[ ok ] Starting enhanced syslogd: rsyslogd.
[   41.407887] audit: type=1800 audit(1547935664.618:25): pid=7966 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   41.437187] audit: type=1800 audit(1547935664.618:26): pid=7966 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   41.457391] audit: type=1800 audit(1547935664.618:27): pid=7966 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts.
2019/01/19 22:07:53 parsed 1 programs
2019/01/19 22:07:54 executed programs: 0
syzkaller login: [   51.787415] IPVS: ftp: loaded support on port[0] = 21
[   51.854669] chnl_net:caif_netlink_parms(): no params data found
[   51.889256] bridge0: port 1(bridge_slave_0) entered blocking state
[   51.896080] bridge0: port 1(bridge_slave_0) entered disabled state
[   51.903208] device bridge_slave_0 entered promiscuous mode
[   51.910771] bridge0: port 2(bridge_slave_1) entered blocking state
[   51.917182] bridge0: port 2(bridge_slave_1) entered disabled state
[   51.924336] device bridge_slave_1 entered promiscuous mode
[   51.940905] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   51.949729] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   51.967541] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   51.975314] team0: Port device team_slave_0 added
[   51.980873] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   51.988020] team0: Port device team_slave_1 added
[   51.993390] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   52.000708] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   52.052572] device hsr_slave_0 entered promiscuous mode
[   52.120235] device hsr_slave_1 entered promiscuous mode
[   52.170889] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   52.177770] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   52.191961] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.198364] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.205266] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.211630] bridge0: port 1(bridge_slave_0) entered forwarding state
[   52.245046] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   52.252971] 8021q: adding VLAN 0 to HW filter on device bond0
[   52.261050] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   52.269343] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   52.290036] bridge0: port 1(bridge_slave_0) entered disabled state
[   52.297694] bridge0: port 2(bridge_slave_1) entered disabled state
[   52.305649] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   52.315988] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   52.322210] 8021q: adding VLAN 0 to HW filter on device team0
[   52.331600] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   52.339196] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.345644] bridge0: port 1(bridge_slave_0) entered forwarding state
[   52.355119] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   52.363218] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.369572] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.386759] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   52.394676] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   52.407402] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   52.419369] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   52.430729] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   52.439948] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   52.446244] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   52.459197] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[   52.469261] 8021q: adding VLAN 0 to HW filter on device batadv0
[   52.979988] ==================================================================
[   52.987509] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[   52.993994] Read of size 8 at addr ffff8880a8641760 by task syz-executor0/8233
[   53.001344] 
[   53.002974] CPU: 0 PID: 8233 Comm: syz-executor0 Not tainted 5.0.0-rc2+ #33
[   53.010081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.019432] Call Trace:
[   53.022030]  dump_stack+0x1db/0x2d0
[   53.025658]  ? dump_stack_print_info.cold+0x20/0x20
[   53.030672]  ? trace_hardirqs_on+0xbd/0x310
[   53.035026]  ? __list_add_valid+0x9a/0xa0
[   53.039181]  print_address_description.cold+0x7c/0x20d
[   53.044470]  ? __list_add_valid+0x9a/0xa0
[   53.048612]  ? __list_add_valid+0x9a/0xa0
[   53.052761]  kasan_report.cold+0x1b/0x40
[   53.056839]  ? __list_add_valid+0x9a/0xa0
[   53.060999]  __asan_report_load8_noabort+0x14/0x20
[   53.065936]  __list_add_valid+0x9a/0xa0
[   53.069907]  rdma_listen+0x6c9/0xa10
[   53.073626]  ? rdma_resolve_addr+0x2720/0x2720
[   53.078235]  ucma_listen+0x1bf/0x250
[   53.081956]  ? ucma_notify+0x220/0x220
[   53.085853]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.091383]  ? _copy_from_user+0xdd/0x150
[   53.095535]  ucma_write+0x36b/0x480
[   53.099160]  ? ucma_notify+0x220/0x220
[   53.103048]  ? ucma_open+0x400/0x400
[   53.106769]  ? __might_fault+0x12b/0x1e0
[   53.110861]  ? find_held_lock+0x35/0x120
[   53.114920]  __vfs_write+0x116/0xb40
[   53.118669]  ? ucma_open+0x400/0x400
[   53.122380]  ? kernel_read+0x120/0x120
[   53.126262]  ? fget_raw+0x20/0x20
[   53.129713]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.134847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.140403]  ? security_file_permission+0x94/0x320
[   53.145341]  ? rw_verify_area+0x118/0x360
[   53.149484]  vfs_write+0x20c/0x580
[   53.153021]  ksys_write+0x105/0x260
[   53.156643]  ? __ia32_sys_read+0xb0/0xb0
[   53.160715]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.165845]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.170598]  __x64_sys_write+0x73/0xb0
[   53.174482]  do_syscall_64+0x1a3/0x800
[   53.178404]  ? syscall_return_slowpath+0x5f0/0x5f0
[   53.183342]  ? prepare_exit_to_usermode+0x232/0x3b0
[   53.188367]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.193219]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.198412] RIP: 0033:0x458099
[   53.201604] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   53.220505] RSP: 002b:00007f206d2a3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   53.228213] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099
[   53.235474] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[   53.242748] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[   53.250025] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f206d2a46d4
[   53.257342] R13: 00000000004c71fe R14: 00000000004dca18 R15: 00000000ffffffff
[   53.264613] 
[   53.266236] Allocated by task 8227:
[   53.269859]  save_stack+0x45/0xd0
[   53.273304]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   53.278285]  kasan_kmalloc+0x9/0x10
[   53.281923]  kmem_cache_alloc_trace+0x151/0x760
[   53.286590]  __rdma_create_id+0xce/0x630
[   53.290645]  ucma_create_id+0x30f/0x910
[   53.294611]  ucma_write+0x36b/0x480
[   53.298239]  __vfs_write+0x116/0xb40
[   53.301957]  vfs_write+0x20c/0x580
[   53.305488]  ksys_write+0x105/0x260
[   53.309117]  __x64_sys_write+0x73/0xb0
[   53.313008]  do_syscall_64+0x1a3/0x800
[   53.316891]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.322070] 
[   53.323687] Freed by task 8225:
[   53.326959]  save_stack+0x45/0xd0
[   53.330408]  __kasan_slab_free+0x102/0x150
[   53.334633]  kasan_slab_free+0xe/0x10
[   53.338427]  kfree+0xcf/0x230
[   53.341528]  rdma_destroy_id+0x8be/0xd80
[   53.345594]  ucma_close+0x115/0x320
[   53.349226]  __fput+0x3c5/0xb10
[   53.352507]  ____fput+0x16/0x20
[   53.355792]  task_work_run+0x1f4/0x2b0
[   53.359701]  exit_to_usermode_loop+0x32a/0x3b0
[   53.364273]  do_syscall_64+0x696/0x800
[   53.368213]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.373391] 
[   53.375011] The buggy address belongs to the object at ffff8880a8641580
[   53.375011]  which belongs to the cache kmalloc-2k of size 2048
[   53.387699] The buggy address is located 480 bytes inside of
[   53.387699]  2048-byte region [ffff8880a8641580, ffff8880a8641d80)
[   53.399648] The buggy address belongs to the page:
[   53.404576] page:ffffea0002a19000 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0
[   53.414539] flags: 0x1fffc0000010200(slab|head)
[   53.419204] raw: 01fffc0000010200 ffffea0002948088 ffffea00029fe408 ffff88812c3f0c40
[   53.427082] raw: 0000000000000000 ffff8880a8640480 0000000100000003 0000000000000000
[   53.434951] page dumped because: kasan: bad access detected
[   53.440652] 
[   53.442283] Memory state around the buggy address:
[   53.447207]  ffff8880a8641600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.454558]  ffff8880a8641680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.461915] >ffff8880a8641700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.469263]                                      ^
[   53.475744]  ffff8880a8641780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.483097]  ffff8880a8641800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.490441] ==================================================================
[   53.497789] Disabling lock debugging due to kernel taint
[   53.506945] Kernel panic - not syncing: panic_on_warn set ...
[   53.512858] CPU: 1 PID: 8233 Comm: syz-executor0 Tainted: G    B             5.0.0-rc2+ #33
[   53.521331] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.530669] Call Trace:
[   53.533249]  dump_stack+0x1db/0x2d0
[   53.536866]  ? dump_stack_print_info.cold+0x20/0x20
[   53.541878]  panic+0x2cb/0x65c
[   53.545066]  ? add_taint.cold+0x16/0x16
[   53.549032]  ? __list_add_valid+0x9a/0xa0
[   53.553170]  ? preempt_schedule+0x4b/0x60
[   53.557343]  ? ___preempt_schedule+0x16/0x18
[   53.561745]  ? trace_hardirqs_on+0xb4/0x310
[   53.566063]  ? __list_add_valid+0x9a/0xa0
[   53.570204]  end_report+0x47/0x4f
[   53.573650]  ? __list_add_valid+0x9a/0xa0
[   53.577788]  kasan_report.cold+0xe/0x40
[   53.581772]  ? __list_add_valid+0x9a/0xa0
[   53.585913]  __asan_report_load8_noabort+0x14/0x20
[   53.590845]  __list_add_valid+0x9a/0xa0
[   53.594827]  rdma_listen+0x6c9/0xa10
[   53.598535]  ? rdma_resolve_addr+0x2720/0x2720
[   53.603110]  ucma_listen+0x1bf/0x250
[   53.606839]  ? ucma_notify+0x220/0x220
[   53.610718]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.616280]  ? _copy_from_user+0xdd/0x150
[   53.620418]  ucma_write+0x36b/0x480
[   53.624036]  ? ucma_notify+0x220/0x220
[   53.627920]  ? ucma_open+0x400/0x400
[   53.631624]  ? __might_fault+0x12b/0x1e0
[   53.635676]  ? find_held_lock+0x35/0x120
[   53.639728]  __vfs_write+0x116/0xb40
[   53.643435]  ? ucma_open+0x400/0x400
[   53.647179]  ? kernel_read+0x120/0x120
[   53.651090]  ? fget_raw+0x20/0x20
[   53.654537]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.659635]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.665164]  ? security_file_permission+0x94/0x320
[   53.670086]  ? rw_verify_area+0x118/0x360
[   53.674223]  vfs_write+0x20c/0x580
[   53.677753]  ksys_write+0x105/0x260
[   53.681406]  ? __ia32_sys_read+0xb0/0xb0
[   53.685631]  ? trace_hardirqs_off_caller+0x300/0x300
[   53.690728]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.695472]  __x64_sys_write+0x73/0xb0
[   53.699349]  do_syscall_64+0x1a3/0x800
[   53.703228]  ? syscall_return_slowpath+0x5f0/0x5f0
[   53.708147]  ? prepare_exit_to_usermode+0x232/0x3b0
[   53.713156]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.717993]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.723169] RIP: 0033:0x458099
[   53.726354] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   53.745291] RSP: 002b:00007f206d2a3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   53.752989] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099
[   53.760247] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[   53.767506] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[   53.774762] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f206d2a46d4
[   53.782061] R13: 00000000004c71fe R14: 00000000004dca18 R15: 00000000ffffffff
[   53.790365] Kernel Offset: disabled
[   53.793995] Rebooting in 86400 seconds..