[   28.705162] audit: type=1800 audit(1545079955.539:27): pid=5898 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   28.737266] audit: type=1800 audit(1545079955.539:28): pid=5898 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   29.311533] audit: type=1800 audit(1545079956.209:29): pid=5898 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   29.332064] audit: type=1800 audit(1545079956.219:30): pid=5898 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.845114] sshd (6037) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
2018/12/17 20:53:14 parsed 1 programs
2018/12/17 20:53:16 executed programs: 0
[   69.700845] IPVS: ftp: loaded support on port[0] = 21
[   69.958108] bridge0: port 1(bridge_slave_0) entered blocking state
[   69.965214] bridge0: port 1(bridge_slave_0) entered disabled state
[   69.972228] device bridge_slave_0 entered promiscuous mode
[   69.990460] bridge0: port 2(bridge_slave_1) entered blocking state
[   69.996884] bridge0: port 2(bridge_slave_1) entered disabled state
[   70.004050] device bridge_slave_1 entered promiscuous mode
[   70.020986] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   70.038359] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   70.088385] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   70.109440] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   70.188389] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   70.195923] team0: Port device team_slave_0 added
[   70.213556] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   70.220635] team0: Port device team_slave_1 added
[   70.239493] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   70.259213] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   70.278528] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   70.298857] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   70.447063] bridge0: port 2(bridge_slave_1) entered blocking state
[   70.453521] bridge0: port 2(bridge_slave_1) entered forwarding state
[   70.460299] bridge0: port 1(bridge_slave_0) entered blocking state
[   70.466701] bridge0: port 1(bridge_slave_0) entered forwarding state
[   70.987890] 8021q: adding VLAN 0 to HW filter on device bond0
[   71.041841] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   71.094131] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   71.100258] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   71.108805] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   71.156860] 8021q: adding VLAN 0 to HW filter on device team0
2018/12/17 20:53:21 executed programs: 110
[   74.734613] ==================================================================
[   74.742110] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[   74.748609] Read of size 8 at addr ffff8881cef5f7e0 by task syz-executor0/6991
[   74.755949]
[   74.757583] CPU: 0 PID: 6991 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #278
[   74.764837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.774192] Call Trace:
[   74.776779]  dump_stack+0x244/0x39d
[   74.780395]  ? dump_stack_print_info.cold.1+0x20/0x20
[   74.785572]  ? printk+0xa7/0xcf
[   74.788840]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   74.793584]  ? kasan_check_read+0x11/0x20
[   74.797769]  print_address_description.cold.7+0x9/0x1ff
[   74.803155]  kasan_report.cold.8+0x242/0x309
[   74.807551]  ? __list_add_valid+0x8f/0xac
[   74.811703]  __asan_report_load8_noabort+0x14/0x20
[   74.816633]  __list_add_valid+0x8f/0xac
[   74.820598]  rdma_listen+0x6dc/0x990
[   74.824302]  ? rdma_resolve_addr+0x2870/0x2870
[   74.828876]  ucma_listen+0x1a4/0x260
[   74.832594]  ? ucma_notify+0x210/0x210
[   74.836487]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   74.842023]  ? _copy_from_user+0xdf/0x150
[   74.846194]  ? ucma_notify+0x210/0x210
[   74.850122]  ucma_write+0x365/0x460
[   74.853738]  ? ucma_open+0x3f0/0x3f0
[   74.857440]  ? find_held_lock+0x36/0x1c0
[   74.861517]  __vfs_write+0x119/0x9f0
[   74.865327]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   74.870362]  ? ucma_open+0x3f0/0x3f0
[   74.874088]  ? kernel_read+0x120/0x120
[   74.877979]  ? apparmor_path_rmdir+0x30/0x30
[   74.882413]  ? trace_hardirqs_off_caller+0x310/0x310
[   74.887508]  ? apparmor_file_permission+0x24/0x30
[   74.892350]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   74.897885]  ? security_file_permission+0x1c2/0x220
[   74.902888]  ? rw_verify_area+0x118/0x360
[   74.907024]  vfs_write+0x1fc/0x560
[   74.910555]  ksys_write+0x101/0x260
[   74.914168]  ? __ia32_sys_read+0xb0/0xb0
[   74.918225]  ? trace_hardirqs_off_caller+0x310/0x310
[   74.923317]  __ia32_sys_write+0x71/0xb0
[   74.927282]  do_fast_syscall_32+0x34d/0xfb2
[   74.931602]  ? do_int80_syscall_32+0x890/0x890
[   74.936193]  ? entry_SYSENTER_compat+0x68/0x7f
[   74.940784]  ? trace_hardirqs_off_caller+0xbb/0x310
[   74.945785]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   74.950614]  ? trace_hardirqs_on_caller+0x310/0x310
[   74.955615]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   74.960618]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   74.967290]  ? __switch_to_asm+0x40/0x70
[   74.971368]  ? __switch_to_asm+0x34/0x70
[   74.975437]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   74.980280]  entry_SYSENTER_compat+0x70/0x7f
[   74.984680] RIP: 0023:0xf7fb4a29
[   74.988051] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   75.006953] RSP: 002b:00000000f7fb00cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[   75.014673] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[   75.021954] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[   75.029223] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   75.036479] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   75.043732] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   75.050997]
[   75.052618] Allocated by task 6987:
[   75.056248]  save_stack+0x43/0xd0
[   75.059704]  kasan_kmalloc+0xc7/0xe0
[   75.063404]  kmem_cache_alloc_trace+0x152/0x750
[   75.068058]  __rdma_create_id+0xdf/0x650
[   75.072101]  ucma_create_id+0x39b/0x990
[   75.076076]  ucma_write+0x365/0x460
[   75.079696]  __vfs_write+0x119/0x9f0
[   75.083405]  vfs_write+0x1fc/0x560
[   75.086929]  ksys_write+0x101/0x260
[   75.090539]  __ia32_sys_write+0x71/0xb0
[   75.094510]  do_fast_syscall_32+0x34d/0xfb2
[   75.098831]  entry_SYSENTER_compat+0x70/0x7f
[   75.103250]
[   75.104879] Freed by task 6983:
[   75.108150]  save_stack+0x43/0xd0
[   75.111590]  __kasan_slab_free+0x102/0x150
[   75.115809]  kasan_slab_free+0xe/0x10
[   75.119592]  kfree+0xcf/0x230
[   75.122700]  rdma_destroy_id+0x835/0xcc0
[   75.126761]  ucma_close+0x114/0x310
[   75.130391]  __fput+0x385/0xa30
[   75.133656]  ____fput+0x15/0x20
[   75.136921]  task_work_run+0x1e8/0x2a0
[   75.140795]  exit_to_usermode_loop+0x318/0x380
[   75.145383]  do_fast_syscall_32+0xcd5/0xfb2
[   75.149701]  entry_SYSENTER_compat+0x70/0x7f
[   75.154085]
[   75.155698] The buggy address belongs to the object at ffff8881cef5f600
[   75.155698]  which belongs to the cache kmalloc-2k of size 2048
[   75.168341] The buggy address is located 480 bytes inside of
[   75.168341]  2048-byte region [ffff8881cef5f600, ffff8881cef5fe00)
[   75.180289] The buggy address belongs to the page:
[   75.185213] page:ffffea00073bd780 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0 compound_mapcount: 0
[   75.195163] flags: 0x2fffc0000010200(slab|head)
[   75.199822] raw: 02fffc0000010200 ffffea0007397888 ffffea00073bf388 ffff8881da800c40
[   75.207701] raw: 0000000000000000 ffff8881cef5e500 0000000100000003 0000000000000000
[   75.215575] page dumped because: kasan: bad access detected
[   75.221264]
[   75.222873] Memory state around the buggy address:
[   75.227786]  ffff8881cef5f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.235157]  ffff8881cef5f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.242524] >ffff8881cef5f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.249864]                                                        ^
[   75.256354]  ffff8881cef5f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.263698]  ffff8881cef5f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.271038] ==================================================================
[   75.278396] Disabling lock debugging due to kernel taint
[   75.284672] Kernel panic - not syncing: panic_on_warn set ...
[   75.290590] CPU: 0 PID: 6991 Comm: syz-executor0 Tainted: G B 4.20.0-rc7+ #278
[   75.299264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.308599] Call Trace:
[   75.311187]  dump_stack+0x244/0x39d
[   75.314807]  ? dump_stack_print_info.cold.1+0x20/0x20
[   75.319990]  panic+0x2ad/0x55c
[   75.323205]  ? add_taint.cold.5+0x16/0x16
[   75.327345]  ? preempt_schedule+0x4d/0x60
[   75.331575]  ? ___preempt_schedule+0x16/0x18
[   75.335973]  ? trace_hardirqs_on+0xb4/0x310
[   75.340281]  kasan_end_report+0x47/0x4f
[   75.344258]  kasan_report.cold.8+0x76/0x309
[   75.348595]  ? __list_add_valid+0x8f/0xac
[   75.352749]  __asan_report_load8_noabort+0x14/0x20
[   75.357666]  __list_add_valid+0x8f/0xac
[   75.361644]  rdma_listen+0x6dc/0x990
[   75.365356]  ? rdma_resolve_addr+0x2870/0x2870
[   75.369937]  ucma_listen+0x1a4/0x260
[   75.373632]  ? ucma_notify+0x210/0x210
[   75.377523]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   75.383045]  ? _copy_from_user+0xdf/0x150
[   75.387176]  ? ucma_notify+0x210/0x210
[   75.391064]  ucma_write+0x365/0x460
[   75.394680]  ? ucma_open+0x3f0/0x3f0
[   75.398378]  ? find_held_lock+0x36/0x1c0
[   75.402426]  __vfs_write+0x119/0x9f0
[   75.406155]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   75.411102]  ? ucma_open+0x3f0/0x3f0
[   75.414797]  ? kernel_read+0x120/0x120
[   75.418667]  ? apparmor_path_rmdir+0x30/0x30
[   75.423075]  ? trace_hardirqs_off_caller+0x310/0x310
[   75.428178]  ? apparmor_file_permission+0x24/0x30
[   75.433034]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.438557]  ? security_file_permission+0x1c2/0x220
[   75.443582]  ? rw_verify_area+0x118/0x360
[   75.447715]  vfs_write+0x1fc/0x560
[   75.451255]  ksys_write+0x101/0x260
[   75.454876]  ? __ia32_sys_read+0xb0/0xb0
[   75.458932]  ? trace_hardirqs_off_caller+0x310/0x310
[   75.464019]  __ia32_sys_write+0x71/0xb0
[   75.467993]  do_fast_syscall_32+0x34d/0xfb2
[   75.472309]  ? do_int80_syscall_32+0x890/0x890
[   75.476907]  ? entry_SYSENTER_compat+0x68/0x7f
[   75.481499]  ? trace_hardirqs_off_caller+0xbb/0x310
[   75.486510]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   75.491336]  ? trace_hardirqs_on_caller+0x310/0x310
[   75.496350]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   75.501350]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   75.508001]  ? __switch_to_asm+0x40/0x70
[   75.512046]  ? __switch_to_asm+0x34/0x70
[   75.516092]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   75.520954]  entry_SYSENTER_compat+0x70/0x7f
[   75.525356] RIP: 0023:0xf7fb4a29
[   75.528722] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   75.547618] RSP: 002b:00000000f7fb00cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[   75.555322] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[   75.562587] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000
[   75.569852] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   75.577116] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   75.584401] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   75.592813] Kernel Offset: disabled
[   75.596438] Rebooting in 86400 seconds..