INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 syzkaller login: [ 41.874421] IPVS: ftp: loaded support on port[0] = 21 RTNETLINK answers: File exists RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 42.117676] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 42.443242] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 42.449351] 8021q: adding VLAN 0 to HW filter on device bond0 executing program [ 42.484635] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 42.521977] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 42.527506] ================================================================== [ 42.536024] BUG: KASAN: use-after-free in skb_copy_datagram_iter+0xa7f/0xac0 [ 42.543188] Read of size 1 at addr ffff8801aebdfb02 by task syzkaller304822/4434 [ 42.550690] [ 42.552296] CPU: 1 PID: 4434 Comm: syzkaller304822 Not tainted 4.16.0-rc7+ #5 [ 42.559536] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.568863] Call Trace: [ 42.571431] dump_stack+0x194/0x24d [ 42.575058] ? arch_local_irq_restore+0x53/0x53 [ 42.579702] ? show_regs_print_info+0x18/0x18 [ 42.584177] ? 
skb_copy_datagram_iter+0xa7f/0xac0 [ 42.588994] print_address_description+0x73/0x250 [ 42.593811] ? skb_copy_datagram_iter+0xa7f/0xac0 [ 42.598631] kasan_report+0x23c/0x360 [ 42.602410] __asan_report_load1_noabort+0x14/0x20 [ 42.607311] skb_copy_datagram_iter+0xa7f/0xac0 [ 42.611958] ? check_same_owner+0x320/0x320 [ 42.616253] ? do_raw_spin_trylock+0x190/0x190 [ 42.620808] ? __sk_queue_drop_skb+0x1d0/0x1d0 [ 42.625374] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.630361] ? trace_hardirqs_on+0xd/0x10 [ 42.634659] ? sock_dequeue_err_skb+0x2b1/0x420 [ 42.639301] ? kasan_check_write+0x14/0x20 [ 42.643514] sock_recv_errqueue+0xbe/0x3e0 [ 42.647727] ? rw_copy_check_uvector+0x1be/0x280 [ 42.652477] packet_recvmsg+0xb2e/0x17a0 [ 42.656516] ? import_iovec+0x238/0x430 [ 42.660469] ? packet_getname_spkt+0x2b0/0x2b0 [ 42.665026] ? kasan_check_write+0x14/0x20 [ 42.669232] ? _copy_from_user+0x99/0x110 [ 42.673355] ? copy_msghdr_from_user+0x3a6/0x590 [ 42.678087] ? SYSC_sendto+0x5c0/0x5c0 [ 42.681948] ? security_socket_recvmsg+0x91/0xc0 [ 42.686675] ? packet_getname_spkt+0x2b0/0x2b0 [ 42.691228] sock_recvmsg+0xc9/0x110 [ 42.694925] ? __sock_recv_wifi_status+0x210/0x210 [ 42.699830] ___sys_recvmsg+0x2a4/0x640 [ 42.703786] ? ___sys_sendmsg+0x8b0/0x8b0 [ 42.707917] ? security_socket_sendmsg+0x89/0xb0 [ 42.712645] ? packet_cached_dev_get+0x2b0/0x2b0 [ 42.717374] ? __fget_light+0x2b2/0x3c0 [ 42.721320] ? fget_raw+0x20/0x20 [ 42.724746] ? SYSC_sendto+0x41c/0x5c0 [ 42.728611] ? SYSC_connect+0x4a0/0x4a0 [ 42.732554] ? __fget_light+0x2b2/0x3c0 [ 42.736505] ? __do_page_fault+0x5f7/0xc90 [ 42.740717] ? lock_downgrade+0x980/0x980 [ 42.744846] __sys_recvmsg+0xe2/0x210 [ 42.748619] ? __sys_recvmsg+0xe2/0x210 [ 42.752567] ? SyS_sendmmsg+0x60/0x60 [ 42.756339] ? __fdget+0x18/0x20 [ 42.759691] ? security_socket_setsockopt+0x89/0xb0 [ 42.764683] ? SyS_setsockopt+0x215/0x360 [ 42.768813] ? security_file_fcntl+0x89/0xb0 [ 42.773199] SyS_recvmsg+0x2d/0x50 [ 42.776708] ? 
__sys_recvmsg+0x210/0x210 [ 42.780744] do_syscall_64+0x281/0x940 [ 42.784603] ? __do_page_fault+0xc90/0xc90 [ 42.788810] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.793540] ? syscall_return_slowpath+0x550/0x550 [ 42.798446] ? syscall_return_slowpath+0x2ac/0x550 [ 42.803351] ? prepare_exit_to_usermode+0x350/0x350 [ 42.808347] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 42.813688] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 42.818508] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 42.823670] RIP: 0033:0x4417e9 [ 42.826831] RSP: 002b:00007ffe785a30f8 EFLAGS: 00000217 ORIG_RAX: 000000000000002f [ 42.834512] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 00000000004417e9 [ 42.841755] RDX: 0000000000002000 RSI: 0000000020000580 RDI: 0000000000000003 [ 42.848999] RBP: 00000000004a335c R08: 000000000000001c R09: 000000000000001c [ 42.856244] R10: 0000000020008000 R11: 0000000000000217 R12: 00007ffe785a31d0 [ 42.863488] R13: 0000000000402570 R14: 0000000000000000 R15: 0000000000000000 [ 42.870748] [ 42.872351] Allocated by task 4434: [ 42.875956] save_stack+0x43/0xd0 [ 42.879379] kasan_kmalloc+0xad/0xe0 [ 42.883064] __kmalloc_node_track_caller+0x47/0x70 [ 42.887965] __kmalloc_reserve.isra.39+0x41/0xd0 [ 42.892690] __alloc_skb+0x13b/0x780 [ 42.896374] alloc_skb_with_frags+0x10d/0x750 [ 42.900840] sock_alloc_send_pskb+0x787/0x9b0 [ 42.905306] packet_sendmsg+0x1ece/0x60b0 [ 42.909425] sock_sendmsg+0xca/0x110 [ 42.913107] SYSC_sendto+0x361/0x5c0 [ 42.916792] SyS_sendto+0x40/0x50 [ 42.920216] do_syscall_64+0x281/0x940 [ 42.924075] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 42.929233] [ 42.930831] Freed by task 4434: [ 42.934080] save_stack+0x43/0xd0 [ 42.937506] __kasan_slab_free+0x11a/0x170 [ 42.941710] kasan_slab_free+0xe/0x10 [ 42.945480] kfree+0xd9/0x260 [ 42.948556] skb_free_head+0x74/0xb0 [ 42.952240] skb_release_data+0x58c/0x790 [ 42.956357] skb_release_all+0x4a/0x60 [ 42.960217] kfree_skb+0x15d/0x4c0 [ 42.963731] sit_tunnel_xmit+0x157/0x2d60 [ 42.967853] 
dev_hard_start_xmit+0x24e/0xac0 [ 42.972233] __dev_queue_xmit+0x26bf/0x2fc0 [ 42.976530] dev_queue_xmit+0x17/0x20 [ 42.980301] packet_sendmsg+0x3aed/0x60b0 [ 42.984417] sock_sendmsg+0xca/0x110 [ 42.988102] SYSC_sendto+0x361/0x5c0 [ 42.991792] SyS_sendto+0x40/0x50 [ 42.995217] do_syscall_64+0x281/0x940 [ 42.999091] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.004259] [ 43.005862] The buggy address belongs to the object at ffff8801aebdfa40 [ 43.005862] which belongs to the cache kmalloc-512 of size 512 [ 43.019120] The buggy address is located 194 bytes inside of [ 43.019120] 512-byte region [ffff8801aebdfa40, ffff8801aebdfc40) [ 43.030965] The buggy address belongs to the page: [ 43.035868] page:ffffea0006baf7c0 count:1 mapcount:0 mapping:ffff8801aebdf040 index:0x0 [ 43.043985] flags: 0x2fffc0000000100(slab) [ 43.048193] raw: 02fffc0000000100 ffff8801aebdf040 0000000000000000 0000000100000006 [ 43.056043] raw: ffffea0006ba0620 ffffea0006b922a0 ffff8801dac00940 0000000000000000 [ 43.063891] page dumped because: kasan: bad access detected [ 43.069570] [ 43.071168] Memory state around the buggy address: [ 43.076067] ffff8801aebdfa00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 43.083398] ffff8801aebdfa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.090726] >ffff8801aebdfb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.098053] ^ [ 43.101388] ffff8801aebdfb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.108720] ffff8801aebdfc00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 43.116048] ================================================================== [ 43.123383] Disabling lock debugging due to kernel taint [ 43.129183] Kernel panic - not syncing: panic_on_warn set ... 
[ 43.129183] [ 43.136531] CPU: 1 PID: 4434 Comm: syzkaller304822 Tainted: G B 4.16.0-rc7+ #5 [ 43.145076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.154399] Call Trace: [ 43.156964] dump_stack+0x194/0x24d [ 43.160564] ? arch_local_irq_restore+0x53/0x53 [ 43.165202] ? kasan_end_report+0x32/0x50 [ 43.169322] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.174047] ? vsnprintf+0x1ed/0x1900 [ 43.177818] ? skb_copy_datagram_iter+0x9b0/0xac0 [ 43.182633] panic+0x1e4/0x41c [ 43.185799] ? refcount_error_report+0x214/0x214 [ 43.190526] ? add_taint+0x1c/0x50 [ 43.194038] ? add_taint+0x1c/0x50 [ 43.197548] ? skb_copy_datagram_iter+0xa7f/0xac0 [ 43.202359] kasan_end_report+0x50/0x50 [ 43.206301] kasan_report+0x149/0x360 [ 43.210075] __asan_report_load1_noabort+0x14/0x20 [ 43.214974] skb_copy_datagram_iter+0xa7f/0xac0 [ 43.219615] ? check_same_owner+0x320/0x320 [ 43.223908] ? do_raw_spin_trylock+0x190/0x190 [ 43.228463] ? __sk_queue_drop_skb+0x1d0/0x1d0 [ 43.233015] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.238003] ? trace_hardirqs_on+0xd/0x10 [ 43.242124] ? sock_dequeue_err_skb+0x2b1/0x420 [ 43.246762] ? kasan_check_write+0x14/0x20 [ 43.250967] sock_recv_errqueue+0xbe/0x3e0 [ 43.255172] ? rw_copy_check_uvector+0x1be/0x280 [ 43.259904] packet_recvmsg+0xb2e/0x17a0 [ 43.263934] ? import_iovec+0x238/0x430 [ 43.267879] ? packet_getname_spkt+0x2b0/0x2b0 [ 43.272433] ? kasan_check_write+0x14/0x20 [ 43.276638] ? _copy_from_user+0x99/0x110 [ 43.280758] ? copy_msghdr_from_user+0x3a6/0x590 [ 43.285488] ? SYSC_sendto+0x5c0/0x5c0 [ 43.289348] ? security_socket_recvmsg+0x91/0xc0 [ 43.294079] ? packet_getname_spkt+0x2b0/0x2b0 [ 43.298633] sock_recvmsg+0xc9/0x110 [ 43.302317] ? __sock_recv_wifi_status+0x210/0x210 [ 43.307218] ___sys_recvmsg+0x2a4/0x640 [ 43.311165] ? ___sys_sendmsg+0x8b0/0x8b0 [ 43.315286] ? security_socket_sendmsg+0x89/0xb0 [ 43.320013] ? packet_cached_dev_get+0x2b0/0x2b0 [ 43.324737] ? __fget_light+0x2b2/0x3c0 [ 43.328680] ? 
fget_raw+0x20/0x20 [ 43.332106] ? SYSC_sendto+0x41c/0x5c0 [ 43.335964] ? SYSC_connect+0x4a0/0x4a0 [ 43.339906] ? __fget_light+0x2b2/0x3c0 [ 43.343854] ? __do_page_fault+0x5f7/0xc90 [ 43.348059] ? lock_downgrade+0x980/0x980 [ 43.352182] __sys_recvmsg+0xe2/0x210 [ 43.355950] ? __sys_recvmsg+0xe2/0x210 [ 43.359893] ? SyS_sendmmsg+0x60/0x60 [ 43.363662] ? __fdget+0x18/0x20 [ 43.367000] ? security_socket_setsockopt+0x89/0xb0 [ 43.371988] ? SyS_setsockopt+0x215/0x360 [ 43.376113] ? security_file_fcntl+0x89/0xb0 [ 43.380498] SyS_recvmsg+0x2d/0x50 [ 43.384008] ? __sys_recvmsg+0x210/0x210 [ 43.388040] do_syscall_64+0x281/0x940 [ 43.391897] ? __do_page_fault+0xc90/0xc90 [ 43.396103] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.400829] ? syscall_return_slowpath+0x550/0x550 [ 43.405726] ? syscall_return_slowpath+0x2ac/0x550 [ 43.410624] ? prepare_exit_to_usermode+0x350/0x350 [ 43.415610] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 43.420944] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.425760] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.430918] RIP: 0033:0x4417e9 [ 43.434099] RSP: 002b:00007ffe785a30f8 EFLAGS: 00000217 ORIG_RAX: 000000000000002f [ 43.441775] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 00000000004417e9 [ 43.449015] RDX: 0000000000002000 RSI: 0000000020000580 RDI: 0000000000000003 [ 43.456257] RBP: 00000000004a335c R08: 000000000000001c R09: 000000000000001c [ 43.463506] R10: 0000000020008000 R11: 0000000000000217 R12: 00007ffe785a31d0 [ 43.470748] R13: 0000000000402570 R14: 0000000000000000 R15: 0000000000000000 [ 43.478376] Dumping ftrace buffer: [ 43.481893] (ftrace buffer empty) [ 43.485574] Kernel Offset: disabled [ 43.489175] Rebooting in 86400 seconds..