Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
2020/03/28 04:19:45 parsed 1 programs
2020/03/28 04:19:47 executed programs: 0
syzkaller login: [ 62.844080][ T7037] IPVS: ftp: loaded support on port[0] = 21
[ 62.944494][ T7037] chnl_net:caif_netlink_parms(): no params data found
[ 63.001148][ T7037] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.009035][ T7037] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.017806][ T7037] device bridge_slave_0 entered promiscuous mode
[ 63.027211][ T7037] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.035660][ T7037] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.044060][ T7037] device bridge_slave_1 entered promiscuous mode
[ 63.066771][ T7037] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 63.077913][ T7037] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 63.104880][ T7037] team0: Port device team_slave_0 added
[ 63.113416][ T7037] team0: Port device team_slave_1 added
[ 63.134491][ T7037] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 63.141661][ T7037] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 63.167687][ T7037] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 63.181375][ T7037] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 63.188371][ T7037] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 63.214527][ T7037] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 63.283759][ T7037] device hsr_slave_0 entered promiscuous mode
[ 63.350727][ T7037] device hsr_slave_1 entered promiscuous mode
[ 63.531284][ T7037] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 63.573994][ T7037] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.633433][ T7037] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.703415][ T7037] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.789474][ T7037] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.796951][ T7037] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.805480][ T7037] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.812798][ T7037] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.867043][ T7037] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.882491][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.894017][ T2687] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.903498][ T2687] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.912268][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 63.927886][ T7037] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.938408][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 63.948611][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.958350][ T3209] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.965688][ T3209] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.979474][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 63.988608][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.998550][ T2692] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.005753][ T2692] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.019265][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 64.040532][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 64.049291][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 64.059043][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 64.068338][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 64.077776][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 64.088085][ T3209] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 64.104373][ T7037] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 64.117088][ T7037] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 64.131764][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 64.140774][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 64.150464][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 64.159141][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 64.171221][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 64.191466][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 64.199008][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 64.216208][ T7037] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 64.241343][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 64.251778][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 64.274061][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 64.283347][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 64.293670][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 64.302046][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 64.313852][ T7037] device veth0_vlan entered promiscuous mode
[ 64.327800][ T7037] device veth1_vlan entered promiscuous mode
[ 64.353571][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 64.362407][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 64.372293][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 64.381521][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 64.394684][ T7037] device veth0_macvtap entered promiscuous mode
[ 64.405209][ T7037] device veth1_macvtap entered promiscuous mode
[ 64.425289][ T7037] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 64.433171][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 64.442419][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 64.451465][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 64.460842][ T3208] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 64.475641][ T7037] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 64.483764][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 64.494754][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 67.221474][ T7560] ==================================================================
[ 67.229946][ T7560] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 67.237127][ T7560] Read of size 8 at addr ffff8880983631e0 by task syz-executor.0/7560
[ 67.245273][ T7560]
[ 67.247599][ T7560] CPU: 1 PID: 7560 Comm: syz-executor.0 Not tainted 5.6.0-rc7-syzkaller #0
[ 67.256169][ T7560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.266202][ T7560] Call Trace:
[ 67.270025][ T7560]  dump_stack+0x188/0x20d
[ 67.274340][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.279203][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.284060][ T7560]  print_address_description.constprop.0.cold+0xd3/0x315
[ 67.291075][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.295925][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.300801][ T7560]  __kasan_report.cold+0x1a/0x32
[ 67.305746][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.310785][ T7560]  kasan_report+0xe/0x20
[ 67.315035][ T7560]  __list_add_valid+0x93/0xa0
[ 67.319706][ T7560]  rdma_listen+0x681/0x910
[ 67.324143][ T7560]  ucma_listen+0x14d/0x1c0
[ 67.328571][ T7560]  ? ucma_notify+0x190/0x190
[ 67.333190][ T7560]  ? __might_fault+0x190/0x1d0
[ 67.337960][ T7560]  ? _copy_from_user+0x123/0x190
[ 67.342900][ T7560]  ? ucma_notify+0x190/0x190
[ 67.347494][ T7560]  ucma_write+0x285/0x350
[ 67.351831][ T7560]  ? ucma_open+0x270/0x270
[ 67.356268][ T7560]  ? security_file_permission+0x8a/0x370
[ 67.361914][ T7560]  ? ucma_open+0x270/0x270
[ 67.366330][ T7560]  __vfs_write+0x76/0x100
[ 67.370663][ T7560]  vfs_write+0x262/0x5c0
[ 67.374901][ T7560]  ksys_write+0x1e8/0x250
[ 67.379241][ T7560]  ? __ia32_sys_read+0xb0/0xb0
[ 67.384010][ T7560]  ? __ia32_sys_clock_settime+0x260/0x260
[ 67.389742][ T7560]  ? trace_hardirqs_off_caller+0x55/0x230
[ 67.395482][ T7560]  do_syscall_64+0xf6/0x7d0
[ 67.399993][ T7560]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.405882][ T7560] RIP: 0033:0x45c849
[ 67.409774][ T7560] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 67.429501][ T7560] RSP: 002b:00007f8a3f379c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 67.437992][ T7560] RAX: ffffffffffffffda RBX: 00007f8a3f37a6d4 RCX: 000000000045c849
[ 67.445986][ T7560] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000007
[ 67.454000][ T7560] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 67.462019][ T7560] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 67.469975][ T7560] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bf0c
[ 67.477946][ T7560]
[ 67.480264][ T7560] Allocated by task 7547:
[ 67.484599][ T7560]  save_stack+0x1b/0x80
[ 67.488739][ T7560]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 67.494376][ T7560]  kmem_cache_alloc_trace+0x153/0x7d0
[ 67.499768][ T7560]  __rdma_create_id+0x5b/0x850
[ 67.504545][ T7560]  ucma_create_id+0x1cb/0x580
[ 67.509221][ T7560]  ucma_write+0x285/0x350
[ 67.513960][ T7560]  __vfs_write+0x76/0x100
[ 67.518443][ T7560]  vfs_write+0x262/0x5c0
[ 67.522696][ T7560]  ksys_write+0x1e8/0x250
[ 67.527016][ T7560]  do_syscall_64+0xf6/0x7d0
[ 67.531831][ T7560]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.537968][ T7560]
[ 67.540278][ T7560] Freed by task 7546:
[ 67.544247][ T7560]  save_stack+0x1b/0x80
[ 67.548385][ T7560]  __kasan_slab_free+0xf7/0x140
[ 67.553287][ T7560]  kfree+0x109/0x2b0
[ 67.557172][ T7560]  ucma_close+0x10b/0x300
[ 67.561499][ T7560]  __fput+0x2da/0x850
[ 67.565465][ T7560]  task_work_run+0x13f/0x1b0
[ 67.570159][ T7560]  exit_to_usermode_loop+0x2fa/0x360
[ 67.575585][ T7560]  do_syscall_64+0x6b1/0x7d0
[ 67.580171][ T7560]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.586053][ T7560]
[ 67.588390][ T7560] The buggy address belongs to the object at ffff888098363000
[ 67.588390][ T7560]  which belongs to the cache kmalloc-2k of size 2048
[ 67.602437][ T7560] The buggy address is located 480 bytes inside of
[ 67.602437][ T7560]  2048-byte region [ffff888098363000, ffff888098363800)
[ 67.615780][ T7560] The buggy address belongs to the page:
[ 67.621437][ T7560] page:ffffea000260d8c0 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 67.631148][ T7560] flags: 0xfffe0000000200(slab)
[ 67.636000][ T7560] raw: 00fffe0000000200 ffffea0002a2d808 ffffea00024d7b88 ffff8880aa000e00
[ 67.644590][ T7560] raw: 0000000000000000 ffff888098363000 0000000100000001 0000000000000000
[ 67.653161][ T7560] page dumped because: kasan: bad access detected
[ 67.659565][ T7560]
[ 67.661877][ T7560] Memory state around the buggy address:
[ 67.667495][ T7560]  ffff888098363080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.675538][ T7560]  ffff888098363100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.683598][ T7560] >ffff888098363180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.691809][ T7560]                                                        ^
[ 67.699028][ T7560]  ffff888098363200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.707105][ T7560]  ffff888098363280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.715213][ T7560] ==================================================================
[ 67.723258][ T7560] Disabling lock debugging due to kernel taint
[ 67.739320][ T7560] Kernel panic - not syncing: panic_on_warn set ...
[ 67.745939][ T7560] CPU: 1 PID: 7560 Comm: syz-executor.0 Tainted: G    B             5.6.0-rc7-syzkaller #0
[ 67.755918][ T7560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.765963][ T7560] Call Trace:
[ 67.769245][ T7560]  dump_stack+0x188/0x20d
[ 67.773586][ T7560]  panic+0x2e3/0x75c
[ 67.777475][ T7560]  ? add_taint.cold+0x16/0x16
[ 67.782143][ T7560]  ? preempt_schedule_common+0x5e/0xc0
[ 67.787588][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.792425][ T7560]  ? ___preempt_schedule+0x16/0x18
[ 67.797536][ T7560]  ? trace_hardirqs_on+0x55/0x220
[ 67.802554][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.807411][ T7560]  end_report+0x43/0x49
[ 67.811553][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.816414][ T7560]  __kasan_report.cold+0xd/0x32
[ 67.821251][ T7560]  ? __list_add_valid+0x93/0xa0
[ 67.826110][ T7560]  kasan_report+0xe/0x20
[ 67.830336][ T7560]  __list_add_valid+0x93/0xa0
[ 67.834996][ T7560]  rdma_listen+0x681/0x910
[ 67.839403][ T7560]  ucma_listen+0x14d/0x1c0
[ 67.843806][ T7560]  ? ucma_notify+0x190/0x190
[ 67.848503][ T7560]  ? __might_fault+0x190/0x1d0
[ 67.853276][ T7560]  ? _copy_from_user+0x123/0x190
[ 67.858217][ T7560]  ? ucma_notify+0x190/0x190
[ 67.862901][ T7560]  ucma_write+0x285/0x350
[ 67.867344][ T7560]  ? ucma_open+0x270/0x270
[ 67.871806][ T7560]  ? security_file_permission+0x8a/0x370
[ 67.877841][ T7560]  ? ucma_open+0x270/0x270
[ 67.882553][ T7560]  __vfs_write+0x76/0x100
[ 67.887198][ T7560]  vfs_write+0x262/0x5c0
[ 67.891459][ T7560]  ksys_write+0x1e8/0x250
[ 67.895790][ T7560]  ? __ia32_sys_read+0xb0/0xb0
[ 67.900544][ T7560]  ? __ia32_sys_clock_settime+0x260/0x260
[ 67.906269][ T7560]  ? trace_hardirqs_off_caller+0x55/0x230
[ 67.912055][ T7560]  do_syscall_64+0xf6/0x7d0
[ 67.916621][ T7560]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 67.922517][ T7560] RIP: 0033:0x45c849
[ 67.926439][ T7560] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 67.946283][ T7560] RSP: 002b:00007f8a3f379c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 67.954813][ T7560] RAX: ffffffffffffffda RBX: 00007f8a3f37a6d4 RCX: 000000000045c849
[ 67.962809][ T7560] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000007
[ 67.970906][ T7560] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 67.979014][ T7560] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 67.986993][ T7560] R13: 0000000000000cc0 R14: 00000000004cee4e R15: 000000000076bf0c
[ 67.996590][ T7560] Kernel Offset: disabled
[ 68.001001][ T7560] Rebooting in 86400 seconds..