==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Read of size 8 at addr ffff8801cb5f6218 by task syz-executor7/968

CPU: 0 PID: 968 Comm: syz-executor7 Not tainted 4.16.0-rc7+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __list_add_valid+0xc6/0xd0 lib/list_debug.c:26
 __list_add include/linux/list.h:60 [inline]
 list_add_tail include/linux/list.h:93 [inline]
 cma_listen_on_all drivers/infiniband/core/cma.c:2309 [inline]
 rdma_listen+0x581/0x8e0 drivers/infiniband/core/cma.c:3333
 ucma_listen+0x172/0x1f0 drivers/infiniband/core/ucma.c:1074
 ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1649
 __vfs_write+0xef/0x970 fs/read_write.c:480
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454889
RSP: 002b:00007fed3df58c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fed3df596d4 RCX: 0000000000454889
RDX: 0000000000000010 RSI: 000000002000b900 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000006a9 R14: 00000000006fc078 R15: 0000000000000000

Allocated by task 31472:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kmem_cache_alloc_trace+0x136/0x740 mm/slab.c:3607
 kmalloc include/linux/slab.h:512 [inline]
 pty_common_install drivers/tty/pty.c:387 [inline]
 pty_unix98_install+0x119/0xa30 drivers/tty/pty.c:727
 tty_driver_install_tty drivers/tty/tty_io.c:1224 [inline]
 tty_init_dev+0xf6/0x4b0 drivers/tty/tty_io.c:1324
 ptmx_open+0xf3/0x310 drivers/tty/pty.c:832
 chrdev_open+0x257/0x730 fs/char_dev.c:417
 do_dentry_open+0x667/0xd40 fs/open.c:752
 vfs_open+0x107/0x220 fs/open.c:866
 do_last fs/namei.c:3379 [inline]
 path_openat+0x1151/0x3530 fs/namei.c:3519
 do_filp_open+0x25b/0x3b0 fs/namei.c:3554
 do_sys_open+0x502/0x6d0 fs/open.c:1059
 SYSC_openat fs/open.c:1086 [inline]
 SyS_openat+0x30/0x40 fs/open.c:1080
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 1925:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kfree+0xd9/0x260 mm/slab.c:3800
 tty_port_destructor drivers/tty/tty_port.c:265 [inline]
 kref_put include/linux/kref.h:70 [inline]
 tty_port_put+0x142/0x170 drivers/tty/tty_port.c:271
 pty_cleanup+0x37/0x50 drivers/tty/pty.c:449
 release_one_tty+0x133/0x510 drivers/tty/tty_io.c:1429
 process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
 worker_thread+0x223/0x1990 kernel/workqueue.c:2247
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406

The buggy address belongs to the object at ffff8801cb5f6040
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 472 bytes inside of
 1024-byte region [ffff8801cb5f6040, ffff8801cb5f6440)
The buggy address belongs to the page:
page:ffffea00072d7d80 count:1 mapcount:0 mapping:ffff8801cb5f6040 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801cb5f6040 0000000000000000 0000000100000007
raw: ffffea00074437a0 ffffea0006bf7520 ffff8801dac00ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cb5f6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cb5f6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801cb5f6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8801cb5f6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cb5f6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================