Debian GNU/Linux 7 syzkaller ttyS0
executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program
syzkaller login: [ 26.203505] dev_remove_pack: ffff88003b337e80 not found
executing program
executing program
[ 26.238203] ==================================================================
[ 26.239744] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[ 26.240613] Read of size 8 at addr ffff880039105728 by task syzkaller567251/3748
[ 26.241390]
[ 26.241562] CPU: 0 PID: 3748 Comm: syzkaller567251 Not tainted 4.13.0-next-20170907+ #17
[ 26.242385] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.243197] Call Trace:
[ 26.243465]  dump_stack+0x194/0x257
[ 26.243834]  ? arch_local_irq_restore+0x53/0x53
[ 26.244305]  ? show_regs_print_info+0x65/0x65
[ 26.244762]  ? __dev_remove_pack+0x305/0x3b0
[ 26.245213]  print_address_description+0x73/0x250
[ 26.245706]  ? __dev_remove_pack+0x305/0x3b0
[ 26.246159]  kasan_report+0x24e/0x340
[ 26.246546]  __asan_report_load8_noabort+0x14/0x20
[ 26.247044]  __dev_remove_pack+0x305/0x3b0
[ 26.247469]  ? dev_get_by_name_rcu+0x270/0x270
[ 26.247928]  ? refcount_sub_and_test+0x115/0x1b0
[ 26.248421]  __unregister_prot_hook+0x211/0x280
[ 26.248891]  packet_release+0x8bb/0xd70
[ 26.249302]  ? packet_set_ring+0x1b70/0x1b70
[ 26.249745]  ? dentry_free+0xcd/0x130
[ 26.250128]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.250623]  ? kmem_cache_free+0x249/0x280
[ 26.251050]  ? dentry_free+0xd2/0x130
[ 26.251432]  ? locks_remove_file+0x3fa/0x5a0
[ 26.251873]  ? fcntl_setlk+0x10d0/0x10d0
[ 26.252292]  ? __fsnotify_parent+0xb4/0x3a0
[ 26.252727]  ? fsnotify+0x1af0/0x1af0
[ 26.253120]  sock_release+0x8d/0x1e0
[ 26.253487]  ? sock_release+0x8d/0x1e0
[ 26.253876]  ? sock_release+0x1e0/0x1e0
[ 26.254276]  sock_close+0x16/0x20
[ 26.254621]  __fput+0x333/0x7f0
[ 26.254956]  ? fput+0x140/0x140
[ 26.255295]  ? check_same_owner+0x320/0x320
[ 26.255729]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.256191]  ____fput+0x15/0x20
[ 26.257787]  task_work_run+0x199/0x270
[ 26.260856]  ? task_work_cancel+0x210/0x210
[ 26.263278]  ? _raw_spin_unlock+0x22/0x30
[ 26.265903]  ? switch_task_namespaces+0x87/0xc0
[ 26.269123]  do_exit+0xa52/0x1b40
[ 26.269472]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.269976]  ? trace_hardirqs_on+0xd/0x10
[ 26.270406]  ? hrtimer_try_to_cancel+0x11/0x5c0
[ 26.271113]  ? mm_update_next_owner+0x930/0x930
[ 26.273255]  ? __hrtimer_get_remaining+0x1c0/0x1c0
[ 26.275154]  ? check_same_owner+0x320/0x320
[ 26.275589]  ? _do_fork+0x2f5/0xfe0
[ 26.276340]  ? __might_sleep+0x95/0x190
[ 26.276748]  ? do_nanosleep+0x508/0x6f0
[ 26.277166]  ? schedule_timeout_idle+0x90/0x90
[ 26.277647]  ? memset+0x31/0x40
[ 26.277995]  ? hrtimer_nanosleep+0x2cc/0x860
[ 26.278450]  ? nanosleep_copyout+0x100/0x100
[ 26.278901]  ? __might_sleep+0x95/0x190
[ 26.279778]  ? kasan_check_write+0x14/0x20
[ 26.283548]  ? _copy_from_user+0x99/0x110
[ 26.284301]  ? __hrtimer_init+0x140/0x140
[ 26.284733]  ? syscall_return_slowpath+0x500/0x500
[ 26.285242]  do_group_exit+0x149/0x400
[ 26.285649]  ? SyS_exit+0x30/0x30
[ 26.286022]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.286548]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.287071]  SyS_exit_group+0x1d/0x20
[ 26.287467]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.287946] RIP: 0033:0x43bc69
[ 26.288277] RSP: 002b:00007ffcee409a68 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 26.289053] RAX: ffffffffffffffda RBX: 000000000000000b RCX: 000000000043bc69
[ 26.289772] RDX: 000000000043a341 RSI: 0000000000000000 RDI: 0000000000000000
[ 26.290493] RBP: 0000000000000082 R08: 00000000006d01e0 R09: 0000000000000000
[ 26.291215] R10: 00000000006d01d8 R11: 0000000000000202 R12: 0000000000000000
[ 26.291947] R13: 0000000000000000 R14: 00007f2f0a2999c0 R15: 00007f2f0a299700
[ 26.294197]
[ 26.294805] Allocated by task 3840:
[ 26.296369]  save_stack_trace+0x16/0x20
[ 26.298496]  save_stack+0x43/0xd0
[ 26.300116]  kasan_kmalloc+0xad/0xe0
[ 26.303463]  kmem_cache_alloc_trace+0x136/0x750
[ 26.303932]  fanout_add+0xa50/0x1190
[ 26.304985]  packet_setsockopt+0xfdc/0x1e80
[ 26.307459]  SyS_setsockopt+0x189/0x360
[ 26.308267]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.308736]
[ 26.308906] Freed by task 3748:
[ 26.309247]  save_stack_trace+0x16/0x20
[ 26.309649]  save_stack+0x43/0xd0
[ 26.309998]  kasan_slab_free+0x71/0xc0
[ 26.310396]  kfree+0xca/0x250
[ 26.310711]  packet_release+0xa8f/0xd70
[ 26.311115]  sock_release+0x8d/0x1e0
[ 26.311498]  sock_close+0x16/0x20
[ 26.311847]  __fput+0x333/0x7f0
[ 26.312187]  ____fput+0x15/0x20
[ 26.312526]  task_work_run+0x199/0x270
[ 26.312913]  do_exit+0xa52/0x1b40
[ 26.313267]  do_group_exit+0x149/0x400
[ 26.313657]  SyS_exit_group+0x1d/0x20
[ 26.314043]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.314521]
[ 26.314692] The buggy address belongs to the object at ffff880039104e80
[ 26.314692]  which belongs to the cache kmalloc-4096 of size 4096
[ 26.315962] The buggy address is located 2216 bytes inside of
[ 26.315962]  4096-byte region [ffff880039104e80, ffff880039105e80)
[ 26.332829] The buggy address belongs to the page:
[ 26.333347] page:ffffea0000e44100 count:1 mapcount:0 mapping:ffff880039104e80 index:0x0 compound_mapcount: 0
[ 26.337050] flags: 0x100000000008100(slab|head)
[ 26.338186] raw: 0100000000008100 ffff880039104e80 0000000000000000 0000000100000001
[ 26.340269] raw: ffffea0000e60220 ffffea0000e444a0 ffff88003e800dc0 0000000000000000
[ 26.342346] page dumped because: kasan: bad access detected
[ 26.343282]
[ 26.343492] Memory state around the buggy address:
[ 26.346001]  ffff880039105600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.347861]  ffff880039105680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.349711] >ffff880039105700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.350454]                                   ^
[ 26.352360]  ffff880039105780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.354101]  ffff880039105800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.356460] ==================================================================
[ 26.358433] Disabling lock debugging due to kernel taint
[ 26.359102] Kernel panic - not syncing: panic_on_warn set ...
[ 26.359102]
[ 26.361889] CPU: 0 PID: 3748 Comm: syzkaller567251 Tainted: G B 4.13.0-next-20170907+ #17
[ 26.365093] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.368048] Call Trace:
[ 26.368881]  dump_stack+0x194/0x257
[ 26.370177]  ? arch_local_irq_restore+0x53/0x53
[ 26.371555]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.372991]  ? __dev_remove_pack+0x2f0/0x3b0
[ 26.374168]  panic+0x1e4/0x417
[ 26.375020]  ? __warn+0x1d9/0x1d9
[ 26.376017]  ? __dev_remove_pack+0x305/0x3b0
[ 26.377553]  kasan_end_report+0x50/0x50
[ 26.378775]  kasan_report+0x137/0x340
[ 26.379923]  __asan_report_load8_noabort+0x14/0x20
[ 26.381671]  __dev_remove_pack+0x305/0x3b0
[ 26.383000]  ? dev_get_by_name_rcu+0x270/0x270
[ 26.384720]  ? refcount_sub_and_test+0x115/0x1b0
[ 26.386356]  __unregister_prot_hook+0x211/0x280
[ 26.389168]  packet_release+0x8bb/0xd70
[ 26.389855]  ? packet_set_ring+0x1b70/0x1b70
[ 26.390996]  ? dentry_free+0xcd/0x130
[ 26.392063]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.393457]  ? kmem_cache_free+0x249/0x280
[ 26.394670]  ? dentry_free+0xd2/0x130
[ 26.395761]  ? locks_remove_file+0x3fa/0x5a0
[ 26.397200]  ? fcntl_setlk+0x10d0/0x10d0
[ 26.398477]  ? __fsnotify_parent+0xb4/0x3a0
[ 26.399177]  ? fsnotify+0x1af0/0x1af0
[ 26.399898]  sock_release+0x8d/0x1e0
[ 26.401435]  ? sock_release+0x8d/0x1e0
[ 26.402675]  ? sock_release+0x1e0/0x1e0
[ 26.404093]  sock_close+0x16/0x20
[ 26.405429]  __fput+0x333/0x7f0
[ 26.406554]  ? fput+0x140/0x140
[ 26.407765]  ? check_same_owner+0x320/0x320
[ 26.410727]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.412039]  ____fput+0x15/0x20
[ 26.412704]  task_work_run+0x199/0x270
[ 26.414434]  ? task_work_cancel+0x210/0x210
[ 26.415863]  ? _raw_spin_unlock+0x22/0x30
[ 26.417029]  ? switch_task_namespaces+0x87/0xc0
[ 26.418654]  do_exit+0xa52/0x1b40
[ 26.419945]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.421746]  ? trace_hardirqs_on+0xd/0x10
[ 26.423215]  ? hrtimer_try_to_cancel+0x11/0x5c0
[ 26.424975]  ? mm_update_next_owner+0x930/0x930
[ 26.426790]  ? __hrtimer_get_remaining+0x1c0/0x1c0
[ 26.428515]  ? check_same_owner+0x320/0x320
[ 26.430307]  ? _do_fork+0x2f5/0xfe0
[ 26.431573]  ? __might_sleep+0x95/0x190
[ 26.433019]  ? do_nanosleep+0x508/0x6f0
[ 26.434421]  ? schedule_timeout_idle+0x90/0x90
[ 26.436106]  ? memset+0x31/0x40
[ 26.437251]  ? hrtimer_nanosleep+0x2cc/0x860
[ 26.438699]  ? nanosleep_copyout+0x100/0x100
[ 26.440123]  ? __might_sleep+0x95/0x190
[ 26.441437]  ? kasan_check_write+0x14/0x20
[ 26.442830]  ? _copy_from_user+0x99/0x110
[ 26.444168]  ? __hrtimer_init+0x140/0x140
[ 26.445664]  ? syscall_return_slowpath+0x500/0x500
[ 26.447201]  do_group_exit+0x149/0x400
[ 26.448439]  ? SyS_exit+0x30/0x30
[ 26.449877]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.451573]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.453137]  SyS_exit_group+0x1d/0x20
[ 26.453986]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.455286] RIP: 0033:0x43bc69
[ 26.456207] RSP: 002b:00007ffcee409a68 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
[ 26.458590] RAX: ffffffffffffffda RBX: 000000000000000b RCX: 000000000043bc69
[ 26.461004] RDX: 000000000043a341 RSI: 0000000000000000 RDI: 0000000000000000
[ 26.463315] RBP: 0000000000000082 R08: 00000000006d01e0 R09: 0000000000000000
[ 26.465315] R10: 00000000006d01d8 R11: 0000000000000202 R12: 0000000000000000
[ 26.467249] R13: 0000000000000000 R14: 00007f2f0a2999c0 R15: 00007f2f0a299700
[ 26.471862] Dumping ftrace buffer:
[ 26.473851]    (ftrace buffer empty)
[ 26.474247] Kernel Offset: disabled
[ 26.474633] Rebooting in 86400 seconds..