[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 42.047070] can: request_module (can-proto-0) failed.
[ 42.056516] can: request_module (can-proto-0) failed.
[ 42.793764] IPVS: ftp: loaded support on port[0] = 21
[ 43.472814] 8021q: adding VLAN 0 to HW filter on device bond0
[ 43.547645] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.853404] tipc: TX() has been purged, node left!
[ 45.420168] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
2020/02/11 22:27:22 parsed 1 programs
2020/02/11 22:27:22 executed programs: 0
[ 50.441555] IPVS: ftp: loaded support on port[0] = 21
[ 50.470679] IPVS: ftp: loaded support on port[0] = 21
[ 50.481476] IPVS: ftp: loaded support on port[0] = 21
[ 50.488518] IPVS: ftp: loaded support on port[0] = 21
[ 50.504678] IPVS: ftp: loaded support on port[0] = 21
[ 50.511823] IPVS: ftp: loaded support on port[0] = 21
[ 51.107185] ==================================================================
[ 51.114777] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe7/0xf3
[ 51.121789] Read of size 8 at addr ffff8881d89d61e8 by task syz-executor/4335
[ 51.129072]
[ 51.130702] CPU: 0 PID: 4335 Comm: syz-executor Not tainted 5.6.0-rc1-syzkaller #0
[ 51.138404] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.147847] Call Trace:
[ 51.150474]  dump_stack+0x12f/0x187
[ 51.154102]  ? __list_del_entry_valid+0xe7/0xf3
[ 51.158793]  print_address_description.constprop.8+0x3b/0x60
[ 51.164632]  ? __list_del_entry_valid+0xe7/0xf3
[ 51.169394]  ? __list_del_entry_valid+0xe7/0xf3
[ 51.174065]  __kasan_report.cold.11+0x1b/0x32
[ 51.178560]  ? __list_del_entry_valid+0xe7/0xf3
[ 51.183238]  kasan_report+0x12/0x20
[ 51.186856]  __asan_report_load8_noabort+0x14/0x20
[ 51.191776]  __list_del_entry_valid+0xe7/0xf3
[ 51.196296]  cma_cancel_operation+0x2f7/0x9c0
[ 51.200790]  rdma_destroy_id+0xc2/0xbb0
[ 51.204751]  ? complete+0x62/0x80
[ 51.208192]  ucma_close+0x101/0x2d0
[ 51.211833]  __fput+0x25a/0x780
[ 51.215115]  ____fput+0x9/0x10
[ 51.218317]  task_work_run+0x10e/0x190
[ 51.222323]  do_exit+0x9ed/0x2e30
[ 51.225786]  ? mm_update_next_owner+0x710/0x710
[ 51.230446]  ? get_signal+0x2c4/0x1d00
[ 51.234344]  ? lock_downgrade+0x900/0x900
[ 51.238500]  ? _raw_spin_unlock_irq+0x22/0x70
[ 51.242988]  ? get_signal+0x2c4/0x1d00
[ 51.246869]  do_group_exit+0xf4/0x2e0
[ 51.250663]  get_signal+0x368/0x1d00
[ 51.254371]  ? __kasan_check_write+0x14/0x20
[ 51.258879]  ? _copy_from_user+0xd6/0x110
[ 51.263023]  do_signal+0x87/0x16c0
[ 51.266591]  ? __vfs_write+0x61/0x110
[ 51.270380]  ? setup_sigcontext+0x7d0/0x7d0
[ 51.274692]  ? __x64_sys_futex+0x1cb/0x38e
[ 51.278929]  ? exit_to_usermode_loop+0x3a/0x210
[ 51.283587]  ? do_syscall_64+0x50b/0x600
[ 51.287633]  ? lockdep_hardirqs_on+0x42d/0x5d0
[ 51.292200]  ? exit_to_usermode_loop+0x3a/0x210
[ 51.296874]  ? trace_hardirqs_on+0x28/0x180
[ 51.301199]  exit_to_usermode_loop+0x114/0x210
[ 51.305774]  do_syscall_64+0x50b/0x600
[ 51.309655]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.314846] RIP: 0033:0x4549c9
[ 51.318040] Code: Bad RIP value.
[ 51.321388] RSP: 002b:00007f600763fce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 51.329084] RAX: fffffffffffffe00 RBX: 000000000072bec8 RCX: 00000000004549c9
[ 51.336343] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bec8
[ 51.343619] RBP: 000000000072bec8 R08: 0000000000000000 R09: 000000000072bea0
[ 51.350879] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 51.358140] R13: 00007ffd83a1269f R14: 00007f60076409c0 R15: 0000000000000000
[ 51.365437]
[ 51.367056] Allocated by task 4335:
[ 51.370668]  save_stack+0x21/0x90
[ 51.374111]  __kasan_kmalloc.constprop.7+0xc1/0xd0
[ 51.379069]  kasan_kmalloc+0x9/0x10
[ 51.382686]  kmem_cache_alloc_trace+0x15b/0x760
[ 51.387344]  __rdma_create_id+0x5d/0x6e0
[ 51.391402]  ucma_create_id+0x199/0x550
[ 51.395375]  ucma_write+0x206/0x2e0
[ 51.398988]  __vfs_write+0x61/0x110
[ 51.402600]  vfs_write+0x191/0x4c0
[ 51.406127]  ksys_write+0x197/0x220
[ 51.409742]  __x64_sys_write+0x6e/0xb0
[ 51.413679]  do_syscall_64+0xd0/0x600
[ 51.417526]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.422700]
[ 51.424323] Freed by task 4335:
[ 51.427595]  save_stack+0x21/0x90
[ 51.431084]  __kasan_slab_free+0x11a/0x170
[ 51.435300]  kasan_slab_free+0xe/0x10
[ 51.439091]  kfree+0xfa/0x290
[ 51.442194]  rdma_destroy_id+0x643/0xbb0
[ 51.446240]  ucma_close+0x101/0x2d0
[ 51.449853]  __fput+0x25a/0x780
[ 51.453114]  ____fput+0x9/0x10
[ 51.456310]  task_work_run+0x10e/0x190
[ 51.460189]  do_exit+0x9ed/0x2e30
[ 51.463729]  do_group_exit+0xf4/0x2e0
[ 51.467516]  get_signal+0x368/0x1d00
[ 51.471208]  do_signal+0x87/0x16c0
[ 51.474736]  exit_to_usermode_loop+0x114/0x210
[ 51.479302]  do_syscall_64+0x50b/0x600
[ 51.483263]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.488432]
[ 51.490177] The buggy address belongs to the object at ffff8881d89d6000
[ 51.490177]  which belongs to the cache kmalloc-2k of size 2048
[ 51.502869] The buggy address is located 488 bytes inside of
[ 51.502869]  2048-byte region [ffff8881d89d6000, ffff8881d89d6800)
[ 51.514822] The buggy address belongs to the page:
[ 51.519816] page:ffffea0007627580 refcount:1 mapcount:0 mapping:ffff8881da000e00 index:0x0
[ 51.528211] flags: 0x2fffc0000000200(slab)
[ 51.532427] raw: 02fffc0000000200 ffffea0007606a48 ffffea0007363108 ffff8881da000e00
[ 51.540356] raw: 0000000000000000 ffff8881d89d6000 0000000100000001 0000000000000000
[ 51.548250] page dumped because: kasan: bad access detected
[ 51.554008]
[ 51.555662] Memory state around the buggy address:
[ 51.560576]  ffff8881d89d6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.567913]  ffff8881d89d6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.575301] >ffff8881d89d6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.582693]                                                           ^
[ 51.589485]  ffff8881d89d6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.596927]  ffff8881d89d6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.604334] ==================================================================
[ 51.611683] Disabling lock debugging due to kernel taint
[ 51.617205] Kernel panic - not syncing: panic_on_warn set ...
[ 51.623084] CPU: 0 PID: 4335 Comm: syz-executor Tainted: G    B             5.6.0-rc1-syzkaller #0
[ 51.632161] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.641501] Call Trace:
[ 51.644071]  dump_stack+0x12f/0x187
[ 51.647688]  ? __list_del_entry_valid+0xb0/0xf3
[ 51.652346]  panic+0x22a/0x4f5
[ 51.655518]  ? add_taint.cold.7+0x11/0x11
[ 51.659657]  ? do_raw_spin_unlock+0x54/0x260
[ 51.664060]  ? do_raw_spin_unlock+0x54/0x260
[ 51.668452]  ? __list_del_entry_valid+0xe7/0xf3
[ 51.673101]  ? __list_del_entry_valid+0xe7/0xf3
[ 51.677753]  end_report+0x47/0x4f
[ 51.681208]  __kasan_report.cold.11+0xe/0x32
[ 51.685647]  ? __list_del_entry_valid+0xe7/0xf3
[ 51.690317]  kasan_report+0x12/0x20
[ 51.693992]  __asan_report_load8_noabort+0x14/0x20
[ 51.698914]  __list_del_entry_valid+0xe7/0xf3
[ 51.703390]  cma_cancel_operation+0x2f7/0x9c0
[ 51.707877]  rdma_destroy_id+0xc2/0xbb0
[ 51.711839]  ? complete+0x62/0x80
[ 51.715277]  ucma_close+0x101/0x2d0
[ 51.718898]  __fput+0x25a/0x780
[ 51.722167]  ____fput+0x9/0x10
[ 51.725362]  task_work_run+0x10e/0x190
[ 51.729237]  do_exit+0x9ed/0x2e30
[ 51.732725]  ? mm_update_next_owner+0x710/0x710
[ 51.737383]  ? get_signal+0x2c4/0x1d00
[ 51.741255]  ? lock_downgrade+0x900/0x900
[ 51.745410]  ? _raw_spin_unlock_irq+0x22/0x70
[ 51.749890]  ? get_signal+0x2c4/0x1d00
[ 51.753761]  do_group_exit+0xf4/0x2e0
[ 51.757593]  get_signal+0x368/0x1d00
[ 51.761294]  ? __kasan_check_write+0x14/0x20
[ 51.765693]  ? _copy_from_user+0xd6/0x110
[ 51.769852]  do_signal+0x87/0x16c0
[ 51.773375]  ? __vfs_write+0x61/0x110
[ 51.777159]  ? setup_sigcontext+0x7d0/0x7d0
[ 51.781551]  ? __x64_sys_futex+0x1cb/0x38e
[ 51.785768]  ? exit_to_usermode_loop+0x3a/0x210
[ 51.790410]  ? do_syscall_64+0x50b/0x600
[ 51.794493]  ? lockdep_hardirqs_on+0x42d/0x5d0
[ 51.799105]  ? exit_to_usermode_loop+0x3a/0x210
[ 51.803762]  ? trace_hardirqs_on+0x28/0x180
[ 51.808077]  exit_to_usermode_loop+0x114/0x210
[ 51.812645]  do_syscall_64+0x50b/0x600
[ 51.816512]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 51.821710] RIP: 0033:0x4549c9
[ 51.824935] Code: Bad RIP value.
[ 51.828276] RSP: 002b:00007f600763fce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 51.835962] RAX: fffffffffffffe00 RBX: 000000000072bec8 RCX: 00000000004549c9
[ 51.843214] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bec8
[ 51.850472] RBP: 000000000072bec8 R08: 0000000000000000 R09: 000000000072bea0
[ 51.857724] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 51.864973] R13: 00007ffd83a1269f R14: 00007f60076409c0 R15: 0000000000000000
[ 51.873099] Kernel Offset: disabled
[ 51.876718] Rebooting in 86400 seconds..