INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
2018/04/16 03:14:29 parsed 1 programs
2018/04/16 03:14:29 executed programs: 0

syzkaller login: [   26.295684] IPVS: ftp: loaded support on port[0] = 21
[   26.346968] IPVS: ftp: loaded support on port[0] = 21
[   26.389447] IPVS: ftp: loaded support on port[0] = 21
[   26.443802] IPVS: ftp: loaded support on port[0] = 21
[   26.483988] IPVS: ftp: loaded support on port[0] = 21
[   26.531051] IPVS: ftp: loaded support on port[0] = 21
[   26.587892] IPVS: ftp: loaded support on port[0] = 21
[   26.638326] Failed to remove local publication {0,0,0}/2681829430
[   26.672039] IPVS: ftp: loaded support on port[0] = 21
[   26.740010] IPVS: ftp: loaded support on port[0] = 21
[   26.809988] IPVS: ftp: loaded support on port[0] = 21
[   26.876674] IPVS: ftp: loaded support on port[0] = 21
[   26.919683] Failed to remove local publication {0,0,0}/1323857775
[   26.954338] IPVS: ftp: loaded support on port[0] = 21
[   27.033638] IPVS: ftp: loaded support on port[0] = 21
[   27.103318] IPVS: ftp: loaded support on port[0] = 21
[   27.170874] IPVS: ftp: loaded support on port[0] = 21
[   27.241428] IPVS: ftp: loaded support on port[0] = 21
[   27.294569] IPVS: ftp: loaded support on port[0] = 21
[   27.360661] IPVS: ftp: loaded support on port[0] = 21
[   27.423879] IPVS: ftp: loaded support on port[0] = 21
[   27.487417] IPVS: ftp: loaded support on port[0] = 21
[   27.533843] Failed to remove local publication {0,0,0}/2351500785
[   27.568425] IPVS: ftp: loaded support on port[0] = 21
[   27.638731] IPVS: ftp: loaded support on port[0] = 21
[   27.703157] IPVS: ftp: loaded support on port[0] = 21
[   27.761557] IPVS: ftp: loaded support on port[0] = 21
[   27.822377] IPVS: ftp: loaded support on port[0] = 21
[   27.876309] Failed to remove local publication {0,0,0}/3933191389
[   27.900512] IPVS: ftp: loaded support on port[0] = 21
[   27.958601] IPVS: ftp: loaded support on port[0] = 21
[   28.021961] IPVS: ftp: loaded support on port[0] = 21
[   28.074918] IPVS: ftp: loaded support on port[0] = 21
[   28.147796] IPVS: ftp: loaded support on port[0] = 21
[   28.203106] IPVS: ftp: loaded support on port[0] = 21
[   28.286108] IPVS: ftp: loaded support on port[0] = 21
[   28.331703] IPVS: ftp: loaded support on port[0] = 21
[   28.409048] IPVS: ftp: loaded support on port[0] = 21
[   28.486209] IPVS: ftp: loaded support on port[0] = 21
[   28.527809] ==================================================================
[   28.535338] BUG: KASAN: use-after-free in tipc_nametbl_stop+0x94e/0xd70
[   28.542096] Read of size 8 at addr ffff8801aad5bf30 by task kworker/u4:1/22
[   28.549202]
[   28.550822] CPU: 1 PID: 22 Comm: kworker/u4:1 Not tainted 4.16.0+ #4
[   28.557296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.566690] Workqueue: netns cleanup_net
[   28.570747] Call Trace:
[   28.573318]  dump_stack+0x1b9/0x294
[   28.576928]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.582537]  ? printk+0x9e/0xba
[   28.585800]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   28.590540]  ? kasan_check_write+0x14/0x20
[   28.594761]  print_address_description+0x6c/0x20b
[   28.599594]  ? tipc_nametbl_stop+0x94e/0xd70
[   28.603986]  kasan_report.cold.7+0x242/0x2fe
[   28.608386]  __asan_report_load8_noabort+0x14/0x20
[   28.613303]  tipc_nametbl_stop+0x94e/0xd70
[   28.617530]  ? tipc_nametbl_init+0x5b0/0x5b0
[   28.621927]  ? mark_held_locks+0xc9/0x160
[   28.626056]  ? quarantine_put+0xeb/0x190
[   28.630102]  ? kfree+0x111/0x260
[   28.633454]  ? tipc_bcast_stop+0x281/0x3d0
[   28.637673]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.642686]  ? trace_hardirqs_on+0xd/0x10
[   28.646824]  ? tipc_bcast_stop+0x281/0x3d0
[   28.651042]  ? tipc_bcast_init+0xc80/0xc80
[   28.655266]  ? tipc_enable_bearer.cold.19+0xbf/0xbf
[   28.660268]  tipc_exit_net+0x2d/0x40
[   28.663968]  ops_exit_list.isra.7+0xb0/0x160
[   28.668368]  cleanup_net+0x51d/0xb20
[   28.672064]  ? lock_downgrade+0x8e0/0x8e0
[   28.676199]  ? peernet2id_alloc+0x3e0/0x3e0
[   28.680503]  ? find_held_lock+0x36/0x1c0
[   28.684551]  ? graph_lock+0x170/0x170
[   28.688336]  ? lock_acquire+0x1dc/0x520
[   28.692311]  ? process_one_work+0xb46/0x1b50
[   28.696710]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   28.701802]  ? __lock_is_held+0xb5/0x140
[   28.705855]  process_one_work+0xc1e/0x1b50
[   28.710085]  ? finish_task_switch+0x182/0x810
[   28.714574]  ? pwq_dec_nr_in_flight+0x490/0x490
[   28.719236]  ? __schedule+0x809/0x1e30
[   28.723115]  ? graph_lock+0x170/0x170
[   28.726901]  ? lock_downgrade+0x8e0/0x8e0
[   28.731043]  ? find_held_lock+0x36/0x1c0
[   28.735092]  ? lock_acquire+0x1dc/0x520
[   28.739053]  ? lock_downgrade+0x8e0/0x8e0
[   28.743192]  ? lock_release+0xa10/0xa10
[   28.747156]  ? kasan_check_read+0x11/0x20
[   28.751292]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   28.755868]  worker_thread+0x1cc/0x1440
[   28.759834]  ? process_one_work+0x1b50/0x1b50
[   28.764317]  ? graph_lock+0x170/0x170
[   28.768101]  ? find_held_lock+0x36/0x1c0
[   28.772150]  ? find_held_lock+0x36/0x1c0
[   28.776207]  ? __schedule+0x1e30/0x1e30
[   28.780170]  ? do_raw_spin_unlock+0x9e/0x2e0
[   28.784567]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   28.789133]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   28.794220]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.799225]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.804749]  ? __kthread_parkme+0x1b7/0x280
[   28.809059]  kthread+0x345/0x410
[   28.812414]  ? process_one_work+0x1b50/0x1b50
[   28.816891]  ? kthread_bind+0x40/0x40
[   28.820679]  ret_from_fork+0x3a/0x50
[   28.824387]
[   28.825995] Allocated by task 4596:
[   28.829610]  save_stack+0x43/0xd0
[   28.833046]  kasan_kmalloc+0xc4/0xe0
[   28.836741]  kmem_cache_alloc_trace+0x152/0x780
[   28.841396]  tipc_nametbl_insert_publ+0x569/0x1910
[   28.846308]  tipc_nametbl_publish+0x6c3/0xba0
[   28.850785]  tipc_sk_publish+0x22a/0x510
[   28.854827]  tipc_bind+0x206/0x330
[   28.858362]  __sys_bind+0x331/0x440
[   28.861971]  SyS_bind+0x24/0x30
[   28.865237]  do_syscall_64+0x29e/0x9d0
[   28.869109]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   28.874274]
[   28.875882] Freed by task 22:
[   28.878970]  save_stack+0x43/0xd0
[   28.882494]  __kasan_slab_free+0x11a/0x170
[   28.886712]  kasan_slab_free+0xe/0x10
[   28.890496]  kfree+0xd9/0x260
[   28.893597]  tipc_service_remove_publ.isra.8+0x909/0xc30
[   28.899034]  tipc_nametbl_stop+0x746/0xd70
[   28.903247]  tipc_exit_net+0x2d/0x40
[   28.906948]  ops_exit_list.isra.7+0xb0/0x160
[   28.911341]  cleanup_net+0x51d/0xb20
[   28.915042]  process_one_work+0xc1e/0x1b50
[   28.919277]  worker_thread+0x1cc/0x1440
[   28.923234]  kthread+0x345/0x410
[   28.926586]  ret_from_fork+0x3a/0x50
[   28.930276]
[   28.931890] The buggy address belongs to the object at ffff8801aad5bf00
[   28.931890]  which belongs to the cache kmalloc-64 of size 64
[   28.944360] The buggy address is located 48 bytes inside of
[   28.944360]  64-byte region [ffff8801aad5bf00, ffff8801aad5bf40)
[   28.956044] The buggy address belongs to the page:
[   28.960956] page:ffffea0006ab56c0 count:1 mapcount:0 mapping:ffff8801aad5b000 index:0x0
[   28.969083] flags: 0x2fffc0000000100(slab)
[   28.973308] raw: 02fffc0000000100 ffff8801aad5b000 0000000000000000 0000000100000020
[   28.981185] raw: ffffea00075fa460 ffffea0006ab1660 ffff8801dac00340 0000000000000000
[   28.989049] page dumped because: kasan: bad access detected
[   28.994739]
[   28.996347] Memory state around the buggy address:
[   29.001269]  ffff8801aad5be00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.008610]  ffff8801aad5be80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.015952] >ffff8801aad5bf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.023291]                                      ^
[   29.028201]  ffff8801aad5bf80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.035544]  ffff8801aad5c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.042898] ==================================================================
[   29.050254] Disabling lock debugging due to kernel taint
[   29.055740] Kernel panic - not syncing: panic_on_warn set ...
[   29.055740]
[   29.063228] CPU: 1 PID: 22 Comm: kworker/u4:1 Tainted: G    B            4.16.0+ #4
[   29.067865] IPVS: ftp: loaded support on port[0] = 21
[   29.071101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.071122] Workqueue: netns cleanup_net
[   29.089710] Call Trace:
[   29.092299]  dump_stack+0x1b9/0x294
[   29.095932]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.101302]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.106068]  ? tipc_nametbl_stop+0x890/0xd70
[   29.110503]  panic+0x22f/0x4de
[   29.113700]  ? add_taint.cold.5+0x16/0x16
[   29.117854]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.122266]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.123147] IPVS: ftp: loaded support on port[0] = 21
[   29.126697]  ? tipc_nametbl_stop+0x94e/0xd70
[   29.126714]  kasan_end_report+0x47/0x4f
[   29.140239]  kasan_report.cold.7+0x76/0x2fe
[   29.144569]  __asan_report_load8_noabort+0x14/0x20
[   29.149509]  tipc_nametbl_stop+0x94e/0xd70
[   29.153772]  ? tipc_nametbl_init+0x5b0/0x5b0
[   29.158194]  ? mark_held_locks+0xc9/0x160
[   29.162354]  ? quarantine_put+0xeb/0x190
[   29.166418]  ? kfree+0x111/0x260
[   29.169783]  ? tipc_bcast_stop+0x281/0x3d0
[   29.171286] IPVS: ftp: loaded support on port[0] = 21
[   29.174015]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.174030]  ? trace_hardirqs_on+0xd/0x10
[   29.189043]  ? tipc_bcast_stop+0x281/0x3d0
[   29.193288]  ? tipc_bcast_init+0xc80/0xc80
[   29.197531]  ? tipc_enable_bearer.cold.19+0xbf/0xbf
[   29.202570]  tipc_exit_net+0x2d/0x40
[   29.206290]  ops_exit_list.isra.7+0xb0/0x160
[   29.210708]  cleanup_net+0x51d/0xb20
[   29.214435]  ? lock_downgrade+0x8e0/0x8e0
[   29.218616]  ? peernet2id_alloc+0x3e0/0x3e0
[   29.222943]  ? find_held_lock+0x36/0x1c0
[   29.227011]  ? graph_lock+0x170/0x170
[   29.228801] IPVS: ftp: loaded support on port[0] = 21
[   29.230812]  ? lock_acquire+0x1dc/0x520
[   29.230826]  ? process_one_work+0xb46/0x1b50
[   29.230844]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   29.249462]  ? __lock_is_held+0xb5/0x140
[   29.253559]  process_one_work+0xc1e/0x1b50
[   29.257797]  ? finish_task_switch+0x182/0x810
[   29.262304]  ? pwq_dec_nr_in_flight+0x490/0x490
[   29.267226]  ? __schedule+0x809/0x1e30
[   29.271137]  ? graph_lock+0x170/0x170
[   29.274947]  ? lock_downgrade+0x8e0/0x8e0
[   29.279132]  ? find_held_lock+0x36/0x1c0
[   29.282314] IPVS: ftp: loaded support on port[0] = 21
[   29.283197]  ? lock_acquire+0x1dc/0x520
[   29.283212]  ? lock_downgrade+0x8e0/0x8e0
[   29.296479]  ? lock_release+0xa10/0xa10
[   29.300454]  ? kasan_check_read+0x11/0x20
[   29.304608]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   29.309202]  worker_thread+0x1cc/0x1440
[   29.313186]  ? process_one_work+0x1b50/0x1b50
[   29.317686]  ? graph_lock+0x170/0x170
[   29.321491]  ? find_held_lock+0x36/0x1c0
[   29.325562]  ? find_held_lock+0x36/0x1c0
[   29.329635]  ? __schedule+0x1e30/0x1e30
[   29.333627]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.333882] IPVS: ftp: loaded support on port[0] = 21
[   29.338034]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   29.338048]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.338062]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.357890]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.363431]  ? __kthread_parkme+0x1b7/0x280
[   29.367760]  kthread+0x345/0x410
[   29.371131]  ? process_one_work+0x1b50/0x1b50
[   29.375630]  ? kthread_bind+0x40/0x40
[   29.379438]  ret_from_fork+0x3a/0x50
[   29.383650] Dumping ftrace buffer:
[   29.387185]    (ftrace buffer empty)
[   29.390881] Kernel Offset: disabled
[   29.394494] Rebooting in 86400 seconds..