Warning: Permanently added '10.128.0.176' (ECDSA) to the list of known hosts.
2019/01/19 10:25:22 parsed 1 programs
2019/01/19 10:25:24 executed programs: 0
syzkaller login: [ 53.740395] IPVS: ftp: loaded support on port[0] = 21
[ 53.802590] chnl_net:caif_netlink_parms(): no params data found
[ 53.838045] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.844648] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.852049] device bridge_slave_0 entered promiscuous mode
[ 53.859345] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.865831] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.872729] device bridge_slave_1 entered promiscuous mode
[ 53.889808] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.898874] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.914856] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 53.922486] team0: Port device team_slave_0 added
[ 53.927876] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 53.935018] team0: Port device team_slave_1 added
[ 53.940373] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 53.947640] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 54.027077] device hsr_slave_0 entered promiscuous mode
[ 54.075641] device hsr_slave_1 entered promiscuous mode
[ 54.135791] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 54.142740] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 54.156928] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.163326] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.170199] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.176558] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.208502] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 54.214581] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.224134] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.232723] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.243161] bridge0: port 1(bridge_slave_0) entered disabled state
[ 54.250788] bridge0: port 2(bridge_slave_1) entered disabled state
[ 54.257928] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 54.268206] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 54.274263] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.283459] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 54.293414] bridge0: port 1(bridge_slave_0) entered blocking state
[ 54.299799] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.317576] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 54.325315] bridge0: port 2(bridge_slave_1) entered blocking state
[ 54.331699] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 54.339571] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 54.347275] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 54.356126] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 54.365710] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 54.376541] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 54.387037] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 54.393039] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 54.406489] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 54.418029] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 54.779343] ==================================================================
[ 54.786807] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[ 54.793282] Read of size 8 at addr ffff8880881405e0 by task syz-executor0/8088
[ 54.800619] 
[ 54.802233] CPU: 0 PID: 8088 Comm: syz-executor0 Not tainted 5.0.0-rc2+ #33
[ 54.809310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.818644] Call Trace:
[ 54.821319]  dump_stack+0x1db/0x2d0
[ 54.825062]  ? dump_stack_print_info.cold+0x20/0x20
[ 54.830081]  ? trace_hardirqs_on+0xbd/0x310
[ 54.834419]  ? __list_add_valid+0x9a/0xa0
[ 54.838558]  print_address_description.cold+0x7c/0x20d
[ 54.843838]  ? __list_add_valid+0x9a/0xa0
[ 54.847976]  ? __list_add_valid+0x9a/0xa0
[ 54.852110]  kasan_report.cold+0x1b/0x40
[ 54.856185]  ? __list_add_valid+0x9a/0xa0
[ 54.860351]  __asan_report_load8_noabort+0x14/0x20
[ 54.865271]  __list_add_valid+0x9a/0xa0
[ 54.869238]  rdma_listen+0x6c9/0xa10
[ 54.872941]  ? rdma_resolve_addr+0x2720/0x2720
[ 54.877522]  ucma_listen+0x1bf/0x250
[ 54.881222]  ? ucma_notify+0x220/0x220
[ 54.885113]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.890643]  ? _copy_from_user+0xdd/0x150
[ 54.894781]  ucma_write+0x36b/0x480
[ 54.898394]  ? ucma_notify+0x220/0x220
[ 54.902289]  ? ucma_open+0x400/0x400
[ 54.905988]  ? __might_fault+0x12b/0x1e0
[ 54.910033]  ? find_held_lock+0x35/0x120
[ 54.914082]  __vfs_write+0x116/0xb40
[ 54.917779]  ? ucma_open+0x400/0x400
[ 54.921490]  ? kernel_read+0x120/0x120
[ 54.925360]  ? fget_raw+0x20/0x20
[ 54.928816]  ? trace_hardirqs_off_caller+0x300/0x300
[ 54.933910]  ? apparmor_file_permission+0x25/0x30
[ 54.938739]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.944264]  ? security_file_permission+0x94/0x320
[ 54.949229]  ? rw_verify_area+0x118/0x360
[ 54.953363]  vfs_write+0x20c/0x580
[ 54.956910]  ksys_write+0x105/0x260
[ 54.960525]  ? __ia32_sys_read+0xb0/0xb0
[ 54.964570]  ? trace_hardirqs_off_caller+0x300/0x300
[ 54.969686]  __ia32_sys_write+0x71/0xb0
[ 54.973709]  do_fast_syscall_32+0x333/0xf98
[ 54.978019]  ? do_int80_syscall_32+0x880/0x880
[ 54.982581]  ? trace_hardirqs_off+0x310/0x310
[ 54.987075]  ? syscall_return_slowpath+0x3b0/0x5f0
[ 54.992020]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 54.997051]  ? __switch_to_asm+0x34/0x70
[ 55.001099]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.005945]  entry_SYSENTER_compat+0x70/0x7f
[ 55.010340] RIP: 0023:0xf7f07869
[ 55.013700] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 55.032584] RSP: 002b:00000000f7f030cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[ 55.040273] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[ 55.047528] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[ 55.054781] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.062034] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 55.069288] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.076548] 
[ 55.078173] Allocated by task 8082:
[ 55.081798]  save_stack+0x45/0xd0
[ 55.085265]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 55.090183]  kasan_kmalloc+0x9/0x10
[ 55.093794]  kmem_cache_alloc_trace+0x151/0x760
[ 55.098455]  __rdma_create_id+0xce/0x630
[ 55.102509]  ucma_create_id+0x30f/0x910
[ 55.106468]  ucma_write+0x36b/0x480
[ 55.110081]  __vfs_write+0x116/0xb40
[ 55.113776]  vfs_write+0x20c/0x580
[ 55.117306]  ksys_write+0x105/0x260
[ 55.120927]  __ia32_sys_write+0x71/0xb0
[ 55.124889]  do_fast_syscall_32+0x333/0xf98
[ 55.129197]  entry_SYSENTER_compat+0x70/0x7f
[ 55.133594] 
[ 55.135213] Freed by task 8081:
[ 55.138486]  save_stack+0x45/0xd0
[ 55.141941]  __kasan_slab_free+0x102/0x150
[ 55.146164]  kasan_slab_free+0xe/0x10
[ 55.149946]  kfree+0xcf/0x230
[ 55.153049]  rdma_destroy_id+0x8be/0xd80
[ 55.157105]  ucma_close+0x115/0x320
[ 55.160733]  __fput+0x3c5/0xb10
[ 55.164008]  ____fput+0x16/0x20
[ 55.167282]  task_work_run+0x1f4/0x2b0
[ 55.171155]  exit_to_usermode_loop+0x32a/0x3b0
[ 55.175730]  do_fast_syscall_32+0xc97/0xf98
[ 55.180046]  entry_SYSENTER_compat+0x70/0x7f
[ 55.184431] 
[ 55.186044] The buggy address belongs to the object at ffff888088140400
[ 55.186044]  which belongs to the cache kmalloc-2k of size 2048
[ 55.198705] The buggy address is located 480 bytes inside of
[ 55.198705]  2048-byte region [ffff888088140400, ffff888088140c00)
[ 55.210657] The buggy address belongs to the page:
[ 55.215594] page:ffffea0002205000 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0
[ 55.225564] flags: 0x1fffc0000010200(slab|head)
[ 55.230221] raw: 01fffc0000010200 ffffea0002a14e08 ffffea00025e6d88 ffff88812c3f0c40
[ 55.238100] raw: 0000000000000000 ffff888088140400 0000000100000003 0000000000000000
[ 55.245969] page dumped because: kasan: bad access detected
[ 55.251656] 
[ 55.253265] Memory state around the buggy address:
[ 55.258175]  ffff888088140480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.265514]  ffff888088140500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.272871] >ffff888088140580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.280251]                                                        ^
[ 55.286725]  ffff888088140600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.294073]  ffff888088140680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.301409] ==================================================================
[ 55.308760] Disabling lock debugging due to kernel taint
[ 55.318920] Kernel panic - not syncing: panic_on_warn set ...
[ 55.324824] CPU: 0 PID: 8088 Comm: syz-executor0 Tainted: G B 5.0.0-rc2+ #33
[ 55.333298] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.342628] Call Trace:
[ 55.345201]  dump_stack+0x1db/0x2d0
[ 55.348811]  ? dump_stack_print_info.cold+0x20/0x20
[ 55.353812]  panic+0x2cb/0x65c
[ 55.356987]  ? add_taint.cold+0x16/0x16
[ 55.360944]  ? __list_add_valid+0x9a/0xa0
[ 55.365085]  ? preempt_schedule+0x4b/0x60
[ 55.369227]  ? ___preempt_schedule+0x16/0x18
[ 55.373616]  ? trace_hardirqs_on+0xb4/0x310
[ 55.377936]  ? __list_add_valid+0x9a/0xa0
[ 55.382096]  end_report+0x47/0x4f
[ 55.385534]  ? __list_add_valid+0x9a/0xa0
[ 55.389665]  kasan_report.cold+0xe/0x40
[ 55.393623]  ? __list_add_valid+0x9a/0xa0
[ 55.397770]  __asan_report_load8_noabort+0x14/0x20
[ 55.402699]  __list_add_valid+0x9a/0xa0
[ 55.406681]  rdma_listen+0x6c9/0xa10
[ 55.410390]  ? rdma_resolve_addr+0x2720/0x2720
[ 55.414966]  ucma_listen+0x1bf/0x250
[ 55.418677]  ? ucma_notify+0x220/0x220
[ 55.422559]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.428076]  ? _copy_from_user+0xdd/0x150
[ 55.432226]  ucma_write+0x36b/0x480
[ 55.435847]  ? ucma_notify+0x220/0x220
[ 55.439719]  ? ucma_open+0x400/0x400
[ 55.443414]  ? __might_fault+0x12b/0x1e0
[ 55.447473]  ? find_held_lock+0x35/0x120
[ 55.451526]  __vfs_write+0x116/0xb40
[ 55.455244]  ? ucma_open+0x400/0x400
[ 55.458962]  ? kernel_read+0x120/0x120
[ 55.462841]  ? fget_raw+0x20/0x20
[ 55.466304]  ? trace_hardirqs_off_caller+0x300/0x300
[ 55.471394]  ? apparmor_file_permission+0x25/0x30
[ 55.476224]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.481748]  ? security_file_permission+0x94/0x320
[ 55.486671]  ? rw_verify_area+0x118/0x360
[ 55.490837]  vfs_write+0x20c/0x580
[ 55.494388]  ksys_write+0x105/0x260
[ 55.498019]  ? __ia32_sys_read+0xb0/0xb0
[ 55.502086]  ? trace_hardirqs_off_caller+0x300/0x300
[ 55.507172]  __ia32_sys_write+0x71/0xb0
[ 55.511142]  do_fast_syscall_32+0x333/0xf98
[ 55.515505]  ? do_int80_syscall_32+0x880/0x880
[ 55.520104]  ? trace_hardirqs_off+0x310/0x310
[ 55.524608]  ? syscall_return_slowpath+0x3b0/0x5f0
[ 55.529521]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 55.534522]  ? __switch_to_asm+0x34/0x70
[ 55.538586]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 55.543416]  entry_SYSENTER_compat+0x70/0x7f
[ 55.547807] RIP: 0023:0xf7f07869
[ 55.551171] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 55.570060] RSP: 002b:00000000f7f030cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[ 55.577763] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[ 55.585024] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[ 55.592282] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 55.599541] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 55.606831] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 55.615028] Kernel Offset: disabled
[ 55.618651] Rebooting in 86400 seconds..