Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   27.883224] ==================================================================
[   27.890691] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   27.897167] Read of size 8 at addr ffff8880b2f3dcd8 by task syz-executor403/7980
[   27.904690] 
[   27.906305] CPU: 0 PID: 7980 Comm: syz-executor403 Not tainted 4.14.286-syzkaller #0
[   27.914613] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[   27.924178] Call Trace:
[   27.926751]  dump_stack+0x1b2/0x281
[   27.930368]  print_address_description.cold+0x54/0x1d3
[   27.935633]  kasan_report_error.cold+0x8a/0x191
[   27.940291]  ? __list_add_valid+0x93/0xa0
[   27.944443]  __asan_report_load8_noabort+0x68/0x70
[   27.949355]  ? __list_add_valid+0x93/0xa0
[   27.953588]  __list_add_valid+0x93/0xa0
[   27.957573]  rdma_listen+0x656/0x9b0
[   27.961378]  ucma_listen+0x10b/0x170
[   27.965091]  ? ucma_bind_ip+0x150/0x150
[   27.969070]  ? _copy_from_user+0x96/0x100
[   27.973203]  ? ucma_bind_ip+0x150/0x150
[   27.977158]  ucma_write+0x206/0x2c0
[   27.980764]  ? ucma_set_ib_path+0x510/0x510
[   27.985064]  ? __switch_to_xtra+0x93/0x12f0
[   27.989364]  ? finish_task_switch+0x178/0x610
[   27.993846]  __vfs_write+0xe4/0x630
[   27.997450]  ? ucma_set_ib_path+0x510/0x510
[   28.001749]  ? lock_downgrade+0x740/0x740
[   28.005903]  ? kernel_read+0x110/0x110
[   28.009776]  ? common_file_perm+0x3ee/0x580
[   28.014080]  ? _raw_spin_unlock_irq+0x5a/0x80
[   28.018556]  ? security_file_permission+0x82/0x1e0
[   28.023463]  ? rw_verify_area+0xe1/0x2a0
[   28.027500]  vfs_write+0x17f/0x4d0
[   28.031019]  SyS_write+0xf2/0x210
[   28.034454]  ? SyS_read+0x210/0x210
[   28.038061]  ? do_syscall_64+0x4c/0x640
[   28.042013]  ? SyS_read+0x210/0x210
[   28.045622]  do_syscall_64+0x1d5/0x640
[   28.049495]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.054674] RIP: 0033:0x7f642e6e7ec9
[   28.058369] RSP: 002b:00007ffeb4e13dd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   28.066062] RAX: ffffffffffffffda RBX: 0000000000006cfd RCX: 00007f642e6e7ec9
[   28.073424] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[   28.080684] RBP: 0000000000000000 R08: 00007ffeb4e13f78 R09: 00007ffeb4e13f78
[   28.088026] R10: 00007ffeb4e13f78 R11: 0000000000000246 R12: 00007ffeb4e13dec
[   28.095276] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   28.102966] 
[   28.104576] Allocated by task 7976:
[   28.108184]  kasan_kmalloc+0xeb/0x160
[   28.111965]  kmem_cache_alloc_trace+0x131/0x3d0
[   28.116609]  rdma_create_id+0x57/0x4c0
[   28.120473]  ucma_create_id+0x18b/0x500
[   28.124421]  ucma_write+0x206/0x2c0
[   28.128023]  __vfs_write+0xe4/0x630
[   28.131628]  vfs_write+0x17f/0x4d0
[   28.135146]  SyS_write+0xf2/0x210
[   28.138578]  do_syscall_64+0x1d5/0x640
[   28.142444]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.147613] 
[   28.149222] Freed by task 7976:
[   28.152488]  kasan_slab_free+0xc3/0x1a0
[   28.156439]  kfree+0xc9/0x250
[   28.159603]  ucma_close+0x11a/0x340
[   28.163296]  __fput+0x25f/0x7a0
[   28.166553]  task_work_run+0x11f/0x190
[   28.170477]  do_exit+0xa44/0x2850
[   28.173947]  do_group_exit+0x100/0x2e0
[   28.177826]  SyS_exit_group+0x19/0x20
[   28.181627]  do_syscall_64+0x1d5/0x640
[   28.185681]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.190852] 
[   28.192457] The buggy address belongs to the object at ffff8880b2f3db00
[   28.192457]  which belongs to the cache kmalloc-1024 of size 1024
[   28.205262] The buggy address is located 472 bytes inside of
[   28.205262]  1024-byte region [ffff8880b2f3db00, ffff8880b2f3df00)
[   28.217198] The buggy address belongs to the page:
[   28.222108] page:ffffea0002cbcf00 count:1 mapcount:0 mapping:ffff8880b2f3c000 index:0x0 compound_mapcount: 0
[   28.232057] flags: 0xfff00000008100(slab|head)
[   28.236617] raw: 00fff00000008100 ffff8880b2f3c000 0000000000000000 0000000100000007
[   28.244487] raw: ffffea000273aa20 ffffea00026c8220 ffff88813fe74ac0 0000000000000000
[   28.252345] page dumped because: kasan: bad access detected
[   28.258030] 
[   28.259645] Memory state around the buggy address:
[   28.264558]  ffff8880b2f3db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.271897]  ffff8880b2f3dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.279384] >ffff8880b2f3dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.286723]                                                     ^
[   28.292939]  ffff8880b2f3dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.300276]  ffff8880b2f3dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.307613] ==================================================================
[   28.314944] Disabling lock debugging due to kernel taint
[   28.327707] Kernel panic - not syncing: panic_on_warn set ...
[   28.327707] 
[   28.335089] CPU: 1 PID: 7980 Comm: syz-executor403 Tainted: G    B   4.14.286-syzkaller #0
[   28.344169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[   28.353525] Call Trace:
[   28.356107]  dump_stack+0x1b2/0x281
[   28.359713]  panic+0x1f9/0x42d
[   28.362881]  ? add_taint.cold+0x16/0x16
[   28.366832]  ? ___preempt_schedule+0x16/0x18
[   28.371219]  kasan_end_report+0x43/0x49
[   28.375165]  kasan_report_error.cold+0xa7/0x191
[   28.379810]  ? __list_add_valid+0x93/0xa0
[   28.383932]  __asan_report_load8_noabort+0x68/0x70
[   28.388841]  ? __list_add_valid+0x93/0xa0
[   28.392972]  __list_add_valid+0x93/0xa0
[   28.396922]  rdma_listen+0x656/0x9b0
[   28.400621]  ucma_listen+0x10b/0x170
[   28.404308]  ? ucma_bind_ip+0x150/0x150
[   28.408265]  ? _copy_from_user+0x96/0x100
[   28.412388]  ? ucma_bind_ip+0x150/0x150
[   28.416337]  ucma_write+0x206/0x2c0
[   28.419937]  ? ucma_set_ib_path+0x510/0x510
[   28.424234]  ? __switch_to_xtra+0x93/0x12f0
[   28.428530]  ? finish_task_switch+0x178/0x610
[   28.433000]  __vfs_write+0xe4/0x630
[   28.436602]  ? ucma_set_ib_path+0x510/0x510
[   28.440895]  ? lock_downgrade+0x740/0x740
[   28.445020]  ? kernel_read+0x110/0x110
[   28.448881]  ? common_file_perm+0x3ee/0x580
[   28.453177]  ? _raw_spin_unlock_irq+0x5a/0x80
[   28.457656]  ? security_file_permission+0x82/0x1e0
[   28.462564]  ? rw_verify_area+0xe1/0x2a0
[   28.466603]  vfs_write+0x17f/0x4d0
[   28.470121]  SyS_write+0xf2/0x210
[   28.473547]  ? SyS_read+0x210/0x210
[   28.477146]  ? do_syscall_64+0x4c/0x640
[   28.481095]  ? SyS_read+0x210/0x210
[   28.484699]  do_syscall_64+0x1d5/0x640
[   28.488562]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.493728] RIP: 0033:0x7f642e6e7ec9
[   28.497414] RSP: 002b:00007ffeb4e13dd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   28.505112] RAX: ffffffffffffffda RBX: 0000000000006cfd RCX: 00007f642e6e7ec9
[   28.512359] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[   28.519603] RBP: 0000000000000000 R08: 00007ffeb4e13f78 R09: 00007ffeb4e13f78
[   28.526854] R10: 00007ffeb4e13f78 R11: 0000000000000246 R12: 00007ffeb4e13dec
[   28.534097] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   28.541547] Kernel Offset: disabled
[   28.545165] Rebooting in 86400 seconds..
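To turn the report above into the handful of facts a reviewer checks first, here is an added triage script; it is not part of the syzkaller output or of any kernel or syzkaller tooling. It extracts the bug class, the faulting frame and the caller that handed it the stale pointer, the allocation and free sites with their owning tasks and syscalls, the slab cache and the offset of the access inside the freed object, and whether the task that hit the stale object differs from the task that freed it (which is the case here: PID 7980 reads what PID 7976 freed in ucma_close, so the object is reachable through a shared path rather than a single descriptor's lifetime). The embedded REPORT is a trimmed copy of the log above; the NOISE list of frames to skip is the script's own assumption about which symbols are reporting or allocator plumbing.

```python
"""Triage helper for a KASAN report: pulls out the facts a reviewer wants first."""
import re

# Trimmed copy of the KASAN report above, reduced to the lines the parser uses.
REPORT = """\
[   27.890691] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   27.897167] Read of size 8 at addr ffff8880b2f3dcd8 by task syz-executor403/7980
[   27.924178] Call Trace:
[   27.926751]  dump_stack+0x1b2/0x281
[   27.935633]  kasan_report_error.cold+0x8a/0x191
[   27.940291]  ? __list_add_valid+0x93/0xa0
[   27.944443]  __asan_report_load8_noabort+0x68/0x70
[   27.953588]  __list_add_valid+0x93/0xa0
[   27.957573]  rdma_listen+0x656/0x9b0
[   27.961378]  ucma_listen+0x10b/0x170
[   27.977158]  ucma_write+0x206/0x2c0
[   28.031019]  SyS_write+0xf2/0x210
[   28.034454]  ? SyS_read+0x210/0x210
[   28.049495]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.054674] RIP: 0033:0x7f642e6e7ec9
[   28.104576] Allocated by task 7976:
[   28.108184]  kasan_kmalloc+0xeb/0x160
[   28.111965]  kmem_cache_alloc_trace+0x131/0x3d0
[   28.116609]  rdma_create_id+0x57/0x4c0
[   28.120473]  ucma_create_id+0x18b/0x500
[   28.147613]
[   28.149222] Freed by task 7976:
[   28.152488]  kasan_slab_free+0xc3/0x1a0
[   28.156439]  kfree+0xc9/0x250
[   28.159603]  ucma_close+0x11a/0x340
[   28.177826]  SyS_exit_group+0x19/0x20
[   28.190852]
[   28.192457] The buggy address belongs to the object at ffff8880b2f3db00
[   28.192457]  which belongs to the cache kmalloc-1024 of size 1024
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[   27.890691] " timestamp prefix
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Assumption: reporting/allocator plumbing that is never the interesting frame.
NOISE = ("kasan_", "__asan_", "dump_stack", "print_address_description",
         "kmem_cache_alloc", "kfree", "kmalloc")


def stack_after(lines, header):
    """Frames after the first line starting with `header`, up to a blank line or register dump."""
    frames, it = [], iter(lines)
    for line in it:
        if line.startswith(header):
            break
    for line in it:
        if not line.strip() or line.startswith("RIP:"):
            break
        m = FRAME.match(line)
        if m:  # (is an uncertain '?' frame, symbol)
            frames.append((m.group(1) is not None, m.group(2)))
    return frames


def first_real_frame(stack):
    """First certain frame that is not sanitizer/allocator plumbing."""
    return next((s for u, s in stack if not u and not s.startswith(NOISE)), None)


def caller_of(stack, sym):
    """First certain frame after `sym`: the code that handed the stale pointer to `sym`."""
    certain = [s for u, s in stack if not u]
    i = certain.index(sym) + 1 if sym in certain else len(certain)
    return certain[i] if i < len(certain) else None


def syscall_of(stack):
    """Syscall entry frame (4.14 names them SyS_*; newer kernels __x64_sys_*/__se_sys_*)."""
    return next((s for u, s in stack
                 if not u and s.startswith(("SyS_", "__x64_sys_", "__se_sys_"))), None)


def triage(report):
    lines = [TS.sub("", ln) for ln in report.splitlines()]
    text = "\n".join(lines)
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\n\s*which belongs to the cache (\S+) of size (\d+)", text)
    alloc_pid = int(re.search(r"Allocated by task (\d+):", text).group(1))
    free_pid = int(re.search(r"Freed by task (\d+):", text).group(1))
    use, alloc, free = (stack_after(lines, h) for h in ("Call Trace:", "Allocated by", "Freed by"))
    return {
        "bug": bug.group(1), "fault_symbol": bug.group(2),
        "access": acc.group(1).lower(), "size": int(acc.group(2)),
        "task": acc.group(4), "pid": int(acc.group(5)),
        "use_site": caller_of(use, bug.group(2)), "syscall": syscall_of(use),
        "alloc_site": first_real_frame(alloc), "alloc_pid": alloc_pid,
        "free_site": first_real_frame(free), "free_pid": free_pid,
        "free_syscall": syscall_of(free), "cache": obj.group(2),
        "offset_in_object": int(acc.group(3), 16) - int(obj.group(1), 16),
        # Freed by one task, used by another: the object is shared across descriptors.
        "cross_task": int(acc.group(5)) != free_pid,
    }


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(f"{key:18} {val}")
```

The offset it computes (472 bytes into a kmalloc-1024 object) matches the report's own "located 472 bytes inside of" line, which is a cheap consistency check when a report has been hand-copied or trimmed.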