INIT: Entering runlevel: 2 [[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-1,10.128.0.14' (ECDSA) to the list of known hosts. 2017/09/10 06:31:17 parsed 1 programs 2017/09/10 06:31:17 executed programs: 0 syzkaller login: [ 37.930558] dev_remove_pack: ffff8801cf7c8780 not found [ 38.047592] ================================================================== [ 38.054959] BUG: KASAN: use-after-free in fanout_demux_rollover+0x4a5/0x4d0 at addr ffff8801cf7c872c [ 38.064192] Read of size 4 by task syz-executor1/3686 [ 38.069346] CPU: 1 PID: 3686 Comm: syz-executor1 Not tainted 4.9.48-g93babeb #44 [ 38.076839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.086156] ffff8801db307a68 ffffffff81d92f89 ffff8801da002000 ffff8801cf7c8000 [ 38.094277] ffff8801cf7c8800 ffffed0039ef90e5 ffff8801cf7c872c ffff8801db307a90 [ 38.102218] ffffffff8153cbcc ffffed0039ef90e5 ffff8801da002000 0000000000000000 [ 38.110176] Call Trace: [ 38.112722] [ 38.114753] [] dump_stack+0xc1/0x128 [ 38.120095] [] kasan_object_err+0x1c/0x70 [ 38.125856] [] kasan_report.part.1+0x21c/0x500 [ 38.132051] [] ? packet_rcv_has_room+0x95/0xb0 [ 38.138244] [] ? fanout_demux_rollover+0x4a5/0x4d0 [ 38.144792] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 38.151073] [] __asan_report_load4_noabort+0x29/0x30 [ 38.157786] [] fanout_demux_rollover+0x4a5/0x4d0 [ 38.164152] [] packet_rcv_fanout+0x4ce/0x620 [ 38.170174] [] ? _flat_send_IPI_mask+0x93/0xb0 [ 38.176371] [] __netif_receive_skb_core+0x887/0x29e0 [ 38.183102] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.190078] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.197053] [] ? netif_wake_subqueue+0x210/0x210 [ 38.203421] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.210400] [] ? ttwu_do_wakeup+0x27b/0x540 [ 38.216344] [] ? try_to_wake_up+0xb7/0xee0 [ 38.222190] [] ? process_backlog+0x17c/0x690 [ 38.228216] [] __netif_receive_skb+0x5b/0x1c0 [ 38.234334] [] process_backlog+0x1d4/0x690 [ 38.240189] [] ? process_backlog+0x17c/0x690 [ 38.246210] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.253193] [] net_rx_action+0x396/0xe00 [ 38.258868] [] ? sk_busy_loop+0xca0/0xca0 [ 38.264636] [] ? check_preemption_disabled+0x3b/0x200 [ 38.271439] [] __do_softirq+0x22d/0x964 [ 38.277029] [] ? rcu_eqs_enter_common.constprop.77+0xe5/0x1c0 [ 38.284526] [] do_softirq_own_stack+0x1c/0x30 [ 38.290632] [ 38.292659] [] do_softirq.part.16+0x99/0xb0 [ 38.298608] [] do_softirq+0x18/0x20 [ 38.303849] [] netif_rx_ni+0x140/0x320 [ 38.309348] [] tun_get_user+0xac5/0x2080 [ 38.315021] [] ? tun_chr_ioctl+0x40/0x40 [ 38.320697] [] ? tun_net_uninit+0x20/0x20 [ 38.326456] [] ? __tun_get+0x12a/0x230 [ 38.331955] [] tun_chr_write_iter+0xd5/0x190 [ 38.338065] [] __vfs_write+0x4bf/0x680 [ 38.343565] [] ? default_llseek+0x290/0x290 [ 38.349502] [] ? avc_policy_seqno+0x9/0x20 [ 38.355350] [] ? selinux_file_permission+0x82/0x460 [ 38.361982] [] ? rw_verify_area+0xe5/0x2b0 [ 38.367827] [] vfs_write+0x170/0x4e0 [ 38.373153] [] SyS_write+0xd9/0x1b0 [ 38.378390] [] ? SyS_read+0x1b0/0x1b0 [ 38.383803] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 38.390346] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 38.396889] Object at ffff8801cf7c8000, in cache kmalloc-2048 size: 2048 [ 38.403688] Allocated: [ 38.406147] PID = 3672 [ 38.408611] save_stack_trace+0x16/0x20 [ 38.412997] save_stack+0x43/0xd0 [ 38.416413] kasan_kmalloc+0xad/0xe0 [ 38.420095] __kmalloc+0x11d/0x310 [ 38.423603] sk_prot_alloc+0x101/0x2a0 [ 38.427453] sk_alloc+0x3a/0x3a0 [ 38.430784] packet_create+0xf0/0x8e0 [ 38.434547] __sock_create+0x3ab/0x640 [ 38.438404] SyS_socket+0xf0/0x1b0 [ 38.441910] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 38.446625] Freed: [ 38.448738] PID = 3672 [ 38.451200] save_stack_trace+0x16/0x20 [ 38.455137] save_stack+0x43/0xd0 [ 38.458551] kasan_slab_free+0x73/0xc0 [ 38.462408] kfree+0xf0/0x2f0 [ 38.465477] __sk_destruct+0x47f/0x570 [ 38.469323] sk_destruct+0x47/0x80 [ 38.472830] __sk_free+0x57/0x230 [ 38.476244] sk_free+0x23/0x30 [ 38.479401] packet_release+0x732/0xa20 [ 38.483339] sock_release+0x8d/0x1e0 [ 38.487016] sock_close+0x16/0x20 [ 38.490432] __fput+0x28c/0x6e0 [ 38.493679] ____fput+0x15/0x20 [ 38.496920] task_work_run+0x115/0x190 [ 38.500769] do_exit+0x82e/0x2a50 [ 38.504183] do_group_exit+0x108/0x320 [ 38.508032] get_signal+0x55c/0x1600 [ 38.511711] do_signal+0x87/0x1960 [ 38.515215] exit_to_usermode_loop+0xe5/0x130 [ 38.519673] syscall_return_slowpath+0x1a0/0x1e0 [ 38.524390] entry_SYSCALL_64_fastpath+0xc4/0xc6 [ 38.529105] Memory state around the buggy address: [ 38.533997] ffff8801cf7c8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.541319] ffff8801cf7c8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.548641] >ffff8801cf7c8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.555959] ^ [ 38.560588] ffff8801cf7c8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.567907] ffff8801cf7c8800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 38.575226] ================================================================== [ 38.582605] ================================================================== [ 38.589936] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801cf7c814c [ 38.598734] Read of size 4 by task syz-executor1/3686 [ 38.603889] CPU: 1 PID: 3686 Comm: syz-executor1 Tainted: G B 4.9.48-g93babeb #44 [ 38.612601] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.621920] ffff8801db3079e8 ffffffff81d92f89 ffff8801da002000 ffff8801cf7c8000 [ 38.629869] ffff8801cf7c8800 ffffed0039ef9029 ffff8801cf7c814c ffff8801db307a10 [ 38.637812] ffffffff8153cbcc ffffed0039ef9029 ffff8801da002000 0000000000000000 [ 38.645752] Call Trace: [ 38.648296] [ 38.650325] [] dump_stack+0xc1/0x128 [ 38.655668] [] kasan_object_err+0x1c/0x70 [ 38.661426] [] kasan_report.part.1+0x21c/0x500 [ 38.667621] [] ? do_raw_spin_lock+0x1ac/0x1e0 [ 38.673726] [] __asan_report_load4_noabort+0x29/0x30 [ 38.680439] [] do_raw_spin_lock+0x1ac/0x1e0 [ 38.686372] [] _raw_spin_lock_bh+0x42/0x50 [ 38.692219] [] ? packet_rcv_has_room+0x25/0xb0 [ 38.698412] [] packet_rcv_has_room+0x25/0xb0 [ 38.704432] [] fanout_demux_rollover+0x17c/0x4d0 [ 38.710798] [] packet_rcv_fanout+0x4ce/0x620 [ 38.716818] [] ? _flat_send_IPI_mask+0x93/0xb0 [ 38.723014] [] __netif_receive_skb_core+0x887/0x29e0 [ 38.729729] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.736705] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.743681] [] ? netif_wake_subqueue+0x210/0x210 [ 38.750049] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.757023] [] ? ttwu_do_wakeup+0x27b/0x540 [ 38.762957] [] ? try_to_wake_up+0xb7/0xee0 [ 38.768803] [] ? process_backlog+0x17c/0x690 [ 38.774824] [] __netif_receive_skb+0x5b/0x1c0 [ 38.780930] [] process_backlog+0x1d4/0x690 [ 38.786777] [] ? process_backlog+0x17c/0x690 [ 38.792800] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.799776] [] net_rx_action+0x396/0xe00 [ 38.805449] [] ? sk_busy_loop+0xca0/0xca0 [ 38.811217] [] ? check_preemption_disabled+0x3b/0x200 [ 38.818019] [] __do_softirq+0x22d/0x964 [ 38.823606] [] ? rcu_eqs_enter_common.constprop.77+0xe5/0x1c0 [ 38.831101] [] do_softirq_own_stack+0x1c/0x30 [ 38.837219] [ 38.839248] [] do_softirq.part.16+0x99/0xb0 [ 38.845193] [] do_softirq+0x18/0x20 [ 38.850432] [] netif_rx_ni+0x140/0x320 [ 38.855931] [] tun_get_user+0xac5/0x2080 [ 38.861604] [] ? tun_chr_ioctl+0x40/0x40 [ 38.867278] [] ? tun_net_uninit+0x20/0x20 [ 38.873039] [] ? __tun_get+0x12a/0x230 [ 38.878537] [] tun_chr_write_iter+0xd5/0x190 [ 38.884558] [] __vfs_write+0x4bf/0x680 [ 38.890058] [] ? default_llseek+0x290/0x290 [ 38.895994] [] ? avc_policy_seqno+0x9/0x20 [ 38.901840] [] ? selinux_file_permission+0x82/0x460 [ 38.908469] [] ? rw_verify_area+0xe5/0x2b0 [ 38.914318] [] vfs_write+0x170/0x4e0 [ 38.919643] [] SyS_write+0xd9/0x1b0 [ 38.924884] [] ? SyS_read+0x1b0/0x1b0 [ 38.930299] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 38.936844] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 38.943383] Object at ffff8801cf7c8000, in cache kmalloc-2048 size: 2048 [ 38.950183] Allocated: [ 38.952640] PID = 3672 [ 38.955100] save_stack_trace+0x16/0x20 [ 38.959043] save_stack+0x43/0xd0 [ 38.962457] kasan_kmalloc+0xad/0xe0 [ 38.966131] __kmalloc+0x11d/0x310 [ 38.969635] sk_prot_alloc+0x101/0x2a0 [ 38.973482] sk_alloc+0x3a/0x3a0 [ 38.976817] packet_create+0xf0/0x8e0 [ 38.980580] __sock_create+0x3ab/0x640 [ 38.984427] SyS_socket+0xf0/0x1b0 [ 38.987929] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 38.992642] Freed: [ 38.994753] PID = 3672 [ 38.997212] save_stack_trace+0x16/0x20 [ 39.001146] save_stack+0x43/0xd0 [ 39.004559] kasan_slab_free+0x73/0xc0 [ 39.008405] kfree+0xf0/0x2f0 [ 39.011473] __sk_destruct+0x47f/0x570 [ 39.015320] sk_destruct+0x47/0x80 [ 39.018821] __sk_free+0x57/0x230 [ 39.022236] sk_free+0x23/0x30 [ 39.025389] packet_release+0x732/0xa20 [ 39.029324] sock_release+0x8d/0x1e0 [ 39.032999] sock_close+0x16/0x20 [ 39.036416] __fput+0x28c/0x6e0 [ 39.039654] ____fput+0x15/0x20 [ 39.042895] task_work_run+0x115/0x190 [ 39.046745] do_exit+0x82e/0x2a50