[info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[ 14.788431] rsyslogd (4019) used greatest stack depth: 16488 bytes left [ ok ]. [....] Starting periodic command scheduler: cron[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 syzkaller login: [ 28.434746] IPVS: ftp: loaded support on port[0] = 21 RTNETLINK answers: File exists [ 28.515440] ip (4169) used greatest stack depth: 16248 bytes left RTNETLINK answers: Operation not supported RTNETLINK answers: No buffer space available RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported [ 28.667893] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument [ 28.990255] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 28.996360] 8021q: adding VLAN 0 to HW filter on device bond0 executing program [ 29.030733] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 29.066189] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 29.072369] ================================================================== [ 29.080168] BUG: KASAN: use-after-free in skb_copy_datagram_iter+0xa7f/0xac0 [ 29.087330] Read of size 1 at addr ffff8801bd0b6b82 by task syzkaller271188/4153 [ 29.094832] [ 29.096436] CPU: 1 PID: 4153 Comm: syzkaller271188 Not tainted 4.16.0-rc7+ #2 [ 29.103679] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.113003] Call Trace: [ 29.115566] dump_stack+0x194/0x24d [ 29.119166] ? arch_local_irq_restore+0x53/0x53 [ 29.123806] ? 
show_regs_print_info+0x18/0x18 [ 29.128282] ? skb_copy_datagram_iter+0xa7f/0xac0 [ 29.133098] print_address_description+0x73/0x250 [ 29.137923] ? skb_copy_datagram_iter+0xa7f/0xac0 [ 29.142740] kasan_report+0x23c/0x360 [ 29.146517] __asan_report_load1_noabort+0x14/0x20 [ 29.151422] skb_copy_datagram_iter+0xa7f/0xac0 [ 29.156082] ? do_raw_spin_trylock+0x190/0x190 [ 29.160638] ? __sk_queue_drop_skb+0x1d0/0x1d0 [ 29.165197] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.170188] ? trace_hardirqs_on+0xd/0x10 [ 29.174314] ? sock_dequeue_err_skb+0x2b1/0x420 [ 29.178961] sock_recv_errqueue+0xbe/0x3e0 [ 29.183168] ? rw_copy_check_uvector+0x1be/0x280 [ 29.187911] packet_recvmsg+0xb2e/0x17a0 [ 29.191954] ? import_iovec+0x238/0x430 [ 29.195919] ? packet_getname_spkt+0x2b0/0x2b0 [ 29.200477] ? kasan_check_write+0x14/0x20 [ 29.204686] ? _copy_from_user+0x99/0x110 [ 29.208809] ? copy_msghdr_from_user+0x3a6/0x590 [ 29.213548] ? SYSC_sendto+0x5c0/0x5c0 [ 29.217411] ? find_held_lock+0x35/0x1d0 [ 29.221459] ? security_socket_recvmsg+0x91/0xc0 [ 29.226191] ? packet_getname_spkt+0x2b0/0x2b0 [ 29.230745] sock_recvmsg+0xc9/0x110 [ 29.234435] ? poll_select_set_timeout+0x16a/0x210 [ 29.239335] ? __sock_recv_wifi_status+0x210/0x210 [ 29.244240] ___sys_recvmsg+0x2a4/0x640 [ 29.248192] ? ___sys_sendmsg+0x8b0/0x8b0 [ 29.252318] ? ktime_get_ts64+0x15f/0x4d0 [ 29.256448] ? kvm_clock_get_cycles+0x25/0x30 [ 29.260919] ? ktime_get_ts64+0x328/0x4d0 [ 29.265040] ? __fget_light+0x2b2/0x3c0 [ 29.268989] ? fget_raw+0x20/0x20 [ 29.272420] ? nsec_to_clock_t+0x30/0x30 [ 29.276455] ? lock_downgrade+0x980/0x980 [ 29.280577] ? lock_release+0xa40/0xa40 [ 29.284529] ? poll_select_set_timeout+0x12f/0x210 [ 29.289430] ? do_restart_poll+0x2a0/0x2a0 [ 29.293648] __sys_recvmmsg+0x2a9/0xaf0 [ 29.297594] ? __sys_recvmmsg+0x2a9/0xaf0 [ 29.301725] ? SyS_recvmsg+0x50/0x50 [ 29.305412] ? find_held_lock+0x35/0x1d0 [ 29.309454] ? __might_fault+0x110/0x1d0 [ 29.313514] ? lock_downgrade+0x980/0x980 [ 29.317637] ? 
lock_release+0xa40/0xa40 [ 29.321585] ? check_same_owner+0x320/0x320 [ 29.325894] ? kasan_check_write+0x14/0x20 [ 29.330104] ? _copy_from_user+0x99/0x110 [ 29.334231] SyS_recvmmsg+0xc4/0x160 [ 29.337919] ? __sys_recvmmsg+0xaf0/0xaf0 [ 29.342043] ? do_syscall_64+0xb7/0x940 [ 29.345993] ? __sys_recvmmsg+0xaf0/0xaf0 [ 29.350116] do_syscall_64+0x281/0x940 [ 29.353978] ? __do_page_fault+0xc90/0xc90 [ 29.358183] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.362915] ? syscall_return_slowpath+0x550/0x550 [ 29.367818] ? syscall_return_slowpath+0x2ac/0x550 [ 29.372719] ? prepare_exit_to_usermode+0x350/0x350 [ 29.377712] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 29.383053] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.387874] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.393034] RIP: 0033:0x441a29 [ 29.396195] RSP: 002b:00007ffe3ff9efd8 EFLAGS: 00000217 ORIG_RAX: 000000000000012b [ 29.403876] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000441a29 [ 29.411119] RDX: 0000000000000002 RSI: 0000000020000940 RDI: 0000000000000003 [ 29.418364] RBP: 00000000004a359c R08: 00000000200009c0 R09: 000000000000001c [ 29.425621] R10: 0000000000012000 R11: 0000000000000217 R12: 00007ffe3ff9f0c0 [ 29.432866] R13: 00000000004027b0 R14: 0000000000000000 R15: 0000000000000000 [ 29.440126] [ 29.441727] Allocated by task 4153: [ 29.445326] save_stack+0x43/0xd0 [ 29.448752] kasan_kmalloc+0xad/0xe0 [ 29.452435] __kmalloc_node_track_caller+0x47/0x70 [ 29.457336] __kmalloc_reserve.isra.39+0x41/0xd0 [ 29.462069] __alloc_skb+0x13b/0x780 [ 29.465767] alloc_skb_with_frags+0x10d/0x750 [ 29.470231] sock_alloc_send_pskb+0x787/0x9b0 [ 29.474696] packet_sendmsg+0x1ece/0x60b0 [ 29.478813] sock_sendmsg+0xca/0x110 [ 29.482496] SYSC_sendto+0x361/0x5c0 [ 29.486178] SyS_sendto+0x40/0x50 [ 29.489603] do_syscall_64+0x281/0x940 [ 29.493460] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.498618] [ 29.500214] Freed by task 4153: [ 29.503463] save_stack+0x43/0xd0 [ 29.506890] __kasan_slab_free+0x11a/0x170 [ 29.511095] 
kasan_slab_free+0xe/0x10 [ 29.514872] kfree+0xd9/0x260 [ 29.517951] skb_free_head+0x74/0xb0 [ 29.521636] skb_release_data+0x58c/0x790 [ 29.525755] skb_release_all+0x4a/0x60 [ 29.529612] kfree_skb+0x15d/0x4c0 [ 29.533125] ip6_tnl_start_xmit+0x184/0x2070 [ 29.537507] dev_hard_start_xmit+0x24e/0xac0 [ 29.541885] __dev_queue_xmit+0x26bf/0x2fc0 [ 29.546179] dev_queue_xmit+0x17/0x20 [ 29.549950] packet_sendmsg+0x3aed/0x60b0 [ 29.554070] sock_sendmsg+0xca/0x110 [ 29.557762] SYSC_sendto+0x361/0x5c0 [ 29.561446] SyS_sendto+0x40/0x50 [ 29.564868] do_syscall_64+0x281/0x940 [ 29.568726] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.573884] [ 29.575486] The buggy address belongs to the object at ffff8801bd0b6ac0 [ 29.575486] which belongs to the cache kmalloc-512 of size 512 [ 29.588112] The buggy address is located 194 bytes inside of [ 29.588112] 512-byte region [ffff8801bd0b6ac0, ffff8801bd0b6cc0) [ 29.599954] The buggy address belongs to the page: [ 29.604856] page:ffffea0006f42d80 count:1 mapcount:0 mapping:ffff8801bd0b60c0 index:0x0 [ 29.612971] flags: 0x2fffc0000000100(slab) [ 29.617176] raw: 02fffc0000000100 ffff8801bd0b60c0 0000000000000000 0000000100000006 [ 29.625028] raw: ffffea0006f457e0 ffff8801dac01748 ffff8801dac00940 0000000000000000 [ 29.632894] page dumped because: kasan: bad access detected [ 29.638573] [ 29.640169] Memory state around the buggy address: [ 29.645070] ffff8801bd0b6a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 29.652398] ffff8801bd0b6b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.659735] >ffff8801bd0b6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.667062] ^ [ 29.670398] ffff8801bd0b6c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.677728] ffff8801bd0b6c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 29.685058] ================================================================== [ 29.692388] Disabling lock debugging due to kernel taint [ 29.698148] Kernel panic - not syncing: panic_on_warn set ... 
[ 29.698148] [ 29.705487] CPU: 1 PID: 4153 Comm: syzkaller271188 Tainted: G B 4.16.0-rc7+ #2 [ 29.714035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.723359] Call Trace: [ 29.725919] dump_stack+0x194/0x24d [ 29.729518] ? arch_local_irq_restore+0x53/0x53 [ 29.734156] ? kasan_end_report+0x32/0x50 [ 29.738275] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.743002] ? vsnprintf+0x1ed/0x1900 [ 29.746773] ? skb_copy_datagram_iter+0xa00/0xac0 [ 29.751586] panic+0x1e4/0x41c [ 29.754752] ? refcount_error_report+0x214/0x214 [ 29.759480] ? add_taint+0x1c/0x50 [ 29.762992] ? add_taint+0x1c/0x50 [ 29.766506] ? skb_copy_datagram_iter+0xa7f/0xac0 [ 29.771318] kasan_end_report+0x50/0x50 [ 29.775265] kasan_report+0x149/0x360 [ 29.779044] __asan_report_load1_noabort+0x14/0x20 [ 29.783941] skb_copy_datagram_iter+0xa7f/0xac0 [ 29.788583] ? do_raw_spin_trylock+0x190/0x190 [ 29.793134] ? __sk_queue_drop_skb+0x1d0/0x1d0 [ 29.797687] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.802672] ? trace_hardirqs_on+0xd/0x10 [ 29.806795] ? sock_dequeue_err_skb+0x2b1/0x420 [ 29.811435] sock_recv_errqueue+0xbe/0x3e0 [ 29.815640] ? rw_copy_check_uvector+0x1be/0x280 [ 29.820370] packet_recvmsg+0xb2e/0x17a0 [ 29.824402] ? import_iovec+0x238/0x430 [ 29.828357] ? packet_getname_spkt+0x2b0/0x2b0 [ 29.832911] ? kasan_check_write+0x14/0x20 [ 29.837129] ? _copy_from_user+0x99/0x110 [ 29.841251] ? copy_msghdr_from_user+0x3a6/0x590 [ 29.845979] ? SYSC_sendto+0x5c0/0x5c0 [ 29.849836] ? find_held_lock+0x35/0x1d0 [ 29.853866] ? security_socket_recvmsg+0x91/0xc0 [ 29.858594] ? packet_getname_spkt+0x2b0/0x2b0 [ 29.863147] sock_recvmsg+0xc9/0x110 [ 29.866832] ? poll_select_set_timeout+0x16a/0x210 [ 29.871732] ? __sock_recv_wifi_status+0x210/0x210 [ 29.876656] ___sys_recvmsg+0x2a4/0x640 [ 29.880605] ? ___sys_sendmsg+0x8b0/0x8b0 [ 29.884724] ? ktime_get_ts64+0x15f/0x4d0 [ 29.888845] ? kvm_clock_get_cycles+0x25/0x30 [ 29.893319] ? ktime_get_ts64+0x328/0x4d0 [ 29.897437] ? 
__fget_light+0x2b2/0x3c0 [ 29.901384] ? fget_raw+0x20/0x20 [ 29.904808] ? nsec_to_clock_t+0x30/0x30 [ 29.908837] ? lock_downgrade+0x980/0x980 [ 29.912956] ? lock_release+0xa40/0xa40 [ 29.916903] ? poll_select_set_timeout+0x12f/0x210 [ 29.921801] ? do_restart_poll+0x2a0/0x2a0 [ 29.926011] __sys_recvmmsg+0x2a9/0xaf0 [ 29.929954] ? __sys_recvmmsg+0x2a9/0xaf0 [ 29.934079] ? SyS_recvmsg+0x50/0x50 [ 29.937767] ? find_held_lock+0x35/0x1d0 [ 29.941803] ? __might_fault+0x110/0x1d0 [ 29.945837] ? lock_downgrade+0x980/0x980 [ 29.949958] ? lock_release+0xa40/0xa40 [ 29.953917] ? check_same_owner+0x320/0x320 [ 29.958244] ? kasan_check_write+0x14/0x20 [ 29.962465] ? _copy_from_user+0x99/0x110 [ 29.966604] SyS_recvmmsg+0xc4/0x160 [ 29.970304] ? __sys_recvmmsg+0xaf0/0xaf0 [ 29.974440] ? do_syscall_64+0xb7/0x940 [ 29.978404] ? __sys_recvmmsg+0xaf0/0xaf0 [ 29.982543] do_syscall_64+0x281/0x940 [ 29.986420] ? __do_page_fault+0xc90/0xc90 [ 29.990649] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.995398] ? syscall_return_slowpath+0x550/0x550 [ 30.000312] ? syscall_return_slowpath+0x2ac/0x550 [ 30.005237] ? prepare_exit_to_usermode+0x350/0x350 [ 30.010237] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 30.015575] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.020855] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 30.026015] RIP: 0033:0x441a29 [ 30.029171] RSP: 002b:00007ffe3ff9efd8 EFLAGS: 00000217 ORIG_RAX: 000000000000012b [ 30.036847] RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000441a29 [ 30.044086] RDX: 0000000000000002 RSI: 0000000020000940 RDI: 0000000000000003 [ 30.051325] RBP: 00000000004a359c R08: 00000000200009c0 R09: 000000000000001c [ 30.058565] R10: 0000000000012000 R11: 0000000000000217 R12: 00007ffe3ff9f0c0 [ 30.065814] R13: 00000000004027b0 R14: 0000000000000000 R15: 0000000000000000 [ 30.073445] Dumping ftrace buffer: [ 30.076956] (ftrace buffer empty) [ 30.080637] Kernel Offset: disabled [ 30.084235] Rebooting in 86400 seconds..