INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts. syzkaller login: [ 27.266838] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 27.293521] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 27.321315] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.accept_dad = 0 [ 27.348266] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 27.377866] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 [ 27.418531] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.accept_dad = 0 [ 27.464907] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.router_solicitations = 0 RTNETLINK answers: File exists [ 27.523417] IPVS: ftp: loaded support on port[0] = 21 net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: Operation not supported RTNETLINK answers: File exists RTNETLINK answers: File exists RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: File exists [ 27.967506] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 28.163118] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 28.175947] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available [ 28.210316] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 28.219299] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 28.331911] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 28.386832] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported [ 28.440543] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 29.278083] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 29.284231] 8021q: adding VLAN 0 to HW filter on device bond0 RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 29.435621] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 29.510657] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 29.516804] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.540922] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 29.547049] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.644719] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 29.650883] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.664683] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 29.670789] 8021q: adding VLAN 0 to HW filter on device bond0 executing program [ 29.697692] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 29.704621] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 29.717201] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.738361] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 29.741604] dst_release: dst:000000002cf56afe refcnt:-1 executing program [ 29.771865] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready executing program [ 29.816839] dst_release: dst:00000000d8296eed refcnt:-1 executing program [ 29.857287] dst_release: dst:000000004c4ad298 refcnt:-1 [ 29.860059] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready executing program [ 29.900413] dst_release: dst:000000005db30695 refcnt:-1 [ 29.929463] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 29.945368] dst_release: dst:00000000df127496 refcnt:-1 executing program executing program [ 29.951309] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 29.957405] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.968075] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 29.985086] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 29.992657] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 30.007315] dst_release: dst:0000000073323c63 refcnt:-1 executing program [ 30.028128] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 30.034261] 8021q: adding VLAN 0 to HW filter on device bond0 [ 30.034344] dst_release: dst:00000000c05ecc33 refcnt:-1 [ 30.047635] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 30.056074] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 30.064875] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready executing program executing program executing program executing program [ 30.077577] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 30.083667] 8021q: adding VLAN 0 to HW filter on device bond0 [ 30.084541] dst_release: dst:00000000a965cd3c refcnt:-1 [ 30.110151] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 30.116572] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 30.127329] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 30.131984] dst_release: dst:00000000dc69f989 refcnt:-1 [ 30.164047] dst_release: dst:00000000b864a108 refcnt:-1 executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 30.230691] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 30.240764] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 30.247712] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 30.254150] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 30.265933] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 30.349827] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready executing program executing program executing program executing program executing program executing program [ 30.393189] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 30.399402] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 30.406657] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 30.421669] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 30.430871] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 30.439576] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 30.523217] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 30.529669] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 30.542284] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 31.090550] ================================================================== [ 31.098042] BUG: KASAN: use-after-free in dst_release+0x27/0xa0 [ 31.104091] Write of size 4 at addr ffff8801c6959e40 by task syzkaller871835/5987 [ 31.111687] [ 31.113298] CPU: 1 PID: 5987 Comm: syzkaller871835 Not tainted 4.16.0+ #11 [ 31.120281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.129616] Call Trace: [ 31.132183] dump_stack+0x1a7/0x27d [ 31.135786] ? arch_local_irq_restore+0x53/0x53 [ 31.140430] ? show_regs_print_info+0x18/0x18 [ 31.144903] ? kasan_check_write+0x14/0x20 [ 31.149118] ? dst_release+0x27/0xa0 [ 31.152811] print_address_description+0x73/0x250 [ 31.157629] ? dst_release+0x27/0xa0 [ 31.161322] kasan_report+0x23c/0x360 [ 31.165103] check_memory_region+0x137/0x190 [ 31.169486] kasan_check_write+0x14/0x20 [ 31.173534] dst_release+0x27/0xa0 [ 31.177056] sock_setsockopt+0x431/0x1b20 [ 31.181187] ? sock_enable_timestamp+0xb0/0xb0 [ 31.185750] ? pptp_connect+0xda0/0x1170 [ 31.189784] ? pptp_rcv_core+0xcb0/0xcb0 [ 31.193828] ? kasan_check_read+0x11/0x20 [ 31.197956] ? __fget_light+0x2bc/0x400 [ 31.201907] ? fget_raw+0x20/0x20 [ 31.205338] ? security_socket_connect+0x89/0xb0 [ 31.210071] ? SYSC_connect+0x2e0/0x4a0 [ 31.214023] ? SYSC_bind+0x290/0x410 [ 31.217724] ? SYSC_bind+0x410/0x410 [ 31.221423] ? __fdget+0x18/0x20 [ 31.224769] ? security_socket_setsockopt+0x89/0xb0 [ 31.229774] SyS_setsockopt+0x2ff/0x360 [ 31.233730] ? SyS_recv+0x40/0x40 [ 31.237160] ? mm_fault_error+0x2c0/0x2c0 [ 31.241288] ? move_addr_to_kernel+0x60/0x60 [ 31.245683] ? do_syscall_64+0xb7/0x940 [ 31.249636] ? SyS_recv+0x40/0x40 [ 31.253073] do_syscall_64+0x281/0x940 [ 31.256938] ? vmalloc_sync_all+0x30/0x30 [ 31.261064] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.265804] ? syscall_return_slowpath+0x550/0x550 [ 31.270707] ? syscall_return_slowpath+0x2ac/0x550 [ 31.275609] ? prepare_exit_to_usermode+0x350/0x350 [ 31.280600] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 31.285940] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.290768] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.295937] RIP: 0033:0x4427a9 [ 31.299098] RSP: 002b:00007ffcdc766e08 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 31.306779] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004427a9 [ 31.314029] RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000003 [ 31.321273] RBP: 0000000000000000 R08: 0000000000000010 R09: 0000000000000000 [ 31.328526] R10: 00000000200010c0 R11: 0000000000000217 R12: 0000000000007950 [ 31.335777] R13: 00000000006cf448 R14: 0000000000000000 R15: 0000000000000000 [ 31.343036] [ 31.344641] Allocated by task 5987: [ 31.348248] save_stack+0x43/0xd0 [ 31.351679] kasan_kmalloc+0xad/0xe0 [ 31.355364] kasan_slab_alloc+0x12/0x20 [ 31.359316] kmem_cache_alloc+0x12e/0x760 [ 31.363441] dst_alloc+0x11f/0x1a0 [ 31.366959] rt_dst_alloc+0xe9/0x540 [ 31.370652] ip_route_output_key_hash_rcu+0xa49/0x2c60 [ 31.375903] ip_route_output_key_hash+0x20b/0x370 [ 31.380720] ip_route_output_flow+0x26/0xa0 [ 31.385026] pptp_connect+0xa84/0x1170 [ 31.388892] SYSC_connect+0x213/0x4a0 [ 31.392671] SyS_connect+0x24/0x30 [ 31.396195] do_syscall_64+0x281/0x940 [ 31.400063] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.405219] [ 31.406818] Freed by task 5986: [ 31.410071] save_stack+0x43/0xd0 [ 31.413510] __kasan_slab_free+0x11a/0x170 [ 31.417726] kasan_slab_free+0xe/0x10 [ 31.421511] kmem_cache_free+0x83/0x2a0 [ 31.425465] dst_destroy+0x266/0x380 [ 31.429154] dst_destroy_rcu+0x16/0x20 [ 31.433025] rcu_process_callbacks+0xd6c/0x17b0 [ 31.437675] __do_softirq+0x2d7/0xb85 [ 31.441443] [ 31.443046] The buggy address belongs to the object at ffff8801c6959e00 [ 31.443046] which belongs to the cache ip_dst_cache of size 168 [ 31.455761] The buggy address is located 64 bytes inside of [ 31.455761] 168-byte region [ffff8801c6959e00, ffff8801c6959ea8) [ 31.467517] The buggy address belongs to the page: [ 31.472419] page:ffffea00071a5640 count:1 mapcount:0 mapping:ffff8801c6959000 index:0x0 [ 31.480537] flags: 0x2fffc0000000100(slab) [ 31.484751] raw: 02fffc0000000100 ffff8801c6959000 0000000000000000 0000000100000010 [ 31.492605] raw: ffffea0006be4ee0 ffffea0007142860 ffff8801d7de3300 0000000000000000 [ 31.500453] page dumped because: kasan: bad access detected [ 31.506134] [ 31.507738] Memory state around the buggy address: [ 31.512645] ffff8801c6959d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.519982] ffff8801c6959d80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 31.527320] >ffff8801c6959e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.534646] ^ executing program executing program [ 31.540068] ffff8801c6959e80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 31.547507] ffff8801c6959f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.554846] ================================================================== [ 31.562182] Disabling lock debugging due to kernel taint [ 31.568226] Kernel panic - not syncing: panic_on_warn set ... [ 31.568226] [ 31.575587] CPU: 1 PID: 5987 Comm: syzkaller871835 Tainted: G B 4.16.0+ #11 [ 31.583878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.593204] Call Trace: [ 31.595768] dump_stack+0x1a7/0x27d [ 31.599369] ? arch_local_irq_restore+0x53/0x53 [ 31.604029] ? kasan_end_report+0x32/0x50 [ 31.608158] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.612892] ? vsnprintf+0x1ed/0x1900 [ 31.616664] ? dst_alloc+0x1a0/0x1a0 [ 31.620350] panic+0x1f8/0x42c [ 31.623526] ? refcount_error_report+0x214/0x214 [ 31.628272] ? do_raw_spin_unlock+0x9e/0x310 [ 31.632658] ? do_raw_spin_unlock+0x9e/0x310 [ 31.637048] ? dst_release+0x27/0xa0 [ 31.640741] kasan_end_report+0x50/0x50 [ 31.644697] kasan_report+0x149/0x360 [ 31.648477] check_memory_region+0x137/0x190 [ 31.652874] kasan_check_write+0x14/0x20 [ 31.656910] dst_release+0x27/0xa0 [ 31.660423] sock_setsockopt+0x431/0x1b20 [ 31.664542] ? sock_enable_timestamp+0xb0/0xb0 [ 31.669097] ? pptp_connect+0xda0/0x1170 [ 31.673138] ? pptp_rcv_core+0xcb0/0xcb0 [ 31.677175] ? kasan_check_read+0x11/0x20 [ 31.681299] ? __fget_light+0x2bc/0x400 [ 31.685242] ? fget_raw+0x20/0x20 [ 31.688667] ? security_socket_connect+0x89/0xb0 [ 31.693393] ? SYSC_connect+0x2e0/0x4a0 [ 31.697338] ? SYSC_bind+0x290/0x410 [ 31.701027] ? SYSC_bind+0x410/0x410 [ 31.704719] ? __fdget+0x18/0x20 [ 31.708057] ? security_socket_setsockopt+0x89/0xb0 [ 31.713051] SyS_setsockopt+0x2ff/0x360 [ 31.717018] ? SyS_recv+0x40/0x40 [ 31.720464] ? mm_fault_error+0x2c0/0x2c0 [ 31.724592] ? move_addr_to_kernel+0x60/0x60 [ 31.728975] ? do_syscall_64+0xb7/0x940 [ 31.732920] ? SyS_recv+0x40/0x40 [ 31.736348] do_syscall_64+0x281/0x940 [ 31.740212] ? vmalloc_sync_all+0x30/0x30 [ 31.744330] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.749055] ? syscall_return_slowpath+0x550/0x550 [ 31.753959] ? syscall_return_slowpath+0x2ac/0x550 [ 31.758861] ? prepare_exit_to_usermode+0x350/0x350 [ 31.763850] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 31.769184] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.774006] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 31.779173] RIP: 0033:0x4427a9 [ 31.782332] RSP: 002b:00007ffcdc766e08 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 31.790011] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004427a9 [ 31.797258] RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000003 [ 31.804501] RBP: 0000000000000000 R08: 0000000000000010 R09: 0000000000000000 [ 31.811742] R10: 00000000200010c0 R11: 0000000000000217 R12: 0000000000007950 [ 31.818987] R13: 00000000006cf448 R14: 0000000000000000 R15: 0000000000000000 [ 31.826660] Dumping ftrace buffer: [ 31.830172] (ftrace buffer empty) [ 31.833850] Kernel Offset: disabled [ 31.837448] Rebooting in 86400 seconds..