INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program syzkaller login: [ 28.228508] ================================================================== [ 28.235996] BUG: KASAN: use-after-free in __list_del_entry_valid+0x144/0x150 [ 28.243155] Read of size 8 at addr ffff8801d8dc7d20 by task syzkaller468166/4496 [ 28.250658] [ 28.252265] CPU: 0 PID: 4496 Comm: syzkaller468166 Not tainted 4.16.0+ #376 [ 28.259334] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.268659] Call Trace: [ 28.271225] dump_stack+0x1a7/0x27d [ 28.274826] ? arch_local_irq_restore+0x53/0x53 [ 28.279469] ? show_regs_print_info+0x18/0x18 [ 28.283945] ? rcu_note_context_switch+0x710/0x710 [ 28.288863] ? kasan_check_write+0x14/0x20 [ 28.293248] ? __list_del_entry_valid+0x144/0x150 [ 28.298065] print_address_description+0x73/0x250 [ 28.302878] ? __list_del_entry_valid+0x144/0x150 [ 28.307693] kasan_report+0x23c/0x360 [ 28.311466] __asan_report_load8_noabort+0x14/0x20 [ 28.316378] __list_del_entry_valid+0x144/0x150 [ 28.321022] cma_cancel_operation+0x455/0xd60 [ 28.325491] ? finish_task_switch+0x29f/0x810 [ 28.329962] ? find_held_lock+0x35/0x1d0 [ 28.333997] ? rdma_destroy_id+0xda0/0xda0 [ 28.338206] ? rdma_destroy_id+0xf4/0xda0 [ 28.342328] ? lock_downgrade+0x980/0x980 [ 28.346451] ? ucma_close+0xe1/0x2f0 [ 28.350148] ? lock_release+0xa40/0xa40 [ 28.354108] ? kasan_check_read+0x11/0x20 [ 28.358237] ? do_raw_spin_unlock+0x9e/0x310 [ 28.362630] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.367187] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 28.372275] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.377267] rdma_destroy_id+0xff/0xda0 [ 28.381213] ? __mutex_unlock_slowpath+0x181/0x7e0 [ 28.386119] ? cma_release_dev+0x350/0x350 [ 28.390328] ? radix_tree_delete_item+0x146/0x280 [ 28.395155] ucma_close+0x100/0x2f0 [ 28.398761] ? ucma_free_ctx+0xd90/0xd90 [ 28.402796] __fput+0x327/0x7f0 [ 28.406048] ? fput+0x150/0x150 [ 28.409301] ? check_same_owner+0x320/0x320 [ 28.413592] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.418059] ____fput+0x15/0x20 [ 28.421311] task_work_run+0x1ab/0x280 [ 28.425169] ? task_work_cancel+0x240/0x240 [ 28.429473] ? kasan_check_write+0x14/0x20 [ 28.433682] ? switch_task_namespaces+0x94/0xc0 [ 28.438327] do_exit+0x1986/0x2700 [ 28.441843] ? print_irqtrace_events+0x241/0x270 [ 28.446568] ? mm_update_next_owner+0x960/0x960 [ 28.451214] ? trace_hardirqs_off+0x10/0x10 [ 28.455511] ? rcu_note_context_switch+0x710/0x710 [ 28.460412] ? __lock_acquire+0x638/0x3c30 [ 28.464618] ? __might_sleep+0x95/0x190 [ 28.468572] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 28.473732] ? lock_downgrade+0x980/0x980 [ 28.477851] ? kasan_check_write+0x14/0x20 [ 28.482067] ? __unqueue_futex+0x1e2/0x2b0 [ 28.486275] ? lock_release+0xa40/0xa40 [ 28.490222] ? kasan_check_read+0x11/0x20 [ 28.494340] ? do_raw_spin_unlock+0x9e/0x310 [ 28.498720] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.503283] ? kasan_check_write+0x14/0x20 [ 28.507496] ? do_raw_spin_lock+0xc1/0x230 [ 28.511703] ? kasan_check_write+0x14/0x20 [ 28.515911] ? drop_futex_key_refs.isra.13+0x71/0xc0 [ 28.520998] ? futex_wait+0x6a9/0x9a0 [ 28.524777] ? futex_wait_setup+0x400/0x400 [ 28.529084] ? trace_hardirqs_off+0x10/0x10 [ 28.533378] ? drop_futex_key_refs.isra.13+0x71/0xc0 [ 28.538453] ? futex_wake+0x2d7/0x680 [ 28.542226] ? memset+0x31/0x40 [ 28.545479] ? find_held_lock+0x35/0x1d0 [ 28.549515] ? get_signal+0x7bb/0x16e0 [ 28.553376] ? lock_downgrade+0x980/0x980 [ 28.557500] do_group_exit+0x149/0x400 [ 28.561357] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.565913] ? SyS_exit+0x30/0x30 [ 28.569350] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.573821] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.578814] get_signal+0x74c/0x16e0 [ 28.582516] ? ptrace_notify+0x130/0x130 [ 28.586550] ? ucma_query+0x230/0x230 [ 28.590325] ? kasan_check_write+0x14/0x20 [ 28.594533] ? ucma_write+0x11f/0x3d0 [ 28.598559] ? ucma_query+0x230/0x230 [ 28.602353] ? ucma_close_id+0x60/0x60 [ 28.606299] do_signal+0x90/0x1e90 [ 28.609839] ? ucma_close_id+0x60/0x60 [ 28.613721] ? __vfs_write+0xf7/0x970 [ 28.617529] ? setup_sigcontext+0x7d0/0x7d0 [ 28.621846] ? kernel_read+0x120/0x120 [ 28.625738] ? vm_mmap_pgoff+0x1fc/0x280 [ 28.629793] ? vm_mmap_pgoff+0x13b/0x280 [ 28.633874] ? exit_to_usermode_loop+0x8c/0x2f0 [ 28.638540] exit_to_usermode_loop+0x258/0x2f0 [ 28.643121] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 28.648650] ? do_syscall_64+0xb7/0x940 [ 28.652619] do_syscall_64+0x6ec/0x940 [ 28.656498] ? kasan_check_write+0x14/0x20 [ 28.660724] ? syscall_return_slowpath+0x550/0x550 [ 28.665650] ? syscall_return_slowpath+0x2ac/0x550 [ 28.670587] ? prepare_exit_to_usermode+0x350/0x350 [ 28.675605] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 28.680964] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.685798] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 28.690964] RIP: 0033:0x446b09 [ 28.694130] RSP: 002b:00007f2b89150da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 28.701813] RAX: fffffffffffffe00 RBX: 00000000006e29fc RCX: 0000000000446b09 [ 28.709059] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006e29fc [ 28.716310] RBP: 00000000006e29f8 R08: 0000000000000000 R09: 0000000000000000 [ 28.723556] R10: 0000000000000000 R11: 0000000000000246 R12: 006d635f616d6472 [ 28.730807] R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0000000000000005 [ 28.738057] [ 28.739659] Allocated by task 4493: [ 28.743270] save_stack+0x43/0xd0 [ 28.746701] kasan_kmalloc+0xad/0xe0 [ 28.750386] kmem_cache_alloc_trace+0x136/0x740 [ 28.755025] rdma_create_id+0xd0/0x640 [ 28.758884] ucma_create_id+0x35f/0x920 [ 28.762828] ucma_write+0x2d6/0x3d0 [ 28.766426] __vfs_write+0xef/0x970 [ 28.770020] vfs_write+0x189/0x510 [ 28.773531] SyS_write+0xef/0x220 [ 28.776957] do_syscall_64+0x281/0x940 [ 28.780812] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 28.785969] [ 28.787577] Freed by task 4496: [ 28.790829] save_stack+0x43/0xd0 [ 28.794254] __kasan_slab_free+0x11a/0x170 [ 28.798466] kasan_slab_free+0xe/0x10 [ 28.802238] kfree+0xd9/0x260 [ 28.805318] rdma_destroy_id+0x821/0xda0 [ 28.809353] ucma_close+0x100/0x2f0 [ 28.812951] __fput+0x327/0x7f0 [ 28.816201] ____fput+0x15/0x20 [ 28.819451] task_work_run+0x1ab/0x280 [ 28.823309] do_exit+0x1986/0x2700 [ 28.826906] do_group_exit+0x149/0x400 [ 28.830770] get_signal+0x74c/0x16e0 [ 28.834454] do_signal+0x90/0x1e90 [ 28.837967] exit_to_usermode_loop+0x258/0x2f0 [ 28.842522] do_syscall_64+0x6ec/0x940 [ 28.846381] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 28.851540] [ 28.853138] The buggy address belongs to the object at ffff8801d8dc7b40 [ 28.853138] which belongs to the cache kmalloc-1024 of size 1024 [ 28.865937] The buggy address is located 480 bytes inside of [ 28.865937] 1024-byte region [ffff8801d8dc7b40, ffff8801d8dc7f40) [ 28.877865] The buggy address belongs to the page: [ 28.882782] page:ffffea0007637180 count:1 mapcount:0 mapping:ffff8801d8dc6040 index:0x0 compound_mapcount: 0 [ 28.892720] flags: 0x2fffc0000008100(slab|head) [ 28.897364] raw: 02fffc0000008100 ffff8801d8dc6040 0000000000000000 0000000100000007 [ 28.905216] raw: ffffea0007635ea0 ffff8801dac01848 ffff8801dac00ac0 0000000000000000 [ 28.913066] page dumped because: kasan: bad access detected [ 28.918745] [ 28.920353] Memory state around the buggy address: [ 28.925254] ffff8801d8dc7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.932583] ffff8801d8dc7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.939912] >ffff8801d8dc7d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.947327] ^ [ 28.951706] ffff8801d8dc7d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.959044] ffff8801d8dc7e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.966373] ================================================================== [ 28.973703] Disabling lock debugging due to kernel taint [ 28.979440] Kernel panic - not syncing: panic_on_warn set ... [ 28.979440] [ 28.986785] CPU: 0 PID: 4496 Comm: syzkaller468166 Tainted: G B 4.16.0+ #376 [ 28.995156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.004489] Call Trace: [ 29.007051] dump_stack+0x1a7/0x27d [ 29.010661] ? arch_local_irq_restore+0x53/0x53 [ 29.015301] ? kasan_end_report+0x32/0x50 [ 29.019434] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.024162] ? vsnprintf+0x1ed/0x1900 [ 29.027935] ? __list_del_entry_valid+0xe0/0x150 [ 29.032664] panic+0x1f8/0x42c [ 29.035826] ? refcount_error_report+0x214/0x214 [ 29.040553] ? do_raw_spin_unlock+0x9e/0x310 [ 29.044929] ? do_raw_spin_unlock+0x9e/0x310 [ 29.049305] ? __list_del_entry_valid+0x144/0x150 [ 29.054131] kasan_end_report+0x50/0x50 [ 29.058076] kasan_report+0x149/0x360 [ 29.061846] __asan_report_load8_noabort+0x14/0x20 [ 29.066745] __list_del_entry_valid+0x144/0x150 [ 29.071388] cma_cancel_operation+0x455/0xd60 [ 29.075854] ? finish_task_switch+0x29f/0x810 [ 29.080322] ? find_held_lock+0x35/0x1d0 [ 29.084353] ? rdma_destroy_id+0xda0/0xda0 [ 29.088556] ? rdma_destroy_id+0xf4/0xda0 [ 29.092674] ? lock_downgrade+0x980/0x980 [ 29.096792] ? ucma_close+0xe1/0x2f0 [ 29.100476] ? lock_release+0xa40/0xa40 [ 29.104421] ? kasan_check_read+0x11/0x20 [ 29.108537] ? do_raw_spin_unlock+0x9e/0x310 [ 29.112912] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 29.117463] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 29.122538] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.127527] rdma_destroy_id+0xff/0xda0 [ 29.131471] ? __mutex_unlock_slowpath+0x181/0x7e0 [ 29.136368] ? cma_release_dev+0x350/0x350 [ 29.140575] ? radix_tree_delete_item+0x146/0x280 [ 29.145389] ucma_close+0x100/0x2f0 [ 29.148984] ? ucma_free_ctx+0xd90/0xd90 [ 29.153012] __fput+0x327/0x7f0 [ 29.156261] ? fput+0x150/0x150 [ 29.159532] ? check_same_owner+0x320/0x320 [ 29.163829] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.168293] ____fput+0x15/0x20 [ 29.171544] task_work_run+0x1ab/0x280 [ 29.175398] ? task_work_cancel+0x240/0x240 [ 29.179691] ? kasan_check_write+0x14/0x20 [ 29.183895] ? switch_task_namespaces+0x94/0xc0 [ 29.188537] do_exit+0x1986/0x2700 [ 29.192050] ? print_irqtrace_events+0x241/0x270 [ 29.196775] ? mm_update_next_owner+0x960/0x960 [ 29.201416] ? trace_hardirqs_off+0x10/0x10 [ 29.205711] ? rcu_note_context_switch+0x710/0x710 [ 29.210611] ? __lock_acquire+0x638/0x3c30 [ 29.214816] ? __might_sleep+0x95/0x190 [ 29.218767] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 29.223926] ? lock_downgrade+0x980/0x980 [ 29.228046] ? kasan_check_write+0x14/0x20 [ 29.232252] ? __unqueue_futex+0x1e2/0x2b0 [ 29.236457] ? lock_release+0xa40/0xa40 [ 29.240402] ? kasan_check_read+0x11/0x20 [ 29.244520] ? do_raw_spin_unlock+0x9e/0x310 [ 29.248899] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 29.253453] ? kasan_check_write+0x14/0x20 [ 29.257658] ? do_raw_spin_lock+0xc1/0x230 [ 29.261863] ? kasan_check_write+0x14/0x20 [ 29.266071] ? drop_futex_key_refs.isra.13+0x71/0xc0 [ 29.271153] ? futex_wait+0x6a9/0x9a0 [ 29.274925] ? futex_wait_setup+0x400/0x400 [ 29.279221] ? trace_hardirqs_off+0x10/0x10 [ 29.283513] ? drop_futex_key_refs.isra.13+0x71/0xc0 [ 29.288586] ? futex_wake+0x2d7/0x680 [ 29.292359] ? memset+0x31/0x40 [ 29.295623] ? find_held_lock+0x35/0x1d0 [ 29.299661] ? get_signal+0x7bb/0x16e0 [ 29.303521] ? lock_downgrade+0x980/0x980 [ 29.307652] do_group_exit+0x149/0x400 [ 29.311509] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 29.316062] ? SyS_exit+0x30/0x30 [ 29.319487] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.323953] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.328939] get_signal+0x74c/0x16e0 [ 29.332624] ? ptrace_notify+0x130/0x130 [ 29.336658] ? ucma_query+0x230/0x230 [ 29.340442] ? kasan_check_write+0x14/0x20 [ 29.344649] ? ucma_write+0x11f/0x3d0 [ 29.348430] ? ucma_query+0x230/0x230 [ 29.352201] ? ucma_close_id+0x60/0x60 [ 29.356070] do_signal+0x90/0x1e90 [ 29.359580] ? ucma_close_id+0x60/0x60 [ 29.363436] ? __vfs_write+0xf7/0x970 [ 29.367208] ? setup_sigcontext+0x7d0/0x7d0 [ 29.371499] ? kernel_read+0x120/0x120 [ 29.375360] ? vm_mmap_pgoff+0x1fc/0x280 [ 29.379390] ? vm_mmap_pgoff+0x13b/0x280 [ 29.383426] ? exit_to_usermode_loop+0x8c/0x2f0 [ 29.388065] exit_to_usermode_loop+0x258/0x2f0 [ 29.392705] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 29.398216] ? do_syscall_64+0xb7/0x940 [ 29.402160] do_syscall_64+0x6ec/0x940 [ 29.406018] ? kasan_check_write+0x14/0x20 [ 29.410221] ? syscall_return_slowpath+0x550/0x550 [ 29.415129] ? syscall_return_slowpath+0x2ac/0x550 [ 29.420027] ? prepare_exit_to_usermode+0x350/0x350 [ 29.425026] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 29.430366] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.435351] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.440511] RIP: 0033:0x446b09 [ 29.443673] RSP: 002b:00007f2b89150da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 29.451350] RAX: fffffffffffffe00 RBX: 00000000006e29fc RCX: 0000000000446b09 [ 29.458591] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006e29fc [ 29.465831] RBP: 00000000006e29f8 R08: 0000000000000000 R09: 0000000000000000 [ 29.473071] R10: 0000000000000000 R11: 0000000000000246 R12: 006d635f616d6472 [ 29.480320] R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0000000000000005 [ 29.487969] Dumping ftrace buffer: [ 29.491490] (ftrace buffer empty) [ 29.495172] Kernel Offset: disabled [ 29.499181] Rebooting in 86400 seconds..