[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.249' (ECDSA) to the list of known hosts.
2020/04/17 02:11:01 parsed 1 programs
2020/04/17 02:11:03 executed programs: 0

syzkaller login: [ 36.727603] audit: type=1400 audit(1587089463.121:8): avc: denied { execmem } for pid=6354 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 36.963920] IPVS: ftp: loaded support on port[0] = 21
[ 37.749497] chnl_net:caif_netlink_parms(): no params data found
[ 37.843144] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.849747] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.857856] device bridge_slave_0 entered promiscuous mode
[ 37.865683] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.872057] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.879549] device bridge_slave_1 entered promiscuous mode
[ 37.896918] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 37.906536] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 37.924867] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 37.932042] team0: Port device team_slave_0 added
[ 37.937861] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 37.945388] team0: Port device team_slave_1 added
[ 37.960723] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 37.967059] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 37.992396] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 38.004270] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 38.010548] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 38.035952] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 38.046692] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 38.054511] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 38.114652] device hsr_slave_0 entered promiscuous mode
[ 38.152391] device hsr_slave_1 entered promiscuous mode
[ 38.193459] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 38.200605] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 38.265564] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.272175] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.278979] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.285430] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.316886] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.324177] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.333866] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.342860] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.350865] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.368444] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.378889] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 38.385589] 8021q: adding VLAN 0 to HW filter on device team0
[ 38.394286] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.402505] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.408859] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.429676] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 38.439683] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 38.451154] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 38.458424] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.466547] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.472948] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.480115] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 38.488052] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 38.495835] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.503558] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.511617] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 38.518614] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 38.531981] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 38.539255] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 38.546261] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 38.557272] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 38.609046] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 38.619260] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.652247] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 38.659201] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 38.666513] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 38.676339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.684286] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 38.691205] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 38.700756] device veth0_vlan entered promiscuous mode
[ 38.709889] device veth1_vlan entered promiscuous mode
[ 38.716420] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 38.725417] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 38.732959] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 38.739903] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 38.747373] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 38.758501] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 38.768155] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 38.775522] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.783882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.793681] device veth0_macvtap entered promiscuous mode
[ 38.799951] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 38.808908] device veth1_macvtap entered promiscuous mode
[ 38.815370] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 38.824592] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 38.834295] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 38.844621] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 38.852366] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 38.859175] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 38.867090] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 38.874699] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.882698] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.893092] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 38.900009] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 38.910171] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.918175] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 40.938539] ==================================================================
[ 40.946745] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 40.953316] Read of size 8 at addr ffff8880914c4ad8 by task syz-executor.0/6778
[ 40.964048]
[ 40.965665] CPU: 1 PID: 6778 Comm: syz-executor.0 Not tainted 4.14.176-syzkaller #0
[ 40.973439] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.982776] Call Trace:
[ 40.985400]  dump_stack+0x13e/0x194
[ 40.989013]  ? __list_add_valid+0x93/0xa0
[ 40.993142]  print_address_description.cold+0x7c/0x1e2
[ 40.998402]  ? __list_add_valid+0x93/0xa0
[ 41.002640]  kasan_report.cold+0xa9/0x2ae
[ 41.007310]  __list_add_valid+0x93/0xa0
[ 41.011276]  rdma_listen+0x580/0x800
[ 41.014989]  ucma_listen+0x10b/0x160
[ 41.018689]  ? ucma_accept+0x2a0/0x2a0
[ 41.022562]  ? _copy_from_user+0x94/0x100
[ 41.026698]  ? ucma_accept+0x2a0/0x2a0
[ 41.030784]  ucma_write+0x206/0x2c0
[ 41.034403]  ? ucma_open+0x280/0x280
[ 41.038104]  ? save_trace+0x290/0x290
[ 41.041901]  __vfs_write+0xe4/0x630
[ 41.045534]  ? ucma_open+0x280/0x280
[ 41.049232]  ? kernel_read+0x110/0x110
[ 41.053105]  ? __inode_security_revalidate+0xcf/0x120
[ 41.058306]  ? avc_policy_seqno+0x5/0x10
[ 41.062372]  ? selinux_file_permission+0x7a/0x440
[ 41.067199]  ? security_file_permission+0x82/0x1e0
[ 41.072121]  ? rw_verify_area+0xe1/0x2a0
[ 41.076167]  vfs_write+0x192/0x4e0
[ 41.079689]  SyS_write+0xf2/0x210
[ 41.083144]  ? SyS_read+0x210/0x210
[ 41.086864]  ? SyS_clock_settime+0x1a0/0x1a0
[ 41.091329]  ? do_syscall_64+0x4c/0x640
[ 41.095346]  ? SyS_read+0x210/0x210
[ 41.099008]  do_syscall_64+0x1d5/0x640
[ 41.102923]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.108147] RIP: 0033:0x45c889
[ 41.111331] RSP: 002b:00007f81a6969c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 41.119018] RAX: ffffffffffffffda RBX: 00007f81a696a6d4 RCX: 000000000045c889
[ 41.126284] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 41.133534] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 41.140786] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 41.148050] R13: 0000000000000cc2 R14: 00000000004ceeb6 R15: 000000000076bf0c
[ 41.155324]
[ 41.156931] Allocated by task 6776:
[ 41.160543]  save_stack+0x32/0xa0
[ 41.163988]  kasan_kmalloc+0xbf/0xe0
[ 41.167681]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 41.172336]  rdma_create_id+0x57/0x4c0
[ 41.176208]  ucma_create_id+0x18b/0x500
[ 41.180178]  ucma_write+0x206/0x2c0
[ 41.183786]  __vfs_write+0xe4/0x630
[ 41.187393]  vfs_write+0x192/0x4e0
[ 41.190911]  SyS_write+0xf2/0x210
[ 41.194366]  do_syscall_64+0x1d5/0x640
[ 41.198235]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.203414]
[ 41.205021] Freed by task 6771:
[ 41.208280]  save_stack+0x32/0xa0
[ 41.211717]  kasan_slab_free+0x75/0xc0
[ 41.215593]  kfree+0xcb/0x260
[ 41.218686]  ucma_close+0x105/0x300
[ 41.222414]  __fput+0x25f/0x790
[ 41.225733]  task_work_run+0x113/0x190
[ 41.229605]  exit_to_usermode_loop+0x1d6/0x220
[ 41.234236]  do_syscall_64+0x4a3/0x640
[ 41.238110]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.243887]
[ 41.245504] The buggy address belongs to the object at ffff8880914c4900
[ 41.245504]  which belongs to the cache kmalloc-1024 of size 1024
[ 41.258508] The buggy address is located 472 bytes inside of
[ 41.258508]  1024-byte region [ffff8880914c4900, ffff8880914c4d00)
[ 41.270464] The buggy address belongs to the page:
[ 41.275402] page:ffffea0002453100 count:1 mapcount:0 mapping:ffff8880914c4000 index:0x0 compound_mapcount: 0
[ 41.285356] flags: 0xfffe0000008100(slab|head)
[ 41.289947] raw: 00fffe0000008100 ffff8880914c4000 0000000000000000 0000000100000007
[ 41.297837] raw: ffffea000246be20 ffffea00024055a0 ffff88812fe56ac0 0000000000000000
[ 41.305724] page dumped because: kasan: bad access detected
[ 41.311480]
[ 41.313100] Memory state around the buggy address:
[ 41.318468]  ffff8880914c4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.326002]  ffff8880914c4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.333380] >ffff8880914c4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.340808]                                                     ^
[ 41.347090]  ffff8880914c4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.354520]  ffff8880914c4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.361965] ==================================================================
[ 41.369319] Disabling lock debugging due to kernel taint
[ 41.378250] Kernel panic - not syncing: panic_on_warn set ...
[ 41.378250]
[ 41.385736] CPU: 0 PID: 6778 Comm: syz-executor.0 Tainted: G B 4.14.176-syzkaller #0
[ 41.395529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.404993] Call Trace:
[ 41.407592]  dump_stack+0x13e/0x194
[ 41.411230]  panic+0x1f9/0x42d
[ 41.414408]  ? add_taint.cold+0x16/0x16
[ 41.418392]  ? preempt_schedule_common+0x4a/0xc0
[ 41.423145]  ? __list_add_valid+0x93/0xa0
[ 41.427293]  ? ___preempt_schedule+0x16/0x18
[ 41.431680]  ? __list_add_valid+0x93/0xa0
[ 41.435817]  kasan_end_report+0x43/0x49
[ 41.439787]  kasan_report.cold+0x12f/0x2ae
[ 41.443999]  __list_add_valid+0x93/0xa0
[ 41.447954]  rdma_listen+0x580/0x800
[ 41.451661]  ucma_listen+0x10b/0x160
[ 41.455934]  ? ucma_accept+0x2a0/0x2a0
[ 41.459806]  ? _copy_from_user+0x94/0x100
[ 41.463931]  ? ucma_accept+0x2a0/0x2a0
[ 41.467794]  ucma_write+0x206/0x2c0
[ 41.471412]  ? ucma_open+0x280/0x280
[ 41.475115]  ? save_trace+0x290/0x290
[ 41.478898]  __vfs_write+0xe4/0x630
[ 41.482516]  ? ucma_open+0x280/0x280
[ 41.486221]  ? kernel_read+0x110/0x110
[ 41.490091]  ? __inode_security_revalidate+0xcf/0x120
[ 41.495260]  ? avc_policy_seqno+0x5/0x10
[ 41.499327]  ? selinux_file_permission+0x7a/0x440
[ 41.505079]  ? security_file_permission+0x82/0x1e0
[ 41.509996]  ? rw_verify_area+0xe1/0x2a0
[ 41.514038]  vfs_write+0x192/0x4e0
[ 41.517632]  SyS_write+0xf2/0x210
[ 41.521192]  ? SyS_read+0x210/0x210
[ 41.524866]  ? SyS_clock_settime+0x1a0/0x1a0
[ 41.529253]  ? do_syscall_64+0x4c/0x640
[ 41.533208]  ? SyS_read+0x210/0x210
[ 41.536901]  do_syscall_64+0x1d5/0x640
[ 41.540769]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.545936] RIP: 0033:0x45c889
[ 41.549103] RSP: 002b:00007f81a6969c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 41.556893] RAX: ffffffffffffffda RBX: 00007f81a696a6d4 RCX: 000000000045c889
[ 41.564156] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 41.571405] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 41.578653] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 41.586337] R13: 0000000000000cc2 R14: 00000000004ceeb6 R15: 000000000076bf0c
[ 41.595113] Kernel Offset: disabled
[ 41.598741] Rebooting in 86400 seconds..
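The report above is the entire content of this page, so the following is an added example of my own (not syzkaller's and not kernel code) showing the first triage pass a responder does on a KASAN slab report of this shape: strip the timestamps, parse the BUG header and the access line, collect the "Call Trace:", "Allocated by task" and "Freed by task" stacks while dropping the stale `?` frames, recover the user-reachable path from the faulting function down to the syscall handler, find the real allocation and free sites behind the allocator plumbing, cross-check the reported offset against the object base, and flag that the object was freed by a task other than the one that later used it. `SAMPLE` is the report above trimmed to a handful of frames (it is constructed from the page, not a new log); the `SYSCALL` and `PLUMBING` prefix lists are my assumptions for a 4.14 x86-64 kernel and would need extending for other trees.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: the report above, trimmed to the lines this parser reads.
SAMPLE = """\
[   40.946745] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   40.953316] Read of size 8 at addr ffff8880914c4ad8 by task syz-executor.0/6778
[   40.982776] Call Trace:
[   40.989013]  ? __list_add_valid+0x93/0xa0
[   41.002640]  kasan_report.cold+0xa9/0x2ae
[   41.007310]  __list_add_valid+0x93/0xa0
[   41.011276]  rdma_listen+0x580/0x800
[   41.014989]  ucma_listen+0x10b/0x160
[   41.030784]  ucma_write+0x206/0x2c0
[   41.076167]  vfs_write+0x192/0x4e0
[   41.079689]  SyS_write+0xf2/0x210
[   41.099008]  do_syscall_64+0x1d5/0x640
[   41.156931] Allocated by task 6776:
[   41.163988]  kasan_kmalloc+0xbf/0xe0
[   41.167681]  kmem_cache_alloc_trace+0x14d/0x7b0
[   41.172336]  rdma_create_id+0x57/0x4c0
[   41.176208]  ucma_create_id+0x18b/0x500
[   41.205021] Freed by task 6771:
[   41.211717]  kasan_slab_free+0x75/0xc0
[   41.215593]  kfree+0xcb/0x260
[   41.218686]  ucma_close+0x105/0x300
[   41.222414]  __fput+0x25f/0x790
[   41.245504] The buggy address belongs to the object at ffff8880914c4900
[   41.245504]  which belongs to the cache kmalloc-1024 of size 1024
[   41.258508] The buggy address is located 472 bytes inside of
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s?")                       # "[   41.007310] " prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
SECTION = re.compile(r"^(Allocated|Freed) by task (\d+):")
FRAME = re.compile(r"^(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
FIELDS = {  # attribute -> (pattern for the object-description lines, converter)
    "object_base": (re.compile(r"belongs to the object at ([0-9a-f]+)"), lambda s: int(s, 16)),
    "cache": (re.compile(r"belongs to the cache (\S+) of size"), str),
    "offset": (re.compile(r"located (\d+) bytes inside of"), int),
}
# Assumed prefix lists (syscall entry points and allocator/KASAN plumbing); extend per kernel.
SYSCALL = re.compile(r"^(SyS_|sys_|__x64_sys_|__se_sys_|__do_sys_)")
PLUMBING = ("save_stack", "kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc", "kzalloc")

def parse_kasan(text: str) -> Dict[str, Any]:
    stacks: Dict[str, List[str]] = {"access": [], "alloc": [], "free": []}
    r: Dict[str, Any] = {"stacks": stacks}
    stack: Optional[List[str]] = None                # stack section currently being filled
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if stack is not None:
            if m := FRAME.match(line):
                if not m["stale"]:                  # "? sym" frames are stale guesses: drop them
                    stack.append(m["sym"])
                continue
            stack = None                            # blank or non-frame line ends the section
        if m := HEADER.search(line):
            r["kind"], r["func"] = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.update(op=m[1], size=int(m[2]), addr=int(m[3], 16), pid=int(m[4]))
        elif line == "Call Trace:":
            stack = stacks["access"]
        elif m := SECTION.match(line):
            key = "alloc" if m[1] == "Allocated" else "free"
            r[key + "_pid"] = int(m[2])
            stack = stacks[key]
        else:
            for attr, (pat, conv) in FIELDS.items():
                if m := pat.search(line):
                    r[attr] = conv(m[1])
    return r

def path_to_syscall(stack: List[str], start: str) -> List[str]:
    """Frames from `start` down to the first syscall handler: the user-reachable path."""
    if start not in stack:
        return []
    out: List[str] = []
    for sym in stack[stack.index(start):]:
        out.append(sym)
        if SYSCALL.match(sym):
            break
    return out

def site(stack: List[str]) -> Optional[str]:
    """First frame that is not allocator or KASAN plumbing, i.e. the real alloc/free site."""
    return next((s for s in stack if not s.startswith(PLUMBING)), None)

def triage(r: Dict[str, Any]) -> Dict[str, Any]:
    stacks = r["stacks"]
    return {
        "bug": f'{r["kind"]}: {r["op"].lower()} of {r["size"]} bytes at +{r["offset"]} in {r["cache"]}',
        "offset_consistent": r["addr"] - r["object_base"] == r["offset"],   # cross-check the report
        "crash_path": path_to_syscall(stacks["access"], r["func"]),
        "alloc_site": site(stacks["alloc"]),
        "free_site": site(stacks["free"]),
        "freed_by_other_task": r["free_pid"] is not None and r["free_pid"] != r["pid"],
        "user_reachable": any(SYSCALL.match(s) for s in stacks["access"]),
    }
```

On the full report the result is the same apart from a longer `crash_path`: the object is created in `rdma_create_id` from `ucma_create_id`, freed in `ucma_close` from `__fput`, and read 472 bytes in by `__list_add_valid` from `rdma_listen`, with three different tasks (6776, 6771, 6778) doing the allocate, free and use through the same driver's write and close entry points. `__list_add_valid` is only where the corruption was detected, not where the bug is; `freed_by_other_task` combined with `user_reachable` is what marks such a report as a lifetime bug in the driver reachable from unprivileged writes to its character device, which is why it gets escalated over a single-task crash.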