2017/09/02 19:51:17 parsed 1 programs
2017/09/02 19:51:17 executed programs: 0
syzkaller login: [   34.677658] dev_remove_pack: ffff88003ba54d80 not found
[   34.719355] ==================================================================
[   34.719926] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[   34.720328] Read of size 8 at addr ffff88003acc49e8 by task syz-executor0/3064
[   34.720826]
[   34.720930] CPU: 1 PID: 3064 Comm: syz-executor0 Not tainted 4.13.0-rc7-next-20170901+ #13
[   34.721449] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   34.721980] Call Trace:
[   34.722189]  dump_stack+0x194/0x257
[   34.722416]  ? arch_local_irq_restore+0x53/0x53
[   34.722778]  ? show_regs_print_info+0x65/0x65
[   34.723199]  ? __dev_remove_pack+0x305/0x3b0
[   34.723468]  print_address_description+0x73/0x250
[   34.723779]  ? __dev_remove_pack+0x305/0x3b0
[   34.724041]  kasan_report+0x24e/0x340
[   34.724293]  __asan_report_load8_noabort+0x14/0x20
[   34.724629]  __dev_remove_pack+0x305/0x3b0
[   34.725015]  ? dev_get_by_name_rcu+0x270/0x270
[   34.725459]  ? refcount_sub_and_test+0x115/0x1b0
[   34.725897]  __unregister_prot_hook+0x211/0x280
[   34.726271]  packet_release+0x8bb/0xd70
[   34.726696]  ? packet_set_ring+0x1b70/0x1b70
[   34.727152]  ? dentry_free+0xcd/0x130
[   34.727523]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.728104]  ? kmem_cache_free+0x249/0x280
[   34.728510]  ? dentry_free+0xd2/0x130
[   34.728971]  ? locks_remove_file+0x3fa/0x5a0
[   34.729396]  ? fcntl_setlk+0x10d0/0x10d0
[   34.729884]  ? __fsnotify_parent+0xb4/0x3a0
[   34.730337]  ? fsnotify+0x1af0/0x1af0
[   34.730776]  sock_release+0x8d/0x1e0
[   34.731178]  ? sock_release+0x8d/0x1e0
[   34.731562]  ? sock_release+0x1e0/0x1e0
[   34.732028]  sock_close+0x16/0x20
[   34.732365]  __fput+0x333/0x7f0
[   34.732721]  ? fput+0x140/0x140
[   34.733471]  ? check_same_owner+0x320/0x320
[   34.733990]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.734551]  ____fput+0x15/0x20
[   34.735113]  task_work_run+0x199/0x270
[   34.735574]  ? task_work_cancel+0x210/0x210
[   34.735995]  ? _raw_spin_unlock+0x22/0x30
[   34.736422]  ? switch_task_namespaces+0x87/0xc0
[   34.736949]  do_exit+0xa52/0x1b40
[   34.737267]  ? plist_check_list+0xa0/0xa0
[   34.737718]  ? plist_del+0x47b/0x990
[   34.738130]  ? mm_update_next_owner+0x930/0x930
[   34.738593]  ? plist_add+0x760/0x760
[   34.739032]  ? check_same_owner+0x320/0x320
[   34.739434]  ? find_held_lock+0x39/0x1d0
[   34.739835]  ? check_noncircular+0x20/0x20
[   34.740227]  ? lock_downgrade+0x990/0x990
[   34.740607]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   34.741084]  ? find_held_lock+0x39/0x1d0
[   34.741473]  ? lock_downgrade+0x990/0x990
[   34.741918]  ? recalc_sigpending_tsk+0x117/0x150
[   34.742408]  ? recalc_sigpending+0x103/0x160
[   34.742819]  ? recalc_sigpending_tsk+0x150/0x150
[   34.743353]  ? get_signal+0x397/0x17e0
[   34.743646]  do_group_exit+0x149/0x400
[   34.743928]  ? __lock_is_held+0xbc/0x140
[   34.744252]  ? SyS_exit+0x30/0x30
[   34.744503]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.744924]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.745332]  get_signal+0x7e8/0x17e0
[   34.745700]  ? ptrace_notify+0x130/0x130
[   34.746074]  ? __fget+0xbb/0x580
[   34.746390]  ? kasan_slab_free+0x71/0xc0
[   34.746766]  ? kmem_cache_free+0x77/0x280
[   34.747149]  ? __mmdrop+0x2e0/0x530
[   34.747489]  ? lock_release+0xd70/0xd70
[   34.747863]  ? exit_robust_list+0x240/0x240
[   34.748274]  do_signal+0x94/0x1ee0
[   34.748613]  ? iterate_fd+0x3f0/0x3f0
[   34.748973]  ? free_pages+0x51/0x90
[   34.749321]  ? setup_sigcontext+0x7d0/0x7d0
[   34.749731]  ? __mmdrop+0x2e0/0x530
[   34.750090]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.750550]  ? kmem_cache_free+0x249/0x280
[   34.750945]  ? __fget_light+0x29d/0x390
[   34.751312]  ? selinux_tun_dev_create+0xc0/0xc0
[   34.751741]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   34.752262]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   34.752752]  ? exit_to_usermode_loop+0x98/0x300
[   34.753174]  exit_to_usermode_loop+0x224/0x300
[   34.753598]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   34.754368]  syscall_return_slowpath+0x42f/0x500
[   34.754807]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[   34.755270]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   34.755724]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.756184]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.756630]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   34.757066] RIP: 0033:0x447299
[   34.757359] RSP: 002b:00007f197a08acf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   34.758061] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[   34.758720] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[   34.759378] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[   34.760036] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   34.760697] R13: 0000000000000000 R14: 00007f197a08b9c0 R15: 00007f197a08b700
[   34.761363]
[   34.761516] Allocated by task 3063:
[   34.761846]  save_stack_trace+0x16/0x20
[   34.762228]  save_stack+0x43/0xd0
[   34.762551]  kasan_kmalloc+0xad/0xe0
[   34.762899]  kmem_cache_alloc_trace+0x136/0x750
[   34.763336]  fanout_add+0xa50/0x1190
[   34.763685]  packet_setsockopt+0xfdc/0x1e80
[   34.764093]  SyS_setsockopt+0x189/0x360
[   34.764470]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   34.764922]
[   34.765079] Freed by task 3064:
[   34.765390]  save_stack_trace+0x16/0x20
[   34.765766]  save_stack+0x43/0xd0
[   34.766093]  kasan_slab_free+0x71/0xc0
[   34.766461]  kfree+0xca/0x250
[   34.766761]  packet_release+0xa8f/0xd70
[   34.767104]  sock_release+0x8d/0x1e0
[   34.767407]  sock_close+0x16/0x20
[   34.767726]  __fput+0x333/0x7f0
[   34.767966]  ____fput+0x15/0x20
[   34.768204]  task_work_run+0x199/0x270
[   34.768485]  do_exit+0xa52/0x1b40
[   34.768807]  do_group_exit+0x149/0x400
[   34.769176]  get_signal+0x7e8/0x17e0
[   34.769528]  do_signal+0x94/0x1ee0
[   34.769863]  exit_to_usermode_loop+0x224/0x300
[   34.770298]  syscall_return_slowpath+0x42f/0x500
[   34.770745]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   34.771190]
[   34.771347] The buggy address belongs to the object at ffff88003acc4140
[   34.771347]  which belongs to the cache kmalloc-4096 of size 4096
[   34.772539] The buggy address is located 2216 bytes inside of
[   34.772539]  4096-byte region [ffff88003acc4140, ffff88003acc5140)
[   34.773622] The buggy address belongs to the page:
[   34.774068] page:ffffea0000eb3100 count:1 mapcount:0 mapping:ffff88003acc4140 index:0x0 compound_mapcount: 0
[   34.774977] flags: 0x100000000008100(slab|head)
[   34.775708] raw: 0100000000008100 ffff88003acc4140 0000000000000000 0000000100000001
[   34.776458] raw: ffffea0000e907a0 ffff88003e801a50 ffff88003e800dc0 0000000000000000
[   34.777175] page dumped because: kasan: bad access detected
[   34.777688]
[   34.777839] Memory state around the buggy address:
[   34.778208]  ffff88003acc4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.778704]  ffff88003acc4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.779419] >ffff88003acc4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.780231]                                                           ^
[   34.780988]  ffff88003acc4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.782259]  ffff88003acc4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.783378] ==================================================================
[   34.785272] Disabling lock debugging due to kernel taint
[   34.796722] Kernel panic - not syncing: panic_on_warn set ...
[   34.796722]
[   34.798184] CPU: 1 PID: 3064 Comm: syz-executor0 Tainted: G B 4.13.0-rc7-next-20170901+ #13
[   34.799199] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   34.800059] Call Trace:
[   34.800338]  dump_stack+0x194/0x257
[   34.800735]  ? arch_local_irq_restore+0x53/0x53
[   34.801230]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.801737]  ? __dev_remove_pack+0x2a0/0x3b0
[   34.802196]  panic+0x1e4/0x417
[   34.802534]  ? __warn+0x1d9/0x1d9
[   34.803133]  ? __dev_remove_pack+0x305/0x3b0
[   34.803629]  kasan_end_report+0x50/0x50
[   34.804119]  kasan_report+0x137/0x340
[   34.804550]  __asan_report_load8_noabort+0x14/0x20
[   34.805296]  __dev_remove_pack+0x305/0x3b0
[   34.805696]  ? dev_get_by_name_rcu+0x270/0x270
[   34.806109]  ? refcount_sub_and_test+0x115/0x1b0
[   34.806598]  __unregister_prot_hook+0x211/0x280
[   34.807074]  packet_release+0x8bb/0xd70
[   34.807437]  ? packet_set_ring+0x1b70/0x1b70
[   34.807843]  ? dentry_free+0xcd/0x130
[   34.808209]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.808751]  ? kmem_cache_free+0x249/0x280
[   34.809254]  ? dentry_free+0xd2/0x130
[   34.809780]  ? locks_remove_file+0x3fa/0x5a0
[   34.810435]  ? fcntl_setlk+0x10d0/0x10d0
[   34.810840]  ? __fsnotify_parent+0xb4/0x3a0
[   34.811400]  ? fsnotify+0x1af0/0x1af0
[   34.811988]  sock_release+0x8d/0x1e0
[   34.812559]  ? sock_release+0x8d/0x1e0
[   34.813162]  ? sock_release+0x1e0/0x1e0
[   34.813775]  sock_close+0x16/0x20
[   34.814393]  __fput+0x333/0x7f0
[   34.815074]  ? fput+0x140/0x140
[   34.815790]  ? check_same_owner+0x320/0x320
[   34.816712]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.817664]  ____fput+0x15/0x20
[   34.819274]  task_work_run+0x199/0x270
[   34.820150]  ? task_work_cancel+0x210/0x210
[   34.820902]  ? _raw_spin_unlock+0x22/0x30
[   34.821358]  ? switch_task_namespaces+0x87/0xc0
[   34.821850]  do_exit+0xa52/0x1b40
[   34.822221]  ? plist_check_list+0xa0/0xa0
[   34.822616]  ? plist_del+0x47b/0x990
[   34.822957]  ? mm_update_next_owner+0x930/0x930
[   34.823412]  ? plist_add+0x760/0x760
[   34.823790]  ? check_same_owner+0x320/0x320
[   34.824212]  ? find_held_lock+0x39/0x1d0
[   34.824621]  ? check_noncircular+0x20/0x20
[   34.825034]  ? lock_downgrade+0x990/0x990
[   34.825437]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   34.825978]  ? find_held_lock+0x39/0x1d0
[   34.826349]  ? lock_downgrade+0x990/0x990
[   34.826733]  ? recalc_sigpending_tsk+0x117/0x150
[   34.827159]  ? recalc_sigpending+0x103/0x160
[   34.827630]  ? recalc_sigpending_tsk+0x150/0x150
[   34.828113]  ? get_signal+0x397/0x17e0
[   34.828506]  do_group_exit+0x149/0x400
[   34.828905]  ? __lock_is_held+0xbc/0x140
[   34.829312]  ? SyS_exit+0x30/0x30
[   34.829653]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.830128]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.830637]  get_signal+0x7e8/0x17e0
[   34.830998]  ? ptrace_notify+0x130/0x130
[   34.831469]  ? __fget+0xbb/0x580
[   34.832065]  ? kasan_slab_free+0x71/0xc0
[   34.832835]  ? kmem_cache_free+0x77/0x280
[   34.833565]  ? __mmdrop+0x2e0/0x530
[   34.834204]  ? lock_release+0xd70/0xd70
[   34.834909]  ? exit_robust_list+0x240/0x240
[   34.835682]  do_signal+0x94/0x1ee0
[   34.836310]  ? iterate_fd+0x3f0/0x3f0
[   34.836988]  ? free_pages+0x51/0x90
[   34.837636]  ? setup_sigcontext+0x7d0/0x7d0
[   34.838180]  ? __mmdrop+0x2e0/0x530
[   34.838562]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.839084]  ? kmem_cache_free+0x249/0x280
[   34.839525]  ? __fget_light+0x29d/0x390
[   34.840440]  ? selinux_tun_dev_create+0xc0/0xc0
[   34.840989]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   34.841799]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   34.842413]  ? exit_to_usermode_loop+0x98/0x300
[   34.842913]  exit_to_usermode_loop+0x224/0x300
[   34.843471]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   34.844085]  syscall_return_slowpath+0x42f/0x500
[   34.844619]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[   34.845199]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   34.845706]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.846286]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.846786]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   34.847339] RIP: 0033:0x447299
[   34.847673] RSP: 002b:00007f197a08acf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   34.848520] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[   34.849300] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[   34.850018] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[   34.850836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   34.851727] R13: 0000000000000000 R14: 00007f197a08b9c0 R15: 00007f197a08b700
[   34.853205] Dumping ftrace buffer:
[   34.853825]    (ftrace buffer empty)
[   34.854360] Kernel Offset: disabled
[   34.854956] Rebooting in 86400 seconds..
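Added example, not part of the syzkaller output or of the kernel: a small Python triage parser for KASAN reports of the shape above. It pulls out the faulting access and site, the first non-instrumentation frame of each of the access, allocation and free stacks (here __dev_remove_pack, fanout_add and packet_release), whether the object was allocated and freed by different tasks, whether the stated byte offset agrees with the object and access addresses, and the shadow byte under the caret. The embedded input is a trimmed excerpt of the report above (constructed for the example); the NOISE frame filter and the shadow-byte legend are this example's own choices, not syzkaller's.

```python
# Added example: parse the triage facts out of a KASAN report like the one
# above. Not syzkaller's or the kernel's code; the NOISE filter and the
# shadow legend are this example's own choices.
import re

# Constructed input: an excerpt of the report above, with most "? " frames
# and the repeated panic trace cut so the block runs offline.
SAMPLE_REPORT = """\
[   34.719926] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[   34.720328] Read of size 8 at addr ffff88003acc49e8 by task syz-executor0/3064
[   34.721980] Call Trace:
[   34.722189]  dump_stack+0x194/0x257
[   34.722416]  ? arch_local_irq_restore+0x53/0x53
[   34.724041]  kasan_report+0x24e/0x340
[   34.724293]  __asan_report_load8_noabort+0x14/0x20
[   34.724629]  __dev_remove_pack+0x305/0x3b0
[   34.725897]  __unregister_prot_hook+0x211/0x280
[   34.726271]  packet_release+0x8bb/0xd70
[   34.761363]
[   34.761516] Allocated by task 3063:
[   34.761846]  save_stack_trace+0x16/0x20
[   34.762551]  kasan_kmalloc+0xad/0xe0
[   34.762899]  kmem_cache_alloc_trace+0x136/0x750
[   34.763336]  fanout_add+0xa50/0x1190
[   34.763685]  packet_setsockopt+0xfdc/0x1e80
[   34.764922]
[   34.765079] Freed by task 3064:
[   34.765390]  save_stack_trace+0x16/0x20
[   34.766093]  kasan_slab_free+0x71/0xc0
[   34.766461]  kfree+0xca/0x250
[   34.766761]  packet_release+0xa8f/0xd70
[   34.771190]
[   34.771347] The buggy address belongs to the object at ffff88003acc4140
[   34.771347]  which belongs to the cache kmalloc-4096 of size 4096
[   34.772539] The buggy address is located 2216 bytes inside of
[   34.772539]  4096-byte region [ffff88003acc4140, ffff88003acc5140)
[   34.778704]  ffff88003acc4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.779419] >ffff88003acc4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.780231]                                                           ^
"""

PRINTK = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
# Frames that belong to the instrumentation or the allocator, not to the bug.
NOISE = re.compile(r"^(dump_stack|print_address|kasan_|__asan_|save_stack|"
                   r"kmem_cache_|kmalloc|kfree|entry_SYSCALL|SyS_)")
# Subset of the KASAN shadow encoding for slab memory (0xfb = freed object).
SHADOW_LEGEND = {0x00: "addressable", 0xfb: "freed kmalloc object",
                 0xfc: "kmalloc redzone", 0xfa: "global redzone"}


def parse_kasan_report(text):
    """Header, the three stacks, object geometry and the shadow byte at addr."""
    r = {"stacks": {}, "stack_task": {}, "shadow_rows": {}}
    section = None
    for raw in text.splitlines():
        line = PRINTK.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)", line):
            r["bug_type"], r["site"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) "
                           r"by task (\S+)/(\d+)", line):
            r["access"] = f"{m.group(1)} of size {m.group(2)}"
            r["addr"], r["pid"] = int(m.group(3), 16), int(m.group(5))
        elif line == "Call Trace:":
            section, r["stacks"]["access"] = "access", []
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m.group(1) == "Allocated" else "free"
            r["stacks"][section], r["stack_task"][section] = [], int(m.group(2))
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_start"] = int(m.group(1), 16)
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["offset"] = int(m.group(1))
        elif m := SHADOW_ROW.match(line):
            r["shadow_rows"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := FRAME.match(line)):
            if not m.group(1):          # "? " frames are stale stack slots, skip them
                r["stacks"][section].append(m.group(2))
        elif line == "":
            section = None              # a blank line ends the current stack
    # Each printed shadow row covers 128 bytes of memory, one byte per 8-byte granule.
    row = r.get("addr", 0) & ~0x7F
    if row in r["shadow_rows"]:
        r["shadow_byte"] = r["shadow_rows"][row][(r["addr"] - row) // 8]
    return r


def first_real_frame(frames):
    return next((f for f in frames if not NOISE.match(f)), None)


def triage(r):
    """Condense the parsed report into the facts a bug-fixer looks at first."""
    return {
        "bug": f'{r["bug_type"]}: {r["access"]} in {r["site"]}',
        "access_path": first_real_frame(r["stacks"].get("access", [])),
        "alloc_path": first_real_frame(r["stacks"].get("alloc", [])),
        "free_path": first_real_frame(r["stacks"].get("free", [])),
        "alloc_and_free_differ": r["stack_task"].get("alloc") != r["stack_task"].get("free"),
        "offset_consistent": r["addr"] - r["obj_start"] == r["offset"] < r["obj_size"],
        "shadow": SHADOW_LEGEND.get(r.get("shadow_byte"), "unknown"),
    }
```

Calling `triage(parse_kasan_report(SAMPLE_REPORT))` on the excerpt gives `__dev_remove_pack` as the access site, `fanout_add` as the allocation path and `packet_release` as the free path, reports that task 3063 allocated the object and task 3064 freed it, confirms that 0xffff88003acc49e8 - 0xffff88003acc4140 is the 2216 bytes the report states, and decodes the 0xfb shadow byte under the caret as a freed kmalloc object. The "? " frames are dropped on purpose: they are stale return addresses the unwinder found on the stack, not part of the live call chain.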