Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts.
2020/03/08 16:32:17 parsed 1 programs
2020/03/08 16:32:18 executed programs: 0
syzkaller login: [ 963.963266][ T9616] IPVS: ftp: loaded support on port[0] = 21
[ 964.028328][ T9616] chnl_net:caif_netlink_parms(): no params data found
[ 964.069759][ T9616] bridge0: port 1(bridge_slave_0) entered blocking state
[ 964.077563][ T9616] bridge0: port 1(bridge_slave_0) entered disabled state
[ 964.086812][ T9616] device bridge_slave_0 entered promiscuous mode
[ 964.095910][ T9616] bridge0: port 2(bridge_slave_1) entered blocking state
[ 964.104120][ T9616] bridge0: port 2(bridge_slave_1) entered disabled state
[ 964.112121][ T9616] device bridge_slave_1 entered promiscuous mode
[ 964.130353][ T9616] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 964.141587][ T9616] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 964.162226][ T9616] team0: Port device team_slave_0 added
[ 964.169945][ T9616] team0: Port device team_slave_1 added
[ 964.185476][ T9616] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 964.192501][ T9616] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 964.218526][ T9616] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 964.231262][ T9616] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 964.238334][ T9616] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 964.264585][ T9616] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 964.339986][ T9616] device hsr_slave_0 entered promiscuous mode
[ 964.377469][ T9616] device hsr_slave_1 entered promiscuous mode
[ 964.488731][ T9616] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 964.540594][ T9616] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 964.600298][ T9616] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 964.659468][ T9616] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 964.713768][ T9616] bridge0: port 2(bridge_slave_1) entered blocking state
[ 964.721080][ T9616] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 964.728986][ T9616] bridge0: port 1(bridge_slave_0) entered blocking state
[ 964.736172][ T9616] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 964.782503][ T9616] 8021q: adding VLAN 0 to HW filter on device bond0
[ 964.795887][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 964.816575][ T2806] bridge0: port 1(bridge_slave_0) entered disabled state
[ 964.825773][ T2806] bridge0: port 2(bridge_slave_1) entered disabled state
[ 964.834372][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 964.847267][ T9616] 8021q: adding VLAN 0 to HW filter on device team0
[ 964.862763][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 964.871308][ T2834] bridge0: port 1(bridge_slave_0) entered blocking state
[ 964.878493][ T2834] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 964.886084][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 964.895963][ T2834] bridge0: port 2(bridge_slave_1) entered blocking state
[ 964.903305][ T2834] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 964.922498][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 964.932395][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 964.945336][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 964.963651][ T9616] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 964.975068][ T9616] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 964.988188][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 964.996890][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 965.005764][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 965.028678][ T9616] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 965.036544][ T9626] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 965.045301][ T9626] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 965.070294][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 965.080840][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 965.097607][ T9616] device veth0_vlan entered promiscuous mode
[ 965.111252][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 965.119774][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 965.129060][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 965.136801][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 965.147850][ T9616] device veth1_vlan entered promiscuous mode
[ 965.171545][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 965.180826][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 965.189568][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 965.198060][ T2806] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 965.209458][ T9616] device veth0_macvtap entered promiscuous mode
[ 965.220471][ T9616] device veth1_macvtap entered promiscuous mode
[ 965.237753][ T9616] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 965.245232][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 965.254702][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 965.263035][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 965.271909][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 965.284025][ T9616] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 965.291714][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 965.300700][ T2834] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 967.100050][ T9858] ==================================================================
[ 967.108489][ T9858] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 967.115965][ T9858] Read of size 8 at addr ffff888093ed71e0 by task syz-executor.0/9858
[ 967.124103][ T9858]
[ 967.126429][ T9858] CPU: 0 PID: 9858 Comm: syz-executor.0 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
[ 967.136208][ T9858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 967.146243][ T9858] Call Trace:
[ 967.149626][ T9858]  dump_stack+0x188/0x20d
[ 967.153946][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.158785][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.163684][ T9858]  print_address_description.constprop.0.cold+0xd3/0x315
[ 967.170702][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.175545][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.180374][ T9858]  __kasan_report.cold+0x1a/0x32
[ 967.185321][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.190208][ T9858]  kasan_report+0xe/0x20
[ 967.194479][ T9858]  __list_add_valid+0x93/0xa0
[ 967.199258][ T9858]  rdma_listen+0x681/0x910
[ 967.203695][ T9858]  ucma_listen+0x14d/0x1c0
[ 967.208094][ T9858]  ? ucma_notify+0x190/0x190
[ 967.212714][ T9858]  ? __might_fault+0x190/0x1d0
[ 967.217473][ T9858]  ? _copy_from_user+0x123/0x190
[ 967.222415][ T9858]  ? ucma_notify+0x190/0x190
[ 967.226996][ T9858]  ucma_write+0x285/0x350
[ 967.231337][ T9858]  ? ucma_open+0x270/0x270
[ 967.235789][ T9858]  ? security_file_permission+0x8a/0x370
[ 967.241426][ T9858]  ? ucma_open+0x270/0x270
[ 967.245901][ T9858]  __vfs_write+0x76/0x100
[ 967.250226][ T9858]  vfs_write+0x262/0x5c0
[ 967.254470][ T9858]  ksys_write+0x1e8/0x250
[ 967.258795][ T9858]  ? __ia32_sys_read+0xb0/0xb0
[ 967.263582][ T9858]  ? __ia32_sys_clock_settime+0x260/0x260
[ 967.269329][ T9858]  ? trace_hardirqs_off_caller+0x55/0x230
[ 967.275270][ T9858]  do_syscall_64+0xf6/0x790
[ 967.279849][ T9858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 967.285724][ T9858] RIP: 0033:0x45c4a9
[ 967.289599][ T9858] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 967.309418][ T9858] RSP: 002b:00007fb40d76bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 967.318002][ T9858] RAX: ffffffffffffffda RBX: 00007fb40d76c6d4 RCX: 000000000045c4a9
[ 967.326066][ T9858] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 967.334051][ T9858] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 967.342061][ T9858] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 967.350022][ T9858] R13: 0000000000000cbe R14: 00000000004cea80 R15: 000000000076bfcc
[ 967.358001][ T9858]
[ 967.360323][ T9858] Allocated by task 9822:
[ 967.364649][ T9858]  save_stack+0x1b/0x40
[ 967.368793][ T9858]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 967.374421][ T9858]  kmem_cache_alloc_trace+0x153/0x7d0
[ 967.379784][ T9858]  __rdma_create_id+0x5b/0x850
[ 967.384535][ T9858]  ucma_create_id+0x1cb/0x580
[ 967.389217][ T9858]  ucma_write+0x285/0x350
[ 967.393549][ T9858]  __vfs_write+0x76/0x100
[ 967.397864][ T9858]  vfs_write+0x262/0x5c0
[ 967.402110][ T9858]  ksys_write+0x1e8/0x250
[ 967.406434][ T9858]  do_syscall_64+0xf6/0x790
[ 967.410923][ T9858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 967.416802][ T9858]
[ 967.419109][ T9858] Freed by task 9822:
[ 967.423174][ T9858]  save_stack+0x1b/0x40
[ 967.427323][ T9858]  __kasan_slab_free+0xf7/0x140
[ 967.432169][ T9858]  kfree+0x109/0x2b0
[ 967.436066][ T9858]  ucma_close+0x10b/0x300
[ 967.440390][ T9858]  __fput+0x2da/0x850
[ 967.444430][ T9858]  task_work_run+0x13f/0x1b0
[ 967.449057][ T9858]  exit_to_usermode_loop+0x2fa/0x360
[ 967.454403][ T9858]  do_syscall_64+0x672/0x790
[ 967.459034][ T9858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 967.465024][ T9858]
[ 967.467346][ T9858] The buggy address belongs to the object at ffff888093ed7000
[ 967.467346][ T9858]  which belongs to the cache kmalloc-2k of size 2048
[ 967.481398][ T9858] The buggy address is located 480 bytes inside of
[ 967.481398][ T9858]  2048-byte region [ffff888093ed7000, ffff888093ed7800)
[ 967.494905][ T9858] The buggy address belongs to the page:
[ 967.500533][ T9858] page:ffffea00024fb5c0 refcount:1 mapcount:0 mapping:000000005f7380dc index:0x0
[ 967.509633][ T9858] flags: 0xfffe0000000200(slab)
[ 967.514484][ T9858] raw: 00fffe0000000200 ffffea00029f9848 ffffea000255ff48 ffff8880aa000e00
[ 967.523075][ T9858] raw: 0000000000000000 ffff888093ed7000 0000000100000001 0000000000000000
[ 967.531654][ T9858] page dumped because: kasan: bad access detected
[ 967.538134][ T9858]
[ 967.540442][ T9858] Memory state around the buggy address:
[ 967.546054][ T9858]  ffff888093ed7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 967.554195][ T9858]  ffff888093ed7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 967.562239][ T9858] >ffff888093ed7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 967.570490][ T9858] ^
[ 967.577834][ T9858]  ffff888093ed7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 967.585888][ T9858]  ffff888093ed7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 967.593929][ T9858] ==================================================================
[ 967.601991][ T9858] Disabling lock debugging due to kernel taint
[ 967.610461][ T9858] Kernel panic - not syncing: panic_on_warn set ...
[ 967.617058][ T9858] CPU: 1 PID: 9858 Comm: syz-executor.0 Tainted: G B 5.6.0-rc3-next-20200228-syzkaller #0
[ 967.628451][ T9858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 967.638496][ T9858] Call Trace:
[ 967.641771][ T9858]  dump_stack+0x188/0x20d
[ 967.646167][ T9858]  panic+0x2e3/0x75c
[ 967.650045][ T9858]  ? add_taint.cold+0x16/0x16
[ 967.654721][ T9858]  ? preempt_schedule_common+0x5e/0xc0
[ 967.660184][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.665012][ T9858]  ? ___preempt_schedule+0x16/0x18
[ 967.670113][ T9858]  ? trace_hardirqs_on+0x55/0x220
[ 967.675184][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.680057][ T9858]  end_report+0x43/0x49
[ 967.684192][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.689032][ T9858]  __kasan_report.cold+0xd/0x32
[ 967.693865][ T9858]  ? __list_add_valid+0x93/0xa0
[ 967.698696][ T9858]  kasan_report+0xe/0x20
[ 967.702928][ T9858]  __list_add_valid+0x93/0xa0
[ 967.707607][ T9858]  rdma_listen+0x681/0x910
[ 967.712013][ T9858]  ucma_listen+0x14d/0x1c0
[ 967.716417][ T9858]  ? ucma_notify+0x190/0x190
[ 967.720984][ T9858]  ? __might_fault+0x190/0x1d0
[ 967.725724][ T9858]  ? _copy_from_user+0x123/0x190
[ 967.730648][ T9858]  ? ucma_notify+0x190/0x190
[ 967.735212][ T9858]  ucma_write+0x285/0x350
[ 967.739522][ T9858]  ? ucma_open+0x270/0x270
[ 967.743965][ T9858]  ? security_file_permission+0x8a/0x370
[ 967.749664][ T9858]  ? ucma_open+0x270/0x270
[ 967.754155][ T9858]  __vfs_write+0x76/0x100
[ 967.758524][ T9858]  vfs_write+0x262/0x5c0
[ 967.762756][ T9858]  ksys_write+0x1e8/0x250
[ 967.767068][ T9858]  ? __ia32_sys_read+0xb0/0xb0
[ 967.771866][ T9858]  ? __ia32_sys_clock_settime+0x260/0x260
[ 967.777699][ T9858]  ? trace_hardirqs_off_caller+0x55/0x230
[ 967.783397][ T9858]  do_syscall_64+0xf6/0x790
[ 967.788117][ T9858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 967.794185][ T9858] RIP: 0033:0x45c4a9
[ 967.798061][ T9858] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 967.817810][ T9858] RSP: 002b:00007fb40d76bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 967.826214][ T9858] RAX: ffffffffffffffda RBX: 00007fb40d76c6d4 RCX: 000000000045c4a9
[ 967.834220][ T9858] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 967.842216][ T9858] RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
[ 967.850225][ T9858] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 967.858189][ T9858] R13: 0000000000000cbe R14: 00000000004cea80 R15: 000000000076bfcc
[ 967.867926][ T9858] Kernel Offset: disabled
[ 967.872278][ T9858] Rebooting in 86400 seconds..