Debian GNU/Linux 7 syzkaller ttyS0 2017/09/13 06:51:26 parsed 1 programs 2017/09/13 06:51:27 executed programs: 0 syzkaller login: [ 40.351837] dev_remove_pack: ffff88003c75e840 not found [ 40.909099] dev_remove_pack: ffff88006a3e8d80 not found [ 41.498084] ================================================================== [ 41.498842] BUG: KASAN: use-after-free in packet_rcv_fanout+0x78a/0x7d0 [ 41.499487] Read of size 8 at addr ffff88006a3e8d90 by task sshd/2977 [ 41.500100] [ 41.500261] CPU: 2 PID: 2977 Comm: sshd Not tainted 4.13.0-next-20170913+ #3 [ 41.500934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 41.501719] Call Trace: [ 41.501974] dump_stack+0x194/0x257 [ 41.506119] ? arch_local_irq_restore+0x53/0x53 [ 41.506568] ? show_regs_print_info+0x65/0x65 [ 41.506996] ? packet_rcv_fanout+0x78a/0x7d0 [ 41.512774] print_address_description+0x73/0x250 [ 41.513249] ? packet_rcv_fanout+0x78a/0x7d0 [ 41.513663] kasan_report+0x24e/0x340 [ 41.514021] __asan_report_load8_noabort+0x14/0x20 [ 41.514480] packet_rcv_fanout+0x78a/0x7d0 [ 41.514877] ? compat_packet_setsockopt+0x140/0x140 [ 41.515340] ? refcount_add+0x60/0x60 [ 41.521647] ? rb_next+0x140/0x140 [ 41.521987] dev_queue_xmit_nit+0x2d4/0xae0 [ 41.522519] ? netif_device_attach+0x150/0x150 [ 41.523363] ? update_curr+0x30c/0x800 [ 41.525255] ? reacquire_held_locks+0x205/0x3d0 [ 41.526674] ? dev_queue_xmit+0x17/0x20 [ 41.527361] dev_hard_start_xmit+0x16b/0xac0 [ 41.528240] ? validate_xmit_skb_list+0x120/0x120 [ 41.528803] ? netif_skb_features+0x573/0x8e0 [ 41.529551] ? lock_downgrade+0x6d0/0x990 [ 41.529951] ? __skb_gso_segment+0x7f0/0x7f0 [ 41.530653] ? lock_acquire+0x1d5/0x580 [ 41.530998] ? sch_direct_xmit+0x280/0x6d0 [ 41.531522] ? skb_csum_hwoffload_help+0x57/0xa0 [ 41.532191] ? lock_release+0xd70/0xd70 [ 41.532629] ? netif_skb_features+0x8e0/0x8e0 [ 41.533335] sch_direct_xmit+0x31d/0x6d0 [ 41.533941] ? dev_deactivate_queue.constprop.27+0x260/0x260 [ 41.534616] __dev_queue_xmit+0x15fe/0x1e40 [ 41.535247] ? netdev_pick_tx+0x300/0x300 [ 41.535711] ? print_usage_bug+0x480/0x480 [ 41.536340] ? selinux_ipv4_forward+0x50/0x50 [ 41.536818] ? lock_acquire+0x1d5/0x580 [ 41.537405] ? ip_finish_output+0x85e/0xd10 [ 41.537967] ? mark_held_locks+0xb2/0x100 [ 41.538566] ? ip_finish_output2+0xca6/0x1460 [ 41.539102] dev_queue_xmit+0x17/0x20 [ 41.539604] ip_finish_output2+0xece/0x1460 [ 41.540131] ? dst_output+0x140/0x140 [ 41.540640] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.541893] ? ipt_do_table+0xd04/0x1330 [ 41.542397] ? trace_hardirqs_on+0xd/0x10 [ 41.544188] ? find_held_lock+0x39/0x1d0 [ 41.545591] ? ipv4_mtu+0x28c/0x3d0 [ 41.547434] ? __lock_is_held+0xbc/0x140 [ 41.547941] ip_finish_output+0x85e/0xd10 [ 41.548755] ? ip_finish_output+0x85e/0xd10 [ 41.549296] ? ip_fragment.constprop.50+0x200/0x200 [ 41.549944] ? iptable_mangle_hook+0xa9/0x550 [ 41.550411] ? nf_hook_slow+0xd3/0x1a0 [ 41.550940] ip_output+0x1cc/0x860 [ 41.551386] ? ip_mc_output+0x1350/0x1350 [ 41.551939] ? ip_fragment.constprop.50+0x200/0x200 [ 41.552525] ip_local_out+0x95/0x160 [ 41.553100] ip_queue_xmit+0x8c6/0x18e0 [ 41.553537] ? ip_build_and_send_pkt+0xc30/0xc30 [ 41.554205] ? refcount_dec_if_one+0x20/0x20 [ 41.554683] ? __tcp_v4_send_check+0x1b8/0x350 [ 41.555294] ? tcp_options_write+0x228/0x940 [ 41.555779] tcp_transmit_skb+0x1947/0x3300 [ 41.556385] ? bictcp_cong_avoid+0xf20/0xf20 [ 41.556859] ? __tcp_select_window+0x8d0/0x8d0 [ 41.557661] ? save_stack_trace+0x16/0x20 [ 41.558209] ? save_stack+0x43/0xd0 [ 41.558758] ? kasan_kmalloc+0xad/0xe0 [ 41.559495] ? __kmalloc_node_track_caller+0x47/0x70 [ 41.560116] ? __kmalloc_reserve.isra.40+0x41/0xd0 [ 41.561201] ? __alloc_skb+0x13b/0x740 [ 41.561539] ? sk_stream_alloc_skb+0x10d/0x860 [ 41.562257] ? tcp_sendmsg_locked+0xfef/0x3bc0 [ 41.562650] ? tcp_sendmsg+0x2f/0x50 [ 41.563260] ? inet_sendmsg+0x11f/0x5e0 [ 41.563601] ? sock_sendmsg+0xca/0x110 [ 41.564216] ? sock_write_iter+0x320/0x5e0 [ 41.564582] ? __vfs_write+0x68a/0x970 [ 41.564945] ? tcp_init_tso_segs+0x1f0/0x1f0 [ 41.565581] ? sched_clock_cpu+0x1b/0x170 [ 41.565955] ? tcp_init_tso_segs+0x114/0x1f0 [ 41.566588] tcp_write_xmit+0x5fc/0x4960 [ 41.566907] ? find_held_lock+0x39/0x1d0 [ 41.567661] ? tcp_transmit_skb+0x3300/0x3300 [ 41.568195] ? __might_fault+0xe0/0x1d0 [ 41.568719] ? iov_iter_advance+0x2a1/0x13f0 [ 41.569132] ? lock_release+0xd70/0xd70 [ 41.569714] ? tcp_v4_md5_lookup+0x22/0x30 [ 41.570198] ? iov_iter_copy_from_user_atomic+0xd30/0xd30 [ 41.570933] __tcp_push_pending_frames+0xa0/0x250 [ 41.571449] tcp_push+0x4e0/0x760 [ 41.571991] ? tcp_splice_data_recv+0x1a0/0x1a0 [ 41.572500] ? skb_entail+0x5d4/0x8d0 [ 41.573115] ? iov_iter_advance+0x13f0/0x13f0 [ 41.573525] ? tcp_send_mss+0xa4/0x2f0 [ 41.574162] ? skb_put+0x149/0x1c0 [ 41.574497] tcp_sendmsg_locked+0x17ad/0x3bc0 [ 41.575198] ? check_noncircular+0x20/0x20 [ 41.575597] ? save_stack_trace+0x16/0x20 [ 41.576291] ? tcp_sendpage+0x60/0x60 [ 41.576664] ? lock_downgrade+0x990/0x990 [ 41.577330] ? lock_acquire+0x1d5/0x580 [ 41.577726] ? tcp_sendmsg+0x21/0x50 [ 41.578502] ? mark_held_locks+0xb2/0x100 [ 41.578897] ? __local_bh_enable_ip+0x9d/0x160 [ 41.579627] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.580168] ? lock_sock_nested+0x91/0x110 [ 41.580794] ? trace_hardirqs_on+0xd/0x10 [ 41.581277] ? __local_bh_enable_ip+0x9d/0x160 [ 41.581953] tcp_sendmsg+0x2f/0x50 [ 41.582360] inet_sendmsg+0x11f/0x5e0 [ 41.582954] ? inet_recvmsg+0x5f0/0x5f0 [ 41.583416] ? selinux_socket_sendmsg+0x36/0x40 [ 41.584134] ? security_socket_sendmsg+0x89/0xb0 [ 41.584566] ? inet_recvmsg+0x5f0/0x5f0 [ 41.585207] sock_sendmsg+0xca/0x110 [ 41.585576] sock_write_iter+0x320/0x5e0 [ 41.586229] ? sock_sendmsg+0x110/0x110 [ 41.586605] ? iov_iter_init+0xaf/0x1d0 [ 41.587238] __vfs_write+0x68a/0x970 [ 41.587589] ? kernel_read+0x120/0x120 [ 41.587946] ? selinux_capset+0x100/0x100 [ 41.588995] ? selinux_file_permission+0x82/0x460 [ 41.589735] ? rw_verify_area+0xe5/0x2b0 [ 41.590396] ? __fdget_raw+0x20/0x20 [ 41.590747] vfs_write+0x18f/0x510 [ 41.591190] SyS_write+0xef/0x220 [ 41.591697] ? SyS_read+0x220/0x220 [ 41.592110] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.592793] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.593347] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 41.594069] RIP: 0033:0x7f8192647370 [ 41.594472] RSP: 002b:00007fff54f62668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 41.595440] RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f8192647370 [ 41.596452] RDX: 0000000000000058 RSI: 00005596046ce260 RDI: 0000000000000003 [ 41.597454] RBP: 0000000000000082 R08: 0000000000000001 R09: 0101010101010101 [ 41.598427] R10: 0000000000000008 R11: 0000000000000246 R12: 00005596046db810 [ 41.599476] R13: 0000000000000001 R14: 00005596046db810 R15: 0000000000000050 [ 41.600474] [ 41.600633] Allocated by task 5382: [ 41.601123] save_stack_trace+0x16/0x20 [ 41.601676] save_stack+0x43/0xd0 [ 41.602099] kasan_kmalloc+0xad/0xe0 [ 41.602655] __kmalloc+0x162/0x760 [ 41.602993] sk_prot_alloc+0x101/0x2a0 [ 41.603661] sk_alloc+0x89/0x700 [ 41.604086] packet_create+0x169/0xb00 [ 41.604696] __sock_create+0x4d4/0x850 [ 41.605112] SyS_socket+0xeb/0x200 [ 41.605535] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 41.606202] [ 41.606399] Freed by task 5382: [ 41.606905] save_stack_trace+0x16/0x20 [ 41.607395] save_stack+0x43/0xd0 [ 41.607944] kasan_slab_free+0x71/0xc0 [ 41.608411] kfree+0xca/0x250 [ 41.609121] __sk_destruct+0x74a/0x910 [ 41.609862] sk_destruct+0x47/0x80 [ 41.610376] __sk_free+0x57/0x230 [ 41.610741] sk_free+0x2a/0x40 [ 41.611288] packet_release+0x859/0xd70 [ 41.611652] sock_release+0x8d/0x1e0 [ 41.612312] sock_close+0x16/0x20 [ 41.612648] __fput+0x333/0x7f0 [ 41.613102] ____fput+0x15/0x20 [ 41.613588] task_work_run+0x199/0x270 [ 41.613985] do_exit+0xa52/0x1b40 [ 41.614557] do_group_exit+0x149/0x400 [ 41.614972] get_signal+0x7e8/0x17e0 [ 41.615607] do_signal+0x94/0x1ee0 [ 41.615969] exit_to_usermode_loop+0x224/0x300 [ 41.616708] syscall_return_slowpath+0x42f/0x500 [ 41.617281] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 41.617971] [ 41.618246] The buggy address belongs to the object at ffff88006a3e85c0 [ 41.618246] which belongs to the cache kmalloc-2048 of size 2048 [ 41.620088] The buggy address is located 2000 bytes inside of [ 41.620088] 2048-byte region [ffff88006a3e85c0, ffff88006a3e8dc0) [ 41.621539] The buggy address belongs to the page: [ 41.622246] page:ffffea0001a8fa00 count:1 mapcount:0 mapping:ffff88006a3e85c0 index:0x0 compound_mapcount: 0 [ 41.623488] flags: 0x500000000008100(slab|head) [ 41.624098] raw: 0500000000008100 ffff88006a3e85c0 0000000000000000 0000000100000003 [ 41.625125] raw: ffffea0001b3f9a0 ffffea0001b251a0 ffff88003e800c40 0000000000000000 [ 41.626123] page dumped because: kasan: bad access detected [ 41.626784] [ 41.626980] Memory state around the buggy address: [ 41.627521] ffff88006a3e8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.628487] ffff88006a3e8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.629549] >ffff88006a3e8d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 41.631096] ^ [ 41.632173] ffff88006a3e8e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 41.633683] ffff88006a3e8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.635162] ================================================================== [ 41.636859] Disabling lock debugging due to kernel taint [ 41.645466] Kernel panic - not syncing: panic_on_warn set ... [ 41.645466] [ 41.646475] CPU: 2 PID: 2977 Comm: sshd Tainted: G B 4.13.0-next-20170913+ #3 [ 41.647563] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 41.648632] Call Trace: [ 41.649081] dump_stack+0x194/0x257 [ 41.649538] ? arch_local_irq_restore+0x53/0x53 [ 41.650209] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.650902] ? packet_rcv_fanout+0x6b0/0x7d0 [ 41.651403] panic+0x1e4/0x417 [ 41.653042] ? __warn+0x1d9/0x1d9 [ 41.653666] ? packet_rcv_fanout+0x78a/0x7d0 [ 41.654207] kasan_end_report+0x50/0x50 [ 41.654658] kasan_report+0x137/0x340 [ 41.655136] __asan_report_load8_noabort+0x14/0x20 [ 41.655698] packet_rcv_fanout+0x78a/0x7d0 [ 41.656223] ? compat_packet_setsockopt+0x140/0x140 [ 41.656789] ? refcount_add+0x60/0x60 [ 41.657266] ? rb_next+0x140/0x140 [ 41.657688] dev_queue_xmit_nit+0x2d4/0xae0 [ 41.658237] ? netif_device_attach+0x150/0x150 [ 41.658831] ? update_curr+0x30c/0x800 [ 41.659336] ? reacquire_held_locks+0x205/0x3d0 [ 41.659938] ? dev_queue_xmit+0x17/0x20 [ 41.660427] dev_hard_start_xmit+0x16b/0xac0 [ 41.660970] ? validate_xmit_skb_list+0x120/0x120 [ 41.661558] ? netif_skb_features+0x573/0x8e0 [ 41.662109] ? lock_downgrade+0x6d0/0x990 [ 41.662591] ? __skb_gso_segment+0x7f0/0x7f0 [ 41.663151] ? lock_acquire+0x1d5/0x580 [ 41.663623] ? sch_direct_xmit+0x280/0x6d0 [ 41.664156] ? skb_csum_hwoffload_help+0x57/0xa0 [ 41.664724] ? lock_release+0xd70/0xd70 [ 41.665224] ? netif_skb_features+0x8e0/0x8e0 [ 41.665782] sch_direct_xmit+0x31d/0x6d0 [ 41.666296] ? dev_deactivate_queue.constprop.27+0x260/0x260 [ 41.667024] __dev_queue_xmit+0x15fe/0x1e40 [ 41.667546] ? netdev_pick_tx+0x300/0x300 [ 41.668082] ? print_usage_bug+0x480/0x480 [ 41.668589] ? selinux_ipv4_forward+0x50/0x50 [ 41.669161] ? lock_acquire+0x1d5/0x580 [ 41.669602] ? ip_finish_output+0x85e/0xd10 [ 41.670160] ? mark_held_locks+0xb2/0x100 [ 41.670630] ? ip_finish_output2+0xca6/0x1460 [ 41.671207] dev_queue_xmit+0x17/0x20 [ 41.671647] ip_finish_output2+0xece/0x1460 [ 41.672199] ? dst_output+0x140/0x140 [ 41.672632] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.674960] ? ipt_do_table+0xd04/0x1330 [ 41.675449] ? trace_hardirqs_on+0xd/0x10 [ 41.675996] ? find_held_lock+0x39/0x1d0 [ 41.676474] ? ipv4_mtu+0x28c/0x3d0 [ 41.676959] ? __lock_is_held+0xbc/0x140 [ 41.677446] ip_finish_output+0x85e/0xd10 [ 41.677995] ? ip_finish_output+0x85e/0xd10 [ 41.678481] ? ip_fragment.constprop.50+0x200/0x200 [ 41.679095] ? iptable_mangle_hook+0xa9/0x550 [ 41.679632] ? nf_hook_slow+0xd3/0x1a0 [ 41.680099] ip_output+0x1cc/0x860 [ 41.680498] ? ip_mc_output+0x1350/0x1350 [ 41.681007] ? ip_fragment.constprop.50+0x200/0x200 [ 41.681507] ip_local_out+0x95/0x160 [ 41.681940] ip_queue_xmit+0x8c6/0x18e0 [ 41.682329] ? ip_build_and_send_pkt+0xc30/0xc30 [ 41.682927] ? refcount_dec_if_one+0x20/0x20 [ 41.683419] ? __tcp_v4_send_check+0x1b8/0x350 [ 41.684021] ? tcp_options_write+0x228/0x940 [ 41.684519] tcp_transmit_skb+0x1947/0x3300 [ 41.685058] ? bictcp_cong_avoid+0xf20/0xf20 [ 41.685945] ? __tcp_select_window+0x8d0/0x8d0 [ 41.686907] ? save_stack_trace+0x16/0x20 [ 41.687759] ? save_stack+0x43/0xd0 [ 41.688172] ? kasan_kmalloc+0xad/0xe0 [ 41.688611] ? __kmalloc_node_track_caller+0x47/0x70 [ 41.689230] ? __kmalloc_reserve.isra.40+0x41/0xd0 [ 41.689852] ? __alloc_skb+0x13b/0x740 [ 41.690279] ? sk_stream_alloc_skb+0x10d/0x860 [ 41.690856] ? tcp_sendmsg_locked+0xfef/0x3bc0 [ 41.691613] ? tcp_sendmsg+0x2f/0x50 [ 41.692398] ? inet_sendmsg+0x11f/0x5e0 [ 41.693256] ? sock_sendmsg+0xca/0x110 [ 41.695620] ? sock_write_iter+0x320/0x5e0 [ 41.696461] ? __vfs_write+0x68a/0x970 [ 41.697250] ? tcp_init_tso_segs+0x1f0/0x1f0 [ 41.698125] ? sched_clock_cpu+0x1b/0x170 [ 41.698954] ? tcp_init_tso_segs+0x114/0x1f0 [ 41.699829] tcp_write_xmit+0x5fc/0x4960 [ 41.700629] ? find_held_lock+0x39/0x1d0 [ 41.701506] ? tcp_transmit_skb+0x3300/0x3300 [ 41.702397] ? __might_fault+0xe0/0x1d0 [ 41.703181] ? iov_iter_advance+0x2a1/0x13f0 [ 41.704043] ? lock_release+0xd70/0xd70 [ 41.704825] ? tcp_v4_md5_lookup+0x22/0x30 [ 41.705667] ? iov_iter_copy_from_user_atomic+0xd30/0xd30 [ 41.706759] __tcp_push_pending_frames+0xa0/0x250 [ 41.707713] tcp_push+0x4e0/0x760 [ 41.708397] ? tcp_splice_data_recv+0x1a0/0x1a0 [ 41.709337] ? skb_entail+0x5d4/0x8d0 [ 41.710098] ? iov_iter_advance+0x13f0/0x13f0 [ 41.711342] ? tcp_send_mss+0xa4/0x2f0 [ 41.712107] ? skb_put+0x149/0x1c0 [ 41.712822] tcp_sendmsg_locked+0x17ad/0x3bc0 [ 41.713716] ? check_noncircular+0x20/0x20 [ 41.714537] ? save_stack_trace+0x16/0x20 [ 41.716947] ? tcp_sendpage+0x60/0x60 [ 41.717637] ? lock_downgrade+0x990/0x990 [ 41.718215] ? lock_acquire+0x1d5/0x580 [ 41.718570] ? tcp_sendmsg+0x21/0x50 [ 41.719141] ? mark_held_locks+0xb2/0x100 [ 41.719509] ? __local_bh_enable_ip+0x9d/0x160 [ 41.720107] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.720542] ? lock_sock_nested+0x91/0x110 [ 41.721133] ? trace_hardirqs_on+0xd/0x10 [ 41.721530] ? __local_bh_enable_ip+0x9d/0x160 [ 41.722134] tcp_sendmsg+0x2f/0x50 [ 41.722468] inet_sendmsg+0x11f/0x5e0 [ 41.722842] ? inet_recvmsg+0x5f0/0x5f0 [ 41.723390] ? selinux_socket_sendmsg+0x36/0x40 [ 41.723836] ? security_socket_sendmsg+0x89/0xb0 [ 41.724442] ? inet_recvmsg+0x5f0/0x5f0 [ 41.724828] sock_sendmsg+0xca/0x110 [ 41.725347] sock_write_iter+0x320/0x5e0 [ 41.725766] ? sock_sendmsg+0x110/0x110 [ 41.726464] ? iov_iter_init+0xaf/0x1d0 [ 41.726855] __vfs_write+0x68a/0x970 [ 41.727290] ? kernel_read+0x120/0x120 [ 41.727758] ? selinux_capset+0x100/0x100 [ 41.728185] ? selinux_file_permission+0x82/0x460 [ 41.728796] ? rw_verify_area+0xe5/0x2b0 [ 41.729250] ? __fdget_raw+0x20/0x20 [ 41.729712] vfs_write+0x18f/0x510 [ 41.730103] SyS_write+0xef/0x220 [ 41.730472] ? SyS_read+0x220/0x220 [ 41.730902] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.731425] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.731999] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 41.732501] RIP: 0033:0x7f8192647370 [ 41.732987] RSP: 002b:00007fff54f62668 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 41.733960] RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f8192647370 [ 41.734697] RDX: 0000000000000058 RSI: 00005596046ce260 RDI: 0000000000000003 [ 41.735534] RBP: 0000000000000082 R08: 0000000000000001 R09: 0101010101010101 [ 41.736380] R10: 0000000000000008 R11: 0000000000000246 R12: 00005596046db810 [ 41.737501] R13: 0000000000000001 R14: 00005596046db810 R15: 0000000000000050 [ 41.738202] Dumping ftrace buffer: [ 41.738471] (ftrace buffer empty) [ 41.738754] Kernel Offset: disabled [ 41.739037] Rebooting in 86400 seconds..