[ 28.530945] audit: type=1800 audit(1544781216.601:27): pid=5930 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 28.552628] audit: type=1800 audit(1544781216.601:28): pid=5930 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 29.278899] audit: type=1800 audit(1544781217.411:29): pid=5930 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 29.300165] audit: type=1800 audit(1544781217.411:30): pid=5930 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
2018/12/14 09:54:53 parsed 1 programs
2018/12/14 09:54:54 executed programs: 0
syzkaller login: [ 106.684721] IPVS: ftp: loaded support on port[0] = 21
[ 106.933051] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.940118] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.947186] device bridge_slave_0 entered promiscuous mode
[ 106.966123] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.972608] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.979668] device bridge_slave_1 entered promiscuous mode
[ 106.996919] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 107.014987] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 107.066419] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 107.087585] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 107.163189] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 107.170692] team0: Port device team_slave_0 added
[ 107.188132] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 107.195722] team0: Port device team_slave_1 added
[ 107.212668] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 107.231767] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 107.251000] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 107.270448] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 107.420196] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.426779] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.433557] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.439963] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.963302] 8021q: adding VLAN 0 to HW filter on device bond0
[ 108.014496] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 108.065999] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 108.072101] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 108.080765] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 108.129883] 8021q: adding VLAN 0 to HW filter on device team0
2018/12/14 09:54:59 executed programs: 122
[ 112.342608] ==================================================================
[ 112.350126] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[ 112.356603] Read of size 8 at addr ffff8881b4f2aea0 by task syz-executor0/7254
[ 112.363939]
[ 112.365567] CPU: 0 PID: 7254 Comm: syz-executor0 Not tainted 4.20.0-rc6-next-20181214+ #171
[ 112.374036] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.383397] Call Trace:
[ 112.385993]  dump_stack+0x244/0x39d
[ 112.389640]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 112.394825]  ? printk+0xa7/0xcf
[ 112.398093]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 112.402845]  print_address_description.cold.4+0x9/0x1ff
[ 112.408207]  ? __list_add_valid+0x8f/0xac
[ 112.412340]  kasan_report.cold.5+0x1b/0x39
[ 112.416573]  ? __list_add_valid+0x8f/0xac
[ 112.420708]  ? _raw_spin_unlock_irqrestore+0x20/0xd0
[ 112.425823]  ? __list_add_valid+0x8f/0xac
[ 112.429956]  __asan_report_load8_noabort+0x14/0x20
[ 112.434870]  __list_add_valid+0x8f/0xac
[ 112.438833]  rdma_listen+0x6dc/0x990
[ 112.442533]  ? rdma_resolve_addr+0x2870/0x2870
[ 112.447102]  ucma_listen+0x1a4/0x260
[ 112.450799]  ? ucma_notify+0x210/0x210
[ 112.454671]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 112.460255]  ? _copy_from_user+0xdf/0x150
[ 112.464399]  ? ucma_notify+0x210/0x210
[ 112.468271]  ucma_write+0x365/0x460
[ 112.471886]  ? ucma_open+0x3f0/0x3f0
[ 112.475608]  __vfs_write+0x119/0xab0
[ 112.479306]  ? common_file_perm+0x236/0x7f0
[ 112.483614]  ? __fget_light+0x2e9/0x430
[ 112.487590]  ? ucma_open+0x3f0/0x3f0
[ 112.491289]  ? kernel_read+0x120/0x120
[ 112.495189]  ? apparmor_path_rmdir+0x30/0x30
[ 112.499603]  ? posix_ktime_get_ts+0x15/0x20
[ 112.503924]  ? trace_hardirqs_off_caller+0x310/0x310
[ 112.509090]  ? apparmor_file_permission+0x24/0x30
[ 112.513948]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 112.519479]  ? security_file_permission+0x2bc/0x320
[ 112.524491]  ? rw_verify_area+0x118/0x360
[ 112.528622]  vfs_write+0x1fc/0x580
[ 112.532148]  ksys_write+0x101/0x260
[ 112.535761]  ? __ia32_sys_read+0xb0/0xb0
[ 112.539819]  ? trace_hardirqs_off_caller+0x310/0x310
[ 112.544946]  __x64_sys_write+0x73/0xb0
[ 112.548843]  do_syscall_64+0x1b9/0x820
[ 112.552757]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 112.558123]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 112.563033]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 112.567864]  ? trace_hardirqs_on_caller+0x310/0x310
[ 112.572861]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 112.577858]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 112.582934]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 112.587766]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.592944] RIP: 0033:0x457679
[ 112.596138] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 112.615038] RSP: 002b:00007ff51c29cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 112.622746] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457679
[ 112.629998] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 112.637250] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 112.644514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff51c29d6d4
[ 112.651810] R13: 00000000004c5f30 R14: 00000000004da9f0 R15: 00000000ffffffff
[ 112.659092]
[ 112.660701] Allocated by task 7251:
[ 112.664344]  save_stack+0x43/0xd0
[ 112.667792]  kasan_kmalloc+0xcb/0xd0
[ 112.671500]  kmem_cache_alloc_trace+0x154/0x740
[ 112.676166]  __rdma_create_id+0xdf/0x650
[ 112.680224]  ucma_create_id+0x39b/0x990
[ 112.684179]  ucma_write+0x365/0x460
[ 112.687810]  __vfs_write+0x119/0xab0
[ 112.691516]  vfs_write+0x1fc/0x580
[ 112.695079]  ksys_write+0x101/0x260
[ 112.698705]  __x64_sys_write+0x73/0xb0
[ 112.702574]  do_syscall_64+0x1b9/0x820
[ 112.706446]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.711626]
[ 112.713235] Freed by task 7247:
[ 112.716495]  save_stack+0x43/0xd0
[ 112.719931]  __kasan_slab_free+0x102/0x150
[ 112.724173]  kasan_slab_free+0xe/0x10
[ 112.727971]  kfree+0xcf/0x230
[ 112.731076]  rdma_destroy_id+0x835/0xcc0
[ 112.735147]  ucma_close+0x114/0x310
[ 112.738772]  __fput+0x3bc/0xa90
[ 112.742030]  ____fput+0x15/0x20
[ 112.745308]  task_work_run+0x1e8/0x2a0
[ 112.749208]  exit_to_usermode_loop+0x318/0x380
[ 112.753784]  do_syscall_64+0x6be/0x820
[ 112.757656]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.762823]
[ 112.764436] The buggy address belongs to the object at ffff8881b4f2acc0
[ 112.764436]  which belongs to the cache kmalloc-2k of size 2048
[ 112.777090] The buggy address is located 480 bytes inside of
[ 112.777090]  2048-byte region [ffff8881b4f2acc0, ffff8881b4f2b4c0)
[ 112.789032] The buggy address belongs to the page:
[ 112.793976] page:ffffea0006d3ca80 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0 compound_mapcount: 0
[ 112.803920] flags: 0x2fffc0000010200(slab|head)
[ 112.808584] raw: 02fffc0000010200 ffffea000738b408 ffffea0007375488 ffff8881da800c40
[ 112.816449] raw: 0000000000000000 ffff8881b4f2a440 0000000100000003 0000000000000000
[ 112.824306] page dumped because: kasan: bad access detected
[ 112.829996]
[ 112.831614] Memory state around the buggy address:
[ 112.836542]  ffff8881b4f2ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.843900]  ffff8881b4f2ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.851241] >ffff8881b4f2ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.858606]                          ^
[ 112.862992]  ffff8881b4f2af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.870332]  ffff8881b4f2af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.877665] ==================================================================
[ 112.885001] Disabling lock debugging due to kernel taint
[ 112.891394] Kernel panic - not syncing: panic_on_warn set ...
[ 112.897314] CPU: 0 PID: 7254 Comm: syz-executor0 Tainted: G B 4.20.0-rc6-next-20181214+ #171
[ 112.907221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.916550] Call Trace:
[ 112.919126]  dump_stack+0x244/0x39d
[ 112.922737]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 112.927912]  ? __list_add_valid+0x20/0xac
[ 112.932041]  panic+0x2ad/0x632
[ 112.935236]  ? add_taint.cold.5+0x16/0x16
[ 112.939384]  ? preempt_schedule+0x4d/0x60
[ 112.943511]  ? ___preempt_schedule+0x16/0x18
[ 112.947900]  ? trace_hardirqs_on+0xb4/0x310
[ 112.952221]  ? __list_add_valid+0x8f/0xac
[ 112.956360]  end_report+0x47/0x4f
[ 112.959792]  kasan_report.cold.5+0xe/0x39
[ 112.963937]  ? __list_add_valid+0x8f/0xac
[ 112.968079]  ? _raw_spin_unlock_irqrestore+0x20/0xd0
[ 112.973183]  ? __list_add_valid+0x8f/0xac
[ 112.977312]  __asan_report_load8_noabort+0x14/0x20
[ 112.982229]  __list_add_valid+0x8f/0xac
[ 112.986191]  rdma_listen+0x6dc/0x990
[ 112.989890]  ? rdma_resolve_addr+0x2870/0x2870
[ 112.994489]  ucma_listen+0x1a4/0x260
[ 112.998187]  ? ucma_notify+0x210/0x210
[ 113.002070]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 113.007590]  ? _copy_from_user+0xdf/0x150
[ 113.011719]  ? ucma_notify+0x210/0x210
[ 113.015603]  ucma_write+0x365/0x460
[ 113.019236]  ? ucma_open+0x3f0/0x3f0
[ 113.022950]  __vfs_write+0x119/0xab0
[ 113.026662]  ? common_file_perm+0x236/0x7f0
[ 113.030988]  ? __fget_light+0x2e9/0x430
[ 113.034950]  ? ucma_open+0x3f0/0x3f0
[ 113.038673]  ? kernel_read+0x120/0x120
[ 113.042549]  ? apparmor_path_rmdir+0x30/0x30
[ 113.047062]  ? posix_ktime_get_ts+0x15/0x20
[ 113.051372]  ? trace_hardirqs_off_caller+0x310/0x310
[ 113.056461]  ? apparmor_file_permission+0x24/0x30
[ 113.061287]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 113.066818]  ? security_file_permission+0x2bc/0x320
[ 113.071819]  ? rw_verify_area+0x118/0x360
[ 113.075950]  vfs_write+0x1fc/0x580
[ 113.079488]  ksys_write+0x101/0x260
[ 113.083116]  ? __ia32_sys_read+0xb0/0xb0
[ 113.087183]  ? trace_hardirqs_off_caller+0x310/0x310
[ 113.092409]  __x64_sys_write+0x73/0xb0
[ 113.096282]  do_syscall_64+0x1b9/0x820
[ 113.100154]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 113.105503]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 113.110459]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 113.115284]  ? trace_hardirqs_on_caller+0x310/0x310
[ 113.120293]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 113.125307]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 113.130328]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 113.135209]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 113.140399] RIP: 0033:0x457679
[ 113.143590] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 113.162490] RSP: 002b:00007ff51c29cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 113.170194] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457679
[ 113.177484] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003
[ 113.184748] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 113.192010] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff51c29d6d4
[ 113.199278] R13: 00000000004c5f30 R14: 00000000004da9f0 R15: 00000000ffffffff
[ 113.207435] Kernel Offset: disabled
[ 113.211063] Rebooting in 86400 seconds..
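The report above carries everything a triager needs in three stacks: the faulting access, the allocation and the free, each with its task. The Python helper below is an added example, not part of this log or of syzkaller/syzbot's own code. It parses a constructed subset of the report's own lines (copied from above, with the long syscall-entry tails dropped), strips the sanitizer, allocator and list-debug frames, and reports the first frame of real code on each stack plus the tasks involved. The NOISE_PREFIXES list and the syzbot-style title format are this example's own heuristics, not an official specification of either tool.

```python
"""KASAN report triage: pull the bug class, the access and the three stacks
out of a console log and summarise the object's lifecycle.  Added example."""
import re

# Constructed sample: a subset of the KASAN report on this page, one message per line.
SAMPLE_REPORT = """\
[ 112.350126] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[ 112.356603] Read of size 8 at addr ffff8881b4f2aea0 by task syz-executor0/7254
[ 112.363939]
[ 112.365567] CPU: 0 PID: 7254 Comm: syz-executor0 Not tainted 4.20.0-rc6-next-20181214+ #171
[ 112.383397] Call Trace:
[ 112.385993]  dump_stack+0x244/0x39d
[ 112.402845]  print_address_description.cold.4+0x9/0x1ff
[ 112.412340]  kasan_report.cold.5+0x1b/0x39
[ 112.429956]  __asan_report_load8_noabort+0x14/0x20
[ 112.434870]  __list_add_valid+0x8f/0xac
[ 112.438833]  rdma_listen+0x6dc/0x990
[ 112.442533]  ? rdma_resolve_addr+0x2870/0x2870
[ 112.447102]  ucma_listen+0x1a4/0x260
[ 112.468271]  ucma_write+0x365/0x460
[ 112.592944] RIP: 0033:0x457679
[ 112.659092]
[ 112.660701] Allocated by task 7251:
[ 112.664344]  save_stack+0x43/0xd0
[ 112.667792]  kasan_kmalloc+0xcb/0xd0
[ 112.671500]  kmem_cache_alloc_trace+0x154/0x740
[ 112.676166]  __rdma_create_id+0xdf/0x650
[ 112.680224]  ucma_create_id+0x39b/0x990
[ 112.711626]
[ 112.713235] Freed by task 7247:
[ 112.716495]  save_stack+0x43/0xd0
[ 112.719931]  __kasan_slab_free+0x102/0x150
[ 112.724173]  kasan_slab_free+0xe/0x10
[ 112.727971]  kfree+0xcf/0x230
[ 112.731076]  rdma_destroy_id+0x835/0xcc0
[ 112.735147]  ucma_close+0x114/0x310
[ 112.738772]  __fput+0x3bc/0xa90
[ 112.762823]
[ 112.764436] The buggy address belongs to the object at ffff8881b4f2acc0
[ 112.764436]  which belongs to the cache kmalloc-2k of size 2048
[ 112.777090] The buggy address is located 480 bytes inside of
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\?\s+)?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
ALLOC_RE = re.compile(r"^Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"^Freed by task (?P<pid>\d+):")
OBJ_RE = re.compile(r"^The buggy address belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"^\s*which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"^The buggy address is located (?P<off>\d+) bytes inside of")

# Heuristic (this example's own): frames owned by KASAN, the slab allocator or the
# list-debug helpers, which say nothing about the code that owns the object.
NOISE_PREFIXES = (
    "dump_stack", "print_address_description", "kasan_report", "end_report",
    "__asan_report", "save_stack", "kasan_kmalloc", "__kasan_slab_free",
    "kasan_slab_free", "kmem_cache_alloc", "kfree", "__list_add_valid",
    "__list_del_entry_valid",
)

def strip_timestamp(line):
    m = TS_RE.match(line)
    return m.group(1) if m else line

def parse_kasan_report(text):
    """Return the header fields and the three stacks (reliable frames only)."""
    r = {"use_stack": [], "alloc_stack": [], "free_stack": []}
    current = None                      # which stack list we are filling
    for raw in text.splitlines():
        line = strip_timestamp(raw)
        if (m := BUG_RE.match(line)):
            r["bug_type"], r["fault_func"] = m["bug"], m["func"]; continue
        if (m := ACCESS_RE.match(line)):
            r["access"], r["size"] = m["kind"], int(m["size"])
            r["addr"], r["comm"], r["use_pid"] = int(m["addr"], 16), m["comm"], int(m["pid"]); continue
        if line.startswith("Call Trace:"):
            current = "use_stack"; continue
        if (m := ALLOC_RE.match(line)):
            r["alloc_pid"], current = int(m["pid"]), "alloc_stack"; continue
        if (m := FREE_RE.match(line)):
            r["free_pid"], current = int(m["pid"]), "free_stack"; continue
        if (m := OBJ_RE.match(line)):
            r["object"] = int(m["addr"], 16); continue
        if (m := CACHE_RE.match(line)):
            r["cache"], r["object_size"] = m["cache"], int(m["size"]); continue
        if (m := OFFSET_RE.match(line)):
            r["offset"] = int(m["off"]); continue
        fm = FRAME_RE.match(line)
        if current and fm:
            if not fm["unreliable"]:    # "? func" frames are stale stack slots
                r[current].append(fm["func"])
            continue
        current = None                  # a blank or non-frame line ends a stack
    return r

def first_relevant_frame(stack):
    """First frame that is not sanitizer/allocator/list-debug noise."""
    for func in stack:
        if not func.startswith(NOISE_PREFIXES):
            return func
    return stack[0] if stack else None

def check_offset(r):
    """Cross-check the printed offset against addr - object and the slab size."""
    return r["addr"] - r["object"] == r["offset"] and 0 <= r["offset"] < r["object_size"]

def triage(text):
    r = parse_kasan_report(text)
    return {
        "title": f"KASAN: {r['bug_type']} {r['access']} in {first_relevant_frame(r['use_stack'])}",
        "lifecycle": {
            "alloc": (r["alloc_pid"], first_relevant_frame(r["alloc_stack"])),
            "free": (r["free_pid"], first_relevant_frame(r["free_stack"])),
            "use": (r["use_pid"], first_relevant_frame(r["use_stack"])),
        },
        "cache": r["cache"],
        "offset_consistent": check_offset(r),
        "distinct_tasks": len({r["alloc_pid"], r["free_pid"], r["use_pid"]}),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The lifecycle output makes the shape of this report visible without reading every frame: the object comes from __rdma_create_id in one task's write() (ucma_create_id), is freed by rdma_destroy_id from ucma_close when a second task's file reference is dropped (__fput), and is then dereferenced by a third task's write() in ucma_listen. The offset check (0x...aea0 - 0x...acc0 = 480) confirms the access lands inside the freed 2048-byte kmalloc-2k object, which is what the fb shadow bytes around the address also say.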