[ 465.661169] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 465.667943] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 465.676264] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 465.683335] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 465.693569] device bridge_slave_1 left promiscuous mode
[ 465.699188] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.742061] device bridge_slave_0 left promiscuous mode
[ 465.747505] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.804127] device veth1_macvtap left promiscuous mode
[ 465.810357] device veth0_macvtap left promiscuous mode
[ 465.815650] device veth1_vlan left promiscuous mode
[ 465.821808] device veth0_vlan left promiscuous mode
[ 465.942099] device hsr_slave_1 left promiscuous mode
[ 465.991856] device hsr_slave_0 left promiscuous mode
[ 466.037720] team0 (unregistering): Port device team_slave_1 removed
[ 466.046451] team0 (unregistering): Port device team_slave_0 removed
[ 466.055928] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 466.094143] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 466.146417] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.162' (ECDSA) to the list of known hosts.
[ 468.445683] ==================================================================
[ 468.453227] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe7/0xf3
[ 468.460212] Read of size 8 at addr ffff88808abb6ae0 by task syz-executor270/20455
[ 468.467804]
[ 468.469423] CPU: 1 PID: 20455 Comm: syz-executor270 Not tainted 4.14.184-syzkaller #0
[ 468.477391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 468.486719] Call Trace:
[ 468.489323]  dump_stack+0xf7/0x13b
[ 468.492853]  ? __list_del_entry_valid+0xe7/0xf3
[ 468.497520]  print_address_description.cold.7+0x9/0x1c9
[ 468.502857]  ? __list_del_entry_valid+0xe7/0xf3
[ 468.507497]  kasan_report.cold.8+0x11a/0x2d3
[ 468.511885]  __asan_report_load8_noabort+0x14/0x20
[ 468.516785]  __list_del_entry_valid+0xe7/0xf3
[ 468.521281]  cma_cancel_operation+0x300/0x9b0
[ 468.525748]  ? trace_hardirqs_on_caller+0x40c/0x580
[ 468.530734]  rdma_destroy_id+0x83/0xa70
[ 468.534680]  ? complete+0x62/0x80
[ 468.538128]  ucma_close+0x101/0x2e0
[ 468.541751]  __fput+0x232/0x750
[ 468.545004]  ____fput+0x9/0x10
[ 468.548185]  task_work_run+0xe5/0x170
[ 468.551972]  do_exit+0x94b/0x2cc0
[ 468.555405]  ? match_held_lock+0x711/0x740
[ 468.559610]  ? mm_update_next_owner+0x630/0x630
[ 468.564266]  ? preempt_schedule+0x4d/0x60
[ 468.568419]  ? preempt_schedule_common+0x1f/0xe0
[ 468.573189]  ? preempt_schedule+0x4d/0x60
[ 468.577319]  ? ___preempt_schedule+0x16/0x18
[ 468.581702]  do_group_exit+0xf4/0x2f0
[ 468.585475]  ? do_group_exit+0x2f0/0x2f0
[ 468.589505]  SyS_exit_group+0x18/0x20
[ 468.593276]  do_syscall_64+0x1c7/0x5b0
[ 468.597135]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 468.601949]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 468.607119] RIP: 0033:0x445598
[ 468.610283] RSP: 002b:00007ffffa4afe78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 468.617961] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445598
[ 468.625201] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 468.632455] RBP: 00000000004ccc90 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 468.639696] R10: 00007ffffa4afed0 R11: 0000000000000246 R12: 0000000000000001
[ 468.646948] R13: 00000000006e0320 R14: 000000000000002d R15: 20c49ba5e353f7cf
[ 468.654195]
[ 468.655795] Allocated by task 20458:
[ 468.659479]  save_stack_trace+0x16/0x20
[ 468.663423]  save_stack+0x43/0xd0
[ 468.666846]  kasan_kmalloc+0xc7/0xe0
[ 468.670582]  kmem_cache_alloc_trace+0x152/0x7a0
[ 468.675222]  rdma_create_id+0x58/0x4d0
[ 468.679090]  ucma_create_id+0x191/0x550
[ 468.683032]  ucma_write+0x1f1/0x2c0
[ 468.686628]  __vfs_write+0xdb/0x840
[ 468.690223]  vfs_write+0x150/0x4f0
[ 468.693732]  SyS_write+0x100/0x250
[ 468.697264]  do_syscall_64+0x1c7/0x5b0
[ 468.701137]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 468.706300]
[ 468.707899] Freed by task 20455:
[ 468.711241]  save_stack_trace+0x16/0x20
[ 468.715193]  save_stack+0x43/0xd0
[ 468.718614]  kasan_slab_free+0x71/0xc0
[ 468.722474]  kfree+0xcc/0x270
[ 468.725550]  rdma_destroy_id+0x619/0xa70
[ 468.729582]  ucma_close+0x101/0x2e0
[ 468.733189]  __fput+0x232/0x750
[ 468.736436]  ____fput+0x9/0x10
[ 468.739600]  task_work_run+0xe5/0x170
[ 468.743381]  do_exit+0x94b/0x2cc0
[ 468.746803]  do_group_exit+0xf4/0x2f0
[ 468.750571]  SyS_exit_group+0x18/0x20
[ 468.754340]  do_syscall_64+0x1c7/0x5b0
[ 468.758195]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 468.763351]
[ 468.764951] The buggy address belongs to the object at ffff88808abb6900
[ 468.764951]  which belongs to the cache kmalloc-1024 of size 1024
[ 468.777759] The buggy address is located 480 bytes inside of
[ 468.777759]  1024-byte region [ffff88808abb6900, ffff88808abb6d00)
[ 468.789691] The buggy address belongs to the page:
[ 468.794593] page:ffffea00022aed80 count:1 mapcount:0 mapping:ffff88808abb6000 index:0x0 compound_mapcount: 0
[ 468.804531] flags: 0xfffe0000008100(slab|head)
[ 468.809105] raw: 00fffe0000008100 ffff88808abb6000 0000000000000000 0000000100000007
[ 468.816973] raw: ffffea0002a4b7a0 ffff8880aa801848 ffff8880aa800ac0 0000000000000000
[ 468.824824] page dumped because: kasan: bad access detected
[ 468.830516]
[ 468.832114] Memory state around the buggy address:
[ 468.837014]  ffff88808abb6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.844352]  ffff88808abb6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.851696] >ffff88808abb6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.859024]                                                        ^
[ 468.865485]  ffff88808abb6b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.872822]  ffff88808abb6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.880148] ==================================================================
[ 468.887474] Disabling lock debugging due to kernel taint
[ 468.896192] Kernel panic - not syncing: panic_on_warn set ...
[ 468.896192]
[ 468.903561] CPU: 0 PID: 20455 Comm: syz-executor270 Tainted: G B 4.14.184-syzkaller #0
[ 468.912720] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 468.922044] Call Trace:
[ 468.924673]  dump_stack+0xf7/0x13b
[ 468.928183]  ? __list_del_entry_valid+0xe7/0xf3
[ 468.932822]  panic+0x1b0/0x358
[ 468.935981]  ? add_taint.cold.5+0x11/0x11
[ 468.940115]  ? ___preempt_schedule+0x16/0x18
[ 468.944494]  ? __list_del_entry_valid+0xe7/0xf3
[ 468.949131]  kasan_end_report+0x47/0x4f
[ 468.953182]  kasan_report.cold.8+0x76/0x2d3
[ 468.957511]  __asan_report_load8_noabort+0x14/0x20
[ 468.962414]  __list_del_entry_valid+0xe7/0xf3
[ 468.966916]  cma_cancel_operation+0x300/0x9b0
[ 468.971383]  ? trace_hardirqs_on_caller+0x40c/0x580
[ 468.976381]  rdma_destroy_id+0x83/0xa70
[ 468.980325]  ? complete+0x62/0x80
[ 468.983754]  ucma_close+0x101/0x2e0
[ 468.987351]  __fput+0x232/0x750
[ 468.990600]  ____fput+0x9/0x10
[ 468.993762]  task_work_run+0xe5/0x170
[ 468.997532]  do_exit+0x94b/0x2cc0
[ 469.000965]  ? match_held_lock+0x711/0x740
[ 469.005190]  ? mm_update_next_owner+0x630/0x630
[ 469.009829]  ? preempt_schedule+0x4d/0x60
[ 469.013948]  ? preempt_schedule_common+0x1f/0xe0
[ 469.018670]  ? preempt_schedule+0x4d/0x60
[ 469.022792]  ? ___preempt_schedule+0x16/0x18
[ 469.027170]  do_group_exit+0xf4/0x2f0
[ 469.030942]  ? do_group_exit+0x2f0/0x2f0
[ 469.034986]  SyS_exit_group+0x18/0x20
[ 469.038754]  do_syscall_64+0x1c7/0x5b0
[ 469.042611]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 469.047424]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 469.052582] RIP: 0033:0x445598
[ 469.055744] RSP: 002b:00007ffffa4afe78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 469.063429] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445598
[ 469.070687] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 469.077937] RBP: 00000000004ccc90 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 469.085262] R10: 00007ffffa4afed0 R11: 0000000000000246 R12: 0000000000000001
[ 469.092512] R13: 00000000006e0320 R14: 000000000000002d R15: 20c49ba5e353f7cf
[ 469.101022] Kernel Offset: disabled
[ 469.104629] Rebooting in 86400 seconds..