[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 43.502064] can: request_module (can-proto-0) failed.
[ 43.511062] can: request_module (can-proto-0) failed.
[ 44.398661] IPVS: ftp: loaded support on port[0] = 21
[ 44.968986] 8021q: adding VLAN 0 to HW filter on device bond0
[ 45.037851] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.561887] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts.
2019/08/13 20:34:50 parsed 1 programs
2019/08/13 20:34:50 executed programs: 0
[ 52.423277] IPVS: ftp: loaded support on port[0] = 21
[ 52.433821] IPVS: ftp: loaded support on port[0] = 21
[ 52.461694] IPVS: ftp: loaded support on port[0] = 21
[ 52.470506] IPVS: ftp: loaded support on port[0] = 21
[ 52.473211] IPVS: ftp: loaded support on port[0] = 21
[ 52.482261] IPVS: ftp: loaded support on port[0] = 21
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 53.862777] ==================================================================
[ 53.870302] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe7/0xf3
[ 53.877329] Read of size 8 at addr ffff8881c75c0ca8 by task syz-executor4/4968
[ 53.884691]
[ 53.886325] CPU: 1 PID: 4968 Comm: syz-executor4 Not tainted 5.3.0-rc4+ #1
[ 53.893470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.902821] Call Trace:
[ 53.905402]  dump_stack+0x115/0x167
[ 53.909017]  ? __list_del_entry_valid+0xe7/0xf3
[ 53.913672]  print_address_description+0x6f/0x2fe
[ 53.918503]  ? __list_del_entry_valid+0xe7/0xf3
[ 53.923159]  ? __list_del_entry_valid+0xe7/0xf3
[ 53.927816]  __kasan_report.cold.7+0x1b/0x3f
[ 53.932215]  ? __list_del_entry_valid+0xe7/0xf3
[ 53.936866]  kasan_report+0x12/0x17
[ 53.940477]  __asan_report_load8_noabort+0x14/0x20
[ 53.945393]  __list_del_entry_valid+0xe7/0xf3
[ 53.949981]  cma_cancel_operation+0x2f7/0x9c0
[ 53.954516]  ? __kasan_check_read+0x11/0x20
[ 53.958917]  rdma_destroy_id+0x8d/0x9c0
[ 53.962885]  ? complete+0x62/0x80
[ 53.966337]  ucma_close+0x101/0x2d0
[ 53.969972]  __fput+0x25a/0x780
[ 53.973244]  ? _raw_spin_unlock_irq+0x27/0x70
[ 53.977736]  ____fput+0x9/0x10
[ 53.980932]  task_work_run+0x10e/0x190
[ 53.984917]  do_exit+0x79f/0x2d40
[ 53.988358]  ? mm_update_next_owner+0x650/0x650
[ 53.993011]  ? get_signal+0x2c4/0x1d10
[ 53.996887]  ? lock_downgrade+0x900/0x900
[ 54.001125]  ? __kasan_check_write+0x14/0x20
[ 54.005519]  ? do_raw_spin_lock+0x123/0x2d0
[ 54.009826]  ? _raw_spin_unlock_irq+0x27/0x70
[ 54.014304]  ? get_signal+0x2c4/0x1d10
[ 54.018375]  do_group_exit+0xf4/0x2e0
[ 54.022161]  get_signal+0x368/0x1d10
[ 54.025859]  ? __kasan_check_write+0x14/0x20
[ 54.030253]  ? _copy_from_user+0xd6/0x110
[ 54.034391]  do_signal+0x87/0x16c0
[ 54.037912]  ? setup_sigcontext+0x7d0/0x7d0
[ 54.042318]  ? __x64_sys_futex+0x1cb/0x390
[ 54.046652]  ? exit_to_usermode_loop+0x3a/0x210
[ 54.051313]  ? do_syscall_64+0x468/0x550
[ 54.055363]  ? lockdep_hardirqs_on+0x424/0x5c0
[ 54.059927]  ? exit_to_usermode_loop+0x3a/0x210
[ 54.064590]  ? trace_hardirqs_on+0x28/0x180
[ 54.068899]  exit_to_usermode_loop+0x114/0x210
[ 54.073468]  do_syscall_64+0x468/0x550
[ 54.077349]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.082580] RIP: 0033:0x455429
[ 54.085920] Code: Bad RIP value.
[ 54.089277] RSP: 002b:00007f0031af7ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 54.096973] RAX: fffffffffffffe00 RBX: 000000000072bec8 RCX: 0000000000455429
[ 54.104496] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bec8
[ 54.111748] RBP: 000000000072bec8 R08: 0000000000000000 R09: 000000000072bea0
[ 54.119023] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 54.126280] R13: 00007ffc3197c72f R14: 00007f0031af89c0 R15: 0000000000000000
[ 54.133541]
[ 54.135152] Allocated by task 4968:
[ 54.138853]  save_stack+0x21/0x90
[ 54.142291]  __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 54.147206]  kasan_kmalloc+0x9/0x10
[ 54.150831]  kmem_cache_alloc_trace+0x15b/0x760
[ 54.155575]  __rdma_create_id+0x5c/0x4d0
[ 54.159630]  ucma_create_id+0x199/0x550
[ 54.163610]  ucma_write+0x206/0x2e0
[ 54.167238]  __vfs_write+0x61/0x110
[ 54.171026]  vfs_write+0x191/0x4c0
[ 54.174571]  ksys_write+0x197/0x220
[ 54.178193]  __x64_sys_write+0x6e/0xb0
[ 54.182073]  do_syscall_64+0xd6/0x550
[ 54.185892]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.191058]
[ 54.192702] Freed by task 4968:
[ 54.195971]  save_stack+0x21/0x90
[ 54.199402]  __kasan_slab_free+0x11a/0x170
[ 54.203632]  kasan_slab_free+0xe/0x10
[ 54.207411]  kfree+0xfa/0x290
[ 54.210500]  rdma_destroy_id+0x5f3/0x9c0
[ 54.214571]  ucma_close+0x101/0x2d0
[ 54.218209]  __fput+0x25a/0x780
[ 54.221470]  ____fput+0x9/0x10
[ 54.224642]  task_work_run+0x10e/0x190
[ 54.228514]  do_exit+0x79f/0x2d40
[ 54.231945]  do_group_exit+0xf4/0x2e0
[ 54.235722]  get_signal+0x368/0x1d10
[ 54.239447]  do_signal+0x87/0x16c0
[ 54.242979]  exit_to_usermode_loop+0x114/0x210
[ 54.247563]  do_syscall_64+0x468/0x550
[ 54.251437]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.256617]
[ 54.258233] The buggy address belongs to the object at ffff8881c75c0ac0
[ 54.258233]  which belongs to the cache kmalloc-2k of size 2048
[ 54.270954] The buggy address is located 488 bytes inside of
[ 54.270954]  2048-byte region [ffff8881c75c0ac0, ffff8881c75c12c0)
[ 54.282924] The buggy address belongs to the page:
[ 54.287931] page:ffffea00071d7000 refcount:1 mapcount:0 mapping:ffff8881da000e00 index:0x0 compound_mapcount: 0
[ 54.298149] flags: 0x2fffc0000010200(slab|head)
[ 54.302852] raw: 02fffc0000010200 ffffea00071ccd88 ffffea00071d1c88 ffff8881da000e00
[ 54.310725] raw: 0000000000000000 ffff8881c75c0240 0000000100000003 0000000000000000
[ 54.318630] page dumped because: kasan: bad access detected
[ 54.324332]
[ 54.325953] Memory state around the buggy address:
[ 54.330874]  ffff8881c75c0b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.338216]  ffff8881c75c0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.345558] >ffff8881c75c0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.352895]                             ^
[ 54.357544]  ffff8881c75c0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.364906]  ffff8881c75c0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.372255] ==================================================================
[ 54.379608] Disabling lock debugging due to kernel taint
[ 54.385228] Kernel panic - not syncing: panic_on_warn set ...
[ 54.391116] CPU: 1 PID: 4968 Comm: syz-executor4 Tainted: G    B   5.3.0-rc4+ #1
[ 54.399502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.408841] Call Trace:
[ 54.411424]  dump_stack+0x115/0x167
[ 54.415038]  ? __list_del_entry_valid+0x10/0xf3
[ 54.419686]  panic+0x223/0x4ee
[ 54.422854]  ? add_taint.cold.7+0x11/0x11
[ 54.426978]  ? do_raw_spin_unlock+0x54/0x260
[ 54.431372]  ? do_raw_spin_unlock+0x54/0x260
[ 54.435786]  ? __list_del_entry_valid+0xe7/0xf3
[ 54.440438]  ? __list_del_entry_valid+0xe7/0xf3
[ 54.445088]  end_report+0x47/0x4f
[ 54.448531]  __kasan_report.cold.7+0xe/0x3f
[ 54.452836]  ? __list_del_entry_valid+0xe7/0xf3
[ 54.457489]  kasan_report+0x12/0x17
[ 54.461098]  __asan_report_load8_noabort+0x14/0x20
[ 54.466016]  __list_del_entry_valid+0xe7/0xf3
[ 54.470502]  cma_cancel_operation+0x2f7/0x9c0
[ 54.474980]  ? __kasan_check_read+0x11/0x20
[ 54.479389]  rdma_destroy_id+0x8d/0x9c0
[ 54.483345]  ? complete+0x62/0x80
[ 54.486784]  ucma_close+0x101/0x2d0
[ 54.490389]  __fput+0x25a/0x780
[ 54.493648]  ? _raw_spin_unlock_irq+0x27/0x70
[ 54.498126]  ____fput+0x9/0x10
[ 54.501296]  task_work_run+0x10e/0x190
[ 54.505168]  do_exit+0x79f/0x2d40
[ 54.508617]  ? mm_update_next_owner+0x650/0x650
[ 54.513269]  ? get_signal+0x2c4/0x1d10
[ 54.517139]  ? lock_downgrade+0x900/0x900
[ 54.521282]  ? __kasan_check_write+0x14/0x20
[ 54.525674]  ? do_raw_spin_lock+0x123/0x2d0
[ 54.529982]  ? _raw_spin_unlock_irq+0x27/0x70
[ 54.534458]  ? get_signal+0x2c4/0x1d10
[ 54.538346]  do_group_exit+0xf4/0x2e0
[ 54.542135]  get_signal+0x368/0x1d10
[ 54.545852]  ? __kasan_check_write+0x14/0x20
[ 54.550242]  ? _copy_from_user+0xd6/0x110
[ 54.554372]  do_signal+0x87/0x16c0
[ 54.557904]  ? setup_sigcontext+0x7d0/0x7d0
[ 54.562204]  ? __x64_sys_futex+0x1cb/0x390
[ 54.566424]  ? exit_to_usermode_loop+0x3a/0x210
[ 54.571075]  ? do_syscall_64+0x468/0x550
[ 54.575124]  ? lockdep_hardirqs_on+0x424/0x5c0
[ 54.579683]  ? exit_to_usermode_loop+0x3a/0x210
[ 54.584352]  ? trace_hardirqs_on+0x28/0x180
[ 54.588705]  exit_to_usermode_loop+0x114/0x210
[ 54.593283]  do_syscall_64+0x468/0x550
[ 54.597178]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.602367] RIP: 0033:0x455429
[ 54.605549] Code: Bad RIP value.
[ 54.608984] RSP: 002b:00007f0031af7ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 54.616671] RAX: fffffffffffffe00 RBX: 000000000072bec8 RCX: 0000000000455429
[ 54.623921] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bec8
[ 54.631171] RBP: 000000000072bec8 R08: 0000000000000000 R09: 000000000072bea0
[ 54.638530] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 54.645783] R13: 00007ffc3197c72f R14: 00007f0031af89c0 R15: 0000000000000000
[ 54.653898] Kernel Offset: disabled
[ 54.657528] Rebooting in 86400 seconds..