[ ok ] Starting enhanced syslogd: rsyslogd. [ 67.496543][ T27] audit: type=1800 audit(1578316280.347:25): pid=9326 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 67.516464][ T27] audit: type=1800 audit(1578316280.347:26): pid=9326 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 67.537245][ T27] audit: type=1800 audit(1578316280.357:27): pid=9326 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts. executing program executing program executing program syzkaller login: [ 77.013826][ T9493] ================================================================== [ 77.022115][ T9493] BUG: KASAN: use-after-free in __list_del_entry_valid+0xdc/0xf5 [ 77.029828][ T9493] Read of size 8 at addr ffff8880a73c61e8 by task syz-executor988/9493 [ 77.038037][ T9493] [ 77.040353][ T9493] CPU: 1 PID: 9493 Comm: syz-executor988 Not tainted 5.5.0-rc2-next-20191220-syzkaller #0 [ 77.050222][ T9493] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 77.060264][ T9493] Call Trace: [ 77.063593][ T9493] dump_stack+0x197/0x210 [ 77.067909][ T9493] ? __list_del_entry_valid+0xdc/0xf5 [ 77.073268][ T9493] print_address_description.constprop.0.cold+0xd4/0x30b [ 77.080315][ T9493] ? __list_del_entry_valid+0xdc/0xf5 [ 77.085705][ T9493] ? __list_del_entry_valid+0xdc/0xf5 [ 77.091060][ T9493] __kasan_report.cold+0x1b/0x41 [ 77.095993][ T9493] ? 
__list_del_entry_valid+0xdc/0xf5 [ 77.101351][ T9493] kasan_report+0x12/0x20 [ 77.105682][ T9493] __asan_report_load8_noabort+0x14/0x20 [ 77.111303][ T9493] __list_del_entry_valid+0xdc/0xf5 [ 77.116495][ T9493] cma_cancel_operation+0x2d0/0xa00 [ 77.121677][ T9493] rdma_destroy_id+0x8d/0xb00 [ 77.126334][ T9493] ? _raw_spin_unlock_irqrestore+0x9f/0xe0 [ 77.132123][ T9493] ? complete+0x61/0x80 [ 77.136263][ T9493] ucma_close+0x115/0x310 [ 77.140577][ T9493] __fput+0x2ff/0x890 [ 77.144541][ T9493] ? ucma_free_ctx+0xbc0/0xbc0 [ 77.149304][ T9493] ____fput+0x16/0x20 [ 77.153270][ T9493] task_work_run+0x145/0x1c0 [ 77.157844][ T9493] do_exit+0x909/0x2f20 [ 77.161991][ T9493] ? get_signal+0x2c1/0x24f0 [ 77.166563][ T9493] ? mm_update_next_owner+0x7c0/0x7c0 [ 77.171919][ T9493] ? lock_downgrade+0x920/0x920 [ 77.176754][ T9493] ? _raw_spin_unlock_irq+0x23/0x80 [ 77.181931][ T9493] ? get_signal+0x392/0x24f0 [ 77.186500][ T9493] ? _raw_spin_unlock_irq+0x23/0x80 [ 77.191684][ T9493] do_group_exit+0x135/0x360 [ 77.196254][ T9493] get_signal+0x47c/0x24f0 [ 77.200656][ T9493] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 77.206900][ T9493] ? fsnotify+0x7fd/0xbb0 [ 77.211218][ T9493] do_signal+0x87/0x1700 [ 77.215458][ T9493] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 77.221679][ T9493] ? debug_smp_processor_id+0x33/0x18a [ 77.227121][ T9493] ? rcu_lockdep_current_cpu_online+0xe3/0x130 [ 77.233254][ T9493] ? setup_sigcontext+0x7d0/0x7d0 [ 77.238265][ T9493] ? exit_to_usermode_loop+0x43/0x380 [ 77.243621][ T9493] ? do_syscall_64+0x676/0x790 [ 77.248365][ T9493] ? exit_to_usermode_loop+0x43/0x380 [ 77.253728][ T9493] ? lockdep_hardirqs_on+0x421/0x5e0 [ 77.259006][ T9493] ? trace_hardirqs_on+0x67/0x240 [ 77.264016][ T9493] exit_to_usermode_loop+0x286/0x380 [ 77.269288][ T9493] do_syscall_64+0x676/0x790 [ 77.273861][ T9493] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 77.279740][ T9493] RIP: 0033:0x446da9 [ 77.283631][ T9493] Code: Bad RIP value. 
[ 77.287677][ T9493] RSP: 002b:00007f32fbf32d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 77.296067][ T9493] RAX: fffffffffffffe00 RBX: 00000000006dbc98 RCX: 0000000000446da9 [ 77.304024][ T9493] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc98 [ 77.311982][ T9493] RBP: 00000000006dbc90 R08: 65732f636f72702f R09: 65732f636f72702f [ 77.319937][ T9493] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc9c [ 77.327892][ T9493] R13: 00007f32fbf32d10 R14: 00007f32fbf32d10 R15: 0000000000000000 [ 77.335866][ T9493] [ 77.338175][ T9493] Allocated by task 9493: [ 77.342506][ T9493] save_stack+0x23/0x90 [ 77.346645][ T9493] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 77.352266][ T9493] kasan_kmalloc+0x9/0x10 [ 77.356598][ T9493] kmem_cache_alloc_trace+0x158/0x790 [ 77.361960][ T9493] __rdma_create_id+0x5e/0x560 [ 77.366700][ T9493] ucma_create_id+0x1de/0x620 [ 77.371370][ T9493] ucma_write+0x2d7/0x3c0 [ 77.375682][ T9493] __vfs_write+0x8a/0x110 [ 77.379989][ T9493] vfs_write+0x268/0x5d0 [ 77.384211][ T9493] ksys_write+0x220/0x290 [ 77.388525][ T9493] __x64_sys_write+0x73/0xb0 [ 77.393192][ T9493] do_syscall_64+0xfa/0x790 [ 77.397673][ T9493] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 77.403544][ T9493] [ 77.405854][ T9493] Freed by task 9493: [ 77.409818][ T9493] save_stack+0x23/0x90 [ 77.413962][ T9493] __kasan_slab_free+0x102/0x150 [ 77.418879][ T9493] kasan_slab_free+0xe/0x10 [ 77.423369][ T9493] kfree+0x10a/0x2c0 [ 77.427285][ T9493] rdma_destroy_id+0x75a/0xb00 [ 77.432029][ T9493] ucma_close+0x115/0x310 [ 77.436444][ T9493] __fput+0x2ff/0x890 [ 77.440430][ T9493] ____fput+0x16/0x20 [ 77.444412][ T9493] task_work_run+0x145/0x1c0 [ 77.448983][ T9493] do_exit+0x909/0x2f20 [ 77.453122][ T9493] do_group_exit+0x135/0x360 [ 77.457691][ T9493] get_signal+0x47c/0x24f0 [ 77.462104][ T9493] do_signal+0x87/0x1700 [ 77.466328][ T9493] exit_to_usermode_loop+0x286/0x380 [ 77.471597][ T9493] do_syscall_64+0x676/0x790 [ 77.476168][ T9493] 
entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 77.482034][ T9493] [ 77.484388][ T9493] The buggy address belongs to the object at ffff8880a73c6000 [ 77.484388][ T9493] which belongs to the cache kmalloc-2k of size 2048 [ 77.503808][ T9493] The buggy address is located 488 bytes inside of [ 77.503808][ T9493] 2048-byte region [ffff8880a73c6000, ffff8880a73c6800) [ 77.517142][ T9493] The buggy address belongs to the page: [ 77.522756][ T9493] page:ffffea00029cf180 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 77.531842][ T9493] raw: 00fffe0000000200 ffffea00029cf148 ffffea00029cbac8 ffff8880aa400e00 [ 77.540413][ T9493] raw: 0000000000000000 ffff8880a73c6000 0000000100000001 0000000000000000 [ 77.549003][ T9493] page dumped because: kasan: bad access detected [ 77.555401][ T9493] [ 77.557709][ T9493] Memory state around the buggy address: [ 77.563328][ T9493] ffff8880a73c6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.571371][ T9493] ffff8880a73c6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.579412][ T9493] >ffff8880a73c6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.587452][ T9493] ^ [ 77.594894][ T9493] ffff8880a73c6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.602944][ T9493] ffff8880a73c6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.610990][ T9493] ================================================================== [ 77.619045][ T9493] Disabling lock debugging due to kernel taint [ 77.627105][ T9493] Kernel panic - not syncing: panic_on_warn set ... [ 77.633696][ T9493] CPU: 0 PID: 9493 Comm: syz-executor988 Tainted: G B 5.5.0-rc2-next-20191220-syzkaller #0 [ 77.644944][ T9493] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 77.654982][ T9493] Call Trace: [ 77.658263][ T9493] dump_stack+0x197/0x210 [ 77.662572][ T9493] panic+0x2e3/0x75c [ 77.666441][ T9493] ? add_taint.cold+0x16/0x16 [ 77.671105][ T9493] ? 
__list_del_entry_valid+0xdc/0xf5 [ 77.676454][ T9493] ? preempt_schedule+0x4b/0x60 [ 77.681285][ T9493] ? ___preempt_schedule+0x16/0x18 [ 77.686373][ T9493] ? trace_hardirqs_on+0x5e/0x240 [ 77.691377][ T9493] ? __list_del_entry_valid+0xdc/0xf5 [ 77.696727][ T9493] end_report+0x47/0x4f [ 77.700859][ T9493] ? __list_del_entry_valid+0xdc/0xf5 [ 77.706206][ T9493] __kasan_report.cold+0xe/0x41 [ 77.711032][ T9493] ? __list_del_entry_valid+0xdc/0xf5 [ 77.716381][ T9493] kasan_report+0x12/0x20 [ 77.720687][ T9493] __asan_report_load8_noabort+0x14/0x20 [ 77.726297][ T9493] __list_del_entry_valid+0xdc/0xf5 [ 77.731489][ T9493] cma_cancel_operation+0x2d0/0xa00 [ 77.736664][ T9493] rdma_destroy_id+0x8d/0xb00 [ 77.741315][ T9493] ? _raw_spin_unlock_irqrestore+0x9f/0xe0 [ 77.747112][ T9493] ? complete+0x61/0x80 [ 77.751251][ T9493] ucma_close+0x115/0x310 [ 77.755585][ T9493] __fput+0x2ff/0x890 [ 77.759550][ T9493] ? ucma_free_ctx+0xbc0/0xbc0 [ 77.764305][ T9493] ____fput+0x16/0x20 [ 77.768271][ T9493] task_work_run+0x145/0x1c0 [ 77.773005][ T9493] do_exit+0x909/0x2f20 [ 77.777143][ T9493] ? get_signal+0x2c1/0x24f0 [ 77.781715][ T9493] ? mm_update_next_owner+0x7c0/0x7c0 [ 77.787079][ T9493] ? lock_downgrade+0x920/0x920 [ 77.791908][ T9493] ? _raw_spin_unlock_irq+0x23/0x80 [ 77.797094][ T9493] ? get_signal+0x392/0x24f0 [ 77.801660][ T9493] ? _raw_spin_unlock_irq+0x23/0x80 [ 77.806846][ T9493] do_group_exit+0x135/0x360 [ 77.811424][ T9493] get_signal+0x47c/0x24f0 [ 77.815821][ T9493] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 77.822056][ T9493] ? fsnotify+0x7fd/0xbb0 [ 77.826367][ T9493] do_signal+0x87/0x1700 [ 77.830608][ T9493] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 77.836834][ T9493] ? debug_smp_processor_id+0x33/0x18a [ 77.842274][ T9493] ? rcu_lockdep_current_cpu_online+0xe3/0x130 [ 77.848418][ T9493] ? setup_sigcontext+0x7d0/0x7d0 [ 77.853436][ T9493] ? exit_to_usermode_loop+0x43/0x380 [ 77.858797][ T9493] ? do_syscall_64+0x676/0x790 [ 77.863539][ T9493] ? 
exit_to_usermode_loop+0x43/0x380 [ 77.868903][ T9493] ? lockdep_hardirqs_on+0x421/0x5e0 [ 77.874167][ T9493] ? trace_hardirqs_on+0x67/0x240 [ 77.879169][ T9493] exit_to_usermode_loop+0x286/0x380 [ 77.884432][ T9493] do_syscall_64+0x676/0x790 [ 77.889016][ T9493] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 77.894890][ T9493] RIP: 0033:0x446da9 [ 77.898770][ T9493] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 77.918360][ T9493] RSP: 002b:00007f32fbf32d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 77.926752][ T9493] RAX: fffffffffffffe00 RBX: 00000000006dbc98 RCX: 0000000000446da9 [ 77.934710][ T9493] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc98 [ 77.942663][ T9493] RBP: 00000000006dbc90 R08: 65732f636f72702f R09: 65732f636f72702f [ 77.950621][ T9493] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc9c [ 77.958572][ T9493] R13: 00007f32fbf32d10 R14: 00007f32fbf32d10 R15: 0000000000000000 [ 77.967949][ T9493] Kernel Offset: disabled [ 77.972277][ T9493] Rebooting in 86400 seconds..