INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [ 29.168423] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 29.417760] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 29.772503] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 29.778643] 8021q: adding VLAN 0 to HW filter on device bond0
[ 29.818692] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 29.857890] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.897265] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 29.903379] 8021q: adding VLAN 0 to HW filter on device team0
[ 29.931370] bond0: Enslaving bond_slave as an active interface with an up link
[ 29.939999] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
executing program
[ 29.950627] team0: Port device team_slave added
[ 29.956111] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 29.993125] ==================================================================
[ 30.000586] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[ 30.007253] Write of size 4 at addr ffff8801d9619420 by task syzkaller459469/4465
[ 30.014865]
[ 30.016484] CPU: 0 PID: 4465 Comm: syzkaller459469 Not tainted 4.16.0+ #17
[ 30.023470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.032801] Call Trace:
[ 30.035368] dump_stack+0x1b9/0x294
[ 30.038986] ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.044152] ? printk+0x9e/0xba
[ 30.047409] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.052142] ? kasan_check_write+0x14/0x20
[ 30.056354] print_address_description+0x6c/0x20b
[ 30.061173] ? skb_release_data+0x19b/0x860
[ 30.065471] kasan_report.cold.7+0xac/0x2f5
[ 30.069770] check_memory_region+0x13e/0x1b0
[ 30.074155] kasan_check_write+0x14/0x20
[ 30.078209] skb_release_data+0x19b/0x860
[ 30.082334] ? skb_tx_error+0x2f0/0x2f0
[ 30.086281] ? kasan_check_read+0x11/0x20
[ 30.090405] ? rcu_is_watching+0x85/0x140
[ 30.094531] ? kasan_check_write+0x14/0x20
[ 30.098749] ? sock_rmem_free+0x6f/0x90
[ 30.102703] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.108218] skb_release_all+0x4a/0x60
[ 30.112082] kfree_skb+0x195/0x560
[ 30.115683] ? skb_queue_purge+0x19/0x40
[ 30.119722] ? __kfree_skb+0x20/0x20
[ 30.123417] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.127977] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 30.133059] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.138051] ? trace_hardirqs_on+0xd/0x10
[ 30.142174] ? skb_dequeue+0x12f/0x180
[ 30.146038] skb_queue_purge+0x19/0x40
[ 30.149906] packet_sock_destruct+0x93/0x290
[ 30.154291] ? packet_mm_close+0xc0/0xc0
[ 30.158329] ? graph_lock+0x170/0x170
[ 30.162106] ? __free_object+0x16e/0x330
[ 30.166143] ? __list_del_entry_valid.cold.1+0x58/0x58
[ 30.171397] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.175958] ? packet_mm_close+0xc0/0xc0
[ 30.179998] __sk_destruct+0xff/0xa40
[ 30.183777] ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 30.188686] ? graph_lock+0x170/0x170
[ 30.192467] ? lock_downgrade+0x8e0/0x8e0
[ 30.196592] ? __lock_is_held+0xb5/0x140
[ 30.200632] ? kasan_check_read+0x11/0x20
[ 30.204756] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.209141] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.213701] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 30.218783] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.224297] ? refcount_sub_and_test+0x212/0x330
[ 30.229041] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 30.233777] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 30.238509] ? pcpu_free_area+0xa90/0xa90
[ 30.242633] sk_destruct+0x78/0x90
[ 30.246149] __sk_free+0x22e/0x340
[ 30.249665] sk_free+0x42/0x50
[ 30.252841] packet_release+0xa18/0xd50
[ 30.256790] ? lock_downgrade+0x8e0/0x8e0
[ 30.260913] ? packet_lookup_frame+0x270/0x270
[ 30.265472] ? cpumask_weight.constprop.5+0x44/0x44
[ 30.270463] ? do_raw_spin_lock+0xc1/0x200
[ 30.274676] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.280190] ? locks_remove_file+0x3f7/0x5a0
[ 30.284577] ? fcntl_setlk+0x1020/0x1020
[ 30.288615] ? fsnotify+0x415/0x1100
[ 30.292308] ? fsnotify_first_mark+0x330/0x330
[ 30.296870] sock_release+0x96/0x1b0
[ 30.300561] ? sock_alloc_file+0x4e0/0x4e0
[ 30.304772] sock_close+0x16/0x20
[ 30.308200] __fput+0x34d/0x890
[ 30.311457] ? fput+0x1a0/0x1a0
[ 30.314717] ? check_same_owner+0x320/0x320
[ 30.319021] ____fput+0x15/0x20
[ 30.322274] task_work_run+0x1e4/0x290
[ 30.326139] ? task_work_cancel+0x240/0x240
[ 30.330438] ? switch_task_namespaces+0xbd/0xd0
[ 30.335094] do_exit+0x1aee/0x2730
[ 30.338615] ? mm_update_next_owner+0x980/0x980
[ 30.343260] ? finish_mkwrite_fault+0x610/0x610
[ 30.347907] ? debug_check_no_locks_freed+0x310/0x310
[ 30.353074] ? kasan_check_read+0x11/0x20
[ 30.357200] ? rcu_is_watching+0x85/0x140
[ 30.361325] ? lock_acquire+0x1dc/0x520
[ 30.365277] ? lock_release+0xa10/0xa10
[ 30.369230] ? tun_chr_close+0x60/0x60
[ 30.373097] ? kasan_check_write+0x14/0x20
[ 30.377307] ? do_raw_spin_lock+0xc1/0x200
[ 30.381519] ? __handle_mm_fault+0x88c/0x4150
[ 30.385993] ? vm_insert_mixed_mkwrite+0x40/0x40
[ 30.390729] ? graph_lock+0x170/0x170
[ 30.394506] ? rcu_is_watching+0x85/0x140
[ 30.398629] ? graph_lock+0x170/0x170
[ 30.402417] ? find_held_lock+0x36/0x1c0
[ 30.406468] ? find_held_lock+0x36/0x1c0
[ 30.410507] ? lock_downgrade+0x8e0/0x8e0
[ 30.414640] ? handle_mm_fault+0x8c0/0xc70
[ 30.418854] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 30.424368] ? handle_mm_fault+0x55a/0xc70
[ 30.428578] ? __handle_mm_fault+0x4150/0x4150
[ 30.433149] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.438669] ? __do_page_fault+0x441/0xe40
[ 30.442881] do_group_exit+0x16f/0x430
[ 30.446747] ? SyS_exit+0x30/0x30
[ 30.450180] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 30.455002] ? do_syscall_64+0xb7/0x9d0
[ 30.458953] ? do_group_exit+0x430/0x430
[ 30.462991] SyS_exit_group+0x1d/0x20
[ 30.466789] do_syscall_64+0x29e/0x9d0
[ 30.470653] ? vmalloc_sync_all+0x30/0x30
[ 30.474780] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.479516] ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.484433] ? syscall_return_slowpath+0x30f/0x5c0
[ 30.489340] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.494851] ? retint_user+0x18/0x18
[ 30.498544] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.503384] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.508550] RIP: 0033:0x4416e9
[ 30.511718] RSP: 002b:00007ffeb098d9c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 30.519404] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004416e9
[ 30.526653] RDX: 0000000000441620 RSI: 0000000000000001 RDI: 0000000000000001
[ 30.533899] RBP: 00000000004a3309 R08: 0000000000000000 R09: 00000000006cd018
[ 30.541145] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffeb098dab8
[ 30.548393] R13: 0000000000402470 R14: 0000000000000000 R15: 0000000000000000
[ 30.555645]
[ 30.557248] Allocated by task 4465:
[ 30.560852] save_stack+0x43/0xd0
[ 30.564281] kasan_kmalloc+0xc4/0xe0
[ 30.567990] __kmalloc_node_track_caller+0x47/0x70
[ 30.572898] __kmalloc_reserve.isra.38+0x3a/0xe0
[ 30.577630] __alloc_skb+0x14d/0x780
[ 30.581319] alloc_skb_with_frags+0x137/0x760
[ 30.585791] sock_alloc_send_pskb+0x87a/0xae0
[ 30.590267] packet_sendmsg+0x1bd1/0x6100
[ 30.594394] sock_sendmsg+0xd5/0x120
[ 30.598090] ___sys_sendmsg+0x805/0x940
[ 30.602050] __sys_sendmsg+0x115/0x270
[ 30.605915] SyS_sendmsg+0x29/0x30
[ 30.609431] do_syscall_64+0x29e/0x9d0
[ 30.613295] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.618464]
[ 30.620066] Freed by task 4465:
[ 30.623320] save_stack+0x43/0xd0
[ 30.626763] __kasan_slab_free+0x11a/0x170
[ 30.630976] kasan_slab_free+0xe/0x10
[ 30.634750] kfree+0xd9/0x260
[ 30.637835] skb_free_head+0x99/0xc0
[ 30.641524] skb_release_data+0x690/0x860
[ 30.645647] skb_release_all+0x4a/0x60
[ 30.649512] kfree_skb+0x195/0x560
[ 30.653029] ip6_tnl_start_xmit+0xa44/0x2290
[ 30.657418] dev_hard_start_xmit+0x264/0xc10
[ 30.661802] __dev_queue_xmit+0x2724/0x34c0
[ 30.666099] dev_queue_xmit+0x17/0x20
[ 30.669874] packet_sendmsg+0x411d/0x6100
[ 30.674004] sock_sendmsg+0xd5/0x120
[ 30.677703] ___sys_sendmsg+0x805/0x940
[ 30.681654] __sys_sendmsg+0x115/0x270
[ 30.685521] SyS_sendmsg+0x29/0x30
[ 30.689042] do_syscall_64+0x29e/0x9d0
[ 30.692915] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.698077]
[ 30.699683] The buggy address belongs to the object at ffff8801d9619340
[ 30.699683] which belongs to the cache kmalloc-512 of size 512
[ 30.712318] The buggy address is located 224 bytes inside of
[ 30.712318] 512-byte region [ffff8801d9619340, ffff8801d9619540)
[ 30.724164] The buggy address belongs to the page:
[ 30.729068] page:ffffea0007658640 count:1 mapcount:0 mapping:ffff8801d96190c0 index:0x0
[ 30.737189] flags: 0x2fffc0000000100(slab)
[ 30.741402] raw: 02fffc0000000100 ffff8801d96190c0 0000000000000000 0000000100000006
[ 30.749260] raw: ffffea0006bffe20 ffffea000764e020 ffff8801dac00940 0000000000000000
[ 30.757114] page dumped because: kasan: bad access detected
[ 30.762802]
[ 30.764401] Memory state around the buggy address:
[ 30.769307] ffff8801d9619300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.776641] ffff8801d9619380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.784060] >ffff8801d9619400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.791392] ^
[ 30.795784] ffff8801d9619480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.803118] ffff8801d9619500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.810448] ==================================================================
[ 30.817787] Disabling lock debugging due to kernel taint
[ 30.823711] Kernel panic - not syncing: panic_on_warn set ...
[ 30.823711]
[ 30.831062] CPU: 0 PID: 4465 Comm: syzkaller459469 Tainted: G B 4.16.0+ #17
[ 30.839360] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.848693] Call Trace:
[ 30.851271] dump_stack+0x1b9/0x294
[ 30.854877] ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.860047] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.864783] ? skb_release_data+0xd0/0x860
[ 30.868994] panic+0x22f/0x4de
[ 30.872165] ? add_taint.cold.5+0x16/0x16
[ 30.876294] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.880684] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.885067] ? skb_release_data+0x19b/0x860
[ 30.889366] kasan_end_report+0x47/0x4f
[ 30.893326] kasan_report.cold.7+0xc9/0x2f5
[ 30.897624] check_memory_region+0x13e/0x1b0
[ 30.902004] kasan_check_write+0x14/0x20
[ 30.906041] skb_release_data+0x19b/0x860
[ 30.910164] ? skb_tx_error+0x2f0/0x2f0
[ 30.914114] ? kasan_check_read+0x11/0x20
[ 30.918244] ? rcu_is_watching+0x85/0x140
[ 30.922368] ? kasan_check_write+0x14/0x20
[ 30.926591] ? sock_rmem_free+0x6f/0x90
[ 30.930544] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.936056] skb_release_all+0x4a/0x60
[ 30.939920] kfree_skb+0x195/0x560
[ 30.943544] ? skb_queue_purge+0x19/0x40
[ 30.947581] ? __kfree_skb+0x20/0x20
[ 30.951270] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.955829] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 30.960910] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.965903] ? trace_hardirqs_on+0xd/0x10
[ 30.970028] ? skb_dequeue+0x12f/0x180
[ 30.973891] skb_queue_purge+0x19/0x40
[ 30.977757] packet_sock_destruct+0x93/0x290
[ 30.982141] ? packet_mm_close+0xc0/0xc0
[ 30.986174] ? graph_lock+0x170/0x170
[ 30.989952] ? __free_object+0x16e/0x330
[ 30.993989] ? __list_del_entry_valid.cold.1+0x58/0x58
[ 30.999253] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 31.003813] ? packet_mm_close+0xc0/0xc0
[ 31.007851] __sk_destruct+0xff/0xa40
[ 31.011643] ? sock_warn_obsolete_bsdism+0xb0/0xb0
[ 31.016553] ? graph_lock+0x170/0x170
[ 31.020331] ? lock_downgrade+0x8e0/0x8e0
[ 31.024452] ? __lock_is_held+0xb5/0x140
[ 31.028491] ? kasan_check_read+0x11/0x20
[ 31.032614] ? do_raw_spin_unlock+0x9e/0x2e0
[ 31.036998] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 31.041557] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 31.046645] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.052856] ? refcount_sub_and_test+0x212/0x330
[ 31.057590] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 31.062330] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 31.067062] ? pcpu_free_area+0xa90/0xa90
[ 31.071188] sk_destruct+0x78/0x90
[ 31.074705] __sk_free+0x22e/0x340
[ 31.078224] sk_free+0x42/0x50
[ 31.081393] packet_release+0xa18/0xd50
[ 31.085343] ? lock_downgrade+0x8e0/0x8e0
[ 31.089468] ? packet_lookup_frame+0x270/0x270
[ 31.094026] ? cpumask_weight.constprop.5+0x44/0x44
[ 31.099018] ? do_raw_spin_lock+0xc1/0x200
[ 31.103241] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.108754] ? locks_remove_file+0x3f7/0x5a0
[ 31.113138] ? fcntl_setlk+0x1020/0x1020
[ 31.117174] ? fsnotify+0x415/0x1100
[ 31.120864] ? fsnotify_first_mark+0x330/0x330
[ 31.125438] sock_release+0x96/0x1b0
[ 31.129146] ? sock_alloc_file+0x4e0/0x4e0
[ 31.133360] sock_close+0x16/0x20
[ 31.136789] __fput+0x34d/0x890
[ 31.140055] ? fput+0x1a0/0x1a0
[ 31.143310] ? check_same_owner+0x320/0x320
[ 31.147606] ____fput+0x15/0x20
[ 31.150861] task_work_run+0x1e4/0x290
[ 31.154735] ? task_work_cancel+0x240/0x240
[ 31.159031] ? switch_task_namespaces+0xbd/0xd0
[ 31.163675] do_exit+0x1aee/0x2730
[ 31.167194] ? mm_update_next_owner+0x980/0x980
[ 31.171841] ? finish_mkwrite_fault+0x610/0x610
[ 31.176486] ? debug_check_no_locks_freed+0x310/0x310
[ 31.181657] ? kasan_check_read+0x11/0x20
[ 31.185786] ? rcu_is_watching+0x85/0x140
[ 31.190044] ? lock_acquire+0x1dc/0x520
[ 31.194012] ? lock_release+0xa10/0xa10
[ 31.197977] ? tun_chr_close+0x60/0x60
[ 31.201851] ? kasan_check_write+0x14/0x20
[ 31.206065] ? do_raw_spin_lock+0xc1/0x200
[ 31.210277] ? __handle_mm_fault+0x88c/0x4150
[ 31.214751] ? vm_insert_mixed_mkwrite+0x40/0x40
[ 31.219491] ? graph_lock+0x170/0x170
[ 31.223267] ? rcu_is_watching+0x85/0x140
[ 31.227389] ? graph_lock+0x170/0x170
[ 31.231162] ? find_held_lock+0x36/0x1c0
[ 31.235200] ? find_held_lock+0x36/0x1c0
[ 31.239236] ? lock_downgrade+0x8e0/0x8e0
[ 31.243357] ? handle_mm_fault+0x8c0/0xc70
[ 31.247588] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.253103] ? handle_mm_fault+0x55a/0xc70
[ 31.257312] ? __handle_mm_fault+0x4150/0x4150
[ 31.261874] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.267388] ? __do_page_fault+0x441/0xe40
[ 31.271602] do_group_exit+0x16f/0x430
[ 31.275466] ? SyS_exit+0x30/0x30
[ 31.278897] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 31.283714] ? do_syscall_64+0xb7/0x9d0
[ 31.287664] ? do_group_exit+0x430/0x430
[ 31.291702] SyS_exit_group+0x1d/0x20
[ 31.295494] do_syscall_64+0x29e/0x9d0
[ 31.299356] ? vmalloc_sync_all+0x30/0x30
[ 31.303483] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.308215] ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.313130] ? syscall_return_slowpath+0x30f/0x5c0
[ 31.318040] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.323554] ? retint_user+0x18/0x18
[ 31.327243] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.332062] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 31.337227] RIP: 0033:0x4416e9
[ 31.340390] RSP: 002b:00007ffeb098d9c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 31.348073] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004416e9
[ 31.355318] RDX: 0000000000441620 RSI: 0000000000000001 RDI: 0000000000000001
[ 31.362563] RBP: 00000000004a3309 R08: 0000000000000000 R09: 00000000006cd018
[ 31.369809] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffeb098dab8
[ 31.377053] R13: 0000000000402470 R14: 0000000000000000 R15: 0000000000000000
[ 31.384838] Dumping ftrace buffer:
[ 31.388366] (ftrace buffer empty)
[ 31.392050] Kernel Offset: disabled
[ 31.395663] Rebooting in 86400 seconds..