INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.486103] sshd (4427) used greatest stack depth: 16568 bytes left
Warning: Permanently added '10.128.0.56' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 42.125107] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 42.378498] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 42.737133] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 42.743238] 8021q: adding VLAN 0 to HW filter on device bond0
[ 42.780948] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 42.820236] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.859325] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 42.865436] 8021q: adding VLAN 0 to HW filter on device team0
[ 42.892711] bond0: Enslaving bond_slave as an active interface with an up link
[ 42.901212] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
executing program
[ 42.917676] team0: Port device team_slave added
[ 42.922990] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 42.962125] ==================================================================
[ 42.969551] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[ 42.976195] Write of size 4 at addr ffff8801d8da53e0 by task syzkaller507699/4446
[ 42.983788] 
[ 42.985401] CPU: 0 PID: 4446 Comm: syzkaller507699 Not tainted 4.16.0+ #17
[ 42.992388] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.001723] Call Trace:
[ 43.004294]  dump_stack+0x1b9/0x294
[ 43.007904]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 43.013071]  ? printk+0x9e/0xba
[ 43.016329]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 43.021064]  ? kasan_check_write+0x14/0x20
[ 43.025278]  print_address_description+0x6c/0x20b
[ 43.030099]  ? skb_release_data+0x19b/0x860
[ 43.034398]  kasan_report.cold.7+0xac/0x2f5
[ 43.038701]  check_memory_region+0x13e/0x1b0
[ 43.043089]  kasan_check_write+0x14/0x20
[ 43.047126]  skb_release_data+0x19b/0x860
[ 43.051254]  ? skb_tx_error+0x2f0/0x2f0
[ 43.055206]  ? kasan_check_read+0x11/0x20
[ 43.059333]  ? rcu_is_watching+0x85/0x140
[ 43.063465]  ? kasan_check_write+0x14/0x20
[ 43.067678]  ? sock_rmem_free+0x6f/0x90
[ 43.071633]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 43.077152]  skb_release_all+0x4a/0x60
[ 43.081017]  kfree_skb+0x195/0x560
[ 43.084535]  ? skb_queue_purge+0x19/0x40
[ 43.088584]  ? __kfree_skb+0x20/0x20
[ 43.092277]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 43.096840]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 43.101920]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 43.106912]  ? trace_hardirqs_on+0xd/0x10
[ 43.111040]  ? skb_dequeue+0x12f/0x180
[ 43.114905]  skb_queue_purge+0x19/0x40
[ 43.118773]  packet_sock_destruct+0x93/0x290
[ 43.123177]  ? packet_mm_close+0xc0/0xc0
[ 43.127216]  ? graph_lock+0x170/0x170
[ 43.131169]  ? __free_object+0x16e/0x330
[ 43.135208]  ? __list_del_entry_valid.cold.1+0x58/0x58
[ 43.140468]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 43.145030]  ? packet_mm_close+0xc0/0xc0
[ 43.149070]  __sk_destruct+0xff/0xa40
[ 43.152851]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 43.157762]  ? graph_lock+0x170/0x170
[ 43.161544]  ? lock_downgrade+0x8e0/0x8e0
[ 43.165668]  ? __lock_is_held+0xb5/0x140
[ 43.169709]  ? kasan_check_read+0x11/0x20
[ 43.173835]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 43.178220]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 43.182781]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 43.187864]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 43.193387]  ? refcount_sub_and_test+0x212/0x330
[ 43.198123]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 43.202859]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 43.207592]  ? pcpu_free_area+0xa90/0xa90
[ 43.211722]  sk_destruct+0x78/0x90
[ 43.215239]  __sk_free+0x22e/0x340
[ 43.218757]  sk_free+0x42/0x50
[ 43.221927]  packet_release+0xa18/0xd50
[ 43.225880]  ? lock_downgrade+0x8e0/0x8e0
[ 43.230010]  ? packet_lookup_frame+0x270/0x270
[ 43.234573]  ? cpumask_weight.constprop.5+0x44/0x44
[ 43.239578]  ? do_raw_spin_lock+0xc1/0x200
[ 43.243795]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 43.249309]  ? locks_remove_file+0x3f7/0x5a0
[ 43.253695]  ? fcntl_setlk+0x1020/0x1020
[ 43.257734]  ? fsnotify+0x415/0x1100
[ 43.261428]  ? fsnotify_first_mark+0x330/0x330
[ 43.266001]  sock_release+0x96/0x1b0
[ 43.269866]  ? sock_alloc_file+0x4e0/0x4e0
[ 43.274077]  sock_close+0x16/0x20
[ 43.277506]  __fput+0x34d/0x890
[ 43.280767]  ? fput+0x1a0/0x1a0
[ 43.284045]  ? check_same_owner+0x320/0x320
[ 43.288350]  ____fput+0x15/0x20
[ 43.291614]  task_work_run+0x1e4/0x290
[ 43.295479]  ? task_work_cancel+0x240/0x240
[ 43.299782]  ? switch_task_namespaces+0xbd/0xd0
[ 43.304428]  do_exit+0x1aee/0x2730
[ 43.307946]  ? find_held_lock+0x36/0x1c0
[ 43.311990]  ? mm_update_next_owner+0x980/0x980
[ 43.316641]  ? kasan_check_read+0x11/0x20
[ 43.320766]  ? rcu_is_watching+0x85/0x140
[ 43.324893]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 43.330068]  ? tun_get+0x22b/0x360
[ 43.333584]  ? tun_chr_close+0x60/0x60
[ 43.337455]  ? tun_chr_write_iter+0x110/0x154
[ 43.341929]  ? fsnotify+0x415/0x1100
[ 43.345624]  ? kasan_check_read+0x11/0x20
[ 43.349746]  ? rcu_is_watching+0x85/0x140
[ 43.353872]  ? rcu_pm_notify+0xc0/0xc0
[ 43.357751]  ? vfs_writev+0x255/0x330
[ 43.363455]  ? rcu_read_lock_sched_held+0x108/0x120
[ 43.368452]  ? kfree+0x1e9/0x260
[ 43.371799]  ? vfs_writev+0xfc/0x330
[ 43.375493]  ? vfs_iter_write+0xb0/0xb0
[ 43.379449]  ? lock_downgrade+0x8e0/0x8e0
[ 43.383583]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 43.389097]  ? sockfd_lookup_light+0xc5/0x160
[ 43.393572]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 43.399084]  ? __fdget_pos+0xd6/0x1e0
[ 43.402864]  ? __fdget_raw+0x20/0x20
[ 43.406563]  do_group_exit+0x16f/0x430
[ 43.410429]  ? SyS_exit+0x30/0x30
[ 43.413866]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 43.418694]  ? do_syscall_64+0xb7/0x9d0
[ 43.422647]  ? do_group_exit+0x430/0x430
[ 43.426688]  SyS_exit_group+0x1d/0x20
[ 43.430467]  do_syscall_64+0x29e/0x9d0
[ 43.434331]  ? vmalloc_sync_all+0x30/0x30
[ 43.438460]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 43.443195]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 43.448101]  ? syscall_return_slowpath+0x30f/0x5c0
[ 43.453012]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 43.458355]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.463179]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.468348] RIP: 0033:0x441979
[ 43.471513] RSP: 002b:00007ffc8ba097e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 43.479200] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441979
[ 43.486450] RDX: 00000000004418b0 RSI: 0000000000000001 RDI: 0000000000000001
[ 43.493699] RBP: 00000000004a3589 R08: 0000000000000020 R09: 00000000006cd018
[ 43.500948] R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8ba098e8
[ 43.508196] R13: 0000000000402700 R14: 0000000000000000 R15: 0000000000000000
[ 43.515458] 
[ 43.517152] Allocated by task 4446:
[ 43.520758]  save_stack+0x43/0xd0
[ 43.524195]  kasan_kmalloc+0xc4/0xe0
[ 43.527885]  __kmalloc_node_track_caller+0x47/0x70
[ 43.532792]  __kmalloc_reserve.isra.38+0x3a/0xe0
[ 43.537524]  __alloc_skb+0x14d/0x780
[ 43.541213]  alloc_skb_with_frags+0x137/0x760
[ 43.545684]  sock_alloc_send_pskb+0x87a/0xae0
[ 43.550155]  packet_sendmsg+0x1bd1/0x6100
[ 43.554280]  sock_sendmsg+0xd5/0x120
[ 43.557970]  ___sys_sendmsg+0x805/0x940
[ 43.561920]  __sys_sendmsg+0x115/0x270
[ 43.565781]  SyS_sendmsg+0x29/0x30
[ 43.569296]  do_syscall_64+0x29e/0x9d0
[ 43.573160]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.578320] 
[ 43.579921] Freed by task 4446:
[ 43.583178]  save_stack+0x43/0xd0
[ 43.586606]  __kasan_slab_free+0x11a/0x170
[ 43.590816]  kasan_slab_free+0xe/0x10
[ 43.594589]  kfree+0xd9/0x260
[ 43.597670]  skb_free_head+0x99/0xc0
[ 43.601363]  skb_release_data+0x690/0x860
[ 43.605490]  skb_release_all+0x4a/0x60
[ 43.609357]  kfree_skb+0x195/0x560
[ 43.612876]  ip6_tnl_start_xmit+0xa44/0x2290
[ 43.617259]  dev_hard_start_xmit+0x264/0xc10
[ 43.621642]  __dev_queue_xmit+0x2724/0x34c0
[ 43.625938]  dev_queue_xmit+0x17/0x20
[ 43.629714]  packet_sendmsg+0x411d/0x6100
[ 43.633845]  sock_sendmsg+0xd5/0x120
[ 43.637538]  ___sys_sendmsg+0x805/0x940
[ 43.641496]  __sys_sendmsg+0x115/0x270
[ 43.645372]  SyS_sendmsg+0x29/0x30
[ 43.648890]  do_syscall_64+0x29e/0x9d0
[ 43.652753]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.657915] 
[ 43.659520] The buggy address belongs to the object at ffff8801d8da5300
[ 43.659520]  which belongs to the cache kmalloc-512 of size 512
[ 43.672156] The buggy address is located 224 bytes inside of
[ 43.672156]  512-byte region [ffff8801d8da5300, ffff8801d8da5500)
[ 43.684005] The buggy address belongs to the page:
[ 43.688912] page:ffffea0007636940 count:1 mapcount:0 mapping:ffff8801d8da5080 index:0x0
[ 43.697030] flags: 0x2fffc0000000100(slab)
[ 43.701252] raw: 02fffc0000000100 ffff8801d8da5080 0000000000000000 0000000100000006
[ 43.709113] raw: ffffea0007620ca0 ffffea0007666960 ffff8801dac00940 0000000000000000
[ 43.716973] page dumped because: kasan: bad access detected
[ 43.722652] 
[ 43.724255] Memory state around the buggy address:
[ 43.729158]  ffff8801d8da5280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.736492]  ffff8801d8da5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.743828] >ffff8801d8da5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.751160]                                                        ^
[ 43.757629]  ffff8801d8da5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.764965]  ffff8801d8da5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.772295] ==================================================================
[ 43.779626] Disabling lock debugging due to kernel taint
[ 43.785213] Kernel panic - not syncing: panic_on_warn set ...
[ 43.785213] 
[ 43.792561] CPU: 0 PID: 4446 Comm: syzkaller507699 Tainted: G    B            4.16.0+ #17
[ 43.800862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.810194] Call Trace:
[ 43.812762]  dump_stack+0x1b9/0x294
[ 43.816368]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 43.821534]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 43.826267]  ? skb_release_data+0xd0/0x860
[ 43.830477]  panic+0x22f/0x4de
[ 43.833643]  ? add_taint.cold.5+0x16/0x16
[ 43.837786]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 43.842177]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 43.846560]  ? skb_release_data+0x19b/0x860
[ 43.850857]  kasan_end_report+0x47/0x4f
[ 43.854805]  kasan_report.cold.7+0xc9/0x2f5
[ 43.859103]  check_memory_region+0x13e/0x1b0
[ 43.863485]  kasan_check_write+0x14/0x20
[ 43.867520]  skb_release_data+0x19b/0x860
[ 43.871644]  ? skb_tx_error+0x2f0/0x2f0
[ 43.875592]  ? kasan_check_read+0x11/0x20
[ 43.879714]  ? rcu_is_watching+0x85/0x140
[ 43.883839]  ? kasan_check_write+0x14/0x20
[ 43.888050]  ? sock_rmem_free+0x6f/0x90
[ 43.892003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 43.897516]  skb_release_all+0x4a/0x60
[ 43.901380]  kfree_skb+0x195/0x560
[ 43.904898]  ? skb_queue_purge+0x19/0x40
[ 43.908934]  ? __kfree_skb+0x20/0x20
[ 43.912630]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 43.917189]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 43.922273]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 43.927271]  ? trace_hardirqs_on+0xd/0x10
[ 43.931396]  ? skb_dequeue+0x12f/0x180
[ 43.935255]  skb_queue_purge+0x19/0x40
[ 43.939126]  packet_sock_destruct+0x93/0x290
[ 43.943508]  ? packet_mm_close+0xc0/0xc0
[ 43.947541]  ? graph_lock+0x170/0x170
[ 43.951316]  ? __free_object+0x16e/0x330
[ 43.955351]  ? __list_del_entry_valid.cold.1+0x58/0x58
[ 43.960602]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 43.965159]  ? packet_mm_close+0xc0/0xc0
[ 43.969194]  __sk_destruct+0xff/0xa40
[ 43.972971]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 43.977876]  ? graph_lock+0x170/0x170
[ 43.981653]  ? lock_downgrade+0x8e0/0x8e0
[ 43.985776]  ? __lock_is_held+0xb5/0x140
[ 43.989813]  ? kasan_check_read+0x11/0x20
[ 43.993936]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 43.998321]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 44.002879]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 44.008392]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 44.013910]  ? refcount_sub_and_test+0x212/0x330
[ 44.018644]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 44.023377]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 44.028110]  ? pcpu_free_area+0xa90/0xa90
[ 44.032237]  sk_destruct+0x78/0x90
[ 44.035754]  __sk_free+0x22e/0x340
[ 44.039269]  sk_free+0x42/0x50
[ 44.042441]  packet_release+0xa18/0xd50
[ 44.046389]  ? lock_downgrade+0x8e0/0x8e0
[ 44.050514]  ? packet_lookup_frame+0x270/0x270
[ 44.055072]  ? cpumask_weight.constprop.5+0x44/0x44
[ 44.060063]  ? do_raw_spin_lock+0xc1/0x200
[ 44.064273]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.069785]  ? locks_remove_file+0x3f7/0x5a0
[ 44.074168]  ? fcntl_setlk+0x1020/0x1020
[ 44.078202]  ? fsnotify+0x415/0x1100
[ 44.081892]  ? fsnotify_first_mark+0x330/0x330
[ 44.086449]  sock_release+0x96/0x1b0
[ 44.090137]  ? sock_alloc_file+0x4e0/0x4e0
[ 44.094346]  sock_close+0x16/0x20
[ 44.097774]  __fput+0x34d/0x890
[ 44.101027]  ? fput+0x1a0/0x1a0
[ 44.104282]  ? check_same_owner+0x320/0x320
[ 44.108577]  ____fput+0x15/0x20
[ 44.111830]  task_work_run+0x1e4/0x290
[ 44.115693]  ? task_work_cancel+0x240/0x240
[ 44.119989]  ? switch_task_namespaces+0xbd/0xd0
[ 44.124634]  do_exit+0x1aee/0x2730
[ 44.128156]  ? find_held_lock+0x36/0x1c0
[ 44.132193]  ? mm_update_next_owner+0x980/0x980
[ 44.136840]  ? kasan_check_read+0x11/0x20
[ 44.140961]  ? rcu_is_watching+0x85/0x140
[ 44.145086]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 44.150252]  ? tun_get+0x22b/0x360
[ 44.153764]  ? tun_chr_close+0x60/0x60
[ 44.157629]  ? tun_chr_write_iter+0x110/0x154
[ 44.162098]  ? fsnotify+0x415/0x1100
[ 44.165788]  ? kasan_check_read+0x11/0x20
[ 44.169907]  ? rcu_is_watching+0x85/0x140
[ 44.174028]  ? rcu_pm_notify+0xc0/0xc0
[ 44.177892]  ? vfs_writev+0x255/0x330
[ 44.181664]  ? rcu_read_lock_sched_held+0x108/0x120
[ 44.186652]  ? kfree+0x1e9/0x260
[ 44.189991]  ? vfs_writev+0xfc/0x330
[ 44.193680]  ? vfs_iter_write+0xb0/0xb0
[ 44.197628]  ? lock_downgrade+0x8e0/0x8e0
[ 44.201754]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.207274]  ? sockfd_lookup_light+0xc5/0x160
[ 44.211750]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 44.217262]  ? __fdget_pos+0xd6/0x1e0
[ 44.221037]  ? __fdget_raw+0x20/0x20
[ 44.224735]  do_group_exit+0x16f/0x430
[ 44.228609]  ? SyS_exit+0x30/0x30
[ 44.232039]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 44.236856]  ? do_syscall_64+0xb7/0x9d0
[ 44.240807]  ? do_group_exit+0x430/0x430
[ 44.244844]  SyS_exit_group+0x1d/0x20
[ 44.248620]  do_syscall_64+0x29e/0x9d0
[ 44.252489]  ? vmalloc_sync_all+0x30/0x30
[ 44.256611]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 44.261342]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 44.266247]  ? syscall_return_slowpath+0x30f/0x5c0
[ 44.271153]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 44.276491]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.281309]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.286473] RIP: 0033:0x441979
[ 44.289642] RSP: 002b:00007ffc8ba097e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[ 44.297330] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441979
[ 44.304573] RDX: 00000000004418b0 RSI: 0000000000000001 RDI: 0000000000000001
[ 44.311818] RBP: 00000000004a3589 R08: 0000000000000020 R09: 00000000006cd018
[ 44.319061] R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8ba098e8
[ 44.326304] R13: 0000000000402700 R14: 0000000000000000 R15: 0000000000000000
[ 44.333944] Dumping ftrace buffer:
[ 44.337455]    (ftrace buffer empty)
[ 44.341140] Kernel Offset: disabled
[ 44.344742] Rebooting in 86400 seconds..
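What the report above says, read mechanically: the faulting instruction is a 4-byte write inside skb_release_data, i.e. inside a release routine; the slab object it touches (a kmalloc-512 skb head, 224 bytes in) was already freed by kfree_skb called from ip6_tnl_start_xmit during the same task's sendmsg; the second release comes from packet_sock_destruct purging the socket's queues while the task exits; and the shadow byte under the caret is fb, KASAN's "freed slab object" marker. The script below is an added example, not part of the syzkaller report or of kernel code. It parses a KASAN report into the BUG line, the three stacks, the object description and the shadow dump, re-derives the offset into the object and checks it against the reported 224, names the caller behind each release, and flags the double-release pattern. The input is an excerpt of this page's report; the RELEASE and GLUE frame lists and the "owner" heuristic are this example's own simplifications, and the shadow-byte meanings are the constants from mm/kasan/kasan.h.

```python
"""Parse and triage a KASAN report as printed by the kernel (added example, not syzkaller code)."""
import re
from dataclasses import dataclass, field

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                             # console timestamp prefix
FRAME = re.compile(r"^(\?\s*)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # leading "?" = unreliable frame
SHADOW = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
# Shadow values from mm/kasan/kasan.h; one shadow byte describes one 8-byte granule.
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "kmalloc redzone"}
# Example's own heuristic: generic freeing machinery and KASAN/stack-dump glue; the first frame
# that is neither is taken as the caller that actually released (or re-released) the buffer.
RELEASE = {"kfree", "kfree_skb", "skb_free_head", "skb_release_data", "skb_release_all", "skb_queue_purge"}
GLUE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "check_memory_region")

# Excerpt of the report on this page, trimmed to the lines this example needs.
REPORT = """\
[ 42.969551] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[ 42.976195] Write of size 4 at addr ffff8801d8da53e0 by task syzkaller507699/4446
[ 43.001723] Call Trace:
[ 43.004294]  dump_stack+0x1b9/0x294
[ 43.043089]  kasan_check_write+0x14/0x20
[ 43.047126]  skb_release_data+0x19b/0x860
[ 43.051254]  ? skb_tx_error+0x2f0/0x2f0
[ 43.081017]  kfree_skb+0x195/0x560
[ 43.114905]  skb_queue_purge+0x19/0x40
[ 43.118773]  packet_sock_destruct+0x93/0x290
[ 43.515458]
[ 43.517152] Allocated by task 4446:
[ 43.537524]  __alloc_skb+0x14d/0x780
[ 43.550155]  packet_sendmsg+0x1bd1/0x6100
[ 43.579921] Freed by task 4446:
[ 43.586606]  __kasan_slab_free+0x11a/0x170
[ 43.594589]  kfree+0xd9/0x260
[ 43.601363]  skb_release_data+0x690/0x860
[ 43.609357]  kfree_skb+0x195/0x560
[ 43.612876]  ip6_tnl_start_xmit+0xa44/0x2290
[ 43.629714]  packet_sendmsg+0x411d/0x6100
[ 43.659520] The buggy address belongs to the object at ffff8801d8da5300
[ 43.659520]  which belongs to the cache kmalloc-512 of size 512
[ 43.672156] The buggy address is located 224 bytes inside of
[ 43.743828] >ffff8801d8da5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

@dataclass
class KasanReport:
    kind: str = ""            # "use-after-free", "slab-out-of-bounds", ...
    where: str = ""           # function named on the BUG line
    access: str = ""          # "Read" or "Write"
    size: int = 0
    addr: int = 0
    cache: str = ""
    obj_base: int = 0
    reported_offset: int = -1
    stacks: dict = field(default_factory=dict)   # "crash" / "alloc" / "free" -> reliable frames
    shadow: dict = field(default_factory=dict)   # shadow-line base address -> 16 byte values

def parse_kasan(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", line):
            r.kind, r.where = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.match(r"(Call Trace|Allocated|Freed)", line):
            name = {"Call Trace": "crash", "Allocated": "alloc", "Freed": "free"}[m[1]]
            section = r.stacks.setdefault(name, [])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size \d+", line):
            r.cache = m[1]
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.reported_offset = int(m[1])
        elif m := SHADOW.match(line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section is not None:
            if not line:                                   # a blank line ends the stack
                section = None
            elif (m := FRAME.match(line)) and not m[1]:    # drop "?" (unreliable) frames
                section.append(m[2])
    return r

def owner(stack):   # first frame beneath the freeing/instrumentation machinery
    return next((f for f in stack if f not in RELEASE and not f.startswith(GLUE)), None)

def triage(r):
    base = next((b for b in r.shadow if b <= r.addr < b + 16 * 8), None)  # 16 granules of 8 bytes
    if base is None:
        raise ValueError("faulting address is not covered by the dumped shadow lines")
    byte = r.shadow[base][(r.addr - base) // 8]
    offset = r.addr - r.obj_base
    return {
        "offset": offset, "offset_matches": offset == r.reported_offset,
        "shadow": SHADOW_MEANING.get(byte, f"other (0x{byte:02x})"),
        "first_release": owner(r.stacks.get("free", [])),
        "second_release": owner(r.stacks.get("crash", [])),
        # A UAF whose faulting instruction sits inside a release routine, on a granule KASAN has
        # already marked freed, is the same slab object being released a second time.
        "double_release": r.kind == "use-after-free" and r.where in RELEASE and byte == 0xfb,
    }

if __name__ == "__main__":
    print(triage(parse_kasan(REPORT)))
```

Run on this page's report it yields offset 224 (matching the kernel's own "224 bytes inside of"), shadow state "freed slab object", first release by ip6_tnl_start_xmit and second by packet_sock_destruct, with double_release set. The offset check is worth keeping: when a report has been hand-edited or truncated, a mismatch between the recomputed and printed offset is the quickest sign that the addresses no longer belong together.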