[ 38.249452][ T25] audit: type=1800 audit(1554216794.494:26): pid=7669 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.279959][ T25] audit: type=1800 audit(1554216794.494:27): pid=7669 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 38.302479][ T25] audit: type=1800 audit(1554216794.494:28): pid=7669 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 39.191301][ T25] audit: type=1800 audit(1554216795.464:29): pid=7669 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.125' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 65.694301][ T7822] ==================================================================
[ 65.702647][ T7822] BUG: KASAN: use-after-free in cma_check_port+0x8ce/0x8f0
[ 65.709829][ T7822] Read of size 8 at addr ffff8880a7d7ac48 by task syz-executor333/7822
[ 65.718269][ T7822]
[ 65.720638][ T7822] CPU: 1 PID: 7822 Comm: syz-executor333 Not tainted 5.1.0-rc3-next-20190402 #16
[ 65.729744][ T7822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.739792][ T7822] Call Trace:
[ 65.743074][ T7822]  dump_stack+0x172/0x1f0
[ 65.747390][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 65.752256][ T7822]  print_address_description.cold+0x7c/0x20d
[ 65.758234][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 65.763083][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 65.767939][ T7822]  kasan_report.cold+0x1b/0x40
[ 65.772775][ T7822]  ? __xa_insert+0x210/0x2a0
[ 65.777372][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 65.782223][ T7822]  __asan_report_load8_noabort+0x14/0x20
[ 65.787862][ T7822]  cma_check_port+0x8ce/0x8f0
[ 65.792648][ T7822]  rdma_bind_addr+0x19c3/0x1f80
[ 65.797492][ T7822]  ? refcount_inc_not_zero_checked+0x144/0x200
[ 65.803720][ T7822]  ? cma_ndev_work_handler+0x1c0/0x1c0
[ 65.809186][ T7822]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 65.815529][ T7822]  ? refcount_inc_checked+0x2b/0x70
[ 65.820804][ T7822]  ? __rdma_create_id+0x40b/0x4e0
[ 65.825908][ T7822]  rdma_create_trans+0x9ad/0x1390
[ 65.830936][ T7822]  ? legacy_get_tree+0xf2/0x200
[ 65.835799][ T7822]  ? post_recv.isra.0+0x550/0x550
[ 65.840913][ T7822]  ? find_held_lock+0x35/0x130
[ 65.846071][ T7822]  ? debug_check_no_obj_freed+0x211/0x444
[ 65.851832][ T7822]  ? kasan_check_write+0x14/0x20
[ 65.856802][ T7822]  ? lock_downgrade+0x880/0x880
[ 65.861644][ T7822]  ? trace_hardirqs_off+0x62/0x220
[ 65.866749][ T7822]  ? kfree+0x173/0x230
[ 65.870802][ T7822]  ? p9_client_create+0x82c/0x1400
[ 65.875955][ T7822]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 65.881244][ T7822]  ? trace_hardirqs_on+0x67/0x230
[ 65.886276][ T7822]  ? p9_client_create+0x82c/0x1400
[ 65.891881][ T7822]  p9_client_create+0x89c/0x1400
[ 65.897053][ T7822]  ? azx_pcm_close+0x290/0x520
[ 65.901830][ T7822]  ? p9_client_zc_rpc.constprop.0+0x10c0/0x10c0
[ 65.908066][ T7822]  ? rcu_read_lock_sched_held+0x110/0x130
[ 65.913790][ T7822]  ? ksys_mount+0xdb/0x150
[ 65.918209][ T7822]  ? lockdep_init_map+0x1be/0x6d0
[ 65.923231][ T7822]  v9fs_session_init+0x1e7/0x1960
[ 65.928257][ T7822]  ? v9fs_session_init+0x1e7/0x1960
[ 65.933459][ T7822]  ? find_held_lock+0x35/0x130
[ 65.938236][ T7822]  ? fs_reclaim_acquire.part.0+0x30/0x30
[ 65.943878][ T7822]  ? azx_pcm_close+0x290/0x520
[ 65.948649][ T7822]  ? v9fs_show_options+0x7e0/0x7e0
[ 65.953810][ T7822]  ? v9fs_mount+0x5e/0x920
[ 65.958224][ T7822]  ? rcu_read_lock_sched_held+0x110/0x130
[ 65.963939][ T7822]  ? kmem_cache_alloc_trace+0x354/0x760
[ 65.969493][ T7822]  ? vfs_parse_fs_string+0x111/0x170
[ 65.974843][ T7822]  ? rcu_read_lock_sched_held+0x110/0x130
[ 65.980571][ T7822]  v9fs_mount+0x7d/0x920
[ 65.985415][ T7822]  ? vfs_parse_fs_param+0x510/0x510
[ 65.990634][ T7822]  ? v9fs_write_inode+0x70/0x70
[ 65.995497][ T7822]  legacy_get_tree+0xf2/0x200
[ 66.000278][ T7822]  vfs_get_tree+0x123/0x450
[ 66.004828][ T7822]  do_mount+0x1436/0x2c40
[ 66.009155][ T7822]  ? copy_mount_string+0x40/0x40
[ 66.014076][ T7822]  ? _copy_from_user+0xdd/0x150
[ 66.018926][ T7822]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.025158][ T7822]  ? copy_mount_options+0x280/0x3a0
[ 66.030458][ T7822]  ksys_mount+0xdb/0x150
[ 66.034711][ T7822]  __x64_sys_mount+0xbe/0x150
[ 66.039391][ T7822]  do_syscall_64+0x103/0x610
[ 66.043969][ T7822]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.049859][ T7822] RIP: 0033:0x441209
[ 66.053888][ T7822] Code: e8 3c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 66.073652][ T7822] RSP: 002b:00007fff651fe848 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 66.082066][ T7822] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441209
[ 66.090098][ T7822] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000000
[ 66.098078][ T7822] RBP: 000000000001008e R08: 0000000020000340 R09: 00000000004002c8
[ 66.106047][ T7822] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402030
[ 66.114020][ T7822] R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
[ 66.122178][ T7822]
[ 66.124503][ T7822] Allocated by task 7821:
[ 66.128960][ T7822]  save_stack+0x45/0xd0
[ 66.133110][ T7822]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 66.138738][ T7822]  kasan_kmalloc+0x9/0x10
[ 66.143055][ T7822]  kmem_cache_alloc_trace+0x151/0x760
[ 66.148408][ T7822]  cma_alloc_port+0x4f/0x1a0
[ 66.152978][ T7822]  rdma_bind_addr+0x1bc0/0x1f80
[ 66.157813][ T7822]  rdma_create_trans+0x9ad/0x1390
[ 66.162869][ T7822]  p9_client_create+0x89c/0x1400
[ 66.167844][ T7822]  v9fs_session_init+0x1e7/0x1960
[ 66.172871][ T7822]  v9fs_mount+0x7d/0x920
[ 66.177107][ T7822]  legacy_get_tree+0xf2/0x200
[ 66.181896][ T7822]  vfs_get_tree+0x123/0x450
[ 66.186516][ T7822]  do_mount+0x1436/0x2c40
[ 66.190836][ T7822]  ksys_mount+0xdb/0x150
[ 66.195198][ T7822]  __x64_sys_mount+0xbe/0x150
[ 66.199864][ T7822]  do_syscall_64+0x103/0x610
[ 66.204461][ T7822]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.210383][ T7822]
[ 66.212702][ T7822] Freed by task 7821:
[ 66.216816][ T7822]  save_stack+0x45/0xd0
[ 66.220974][ T7822]  __kasan_slab_free+0x102/0x150
[ 66.225914][ T7822]  kasan_slab_free+0xe/0x10
[ 66.230423][ T7822]  kfree+0xcf/0x230
[ 66.234235][ T7822]  rdma_destroy_id+0x7fc/0xaa0
[ 66.238994][ T7822]  rdma_destroy_trans+0x179/0x1c0
[ 66.244021][ T7822]  rdma_create_trans+0xffc/0x1390
[ 66.249051][ T7822]  p9_client_create+0x89c/0x1400
[ 66.253990][ T7822]  v9fs_session_init+0x1e7/0x1960
[ 66.259000][ T7822]  v9fs_mount+0x7d/0x920
[ 66.263224][ T7822]  legacy_get_tree+0xf2/0x200
[ 66.267888][ T7822]  vfs_get_tree+0x123/0x450
[ 66.272489][ T7822]  do_mount+0x1436/0x2c40
[ 66.276801][ T7822]  ksys_mount+0xdb/0x150
[ 66.281034][ T7822]  __x64_sys_mount+0xbe/0x150
[ 66.285706][ T7822]  do_syscall_64+0x103/0x610
[ 66.290293][ T7822]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.296173][ T7822]
[ 66.298497][ T7822] The buggy address belongs to the object at ffff8880a7d7ac40
[ 66.298497][ T7822]  which belongs to the cache kmalloc-32 of size 32
[ 66.312377][ T7822] The buggy address is located 8 bytes inside of
[ 66.312377][ T7822]  32-byte region [ffff8880a7d7ac40, ffff8880a7d7ac60)
[ 66.325483][ T7822] The buggy address belongs to the page:
[ 66.331113][ T7822] page:ffffea00029f5e80 count:1 mapcount:0 mapping:ffff88812c3f01c0 index:0xffff8880a7d7afc1
[ 66.341381][ T7822] flags: 0x1fffc0000000200(slab)
[ 66.346323][ T7822] raw: 01fffc0000000200 ffffea000267ea08 ffffea000267ec08 ffff88812c3f01c0
[ 66.355166][ T7822] raw: ffff8880a7d7afc1 ffff8880a7d7a000 0000000100000009 0000000000000000
[ 66.363790][ T7822] page dumped because: kasan: bad access detected
[ 66.370200][ T7822]
[ 66.372509][ T7822] Memory state around the buggy address:
[ 66.378174][ T7822]  ffff8880a7d7ab00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 66.386241][ T7822]  ffff8880a7d7ab80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 66.394308][ T7822] >ffff8880a7d7ac00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 66.402369][ T7822]                                               ^
[ 66.408822][ T7822]  ffff8880a7d7ac80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 66.416888][ T7822]  ffff8880a7d7ad00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 66.425038][ T7822] ==================================================================
[ 66.433280][ T7822] Disabling lock debugging due to kernel taint
[ 66.439852][ T7822] Kernel panic - not syncing: panic_on_warn set ...
[ 66.446450][ T7822] CPU: 1 PID: 7822 Comm: syz-executor333 Tainted: G    B             5.1.0-rc3-next-20190402 #16
[ 66.456937][ T7822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.467134][ T7822] Call Trace:
[ 66.470414][ T7822]  dump_stack+0x172/0x1f0
[ 66.474771][ T7822]  panic+0x2cb/0x65c
[ 66.478710][ T7822]  ? __warn_printk+0xf3/0xf3
[ 66.483285][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 66.488115][ T7822]  ? preempt_schedule+0x4b/0x60
[ 66.492955][ T7822]  ? ___preempt_schedule+0x16/0x18
[ 66.498053][ T7822]  ? trace_hardirqs_on+0x5e/0x230
[ 66.503063][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 66.507889][ T7822]  end_report+0x47/0x4f
[ 66.512023][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 66.516856][ T7822]  kasan_report.cold+0xe/0x40
[ 66.521517][ T7822]  ? __xa_insert+0x210/0x2a0
[ 66.526088][ T7822]  ? cma_check_port+0x8ce/0x8f0
[ 66.530916][ T7822]  __asan_report_load8_noabort+0x14/0x20
[ 66.536526][ T7822]  cma_check_port+0x8ce/0x8f0
[ 66.541232][ T7822]  rdma_bind_addr+0x19c3/0x1f80
[ 66.546087][ T7822]  ? refcount_inc_not_zero_checked+0x144/0x200
[ 66.558358][ T7822]  ? cma_ndev_work_handler+0x1c0/0x1c0
[ 66.563803][ T7822]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 66.570020][ T7822]  ? refcount_inc_checked+0x2b/0x70
[ 66.575304][ T7822]  ? __rdma_create_id+0x40b/0x4e0
[ 66.580310][ T7822]  rdma_create_trans+0x9ad/0x1390
[ 66.585704][ T7822]  ? legacy_get_tree+0xf2/0x200
[ 66.590538][ T7822]  ? post_recv.isra.0+0x550/0x550
[ 66.595542][ T7822]  ? find_held_lock+0x35/0x130
[ 66.600287][ T7822]  ? debug_check_no_obj_freed+0x211/0x444
[ 66.605991][ T7822]  ? kasan_check_write+0x14/0x20
[ 66.610910][ T7822]  ? lock_downgrade+0x880/0x880
[ 66.615742][ T7822]  ? trace_hardirqs_off+0x62/0x220
[ 66.620875][ T7822]  ? kfree+0x173/0x230
[ 66.624937][ T7822]  ? p9_client_create+0x82c/0x1400
[ 66.630026][ T7822]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 66.635289][ T7822]  ? trace_hardirqs_on+0x67/0x230
[ 66.640287][ T7822]  ? p9_client_create+0x82c/0x1400
[ 66.645373][ T7822]  p9_client_create+0x89c/0x1400
[ 66.650324][ T7822]  ? azx_pcm_close+0x290/0x520
[ 66.655078][ T7822]  ? p9_client_zc_rpc.constprop.0+0x10c0/0x10c0
[ 66.661298][ T7822]  ? rcu_read_lock_sched_held+0x110/0x130
[ 66.667152][ T7822]  ? ksys_mount+0xdb/0x150
[ 66.671620][ T7822]  ? lockdep_init_map+0x1be/0x6d0
[ 66.676631][ T7822]  v9fs_session_init+0x1e7/0x1960
[ 66.681633][ T7822]  ? v9fs_session_init+0x1e7/0x1960
[ 66.686805][ T7822]  ? find_held_lock+0x35/0x130
[ 66.691549][ T7822]  ? fs_reclaim_acquire.part.0+0x30/0x30
[ 66.697161][ T7822]  ? azx_pcm_close+0x290/0x520
[ 66.701990][ T7822]  ? v9fs_show_options+0x7e0/0x7e0
[ 66.707085][ T7822]  ? v9fs_mount+0x5e/0x920
[ 66.711668][ T7822]  ? rcu_read_lock_sched_held+0x110/0x130
[ 66.717419][ T7822]  ? kmem_cache_alloc_trace+0x354/0x760
[ 66.722963][ T7822]  ? vfs_parse_fs_string+0x111/0x170
[ 66.728228][ T7822]  ? rcu_read_lock_sched_held+0x110/0x130
[ 66.733965][ T7822]  v9fs_mount+0x7d/0x920
[ 66.738196][ T7822]  ? vfs_parse_fs_param+0x510/0x510
[ 66.743460][ T7822]  ? v9fs_write_inode+0x70/0x70
[ 66.748299][ T7822]  legacy_get_tree+0xf2/0x200
[ 66.752957][ T7822]  vfs_get_tree+0x123/0x450
[ 66.757450][ T7822]  do_mount+0x1436/0x2c40
[ 66.761765][ T7822]  ? copy_mount_string+0x40/0x40
[ 66.766684][ T7822]  ? _copy_from_user+0xdd/0x150
[ 66.771527][ T7822]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 66.777753][ T7822]  ? copy_mount_options+0x280/0x3a0
[ 66.782928][ T7822]  ksys_mount+0xdb/0x150
[ 66.787147][ T7822]  __x64_sys_mount+0xbe/0x150
[ 66.791955][ T7822]  do_syscall_64+0x103/0x610
[ 66.796529][ T7822]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.802402][ T7822] RIP: 0033:0x441209
[ 66.806273][ T7822] Code: e8 3c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 66.825855][ T7822] RSP: 002b:00007fff651fe848 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 66.834250][ T7822] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441209
[ 66.842199][ T7822] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000000
[ 66.850151][ T7822] RBP: 000000000001008e R08: 0000000020000340 R09: 00000000004002c8
[ 66.858099][ T7822] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402030
[ 66.866050][ T7822] R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
[ 66.874851][ T7822] Kernel Offset: disabled
[ 66.879360][ T7822] Rebooting in 86400 seconds..