INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [ 25.183309] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: File exists
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 25.417828] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 25.743980] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 25.750228] 8021q: adding VLAN 0 to HW filter on device bond0
executing program
[ 25.785095] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 25.820543] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 25.857126] ==================================================================
[ 25.864543] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150
[ 25.871715] Read of size 8 at addr ffff8801b6022fa0 by task syzkaller871713/4346
[ 25.879216]
[ 25.880825] CPU: 1 PID: 4346 Comm: syzkaller871713 Not tainted 4.16.0-rc7+ #2
[ 25.888064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.897391] Call Trace:
[ 25.899966]  dump_stack+0x194/0x24d
[ 25.903566]  ? arch_local_irq_restore+0x53/0x53
[ 25.908206]  ? show_regs_print_info+0x18/0x18
[ 25.912679]  ? rcu_note_context_switch+0x710/0x710
[ 25.917584]  ? __list_del_entry_valid+0x144/0x150
[ 25.922398]  print_address_description+0x73/0x250
[ 25.927216]  ? __list_del_entry_valid+0x144/0x150
[ 25.932038]  kasan_report+0x23c/0x360
[ 25.935814]  __asan_report_load8_noabort+0x14/0x20
[ 25.940715]  __list_del_entry_valid+0x144/0x150
[ 25.945366]  cma_cancel_operation+0x455/0xd60
[ 25.949833]  ? finish_task_switch+0x182/0x7e0
[ 25.954306]  ? find_held_lock+0x35/0x1d0
[ 25.958338]  ? rdma_destroy_id+0xda0/0xda0
[ 25.962550]  ? rdma_destroy_id+0xf4/0xda0
[ 25.966669]  ? lock_downgrade+0x980/0x980
[ 25.970790]  ? lock_release+0xa40/0xa40
[ 25.974735]  ? find_held_lock+0x35/0x1d0
[ 25.978769]  ? do_raw_spin_trylock+0x190/0x190
[ 25.983324]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[ 25.988399]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.993391]  rdma_destroy_id+0xff/0xda0
[ 25.997335]  ? lock_release+0xa40/0xa40
[ 26.001281]  ? find_next_bit+0xcc/0x100
[ 26.005227]  ? cma_release_dev+0x350/0x350
[ 26.009437]  ? radix_tree_delete_item+0x146/0x280
[ 26.014275]  ucma_close+0x100/0x2f0
[ 26.017878]  ? ucma_free_ctx+0xd90/0xd90
[ 26.021914]  __fput+0x327/0x7e0
[ 26.025170]  ? fput+0x140/0x140
[ 26.028426]  ? check_same_owner+0x320/0x320
[ 26.032725]  ____fput+0x15/0x20
[ 26.035974]  task_work_run+0x199/0x270
[ 26.039834]  ? task_work_cancel+0x210/0x210
[ 26.044128]  ? free_nsproxy+0x18b/0x1f0
[ 26.048076]  ? switch_task_namespaces+0xa2/0xc0
[ 26.052724]  do_exit+0x9bb/0x1ad0
[ 26.056154]  ? mm_update_next_owner+0x930/0x930
[ 26.060797]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.065957]  ? __lock_acquire+0x664/0x3e00
[ 26.070162]  ? rdma_listen+0x568/0x8e0
[ 26.074035]  ? trace_hardirqs_off+0x10/0x10
[ 26.078328]  ? __lock_is_held+0xb6/0x140
[ 26.082365]  ? trace_hardirqs_off+0x10/0x10
[ 26.087272]  ? __lock_is_held+0xb6/0x140
[ 26.091304]  ? nohz_balance_exit_idle.part.95+0x70/0x70
[ 26.096643]  ? find_held_lock+0x35/0x1d0
[ 26.100682]  ? kprobe_flush_task+0x1a3/0x5d0
[ 26.105066]  ? trace_hardirqs_off+0x10/0x10
[ 26.109356]  ? lock_downgrade+0x980/0x980
[ 26.113478]  ? lock_release+0xa40/0xa40
[ 26.117430]  ? memset+0x31/0x40
[ 26.120685]  ? find_held_lock+0x35/0x1d0
[ 26.124727]  ? get_signal+0x7a9/0x16d0
[ 26.128589]  ? lock_downgrade+0x980/0x980
[ 26.132717]  do_group_exit+0x149/0x400
[ 26.136574]  ? do_raw_spin_trylock+0x190/0x190
[ 26.141127]  ? SyS_exit+0x30/0x30
[ 26.144553]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.149028]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.154036]  get_signal+0x73a/0x16d0
[ 26.157730]  ? ptrace_notify+0x130/0x130
[ 26.161767]  ? __schedule+0x903/0x1ec0
[ 26.165634]  ? __sched_text_start+0x8/0x8
[ 26.169754]  ? ucma_write+0x11f/0x3d0
[ 26.173524]  ? ucma_accept+0x970/0x970
[ 26.177384]  ? ucma_close_id+0x60/0x60
[ 26.181246]  do_signal+0x90/0x1e90
[ 26.184771]  ? __vfs_write+0xf7/0x970
[ 26.188545]  ? setup_sigcontext+0x7d0/0x7d0
[ 26.192836]  ? kernel_read+0x120/0x120
[ 26.196694]  ? trace_hardirqs_off+0x10/0x10
[ 26.201005]  ? schedule+0xf5/0x430
[ 26.204525]  ? __schedule+0x1ec0/0x1ec0
[ 26.208487]  ? exit_to_usermode_loop+0x8c/0x2f0
[ 26.213134]  exit_to_usermode_loop+0x258/0x2f0
[ 26.217700]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.223218]  ? do_syscall_64+0xb7/0x940
[ 26.227172]  do_syscall_64+0x6ec/0x940
[ 26.231038]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.235509]  ? finish_task_switch+0x1c1/0x7e0
[ 26.239978]  ? syscall_return_slowpath+0x550/0x550
[ 26.244893]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.249796]  ? prepare_exit_to_usermode+0x350/0x350
[ 26.254783]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 26.260122]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.264942]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.270104] RIP: 0033:0x447529
[ 26.273271] RSP: 002b:00007f782c2b0cf8 EFLAGS: 00000202 ORIG_RAX: 00000000000000ca
[ 26.280952] RAX: 0000000000000001 RBX: 00000000006ddc5c RCX: 0000000000447529
[ 26.288194] RDX: 0000000000447529 RSI: 0000000000000001 RDI: 00000000006ddc5c
[ 26.295433] RBP: 00000000006ddc58 R08: 0000000000000000 R09: 0000000000000000
[ 26.302682] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 26.309924] R13: 00007fff8bb3d8cf R14: 00007f782c2b19c0 R15: 0000000000000005
[ 26.317179]
[ 26.318777] Allocated by task 4343:
[ 26.322374]  save_stack+0x43/0xd0
[ 26.325796]  kasan_kmalloc+0xad/0xe0
[ 26.329481]  kmem_cache_alloc_trace+0x136/0x740
[ 26.334119]  rdma_create_id+0xd0/0x630
[ 26.337975]  ucma_create_id+0x35f/0x920
[ 26.341919]  ucma_write+0x2d6/0x3d0
[ 26.345515]  __vfs_write+0xef/0x970
[ 26.349110]  vfs_write+0x189/0x510
[ 26.352620]  SyS_write+0xef/0x220
[ 26.356046]  do_syscall_64+0x281/0x940
[ 26.359905]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.365062]
[ 26.366659] Freed by task 4346:
[ 26.369907]  save_stack+0x43/0xd0
[ 26.373327]  __kasan_slab_free+0x11a/0x170
[ 26.377530]  kasan_slab_free+0xe/0x10
[ 26.381303]  kfree+0xd9/0x260
[ 26.384381]  rdma_destroy_id+0x821/0xda0
[ 26.388414]  ucma_close+0x100/0x2f0
[ 26.392017]  __fput+0x327/0x7e0
[ 26.395270]  ____fput+0x15/0x20
[ 26.398520]  task_work_run+0x199/0x270
[ 26.402378]  do_exit+0x9bb/0x1ad0
[ 26.405799]  do_group_exit+0x149/0x400
[ 26.409655]  get_signal+0x73a/0x16d0
[ 26.413345]  do_signal+0x90/0x1e90
[ 26.416857]  exit_to_usermode_loop+0x258/0x2f0
[ 26.421408]  do_syscall_64+0x6ec/0x940
[ 26.425265]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.430424]
[ 26.432028] The buggy address belongs to the object at ffff8801b6022dc0
[ 26.432028]  which belongs to the cache kmalloc-1024 of size 1024
[ 26.444830] The buggy address is located 480 bytes inside of
[ 26.444830]  1024-byte region [ffff8801b6022dc0, ffff8801b60231c0)
[ 26.456759] The buggy address belongs to the page:
[ 26.461659] page:ffffea0006d80880 count:1 mapcount:0 mapping:ffff8801b6022040 index:0x0 compound_mapcount: 0
[ 26.471597] flags: 0x2fffc0000008100(slab|head)
[ 26.476239] raw: 02fffc0000008100 ffff8801b6022040 0000000000000000 0000000100000007
[ 26.484090] raw: ffffea0006dca520 ffffea0006d88720 ffff8801dac00ac0 0000000000000000
[ 26.491937] page dumped because: kasan: bad access detected
[ 26.497616]
[ 26.499214] Memory state around the buggy address:
[ 26.504110]  ffff8801b6022e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.511439]  ffff8801b6022f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.518768] >ffff8801b6022f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.526096]                                ^
[ 26.530475]  ffff8801b6023000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.537803]  ffff8801b6023080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.545127] ==================================================================
[ 26.552455] Disabling lock debugging due to kernel taint
[ 26.557938] Kernel panic - not syncing: panic_on_warn set ...
[ 26.557938]
[ 26.565283] CPU: 1 PID: 4346 Comm: syzkaller871713 Tainted: G    B            4.16.0-rc7+ #2
[ 26.573824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.583145] Call Trace:
[ 26.585703]  dump_stack+0x194/0x24d
[ 26.589301]  ? arch_local_irq_restore+0x53/0x53
[ 26.593937]  ? kasan_end_report+0x32/0x50
[ 26.598055]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.602779]  ? vsnprintf+0x1ed/0x1900
[ 26.606549]  ? __list_del_entry_valid+0xc0/0x150
[ 26.611273]  panic+0x1e4/0x41c
[ 26.614438]  ? refcount_error_report+0x214/0x214
[ 26.619162]  ? add_taint+0x1c/0x50
[ 26.622669]  ? add_taint+0x1c/0x50
[ 26.626180]  ? __list_del_entry_valid+0x144/0x150
[ 26.630992]  kasan_end_report+0x50/0x50
[ 26.634940]  kasan_report+0x149/0x360
[ 26.638712]  __asan_report_load8_noabort+0x14/0x20
[ 26.643610]  __list_del_entry_valid+0x144/0x150
[ 26.648260]  cma_cancel_operation+0x455/0xd60
[ 26.652724]  ? finish_task_switch+0x182/0x7e0
[ 26.657203]  ? find_held_lock+0x35/0x1d0
[ 26.661238]  ? rdma_destroy_id+0xda0/0xda0
[ 26.665445]  ? rdma_destroy_id+0xf4/0xda0
[ 26.669562]  ? lock_downgrade+0x980/0x980
[ 26.673680]  ? lock_release+0xa40/0xa40
[ 26.677626]  ? find_held_lock+0x35/0x1d0
[ 26.681656]  ? do_raw_spin_trylock+0x190/0x190
[ 26.686211]  ? _raw_spin_unlock_irqrestore+0x31/0xc0
[ 26.691285]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.696270]  rdma_destroy_id+0xff/0xda0
[ 26.700211]  ? lock_release+0xa40/0xa40
[ 26.704156]  ? find_next_bit+0xcc/0x100
[ 26.708098]  ? cma_release_dev+0x350/0x350
[ 26.712303]  ? radix_tree_delete_item+0x146/0x280
[ 26.717127]  ucma_close+0x100/0x2f0
[ 26.720724]  ? ucma_free_ctx+0xd90/0xd90
[ 26.724753]  __fput+0x327/0x7e0
[ 26.728009]  ? fput+0x140/0x140
[ 26.731265]  ? check_same_owner+0x320/0x320
[ 26.735557]  ____fput+0x15/0x20
[ 26.738805]  task_work_run+0x199/0x270
[ 26.742662]  ? task_work_cancel+0x210/0x210
[ 26.746951]  ? free_nsproxy+0x18b/0x1f0
[ 26.750900]  ? switch_task_namespaces+0xa2/0xc0
[ 26.755539]  do_exit+0x9bb/0x1ad0
[ 26.758968]  ? mm_update_next_owner+0x930/0x930
[ 26.763607]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.768763]  ? __lock_acquire+0x664/0x3e00
[ 26.772968]  ? rdma_listen+0x568/0x8e0
[ 26.776827]  ? trace_hardirqs_off+0x10/0x10
[ 26.781120]  ? __lock_is_held+0xb6/0x140
[ 26.785154]  ? trace_hardirqs_off+0x10/0x10
[ 26.789450]  ? __lock_is_held+0xb6/0x140
[ 26.793480]  ? nohz_balance_exit_idle.part.95+0x70/0x70
[ 26.798814]  ? find_held_lock+0x35/0x1d0
[ 26.802848]  ? kprobe_flush_task+0x1a3/0x5d0
[ 26.807227]  ? trace_hardirqs_off+0x10/0x10
[ 26.811516]  ? lock_downgrade+0x980/0x980
[ 26.815636]  ? lock_release+0xa40/0xa40
[ 26.819580]  ? memset+0x31/0x40
[ 26.822829]  ? find_held_lock+0x35/0x1d0
[ 26.826863]  ? get_signal+0x7a9/0x16d0
[ 26.830720]  ? lock_downgrade+0x980/0x980
[ 26.834841]  do_group_exit+0x149/0x400
[ 26.838696]  ? do_raw_spin_trylock+0x190/0x190
[ 26.843246]  ? SyS_exit+0x30/0x30
[ 26.846667]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.851132]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.856127]  get_signal+0x73a/0x16d0
[ 26.859820]  ? ptrace_notify+0x130/0x130
[ 26.863852]  ? __schedule+0x903/0x1ec0
[ 26.867712]  ? __sched_text_start+0x8/0x8
[ 26.871829]  ? ucma_write+0x11f/0x3d0
[ 26.875596]  ? ucma_accept+0x970/0x970
[ 26.879450]  ? ucma_close_id+0x60/0x60
[ 26.883309]  do_signal+0x90/0x1e90
[ 26.886824]  ? __vfs_write+0xf7/0x970
[ 26.890596]  ? setup_sigcontext+0x7d0/0x7d0
[ 26.894884]  ? kernel_read+0x120/0x120
[ 26.898759]  ? trace_hardirqs_off+0x10/0x10
[ 26.903056]  ? schedule+0xf5/0x430
[ 26.906572]  ? __schedule+0x1ec0/0x1ec0
[ 26.910524]  ? exit_to_usermode_loop+0x8c/0x2f0
[ 26.915163]  exit_to_usermode_loop+0x258/0x2f0
[ 26.919717]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.925223]  ? do_syscall_64+0xb7/0x940
[ 26.929169]  do_syscall_64+0x6ec/0x940
[ 26.933028]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.937495]  ? finish_task_switch+0x1c1/0x7e0
[ 26.941974]  ? syscall_return_slowpath+0x550/0x550
[ 26.946874]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.951773]  ? prepare_exit_to_usermode+0x350/0x350
[ 26.956760]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 26.962093]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.966908]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.972066] RIP: 0033:0x447529
[ 26.975225] RSP: 002b:00007f782c2b0cf8 EFLAGS: 00000202 ORIG_RAX: 00000000000000ca
[ 26.982902] RAX: 0000000000000001 RBX: 00000000006ddc5c RCX: 0000000000447529
[ 26.990143] RDX: 0000000000447529 RSI: 0000000000000001 RDI: 00000000006ddc5c
[ 26.997385] RBP: 00000000006ddc58 R08: 0000000000000000 R09: 0000000000000000
[ 27.004623] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 27.011863] R13: 00007fff8bb3d8cf R14: 00007f782c2b19c0 R15: 0000000000000005
[ 27.019548] Dumping ftrace buffer:
[ 27.023059]    (ftrace buffer empty)
[ 27.026736] Kernel Offset: disabled
[ 27.030333] Rebooting in 86400 seconds..
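The report above is what a triager has to read by hand: an 8-byte read in __list_del_entry_valid reached from cma_cancel_operation inside rdma_destroy_id while ucma_close runs at process exit, on a kmalloc-1024 object that rdma_create_id allocated for task 4343 (via ucma_create_id / ucma_write) and that rdma_destroy_id already freed for task 4346, with every shadow byte around the address marked fb (freed). The following parser is an added example for pulling those facts out of the raw console text and cross-checking the report's own numbers (the 480-byte offset, the region bounds, the BUG-line function against the top of the call trace). It is not part of syzkaller or the kernel; the list of instrumentation frames it skips is a heuristic of this example, and SAMPLE_REPORT is a constructed, trimmed copy of the report on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the KASAN report from the console log above.
SAMPLE_REPORT = """\
[ 25.864543] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150
[ 25.871715] Read of size 8 at addr ffff8801b6022fa0 by task syzkaller871713/4346
[ 25.879216]
[ 25.880825] CPU: 1 PID: 4346 Comm: syzkaller871713 Not tainted 4.16.0-rc7+ #2
[ 25.897391] Call Trace:
[ 25.899966]  dump_stack+0x194/0x24d
[ 25.932038]  kasan_report+0x23c/0x360
[ 25.935814]  __asan_report_load8_noabort+0x14/0x20
[ 25.940715]  __list_del_entry_valid+0x144/0x150
[ 25.945366]  cma_cancel_operation+0x455/0xd60
[ 25.949833]  ? finish_task_switch+0x182/0x7e0
[ 25.993391]  rdma_destroy_id+0xff/0xda0
[ 26.014275]  ucma_close+0x100/0x2f0
[ 26.052724]  do_exit+0x9bb/0x1ad0
[ 26.270104] RIP: 0033:0x447529
[ 26.317179]
[ 26.318777] Allocated by task 4343:
[ 26.322374]  save_stack+0x43/0xd0
[ 26.325796]  kasan_kmalloc+0xad/0xe0
[ 26.329481]  kmem_cache_alloc_trace+0x136/0x740
[ 26.334119]  rdma_create_id+0xd0/0x630
[ 26.337975]  ucma_create_id+0x35f/0x920
[ 26.341919]  ucma_write+0x2d6/0x3d0
[ 26.365062]
[ 26.366659] Freed by task 4346:
[ 26.369907]  save_stack+0x43/0xd0
[ 26.373327]  __kasan_slab_free+0x11a/0x170
[ 26.381303]  kfree+0xd9/0x260
[ 26.384381]  rdma_destroy_id+0x821/0xda0
[ 26.388414]  ucma_close+0x100/0x2f0
[ 26.430424]
[ 26.432028] The buggy address belongs to the object at ffff8801b6022dc0
[ 26.432028]  which belongs to the cache kmalloc-1024 of size 1024
[ 26.444830] The buggy address is located 480 bytes inside of
[ 26.444830]  1024-byte region [ffff8801b6022dc0, ffff8801b60231c0)
"""

# Heuristic (this example's assumption): frames that KASAN/slab instrumentation
# itself contributes and that never identify the code responsible for the bug.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "__asan_", "save_stack", "kmem_cache_alloc", "kmalloc", "kfree")

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # printk timestamp prefix
FRAME_RE = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
SECTION_RE = re.compile(r"(Call Trace|Allocated by task (\d+)|Freed by task (\d+)):")


@dataclass
class Frame:
    func: str
    offset: int
    size: int
    reliable: bool      # "? " frames are guesses from the stack scan, not real callers


@dataclass
class KasanReport:
    bug_type: str = ""
    access_func: str = ""
    access_kind: str = ""
    access_size: int = 0
    addr: int = 0
    task_comm: str = ""
    task_pid: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    reported_offset: int = 0
    region: tuple = (0, 0)
    stacks: dict = field(default_factory=dict)

    def culprits(self, section):
        """Reliable frames of one stack with instrumentation noise removed."""
        return [f.func for f in self.stacks.get(section, [])
                if f.reliable and not f.func.startswith(NOISE)]


def parse_kasan_report(text):
    """Extract the headline, the three stacks and the object geometry."""
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if not line.strip():
            section = None                              # a blank line ends a stack
            continue
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r.bug_type, r.access_func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.access_kind, r.access_size = m.group(1), int(m.group(2))
            r.addr, r.task_comm, r.task_pid = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif m := SECTION_RE.match(line):
            section = m.group(1).split(" by")[0]        # "Call Trace" / "Allocated" / "Freed"
            r.alloc_pid = int(m.group(2)) if m.group(2) else r.alloc_pid
            r.free_pid = int(m.group(3)) if m.group(3) else r.free_pid
            r.stacks[section] = []
        elif (m := FRAME_RE.match(line)) and section:
            r.stacks[section].append(Frame(m.group(2), int(m.group(3), 16),
                                           int(m.group(4), 16), m.group(1) is None))
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m.group(1), 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r.reported_offset = int(m.group(1))
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.region = (int(m.group(1), 16), int(m.group(2), 16))
    return r


def check_consistency(r):
    """Cross-check the report's own numbers; an empty list means it is self-consistent."""
    problems, (lo, hi) = [], r.region
    if r.addr - r.obj_base != r.reported_offset:
        problems.append("reported offset does not match addr - object base")
    if (lo, hi) != (r.obj_base, r.obj_base + r.obj_size):
        problems.append("region bounds do not match object base/size")
    if not (lo <= r.addr and r.addr + r.access_size <= hi):
        problems.append("access is not fully inside the object")
    trace = r.culprits("Call Trace")
    if not trace or trace[0] != r.access_func:
        problems.append("BUG-line function is not the top reliable frame")
    return problems


def summarize(r):
    """One-line triage summary: what was touched, from where, who allocated and freed it."""
    trace, alloc, freed = (r.culprits(s) for s in ("Call Trace", "Allocated", "Freed"))
    return (f"{r.bug_type}: {r.access_kind.lower()} of {r.access_size} bytes at "
            f"{r.cache}+{r.addr - r.obj_base} in {trace[0]} <- {trace[1]}; "
            f"allocated by pid {r.alloc_pid} in {alloc[0]}, freed by pid {r.free_pid} in {freed[0]}")


if __name__ == "__main__":
    report = parse_kasan_report(SAMPLE_REPORT)
    print(summarize(report))
    print("consistency problems:", check_consistency(report) or "none")
```

The two things worth keeping from this are the `culprits()` filter, which drops the `? ` frames and the instrumentation frames so that the first two entries of the call trace are the access site and its real caller (here __list_del_entry_valid called from cma_cancel_operation), and `check_consistency()`, which recomputes the offset from the object base and the access address rather than trusting the printed 480; a mismatch there usually means the report was truncated or two reports interleaved on the console.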