INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [   28.691100] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[   28.931990] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   29.276457] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   29.282556] 8021q: adding VLAN 0 to HW filter on device bond0
[   29.319292] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   29.356615] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   29.394305] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   29.400408] 8021q: adding VLAN 0 to HW filter on device team0
[   29.425269] bond0: Enslaving bond_slave as an active interface with an up link
[   29.433998] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
executing program
[   29.444769] team0: Port device team_slave added
[   29.450075] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   29.490114] ==================================================================
[   29.497535] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[   29.504200] Write of size 4 at addr ffff8801b37d7660 by task syzkaller670384/4438
[   29.511791] 
[   29.513400] CPU: 1 PID: 4438 Comm: syzkaller670384 Not tainted 4.16.0+ #17
[   29.520385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.529713] Call Trace:
[   29.532276]  dump_stack+0x1b9/0x294
[   29.535883]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.541049]  ? printk+0x9e/0xba
[   29.544308]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.549040]  ? kasan_check_write+0x14/0x20
[   29.553252]  print_address_description+0x6c/0x20b
[   29.558069]  ? skb_release_data+0x19b/0x860
[   29.562366]  kasan_report.cold.7+0xac/0x2f5
[   29.566665]  check_memory_region+0x13e/0x1b0
[   29.571051]  kasan_check_write+0x14/0x20
[   29.575088]  skb_release_data+0x19b/0x860
[   29.579214]  ? skb_tx_error+0x2f0/0x2f0
[   29.583165]  ? kasan_check_read+0x11/0x20
[   29.587289]  ? rcu_is_watching+0x85/0x140
[   29.591413]  ? kasan_check_write+0x14/0x20
[   29.595623]  ? sock_rmem_free+0x6f/0x90
[   29.599575]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.605090]  skb_release_all+0x4a/0x60
[   29.608956]  kfree_skb+0x195/0x560
[   29.612470]  ? skb_queue_purge+0x19/0x40
[   29.616507]  ? __kfree_skb+0x20/0x20
[   29.620198]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   29.624755]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.629847]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.634847]  ? trace_hardirqs_on+0xd/0x10
[   29.638980]  ? skb_dequeue+0x12f/0x180
[   29.642848]  skb_queue_purge+0x19/0x40
[   29.646720]  packet_sock_destruct+0x93/0x290
[   29.651108]  ? packet_mm_close+0xc0/0xc0
[   29.655146]  ? graph_lock+0x170/0x170
[   29.658924]  ? __free_object+0x16e/0x330
[   29.662961]  ? __list_del_entry_valid.cold.1+0x58/0x58
[   29.668214]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   29.672771]  ? packet_mm_close+0xc0/0xc0
[   29.676809]  __sk_destruct+0xff/0xa40
[   29.680595]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[   29.685499]  ? graph_lock+0x170/0x170
[   29.689278]  ? lock_downgrade+0x8e0/0x8e0
[   29.693401]  ? __lock_is_held+0xb5/0x140
[   29.697438]  ? kasan_check_read+0x11/0x20
[   29.701560]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.705954]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   29.710513]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.715595]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.721108]  ? refcount_sub_and_test+0x212/0x330
[   29.725843]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   29.730576]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   29.735306]  ? pcpu_free_area+0xa90/0xa90
[   29.739444]  sk_destruct+0x78/0x90
[   29.742961]  __sk_free+0x22e/0x340
[   29.746480]  sk_free+0x42/0x50
[   29.749656]  packet_release+0xa18/0xd50
[   29.753606]  ? lock_downgrade+0x8e0/0x8e0
[   29.757731]  ? packet_lookup_frame+0x270/0x270
[   29.762290]  ? cpumask_weight.constprop.5+0x44/0x44
[   29.767279]  ? do_raw_spin_lock+0xc1/0x200
[   29.771493]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.777025]  ? locks_remove_file+0x3f7/0x5a0
[   29.781408]  ? fcntl_setlk+0x1020/0x1020
[   29.785446]  ? fsnotify+0x415/0x1100
[   29.789139]  ? fsnotify_first_mark+0x330/0x330
[   29.793701]  sock_release+0x96/0x1b0
[   29.797388]  ? sock_alloc_file+0x4e0/0x4e0
[   29.801595]  sock_close+0x16/0x20
[   29.805023]  __fput+0x34d/0x890
[   29.808280]  ? fput+0x1a0/0x1a0
[   29.811539]  ? check_same_owner+0x320/0x320
[   29.815835]  ____fput+0x15/0x20
[   29.819089]  task_work_run+0x1e4/0x290
[   29.822951]  ? task_work_cancel+0x240/0x240
[   29.827250]  ? switch_task_namespaces+0xbd/0xd0
[   29.831896]  do_exit+0x1aee/0x2730
[   29.835413]  ? mm_update_next_owner+0x980/0x980
[   29.840058]  ? finish_mkwrite_fault+0x610/0x610
[   29.844702]  ? debug_check_no_locks_freed+0x310/0x310
[   29.849880]  ? kasan_check_read+0x11/0x20
[   29.854008]  ? rcu_is_watching+0x85/0x140
[   29.858137]  ? lock_acquire+0x1dc/0x520
[   29.862092]  ? lock_release+0xa10/0xa10
[   29.866046]  ? tun_chr_close+0x60/0x60
[   29.869915]  ? kasan_check_write+0x14/0x20
[   29.874132]  ? do_raw_spin_lock+0xc1/0x200
[   29.878350]  ? __handle_mm_fault+0x88c/0x4150
[   29.882825]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   29.887557]  ? graph_lock+0x170/0x170
[   29.891333]  ? rcu_is_watching+0x85/0x140
[   29.895458]  ? graph_lock+0x170/0x170
[   29.899245]  ? find_held_lock+0x36/0x1c0
[   29.903288]  ? find_held_lock+0x36/0x1c0
[   29.907341]  ? lock_downgrade+0x8e0/0x8e0
[   29.911468]  ? handle_mm_fault+0x8c0/0xc70
[   29.915690]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.921212]  ? handle_mm_fault+0x55a/0xc70
[   29.925658]  ? __handle_mm_fault+0x4150/0x4150
[   29.930226]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.935741]  ? __do_page_fault+0x441/0xe40
[   29.939952]  do_group_exit+0x16f/0x430
[   29.943816]  ? SyS_exit+0x30/0x30
[   29.947247]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   29.952077]  ? do_syscall_64+0xb7/0x9d0
[   29.956026]  ? do_group_exit+0x430/0x430
[   29.960065]  SyS_exit_group+0x1d/0x20
[   29.963840]  do_syscall_64+0x29e/0x9d0
[   29.967704]  ? vmalloc_sync_all+0x30/0x30
[   29.971832]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.976588]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.981499]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.986415]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.991927]  ? retint_user+0x18/0x18
[   29.995619]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.000442]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.005610] RIP: 0033:0x441909
[   30.008776] RSP: 002b:00007ffc7b145598 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   30.016458] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441909
[   30.023701] RDX: 0000000000441840 RSI: 0000000000000004 RDI: 0000000000000001
[   30.030947] RBP: 00000000004a3529 R08: 0000000000000000 R09: 00000000006cd018
[   30.038189] R10: 0000000000000004 R11: 0000000000000206 R12: 00007ffc7b1456a8
[   30.045432] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[   30.052681] 
[   30.054283] Allocated by task 4438:
[   30.057888]  save_stack+0x43/0xd0
[   30.061327]  kasan_kmalloc+0xc4/0xe0
[   30.065019]  __kmalloc_node_track_caller+0x47/0x70
[   30.069929]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   30.074676]  __alloc_skb+0x14d/0x780
[   30.078366]  alloc_skb_with_frags+0x137/0x760
[   30.082835]  sock_alloc_send_pskb+0x87a/0xae0
[   30.087308]  packet_sendmsg+0x1bd1/0x6100
[   30.091434]  sock_sendmsg+0xd5/0x120
[   30.095124]  ___sys_sendmsg+0x805/0x940
[   30.099074]  __sys_sendmsg+0x115/0x270
[   30.102938]  SyS_sendmsg+0x29/0x30
[   30.106454]  do_syscall_64+0x29e/0x9d0
[   30.110318]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.115478] 
[   30.117081] Freed by task 4438:
[   30.120336]  save_stack+0x43/0xd0
[   30.123764]  __kasan_slab_free+0x11a/0x170
[   30.127971]  kasan_slab_free+0xe/0x10
[   30.131746]  kfree+0xd9/0x260
[   30.134826]  skb_free_head+0x99/0xc0
[   30.138515]  skb_release_data+0x690/0x860
[   30.142639]  skb_release_all+0x4a/0x60
[   30.146502]  kfree_skb+0x195/0x560
[   30.150019]  ip6_tnl_start_xmit+0xa44/0x2290
[   30.154434]  dev_hard_start_xmit+0x264/0xc10
[   30.158819]  __dev_queue_xmit+0x2724/0x34c0
[   30.163135]  dev_queue_xmit+0x17/0x20
[   30.166912]  packet_sendmsg+0x411d/0x6100
[   30.171037]  sock_sendmsg+0xd5/0x120
[   30.174727]  ___sys_sendmsg+0x805/0x940
[   30.178676]  __sys_sendmsg+0x115/0x270
[   30.182536]  SyS_sendmsg+0x29/0x30
[   30.186053]  do_syscall_64+0x29e/0x9d0
[   30.189917]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.195073] 
[   30.196675] The buggy address belongs to the object at ffff8801b37d7580
[   30.196675]  which belongs to the cache kmalloc-512 of size 512
[   30.209304] The buggy address is located 224 bytes inside of
[   30.209304]  512-byte region [ffff8801b37d7580, ffff8801b37d7780)
[   30.221148] The buggy address belongs to the page:
[   30.226054] page:ffffea0006cdf5c0 count:1 mapcount:0 mapping:ffff8801b37d7080 index:0x0
[   30.234172] flags: 0x2fffc0000000100(slab)
[   30.238385] raw: 02fffc0000000100 ffff8801b37d7080 0000000000000000 0000000100000006
[   30.246240] raw: ffffea0006cdf2a0 ffffea0006cdf6a0 ffff8801dac00940 0000000000000000
[   30.254093] page dumped because: kasan: bad access detected
[   30.259772] 
[   30.261370] Memory state around the buggy address:
[   30.266277]  ffff8801b37d7500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.273609]  ffff8801b37d7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.280942] >ffff8801b37d7600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.288270]                                                        ^
[   30.294735]  ffff8801b37d7680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.302065]  ffff8801b37d7700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.309419] ==================================================================
[   30.316750] Disabling lock debugging due to kernel taint
[   30.322708] Kernel panic - not syncing: panic_on_warn set ...
[   30.322708] 
[   30.330055] CPU: 1 PID: 4438 Comm: syzkaller670384 Tainted: G    B            4.16.0+ #17
[   30.338340] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.347668] Call Trace:
[   30.350235]  dump_stack+0x1b9/0x294
[   30.353838]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.359007]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.363735]  ? skb_release_data+0xd0/0x860
[   30.367943]  panic+0x22f/0x4de
[   30.371107]  ? add_taint.cold.5+0x16/0x16
[   30.375233]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.379617]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.383997]  ? skb_release_data+0x19b/0x860
[   30.388293]  kasan_end_report+0x47/0x4f
[   30.392242]  kasan_report.cold.7+0xc9/0x2f5
[   30.396537]  check_memory_region+0x13e/0x1b0
[   30.400923]  kasan_check_write+0x14/0x20
[   30.404960]  skb_release_data+0x19b/0x860
[   30.409083]  ? skb_tx_error+0x2f0/0x2f0
[   30.413031]  ? kasan_check_read+0x11/0x20
[   30.417155]  ? rcu_is_watching+0x85/0x140
[   30.421275]  ? kasan_check_write+0x14/0x20
[   30.425485]  ? sock_rmem_free+0x6f/0x90
[   30.429436]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.434945]  skb_release_all+0x4a/0x60
[   30.438808]  kfree_skb+0x195/0x560
[   30.442318]  ? skb_queue_purge+0x19/0x40
[   30.446351]  ? __kfree_skb+0x20/0x20
[   30.450039]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   30.454596]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   30.459675]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.464669]  ? trace_hardirqs_on+0xd/0x10
[   30.468793]  ? skb_dequeue+0x12f/0x180
[   30.472653]  skb_queue_purge+0x19/0x40
[   30.476516]  packet_sock_destruct+0x93/0x290
[   30.480901]  ? packet_mm_close+0xc0/0xc0
[   30.484933]  ? graph_lock+0x170/0x170
[   30.488709]  ? __free_object+0x16e/0x330
[   30.492745]  ? __list_del_entry_valid.cold.1+0x58/0x58
[   30.497993]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   30.502549]  ? packet_mm_close+0xc0/0xc0
[   30.506582]  __sk_destruct+0xff/0xa40
[   30.510356]  ? sock_warn_obsolete_bsdism+0xb0/0xb0
[   30.515260]  ? graph_lock+0x170/0x170
[   30.519044]  ? lock_downgrade+0x8e0/0x8e0
[   30.523176]  ? __lock_is_held+0xb5/0x140
[   30.527217]  ? kasan_check_read+0x11/0x20
[   30.531344]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.535729]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   30.540288]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   30.545366]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.550878]  ? refcount_sub_and_test+0x212/0x330
[   30.555608]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   30.560335]  ? refcount_inc_not_zero+0x2d0/0x2d0
[   30.565063]  ? pcpu_free_area+0xa90/0xa90
[   30.569183]  sk_destruct+0x78/0x90
[   30.572711]  __sk_free+0x22e/0x340
[   30.576231]  sk_free+0x42/0x50
[   30.579407]  packet_release+0xa18/0xd50
[   30.583361]  ? lock_downgrade+0x8e0/0x8e0
[   30.587498]  ? packet_lookup_frame+0x270/0x270
[   30.592062]  ? cpumask_weight.constprop.5+0x44/0x44
[   30.597057]  ? do_raw_spin_lock+0xc1/0x200
[   30.601269]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.606779]  ? locks_remove_file+0x3f7/0x5a0
[   30.611163]  ? fcntl_setlk+0x1020/0x1020
[   30.615197]  ? fsnotify+0x415/0x1100
[   30.618889]  ? fsnotify_first_mark+0x330/0x330
[   30.623447]  sock_release+0x96/0x1b0
[   30.627138]  ? sock_alloc_file+0x4e0/0x4e0
[   30.631349]  sock_close+0x16/0x20
[   30.634775]  __fput+0x34d/0x890
[   30.638044]  ? fput+0x1a0/0x1a0
[   30.641302]  ? check_same_owner+0x320/0x320
[   30.645598]  ____fput+0x15/0x20
[   30.648855]  task_work_run+0x1e4/0x290
[   30.652717]  ? task_work_cancel+0x240/0x240
[   30.657026]  ? switch_task_namespaces+0xbd/0xd0
[   30.661672]  do_exit+0x1aee/0x2730
[   30.665186]  ? mm_update_next_owner+0x980/0x980
[   30.669829]  ? finish_mkwrite_fault+0x610/0x610
[   30.674475]  ? debug_check_no_locks_freed+0x310/0x310
[   30.679643]  ? kasan_check_read+0x11/0x20
[   30.683767]  ? rcu_is_watching+0x85/0x140
[   30.687889]  ? lock_acquire+0x1dc/0x520
[   30.691837]  ? lock_release+0xa10/0xa10
[   30.695784]  ? tun_chr_close+0x60/0x60
[   30.699645]  ? kasan_check_write+0x14/0x20
[   30.703852]  ? do_raw_spin_lock+0xc1/0x200
[   30.708063]  ? __handle_mm_fault+0x88c/0x4150
[   30.712532]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   30.717259]  ? graph_lock+0x170/0x170
[   30.721035]  ? rcu_is_watching+0x85/0x140
[   30.725157]  ? graph_lock+0x170/0x170
[   30.728929]  ? find_held_lock+0x36/0x1c0
[   30.732966]  ? find_held_lock+0x36/0x1c0
[   30.737001]  ? lock_downgrade+0x8e0/0x8e0
[   30.741129]  ? handle_mm_fault+0x8c0/0xc70
[   30.745342]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.750849]  ? handle_mm_fault+0x55a/0xc70
[   30.755056]  ? __handle_mm_fault+0x4150/0x4150
[   30.759616]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.765127]  ? __do_page_fault+0x441/0xe40
[   30.769335]  do_group_exit+0x16f/0x430
[   30.773196]  ? SyS_exit+0x30/0x30
[   30.776639]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   30.781455]  ? do_syscall_64+0xb7/0x9d0
[   30.785401]  ? do_group_exit+0x430/0x430
[   30.789437]  SyS_exit_group+0x1d/0x20
[   30.793214]  do_syscall_64+0x29e/0x9d0
[   30.797075]  ? vmalloc_sync_all+0x30/0x30
[   30.801211]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.805943]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.810846]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.815751]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.821261]  ? retint_user+0x18/0x18
[   30.824951]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.829770]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.834933] RIP: 0033:0x441909
[   30.838096] RSP: 002b:00007ffc7b145598 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   30.845781] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441909
[   30.853031] RDX: 0000000000441840 RSI: 0000000000000004 RDI: 0000000000000001
[   30.860278] RBP: 00000000004a3529 R08: 0000000000000000 R09: 00000000006cd018
[   30.867521] R10: 0000000000000004 R11: 0000000000000206 R12: 00007ffc7b1456a8
[   30.874763] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000
[   30.882434] Dumping ftrace buffer:
[   30.885951]    (ftrace buffer empty)
[   30.889631] Kernel Offset: disabled
[   30.893233] Rebooting in 86400 seconds..
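The three stacks in the report above tell the story on their own: the skb data was allocated by packet_sendmsg (AF_PACKET send), freed by kfree_skb on the ip6_tnl_start_xmit transmit path, and then written again inside a second kfree_skb when packet_sock_destruct purged the socket's queue as the process exited, which KASAN flags as a use-after-free 224 bytes into a kmalloc-512 object. Pulling those facts out of a raw KASAN dump by hand is error-prone, so the following Python script is added here as a worked example of the triage step; it is not part of the syzkaller log or of the kernel. It strips the console timestamps, collects the "Call Trace:", "Allocated by" and "Freed by" stacks, drops the unwinder's "?" (unreliable) frames and KASAN's own plumbing, and cross-checks the offset KASAN printed against the addresses in the report. The sample input is a constructed excerpt of this page's report with most noise frames removed, and the names `parse_kasan_report`, `real_frames` and `triage` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt of the report on this page: its own lines, with most of the
# unwinder noise and "?" frames dropped so the sample stays short.
SAMPLE_REPORT = """\
[   29.497535] BUG: KASAN: use-after-free in skb_release_data+0x19b/0x860
[   29.504200] Write of size 4 at addr ffff8801b37d7660 by task syzkaller670384/4438
[   29.529713] Call Trace:
[   29.558069]  ? skb_release_data+0x19b/0x860
[   29.562366]  kasan_report.cold.7+0xac/0x2f5
[   29.575088]  skb_release_data+0x19b/0x860
[   29.608956]  kfree_skb+0x195/0x560
[   29.642848]  skb_queue_purge+0x19/0x40
[   29.646720]  packet_sock_destruct+0x93/0x290
[   29.749656]  packet_release+0xa18/0xd50
[   30.054283] Allocated by task 4438:
[   30.057888]  save_stack+0x43/0xd0
[   30.061327]  kasan_kmalloc+0xc4/0xe0
[   30.074676]  __alloc_skb+0x14d/0x780
[   30.087308]  packet_sendmsg+0x1bd1/0x6100
[   30.117081] Freed by task 4438:
[   30.120336]  save_stack+0x43/0xd0
[   30.123764]  __kasan_slab_free+0x11a/0x170
[   30.131746]  kfree+0xd9/0x260
[   30.146502]  kfree_skb+0x195/0x560
[   30.150019]  ip6_tnl_start_xmit+0xa44/0x2290
[   30.166912]  packet_sendmsg+0x411d/0x6100
[   30.196675] The buggy address belongs to the object at ffff8801b37d7580
[   30.196675]  which belongs to the cache kmalloc-512 of size 512
[   30.209304] The buggy address is located 224 bytes inside of
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+ in [\w.]+)\+")
ACCESS_RE = re.compile(r"(?:Read|Write) of size \d+ at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
HDR_RE = re.compile(r"^(?:Call Trace:|Allocated by task (?P<a>\d+):|Freed by task (?P<f>\d+):)$")
FRAME_RE = re.compile(r"^\s*(?P<q>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJ_RE = re.compile(r"object at (?P<start>[0-9a-f]+)")
SIZE_RE = re.compile(r"cache \S+ of size (?P<size>\d+)")
OFF_RE = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside|to the (?:left|right)) of")
# Frames that belong to KASAN or the unwinder itself, not to the code path under analysis.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "check_memory_region", "save_stack")

@dataclass
class KasanReport:
    bug: str = ""
    addr: int = 0
    pid: int = 0
    obj_start: int = 0
    obj_size: int = 0
    reported_off: int = -1
    where: str = ""
    pids: Dict[str, int] = field(default_factory=dict)            # alloc/free task ids
    stacks: Dict[str, List[Tuple[str, bool]]] = field(             # (func, printed with "?")
        default_factory=lambda: {"use": [], "alloc": [], "free": []})

def parse_kasan_report(text: str) -> KasanReport:
    rep, cur = KasanReport(), None                   # cur: which stack is being collected
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if m := HDR_RE.match(line):                  # a stack header opens a new section
            cur = "use" if line.startswith("Call") else "alloc" if m.group("a") else "free"
            if cur != "use":
                rep.pids[cur] = int(m.group("a") or m.group("f"))
        elif cur and (m := FRAME_RE.match(line)):
            rep.stacks[cur].append((m.group("func"), m.group("q") is not None))
        else:                                        # blank line, "RIP:", ... closes the stack
            cur = None
            if m := BUG_RE.search(line):
                rep.bug = m.group("bug")
            elif m := ACCESS_RE.search(line):
                rep.addr, rep.pid = int(m.group("addr"), 16), int(m.group("pid"))
            elif m := OBJ_RE.search(line):
                rep.obj_start = int(m.group("start"), 16)
            elif m := SIZE_RE.search(line):
                rep.obj_size = int(m.group("size"))
            elif m := OFF_RE.search(line):
                rep.reported_off, rep.where = int(m.group("off")), m.group("where")
    return rep

def real_frames(frames: List[Tuple[str, bool]], limit: int = 8) -> List[str]:
    """Drop '?' (unreliable) frames and KASAN plumbing; keep the innermost `limit` callers."""
    return [f for f, unreliable in frames if not unreliable and not f.startswith(NOISE)][:limit]

def triage(rep: KasanReport) -> dict:
    """Condense the report to what a bug-tracker entry needs, plus two sanity checks."""
    use, free = real_frames(rep.stacks["use"]), real_frames(rep.stacks["free"])
    off = rep.addr - rep.obj_start
    return {
        "bug": rep.bug, "access_addr": hex(rep.addr), "pid": rep.pid,
        "use_path": use, "free_path": free, "alloc_path": real_frames(rep.stacks["alloc"]),
        # Recompute the offset KASAN printed; a mismatch means the report was mangled in transit.
        "offset_ok": off == rep.reported_off and (0 <= off < rep.obj_size) == (rep.where == "inside"),
        "same_task": rep.pid == rep.pids.get("alloc") == rep.pids.get("free"),
        # Faulting access inside kfree_skb after an earlier kfree_skb released this buffer: freed twice.
        "freed_again": "kfree_skb" in use and "kfree_skb" in free,
    }
```

Running `triage(parse_kasan_report(SAMPLE_REPORT))` yields the use path skb_release_data / kfree_skb / skb_queue_purge / packet_sock_destruct / packet_release, the free path kfree / kfree_skb / ip6_tnl_start_xmit / packet_sendmsg, `offset_ok` and `same_task` both true, and `freed_again` true. The "?" frames are deliberately excluded from the paths: the x86 unwinder prints them for stale return addresses it finds on the stack, and treating them as real callers is the most common way a KASAN report gets misread.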