INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [   36.117839] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   36.366362] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   36.727944] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   36.734057] 8021q: adding VLAN 0 to HW filter on device bond0
[   36.772512] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   36.810821] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   36.848389] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   36.854493] 8021q: adding VLAN 0 to HW filter on device team0
[   36.880620] bond0: Enslaving bond_slave as an active interface with an up link
[   36.889253] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
executing program
[   36.899961] team0: Port device team_slave added
[   36.905334] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   36.951166] ==================================================================
[   36.958597] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[   36.965255] Write of size 4 at addr ffff8801d46f3de0 by task syzkaller825203/4516
[   36.972857]
[   36.974468] CPU: 1 PID: 4516 Comm: syzkaller825203 Not tainted 4.16.0+ #17
[   36.981455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.990787] Call Trace:
[   36.993361]  dump_stack+0x1b9/0x294
[   36.996971]  ? dump_stack_print_info.cold.2+0x52/0x52
[   37.002139]  ? printk+0x9e/0xba
[   37.005399]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   37.010149]  ? kasan_check_write+0x14/0x20
[   37.014374]  print_address_description+0x6c/0x20b
[   37.019195]  ? skb_release_data+0x19b/0x860
[   37.023496]  kasan_report.cold.7+0xac/0x2f5
[   37.027798]  check_memory_region+0x13e/0x1b0
[   37.032187]  kasan_check_write+0x14/0x20
[   37.036227]  skb_release_data+0x19b/0x860
[   37.040363]  ? skb_tx_error+0x2f0/0x2f0
[   37.044317]  ? kasan_check_read+0x11/0x20
[   37.048446]  ? rcu_is_watching+0x85/0x140
[   37.052581]  ? kasan_check_write+0x14/0x20
[   37.056793]  ? sock_rmem_free+0x6f/0x90
[   37.060750]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   37.066268]  skb_release_all+0x4a/0x60
[   37.070136]  kfree_skb+0x195/0x560
[   37.073655]  ? skb_queue_purge+0x19/0x40
[   37.077713]  ? __kfree_skb+0x20/0x20
[   37.081409]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   37.085971]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   37.091054]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.096050]  ? trace_hardirqs_on+0xd/0x10
[   37.100177]  ? skb_dequeue+0x12f/0x180
[   37.104043]  skb_queue_purge+0x19/0x40
[   37.107910]  packet_sock_destruct+0x93/0x290
[   37.112295]  ? packet_mm_close+0xc0/0xc0
[   37.116333]  ? graph_lock+0x170/0x170
[   37.120111]  ? __free_object+0x16e/0x330
[   37.124150]  ? __list_del_entry_valid.cold.1+0x58/0x58
[   37.129413]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   37.133976]  ? packet_mm_close+0xc0/0xc0
[   37.138014]  __sk_destruct+0xff/0xa40
[   37.141794]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[   37.146706]  ? graph_lock+0x170/0x170
[   37.150487]  ? lock_downgrade+0x8e0/0x8e0
[   37.154630]  ? __lock_is_held+0xb5/0x140
[   37.158671]  ? kasan_check_read+0x11/0x20
[   37.162801]  ? do_raw_spin_unlock+0x9e/0x2e0
[   37.167187]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   37.171748]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   37.176840]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.182778]  ? refcount_sub_and_test+0x212/0x330
[   37.187515]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   37.192248]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   37.196984]  ? pcpu_free_area+0xa90/0xa90
[   37.201114]  sk_destruct+0x78/0x90
[   37.204632]  __sk_free+0x22e/0x340
[   37.208154]  sk_free+0x42/0x50
[   37.211330]  packet_release+0xa18/0xd50
[   37.215282]  ? lock_downgrade+0x8e0/0x8e0
[   37.219412]  ? packet_lookup_frame+0x270/0x270
[   37.224060]  ? cpumask_weight.constprop.5+0x44/0x44
[   37.229059]  ? do_raw_spin_lock+0xc1/0x200
[   37.233275]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   37.238791]  ? locks_remove_file+0x3f7/0x5a0
[   37.243182]  ? fcntl_setlk+0x1020/0x1020
[   37.247222]  ? fsnotify+0x415/0x1100
[   37.250921]  ? fsnotify_first_mark+0x330/0x330
[   37.255485]  sock_release+0x96/0x1b0
[   37.259179]  ? sock_alloc_file+0x4e0/0x4e0
[   37.263391]  sock_close+0x16/0x20
[   37.266823]  __fput+0x34d/0x890
[   37.270085]  ? fput+0x1a0/0x1a0
[   37.273348]  ? check_same_owner+0x320/0x320
[   37.277649]  ____fput+0x15/0x20
[   37.280909]  task_work_run+0x1e4/0x290
[   37.284776]  ? task_work_cancel+0x240/0x240
[   37.289086]  ? switch_task_namespaces+0xbd/0xd0
[   37.293752]  do_exit+0x1aee/0x2730
[   37.297290]  ? mm_update_next_owner+0x980/0x980
[   37.301939]  ? finish_mkwrite_fault+0x610/0x610
[   37.306591]  ? debug_check_no_locks_freed+0x310/0x310
[   37.311770]  ? kasan_check_read+0x11/0x20
[   37.315895]  ? rcu_is_watching+0x85/0x140
[   37.320020]  ? lock_acquire+0x1dc/0x520
[   37.323974]  ? lock_release+0xa10/0xa10
[   37.327925]  ? tun_chr_close+0x60/0x60
[   37.331794]  ? kasan_check_write+0x14/0x20
[   37.336009]  ? do_raw_spin_lock+0xc1/0x200
[   37.340223]  ? __handle_mm_fault+0x88c/0x4150
[   37.344698]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   37.349431]  ? graph_lock+0x170/0x170
[   37.353212]  ? rcu_is_watching+0x85/0x140
[   37.357337]  ? graph_lock+0x170/0x170
[   37.361119]  ? find_held_lock+0x36/0x1c0
[   37.365165]  ? find_held_lock+0x36/0x1c0
[   37.369209]  ? lock_downgrade+0x8e0/0x8e0
[   37.373470]  ? handle_mm_fault+0x8c0/0xc70
[   37.377691]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   37.383205]  ? handle_mm_fault+0x55a/0xc70
[   37.387418]  ? __handle_mm_fault+0x4150/0x4150
[   37.391982]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.397495]  ? __do_page_fault+0x441/0xe40
[   37.401710]  do_group_exit+0x16f/0x430
[   37.405576]  ? SyS_exit+0x30/0x30
[   37.409007]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   37.413828]  ? do_syscall_64+0xb7/0x9d0
[   37.417787]  ? do_group_exit+0x430/0x430
[   37.421829]  SyS_exit_group+0x1d/0x20
[   37.425609]  do_syscall_64+0x29e/0x9d0
[   37.429473]  ? vmalloc_sync_all+0x30/0x30
[   37.433602]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.438335]  ? syscall_return_slowpath+0x5c0/0x5c0
[   37.443244]  ? syscall_return_slowpath+0x30f/0x5c0
[   37.448154]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.453669]  ? retint_user+0x18/0x18
[   37.457366]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.462189]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.467353] RIP: 0033:0x4416e9
[   37.470522] RSP: 002b:00007fff683f33c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   37.478212] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004416e9
[   37.485465] RDX: 0000000000441620 RSI: 0000000000000001 RDI: 0000000000000001
[   37.492721] RBP: 00000000004a3309 R08: 0000000000000000 R09: 00000000006cd018
[   37.499976] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff683f34b8
[   37.507225] R13: 0000000000402470 R14: 0000000000000000 R15: 0000000000000000
[   37.514480]
[   37.516095] Allocated by task 4516:
[   37.519715]  save_stack+0x43/0xd0
[   37.523147]  kasan_kmalloc+0xc4/0xe0
[   37.526841]  __kmalloc_node_track_caller+0x47/0x70
[   37.531750]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   37.536488]  __alloc_skb+0x14d/0x780
[   37.540177]  alloc_skb_with_frags+0x137/0x760
[   37.544721]  sock_alloc_send_pskb+0x87a/0xae0
[   37.549406]  packet_sendmsg+0x1bd1/0x6100
[   37.553548]  sock_sendmsg+0xd5/0x120
[   37.557248]  ___sys_sendmsg+0x805/0x940
[   37.561351]  __sys_sendmsg+0x115/0x270
[   37.565215]  SyS_sendmsg+0x29/0x30
[   37.568753]  do_syscall_64+0x29e/0x9d0
[   37.572718]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.577890]
[   37.579497] Freed by task 4516:
[   37.582758]  save_stack+0x43/0xd0
[   37.586205]  __kasan_slab_free+0x11a/0x170
[   37.590592]  kasan_slab_free+0xe/0x10
[   37.594461]  kfree+0xd9/0x260
[   37.597550]  skb_free_head+0x99/0xc0
[   37.601255]  skb_release_data+0x690/0x860
[   37.605480]  skb_release_all+0x4a/0x60
[   37.609349]  kfree_skb+0x195/0x560
[   37.612879]  ip6_tnl_start_xmit+0xa44/0x2290
[   37.617268]  dev_hard_start_xmit+0x264/0xc10
[   37.621657]  __dev_queue_xmit+0x2724/0x34c0
[   37.625964]  dev_queue_xmit+0x17/0x20
[   37.630042]  packet_sendmsg+0x411d/0x6100
[   37.634176]  sock_sendmsg+0xd5/0x120
[   37.637976]  ___sys_sendmsg+0x805/0x940
[   37.642738]  __sys_sendmsg+0x115/0x270
[   37.646612]  SyS_sendmsg+0x29/0x30
[   37.650146]  do_syscall_64+0x29e/0x9d0
[   37.654016]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   37.659182]
[   37.660789] The buggy address belongs to the object at ffff8801d46f3d00
[   37.660789]  which belongs to the cache kmalloc-512 of size 512
[   37.673426] The buggy address is located 224 bytes inside of
[   37.673426]  512-byte region [ffff8801d46f3d00, ffff8801d46f3f00)
[   37.685283] The buggy address belongs to the page:
[   37.690194] page:ffffea000751bcc0 count:1 mapcount:0 mapping:ffff8801d46f3080 index:0x0
[   37.698318] flags: 0x2fffc0000000100(slab)
[   37.702533] raw: 02fffc0000000100 ffff8801d46f3080 0000000000000000 0000000100000006
[   37.710392] raw: ffffea0007500820 ffffea000751bd60 ffff8801dac00940 0000000000000000
[   37.718263] page dumped because: kasan: bad access detected
[   37.724053]
[   37.725660] Memory state around the buggy address:
[   37.730926]  ffff8801d46f3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.738277]  ffff8801d46f3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.745616] >ffff8801d46f3d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.752960]                                                        ^
[   37.759429]  ffff8801d46f3e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.766778]  ffff8801d46f3e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.774113] ==================================================================
[   37.781447] Disabling lock debugging due to kernel taint
[   37.787215] Kernel panic - not syncing: panic_on_warn set ...
[   37.787215]
[   37.794569] CPU: 1 PID: 4516 Comm: syzkaller825203 Tainted: G B 4.16.0+ #17
[   37.802861] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.812193] Call Trace:
[   37.814764]  dump_stack+0x1b9/0x294
[   37.818372]  ? dump_stack_print_info.cold.2+0x52/0x52
[   37.823543]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.828277]  ? skb_release_data+0xd0/0x860
[   37.832488]  panic+0x22f/0x4de
[   37.835657]  ? add_taint.cold.5+0x16/0x16
[   37.839788]  ? do_raw_spin_unlock+0x9e/0x2e0
[   37.844175]  ? do_raw_spin_unlock+0x9e/0x2e0
[   37.848562]  ? skb_release_data+0x19b/0x860
[   37.852865]  kasan_end_report+0x47/0x4f
[   37.856819]  kasan_report.cold.7+0xc9/0x2f5
[   37.861120]  check_memory_region+0x13e/0x1b0
[   37.865631]  kasan_check_write+0x14/0x20
[   37.869680]  skb_release_data+0x19b/0x860
[   37.873809]  ? skb_tx_error+0x2f0/0x2f0
[   37.877776]  ? kasan_check_read+0x11/0x20
[   37.881903]  ? rcu_is_watching+0x85/0x140
[   37.886031]  ? kasan_check_write+0x14/0x20
[   37.890245]  ? sock_rmem_free+0x6f/0x90
[   37.894197]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   37.899710]  skb_release_all+0x4a/0x60
[   37.903576]  kfree_skb+0x195/0x560
[   37.907094]  ? skb_queue_purge+0x19/0x40
[   37.911135]  ? __kfree_skb+0x20/0x20
[   37.914826]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   37.919385]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   37.924467]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   37.929460]  ? trace_hardirqs_on+0xd/0x10
[   37.933588]  ? skb_dequeue+0x12f/0x180
[   37.937550]  skb_queue_purge+0x19/0x40
[   37.941417]  packet_sock_destruct+0x93/0x290
[   37.945802]  ? packet_mm_close+0xc0/0xc0
[   37.949839]  ? graph_lock+0x170/0x170
[   37.953618]  ? __free_object+0x16e/0x330
[   37.957656]  ? __list_del_entry_valid.cold.1+0x58/0x58
[   37.962913]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   37.967473]  ? packet_mm_close+0xc0/0xc0
[   37.971512]  __sk_destruct+0xff/0xa40
[   37.975300]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[   37.980214]  ? graph_lock+0x170/0x170
[   37.983994]  ? lock_downgrade+0x8e0/0x8e0
[   37.988118]  ? __lock_is_held+0xb5/0x140
[   37.992159]  ? kasan_check_read+0x11/0x20
[   37.996286]  ? do_raw_spin_unlock+0x9e/0x2e0
[   38.000674]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   38.005232]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   38.010317]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.015839]  ? refcount_sub_and_test+0x212/0x330
[   38.020573]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   38.025318]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   38.030051]  ? pcpu_free_area+0xa90/0xa90
[   38.034177]  sk_destruct+0x78/0x90
[   38.037695]  __sk_free+0x22e/0x340
[   38.041232]  sk_free+0x42/0x50
[   38.044423]  packet_release+0xa18/0xd50
[   38.048373]  ? lock_downgrade+0x8e0/0x8e0
[   38.052507]  ? packet_lookup_frame+0x270/0x270
[   38.057069]  ? cpumask_weight.constprop.5+0x44/0x44
[   38.062065]  ? do_raw_spin_lock+0xc1/0x200
[   38.066280]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   38.071792]  ? locks_remove_file+0x3f7/0x5a0
[   38.076179]  ? fcntl_setlk+0x1020/0x1020
[   38.080217]  ? fsnotify+0x415/0x1100
[   38.083918]  ? fsnotify_first_mark+0x330/0x330
[   38.088480]  sock_release+0x96/0x1b0
[   38.092174]  ? sock_alloc_file+0x4e0/0x4e0
[   38.096400]  sock_close+0x16/0x20
[   38.099831]  __fput+0x34d/0x890
[   38.103088]  ? fput+0x1a0/0x1a0
[   38.106345]  ? check_same_owner+0x320/0x320
[   38.110643]  ____fput+0x15/0x20
[   38.113907]  task_work_run+0x1e4/0x290
[   38.117771]  ? task_work_cancel+0x240/0x240
[   38.122071]  ? switch_task_namespaces+0xbd/0xd0
[   38.126722]  do_exit+0x1aee/0x2730
[   38.130242]  ? mm_update_next_owner+0x980/0x980
[   38.134897]  ? finish_mkwrite_fault+0x610/0x610
[   38.139545]  ? debug_check_no_locks_freed+0x310/0x310
[   38.144713]  ? kasan_check_read+0x11/0x20
[   38.148838]  ? rcu_is_watching+0x85/0x140
[   38.152963]  ? lock_acquire+0x1dc/0x520
[   38.156923]  ? lock_release+0xa10/0xa10
[   38.160884]  ? tun_chr_close+0x60/0x60
[   38.164764]  ? kasan_check_write+0x14/0x20
[   38.169373]  ? do_raw_spin_lock+0xc1/0x200
[   38.173596]  ? __handle_mm_fault+0x88c/0x4150
[   38.178079]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   38.182818]  ? graph_lock+0x170/0x170
[   38.186608]  ? rcu_is_watching+0x85/0x140
[   38.190747]  ? graph_lock+0x170/0x170
[   38.194527]  ? find_held_lock+0x36/0x1c0
[   38.198566]  ? find_held_lock+0x36/0x1c0
[   38.202608]  ? lock_downgrade+0x8e0/0x8e0
[   38.206742]  ? handle_mm_fault+0x8c0/0xc70
[   38.210964]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   38.216491]  ? handle_mm_fault+0x55a/0xc70
[   38.220714]  ? __handle_mm_fault+0x4150/0x4150
[   38.225288]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.230816]  ? __do_page_fault+0x441/0xe40
[   38.235041]  do_group_exit+0x16f/0x430
[   38.238910]  ? SyS_exit+0x30/0x30
[   38.242346]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   38.247177]  ? do_syscall_64+0xb7/0x9d0
[   38.251137]  ? do_group_exit+0x430/0x430
[   38.255179]  SyS_exit_group+0x1d/0x20
[   38.258961]  do_syscall_64+0x29e/0x9d0
[   38.262834]  ? vmalloc_sync_all+0x30/0x30
[   38.266966]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.271704]  ? syscall_return_slowpath+0x5c0/0x5c0
[   38.276627]  ? syscall_return_slowpath+0x30f/0x5c0
[   38.281549]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.287064]  ? retint_user+0x18/0x18
[   38.290766]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.295589]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   38.300756] RIP: 0033:0x4416e9
[   38.303926] RSP: 002b:00007fff683f33c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   38.311614] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004416e9
[   38.318863] RDX: 0000000000441620 RSI: 0000000000000001 RDI: 0000000000000001
[   38.326111] RBP: 00000000004a3309 R08: 0000000000000000 R09: 00000000006cd018
[   38.333362] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff683f34b8
[   38.340617] R13: 0000000000402470 R14: 0000000000000000 R15: 0000000000000000
[   38.348338] Dumping ftrace buffer:
[   38.351860]    (ftrace buffer empty)
[   38.355556] Kernel Offset: disabled
[   38.359162] Rebooting in 86400 seconds..