[ 37.994517][ T26] audit: type=1800 audit(1553851985.425:27): pid=7611 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ 38.021419][ T26] audit: type=1800 audit(1553851985.425:28): pid=7611 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 38.750015][ T26] audit: type=1800 audit(1553851986.235:29): pid=7611 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 38.775028][ T26] audit: type=1800 audit(1553851986.245:30): pid=7611 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts. 
2019/03/29 09:33:16 fuzzer started 2019/03/29 09:33:19 dialing manager at 10.128.0.26:43143 2019/03/29 09:33:19 syscalls: 1 2019/03/29 09:33:19 code coverage: enabled 2019/03/29 09:33:19 comparison tracing: enabled 2019/03/29 09:33:19 extra coverage: extra coverage is not supported by the kernel 2019/03/29 09:33:19 setuid sandbox: enabled 2019/03/29 09:33:19 namespace sandbox: enabled 2019/03/29 09:33:19 Android sandbox: /sys/fs/selinux/policy does not exist 2019/03/29 09:33:19 fault injection: enabled 2019/03/29 09:33:19 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/03/29 09:33:19 net packet injection: enabled 2019/03/29 09:33:19 net device setup: enabled 09:36:02 executing program 0: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x80003ff, 0x0, 0x1b, 0x20040, 0x0, 0x1000000004}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0df3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754e50c420fae9972b571112d02") syzkaller login: [ 215.358372][ T7776] IPVS: ftp: loaded support on port[0] = 21 09:36:02 executing program 1: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x98e9, 0x0, 0x5, 0x0, 0xffffffffffffffff, 0x0, 0x3437f0dd}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02") [ 215.469845][ T7776] chnl_net:caif_netlink_parms(): no params data found [ 215.557920][ T7776] bridge0: port 1(bridge_slave_0) entered blocking state [ 215.582821][ T7776] bridge0: port 1(bridge_slave_0) entered disabled state [ 215.590901][ T7776] device bridge_slave_0 entered 
promiscuous mode [ 215.600241][ T7776] bridge0: port 2(bridge_slave_1) entered blocking state [ 215.607654][ T7776] bridge0: port 2(bridge_slave_1) entered disabled state [ 215.615547][ T7776] device bridge_slave_1 entered promiscuous mode [ 215.638510][ T7776] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 215.649133][ T7776] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 215.651498][ T7779] IPVS: ftp: loaded support on port[0] = 21 09:36:03 executing program 2: socketpair$unix(0x1, 0x20000000000002, 0x0, &(0x7f0000000080)={0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x3, 0x0, 0x7, 0x2, 0xe2}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02") [ 215.679123][ T7776] team0: Port device team_slave_0 added [ 215.687079][ T7776] team0: Port device team_slave_1 added [ 215.775448][ T7776] device hsr_slave_0 entered promiscuous mode [ 215.813088][ T7776] device hsr_slave_1 entered promiscuous mode 09:36:03 executing program 3: socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x7, 0x0, 0x14, 0x0, 0x0, 0xffffffffffffffff, 0x80000000}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0df3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754e50c420fae9972b571112d02") [ 215.967764][ T7781] IPVS: ftp: loaded support on port[0] = 21 [ 216.029969][ T7776] bridge0: port 2(bridge_slave_1) entered blocking state [ 216.037223][ T7776] bridge0: port 2(bridge_slave_1) entered forwarding state [ 216.044969][ T7776] bridge0: port 1(bridge_slave_0) entered blocking state [ 216.052061][ 
T7776] bridge0: port 1(bridge_slave_0) entered forwarding state [ 216.078126][ T7783] IPVS: ftp: loaded support on port[0] = 21 09:36:03 executing program 4: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000080)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000000)={0xffffffffffffffff}, 0x13f}}, 0xffaf) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0xe, 0x18, 0xfa00, @id_afonly={&(0x7f0000000040)=0x1, r1, 0x0, 0x2, 0x4}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_IP(r0, &(0x7f0000000200)={0x3, 0x40, 0xfa00, {{0xa, 0x4e21}, {0xa, 0x0, 0x0, @mcast1}, r1}}, 0x48) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000340)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000380)={0xffffffffffffffff}, 0x13f}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_IP(r0, &(0x7f00000003c0)={0x3, 0x8, 0xfa00, {{0xa, 0x4e21, 0x0, @ipv4}, {}, r2}}, 0x48) write$RDMA_USER_CM_CMD_LISTEN(r0, &(0x7f00000001c0)={0x7, 0x8, 0xfa00, {r2}}, 0x10) [ 216.295728][ T7779] chnl_net:caif_netlink_parms(): no params data found [ 216.310669][ T7781] chnl_net:caif_netlink_parms(): no params data found [ 216.348666][ T7776] 8021q: adding VLAN 0 to HW filter on device bond0 [ 216.394573][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 216.408695][ T17] bridge0: port 1(bridge_slave_0) entered disabled state [ 216.427146][ T17] bridge0: port 2(bridge_slave_1) entered disabled state [ 216.436137][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready 09:36:04 executing program 5: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000ac0)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(aes-aesni)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r1 = accept$alg(r0, 0x0, 0x0) sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18}, 0x0) recvmmsg(r1, &(0x7f0000004ec0)=[{{0x0, 0x0, 
&(0x7f00000006c0)=[{&(0x7f0000000000)=""/84, 0x54}], 0x1}}], 0x1, 0x0, 0x0) [ 216.452546][ T7776] 8021q: adding VLAN 0 to HW filter on device team0 [ 216.481843][ T7788] IPVS: ftp: loaded support on port[0] = 21 [ 216.586701][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 216.595706][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 216.606866][ T17] bridge0: port 1(bridge_slave_0) entered blocking state [ 216.613988][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state [ 216.621785][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 216.632481][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 216.640841][ T17] bridge0: port 2(bridge_slave_1) entered blocking state [ 216.647893][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state [ 216.655555][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 216.663987][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 216.672332][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 216.680822][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 216.689026][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 216.697475][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 216.706104][ T7779] bridge0: port 1(bridge_slave_0) entered blocking state [ 216.713818][ T7779] bridge0: port 1(bridge_slave_0) entered disabled state [ 216.721357][ T7779] device bridge_slave_0 entered promiscuous mode [ 216.731641][ T7779] bridge0: port 2(bridge_slave_1) entered blocking state [ 216.738764][ T7779] bridge0: port 2(bridge_slave_1) entered disabled state [ 216.746599][ T7779] device bridge_slave_1 entered promiscuous mode [ 216.760013][ T7781] bridge0: port 1(bridge_slave_0) entered blocking state [ 216.767563][ T7781] bridge0: port 1(bridge_slave_0) entered disabled state [ 216.775517][ T7781] device 
bridge_slave_0 entered promiscuous mode [ 216.782992][ T7781] bridge0: port 2(bridge_slave_1) entered blocking state [ 216.790042][ T7781] bridge0: port 2(bridge_slave_1) entered disabled state [ 216.797825][ T7781] device bridge_slave_1 entered promiscuous mode [ 216.809975][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 216.836135][ T7779] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 216.857322][ T7781] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 216.866447][ T7783] chnl_net:caif_netlink_parms(): no params data found [ 216.881880][ T7779] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 216.900624][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 216.909033][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 216.920918][ T7776] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 216.932891][ T7776] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 216.941903][ T7781] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 216.980848][ T7792] IPVS: ftp: loaded support on port[0] = 21 [ 216.990033][ T3739] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 216.998540][ T3739] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 217.016493][ T7779] team0: Port device team_slave_0 added [ 217.036257][ T7781] team0: Port device team_slave_0 added [ 217.043664][ T7779] team0: Port device team_slave_1 added [ 217.064321][ T7783] bridge0: port 1(bridge_slave_0) entered blocking state [ 217.071422][ T7783] bridge0: port 1(bridge_slave_0) entered disabled state [ 217.079142][ T7783] device bridge_slave_0 entered promiscuous mode [ 217.087449][ T7781] team0: Port device team_slave_1 added [ 217.155845][ T7779] device hsr_slave_0 entered promiscuous mode [ 217.193040][ T7779] device hsr_slave_1 entered promiscuous mode [ 217.236167][ T7783] 
bridge0: port 2(bridge_slave_1) entered blocking state [ 217.243445][ T7783] bridge0: port 2(bridge_slave_1) entered disabled state [ 217.251025][ T7783] device bridge_slave_1 entered promiscuous mode [ 217.315474][ T7781] device hsr_slave_0 entered promiscuous mode [ 217.373222][ T7781] device hsr_slave_1 entered promiscuous mode [ 217.465025][ T7783] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 217.475315][ T7783] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 217.486553][ T7776] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 217.605091][ T7788] chnl_net:caif_netlink_parms(): no params data found [ 217.619772][ T7783] team0: Port device team_slave_0 added [ 217.628308][ T7783] team0: Port device team_slave_1 added [ 217.735277][ T7783] device hsr_slave_0 entered promiscuous mode [ 217.793095][ T7783] device hsr_slave_1 entered promiscuous mode 09:36:05 executing program 0: syz_emit_ethernet(0xffffffffffffffea, &(0x7f0000000000)={@local, @dev, [], {@ipv4={0x800, {{0x9, 0x4, 0x13, 0x0, 0x2ce, 0x0, 0x0, 0x0, 0x29, 0x0, @rand_addr, @multicast1}, @icmp=@address_reply={0x8, 0x10}}}}}, &(0x7f0000000040)={0x0, 0x3, [0x0, 0x2d9, 0x3]}) [ 217.906815][ T7792] chnl_net:caif_netlink_parms(): no params data found [ 217.913695][ T7802] sit: non-ECT from 0.0.0.0 with TOS=0x3 [ 217.914425][ T7802] sit: non-ECT from 0.0.0.0 with TOS=0x3 [ 217.942652][ T7788] bridge0: port 1(bridge_slave_0) entered blocking state 09:36:05 executing program 0: syz_emit_ethernet(0xffffffffffffffea, &(0x7f0000000000)={@local, @dev, [], {@ipv4={0x800, {{0x9, 0x4, 0x13, 0x0, 0x2ce, 0x0, 0x0, 0x0, 0x29, 0x0, @rand_addr, @multicast1}, @icmp=@address_reply={0x8, 0x10}}}}}, &(0x7f0000000040)={0x0, 0x3, [0x0, 0x2d9, 0x3]}) 09:36:05 executing program 0: syz_emit_ethernet(0xffffffffffffffea, &(0x7f0000000000)={@local, @dev, [], {@ipv4={0x800, {{0x9, 0x4, 0x13, 0x0, 0x2ce, 0x0, 0x0, 0x0, 0x29, 0x0, @rand_addr, @multicast1}, @icmp=@address_reply={0x8, 
0x10}}}}}, &(0x7f0000000040)={0x0, 0x3, [0x0, 0x2d9, 0x3]}) [ 217.959385][ T7788] bridge0: port 1(bridge_slave_0) entered disabled state [ 217.975222][ T7788] device bridge_slave_0 entered promiscuous mode [ 217.995750][ T7805] sit: non-ECT from 0.0.0.0 with TOS=0x3 [ 217.996851][ T7781] 8021q: adding VLAN 0 to HW filter on device bond0 [ 218.037889][ T7788] bridge0: port 2(bridge_slave_1) entered blocking state [ 218.050337][ T7788] bridge0: port 2(bridge_slave_1) entered disabled state [ 218.060001][ T7788] device bridge_slave_1 entered promiscuous mode [ 218.074816][ T7808] sit: non-ECT from 0.0.0.0 with TOS=0x3 09:36:05 executing program 0: syz_emit_ethernet(0xffffffffffffffea, &(0x7f0000000000)={@local, @dev, [], {@ipv4={0x800, {{0x9, 0x4, 0x13, 0x0, 0x2ce, 0x0, 0x0, 0x0, 0x29, 0x0, @rand_addr, @multicast1}, @icmp=@address_reply={0x8, 0x10}}}}}, &(0x7f0000000040)={0x0, 0x3, [0x0, 0x2d9, 0x3]}) [ 218.091824][ T7779] 8021q: adding VLAN 0 to HW filter on device bond0 [ 218.147561][ T7811] sit: non-ECT from 0.0.0.0 with TOS=0x3 [ 218.161140][ T7788] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 218.188077][ T7792] bridge0: port 1(bridge_slave_0) entered blocking state [ 218.195302][ T7792] bridge0: port 1(bridge_slave_0) entered disabled state [ 218.211565][ T7792] device bridge_slave_0 entered promiscuous mode [ 218.221522][ T7792] bridge0: port 2(bridge_slave_1) entered blocking state 09:36:05 executing program 0: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x3, 0x0, 0xc, 0x0, 0x0, 0xeb}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02") [ 218.236430][ T7792] bridge0: port 2(bridge_slave_1) entered disabled state [ 218.251485][ T7792] device 
bridge_slave_1 entered promiscuous mode [ 218.261948][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 218.269982][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 218.279374][ T7788] bond0: Enslaving bond_slave_1 as an active interface with an up link 09:36:05 executing program 0: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0df3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754e50c420fae9972b571112d02") ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x4000009, 0x0, 0x0, 0x0, 0x2, 0xffffffffffffffdc, 0x8}) [ 218.314970][ T7792] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 218.325782][ T7781] 8021q: adding VLAN 0 to HW filter on device team0 [ 218.333948][ T7788] team0: Port device team_slave_0 added [ 218.341256][ T7792] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 218.391107][ T7792] team0: Port device team_slave_0 added [ 218.399183][ T7788] team0: Port device team_slave_1 added [ 218.430747][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 218.438952][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 218.450184][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 218.460589][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 218.475099][ T17] bridge0: port 1(bridge_slave_0) entered blocking state [ 218.482190][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state [ 218.492445][ T7779] 8021q: adding VLAN 0 to HW filter on device team0 [ 218.501772][ T7792] team0: Port device team_slave_1 added [ 218.575330][ T7792] device hsr_slave_0 entered promiscuous mode [ 218.620437][ T7792] device hsr_slave_1 entered promiscuous mode [ 218.715402][ T7788] device 
hsr_slave_0 entered promiscuous mode [ 218.773082][ T7788] device hsr_slave_1 entered promiscuous mode [ 218.825975][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 218.871077][ T7783] 8021q: adding VLAN 0 to HW filter on device bond0 [ 218.892787][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 218.901388][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 218.910867][ T7784] bridge0: port 1(bridge_slave_0) entered blocking state [ 218.918017][ T7784] bridge0: port 1(bridge_slave_0) entered forwarding state [ 218.927695][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 218.936464][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 218.945424][ T7784] bridge0: port 2(bridge_slave_1) entered blocking state [ 218.952544][ T7784] bridge0: port 2(bridge_slave_1) entered forwarding state [ 218.960550][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 218.969832][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 218.978514][ T7784] bridge0: port 2(bridge_slave_1) entered blocking state [ 218.985647][ T7784] bridge0: port 2(bridge_slave_1) entered forwarding state [ 218.993580][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 219.002422][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 219.011432][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 219.020324][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 219.029122][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 219.039985][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 219.048748][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 219.057708][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 219.066600][ T7784] IPv6: 
ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 219.075408][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 219.084080][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 219.093126][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 219.107562][ T7781] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 219.120874][ T7781] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 219.161421][ T7783] 8021q: adding VLAN 0 to HW filter on device team0 09:36:06 executing program 0: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0df3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754e50c420fae9972b571112d02") ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x4000009, 0x0, 0x0, 0x0, 0x2, 0xffffffffffffffdc, 0x8}) [ 219.175665][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 219.188920][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 219.199298][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 219.211015][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 219.226919][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 219.238126][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 219.250184][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 219.258421][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 219.268196][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 219.275969][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 219.284516][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link 
becomes ready [ 219.293241][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 219.301361][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 219.310129][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 219.325737][ T7779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 219.344808][ T7781] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 219.393788][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 219.402357][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 219.417703][ T2988] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.424800][ T2988] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.432606][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 219.441167][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 219.449659][ T2988] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.456733][ T2988] bridge0: port 2(bridge_slave_1) entered forwarding state [ 219.486818][ T7792] 8021q: adding VLAN 0 to HW filter on device bond0 [ 219.498579][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 219.507099][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 219.527896][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 219.555124][ T7783] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 219.567155][ T7783] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 219.588558][ T7788] 8021q: adding VLAN 0 to HW filter on device bond0 [ 219.596102][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 219.604671][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 219.613041][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 219.621405][ T7784] IPv6: 
ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 219.630888][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 219.639185][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 219.647618][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 219.656363][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 219.665080][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 219.672937][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 219.682114][ T7779] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 219.703371][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 219.711111][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 219.724160][ T7788] 8021q: adding VLAN 0 to HW filter on device team0 [ 219.733358][ T7792] 8021q: adding VLAN 0 to HW filter on device team0 [ 219.745984][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 219.759889][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 219.773586][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 219.782091][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 219.790703][ T7784] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.797793][ T7784] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.805992][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 219.814966][ T7784] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 219.823375][ T7784] bridge0: port 2(bridge_slave_1) entered blocking state [ 219.830411][ T7784] bridge0: port 2(bridge_slave_1) entered forwarding state [ 219.839774][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 219.847814][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 219.856504][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link 
becomes ready [ 219.865235][ T2988] bridge0: port 1(bridge_slave_0) entered blocking state [ 219.872280][ T2988] bridge0: port 1(bridge_slave_0) entered forwarding state [ 219.880920][ T2988] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 219.929563][ T7783] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 219.941822][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 219.952832][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 219.961190][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 219.969838][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 219.978394][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 219.987257][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 219.995983][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 220.004919][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 220.013140][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 220.021297][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 220.029723][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 220.038406][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 220.046736][ T17] bridge0: port 2(bridge_slave_1) entered blocking state [ 220.053804][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state [ 220.061223][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 220.069760][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 220.078132][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 220.087327][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 220.097120][ T7792] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready 09:36:07 executing program 1: socketpair$unix(0x1, 0x400000000005, 0x0, 
&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x5bb, 0x0, 0xfffffffffffffffd, 0x0, 0x551, 0x0, 0x1}) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0df3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754e50c420fae9972b571112d02") 09:36:07 executing program 0: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0df3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754e50c420fae9972b571112d02") ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x4000009, 0x0, 0x0, 0x0, 0x2, 0xffffffffffffffdc, 0x8}) [ 220.121428][ T7788] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 220.139681][ T7788] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 220.151895][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 220.174053][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 220.184273][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 220.193201][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 220.201745][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 220.213358][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 220.221592][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 220.230599][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 220.240098][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 220.261974][ T7788] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 220.381668][ T7792] 8021q: adding VLAN 
0 to HW filter on device batadv0 09:36:07 executing program 3: r0 = socket$inet(0x2, 0x80001, 0x84) bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e20, @loopback}, 0x10) sendmsg(r0, &(0x7f000001afc8)={&(0x7f0000006000)=@in={0x2, 0x4e20, @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)='*', 0x1}], 0x1}, 0x0) write$binfmt_elf32(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="ee"], 0x1) shutdown(r0, 0x1) close(r0) 09:36:08 executing program 2: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000180)={0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1f, 0x9, 0x2000004000ce95}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c7b7d95a91914e424a2664f0ff065b460f343030082e67660f50e9000046a1e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02") 09:36:08 executing program 5: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000ac0)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(aes-aesni)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r1 = accept$alg(r0, 0x0, 0x0) sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18}, 0x0) recvmmsg(r1, &(0x7f0000004ec0)=[{{0x0, 0x0, &(0x7f00000006c0)=[{&(0x7f0000000000)=""/84, 0x54}], 0x1}}], 0x1, 0x0, 0x0) 09:36:08 executing program 0: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0df3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754e50c420fae9972b571112d02") ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x4000009, 0x0, 0x0, 0x0, 0x2, 0xffffffffffffffdc, 0x8}) 09:36:08 executing program 1: socketpair$unix(0x1, 0x200000000000005, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 
0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x400000000000007, 0x0, 0x0, 0xa, 0x0, 0x1, 0x40}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02") 09:36:08 executing program 4: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000080)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000000)={0xffffffffffffffff}, 0x13f}}, 0xffaf) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0xe, 0x18, 0xfa00, @id_afonly={&(0x7f0000000040)=0x1, r1, 0x0, 0x2, 0x4}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_IP(r0, &(0x7f0000000200)={0x3, 0x40, 0xfa00, {{0xa, 0x4e21}, {0xa, 0x0, 0x0, @mcast1}, r1}}, 0x48) write$RDMA_USER_CM_CMD_CREATE_ID(r0, &(0x7f0000000340)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000380)={0xffffffffffffffff}, 0x13f}}, 0x20) write$RDMA_USER_CM_CMD_RESOLVE_IP(r0, &(0x7f00000003c0)={0x3, 0x8, 0xfa00, {{0xa, 0x4e21, 0x0, @ipv4}, {}, r2}}, 0x48) write$RDMA_USER_CM_CMD_LISTEN(r0, &(0x7f00000001c0)={0x7, 0x8, 0xfa00, {r2}}, 0x10) [ 220.621185][ T7872] ================================================================== [ 220.629476][ T7872] BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0 [ 220.636677][ T7872] Read of size 8 at addr ffff8880974b4f20 by task syz-executor.4/7872 [ 220.644818][ T7872] [ 220.647161][ T7872] CPU: 1 PID: 7872 Comm: syz-executor.4 Not tainted 5.1.0-rc2+ #43 [ 220.655128][ T7872] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 220.665179][ T7872] Call Trace: [ 220.668481][ T7872] dump_stack+0x172/0x1f0 [ 220.672817][ T7872] ? __list_add_valid+0x9a/0xa0 [ 220.677677][ T7872] print_address_description.cold+0x7c/0x20d [ 220.683652][ T7872] ? 
__list_add_valid+0x9a/0xa0 [ 220.688504][ T7872] ? __list_add_valid+0x9a/0xa0 [ 220.693364][ T7872] kasan_report.cold+0x1b/0x40 [ 220.698126][ T7872] ? __list_add_valid+0x9a/0xa0 [ 220.702992][ T7872] __asan_report_load8_noabort+0x14/0x20 [ 220.708630][ T7872] __list_add_valid+0x9a/0xa0 [ 220.713314][ T7872] rdma_listen+0x6b7/0x970 [ 220.717734][ T7872] ucma_listen+0x14d/0x1c0 [ 220.722149][ T7872] ? ucma_notify+0x190/0x190 [ 220.726745][ T7872] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 220.732995][ T7872] ? _copy_from_user+0xdd/0x150 [ 220.737845][ T7872] ucma_write+0x2da/0x3c0 [ 220.742173][ T7872] ? ucma_notify+0x190/0x190 [ 220.746758][ T7872] ? ucma_open+0x290/0x290 [ 220.751264][ T7872] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 220.757506][ T7872] ? security_file_permission+0x94/0x380 [ 220.763148][ T7872] __vfs_write+0x8d/0x110 [ 220.767481][ T7872] ? ucma_open+0x290/0x290 [ 220.771909][ T7872] vfs_write+0x20c/0x580 [ 220.776160][ T7872] ksys_write+0xea/0x1f0 [ 220.780401][ T7872] ? __ia32_sys_read+0xb0/0xb0 [ 220.785162][ T7872] ? do_syscall_64+0x26/0x610 [ 220.789838][ T7872] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 220.795910][ T7872] ? 
do_syscall_64+0x26/0x610 [ 220.800597][ T7872] __x64_sys_write+0x73/0xb0 [ 220.805187][ T7872] do_syscall_64+0x103/0x610 [ 220.809785][ T7872] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 220.815679][ T7872] RIP: 0033:0x458209 [ 220.819576][ T7872] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 220.839178][ T7872] RSP: 002b:00007f093d49fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 220.847591][ T7872] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209 [ 220.855563][ T7872] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003 [ 220.863536][ T7872] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 220.871507][ T7872] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f093d4a06d4 [ 220.879485][ T7872] R13: 00000000004c77c2 R14: 00000000004dd780 R15: 00000000ffffffff [ 220.887473][ T7872] [ 220.889800][ T7872] Allocated by task 7860: [ 220.894134][ T7872] save_stack+0x45/0xd0 [ 220.898299][ T7872] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 220.903933][ T7872] kasan_kmalloc+0x9/0x10 [ 220.908306][ T7872] kmem_cache_alloc_trace+0x151/0x760 [ 220.913678][ T7872] __rdma_create_id+0x5f/0x4e0 [ 220.918440][ T7872] ucma_create_id+0x1de/0x640 [ 220.923122][ T7872] ucma_write+0x2da/0x3c0 [ 220.927450][ T7872] __vfs_write+0x8d/0x110 [ 220.931790][ T7872] vfs_write+0x20c/0x580 [ 220.936034][ T7872] ksys_write+0xea/0x1f0 [ 220.940281][ T7872] __x64_sys_write+0x73/0xb0 [ 220.944875][ T7872] do_syscall_64+0x103/0x610 [ 220.949476][ T7872] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 220.955358][ T7872] [ 220.957683][ T7872] Freed by task 7849: [ 220.961668][ T7872] save_stack+0x45/0xd0 [ 220.965825][ T7872] __kasan_slab_free+0x102/0x150 [ 220.970767][ T7872] kasan_slab_free+0xe/0x10 [ 220.975270][ T7872] kfree+0xcf/0x230 [ 220.979095][ T7872] rdma_destroy_id+0x719/0xaa0 [ 220.983859][ 
T7872] ucma_close+0x115/0x320 [ 220.988196][ T7872] __fput+0x2e5/0x8d0 [ 220.992179][ T7872] ____fput+0x16/0x20 [ 220.996160][ T7872] task_work_run+0x14a/0x1c0 [ 221.000753][ T7872] exit_to_usermode_loop+0x273/0x2c0 [ 221.006065][ T7872] do_syscall_64+0x52d/0x610 [ 221.010658][ T7872] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 221.016540][ T7872] [ 221.018876][ T7872] The buggy address belongs to the object at ffff8880974b4d40 [ 221.018876][ T7872] which belongs to the cache kmalloc-2k of size 2048 [ 221.032925][ T7872] The buggy address is located 480 bytes inside of [ 221.032925][ T7872] 2048-byte region [ffff8880974b4d40, ffff8880974b5540) [ 221.046292][ T7872] The buggy address belongs to the page: [ 221.051923][ T7872] page:ffffea00025d2d00 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0 [ 221.062604][ T7872] flags: 0x1fffc0000010200(slab|head) [ 221.067986][ T7872] raw: 01fffc0000010200 ffffea00028fc488 ffffea00025efe88 ffff88812c3f0c40 [ 221.076577][ T7872] raw: 0000000000000000 ffff8880974b44c0 0000000100000003 0000000000000000 [ 221.085153][ T7872] page dumped because: kasan: bad access detected [ 221.091556][ T7872] [ 221.093881][ T7872] Memory state around the buggy address: [ 221.099562][ T7872] ffff8880974b4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 221.107623][ T7872] ffff8880974b4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 221.115686][ T7872] >ffff8880974b4f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 09:36:08 executing program 3: r0 = socket$inet(0x2, 0x80001, 0x84) bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e20, @loopback}, 0x10) sendmsg(r0, &(0x7f000001afc8)={&(0x7f0000006000)=@in={0x2, 0x4e20, @loopback}, 0x80, &(0x7f0000007f80)=[{&(0x7f00000001c0)='*', 0x1}], 0x1}, 0x0) write$binfmt_elf32(r0, &(0x7f0000000040)=ANY=[@ANYBLOB="ee"], 0x1) shutdown(r0, 0x1) close(r0) [ 221.123741][ T7872] ^ [ 221.128852][ T7872] ffff8880974b4f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 221.136916][ 
T7872] ffff8880974b5000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 221.144991][ T7872] ================================================================== [ 221.153077][ T7872] Disabling lock debugging due to kernel taint [ 221.196552][ T7872] Kernel panic - not syncing: panic_on_warn set ... [ 221.203177][ T7872] CPU: 1 PID: 7872 Comm: syz-executor.4 Tainted: G B 5.1.0-rc2+ #43 [ 221.212624][ T7872] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 221.222675][ T7872] Call Trace: [ 221.225983][ T7872] dump_stack+0x172/0x1f0 [ 221.230319][ T7872] panic+0x2cb/0x65c [ 221.234215][ T7872] ? __warn_printk+0xf3/0xf3 [ 221.238809][ T7872] ? __list_add_valid+0x9a/0xa0 [ 221.243667][ T7872] ? preempt_schedule+0x4b/0x60 [ 221.248522][ T7872] ? ___preempt_schedule+0x16/0x18 [ 221.253668][ T7872] ? trace_hardirqs_on+0x5e/0x230 [ 221.258695][ T7872] ? __list_add_valid+0x9a/0xa0 [ 221.263545][ T7872] end_report+0x47/0x4f [ 221.267698][ T7872] ? __list_add_valid+0x9a/0xa0 [ 221.272547][ T7872] kasan_report.cold+0xe/0x40 [ 221.277227][ T7872] ? __list_add_valid+0x9a/0xa0 [ 221.282082][ T7872] __asan_report_load8_noabort+0x14/0x20 [ 221.288234][ T7872] __list_add_valid+0x9a/0xa0 [ 221.292916][ T7872] rdma_listen+0x6b7/0x970 [ 221.297338][ T7872] ucma_listen+0x14d/0x1c0 [ 221.301752][ T7872] ? ucma_notify+0x190/0x190 [ 221.306347][ T7872] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 221.312588][ T7872] ? _copy_from_user+0xdd/0x150 [ 221.317439][ T7872] ucma_write+0x2da/0x3c0 [ 221.321769][ T7872] ? ucma_notify+0x190/0x190 [ 221.326362][ T7872] ? ucma_open+0x290/0x290 [ 221.330782][ T7872] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 221.337028][ T7872] ? security_file_permission+0x94/0x380 [ 221.342668][ T7872] __vfs_write+0x8d/0x110 [ 221.346997][ T7872] ? ucma_open+0x290/0x290 [ 221.351412][ T7872] vfs_write+0x20c/0x580 [ 221.355660][ T7872] ksys_write+0xea/0x1f0 [ 221.359909][ T7872] ? 
__ia32_sys_read+0xb0/0xb0 [ 221.364681][ T7872] ? do_syscall_64+0x26/0x610 [ 221.369383][ T7872] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 221.375454][ T7872] ? do_syscall_64+0x26/0x610 [ 221.380145][ T7872] __x64_sys_write+0x73/0xb0 [ 221.384749][ T7872] do_syscall_64+0x103/0x610 [ 221.389344][ T7872] entry_SYSCALL_64_after_hwframe+0x49/0xbe 09:36:08 executing program 5: r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000ac0)={0x26, 'skcipher\x00', 0x0, 0x0, 'cbc(aes-aesni)\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r1 = accept$alg(r0, 0x0, 0x0) sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000004c0)=[@op={0x18, 0x117, 0x3, 0x1}], 0x18}, 0x0) recvmmsg(r1, &(0x7f0000004ec0)=[{{0x0, 0x0, &(0x7f00000006c0)=[{&(0x7f0000000000)=""/84, 0x54}], 0x1}}], 0x1, 0x0, 0x0) 09:36:08 executing program 1: socketpair$unix(0x1, 0x200000000000005, 0x0, &(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x400000000000007, 0x0, 0x0, 0xa, 0x0, 0x1, 0x40}) r1 = dup(r0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d6c450754ddea420fae9972b571112d02") [ 221.395231][ T7872] RIP: 0033:0x458209 [ 221.395326][ T3877] kobject: 'loop5' (00000000497c4ed4): kobject_uevent_env [ 221.399132][ T7872] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 221.424434][ T3877] kobject: 'loop5' (00000000497c4ed4): fill_kobj_path: path = '/devices/virtual/block/loop5' [ 221.425894][ T7872] RSP: 002b:00007f093d49fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 221.425908][ T7872] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 
0000000000458209 [ 221.425923][ T7872] RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000003 [ 221.460375][ T7872] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 221.467453][ T3877] kobject: 'loop1' (00000000cda7dbfc): kobject_uevent_env [ 221.468343][ T7872] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f093d4a06d4 [ 221.468352][ T7872] R13: 00000000004c77c2 R14: 00000000004dd780 R15: 00000000ffffffff [ 221.475910][ T7872] Kernel Offset: disabled [ 221.496155][ T7872] Rebooting in 86400 seconds..