[info] Using makefile-style concurrent boot in runlevel 2.
[ 27.413600] audit: type=1800 audit(1545619312.944:21): pid=5875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 33.805780] sshd (6013) used greatest stack depth: 15728 bytes left
Warning: Permanently added '10.128.0.70' (ECDSA) to the list of known hosts.
2018/12/24 02:43:04 parsed 1 programs
[ 100.624102] collect2 (6040) used greatest stack depth: 15200 bytes left
2018/12/24 02:43:06 executed programs: 0
[ 100.787002] IPVS: ftp: loaded support on port[0] = 21
[ 101.037562] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.044718] bridge0: port 1(bridge_slave_0) entered disabled state
[ 101.051702] device bridge_slave_0 entered promiscuous mode
[ 101.070545] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.077037] bridge0: port 2(bridge_slave_1) entered disabled state
[ 101.083924] device bridge_slave_1 entered promiscuous mode
[ 101.102191] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 101.120432] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 101.172248] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 101.193478] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 101.272851] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 101.280366] team0: Port device team_slave_0 added
[ 101.297521] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 101.305359] team0: Port device team_slave_1 added
[ 101.323312] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 101.347252] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 101.367621] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 101.386599] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 101.528565] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.535017] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 101.541854] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.548264] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 102.072260] 8021q: adding VLAN 0 to HW filter on device bond0
[ 102.125182] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 102.178332] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 102.184626] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 102.191726] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 102.245710] 8021q: adding VLAN 0 to HW filter on device team0
2018/12/24 02:43:11 executed programs: 129
2018/12/24 02:43:16 executed programs: 323
2018/12/24 02:43:21 executed programs: 520
2018/12/24 02:43:26 executed programs: 710
[ 122.217789] ==================================================================
[ 122.225340] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[ 122.231824] Read of size 8 at addr ffff8881b31a2d20 by task syz-executor0/11034
[ 122.239251]
[ 122.240867] CPU: 1 PID: 11034 Comm: syz-executor0 Not tainted 4.20.0-rc6-next-20181217+ #172
[ 122.249425] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.258765] Call Trace:
[ 122.261344]  dump_stack+0x244/0x39d
[ 122.264978]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 122.270161]  ? printk+0xa7/0xcf
[ 122.273430]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 122.278186]  print_address_description.cold.4+0x9/0x1ff
[ 122.283538]  ? __list_add_valid+0x8f/0xac
[ 122.287679]  kasan_report.cold.5+0x1b/0x39
[ 122.291901]  ? __list_add_valid+0x8f/0xac
[ 122.296045]  ? _raw_read_unlock_irqrestore+0x90/0xd0
[ 122.301157]  ? __list_add_valid+0x8f/0xac
[ 122.305296]  __asan_report_load8_noabort+0x14/0x20
[ 122.310214]  __list_add_valid+0x8f/0xac
[ 122.314182]  rdma_listen+0x6dc/0x990
[ 122.317887]  ? rdma_resolve_addr+0x2870/0x2870
[ 122.322467]  ucma_listen+0x1a4/0x260
[ 122.326182]  ? ucma_notify+0x210/0x210
[ 122.330060]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 122.335594]  ? _copy_from_user+0xdf/0x150
[ 122.339733]  ? ucma_notify+0x210/0x210
[ 122.343611]  ucma_write+0x365/0x460
[ 122.347239]  ? ucma_open+0x3f0/0x3f0
[ 122.350947]  __vfs_write+0x119/0xab0
[ 122.354646]  ? common_file_perm+0x236/0x7f0
[ 122.358962]  ? __fget_light+0x2e9/0x430
[ 122.362935]  ? ucma_open+0x3f0/0x3f0
[ 122.366635]  ? kernel_read+0x120/0x120
[ 122.370506]  ? apparmor_path_rmdir+0x30/0x30
[ 122.374901]  ? posix_ktime_get_ts+0x15/0x20
[ 122.379258]  ? trace_hardirqs_off_caller+0x310/0x310
[ 122.384355]  ? apparmor_file_permission+0x24/0x30
[ 122.389192]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 122.394748]  ? security_file_permission+0x2bc/0x320
[ 122.399754]  ? rw_verify_area+0x118/0x360
[ 122.403904]  vfs_write+0x1fc/0x580
[ 122.407441]  ksys_write+0x101/0x260
[ 122.411055]  ? __ia32_sys_read+0xb0/0xb0
[ 122.415127]  ? trace_hardirqs_off_caller+0x310/0x310
[ 122.420245]  __x64_sys_write+0x73/0xb0
[ 122.424131]  do_syscall_64+0x1b9/0x820
[ 122.428045]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 122.433393]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 122.438310]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 122.443139]  ? trace_hardirqs_on_caller+0x310/0x310
[ 122.448175]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 122.453183]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 122.458206]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 122.463037]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.468210] RIP: 0033:0x457669
[ 122.471390] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 122.490288] RSP: 002b:00007fba69fe9c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 122.497997] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 122.505250] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000003
[ 122.512504] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 122.519759] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fba69fea6d4
[ 122.527018] R13: 00000000004c5f47 R14: 00000000004daa40 R15: 00000000ffffffff
[ 122.534291]
[ 122.535906] Allocated by task 11028:
[ 122.539612]  save_stack+0x43/0xd0
[ 122.543047]  kasan_kmalloc+0xcb/0xd0
[ 122.546744]  kmem_cache_alloc_trace+0x154/0x740
[ 122.551403]  __rdma_create_id+0xdf/0x650
[ 122.555476]  ucma_create_id+0x39b/0x990
[ 122.559468]  ucma_write+0x365/0x460
[ 122.563198]  __vfs_write+0x119/0xab0
[ 122.566897]  vfs_write+0x1fc/0x580
[ 122.570427]  ksys_write+0x101/0x260
[ 122.574051]  __x64_sys_write+0x73/0xb0
[ 122.577951]  do_syscall_64+0x1b9/0x820
[ 122.581837]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.587004]
[ 122.588615] Freed by task 11027:
[ 122.591962]  save_stack+0x43/0xd0
[ 122.595401]  __kasan_slab_free+0x102/0x150
[ 122.599627]  kasan_slab_free+0xe/0x10
[ 122.603416]  kfree+0xcf/0x230
[ 122.606522]  rdma_destroy_id+0x835/0xcc0
[ 122.610570]  ucma_close+0x114/0x310
[ 122.614183]  __fput+0x3bc/0xa90
[ 122.617445]  ____fput+0x15/0x20
[ 122.620709]  task_work_run+0x1e8/0x2a0
[ 122.624582]  exit_to_usermode_loop+0x318/0x380
[ 122.629169]  do_syscall_64+0x6be/0x820
[ 122.633064]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.638235]
[ 122.639869] The buggy address belongs to the object at ffff8881b31a2b40
[ 122.639869]  which belongs to the cache kmalloc-2k of size 2048
[ 122.652508] The buggy address is located 480 bytes inside of
[ 122.652508]  2048-byte region [ffff8881b31a2b40, ffff8881b31a3340)
[ 122.664450] The buggy address belongs to the page:
[ 122.669363] page:ffffea0006cc6880 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0 compound_mapcount: 0
[ 122.679314] flags: 0x2fffc0000010200(slab|head)
[ 122.683981] raw: 02fffc0000010200 ffffea000761c388 ffffea0007602788 ffff8881da800c40
[ 122.691850] raw: 0000000000000000 ffff8881b31a22c0 0000000100000003 0000000000000000
[ 122.699708] page dumped because: kasan: bad access detected
[ 122.705406]
[ 122.707043] Memory state around the buggy address:
[ 122.711955]  ffff8881b31a2c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.719299]  ffff8881b31a2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.726641] >ffff8881b31a2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.733980]                                ^
[ 122.738368]  ffff8881b31a2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.745713]  ffff8881b31a2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 122.753057] ==================================================================
[ 122.760399] Disabling lock debugging due to kernel taint
[ 122.766621] Kernel panic - not syncing: panic_on_warn set ...
[ 122.772523] CPU: 1 PID: 11034 Comm: syz-executor0 Tainted: G    B             4.20.0-rc6-next-20181217+ #172
[ 122.782480] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.791815] Call Trace:
[ 122.794388]  dump_stack+0x244/0x39d
[ 122.798019]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 122.803196]  ? __list_del_entry_valid+0xd0/0x100
[ 122.807936]  panic+0x2ad/0x632
[ 122.811112]  ? add_taint.cold.5+0x16/0x16
[ 122.815270]  ? preempt_schedule+0x4d/0x60
[ 122.819415]  ? ___preempt_schedule+0x16/0x18
[ 122.823826]  ? trace_hardirqs_on+0xb4/0x310
[ 122.828132]  ? __list_add_valid+0x8f/0xac
[ 122.832286]  end_report+0x47/0x4f
[ 122.835724]  kasan_report.cold.5+0xe/0x39
[ 122.839855]  ? __list_add_valid+0x8f/0xac
[ 122.844011]  ? _raw_read_unlock_irqrestore+0x90/0xd0
[ 122.849125]  ? __list_add_valid+0x8f/0xac
[ 122.853267]  __asan_report_load8_noabort+0x14/0x20
[ 122.858181]  __list_add_valid+0x8f/0xac
[ 122.862141]  rdma_listen+0x6dc/0x990
[ 122.865852]  ? rdma_resolve_addr+0x2870/0x2870
[ 122.870423]  ucma_listen+0x1a4/0x260
[ 122.874137]  ? ucma_notify+0x210/0x210
[ 122.878036]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 122.883568]  ? _copy_from_user+0xdf/0x150
[ 122.887703]  ? ucma_notify+0x210/0x210
[ 122.891601]  ucma_write+0x365/0x460
[ 122.895214]  ? ucma_open+0x3f0/0x3f0
[ 122.898922]  __vfs_write+0x119/0xab0
[ 122.902638]  ? common_file_perm+0x236/0x7f0
[ 122.906965]  ? __fget_light+0x2e9/0x430
[ 122.910955]  ? ucma_open+0x3f0/0x3f0
[ 122.914685]  ? kernel_read+0x120/0x120
[ 122.918582]  ? apparmor_path_rmdir+0x30/0x30
[ 122.922976]  ? posix_ktime_get_ts+0x15/0x20
[ 122.927281]  ? trace_hardirqs_off_caller+0x310/0x310
[ 122.932368]  ? apparmor_file_permission+0x24/0x30
[ 122.937194]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 122.942716]  ? security_file_permission+0x2bc/0x320
[ 122.947720]  ? rw_verify_area+0x118/0x360
[ 122.951855]  vfs_write+0x1fc/0x580
[ 122.955381]  ksys_write+0x101/0x260
[ 122.958993]  ? __ia32_sys_read+0xb0/0xb0
[ 122.963069]  ? trace_hardirqs_off_caller+0x310/0x310
[ 122.968166]  __x64_sys_write+0x73/0xb0
[ 122.972039]  do_syscall_64+0x1b9/0x820
[ 122.975929]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 122.981276]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 122.986191]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 122.991020]  ? trace_hardirqs_on_caller+0x310/0x310
[ 122.996034]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 123.001048]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 123.006064]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 123.010924]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 123.016110] RIP: 0033:0x457669
[ 123.019307] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 123.038208] RSP: 002b:00007fba69fe9c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 123.045917] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 123.053186] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000003
[ 123.060451] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 123.067717] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fba69fea6d4
[ 123.074999] R13: 00000000004c5f47 R14: 00000000004daa40 R15: 00000000ffffffff
[ 123.083362] Kernel Offset: disabled
[ 123.086984] Rebooting in 86400 seconds..
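The report above is what the fuzzer hands over; the first triage step is to pull the three stacks and the object geometry out of the console noise. The following is an added example, not part of the log and not code from syzkaller or the kernel: a Python parser run over lines copied from this report (a constructed subset of the frames, timestamps kept). It strips the console timestamps, drops frames marked `?` (which the unwinder flags as unreliable), skips sanitizer, allocator and report-machinery frames using a prefix list that is my own heuristic rather than anything KASAN defines, and names the innermost subsystem frame of the access, allocation and free stacks. It also checks that the faulting address minus the object base equals the offset the report states, and whether the free was done by a different task than the one that hit the stale pointer.

```python
"""Added example: first-pass triage of a KASAN use-after-free report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: lines copied from the report above (a subset of the frames),
# with the console timestamps kept so the parser handles them as on a real log.
SAMPLE_REPORT = """\
[ 122.225340] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[ 122.231824] Read of size 8 at addr ffff8881b31a2d20 by task syz-executor0/11034
[ 122.258765] Call Trace:
[ 122.261344]  dump_stack+0x244/0x39d
[ 122.278186]  print_address_description.cold.4+0x9/0x1ff
[ 122.287679]  kasan_report.cold.5+0x1b/0x39
[ 122.296045]  ? _raw_read_unlock_irqrestore+0x90/0xd0
[ 122.305296]  __asan_report_load8_noabort+0x14/0x20
[ 122.310214]  __list_add_valid+0x8f/0xac
[ 122.314182]  rdma_listen+0x6dc/0x990
[ 122.317887]  ? rdma_resolve_addr+0x2870/0x2870
[ 122.322467]  ucma_listen+0x1a4/0x260
[ 122.343611]  ucma_write+0x365/0x460
[ 122.468210] RIP: 0033:0x457669
[ 122.535906] Allocated by task 11028:
[ 122.539612]  save_stack+0x43/0xd0
[ 122.543047]  kasan_kmalloc+0xcb/0xd0
[ 122.546744]  kmem_cache_alloc_trace+0x154/0x740
[ 122.551403]  __rdma_create_id+0xdf/0x650
[ 122.555476]  ucma_create_id+0x39b/0x990
[ 122.588615] Freed by task 11027:
[ 122.591962]  save_stack+0x43/0xd0
[ 122.595401]  __kasan_slab_free+0x102/0x150
[ 122.603416]  kfree+0xcf/0x230
[ 122.606522]  rdma_destroy_id+0x835/0xcc0
[ 122.610570]  ucma_close+0x114/0x310
[ 122.639869] The buggy address belongs to the object at ffff8881b31a2b40
[ 122.639869]  which belongs to the cache kmalloc-2k of size 2048
[ 122.652508] The buggy address is located 480 bytes inside of
[ 122.753057] ==================================================================
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
STACK_HEADER = re.compile(r"(Allocated|Freed) by task (\d+):")
OBJECT = re.compile(r"object at ([0-9a-f]+)|cache (\S+) of size (\d+)|located (\d+) bytes")

# Heuristic (my own list, not KASAN's): frames that belong to the sanitizer, the
# allocator or the report machinery, skipped when naming the subsystem frame.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_",
         "save_stack", "kmem_cache_", "kfree", "kmalloc", "__list_", "end_report")


@dataclass
class Stack:
    task: Optional[int] = None
    frames: List[str] = field(default_factory=list)  # reliable frames, innermost first

    def culprit(self) -> Optional[str]:
        """Innermost reliable frame that is not sanitizer/allocator/report noise."""
        return next((f for f in self.frames if not f.startswith(NOISE)), None)


@dataclass
class KasanReport:
    bug: str = ""
    location: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    object_addr: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    stacks: dict = field(default_factory=lambda: {k: Stack() for k in ("access", "alloc", "free")})


def parse_kasan_report(text: str) -> KasanReport:
    r, current = KasanReport(), None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if line.startswith("=====") and r.bug:
            break  # closing rule of the report; the panic trace that follows is not parsed
        if m := BUG.search(line):
            r.bug, r.location = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r.stacks["access"].task = int(m.group(4))
        elif line.startswith("Call Trace:"):
            current = r.stacks["access"]
        elif m := STACK_HEADER.search(line):
            current = r.stacks["alloc" if m.group(1) == "Allocated" else "free"]
            current.task = int(m.group(2))
        elif m := OBJECT.search(line):
            current = None
            if m.group(1):
                r.object_addr = int(m.group(1), 16)
            elif m.group(2):
                r.cache, r.object_size = m.group(2), int(m.group(3))
            else:
                r.offset = int(m.group(4))
        elif current is not None and (m := FRAME.match(line)):
            if m.group(1) is None:  # a leading '?' marks an unreliable frame; drop it
                current.frames.append(m.group(2))
        elif line.startswith("RIP:"):
            current = None  # user-space register dump follows, end of the kernel stack
    return r


def triage(r: KasanReport) -> dict:
    """The facts a reviewer wants first: where each stack enters the subsystem, whether
    the free came from another task (an object-lifetime race), and that the offset is sane."""
    return {
        "kind": r.bug,
        "access_in": r.stacks["access"].culprit(),
        "alloc_in": r.stacks["alloc"].culprit(),
        "free_in": r.stacks["free"].culprit(),
        "cross_task_free": r.stacks["free"].task != r.stacks["access"].task,
        "offset_consistent": r.addr - r.object_addr == r.offset,
    }
```

Run on the lines above, `triage()` reports the access in `rdma_listen`, the allocation in `__rdma_create_id`, the free in `rdma_destroy_id`, a cross-task free (task 11027 freed through `ucma_close` while task 11034 was still using the id), and an offset of 480 that agrees with the report's own "located 480 bytes inside of" line. Those are exactly the fields to carry into a bug-tracker summary; the parser does not attempt to say why the lifetime race exists, which needs the source.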