INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-9,10.128.15.199' (ECDSA) to the list of known hosts. 2017/09/04 07:25:02 parsed 1 programs 2017/09/04 07:25:02 executed programs: 0 2017/09/04 07:25:07 executed programs: 96 syzkaller login: [ 49.421720] dev_remove_pack: ffff8801ce5f98c0 not found [ 49.435251] ================================================================== [ 49.436342] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0 [ 49.437230] Read of size 8 at addr ffff8801ce4d8ae8 by task syz-executor0/3426 [ 49.438217] [ 49.438449] CPU: 0 PID: 3426 Comm: syz-executor0 Not tainted 4.13.0-rc7+ #65 [ 49.439396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 49.440622] Call Trace: [ 49.440978] dump_stack+0x194/0x257 [ 49.441489] ? arch_local_irq_restore+0x53/0x53 [ 49.443799] ? show_regs_print_info+0x65/0x65 [ 49.448271] ? __dev_remove_pack+0x305/0x3b0 [ 49.452648] print_address_description+0x73/0x250 [ 49.457461] ? __dev_remove_pack+0x305/0x3b0 [ 49.461837] kasan_report+0x24e/0x340 [ 49.465611] __asan_report_load8_noabort+0x14/0x20 [ 49.470506] __dev_remove_pack+0x305/0x3b0 [ 49.474710] ? dev_get_by_name_rcu+0x270/0x270 [ 49.479269] ? refcount_sub_and_test+0x115/0x1b0 [ 49.484003] __unregister_prot_hook+0x211/0x280 [ 49.488644] packet_release+0x8bb/0xd70 [ 49.492591] ? packet_set_ring+0x1b70/0x1b70 [ 49.496965] ? dentry_free+0xcd/0x130 [ 49.500733] ? rcu_read_lock_sched_held+0x108/0x120 [ 49.505716] ? kmem_cache_free+0x249/0x280 [ 49.509921] ? dentry_free+0xd2/0x130 [ 49.513696] ? locks_remove_file+0x414/0x560 [ 49.518074] ? fcntl_setlk+0x10c0/0x10c0 [ 49.522103] ? __fsnotify_parent+0xb4/0x3a0 [ 49.526398] ? fsnotify+0x1af0/0x1af0 [ 49.530172] sock_release+0x8d/0x1e0 [ 49.533850] ? sock_release+0x8d/0x1e0 [ 49.537706] ? sock_release+0x1e0/0x1e0 [ 49.541646] sock_close+0x16/0x20 [ 49.545068] __fput+0x327/0x7e0 [ 49.548318] ? fput+0x140/0x140 [ 49.551567] ? check_same_owner+0x320/0x320 [ 49.555852] ? do_raw_spin_trylock+0x190/0x190 [ 49.560405] ? check_same_owner+0x320/0x320 [ 49.564695] ____fput+0x15/0x20 [ 49.567943] task_work_run+0x18a/0x260 [ 49.571799] ? task_work_cancel+0x210/0x210 [ 49.576090] ? _raw_spin_unlock+0x22/0x30 [ 49.580216] ? switch_task_namespaces+0x87/0xc0 [ 49.584856] do_exit+0xa3a/0x1b10 [ 49.588280] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 49.593436] ? plist_check_list+0xa0/0xa0 [ 49.597552] ? plist_add+0x5cb/0x760 [ 49.601244] ? mm_update_next_owner+0x930/0x930 [ 49.605882] ? plist_add+0x760/0x760 [ 49.609567] ? check_noncircular+0x20/0x20 [ 49.613769] ? check_same_owner+0x320/0x320 [ 49.618058] ? lock_acquire+0x1d5/0x580 [ 49.621998] ? futex_wait_setup+0x14a/0x3d0 [ 49.626290] ? __might_sleep+0x95/0x190 [ 49.630246] ? check_noncircular+0x20/0x20 [ 49.634446] ? futex_wait+0x43e/0xa00 [ 49.638221] ? do_raw_spin_trylock+0x190/0x190 [ 49.642767] ? fault_in_user_writeable+0x90/0x90 [ 49.647495] ? find_held_lock+0x35/0x1d0 [ 49.651527] ? get_signal+0x855/0x17e0 [ 49.655381] ? lock_downgrade+0x990/0x990 [ 49.659505] do_group_exit+0x149/0x400 [ 49.663360] ? __lock_is_held+0xb6/0x140 [ 49.667391] ? SyS_exit+0x30/0x30 [ 49.670812] ? _raw_spin_unlock_irq+0x27/0x70 [ 49.675276] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 49.680265] get_signal+0x7e8/0x17e0 [ 49.683972] ? ptrace_notify+0x130/0x130 [ 49.688000] ? lock_downgrade+0x990/0x990 [ 49.692116] ? lock_release+0xa40/0xa40 [ 49.696065] ? exit_robust_list+0x240/0x240 [ 49.700367] do_signal+0x94/0x1ee0 [ 49.703885] ? iterate_fd+0x3f0/0x3f0 [ 49.707652] ? lock_downgrade+0x990/0x990 [ 49.711770] ? setup_sigcontext+0x7d0/0x7d0 [ 49.716063] ? __lock_is_held+0xb6/0x140 [ 49.720105] ? selinux_tun_dev_create+0xc0/0xc0 [ 49.724743] ? selinux_netlbl_socket_setsockopt+0x10c/0x460 [ 49.730423] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 49.735669] ? alloc_file+0x27e/0x390 [ 49.739436] ? exit_to_usermode_loop+0x98/0x300 [ 49.744077] exit_to_usermode_loop+0x224/0x300 [ 49.748629] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 49.754141] syscall_return_slowpath+0x3a7/0x450 [ 49.758867] ? prepare_exit_to_usermode+0x220/0x220 [ 49.763849] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 49.768745] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 49.773729] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 49.778454] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 49.783175] RIP: 0033:0x451e59 [ 49.786330] RSP: 002b:00007fc274c71cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 49.794003] RAX: fffffffffffffe00 RBX: 00000000007180d8 RCX: 0000000000451e59 [ 49.801237] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007180d8 [ 49.808473] RBP: 00000000007180b0 R08: 0000000000000000 R09: 0000000000000000 [ 49.815708] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 49.822943] R13: 0000000000a6f7ef R14: 00007fc274c729c0 R15: 0000000000000002 [ 49.830194] [ 49.831789] Allocated by task 3425: [ 49.835388] save_stack_trace+0x16/0x20 [ 49.839327] save_stack+0x43/0xd0 [ 49.842745] kasan_kmalloc+0xad/0xe0 [ 49.846435] kmem_cache_alloc_trace+0x12f/0x740 [ 49.851070] fanout_add+0xa50/0x1190 [ 49.854748] packet_setsockopt+0xfdc/0x1e80 [ 49.859044] SyS_setsockopt+0x189/0x360 [ 49.862983] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 49.867707] [ 49.869301] Freed by task 3426: [ 49.872549] save_stack_trace+0x16/0x20 [ 49.876489] save_stack+0x43/0xd0 [ 49.879906] kasan_slab_free+0x71/0xc0 [ 49.883759] kfree+0xca/0x250 [ 49.886831] packet_release+0xa8f/0xd70 [ 49.890768] sock_release+0x8d/0x1e0 [ 49.894445] sock_close+0x16/0x20 [ 49.897864] __fput+0x327/0x7e0 [ 49.901106] ____fput+0x15/0x20 [ 49.904352] task_work_run+0x18a/0x260 [ 49.908207] do_exit+0xa3a/0x1b10 [ 49.911624] do_group_exit+0x149/0x400 [ 49.915477] get_signal+0x7e8/0x17e0 [ 49.919159] do_signal+0x94/0x1ee0 [ 49.922666] exit_to_usermode_loop+0x224/0x300 [ 49.927212] syscall_return_slowpath+0x3a7/0x450 [ 49.931932] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 49.936659] [ 49.938255] The buggy address belongs to the object at ffff8801ce4d8240 [ 49.938255] which belongs to the cache kmalloc-4096 of size 4096 [ 49.951047] The buggy address is located 2216 bytes inside of [ 49.951047] 4096-byte region [ffff8801ce4d8240, ffff8801ce4d9240) [ 49.963062] The buggy address belongs to the page: [ 49.967957] page:ffffea0007393600 count:1 mapcount:0 mapping:ffff8801ce4d8240 index:0x0 compound_mapcount: 0 [ 49.977888] flags: 0x200000000008100(slab|head) [ 49.982523] raw: 0200000000008100 ffff8801ce4d8240 0000000000000000 0000000100000001 [ 49.990890] raw: ffffea00073a0420 ffffea00073934a0 ffff8801dac00dc0 0000000000000000 [ 49.998732] page dumped because: kasan: bad access detected [ 50.004402] [ 50.005994] Memory state around the buggy address: [ 50.010884] ffff8801ce4d8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.018204] ffff8801ce4d8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.025546] >ffff8801ce4d8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.032869] ^ [ 50.039586] ffff8801ce4d8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.046908] ffff8801ce4d8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.054228] ================================================================== [ 50.061548] Disabling lock debugging due to kernel taint [ 50.067050] Kernel panic - not syncing: panic_on_warn set ... [ 50.067050] [ 50.074397] CPU: 0 PID: 3426 Comm: syz-executor0 Tainted: G B 4.13.0-rc7+ #65 [ 50.082774] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 50.092091] Call Trace: [ 50.094652] dump_stack+0x194/0x257 [ 50.098244] ? arch_local_irq_restore+0x53/0x53 [ 50.102879] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 50.107602] ? __dev_remove_pack+0x2c0/0x3b0 [ 50.111973] panic+0x1e4/0x417 [ 50.115129] ? __warn+0x1d9/0x1d9 [ 50.118549] ? __dev_remove_pack+0x305/0x3b0 [ 50.122923] kasan_end_report+0x50/0x50 [ 50.126861] kasan_report+0x137/0x340 [ 50.130625] __asan_report_load8_noabort+0x14/0x20 [ 50.135515] __dev_remove_pack+0x305/0x3b0 [ 50.139712] ? dev_get_by_name_rcu+0x270/0x270 [ 50.144259] ? refcount_sub_and_test+0x115/0x1b0 [ 50.148982] __unregister_prot_hook+0x211/0x280 [ 50.153618] packet_release+0x8bb/0xd70 [ 50.157561] ? packet_set_ring+0x1b70/0x1b70 [ 50.161935] ? dentry_free+0xcd/0x130 [ 50.165702] ? rcu_read_lock_sched_held+0x108/0x120 [ 50.170680] ? kmem_cache_free+0x249/0x280 [ 50.174878] ? dentry_free+0xd2/0x130 [ 50.178661] ? locks_remove_file+0x414/0x560 [ 50.183033] ? fcntl_setlk+0x10c0/0x10c0 [ 50.187060] ? __fsnotify_parent+0xb4/0x3a0 [ 50.191345] ? fsnotify+0x1af0/0x1af0 [ 50.195111] sock_release+0x8d/0x1e0 [ 50.198790] ? sock_release+0x8d/0x1e0 [ 50.202641] ? sock_release+0x1e0/0x1e0 [ 50.206578] sock_close+0x16/0x20 [ 50.209998] __fput+0x327/0x7e0 [ 50.213244] ? fput+0x140/0x140 [ 50.216492] ? check_same_owner+0x320/0x320 [ 50.220776] ? do_raw_spin_trylock+0x190/0x190 [ 50.225324] ? check_same_owner+0x320/0x320 [ 50.229611] ____fput+0x15/0x20 [ 50.232857] task_work_run+0x18a/0x260 [ 50.236709] ? task_work_cancel+0x210/0x210 [ 50.240998] ? _raw_spin_unlock+0x22/0x30 [ 50.245107] ? switch_task_namespaces+0x87/0xc0 [ 50.249744] do_exit+0xa3a/0x1b10 [ 50.253164] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 50.258325] ? plist_check_list+0xa0/0xa0 [ 50.262436] ? plist_add+0x5cb/0x760 [ 50.266116] ? mm_update_next_owner+0x930/0x930 [ 50.270749] ? plist_add+0x760/0x760 [ 50.274429] ? check_noncircular+0x20/0x20 [ 50.278630] ? check_same_owner+0x320/0x320 [ 50.282914] ? lock_acquire+0x1d5/0x580 [ 50.286865] ? futex_wait_setup+0x14a/0x3d0 [ 50.291152] ? __might_sleep+0x95/0x190 [ 50.295098] ? check_noncircular+0x20/0x20 [ 50.299294] ? futex_wait+0x43e/0xa00 [ 50.303062] ? do_raw_spin_trylock+0x190/0x190 [ 50.307607] ? fault_in_user_writeable+0x90/0x90 [ 50.312330] ? find_held_lock+0x35/0x1d0 [ 50.316370] ? get_signal+0x855/0x17e0 [ 50.320219] ? lock_downgrade+0x990/0x990 [ 50.324335] do_group_exit+0x149/0x400 [ 50.328187] ? __lock_is_held+0xb6/0x140 [ 50.332216] ? SyS_exit+0x30/0x30 [ 50.335633] ? _raw_spin_unlock_irq+0x27/0x70 [ 50.340093] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 50.345073] get_signal+0x7e8/0x17e0 [ 50.348763] ? ptrace_notify+0x130/0x130 [ 50.352787] ? lock_downgrade+0x990/0x990 [ 50.356897] ? lock_release+0xa40/0xa40 [ 50.360835] ? exit_robust_list+0x240/0x240 [ 50.365128] do_signal+0x94/0x1ee0 [ 50.368636] ? iterate_fd+0x3f0/0x3f0 [ 50.372397] ? lock_downgrade+0x990/0x990 [ 50.376509] ? setup_sigcontext+0x7d0/0x7d0 [ 50.380795] ? __lock_is_held+0xb6/0x140 [ 50.384826] ? selinux_tun_dev_create+0xc0/0xc0 [ 50.389459] ? selinux_netlbl_socket_setsockopt+0x10c/0x460 [ 50.395134] ? selinux_netlbl_sock_rcv_skb+0x730/0x730 [ 50.400376] ? alloc_file+0x27e/0x390 [ 50.404143] ? exit_to_usermode_loop+0x98/0x300 [ 50.408782] exit_to_usermode_loop+0x224/0x300 [ 50.413329] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 50.418832] syscall_return_slowpath+0x3a7/0x450