[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login:
[ 37.338526] audit: type=1400 audit(1602146344.353:8): avc:  denied  { execmem } for  pid=6382 comm="syz-executor127" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 37.386907] ==================================================================
[ 37.394351] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 37.400831] Read of size 8 at addr ffff8880a0491898 by task syz-executor127/6399
[ 37.408336]
[ 37.409939] CPU: 0 PID: 6399 Comm: syz-executor127 Not tainted 4.14.198-syzkaller #0
[ 37.417790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.427117] Call Trace:
[ 37.429682]  dump_stack+0x1b2/0x283
[ 37.433289]  print_address_description.cold+0x54/0x1d3
[ 37.438541]  kasan_report_error.cold+0x8a/0x194
[ 37.443188]  ? __list_add_valid+0x93/0xa0
[ 37.447351]  __asan_report_load8_noabort+0x68/0x70
[ 37.452261]  ? __list_add_valid+0x93/0xa0
[ 37.456385]  __list_add_valid+0x93/0xa0
[ 37.460336]  rdma_listen+0x656/0x9b0
[ 37.464026]  ucma_listen+0x10b/0x170
[ 37.467728]  ? ucma_bind_ip+0x150/0x150
[ 37.471682]  ? _copy_from_user+0x96/0x100
[ 37.475808]  ? ucma_bind_ip+0x150/0x150
[ 37.479755]  ucma_write+0x206/0x2c0
[ 37.483358]  ? ucma_set_ib_path+0x510/0x510
[ 37.487655]  __vfs_write+0xe4/0x630
[ 37.491256]  ? ucma_set_ib_path+0x510/0x510
[ 37.495553]  ? kernel_read+0x110/0x110
[ 37.499415]  ? avc_policy_seqno+0x5/0x10
[ 37.503451]  ? selinux_file_permission+0x7e/0x530
[ 37.508276]  ? security_file_permission+0x82/0x1e0
[ 37.513179]  ? rw_verify_area+0xe1/0x2a0
[ 37.517212]  vfs_write+0x17f/0x4d0
[ 37.520727]  SyS_write+0xf2/0x210
[ 37.524162]  ? SyS_read+0x210/0x210
[ 37.527771]  ? do_syscall_64+0x4c/0x640
[ 37.531717]  ? SyS_read+0x210/0x210
[ 37.535320]  do_syscall_64+0x1d5/0x640
[ 37.539184]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.544349] RIP: 0033:0x441489
[ 37.547523] RSP: 002b:00007fffebf8a5d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 37.555223] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441489
[ 37.562465] RDX: 0000000000000010 RSI: 0000000020002b80 RDI: 0000000000000004
[ 37.569709] RBP: 0000000000009223 R08: 00000000004002c8 R09: 00000000004002c8
[ 37.576964] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402230
[ 37.584209] R13: 00000000004022c0 R14: 0000000000000000 R15: 0000000000000000
[ 37.591458]
[ 37.593060] Allocated by task 6383:
[ 37.596663]  kasan_kmalloc+0xeb/0x160
[ 37.600443]  kmem_cache_alloc_trace+0x131/0x3d0
[ 37.605091]  rdma_create_id+0x57/0x4c0
[ 37.609905]  ucma_create_id+0x18b/0x500
[ 37.613850]  ucma_write+0x206/0x2c0
[ 37.617448]  __vfs_write+0xe4/0x630
[ 37.621045]  vfs_write+0x17f/0x4d0
[ 37.624572]  SyS_write+0xf2/0x210
[ 37.627999]  do_syscall_64+0x1d5/0x640
[ 37.631859]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.637017]
[ 37.638619] Freed by task 6383:
[ 37.641874]  kasan_slab_free+0xc3/0x1a0
[ 37.645823]  kfree+0xc9/0x250
[ 37.648912]  ucma_close+0x11a/0x340
[ 37.652556]  __fput+0x25f/0x7a0
[ 37.655811]  task_work_run+0x11f/0x190
[ 37.659674]  do_exit+0xa08/0x27f0
[ 37.663100]  do_group_exit+0x100/0x2e0
[ 37.666964]  SyS_exit_group+0x19/0x20
[ 37.670736]  do_syscall_64+0x1d5/0x640
[ 37.674600]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.679759]
[ 37.681362] The buggy address belongs to the object at ffff8880a04916c0
[ 37.681362]  which belongs to the cache kmalloc-1024 of size 1024
[ 37.694283] The buggy address is located 472 bytes inside of
[ 37.694283]  1024-byte region [ffff8880a04916c0, ffff8880a0491ac0)
[ 37.706222] The buggy address belongs to the page:
[ 37.711125] page:ffffea0002812400 count:1 mapcount:0 mapping:ffff8880a0490040 index:0x0 compound_mapcount: 0
[ 37.721064] flags: 0xfffe0000008100(slab|head)
[ 37.725619] raw: 00fffe0000008100 ffff8880a0490040 0000000000000000 0000000100000007
[ 37.733473] raw: ffffea0002a95620 ffffea00027ff3a0 ffff88812fe50ac0 0000000000000000
[ 37.741323] page dumped because: kasan: bad access detected
[ 37.747004]
[ 37.748601] Memory state around the buggy address:
[ 37.753513]  ffff8880a0491780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.760857]  ffff8880a0491800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.768191] >ffff8880a0491880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.775522]                             ^
[ 37.779643]  ffff8880a0491900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.786989]  ffff8880a0491980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.794325] ==================================================================
[ 37.801660] Disabling lock debugging due to kernel taint
[ 37.807356] Kernel panic - not syncing: panic_on_warn set ...
[ 37.807356]
[ 37.814710] CPU: 0 PID: 6399 Comm: syz-executor127 Tainted: G    B   4.14.198-syzkaller #0
[ 37.823790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.833127] Call Trace:
[ 37.835696]  dump_stack+0x1b2/0x283
[ 37.839302]  panic+0x1f9/0x42d
[ 37.842522]  ? add_taint.cold+0x16/0x16
[ 37.846471]  ? ___preempt_schedule+0x16/0x18
[ 37.850855]  kasan_end_report+0x43/0x49
[ 37.854823]  kasan_report_error.cold+0xa7/0x194
[ 37.859465]  ? __list_add_valid+0x93/0xa0
[ 37.863625]  __asan_report_load8_noabort+0x68/0x70
[ 37.868529]  ? __list_add_valid+0x93/0xa0
[ 37.872649]  __list_add_valid+0x93/0xa0
[ 37.876599]  rdma_listen+0x656/0x9b0
[ 37.880341]  ucma_listen+0x10b/0x170
[ 37.884029]  ? ucma_bind_ip+0x150/0x150
[ 37.887987]  ? _copy_from_user+0x96/0x100
[ 37.892113]  ? ucma_bind_ip+0x150/0x150
[ 37.896065]  ucma_write+0x206/0x2c0
[ 37.899667]  ? ucma_set_ib_path+0x510/0x510
[ 37.903964]  __vfs_write+0xe4/0x630
[ 37.907560]  ? ucma_set_ib_path+0x510/0x510
[ 37.911853]  ? kernel_read+0x110/0x110
[ 37.915714]  ? avc_policy_seqno+0x5/0x10
[ 37.919758]  ? selinux_file_permission+0x7e/0x530
[ 37.924582]  ? security_file_permission+0x82/0x1e0
[ 37.929489]  ? rw_verify_area+0xe1/0x2a0
[ 37.933533]  vfs_write+0x17f/0x4d0
[ 37.937059]  SyS_write+0xf2/0x210
[ 37.940493]  ? SyS_read+0x210/0x210
[ 37.944104]  ? do_syscall_64+0x4c/0x640
[ 37.948050]  ? SyS_read+0x210/0x210
[ 37.951650]  do_syscall_64+0x1d5/0x640
[ 37.955516]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.960675] RIP: 0033:0x441489
[ 37.963836] RSP: 002b:00007fffebf8a5d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 37.971527] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441489
[ 37.978777] RDX: 0000000000000010 RSI: 0000000020002b80 RDI: 0000000000000004
[ 37.986019] RBP: 0000000000009223 R08: 00000000004002c8 R09: 00000000004002c8
[ 37.993265] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402230
[ 38.000553] R13: 00000000004022c0 R14: 0000000000000000 R15: 0000000000000000
[ 38.009140] Kernel Offset: disabled
[ 38.012787] Rebooting in 86400 seconds..
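What the report above says, read section by section: the object is a kmalloc-1024 allocation made by rdma_create_id() on behalf of ucma_create_id() in task 6383; the same task freed it through ucma_close() while exiting (SyS_exit_group -> do_exit -> __fput); a different task, 6399, then wrote to the ucma file and reached rdma_listen(), which touched the freed object 472 bytes in (0xffff8880a0491898 - 0xffff8880a04916c0 = 0x1d8). The alloc/free task differing from the accessing task is what marks this as a lifetime race between close and a concurrent command rather than a simple double use in one path. The helper below is an added example, not part of the syzkaller report or of the kernel: it parses a KASAN report into its pieces, re-derives the offset and checks it against the one KASAN printed, and flags the cross-task free. SAMPLE is a constructed, trimmed excerpt of this page's report (timestamps and most frames dropped); the regexes, the PLUMBING list and the "first owned frame" heuristic are this example's own assumptions about the report layout.

```python
import re

# Constructed sample: a trimmed excerpt of the KASAN report on this page (timestamps dropped).
SAMPLE = """\
BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
Read of size 8 at addr ffff8880a0491898 by task syz-executor127/6399
Call Trace:
 __list_add_valid+0x93/0xa0
 rdma_listen+0x656/0x9b0
 ucma_listen+0x10b/0x170
 ? ucma_bind_ip+0x150/0x150
 ucma_write+0x206/0x2c0
Allocated by task 6383:
 kasan_kmalloc+0xeb/0x160
 rdma_create_id+0x57/0x4c0
 ucma_create_id+0x18b/0x500
Freed by task 6383:
 kasan_slab_free+0xc3/0x1a0
 kfree+0xc9/0x250
 ucma_close+0x11a/0x340
The buggy address belongs to the object at ffff8880a04916c0
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 472 bytes inside of
 1024-byte region [ffff8880a04916c0, ffff8880a0491ac0)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[ 37.394351] " dmesg prefix, if present
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size \d+ at addr (?P<addr>[0-9a-f]+)"
                       r" by task \S+/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
STACK_RE = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
OBJ_RE = re.compile(r"object at (?P<base>[0-9a-f]+)$")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)$")
LOCATED_RE = re.compile(r"located (?P<off>\d+) bytes inside")
# Report and allocator plumbing: frames that never own the object or explain the bug (assumed list).
PLUMBING = ("kasan_", "kmem_cache_", "kmalloc", "kfree", "__asan_", "dump_stack", "print_address")


def first_owned(frames):  # first frame below the plumbing: the code that owns the object
    return next((f for f in frames if not f.startswith(PLUMBING)), None)


def parse_kasan(text: str) -> dict:
    rep = {"stacks": {}, "stack_pid": {}}  # stacks: "trace" / "allocated" / "freed"
    section = None                         # the stack currently being collected, if any
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line or line.startswith("? "):  # "? foo" is a stale return address: skip it
            continue
        if m := HEADER_RE.match(line):
            rep["bug"], rep["func"] = m["bug"], m["func"]
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["addr"], rep["pid"] = m["kind"], int(m["addr"], 16), int(m["pid"])
        elif line == "Call Trace:":  # keep the first (faulting) trace, not the later panic one
            section = None if "trace" in rep["stacks"] else rep["stacks"].setdefault("trace", [])
        elif m := STACK_RE.match(line):
            which = m["which"].lower()
            rep["stack_pid"][which] = int(m["pid"])
            section = rep["stacks"].setdefault(which, [])
        elif m := OBJ_RE.search(line):
            rep["obj_base"], section = int(m["base"], 16), None
        elif m := CACHE_RE.search(line):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
        elif m := LOCATED_RE.search(line):
            rep["reported_offset"] = int(m["off"])
        elif section is not None and (m := FRAME_RE.match(line)):
            section.append(m["fn"])
    return rep


def triage(rep: dict) -> dict:
    """Facts to pull out first. 'consistent' re-derives the access offset from the two
    addresses and checks it against the offset KASAN printed and the object bounds."""
    off = rep["addr"] - rep["obj_base"] if "obj_base" in rep else None
    freed_by = rep["stack_pid"].get("freed")
    return {
        "bug": f'{rep["bug"]} in {rep["func"]}',
        "access": f'{rep["access"]} at +{off} in {rep.get("cache")} by pid {rep["pid"]}',
        "consistent": off is not None and off == rep.get("reported_offset") and 0 <= off < rep.get("obj_size", 0),
        "cross_task": freed_by is not None and freed_by != rep["pid"],
        "alloc_site": first_owned(rep["stacks"].get("allocated", [])),
        "free_site": first_owned(rep["stacks"].get("freed", [])),
        "top_frames": [f for f in rep["stacks"].get("trace", []) if not f.startswith(PLUMBING)][:3],
    }


if __name__ == "__main__":
    for key, val in triage(parse_kasan(SAMPLE)).items():
        print(f"{key:>10}: {val}")
```

Feed it the full console log (with the dmesg timestamps) and it behaves the same: the prefix is stripped, speculative "?" frames are dropped, and the second Call Trace that belongs to the panic is ignored. The "consistent" check is the one worth keeping in any such script; an offset that does not match the printed one usually means the report was cut or two reports were interleaved.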