INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
2018/04/03 02:06:55 parsed 1 programs
2018/04/03 02:06:55 executed programs: 0

syzkaller login: [ 34.379485] IPVS: ftp: loaded support on port[0] = 21
[ 34.403113] IPVS: ftp: loaded support on port[0] = 21
[ 34.426367] IPVS: ftp: loaded support on port[0] = 21
[ 34.453516] IPVS: ftp: loaded support on port[0] = 21
[ 34.484923] IPVS: ftp: loaded support on port[0] = 21
[ 34.512804] IPVS: ftp: loaded support on port[0] = 21
[ 34.553706] IPVS: ftp: loaded support on port[0] = 21
[ 34.596936] IPVS: ftp: loaded support on port[0] = 21
[ 34.786816] ip (4648) used greatest stack depth: 16424 bytes left
[ 35.178163] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 35.189273] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 35.278522] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 35.338926] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 35.354235] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 35.384408] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 35.422075] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 35.498368] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
[ 36.939596] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.945875] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.957372] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.963545] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.108770] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.170545] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.186688] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.192776] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.214993] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.221089] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.237458] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.243579] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.299895] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.306104] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.359169] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.365315] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.376802] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.384555] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.398163] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.431418] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.439783] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.454353] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.460489] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.467928] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 37.511774] dst_release: dst:00000000817dbeed refcnt:-1
[ 37.531272] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
RESULT: signal 0, coverage 0 errno 0
[ 37.562897] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.586073] dst_release: dst:00000000f8e80b23 refcnt:-1
[ 37.594765] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
RESULT: signal 0, coverage 0 errno 0
[ 37.612822] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.618917] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.635427] dst_release: dst:000000005bf1df46 refcnt:-1
[ 37.655156] dst_release: dst:0000000081fa16cb refcnt:-1
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 37.674909] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.685322] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.698701] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 37.731370] dst_release: dst:0000000052c5e719 refcnt:-1
[ 37.748295] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.754476] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 37.764643] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 37.786262] dst_release: dst:000000006a844fe7 refcnt:-1
[ 37.803572] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.813155] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 37.845900] dst_release: dst:00000000f5be501e refcnt:-1
[ 37.855600] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
RESULT: signal 0, coverage 0 errno 0
[ 37.919517] dst_release: dst:00000000bca17af8 refcnt:-1
[ 37.942442] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.952245] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.958497] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
RESULT: signal 0, coverage 0 errno 0
[ 37.961963] dst_release: dst:000000009fc72c88 refcnt:-1
[ 37.967336] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.988494] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 37.998519] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 38.003603] dst_release: dst:00000000465890a9 refcnt:-1
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 38.015783] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 38.095826] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 38.102058] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 38.109285] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
RESULT: signal 0, coverage 0 errno 0
[ 38.759368] ==================================================================
[ 38.766853] BUG: KASAN: use-after-free in dst_release+0x27/0xa0
[ 38.772904] Write of size 4 at addr ffff8801ac0a8440 by task syz-executor5/5921
[ 38.780336]
[ 38.781957] CPU: 1 PID: 5921 Comm: syz-executor5 Not tainted 4.16.0+ #286
[ 38.788867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.798209] Call Trace:
[ 38.800791]  dump_stack+0x1a7/0x27d
[ 38.804418]  ? arch_local_irq_restore+0x53/0x53
[ 38.809077]  ? show_regs_print_info+0x18/0x18
[ 38.813567]  ? kasan_check_write+0x14/0x20
[ 38.817792]  ? dst_release+0x27/0xa0
[ 38.821503]  print_address_description+0x73/0x250
[ 38.826337]  ? dst_release+0x27/0xa0
[ 38.830044]  kasan_report+0x23c/0x360
[ 38.833839]  check_memory_region+0x137/0x190
[ 38.838241]  kasan_check_write+0x14/0x20
[ 38.842298]  dst_release+0x27/0xa0
[ 38.845832]  sock_setsockopt+0x431/0x1b20
[ 38.849977]  ? sock_enable_timestamp+0xb0/0xb0
[ 38.854551]  ? __fget+0x347/0x580
[ 38.858001]  ? lock_downgrade+0x980/0x980
[ 38.862135]  ? kasan_check_read+0x11/0x20
[ 38.866262]  ? rcu_is_watching+0x85/0x130
[ 38.870402]  ? rcu_report_exp_cpu_mult+0x480/0x480
[ 38.875309]  ? __fget+0x370/0x580
[ 38.878739]  ? iterate_fd+0x3f0/0x3f0
[ 38.882524]  ? lock_downgrade+0x980/0x980
[ 38.886650]  compat_sock_setsockopt.constprop.6+0xae/0x3d0
[ 38.892247]  ? compat_sock_getsockopt.constprop.4+0x440/0x440
[ 38.898119]  ? security_socket_setsockopt+0x89/0xb0
[ 38.903117]  compat_SyS_setsockopt+0x34a/0x410
[ 38.907670]  ? __schedule+0x1ef0/0x1ef0
[ 38.911625]  ? scm_detach_fds_compat+0x3d0/0x3d0
[ 38.916372]  ? do_fast_syscall_32+0x156/0xf9f
[ 38.920842]  ? scm_detach_fds_compat+0x3d0/0x3d0
[ 38.925666]  do_fast_syscall_32+0x3ec/0xf9f
[ 38.929962]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 38.934519]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 38.940039]  ? syscall_return_slowpath+0x2ac/0x550
[ 38.944950]  ? sysret32_from_system_call+0x5/0x3c
[ 38.949770]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.954590]  entry_SYSENTER_compat+0x70/0x7f
[ 38.958972] RIP: 0023:0xf7f6bc99
[ 38.962307] RSP: 002b:00000000ffe4b93c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
[ 38.969988] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000001
[ 38.977240] RDX: 0000000000000019 RSI: 00000000200010c0 RDI: 0000000000000010
[ 38.984489] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 38.991730] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 38.998972] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 39.006220]
[ 39.007828] Allocated by task 5921:
[ 39.011438]  save_stack+0x43/0xd0
[ 39.014865]  kasan_kmalloc+0xad/0xe0
[ 39.018552]  kasan_slab_alloc+0x12/0x20
[ 39.022500]  kmem_cache_alloc+0x12e/0x760
[ 39.026626]  dst_alloc+0x11f/0x1a0
[ 39.030139]  rt_dst_alloc+0xe9/0x540
[ 39.033825]  ip_route_output_key_hash_rcu+0xa49/0x2c60
[ 39.039079]  ip_route_output_key_hash+0x20b/0x370
[ 39.043898]  ip_route_output_flow+0x26/0xa0
[ 39.048192]  pptp_connect+0xa84/0x1170
[ 39.052055]  SYSC_connect+0x213/0x4a0
[ 39.055828]  SyS_connect+0x24/0x30
[ 39.059341]  do_fast_syscall_32+0x3ec/0xf9f
[ 39.063637]  entry_SYSENTER_compat+0x70/0x7f
[ 39.068016]
[ 39.069630] Freed by task 4501:
[ 39.072892]  save_stack+0x43/0xd0
[ 39.076323]  __kasan_slab_free+0x11a/0x170
[ 39.080537]  kasan_slab_free+0xe/0x10
[ 39.084321]  kmem_cache_free+0x83/0x2a0
[ 39.088277]  dst_destroy+0x266/0x380
[ 39.091978]  dst_destroy_rcu+0x16/0x20
[ 39.095848]  rcu_process_callbacks+0xd6c/0x17b0
[ 39.100487]  __do_softirq+0x2d7/0xb85
[ 39.104258]
[ 39.105861] The buggy address belongs to the object at ffff8801ac0a8400
[ 39.105861]  which belongs to the cache ip_dst_cache of size 168
[ 39.118574] The buggy address is located 64 bytes inside of
[ 39.118574]  168-byte region [ffff8801ac0a8400, ffff8801ac0a84a8)
[ 39.130334] The buggy address belongs to the page:
[ 39.135242] page:ffffea0006b02a00 count:1 mapcount:0 mapping:ffff8801ac0a8000 index:0x0
[ 39.143360] flags: 0x2fffc0000000100(slab)
[ 39.147567] raw: 02fffc0000000100 ffff8801ac0a8000 0000000000000000 0000000100000010
[ 39.155428] raw: ffffea0006e268a0 ffffea0007007c20 ffff8801d4ef8800 0000000000000000
[ 39.163288] page dumped because: kasan: bad access detected
[ 39.168967]
[ 39.170567] Memory state around the buggy address:
[ 39.175466]  ffff8801ac0a8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.182798]  ffff8801ac0a8380: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 39.190132] >ffff8801ac0a8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.197460]                                            ^
[ 39.202883]  ffff8801ac0a8480: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
RESULT: signal 0, coverage 0 errno 0
[ 39.210214]  ffff8801ac0a8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.217542] ==================================================================
[ 39.224869] Disabling lock debugging due to kernel taint
[ 39.230897] Kernel panic - not syncing: panic_on_warn set ...
[ 39.230897]
[ 39.238264] CPU: 1 PID: 5921 Comm: syz-executor5 Tainted: G B 4.16.0+ #286
[ 39.246474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.255812] Call Trace:
[ 39.258387]  dump_stack+0x1a7/0x27d
[ 39.261997]  ? arch_local_irq_restore+0x53/0x53
[ 39.266645]  ? kasan_end_report+0x32/0x50
[ 39.270765]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.275735]  ? vsnprintf+0x1ed/0x1900
[ 39.279508]  ? dst_alloc+0x1a0/0x1a0
[ 39.283192]  panic+0x1f8/0x42c
[ 39.286356]  ? refcount_error_report+0x214/0x214
[ 39.291092]  ? do_raw_spin_unlock+0x9e/0x310
[ 39.295481]  ? do_raw_spin_unlock+0x9e/0x310
[ 39.299864]  ? dst_release+0x27/0xa0
[ 39.303551]  kasan_end_report+0x50/0x50
[ 39.307501]  kasan_report+0x149/0x360
[ 39.311276]  check_memory_region+0x137/0x190
[ 39.315654]  kasan_check_write+0x14/0x20
[ 39.319689]  dst_release+0x27/0xa0
[ 39.323206]  sock_setsockopt+0x431/0x1b20
[ 39.327327]  ? sock_enable_timestamp+0xb0/0xb0
[ 39.331881]  ? __fget+0x347/0x580
[ 39.335306]  ? lock_downgrade+0x980/0x980
[ 39.339427]  ? kasan_check_read+0x11/0x20
[ 39.343544]  ? rcu_is_watching+0x85/0x130
[ 39.347663]  ? rcu_report_exp_cpu_mult+0x480/0x480
[ 39.352572]  ? __fget+0x370/0x580
[ 39.356007]  ? iterate_fd+0x3f0/0x3f0
[ 39.359793]  ? lock_downgrade+0x980/0x980
[ 39.363920]  compat_sock_setsockopt.constprop.6+0xae/0x3d0
[ 39.369523]  ? compat_sock_getsockopt.constprop.4+0x440/0x440
[ 39.375382]  ? security_socket_setsockopt+0x89/0xb0
[ 39.380369]  compat_SyS_setsockopt+0x34a/0x410
[ 39.384921]  ? __schedule+0x1ef0/0x1ef0
[ 39.388871]  ? scm_detach_fds_compat+0x3d0/0x3d0
[ 39.393597]  ? do_fast_syscall_32+0x156/0xf9f
[ 39.398065]  ? scm_detach_fds_compat+0x3d0/0x3d0
[ 39.402798]  do_fast_syscall_32+0x3ec/0xf9f
[ 39.407100]  ? do_int80_syscall_32+0x9c0/0x9c0
[ 39.411659]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 39.417167]  ? syscall_return_slowpath+0x2ac/0x550
[ 39.422072]  ? sysret32_from_system_call+0x5/0x3c
[ 39.426887]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.431702]  entry_SYSENTER_compat+0x70/0x7f
[ 39.436082] RIP: 0023:0xf7f6bc99
[ 39.439418] RSP: 002b:00000000ffe4b93c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
[ 39.447099] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000001
[ 39.454341] RDX: 0000000000000019 RSI: 00000000200010c0 RDI: 0000000000000010
[ 39.461581] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 39.468822] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 39.476068] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 39.483723] Dumping ftrace buffer:
[ 39.487239]    (ftrace buffer empty)
[ 39.490921] Kernel Offset: disabled
[ 39.494516] Rebooting in 86400 seconds..