INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
2018/04/03 02:23:43 parsed 1 programs
2018/04/03 02:23:43 executed programs: 0
syzkaller login: [   28.324636] IPVS: ftp: loaded support on port[0] = 21
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[   28.905773] ==================================================================
[   28.913312] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150
[   28.920475] Read of size 8 at addr ffff8801d9b8f860 by task syz-executor0/4719
[   28.927803]
[   28.929407] CPU: 1 PID: 4719 Comm: syz-executor0 Not tainted 4.16.0+ #286
[   28.936304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.945632] Call Trace:
[   28.948209]  dump_stack+0x1a7/0x27d
[   28.951813]  ? arch_local_irq_restore+0x53/0x53
[   28.956453]  ? show_regs_print_info+0x18/0x18
[   28.960921]  ? rcu_note_context_switch+0x710/0x710
[   28.965828]  ? kasan_check_write+0x14/0x20
[   28.970042]  ? __list_del_entry_valid+0x144/0x150
[   28.974860]  print_address_description+0x73/0x250
[   28.979698]  ? __list_del_entry_valid+0x144/0x150
[   28.984523]  kasan_report+0x23c/0x360
[   28.988308]  __asan_report_load8_noabort+0x14/0x20
[   28.993207]  __list_del_entry_valid+0x144/0x150
[   28.997851]  cma_cancel_operation+0x455/0xd60
[   29.002332]  ? finish_task_switch+0x29f/0x810
[   29.006807]  ? find_held_lock+0x35/0x1d0
[   29.010845]  ? rdma_destroy_id+0xda0/0xda0
[   29.015062]  ? rdma_destroy_id+0xf4/0xda0
[   29.019186]  ? lock_downgrade+0x980/0x980
[   29.023315]  ? ucma_close+0xe1/0x2f0
[   29.027004]  ? lock_release+0xa40/0xa40
[   29.030957]  ? kasan_check_read+0x11/0x20
[   29.035085]  ? do_raw_spin_unlock+0x9e/0x310
[   29.039463]  ? do_raw_spin_trylock+0x1a0/0x1a0
[   29.044023]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[   29.049107]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.054106]  rdma_destroy_id+0xff/0xda0
[   29.058056]  ? __mutex_unlock_slowpath+0x181/0x7e0
[   29.062964]  ? cma_release_dev+0x350/0x350
[   29.067174]  ? radix_tree_delete_item+0x146/0x280
[   29.071999]  ucma_close+0x100/0x2f0
[   29.075702]  ? ucma_free_ctx+0xd90/0xd90
[   29.079735]  __fput+0x327/0x7f0
[   29.082989]  ? fput+0x150/0x150
[   29.086242]  ? check_same_owner+0x320/0x320
[   29.090544]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.095029]  ____fput+0x15/0x20
[   29.098282]  task_work_run+0x1ab/0x280
[   29.102140]  ? task_work_cancel+0x240/0x240
[   29.106442]  ? kasan_check_write+0x14/0x20
[   29.110652]  ? switch_task_namespaces+0x94/0xc0
[   29.115299]  do_exit+0x1986/0x2700
[   29.118814]  ? print_irqtrace_events+0x241/0x270
[   29.123546]  ? mm_update_next_owner+0x960/0x960
[   29.128205]  ? trace_hardirqs_off+0x10/0x10
[   29.132500]  ? rcu_note_context_switch+0x710/0x710
[   29.137403]  ? __lock_acquire+0x638/0x3c30
[   29.141611]  ? __might_sleep+0x95/0x190
[   29.145575]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.150738]  ? lock_downgrade+0x980/0x980
[   29.154861]  ? kasan_check_write+0x14/0x20
[   29.159073]  ? __unqueue_futex+0x1e2/0x2b0
[   29.163289]  ? lock_release+0xa40/0xa40
[   29.167235]  ? kasan_check_read+0x11/0x20
[   29.171355]  ? do_raw_spin_unlock+0x9e/0x310
[   29.175736]  ? do_raw_spin_trylock+0x1a0/0x1a0
[   29.180298]  ? kasan_check_write+0x14/0x20
[   29.184503]  ? do_raw_spin_lock+0xc1/0x230
[   29.188717]  ? kasan_check_write+0x14/0x20
[   29.192925]  ? drop_futex_key_refs.isra.13+0x71/0xc0
[   29.198000]  ? futex_wait+0x6a9/0x9a0
[   29.201782]  ? futex_wait_setup+0x400/0x400
[   29.206080]  ? trace_hardirqs_off+0x10/0x10
[   29.210380]  ? drop_futex_key_refs.isra.13+0x71/0xc0
[   29.215461]  ? futex_wake+0x2d7/0x680
[   29.219235]  ? memset+0x31/0x40
[   29.222488]  ? find_held_lock+0x35/0x1d0
[   29.226524]  ? get_signal+0x7bb/0x16e0
[   29.230994]  ? lock_downgrade+0x980/0x980
[   29.235123]  do_group_exit+0x149/0x400
[   29.238982]  ? do_raw_spin_trylock+0x1a0/0x1a0
[   29.243534]  ? SyS_exit+0x30/0x30
[   29.246965]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.251432]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.256422]  get_signal+0x74c/0x16e0
[   29.260111]  ? ptrace_notify+0x130/0x130
[   29.264145]  ? ucma_query+0x230/0x230
[   29.267922]  ? kasan_check_write+0x14/0x20
[   29.272134]  ? ucma_write+0x11f/0x3d0
[   29.275913]  ? ucma_query+0x230/0x230
[   29.279685]  ? ucma_close_id+0x60/0x60
[   29.283551]  do_signal+0x90/0x1e90
[   29.287071]  ? ucma_close_id+0x60/0x60
[   29.290935]  ? __vfs_write+0xf7/0x970
[   29.294712]  ? setup_sigcontext+0x7d0/0x7d0
[   29.299005]  ? kernel_read+0x120/0x120
[   29.302895]  ? security_mmap_file+0x143/0x180
[   29.307374]  ? schedule+0xf5/0x430
[   29.310886]  ? vm_mmap_pgoff+0x13b/0x280
[   29.314922]  ? __schedule+0x1ef0/0x1ef0
[   29.318874]  ? exit_to_usermode_loop+0x8c/0x2f0
[   29.323524]  exit_to_usermode_loop+0x258/0x2f0
[   29.328091]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   29.333601]  ? do_fast_syscall_32+0x156/0xf9f
[   29.338079]  do_fast_syscall_32+0xbe6/0xf9f
[   29.342372]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.346850]  ? do_int80_syscall_32+0x9c0/0x9c0
[   29.351409]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.355877]  ? finish_task_switch+0x1c1/0x810
[   29.360350]  ? syscall_return_slowpath+0x2ac/0x550
[   29.365254]  ? prepare_exit_to_usermode+0x350/0x350
[   29.370244]  ? sysret32_from_system_call+0x5/0x3c
[   29.375066]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.379885]  entry_SYSENTER_compat+0x70/0x7f
[   29.384265] RIP: 0023:0xf7fb6c99
[   29.387600] RSP: 002b:00000000f7f9110c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[   29.395290] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000
[   29.402536] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   29.409779] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   29.417027] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.424276] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.431528]
[   29.433130] Allocated by task 4716:
[   29.436745]  save_stack+0x43/0xd0
[   29.440176]  kasan_kmalloc+0xad/0xe0
[   29.443864]  kmem_cache_alloc_trace+0x136/0x740
[   29.448512]  rdma_create_id+0xd0/0x640
[   29.452379]  ucma_create_id+0x35f/0x920
[   29.456325]  ucma_write+0x2d6/0x3d0
[   29.459923]  __vfs_write+0xef/0x970
[   29.463521]  vfs_write+0x189/0x510
[   29.467038]  SyS_write+0xef/0x220
[   29.470466]  do_fast_syscall_32+0x3ec/0xf9f
[   29.474769]  entry_SYSENTER_compat+0x70/0x7f
[   29.479147]
[   29.480744] Freed by task 4719:
[   29.483999]  save_stack+0x43/0xd0
[   29.487431]  __kasan_slab_free+0x11a/0x170
[   29.491637]  kasan_slab_free+0xe/0x10
[   29.495408]  kfree+0xd9/0x260
[   29.498487]  rdma_destroy_id+0x821/0xda0
[   29.502536]  ucma_close+0x100/0x2f0
[   29.506141]  __fput+0x327/0x7f0
[   29.509396]  ____fput+0x15/0x20
[   29.512666]  task_work_run+0x1ab/0x280
[   29.516529]  do_exit+0x1986/0x2700
[   29.520045]  do_group_exit+0x149/0x400
[   29.524168]  get_signal+0x74c/0x16e0
[   29.527857]  do_signal+0x90/0x1e90
[   29.531387]  exit_to_usermode_loop+0x258/0x2f0
[   29.535942]  do_fast_syscall_32+0xbe6/0xf9f
[   29.540241]  entry_SYSENTER_compat+0x70/0x7f
[   29.544630]
[   29.546232] The buggy address belongs to the object at ffff8801d9b8f680
[   29.546232]  which belongs to the cache kmalloc-1024 of size 1024
[   29.559122] The buggy address is located 480 bytes inside of
[   29.559122]  1024-byte region [ffff8801d9b8f680, ffff8801d9b8fa80)
[   29.571059] The buggy address belongs to the page:
[   29.575963] page:ffffea000766e380 count:1 mapcount:0 mapping:ffff8801d9b8e000 index:0x0 compound_mapcount: 0
[   29.585910] flags: 0x2fffc0000008100(slab|head)
[   29.590563] raw: 02fffc0000008100 ffff8801d9b8e000 0000000000000000 0000000100000007
[   29.598417] raw: ffffea0007678720 ffffea000766f420 ffff8801dac00ac0 0000000000000000
[   29.606271] page dumped because: kasan: bad access detected
[   29.611953]
[   29.613553] Memory state around the buggy address:
[   29.618459]  ffff8801d9b8f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.625789]  ffff8801d9b8f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.633123] >ffff8801d9b8f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.640455]                                                        ^
[   29.646931]  ffff8801d9b8f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.654267]  ffff8801d9b8f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.661594] ==================================================================
[   29.668922] Disabling lock debugging due to kernel taint
[   29.674441] Kernel panic - not syncing: panic_on_warn set ...
[   29.674441]
[   29.681808] CPU: 1 PID: 4719 Comm: syz-executor0 Tainted: G B 4.16.0+ #286
[   29.690096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.699422] Call Trace:
[   29.701989]  dump_stack+0x1a7/0x27d
[   29.705595]  ? arch_local_irq_restore+0x53/0x53
[   29.710252]  ? kasan_end_report+0x32/0x50
[   29.714374]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.719103]  ? vsnprintf+0x1ed/0x1900
[   29.722881]  ? __list_del_entry_valid+0xe0/0x150
[   29.727612]  panic+0x1f8/0x42c
[   29.730781]  ? refcount_error_report+0x214/0x214
[   29.735515]  ? do_raw_spin_unlock+0x9e/0x310
[   29.739898]  ? do_raw_spin_unlock+0x9e/0x310
[   29.744288]  ? __list_del_entry_valid+0x144/0x150
[   29.749106]  kasan_end_report+0x50/0x50
[   29.753056]  kasan_report+0x149/0x360
[   29.756832]  __asan_report_load8_noabort+0x14/0x20
[   29.761730]  __list_del_entry_valid+0x144/0x150
[   29.766375]  cma_cancel_operation+0x455/0xd60
[   29.770855]  ? finish_task_switch+0x29f/0x810
[   29.775335]  ? find_held_lock+0x35/0x1d0
[   29.779368]  ? rdma_destroy_id+0xda0/0xda0
[   29.783578]  ? rdma_destroy_id+0xf4/0xda0
[   29.787710]  ? lock_downgrade+0x980/0x980
[   29.791830]  ? ucma_close+0xe1/0x2f0
[   29.795517]  ? lock_release+0xa40/0xa40
[   29.799465]  ? kasan_check_read+0x11/0x20
[   29.803585]  ? do_raw_spin_unlock+0x9e/0x310
[   29.807965]  ? do_raw_spin_trylock+0x1a0/0x1a0
[   29.812523]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[   29.817601]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.822594]  rdma_destroy_id+0xff/0xda0
[   29.826546]  ? __mutex_unlock_slowpath+0x181/0x7e0
[   29.831447]  ? cma_release_dev+0x350/0x350
[   29.835658]  ? radix_tree_delete_item+0x146/0x280
[   29.840481]  ucma_close+0x100/0x2f0
[   29.844103]  ? ucma_free_ctx+0xd90/0xd90
[   29.848145]  __fput+0x327/0x7f0
[   29.851396]  ? fput+0x150/0x150
[   29.854648]  ? check_same_owner+0x320/0x320
[   29.858942]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.863412]  ____fput+0x15/0x20
[   29.866666]  task_work_run+0x1ab/0x280
[   29.870526]  ? task_work_cancel+0x240/0x240
[   29.874828]  ? kasan_check_write+0x14/0x20
[   29.879038]  ? switch_task_namespaces+0x94/0xc0
[   29.883680]  do_exit+0x1986/0x2700
[   29.887204]  ? print_irqtrace_events+0x241/0x270
[   29.891937]  ? mm_update_next_owner+0x960/0x960
[   29.896578]  ? trace_hardirqs_off+0x10/0x10
[   29.900872]  ? rcu_note_context_switch+0x710/0x710
[   29.905772]  ? __lock_acquire+0x638/0x3c30
[   29.909977]  ? __might_sleep+0x95/0x190
[   29.913931]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   29.919091]  ? lock_downgrade+0x980/0x980
[   29.923213]  ? kasan_check_write+0x14/0x20
[   29.927417]  ? __unqueue_futex+0x1e2/0x2b0
[   29.931624]  ? lock_release+0xa40/0xa40
[   29.935570]  ? kasan_check_read+0x11/0x20
[   29.939686]  ? do_raw_spin_unlock+0x9e/0x310
[   29.944065]  ? do_raw_spin_trylock+0x1a0/0x1a0
[   29.948617]  ? kasan_check_write+0x14/0x20
[   29.952821]  ? do_raw_spin_lock+0xc1/0x230
[   29.957030]  ? kasan_check_write+0x14/0x20
[   29.961239]  ? drop_futex_key_refs.isra.13+0x71/0xc0
[   29.966311]  ? futex_wait+0x6a9/0x9a0
[   29.970084]  ? futex_wait_setup+0x400/0x400
[   29.974377]  ? trace_hardirqs_off+0x10/0x10
[   29.978688]  ? drop_futex_key_refs.isra.13+0x71/0xc0
[   29.983771]  ? futex_wake+0x2d7/0x680
[   29.987548]  ? memset+0x31/0x40
[   29.990801]  ? find_held_lock+0x35/0x1d0
[   29.994833]  ? get_signal+0x7bb/0x16e0
[   29.998705]  ? lock_downgrade+0x980/0x980
[   30.002827]  do_group_exit+0x149/0x400
[   30.006683]  ? do_raw_spin_trylock+0x1a0/0x1a0
[   30.011234]  ? SyS_exit+0x30/0x30
[   30.014659]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.019126]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.024112]  get_signal+0x74c/0x16e0
[   30.027796]  ? ptrace_notify+0x130/0x130
[   30.031831]  ? ucma_query+0x230/0x230
[   30.035614]  ? kasan_check_write+0x14/0x20
[   30.039819]  ? ucma_write+0x11f/0x3d0
[   30.043591]  ? ucma_query+0x230/0x230
[   30.047360]  ? ucma_close_id+0x60/0x60
[   30.051221]  do_signal+0x90/0x1e90
[   30.054735]  ? ucma_close_id+0x60/0x60
[   30.058599]  ? __vfs_write+0xf7/0x970
[   30.062371]  ? setup_sigcontext+0x7d0/0x7d0
[   30.066661]  ? kernel_read+0x120/0x120
[   30.070528]  ? security_mmap_file+0x143/0x180
[   30.074997]  ? schedule+0xf5/0x430
[   30.078513]  ? vm_mmap_pgoff+0x13b/0x280
[   30.082545]  ? __schedule+0x1ef0/0x1ef0
[   30.086496]  ? exit_to_usermode_loop+0x8c/0x2f0
[   30.091138]  exit_to_usermode_loop+0x258/0x2f0
[   30.096225]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   30.101733]  ? do_fast_syscall_32+0x156/0xf9f
[   30.106216]  do_fast_syscall_32+0xbe6/0xf9f
[   30.110523]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.115013]  ? do_int80_syscall_32+0x9c0/0x9c0
[   30.119577]  ? _raw_spin_unlock_irq+0x27/0x70
[   30.124047]  ? finish_task_switch+0x1c1/0x810
[   30.128514]  ? syscall_return_slowpath+0x2ac/0x550
[   30.133417]  ? prepare_exit_to_usermode+0x350/0x350
[   30.138409]  ? sysret32_from_system_call+0x5/0x3c
[   30.143223]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.148060]  entry_SYSENTER_compat+0x70/0x7f
[   30.152439] RIP: 0023:0xf7fb6c99
[   30.155773] RSP: 002b:00000000f7f9110c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[   30.163449] RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000
[   30.170690] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   30.177947] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   30.185191] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   30.192432] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   30.200143] Dumping ftrace buffer:
[   30.203652]    (ftrace buffer empty)
[   30.207333] Kernel Offset: disabled
[   30.210931] Rebooting in 86400 seconds..