
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[   27.695190] audit: type=1800 audit(1545112574.566:21): pid=5888 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.869307] sshd (6026) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.144' (ECDSA) to the list of known hosts.
2018/12/18 05:56:59 parsed 1 programs
2018/12/18 05:57:01 executed programs: 0
[   74.452303] IPVS: ftp: loaded support on port[0] = 21
[   74.708336] bridge0: port 1(bridge_slave_0) entered blocking state
[   74.715235] bridge0: port 1(bridge_slave_0) entered disabled state
[   74.722412] device bridge_slave_0 entered promiscuous mode
[   74.741026] bridge0: port 2(bridge_slave_1) entered blocking state
[   74.747614] bridge0: port 2(bridge_slave_1) entered disabled state
[   74.754567] device bridge_slave_1 entered promiscuous mode
[   74.773512] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   74.792224] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   74.842327] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   74.862127] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   74.938837] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   74.946298] team0: Port device team_slave_0 added
[   74.963084] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   74.970420] team0: Port device team_slave_1 added
[   74.987130] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   75.007992] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   75.027887] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   75.048192] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   75.196218] bridge0: port 2(bridge_slave_1) entered blocking state
[   75.202882] bridge0: port 2(bridge_slave_1) entered forwarding state
[   75.209868] bridge0: port 1(bridge_slave_0) entered blocking state
[   75.216203] bridge0: port 1(bridge_slave_0) entered forwarding state
[   75.735073] 8021q: adding VLAN 0 to HW filter on device bond0
[   75.787163] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   75.839218] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   75.845442] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   75.853192] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   75.899400] 8021q: adding VLAN 0 to HW filter on device team0
2018/12/18 05:57:06 executed programs: 125
2018/12/18 05:57:11 executed programs: 319
[   86.282397] ==================================================================
[   86.289880] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[   86.296374] Read of size 8 at addr ffff8881b770f4e0 by task syz-executor0/8887
[   86.303740] 
[   86.305372] CPU: 0 PID: 8887 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #376
[   86.312637] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   86.321974] Call Trace:
[   86.324558]  dump_stack+0x244/0x39d
[   86.328191]  ? dump_stack_print_info.cold.1+0x20/0x20
[   86.333391]  ? printk+0xa7/0xcf
[   86.336653]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   86.341401]  ? kasan_check_read+0x11/0x20
[   86.345553]  print_address_description.cold.7+0x9/0x1ff
[   86.350903]  kasan_report.cold.8+0x242/0x309
[   86.355298]  ? __list_add_valid+0x8f/0xac
[   86.359447]  __asan_report_load8_noabort+0x14/0x20
[   86.364363]  __list_add_valid+0x8f/0xac
[   86.368326]  rdma_listen+0x6dc/0x990
[   86.372030]  ? rdma_resolve_addr+0x2870/0x2870
[   86.376606]  ucma_listen+0x1a4/0x260
[   86.380311]  ? ucma_notify+0x210/0x210
[   86.384187]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   86.389710]  ? _copy_from_user+0xdf/0x150
[   86.393857]  ? ucma_notify+0x210/0x210
[   86.397734]  ucma_write+0x365/0x460
[   86.401365]  ? ucma_open+0x3f0/0x3f0
[   86.405070]  __vfs_write+0x119/0x9f0
[   86.408771]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   86.413700]  ? ucma_open+0x3f0/0x3f0
[   86.417401]  ? kernel_read+0x120/0x120
[   86.421279]  ? apparmor_path_rmdir+0x30/0x30
[   86.425676]  ? trace_hardirqs_off_caller+0x310/0x310
[   86.430787]  ? apparmor_file_permission+0x24/0x30
[   86.435638]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   86.441162]  ? security_file_permission+0x1c2/0x220
[   86.446168]  ? rw_verify_area+0x118/0x360
[   86.450302]  vfs_write+0x1fc/0x560
[   86.453845]  ksys_write+0x101/0x260
[   86.457461]  ? __ia32_sys_read+0xb0/0xb0
[   86.461508]  ? trace_hardirqs_off_caller+0x310/0x310
[   86.466599]  __x64_sys_write+0x73/0xb0
[   86.470476]  do_syscall_64+0x1b9/0x820
[   86.474354]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   86.479704]  ? syscall_return_slowpath+0x5e0/0x5e0
[   86.484617]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   86.489450]  ? trace_hardirqs_on_caller+0x310/0x310
[   86.494466]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   86.499480]  ? prepare_exit_to_usermode+0x291/0x3b0
[   86.504518]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   86.509352]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   86.514556] RIP: 0033:0x457669
[   86.517753] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   86.536753] RSP: 002b:00007fc98614cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   86.544456] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[   86.551726] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000003
[   86.559016] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[   86.566282] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc98614d6d4
[   86.573547] R13: 00000000004c5f10 R14: 00000000004da9d0 R15: 00000000ffffffff
[   86.580839] 
[   86.582457] Allocated by task 8881:
[   86.586108]  save_stack+0x43/0xd0
[   86.589570]  kasan_kmalloc+0xc7/0xe0
[   86.593267]  kmem_cache_alloc_trace+0x152/0x750
[   86.597935]  __rdma_create_id+0xdf/0x650
[   86.601982]  ucma_create_id+0x39b/0x990
[   86.605971]  ucma_write+0x365/0x460
[   86.609607]  __vfs_write+0x119/0x9f0
[   86.613317]  vfs_write+0x1fc/0x560
[   86.616872]  ksys_write+0x101/0x260
[   86.620497]  __x64_sys_write+0x73/0xb0
[   86.624368]  do_syscall_64+0x1b9/0x820
[   86.628252]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   86.633420] 
[   86.635030] Freed by task 8880:
[   86.638291]  save_stack+0x43/0xd0
[   86.641742]  __kasan_slab_free+0x102/0x150
[   86.645991]  kasan_slab_free+0xe/0x10
[   86.649775]  kfree+0xcf/0x230
[   86.652895]  rdma_destroy_id+0x835/0xcc0
[   86.656949]  ucma_close+0x114/0x310
[   86.660574]  __fput+0x385/0xa30
[   86.663848]  ____fput+0x15/0x20
[   86.667122]  task_work_run+0x1e8/0x2a0
[   86.671007]  exit_to_usermode_loop+0x318/0x380
[   86.675580]  do_syscall_64+0x6be/0x820
[   86.679458]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   86.684638] 
[   86.686246] The buggy address belongs to the object at ffff8881b770f300
[   86.686246]  which belongs to the cache kmalloc-2k of size 2048
[   86.698885] The buggy address is located 480 bytes inside of
[   86.698885]  2048-byte region [ffff8881b770f300, ffff8881b770fb00)
[   86.710831] The buggy address belongs to the page:
[   86.715750] page:ffffea0006ddc380 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0 compound_mapcount: 0
[   86.725716] flags: 0x2fffc0000010200(slab|head)
[   86.730389] raw: 02fffc0000010200 ffffea0006ed0988 ffffea0006e87308 ffff8881da800c40
[   86.738272] raw: 0000000000000000 ffff8881b770e200 0000000100000003 0000000000000000
[   86.746130] page dumped because: kasan: bad access detected
[   86.751824] 
[   86.753450] Memory state around the buggy address:
[   86.758368]  ffff8881b770f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.765708]  ffff8881b770f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.773051] >ffff8881b770f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.780397]                                                        ^
[   86.786888]  ffff8881b770f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.794250]  ffff8881b770f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.801593] ==================================================================
[   86.808941] Disabling lock debugging due to kernel taint
[   86.815318] Kernel panic - not syncing: panic_on_warn set ...
[   86.821226] CPU: 0 PID: 8887 Comm: syz-executor0 Tainted: G    B             4.20.0-rc7+ #376
[   86.829875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   86.839239] Call Trace:
[   86.841808]  dump_stack+0x244/0x39d
[   86.845428]  ? dump_stack_print_info.cold.1+0x20/0x20
[   86.850603]  panic+0x2ad/0x55c
[   86.853780]  ? add_taint.cold.5+0x16/0x16
[   86.857911]  ? preempt_schedule+0x4d/0x60
[   86.862057]  ? ___preempt_schedule+0x16/0x18
[   86.866464]  ? trace_hardirqs_on+0xb4/0x310
[   86.870776]  kasan_end_report+0x47/0x4f
[   86.874738]  kasan_report.cold.8+0x76/0x309
[   86.879043]  ? __list_add_valid+0x8f/0xac
[   86.883224]  __asan_report_load8_noabort+0x14/0x20
[   86.888136]  __list_add_valid+0x8f/0xac
[   86.892094]  rdma_listen+0x6dc/0x990
[   86.895794]  ? rdma_resolve_addr+0x2870/0x2870
[   86.900362]  ucma_listen+0x1a4/0x260
[   86.904062]  ? ucma_notify+0x210/0x210
[   86.907934]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   86.913451]  ? _copy_from_user+0xdf/0x150
[   86.917580]  ? ucma_notify+0x210/0x210
[   86.921453]  ucma_write+0x365/0x460
[   86.925072]  ? ucma_open+0x3f0/0x3f0
[   86.928804]  __vfs_write+0x119/0x9f0
[   86.932529]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   86.937441]  ? ucma_open+0x3f0/0x3f0
[   86.941139]  ? kernel_read+0x120/0x120
[   86.945012]  ? apparmor_path_rmdir+0x30/0x30
[   86.949405]  ? trace_hardirqs_off_caller+0x310/0x310
[   86.954494]  ? apparmor_file_permission+0x24/0x30
[   86.959334]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   86.964892]  ? security_file_permission+0x1c2/0x220
[   86.969939]  ? rw_verify_area+0x118/0x360
[   86.974068]  vfs_write+0x1fc/0x560
[   86.977593]  ksys_write+0x101/0x260
[   86.981243]  ? __ia32_sys_read+0xb0/0xb0
[   86.985299]  ? trace_hardirqs_off_caller+0x310/0x310
[   86.990384]  __x64_sys_write+0x73/0xb0
[   86.994313]  do_syscall_64+0x1b9/0x820
[   86.998190]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   87.003538]  ? syscall_return_slowpath+0x5e0/0x5e0
[   87.008452]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   87.013301]  ? trace_hardirqs_on_caller+0x310/0x310
[   87.018318]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   87.023316]  ? prepare_exit_to_usermode+0x291/0x3b0
[   87.028315]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   87.033150]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   87.038321] RIP: 0033:0x457669
[   87.041511] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   87.060438] RSP: 002b:00007fc98614cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   87.068129] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[   87.075388] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000003
[   87.082669] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[   87.089964] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc98614d6d4
[   87.097229] R13: 00000000004c5f10 R14: 00000000004da9d0 R15: 00000000ffffffff
[   87.105494] Kernel Offset: disabled
[   87.109121] Rebooting in 86400 seconds..