INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
syzkaller login: [   31.639310] IPVS: ftp: loaded support on port[0] = 21
net.ipv6.conf.syz_tun.router_solicitations = 0
[   31.729897] ip (4441) used greatest stack depth: 16584 bytes left
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   31.895299] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   32.255873] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   32.261980] 8021q: adding VLAN 0 to HW filter on device bond0
[   32.299205] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   32.338205] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   32.377748] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   32.383843] 8021q: adding VLAN 0 to HW filter on device team0
[   32.410537] bond0: Enslaving bond_slave as an active interface with an up link
[   32.419621] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
executing program
[   32.432307] team0: Port device team_slave added
[   32.437527] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   32.472102] ==================================================================
[   32.479521] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[   32.486174] Write of size 4 at addr ffff8801b49bbb20 by task syzkaller487790/4425
[   32.493773] 
[   32.495381] CPU: 0 PID: 4425 Comm: syzkaller487790 Not tainted 4.16.0+ #17
[   32.502366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.511697] Call Trace:
[   32.514265]  dump_stack+0x1b9/0x294
[   32.517882]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.523051]  ? printk+0x9e/0xba
[   32.526306]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.531044]  ? kasan_check_write+0x14/0x20
[   32.535257]  print_address_description+0x6c/0x20b
[   32.540078]  ? skb_release_data+0x19b/0x860
[   32.544376]  kasan_report.cold.7+0xac/0x2f5
[   32.548677]  check_memory_region+0x13e/0x1b0
[   32.553068]  kasan_check_write+0x14/0x20
[   32.557106]  skb_release_data+0x19b/0x860
[   32.561233]  ? skb_tx_error+0x2f0/0x2f0
[   32.565181]  ? kasan_check_read+0x11/0x20
[   32.569318]  ? rcu_is_watching+0x85/0x140
[   32.573442]  ? kasan_check_write+0x14/0x20
[   32.577655]  ? sock_rmem_free+0x6f/0x90
[   32.581608]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.587124]  skb_release_all+0x4a/0x60
[   32.590987]  kfree_skb+0x195/0x560
[   32.594503]  ? skb_queue_purge+0x19/0x40
[   32.598540]  ? __kfree_skb+0x20/0x20
[   32.602232]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   32.606793]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.611874]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.616867]  ? trace_hardirqs_on+0xd/0x10
[   32.621001]  ? skb_dequeue+0x12f/0x180
[   32.624872]  skb_queue_purge+0x19/0x40
[   32.628738]  packet_sock_destruct+0x93/0x290
[   32.633123]  ? packet_mm_close+0xc0/0xc0
[   32.637159]  ? graph_lock+0x170/0x170
[   32.640935]  ? __free_object+0x16e/0x330
[   32.644972]  ? __list_del_entry_valid.cold.1+0x58/0x58
[   32.650232]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   32.654796]  ? packet_mm_close+0xc0/0xc0
[   32.658834]  __sk_destruct+0xff/0xa40
[   32.662614]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[   32.667523]  ? graph_lock+0x170/0x170
[   32.671300]  ? lock_downgrade+0x8e0/0x8e0
[   32.675424]  ? __lock_is_held+0xb5/0x140
[   32.679464]  ? kasan_check_read+0x11/0x20
[   32.683588]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.687972]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   32.692533]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.697615]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.703130]  ? refcount_sub_and_test+0x212/0x330
[   32.707871]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   32.712602]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   32.717333]  ? pcpu_free_area+0xa90/0xa90
[   32.721458]  sk_destruct+0x78/0x90
[   32.724974]  __sk_free+0x22e/0x340
[   32.728491]  sk_free+0x42/0x50
[   32.731662]  packet_release+0xa18/0xd50
[   32.735615]  ? lock_downgrade+0x8e0/0x8e0
[   32.739741]  ? packet_lookup_frame+0x270/0x270
[   32.744303]  ? cpumask_weight.constprop.5+0x44/0x44
[   32.749295]  ? do_raw_spin_lock+0xc1/0x200
[   32.753509]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.759031]  ? locks_remove_file+0x3f7/0x5a0
[   32.763417]  ? fcntl_setlk+0x1020/0x1020
[   32.767455]  ? fsnotify+0x415/0x1100
[   32.771148]  ? fsnotify_first_mark+0x330/0x330
[   32.775711]  sock_release+0x96/0x1b0
[   32.779400]  ? sock_alloc_file+0x4e0/0x4e0
[   32.783609]  sock_close+0x16/0x20
[   32.787041]  __fput+0x34d/0x890
[   32.790298]  ? fput+0x1a0/0x1a0
[   32.793560]  ? check_same_owner+0x320/0x320
[   32.797862]  ____fput+0x15/0x20
[   32.801117]  task_work_run+0x1e4/0x290
[   32.804982]  ? task_work_cancel+0x240/0x240
[   32.809289]  ? switch_task_namespaces+0xbd/0xd0
[   32.814038]  do_exit+0x1aee/0x2730
[   32.817554]  ? find_held_lock+0x36/0x1c0
[   32.821593]  ? mm_update_next_owner+0x980/0x980
[   32.826244]  ? kasan_check_read+0x11/0x20
[   32.830369]  ? rcu_is_watching+0x85/0x140
[   32.834495]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.839670]  ? tun_get+0x22b/0x360
[   32.843184]  ? tun_chr_close+0x60/0x60
[   32.847067]  ? tun_chr_write_iter+0x110/0x154
[   32.851542]  ? fsnotify+0x415/0x1100
[   32.855235]  ? kasan_check_read+0x11/0x20
[   32.859359]  ? rcu_is_watching+0x85/0x140
[   32.863482]  ? rcu_pm_notify+0xc0/0xc0
[   32.867349]  ? vfs_writev+0x255/0x330
[   32.871125]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.876125]  ? kfree+0x1e9/0x260
[   32.879468]  ? vfs_writev+0xfc/0x330
[   32.883160]  ? vfs_iter_write+0xb0/0xb0
[   32.887119]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.892634]  ? sockfd_lookup_light+0xc5/0x160
[   32.897107]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.902621]  ? __fdget_pos+0xd6/0x1e0
[   32.906400]  ? __fdget_raw+0x20/0x20
[   32.910093]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.915611]  ? __sys_setsockopt+0x24f/0x390
[   32.919919]  do_group_exit+0x16f/0x430
[   32.923787]  ? SyS_exit+0x30/0x30
[   32.927231]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   32.932053]  ? do_syscall_64+0xb7/0x9d0
[   32.936002]  ? do_group_exit+0x430/0x430
[   32.940050]  SyS_exit_group+0x1d/0x20
[   32.943835]  do_syscall_64+0x29e/0x9d0
[   32.947701]  ? vmalloc_sync_all+0x30/0x30
[   32.951826]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.956559]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.961464]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.966381]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   32.971724]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.976545]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.981710] RIP: 0033:0x441989
[   32.984874] RSP: 002b:00007ffcb380f1a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   32.992559] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441989
[   32.999804] RDX: 00000000004418c0 RSI: 0000000000000001 RDI: 0000000000000001
[   33.007050] RBP: 00000000004a35a9 R08: 0000000000000020 R09: 00000000006cd018
[   33.014293] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffcb380f2a8
[   33.021539] R13: 0000000000402710 R14: 0000000000000000 R15: 0000000000000000
[   33.028798] 
[   33.030402] Allocated by task 4425:
[   33.034009]  save_stack+0x43/0xd0
[   33.037445]  kasan_kmalloc+0xc4/0xe0
[   33.041132]  __kmalloc_node_track_caller+0x47/0x70
[   33.046041]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   33.050772]  __alloc_skb+0x14d/0x780
[   33.054458]  alloc_skb_with_frags+0x137/0x760
[   33.058935]  sock_alloc_send_pskb+0x87a/0xae0
[   33.063406]  packet_sendmsg+0x1bd1/0x6100
[   33.067528]  sock_sendmsg+0xd5/0x120
[   33.071215]  ___sys_sendmsg+0x805/0x940
[   33.075173]  __sys_sendmsg+0x115/0x270
[   33.079036]  SyS_sendmsg+0x29/0x30
[   33.082554]  do_syscall_64+0x29e/0x9d0
[   33.086417]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.091574] 
[   33.093176] Freed by task 4425:
[   33.096430]  save_stack+0x43/0xd0
[   33.099860]  __kasan_slab_free+0x11a/0x170
[   33.104069]  kasan_slab_free+0xe/0x10
[   33.107842]  kfree+0xd9/0x260
[   33.110925]  skb_free_head+0x99/0xc0
[   33.114611]  skb_release_data+0x690/0x860
[   33.118735]  skb_release_all+0x4a/0x60
[   33.122597]  kfree_skb+0x195/0x560
[   33.126114]  ip6_tnl_start_xmit+0xa44/0x2290
[   33.130496]  dev_hard_start_xmit+0x264/0xc10
[   33.134879]  __dev_queue_xmit+0x2724/0x34c0
[   33.139175]  dev_queue_xmit+0x17/0x20
[   33.142950]  packet_sendmsg+0x411d/0x6100
[   33.147075]  sock_sendmsg+0xd5/0x120
[   33.150766]  ___sys_sendmsg+0x805/0x940
[   33.154716]  __sys_sendmsg+0x115/0x270
[   33.158577]  SyS_sendmsg+0x29/0x30
[   33.162092]  do_syscall_64+0x29e/0x9d0
[   33.165953]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.171115] 
[   33.172719] The buggy address belongs to the object at ffff8801b49bba40
[   33.172719]  which belongs to the cache kmalloc-512 of size 512
[   33.185350] The buggy address is located 224 bytes inside of
[   33.185350]  512-byte region [ffff8801b49bba40, ffff8801b49bbc40)
[   33.197198] The buggy address belongs to the page:
[   33.202103] page:ffffea0006d26ec0 count:1 mapcount:0 mapping:ffff8801b49bb040 index:0x0
[   33.210221] flags: 0x2fffc0000000100(slab)
[   33.214433] raw: 02fffc0000000100 ffff8801b49bb040 0000000000000000 0000000100000006
[   33.222290] raw: ffffea0006d35160 ffffea0006d89fa0 ffff8801dac00940 0000000000000000
[   33.230153] page dumped because: kasan: bad access detected
[   33.235835] 
[   33.237433] Memory state around the buggy address:
[   33.242335]  ffff8801b49bba00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.249668]  ffff8801b49bba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.257001] >ffff8801b49bbb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.264339]                                ^
[   33.268723]  ffff8801b49bbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.276058]  ffff8801b49bbc00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.283385] ==================================================================
[   33.290716] Disabling lock debugging due to kernel taint
[   33.296403] Kernel panic - not syncing: panic_on_warn set ...
[   33.296403] 
[   33.303767] CPU: 0 PID: 4425 Comm: syzkaller487790 Tainted: G    B            4.16.0+ #17
[   33.312077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.321403] Call Trace:
[   33.323969]  dump_stack+0x1b9/0x294
[   33.327571]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.332750]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.337481]  ? skb_release_data+0xd0/0x860
[   33.341694]  panic+0x22f/0x4de
[   33.344863]  ? add_taint.cold.5+0x16/0x16
[   33.348988]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.353373]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.357758]  ? skb_release_data+0x19b/0x860
[   33.362055]  kasan_end_report+0x47/0x4f
[   33.366008]  kasan_report.cold.7+0xc9/0x2f5
[   33.370311]  check_memory_region+0x13e/0x1b0
[   33.374695]  kasan_check_write+0x14/0x20
[   33.378728]  skb_release_data+0x19b/0x860
[   33.382850]  ? skb_tx_error+0x2f0/0x2f0
[   33.386797]  ? kasan_check_read+0x11/0x20
[   33.390919]  ? rcu_is_watching+0x85/0x140
[   33.395042]  ? kasan_check_write+0x14/0x20
[   33.399260]  ? sock_rmem_free+0x6f/0x90
[   33.403209]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.408723]  skb_release_all+0x4a/0x60
[   33.412587]  kfree_skb+0x195/0x560
[   33.416104]  ? skb_queue_purge+0x19/0x40
[   33.420140]  ? __kfree_skb+0x20/0x20
[   33.423830]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   33.428387]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.433464]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.438453]  ? trace_hardirqs_on+0xd/0x10
[   33.442575]  ? skb_dequeue+0x12f/0x180
[   33.446436]  skb_queue_purge+0x19/0x40
[   33.450301]  packet_sock_destruct+0x93/0x290
[   33.454685]  ? packet_mm_close+0xc0/0xc0
[   33.458720]  ? graph_lock+0x170/0x170
[   33.462496]  ? __free_object+0x16e/0x330
[   33.466531]  ? __list_del_entry_valid.cold.1+0x58/0x58
[   33.471782]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   33.476337]  ? packet_mm_close+0xc0/0xc0
[   33.480370]  __sk_destruct+0xff/0xa40
[   33.484145]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[   33.489049]  ? graph_lock+0x170/0x170
[   33.492824]  ? lock_downgrade+0x8e0/0x8e0
[   33.496944]  ? __lock_is_held+0xb5/0x140
[   33.500980]  ? kasan_check_read+0x11/0x20
[   33.505104]  ? do_raw_spin_unlock+0x9e/0x2e0
[   33.509485]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   33.514043]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.519127]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.524641]  ? refcount_sub_and_test+0x212/0x330
[   33.529373]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   33.534112]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   33.538843]  ? pcpu_free_area+0xa90/0xa90
[   33.542966]  sk_destruct+0x78/0x90
[   33.546481]  __sk_free+0x22e/0x340
[   33.549995]  sk_free+0x42/0x50
[   33.553168]  packet_release+0xa18/0xd50
[   33.557113]  ? lock_downgrade+0x8e0/0x8e0
[   33.561236]  ? packet_lookup_frame+0x270/0x270
[   33.565792]  ? cpumask_weight.constprop.5+0x44/0x44
[   33.570782]  ? do_raw_spin_lock+0xc1/0x200
[   33.574992]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.580506]  ? locks_remove_file+0x3f7/0x5a0
[   33.584887]  ? fcntl_setlk+0x1020/0x1020
[   33.588921]  ? fsnotify+0x415/0x1100
[   33.592618]  ? fsnotify_first_mark+0x330/0x330
[   33.597175]  sock_release+0x96/0x1b0
[   33.600861]  ? sock_alloc_file+0x4e0/0x4e0
[   33.605068]  sock_close+0x16/0x20
[   33.608495]  __fput+0x34d/0x890
[   33.611748]  ? fput+0x1a0/0x1a0
[   33.615011]  ? check_same_owner+0x320/0x320
[   33.619313]  ____fput+0x15/0x20
[   33.622566]  task_work_run+0x1e4/0x290
[   33.626427]  ? task_work_cancel+0x240/0x240
[   33.630734]  ? switch_task_namespaces+0xbd/0xd0
[   33.635388]  do_exit+0x1aee/0x2730
[   33.638900]  ? find_held_lock+0x36/0x1c0
[   33.642940]  ? mm_update_next_owner+0x980/0x980
[   33.647585]  ? kasan_check_read+0x11/0x20
[   33.651711]  ? rcu_is_watching+0x85/0x140
[   33.655832]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   33.661000]  ? tun_get+0x22b/0x360
[   33.664519]  ? tun_chr_close+0x60/0x60
[   33.668382]  ? tun_chr_write_iter+0x110/0x154
[   33.672854]  ? fsnotify+0x415/0x1100
[   33.676545]  ? kasan_check_read+0x11/0x20
[   33.680667]  ? rcu_is_watching+0x85/0x140
[   33.684788]  ? rcu_pm_notify+0xc0/0xc0
[   33.688651]  ? vfs_writev+0x255/0x330
[   33.692424]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.697412]  ? kfree+0x1e9/0x260
[   33.700751]  ? vfs_writev+0xfc/0x330
[   33.704439]  ? vfs_iter_write+0xb0/0xb0
[   33.708392]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.713903]  ? sockfd_lookup_light+0xc5/0x160
[   33.718372]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.723883]  ? __fdget_pos+0xd6/0x1e0
[   33.727655]  ? __fdget_raw+0x20/0x20
[   33.731345]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.736858]  ? __sys_setsockopt+0x24f/0x390
[   33.741155]  do_group_exit+0x16f/0x430
[   33.745023]  ? SyS_exit+0x30/0x30
[   33.748457]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   33.753272]  ? do_syscall_64+0xb7/0x9d0
[   33.757230]  ? do_group_exit+0x430/0x430
[   33.761266]  SyS_exit_group+0x1d/0x20
[   33.765045]  do_syscall_64+0x29e/0x9d0
[   33.768907]  ? vmalloc_sync_all+0x30/0x30
[   33.773035]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.777765]  ? syscall_return_slowpath+0x5c0/0x5c0
[   33.782670]  ? syscall_return_slowpath+0x30f/0x5c0
[   33.787595]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   33.792934]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.797750]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.802923] RIP: 0033:0x441989
[   33.806088] RSP: 002b:00007ffcb380f1a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[   33.813777] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441989
[   33.821027] RDX: 00000000004418c0 RSI: 0000000000000001 RDI: 0000000000000001
[   33.828271] RBP: 00000000004a35a9 R08: 0000000000000020 R09: 00000000006cd018
[   33.835938] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffcb380f2a8
[   33.843182] R13: 0000000000402710 R14: 0000000000000000 R15: 0000000000000000
[   33.850836] Dumping ftrace buffer:
[   33.854347]    (ftrace buffer empty)
[   33.858028] Kernel Offset: disabled
[   33.861631] Rebooting in 86400 seconds..