[info] Using makefile-style concurrent boot in runlevel 2.
[ 26.497015] audit: type=1800 audit(1545630095.760:21): pid=5857 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 30.204028] sshd (6016) used greatest stack depth: 15424 bytes left
Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
2018/12/24 05:42:51 parsed 1 programs
[ 103.642707] collect2 (6043) used greatest stack depth: 15200 bytes left
2018/12/24 05:42:53 executed programs: 0
[ 103.804455] IPVS: ftp: loaded support on port[0] = 21
[ 104.040931] bridge0: port 1(bridge_slave_0) entered blocking state
[ 104.047564] bridge0: port 1(bridge_slave_0) entered disabled state
[ 104.054928] device bridge_slave_0 entered promiscuous mode
[ 104.073622] bridge0: port 2(bridge_slave_1) entered blocking state
[ 104.079989] bridge0: port 2(bridge_slave_1) entered disabled state
[ 104.087001] device bridge_slave_1 entered promiscuous mode
[ 104.103515] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 104.121449] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 104.169298] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 104.189436] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 104.259554] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 104.266798] team0: Port device team_slave_0 added
[ 104.283073] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 104.290118] team0: Port device team_slave_1 added
[ 104.306136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 104.325797] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 104.345303] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 104.365563] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 104.509926] bridge0: port 2(bridge_slave_1) entered blocking state
[ 104.516472] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 104.523399] bridge0: port 1(bridge_slave_0) entered blocking state
[ 104.529732] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 105.028066] 8021q: adding VLAN 0 to HW filter on device bond0
[ 105.080394] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 105.131686] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 105.137799] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 105.145473] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 105.193837] 8021q: adding VLAN 0 to HW filter on device team0
[ 105.659080] ==================================================================
[ 105.666608] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[ 105.673084] Read of size 8 at addr ffff8881be048ee0 by task syz-executor0/6335
[ 105.680420]
[ 105.682044] CPU: 0 PID: 6335 Comm: syz-executor0 Not tainted 4.20.0-rc6-next-20181217+ #172
[ 105.690513] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 105.699851] Call Trace:
[ 105.702425]  dump_stack+0x244/0x39d
[ 105.706071]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 105.711255]  ? printk+0xa7/0xcf
[ 105.714525]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 105.719274]  print_address_description.cold.4+0x9/0x1ff
[ 105.724623]  ? __list_add_valid+0x8f/0xac
[ 105.728770]  kasan_report.cold.5+0x1b/0x39
[ 105.732987]  ? __list_add_valid+0x8f/0xac
[ 105.737122]  ? _raw_read_unlock_irqrestore+0x90/0xd0
[ 105.742214]  ? __list_add_valid+0x8f/0xac
[ 105.746364]  __asan_report_load8_noabort+0x14/0x20
[ 105.751286]  __list_add_valid+0x8f/0xac
[ 105.755264]  rdma_listen+0x6dc/0x990
[ 105.758966]  ? rdma_resolve_addr+0x2870/0x2870
[ 105.763541]  ucma_listen+0x1a4/0x260
[ 105.767242]  ? ucma_notify+0x210/0x210
[ 105.771121]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 105.776684]  ? _copy_from_user+0xdf/0x150
[ 105.780852]  ? ucma_notify+0x210/0x210
[ 105.784738]  ucma_write+0x365/0x460
[ 105.788352]  ? ucma_open+0x3f0/0x3f0
[ 105.792062]  __vfs_write+0x119/0xab0
[ 105.795770]  ? common_file_perm+0x236/0x7f0
[ 105.800083]  ? __fget_light+0x2e9/0x430
[ 105.804055]  ? ucma_open+0x3f0/0x3f0
[ 105.807754]  ? kernel_read+0x120/0x120
[ 105.811648]  ? apparmor_path_rmdir+0x30/0x30
[ 105.816050]  ? posix_ktime_get_ts+0x15/0x20
[ 105.820360]  ? trace_hardirqs_off_caller+0x310/0x310
[ 105.825455]  ? apparmor_file_permission+0x24/0x30
[ 105.830283]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 105.835808]  ? security_file_permission+0x2bc/0x320
[ 105.840820]  ? rw_verify_area+0x118/0x360
[ 105.844971]  vfs_write+0x1fc/0x580
[ 105.848500]  ksys_write+0x101/0x260
[ 105.852118]  ? __ia32_sys_read+0xb0/0xb0
[ 105.856167]  ? trace_hardirqs_off_caller+0x310/0x310
[ 105.861262]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 105.866786]  __x64_sys_write+0x73/0xb0
[ 105.870675]  do_syscall_64+0x1b9/0x820
[ 105.874565]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 105.879919]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 105.884834]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 105.889686]  ? trace_hardirqs_on_caller+0x310/0x310
[ 105.894718]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 105.899745]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 105.904763]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 105.909591]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.914762] RIP: 0033:0x457669
[ 105.917949] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 105.936847] RSP: 002b:00007f30eebddc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 105.944536] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 105.951791] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 105.959043] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 105.966296] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f30eebde6d4
[ 105.973549] R13: 00000000004c5f47 R14: 00000000004daa40 R15: 00000000ffffffff
[ 105.980826]
[ 105.982452] Allocated by task 6330:
[ 105.986061]  save_stack+0x43/0xd0
[ 105.989497]  kasan_kmalloc+0xcb/0xd0
[ 105.993209]  kmem_cache_alloc_trace+0x154/0x740
[ 105.997890]  __rdma_create_id+0xdf/0x650
[ 106.001940]  ucma_create_id+0x39b/0x990
[ 106.005899]  ucma_write+0x365/0x460
[ 106.009513]  __vfs_write+0x119/0xab0
[ 106.013210]  vfs_write+0x1fc/0x580
[ 106.016751]  ksys_write+0x101/0x260
[ 106.020380]  __x64_sys_write+0x73/0xb0
[ 106.024261]  do_syscall_64+0x1b9/0x820
[ 106.028144]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.033309]
[ 106.034919] Freed by task 6327:
[ 106.038178]  save_stack+0x43/0xd0
[ 106.041614]  __kasan_slab_free+0x102/0x150
[ 106.045858]  kasan_slab_free+0xe/0x10
[ 106.049668]  kfree+0xcf/0x230
[ 106.052774]  rdma_destroy_id+0x835/0xcc0
[ 106.056847]  ucma_close+0x114/0x310
[ 106.060465]  __fput+0x3bc/0xa90
[ 106.063740]  ____fput+0x15/0x20
[ 106.067006]  task_work_run+0x1e8/0x2a0
[ 106.070904]  exit_to_usermode_loop+0x318/0x380
[ 106.075489]  do_syscall_64+0x6be/0x820
[ 106.079358]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.084524]
[ 106.086148] The buggy address belongs to the object at ffff8881be048d00
[ 106.086148]  which belongs to the cache kmalloc-2k of size 2048
[ 106.098826] The buggy address is located 480 bytes inside of
[ 106.098826]  2048-byte region [ffff8881be048d00, ffff8881be049500)
[ 106.110780] The buggy address belongs to the page:
[ 106.115695] page:ffffea0006f81200 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0 compound_mapcount: 0
[ 106.125659] flags: 0x2fffc0000010200(slab|head)
[ 106.130328] raw: 02fffc0000010200 ffffea0007001788 ffffea0006ebed88 ffff8881da800c40
[ 106.138192] raw: 0000000000000000 ffff8881be048480 0000000100000003 0000000000000000
[ 106.146049] page dumped because: kasan: bad access detected
[ 106.151738]
[ 106.153343] Memory state around the buggy address:
[ 106.158255]  ffff8881be048d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.165605]  ffff8881be048e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.172977] >ffff8881be048e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.180345]                                                        ^
[ 106.186816]  ffff8881be048f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.194186]  ffff8881be048f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.201526] ==================================================================
[ 106.208862] Disabling lock debugging due to kernel taint
[ 106.217473] Kernel panic - not syncing: panic_on_warn set ...
[ 106.223367] CPU: 0 PID: 6335 Comm: syz-executor0 Tainted: G    B             4.20.0-rc6-next-20181217+ #172
[ 106.233221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.242553] Call Trace:
[ 106.245124]  dump_stack+0x244/0x39d
[ 106.248739]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 106.253920]  ? __list_del_entry_valid+0xd0/0x100
[ 106.258700]  panic+0x2ad/0x632
[ 106.261896]  ? add_taint.cold.5+0x16/0x16
[ 106.266033]  ? preempt_schedule+0x4d/0x60
[ 106.270162]  ? ___preempt_schedule+0x16/0x18
[ 106.274556]  ? trace_hardirqs_on+0xb4/0x310
[ 106.278864]  ? __list_add_valid+0x8f/0xac
[ 106.282994]  end_report+0x47/0x4f
[ 106.286429]  kasan_report.cold.5+0xe/0x39
[ 106.290557]  ? __list_add_valid+0x8f/0xac
[ 106.294696]  ? _raw_read_unlock_irqrestore+0x90/0xd0
[ 106.299782]  ? __list_add_valid+0x8f/0xac
[ 106.303919]  __asan_report_load8_noabort+0x14/0x20
[ 106.308857]  __list_add_valid+0x8f/0xac
[ 106.312815]  rdma_listen+0x6dc/0x990
[ 106.316514]  ? rdma_resolve_addr+0x2870/0x2870
[ 106.321092]  ucma_listen+0x1a4/0x260
[ 106.324828]  ? ucma_notify+0x210/0x210
[ 106.328699]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 106.334220]  ? _copy_from_user+0xdf/0x150
[ 106.338367]  ? ucma_notify+0x210/0x210
[ 106.342241]  ucma_write+0x365/0x460
[ 106.345852]  ? ucma_open+0x3f0/0x3f0
[ 106.349550]  __vfs_write+0x119/0xab0
[ 106.353263]  ? common_file_perm+0x236/0x7f0
[ 106.357569]  ? __fget_light+0x2e9/0x430
[ 106.361526]  ? ucma_open+0x3f0/0x3f0
[ 106.365253]  ? kernel_read+0x120/0x120
[ 106.369151]  ? apparmor_path_rmdir+0x30/0x30
[ 106.373555]  ? posix_ktime_get_ts+0x15/0x20
[ 106.377860]  ? trace_hardirqs_off_caller+0x310/0x310
[ 106.382960]  ? apparmor_file_permission+0x24/0x30
[ 106.387797]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 106.393316]  ? security_file_permission+0x2bc/0x320
[ 106.398336]  ? rw_verify_area+0x118/0x360
[ 106.402478]  vfs_write+0x1fc/0x580
[ 106.406001]  ksys_write+0x101/0x260
[ 106.409617]  ? __ia32_sys_read+0xb0/0xb0
[ 106.413690]  ? trace_hardirqs_off_caller+0x310/0x310
[ 106.418779]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 106.424301]  __x64_sys_write+0x73/0xb0
[ 106.428175]  do_syscall_64+0x1b9/0x820
[ 106.432059]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 106.437413]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 106.442344]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 106.447185]  ? trace_hardirqs_on_caller+0x310/0x310
[ 106.452397]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 106.457416]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 106.462433]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 106.467299]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.472479] RIP: 0033:0x457669
[ 106.475673] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 106.494569] RSP: 002b:00007f30eebddc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 106.502273] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 106.509535] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 106.516817] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 106.524084] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f30eebde6d4
[ 106.531350] R13: 00000000004c5f47 R14: 00000000004daa40 R15: 00000000ffffffff
[ 106.539470] Kernel Offset: disabled
[ 106.543090] Rebooting in 86400 seconds..