[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts.
2021/04/06 02:59:26 parsed 1 programs
2021/04/06 02:59:26 executed programs: 0
syzkaller login: [   30.476446] IPVS: ftp: loaded support on port[0] = 21
[   30.571077] chnl_net:caif_netlink_parms(): no params data found
[   30.645719] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.652528] bridge0: port 1(bridge_slave_0) entered disabled state
[   30.659566] device bridge_slave_0 entered promiscuous mode
[   30.667056] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.674137] bridge0: port 2(bridge_slave_1) entered disabled state
[   30.681459] device bridge_slave_1 entered promiscuous mode
[   30.697911] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   30.706645] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   30.724523] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   30.731777] team0: Port device team_slave_0 added
[   30.737168] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   30.744549] team0: Port device team_slave_1 added
[   30.758720] batman_adv: batadv0: Adding interface: batadv_slave_0
[   30.765017] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   30.790250] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   30.801756] batman_adv: batadv0: Adding interface: batadv_slave_1
[   30.807978] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   30.834407] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   30.844987] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   30.852817] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   30.871135] device hsr_slave_0 entered promiscuous mode
[   30.876729] device hsr_slave_1 entered promiscuous mode
[   30.883012] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   30.890075] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   30.951410] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.957919] bridge0: port 2(bridge_slave_1) entered forwarding state
[   30.964910] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.971353] bridge0: port 1(bridge_slave_0) entered forwarding state
[   30.998945] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   31.005209] 8021q: adding VLAN 0 to HW filter on device bond0
[   31.014237] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.022759] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.041738] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.048899] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.059178] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   31.065874] 8021q: adding VLAN 0 to HW filter on device team0
[   31.074208] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   31.082406] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.088759] bridge0: port 1(bridge_slave_0) entered forwarding state
[   31.098672] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   31.106445] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.112954] bridge0: port 2(bridge_slave_1) entered forwarding state
[   31.130278] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   31.137951] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   31.145675] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   31.153884] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   31.163258] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   31.172551] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   31.178635] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   31.190667] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   31.197748] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   31.205400] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   31.215733] 8021q: adding VLAN 0 to HW filter on device batadv0
[   31.265882] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   31.275593] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   31.304672] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   31.313114] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   31.319701] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   31.328401] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   31.336367] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   31.343595] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   31.352463] device veth0_vlan entered promiscuous mode
[   31.361835] device veth1_vlan entered promiscuous mode
[   31.367686] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   31.376692] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   31.387555] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   31.397212] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   31.404787] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   31.412666] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   31.422088] device veth0_macvtap entered promiscuous mode
[   31.428061] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   31.436061] device veth1_macvtap entered promiscuous mode
[   31.444729] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   31.453570] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   31.462971] batman_adv: batadv0: Interface activated: batadv_slave_0
[   31.470028] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   31.478765] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   31.488264] batman_adv: batadv0: Interface activated: batadv_slave_1
[   31.495131] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   31.560126] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.508921] Bluetooth: hci0 command 0x0409 tx timeout
2021/04/06 02:59:31 executed programs: 114
[   34.591133] Bluetooth: hci0 command 0x041b tx timeout
[   36.676496] Bluetooth: hci0 command 0x040f tx timeout
[   38.745050] Bluetooth: hci0 command 0x0419 tx timeout
[   39.286553] ==================================================================
[   39.294310] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   39.300798] Read of size 8 at addr ffff8880a3b42f58 by task syz-executor.0/10392
[   39.308308] 
[   39.309930] CPU: 1 PID: 10392 Comm: syz-executor.0 Not tainted 4.14.228-syzkaller #0
[   39.317787] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.327132] Call Trace:
[   39.329722]  dump_stack+0x1b2/0x281
[   39.333338]  print_address_description.cold+0x54/0x1d3
[   39.338597]  kasan_report_error.cold+0x8a/0x191
[   39.343268]  ? __list_add_valid+0x93/0xa0
[   39.347406]  __asan_report_load8_noabort+0x68/0x70
[   39.352313]  ? __list_add_valid+0x93/0xa0
[   39.356461]  __list_add_valid+0x93/0xa0
[   39.360434]  rdma_listen+0x656/0x9b0
[   39.364135]  ucma_listen+0x10b/0x170
[   39.367842]  ? ucma_bind_ip+0x150/0x150
[   39.371799]  ? _copy_from_user+0x96/0x100
[   39.375928]  ? ucma_bind_ip+0x150/0x150
[   39.379883]  ucma_write+0x206/0x2c0
[   39.383541]  ? ucma_set_ib_path+0x510/0x510
[   39.387864]  __vfs_write+0xe4/0x630
[   39.391471]  ? ucma_set_ib_path+0x510/0x510
[   39.395769]  ? debug_check_no_obj_freed+0x2c0/0x680
[   39.400763]  ? kernel_read+0x110/0x110
[   39.404810]  ? common_file_perm+0x3ee/0x580
[   39.409119]  ? security_file_permission+0x82/0x1e0
[   39.414040]  ? rw_verify_area+0xe1/0x2a0
[   39.418108]  vfs_write+0x17f/0x4d0
[   39.421629]  SyS_write+0xf2/0x210
[   39.425066]  ? SyS_read+0x210/0x210
[   39.428681]  ? __do_page_fault+0x159/0xad0
[   39.432899]  ? do_syscall_64+0x4c/0x640
[   39.436869]  ? SyS_read+0x210/0x210
[   39.440577]  do_syscall_64+0x1d5/0x640
[   39.444464]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   39.449646] RIP: 0033:0x466459
[   39.452923] RSP: 002b:00007fd2581c5188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   39.460629] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459
[   39.467878] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
[   39.475215] RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
[   39.482465] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[   39.489728] R13: 00007ffd852ad94f R14: 00007fd2581c5300 R15: 0000000000022000
[   39.496987] 
[   39.498599] Allocated by task 10385:
[   39.502293]  kasan_kmalloc+0xeb/0x160
[   39.506082]  kmem_cache_alloc_trace+0x131/0x3d0
[   39.510731]  rdma_create_id+0x57/0x4c0
[   39.514599]  ucma_create_id+0x18b/0x500
[   39.518582]  ucma_write+0x206/0x2c0
[   39.522245]  __vfs_write+0xe4/0x630
[   39.525852]  vfs_write+0x17f/0x4d0
[   39.529411]  SyS_write+0xf2/0x210
[   39.532848]  do_syscall_64+0x1d5/0x640
[   39.536726]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   39.541906] 
[   39.543594] Freed by task 10384:
[   39.546944]  kasan_slab_free+0xc3/0x1a0
[   39.550899]  kfree+0xc9/0x250
[   39.554006]  ucma_close+0x11a/0x340
[   39.557617]  __fput+0x25f/0x7a0
[   39.560888]  task_work_run+0x11f/0x190
[   39.564766]  exit_to_usermode_loop+0x1ad/0x200
[   39.569328]  do_syscall_64+0x4a3/0x640
[   39.573204]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   39.578369] 
[   39.580255] The buggy address belongs to the object at ffff8880a3b42d80
[   39.580255]  which belongs to the cache kmalloc-1024 of size 1024
[   39.593066] The buggy address is located 472 bytes inside of
[   39.593066]  1024-byte region [ffff8880a3b42d80, ffff8880a3b43180)
[   39.605005] The buggy address belongs to the page:
[   39.609916] page:ffffea00028ed080 count:1 mapcount:0 mapping:ffff8880a3b42000 index:0xffff8880a3b43b00 compound_mapcount: 0
[   39.621169] flags: 0xfff00000008100(slab|head)
[   39.625735] raw: 00fff00000008100 ffff8880a3b42000 ffff8880a3b43b00 0000000100000006
[   39.633608] raw: ffffea0002467b20 ffffea0002d246a0 ffff88813fe80ac0 0000000000000000
[   39.641466] page dumped because: kasan: bad access detected
[   39.647171] 
[   39.648775] Memory state around the buggy address:
[   39.653683]  ffff8880a3b42e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.661033]  ffff8880a3b42e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.668380] >ffff8880a3b42f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.675725]                                                     ^
[   39.681947]  ffff8880a3b42f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.689288]  ffff8880a3b43000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.696634] ==================================================================
[   39.703981] Disabling lock debugging due to kernel taint
[   39.710500] Kernel panic - not syncing: panic_on_warn set ...
[   39.710500] 
[   39.717872] CPU: 1 PID: 10392 Comm: syz-executor.0 Tainted: G B 4.14.228-syzkaller #0
[   39.726984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.736338] Call Trace:
[   39.738926]  dump_stack+0x1b2/0x281
[   39.742559]  panic+0x1f9/0x42d
[   39.745733]  ? add_taint.cold+0x16/0x16
[   39.749689]  ? ___preempt_schedule+0x16/0x18
[   39.754079]  kasan_end_report+0x43/0x49
[   39.758049]  kasan_report_error.cold+0xa7/0x191
[   39.762702]  ? __list_add_valid+0x93/0xa0
[   39.766934]  __asan_report_load8_noabort+0x68/0x70
[   39.771857]  ? __list_add_valid+0x93/0xa0
[   39.775983]  __list_add_valid+0x93/0xa0
[   39.779937]  rdma_listen+0x656/0x9b0
[   39.783631]  ucma_listen+0x10b/0x170
[   39.787336]  ? ucma_bind_ip+0x150/0x150
[   39.793908]  ? _copy_from_user+0x96/0x100
[   39.798046]  ? ucma_bind_ip+0x150/0x150
[   39.802000]  ucma_write+0x206/0x2c0
[   39.805622]  ? ucma_set_ib_path+0x510/0x510
[   39.809922]  __vfs_write+0xe4/0x630
[   39.813525]  ? ucma_set_ib_path+0x510/0x510
[   39.817832]  ? debug_check_no_obj_freed+0x2c0/0x680
[   39.822826]  ? kernel_read+0x110/0x110
[   39.827067]  ? common_file_perm+0x3ee/0x580
[   39.831381]  ? security_file_permission+0x82/0x1e0
[   39.836302]  ? rw_verify_area+0xe1/0x2a0
[   39.840355]  vfs_write+0x17f/0x4d0
[   39.843892]  SyS_write+0xf2/0x210
[   39.847325]  ? SyS_read+0x210/0x210
[   39.850931]  ? __do_page_fault+0x159/0xad0
[   39.855142]  ? do_syscall_64+0x4c/0x640
[   39.859090]  ? SyS_read+0x210/0x210
[   39.862693]  do_syscall_64+0x1d5/0x640
[   39.866574]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   39.871740] RIP: 0033:0x466459
[   39.874907] RSP: 002b:00007fd2581c5188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   39.882702] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000466459
[   39.889950] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
[   39.897325] RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
[   39.904576] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[   39.911843] R13: 00007ffd852ad94f R14: 00007fd2581c5300 R15: 0000000000022000
[   39.919154] Kernel Offset: disabled
[   39.922785] Rebooting in 86400 seconds..
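What matters for triage in the report above is not the boot noise but five facts: the bug class (use-after-free), the function that touched freed memory (__list_add_valid, called from rdma_listen via ucma_listen, i.e. the RDMA_USER_CM_CMD_LISTEN write to the rdma_cm device), the allocation site (rdma_create_id from ucma_create_id, task 10385), the free site (ucma_close from __fput, task 10384) and the fact that the access comes from a third task (10392). Three different tasks creating, closing and then using one ucma context is the signature of a race between close and a still-running command on a shared file, and the "fb" shadow bytes around the address are KASAN's poison for a freed kmalloc object, which confirms a true use-after-free rather than an out-of-bounds access into a live one. The script below is an added example, not part of the original report or of syzkaller; it extracts those facts from a console log, drops the KASAN and allocator frames so the first frames shown are the ones in the code under test, and decodes the shadow byte covering the faulting address. The embedded SAMPLE is an abridged, one-entry-per-line copy of the report above, constructed as test input; the PLUMBING prefix list is this example's own heuristic.

```python
"""Triage helper for KASAN reports in a syzkaller console log (added example, not syzkaller code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abridged copy of the report above, one printk entry per line (constructed test input).
SAMPLE = """\
[   39.286553] ==================================================================
[   39.294310] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   39.300798] Read of size 8 at addr ffff8880a3b42f58 by task syz-executor.0/10392
[   39.327132] Call Trace:
[   39.338597]  kasan_report_error.cold+0x8a/0x191
[   39.343268]  ? __list_add_valid+0x93/0xa0
[   39.347406]  __asan_report_load8_noabort+0x68/0x70
[   39.356461]  __list_add_valid+0x93/0xa0
[   39.360434]  rdma_listen+0x656/0x9b0
[   39.364135]  ucma_listen+0x10b/0x170
[   39.379883]  ucma_write+0x206/0x2c0
[   39.496987]
[   39.498599] Allocated by task 10385:
[   39.502293]  kasan_kmalloc+0xeb/0x160
[   39.510731]  rdma_create_id+0x57/0x4c0
[   39.514599]  ucma_create_id+0x18b/0x500
[   39.543594] Freed by task 10384:
[   39.546944]  kasan_slab_free+0xc3/0x1a0
[   39.550899]  kfree+0xc9/0x250
[   39.554006]  ucma_close+0x11a/0x340
[   39.557617]  __fput+0x25f/0x7a0
[   39.668380] >ffff8880a3b42f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.696634] ==================================================================
"""

SHADOW_GRANULE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory
# Shadow-byte values from the kernel's kasan.h; "fb" is KASAN_KMALLOC_FREE.
SHADOW_LEGEND = {"00": "addressable", "fa": "global redzone", "fb": "freed kmalloc object",
                 "fc": "kmalloc redzone", "fe": "page redzone", "ff": "freed page"}
# Frames that belong to KASAN or the allocator rather than to the code under test (heuristic).
PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__asan_", "kmem_cache_", "kmalloc", "kfree")
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")


@dataclass
class KasanReport:
    bug_type: str = ""
    where: str = ""  # function that performed the bad access
    addr: int = 0
    pid: int = 0  # task that performed the bad access
    alloc_pid: int = 0
    free_pid: int = 0
    call_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)
    shadow_rows: Dict[int, List[str]] = field(default_factory=dict)


def parse_kasan(text: str) -> KasanReport:
    """Parse the first KASAN report (between its two '====' banners) in a console log."""
    r, section, inside = KasanReport(), None, False
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if line.startswith("====="):
            if inside:
                break  # closing banner: report complete, ignore the panic trace after it
            inside = True
        elif not inside:
            continue
        elif not line:
            section = None  # a blank line ends a stack-trace block
        elif m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+?)\+", line):
            r.bug_type, r.where = m.group(1), m.group(2)
        elif m := re.match(r"(?:Read|Write) of size \d+ at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r.addr, r.pid = int(m.group(1), 16), int(m.group(2))
        elif line == "Call Trace:":
            section = r.call_trace
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_pid, section = int(m.group(1)), r.alloc_trace
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_pid, section = int(m.group(1)), r.free_trace
        elif m := FRAME.match(line):
            if section is not None and not m.group(1):  # "? frame" entries are guesses; skip them
                section.append(m.group(2))
        elif m := SHADOW_ROW.match(line):
            r.shadow_rows[int(m.group(1), 16)] = m.group(2).split()
    return r


def culprit_frames(trace: List[str], n: int = 3) -> List[str]:
    """First n frames of a trace once KASAN/allocator plumbing is dropped."""
    return [f for f in trace if not f.startswith(PLUMBING)][:n]


def shadow_state(r: KasanReport) -> Optional[str]:
    """Translate the shadow byte covering the faulting address; 'fb' confirms a freed slab object."""
    for base, row in r.shadow_rows.items():
        if base <= r.addr < base + len(row) * SHADOW_GRANULE:
            code = row[(r.addr - base) // SHADOW_GRANULE]
            return SHADOW_LEGEND.get(code, "unknown 0x" + code)
    return None
```

Run it on the full console log with `parse_kasan(open("console.log").read())`; the parser stops at the closing banner, so the second Call Trace printed by the panic_on_warn panic is not merged into the first. On the report above it yields `__list_add_valid`, `rdma_listen`, `ucma_listen` as the frames worth reading first, `ucma_close` as the freeing site, three distinct PIDs, and "freed kmalloc object" for the shadow byte at the faulting address.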