INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [ 36.854928] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 37.117559] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 37.504697] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.510841] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.551884] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.595562] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.641542] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 37.647692] 8021q: adding VLAN 0 to HW filter on device team0
[ 37.677763] bond0: Enslaving bond_slave as an active interface with an up link
executing program
[ 37.686302] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 37.704905] team0: Port device team_slave added
[ 37.710340] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 37.747204] ==================================================================
[ 37.754721] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[ 37.761494] Write of size 4 at addr ffff8801d8f90ae0 by task syzkaller756769/4502
[ 37.769101] 
[ 37.770718] CPU: 0 PID: 4502 Comm: syzkaller756769 Not tainted 4.16.0+ #19
[ 37.778239] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.787576] Call Trace:
[ 37.790152]  dump_stack+0x1b9/0x294
[ 37.793763]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 37.798944]  ? printk+0x9e/0xba
[ 37.802205]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 37.806944]  ? kasan_check_write+0x14/0x20
[ 37.811164]  print_address_description+0x6c/0x20b
[ 37.815987]  ? skb_release_data+0x19b/0x860
[ 37.820292]  kasan_report.cold.7+0xac/0x2f5
[ 37.824627]  check_memory_region+0x13e/0x1b0
[ 37.829027]  kasan_check_write+0x14/0x20
[ 37.833067]  skb_release_data+0x19b/0x860
[ 37.837198]  ? skb_tx_error+0x2f0/0x2f0
[ 37.841150]  ? kasan_check_read+0x11/0x20
[ 37.845278]  ? rcu_is_watching+0x85/0x140
[ 37.849407]  ? kasan_check_write+0x14/0x20
[ 37.853625]  ? sock_rmem_free+0x6f/0x90
[ 37.857582]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 37.863100]  skb_release_all+0x4a/0x60
[ 37.866970]  kfree_skb+0x195/0x560
[ 37.870488]  ? skb_queue_purge+0x19/0x40
[ 37.874531]  ? __kfree_skb+0x20/0x20
[ 37.878228]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 37.882810]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 37.887896]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 37.892891]  ? trace_hardirqs_on+0xd/0x10
[ 37.897020]  ? skb_dequeue+0x12f/0x180
[ 37.900890]  skb_queue_purge+0x19/0x40
[ 37.904763]  packet_sock_destruct+0x93/0x290
[ 37.909165]  ? packet_mm_close+0xc0/0xc0
[ 37.913216]  ? graph_lock+0x170/0x170
[ 37.916999]  ? __free_object+0x16e/0x330
[ 37.921037]  ? __list_del_entry_valid.cold.1+0x58/0x58
[ 37.926293]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 37.930857]  ? packet_mm_close+0xc0/0xc0
[ 37.934908]  __sk_destruct+0xff/0xa40
[ 37.938689]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 37.943601]  ? graph_lock+0x170/0x170
[ 37.947381]  ? lock_downgrade+0x8e0/0x8e0
[ 37.951508]  ? __lock_is_held+0xb5/0x140
[ 37.955552]  ? kasan_check_read+0x11/0x20
[ 37.959690]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 37.964088]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 37.968653]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 37.973739]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.979266]  ? refcount_sub_and_test+0x212/0x330
[ 37.984004]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 37.988739]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 37.993473]  ? pcpu_free_area+0xa90/0xa90
[ 37.997603]  sk_destruct+0x78/0x90
[ 38.001132]  __sk_free+0x22e/0x340
[ 38.004654]  sk_free+0x42/0x50
[ 38.007828]  packet_release+0xa18/0xd50
[ 38.011786]  ? lock_downgrade+0x8e0/0x8e0
[ 38.015917]  ? packet_lookup_frame+0x270/0x270
[ 38.020482]  ? cpumask_weight.constprop.5+0x44/0x44
[ 38.025479]  ? do_raw_spin_lock+0xc1/0x200
[ 38.029694]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.035212]  ? locks_remove_file+0x3f7/0x5a0
[ 38.039611]  ? fcntl_setlk+0x1020/0x1020
[ 38.043651]  ? fsnotify+0x415/0x1100
[ 38.047348]  ? fsnotify_first_mark+0x330/0x330
[ 38.051912]  sock_release+0x96/0x1b0
[ 38.055605]  ? sock_alloc_file+0x4e0/0x4e0
[ 38.059835]  sock_close+0x16/0x20
[ 38.063284]  __fput+0x34d/0x890
[ 38.066545]  ? fput+0x1a0/0x1a0
[ 38.069806]  ? check_same_owner+0x320/0x320
[ 38.074107]  ____fput+0x15/0x20
[ 38.077365]  task_work_run+0x1e4/0x290
[ 38.081246]  ? task_work_cancel+0x240/0x240
[ 38.085565]  ? switch_task_namespaces+0xbd/0xd0
[ 38.090243]  do_exit+0x1aee/0x2730
[ 38.093784]  ? mm_update_next_owner+0x980/0x980
[ 38.098434]  ? finish_mkwrite_fault+0x610/0x610
[ 38.103094]  ? debug_check_no_locks_freed+0x310/0x310
[ 38.108281]  ? kasan_check_read+0x11/0x20
[ 38.112421]  ? rcu_is_watching+0x85/0x140
[ 38.116561]  ? lock_acquire+0x1dc/0x520
[ 38.120522]  ? lock_release+0xa10/0xa10
[ 38.124480]  ? tun_chr_close+0x60/0x60
[ 38.128355]  ? kasan_check_write+0x14/0x20
[ 38.132572]  ? do_raw_spin_lock+0xc1/0x200
[ 38.136800]  ? __handle_mm_fault+0x88c/0x4150
[ 38.141277]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 38.146017]  ? graph_lock+0x170/0x170
[ 38.149812]  ? rcu_is_watching+0x85/0x140
[ 38.153941]  ? graph_lock+0x170/0x170
[ 38.157723]  ? find_held_lock+0x36/0x1c0
[ 38.161772]  ? find_held_lock+0x36/0x1c0
[ 38.165822]  ? lock_downgrade+0x8e0/0x8e0
[ 38.169950]  ? handle_mm_fault+0x8c0/0xc70
[ 38.174174]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 38.179689]  ? handle_mm_fault+0x55a/0xc70
[ 38.184100]  ? __handle_mm_fault+0x4150/0x4150
[ 38.188665]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.194182]  ? __do_page_fault+0x441/0xe40
[ 38.198400]  do_group_exit+0x16f/0x430
[ 38.202267]  ? SyS_exit+0x30/0x30
[ 38.205997]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 38.210822]  ? do_syscall_64+0xb7/0x9d0
[ 38.214782]  ? do_group_exit+0x430/0x430
[ 38.218822]  SyS_exit_group+0x1d/0x20
[ 38.222611]  do_syscall_64+0x29e/0x9d0
[ 38.226577]  ? vmalloc_sync_all+0x30/0x30
[ 38.230713]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.235447]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 38.240356]  ? syscall_return_slowpath+0x30f/0x5c0
[ 38.245278]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.250797]  ? retint_user+0x18/0x18
[ 38.254492]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.259317]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.264486] RIP: 0033:0x441619
[ 38.267655] RSP: 002b:00007fffc8e43478 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 38.275345] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441619
[ 38.282595] RDX: 0000000000441550 RSI: 0000000000000001 RDI: 0000000000000001
[ 38.289855] RBP: 00000000004a3229 R08: 0000000000000000 R09: 00000000006cd018
[ 38.297115] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fffc8e43568
[ 38.304383] R13: 00000000004023a0 R14: 0000000000000000 R15: 0000000000000000
[ 38.311645] 
[ 38.313258] Allocated by task 4502:
[ 38.316875]  save_stack+0x43/0xd0
[ 38.320310]  kasan_kmalloc+0xc4/0xe0
[ 38.324034]  __kmalloc_node_track_caller+0x47/0x70
[ 38.328951]  __kmalloc_reserve.isra.38+0x3a/0xe0
[ 38.333689]  __alloc_skb+0x14d/0x780
[ 38.337402]  alloc_skb_with_frags+0x137/0x760
[ 38.341880]  sock_alloc_send_pskb+0x87a/0xae0
[ 38.346357]  packet_sendmsg+0x1bd1/0x6100
[ 38.350497]  sock_sendmsg+0xd5/0x120
[ 38.354192]  ___sys_sendmsg+0x805/0x940
[ 38.358148]  __sys_sendmsg+0x115/0x270
[ 38.362014]  SyS_sendmsg+0x29/0x30
[ 38.365533]  do_syscall_64+0x29e/0x9d0
[ 38.369401]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.374566] 
[ 38.376173] Freed by task 4502:
[ 38.379435]  save_stack+0x43/0xd0
[ 38.382872]  __kasan_slab_free+0x11a/0x170
[ 38.387088]  kasan_slab_free+0xe/0x10
[ 38.390883]  kfree+0xd9/0x260
[ 38.393968]  skb_free_head+0x99/0xc0
[ 38.397661]  skb_release_data+0x690/0x860
[ 38.401801]  skb_release_all+0x4a/0x60
[ 38.405843]  kfree_skb+0x195/0x560
[ 38.409366]  ip6_tnl_start_xmit+0xa44/0x2290
[ 38.413758]  dev_hard_start_xmit+0x264/0xc10
[ 38.418146]  __dev_queue_xmit+0x2724/0x34c0
[ 38.422445]  dev_queue_xmit+0x17/0x20
[ 38.426234]  packet_sendmsg+0x411d/0x6100
[ 38.430362]  sock_sendmsg+0xd5/0x120
[ 38.434055]  ___sys_sendmsg+0x805/0x940
[ 38.438009]  __sys_sendmsg+0x115/0x270
[ 38.441877]  SyS_sendmsg+0x29/0x30
[ 38.445397]  do_syscall_64+0x29e/0x9d0
[ 38.449267]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.454441] 
[ 38.456049] The buggy address belongs to the object at ffff8801d8f90a00
[ 38.456049]  which belongs to the cache kmalloc-512 of size 512
[ 38.468685] The buggy address is located 224 bytes inside of
[ 38.468685]  512-byte region [ffff8801d8f90a00, ffff8801d8f90c00)
[ 38.480547] The buggy address belongs to the page:
[ 38.485463] page:ffffea000763e400 count:1 mapcount:0 mapping:ffff8801d8f90000 index:0x0
[ 38.493674] flags: 0x2fffc0000000100(slab)
[ 38.497893] raw: 02fffc0000000100 ffff8801d8f90000 0000000000000000 0000000100000006
[ 38.505754] raw: ffffea0007634560 ffffea0007627160 ffff8801dac00940 0000000000000000
[ 38.513609] page dumped because: kasan: bad access detected
[ 38.519305] 
[ 38.520912] Memory state around the buggy address:
[ 38.525820]  ffff8801d8f90980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.533157]  ffff8801d8f90a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.540496] >ffff8801d8f90a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.547840]                                                        ^
[ 38.554314]  ffff8801d8f90b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.561652]  ffff8801d8f90b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.568986] ==================================================================
[ 38.576321] Disabling lock debugging due to kernel taint
[ 38.581984] Kernel panic - not syncing: panic_on_warn set ...
[ 38.581984] 
[ 38.589346] CPU: 0 PID: 4502 Comm: syzkaller756769 Tainted: G B 4.16.0+ #19
[ 38.597638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.606983] Call Trace:
[ 38.609556]  dump_stack+0x1b9/0x294
[ 38.613163]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.618340]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.623075]  ? skb_release_data+0xd0/0x860
[ 38.627289]  panic+0x22f/0x4de
[ 38.630460]  ? add_taint.cold.5+0x16/0x16
[ 38.634594]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 38.638982]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 38.643463]  ? skb_release_data+0x19b/0x860
[ 38.647770]  kasan_end_report+0x47/0x4f
[ 38.651723]  kasan_report.cold.7+0xc9/0x2f5
[ 38.656023]  check_memory_region+0x13e/0x1b0
[ 38.660417]  kasan_check_write+0x14/0x20
[ 38.664457]  skb_release_data+0x19b/0x860
[ 38.668583]  ? skb_tx_error+0x2f0/0x2f0
[ 38.672534]  ? kasan_check_read+0x11/0x20
[ 38.676660]  ? rcu_is_watching+0x85/0x140
[ 38.680787]  ? kasan_check_write+0x14/0x20
[ 38.684999]  ? sock_rmem_free+0x6f/0x90
[ 38.688955]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.694468]  skb_release_all+0x4a/0x60
[ 38.698334]  kfree_skb+0x195/0x560
[ 38.701854]  ? skb_queue_purge+0x19/0x40
[ 38.705903]  ? __kfree_skb+0x20/0x20
[ 38.709610]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 38.714173]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 38.719256]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 38.724248]  ? trace_hardirqs_on+0xd/0x10
[ 38.728375]  ? skb_dequeue+0x12f/0x180
[ 38.732243]  skb_queue_purge+0x19/0x40
[ 38.736113]  packet_sock_destruct+0x93/0x290
[ 38.740498]  ? packet_mm_close+0xc0/0xc0
[ 38.744545]  ? graph_lock+0x170/0x170
[ 38.748324]  ? __free_object+0x16e/0x330
[ 38.752367]  ? __list_del_entry_valid.cold.1+0x58/0x58
[ 38.757621]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 38.762192]  ? packet_mm_close+0xc0/0xc0
[ 38.766232]  __sk_destruct+0xff/0xa40
[ 38.770013]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 38.774924]  ? graph_lock+0x170/0x170
[ 38.778703]  ? lock_downgrade+0x8e0/0x8e0
[ 38.782831]  ? __lock_is_held+0xb5/0x140
[ 38.786875]  ? kasan_check_read+0x11/0x20
[ 38.791005]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 38.795395]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 38.799966]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 38.805050]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.810565]  ? refcount_sub_and_test+0x212/0x330
[ 38.815309]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 38.820043]  ? refcount_inc_not_zero+0x2d0/0x2d0
[ 38.824777]  ? pcpu_free_area+0xa90/0xa90
[ 38.828915]  sk_destruct+0x78/0x90
[ 38.832434]  __sk_free+0x22e/0x340
[ 38.835955]  sk_free+0x42/0x50
[ 38.839127]  packet_release+0xa18/0xd50
[ 38.843080]  ? lock_downgrade+0x8e0/0x8e0
[ 38.847206]  ? packet_lookup_frame+0x270/0x270
[ 38.851768]  ? cpumask_weight.constprop.5+0x44/0x44
[ 38.856764]  ? do_raw_spin_lock+0xc1/0x200
[ 38.860978]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.866505]  ? locks_remove_file+0x3f7/0x5a0
[ 38.870913]  ? fcntl_setlk+0x1020/0x1020
[ 38.874953]  ? fsnotify+0x415/0x1100
[ 38.878647]  ? fsnotify_first_mark+0x330/0x330
[ 38.883210]  sock_release+0x96/0x1b0
[ 38.886903]  ? sock_alloc_file+0x4e0/0x4e0
[ 38.891117]  sock_close+0x16/0x20
[ 38.894547]  __fput+0x34d/0x890
[ 38.897825]  ? fput+0x1a0/0x1a0
[ 38.901096]  ? check_same_owner+0x320/0x320
[ 38.905399]  ____fput+0x15/0x20
[ 38.908677]  task_work_run+0x1e4/0x290
[ 38.912543]  ? task_work_cancel+0x240/0x240
[ 38.916850]  ? switch_task_namespaces+0xbd/0xd0
[ 38.921499]  do_exit+0x1aee/0x2730
[ 38.925019]  ? mm_update_next_owner+0x980/0x980
[ 38.929667]  ? finish_mkwrite_fault+0x610/0x610
[ 38.934315]  ? debug_check_no_locks_freed+0x310/0x310
[ 38.939483]  ? kasan_check_read+0x11/0x20
[ 38.943609]  ? rcu_is_watching+0x85/0x140
[ 38.947744]  ? lock_acquire+0x1dc/0x520
[ 38.951695]  ? lock_release+0xa10/0xa10
[ 38.955650]  ? tun_chr_close+0x60/0x60
[ 38.960098]  ? kasan_check_write+0x14/0x20
[ 38.964351]  ? do_raw_spin_lock+0xc1/0x200
[ 38.968573]  ? __handle_mm_fault+0x88c/0x4150
[ 38.973051]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 38.977786]  ? graph_lock+0x170/0x170
[ 38.981581]  ? rcu_is_watching+0x85/0x140
[ 38.985707]  ? graph_lock+0x170/0x170
[ 38.989484]  ? find_held_lock+0x36/0x1c0
[ 38.993525]  ? find_held_lock+0x36/0x1c0
[ 38.997567]  ? lock_downgrade+0x8e0/0x8e0
[ 39.001692]  ? handle_mm_fault+0x8c0/0xc70
[ 39.005918]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 39.011433]  ? handle_mm_fault+0x55a/0xc70
[ 39.015646]  ? __handle_mm_fault+0x4150/0x4150
[ 39.020211]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.025734]  ? __do_page_fault+0x441/0xe40
[ 39.029953]  do_group_exit+0x16f/0x430
[ 39.033819]  ? SyS_exit+0x30/0x30
[ 39.037251]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 39.042073]  ? do_syscall_64+0xb7/0x9d0
[ 39.046037]  ? do_group_exit+0x430/0x430
[ 39.050084]  SyS_exit_group+0x1d/0x20
[ 39.053870]  do_syscall_64+0x29e/0x9d0
[ 39.057738]  ? vmalloc_sync_all+0x30/0x30
[ 39.061865]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.066603]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 39.071518]  ? syscall_return_slowpath+0x30f/0x5c0
[ 39.076428]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.081950]  ? retint_user+0x18/0x18
[ 39.085644]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.091137]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.096316] RIP: 0033:0x441619
[ 39.099482] RSP: 002b:00007fffc8e43478 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 39.107168] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441619
[ 39.114417] RDX: 0000000000441550 RSI: 0000000000000001 RDI: 0000000000000001
[ 39.121670] RBP: 00000000004a3229 R08: 0000000000000000 R09: 00000000006cd018
[ 39.128918] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fffc8e43568
[ 39.136166] R13: 00000000004023a0 R14: 0000000000000000 R15: 0000000000000000
[ 39.143898] Dumping ftrace buffer:
[ 39.147418]    (ftrace buffer empty)
[ 39.151104] Kernel Offset: disabled
[ 39.154715] Rebooting in 86400 seconds..