INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 51.277762] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.309902] IPVS: ftp: loaded support on port[0] = 21
[ 51.346518] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 51.377405] Failed to remove local publication {0,0,0}/4198504698
[ 51.391081] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.427672] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.463555] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.499218] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.535920] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.572511] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.609189] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.645684] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 51.682440] IPVS: ftp: loaded support on port[0] = 21
[ 51.718662] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.755113] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.791682] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.828120] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.864696] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.901367] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.937773] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 51.974448] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.011114] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.047701] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.084160] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.121083] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.158160] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.195181] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.230816] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.267373] IPVS: ftp: loaded support on port[0] = 21
[ 52.304367] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 53.144962] IPVS: ftp: loaded support on port[0] = 21
[ 53.163132] ==================================================================
[ 53.170638] BUG: KASAN: use-after-free in tipc_nametbl_stop+0x94e/0xd70
[ 53.177396] Read of size 8 at addr ffff8801cccdd2b0 by task kworker/u4:2/61
[ 53.184493]
[ 53.186112] CPU: 1 PID: 61 Comm: kworker/u4:2 Not tainted 4.16.0+ #4
[ 53.192583] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.201931] Workqueue: netns cleanup_net
[ 53.205985] Call Trace:
[ 53.208570] dump_stack+0x1b9/0x294
[ 53.212183] ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.217357] ? printk+0x9e/0xba
[ 53.220618] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 53.225360] ? kasan_check_write+0x14/0x20
[ 53.229580] print_address_description+0x6c/0x20b
[ 53.234409] ? tipc_nametbl_stop+0x94e/0xd70
[ 53.238801] kasan_report.cold.7+0x242/0x2fe
[ 53.243194] __asan_report_load8_noabort+0x14/0x20
[ 53.248107] tipc_nametbl_stop+0x94e/0xd70
[ 53.252331] ? tipc_nametbl_init+0x5b0/0x5b0
[ 53.256725] ? mark_held_locks+0xc9/0x160
[ 53.260853] ? quarantine_put+0xeb/0x190
[ 53.264898] ? kfree+0x111/0x260
[ 53.268245] ? tipc_bcast_stop+0x281/0x3d0
[ 53.272461] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.277460] ? trace_hardirqs_on+0xd/0x10
[ 53.281765] ? tipc_bcast_stop+0x281/0x3d0
[ 53.285981] ? tipc_bcast_init+0xc80/0xc80
[ 53.290203] ? tipc_enable_bearer.cold.19+0xbf/0xbf
[ 53.295201] tipc_exit_net+0x2d/0x40
[ 53.298897] ops_exit_list.isra.7+0xb0/0x160
[ 53.303289] cleanup_net+0x51d/0xb20
[ 53.306986] ? lock_downgrade+0x8e0/0x8e0
[ 53.311119] ? peernet2id_alloc+0x3e0/0x3e0
[ 53.315422] ? find_held_lock+0x36/0x1c0
[ 53.319467] ? graph_lock+0x170/0x170
[ 53.323770] ? lock_acquire+0x1dc/0x520
[ 53.327729] ? process_one_work+0xb46/0x1b50
[ 53.332119] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 53.337206] ? __lock_is_held+0xb5/0x140
[ 53.341258] process_one_work+0xc1e/0x1b50
[ 53.345476] ? finish_task_switch+0x28b/0x810
[ 53.349958] ? pwq_dec_nr_in_flight+0x490/0x490
[ 53.354615] ? __schedule+0x809/0x1e30
[ 53.358490] ? pick_next_task_fair+0x973/0x1660
[ 53.363139] ? graph_lock+0x170/0x170
[ 53.366923] ? graph_lock+0x170/0x170
[ 53.370706] ? find_held_lock+0x36/0x1c0
[ 53.374753] ? find_held_lock+0x36/0x1c0
[ 53.378802] ? lock_acquire+0x1dc/0x520
[ 53.382758] ? lock_downgrade+0x8e0/0x8e0
[ 53.386891] ? lock_release+0xa10/0xa10
[ 53.390848] ? kasan_check_read+0x11/0x20
[ 53.394982] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 53.399557] worker_thread+0x1cc/0x1440
[ 53.403522] ? process_one_work+0x1b50/0x1b50
[ 53.408021] ? graph_lock+0x170/0x170
[ 53.411817] ? find_held_lock+0x36/0x1c0
[ 53.415870] ? __schedule+0x1e30/0x1e30
[ 53.419828] ? do_raw_spin_unlock+0x9e/0x2e0
[ 53.424221] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 53.428786] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 53.433872] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.438875] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.444393] ? __kthread_parkme+0x1b7/0x280
[ 53.448697] kthread+0x345/0x410
[ 53.452048] ? process_one_work+0x1b50/0x1b50
[ 53.456523] ? kthread_bind+0x40/0x40
[ 53.460307] ret_from_fork+0x3a/0x50
[ 53.464008]
[ 53.465620] Allocated by task 4490:
[ 53.469229] save_stack+0x43/0xd0
[ 53.472661] kasan_kmalloc+0xc4/0xe0
[ 53.476365] kmem_cache_alloc_trace+0x152/0x780
[ 53.481028] tipc_nametbl_insert_publ+0x569/0x1910
[ 53.485940] tipc_nametbl_publish+0x6c3/0xba0
[ 53.490416] tipc_sk_publish+0x22a/0x510
[ 53.494458] tipc_bind+0x206/0x330
[ 53.497981] __sys_bind+0x331/0x440
[ 53.501588] SyS_bind+0x24/0x30
[ 53.504851] do_syscall_64+0x29e/0x9d0
[ 53.508723] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.513889]
[ 53.515497] Freed by task 61:
[ 53.518585] save_stack+0x43/0xd0
[ 53.522027] __kasan_slab_free+0x11a/0x170
[ 53.526244] kasan_slab_free+0xe/0x10
[ 53.530028] kfree+0xd9/0x260
[ 53.533116] tipc_service_remove_publ.isra.8+0x909/0xc30
[ 53.538548] tipc_nametbl_stop+0x746/0xd70
[ 53.542761] tipc_exit_net+0x2d/0x40
[ 53.546458] ops_exit_list.isra.7+0xb0/0x160
[ 53.550854] cleanup_net+0x51d/0xb20
[ 53.554560] process_one_work+0xc1e/0x1b50
[ 53.558776] worker_thread+0x1cc/0x1440
[ 53.562734] kthread+0x345/0x410
[ 53.566081] ret_from_fork+0x3a/0x50
[ 53.569771]
[ 53.571383] The buggy address belongs to the object at ffff8801cccdd280
[ 53.571383] which belongs to the cache kmalloc-64 of size 64
[ 53.583850] The buggy address is located 48 bytes inside of
[ 53.583850] 64-byte region [ffff8801cccdd280, ffff8801cccdd2c0)
[ 53.595531] The buggy address belongs to the page:
[ 53.600440] page:ffffea0007333740 count:1 mapcount:0 mapping:ffff8801cccdd000 index:0x0
[ 53.608567] flags: 0x2fffc0000000100(slab)
[ 53.612788] raw: 02fffc0000000100 ffff8801cccdd000 0000000000000000 0000000100000020
[ 53.620666] raw: ffffea00073a66a0 ffffea000735db60 ffff8801dac00340 0000000000000000
[ 53.628522] page dumped because: kasan: bad access detected
[ 53.634206]
[ 53.635813] Memory state around the buggy address:
[ 53.640722]  ffff8801cccdd180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 53.648068]  ffff8801cccdd200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 53.655407] >ffff8801cccdd280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 53.662741]                                      ^
[ 53.667657]  ffff8801cccdd300: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 53.674996]  ffff8801cccdd380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 53.682336] ==================================================================
[ 53.689674] Disabling lock debugging due to kernel taint
executing program
executing program
[ 53.695143] Kernel panic - not syncing: panic_on_warn set ...
[ 53.695143]
[ 53.702511] CPU: 1 PID: 61 Comm: kworker/u4:2 Tainted: G B 4.16.0+ #4
[ 53.708661] IPVS: ftp: loaded support on port[0] = 21
[ 53.710380] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.710400] Workqueue: netns cleanup_net
[ 53.728963] Call Trace:
[ 53.731549] dump_stack+0x1b9/0x294
[ 53.735181] ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.740371] ? trace_hardirqs_on_thunk+0x1a/0x1c
executing program
[ 53.745128] ? tipc_nametbl_stop+0x890/0xd70
[ 53.747092] IPVS: ftp: loaded support on port[0] = 21
[ 53.749528] panic+0x22f/0x4de
[ 53.749538] ? add_taint.cold.5+0x16/0x16
[ 53.749555] ? do_raw_spin_unlock+0x9e/0x2e0
[ 53.766421] ? do_raw_spin_unlock+0x9e/0x2e0
[ 53.770834] ? tipc_nametbl_stop+0x94e/0xd70
[ 53.775239] kasan_end_report+0x47/0x4f
[ 53.779208] kasan_report.cold.7+0x76/0x2fe
[ 53.783528] __asan_report_load8_noabort+0x14/0x20
[ 53.785569] IPVS: ftp: loaded support on port[0] = 21
[ 53.788453] tipc_nametbl_stop+0x94e/0xd70
executing program
[ 53.788473] ? tipc_nametbl_init+0x5b0/0x5b0
[ 53.802257] ? mark_held_locks+0xc9/0x160
[ 53.806402] ? quarantine_put+0xeb/0x190
[ 53.810459] ? kfree+0x111/0x260
[ 53.813823] ? tipc_bcast_stop+0x281/0x3d0
[ 53.818057] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.823068] ? trace_hardirqs_on+0xd/0x10
[ 53.826821] IPVS: ftp: loaded support on port[0] = 21
[ 53.827211] ? tipc_bcast_stop+0x281/0x3d0
[ 53.827220] ? tipc_bcast_init+0xc80/0xc80
[ 53.827236] ? tipc_enable_bearer.cold.19+0xbf/0xbf
executing program
[ 53.845854] tipc_exit_net+0x2d/0x40
[ 53.849571] ops_exit_list.isra.7+0xb0/0x160
[ 53.853977] cleanup_net+0x51d/0xb20
[ 53.857686] ? lock_downgrade+0x8e0/0x8e0
[ 53.861841] ? peernet2id_alloc+0x3e0/0x3e0
[ 53.864643] IPVS: ftp: loaded support on port[0] = 21
[ 53.866154] ? find_held_lock+0x36/0x1c0
[ 53.866165] ? graph_lock+0x170/0x170
[ 53.866179] ? lock_acquire+0x1dc/0x520
[ 53.883130] ? process_one_work+0xb46/0x1b50
[ 53.887535] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 53.892641] ? __lock_is_held+0xb5/0x140
executing program
executing program
[ 53.896709] process_one_work+0xc1e/0x1b50
[ 53.900941] ? finish_task_switch+0x28b/0x810
[ 53.904344] IPVS: ftp: loaded support on port[0] = 21
[ 53.905440] ? pwq_dec_nr_in_flight+0x490/0x490
[ 53.905458] ? __schedule+0x809/0x1e30
[ 53.919260] ? pick_next_task_fair+0x973/0x1660
[ 53.923929] ? graph_lock+0x170/0x170
[ 53.927724] ? graph_lock+0x170/0x170
[ 53.931523] ? find_held_lock+0x36/0x1c0
[ 53.935584] ? find_held_lock+0x36/0x1c0
[ 53.939649] ? lock_acquire+0x1dc/0x520
[ 53.943624] ? lock_downgrade+0x8e0/0x8e0
executing program
[ 53.944061] IPVS: ftp: loaded support on port[0] = 21
[ 53.947763] ? lock_release+0xa10/0xa10
[ 53.947775] ? kasan_check_read+0x11/0x20
[ 53.947791] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 53.965608] worker_thread+0x1cc/0x1440
[ 53.969589] ? process_one_work+0x1b50/0x1b50
[ 53.974088] ? graph_lock+0x170/0x170
[ 53.977881] ? find_held_lock+0x36/0x1c0
[ 53.981938] ? __schedule+0x1e30/0x1e30
[ 53.985912] ? do_raw_spin_unlock+0x9e/0x2e0
[ 53.987127] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 53.990314] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 53.990328] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 53.990342] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 54.010154] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.015688] ? __kthread_parkme+0x1b7/0x280
[ 54.020009] kthread+0x345/0x410
[ 54.023388] ? process_one_work+0x1b50/0x1b50
[ 54.027880] ? kthread_bind+0x40/0x40
[ 54.028997] IPVS: ftp: loaded support on port[0] = 21
[ 54.031676] ret_from_fork+0x3a/0x50
[ 54.037230] Dumping ftrace buffer:
[ 54.037234] (ftrace buffer empty)
[ 54.037237] Kernel Offset: disabled
[ 54.051712] Rebooting in 86400 seconds..