2017/09/11 13:35:45 parsed 1 programs
2017/09/11 13:35:45 executed programs: 0
2017/09/11 13:35:50 executed programs: 88
syzkaller login: [ 138.965194] dev_remove_pack: ffff88006a355140 not found
[ 138.990412] ==================================================================
[ 138.992569] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[ 138.994482] Read of size 8 at addr ffff880067a888a8 by task syz-executor0/3350
[ 138.996466]
[ 138.996840] CPU: 1 PID: 3350 Comm: syz-executor0 Not tainted 4.13.0-next-20170911+ #1
[ 138.998958] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 139.000663] Call Trace:
[ 139.001229]  dump_stack+0x194/0x257
[ 139.002035]  ? arch_local_irq_restore+0x53/0x53
[ 139.003049]  ? show_regs_print_info+0x65/0x65
[ 139.004014]  ? __dev_remove_pack+0x305/0x3b0
[ 139.006222]  print_address_description+0x73/0x250
[ 139.007333]  ? __dev_remove_pack+0x305/0x3b0
[ 139.008340]  kasan_report+0x24e/0x340
[ 139.009293]  __asan_report_load8_noabort+0x14/0x20
[ 139.010345]  __dev_remove_pack+0x305/0x3b0
[ 139.011242]  ? dev_get_by_name_rcu+0x270/0x270
[ 139.012211]  ? refcount_sub_and_test+0x115/0x1b0
[ 139.013324]  __unregister_prot_hook+0x211/0x280
[ 139.014337]  packet_release+0x8bb/0xd70
[ 139.015199]  ? packet_set_ring+0x1b70/0x1b70
[ 139.016149]  ? dentry_free+0xcd/0x130
[ 139.016956]  ? rcu_read_lock_sched_held+0x108/0x120
[ 139.018135]  ? kmem_cache_free+0x249/0x280
[ 139.019045]  ? dentry_free+0xd2/0x130
[ 139.019852]  ? locks_remove_file+0x3fa/0x5a0
[ 139.020769]  ? fcntl_setlk+0x10d0/0x10d0
[ 139.021743]  ? __fsnotify_parent+0xb4/0x3a0
[ 139.022636]  ? fsnotify+0x1af0/0x1af0
[ 139.023344]  sock_release+0x8d/0x1e0
[ 139.023898]  ? sock_release+0x8d/0x1e0
[ 139.024498]  ? sock_release+0x1e0/0x1e0
[ 139.025192]  sock_close+0x16/0x20
[ 139.026691]  __fput+0x333/0x7f0
[ 139.027289]  ? fput+0x140/0x140
[ 139.027813]  ? check_same_owner+0x320/0x320
[ 139.028401]  ? _raw_spin_unlock_irq+0x27/0x70
[ 139.028928]  ____fput+0x15/0x20
[ 139.029500]  task_work_run+0x199/0x270
[ 139.030187]  ? task_work_cancel+0x210/0x210
[ 139.030907]  ? _raw_spin_unlock+0x22/0x30
[ 139.031598]  ? switch_task_namespaces+0x87/0xc0
[ 139.032378]  do_exit+0xa52/0x1b40
[ 139.032954]  ? plist_check_list+0xa0/0xa0
[ 139.033538]  ? plist_del+0x47b/0x990
[ 139.034030]  ? mm_update_next_owner+0x930/0x930
[ 139.034536]  ? plist_add+0x760/0x760
[ 139.034976]  ? check_same_owner+0x320/0x320
[ 139.035445]  ? find_held_lock+0x39/0x1d0
[ 139.035897]  ? check_noncircular+0x20/0x20
[ 139.036350]  ? lock_downgrade+0x990/0x990
[ 139.036879]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[ 139.037639]  ? find_held_lock+0x39/0x1d0
[ 139.038214]  ? lock_downgrade+0x990/0x990
[ 139.038713]  ? recalc_sigpending_tsk+0x117/0x150
[ 139.039255]  ? recalc_sigpending+0x103/0x160
[ 139.039791]  ? recalc_sigpending_tsk+0x150/0x150
[ 139.040359]  ? get_signal+0x397/0x17e0
[ 139.040837]  do_group_exit+0x149/0x400
[ 139.041306]  ? __lock_is_held+0xbc/0x140
[ 139.041795]  ? SyS_exit+0x30/0x30
[ 139.042199]  ? _raw_spin_unlock_irq+0x27/0x70
[ 139.042722]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 139.043279]  get_signal+0x7e8/0x17e0
[ 139.043681]  ? ptrace_notify+0x130/0x130
[ 139.044092]  ? __fget+0xbb/0x580
[ 139.044441]  ? lock_release+0xd70/0xd70
[ 139.044851]  ? exit_robust_list+0x240/0x240
[ 139.045304]  do_signal+0x94/0x1ee0
[ 139.045672]  ? iterate_fd+0x3f0/0x3f0
[ 139.046071]  ? fget_raw+0x20/0x20
[ 139.046435]  ? setup_sigcontext+0x7d0/0x7d0
[ 139.046888]  ? find_held_lock+0x39/0x1d0
[ 139.047733]  ? __fget_light+0x29d/0x390
[ 139.048060]  ? selinux_tun_dev_create+0xc0/0xc0
[ 139.048399]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 139.048810]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 139.049172]  ? exit_to_usermode_loop+0x98/0x300
[ 139.049516]  exit_to_usermode_loop+0x224/0x300
[ 139.049851]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 139.050230]  syscall_return_slowpath+0x42f/0x500
[ 139.050558]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 139.050888]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 139.051222]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 139.051580]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 139.051921]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 139.052254] RIP: 0033:0x447299
[ 139.052488] RSP: 002b:00007fec16b4ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 139.053047] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[ 139.053547] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[ 139.054047] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[ 139.054547] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 139.055059] R13: 0000000000000000 R14: 00007fec16b4d9c0 R15: 00007fec16b4d700
[ 139.055632]
[ 139.055757] Allocated by task 3349:
[ 139.055999]  save_stack_trace+0x16/0x20
[ 139.056269]  save_stack+0x43/0xd0
[ 139.056506]  kasan_kmalloc+0xad/0xe0
[ 139.056771]  kmem_cache_alloc_trace+0x136/0x750
[ 139.057088]  fanout_add+0xa50/0x1190
[ 139.057341]  packet_setsockopt+0xfdc/0x1e80
[ 139.057632]  SyS_setsockopt+0x189/0x360
[ 139.057907]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 139.058227]
[ 139.058341] Freed by task 3350:
[ 139.058580]  save_stack_trace+0x16/0x20
[ 139.058877]  save_stack+0x43/0xd0
[ 139.059119]  kasan_slab_free+0x71/0xc0
[ 139.059406]  kfree+0xca/0x250
[ 139.059654]  packet_release+0xa8f/0xd70
[ 139.059950]  sock_release+0x8d/0x1e0
[ 139.060253]  sock_close+0x16/0x20
[ 139.060501]  __fput+0x333/0x7f0
[ 139.060761]  ____fput+0x15/0x20
[ 139.061013]  task_work_run+0x199/0x270
[ 139.061345]  do_exit+0xa52/0x1b40
[ 139.061646]  do_group_exit+0x149/0x400
[ 139.061935]  get_signal+0x7e8/0x17e0
[ 139.062188]  do_signal+0x94/0x1ee0
[ 139.062438]  exit_to_usermode_loop+0x224/0x300
[ 139.062797]  syscall_return_slowpath+0x42f/0x500
[ 139.063119]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 139.063507]
[ 139.063692] The buggy address belongs to the object at ffff880067a88000
[ 139.063692]  which belongs to the cache kmalloc-4096 of size 4096
[ 139.064521] The buggy address is located 2216 bytes inside of
[ 139.064521]  4096-byte region [ffff880067a88000, ffff880067a89000)
[ 139.065335] The buggy address belongs to the page:
[ 139.065678] page:ffffea00019ea200 count:1 mapcount:0 mapping:ffff880067a88000 index:0x0 compound_mapcount: 0
[ 139.066368] flags: 0x500000000008100(slab|head)
[ 139.066699] raw: 0500000000008100 ffff880067a88000 0000000000000000 0000000100000001
[ 139.067232] raw: ffffea0001a8d5a0 ffff88006d800a50 ffff88003e800dc0 0000000000000000
[ 139.067780] page dumped because: kasan: bad access detected
[ 139.068169]
[ 139.068748] Memory state around the buggy address:
[ 139.069153]  ffff880067a88780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.069734]  ffff880067a88800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.070309] >ffff880067a88880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.070829]                                   ^
[ 139.071168]  ffff880067a88900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.071697]  ffff880067a88980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.072238] ==================================================================
[ 139.072765] Disabling lock debugging due to kernel taint
[ 139.073195] Kernel panic - not syncing: panic_on_warn set ...
[ 139.073195]
[ 139.073726] CPU: 1 PID: 3350 Comm: syz-executor0 Tainted: G B 4.13.0-next-20170911+ #1
[ 139.074401] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 139.075058] Call Trace:
[ 139.075318]  dump_stack+0x194/0x257
[ 139.075688]  ? arch_local_irq_restore+0x53/0x53
[ 139.076091]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 139.076560]  ? __dev_remove_pack+0x2f0/0x3b0
[ 139.076960]  panic+0x1e4/0x417
[ 139.077194]  ? __warn+0x1d9/0x1d9
[ 139.077453]  ? __dev_remove_pack+0x305/0x3b0
[ 139.077784]  kasan_end_report+0x50/0x50
[ 139.078072]  kasan_report+0x137/0x340
[ 139.078361]  __asan_report_load8_noabort+0x14/0x20
[ 139.078736]  __dev_remove_pack+0x305/0x3b0
[ 139.079119]  ? dev_get_by_name_rcu+0x270/0x270
[ 139.079610]  ? refcount_sub_and_test+0x115/0x1b0
[ 139.080141]  __unregister_prot_hook+0x211/0x280
[ 139.080621]  packet_release+0x8bb/0xd70
[ 139.081020]  ? packet_set_ring+0x1b70/0x1b70
[ 139.081524]  ? dentry_free+0xcd/0x130
[ 139.081971]  ? rcu_read_lock_sched_held+0x108/0x120
[ 139.082560]  ? kmem_cache_free+0x249/0x280
[ 139.082996]  ? dentry_free+0xd2/0x130
[ 139.083429]  ? locks_remove_file+0x3fa/0x5a0
[ 139.083949]  ? fcntl_setlk+0x10d0/0x10d0
[ 139.084417]  ? __fsnotify_parent+0xb4/0x3a0
[ 139.084873]  ? fsnotify+0x1af0/0x1af0
[ 139.085318]  sock_release+0x8d/0x1e0
[ 139.085737]  ? sock_release+0x8d/0x1e0
[ 139.086192]  ? sock_release+0x1e0/0x1e0
[ 139.086480]  sock_close+0x16/0x20
[ 139.086744]  __fput+0x333/0x7f0
[ 139.086983]  ? fput+0x140/0x140
[ 139.087231]  ? check_same_owner+0x320/0x320
[ 139.087626]  ? _raw_spin_unlock_irq+0x27/0x70
[ 139.087995]  ____fput+0x15/0x20
[ 139.088244]  task_work_run+0x199/0x270
[ 139.088545]  ? task_work_cancel+0x210/0x210
[ 139.089003]  ? _raw_spin_unlock+0x22/0x30
[ 139.089322]  ? switch_task_namespaces+0x87/0xc0
[ 139.090420]  do_exit+0xa52/0x1b40
[ 139.090655]  ? plist_check_list+0xa0/0xa0
[ 139.090973]  ? plist_del+0x47b/0x990
[ 139.091307]  ? mm_update_next_owner+0x930/0x930
[ 139.091686]  ? plist_add+0x760/0x760
[ 139.091976]  ? check_same_owner+0x320/0x320
[ 139.092358]  ? find_held_lock+0x39/0x1d0
[ 139.092711]  ? check_noncircular+0x20/0x20
[ 139.093055]  ? lock_downgrade+0x990/0x990
[ 139.093361]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[ 139.093772]  ? find_held_lock+0x39/0x1d0
[ 139.094117]  ? lock_downgrade+0x990/0x990
[ 139.094524]  ? recalc_sigpending_tsk+0x117/0x150
[ 139.094990]  ? recalc_sigpending+0x103/0x160
[ 139.095372]  ? recalc_sigpending_tsk+0x150/0x150
[ 139.095709]  ? get_signal+0x397/0x17e0
[ 139.096006]  do_group_exit+0x149/0x400
[ 139.096275]  ? __lock_is_held+0xbc/0x140
[ 139.096591]  ? SyS_exit+0x30/0x30
[ 139.096857]  ? _raw_spin_unlock_irq+0x27/0x70
[ 139.097175]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 139.097550]  get_signal+0x7e8/0x17e0
[ 139.097847]  ? ptrace_notify+0x130/0x130
[ 139.098135]  ? __fget+0xbb/0x580
[ 139.098417]  ? lock_release+0xd70/0xd70
[ 139.098710]  ? exit_robust_list+0x240/0x240
[ 139.099032]  do_signal+0x94/0x1ee0
[ 139.099300]  ? iterate_fd+0x3f0/0x3f0
[ 139.099562]  ? fget_raw+0x20/0x20
[ 139.099818]  ? setup_sigcontext+0x7d0/0x7d0
[ 139.100133]  ? find_held_lock+0x39/0x1d0
[ 139.100423]  ? __fget_light+0x29d/0x390
[ 139.100729]  ? selinux_tun_dev_create+0xc0/0xc0
[ 139.101059]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 139.101465]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 139.101831]  ? exit_to_usermode_loop+0x98/0x300
[ 139.102148]  exit_to_usermode_loop+0x224/0x300
[ 139.102507]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 139.102888]  syscall_return_slowpath+0x42f/0x500
[ 139.103236]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 139.103601]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 139.103960]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 139.104380]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 139.104738]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 139.105057] RIP: 0033:0x447299
[ 139.105298] RSP: 002b:00007fec16b4ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 139.105819] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[ 139.106406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[ 139.106967] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[ 139.107621] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 139.108257] R13: 0000000000000000 R14: 00007fec16b4d9c0 R15: 00007fec16b4d700
[ 139.108901] Dumping ftrace buffer:
[ 139.109190]    (ftrace buffer empty)
[ 139.109471] Kernel Offset: disabled
[ 139.109746] Rebooting in 86400 seconds..