Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '[ssh-serialport.googleapis.com]:9600,[216.239.38.127]:9600' (RSA) to the list of known hosts.
Warning: Permanently added 'ci-android-49-kasan-gce-2,10.128.0.31' (ECDSA) to the list of known hosts.
serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-2 port 1 (session ID: e354320d0d4a7799b2bce790bee10d03cb735002bd63f5241dbdcc0cfd5aa0cd, active connections: 1).
2017/07/25 03:08:03 parsed 1 programs
2017/07/25 03:08:03 executed programs: 0
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 41.531822] hrtimer: interrupt took 24618 ns
[ 41.778880] ==================================================================
[ 41.786260] BUG: KASAN: use-after-free in skb_dequeue+0x162/0x180 at addr ffff8801cac25508
[ 41.794623] Write of size 8 by task syz-executor0/3353
[ 41.799862] CPU: 1 PID: 3353 Comm: syz-executor0 Not tainted 4.9.39-g72a0c9f #6
[ 41.807268] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.816581] ffff8801cfa776c8 ffffffff81eacd59 ffff8801d9ff23c0 ffff8801cac25500
[ 41.824517] ffff8801cac255e0 ffffed0039584aa1 ffff8801cac25508 ffff8801cfa776f0
[ 41.832444] ffffffff81546bfc ffffed0039584aa1 ffff8801d9ff23c0 0000000000000001
[ 41.840370] Call Trace:
[ 41.842947] [] dump_stack+0xc1/0x128
[ 41.848271] [] kasan_object_err+0x1c/0x70
[ 41.854027] [] kasan_report.part.1+0x20d/0x4e0
[ 41.860221] [] ? skb_dequeue+0x162/0x180
[ 41.865895] [] __asan_report_store8_noabort+0x2c/0x30
[ 41.872713] [] skb_dequeue+0x162/0x180
[ 41.878215] [] skb_queue_purge+0x26/0x40
[ 41.883891] [] pfkey_sock_destruct+0x157/0x370
[ 41.890088] [] ? pfkey_sock_destruct+0x34/0x370
[ 41.896367] [] ? pfkey_is_alive+0x470/0x470
[ 41.902314] [] __sk_destruct+0x53/0x570
[ 41.907914] [] sk_destruct+0x47/0x80
[ 41.913238] [] __sk_free+0x57/0x230
[ 41.918475] [] sk_free+0x23/0x30
[ 41.923455] [] pfkey_release+0x25e/0x2f0
[ 41.929131] [] ? sock_release+0x1e0/0x1e0
[ 41.934890] [] sock_release+0x8d/0x1e0
[ 41.940387] [] sock_close+0x16/0x20
[ 41.945626] [] __fput+0x28c/0x6e0
[ 41.950692] [] ____fput+0x15/0x20
[ 41.955759] [] task_work_run+0x115/0x190
[ 41.961434] [] do_exit+0x82e/0x2a50
[ 41.966672] [] ? perf_trace_lock_acquire+0x520/0x520
[ 41.973387] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 41.980375] [] ? release_task+0x1240/0x1240
[ 41.986310] [] ? wake_up_q+0x8a/0xe0
[ 41.991634] [] ? drop_futex_key_refs.isra.12+0x63/0xd0
[ 41.998537] [] ? __dequeue_signal+0xa3/0x550
[ 42.004574] [] ? recalc_sigpending+0x72/0x90
[ 42.010592] [] do_group_exit+0x108/0x320
[ 42.016271] [] get_signal+0x55c/0x1600
[ 42.021786] [] do_signal+0x7f/0x1940
[ 42.027111] [] ? debug_smp_processor_id+0x1c/0x20
[ 42.033562] [] ? perf_trace_lock+0x112/0x500
[ 42.039582] [] ? perf_trace_lock_acquire+0x520/0x520
[ 42.046303] [] ? setup_sigcontext+0x7d0/0x7d0
[ 42.052410] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 42.059385] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.065926] [] ? SyS_futex+0x226/0x2c0
[ 42.071438] [] ? exit_to_usermode_loop+0xaf/0x130
[ 42.077889] [] exit_to_usermode_loop+0xe5/0x130
[ 42.084167] [] syscall_return_slowpath+0x1a0/0x1e0
[ 42.090707] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
[ 42.097245] Object at ffff8801cac25500, in cache skbuff_head_cache size: 224
[ 42.104385] Allocated:
[ 42.106840] PID = 3351
[ 42.109305] save_stack_trace+0x16/0x20
[ 42.113237] save_stack+0x43/0xd0
[ 42.116651] kasan_kmalloc+0xad/0xe0
[ 42.120322] kasan_slab_alloc+0x12/0x20
[ 42.124253] kmem_cache_alloc_node+0x107/0x2a0
[ 42.128795] __alloc_skb+0xef/0x600
[ 42.132382] pfkey_xfrm_policy2msg_prep+0x29/0x50
[ 42.137185] dump_sp+0xa8/0x450
[ 42.140423] xfrm_policy_walk+0x1b1/0x4d0
[ 42.144528] pfkey_dump_sp+0x42/0x50
[ 42.148201] pfkey_do_dump+0x40/0x2b0
[ 42.151960] pfkey_spddump+0x187/0x1e0
[ 42.155809] pfkey_process+0x606/0x710
[ 42.159656] pfkey_sendmsg+0x3af/0x750
[ 42.163503] sock_sendmsg+0xca/0x110
[ 42.167178] sock_write_iter+0x21d/0x3a0
[ 42.171201] __vfs_write+0x4ac/0x660
[ 42.174897] vfs_write+0x170/0x4e0
[ 42.178507] SyS_write+0xd4/0x1a0
[ 42.181923] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 42.186637] Freed:
[ 42.188744] PID = 3352
[ 42.191202] save_stack_trace+0x16/0x20
[ 42.195136] save_stack+0x43/0xd0
[ 42.198549] kasan_slab_free+0x73/0xc0
[ 42.202394] kmem_cache_free+0xb2/0x2e0
[ 42.206331] kfree_skbmem+0xd7/0xf0
[ 42.209918] __kfree_skb+0x1d/0x20
[ 42.213419] kfree_skb+0xcc/0x330
[ 42.216838] pfkey_broadcast+0x3d6/0x5f0
[ 42.220862] pfkey_do_dump+0x20e/0x2b0
[ 42.224708] pfkey_recvmsg+0x443/0x4f0
[ 42.228581] sock_recvmsg+0xc9/0x110
[ 42.232255] SYSC_recvfrom+0x1e3/0x300
[ 42.236099] SyS_recvfrom+0x40/0x50
[ 42.239683] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 42.244393] Memory state around the buggy address:
[ 42.249283] ffff8801cac25400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.256602] ffff8801cac25480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.263922] >ffff8801cac25500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.271254] ^
[ 42.274842] ffff8801cac25580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 42.282259] ffff8801cac25600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 42.289596] ==================================================================
[ 42.296926] Disabling lock debugging due to kernel taint
[ 42.304570] ==================================================================
[ 42.311908] BUG: KASAN: use-after-free in skb_dequeue+0x176/0x180 at addr ffff8801cac25500
[ 42.320268] Read of size 8 by task syz-executor0/3353
[ 42.325420] CPU: 1 PID: 3353 Comm: syz-executor0 Tainted: G B 4.9.39-g72a0c9f #6
[ 42.334039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.343353] ffff8801cfa776c8 ffffffff81eacd59 ffff8801d9ff23c0 ffff8801cac25500
[ 42.351274] ffff8801cac255e0 ffffed0039584aa0 ffff8801cac25500 ffff8801cfa776f0
[ 42.359218] ffffffff81546bfc ffffed0039584aa0 ffff8801d9ff23c0 0000000000000000
[ 42.367163] Call Trace:
[ 42.369713] [] dump_stack+0xc1/0x128
[ 42.375037] [] kasan_object_err+0x1c/0x70
[ 42.380825] [] kasan_report.part.1+0x20d/0x4e0
[ 42.387018] [] ? skb_dequeue+0x176/0x180
[ 42.392691] [] __asan_report_load8_noabort+0x29/0x30
[ 42.399403] [] skb_dequeue+0x176/0x180
[ 42.404899] [] skb_queue_purge+0x26/0x40
[ 42.410570] [] pfkey_sock_destruct+0x157/0x370
[ 42.416759] [] ? pfkey_sock_destruct+0x34/0x370
[ 42.423037] [] ? pfkey_is_alive+0x470/0x470
[ 42.428966] [] __sk_destruct+0x53/0x570
[ 42.434554] [] sk_destruct+0x47/0x80
[ 42.439878] [] __sk_free+0x57/0x230
[ 42.445119] [] sk_free+0x23/0x30
[ 42.450099] [] pfkey_release+0x25e/0x2f0
[ 42.455772] [] ? sock_release+0x1e0/0x1e0
[ 42.461531] [] sock_release+0x8d/0x1e0
[ 42.467043] [] sock_close+0x16/0x20
[ 42.472296] [] __fput+0x28c/0x6e0
[ 42.477383] [] ____fput+0x15/0x20
[ 42.482451] [] task_work_run+0x115/0x190
[ 42.488121] [] do_exit+0x82e/0x2a50
[ 42.493359] [] ? perf_trace_lock_acquire+0x520/0x520
[ 42.500073] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 42.507059] [] ? release_task+0x1240/0x1240
[ 42.512994] [] ? wake_up_q+0x8a/0xe0
[ 42.518320] [] ? drop_futex_key_refs.isra.12+0x63/0xd0
[ 42.525209] [] ? __dequeue_signal+0xa3/0x550
[ 42.531227] [] ? recalc_sigpending+0x72/0x90
[ 42.537246] [] do_group_exit+0x108/0x320
[ 42.542924] [] get_signal+0x55c/0x1600
[ 42.548425] [] do_signal+0x7f/0x1940
[ 42.553754] [] ? debug_smp_processor_id+0x1c/0x20
[ 42.560210] [] ? perf_trace_lock+0x112/0x500
[ 42.566229] [] ? perf_trace_lock_acquire+0x520/0x520
[ 42.572953] [] ? setup_sigcontext+0x7d0/0x7d0
[ 42.579062] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 42.586037] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.592579] [] ? SyS_futex+0x226/0x2c0
[ 42.598074] [] ? exit_to_usermode_loop+0xaf/0x130
[ 42.604525] [] exit_to_usermode_loop+0xe5/0x130
[ 42.610804] [] syscall_return_slowpath+0x1a0/0x1e0
[ 42.617347] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
[ 42.623886] Object at ffff8801cac25500, in cache skbuff_head_cache size: 224
[ 42.631027] Allocated:
[ 42.633483] PID = 3351
[ 42.635943] save_stack_trace+0x16/0x20
[ 42.639878] save_stack+0x43/0xd0
[ 42.643306] kasan_kmalloc+0xad/0xe0
[ 42.646982] kasan_slab_alloc+0x12/0x20
[ 42.650934] kmem_cache_alloc_node+0x107/0x2a0
[ 42.655479] __alloc_skb+0xef/0x600
[ 42.659080] pfkey_xfrm_policy2msg_prep+0x29/0x50
[ 42.663883] dump_sp+0xa8/0x450
[ 42.667126] xfrm_policy_walk+0x1b1/0x4d0
[ 42.671247] pfkey_dump_sp+0x42/0x50
[ 42.674928] pfkey_do_dump+0x40/0x2b0
[ 42.678693] pfkey_spddump+0x187/0x1e0
[ 42.682544] pfkey_process+0x606/0x710
[ 42.686398] pfkey_sendmsg+0x3af/0x750
[ 42.690247] sock_sendmsg+0xca/0x110
[ 42.693919] sock_write_iter+0x21d/0x3a0
[ 42.697937] __vfs_write+0x4ac/0x660
[ 42.701607] vfs_write+0x170/0x4e0
[ 42.705116] SyS_write+0xd4/0x1a0
[ 42.708538] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 42.713250] Freed:
[ 42.715359] PID = 3352
[ 42.717826] save_stack_trace+0x16/0x20
[ 42.721776] save_stack+0x43/0xd0
[ 42.725190] kasan_slab_free+0x73/0xc0
[ 42.729037] kmem_cache_free+0xb2/0x2e0
[ 42.732990] kfree_skbmem+0xd7/0xf0
[ 42.736591] __kfree_skb+0x1d/0x20
[ 42.740102] kfree_skb+0xcc/0x330
[ 42.743520] pfkey_broadcast+0x3d6/0x5f0
[ 42.747542] pfkey_do_dump+0x20e/0x2b0
[ 42.751396] pfkey_recvmsg+0x443/0x4f0
[ 42.755252] sock_recvmsg+0xc9/0x110
[ 42.758928] SYSC_recvfrom+0x1e3/0x300
[ 42.762774] SyS_recvfrom+0x40/0x50
[ 42.766363] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 42.771076] Memory state around the buggy address:
[ 42.775967] ffff8801cac25400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb