INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-1,10.128.0.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 55.180417] device lo entered promiscuous mode
executing program
[ 55.273038] ==================================================================
[ 55.280467] BUG: KASAN: use-after-free in sctp_association_free+0x7b7/0x930
[ 55.287538] Read of size 8 at addr ffff8801d18a02a0 by task syzkaller497885/3008
[ 55.295034]
[ 55.296634] CPU: 0 PID: 3008 Comm: syzkaller497885 Not tainted 4.14.0-rc5-next-20171018+ #36
[ 55.305173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.314496] Call Trace:
[ 55.317061]  dump_stack+0x194/0x257
[ 55.320669]  ? arch_local_irq_restore+0x53/0x53
[ 55.325308]  ? show_regs_print_info+0x65/0x65
[ 55.329779]  ? sctp_association_free+0x7b7/0x930
[ 55.334507]  print_address_description+0x73/0x250
[ 55.339323]  ? sctp_association_free+0x7b7/0x930
[ 55.344047]  kasan_report+0x25b/0x340
[ 55.347820]  __asan_report_load8_noabort+0x14/0x20
[ 55.352723]  sctp_association_free+0x7b7/0x930
[ 55.357278]  ? sctp_asconf_queue_teardown+0x700/0x700
[ 55.362448]  ? sctp_init_sock+0x1350/0x1350
[ 55.366740]  ? sctp_sched_fcfs_dequeue+0x290/0x290
[ 55.371643]  ? finish_wait+0x490/0x490
[ 55.375509]  sctp_sendmsg+0x1845/0x32b0
[ 55.379465]  ? sctp_id2assoc+0x390/0x390
[ 55.383496]  ? check_noncircular+0x20/0x20
[ 55.387713]  ? iterate_fd+0x3f0/0x3f0
[ 55.391489]  ? check_noncircular+0x20/0x20
[ 55.395701]  ? find_held_lock+0x35/0x1d0
[ 55.399737]  ? __might_fault+0x110/0x1d0
[ 55.403777]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 55.409126]  ? __check_object_size+0x25d/0x4f0
[ 55.413686]  inet_sendmsg+0x11f/0x5e0
[ 55.417451]  ? inet_sendmsg+0x11f/0x5e0
[ 55.421394]  ? __might_sleep+0x95/0x190
[ 55.425336]  ? inet_recvmsg+0x5f0/0x5f0
[ 55.429281]  ? selinux_socket_sendmsg+0x36/0x40
[ 55.433920]  ? security_socket_sendmsg+0x89/0xb0
[ 55.438644]  ? inet_recvmsg+0x5f0/0x5f0
[ 55.442590]  sock_sendmsg+0xca/0x110
[ 55.446273]  SYSC_sendto+0x352/0x5a0
[ 55.449966]  ? SYSC_connect+0x470/0x470
[ 55.453921]  ? mm_fault_error+0x2c0/0x2c0
[ 55.458039]  ? do_raw_spin_trylock+0x190/0x190
[ 55.462587]  ? lock_release+0xa40/0xa40
[ 55.466536]  ? __do_page_fault+0xd60/0xd60
[ 55.470742]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 55.475733]  ? syscall_return_slowpath+0x2b3/0x510
[ 55.480651]  ? finish_task_switch+0x1f6/0x740
[ 55.485116]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 55.490112]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 55.494924]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 55.499913]  SyS_sendto+0x40/0x50
[ 55.503339]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 55.508062] RIP: 0033:0x446f79
[ 55.511219] RSP: 002b:00007f8289ce9db8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 55.518897] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446f79
[ 55.526135] RDX: 0000000000000002 RSI: 0000000020925000 RDI: 0000000000000003
[ 55.533371] RBP: 0000000000000082 R08: 00000000209e1000 R09: 000000000000001c
[ 55.540607] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[ 55.547844] R13: 00000000007efd1f R14: 00007f8289cea9c0 R15: 0000000000000000
[ 55.555187]
[ 55.556783] Allocated by task 3008:
[ 55.560382]  save_stack+0x43/0xd0
[ 55.563809]  kasan_kmalloc+0xad/0xe0
[ 55.567488]  kmem_cache_alloc_trace+0x136/0x750
[ 55.572125]  sctp_association_new+0x114/0x21e0
[ 55.576683]  sctp_sendmsg+0x1c89/0x32b0
[ 55.580626]  inet_sendmsg+0x11f/0x5e0
[ 55.584653]  sock_sendmsg+0xca/0x110
[ 55.588332]  SYSC_sendto+0x352/0x5a0
[ 55.592011]  SyS_sendto+0x40/0x50
[ 55.595431]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 55.600149]
[ 55.601743] Freed by task 3008:
[ 55.604996]  save_stack+0x43/0xd0
[ 55.608414]  kasan_slab_free+0x71/0xc0
[ 55.612278]  kfree+0xca/0x250
[ 55.615366]  sctp_association_put+0x21c/0x2f0
[ 55.619830]  sctp_wait_for_sndbuf+0x5e3/0x7c0
[ 55.624291]  sctp_sendmsg+0x2906/0x32b0
[ 55.628232]  inet_sendmsg+0x11f/0x5e0
[ 55.631999]  sock_sendmsg+0xca/0x110
[ 55.635688]  SYSC_sendto+0x352/0x5a0
[ 55.639368]  SyS_sendto+0x40/0x50
[ 55.642790]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 55.647507]
[ 55.649105] The buggy address belongs to the object at ffff8801d18a0280
[ 55.649105]  which belongs to the cache kmalloc-4096 of size 4096
[ 55.661898] The buggy address is located 32 bytes inside of
[ 55.661898]  4096-byte region [ffff8801d18a0280, ffff8801d18a1280)
[ 55.673736] The buggy address belongs to the page:
[ 55.678652] page:ffffea0007462800 count:1 mapcount:0 mapping:ffff8801d18a0280 index:0x0 compound_mapcount: 0
[ 55.688588] flags: 0x200000000008100(slab|head)
[ 55.693399] raw: 0200000000008100 ffff8801d18a0280 0000000000000000 0000000100000001
[ 55.701246] raw: ffffea00074625a0 ffffea0007462a20 ffff8801dac00dc0 0000000000000000
[ 55.709090] page dumped because: kasan: bad access detected
[ 55.714763]
[ 55.716356] Memory state around the buggy address:
[ 55.721250]  ffff8801d18a0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.728661]  ffff8801d18a0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.735984] >ffff8801d18a0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.743309]                                ^
[ 55.747682]  ffff8801d18a0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.755009]  ffff8801d18a0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.762330] ==================================================================
[ 55.769652] Disabling lock debugging due to kernel taint
[ 55.775182] Kernel panic - not syncing: panic_on_warn set ...
[ 55.775182]
[ 55.782524] CPU: 0 PID: 3008 Comm: syzkaller497885 Tainted: G B 4.14.0-rc5-next-20171018+ #36
[ 55.792365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.801689] Call Trace:
[ 55.804921]  dump_stack+0x194/0x257
[ 55.808519]  ? arch_local_irq_restore+0x53/0x53
[ 55.813159]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 55.817885]  ? vsnprintf+0x1ed/0x1900
[ 55.821657]  ? sctp_association_free+0x6f0/0x930
[ 55.826399]  panic+0x1e4/0x41c
[ 55.829559]  ? refcount_error_report+0x214/0x214
[ 55.834286]  ? add_taint+0x1c/0x50
[ 55.837794]  ? add_taint+0x1c/0x50
[ 55.841304]  ? sctp_association_free+0x7b7/0x930
[ 55.846029]  kasan_end_report+0x50/0x50
[ 55.849969]  kasan_report+0x144/0x340
[ 55.853738]  __asan_report_load8_noabort+0x14/0x20
[ 55.858633]  sctp_association_free+0x7b7/0x930
[ 55.863183]  ? sctp_asconf_queue_teardown+0x700/0x700
[ 55.868338]  ? sctp_init_sock+0x1350/0x1350
[ 55.872628]  ? sctp_sched_fcfs_dequeue+0x290/0x290
[ 55.877527]  ? finish_wait+0x490/0x490
[ 55.881384]  sctp_sendmsg+0x1845/0x32b0
[ 55.885333]  ? sctp_id2assoc+0x390/0x390
[ 55.889363]  ? check_noncircular+0x20/0x20
[ 55.893572]  ? iterate_fd+0x3f0/0x3f0
[ 55.897339]  ? check_noncircular+0x20/0x20
[ 55.901541]  ? find_held_lock+0x35/0x1d0
[ 55.905572]  ? __might_fault+0x110/0x1d0
[ 55.909604]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 55.914937]  ? __check_object_size+0x25d/0x4f0
[ 55.919488]  inet_sendmsg+0x11f/0x5e0
[ 55.923254]  ? inet_sendmsg+0x11f/0x5e0
[ 55.927195]  ? __might_sleep+0x95/0x190
[ 55.931137]  ? inet_recvmsg+0x5f0/0x5f0
[ 55.935079]  ? selinux_socket_sendmsg+0x36/0x40
[ 55.939714]  ? security_socket_sendmsg+0x89/0xb0
[ 55.944434]  ? inet_recvmsg+0x5f0/0x5f0
[ 55.948378]  sock_sendmsg+0xca/0x110
[ 55.952058]  SYSC_sendto+0x352/0x5a0
[ 55.955739]  ? SYSC_connect+0x470/0x470
[ 55.959685]  ? mm_fault_error+0x2c0/0x2c0
[ 55.963805]  ? do_raw_spin_trylock+0x190/0x190
[ 55.968441]  ? lock_release+0xa40/0xa40
[ 55.972383]  ? __do_page_fault+0xd60/0xd60
[ 55.976583]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 55.981584]  ? syscall_return_slowpath+0x2b3/0x510
[ 55.986575]  ? finish_task_switch+0x1f6/0x740
[ 55.991037]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 55.996025]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 56.000831]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 56.005819]  SyS_sendto+0x40/0x50
[ 56.009240]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 56.013961] RIP: 0033:0x446f79
[ 56.017116] RSP: 002b:00007f8289ce9db8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 56.024787] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446f79
[ 56.032025] RDX: 0000000000000002 RSI: 0000000020925000 RDI: 0000000000000003
[ 56.039260] RBP: 0000000000000082 R08: 00000000209e1000 R09: 000000000000001c
[ 56.046496] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[ 56.053733] R13: 00000000007efd1f R14: 00007f8289cea9c0 R15: 0000000000000000
[ 56.061360] Dumping ftrace buffer:
[ 56.064875]    (ftrace buffer empty)
[ 56.068553] Kernel Offset: disabled
[ 56.072149] Rebooting in 86400 seconds..