INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-0,10.128.0.32' (ECDSA) to the list of known hosts.
2017/09/12 06:52:17 parsed 1 programs
2017/09/12 06:52:17 executed programs: 0
syzkaller login: [   32.243488] dev_remove_pack: ffff8801ca81ac00 not found
[   32.272639] ==================================================================
[   32.280066] BUG: KASAN: use-after-free in __list_add_valid+0xb1/0xd0
[   32.286535] Read of size 8 at addr ffff8801ca4accf0 by task syz-executor1/3878
[   32.293865]
[   32.295469] CPU: 0 PID: 3878 Comm: syz-executor1 Not tainted 4.13.0+ #79
[   32.302278] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.311603] Call Trace:
[   32.314163]  dump_stack+0x194/0x257
[   32.317766]  ? arch_local_irq_restore+0x53/0x53
[   32.322410]  ? show_regs_print_info+0x65/0x65
[   32.326880]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.331875]  ? __list_add_valid+0xb1/0xd0
[   32.335998]  print_address_description+0x73/0x250
[   32.340817]  ? __list_add_valid+0xb1/0xd0
[   32.344938]  kasan_report+0x24e/0x340
[   32.348716]  __asan_report_load8_noabort+0x14/0x20
[   32.353617]  __list_add_valid+0xb1/0xd0
[   32.357576]  dev_add_pack+0x113/0x2b0
[   32.361349]  ? napi_skb_free_stolen_head+0x170/0x170
[   32.366422]  ? __lockdep_init_map+0xe4/0x650
[   32.370811]  ? lockdep_init_map+0x3d/0x70
[   32.374940]  register_prot_hook.part.49+0x95/0xb0
[   32.379756]  packet_create+0x820/0xb00
[   32.383617]  ? sock_destroy_inode+0x70/0x70
[   32.387914]  ? register_prot_hook.part.49+0xb0/0xb0
[   32.392904]  ? __sock_create+0x211/0x850
[   32.396943]  ? module_unload_free+0x5b0/0x5b0
[   32.401416]  ? lock_release+0xd70/0xd70
[   32.405372]  ? __lock_is_held+0xbc/0x140
[   32.409428]  __sock_create+0x4d4/0x850
[   32.413288]  ? __fget_light+0x29d/0x390
[   32.417241]  ? ___sys_recvmsg+0x630/0x630
[   32.421366]  ? __fdget+0x18/0x20
[   32.424709]  ? SyS_futex+0x260/0x390
[   32.428392]  ? SyS_futex+0x269/0x390
[   32.432086]  ? SyS_setsockopt+0x215/0x360
[   32.436214]  SyS_socket+0xeb/0x200
[   32.439727]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   32.444543]  ? move_addr_to_kernel+0x60/0x60
[   32.448925]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.453917]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.458665]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.463394] RIP: 0033:0x451e59
[   32.466556] RSP: 002b:00007f89bbc2bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000029
[   32.474240] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
[   32.481486] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000011
[   32.488728] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   32.495969] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   32.503212] R13: 00007ffe328c26df R14: 00007f89bbc2c9c0 R15: 0000000000000000
[   32.510476]
[   32.512076] Allocated by task 3853:
[   32.515678]  save_stack_trace+0x16/0x20
[   32.519624]  save_stack+0x43/0xd0
[   32.523049]  kasan_kmalloc+0xad/0xe0
[   32.526740]  kmem_cache_alloc_trace+0x136/0x750
[   32.531383]  fanout_add+0xa50/0x1190
[   32.535068]  packet_setsockopt+0xfdc/0x1e80
[   32.539360]  SyS_setsockopt+0x189/0x360
[   32.543305]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.548030]
[   32.549632] Freed by task 3874:
[   32.552884]  save_stack_trace+0x16/0x20
[   32.556830]  save_stack+0x43/0xd0
[   32.560253]  kasan_slab_free+0x71/0xc0
[   32.564112]  kfree+0xca/0x250
[   32.567188]  packet_release+0xa8f/0xd70
[   32.571135]  sock_release+0x8d/0x1e0
[   32.574820]  sock_close+0x16/0x20
[   32.578244]  __fput+0x333/0x7f0
[   32.581493]  ____fput+0x15/0x20
[   32.584747]  task_work_run+0x199/0x270
[   32.588605]  do_exit+0xa52/0x1b40
[   32.592034]  do_group_exit+0x149/0x400
[   32.595895]  get_signal+0x7e8/0x17e0
[   32.599583]  do_signal+0x94/0x1ee0
[   32.603096]  exit_to_usermode_loop+0x224/0x300
[   32.607651]  syscall_return_slowpath+0x42f/0x500
[   32.612379]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   32.617102]
[   32.618701] The buggy address belongs to the object at ffff8801ca4ac440
[   32.618701]  which belongs to the cache kmalloc-4096 of size 4096
[   32.631505] The buggy address is located 2224 bytes inside of
[   32.631505]  4096-byte region [ffff8801ca4ac440, ffff8801ca4ad440)
[   32.643524] The buggy address belongs to the page:
[   32.648426] page:ffffea0007292b00 count:1 mapcount:0 mapping:ffff8801ca4ac440 index:0x0 compound_mapcount: 0
[   32.658373] flags: 0x200000000008100(slab|head)
[   32.663020] raw: 0200000000008100 ffff8801ca4ac440 0000000000000000 0000000100000001
[   32.670879] raw: ffffea0007292920 ffffea0007292ba0 ffff8801dac00dc0 0000000000000000
[   32.678730] page dumped because: kasan: bad access detected
[   32.684411]
[   32.686016] Memory state around the buggy address:
[   32.690921]  ffff8801ca4acb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.698264]  ffff8801ca4acc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.705596] >ffff8801ca4acc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.712928]                                                              ^
[   32.719912]  ffff8801ca4acd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.727244]  ffff8801ca4acd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.734572] ==================================================================
[   32.741898] Disabling lock debugging due to kernel taint
[   32.747396] Kernel panic - not syncing: panic_on_warn set ...
[   32.747396]
[   32.754728] CPU: 0 PID: 3878 Comm: syz-executor1 Tainted: G    B           4.13.0+ #79
[   32.762745] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.772063] Call Trace:
[   32.774619]  dump_stack+0x194/0x257
[   32.778212]  ? arch_local_irq_restore+0x53/0x53
[   32.782850]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.787574]  ? __list_add_valid+0xa0/0xd0
[   32.791690]  panic+0x1e4/0x417
[   32.794848]  ? __warn+0x1d9/0x1d9
[   32.798276]  ? __list_add_valid+0xb1/0xd0
[   32.802392]  kasan_end_report+0x50/0x50
[   32.806335]  kasan_report+0x137/0x340
[   32.810103]  __asan_report_load8_noabort+0x14/0x20
[   32.814998]  __list_add_valid+0xb1/0xd0
[   32.818944]  dev_add_pack+0x113/0x2b0
[   32.822710]  ? napi_skb_free_stolen_head+0x170/0x170
[   32.827776]  ? __lockdep_init_map+0xe4/0x650
[   32.832154]  ? lockdep_init_map+0x3d/0x70
[   32.836273]  register_prot_hook.part.49+0x95/0xb0
[   32.841080]  packet_create+0x820/0xb00
[   32.844933]  ? sock_destroy_inode+0x70/0x70
[   32.849221]  ? register_prot_hook.part.49+0xb0/0xb0
[   32.854203]  ? __sock_create+0x211/0x850
[   32.858230]  ? module_unload_free+0x5b0/0x5b0
[   32.862693]  ? lock_release+0xd70/0xd70
[   32.866636]  ? __lock_is_held+0xbc/0x140
[   32.870669]  __sock_create+0x4d4/0x850
[   32.874524]  ? __fget_light+0x29d/0x390
[   32.878468]  ? ___sys_recvmsg+0x630/0x630
[   32.882581]  ? __fdget+0x18/0x20
[   32.885915]  ? SyS_futex+0x260/0x390
[   32.889593]  ? SyS_futex+0x269/0x390
[   32.893270]  ? SyS_setsockopt+0x215/0x360
[   32.897386]  SyS_socket+0xeb/0x200
[   32.900896]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[   32.905705]  ? move_addr_to_kernel+0x60/0x60
[   32.910077]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.915059]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.919789]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.924507] RIP: 0033:0x451e59
[   32.927662] RSP: 002b:00007f89bbc2bc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000029
[   32.935334] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
[   32.942572] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000011
[   32.949806] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   32.957044] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[   32.964279] R13: 00007ffe328c26df R14: 00007f89bbc2c9c0 R15: 0000000000000000
[   32.971958] Dumping ftrace buffer:
[   32.975463]    (ftrace buffer empty)
[   32.979144] Kernel Offset: disabled
[   32.982736] Rebooting in 86400 seconds..