INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-7,10.128.0.54' (ECDSA) to the list of known hosts.
2017/09/11 23:22:22 parsed 1 programs
2017/09/11 23:22:22 executed programs: 0

syzkaller login: [   42.792843] dev_remove_pack: ffff8801c847c900 not found
[   42.815906] ==================================================================
[   42.823306] BUG: KASAN: use-after-free in __list_add_valid+0xb1/0xd0
[   42.829771] Read of size 8 at addr ffff8801c7721270 by task syz-executor0/3436
[   42.837098] 
[   42.838700] CPU: 0 PID: 3436 Comm: syz-executor0 Not tainted 4.13.0+ #79
[   42.845507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.854832] Call Trace:
[   42.857395]  dump_stack+0x194/0x257
[   42.860999]  ? arch_local_irq_restore+0x53/0x53
[   42.865642]  ? show_regs_print_info+0x65/0x65
[   42.870110]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   42.875105]  ? __list_add_valid+0xb1/0xd0
[   42.879232]  print_address_description+0x73/0x250
[   42.884049]  ? __list_add_valid+0xb1/0xd0
[   42.888170]  kasan_report+0x24e/0x340
[   42.891948]  __asan_report_load8_noabort+0x14/0x20
[   42.896849]  __list_add_valid+0xb1/0xd0
[   42.900801]  dev_add_pack+0x113/0x2b0
[   42.904574]  ? napi_skb_free_stolen_head+0x170/0x170
[   42.909646]  ? __lockdep_init_map+0xe4/0x650
[   42.914029]  ? lockdep_init_map+0x3d/0x70
[   42.918156]  register_prot_hook.part.49+0x95/0xb0
[   42.922970]  packet_create+0x820/0xb00
[   42.926833]  ? sock_destroy_inode+0x70/0x70
[   42.931130]  ? register_prot_hook.part.49+0xb0/0xb0
[   42.936119]  ? __sock_create+0x211/0x850
[   42.940156]  ? module_unload_free+0x5b0/0x5b0
[   42.944628]  ? lock_release+0xd70/0xd70
[   42.948577]  ? __lock_is_held+0xbc/0x140
[   42.952620]  __sock_create+0x4d4/0x850
[   42.956477]  ? putname+0xee/0x130
[   42.959908]  ? ___sys_recvmsg+0x630/0x630
[   42.964026]  ? rcu_read_lock_sched_held+0x108/0x120
[   42.969014]  ? kmem_cache_free+0x249/0x280
[   42.973225]  ? SyS_futex+0x260/0x390
[   42.976913]  ? SyS_futex+0x269/0x390
[   42.980606]  SyS_socket+0xeb/0x200
[   42.984135]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   42.988949]  ? move_addr_to_kernel+0x60/0x60
[   42.993327]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   42.998316]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.003049]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   43.007775] RIP: 0033:0x451e59
[   43.010938] RSP: 002b:00007f9718515c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000029
[   43.018620] RAX: ffffffffffffffda RBX: 00000000007180b0 RCX: 0000000000451e59
[   43.025861] RDX: 0000000000000008 RSI: 0000000000080003 RDI: 0000000000000011
[   43.033105] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   43.040347] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb8ec
[   43.047589] R13: 00000000ffffffff R14: 0000000020f29000 R15: 0000000000000001
[   43.054851] 
[   43.056452] Allocated by task 3428:
[   43.060056]  save_stack_trace+0x16/0x20
[   43.064003]  save_stack+0x43/0xd0
[   43.067426]  kasan_kmalloc+0xad/0xe0
[   43.071110]  kmem_cache_alloc_trace+0x136/0x750
[   43.075753]  fanout_add+0xa50/0x1190
[   43.079435]  packet_setsockopt+0xfdc/0x1e80
[   43.083727]  SyS_setsockopt+0x189/0x360
[   43.087676]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   43.092398] 
[   43.093995] Freed by task 3439:
[   43.097242]  save_stack_trace+0x16/0x20
[   43.101185]  save_stack+0x43/0xd0
[   43.104607]  kasan_slab_free+0x71/0xc0
[   43.108463]  kfree+0xca/0x250
[   43.111537]  packet_release+0xa8f/0xd70
[   43.115480]  sock_release+0x8d/0x1e0
[   43.119162]  sock_close+0x16/0x20
[   43.122587]  __fput+0x333/0x7f0
[   43.125836]  ____fput+0x15/0x20
[   43.129088]  task_work_run+0x199/0x270
[   43.132948]  do_exit+0xa52/0x1b40
[   43.136372]  do_group_exit+0x149/0x400
[   43.140228]  get_signal+0x7e8/0x17e0
[   43.143913]  do_signal+0x94/0x1ee0
[   43.147425]  exit_to_usermode_loop+0x224/0x300
[   43.151974]  syscall_return_slowpath+0x42f/0x500
[   43.156701]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   43.161422] 
[   43.163021] The buggy address belongs to the object at ffff8801c77209c0
[   43.163021]  which belongs to the cache kmalloc-4096 of size 4096
[   43.175839] The buggy address is located 2224 bytes inside of
[   43.175839]  4096-byte region [ffff8801c77209c0, ffff8801c77219c0)
[   43.187866] The buggy address belongs to the page:
[   43.192775] page:ffffea00071dc800 count:1 mapcount:0 mapping:ffff8801c77209c0 index:0x0 compound_mapcount: 0
[   43.202725] flags: 0x200000000008100(slab|head)
[   43.207370] raw: 0200000000008100 ffff8801c77209c0 0000000000000000 0000000100000001
[   43.215226] raw: ffffea000721caa0 ffff8801dac01a50 ffff8801dac00dc0 0000000000000000
[   43.223076] page dumped because: kasan: bad access detected
[   43.228755] 
[   43.230356] Memory state around the buggy address:
[   43.235257]  ffff8801c7721100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.242587]  ffff8801c7721180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.249918] >ffff8801c7721200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.257248]                                                              ^
[   43.264230]  ffff8801c7721280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.271560]  ffff8801c7721300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.278892] ==================================================================
[   43.286219] Disabling lock debugging due to kernel taint
[   43.291920] Kernel panic - not syncing: panic_on_warn set ...
[   43.291920] 
[   43.299256] CPU: 0 PID: 3436 Comm: syz-executor0 Tainted: G    B           4.13.0+ #79
[   43.307277] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.316597] Call Trace:
[   43.319158]  dump_stack+0x194/0x257
[   43.322756]  ? arch_local_irq_restore+0x53/0x53
[   43.327393]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.332121]  ? __list_add_valid+0xa0/0xd0
[   43.336235]  panic+0x1e4/0x417
[   43.339394]  ? __warn+0x1d9/0x1d9
[   43.342820]  ? __list_add_valid+0xb1/0xd0
[   43.346934]  kasan_end_report+0x50/0x50
[   43.350873]  kasan_report+0x137/0x340
[   43.354645]  __asan_report_load8_noabort+0x14/0x20
[   43.359558]  __list_add_valid+0xb1/0xd0
[   43.363503]  dev_add_pack+0x113/0x2b0
[   43.367270]  ? napi_skb_free_stolen_head+0x170/0x170
[   43.372341]  ? __lockdep_init_map+0xe4/0x650
[   43.376720]  ? lockdep_init_map+0x3d/0x70
[   43.380840]  register_prot_hook.part.49+0x95/0xb0
[   43.385653]  packet_create+0x820/0xb00
[   43.389508]  ? sock_destroy_inode+0x70/0x70
[   43.393798]  ? register_prot_hook.part.49+0xb0/0xb0
[   43.398780]  ? __sock_create+0x211/0x850
[   43.402811]  ? module_unload_free+0x5b0/0x5b0
[   43.407276]  ? lock_release+0xd70/0xd70
[   43.411216]  ? __lock_is_held+0xbc/0x140
[   43.415250]  __sock_create+0x4d4/0x850
[   43.419107]  ? putname+0xee/0x130
[   43.422530]  ? ___sys_recvmsg+0x630/0x630
[   43.426648]  ? rcu_read_lock_sched_held+0x108/0x120
[   43.431631]  ? kmem_cache_free+0x249/0x280
[   43.435836]  ? SyS_futex+0x260/0x390
[   43.439516]  ? SyS_futex+0x269/0x390
[   43.443200]  SyS_socket+0xeb/0x200
[   43.446710]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   43.451519]  ? move_addr_to_kernel+0x60/0x60
[   43.455895]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.460880]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.465606]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   43.470326] RIP: 0033:0x451e59
[   43.473483] RSP: 002b:00007f9718515c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000029
[   43.481157] RAX: ffffffffffffffda RBX: 00000000007180b0 RCX: 0000000000451e59
[   43.488396] RDX: 0000000000000008 RSI: 0000000000080003 RDI: 0000000000000011
[   43.495634] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   43.502871] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb8ec
[   43.510113] R13: 00000000ffffffff R14: 0000000020f29000 R15: 0000000000000001
[   43.517719] Dumping ftrace buffer:
[   43.521229]    (ftrace buffer empty)
[   43.524906] Kernel Offset: disabled
[   43.528497] Rebooting in 86400 seconds..
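What the report above says, once the three stacks are read together: the 8-byte read is at offset 2224 into a kmalloc-4096 object that was allocated by fanout_add() (PACKET_FANOUT via packet_setsockopt()) in task 3428, freed by packet_release() when task 3439 closed its socket during exit, and then dereferenced by dev_add_pack() while task 3436 was creating a new AF_PACKET socket. The "? " frames are unreliable (stale return addresses the unwinder found on the stack) and should be ignored when reading the path. The user register dump identifies the triggering syscall: ORIG_RAX 0x29 is socket(2) on x86_64, and RDI/RSI/RDX decode to socket(AF_PACKET, SOCK_RAW|SOCK_CLOEXEC, htons(ETH_P_IP)). The following triage script is an added example, not syzkaller or kernel code; it mechanises that reading. SAMPLE is this page's report trimmed to the lines the parser consumes, and the constant tables contain only the real x86_64/Linux values that occur in it (syscall 41, AF_PACKET 17, SOCK_RAW 3, SOCK_CLOEXEC 0x80000, SOCK_NONBLOCK 0x800, ETH_P_IP 0x0800).

```python
"""Triage helper for the KASAN report above. Added example, not syzkaller or
kernel code: it pulls out the three stacks that matter for a use-after-free
(access, allocation, free), checks the faulting address against the freed
object and decodes the saved user registers into the triggering syscall.
SAMPLE is this page's report trimmed to the lines the parser reads; the
constant tables hold only the x86_64/Linux values that occur in it."""
import re

SAMPLE = """\
[   42.823306] BUG: KASAN: use-after-free in __list_add_valid+0xb1/0xd0
[   42.829771] Read of size 8 at addr ffff8801c7721270 by task syz-executor0/3436
[   42.854832] Call Trace:
[   42.860999]  ? arch_local_irq_restore+0x53/0x53
[   42.888170]  kasan_report+0x24e/0x340
[   42.896849]  __list_add_valid+0xb1/0xd0
[   42.900801]  dev_add_pack+0x113/0x2b0
[   42.922970]  packet_create+0x820/0xb00
[   42.980606]  SyS_socket+0xeb/0x200
[   43.010938] RSP: 002b:00007f9718515c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000029
[   43.025861] RDX: 0000000000000008 RSI: 0000000000080003 RDI: 0000000000000011
[   43.056452] Allocated by task 3428:
[   43.075753]  fanout_add+0xa50/0x1190
[   43.093995] Freed by task 3439:
[   43.108463]  kfree+0xca/0x250
[   43.111537]  packet_release+0xa8f/0xd70
[   43.163021] The buggy address belongs to the object at ffff8801c77209c0
[   43.163021]  which belongs to the cache kmalloc-4096 of size 4096
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)$")
REG = re.compile(r"\b(ORIG_RAX|R[A-Z0-9]{2}): (?:[0-9a-f]{4}:)?([0-9a-f]{16})")
NOISE = ("save_stack", "kasan_", "kmem_cache_", "kfree", "__asan_",
         "dump_stack", "print_address_description")  # bookkeeping frames
SYSCALLS, AF, SOCK_TYPES = {41: "socket"}, {17: "AF_PACKET"}, {3: "SOCK_RAW"}
SOCK_FLAGS, ETHERTYPES = {0x800: "SOCK_NONBLOCK", 0x80000: "SOCK_CLOEXEC"}, {0x0800: "ETH_P_IP"}


def parse(report):
    """Return bug metadata, the stacks ('call'/'allocated'/'freed') and regs."""
    info, stacks, regs, cur = {}, {}, {}, None
    for raw in report.splitlines():
        line = TS.sub("", raw).strip()
        if m := FRAME.match(line):              # "? " marks an unreliable frame
            if cur:
                stacks[cur].append((m.group(2), m.group(1) is None))
            continue
        cur = None                              # any other line ends a stack
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug"], info["site"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            info.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16))
        elif m := re.match(r"(Call|Allocated|Freed)\b.*:$", line):
            key = m.group(1).lower()
            if key not in stacks:               # panic() prints a 2nd trace
                stacks[key], cur = [], key
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            info["obj"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            info["cache"], info["objsize"] = m.group(1), int(m.group(2))
        else:
            for reg, val in REG.findall(line):
                regs.setdefault(reg, int(val, 16))  # first dump wins
    info["stacks"], info["regs"] = stacks, regs
    return info


def callers(frames):
    """Reliable frames minus allocator/KASAN bookkeeping, bug site first."""
    return [fn for fn, ok in frames if ok and not fn.startswith(NOISE)]


def uaf_summary(info):
    """Cross-check the access against the freed object and name the actors."""
    addr, obj, st = info["addr"], info["obj"], info["stacks"]
    if not obj <= addr < obj + info["objsize"]:
        raise ValueError("access does not fall inside the reported object")
    return {"bug": info["bug"],
            "access": f"{info['access']} {info['size']} bytes at {addr:#x}, "
                      f"offset {addr - obj} into {info['cache']}",
            "used_by": callers(st["call"])[0],
            "allocated_by": callers(st["allocated"])[0],
            "freed_by": callers(st["freed"])[0],
            "path": callers(st["call"])}


def decode_syscall(regs):
    """Name the interrupted syscall from ORIG_RAX; decode socket() arguments."""
    nr, a = regs["ORIG_RAX"], (regs["RDI"], regs["RSI"], regs["RDX"])
    name = SYSCALLS.get(nr, f"sys_{nr}")
    if name != "socket":
        return f"{name}({', '.join(hex(x) for x in a)})"
    fam, typ, proto = a
    parts = [SOCK_TYPES.get(typ & 0xF, hex(typ & 0xF))]
    parts += [n for bit, n in SOCK_FLAGS.items() if typ & bit]
    if fam == 17:  # AF_PACKET: protocol is an ethertype in network byte order
        eth = ((proto & 0xFF) << 8) | (proto >> 8 & 0xFF)
        proto = f"htons({ETHERTYPES.get(eth, f'{eth:#06x}')})"
    return f"socket({AF.get(fam, str(fam))}, {'|'.join(parts)}, {proto})"


if __name__ == "__main__":
    report = parse(SAMPLE)
    print(uaf_summary(report), decode_syscall(report["regs"]), sep="\n")
```

Run against the full console log instead of SAMPLE and the result is the same: the second "Call Trace:" printed by panic() is skipped, the registers are taken from the first dump, and the summary names fanout_add() as the allocator, packet_release() as the freer and __list_add_valid() under dev_add_pack() as the use, with socket(AF_PACKET, SOCK_RAW|SOCK_CLOEXEC, htons(ETH_P_IP)) as the syscall that reached it.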