[ 14.176387] ? trace_hardirqs_on+0xd/0x10 [ 14.180506] default_idle+0xbf/0x460 [ 14.184192] ? __sched_text_end+0x4/0x4 [ 14.188133] ? tick_nohz_idle_enter+0xde/0x160 [ 14.192679] arch_cpu_idle+0xa/0x10 [ 14.196269] default_idle_call+0x36/0x90 [ 14.200292] do_idle+0x24e/0x3b0 [ 14.203621] cpu_startup_entry+0x18/0x20 [ 14.207648] start_secondary+0x2ea/0x3f0 [ 14.211674] secondary_startup_64+0xa5/0xa5 Warning: Permanently added 'ci-upstream-net-kasan-gce-2,10.128.0.59' (ECDSA) to the list of known hosts. 2017/11/11 13:40:51 parsed 1 programs 2017/11/11 13:40:51 executed programs: 0 2017/11/11 13:40:56 executed programs: 290 2017/11/11 13:41:01 executed programs: 586 2017/11/11 13:41:06 executed programs: 887 [ 814.721103] ================================================================== [ 814.728485] BUG: KASAN: use-after-free in get_work_pool+0x1c2/0x1e0 [ 814.734854] Read of size 8 at addr ffff8801c69747d0 by task syz-executor0/5923 [ 814.742173] [ 814.743768] CPU: 1 PID: 5923 Comm: syz-executor0 Not tainted 4.14.0-rc8+ #117 [ 814.751004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 814.760320] Call Trace: [ 814.762877] dump_stack+0x194/0x257 [ 814.766471] ? arch_local_irq_restore+0x53/0x53 [ 814.771105] ? show_regs_print_info+0x65/0x65 [ 814.775578] ? __kernel_text_address+0xd/0x40 [ 814.780046] ? get_work_pool+0x1c2/0x1e0 [ 814.784075] print_address_description+0x73/0x250 [ 814.788890] ? get_work_pool+0x1c2/0x1e0 [ 814.792915] kasan_report+0x25b/0x340 [ 814.796684] __asan_report_load8_noabort+0x14/0x20 [ 814.801588] get_work_pool+0x1c2/0x1e0 [ 814.805444] ? trace_raw_output_workqueue_execute_start+0x100/0x100 [ 814.811815] ? save_stack_trace+0x16/0x20 [ 814.815927] ? save_stack+0x43/0xd0 [ 814.819516] ? kasan_kmalloc+0xad/0xe0 [ 814.823368] ? kasan_slab_alloc+0x12/0x20 [ 814.827478] ? kmem_cache_alloc+0x12e/0x760 [ 814.831767] ? kcm_ioctl+0x2d1/0x1610 [ 814.835535] ? sock_do_ioctl+0x65/0xb0 [ 814.839387] __queue_work+0x235/0x1150 [ 814.843248] ? __fget_light+0x297/0x380 [ 814.847190] ? insert_work+0x5d0/0x5d0 [ 814.851043] ? lockdep_init_map+0x9/0x10 [ 814.855070] ? init_timer_key+0x126/0x3b0 [ 814.859186] ? try_to_del_timer_sync+0x120/0x120 [ 814.863905] ? lock_acquire+0x1d5/0x580 [ 814.867846] ? kcm_ioctl+0x81a/0x1610 [ 814.871610] ? lock_downgrade+0x990/0x990 [ 814.875720] ? kcm_rcv_strparser+0x9a0/0x9a0 [ 814.880098] ? do_raw_spin_trylock+0x190/0x190 [ 814.884646] queue_work_on+0x16a/0x1c0 [ 814.888500] strp_check_rcv+0x25/0x30 [ 814.892266] kcm_ioctl+0x826/0x1610 [ 814.895863] ? kcm_unattach+0x1510/0x1510 [ 814.899977] ? avc_ss_reset+0x110/0x110 [ 814.903915] ? lock_downgrade+0x990/0x990 [ 814.908026] ? lock_release+0xa40/0xa40 [ 814.911964] ? __fget+0x35c/0x570 [ 814.915384] ? iterate_fd+0x3f0/0x3f0 [ 814.919149] ? selinux_socket_sendmsg+0x36/0x40 [ 814.923784] ? __fget+0x35c/0x570 [ 814.927209] sock_do_ioctl+0x65/0xb0 [ 814.930889] sock_ioctl+0x2c2/0x440 [ 814.934481] ? dlci_ioctl_set+0x40/0x40 [ 814.938419] do_vfs_ioctl+0x1b1/0x1520 [ 814.942273] ? ioctl_preallocate+0x2b0/0x2b0 [ 814.946647] ? selinux_capable+0x40/0x40 [ 814.950679] ? SyS_futex+0x269/0x390 [ 814.954356] ? SyS_epoll_pwait+0x31b/0x4e0 [ 814.958559] ? security_file_ioctl+0x89/0xb0 [ 814.962935] SyS_ioctl+0x8f/0xc0 [ 814.966277] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 814.970998] RIP: 0033:0x452879 [ 814.974719] RSP: 002b:00007fa69fd78be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000010 [ 814.982394] RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879 [ 814.989631] RDX: 0000000020ef8ff8 RSI: 00000000000089e0 RDI: 0000000000000007 [ 814.996864] RBP: 000000000000003b R08: 0000000000000000 R09: 0000000000000000 [ 815.004100] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ee628 [ 815.011335] R13: 00000000ffffffff R14: 00007fa69fd796d4 R15: 0000000000000000 [ 815.018590] [ 815.020184] Allocated by task 5923: [ 815.023781] save_stack_trace+0x16/0x20 [ 815.027721] save_stack+0x43/0xd0 [ 815.031139] kasan_kmalloc+0xad/0xe0 [ 815.034819] kasan_slab_alloc+0x12/0x20 [ 815.038757] kmem_cache_alloc+0x12e/0x760 [ 815.042871] kcm_ioctl+0x2d1/0x1610 [ 815.046463] sock_do_ioctl+0x65/0xb0 [ 815.050141] sock_ioctl+0x2c2/0x440 [ 815.053734] do_vfs_ioctl+0x1b1/0x1520 [ 815.057594] SyS_ioctl+0x8f/0xc0 [ 815.060930] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 815.065648] [ 815.067243] Freed by task 5924: [ 815.070486] save_stack_trace+0x16/0x20 [ 815.074434] save_stack+0x43/0xd0 [ 815.077850] kasan_slab_free+0x71/0xc0 [ 815.081700] kmem_cache_free+0x77/0x280 [ 815.085639] kcm_unattach+0xe50/0x1510 [ 815.089492] kcm_ioctl+0xdf0/0x1610 [ 815.093086] sock_do_ioctl+0x65/0xb0 [ 815.096764] sock_ioctl+0x2c2/0x440 [ 815.100353] do_vfs_ioctl+0x1b1/0x1520 [ 815.104209] SyS_ioctl+0x8f/0xc0 [ 815.107540] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 815.112256] [ 815.113856] The buggy address belongs to the object at ffff8801c6974700 [ 815.113856] which belongs to the cache kcm_psock_cache of size 552 [ 815.126825] The buggy address is located 208 bytes inside of [ 815.126825] 552-byte region [ffff8801c6974700, ffff8801c6974928) [ 815.138661] The buggy address belongs to the page: [ 815.143554] page:ffffea00071a5d00 count:1 mapcount:0 mapping:ffff8801c6974180 index:0x0 compound_mapcount: 0 [ 815.153484] flags: 0x2fffc0000008100(slab|head) [ 815.158119] raw: 02fffc0000008100 ffff8801c6974180 0000000000000000 000000010000000b [ 815.165965] raw: ffffea00071ae420 ffffea00071ac9a0 ffff8801d3e0b900 0000000000000000 [ 815.173808] page dumped because: kasan: bad access detected [ 815.179479] [ 815.181074] Memory state around the buggy address: [ 815.185966] ffff8801c6974680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 815.193291] ffff8801c6974700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 815.200613] >ffff8801c6974780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 815.207944] ^ [ 815.213877] ffff8801c6974800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 815.221198] ffff8801c6974880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 815.228518] ================================================================== [ 815.235844] Kernel panic - not syncing: panic_on_warn set ... [ 815.235844] [ 815.243174] CPU: 1 PID: 5923 Comm: syz-executor0 Tainted: G B 4.14.0-rc8+ #117 [ 815.251624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 815.260941] Call Trace: [ 815.263496] dump_stack+0x194/0x257 [ 815.267089] ? arch_local_irq_restore+0x53/0x53 [ 815.271721] ? kasan_end_report+0x32/0x50 [ 815.275837] ? lock_downgrade+0x990/0x990 [ 815.279952] ? get_work_pool+0x1b0/0x1e0 [ 815.283981] panic+0x1e4/0x417 [ 815.287138] ? __warn+0x1d9/0x1d9 [ 815.290569] ? get_work_pool+0x1c2/0x1e0 [ 815.294595] kasan_end_report+0x50/0x50 [ 815.298532] kasan_report+0x144/0x340 [ 815.302299] __asan_report_load8_noabort+0x14/0x20 [ 815.307192] get_work_pool+0x1c2/0x1e0 [ 815.311050] ? trace_raw_output_workqueue_execute_start+0x100/0x100 [ 815.317421] ? save_stack_trace+0x16/0x20 [ 815.321533] ? save_stack+0x43/0xd0 [ 815.325124] ? kasan_kmalloc+0xad/0xe0 [ 815.328977] ? kasan_slab_alloc+0x12/0x20 [ 815.333088] ? kmem_cache_alloc+0x12e/0x760 [ 815.337372] ? kcm_ioctl+0x2d1/0x1610 [ 815.341146] ? sock_do_ioctl+0x65/0xb0 [ 815.344998] __queue_work+0x235/0x1150 [ 815.348861] ? __fget_light+0x297/0x380 [ 815.352809] ? insert_work+0x5d0/0x5d0 [ 815.356665] ? lockdep_init_map+0x9/0x10 [ 815.360694] ? init_timer_key+0x126/0x3b0 [ 815.364808] ? try_to_del_timer_sync+0x120/0x120 [ 815.369526] ? lock_acquire+0x1d5/0x580 [ 815.373466] ? kcm_ioctl+0x81a/0x1610 [ 815.377231] ? lock_downgrade+0x990/0x990 [ 815.381343] ? kcm_rcv_strparser+0x9a0/0x9a0 [ 815.385722] ? do_raw_spin_trylock+0x190/0x190 [ 815.390271] queue_work_on+0x16a/0x1c0 [ 815.394133] strp_check_rcv+0x25/0x30 [ 815.397898] kcm_ioctl+0x826/0x1610 [ 815.401496] ? kcm_unattach+0x1510/0x1510 [ 815.405613] ? avc_ss_reset+0x110/0x110 [ 815.409549] ? lock_downgrade+0x990/0x990 [ 815.413663] ? lock_release+0xa40/0xa40 [ 815.417599] ? __fget+0x35c/0x570 [ 815.421020] ? iterate_fd+0x3f0/0x3f0 [ 815.424786] ? selinux_socket_sendmsg+0x36/0x40 [ 815.429420] ? __fget+0x35c/0x570 [ 815.432844] sock_do_ioctl+0x65/0xb0 [ 815.436523] sock_ioctl+0x2c2/0x440 [ 815.440114] ? dlci_ioctl_set+0x40/0x40 [ 815.444054] do_vfs_ioctl+0x1b1/0x1520 [ 815.447908] ? ioctl_preallocate+0x2b0/0x2b0 [ 815.452283] ? selinux_capable+0x40/0x40 [ 815.456316] ? SyS_futex+0x269/0x390 [ 815.459996] ? SyS_epoll_pwait+0x31b/0x4e0 [ 815.464201] ? security_file_ioctl+0x89/0xb0 [ 815.468575] SyS_ioctl+0x8f/0xc0 [ 815.471908] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 815.476629] RIP: 0033:0x452879 [ 815.479784] RSP: 002b:00007fa69fd78be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000010 [ 815.487458] RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879 [ 815.494694] RDX: 0000000020ef8ff8 RSI: 00000000000089e0 RDI: 0000000000000007 [ 815.501929] RBP: 000000000000003b R08: 0000000000000000 R09: 0000000000000000 [ 815.509164] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ee628 [ 815.516402] R13: 00000000ffffffff R14: 00007fa69fd796d4 R15: 0000000000000000 [ 815.523998] Dumping ftrace buffer: [ 815.527503] (ftrace buffer empty) [ 815.531181] Kernel Offset: disabled [ 815.534775] Rebooting in 86400 seconds..