INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-5,10.128.15.210' (ECDSA) to the list of known hosts.
2017/09/03 21:17:07 parsed 1 programs
2017/09/03 21:17:07 executed programs: 0
syzkaller login: [ 48.341238] dev_remove_pack: ffff8801c7daddc0 not found
[ 48.741416] ==================================================================
[ 48.748841] BUG: KASAN: use-after-free in __list_add_valid+0xb1/0xd0
[ 48.755311] Read of size 8 at addr ffff8801c8ce51f0 by task syz-executor0/4227
[ 48.762679]
[ 48.764286] CPU: 0 PID: 4227 Comm: syz-executor0 Not tainted 4.13.0-rc7+ #65
[ 48.771436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.780756] Call Trace:
[ 48.783316]  dump_stack+0x194/0x257
[ 48.786921]  ? arch_local_irq_restore+0x53/0x53
[ 48.791562]  ? show_regs_print_info+0x65/0x65
[ 48.796026]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.801022]  ? __list_add_valid+0xb1/0xd0
[ 48.805143]  print_address_description+0x73/0x250
[ 48.809953]  ? __list_add_valid+0xb1/0xd0
[ 48.814072]  kasan_report+0x24e/0x340
[ 48.817847]  __asan_report_load8_noabort+0x14/0x20
[ 48.822743]  __list_add_valid+0xb1/0xd0
[ 48.826689]  dev_add_pack+0x113/0x2b0
[ 48.830456]  ? napi_skb_free_stolen_head+0x170/0x170
[ 48.835531]  ? lockdep_init_map+0xe4/0x650
[ 48.839741]  register_prot_hook.part.49+0x95/0xb0
[ 48.844554]  packet_create+0x81a/0xb00
[ 48.848413]  ? register_prot_hook.part.49+0xb0/0xb0
[ 48.853400]  ? __sock_create+0x46e/0x850
[ 48.857432]  ? lock_downgrade+0x990/0x990
[ 48.861553]  ? lock_release+0xa40/0xa40
[ 48.865502]  ? __lock_is_held+0xb6/0x140
[ 48.869552]  __sock_create+0x4d4/0x850
[ 48.873413]  ? ___sys_recvmsg+0x620/0x620
[ 48.877550]  SyS_socket+0xeb/0x200
[ 48.881059]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 48.885868]  ? move_addr_to_kernel+0x60/0x60
[ 48.890243]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.895230]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.899960]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 48.904681] RIP: 0033:0x451e59
[ 48.907840] RSP: 002b:00007f7c22bc0c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000029
[ 48.915515] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
[ 48.922751] RDX: 0000000000000008 RSI: 0000000000080003 RDI: 0000000000000011
[ 48.929987] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 48.937227] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb419
[ 48.944462] R13: 00000000ffffffff R14: ffffffffffffffff R15: 0000000000000001
[ 48.951719]
[ 48.953315] Allocated by task 4087:
[ 48.956912]  save_stack_trace+0x16/0x20
[ 48.960857]  save_stack+0x43/0xd0
[ 48.964275]  kasan_kmalloc+0xad/0xe0
[ 48.967961]  kmem_cache_alloc_trace+0x12f/0x740
[ 48.972598]  fanout_add+0xa50/0x1190
[ 48.976275]  packet_setsockopt+0xfdc/0x1e80
[ 48.980563]  SyS_setsockopt+0x189/0x360
[ 48.984505]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 48.989225]
[ 48.990818] Freed by task 4232:
[ 48.994063]  save_stack_trace+0x16/0x20
[ 48.998005]  save_stack+0x43/0xd0
[ 49.001429]  kasan_slab_free+0x71/0xc0
[ 49.005284]  kfree+0xca/0x250
[ 49.008356]  packet_release+0xa8f/0xd70
[ 49.012297]  sock_release+0x8d/0x1e0
[ 49.015975]  sock_close+0x16/0x20
[ 49.019398]  __fput+0x327/0x7e0
[ 49.022641]  ____fput+0x15/0x20
[ 49.025891]  task_work_run+0x18a/0x260
[ 49.029744]  do_exit+0xa3a/0x1b10
[ 49.033163]  do_group_exit+0x149/0x400
[ 49.037021]  get_signal+0x7e8/0x17e0
[ 49.040707]  do_signal+0x94/0x1ee0
[ 49.044217]  exit_to_usermode_loop+0x224/0x300
[ 49.048763]  syscall_return_slowpath+0x3a7/0x450
[ 49.053484]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 49.058204]
[ 49.059800] The buggy address belongs to the object at ffff8801c8ce4940
[ 49.059800]  which belongs to the cache kmalloc-4096 of size 4096
[ 49.072596] The buggy address is located 2224 bytes inside of
[ 49.072596]  4096-byte region [ffff8801c8ce4940, ffff8801c8ce5940)
[ 49.084606] The buggy address belongs to the page:
[ 49.089500] page:ffffea0007233900 count:1 mapcount:0 mapping:ffff8801c8ce4940 index:0x0 compound_mapcount: 0
[ 49.099435] flags: 0x200000000008100(slab|head)
[ 49.104073] raw: 0200000000008100 ffff8801c8ce4940 0000000000000000 0000000100000001
[ 49.111927] raw: ffffea000725fc20 ffffea0007233a20 ffff8801dac00dc0 0000000000000000
[ 49.119771] page dumped because: kasan: bad access detected
[ 49.125443]
[ 49.127043] Memory state around the buggy address:
[ 49.131938]  ffff8801c8ce5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.139261]  ffff8801c8ce5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.146585] >ffff8801c8ce5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.153908]                                                              ^
[ 49.160884]  ffff8801c8ce5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.168209]  ffff8801c8ce5280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.175531] ==================================================================
[ 49.182859] Disabling lock debugging due to kernel taint
[ 49.188412] Kernel panic - not syncing: panic_on_warn set ...
[ 49.188412]
[ 49.195743] CPU: 0 PID: 4227 Comm: syz-executor0 Tainted: G    B   4.13.0-rc7+ #65
[ 49.204110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.213441] Call Trace:
[ 49.216004]  dump_stack+0x194/0x257
[ 49.219604]  ? arch_local_irq_restore+0x53/0x53
[ 49.224242]  ? kasan_end_report+0x32/0x50
[ 49.228359]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.233087]  ? __list_add_valid+0x50/0xd0
[ 49.237204]  panic+0x1e4/0x417
[ 49.240364]  ? __warn+0x1d9/0x1d9
[ 49.243792]  ? __list_add_valid+0xb1/0xd0
[ 49.247907]  kasan_end_report+0x50/0x50
[ 49.251850]  kasan_report+0x137/0x340
[ 49.255620]  __asan_report_load8_noabort+0x14/0x20
[ 49.260514]  __list_add_valid+0xb1/0xd0
[ 49.264455]  dev_add_pack+0x113/0x2b0
[ 49.268221]  ? napi_skb_free_stolen_head+0x170/0x170
[ 49.273291]  ? lockdep_init_map+0xe4/0x650
[ 49.277496]  register_prot_hook.part.49+0x95/0xb0
[ 49.282305]  packet_create+0x81a/0xb00
[ 49.286159]  ? register_prot_hook.part.49+0xb0/0xb0
[ 49.291143]  ? __sock_create+0x46e/0x850
[ 49.295172]  ? lock_downgrade+0x990/0x990
[ 49.299285]  ? lock_release+0xa40/0xa40
[ 49.303228]  ? __lock_is_held+0xb6/0x140
[ 49.307264]  __sock_create+0x4d4/0x850
[ 49.311119]  ? ___sys_recvmsg+0x620/0x620
[ 49.315244]  SyS_socket+0xeb/0x200
[ 49.318760]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 49.323570]  ? move_addr_to_kernel+0x60/0x60
[ 49.327949]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.332942]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 49.337666]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 49.342385] RIP: 0033:0x451e59
[ 49.345542] RSP: 002b:00007f7c22bc0c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000029
[ 49.353215] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
[ 49.360450] RDX: 0000000000000008 RSI: 0000000000080003 RDI: 0000000000000011
[ 49.367687] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 49.374922] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb419
[ 49.382158] R13: 00000000ffffffff R14: ffffffffffffffff R15: 0000000000000001
[ 49.389892] Dumping ftrace buffer:
[ 49.393398]    (ftrace buffer empty)
[ 49.397073] Kernel Offset: disabled
[ 49.400673] Rebooting in 86400 seconds..