635] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 121.977110] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 121.986184] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 121.994123] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 122.003975] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 122.554006] ==================================================================
[ 122.561561] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 122.568076] Read of size 8 at addr ffff8880a0168ea0 by task syz-executor.0/6776
[ 122.575511]
[ 122.577131] CPU: 0 PID: 6776 Comm: syz-executor.0 Not tainted 4.19.114-syzkaller #0
[ 122.584909] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.594246] Call Trace:
[ 122.596840]  dump_stack+0x188/0x20d
[ 122.600462]  ? __list_add_valid+0x93/0xa0
[ 122.604602]  print_address_description.cold+0x7c/0x212
[ 122.609894]  ? __list_add_valid+0x93/0xa0
[ 122.614039]  kasan_report.cold+0x88/0x2b9
[ 122.618182]  __list_add_valid+0x93/0xa0
[ 122.622142]  rdma_listen+0x609/0x880
[ 122.625856]  ucma_listen+0x14d/0x1c0
[ 122.629556]  ? ucma_notify+0x190/0x190
[ 122.633433]  ? __might_fault+0x192/0x1d0
[ 122.637497]  ? _copy_from_user+0xd2/0x140
[ 122.641639]  ? ucma_notify+0x190/0x190
[ 122.645526]  ucma_write+0x285/0x350
[ 122.649170]  ? ucma_open+0x280/0x280
[ 122.652906]  ? __fget+0x319/0x510
[ 122.656358]  __vfs_write+0xf7/0x760
[ 122.659976]  ? ucma_open+0x280/0x280
[ 122.663705]  ? kernel_read+0x110/0x110
[ 122.667603]  ? __inode_security_revalidate+0xd3/0x120
[ 122.672788]  ? avc_policy_seqno+0x9/0x70
[ 122.676845]  ? selinux_file_permission+0x87/0x520
[ 122.681793]  ? security_file_permission+0x84/0x220
[ 122.686822]  vfs_write+0x206/0x550
[ 122.690354]  ksys_write+0x12b/0x2a0
[ 122.693975]  ? __ia32_sys_read+0xb0/0xb0
[ 122.698027]  ? __ia32_sys_clock_settime+0x260/0x260
[ 122.703031]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 122.707772]  ? trace_hardirqs_off_caller+0x55/0x210
[ 122.712901]  ? do_syscall_64+0x21/0x620
[ 122.716899]  do_syscall_64+0xf9/0x620
[ 122.720695]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.725892] RIP: 0033:0x45c889
[ 122.729072] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 122.747974] RSP: 002b:00007f553416ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 122.755792] RAX: ffffffffffffffda RBX: 00007f553416f6d4 RCX: 000000000045c889
[ 122.763057] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 122.770316] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 122.777576] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 122.784902] R13: 0000000000000cc0 R14: 00000000004cee8e R15: 000000000076bf0c
[ 122.792220]
[ 122.793838] Allocated by task 6768:
[ 122.797461]  kasan_kmalloc+0xbf/0xe0
[ 122.801167]  kmem_cache_alloc_trace+0x14d/0x7a0
[ 122.805833]  __rdma_create_id+0x5b/0x630
[ 122.809925]  ucma_create_id+0x1cb/0x5a0
[ 122.813884]  ucma_write+0x285/0x350
[ 122.817494]  __vfs_write+0xf7/0x760
[ 122.821116]  vfs_write+0x206/0x550
[ 122.824658]  ksys_write+0x12b/0x2a0
[ 122.828270]  do_syscall_64+0xf9/0x620
[ 122.832056]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.837224]
[ 122.838832] Freed by task 6772:
[ 122.842102]  __kasan_slab_free+0xf7/0x140
[ 122.846233]  kfree+0xce/0x220
[ 122.849340]  ucma_close+0x10b/0x320
[ 122.852961]  __fput+0x2cd/0x890
[ 122.856228]  task_work_run+0x13f/0x1b0
[ 122.860096]  get_signal+0x1b83/0x1f90
[ 122.863885]  do_signal+0x8f/0x1710
[ 122.867418]  exit_to_usermode_loop+0x22b/0x2b0
[ 122.871995]  do_syscall_64+0x538/0x620
[ 122.875879]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.881059]
[ 122.882742] The buggy address belongs to the object at ffff8880a0168cc0
[ 122.882742]  which belongs to the cache kmalloc-2048 of size 2048
[ 122.895628] The buggy address is located 480 bytes inside of
[ 122.895628]  2048-byte region [ffff8880a0168cc0, ffff8880a01694c0)
[ 122.907595] The buggy address belongs to the page:
[ 122.912525] page:ffffea0002805a00 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
[ 122.922499] flags: 0xfffe0000008100(slab|head)
[ 122.927075] raw: 00fffe0000008100 ffffea000212cf88 ffffea0002212c08 ffff88812c3dcc40
[ 122.934963] raw: 0000000000000000 ffff8880a0168440 0000000100000003 0000000000000000
[ 122.942833] page dumped because: kasan: bad access detected
[ 122.948524]
[ 122.950172] Memory state around the buggy address:
[ 122.955111]  ffff8880a0168d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.962487]  ffff8880a0168e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.969876] >ffff8880a0168e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.977233]                                ^
[ 122.981649]  ffff8880a0168f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.989007]  ffff8880a0168f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.996360] ==================================================================
[ 123.003702] Disabling lock debugging due to kernel taint
[ 123.018940] Kernel panic - not syncing: panic_on_warn set ...
[ 123.018940]
[ 123.026341] CPU: 0 PID: 6776 Comm: syz-executor.0 Tainted: G B 4.19.114-syzkaller #0
[ 123.035525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 123.044881] Call Trace:
[ 123.047487]  dump_stack+0x188/0x20d
[ 123.051143]  panic+0x26a/0x50e
[ 123.054328]  ? __warn_printk+0xf3/0xf3
[ 123.058204]  ? preempt_schedule_common+0x4a/0xc0
[ 123.062992]  ? __list_add_valid+0x93/0xa0
[ 123.067140]  ? ___preempt_schedule+0x16/0x18
[ 123.071592]  ? trace_hardirqs_on+0x55/0x210
[ 123.075906]  ? __list_add_valid+0x93/0xa0
[ 123.080047]  kasan_end_report+0x43/0x49
[ 123.084031]  kasan_report.cold+0xa4/0x2b9
[ 123.088181]  __list_add_valid+0x93/0xa0
[ 123.092165]  rdma_listen+0x609/0x880
[ 123.095877]  ucma_listen+0x14d/0x1c0
[ 123.099574]  ? ucma_notify+0x190/0x190
[ 123.103451]  ? __might_fault+0x192/0x1d0
[ 123.107543]  ? _copy_from_user+0xd2/0x140
[ 123.111733]  ? ucma_notify+0x190/0x190
[ 123.115606]  ucma_write+0x285/0x350
[ 123.119216]  ? ucma_open+0x280/0x280
[ 123.122981]  ? __fget+0x319/0x510
[ 123.126426]  __vfs_write+0xf7/0x760
[ 123.130052]  ? ucma_open+0x280/0x280
[ 123.133796]  ? kernel_read+0x110/0x110
[ 123.137669]  ? __inode_security_revalidate+0xd3/0x120
[ 123.142856]  ? avc_policy_seqno+0x9/0x70
[ 123.146905]  ? selinux_file_permission+0x87/0x520
[ 123.151734]  ? security_file_permission+0x84/0x220
[ 123.156651]  vfs_write+0x206/0x550
[ 123.160192]  ksys_write+0x12b/0x2a0
[ 123.163805]  ? __ia32_sys_read+0xb0/0xb0
[ 123.167852]  ? __ia32_sys_clock_settime+0x260/0x260
[ 123.172875]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 123.177615]  ? trace_hardirqs_off_caller+0x55/0x210
[ 123.182633]  ? do_syscall_64+0x21/0x620
[ 123.186601]  do_syscall_64+0xf9/0x620
[ 123.190397]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 123.195679] RIP: 0033:0x45c889
[ 123.198867] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 123.217765] RSP: 002b:00007f553416ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 123.225464] RAX: ffffffffffffffda RBX: 00007f553416f6d4 RCX: 000000000045c889
[ 123.232718] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 123.239974] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 123.247228] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 123.254486] R13: 0000000000000cc0 R14: 00000000004cee8e R15: 000000000076bf0c
[ 123.263051] Kernel Offset: disabled
[ 123.266679] Rebooting in 86400 seconds..