2017/10/24 13:36:48 parsed 1 programs
2017/10/24 13:36:48 executed programs: 0
syzkaller login: [ 26.438434] ==================================================================
[ 26.439149] BUG: KASAN: use-after-free in packet_getsockopt+0xc72/0xe00
[ 26.439774] Read of size 8 at addr ffff88006d0bbd98 by task syz-executor0/3067
[ 26.440329]
[ 26.440457] CPU: 1 PID: 3067 Comm: syz-executor0 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 26.441066] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.441585] Call Trace:
[ 26.441749]  dump_stack+0x194/0x257
[ 26.441986]  ? arch_local_irq_restore+0x53/0x53
[ 26.442268]  ? show_regs_print_info+0x65/0x65
[ 26.442537]  ? lock_release+0xa40/0xa40
[ 26.442791]  ? packet_getsockopt+0xc72/0xe00
[ 26.443071]  print_address_description+0x73/0x250
[ 26.443418]  ? packet_getsockopt+0xc72/0xe00
[ 26.443748]  kasan_report+0x25b/0x340
[ 26.444042]  __asan_report_load8_noabort+0x14/0x20
[ 26.444380]  packet_getsockopt+0xc72/0xe00
[ 26.444678]  ? packet_notifier+0x950/0x950
[ 26.445032]  ? iput+0x540/0xaf0
[ 26.445291]  ? __fget_light+0x297/0x380
[ 26.445588]  ? sock_has_perm+0x29c/0x400
[ 26.445885]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.446268]  ? free_modinfo_version+0x70/0x70
[ 26.446676]  ? __sk_free+0x5c/0x230
[ 26.447011]  ? sk_free+0x2f/0x40
[ 26.447309]  ? selinux_socket_getsockopt+0x36/0x40
[ 26.447608]  ? security_socket_getsockopt+0x89/0xb0
[ 26.447953]  SyS_getsockopt+0x178/0x340
[ 26.448739]  ? SyS_setsockopt+0x360/0x360
[ 26.449123]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 26.449515]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.449885]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.450240]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.450530] RIP: 0033:0x447c89
[ 26.450722] RSP: 002b:00007f428feb7bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
[ 26.451179] RAX: ffffffffffffffda RBX: 00007f428feb86cc RCX: 0000000000447c89
[ 26.451606] RDX: 0000000000000015 RSI: 0000000000000107 RDI: 000000000000000b
[ 26.452130] RBP: 0000000000000082 R08: 00000000208a5000 R09: 0000000000000000
[ 26.452655] R10: 0000000020ec8000 R11: 0000000000000246 R12: 0000000000000000
[ 26.453184] R13: 0000000000000000 R14: 00007f428feb89c0 R15: 00007f428feb8700
[ 26.453721]
[ 26.453845] Allocated by task 3066:
[ 26.454114]  save_stack+0x43/0xd0
[ 26.454371]  kasan_kmalloc+0xad/0xe0
[ 26.454641]  kmem_cache_alloc_trace+0x136/0x750
[ 26.454985]  fanout_add+0x27e/0x1480
[ 26.455259]  packet_setsockopt+0xfdc/0x1e80
[ 26.455567]  SyS_setsockopt+0x189/0x360
[ 26.455868]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.456241]
[ 26.456360] Freed by task 3066:
[ 26.456599]  save_stack+0x43/0xd0
[ 26.456855]  kasan_slab_free+0x71/0xc0
[ 26.457139]  kfree+0xca/0x250
[ 26.457368]  fanout_add+0x432/0x1480
[ 26.457646]  packet_setsockopt+0xfdc/0x1e80
[ 26.457962]  SyS_setsockopt+0x189/0x360
[ 26.458255]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.458643]
[ 26.458797] The buggy address belongs to the object at ffff88006d0bbd80
[ 26.458797]  which belongs to the cache kmalloc-128 of size 128
[ 26.459655] The buggy address is located 24 bytes inside of
[ 26.459655]  128-byte region [ffff88006d0bbd80, ffff88006d0bbe00)
[ 26.460472] The buggy address belongs to the page:
[ 26.460818] page:ffffea0001b42ec0 count:1 mapcount:0 mapping:ffff88006d0bb000 index:0xffff88006d0bb0c0
[ 26.461467] flags: 0x500000000000100(slab)
[ 26.461766] raw: 0500000000000100 ffff88006d0bb000 ffff88006d0bb0c0 0000000100000010
[ 26.462358] raw: ffffea0001b34820 ffffea0001b42b60 ffff88003e800640 0000000000000000
[ 26.463069] page dumped because: kasan: bad access detected
[ 26.463585]
[ 26.463702] Memory state around the buggy address:
[ 26.464056]  ffff88006d0bbc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.464566]  ffff88006d0bbd00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.465083] >ffff88006d0bbd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.465740]                             ^
[ 26.466113]  ffff88006d0bbe00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 26.466770]  ffff88006d0bbe80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 26.467439] ==================================================================
[ 26.468107] Disabling lock debugging due to kernel taint
[ 26.468626] Kernel panic - not syncing: panic_on_warn set ...
[ 26.468626]
[ 26.469301] CPU: 1 PID: 3067 Comm: syz-executor0 Tainted: G B 4.14.0-rc5-next-20171018+ #8
[ 26.470671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.471413] Call Trace:
[ 26.471654]  dump_stack+0x194/0x257
[ 26.471997]  ? arch_local_irq_restore+0x53/0x53
[ 26.472428]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.472861]  ? vsnprintf+0x1ed/0x1900
[ 26.473205]  ? packet_getsockopt+0xbf0/0xe00
[ 26.473601]  panic+0x1e4/0x41c
[ 26.473891]  ? refcount_error_report+0x214/0x214
[ 26.474316]  ? add_taint+0x1c/0x50
[ 26.474637]  ? add_taint+0x1c/0x50
[ 26.474958]  ? packet_getsockopt+0xc72/0xe00
[ 26.475359]  kasan_end_report+0x50/0x50
[ 26.475719]  kasan_report+0x144/0x340
[ 26.476082]  __asan_report_load8_noabort+0x14/0x20
[ 26.476457]  packet_getsockopt+0xc72/0xe00
[ 26.476774]  ? packet_notifier+0x950/0x950
[ 26.477087]  ? iput+0x540/0xaf0
[ 26.477336]  ? __fget_light+0x297/0x380
[ 26.477633]  ? sock_has_perm+0x29c/0x400
[ 26.477942]  ? selinux_secmark_relabel_packet+0xc0/0xc0
[ 26.478340]  ? free_modinfo_version+0x70/0x70
[ 26.478675]  ? __sk_free+0x5c/0x230
[ 26.478943]  ? sk_free+0x2f/0x40
[ 26.479201]  ? selinux_socket_getsockopt+0x36/0x40
[ 26.479568]  ? security_socket_getsockopt+0x89/0xb0
[ 26.480083]  SyS_getsockopt+0x178/0x340
[ 26.480448]  ? SyS_setsockopt+0x360/0x360
[ 26.480741]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 26.481085]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.481440]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.481780]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.482114] RIP: 0033:0x447c89
[ 26.482338] RSP: 002b:00007f428feb7bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
[ 26.482880] RAX: ffffffffffffffda RBX: 00007f428feb86cc RCX: 0000000000447c89
[ 26.483388] RDX: 0000000000000015 RSI: 0000000000000107 RDI: 000000000000000b
[ 26.483959] RBP: 0000000000000082 R08: 00000000208a5000 R09: 0000000000000000
[ 26.484475] R10: 0000000020ec8000 R11: 0000000000000246 R12: 0000000000000000
[ 26.484987] R13: 0000000000000000 R14: 00007f428feb89c0 R15: 00007f428feb8700
[ 26.485535] Dumping ftrace buffer:
[ 26.485836]    (ftrace buffer empty)
[ 26.486167] Kernel Offset: disabled
[ 26.486493] Rebooting in 86400 seconds..