INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   28.608402] IPVS: ftp: loaded support on port[0] = 21
executing program
[   28.651280] IPVS: ftp: loaded support on port[0] = 21
executing program
[   28.689635] IPVS: ftp: loaded support on port[0] = 21
executing program
[   28.727406] IPVS: ftp: loaded support on port[0] = 21
[   28.765963] IPVS: ftp: loaded support on port[0] = 21
executing program
[   28.797279] Failed to remove local publication {0,0,0}/3017079972
[   28.811643] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[   28.841193] Failed to remove local publication {0,0,0}/3771580035
[   28.856306] IPVS: ftp: loaded support on port[0] = 21
[   28.896445] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[   28.926887] Failed to remove local publication {0,0,0}/3746838944
[   28.942041] IPVS: ftp: loaded support on port[0] = 21
executing program
[   28.979860] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.017797] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.055857] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.093778] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.131534] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.169225] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.207432] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.245388] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.283343] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[   29.321209] IPVS: ftp: loaded support on port[0] = 21
[   29.359348] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.398122] IPVS: ftp: loaded support on port[0] = 21
[   29.437547] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[   29.468741] Failed to remove local publication {0,0,0}/2806128474
[   29.483275] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.521868] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.559761] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.599048] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.637404] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.676008] IPVS: ftp: loaded support on port[0] = 21
[   29.714078] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[   29.745415] Failed to remove local publication {0,0,0}/206417777
[   29.760095] IPVS: ftp: loaded support on port[0] = 21
executing program
[   29.800934] IPVS: ftp: loaded support on port[0] = 21
[   29.838398] IPVS: ftp: loaded support on port[0] = 21
[   29.929469] ==================================================================
[   29.936909] BUG: KASAN: use-after-free in tipc_nametbl_stop+0x94e/0xd70
[   29.943637] Read of size 8 at addr ffff8801c4c25130 by task kworker/u4:2/30
[   29.950705]
[   29.952315] CPU: 0 PID: 30 Comm: kworker/u4:2 Not tainted 4.16.0+ #1
[   29.958781] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.968116] Workqueue: netns cleanup_net
[   29.972151] Call Trace:
[   29.974717]  dump_stack+0x1b9/0x294
[   29.978320]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.983487]  ? printk+0x9e/0xba
[   29.986741]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.991473]  ? kasan_check_write+0x14/0x20
[   29.995686]  print_address_description+0x6c/0x20b
[   30.000506]  ? tipc_nametbl_stop+0x94e/0xd70
[   30.004892]  kasan_report.cold.7+0x242/0x2fe
[   30.009278]  __asan_report_load8_noabort+0x14/0x20
[   30.014183]  tipc_nametbl_stop+0x94e/0xd70
[   30.018399]  ? tipc_nametbl_init+0x5b0/0x5b0
[   30.022785]  ? mark_held_locks+0xc9/0x160
[   30.026908]  ? quarantine_put+0xeb/0x190
[   30.030946]  ? kfree+0x111/0x260
[   30.034290]  ? tipc_bcast_stop+0x281/0x3d0
[   30.038499]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.043488]  ? trace_hardirqs_on+0xd/0x10
[   30.047621]  ? tipc_bcast_stop+0x281/0x3d0
[   30.051834]  ? tipc_bcast_init+0xc80/0xc80
[   30.056046]  ? tipc_enable_bearer.cold.19+0xbf/0xbf
[   30.061036]  tipc_exit_net+0x2d/0x40
[   30.064729]  ops_exit_list.isra.7+0xb0/0x160
[   30.069116]  cleanup_net+0x51d/0xb20
[   30.072804]  ? lock_downgrade+0x8e0/0x8e0
[   30.076930]  ? peernet2id_alloc+0x3e0/0x3e0
[   30.081224]  ? find_held_lock+0x36/0x1c0
[   30.085262]  ? graph_lock+0x170/0x170
[   30.089040]  ? lock_acquire+0x1dc/0x520
[   30.092991]  ? process_one_work+0xb46/0x1b50
[   30.097376]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   30.102455]  ? __lock_is_held+0xb5/0x140
[   30.106509]  process_one_work+0xc1e/0x1b50
[   30.110721]  ? finish_task_switch+0x28b/0x810
[   30.115197]  ? pwq_dec_nr_in_flight+0x490/0x490
[   30.119846]  ? __schedule+0x809/0x1e30
[   30.123716]  ? graph_lock+0x170/0x170
[   30.127491]  ? lock_downgrade+0x8e0/0x8e0
[   30.131623]  ? find_held_lock+0x36/0x1c0
[   30.135664]  ? lock_acquire+0x1dc/0x520
[   30.139613]  ? lock_downgrade+0x8e0/0x8e0
[   30.143737]  ? lock_release+0xa10/0xa10
[   30.147684]  ? kasan_check_read+0x11/0x20
[   30.151814]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   30.156390]  worker_thread+0x1cc/0x1440
[   30.160346]  ? process_one_work+0x1b50/0x1b50
[   30.164819]  ? graph_lock+0x170/0x170
[   30.168599]  ? find_held_lock+0x36/0x1c0
[   30.172643]  ? __schedule+0x1e30/0x1e30
[   30.176595]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.180977]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   30.185534]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   30.190612]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.195615]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.201130]  ? __kthread_parkme+0x1b7/0x280
[   30.205428]  kthread+0x345/0x410
[   30.208770]  ? process_one_work+0x1b50/0x1b50
[   30.213239]  ? kthread_bind+0x40/0x40
[   30.217015]  ret_from_fork+0x3a/0x50
[   30.220709]
[   30.222318] Allocated by task 4535:
[   30.225930]  save_stack+0x43/0xd0
[   30.229361]  kasan_kmalloc+0xc4/0xe0
[   30.233051]  kmem_cache_alloc_trace+0x152/0x780
[   30.237693]  tipc_nametbl_insert_publ+0x569/0x1910
[   30.242594]  tipc_nametbl_publish+0x6c3/0xba0
[   30.247061]  tipc_sk_publish+0x22a/0x510
[   30.251096]  tipc_bind+0x206/0x330
[   30.254610]  __sys_bind+0x331/0x440
[   30.258211]  SyS_bind+0x24/0x30
[   30.261466]  do_syscall_64+0x29e/0x9d0
[   30.265327]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.270487]
[   30.272090] Freed by task 30:
[   30.275176]  save_stack+0x43/0xd0
[   30.278609]  __kasan_slab_free+0x11a/0x170
[   30.282820]  kasan_slab_free+0xe/0x10
[   30.286594]  kfree+0xd9/0x260
[   30.289674]  tipc_service_remove_publ.isra.8+0x909/0xc30
[   30.295097]  tipc_nametbl_stop+0x746/0xd70
[   30.299314]  tipc_exit_net+0x2d/0x40
[   30.303005]  ops_exit_list.isra.7+0xb0/0x160
[   30.307391]  cleanup_net+0x51d/0xb20
[   30.311085]  process_one_work+0xc1e/0x1b50
[   30.315293]  worker_thread+0x1cc/0x1440
[   30.319247]  kthread+0x345/0x410
[   30.322592]  ret_from_fork+0x3a/0x50
[   30.326277]
[   30.327879] The buggy address belongs to the object at ffff8801c4c25100
[   30.327879]  which belongs to the cache kmalloc-64 of size 64
[   30.340345] The buggy address is located 48 bytes inside of
[   30.340345]  64-byte region [ffff8801c4c25100, ffff8801c4c25140)
[   30.352024] The buggy address belongs to the page:
[   30.356929] page:ffffea0007130940 count:1 mapcount:0 mapping:ffff8801c4c25000 index:0x0
[   30.365053] flags: 0x2fffc0000000100(slab)
[   30.369265] raw: 02fffc0000000100 ffff8801c4c25000 0000000000000000 0000000100000020
[   30.377122] raw: ffffea0006ccf860 ffffea00070840a0 ffff8801dac00340 0000000000000000
[   30.385135] page dumped because: kasan: bad access detected
[   30.390838]
[   30.392435] Memory state around the buggy address:
[   30.397336]  ffff8801c4c25000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.404669]  ffff8801c4c25080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.411999] >ffff8801c4c25100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.419329]                                      ^
[   30.424229]  ffff8801c4c25180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.431563]  ffff8801c4c25200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.438892] ==================================================================
[   30.446223] Disabling lock debugging due to kernel taint
[   30.451686] Kernel panic - not syncing: panic_on_warn set ...
[   30.451686]
[   30.459032] CPU: 0 PID: 30 Comm: kworker/u4:2 Tainted: G    B 4.16.0+ #1
[   30.466884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.476230] Workqueue: netns cleanup_net
[   30.480262] Call Trace:
[   30.482829]  dump_stack+0x1b9/0x294
[   30.486439]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.491606]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.496337]  ? tipc_nametbl_stop+0x8a0/0xd70
[   30.500721]  panic+0x22f/0x4de
[   30.503888]  ? add_taint.cold.5+0x16/0x16
[   30.508016]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.512400]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.516783]  ? tipc_nametbl_stop+0x94e/0xd70
[   30.521168]  kasan_end_report+0x47/0x4f
[   30.525114]  kasan_report.cold.7+0x76/0x2fe
[   30.529409]  __asan_report_load8_noabort+0x14/0x20
[   30.534313]  tipc_nametbl_stop+0x94e/0xd70
[   30.538524]  ? tipc_nametbl_init+0x5b0/0x5b0
[   30.542905]  ? mark_held_locks+0xc9/0x160
[   30.547030]  ? quarantine_put+0xeb/0x190
[   30.551065]  ? kfree+0x111/0x260
[   30.554412]  ? tipc_bcast_stop+0x281/0x3d0
[   30.558621]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.563609]  ? trace_hardirqs_on+0xd/0x10
[   30.567732]  ? tipc_bcast_stop+0x281/0x3d0
[   30.571942]  ? tipc_bcast_init+0xc80/0xc80
[   30.576160]  ? tipc_enable_bearer.cold.19+0xbf/0xbf
[   30.581154]  tipc_exit_net+0x2d/0x40
[   30.584844]  ops_exit_list.isra.7+0xb0/0x160
[   30.589228]  cleanup_net+0x51d/0xb20
[   30.592922]  ? lock_downgrade+0x8e0/0x8e0
[   30.597048]  ? peernet2id_alloc+0x3e0/0x3e0
[   30.601343]  ? find_held_lock+0x36/0x1c0
[   30.605391]  ? graph_lock+0x170/0x170
[   30.609176]  ? lock_acquire+0x1dc/0x520
[   30.613135]  ? process_one_work+0xb46/0x1b50
[   30.617527]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   30.622615]  ? __lock_is_held+0xb5/0x140
[   30.626658]  process_one_work+0xc1e/0x1b50
[   30.630872]  ? finish_task_switch+0x28b/0x810
[   30.635351]  ? pwq_dec_nr_in_flight+0x490/0x490
[   30.640000]  ? __schedule+0x809/0x1e30
[   30.643870]  ? graph_lock+0x170/0x170
[   30.647648]  ? lock_downgrade+0x8e0/0x8e0
[   30.651773]  ? find_held_lock+0x36/0x1c0
[   30.655809]  ? lock_acquire+0x1dc/0x520
[   30.659759]  ? lock_downgrade+0x8e0/0x8e0
[   30.663884]  ? lock_release+0xa10/0xa10
[   30.667835]  ? kasan_check_read+0x11/0x20
[   30.671961]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   30.676523]  worker_thread+0x1cc/0x1440
[   30.680477]  ? process_one_work+0x1b50/0x1b50
[   30.684946]  ? graph_lock+0x170/0x170
[   30.688725]  ? find_held_lock+0x36/0x1c0
[   30.692769]  ? __schedule+0x1e30/0x1e30
[   30.696718]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.701106]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   30.705662]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   30.710739]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.715732]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.721246]  ? __kthread_parkme+0x1b7/0x280
[   30.725544]  kthread+0x345/0x410
[   30.728888]  ? process_one_work+0x1b50/0x1b50
[   30.733355]  ? kthread_bind+0x40/0x40
[   30.737131]  ret_from_fork+0x3a/0x50
[   30.741244] Dumping ftrace buffer:
[   30.744760]    (ftrace buffer empty)
[   30.748439] Kernel Offset: disabled
[   30.752042] Rebooting in 86400 seconds..