Warning: Permanently added '10.128.0.215' (ECDSA) to the list of known hosts.
2020/03/29 19:49:08 parsed 1 programs
syzkaller login: [ 60.089899][ T7022] ld (7022) used greatest stack depth: 23248 bytes left
2020/03/29 19:49:11 executed programs: 0
[ 60.297149][ T7027] IPVS: ftp: loaded support on port[0] = 21
[ 60.390432][ T7027] chnl_net:caif_netlink_parms(): no params data found
[ 60.442398][ T7027] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.449960][ T7027] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.458785][ T7027] device bridge_slave_0 entered promiscuous mode
[ 60.469227][ T7027] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.477146][ T7027] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.485239][ T7027] device bridge_slave_1 entered promiscuous mode
[ 60.505363][ T7027] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 60.517041][ T7027] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 60.540254][ T7027] team0: Port device team_slave_0 added
[ 60.547686][ T7027] team0: Port device team_slave_1 added
[ 60.565518][ T7027] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 60.572585][ T7027] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 60.598746][ T7027] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 60.611136][ T7027] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 60.618209][ T7027] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 60.644229][ T7027] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 60.705595][ T7027] device hsr_slave_0 entered promiscuous mode
[ 60.742792][ T7027] device hsr_slave_1 entered promiscuous mode
[ 60.895818][ T7027] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 60.955398][ T7027] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 61.014919][ T7027] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 61.064802][ T7027] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 61.138104][ T7027] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.145369][ T7027] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.153423][ T7027] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.161397][ T7027] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.208883][ T7027] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.225099][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 61.235944][ T2692] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.245029][ T2692] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.254055][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 61.269183][ T7027] 8021q: adding VLAN 0 to HW filter on device team0
[ 61.280668][ T3394] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 61.290575][ T3394] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.297893][ T3394] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.309897][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 61.320439][ T2692] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.327716][ T2692] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.353979][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 61.363534][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 61.373765][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 61.386327][ T7027] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 61.398962][ T7027] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 61.409013][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 61.416948][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 61.437129][ T3394] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 61.444879][ T3394] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 61.459039][ T7027] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 61.484419][ T3394] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 61.493612][ T3394] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 61.513376][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 61.522879][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 61.533363][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 61.541131][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 61.551099][ T7027] device veth0_vlan entered promiscuous mode
[ 61.563077][ T7027] device veth1_vlan entered promiscuous mode
[ 61.586554][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 61.595585][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 61.604447][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 61.613772][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 61.624880][ T7027] device veth0_macvtap entered promiscuous mode
[ 61.637968][ T7027] device veth1_macvtap entered promiscuous mode
[ 61.655863][ T7027] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 61.664683][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 61.674207][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 61.683908][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 61.692940][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 61.707130][ T7027] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 61.715747][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 61.725182][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 61.957247][ T7244] ==================================================================
[ 61.965586][ T7244] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 61.972795][ T7244] Read of size 8 at addr ffff8880a24e11e0 by task syz-executor.0/7244
[ 61.980925][ T7244]
[ 61.983258][ T7244] CPU: 1 PID: 7244 Comm: syz-executor.0 Not tainted 5.6.0-rc7-syzkaller #0
[ 61.991820][ T7244] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.001943][ T7244] Call Trace:
[ 62.005225][ T7244] dump_stack+0x188/0x20d
[ 62.009650][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.014598][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.019436][ T7244] print_address_description.constprop.0.cold+0xd3/0x315
[ 62.026442][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.031289][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.036129][ T7244] __kasan_report.cold+0x1a/0x32
[ 62.041055][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.045898][ T7244] kasan_report+0xe/0x20
[ 62.050148][ T7244] __list_add_valid+0x93/0xa0
[ 62.054815][ T7244] rdma_listen+0x681/0x910
[ 62.059217][ T7244] ucma_listen+0x14d/0x1c0
[ 62.063617][ T7244] ? ucma_notify+0x190/0x190
[ 62.068192][ T7244] ? __might_fault+0x190/0x1d0
[ 62.074342][ T7244] ? _copy_from_user+0x123/0x190
[ 62.079389][ T7244] ? ucma_notify+0x190/0x190
[ 62.083965][ T7244] ucma_write+0x285/0x350
[ 62.088278][ T7244] ? ucma_open+0x270/0x270
[ 62.092682][ T7244] ? security_file_permission+0x8a/0x370
[ 62.098374][ T7244] ? ucma_open+0x270/0x270
[ 62.102782][ T7244] __vfs_write+0x76/0x100
[ 62.107125][ T7244] vfs_write+0x262/0x5c0
[ 62.111356][ T7244] ksys_write+0x1e8/0x250
[ 62.115674][ T7244] ? __ia32_sys_read+0xb0/0xb0
[ 62.120420][ T7244] ? __ia32_sys_clock_settime+0x260/0x260
[ 62.126123][ T7244] ? trace_hardirqs_off_caller+0x55/0x230
[ 62.131837][ T7244] do_syscall_64+0xf6/0x7d0
[ 62.136331][ T7244] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.142211][ T7244] RIP: 0033:0x45c849
[ 62.146114][ T7244] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.166371][ T7244] RSP: 002b:00007f642e37bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 62.174771][ T7244] RAX: ffffffffffffffda RBX: 00007f642e37c6d4 RCX: 000000000045c849
[ 62.182733][ T7244] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 62.190690][ T7244] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 62.198673][ T7244] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 62.207996][ T7244] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bf0c
[ 62.215991][ T7244]
[ 62.218307][ T7244] Allocated by task 7237:
[ 62.222634][ T7244] save_stack+0x1b/0x80
[ 62.226784][ T7244] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.232413][ T7244] kmem_cache_alloc_trace+0x153/0x7d0
[ 62.237765][ T7244] __rdma_create_id+0x5b/0x850
[ 62.242509][ T7244] ucma_create_id+0x1cb/0x580
[ 62.247171][ T7244] ucma_write+0x285/0x350
[ 62.251483][ T7244] __vfs_write+0x76/0x100
[ 62.256051][ T7244] vfs_write+0x262/0x5c0
[ 62.260275][ T7244] ksys_write+0x1e8/0x250
[ 62.264689][ T7244] do_syscall_64+0xf6/0x7d0
[ 62.269175][ T7244] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.275056][ T7244]
[ 62.277365][ T7244] Freed by task 7237:
[ 62.281341][ T7244] save_stack+0x1b/0x80
[ 62.285482][ T7244] __kasan_slab_free+0xf7/0x140
[ 62.290327][ T7244] kfree+0x109/0x2b0
[ 62.294223][ T7244] ucma_close+0x10b/0x300
[ 62.298545][ T7244] __fput+0x2da/0x850
[ 62.302517][ T7244] task_work_run+0x13f/0x1b0
[ 62.307136][ T7244] exit_to_usermode_loop+0x2fa/0x360
[ 62.312441][ T7244] do_syscall_64+0x6b1/0x7d0
[ 62.317040][ T7244] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.322925][ T7244]
[ 62.325239][ T7244] The buggy address belongs to the object at ffff8880a24e1000
[ 62.325239][ T7244] which belongs to the cache kmalloc-2k of size 2048
[ 62.339277][ T7244] The buggy address is located 480 bytes inside of
[ 62.339277][ T7244] 2048-byte region [ffff8880a24e1000, ffff8880a24e1800)
[ 62.352670][ T7244] The buggy address belongs to the page:
[ 62.358292][ T7244] page:ffffea0002893840 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 62.367415][ T7244] flags: 0xfffe0000000200(slab)
[ 62.372268][ T7244] raw: 00fffe0000000200 ffffea00028a4908 ffffea0002898dc8 ffff8880aa000e00
[ 62.380903][ T7244] raw: 0000000000000000 ffff8880a24e1000 0000000100000001 0000000000000000
[ 62.389486][ T7244] page dumped because: kasan: bad access detected
[ 62.395961][ T7244]
[ 62.398275][ T7244] Memory state around the buggy address:
[ 62.403889][ T7244] ffff8880a24e1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.411941][ T7244] ffff8880a24e1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.419994][ T7244] >ffff8880a24e1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.428070][ T7244] ^
[ 62.435256][ T7244] ffff8880a24e1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.443434][ T7244] ffff8880a24e1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.451530][ T7244] ==================================================================
[ 62.459585][ T7244] Disabling lock debugging due to kernel taint
[ 62.470157][ T7244] Kernel panic - not syncing: panic_on_warn set ...
[ 62.476782][ T7244] CPU: 1 PID: 7244 Comm: syz-executor.0 Tainted: G B 5.6.0-rc7-syzkaller #0
[ 62.486753][ T7244] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.496924][ T7244] Call Trace:
[ 62.500225][ T7244] dump_stack+0x188/0x20d
[ 62.504580][ T7244] panic+0x2e3/0x75c
[ 62.508616][ T7244] ? add_taint.cold+0x16/0x16
[ 62.513289][ T7244] ? preempt_schedule_common+0x5e/0xc0
[ 62.518742][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.523612][ T7244] ? ___preempt_schedule+0x16/0x18
[ 62.528728][ T7244] ? trace_hardirqs_on+0x55/0x220
[ 62.533747][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.538585][ T7244] end_report+0x43/0x49
[ 62.542731][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.550962][ T7244] __kasan_report.cold+0xd/0x32
[ 62.556293][ T7244] ? __list_add_valid+0x93/0xa0
[ 62.561188][ T7244] kasan_report+0xe/0x20
[ 62.565422][ T7244] __list_add_valid+0x93/0xa0
[ 62.570097][ T7244] rdma_listen+0x681/0x910
[ 62.574516][ T7244] ucma_listen+0x14d/0x1c0
[ 62.578931][ T7244] ? ucma_notify+0x190/0x190
[ 62.583579][ T7244] ? __might_fault+0x190/0x1d0
[ 62.588397][ T7244] ? _copy_from_user+0x123/0x190
[ 62.593399][ T7244] ? ucma_notify+0x190/0x190
[ 62.597982][ T7244] ucma_write+0x285/0x350
[ 62.602299][ T7244] ? ucma_open+0x270/0x270
[ 62.606720][ T7244] ? security_file_permission+0x8a/0x370
[ 62.612786][ T7244] ? ucma_open+0x270/0x270
[ 62.617200][ T7244] __vfs_write+0x76/0x100
[ 62.621588][ T7244] vfs_write+0x262/0x5c0
[ 62.625844][ T7244] ksys_write+0x1e8/0x250
[ 62.630199][ T7244] ? __ia32_sys_read+0xb0/0xb0
[ 62.634960][ T7244] ? __ia32_sys_clock_settime+0x260/0x260
[ 62.640800][ T7244] ? trace_hardirqs_off_caller+0x55/0x230
[ 62.646656][ T7244] do_syscall_64+0xf6/0x7d0
[ 62.651181][ T7244] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.657127][ T7244] RIP: 0033:0x45c849
[ 62.661006][ T7244] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.680690][ T7244] RSP: 002b:00007f642e37bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 62.689094][ T7244] RAX: ffffffffffffffda RBX: 00007f642e37c6d4 RCX: 000000000045c849
[ 62.697100][ T7244] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 62.705110][ T7244] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 62.713072][ T7244] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 62.721091][ T7244] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bf0c
[ 62.730511][ T7244] Kernel Offset: disabled
[ 62.734854][ T7244] Rebooting in 86400 seconds..