INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-next-kasan-gce-4,10.128.15.195' (ECDSA) to the list of known hosts. 2017/08/15 11:00:20 parsed 1 programs 2017/08/15 11:00:20 executed programs: 0 syzkaller login: [ 32.688385] ================================================================== [ 32.689481] BUG: KASAN: use-after-free in skb_release_data+0x5cf/0x790 [ 32.690384] Read of size 1 at addr ffff8801ce0c7d42 by task syz-executor3/3475 [ 32.691434] [ 32.691665] CPU: 0 PID: 3475 Comm: syz-executor3 Not tainted 4.13.0-rc5-next-20170815+ #3 [ 32.692782] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.694055] Call Trace: [ 32.694447] dump_stack+0x194/0x257 [ 32.694935] ? arch_local_irq_restore+0x53/0x53 [ 32.695595] ? show_regs_print_info+0x65/0x65 [ 32.696199] ? skb_release_data+0x5cf/0x790 [ 32.696777] print_address_description+0x73/0x250 [ 32.697430] ? skb_release_data+0x5cf/0x790 [ 32.698005] kasan_report+0x24e/0x340 [ 32.698519] __asan_report_load1_noabort+0x14/0x20 [ 32.699171] skb_release_data+0x5cf/0x790 [ 32.699723] ? lock_downgrade+0x990/0x990 [ 32.700280] ? ip_route_input_rcu+0x1193/0x3210 [ 32.701042] ? do_raw_spin_trylock+0x190/0x190 [ 32.701669] ? skb_tx_error+0x2c0/0x2c0 [ 32.702217] ? __lock_is_held+0xb6/0x140 [ 32.702836] skb_release_all+0x4a/0x60 [ 32.703359] kfree_skb+0x15d/0x4c0 [ 32.703837] ? ip_defrag+0xc69/0x4000 [ 32.704370] ? __kfree_skb+0x20/0x20 [ 32.704894] ? lock_release+0xa40/0xa40 [ 32.705438] ? check_noncircular+0x20/0x20 [ 32.706001] ? ipqhashfn+0xb7/0x180 [ 32.706541] ? ip4_frag_match+0x370/0x370 [ 32.707113] ? percpu_counter_add_batch+0xce/0x130 [ 32.707770] ip_defrag+0xc69/0x4000 [ 32.708273] ? match_held_lock+0x9f0/0x9f0 [ 32.711066] ? ip_expire+0x6d0/0x6d0 [ 32.714748] ? lock_downgrade+0x990/0x990 [ 32.718871] ? check_noncircular+0x20/0x20 [ 32.723075] ? lock_release+0xa40/0xa40 [ 32.727029] ip_local_deliver+0x174/0x6d0 [ 32.731145] ? ip_call_ra_chain+0x6d0/0x6d0 [ 32.735443] ? __lock_is_held+0xb6/0x140 [ 32.739487] ip_rcv_finish+0x8db/0x19c0 [ 32.743432] ? iptable_nat_ipv4_fn+0x40/0x40 [ 32.747815] ? ip_local_deliver_finish+0xba0/0xba0 [ 32.752724] ? ip_rcv+0xf05/0x17d0 [ 32.756234] ? lock_downgrade+0x990/0x990 [ 32.760357] ? rcu_read_lock_held+0xa9/0xc0 [ 32.764659] ? nf_hook_slow+0x12d/0x290 [ 32.768615] ip_rcv+0xc3f/0x17d0 [ 32.771953] ? ip_local_deliver+0x6d0/0x6d0 [ 32.776240] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 32.781398] ? __lock_acquire+0x6aa/0x3bc0 [ 32.785614] ? ip_local_deliver_finish+0xba0/0xba0 [ 32.790511] ? ip_local_deliver+0x6d0/0x6d0 [ 32.794803] __netif_receive_skb_core+0x19af/0x33d0 [ 32.799789] ? unwind_get_return_address+0x61/0xa0 [ 32.804701] ? nf_ingress+0x9f0/0x9f0 [ 32.808473] ? save_stack+0xa3/0xd0 [ 32.812066] ? save_stack_trace+0x16/0x20 [ 32.816176] ? save_stack+0x43/0xd0 [ 32.819770] ? kasan_kmalloc+0xad/0xe0 [ 32.823621] ? kasan_slab_alloc+0x12/0x20 [ 32.827732] ? kmem_cache_alloc+0x12e/0x760 [ 32.832035] ? __build_skb+0x9d/0x450 [ 32.835886] ? build_skb+0x6f/0x260 [ 32.839482] ? tun_get_user+0x1db7/0x2150 [ 32.843601] ? tun_chr_write_iter+0xd8/0x190 [ 32.847981] ? __vfs_write+0x684/0x970 [ 32.851833] ? vfs_write+0x189/0x510 [ 32.855509] ? SyS_write+0xef/0x220 [ 32.859114] ? entry_SYSCALL_64_fastpath+0x1f/0xbe [ 32.864022] ? __unlock_page_memcg+0x72/0x100 [ 32.868486] ? unlock_page_memcg+0x2c/0x40 [ 32.872690] ? check_noncircular+0x20/0x20 [ 32.876889] ? check_noncircular+0x20/0x20 [ 32.881093] ? page_add_new_anon_rmap+0x750/0x750 [ 32.885909] ? __skb_flow_dissect+0xfa1/0x3ae0 [ 32.890465] ? __lock_acquire+0x5d0/0x3bc0 [ 32.895020] ? __skb_flow_get_ports+0x400/0x400 [ 32.899671] ? find_held_lock+0x35/0x1d0 [ 32.903709] ? netif_receive_skb_internal+0x1d7/0x5e0 [ 32.908868] ? lock_downgrade+0x990/0x990 [ 32.912994] ? pvclock_read_flags+0x160/0x160 [ 32.917473] ? lock_acquire+0x1d5/0x580 [ 32.921413] ? lock_acquire+0x1d5/0x580 [ 32.925357] ? netif_receive_skb_internal+0x93/0x5e0 [ 32.930430] ? ktime_get_with_offset+0x2c1/0x420 [ 32.935158] ? lock_release+0xa40/0xa40 [ 32.939096] ? do_gettimeofday+0x190/0x190 [ 32.943328] __netif_receive_skb+0x2c/0x1b0 [ 32.947627] ? __netif_receive_skb+0x2c/0x1b0 [ 32.952099] netif_receive_skb_internal+0x10b/0x5e0 [ 32.957084] ? dev_cpu_dead+0xb00/0xb00 [ 32.961028] ? tun_device_event+0xca0/0xca0 [ 32.965325] ? rcu_pm_notify+0xc0/0xc0 [ 32.969195] netif_receive_skb+0xae/0x390 [ 32.973310] ? netif_receive_skb_internal+0x5e0/0x5e0 [ 32.978495] ? find_held_lock+0x35/0x1d0 [ 32.982535] ? tun_rx_batched.isra.43+0x5bd/0x860 [ 32.987348] tun_rx_batched.isra.43+0x5e7/0x860 [ 32.991988] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 32.996636] ? tun_sock_write_space+0x370/0x370 [ 33.001279] ? compat_start_thread+0x80/0x80 [ 33.005670] ? tun_free_netdev+0x1b0/0x1b0 [ 33.009888] ? check_noncircular+0x20/0x20 [ 33.014104] tun_get_user+0x11dd/0x2150 [ 33.018064] ? tun_flow_update+0xf70/0xf70 [ 33.022274] ? __tun_get+0x1ab/0x2e0 [ 33.025963] ? lock_downgrade+0x990/0x990 [ 33.030079] ? lock_release+0xa40/0xa40 [ 33.034032] ? __lock_is_held+0xb6/0x140 [ 33.038071] ? __tun_get+0x1d4/0x2e0 [ 33.041758] ? tun_chr_close+0x60/0x60 [ 33.045629] tun_chr_write_iter+0xd8/0x190 [ 33.049838] __vfs_write+0x684/0x970 [ 33.053523] ? default_llseek+0x290/0x290 [ 33.057642] ? _cond_resched+0x14/0x30 [ 33.061510] ? avc_policy_seqno+0x9/0x20 [ 33.065539] ? selinux_file_permission+0x82/0x460 [ 33.070357] ? rw_verify_area+0xe5/0x2b0 [ 33.074384] ? __fdget_raw+0x20/0x20 [ 33.078073] vfs_write+0x189/0x510 [ 33.081584] SyS_write+0xef/0x220 [ 33.085007] ? SyS_read+0x220/0x220 [ 33.088599] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.093594] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.098329] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.103059] RIP: 0033:0x40b751 [ 33.106222] RSP: 002b:00007fb3dbcfec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 33.113896] RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 000000000040b751 [ 33.121132] RDX: 0000000000000036 RSI: 0000000020002000 RDI: 0000000000000003 [ 33.128372] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000 [ 33.135607] R10: 00000000000f4246 R11: 0000000000000293 R12: 00000000004bab1b [ 33.142847] R13: 00000000ffffffff R14: 0000000000000036 R15: 0000000020002000 [ 33.150131] [ 33.151744] The buggy address belongs to the page: [ 33.156644] page:ffffea00073831c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 33.164759] flags: 0x200000000000000() [ 33.168612] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 33.176462] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 33.184318] page dumped because: kasan: bad access detected [ 33.190003] [ 33.191596] Memory state around the buggy address: [ 33.196491] ffff8801ce0c7c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.203824] ffff8801ce0c7c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.211160] >ffff8801ce0c7d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.218488] ^ [ 33.223915] ffff8801ce0c7d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.231240] ffff8801ce0c7e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.238560] ================================================================== [ 33.245882] Disabling lock debugging due to kernel taint [ 33.251374] Kernel panic - not syncing: panic_on_warn set ... [ 33.251374] [ 33.258706] CPU: 0 PID: 3475 Comm: syz-executor3 Tainted: G B 4.13.0-rc5-next-20170815+ #3 [ 33.268198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.277524] Call Trace: [ 33.280088] dump_stack+0x194/0x257 [ 33.283681] ? arch_local_irq_restore+0x53/0x53 [ 33.288315] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.293039] ? skb_release_data+0x520/0x790 [ 33.297336] panic+0x1e4/0x417 [ 33.300491] ? __warn+0x1d9/0x1d9 [ 33.303915] ? skb_release_data+0x5cf/0x790 [ 33.308202] kasan_end_report+0x50/0x50 [ 33.312144] kasan_report+0x137/0x340 [ 33.315924] __asan_report_load1_noabort+0x14/0x20 [ 33.320819] skb_release_data+0x5cf/0x790 [ 33.324942] ? lock_downgrade+0x990/0x990 [ 33.329058] ? ip_route_input_rcu+0x1193/0x3210 [ 33.333701] ? do_raw_spin_trylock+0x190/0x190 [ 33.338253] ? skb_tx_error+0x2c0/0x2c0 [ 33.342208] ? __lock_is_held+0xb6/0x140 [ 33.346255] skb_release_all+0x4a/0x60 [ 33.350108] kfree_skb+0x15d/0x4c0 [ 33.353613] ? ip_defrag+0xc69/0x4000 [ 33.357379] ? __kfree_skb+0x20/0x20 [ 33.361061] ? lock_release+0xa40/0xa40 [ 33.365038] ? check_noncircular+0x20/0x20 [ 33.369237] ? ipqhashfn+0xb7/0x180 [ 33.372829] ? ip4_frag_match+0x370/0x370 [ 33.376954] ? percpu_counter_add_batch+0xce/0x130 [ 33.381854] ip_defrag+0xc69/0x4000 [ 33.385453] ? match_held_lock+0x9f0/0x9f0 [ 33.389661] ? ip_expire+0x6d0/0x6d0 [ 33.393344] ? lock_downgrade+0x990/0x990 [ 33.397460] ? check_noncircular+0x20/0x20 [ 33.401663] ? lock_release+0xa40/0xa40 [ 33.405607] ip_local_deliver+0x174/0x6d0 [ 33.409759] ? ip_call_ra_chain+0x6d0/0x6d0 [ 33.414054] ? __lock_is_held+0xb6/0x140 [ 33.418117] ip_rcv_finish+0x8db/0x19c0 [ 33.422057] ? iptable_nat_ipv4_fn+0x40/0x40 [ 33.426437] ? ip_local_deliver_finish+0xba0/0xba0 [ 33.431336] ? ip_rcv+0xf05/0x17d0 [ 33.434847] ? lock_downgrade+0x990/0x990 [ 33.438966] ? rcu_read_lock_held+0xa9/0xc0 [ 33.443256] ? nf_hook_slow+0x12d/0x290 [ 33.447218] ip_rcv+0xc3f/0x17d0 [ 33.450557] ? ip_local_deliver+0x6d0/0x6d0 [ 33.454851] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 33.460014] ? __lock_acquire+0x6aa/0x3bc0 [ 33.464228] ? ip_local_deliver_finish+0xba0/0xba0 [ 33.469131] ? ip_local_deliver+0x6d0/0x6d0 [ 33.473422] __netif_receive_skb_core+0x19af/0x33d0 [ 33.478411] ? unwind_get_return_address+0x61/0xa0 [ 33.483310] ? nf_ingress+0x9f0/0x9f0 [ 33.487080] ? save_stack+0xa3/0xd0 [ 33.490672] ? save_stack_trace+0x16/0x20 [ 33.494784] ? save_stack+0x43/0xd0 [ 33.498375] ? kasan_kmalloc+0xad/0xe0 [ 33.502234] ? kasan_slab_alloc+0x12/0x20 [ 33.506350] ? kmem_cache_alloc+0x12e/0x760 [ 33.510651] ? __build_skb+0x9d/0x450 [ 33.514428] ? build_skb+0x6f/0x260 [ 33.518031] ? tun_get_user+0x1db7/0x2150 [ 33.522149] ? tun_chr_write_iter+0xd8/0x190 [ 33.526524] ? __vfs_write+0x684/0x970 [ 33.530377] ? vfs_write+0x189/0x510 [ 33.534055] ? SyS_write+0xef/0x220 [ 33.537648] ? entry_SYSCALL_64_fastpath+0x1f/0xbe [ 33.542544] ? __unlock_page_memcg+0x72/0x100 [ 33.547007] ? unlock_page_memcg+0x2c/0x40 [ 33.551217] ? check_noncircular+0x20/0x20 [ 33.555418] ? check_noncircular+0x20/0x20 [ 33.559627] ? page_add_new_anon_rmap+0x750/0x750 [ 33.564436] ? __skb_flow_dissect+0xfa1/0x3ae0 [ 33.569000] ? __lock_acquire+0x5d0/0x3bc0 [ 33.573210] ? __skb_flow_get_ports+0x400/0x400 [ 33.577848] ? find_held_lock+0x35/0x1d0 [ 33.581887] ? netif_receive_skb_internal+0x1d7/0x5e0 [ 33.587045] ? lock_downgrade+0x990/0x990 [ 33.591165] ? pvclock_read_flags+0x160/0x160 [ 33.595628] ? lock_acquire+0x1d5/0x580 [ 33.599566] ? lock_acquire+0x1d5/0x580 [ 33.603507] ? netif_receive_skb_internal+0x93/0x5e0 [ 33.608587] ? ktime_get_with_offset+0x2c1/0x420 [ 33.613311] ? lock_release+0xa40/0xa40 [ 33.617257] ? do_gettimeofday+0x190/0x190 [ 33.621463] __netif_receive_skb+0x2c/0x1b0 [ 33.625751] ? __netif_receive_skb+0x2c/0x1b0 [ 33.630213] netif_receive_skb_internal+0x10b/0x5e0 [ 33.635209] ? dev_cpu_dead+0xb00/0xb00 [ 33.639160] ? tun_device_event+0xca0/0xca0 [ 33.643459] ? rcu_pm_notify+0xc0/0xc0 [ 33.647325] netif_receive_skb+0xae/0x390 [ 33.651456] ? netif_receive_skb_internal+0x5e0/0x5e0 [ 33.656616] ? find_held_lock+0x35/0x1d0 [ 33.660648] ? tun_rx_batched.isra.43+0x5bd/0x860 [ 33.665464] tun_rx_batched.isra.43+0x5e7/0x860 [ 33.670101] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 33.674734] ? tun_sock_write_space+0x370/0x370 [ 33.679370] ? compat_start_thread+0x80/0x80 [ 33.683744] ? tun_free_netdev+0x1b0/0x1b0 [ 33.687950] ? check_noncircular+0x20/0x20