Warning: Permanently added 'ci-android-49-kasan-gce-1,10.128.0.27' (ECDSA) to the list of known hosts.
serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-1 port 1 (session ID: e308b9dcfcf4a07602d83a51d0b68d30b12ebe5064c1a8313f5b40d2c5afde78, active connections: 1).
INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

2017/07/26 07:22:04 parsed 1 programs
2017/07/26 07:22:04 executed programs: 0
syzkaller login: [   28.885148] BUG: sleeping function called from invalid context at mm/slab.h:393
[   28.886725] in_atomic(): 1, irqs_disabled(): 0, pid: 3500, name: syz-executor1
[   28.887980] 2 locks held by syz-executor1/3500:
[   28.888634]  #0:  (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83596861>] pfkey_sendmsg+0x3a1/0x750
[   28.890390]  #1:  (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff833df510>] xfrm_policy_walk+0xb0/0x4d0
[   28.892221] Preemption disabled at:[   28.892770] [<ffffffff833df510>] xfrm_policy_walk+0xb0/0x4d0
[   28.893602] CPU: 1 PID: 3500 Comm: syz-executor1 Not tainted 4.9.39-g72a0c9f #6
[   28.894808] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.896176]  ffff8801d0fe76c0 ffffffff81eacd59 ffffffff833df510 0000000000000000
[   28.897453]  0000000000000201 ffff8801d0fade00 ffff8801d0fade00 ffff8801d0fe76f8
[   28.898813]  ffffffff811babe4 ffff8801d0fade00 ffffffff84175d81 0000000000000189
[   28.900052] Call Trace:
[   28.900502]  [<ffffffff81eacd59>] dump_stack+0xc1/0x128
[   28.901233]  [<ffffffff833df510>] ? xfrm_policy_walk+0xb0/0x4d0
[   28.902157]  [<ffffffff811babe4>] ___might_sleep+0x2f4/0x470
[   28.903027]  [<ffffffff811badf5>] __might_sleep+0x95/0x1a0
[   28.903827]  [<ffffffff82f1d842>] ? skb_clone+0x142/0x2c0
[   28.904590]  [<ffffffff81541a11>] kmem_cache_alloc+0x151/0x2a0
[   28.906978]  [<ffffffff82f1d842>] skb_clone+0x142/0x2c0
[   28.912329]  [<ffffffff8358a6d7>] pfkey_broadcast_one+0x367/0x480
[   28.918551]  [<ffffffff83591d2a>] pfkey_broadcast+0x3ba/0x5f0
[   28.924417]  [<ffffffff83591b02>] ? pfkey_broadcast+0x192/0x5f0
[   28.930447]  [<ffffffff83591970>] ? pfkey_seq_stop+0x80/0x80
[   28.936217]  [<ffffffff83595ba4>] dump_sp+0x354/0x450
[   28.941382]  [<ffffffff833df611>] xfrm_policy_walk+0x1b1/0x4d0
[   28.947327]  [<ffffffff83595850>] ? pfkey_flush+0x2d0/0x2d0
[   28.953014]  [<ffffffff8358a832>] pfkey_dump_sp+0x42/0x50
[   28.958525]  [<ffffffff83593a60>] pfkey_do_dump+0x40/0x2b0
[   28.964126]  [<ffffffff83593e57>] pfkey_spddump+0x187/0x1e0
[   28.969812]  [<ffffffff83593cd0>] ? pfkey_do_dump+0x2b0/0x2b0
[   28.975674]  [<ffffffff83595006>] pfkey_process+0x606/0x710
[   28.981386]  [<ffffffff812373ff>] ? mark_held_locks+0xaf/0x100
[   28.987354]  [<ffffffff83594a00>] ? pfkey_dump+0x660/0x660
[   28.993395]  [<ffffffff8359686f>] pfkey_sendmsg+0x3af/0x750
[   28.999095]  [<ffffffff835964c0>] ? pfkey_spdget+0x820/0x820
[   29.004932]  [<ffffffff82efba2a>] sock_sendmsg+0xca/0x110
[   29.010485]  [<ffffffff82efbc8d>] sock_write_iter+0x21d/0x3a0
[   29.016377]  [<ffffffff812ddbb3>] ? do_futex+0x3d3/0x1600
[   29.021924]  [<ffffffff82efba70>] ? sock_sendmsg+0x110/0x110
[   29.027706]  [<ffffffff81237fb0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   29.034697]  [<ffffffff81ee9e2f>] ? iov_iter_init+0xaf/0x1d0
[   29.040472]  [<ffffffff8157311c>] __vfs_write+0x4ac/0x660
[   29.045985]  [<ffffffff81540cfd>] ? ___slab_alloc+0x3bd/0x5e0
[   29.051843]  [<ffffffff81572c70>] ? default_llseek+0x290/0x290
[   29.057790]  [<ffffffff81d7c3a2>] ? apparmor_file_permission+0x22/0x30
[   29.064427]  [<ffffffff81576785>] ? rw_verify_area+0xe5/0x2b0
[   29.070283]  [<ffffffff81576df0>] vfs_write+0x170/0x4e0
[   29.075619]  [<ffffffff8157a724>] SyS_write+0xd4/0x1a0
[   29.080868]  [<ffffffff8157a650>] ? SyS_read+0x1a0/0x1a0
[   29.086294]  [<ffffffff812377db>] ? trace_hardirqs_on_caller+0x38b/0x590
[   29.093107]  [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.099666]  [<ffffffff83965985>] entry_SYSCALL_64_fastpath+0x23/0xc6
[   29.152880] ==================================================================
[   29.160276] BUG: KASAN: use-after-free in skb_dequeue+0x162/0x180 at addr ffff8801cf9e0788
[   29.168660] Write of size 8 by task syz-executor1/3500
[   29.173914] CPU: 1 PID: 3500 Comm: syz-executor1 Tainted: G        W       4.9.39-g72a0c9f #6
[   29.182556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.191886]  ffff8801d0fe76c8 ffffffff81eacd59 ffff8801d9ff23c0 ffff8801cf9e0780
[   29.199905]  ffff8801cf9e0860 ffffed0039f3c0f1 ffff8801cf9e0788 ffff8801d0fe76f0
[   29.207880]  ffffffff81546bfc ffffed0039f3c0f1 ffff8801d9ff23c0 0000000000000001
[   29.215855] Call Trace:
[   29.218423]  [<ffffffff81eacd59>] dump_stack+0xc1/0x128
[   29.223765]  [<ffffffff81546bfc>] kasan_object_err+0x1c/0x70
[   29.229540]  [<ffffffff81546ead>] kasan_report.part.1+0x20d/0x4e0
[   29.235749]  [<ffffffff82f12112>] ? skb_dequeue+0x162/0x180
[   29.241434]  [<ffffffff8154732c>] __asan_report_store8_noabort+0x2c/0x30
[   29.248248]  [<ffffffff82f12112>] skb_dequeue+0x162/0x180
[   29.253761]  [<ffffffff82f187f6>] skb_queue_purge+0x26/0x40
[   29.259449]  [<ffffffff835a0097>] pfkey_sock_destruct+0x157/0x370
[   29.265654]  [<ffffffff8359ff74>] ? pfkey_sock_destruct+0x34/0x370
[   29.271947]  [<ffffffff8359ff40>] ? pfkey_is_alive+0x470/0x470
[   29.277894]  [<ffffffff82f08c93>] __sk_destruct+0x53/0x570
[   29.283494]  [<ffffffff82f0d397>] sk_destruct+0x47/0x80
[   29.288834]  [<ffffffff82f0d427>] __sk_free+0x57/0x230
[   29.294087]  [<ffffffff82f0d623>] sk_free+0x23/0x30
[   29.299081]  [<ffffffff8359185e>] pfkey_release+0x25e/0x2f0
[   29.304769]  [<ffffffff82ef8980>] ? sock_release+0x1e0/0x1e0
[   29.310542]  [<ffffffff82ef882d>] sock_release+0x8d/0x1e0
[   29.316056]  [<ffffffff82ef8996>] sock_close+0x16/0x20
[   29.321307]  [<ffffffff8157bfdc>] __fput+0x28c/0x6e0
[   29.326382]  [<ffffffff8157c4b5>] ____fput+0x15/0x20
[   29.331462]  [<ffffffff81196f95>] task_work_run+0x115/0x190
[   29.337150]  [<ffffffff8113eb7e>] do_exit+0x82e/0x2a50
[   29.342404]  [<ffffffff81237fb0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   29.349395]  [<ffffffff82f13267>] ? kfree_skbmem+0xd7/0xf0
[   29.354995]  [<ffffffff8113e350>] ? release_task+0x1240/0x1240
[   29.360948]  [<ffffffff81283133>] ? rcu_read_lock_sched_held+0x103/0x120
[   29.367767]  [<ffffffff815422ae>] ? kmem_cache_free+0x26e/0x2e0
[   29.373827]  [<ffffffff8115c9f3>] ? __dequeue_signal+0xa3/0x550
[   29.379950]  [<ffffffff8115c712>] ? recalc_sigpending+0x72/0x90
[   29.385984]  [<ffffffff81145308>] do_group_exit+0x108/0x320
[   29.391688]  [<ffffffff8116766c>] get_signal+0x55c/0x1600
[   29.397203]  [<ffffffff82efbd09>] ? sock_write_iter+0x299/0x3a0
[   29.403240]  [<ffffffff81054b7f>] do_signal+0x7f/0x1940
[   29.408727]  [<ffffffff81054b00>] ? setup_sigcontext+0x7d0/0x7d0
[   29.414853]  [<ffffffff81648566>] ? fsnotify+0x86/0xf30
[   29.420202]  [<ffffffff81d7c3a2>] ? apparmor_file_permission+0x22/0x30
[   29.426843]  [<ffffffff81576785>] ? rw_verify_area+0xe5/0x2b0
[   29.432703]  [<ffffffff81576e8a>] ? vfs_write+0x20a/0x4e0
[   29.438219]  [<ffffffff8157bce2>] ? fput+0xd2/0x140
[   29.443213]  [<ffffffff810039df>] ? exit_to_usermode_loop+0xaf/0x130
[   29.449682]  [<ffffffff81003a15>] exit_to_usermode_loop+0xe5/0x130
[   29.455975]  [<ffffffff81006260>] syscall_return_slowpath+0x1a0/0x1e0
[   29.462532]  [<ffffffff83965a26>] entry_SYSCALL_64_fastpath+0xc4/0xc6
[   29.469094] Object at ffff8801cf9e0780, in cache skbuff_head_cache size: 224
[   29.476266] Allocated:
[   29.478736] PID = 3500
[   29.481210]  save_stack_trace+0x16/0x20
[   29.485159]  save_stack+0x43/0xd0
[   29.488586]  kasan_kmalloc+0xad/0xe0
[   29.492270]  kasan_slab_alloc+0x12/0x20
[   29.496214]  kmem_cache_alloc_node+0x107/0x2a0
[   29.500769]  __alloc_skb+0xef/0x600
[   29.504371]  pfkey_xfrm_policy2msg_prep+0x29/0x50
[   29.509185]  dump_sp+0xa8/0x450
[   29.512438]  xfrm_policy_walk+0x1b1/0x4d0
[   29.516559]  pfkey_dump_sp+0x42/0x50
[   29.520246]  pfkey_do_dump+0x40/0x2b0
[   29.524016]  pfkey_spddump+0x187/0x1e0
[   29.527877]  pfkey_process+0x606/0x710
[   29.531740]  pfkey_sendmsg+0x3af/0x750
[   29.535604]  sock_sendmsg+0xca/0x110
[   29.539319]  sock_write_iter+0x21d/0x3a0
[   29.543353]  __vfs_write+0x4ac/0x660
[   29.547044]  vfs_write+0x170/0x4e0
[   29.550555]  SyS_write+0xd4/0x1a0
[   29.553980]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   29.558705] Freed:
[   29.560825] PID = 3500
[   29.563293]  save_stack_trace+0x16/0x20
[   29.567248]  save_stack+0x43/0xd0
[   29.570674]  kasan_slab_free+0x73/0xc0
[   29.574536]  kmem_cache_free+0xb2/0x2e0
[   29.578483]  kfree_skbmem+0xd7/0xf0
[   29.582081]  __kfree_skb+0x1d/0x20
[   29.585593]  kfree_skb+0xcc/0x330
[   29.589018]  pfkey_broadcast+0x3d6/0x5f0
[   29.593053]  dump_sp+0x354/0x450
[   29.596392]  xfrm_policy_walk+0x1b1/0x4d0
[   29.600509]  pfkey_dump_sp+0x42/0x50
[   29.604194]  pfkey_do_dump+0x40/0x2b0
[   29.607966]  pfkey_spddump+0x187/0x1e0
[   29.611824]  pfkey_process+0x606/0x710
[   29.615689]  pfkey_sendmsg+0x3af/0x750
[   29.619550]  sock_sendmsg+0xca/0x110
[   29.623238]  sock_write_iter+0x21d/0x3a0
[   29.627271]  __vfs_write+0x4ac/0x660
[   29.630964]  vfs_write+0x170/0x4e0
[   29.634475]  SyS_write+0xd4/0x1a0
[   29.637904]  entry_SYSCALL_64_fastpath+0x23/0xc6
[   29.642629] Memory state around the buggy address:
[   29.647532]  ffff8801cf9e0680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.654865]  ffff8801cf9e0700: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   29.662197] >ffff8801cf9e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.669525]                       ^
[   29.673136]  ffff8801cf9e0800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   29.680471]  ffff8801cf9e0880: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   29.687807] ==================================================================
[   29.695136] Disabling lock debugging due to kernel taint
[   29.702250] ==================================================================
[   29.709609] BUG: KASAN: use-after-free in skb_dequeue+0x176/0x180 at addr ffff8801cf9e0780
[   29.717982] Read of size 8 by task syz-executor1/3500
[   29.723148] CPU: 1 PID: 3500 Comm: syz-executor1 Tainted: G    B   W       4.9.39-g72a0c9f #6
[   29.731780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.741110]  ffff8801d0fe76c8 ffffffff81eacd59 ffff8801d9ff23c0 ffff8801cf9e0780
[   29.749163]  ffff8801cf9e0860 ffffed0039f3c0f0 ffff8801cf9e0780 ffff8801d0fe76f0
[   29.757288]  ffffffff81546bfc ffffed0039f3c0f0 ffff8801d9ff23c0 0000000000000000
[   29.765344] Call Trace:
[   29.767910]  [<ffffffff81eacd59>] dump_stack+0xc1/0x128
[   29.773340]  [<ffffffff81546bfc>] kasan_object_err+0x1c/0x70
[   29.779175]  [<ffffffff81546ead>] kasan_report.part.1+0x20d/0x4e0
[   29.785404]  [<ffffffff82f12126>] ? skb_dequeue+0x176/0x180
[   29.791093]  [<ffffffff81547239>] __asan_report_load8_noabort+0x29/0x30
[   29.797821]  [<ffffffff82f12126>] skb_dequeue+0x176/0x180
[   29.803335]  [<ffffffff82f187f6>] skb_queue_purge+0x26/0x40
[   29.809054]  [<ffffffff835a0097>] pfkey_sock_destruct+0x157/0x370
[   29.815266]  [<ffffffff8359ff74>] ? pfkey_sock_destruct+0x34/0x370
[   29.821561]  [<ffffffff8359ff40>] ? pfkey_is_alive+0x470/0x470
[   29.827507]  [<ffffffff82f08c93>] __sk_destruct+0x53/0x570
[   29.833107]  [<ffffffff82f0d397>] sk_destruct+0x47/0x80
[   29.838444]  [<ffffffff82f0d427>] __sk_free+0x57/0x230
[   29.843692]  [<ffffffff82f0d623>] sk_free+0x23/0x30
[   29.848681]  [<ffffffff8359185e>] pfkey_release+0x25e/0x2f0
[   29.854365]  [<ffffffff82ef8980>] ? sock_release+0x1e0/0x1e0
[   29.860144]  [<ffffffff82ef882d>] sock_release+0x8d/0x1e0
[   29.865657]  [<ffffffff82ef8996>] sock_close+0x16/0x20
[   29.870917]  [<ffffffff8157bfdc>] __fput+0x28c/0x6e0
[   29.875992]  [<ffffffff8157c4b5>] ____fput+0x15/0x20
[   29.881075]  [<ffffffff81196f95>] task_work_run+0x115/0x190
[   29.886767]  [<ffffffff8113eb7e>] do_exit+0x82e/0x2a50
[   29.892021]  [<ffffffff81237fb0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   29.899011]  [<ffffffff82f13267>] ? kfree_skbmem+0xd7/0xf0