INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.45' (ECDSA) to the list of known hosts.
2017/10/03 04:45:14 parsed 1 programs
2017/10/03 04:45:14 executed programs: 0

syzkaller login: [ 42.688709] ==================================================================
[ 42.696162] BUG: KASAN: use-after-free in packet_getsockopt+0xc72/0xe00
[ 42.702891] Read of size 8 at addr ffff8801cbcc3498 by task syz-executor4/3386
[ 42.710220]
[ 42.711827] CPU: 1 PID: 3386 Comm: syz-executor4 Not tainted 4.14.0-rc3+ #22
[ 42.718985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.728309] Call Trace:
[ 42.730872]  dump_stack+0x194/0x257
[ 42.734476]  ? arch_local_irq_restore+0x53/0x53
[ 42.739120]  ? show_regs_print_info+0x65/0x65
[ 42.743589]  ? lock_release+0xd70/0xd70
[ 42.747541]  ? __fget+0xbb/0x580
[ 42.750884]  ? packet_getsockopt+0xc72/0xe00
[ 42.755267]  print_address_description+0x73/0x250
[ 42.760083]  ? packet_getsockopt+0xc72/0xe00
[ 42.764466]  kasan_report+0x25b/0x340
[ 42.768245]  __asan_report_load8_noabort+0x14/0x20
[ 42.773146]  packet_getsockopt+0xc72/0xe00
[ 42.777357]  ? packet_notifier+0x950/0x950
[ 42.781567]  ? __fget+0x362/0x580
[ 42.784999]  ? sock_has_perm+0x29c/0x400
[ 42.789036]  ? selinux_tun_dev_create+0xc0/0xc0
[ 42.793676]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 42.799360]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 42.804619]  ? ___sys_recvmsg+0x630/0x630
[ 42.808747]  ? selinux_socket_getsockopt+0x36/0x40
[ 42.813654]  ? security_socket_getsockopt+0x89/0xb0
[ 42.818649]  compat_SyS_getsockopt+0x2ed/0x420
[ 42.823206]  ? compat_SyS_setsockopt+0x410/0x410
[ 42.827935]  ? lock_acquire+0x1d5/0x580
[ 42.831884]  ? do_fast_syscall_32+0x158/0xf05
[ 42.836358]  ? compat_SyS_setsockopt+0x410/0x410
[ 42.841090]  do_fast_syscall_32+0x3f2/0xf05
[ 42.845389]  ? compat_start_thread+0x80/0x80
[ 42.849777]  ? do_int80_syscall_32+0x940/0x940
[ 42.854343]  ? lockdep_sys_exit+0x47/0xf0
[ 42.858471]  ? syscall_return_slowpath+0x2b3/0x510
[ 42.863374]  ? finish_task_switch+0x1aa/0x740
[ 42.867846]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 42.872839]  ? sysret32_from_system_call+0x5/0x3b
[ 42.877660]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.882482]  entry_SYSENTER_compat+0x51/0x60
[ 42.886864] RIP: 0023:0xf7fdbc79
[ 42.890200] RSP: 002b:00000000f7fb605c EFLAGS: 00000296 ORIG_RAX: 000000000000016d
[ 42.897886] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 0000000000000107
[ 42.905130] RDX: 0000000000000015 RSI: 0000000020ec8000 RDI: 00000000208a5000
[ 42.912373] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 42.919617] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 42.926861] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.934123]
[ 42.935724] Allocated by task 3380:
[ 42.939326]  save_stack_trace+0x16/0x20
[ 42.943273]  save_stack+0x43/0xd0
[ 42.946708]  kasan_kmalloc+0xad/0xe0
[ 42.950393]  kmem_cache_alloc_trace+0x136/0x750
[ 42.955035]  fanout_add+0x27e/0x1480
[ 42.958719]  packet_setsockopt+0xfdc/0x1e80
[ 42.963010]  compat_packet_setsockopt+0xe1/0x140
[ 42.967738]  compat_SyS_setsockopt+0x17c/0x410
[ 42.972291]  do_fast_syscall_32+0x3f2/0xf05
[ 42.976583]  entry_SYSENTER_compat+0x51/0x60
[ 42.980959]
[ 42.982557] Freed by task 3380:
[ 42.985811]  save_stack_trace+0x16/0x20
[ 42.989755]  save_stack+0x43/0xd0
[ 42.993179]  kasan_slab_free+0x71/0xc0
[ 42.997035]  kfree+0xca/0x250
[ 43.000113]  fanout_add+0x432/0x1480
[ 43.003803]  packet_setsockopt+0xfdc/0x1e80
[ 43.008098]  compat_packet_setsockopt+0xe1/0x140
[ 43.012827]  compat_SyS_setsockopt+0x17c/0x410
[ 43.017380]  do_fast_syscall_32+0x3f2/0xf05
[ 43.021670]  entry_SYSENTER_compat+0x51/0x60
[ 43.026045]
[ 43.027646] The buggy address belongs to the object at ffff8801cbcc3480
[ 43.027646]  which belongs to the cache kmalloc-128 of size 128
[ 43.040272] The buggy address is located 24 bytes inside of
[ 43.040272]  128-byte region [ffff8801cbcc3480, ffff8801cbcc3500)
[ 43.052027] The buggy address belongs to the page:
[ 43.056928] page:ffffea00072f30c0 count:1 mapcount:0 mapping:ffff8801cbcc3000 index:0x0
[ 43.065044] flags: 0x200000000000100(slab)
[ 43.069251] raw: 0200000000000100 ffff8801cbcc3000 0000000000000000 0000000100000015
[ 43.077104] raw: ffffea00073313a0 ffffea00073377a0 ffff8801dac00640 0000000000000000
[ 43.084955] page dumped because: kasan: bad access detected
[ 43.090634]
[ 43.092231] Memory state around the buggy address:
[ 43.097131]  ffff8801cbcc3380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 43.104460]  ffff8801cbcc3400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 43.111788] >ffff8801cbcc3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.119119]                             ^
[ 43.123236]  ffff8801cbcc3500: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 43.130568]  ffff8801cbcc3580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 43.137895] ==================================================================
[ 43.145222] Disabling lock debugging due to kernel taint
[ 43.150717] Kernel panic - not syncing: panic_on_warn set ...
[ 43.150717]
[ 43.158053] CPU: 1 PID: 3386 Comm: syz-executor4 Tainted: G B 4.14.0-rc3+ #22
[ 43.166420] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.175742] Call Trace:
[ 43.178300]  dump_stack+0x194/0x257
[ 43.181895]  ? arch_local_irq_restore+0x53/0x53
[ 43.186534]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 43.191258]  ? packet_getsockopt+0xc70/0xe00
[ 43.195635]  panic+0x1e4/0x417
[ 43.198803]  ? __warn+0x1d9/0x1d9
[ 43.202229]  ? packet_getsockopt+0xc72/0xe00
[ 43.206602]  kasan_end_report+0x50/0x50
[ 43.210544]  kasan_report+0x144/0x340
[ 43.214310]  __asan_report_load8_noabort+0x14/0x20
[ 43.219203]  packet_getsockopt+0xc72/0xe00
[ 43.223405]  ? packet_notifier+0x950/0x950
[ 43.227605]  ? __fget+0x362/0x580
[ 43.231028]  ? sock_has_perm+0x29c/0x400
[ 43.235057]  ? selinux_tun_dev_create+0xc0/0xc0
[ 43.239689]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 43.245364]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 43.250611]  ? ___sys_recvmsg+0x630/0x630
[ 43.254727]  ? selinux_socket_getsockopt+0x36/0x40
[ 43.259621]  ? security_socket_getsockopt+0x89/0xb0
[ 43.264605]  compat_SyS_getsockopt+0x2ed/0x420
[ 43.269157]  ? compat_SyS_setsockopt+0x410/0x410
[ 43.273879]  ? lock_acquire+0x1d5/0x580
[ 43.277818]  ? do_fast_syscall_32+0x158/0xf05
[ 43.282282]  ? compat_SyS_setsockopt+0x410/0x410
[ 43.287004]  do_fast_syscall_32+0x3f2/0xf05
[ 43.291292]  ? compat_start_thread+0x80/0x80
[ 43.295666]  ? do_int80_syscall_32+0x940/0x940
[ 43.300215]  ? lockdep_sys_exit+0x47/0xf0
[ 43.304330]  ? syscall_return_slowpath+0x2b3/0x510
[ 43.309239]  ? finish_task_switch+0x1aa/0x740
[ 43.313710]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 43.318694]  ? sysret32_from_system_call+0x5/0x3b
[ 43.323519]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.328342]  entry_SYSENTER_compat+0x51/0x60
[ 43.332722] RIP: 0023:0xf7fdbc79
[ 43.336057] RSP: 002b:00000000f7fb605c EFLAGS: 00000296 ORIG_RAX: 000000000000016d
[ 43.343733] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 0000000000000107
[ 43.350969] RDX: 0000000000000015 RSI: 0000000020ec8000 RDI: 00000000208a5000
[ 43.358205] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 43.365446] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 43.372687] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 43.380366] Dumping ftrace buffer:
[ 43.383879]    (ftrace buffer empty)
[ 43.387563] Kernel Offset: disabled
[ 43.391169] Rebooting in 86400 seconds..
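Triaging a report like the one above means pulling out a handful of facts: the bug class and faulting function from the BUG line, the access size and address, the slab cache and the offset of the address inside the object, the real allocation and free call sites underneath the save_stack/kasan/kmalloc plumbing, and what the shadow byte under the caret encodes. The Python below is an added example, not part of the syzkaller report or of any kernel or syzkaller tooling; it parses a trimmed copy of this report (embedded as sample input) and decodes the shadow byte using the poison values of 4.14-era KASAN (mm/kasan/kasan.h), where one shadow byte covers 8 bytes of memory, 0xfb marks a freed slab object and 0xfc a slab redzone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# KASAN shadow encoding (4.14-era x86_64, mm/kasan/kasan.h): one shadow byte covers
# GRANULE bytes of memory. 0x00 = all 8 addressable, 0x01..0x07 = only the first N
# addressable, values >= 0xf0 are poison. For slab bugs 0xfb and 0xfc are the ones to know.
GRANULE = 8
POISON = {0xfa: "global redzone", 0xfb: "freed slab object (use-after-free)",
          0xfc: "slab redzone (out-of-bounds)", 0xfe: "page redzone", 0xff: "freed page",
          0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
          0xf4: "stack partial redzone", 0xf8: "use-after-scope"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # printk timestamp prefix
FRAME = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")         # symbol+off/size
ROW = re.compile(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")  # shadow dump row
PLUMBING = ("save_stack", "kasan_", "kmem_cache", "kmalloc", "__kmalloc", "kfree")

@dataclass
class KasanReport:
    bug_type: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    object_start: int = 0
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row base -> 16 shadow bytes

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None  # section tracks which stack we are inside
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", line):
            r.bug_type, r.func = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.object_start, section = int(m[1], 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size", line):
            r.cache = m[1]
        elif m := ROW.match(line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif (m := FRAME.match(line)) and section:
            (r.alloc_stack if section == "alloc" else r.free_stack).append(m[1])
    return r

def classify_address(r: KasanReport) -> str:
    """Decode the shadow byte covering the faulting address (what the '^' points at)."""
    for row_start, bytes_ in r.shadow.items():
        if row_start <= r.addr < row_start + GRANULE * len(bytes_):
            b = bytes_[(r.addr - row_start) // GRANULE]
            if b == 0:
                return "addressable"
            if b < GRANULE:
                return f"partially addressable (first {b} bytes)"
            return POISON.get(b, f"unknown poison 0x{b:02x}")
    return "address not covered by dumped shadow"

def first_caller(stack: List[str]) -> str:
    """First frame that is not allocator/KASAN plumbing: the real alloc or free site."""
    return next((f for f in stack if not f.startswith(PLUMBING)), "")

def triage(r: KasanReport) -> dict:
    return {"bug": r.bug_type, "site": r.func, "access": f"{r.access.lower()} of {r.size} bytes",
            "cache": r.cache, "offset_in_object": r.addr - r.object_start,
            "shadow": classify_address(r), "alloc_site": first_caller(r.alloc_stack),
            "free_site": first_caller(r.free_stack)}

# Sample input: a trimmed copy of the lines from the syzkaller report above.
SAMPLE_REPORT = """\
[ 42.696162] BUG: KASAN: use-after-free in packet_getsockopt+0xc72/0xe00
[ 42.702891] Read of size 8 at addr ffff8801cbcc3498 by task syz-executor4/3386
[ 42.935724] Allocated by task 3380:
[ 42.939326]  save_stack_trace+0x16/0x20
[ 42.943273]  save_stack+0x43/0xd0
[ 42.946708]  kasan_kmalloc+0xad/0xe0
[ 42.950393]  kmem_cache_alloc_trace+0x136/0x750
[ 42.955035]  fanout_add+0x27e/0x1480
[ 42.982557] Freed by task 3380:
[ 42.985811]  save_stack_trace+0x16/0x20
[ 42.989755]  save_stack+0x43/0xd0
[ 42.993179]  kasan_slab_free+0x71/0xc0
[ 42.997035]  kfree+0xca/0x250
[ 43.000113]  fanout_add+0x432/0x1480
[ 43.027646] The buggy address belongs to the object at ffff8801cbcc3480
[ 43.027646]  which belongs to the cache kmalloc-128 of size 128
[ 43.111788] >ffff8801cbcc3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.123236]  ffff8801cbcc3500: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE_REPORT)))
```

On this report the summary comes out as a use-after-free at packet_getsockopt, an 8-byte read 24 bytes into a kmalloc-128 object that fanout_add both allocated and freed, with the shadow byte 0xfb confirming the object was already freed when it was read. The same parser works on other syzkaller KASAN reports of that kernel generation; for an out-of-bounds report the decoded shadow byte would instead be the 0xfc redzone.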