INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.15.227' (ECDSA) to the list of known hosts.
2017/10/03 02:47:59 parsed 1 programs
2017/10/03 02:47:59 executed programs: 0

syzkaller login: [ 40.473716] ==================================================================
[ 40.481434] BUG: KASAN: use-after-free in packet_getsockopt+0xc72/0xe00
[ 40.488161] Read of size 8 at addr ffff8801d0ba8258 by task syz-executor6/3074
[ 40.495487]
[ 40.497089] CPU: 1 PID: 3074 Comm: syz-executor6 Not tainted 4.14.0-rc3+ #22
[ 40.504250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.513573] Call Trace:
[ 40.516132]  dump_stack+0x194/0x257
[ 40.519733]  ? arch_local_irq_restore+0x53/0x53
[ 40.524375]  ? show_regs_print_info+0x65/0x65
[ 40.528839]  ? lock_release+0xd70/0xd70
[ 40.532786]  ? __fget+0xbb/0x580
[ 40.536131]  ? packet_getsockopt+0xc72/0xe00
[ 40.540514]  print_address_description+0x73/0x250
[ 40.545328]  ? packet_getsockopt+0xc72/0xe00
[ 40.549707]  kasan_report+0x25b/0x340
[ 40.553483]  __asan_report_load8_noabort+0x14/0x20
[ 40.558380]  packet_getsockopt+0xc72/0xe00
[ 40.562625]  ? packet_notifier+0x950/0x950
[ 40.566853]  ? __fget+0x362/0x580
[ 40.570323]  ? sock_has_perm+0x29c/0x400
[ 40.574388]  ? selinux_tun_dev_create+0xc0/0xc0
[ 40.579037]  ? schedule+0xf5/0x430
[ 40.582554]  ? __schedule+0x2080/0x2080
[ 40.586518]  ? selinux_socket_getsockopt+0x36/0x40
[ 40.591432]  ? security_socket_getsockopt+0x89/0xb0
[ 40.596438]  compat_SyS_getsockopt+0x2ed/0x420
[ 40.600999]  ? compat_SyS_setsockopt+0x410/0x410
[ 40.605729]  ? lock_acquire+0x1d5/0x580
[ 40.609680]  ? do_fast_syscall_32+0x158/0xf05
[ 40.614153]  ? compat_SyS_setsockopt+0x410/0x410
[ 40.618880]  do_fast_syscall_32+0x3f2/0xf05
[ 40.623173]  ? compat_start_thread+0x80/0x80
[ 40.627558]  ? do_int80_syscall_32+0x940/0x940
[ 40.632116]  ? lockdep_sys_exit+0x47/0xf0
[ 40.636235]  ? syscall_return_slowpath+0x2b3/0x510
[ 40.641134]  ? finish_task_switch+0x1aa/0x740
[ 40.645601]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 40.650591]  ? sysret32_from_system_call+0x5/0x3b
[ 40.655410]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.660230]  entry_SYSENTER_compat+0x51/0x60
[ 40.664610] RIP: 0023:0xf7f52c79
[ 40.667945] RSP: 002b:00000000f7f2d05c EFLAGS: 00000296 ORIG_RAX: 000000000000016d
[ 40.675625] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 0000000000000107
[ 40.682866] RDX: 0000000000000015 RSI: 0000000020ec8000 RDI: 00000000208a5000
[ 40.690106] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 40.697347] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 40.704588] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 40.711849]
[ 40.713447] Allocated by task 3065:
[ 40.717047]  save_stack_trace+0x16/0x20
[ 40.720994]  save_stack+0x43/0xd0
[ 40.724418]  kasan_kmalloc+0xad/0xe0
[ 40.728101]  kmem_cache_alloc_trace+0x136/0x750
[ 40.732740]  fanout_add+0x27e/0x1480
[ 40.736424]  packet_setsockopt+0xfdc/0x1e80
[ 40.740719]  compat_packet_setsockopt+0xe1/0x140
[ 40.745446]  compat_SyS_setsockopt+0x17c/0x410
[ 40.749996]  do_fast_syscall_32+0x3f2/0xf05
[ 40.754286]  entry_SYSENTER_compat+0x51/0x60
[ 40.758660]
[ 40.760257] Freed by task 3065:
[ 40.763510]  save_stack_trace+0x16/0x20
[ 40.767454]  save_stack+0x43/0xd0
[ 40.770875]  kasan_slab_free+0x71/0xc0
[ 40.774729]  kfree+0xca/0x250
[ 40.777804]  fanout_add+0x432/0x1480
[ 40.781485]  packet_setsockopt+0xfdc/0x1e80
[ 40.785808]  compat_packet_setsockopt+0xe1/0x140
[ 40.790544]  compat_SyS_setsockopt+0x17c/0x410
[ 40.795096]  do_fast_syscall_32+0x3f2/0xf05
[ 40.799386]  entry_SYSENTER_compat+0x51/0x60
[ 40.803761]
[ 40.805361] The buggy address belongs to the object at ffff8801d0ba8240
[ 40.805361]  which belongs to the cache kmalloc-128 of size 128
[ 40.817990] The buggy address is located 24 bytes inside of
[ 40.817990]  128-byte region [ffff8801d0ba8240, ffff8801d0ba82c0)
[ 40.829745] The buggy address belongs to the page:
[ 40.834647] page:ffffea000742ea00 count:1 mapcount:0 mapping:ffff8801d0ba8000 index:0x0
[ 40.842762] flags: 0x200000000000100(slab)
[ 40.846969] raw: 0200000000000100 ffff8801d0ba8000 0000000000000000 0000000100000015
[ 40.854820] raw: ffffea00073faa20 ffffea00073fc860 ffff8801dac00640 0000000000000000
[ 40.862681] page dumped because: kasan: bad access detected
[ 40.868358]
[ 40.869955] Memory state around the buggy address:
[ 40.874853]  ffff8801d0ba8100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 40.882181]  ffff8801d0ba8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.889512] >ffff8801d0ba8200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.896843]                                                     ^
[ 40.903043]  ffff8801d0ba8280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.910372]  ffff8801d0ba8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 40.917699] ==================================================================
[ 40.925034] Disabling lock debugging due to kernel taint
[ 40.930547] Kernel panic - not syncing: panic_on_warn set ...
[ 40.930547]
[ 40.937879] CPU: 1 PID: 3074 Comm: syz-executor6 Tainted: G B 4.14.0-rc3+ #22
[ 40.946242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.955561] Call Trace:
[ 40.958120]  dump_stack+0x194/0x257
[ 40.961714]  ? arch_local_irq_restore+0x53/0x53
[ 40.966348]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.971072]  ? packet_getsockopt+0xc70/0xe00
[ 40.975446]  panic+0x1e4/0x417
[ 40.978606]  ? __warn+0x1d9/0x1d9
[ 40.982043]  ? packet_getsockopt+0xc72/0xe00
[ 40.986418]  kasan_end_report+0x50/0x50
[ 40.990356]  kasan_report+0x144/0x340
[ 40.994131]  __asan_report_load8_noabort+0x14/0x20
[ 40.999026]  packet_getsockopt+0xc72/0xe00
[ 41.003227]  ? packet_notifier+0x950/0x950
[ 41.007429]  ? __fget+0x362/0x580
[ 41.010851]  ? sock_has_perm+0x29c/0x400
[ 41.014880]  ? selinux_tun_dev_create+0xc0/0xc0
[ 41.019516]  ? schedule+0xf5/0x430
[ 41.023024]  ? __schedule+0x2080/0x2080
[ 41.026973]  ? selinux_socket_getsockopt+0x36/0x40
[ 41.031871]  ? security_socket_getsockopt+0x89/0xb0
[ 41.036857]  compat_SyS_getsockopt+0x2ed/0x420
[ 41.041408]  ? compat_SyS_setsockopt+0x410/0x410
[ 41.046128]  ? lock_acquire+0x1d5/0x580
[ 41.050070]  ? do_fast_syscall_32+0x158/0xf05
[ 41.054530]  ? compat_SyS_setsockopt+0x410/0x410
[ 41.059249]  do_fast_syscall_32+0x3f2/0xf05
[ 41.063539]  ? compat_start_thread+0x80/0x80
[ 41.067914]  ? do_int80_syscall_32+0x940/0x940
[ 41.072464]  ? lockdep_sys_exit+0x47/0xf0
[ 41.076579]  ? syscall_return_slowpath+0x2b3/0x510
[ 41.081474]  ? finish_task_switch+0x1aa/0x740
[ 41.085936]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 41.090919]  ? sysret32_from_system_call+0x5/0x3b
[ 41.095736]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.100551]  entry_SYSENTER_compat+0x51/0x60
[ 41.104923] RIP: 0023:0xf7f52c79
[ 41.108251] RSP: 002b:00000000f7f2d05c EFLAGS: 00000296 ORIG_RAX: 000000000000016d
[ 41.115924] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 0000000000000107
[ 41.123160] RDX: 0000000000000015 RSI: 0000000020ec8000 RDI: 00000000208a5000
[ 41.130392] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 41.137627] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 41.144868] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 41.152153] Dumping ftrace buffer:
[ 41.155660]    (ftrace buffer empty)
[ 41.159335] Kernel Offset: disabled
[ 41.162928] Rebooting in 86400 seconds..