[   38.233672] audit: type=1800 audit(1549128103.952:29): pid=7613 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
executing program
executing program
executing program

syzkaller login: [   48.561336] ==================================================================
[   48.568925] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[   48.575412] Read of size 8 at addr ffff88808f7cd5a0 by task syz-executor437/7770
[   48.582921] 
[   48.584538] CPU: 1 PID: 7770 Comm: syz-executor437 Not tainted 5.0.0-rc4+ #57
[   48.591892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.601234] Call Trace:
[   48.603944]  dump_stack+0x172/0x1f0
[   48.607560]  ? __list_add_valid+0x9a/0xa0
[   48.611706]  print_address_description.cold+0x7c/0x20d
[   48.616968]  ? __list_add_valid+0x9a/0xa0
[   48.621102]  ? __list_add_valid+0x9a/0xa0
[   48.625329]  kasan_report.cold+0x1b/0x40
[   48.629387]  ? __list_add_valid+0x9a/0xa0
[   48.633528]  __asan_report_load8_noabort+0x14/0x20
[   48.638442]  __list_add_valid+0x9a/0xa0
[   48.642404]  rdma_listen+0x63b/0x8e0
[   48.646108]  ucma_listen+0x14d/0x1c0
[   48.649806]  ? ucma_notify+0x190/0x190
[   48.653808]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   48.659512]  ? _copy_from_user+0xdd/0x150
[   48.663668]  ucma_write+0x2da/0x3c0
[   48.667295]  ? ucma_notify+0x190/0x190
[   48.671174]  ? ucma_open+0x290/0x290
[   48.674881]  ? do_wp_page+0x2f5/0x11d0
[   48.678763]  __vfs_write+0x116/0x8e0
[   48.682466]  ? ucma_open+0x290/0x290
[   48.686165]  ? kernel_read+0x120/0x120
[   48.690037]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   48.694953]  ? common_file_perm+0x1d6/0x6f0
[   48.699260]  ? apparmor_file_permission+0x25/0x30
[   48.704088]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.709609]  ? security_file_permission+0x94/0x320
[   48.714523]  ? rw_verify_area+0x118/0x360
[   48.719279]  vfs_write+0x20c/0x580
[   48.722810]  ksys_write+0xea/0x1f0
[   48.726336]  ? __ia32_sys_read+0xb0/0xb0
[   48.730493]  ? do_syscall_64+0x26/0x610
[   48.734470]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.739918]  ? do_syscall_64+0x26/0x610
[   48.743881]  __x64_sys_write+0x73/0xb0
[   48.747756]  do_syscall_64+0x103/0x610
[   48.751641]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.756813] RIP: 0033:0x440f59
[   48.759991] Code: e8 cc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   48.778974] RSP: 002b:00007ffc04fa0d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   48.786665] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440f59
[   48.794031] RDX: 0000000000000010 RSI: 0000000020000240 RDI: 0000000000000003
[   48.801301] RBP: 000000000000bda6 R08: 00000000004002c8 R09: 00000000004002c8
[   48.808592] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ea0
[   48.815856] R13: 0000000000401f30 R14: 0000000000000000 R15: 0000000000000000
[   48.823136] 
[   48.824751] Allocated by task 7768:
[   48.828387]  save_stack+0x45/0xd0
[   48.831825]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   48.836753]  kasan_kmalloc+0x9/0x10
[   48.840366]  kmem_cache_alloc_trace+0x151/0x760
[   48.845023]  __rdma_create_id+0x5f/0x4e0
[   48.849063]  ucma_create_id+0x1de/0x640
[   48.853019]  ucma_write+0x2da/0x3c0
[   48.856626]  __vfs_write+0x116/0x8e0
[   48.860328]  vfs_write+0x20c/0x580
[   48.863868]  ksys_write+0xea/0x1f0
[   48.867387]  __x64_sys_write+0x73/0xb0
[   48.871320]  do_syscall_64+0x103/0x610
[   48.875193]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.880375] 
[   48.881979] Freed by task 7768:
[   48.885243]  save_stack+0x45/0xd0
[   48.888679]  __kasan_slab_free+0x102/0x150
[   48.892926]  kasan_slab_free+0xe/0x10
[   48.896719]  kfree+0xcf/0x230
[   48.899830]  rdma_destroy_id+0x723/0xab0
[   48.903892]  ucma_close+0x115/0x320
[   48.907505]  __fput+0x2df/0x8d0
[   48.910773]  ____fput+0x16/0x20
[   48.914034]  task_work_run+0x14a/0x1c0
[   48.917903]  exit_to_usermode_loop+0x273/0x2c0
[   48.922470]  do_syscall_64+0x52d/0x610
[   48.926340]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   48.931519] 
[   48.933244] The buggy address belongs to the object at ffff88808f7cd3c0
[   48.933244]  which belongs to the cache kmalloc-2k of size 2048
[   48.946008] The buggy address is located 480 bytes inside of
[   48.946008]  2048-byte region [ffff88808f7cd3c0, ffff88808f7cdbc0)
[   48.957958] The buggy address belongs to the page:
[   48.962876] page:ffffea00023df300 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0
[   48.972927] flags: 0x1fffc0000010200(slab|head)
[   48.977580] raw: 01fffc0000010200 ffffea0002457d08 ffff88812c3f1948 ffff88812c3f0c40
[   48.985533] raw: 0000000000000000 ffff88808f7cc2c0 0000000100000003 0000000000000000
[   48.993391] page dumped because: kasan: bad access detected
[   48.999188] 
[   49.000799] Memory state around the buggy address:
[   49.005721]  ffff88808f7cd480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.013060]  ffff88808f7cd500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.020401] >ffff88808f7cd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.027737]                                ^
[   49.032227]  ffff88808f7cd600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.039567]  ffff88808f7cd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.046909] ==================================================================
[   49.054248] Disabling lock debugging due to kernel taint
[   49.060550] Kernel panic - not syncing: panic_on_warn set ...
[   49.066458] CPU: 1 PID: 7770 Comm: syz-executor437 Tainted: G    B             5.0.0-rc4+ #57
[   49.075096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.084427] Call Trace:
[   49.086995]  dump_stack+0x172/0x1f0
[   49.090605]  panic+0x2cb/0x65c
[   49.093780]  ? __warn_printk+0xf3/0xf3
[   49.097655]  ? trace_hardirqs_on+0x5e/0x230
[   49.101963]  ? trace_hardirqs_on+0x5e/0x230
[   49.106269]  ? __list_add_valid+0x9a/0xa0
[   49.110409]  end_report+0x47/0x4f
[   49.113857]  ? __list_add_valid+0x9a/0xa0
[   49.117986]  kasan_report.cold+0xe/0x40
[   49.121971]  ? __list_add_valid+0x9a/0xa0
[   49.126118]  __asan_report_load8_noabort+0x14/0x20
[   49.131025]  __list_add_valid+0x9a/0xa0
[   49.134987]  rdma_listen+0x63b/0x8e0
[   49.138687]  ucma_listen+0x14d/0x1c0
[   49.142405]  ? ucma_notify+0x190/0x190
[   49.146274]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   49.151797]  ? _copy_from_user+0xdd/0x150
[   49.155930]  ucma_write+0x2da/0x3c0
[   49.159544]  ? ucma_notify+0x190/0x190
[   49.163413]  ? ucma_open+0x290/0x290
[   49.167111]  ? do_wp_page+0x2f5/0x11d0
[   49.170983]  __vfs_write+0x116/0x8e0
[   49.174678]  ? ucma_open+0x290/0x290
[   49.178381]  ? kernel_read+0x120/0x120
[   49.182252]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[   49.187165]  ? common_file_perm+0x1d6/0x6f0
[   49.191586]  ? apparmor_file_permission+0x25/0x30
[   49.196424]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.201948]  ? security_file_permission+0x94/0x320
[   49.206860]  ? rw_verify_area+0x118/0x360
[   49.211003]  vfs_write+0x20c/0x580
[   49.214673]  ksys_write+0xea/0x1f0
[   49.218207]  ? __ia32_sys_read+0xb0/0xb0
[   49.222259]  ? do_syscall_64+0x26/0x610
[   49.226241]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.231691]  ? do_syscall_64+0x26/0x610
[   49.235678]  __x64_sys_write+0x73/0xb0
[   49.239559]  do_syscall_64+0x103/0x610
[   49.243443]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.248716] RIP: 0033:0x440f59
[   49.251918] Code: e8 cc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.270928] RSP: 002b:00007ffc04fa0d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   49.278635] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440f59
[   49.285894] RDX: 0000000000000010 RSI: 0000000020000240 RDI: 0000000000000003
[   49.293154] RBP: 000000000000bda6 R08: 00000000004002c8 R09: 00000000004002c8
[   49.300504] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ea0
[   49.307758] R13: 0000000000401f30 R14: 0000000000000000 R15: 0000000000000000
[   49.316092] Kernel Offset: disabled
[   49.319717] Rebooting in 86400 seconds..
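The log above is raw KASAN output, and the facts a triager reads out of it by hand (which frame outside the sanitizer plumbing faulted, where the object was allocated and freed, whether the reported offset is consistent with the raw addresses, whether the shadow byte really says "freed", and whether the free and the faulting access happened in different tasks) can be extracted and checked mechanically. The following Python script is an added example, not part of the syzkaller report or of the kernel: the regexes, the `Report` structure and the `INFRA` skip list are this example's own assumptions about the report layout, and `SAMPLE` is an excerpt of the report on this page with most frames elided.

```python
import re
from dataclasses import dataclass, field

# Sanitizer, stack-dump and allocator plumbing plus the generic list helper;
# skipped when picking the first frame that belongs to the code under test.
INFRA = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "__asan_", "save_stack", "kmem_cache_alloc", "kfree", "__list_add_valid")
KASAN_KMALLOC_FREE = 0xFB  # shadow byte KASAN writes over freed slab memory
TS = r"^\[\s*\d+\.\d+\]\s?"  # printk timestamp prefix, e.g. "[   48.568925] "
RE = {k: re.compile(TS + p) for k, p in {
    "bug": r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)",
    "access": r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)",
    "section": r"(?:Call Trace:|Allocated by task (?P<alloc>\d+):|Freed by task (?P<free>\d+):)",
    "frame": r"\s*(?P<unreliable>\? )?(?P<sym>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$",
    "object": r"The buggy address belongs to the object at (?P<base>[0-9a-f]+)",
    "cache": r"\s*which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)",
    "offset": r"The buggy address is located (?P<off>\d+) bytes inside of",
    "shadow": r">(?P<base>[0-9a-f]+): (?P<bytes>[0-9a-f ]+)$",
}.items()}

@dataclass
class Report:
    kind: str = ""; func: str = ""; rw: str = ""; size: int = 0; addr: int = 0
    obj_base: int = 0; obj_size: int = 0; cache: str = ""; offset: int = -1
    shadow: int = -1  # shadow byte covering addr, -1 if the dump did not show it
    tasks: dict = field(default_factory=dict)   # "access"/"alloc"/"free" -> pid
    stacks: dict = field(default_factory=dict)  # same keys -> reliable frames

def parse_kasan_report(text: str) -> Report:
    r, section = Report(), None
    for line in text.splitlines():
        if m := RE["bug"].match(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := RE["access"].match(line):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.tasks["access"] = m["pid"]
        elif m := RE["section"].match(line):
            section = "alloc" if m["alloc"] else "free" if m["free"] else "access"
            r.tasks.setdefault(section, m["alloc"] or m["free"])
            if section in r.stacks:  # the panic re-dumps the trace; keep the first
                section = None
            else:
                r.stacks[section] = []
        elif m := RE["frame"].match(line):
            if section and not m["unreliable"]:  # "? " frames are stale stack slots
                r.stacks[section].append(m["sym"])
        elif m := RE["object"].match(line):
            r.obj_base, section = int(m["base"], 16), None
        elif m := RE["cache"].match(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := RE["offset"].match(line):
            r.offset = int(m["off"])
        elif m := RE["shadow"].match(line):
            cells = m["bytes"].split()
            idx = (r.addr - int(m["base"], 16)) // 8  # one shadow byte per 8 bytes
            if 0 <= idx < len(cells):
                r.shadow = int(cells[idx], 16)
    return r

def first_interesting(frames):
    return next((f for f in frames if not f.startswith(INFRA)), None)

def triage(r: Report) -> dict:
    """Facts a triager wants, recomputed from the report rather than copied."""
    off = r.addr - r.obj_base
    return {
        "bug": f"{r.kind} {r.rw.lower()} of {r.size} bytes in {r.func}",
        "access_frame": first_interesting(r.stacks.get("access", [])),
        "alloc_frame": first_interesting(r.stacks.get("alloc", [])),
        "free_frame": first_interesting(r.stacks.get("free", [])),
        "offset_in_object": off,
        "offset_matches_report": off == r.offset,
        "access_within_object": 0 <= off and off + r.size <= r.obj_size,
        "shadow_marks_freed": r.shadow == KASAN_KMALLOC_FREE,
        # free and faulting access in different tasks: a lifetime race, not one path
        "cross_task": r.tasks.get("access") != r.tasks.get("free"),
    }

# Excerpt of the report on this page, most frames elided to keep it short.
SAMPLE = """\
[   48.568925] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0
[   48.575412] Read of size 8 at addr ffff88808f7cd5a0 by task syz-executor437/7770
[   48.601234] Call Trace:
[   48.603944]  dump_stack+0x172/0x1f0
[   48.625329]  kasan_report.cold+0x1b/0x40
[   48.638442]  __list_add_valid+0x9a/0xa0
[   48.642404]  rdma_listen+0x63b/0x8e0
[   48.646108]  ucma_listen+0x14d/0x1c0
[   48.649806]  ? ucma_notify+0x190/0x190
[   48.824751] Allocated by task 7768:
[   48.840366]  kmem_cache_alloc_trace+0x151/0x760
[   48.845023]  __rdma_create_id+0x5f/0x4e0
[   48.881979] Freed by task 7768:
[   48.896719]  kfree+0xcf/0x230
[   48.899830]  rdma_destroy_id+0x723/0xab0
[   48.933244] The buggy address belongs to the object at ffff88808f7cd3c0
[   48.933244]  which belongs to the cache kmalloc-2k of size 2048
[   48.946008] The buggy address is located 480 bytes inside of
[   49.020401] >ffff88808f7cd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__": print(triage(parse_kasan_report(SAMPLE)))
```

Run against the excerpt, the script reports what the full log also shows when read by hand: the object was allocated in __rdma_create_id (reached from ucma_create_id) and freed in rdma_destroy_id (reached from ucma_close via __fput) by task 7768, and was then dereferenced in rdma_listen (reached from ucma_listen) by task 7770; the access is 480 bytes into a 2048-byte kmalloc-2k object, matching 0x5a0 - 0x3c0, and the shadow byte under the caret is 0xfb, KASAN's marker for freed slab memory. The cross-task check is the detail worth automating: an allocation and free on one file descriptor's close path and a use from another task is the signature of a lifetime race, which tells the triager to look at the refcounting between the ucma file and the rdma id rather than at a single syscall.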