INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-1,10.128.0.35' (ECDSA) to the list of known hosts. 2017/09/09 20:01:13 parsed 1 programs 2017/09/09 20:01:13 executed programs: 0 syzkaller login: [ 37.243854] dev_remove_pack: ffff8801ccd52980 not found 2017/09/09 20:01:18 executed programs: 193 [ 43.396965] ================================================================== [ 43.404448] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801ccd5234c [ 43.413252] Read of size 4 by task sshd/3230 [ 43.417626] CPU: 0 PID: 3230 Comm: sshd Not tainted 4.9.48-g93babeb #44 [ 43.424346] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.433673] ffff8801d5b0ee10 ffffffff81d92f89 ffff8801da002000 ffff8801ccd52200 [ 43.441642] ffff8801ccd52a00 ffffed00399aa469 ffff8801ccd5234c ffff8801d5b0ee38 [ 43.449603] ffffffff8153cbcc ffffed00399aa469 ffff8801da002000 0000000000000000 [ 43.457569] Call Trace: [ 43.460130] [] dump_stack+0xc1/0x128 [ 43.465461] [] kasan_object_err+0x1c/0x70 [ 43.471226] [] kasan_report.part.1+0x21c/0x500 [ 43.477435] [] ? do_raw_spin_lock+0x1ac/0x1e0 [ 43.483555] [] __asan_report_load4_noabort+0x29/0x30 [ 43.490284] [] do_raw_spin_lock+0x1ac/0x1e0 [ 43.496225] [] _raw_spin_lock_bh+0x42/0x50 [ 43.502077] [] ? packet_rcv_has_room+0x25/0xb0 [ 43.508282] [] packet_rcv_has_room+0x25/0xb0 [ 43.514316] [] fanout_demux_rollover+0x26f/0x4d0 [ 43.520689] [] packet_rcv_fanout+0x4ce/0x620 [ 43.526714] [] dev_queue_xmit_nit+0x1b9/0x870 [ 43.532823] [] ? 
__netdev_pick_tx+0x700/0x700 [ 43.538933] [] dev_hard_start_xmit+0xa6/0x8a0 [ 43.545047] [] sch_direct_xmit+0x2bc/0x5d0 [ 43.550903] [] ? dev_deactivate_queue.constprop.28+0x150/0x150 [ 43.558501] [] ? dev_queue_xmit+0x17/0x20 [ 43.564267] [] __dev_queue_xmit+0x15fd/0x1e60 [ 43.570381] [] ? dev_queue_xmit+0x17/0x20 [ 43.576163] [] ? netdev_pick_tx+0x300/0x300 [ 43.582105] [] ? nf_ct_deliver_cached_events+0x26c/0x5f0 [ 43.589172] [] ? nf_ct_deliver_cached_events+0x89/0x5f0 [ 43.596149] [] ? ip_finish_output+0x6b1/0xa00 [ 43.602269] [] dev_queue_xmit+0x17/0x20 [ 43.607858] [] ip_finish_output2+0xbe8/0x1060 [ 43.613967] [] ? ip_finish_output+0x6b1/0xa00 [ 43.620080] [] ? dst_output+0x150/0x150 [ 43.625673] [] ? nf_hook_slow+0x131/0x1e0 [ 43.631434] [] ip_finish_output+0x6b1/0xa00 [ 43.637375] [] ip_output+0x1ca/0x610 [ 43.642728] [] ? ip_output+0x2f6/0x610 [ 43.648229] [] ? ip_mc_output+0xd50/0xd50 [ 43.653999] [] ? ip_fragment.constprop.56+0x200/0x200 [ 43.660816] [] ip_local_out+0x95/0x170 [ 43.666327] [] ip_queue_xmit+0x884/0x1760 [ 43.672092] [] ? ip_queue_xmit+0x3f/0x1760 [ 43.677944] [] ? __tcp_v4_send_check+0x1be/0x350 [ 43.684325] [] tcp_transmit_skb+0x1782/0x2d80 [ 43.690443] [] ? bictcp_cong_avoid+0xef0/0xef0 [ 43.696640] [] ? __tcp_select_window+0x510/0x510 [ 43.703018] [] ? remove_wait_queue+0x14/0x40 [ 43.709045] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.717310] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 43.724206] [] tcp_write_xmit+0xbd6/0x4a00 [ 43.730065] [] ? kasan_slab_alloc+0x12/0x20 [ 43.736001] [] ? check_stack_object+0x50/0x140 [ 43.742207] [] __tcp_push_pending_frames+0xa0/0x240 [ 43.748850] [] ? copy_from_iter+0x2d0/0x960 [ 43.754790] [] tcp_push+0x3fc/0x5d0 [ 43.760032] [] tcp_sendmsg+0xb89/0x2e30 [ 43.765624] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.772603] [] ? assoc_array_gc+0x12b0/0x1300 [ 43.778812] [] ? tcp_sendpage+0x1910/0x1910 [ 43.784749] [] ? sock_has_perm+0x292/0x3e0 [ 43.790690] [] ? 
sock_has_perm+0x9f/0x3e0 [ 43.796452] [] ? selinux_file_send_sigiotask+0x310/0x310 [ 43.803528] [] ? inet_sendmsg+0x73/0x4c0 [ 43.809383] [] ? inet_sendmsg+0x201/0x4c0 [ 43.815148] [] inet_sendmsg+0x2bc/0x4c0 [ 43.820740] [] ? inet_sendmsg+0x73/0x4c0 [ 43.826794] [] ? inet_recvmsg+0x4c0/0x4c0 [ 43.832566] [] sock_sendmsg+0xca/0x110 [ 43.838085] [] sock_write_iter+0x226/0x3b0 [ 43.844350] [] ? avc_has_perm_noaudit+0x450/0x450 [ 43.850807] [] ? sock_sendmsg+0x110/0x110 [ 43.856591] [] ? iov_iter_init+0xaf/0x1d0 [ 43.862355] [] __vfs_write+0x4bf/0x680 [ 43.867856] [] ? default_llseek+0x290/0x290 [ 43.873882] [] ? __set_current_blocked+0x80/0xa0 [ 43.880264] [] ? selinux_file_permission+0x82/0x460 [ 43.888043] [] ? rw_verify_area+0xe5/0x2b0 [ 43.893899] [] vfs_write+0x170/0x4e0 [ 43.899237] [] SyS_write+0xd9/0x1b0 [ 43.904489] [] ? SyS_read+0x1b0/0x1b0 [ 43.909905] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.916454] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.923005] Object at ffff8801ccd52200, in cache kmalloc-2048 size: 2048 [ 43.929813] Allocated: [ 43.932287] PID = 3857 [ 43.934754] save_stack_trace+0x16/0x20 [ 43.938699] save_stack+0x43/0xd0 [ 43.942118] kasan_kmalloc+0xad/0xe0 [ 43.945803] __kmalloc+0x11d/0x310 [ 43.949319] sk_prot_alloc+0x101/0x2a0 [ 43.953182] sk_alloc+0x3a/0x3a0 [ 43.956514] packet_create+0xf0/0x8e0 [ 43.960278] __sock_create+0x3ab/0x640 [ 43.964137] SyS_socket+0xf0/0x1b0 [ 43.967650] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.972556] Freed: [ 43.974723] PID = 3859 [ 43.977202] save_stack_trace+0x16/0x20 [ 43.981150] save_stack+0x43/0xd0 [ 43.984836] kasan_slab_free+0x73/0xc0 [ 43.988693] kfree+0xf0/0x2f0 [ 43.991767] __sk_destruct+0x47f/0x570 [ 43.995632] sk_destruct+0x47/0x80 [ 43.999162] __sk_free+0x57/0x230 [ 44.002592] sk_free+0x23/0x30 [ 44.005751] packet_release+0x732/0xa20 [ 44.009692] sock_release+0x8d/0x1e0 [ 44.013373] sock_close+0x16/0x20 [ 44.016793] __fput+0x28c/0x6e0 [ 44.020038] ____fput+0x15/0x20 [ 44.023290] 
task_work_run+0x115/0x190 [ 44.027144] do_exit+0x82e/0x2a50 [ 44.030567] do_group_exit+0x108/0x320 [ 44.034427] get_signal+0x55c/0x1600 [ 44.038118] do_signal+0x87/0x1960 [ 44.041621] exit_to_usermode_loop+0xe5/0x130 [ 44.046080] syscall_return_slowpath+0x1a0/0x1e0 [ 44.050800] entry_SYSCALL_64_fastpath+0xc4/0xc6 [ 44.055519] Memory state around the buggy address: [ 44.060421] ffff8801ccd52200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.067758] ffff8801ccd52280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.075083] >ffff8801ccd52300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.082413] ^ [ 44.088087] ffff8801ccd52380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.095413] ffff8801ccd52400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.102742] ================================================================== [ 44.110121] ================================================================== [ 44.117466] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 at addr ffff8801ccd52358 [ 44.126273] Read of size 8 by task sshd/3230 [ 44.130656] CPU: 0 PID: 3230 Comm: sshd Tainted: G B 4.9.48-g93babeb #44 [ 44.138590] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.147915] ffff8801d5b0ee10 ffffffff81d92f89 ffff8801da002000 ffff8801ccd52200 [ 44.155869] ffff8801ccd52a00 ffffed00399aa46b ffff8801ccd52358 ffff8801d5b0ee38 [ 44.163823] ffffffff8153cbcc ffffed00399aa46b ffff8801da002000 0000000000000000 [ 44.171791] Call Trace: [ 44.174356] [] dump_stack+0xc1/0x128 [ 44.179695] [] kasan_object_err+0x1c/0x70 [ 44.185559] [] kasan_report.part.1+0x21c/0x500 [ 44.191766] [] ? do_raw_spin_lock+0x1d3/0x1e0 [ 44.197877] [] __asan_report_load8_noabort+0x29/0x30 [ 44.204593] [] do_raw_spin_lock+0x1d3/0x1e0 [ 44.210528] [] _raw_spin_lock_bh+0x42/0x50 [ 44.216385] [] ? 
packet_rcv_has_room+0x25/0xb0 [ 44.222582] [] packet_rcv_has_room+0x25/0xb0 [ 44.228613] [] fanout_demux_rollover+0x26f/0x4d0 [ 44.234984] [] packet_rcv_fanout+0x4ce/0x620 [ 44.241016] [] dev_queue_xmit_nit+0x1b9/0x870 [ 44.247130] [] ? __netdev_pick_tx+0x700/0x700 [ 44.253242] [] dev_hard_start_xmit+0xa6/0x8a0 [ 44.259360] [] sch_direct_xmit+0x2bc/0x5d0 [ 44.265315] [] ? dev_deactivate_queue.constprop.28+0x150/0x150 [ 44.272906] [] ? dev_queue_xmit+0x17/0x20 [ 44.278672] [] __dev_queue_xmit+0x15fd/0x1e60 [ 44.284784] [] ? dev_queue_xmit+0x17/0x20 [ 44.290548] [] ? netdev_pick_tx+0x300/0x300 [ 44.296490] [] ? nf_ct_deliver_cached_events+0x26c/0x5f0 [ 44.303556] [] ? nf_ct_deliver_cached_events+0x89/0x5f0 [ 44.310547] [] ? ip_finish_output+0x6b1/0xa00 [ 44.318065] [] dev_queue_xmit+0x17/0x20 [ 44.323661] [] ip_finish_output2+0xbe8/0x1060 [ 44.329780] [] ? ip_finish_output+0x6b1/0xa00 [ 44.336002] [] ? dst_output+0x150/0x150 [ 44.341607] [] ? nf_hook_slow+0x131/0x1e0 [ 44.347382] [] ip_finish_output+0x6b1/0xa00 [ 44.353321] [] ip_output+0x1ca/0x610 [ 44.358837] [] ? ip_output+0x2f6/0x610 [ 44.364360] [] ? ip_mc_output+0xd50/0xd50 [ 44.370139] [] ? ip_fragment.constprop.56+0x200/0x200 [ 44.376952] [] ip_local_out+0x95/0x170 [ 44.382464] [] ip_queue_xmit+0x884/0x1760 [ 44.388239] [] ? ip_queue_xmit+0x3f/0x1760 [ 44.394102] [] ? __tcp_v4_send_check+0x1be/0x350