INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [ 38.717539] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 38.977580] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 39.348484] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 39.354618] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.394509] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 39.434361] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.472414] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 39.478531] 8021q: adding VLAN 0 to HW filter on device team0
[ 39.507209] bond0: Enslaving bond_slave as an active interface with an up link
[ 39.515551] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
executing program
[ 39.531682] team0: Port device team_slave added
[ 39.536956] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 39.573128] ==================================================================
[ 39.580605] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[ 39.587258] Write of size 4 at addr ffff8801d75d35e0 by task syzkaller391705/4496
[ 39.594862]
[ 39.596483] CPU: 0 PID: 4496 Comm: syzkaller391705 Not tainted 4.16.0+ #19
[ 39.603475] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.612810] Call Trace:
[ 39.615387]  dump_stack+0x1b9/0x294
[ 39.619000]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.624171]  ? printk+0x9e/0xba
[ 39.627435]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 39.632176]  ? kasan_check_write+0x14/0x20
[ 39.636396]  print_address_description+0x6c/0x20b
[ 39.641227]  ? skb_release_data+0x19b/0x860
[ 39.645532]  kasan_report.cold.7+0xac/0x2f5
[ 39.649838]  check_memory_region+0x13e/0x1b0
[ 39.654235]  kasan_check_write+0x14/0x20
[ 39.658278]  skb_release_data+0x19b/0x860
[ 39.662409]  ? skb_tx_error+0x2f0/0x2f0
[ 39.666366]  ? kasan_check_read+0x11/0x20
[ 39.670497]  ? rcu_is_watching+0x85/0x140
[ 39.674628]  ? kasan_check_write+0x14/0x20
[ 39.678847]  ? sock_rmem_free+0x6f/0x90
[ 39.682806]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.688329]  skb_release_all+0x4a/0x60
[ 39.692199]  kfree_skb+0x195/0x560
[ 39.695724]  ? skb_queue_purge+0x19/0x40
[ 39.699771]  ? __kfree_skb+0x20/0x20
[ 39.703467]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 39.708045]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 39.713129]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 39.718133]  ? trace_hardirqs_on+0xd/0x10
[ 39.722268]  ? skb_dequeue+0x12f/0x180
[ 39.726139]  skb_queue_purge+0x19/0x40
[ 39.730011]  packet_sock_destruct+0x93/0x290
[ 39.734406]  ? packet_mm_close+0xc0/0xc0
[ 39.738451]  ? graph_lock+0x170/0x170
[ 39.742241]  ? __free_object+0x16e/0x330
[ 39.746286]  ? __list_del_entry_valid.cold.1+0x58/0x58
[ 39.751548]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 39.756114]  ? packet_mm_close+0xc0/0xc0
[ 39.760159]  __sk_destruct+0xff/0xa40
[ 39.763948]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 39.768868]  ? graph_lock+0x170/0x170
[ 39.773250]  ? lock_downgrade+0x8e0/0x8e0
[ 39.777387]  ? __lock_is_held+0xb5/0x140
[ 39.781432]  ? kasan_check_read+0x11/0x20
[ 39.785562]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 39.789957]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 39.794528]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 39.799620]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.805144]  ? refcount_sub_and_test+0x212/0x330
[ 39.809883]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 39.814634]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 39.819374]  ? pcpu_free_area+0xa90/0xa90
[ 39.823512]  sk_destruct+0x78/0x90
[ 39.827039]  __sk_free+0x22e/0x340
[ 39.830563]  sk_free+0x42/0x50
[ 39.833743]  packet_release+0xa18/0xd50
[ 39.837697]  ? lock_downgrade+0x8e0/0x8e0
[ 39.841831]  ? packet_lookup_frame+0x270/0x270
[ 39.846399]  ? cpumask_weight.constprop.5+0x44/0x44
[ 39.851400]  ? do_raw_spin_lock+0xc1/0x200
[ 39.855618]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.861137]  ? locks_remove_file+0x3f7/0x5a0
[ 39.865527]  ? fcntl_setlk+0x1020/0x1020
[ 39.869570]  ? fsnotify+0x415/0x1100
[ 39.873271]  ? fsnotify_first_mark+0x330/0x330
[ 39.878099]  sock_release+0x96/0x1b0
[ 39.881801]  ? sock_alloc_file+0x4e0/0x4e0
[ 39.886017]  sock_close+0x16/0x20
[ 39.889456]  __fput+0x34d/0x890
[ 39.892723]  ? fput+0x1a0/0x1a0
[ 39.895990]  ? check_same_owner+0x320/0x320
[ 39.900299]  ____fput+0x15/0x20
[ 39.903561]  task_work_run+0x1e4/0x290
[ 39.907435]  ? task_work_cancel+0x240/0x240
[ 39.911744]  ? switch_task_namespaces+0xbd/0xd0
[ 39.916403]  do_exit+0x1aee/0x2730
[ 39.919932]  ? mm_update_next_owner+0x980/0x980
[ 39.924587]  ? finish_mkwrite_fault+0x610/0x610
[ 39.929241]  ? debug_check_no_locks_freed+0x310/0x310
[ 39.934417]  ? kasan_check_read+0x11/0x20
[ 39.938548]  ? rcu_is_watching+0x85/0x140
[ 39.942682]  ? lock_acquire+0x1dc/0x520
[ 39.946641]  ? lock_release+0xa10/0xa10
[ 39.950599]  ? tun_chr_close+0x60/0x60
[ 39.954471]  ? kasan_check_write+0x14/0x20
[ 39.958689]  ? do_raw_spin_lock+0xc1/0x200
[ 39.962911]  ? __handle_mm_fault+0x88c/0x4150
[ 39.967393]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 39.972131]  ? graph_lock+0x170/0x170
[ 39.975914]  ? rcu_is_watching+0x85/0x140
[ 39.980045]  ? graph_lock+0x170/0x170
[ 39.983831]  ? find_held_lock+0x36/0x1c0
[ 39.987884]  ? find_held_lock+0x36/0x1c0
[ 39.991934]  ? lock_downgrade+0x8e0/0x8e0
[ 39.996065]  ? handle_mm_fault+0x8c0/0xc70
[ 40.000288]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.005813]  ? handle_mm_fault+0x55a/0xc70
[ 40.010031]  ? __handle_mm_fault+0x4150/0x4150
[ 40.014615]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.020136]  ? __do_page_fault+0x441/0xe40
[ 40.024356]  do_group_exit+0x16f/0x430
[ 40.028227]  ? SyS_exit+0x30/0x30
[ 40.031668]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 40.036492]  ? do_syscall_64+0xb7/0x9d0
[ 40.040451]  ? do_group_exit+0x430/0x430
[ 40.044496]  SyS_exit_group+0x1d/0x20
[ 40.048284]  do_syscall_64+0x29e/0x9d0
[ 40.052153]  ? vmalloc_sync_all+0x30/0x30
[ 40.056285]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.061024]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 40.065936]  ? syscall_return_slowpath+0x30f/0x5c0
[ 40.070851]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.076375]  ? retint_user+0x18/0x18
[ 40.080074]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.084902]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.090073] RIP: 0033:0x4416f9
[ 40.093247] RSP: 002b:00007ffe895eb968 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 40.100938] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004416f9
[ 40.108207] RDX: 0000000000441630 RSI: 0000000000000001 RDI: 0000000000000001
[ 40.115459] RBP: 00000000004a3309 R08: 0000000000000000 R09: 00000000006cd018
[ 40.122711] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe895eba58
[ 40.129963] R13: 0000000000402480 R14: 0000000000000000 R15: 0000000000000000
[ 40.137233]
[ 40.138843] Allocated by task 4496:
[ 40.142456]  save_stack+0x43/0xd0
[ 40.145893]  kasan_kmalloc+0xc4/0xe0
[ 40.149589]  __kmalloc_node_track_caller+0x47/0x70
[ 40.154502]  __kmalloc_reserve.isra.38+0x3a/0xe0
[ 40.159240]  __alloc_skb+0x14d/0x780
[ 40.162935]  alloc_skb_with_frags+0x137/0x760
[ 40.167413]  sock_alloc_send_pskb+0x87a/0xae0
[ 40.171888]  packet_sendmsg+0x1bd1/0x6100
[ 40.176016]  sock_sendmsg+0xd5/0x120
[ 40.179711]  ___sys_sendmsg+0x805/0x940
[ 40.183668]  __sys_sendmsg+0x115/0x270
[ 40.187547]  SyS_sendmsg+0x29/0x30
[ 40.191070]  do_syscall_64+0x29e/0x9d0
[ 40.194939]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.200106]
[ 40.201713] Freed by task 4496:
[ 40.204974]  save_stack+0x43/0xd0
[ 40.208411]  __kasan_slab_free+0x11a/0x170
[ 40.212628]  kasan_slab_free+0xe/0x10
[ 40.216411]  kfree+0xd9/0x260
[ 40.219500]  skb_free_head+0x99/0xc0
[ 40.223195]  skb_release_data+0x690/0x860
[ 40.227326]  skb_release_all+0x4a/0x60
[ 40.231205]  kfree_skb+0x195/0x560
[ 40.234727]  ip6_tnl_start_xmit+0xa44/0x2290
[ 40.239117]  dev_hard_start_xmit+0x264/0xc10
[ 40.243508]  __dev_queue_xmit+0x2724/0x34c0
[ 40.247812]  dev_queue_xmit+0x17/0x20
[ 40.251594]  packet_sendmsg+0x411d/0x6100
[ 40.255723]  sock_sendmsg+0xd5/0x120
[ 40.259420]  ___sys_sendmsg+0x805/0x940
[ 40.263378]  __sys_sendmsg+0x115/0x270
[ 40.267248]  SyS_sendmsg+0x29/0x30
[ 40.270776]  do_syscall_64+0x29e/0x9d0
[ 40.274647]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.279812]
[ 40.281429] The buggy address belongs to the object at ffff8801d75d3500
[ 40.281429]  which belongs to the cache kmalloc-512 of size 512
[ 40.294067] The buggy address is located 224 bytes inside of
[ 40.294067]  512-byte region [ffff8801d75d3500, ffff8801d75d3700)
[ 40.305920] The buggy address belongs to the page:
[ 40.310834] page:ffffea00075d74c0 count:1 mapcount:0 mapping:ffff8801d75d3000 index:0x0
[ 40.318959] flags: 0x2fffc0000000100(slab)
[ 40.323182] raw: 02fffc0000000100 ffff8801d75d3000 0000000000000000 0000000100000006
[ 40.331045] raw: ffffea00075d78a0 ffffea00075efa60 ffff8801dac00940 0000000000000000
[ 40.338903] page dumped because: kasan: bad access detected
[ 40.344590]
[ 40.346195] Memory state around the buggy address:
[ 40.351104]  ffff8801d75d3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.358444]  ffff8801d75d3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.365785] >ffff8801d75d3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.373123]                                                        ^
[ 40.379596]  ffff8801d75d3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.386935]  ffff8801d75d3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.394270] ==================================================================
[ 40.401606] Disabling lock debugging due to kernel taint
[ 40.407161] Kernel panic - not syncing: panic_on_warn set ...
[ 40.407161]
[ 40.414514] CPU: 0 PID: 4496 Comm: syzkaller391705 Tainted: G B 4.16.0+ #19
[ 40.422812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.432149] Call Trace:
[ 40.434725]  dump_stack+0x1b9/0x294
[ 40.438345]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.443516]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.448264]  ? skb_release_data+0xd0/0x860
[ 40.452479]  panic+0x22f/0x4de
[ 40.455651]  ? add_taint.cold.5+0x16/0x16
[ 40.459782]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 40.464266]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 40.468653]  ? skb_release_data+0x19b/0x860
[ 40.472959]  kasan_end_report+0x47/0x4f
[ 40.476913]  kasan_report.cold.7+0xc9/0x2f5
[ 40.481216]  check_memory_region+0x13e/0x1b0
[ 40.485605]  kasan_check_write+0x14/0x20
[ 40.489644]  skb_release_data+0x19b/0x860
[ 40.493775]  ? skb_tx_error+0x2f0/0x2f0
[ 40.497744]  ? kasan_check_read+0x11/0x20
[ 40.501870]  ? rcu_is_watching+0x85/0x140
[ 40.506000]  ? kasan_check_write+0x14/0x20
[ 40.510214]  ? sock_rmem_free+0x6f/0x90
[ 40.514175]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.519691]  skb_release_all+0x4a/0x60
[ 40.523559]  kfree_skb+0x195/0x560
[ 40.527076]  ? skb_queue_purge+0x19/0x40
[ 40.531120]  ? __kfree_skb+0x20/0x20
[ 40.534816]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 40.539379]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 40.544634]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.549628]  ? trace_hardirqs_on+0xd/0x10
[ 40.553756]  ? skb_dequeue+0x12f/0x180
[ 40.557621]  skb_queue_purge+0x19/0x40
[ 40.561489]  packet_sock_destruct+0x93/0x290
[ 40.565877]  ? packet_mm_close+0xc0/0xc0
[ 40.569916]  ? graph_lock+0x170/0x170
[ 40.573699]  ? __free_object+0x16e/0x330
[ 40.577742]  ? __list_del_entry_valid.cold.1+0x58/0x58
[ 40.583000]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 40.587563]  ? packet_mm_close+0xc0/0xc0
[ 40.591616]  __sk_destruct+0xff/0xa40
[ 40.595398]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 40.600306]  ? graph_lock+0x170/0x170
[ 40.604090]  ? lock_downgrade+0x8e0/0x8e0
[ 40.608219]  ? __lock_is_held+0xb5/0x140
[ 40.612260]  ? kasan_check_read+0x11/0x20
[ 40.616389]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 40.620778]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 40.625342]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 40.630427]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.635948]  ? refcount_sub_and_test+0x212/0x330
[ 40.640684]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 40.645419]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 40.650161]  ? pcpu_free_area+0xa90/0xa90
[ 40.654290]  sk_destruct+0x78/0x90
[ 40.657816]  __sk_free+0x22e/0x340
[ 40.661337]  sk_free+0x42/0x50
[ 40.664510]  packet_release+0xa18/0xd50
[ 40.668464]  ? lock_downgrade+0x8e0/0x8e0
[ 40.672593]  ? packet_lookup_frame+0x270/0x270
[ 40.677156]  ? cpumask_weight.constprop.5+0x44/0x44
[ 40.682155]  ? do_raw_spin_lock+0xc1/0x200
[ 40.686372]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.691888]  ? locks_remove_file+0x3f7/0x5a0
[ 40.696278]  ? fcntl_setlk+0x1020/0x1020
[ 40.700319]  ? fsnotify+0x415/0x1100
[ 40.704018]  ? fsnotify_first_mark+0x330/0x330
[ 40.708582]  sock_release+0x96/0x1b0
[ 40.712275]  ? sock_alloc_file+0x4e0/0x4e0
[ 40.716492]  sock_close+0x16/0x20
[ 40.719926]  __fput+0x34d/0x890
[ 40.723189]  ? fput+0x1a0/0x1a0
[ 40.726450]  ? check_same_owner+0x320/0x320
[ 40.730755]  ____fput+0x15/0x20
[ 40.734013]  task_work_run+0x1e4/0x290
[ 40.737882]  ? task_work_cancel+0x240/0x240
[ 40.742189]  ? switch_task_namespaces+0xbd/0xd0
[ 40.746842]  do_exit+0x1aee/0x2730
[ 40.750365]  ? mm_update_next_owner+0x980/0x980
[ 40.755028]  ? finish_mkwrite_fault+0x610/0x610
[ 40.759680]  ? debug_check_no_locks_freed+0x310/0x310
[ 40.764852]  ? kasan_check_read+0x11/0x20
[ 40.768978]  ? rcu_is_watching+0x85/0x140
[ 40.773110]  ? lock_acquire+0x1dc/0x520
[ 40.777076]  ? lock_release+0xa10/0xa10
[ 40.781033]  ? tun_chr_close+0x60/0x60
[ 40.784902]  ? kasan_check_write+0x14/0x20
[ 40.789116]  ? do_raw_spin_lock+0xc1/0x200
[ 40.793337]  ? __handle_mm_fault+0x88c/0x4150
[ 40.797812]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 40.802548]  ? graph_lock+0x170/0x170
[ 40.806328]  ? rcu_is_watching+0x85/0x140
[ 40.810454]  ? graph_lock+0x170/0x170
[ 40.814234]  ? find_held_lock+0x36/0x1c0
[ 40.818277]  ? find_held_lock+0x36/0x1c0
[ 40.822321]  ? lock_downgrade+0x8e0/0x8e0
[ 40.826447]  ? handle_mm_fault+0x8c0/0xc70
[ 40.830665]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.836183]  ? handle_mm_fault+0x55a/0xc70
[ 40.840399]  ? __handle_mm_fault+0x4150/0x4150
[ 40.844963]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.850494]  ? __do_page_fault+0x441/0xe40
[ 40.854711]  do_group_exit+0x16f/0x430
[ 40.858578]  ? SyS_exit+0x30/0x30
[ 40.862017]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 40.866852]  ? do_syscall_64+0xb7/0x9d0
[ 40.870810]  ? do_group_exit+0x430/0x430
[ 40.874850]  SyS_exit_group+0x1d/0x20
[ 40.878630]  do_syscall_64+0x29e/0x9d0
[ 40.882495]  ? vmalloc_sync_all+0x30/0x30
[ 40.886627]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.891364]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 40.896285]  ? syscall_return_slowpath+0x30f/0x5c0
[ 40.901195]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.906712]  ? retint_user+0x18/0x18
[ 40.910408]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.915234]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.920414] RIP: 0033:0x4416f9
[ 40.923584] RSP: 002b:00007ffe895eb968 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 40.931272] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004416f9
[ 40.938524] RDX: 0000000000441630 RSI: 0000000000000001 RDI: 0000000000000001
[ 40.945779] RBP: 00000000004a3309 R08: 0000000000000000 R09: 00000000006cd018
[ 40.953044] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe895eba58
[ 40.960298] R13: 0000000000402480 R14: 0000000000000000 R15: 0000000000000000
[ 40.967915] Dumping ftrace buffer:
[ 40.971434]    (ftrace buffer empty)
[ 40.975129] Kernel Offset: disabled
[ 40.978738] Rebooting in 86400 seconds..