DUID 00:04:c5:78:79:07:21:f0:b3:e0:09:b6:1a:d6:4d:97:86:4f
forked to background, child pid 3172
[ 29.734609][ T3173] 8021q: adding VLAN 0 to HW filter on device bond0
[ 29.744396][ T3173] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 52.586722][ T3597] ==================================================================
[ 52.595138][ T3597] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 52.602591][ T3597] Read of size 8 at addr ffff88807d24c1e0 by task syz-executor341/3597
[ 52.610824][ T3597]
[ 52.613138][ T3597] CPU: 1 PID: 3597 Comm: syz-executor341 Not tainted 5.17.0-rc3-syzkaller-00020-g555f3d7be91a #0
[ 52.623679][ T3597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.633729][ T3597] Call Trace:
[ 52.637002][ T3597]
[ 52.639929][ T3597] dump_stack_lvl+0xcd/0x134
[ 52.644534][ T3597] print_address_description.constprop.0.cold+0x8d/0x336
[ 52.651643][ T3597] ? __list_add_valid+0x93/0xa0
[ 52.656484][ T3597] ? __list_add_valid+0x93/0xa0
[ 52.662111][ T3597] kasan_report.cold+0x83/0xdf
[ 52.666899][ T3597] ? __list_add_valid+0x93/0xa0
[ 52.671744][ T3597] __list_add_valid+0x93/0xa0
[ 52.676503][ T3597] rdma_listen+0x86e/0xde0
[ 52.680918][ T3597] ? do_raw_spin_unlock+0x171/0x230
[ 52.686113][ T3597] ? rdma_resolve_addr+0x2460/0x2460
[ 52.691405][ T3597] ? ucma_get_ctx+0x1f0/0x280
[ 52.696078][ T3597] ? ucma_create_uevent+0xb60/0xb60
[ 52.701291][ T3597] ucma_listen+0x16a/0x210
[ 52.705722][ T3597] ? ucma_notify+0x1b0/0x1b0
[ 52.710305][ T3597] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 52.716543][ T3597] ? _copy_from_user+0x5d/0x180
[ 52.721412][ T3597] ? ucma_notify+0x1b0/0x1b0
[ 52.726018][ T3597] ucma_write+0x25c/0x350
[ 52.730348][ T3597] ? ucma_query_gid+0x520/0x520
[ 52.735193][ T3597] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 52.741430][ T3597] ? security_file_permission+0xab/0xd0
[ 52.746999][ T3597] ? ucma_query_gid+0x520/0x520
[ 52.751986][ T3597] vfs_write+0x28e/0xae0
[ 52.756236][ T3597] ksys_write+0x1ee/0x250
[ 52.760567][ T3597] ? __ia32_sys_read+0xb0/0xb0
[ 52.765337][ T3597] ? syscall_enter_from_user_mode+0x21/0x70
[ 52.771233][ T3597] do_syscall_64+0x35/0xb0
[ 52.775643][ T3597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 52.781550][ T3597] RIP: 0033:0x7f0aca906fb9
[ 52.786106][ T3597] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 52.805795][ T3597] RSP: 002b:00007fffc9f11448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 52.814324][ T3597] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0aca906fb9
[ 52.822296][ T3597] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 52.830499][ T3597] RBP: 0000000000000000 R08: 00007fffc9f115e8 R09: 00007fffc9f115e8
[ 52.838535][ T3597] R10: 00007fffc9f115e8 R11: 0000000000000246 R12: 00007fffc9f1145c
[ 52.846536][ T3597] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 52.854625][ T3597]
[ 52.857750][ T3597]
[ 52.860067][ T3597] Allocated by task 3596:
[ 52.864381][ T3597] kasan_save_stack+0x1e/0x40
[ 52.869057][ T3597] __kasan_kmalloc+0xa9/0xd0
[ 52.873656][ T3597] __rdma_create_id+0x5b/0x5c0
[ 52.878412][ T3597] rdma_create_user_id+0x79/0xd0
[ 52.883344][ T3597] ucma_create_id+0x162/0x360
[ 52.888017][ T3597] ucma_write+0x25c/0x350
[ 52.892452][ T3597] vfs_write+0x28e/0xae0
[ 52.896772][ T3597] ksys_write+0x1ee/0x250
[ 52.901105][ T3597] do_syscall_64+0x35/0xb0
[ 52.905660][ T3597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 52.911651][ T3597]
[ 52.913980][ T3597] Freed by task 3596:
[ 52.917982][ T3597] kasan_save_stack+0x1e/0x40
[ 52.922656][ T3597] kasan_set_track+0x21/0x30
[ 52.927232][ T3597] kasan_set_free_info+0x20/0x30
[ 52.932161][ T3597] ____kasan_slab_free+0x130/0x160
[ 52.937393][ T3597] slab_free_freelist_hook+0x8b/0x1c0
[ 52.942973][ T3597] kfree+0xcb/0x280
[ 52.946907][ T3597] ucma_destroy_private_ctx+0x9ca/0xd20
[ 52.952680][ T3597] ucma_close+0x10a/0x180
[ 52.957010][ T3597] __fput+0x286/0x9f0
[ 52.961109][ T3597] task_work_run+0xdd/0x1a0
[ 52.965708][ T3597] do_exit+0xb29/0x2a30
[ 52.970026][ T3597] do_group_exit+0xd2/0x2f0
[ 52.974536][ T3597] __x64_sys_exit_group+0x3a/0x50
[ 52.979564][ T3597] do_syscall_64+0x35/0xb0
[ 52.983976][ T3597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 52.989866][ T3597]
[ 52.992179][ T3597] Last potentially related work creation:
[ 52.997934][ T3597] kasan_save_stack+0x1e/0x40
[ 53.002619][ T3597] __kasan_record_aux_stack+0xbe/0xd0
[ 53.007996][ T3597] call_rcu+0xb1/0x740
[ 53.012129][ T3597] netlink_release+0xf08/0x1db0
[ 53.017004][ T3597] __sock_release+0xcd/0x280
[ 53.021605][ T3597] sock_close+0x18/0x20
[ 53.025784][ T3597] __fput+0x286/0x9f0
[ 53.029752][ T3597] task_work_run+0xdd/0x1a0
[ 53.034262][ T3597] exit_to_user_mode_prepare+0x27e/0x290
[ 53.039905][ T3597] syscall_exit_to_user_mode+0x19/0x60
[ 53.045365][ T3597] do_syscall_64+0x42/0xb0
[ 53.049774][ T3597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 53.055659][ T3597]
[ 53.057976][ T3597] The buggy address belongs to the object at ffff88807d24c000
[ 53.057976][ T3597] which belongs to the cache kmalloc-2k of size 2048
[ 53.072073][ T3597] The buggy address is located 480 bytes inside of
[ 53.072073][ T3597] 2048-byte region [ffff88807d24c000, ffff88807d24c800)
[ 53.085530][ T3597] The buggy address belongs to the page:
[ 53.091164][ T3597] page:ffffea0001f49200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d248
[ 53.101326][ T3597] head:ffffea0001f49200 order:3 compound_mapcount:0 compound_pincount:0
[ 53.109650][ T3597] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 53.117728][ T3597] raw: 00fff00000010200 ffffea00052c7e00 dead000000000002 ffff888010c42000
[ 53.126322][ T3597] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 53.134900][ T3597] page dumped because: kasan: bad access detected
[ 53.141299][ T3597] page_owner tracks the page as allocated
[ 53.147015][ T3597] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2947, ts 17013492589, free_ts 15683127625
[ 53.166110][ T3597] get_page_from_freelist+0xa72/0x2f50
[ 53.171659][ T3597] __alloc_pages+0x1b2/0x500
[ 53.176237][ T3597] alloc_pages+0x1aa/0x310
[ 53.180657][ T3597] new_slab+0x28a/0x3b0
[ 53.184819][ T3597] ___slab_alloc+0x87c/0xe90
[ 53.189410][ T3597] __slab_alloc.constprop.0+0x4d/0xa0
[ 53.194860][ T3597] __kmalloc+0x2fb/0x340
[ 53.199090][ T3597] sk_prot_alloc+0x110/0x290
[ 53.203672][ T3597] sk_alloc+0x32/0xa80
[ 53.207983][ T3597] __netlink_create+0x63/0x2f0
[ 53.212735][ T3597] netlink_create+0x3ad/0x5e0
[ 53.217398][ T3597] __sock_create+0x353/0x790
[ 53.221993][ T3597] __sys_socket+0xef/0x200
[ 53.226402][ T3597] __x64_sys_socket+0x6f/0xb0
[ 53.231072][ T3597] do_syscall_64+0x35/0xb0
[ 53.235506][ T3597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 53.241388][ T3597] page last free stack trace:
[ 53.246044][ T3597] free_pcp_prepare+0x374/0x870
[ 53.250885][ T3597] free_unref_page+0x19/0x690
[ 53.255548][ T3597] free_contig_range+0xa8/0xf0
[ 53.260296][ T3597] destroy_args+0xa8/0x646
[ 53.264709][ T3597] debug_vm_pgtable+0x298e/0x2a20
[ 53.269727][ T3597] do_one_initcall+0x103/0x650
[ 53.274497][ T3597] kernel_init_freeable+0x6b1/0x73a
[ 53.279687][ T3597] kernel_init+0x1a/0x1d0
[ 53.284020][ T3597] ret_from_fork+0x1f/0x30
[ 53.288438][ T3597]
[ 53.290747][ T3597] Memory state around the buggy address:
[ 53.296464][ T3597] ffff88807d24c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.304513][ T3597] ffff88807d24c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.312651][ T3597] >ffff88807d24c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.321927][ T3597] ^
[ 53.329833][ T3597] ffff88807d24c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.337912][ T3597] ffff88807d24c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.346079][ T3597] ==================================================================
[ 53.354123][ T3597] Disabling lock debugging due to kernel taint
[ 53.361263][ T3597] Kernel panic - not syncing: panic_on_warn set ...
[ 53.367866][ T3597] CPU: 0 PID: 3597 Comm: syz-executor341 Tainted: G B 5.17.0-rc3-syzkaller-00020-g555f3d7be91a #0
[ 53.379865][ T3597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.390275][ T3597] Call Trace:
[ 53.393551][ T3597]
[ 53.396469][ T3597] dump_stack_lvl+0xcd/0x134
[ 53.401067][ T3597] panic+0x2b0/0x6dd
[ 53.404953][ T3597] ? __warn_printk+0xf3/0xf3
[ 53.409689][ T3597] ? preempt_schedule_common+0x59/0xc0
[ 53.415140][ T3597] ? __list_add_valid+0x93/0xa0
[ 53.419981][ T3597] ? preempt_schedule_thunk+0x16/0x18
[ 53.425354][ T3597] ? trace_hardirqs_on+0x38/0x1c0
[ 53.430367][ T3597] ? trace_hardirqs_on+0x51/0x1c0
[ 53.435378][ T3597] ? __list_add_valid+0x93/0xa0
[ 53.440217][ T3597] ? __list_add_valid+0x93/0xa0
[ 53.445067][ T3597] end_report.cold+0x63/0x6f
[ 53.449653][ T3597] kasan_report.cold+0x71/0xdf
[ 53.454427][ T3597] ? __list_add_valid+0x93/0xa0
[ 53.459268][ T3597] __list_add_valid+0x93/0xa0
[ 53.463941][ T3597] rdma_listen+0x86e/0xde0
[ 53.468466][ T3597] ? do_raw_spin_unlock+0x171/0x230
[ 53.473665][ T3597] ? rdma_resolve_addr+0x2460/0x2460
[ 53.478968][ T3597] ? ucma_get_ctx+0x1f0/0x280
[ 53.483643][ T3597] ? ucma_create_uevent+0xb60/0xb60
[ 53.488845][ T3597] ucma_listen+0x16a/0x210
[ 53.493255][ T3597] ? ucma_notify+0x1b0/0x1b0
[ 53.497839][ T3597] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 53.504115][ T3597] ? _copy_from_user+0x5d/0x180
[ 53.508974][ T3597] ? ucma_notify+0x1b0/0x1b0
[ 53.513558][ T3597] ucma_write+0x25c/0x350
[ 53.517915][ T3597] ? ucma_query_gid+0x520/0x520
[ 53.522778][ T3597] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 53.529025][ T3597] ? security_file_permission+0xab/0xd0
[ 53.534602][ T3597] ? ucma_query_gid+0x520/0x520
[ 53.539448][ T3597] vfs_write+0x28e/0xae0
[ 53.543688][ T3597] ksys_write+0x1ee/0x250
[ 53.548017][ T3597] ? __ia32_sys_read+0xb0/0xb0
[ 53.552797][ T3597] ? syscall_enter_from_user_mode+0x21/0x70
[ 53.558703][ T3597] do_syscall_64+0x35/0xb0
[ 53.563115][ T3597] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 53.569008][ T3597] RIP: 0033:0x7f0aca906fb9
[ 53.573416][ T3597] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 53.593015][ T3597] RSP: 002b:00007fffc9f11448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 53.601447][ T3597] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0aca906fb9
[ 53.609429][ T3597] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 53.617390][ T3597] RBP: 0000000000000000 R08: 00007fffc9f115e8 R09: 00007fffc9f115e8
[ 53.625374][ T3597] R10: 00007fffc9f115e8 R11: 0000000000000246 R12: 00007fffc9f1145c
[ 53.633336][ T3597] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 53.641364][ T3597]
[ 53.644539][ T3597] Kernel Offset: disabled
[ 53.648864][ T3597] Rebooting in 86400 seconds..