INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-3,10.128.0.29' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program syzkaller login: [ 26.264137] dev_remove_pack: ffff8801c6d0b200 not found executing program executing program [ 26.351249] ================================================================== [ 26.358625] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801c6d0abcc [ 26.367424] Read of size 4 by task syzkaller818548/4002 [ 26.372758] CPU: 1 PID: 4002 Comm: syzkaller818548 Not tainted 4.9.48-g9983305 #42 [ 26.380432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.389763] ffff8801db307760 ffffffff81d93009 ffff8801da002000 ffff8801c6d0aa80 [ 26.397740] ffff8801c6d0b280 ffffed0038da1579 ffff8801c6d0abcc ffff8801db307788 [ 26.405683] ffffffff8153cbcc ffffed0038da1579 ffff8801da002000 0000000000000000 [ 26.413626] Call Trace: [ 26.416181] [ 26.418226] [] dump_stack+0xc1/0x128 [ 26.423575] [] kasan_object_err+0x1c/0x70 [ 26.429338] [] kasan_report.part.1+0x21c/0x500 [ 26.435540] [] ? 
do_raw_spin_lock+0x1ac/0x1e0 [ 26.441659] [] __asan_report_load4_noabort+0x29/0x30 [ 26.448378] [] do_raw_spin_lock+0x1ac/0x1e0 [ 26.454325] [] _raw_spin_lock_bh+0x42/0x50 [ 26.460183] [] ? packet_rcv_has_room+0x25/0xb0 [ 26.466378] [] packet_rcv_has_room+0x25/0xb0 [ 26.472404] [] fanout_demux_rollover+0x26f/0x4d0 [ 26.478780] [] packet_rcv_fanout+0x4ce/0x620 [ 26.484893] [] __netif_receive_skb_core+0x887/0x29e0 [ 26.491614] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 26.498594] [] ? netif_wake_subqueue+0x210/0x210 [ 26.504968] [] ? netif_receive_skb_internal+0x92/0x390 [ 26.511857] [] __netif_receive_skb+0x5b/0x1c0 [ 26.517967] [] netif_receive_skb_internal+0xff/0x390 [ 26.524684] [] ? netif_receive_skb_internal+0x92/0x390 [ 26.531581] [] ? dev_cpu_callback+0x680/0x680 [ 26.537692] [] ? dev_gro_receive+0x1d6/0x16f0 [ 26.543810] [] ? dev_gro_receive+0x67a/0x16f0 [ 26.549923] [] ? eth_type_trans+0x2a8/0x5d0 [ 26.555861] [] napi_gro_receive+0x1fb/0x400 [ 26.561800] [] virtnet_receive+0xe1c/0x1cf0 [ 26.567825] [] ? virtnet_open+0x250/0x250 [ 26.573591] [] ? check_preemption_disabled+0x3b/0x200 [ 26.580401] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 26.587407] [] ? check_preemption_disabled+0x3b/0x200 [ 26.594215] [] ? debug_smp_processor_id+0x1c/0x20 [ 26.600674] [] virtnet_poll+0x26/0x140 [ 26.606185] [] net_rx_action+0x396/0xe00 [ 26.611865] [] ? sk_busy_loop+0xca0/0xca0 [ 26.617736] [] ? handle_edge_irq+0x417/0x8e0 [ 26.623761] [] ? _raw_spin_lock+0x3e/0x50 [ 26.629528] [] ? check_preemption_disabled+0x3b/0x200 [ 26.636343] [] __do_softirq+0x22d/0x964 [ 26.641935] [] irq_exit+0x165/0x190 [ 26.647177] [] do_IRQ+0x107/0x1b0 [ 26.652245] [] common_interrupt+0x8c/0x8c [ 26.658002] [ 26.660036] [] ? audit_kill_trees+0x160/0x160 [ 26.666167] [] ? copy_process.part.51+0x8b2/0x5d40 [ 26.672717] [] ? check_preemption_disabled+0x3b/0x200 [ 26.679521] [] ? __lru_cache_add+0x187/0x250 [ 26.685545] [] ? __cleanup_sighand+0x40/0x40 [ 26.691569] [] ? 
_raw_spin_unlock+0x2c/0x50 [ 26.697505] [] ? handle_mm_fault+0x6ee/0x2530 [ 26.703614] [] _do_fork+0x1c0/0xd70 [ 26.708855] [] ? fork_idle+0x270/0x270 [ 26.714364] [] ? __do_page_fault+0x2a7/0xbd0 [ 26.720388] [] ? __do_page_fault+0x510/0xbd0 [ 26.726411] [] SyS_clone+0x37/0x50 [ 26.731565] [] ? ptregs_sys_rt_sigreturn+0x10/0x10 [ 26.738107] [] do_syscall_64+0x197/0x490 [ 26.743782] [] ? sys_vfork+0x30/0x30 [ 26.749108] [] entry_SYSCALL64_slow_path+0x25/0x25 [ 26.755653] Object at ffff8801c6d0aa80, in cache kmalloc-2048 size: 2048 [ 26.762456] Allocated: [ 26.764915] PID = 3956 [ 26.767377] save_stack_trace+0x16/0x20 [ 26.771316] save_stack+0x43/0xd0 [ 26.774741] kasan_kmalloc+0xad/0xe0 [ 26.778418] __kmalloc+0x11d/0x310 [ 26.781923] sk_prot_alloc+0x101/0x2a0 [ 26.785773] sk_alloc+0x3a/0x3a0 [ 26.789102] packet_create+0xf0/0x8e0 [ 26.792866] __sock_create+0x3ab/0x640 [ 26.796716] SyS_socket+0xf0/0x1b0 [ 26.800219] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 26.804934] Freed: [ 26.807045] PID = 3958 [ 26.809518] save_stack_trace+0x16/0x20 [ 26.813458] save_stack+0x43/0xd0 [ 26.816874] kasan_slab_free+0x73/0xc0 [ 26.820724] kfree+0xf0/0x2f0 [ 26.823793] __sk_destruct+0x47f/0x570 [ 26.827655] sk_destruct+0x47/0x80 [ 26.831159] __sk_free+0x57/0x230 [ 26.834574] sk_free+0x23/0x30 [ 26.837731] packet_release+0x732/0xa20 [ 26.841678] sock_release+0x8d/0x1e0 [ 26.845357] sock_close+0x16/0x20 [ 26.848777] __fput+0x28c/0x6e0 [ 26.852020] ____fput+0x15/0x20 [ 26.855264] task_work_run+0x115/0x190 [ 26.859123] do_exit+0x82e/0x2a50 [ 26.862543] do_group_exit+0x108/0x320 [ 26.866395] get_signal+0x55c/0x1600 [ 26.870076] do_signal+0x87/0x1960 [ 26.873584] exit_to_usermode_loop+0xe5/0x130 [ 26.878049] syscall_return_slowpath+0x1a0/0x1e0 [ 26.882768] entry_SYSCALL_64_fastpath+0xc4/0xc6 [ 26.887483] Memory state around the buggy address: [ 26.892377] ffff8801c6d0aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.899707] ffff8801c6d0ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb [ 26.907030] >ffff8801c6d0ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.914363] ^ [ 26.920036] ffff8801c6d0ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.927358] ffff8801c6d0ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.934677] ================================================================== [ 26.942068] ================================================================== [ 26.949404] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 at addr ffff8801c6d0abd8 [ 26.958204] Read of size 8 by task syzkaller818548/4002 [ 26.963533] CPU: 1 PID: 4002 Comm: syzkaller818548 Tainted: G B 4.9.48-g9983305 #42 [ 26.972422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.981747] ffff8801db307760 ffffffff81d93009 ffff8801da002000 ffff8801c6d0aa80 [ 26.989693] ffff8801c6d0b280 ffffed0038da157b ffff8801c6d0abd8 ffff8801db307788 [ 26.997640] ffffffff8153cbcc ffffed0038da157b ffff8801da002000 0000000000000000 [ 27.005588] Call Trace: [ 27.008144] [ 27.010176] [] dump_stack+0xc1/0x128 [ 27.015518] [] kasan_object_err+0x1c/0x70 [ 27.021279] [] kasan_report.part.1+0x21c/0x500 [ 27.027477] [] ? do_raw_spin_lock+0x1d3/0x1e0 [ 27.033584] [] __asan_report_load8_noabort+0x29/0x30 [ 27.040312] [] do_raw_spin_lock+0x1d3/0x1e0 [ 27.046253] [] _raw_spin_lock_bh+0x42/0x50 [ 27.052109] [] ? packet_rcv_has_room+0x25/0xb0 [ 27.058311] [] packet_rcv_has_room+0x25/0xb0 [ 27.064334] [] fanout_demux_rollover+0x26f/0x4d0 [ 27.070703] [] packet_rcv_fanout+0x4ce/0x620 [ 27.076724] [] __netif_receive_skb_core+0x887/0x29e0 [ 27.083448] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 27.090432] [] ? netif_wake_subqueue+0x210/0x210 [ 27.096801] [] ? netif_receive_skb_internal+0x92/0x390 [ 27.103692] [] __netif_receive_skb+0x5b/0x1c0 [ 27.109801] [] netif_receive_skb_internal+0xff/0x390 [ 27.116518] [] ? netif_receive_skb_internal+0x92/0x390 [ 27.123409] [] ? dev_cpu_callback+0x680/0x680 [ 27.129523] [] ? 
dev_gro_receive+0x1d6/0x16f0 [ 27.135631] [] ? dev_gro_receive+0x67a/0x16f0 [ 27.141741] [] ? eth_type_trans+0x2a8/0x5d0 [ 27.147675] [] napi_gro_receive+0x1fb/0x400 [ 27.153611] [] virtnet_receive+0xe1c/0x1cf0 [ 27.159553] [] ? virtnet_open+0x250/0x250 [ 27.165321] [] ? check_preemption_disabled+0x3b/0x200 [ 27.172132] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 27.179114] [] ? check_preemption_disabled+0x3b/0x200 [ 27.185919] [] ? debug_smp_processor_id+0x1c/0x20 [ 27.192377] [] virtnet_poll+0x26/0x140 [ 27.197880] [] net_rx_action+0x396/0xe00 [ 27.203556] [] ? sk_busy_loop+0xca0/0xca0 [ 27.209316] [] ? handle_edge_irq+0x417/0x8e0 [ 27.215339] [] ? _raw_spin_lock+0x3e/0x50 [ 27.221110] [] ? check_preemption_disabled+0x3b/0x200 [ 27.227916] [] __do_softirq+0x22d/0x964 [ 27.233508] [] irq_exit+0x165/0x190 [ 27.238756] [] do_IRQ+0x107/0x1b0 [ 27.243822] [] common_interrupt+0x8c/0x8c [ 27.249579] [ 27.251610] [] ? audit_kill_trees+0x160/0x160 [ 27.257750] [] ? copy_process.part.51+0x8b2/0x5d40 [ 27.264298] [] ? check_preemption_disabled+0x3b/0x200 [ 27.271112] [] ? __lru_cache_add+0x187/0x250 [ 27.277143] [] ? __cleanup_sighand+0x40/0x40 [ 27.283173] [] ? _raw_spin_unlock+0x2c/0x50 [ 27.289117] [] ? handle_mm_fault+0x6ee/0x2530 [ 27.295237] [] _do_fork+0x1c0/0xd70 [ 27.300478] [] ? fork_idle+0x270/0x270 [ 27.305981] [] ? __do_page_fault+0x2a7/0xbd0 [ 27.312003] [] ? __do_page_fault+0x510/0xbd0 [ 27.318024] [] SyS_clone+0x37/0x50 [ 27.323177] [] ? ptregs_sys_rt_sigreturn+0x10/0x10 [ 27.329721] [] do_syscall_64+0x197/0x490 [ 27.335401] [] ? sys_vfork+0x30/0x30 [ 27.340732] [] entry_SYSCALL64_slow_path+0x25/0x25 [ 27.347275] Object at ffff8801c6d0aa80, in cache kmalloc-2048 size: 2048