[info] Using makefile-style concurrent boot in runlevel 2.
[ 27.695190] audit: type=1800 audit(1545112574.566:21): pid=5888 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 32.869307] sshd (6026) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.144' (ECDSA) to the list of known hosts.
2018/12/18 05:56:59 parsed 1 programs
2018/12/18 05:57:01 executed programs: 0
[ 74.452303] IPVS: ftp: loaded support on port[0] = 21
[ 74.708336] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.715235] bridge0: port 1(bridge_slave_0) entered disabled state
[ 74.722412] device bridge_slave_0 entered promiscuous mode
[ 74.741026] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.747614] bridge0: port 2(bridge_slave_1) entered disabled state
[ 74.754567] device bridge_slave_1 entered promiscuous mode
[ 74.773512] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 74.792224] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 74.842327] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 74.862127] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 74.938837] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 74.946298] team0: Port device team_slave_0 added
[ 74.963084] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 74.970420] team0: Port device team_slave_1 added
[ 74.987130] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 75.007992] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 75.027887] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 75.048192] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 75.196218] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.202882] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.209868] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.216203] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.735073] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.787163] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 75.839218] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 75.845442] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 75.853192] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.899400] 8021q: adding VLAN 0 to HW filter on device team0
2018/12/18 05:57:06 executed programs: 125
2018/12/18 05:57:11 executed programs: 319
[ 86.282397] ==================================================================
[ 86.289880] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac
[ 86.296374] Read of size 8 at addr ffff8881b770f4e0 by task syz-executor0/8887
[ 86.303740]
[ 86.305372] CPU: 0 PID: 8887 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #376
[ 86.312637] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 86.321974] Call Trace:
[ 86.324558]  dump_stack+0x244/0x39d
[ 86.328191]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 86.333391]  ? printk+0xa7/0xcf
[ 86.336653]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 86.341401]  ? kasan_check_read+0x11/0x20
[ 86.345553]  print_address_description.cold.7+0x9/0x1ff
[ 86.350903]  kasan_report.cold.8+0x242/0x309
[ 86.355298]  ? __list_add_valid+0x8f/0xac
[ 86.359447]  __asan_report_load8_noabort+0x14/0x20
[ 86.364363]  __list_add_valid+0x8f/0xac
[ 86.368326]  rdma_listen+0x6dc/0x990
[ 86.372030]  ? rdma_resolve_addr+0x2870/0x2870
[ 86.376606]  ucma_listen+0x1a4/0x260
[ 86.380311]  ? ucma_notify+0x210/0x210
[ 86.384187]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 86.389710]  ? _copy_from_user+0xdf/0x150
[ 86.393857]  ? ucma_notify+0x210/0x210
[ 86.397734]  ucma_write+0x365/0x460
[ 86.401365]  ? ucma_open+0x3f0/0x3f0
[ 86.405070]  __vfs_write+0x119/0x9f0
[ 86.408771]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 86.413700]  ? ucma_open+0x3f0/0x3f0
[ 86.417401]  ? kernel_read+0x120/0x120
[ 86.421279]  ? apparmor_path_rmdir+0x30/0x30
[ 86.425676]  ? trace_hardirqs_off_caller+0x310/0x310
[ 86.430787]  ? apparmor_file_permission+0x24/0x30
[ 86.435638]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 86.441162]  ? security_file_permission+0x1c2/0x220
[ 86.446168]  ? rw_verify_area+0x118/0x360
[ 86.450302]  vfs_write+0x1fc/0x560
[ 86.453845]  ksys_write+0x101/0x260
[ 86.457461]  ? __ia32_sys_read+0xb0/0xb0
[ 86.461508]  ? trace_hardirqs_off_caller+0x310/0x310
[ 86.466599]  __x64_sys_write+0x73/0xb0
[ 86.470476]  do_syscall_64+0x1b9/0x820
[ 86.474354]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 86.479704]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 86.484617]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 86.489450]  ? trace_hardirqs_on_caller+0x310/0x310
[ 86.494466]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 86.499480]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 86.504518]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 86.509352]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 86.514556] RIP: 0033:0x457669
[ 86.517753] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 86.536753] RSP: 002b:00007fc98614cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 86.544456] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 86.551726] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000003
[ 86.559016] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 86.566282] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc98614d6d4
[ 86.573547] R13: 00000000004c5f10 R14: 00000000004da9d0 R15: 00000000ffffffff
[ 86.580839]
[ 86.582457] Allocated by task 8881:
[ 86.586108]  save_stack+0x43/0xd0
[ 86.589570]  kasan_kmalloc+0xc7/0xe0
[ 86.593267]  kmem_cache_alloc_trace+0x152/0x750
[ 86.597935]  __rdma_create_id+0xdf/0x650
[ 86.601982]  ucma_create_id+0x39b/0x990
[ 86.605971]  ucma_write+0x365/0x460
[ 86.609607]  __vfs_write+0x119/0x9f0
[ 86.613317]  vfs_write+0x1fc/0x560
[ 86.616872]  ksys_write+0x101/0x260
[ 86.620497]  __x64_sys_write+0x73/0xb0
[ 86.624368]  do_syscall_64+0x1b9/0x820
[ 86.628252]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 86.633420]
[ 86.635030] Freed by task 8880:
[ 86.638291]  save_stack+0x43/0xd0
[ 86.641742]  __kasan_slab_free+0x102/0x150
[ 86.645991]  kasan_slab_free+0xe/0x10
[ 86.649775]  kfree+0xcf/0x230
[ 86.652895]  rdma_destroy_id+0x835/0xcc0
[ 86.656949]  ucma_close+0x114/0x310
[ 86.660574]  __fput+0x385/0xa30
[ 86.663848]  ____fput+0x15/0x20
[ 86.667122]  task_work_run+0x1e8/0x2a0
[ 86.671007]  exit_to_usermode_loop+0x318/0x380
[ 86.675580]  do_syscall_64+0x6be/0x820
[ 86.679458]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 86.684638]
[ 86.686246] The buggy address belongs to the object at ffff8881b770f300
[ 86.686246]  which belongs to the cache kmalloc-2k of size 2048
[ 86.698885] The buggy address is located 480 bytes inside of
[ 86.698885]  2048-byte region [ffff8881b770f300, ffff8881b770fb00)
[ 86.710831] The buggy address belongs to the page:
[ 86.715750] page:ffffea0006ddc380 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0 compound_mapcount: 0
[ 86.725716] flags: 0x2fffc0000010200(slab|head)
[ 86.730389] raw: 02fffc0000010200 ffffea0006ed0988 ffffea0006e87308 ffff8881da800c40
[ 86.738272] raw: 0000000000000000 ffff8881b770e200 0000000100000003 0000000000000000
[ 86.746130] page dumped because: kasan: bad access detected
[ 86.751824]
[ 86.753450] Memory state around the buggy address:
[ 86.758368]  ffff8881b770f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.765708]  ffff8881b770f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.773051] >ffff8881b770f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.780397]                                                        ^
[ 86.786888]  ffff8881b770f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.794250]  ffff8881b770f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.801593] ==================================================================
[ 86.808941] Disabling lock debugging due to kernel taint
[ 86.815318] Kernel panic - not syncing: panic_on_warn set ...
[ 86.821226] CPU: 0 PID: 8887 Comm: syz-executor0 Tainted: G B 4.20.0-rc7+ #376
[ 86.829875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 86.839239] Call Trace:
[ 86.841808]  dump_stack+0x244/0x39d
[ 86.845428]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 86.850603]  panic+0x2ad/0x55c
[ 86.853780]  ? add_taint.cold.5+0x16/0x16
[ 86.857911]  ? preempt_schedule+0x4d/0x60
[ 86.862057]  ? ___preempt_schedule+0x16/0x18
[ 86.866464]  ? trace_hardirqs_on+0xb4/0x310
[ 86.870776]  kasan_end_report+0x47/0x4f
[ 86.874738]  kasan_report.cold.8+0x76/0x309
[ 86.879043]  ? __list_add_valid+0x8f/0xac
[ 86.883224]  __asan_report_load8_noabort+0x14/0x20
[ 86.888136]  __list_add_valid+0x8f/0xac
[ 86.892094]  rdma_listen+0x6dc/0x990
[ 86.895794]  ? rdma_resolve_addr+0x2870/0x2870
[ 86.900362]  ucma_listen+0x1a4/0x260
[ 86.904062]  ? ucma_notify+0x210/0x210
[ 86.907934]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 86.913451]  ? _copy_from_user+0xdf/0x150
[ 86.917580]  ? ucma_notify+0x210/0x210
[ 86.921453]  ucma_write+0x365/0x460
[ 86.925072]  ? ucma_open+0x3f0/0x3f0
[ 86.928804]  __vfs_write+0x119/0x9f0
[ 86.932529]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 86.937441]  ? ucma_open+0x3f0/0x3f0
[ 86.941139]  ? kernel_read+0x120/0x120
[ 86.945012]  ? apparmor_path_rmdir+0x30/0x30
[ 86.949405]  ? trace_hardirqs_off_caller+0x310/0x310
[ 86.954494]  ? apparmor_file_permission+0x24/0x30
[ 86.959334]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 86.964892]  ? security_file_permission+0x1c2/0x220
[ 86.969939]  ? rw_verify_area+0x118/0x360
[ 86.974068]  vfs_write+0x1fc/0x560
[ 86.977593]  ksys_write+0x101/0x260
[ 86.981243]  ? __ia32_sys_read+0xb0/0xb0
[ 86.985299]  ? trace_hardirqs_off_caller+0x310/0x310
[ 86.990384]  __x64_sys_write+0x73/0xb0
[ 86.994313]  do_syscall_64+0x1b9/0x820
[ 86.998190]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 87.003538]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 87.008452]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 87.013301]  ? trace_hardirqs_on_caller+0x310/0x310
[ 87.018318]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 87.023316]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 87.028315]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 87.033150]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 87.038321] RIP: 0033:0x457669
[ 87.041511] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 87.060438] RSP: 002b:00007fc98614cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 87.068129] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[ 87.075388] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000003
[ 87.082669] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 87.089964] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc98614d6d4
[ 87.097229] R13: 00000000004c5f10 R14: 00000000004da9d0 R15: 00000000ffffffff
[ 87.105494] Kernel Offset: disabled
[ 87.109121] Rebooting in 86400 seconds..