2017/09/05 16:09:31 parsed 1 programs
2017/09/05 16:09:31 executed programs: 0
syzkaller login: [   24.154697] dev_remove_pack: ffff88006bde1e80 not found
[   24.168280] ==================================================================
[   24.169114] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[   24.169884] Read of size 8 at addr ffff8800678db6e8 by task syz-executor0/3003
[   24.170651]
[   24.170819] CPU: 3 PID: 3003 Comm: syz-executor0 Not tainted 4.13.0-next-20170905+ #15
[   24.171631] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   24.172414] Call Trace:
[   24.172687]  dump_stack+0x194/0x257
[   24.173003]  ? arch_local_irq_restore+0x53/0x53
[   24.173677]  ? show_regs_print_info+0x65/0x65
[   24.174063]  ? __dev_remove_pack+0x305/0x3b0
[   24.174377]  print_address_description+0x73/0x250
[   24.174705]  ? __dev_remove_pack+0x305/0x3b0
[   24.175003]  kasan_report+0x24e/0x340
[   24.175337]  __asan_report_load8_noabort+0x14/0x20
[   24.175846]  __dev_remove_pack+0x305/0x3b0
[   24.176254]  ? dev_get_by_name_rcu+0x270/0x270
[   24.176599]  ? refcount_sub_and_test+0x115/0x1b0
[   24.176948]  __unregister_prot_hook+0x211/0x280
[   24.177285]  packet_release+0x8bb/0xd70
[   24.177588]  ? packet_set_ring+0x1b70/0x1b70
[   24.177901]  ? dentry_free+0xcd/0x130
[   24.178239]  ? rcu_read_lock_sched_held+0x108/0x120
[   24.178631]  ? kmem_cache_free+0x249/0x280
[   24.178978]  ? dentry_free+0xd2/0x130
[   24.179287]  ? locks_remove_file+0x3fa/0x5a0
[   24.179634]  ? fcntl_setlk+0x10d0/0x10d0
[   24.179928]  ? __fsnotify_parent+0xb4/0x3a0
[   24.180243]  ? fsnotify+0x1af0/0x1af0
[   24.180599]  sock_release+0x8d/0x1e0
[   24.181002]  ? sock_release+0x8d/0x1e0
[   24.181374]  ? sock_release+0x1e0/0x1e0
[   24.181790]  sock_close+0x16/0x20
[   24.182144]  __fput+0x333/0x7f0
[   24.182501]  ? fput+0x140/0x140
[   24.182844]  ? check_same_owner+0x320/0x320
[   24.183285]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.183714]  ____fput+0x15/0x20
[   24.184050]  task_work_run+0x199/0x270
[   24.184422]  ? task_work_cancel+0x210/0x210
[   24.184829]  ? _raw_spin_unlock+0x22/0x30
[   24.185233]  ? switch_task_namespaces+0x87/0xc0
[   24.185657]  do_exit+0xa52/0x1b40
[   24.185926]  ? plist_check_list+0xa0/0xa0
[   24.186240]  ? plist_del+0x47b/0x990
[   24.186509]  ? mm_update_next_owner+0x930/0x930
[   24.186842]  ? plist_add+0x760/0x760
[   24.187119]  ? check_same_owner+0x320/0x320
[   24.187431]  ? find_held_lock+0x39/0x1d0
[   24.187729]  ? check_noncircular+0x20/0x20
[   24.188035]  ? lock_downgrade+0x990/0x990
[   24.188333]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   24.188728]  ? find_held_lock+0x39/0x1d0
[   24.189055]  ? lock_downgrade+0x990/0x990
[   24.189354]  ? recalc_sigpending_tsk+0x117/0x150
[   24.189776]  ? recalc_sigpending+0x103/0x160
[   24.190214]  ? recalc_sigpending_tsk+0x150/0x150
[   24.190703]  ? get_signal+0x397/0x17e0
[   24.191099]  do_group_exit+0x149/0x400
[   24.191502]  ? __lock_is_held+0xbc/0x140
[   24.191798]  ? SyS_exit+0x30/0x30
[   24.192039]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.192351]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.192747]  get_signal+0x7e8/0x17e0
[   24.193105]  ? ptrace_notify+0x130/0x130
[   24.193387]  ? __fget+0xbb/0x580
[   24.193628]  ? lock_release+0xd70/0xd70
[   24.193910]  ? exit_robust_list+0x240/0x240
[   24.194218]  do_signal+0x94/0x1ee0
[   24.194867]  ? iterate_fd+0x3f0/0x3f0
[   24.195313]  ? kmem_cache_free+0x77/0x280
[   24.195755]  ? setup_sigcontext+0x7d0/0x7d0
[   24.196236]  ? __lock_is_held+0xbc/0x140
[   24.196653]  ? __fget_light+0x29d/0x390
[   24.197077]  ? selinux_tun_dev_create+0xc0/0xc0
[   24.197600]  ? get_unused_fd_flags+0x190/0x190
[   24.198082]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   24.198689]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   24.199228]  ? exit_to_usermode_loop+0x98/0x300
[   24.199725]  exit_to_usermode_loop+0x224/0x300
[   24.200247]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   24.200799]  syscall_return_slowpath+0x42f/0x500
[   24.201275]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[   24.201784]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   24.202308]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.202818]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.203319]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   24.203780] RIP: 0033:0x447299
[   24.204119] RSP: 002b:00007fe732eebcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   24.204916] RAX: fffffffffffffe00 RBX: 0000000000708028 RCX: 0000000000447299
[   24.205615] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000708028
[   24.206392] RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
[   24.207160] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   24.207918] R13: 0000000000000000 R14: 00007fe732eec9c0 R15: 00007fe732eec700
[   24.208793]
[   24.208973] Allocated by task 3003:
[   24.209331]  save_stack_trace+0x16/0x20
[   24.209719]  save_stack+0x43/0xd0
[   24.210063]  kasan_kmalloc+0xad/0xe0
[   24.210433]  kmem_cache_alloc_trace+0x136/0x750
[   24.210889]  fanout_add+0xa50/0x1190
[   24.211253]  packet_setsockopt+0xfdc/0x1e80
[   24.211672]  SyS_setsockopt+0x189/0x360
[   24.212061]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   24.212519]
[   24.212685] Freed by task 3003:
[   24.212996]  save_stack_trace+0x16/0x20
[   24.213373]  save_stack+0x43/0xd0
[   24.213702]  kasan_slab_free+0x71/0xc0
[   24.214081]  kfree+0xca/0x250
[   24.214384]  packet_release+0xa8f/0xd70
[   24.214771]  sock_release+0x8d/0x1e0
[   24.215136]  sock_close+0x16/0x20
[   24.215474]  __fput+0x333/0x7f0
[   24.215768]  ____fput+0x15/0x20
[   24.216257]  task_work_run+0x199/0x270
[   24.216548]  do_exit+0xa52/0x1b40
[   24.216880]  do_group_exit+0x149/0x400
[   24.217260]  get_signal+0x7e8/0x17e0
[   24.217621]  do_signal+0x94/0x1ee0
[   24.217973]  exit_to_usermode_loop+0x224/0x300
[   24.218427]  syscall_return_slowpath+0x42f/0x500
[   24.218885]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   24.219341]
[   24.219505] The buggy address belongs to the object at ffff8800678dae40
[   24.219505]  which belongs to the cache kmalloc-4096 of size 4096
[   24.220717] The buggy address is located 2216 bytes inside of
[   24.220717]  4096-byte region [ffff8800678dae40, ffff8800678dbe40)
[   24.221865] The buggy address belongs to the page:
[   24.222347] page:ffffea00019e3680 count:1 mapcount:0 mapping:ffff8800678dae40 index:0x0 compound_mapcount: 0
[   24.223372] flags: 0x500000000008100(slab|head)
[   24.223829] raw: 0500000000008100 ffff8800678dae40 0000000000000000 0000000100000001
[   24.224636] raw: ffffea0001adba20 ffffea0001a183a0 ffff88003e800dc0 0000000000000000
[   24.225472] page dumped because: kasan: bad access detected
[   24.226022]
[   24.226187] Memory state around the buggy address:
[   24.226691]  ffff8800678db580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.227426]  ffff8800678db600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.228119] >ffff8800678db680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.228839]                                                           ^
[   24.229539]  ffff8800678db700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.230277]  ffff8800678db780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.230982] ==================================================================
[   24.231738] Disabling lock debugging due to kernel taint
[   24.232288] Kernel panic - not syncing: panic_on_warn set ...
[   24.232288]
[   24.233069] CPU: 3 PID: 3003 Comm: syz-executor0 Tainted: G    B   4.13.0-next-20170905+ #15
[   24.234015] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   24.234873] Call Trace:
[   24.235178]  dump_stack+0x194/0x257
[   24.235555]  ? arch_local_irq_restore+0x53/0x53
[   24.236010]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.236548]  ? __dev_remove_pack+0x2e0/0x3b0
[   24.237331]  panic+0x1e4/0x417
[   24.237666]  ? __warn+0x1d9/0x1d9
[   24.238073]  ? __dev_remove_pack+0x305/0x3b0
[   24.238538]  kasan_end_report+0x50/0x50
[   24.238935]  kasan_report+0x137/0x340
[   24.239367]  __asan_report_load8_noabort+0x14/0x20
[   24.239918]  __dev_remove_pack+0x305/0x3b0
[   24.240343]  ? dev_get_by_name_rcu+0x270/0x270
[   24.240797]  ? refcount_sub_and_test+0x115/0x1b0
[   24.241259]  __unregister_prot_hook+0x211/0x280
[   24.241740]  packet_release+0x8bb/0xd70
[   24.242132]  ? packet_set_ring+0x1b70/0x1b70
[   24.242569]  ? dentry_free+0xcd/0x130
[   24.242948]  ? rcu_read_lock_sched_held+0x108/0x120
[   24.243509]  ? kmem_cache_free+0x249/0x280
[   24.243948]  ? dentry_free+0xd2/0x130
[   24.244341]  ? locks_remove_file+0x3fa/0x5a0
[   24.244769]  ? fcntl_setlk+0x10d0/0x10d0
[   24.245162]  ? __fsnotify_parent+0xb4/0x3a0
[   24.245582]  ? fsnotify+0x1af0/0x1af0
[   24.245979]  sock_release+0x8d/0x1e0
[   24.246340]  ? sock_release+0x8d/0x1e0
[   24.246742]  ? sock_release+0x1e0/0x1e0
[   24.247153]  sock_close+0x16/0x20
[   24.247492]  __fput+0x333/0x7f0
[   24.247841]  ? fput+0x140/0x140
[   24.248182]  ? check_same_owner+0x320/0x320
[   24.248599]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.249062]  ____fput+0x15/0x20
[   24.249406]  task_work_run+0x199/0x270
[   24.249805]  ? task_work_cancel+0x210/0x210
[   24.250222]  ? _raw_spin_unlock+0x22/0x30
[   24.250643]  ? switch_task_namespaces+0x87/0xc0
[   24.251095]  do_exit+0xa52/0x1b40
[   24.251425]  ? plist_check_list+0xa0/0xa0
[   24.251828]  ? plist_del+0x47b/0x990
[   24.252238]  ? mm_update_next_owner+0x930/0x930
[   24.252712]  ? plist_add+0x760/0x760
[   24.253071]  ? check_same_owner+0x320/0x320
[   24.253513]  ? find_held_lock+0x39/0x1d0
[   24.253907]  ? check_noncircular+0x20/0x20
[   24.254324]  ? lock_downgrade+0x990/0x990
[   24.254748]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   24.255298]  ? find_held_lock+0x39/0x1d0
[   24.255723]  ? lock_downgrade+0x990/0x990
[   24.256122]  ? recalc_sigpending_tsk+0x117/0x150
[   24.256631]  ? recalc_sigpending+0x103/0x160
[   24.257056]  ? recalc_sigpending_tsk+0x150/0x150
[   24.257524]  ? get_signal+0x397/0x17e0
[   24.258346]  do_group_exit+0x149/0x400
[   24.258640]  ? __lock_is_held+0xbc/0x140
[   24.258968]  ? SyS_exit+0x30/0x30
[   24.259238]  ? _raw_spin_unlock_irq+0x27/0x70
[   24.259541]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.259907]  get_signal+0x7e8/0x17e0
[   24.260180]  ? ptrace_notify+0x130/0x130
[   24.260453]  ? __fget+0xbb/0x580
[   24.260682]  ? lock_release+0xd70/0xd70
[   24.260953]  ? exit_robust_list+0x240/0x240
[   24.261259]  do_signal+0x94/0x1ee0
[   24.261502]  ? iterate_fd+0x3f0/0x3f0
[   24.261759]  ? kmem_cache_free+0x77/0x280
[   24.262055]  ? setup_sigcontext+0x7d0/0x7d0
[   24.262348]  ? __lock_is_held+0xbc/0x140
[   24.262627]  ? __fget_light+0x29d/0x390
[   24.262895]  ? selinux_tun_dev_create+0xc0/0xc0
[   24.263215]  ? get_unused_fd_flags+0x190/0x190
[   24.263522]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   24.263932]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   24.264299]  ? exit_to_usermode_loop+0x98/0x300
[   24.264617]  exit_to_usermode_loop+0x224/0x300
[   24.264927]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   24.265313]  syscall_return_slowpath+0x42f/0x500
[   24.265634]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[   24.266005]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   24.266347]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.266685]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.267042]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   24.267363] RIP: 0033:0x447299
[   24.267577] RSP: 002b:00007fe732eebcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   24.268101] RAX: fffffffffffffe00 RBX: 0000000000708028 RCX: 0000000000447299
[   24.268589] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000708028
[   24.269136] RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
[   24.269703] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   24.270282] R13: 0000000000000000 R14: 00007fe732eec9c0 R15: 00007fe732eec700
[   24.270882] Dumping ftrace buffer:
[   24.271125]    (ftrace buffer empty)
[   24.271373] Kernel Offset: disabled
[   24.271617] Rebooting in 86400 seconds..