INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-3,10.128.15.207' (ECDSA) to the list of known hosts.
2017/09/30 03:25:12 parsed 1 programs
2017/09/30 03:25:12 executed programs: 0
2017/09/30 03:25:17 executed programs: 168
syzkaller login: [ 33.578478] dev_remove_pack: ffff8801c7784300 not found
[ 35.468773] dev_remove_pack: ffff8801cc2e0780 not found
2017/09/30 03:25:22 executed programs: 340
[ 37.135781] ==================================================================
[ 37.143234] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 at addr ffff8801cc2e014c
[ 37.152029] Read of size 4 by task syz-executor4/3238
[ 37.157183] CPU: 0 PID: 3238 Comm: syz-executor4 Not tainted 4.9.52-g9b2b081 #55
[ 37.164676] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.173993]  ffff8801db207760 ffffffff81d93149 ffff8801da002000 ffff8801cc2e0000
[ 37.181936]  ffff8801cc2e0800 ffffed003985c029 ffff8801cc2e014c ffff8801db207788
[ 37.189879]  ffffffff8153cbdc ffffed003985c029 ffff8801da002000 0000000000000000
[ 37.197818] Call Trace:
[ 37.200364]
[ 37.202393]  [] dump_stack+0xc1/0x128
[ 37.207739]  [] kasan_object_err+0x1c/0x70
[ 37.213498]  [] kasan_report.part.1+0x21c/0x500
[ 37.219693]  [] ? do_raw_spin_lock+0x1ac/0x1e0
[ 37.225800]  [] __asan_report_load4_noabort+0x29/0x30
[ 37.232515]  [] do_raw_spin_lock+0x1ac/0x1e0
[ 37.238454]  [] _raw_spin_lock_bh+0x42/0x50
[ 37.244300]  [] ? packet_rcv_has_room+0x25/0xb0
[ 37.250500]  [] packet_rcv_has_room+0x25/0xb0
[ 37.256519]  [] fanout_demux_rollover+0x26f/0x4d0
[ 37.262888]  [] packet_rcv_fanout+0x4ce/0x620
[ 37.268912]  [] __netif_receive_skb_core+0x887/0x29e0
[ 37.275627]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 37.282601]  [] ? netif_wake_subqueue+0x210/0x210
[ 37.288967]  [] ? netif_receive_skb_internal+0x92/0x390
[ 37.295857]  [] __netif_receive_skb+0x5b/0x1c0
[ 37.301963]  [] netif_receive_skb_internal+0xff/0x390
[ 37.308677]  [] ? netif_receive_skb_internal+0x92/0x390
[ 37.315567]  [] ? dev_cpu_callback+0x680/0x680
[ 37.321675]  [] ? dev_gro_receive+0x1d6/0x16f0
[ 37.327781]  [] ? dev_gro_receive+0x67a/0x16f0
[ 37.333889]  [] ? eth_type_trans+0x2a8/0x5d0
[ 37.339824]  [] napi_gro_receive+0x1fb/0x400
[ 37.345757]  [] virtnet_receive+0xe1c/0x1cf0
[ 37.351691]  [] ? virtnet_open+0x250/0x250
[ 37.357453]  [] ? check_preemption_disabled+0x3b/0x200
[ 37.364254]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 37.371227]  [] ? check_preemption_disabled+0x3b/0x200
[ 37.378031]  [] ? debug_smp_processor_id+0x1c/0x20
[ 37.384485]  [] virtnet_poll+0x26/0x140
[ 37.389983]  [] net_rx_action+0x396/0xe00
[ 37.395657]  [] ? sk_busy_loop+0xca0/0xca0
[ 37.401418]  [] ? handle_edge_irq+0x417/0x8e0
[ 37.407437]  [] ? _raw_spin_lock+0x3e/0x50
[ 37.413196]  [] ? check_preemption_disabled+0x3b/0x200
[ 37.420000]  [] __do_softirq+0x22d/0x964
[ 37.425585]  [] irq_exit+0x165/0x190
[ 37.430822]  [] do_IRQ+0x107/0x1b0
[ 37.435888]  [] common_interrupt+0x8c/0x8c
[ 37.441646]
[ 37.443674] Object at ffff8801cc2e0000, in cache kmalloc-2048 size: 2048
[ 37.450884] Allocated:
[ 37.453345] PID = 4865
[ 37.455807]  save_stack_trace+0x16/0x20
[ 37.459745]  save_stack+0x43/0xd0
[ 37.463158]  kasan_kmalloc+0xad/0xe0
[ 37.466832]  __kmalloc+0x11d/0x310
[ 37.470337]  sk_prot_alloc+0x101/0x2a0
[ 37.474184]  sk_alloc+0x3a/0x3a0
[ 37.477513]  packet_create+0xf0/0x8e0
[ 37.481274]  __sock_create+0x3ab/0x640
[ 37.485121]  SyS_socket+0xf0/0x1b0
[ 37.488627]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 37.493342] Freed:
[ 37.495452] PID = 4865
[ 37.497910]  save_stack_trace+0x16/0x20
[ 37.501846]  save_stack+0x43/0xd0
[ 37.505261]  kasan_slab_free+0x73/0xc0
[ 37.509108]  kfree+0xf0/0x2f0
[ 37.512173]  __sk_destruct+0x47f/0x570
[ 37.516021]  sk_destruct+0x47/0x80
[ 37.519522]  __sk_free+0x57/0x230
[ 37.522937]  sk_free+0x23/0x30
[ 37.526091]  packet_release+0x732/0xa20
[ 37.530026]  sock_release+0x8d/0x1e0
[ 37.533701]  sock_close+0x16/0x20
[ 37.537117]  __fput+0x28c/0x6e0
[ 37.540360]  ____fput+0x15/0x20
[ 37.543603]  task_work_run+0x115/0x190
[ 37.547451]  do_exit+0x82e/0x2a50
[ 37.550865]  do_group_exit+0x108/0x320
[ 37.554716]  get_signal+0x55c/0x1600
[ 37.558394]  do_signal+0x87/0x1960
[ 37.561895]  exit_to_usermode_loop+0xe5/0x130
[ 37.566351]  syscall_return_slowpath+0x1a0/0x1e0
[ 37.571069]  entry_SYSCALL_64_fastpath+0xc4/0xc6
[ 37.575791] Memory state around the buggy address:
[ 37.580684]  ffff8801cc2e0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.588003]  ffff8801cc2e0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.595324] >ffff8801cc2e0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.602649]                                               ^
[ 37.608328]  ffff8801cc2e0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.615649]  ffff8801cc2e0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.622966] ==================================================================
[ 37.630327] ==================================================================
[ 37.637654] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1d3/0x1e0 at addr ffff8801cc2e0158
[ 37.646453] Read of size 8 by task syz-executor4/3238
[ 37.651609] CPU: 0 PID: 3238 Comm: syz-executor4 Tainted: G B 4.9.52-g9b2b081 #55
[ 37.660317] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.669633]  ffff8801db207760 ffffffff81d93149 ffff8801da002000 ffff8801cc2e0000
[ 37.677580]  ffff8801cc2e0800 ffffed003985c02b ffff8801cc2e0158 ffff8801db207788
[ 37.685521]  ffffffff8153cbdc ffffed003985c02b ffff8801da002000 0000000000000000
[ 37.693466] Call Trace:
[ 37.696013]
[ 37.698043]  [] dump_stack+0xc1/0x128
[ 37.703385]  [] kasan_object_err+0x1c/0x70
[ 37.709144]  [] kasan_report.part.1+0x21c/0x500
[ 37.715339]  [] ? do_raw_spin_lock+0x1d3/0x1e0
[ 37.721445]  [] __asan_report_load8_noabort+0x29/0x30
[ 37.728165]  [] do_raw_spin_lock+0x1d3/0x1e0
[ 37.728170]  [] _raw_spin_lock_bh+0x42/0x50
[ 37.728175]  [] ? packet_rcv_has_room+0x25/0xb0
[ 37.728179]  [] packet_rcv_has_room+0x25/0xb0
[ 37.728187]  [] fanout_demux_rollover+0x26f/0x4d0
[ 37.728191]  [] packet_rcv_fanout+0x4ce/0x620
[ 37.728198]  [] __netif_receive_skb_core+0x887/0x29e0
[ 37.728204]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 37.728208]  [] ? netif_wake_subqueue+0x210/0x210
[ 37.728213]  [] ? netif_receive_skb_internal+0x92/0x390
[ 37.728217]  [] __netif_receive_skb+0x5b/0x1c0
[ 37.728221]  [] netif_receive_skb_internal+0xff/0x390
[ 37.728224]  [] ? netif_receive_skb_internal+0x92/0x390
[ 37.728228]  [] ? dev_cpu_callback+0x680/0x680
[ 37.728232]  [] ? dev_gro_receive+0x1d6/0x16f0
[ 37.728236]  [] ? dev_gro_receive+0x67a/0x16f0
[ 37.728240]  [] ? eth_type_trans+0x2a8/0x5d0
[ 37.728244]  [] napi_gro_receive+0x1fb/0x400
[ 37.728249]  [] virtnet_receive+0xe1c/0x1cf0
[ 37.728253]  [] ? virtnet_open+0x250/0x250
[ 37.728258]  [] ? check_preemption_disabled+0x3b/0x200
[ 37.728263]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 37.728266]  [] ? check_preemption_disabled+0x3b/0x200
[ 37.728270]  [] ? debug_smp_processor_id+0x1c/0x20
[ 37.728273]  [] virtnet_poll+0x26/0x140
[ 37.728277]  [] net_rx_action+0x396/0xe00
[ 37.728281]  [] ? sk_busy_loop+0xca0/0xca0
[ 37.728286]  [] ? handle_edge_irq+0x417/0x8e0
[ 37.728290]  [] ? _raw_spin_lock+0x3e/0x50
[ 37.728294]  [] ? check_preemption_disabled+0x3b/0x200
[ 37.728298]  [] __do_softirq+0x22d/0x964
[ 37.728302]  [] irq_exit+0x165/0x190
[ 37.728305]  [] do_IRQ+0x107/0x1b0
[ 37.728309]  [] common_interrupt+0x8c/0x8c
[ 37.728313]
[ 37.728314] Object at ffff8801cc2e0000, in cache kmalloc-2048 size: 2048
[ 37.728314] Allocated:
[ 37.728316] PID = 4865
[ 37.728319]  save_stack_trace+0x16/0x20
[ 37.728322]  save_stack+0x43/0xd0
[ 37.728325]  kasan_kmalloc+0xad/0xe0
[ 37.728327]  __kmalloc+0x11d/0x310
[ 37.728331]  sk_prot_alloc+0x101/0x2a0
[ 37.728333]  sk_alloc+0x3a/0x3a0
[ 37.728336]  packet_create+0xf0/0x8e0
[ 37.728338]  __sock_create+0x3ab/0x640
[ 37.728341]  SyS_socket+0xf0/0x1b0
[ 37.728344]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 37.728345] Freed:
[ 37.728346] PID = 4865
[ 37.728349]  save_stack_trace+0x16/0x20
[ 37.728351]  save_stack+0x43/0xd0
[ 37.728354]  kasan_slab_free+0x73/0xc0
[ 37.728356]  kfree+0xf0/0x2f0
[ 37.728359]  __sk_destruct+0x47f/0x570
[ 37.728361]  sk_destruct+0x47/0x80
[ 37.728363]  __sk_free+0x57/0x230
[ 37.728366]  sk_free+0x23/0x30
[ 37.728368]  packet_release+0x732/0xa20
[ 37.728371]  sock_release+0x8d/0x1e0
[ 37.728377]  sock_close+0x16/0x20
[ 37.728380]  __fput+0x28c/0x6e0
[ 37.728383]  ____fput+0x15/0x20
[ 37.728386]  task_work_run+0x115/0x190
[ 37.728389]  do_exit+0x82e/0x2a50
[ 37.728392]  do_group_exit+0x108/0x320
[ 37.728395]  get_signal+0x55c/0x1600
[ 37.728398]  do_signal+0x87/0x1960
[ 37.728401]  exit_to_usermode_loop+0xe5/0x130
[ 37.728404]  syscall_return_slowpath+0x1a0/0x1e0
[ 37.728407]  entry_SYSCALL_64_fastpath+0xc4/0xc6
[ 37.728408] Memory state around the buggy address:
[ 37.728411]  ffff8801cc2e0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.728414]  ffff8801cc2e0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.728416] >ffff8801cc2e0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.728417]                                                     ^
[ 37.728420]  ffff8801cc2e0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.728422]  ffff8801cc2e0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.728423] ==================================================================
[ 37.728446] ==================================================================