Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
[ 76.248200] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/07 00:17:51 parsed 1 programs
[ 77.429580] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/07 00:17:52 executed programs: 0
[ 78.611423] IPVS: ftp: loaded support on port[0] = 21
[ 78.828707] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.835160] bridge0: port 1(bridge_slave_0) entered disabled state
[ 78.842591] device bridge_slave_0 entered promiscuous mode
[ 78.859483] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.865864] bridge0: port 2(bridge_slave_1) entered disabled state
[ 78.873049] device bridge_slave_1 entered promiscuous mode
[ 78.889785] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 78.906342] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 78.950333] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 78.969264] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 79.037990] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 79.045379] team0: Port device team_slave_0 added
[ 79.061090] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 79.068251] team0: Port device team_slave_1 added
[ 79.085114] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 79.103555] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 79.123347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 79.142112] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 79.274365] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.280826] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.287679] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.294031] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.763936] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 79.770268] 8021q: adding VLAN 0 to HW filter on device bond0
[ 79.777310] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 79.818536] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 79.864343] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 79.870497] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 79.877813] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 79.923090] 8021q: adding VLAN 0 to HW filter on device team0
[ 80.230828] hrtimer: interrupt took 45311 ns
2018/09/07 00:17:57 executed programs: 94
2018/09/07 00:18:02 executed programs: 229
[ 92.564306] ==================================================================
[ 92.571855] BUG: KASAN: use-after-free in ucma_put_ctx+0x1d/0x60
[ 92.578005] Write of size 4 at addr ffff8801d6e99ed8 by task syz-executor0/7751
[ 92.585440]
[ 92.587073] CPU: 0 PID: 7751 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #2
[ 92.594163] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.603514] Call Trace:
[ 92.606140] dump_stack+0x1c9/0x2b4
[ 92.609774] ? dump_stack_print_info.cold.2+0x52/0x52
[ 92.614967] ? printk+0xa7/0xcf
[ 92.618252] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 92.623023] ? ucma_put_ctx+0x1d/0x60
[ 92.626837] print_address_description+0x6c/0x20b
[ 92.631688] ? ucma_put_ctx+0x1d/0x60
[ 92.635492] kasan_report.cold.7+0x242/0x30d
[ 92.639957] check_memory_region+0x13e/0x1b0
[ 92.644370] kasan_check_write+0x14/0x20
[ 92.648438] ucma_put_ctx+0x1d/0x60
[ 92.652072] ucma_resolve_ip+0x24d/0x2a0
[ 92.656138] ? ucma_query+0xb20/0xb20
[ 92.659955] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 92.665495] ? _copy_from_user+0xdf/0x150
[ 92.669658] ? ucma_query+0xb20/0xb20
[ 92.673466] ucma_write+0x336/0x420
[ 92.677102] ? ucma_close_id+0x60/0x60
[ 92.680999] ? lockdep_hardirqs_on+0x421/0x5c0
[ 92.685593] __vfs_write+0x117/0x9d0
[ 92.689312] ? __fget_light+0x2f7/0x440
[ 92.693290] ? ucma_close_id+0x60/0x60
[ 92.697181] ? kernel_read+0x120/0x120
[ 92.701074] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.705838] ? retint_kernel+0x10/0x10
[ 92.709737] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 92.715281] ? security_file_permission+0x1c2/0x230
[ 92.720301] ? rw_verify_area+0x118/0x360
[ 92.724468] vfs_write+0x1fc/0x560
[ 92.728014] ksys_write+0x101/0x260
[ 92.731652] ? __ia32_sys_read+0xb0/0xb0
[ 92.735720] ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 92.740831] __x64_sys_write+0x73/0xb0
[ 92.744725] do_syscall_64+0x1b9/0x820
[ 92.748618] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 92.753988] ? syscall_return_slowpath+0x5e0/0x5e0
[ 92.758917] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 92.763762] ? trace_hardirqs_on_caller+0x2c0/0x2c0
[ 92.768800] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 92.773826] ? prepare_exit_to_usermode+0x291/0x3b0
[ 92.778853] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 92.783705] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.788895] RIP: 0033:0x457099
[ 92.792091] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.811019] RSP: 002b:00007fdc23c4fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 92.818730] RAX: ffffffffffffffda RBX: 00007fdc23c506d4 RCX: 0000000000457099
[ 92.826006] RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
[ 92.833294] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 92.840564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 92.847830] R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000001
[ 92.855110]
[ 92.856732] Allocated by task 7751:
[ 92.860360] save_stack+0x43/0xd0
[ 92.863812] kasan_kmalloc+0xc4/0xe0
[ 92.867541] kmem_cache_alloc_trace+0x152/0x730
[ 92.872216] ucma_alloc_ctx+0xd5/0x670
[ 92.876099] ucma_create_id+0x276/0x9d0
[ 92.880073] ucma_write+0x336/0x420
[ 92.883700] __vfs_write+0x117/0x9d0
[ 92.887412] vfs_write+0x1fc/0x560
[ 92.890950] ksys_write+0x101/0x260
[ 92.894578] __x64_sys_write+0x73/0xb0
[ 92.898465] do_syscall_64+0x1b9/0x820
[ 92.902353] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.907548]
[ 92.909171] Freed by task 7747:
[ 92.912448] save_stack+0x43/0xd0
[ 92.915899] __kasan_slab_free+0x11a/0x170
[ 92.920135] kasan_slab_free+0xe/0x10
[ 92.923933] kfree+0xd9/0x210
[ 92.927037] ucma_free_ctx+0x9e2/0xe20
[ 92.930920] ucma_close+0x10d/0x300
[ 92.934555] __fput+0x38a/0xa40
[ 92.937838] ____fput+0x15/0x20
[ 92.941119] task_work_run+0x1e8/0x2a0
[ 92.945010] exit_to_usermode_loop+0x318/0x380
[ 92.949596] do_syscall_64+0x6be/0x820
[ 92.953482] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.958663]
[ 92.960292] The buggy address belongs to the object at ffff8801d6e99e80
[ 92.960292] which belongs to the cache kmalloc-256 of size 256
[ 92.972950] The buggy address is located 88 bytes inside of
[ 92.972950] 256-byte region [ffff8801d6e99e80, ffff8801d6e99f80)
[ 92.984731] The buggy address belongs to the page:
[ 92.989662] page:ffffea00075ba640 count:1 mapcount:0 mapping:ffff8801dac007c0 index:0x0
[ 92.997806] flags: 0x2fffc0000000100(slab)
[ 93.002049] raw: 02fffc0000000100 ffffea0007272788 ffffea0006f48708 ffff8801dac007c0
[ 93.009935] raw: 0000000000000000 ffff8801d6e990c0 000000010000000c 0000000000000000
[ 93.017809] page dumped because: kasan: bad access detected
[ 93.023541]
[ 93.025181] Memory state around the buggy address:
[ 93.030130] ffff8801d6e99d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 93.037483] ffff8801d6e99e00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 93.044842] >ffff8801d6e99e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.052195] ^
[ 93.058493] ffff8801d6e99f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.065867] ffff8801d6e99f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 93.073219] ==================================================================
[ 93.080585] Disabling lock debugging due to kernel taint
[ 93.087015] Kernel panic - not syncing: panic_on_warn set ...
[ 93.087015]
[ 93.094401] CPU: 0 PID: 7751 Comm: syz-executor0 Tainted: G B 4.19.0-rc2+ #2
[ 93.102884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 93.112218] Call Trace:
[ 93.114808] dump_stack+0x1c9/0x2b4
[ 93.118453] ? dump_stack_print_info.cold.2+0x52/0x52
[ 93.123650] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 93.128391] panic+0x238/0x4e7
[ 93.131582] ? add_taint.cold.5+0x16/0x16
[ 93.135715] ? trace_hardirqs_on+0x9a/0x2c0
[ 93.140081] ? trace_hardirqs_on+0xb4/0x2c0
[ 93.144401] ? trace_hardirqs_on+0xb4/0x2c0
[ 93.148704] ? trace_hardirqs_on+0x9a/0x2c0
[ 93.153015] ? ucma_put_ctx+0x1d/0x60
[ 93.156830] kasan_end_report+0x47/0x4f
[ 93.160797] kasan_report.cold.7+0x76/0x30d
[ 93.165116] check_memory_region+0x13e/0x1b0
[ 93.169507] kasan_check_write+0x14/0x20
[ 93.173569] ucma_put_ctx+0x1d/0x60
[ 93.177196] ucma_resolve_ip+0x24d/0x2a0
[ 93.181240] ? ucma_query+0xb20/0xb20
[ 93.185220] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 93.190743] ? _copy_from_user+0xdf/0x150
[ 93.194879] ? ucma_query+0xb20/0xb20
[ 93.198663] ucma_write+0x336/0x420
[ 93.202286] ? ucma_close_id+0x60/0x60
[ 93.206171] ? lockdep_hardirqs_on+0x421/0x5c0
[ 93.210741] __vfs_write+0x117/0x9d0
[ 93.214439] ? __fget_light+0x2f7/0x440
[ 93.218407] ? ucma_close_id+0x60/0x60
[ 93.222278] ? kernel_read+0x120/0x120
[ 93.226150] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 93.230896] ? retint_kernel+0x10/0x10
[ 93.234788] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 93.240329] ? security_file_permission+0x1c2/0x230
[ 93.245341] ? rw_verify_area+0x118/0x360
[ 93.249475] vfs_write+0x1fc/0x560
[ 93.253003] ksys_write+0x101/0x260
[ 93.256615] ? __ia32_sys_read+0xb0/0xb0
[ 93.260755] ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 93.265848] __x64_sys_write+0x73/0xb0
[ 93.269721] do_syscall_64+0x1b9/0x820
[ 93.273592] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 93.278940] ? syscall_return_slowpath+0x5e0/0x5e0
[ 93.283855] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 93.288703] ? trace_hardirqs_on_caller+0x2c0/0x2c0
[ 93.293718] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 93.298727] ? prepare_exit_to_usermode+0x291/0x3b0
[ 93.303752] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 93.308583] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.313752] RIP: 0033:0x457099
[ 93.316928] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 93.335829] RSP: 002b:00007fdc23c4fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 93.343531] RAX: ffffffffffffffda RBX: 00007fdc23c506d4 RCX: 0000000000457099
[ 93.350793] RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
[ 93.358056] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 93.365308] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 93.372560] R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000001
[ 93.380125] Dumping ftrace buffer:
[ 93.383654] (ftrace buffer empty)
[ 93.387341] Kernel Offset: disabled
[ 93.390949] Rebooting in 86400 seconds..