[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 29.669074] kauditd_printk_skb: 7 callbacks suppressed
[ 29.669085] audit: type=1800 audit(1545088546.392:29): pid=5897 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 29.695051] audit: type=1800 audit(1545088546.392:30): pid=5897 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
2018/12/17 23:16:57 parsed 1 programs
2018/12/17 23:16:58 executed programs: 0
syzkaller login: [ 101.848136] IPVS: ftp: loaded support on port[0] = 21
[ 102.107162] bridge0: port 1(bridge_slave_0) entered blocking state
[ 102.114006] bridge0: port 1(bridge_slave_0) entered disabled state
[ 102.121231] device bridge_slave_0 entered promiscuous mode
[ 102.140143] bridge0: port 2(bridge_slave_1) entered blocking state
[ 102.146525] bridge0: port 2(bridge_slave_1) entered disabled state
[ 102.153516] device bridge_slave_1 entered promiscuous mode
[ 102.171275] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 102.190434] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 102.241630] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 102.262924] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 102.342875] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 102.350357] team0: Port device team_slave_0 added
[ 102.367174] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 102.375995] team0: Port device team_slave_1 added
[ 102.393807] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 102.416162] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 102.435295] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 102.454971] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 102.610951] bridge0: port 2(bridge_slave_1) entered blocking state
[ 102.617366] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 102.624177] bridge0: port 1(bridge_slave_0) entered blocking state
[ 102.630564] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 103.178614] 8021q: adding VLAN 0 to HW filter on device bond0
[ 103.235600] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 103.291279] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 103.297424] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 103.304956] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 103.352484] 8021q: adding VLAN 0 to HW filter on device team0
[ 103.796558] ==================================================================
[ 103.804136] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[ 103.810619] Read of size 8 at addr ffff8881b91154a0 by task syz-executor0/6349
[ 103.817963]
[ 103.819579] CPU: 1 PID: 6349 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #154
[ 103.826833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.836166] Call Trace:
[ 103.838746]  dump_stack+0x244/0x39d
[ 103.842368]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 103.847551]  ? printk+0xa7/0xcf
[ 103.850818]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 103.855572]  ? kasan_check_read+0x11/0x20
[ 103.859722]  print_address_description.cold.7+0x9/0x1ff
[ 103.865076]  kasan_report.cold.8+0x242/0x309
[ 103.869559]  ? __list_add_valid+0x8f/0xac
[ 103.873703]  __asan_report_load8_noabort+0x14/0x20
[ 103.878775]  __list_add_valid+0x8f/0xac
[ 103.882743]  rdma_listen+0x6dc/0x990
[ 103.886447]  ? rdma_resolve_addr+0x2870/0x2870
[ 103.891029]  ucma_listen+0x1a4/0x260
[ 103.894745]  ? ucma_notify+0x210/0x210
[ 103.898633]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 103.904163]  ? _copy_from_user+0xdf/0x150
[ 103.908319]  ? ucma_notify+0x210/0x210
[ 103.912211]  ucma_write+0x365/0x460
[ 103.915830]  ? ucma_open+0x3f0/0x3f0
[ 103.919542]  __vfs_write+0x119/0x9f0
[ 103.923254]  ? __fget_light+0x2e9/0x430
[ 103.927238]  ? ucma_open+0x3f0/0x3f0
[ 103.930941]  ? kernel_read+0x120/0x120
[ 103.934813]  ? lock_release+0xa00/0xa00
[ 103.938778]  ? perf_trace_sched_process_exec+0x860/0x860
[ 103.944220]  ? posix_ktime_get_ts+0x15/0x20
[ 103.948532]  ? trace_hardirqs_off_caller+0x310/0x310
[ 103.953633]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 103.959259]  ? security_file_permission+0x1c2/0x220
[ 103.964262]  ? rw_verify_area+0x118/0x360
[ 103.968508]  vfs_write+0x1fc/0x560
[ 103.972044]  ksys_write+0x101/0x260
[ 103.975659]  ? __ia32_sys_read+0xb0/0xb0
[ 103.979720]  ? trace_hardirqs_off_caller+0x310/0x310
[ 103.984845]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 103.990381]  __x64_sys_write+0x73/0xb0
[ 103.994263]  do_syscall_64+0x1b9/0x820
[ 103.998143]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 104.003500]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 104.008453]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 104.013295]  ? trace_hardirqs_on_caller+0x310/0x310
[ 104.018304]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 104.023317]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 104.028343]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 104.033188]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.038435] RIP: 0033:0x457669
[ 104.041624] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 104.060525] RSP: 002b:00007fef1cd0ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 104.068243] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 104.075510] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 104.082892] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 104.090155] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fef1cd0b6d4
[ 104.097422] R13: 00000000004c5f10 R14: 00000000004da9d0 R15: 00000000ffffffff
[ 104.104685]
[ 104.106307] Allocated by task 6344:
[ 104.109924]  save_stack+0x43/0xd0
[ 104.113372]  kasan_kmalloc+0xc7/0xe0
[ 104.117089]  kmem_cache_alloc_trace+0x152/0x750
[ 104.121809]  __rdma_create_id+0xdf/0x650
[ 104.125866]  ucma_create_id+0x39b/0x990
[ 104.129836]  ucma_write+0x365/0x460
[ 104.133452]  __vfs_write+0x119/0x9f0
[ 104.137153]  vfs_write+0x1fc/0x560
[ 104.140681]  ksys_write+0x101/0x260
[ 104.144296]  __x64_sys_write+0x73/0xb0
[ 104.148169]  do_syscall_64+0x1b9/0x820
[ 104.152150]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.157331]
[ 104.158941] Freed by task 6340:
[ 104.162213]  save_stack+0x43/0xd0
[ 104.165647]  __kasan_slab_free+0x102/0x150
[ 104.169869]  kasan_slab_free+0xe/0x10
[ 104.173654]  kfree+0xcf/0x230
[ 104.176742]  rdma_destroy_id+0x835/0xcc0
[ 104.180793]  ucma_close+0x114/0x310
[ 104.184404]  __fput+0x385/0xa30
[ 104.187664]  ____fput+0x15/0x20
[ 104.190933]  task_work_run+0x1e8/0x2a0
[ 104.194846]  exit_to_usermode_loop+0x318/0x380
[ 104.199766]  do_syscall_64+0x6be/0x820
[ 104.203703]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.208890]
[ 104.210503] The buggy address belongs to the object at ffff8881b91152c0
[ 104.210503]  which belongs to the cache kmalloc-2k of size 2048
[ 104.223267] The buggy address is located 480 bytes inside of
[ 104.223267]  2048-byte region [ffff8881b91152c0, ffff8881b9115ac0)
[ 104.235215] The buggy address belongs to the page:
[ 104.240136] page:ffffea0006e44500 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0 compound_mapcount: 0
[ 104.250086] flags: 0x2fffc0000010200(slab|head)
[ 104.254909] raw: 02fffc0000010200 ffffea0006e5e888 ffffea0006f9af88 ffff8881da800c40
[ 104.262789] raw: 0000000000000000 ffff8881b91141c0 0000000100000003 0000000000000000
[ 104.270769] page dumped because: kasan: bad access detected
[ 104.276596]
[ 104.278209] Memory state around the buggy address:
[ 104.283121]  ffff8881b9115380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 104.290467]  ffff8881b9115400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 104.297814] >ffff8881b9115480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 104.305195]                                ^
[ 104.309600]  ffff8881b9115500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 104.316961]  ffff8881b9115580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 104.324309] ==================================================================
[ 104.331665] Disabling lock debugging due to kernel taint
[ 104.339810] Kernel panic - not syncing: panic_on_warn set ...
[ 104.345716] CPU: 0 PID: 6349 Comm: syz-executor0 Tainted: G B 4.20.0-rc7+ #154
[ 104.354360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 104.363694] Call Trace:
[ 104.366269]  dump_stack+0x244/0x39d
[ 104.369896]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 104.375088]  panic+0x2ad/0x55c
[ 104.378296]  ? add_taint.cold.5+0x16/0x16
[ 104.382431]  ? preempt_schedule+0x4d/0x60
[ 104.386575]  ? ___preempt_schedule+0x16/0x18
[ 104.390972]  ? trace_hardirqs_on+0xb4/0x310
[ 104.395279]  kasan_end_report+0x47/0x4f
[ 104.399237]  kasan_report.cold.8+0x76/0x309
[ 104.403543]  ? __list_add_valid+0x8f/0xac
[ 104.407675]  __asan_report_load8_noabort+0x14/0x20
[ 104.412585]  __list_add_valid+0x8f/0xac
[ 104.416562]  rdma_listen+0x6dc/0x990
[ 104.420275]  ? rdma_resolve_addr+0x2870/0x2870
[ 104.424842]  ucma_listen+0x1a4/0x260
[ 104.428556]  ? ucma_notify+0x210/0x210
[ 104.432457]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 104.437976]  ? _copy_from_user+0xdf/0x150
[ 104.442107]  ? ucma_notify+0x210/0x210
[ 104.446085]  ucma_write+0x365/0x460
[ 104.449730]  ? ucma_open+0x3f0/0x3f0
[ 104.453446]  __vfs_write+0x119/0x9f0
[ 104.457141]  ? __fget_light+0x2e9/0x430
[ 104.461112]  ? ucma_open+0x3f0/0x3f0
[ 104.464809]  ? kernel_read+0x120/0x120
[ 104.468682]  ? lock_release+0xa00/0xa00
[ 104.472670]  ? perf_trace_sched_process_exec+0x860/0x860
[ 104.478108]  ? posix_ktime_get_ts+0x15/0x20
[ 104.482415]  ? trace_hardirqs_off_caller+0x310/0x310
[ 104.487502]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 104.493032]  ? security_file_permission+0x1c2/0x220
[ 104.498033]  ? rw_verify_area+0x118/0x360
[ 104.502541]  vfs_write+0x1fc/0x560
[ 104.506066]  ksys_write+0x101/0x260
[ 104.509693]  ? __ia32_sys_read+0xb0/0xb0
[ 104.513754]  ? trace_hardirqs_off_caller+0x310/0x310
[ 104.518842]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 104.524378]  __x64_sys_write+0x73/0xb0
[ 104.528264]  do_syscall_64+0x1b9/0x820
[ 104.532136]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 104.537484]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 104.542397]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 104.547234]  ? trace_hardirqs_on_caller+0x310/0x310
[ 104.552239]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 104.557249]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 104.562251]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 104.567079]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 104.572248] RIP: 0033:0x457669
[ 104.575425] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 104.594311] RSP: 002b:00007fef1cd0ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 104.602002] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 104.609255] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 104.616506] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 104.623756] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fef1cd0b6d4
[ 104.631011] R13: 00000000004c5f10 R14: 00000000004da9d0 R15: 00000000ffffffff
[ 104.639302] Kernel Offset: disabled
[ 104.642930] Rebooting in 86400 seconds..