2017/09/05 06:19:00 parsed 1 programs
2017/09/05 06:19:00 executed programs: 0
syzkaller login: [ 26.336468] dev_remove_pack: ffff88006cce2ac0 not found
[ 26.348409] ==================================================================
[ 26.350006] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[ 26.351325] Read of size 8 at addr ffff880069d096e8 by task syz-executor0/3006
[ 26.352731]
[ 26.352919] CPU: 2 PID: 3006 Comm: syz-executor0 Not tainted 4.13.0-next-20170904+ #14
[ 26.354089] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.355616] Call Trace:
[ 26.356157]  dump_stack+0x194/0x257
[ 26.357051]  ? arch_local_irq_restore+0x53/0x53
[ 26.358126]  ? show_regs_print_info+0x65/0x65
[ 26.359208]  ? __dev_remove_pack+0x305/0x3b0
[ 26.360506]  print_address_description+0x73/0x250
[ 26.361563]  ? __dev_remove_pack+0x305/0x3b0
[ 26.362595]  kasan_report+0x24e/0x340
[ 26.363480]  __asan_report_load8_noabort+0x14/0x20
[ 26.364617]  __dev_remove_pack+0x305/0x3b0
[ 26.365477]  ? dev_get_by_name_rcu+0x270/0x270
[ 26.366542]  ? refcount_sub_and_test+0x115/0x1b0
[ 26.367631]  __unregister_prot_hook+0x211/0x280
[ 26.368727]  packet_release+0x8bb/0xd70
[ 26.369710]  ? packet_set_ring+0x1b70/0x1b70
[ 26.370701]  ? dentry_free+0xcd/0x130
[ 26.371568]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.372705]  ? kmem_cache_free+0x249/0x280
[ 26.373643]  ? dentry_free+0xd2/0x130
[ 26.374428]  ? locks_remove_file+0x3fa/0x5a0
[ 26.375356]  ? fcntl_setlk+0x10d0/0x10d0
[ 26.376277]  ? __fsnotify_parent+0xb4/0x3a0
[ 26.377233]  ? fsnotify+0x1af0/0x1af0
[ 26.378308]  sock_release+0x8d/0x1e0
[ 26.379154]  ? sock_release+0x8d/0x1e0
[ 26.379956]  ? sock_release+0x1e0/0x1e0
[ 26.380879]  sock_close+0x16/0x20
[ 26.382068]  __fput+0x333/0x7f0
[ 26.382851]  ? fput+0x140/0x140
[ 26.383531]  ? check_same_owner+0x320/0x320
[ 26.384513]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.385523]  ____fput+0x15/0x20
[ 26.386301]  task_work_run+0x199/0x270
[ 26.387319]  ? task_work_cancel+0x210/0x210
[ 26.388301]  ? _raw_spin_unlock+0x22/0x30
[ 26.389151]  ? switch_task_namespaces+0x87/0xc0
[ 26.390199]  do_exit+0xa52/0x1b40
[ 26.391102]  ? plist_check_list+0xa0/0xa0
[ 26.392040]  ? plist_del+0x47b/0x990
[ 26.392926]  ? mm_update_next_owner+0x930/0x930
[ 26.393924]  ? plist_add+0x760/0x760
[ 26.394511]  ? check_same_owner+0x320/0x320
[ 26.395055]  ? osq_unlock+0x350/0x350
[ 26.395441]  ? find_held_lock+0x39/0x1d0
[ 26.395854]  ? check_noncircular+0x20/0x20
[ 26.396399]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[ 26.396935]  ? find_held_lock+0x39/0x1d0
[ 26.397456]  ? lock_downgrade+0x990/0x990
[ 26.397880]  ? recalc_sigpending_tsk+0x117/0x150
[ 26.398451]  ? retint_kernel+0x10/0x10
[ 26.398858]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.399461]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.399958]  do_group_exit+0x149/0x400
[ 26.400425]  ? SyS_exit+0x30/0x30
[ 26.400748]  ? _raw_spin_unlock_irq+0x56/0x70
[ 26.401162]  get_signal+0x7e8/0x17e0
[ 26.401597]  ? ptrace_notify+0x130/0x130
[ 26.401966]  ? __fget+0xbb/0x580
[ 26.402519]  ? __lockdep_init_map+0xe4/0x650
[ 26.402927]  ? lock_release+0xd70/0xd70
[ 26.403300]  ? exit_robust_list+0x240/0x240
[ 26.403712]  do_signal+0x94/0x1ee0
[ 26.404053]  ? iterate_fd+0x3f0/0x3f0
[ 26.404435]  ? setup_sigcontext+0x7d0/0x7d0
[ 26.404835]  ? __lock_is_held+0xbc/0x140
[ 26.405223]  ? __fget_light+0x29d/0x390
[ 26.405594]  ? selinux_tun_dev_create+0xc0/0xc0
[ 26.406021]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 26.406550]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.407038]  ? alloc_file+0x284/0x3a0
[ 26.407381]  ? exit_to_usermode_loop+0x98/0x300
[ 26.407806]  exit_to_usermode_loop+0x224/0x300
[ 26.408225]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.408750]  syscall_return_slowpath+0x42f/0x500
[ 26.409186]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 26.409646]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 26.410103]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.410553]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.410992]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 26.411425] RIP: 0033:0x447299
[ 26.411716] RSP: 002b:00007f7eced55cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 26.412418] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[ 26.413070] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[ 26.413721] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[ 26.414384] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 26.415039] R13: 0000000000000000 R14: 00007f7eced569c0 R15: 00007f7eced56700
[ 26.415710]
[ 26.415865] Allocated by task 3005:
[ 26.416194]  save_stack_trace+0x16/0x20
[ 26.416585]  save_stack+0x43/0xd0
[ 26.416902]  kasan_kmalloc+0xad/0xe0
[ 26.417236]  kmem_cache_alloc_trace+0x136/0x750
[ 26.417669]  fanout_add+0xa50/0x1190
[ 26.418015]  packet_setsockopt+0xfdc/0x1e80
[ 26.418401]  SyS_setsockopt+0x189/0x360
[ 26.418763]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 26.419192]
[ 26.419341] Freed by task 3006:
[ 26.419637]  save_stack_trace+0x16/0x20
[ 26.419996]  save_stack+0x43/0xd0
[ 26.420312]  kasan_slab_free+0x71/0xc0
[ 26.420658]  kfree+0xca/0x250
[ 26.420941]  packet_release+0xa8f/0xd70
[ 26.421300]  sock_release+0x8d/0x1e0
[ 26.421634]  sock_close+0x16/0x20
[ 26.421954]  __fput+0x333/0x7f0
[ 26.422253]  ____fput+0x15/0x20
[ 26.422552]  task_work_run+0x199/0x270
[ 26.422897]  do_exit+0xa52/0x1b40
[ 26.423209]  do_group_exit+0x149/0x400
[ 26.423557]  get_signal+0x7e8/0x17e0
[ 26.423873]  do_signal+0x94/0x1ee0
[ 26.424173]  exit_to_usermode_loop+0x224/0x300
[ 26.425268]  syscall_return_slowpath+0x42f/0x500
[ 26.425662]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 26.426088]
[ 26.426244] The buggy address belongs to the object at ffff880069d08e40
[ 26.426244]  which belongs to the cache kmalloc-4096 of size 4096
[ 26.427371] The buggy address is located 2216 bytes inside of
[ 26.427371]  4096-byte region [ffff880069d08e40, ffff880069d09e40)
[ 26.428449] The buggy address belongs to the page:
[ 26.428889] page:ffffea0001a74200 count:1 mapcount:0 mapping:ffff880069d08e40 index:0x0 compound_mapcount: 0
[ 26.429798] flags: 0x500000000008100(slab|head)
[ 26.430224] raw: 0500000000008100 ffff880069d08e40 0000000000000000 0000000100000001
[ 26.430933] raw: ffffea0001ab3120 ffff88006d800a50 ffff88003e800dc0 0000000000000000
[ 26.431622] page dumped because: kasan: bad access detected
[ 26.432127]
[ 26.432283] Memory state around the buggy address:
[ 26.432729]  ffff880069d09580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.433380]  ffff880069d09600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.434038] >ffff880069d09680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.434683]                                                           ^
[ 26.435277]  ffff880069d09700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.435926]  ffff880069d09780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.436576] ==================================================================
[ 26.437220] Disabling lock debugging due to kernel taint
[ 26.449667] Kernel panic - not syncing: panic_on_warn set ...
[ 26.449667]
[ 26.450336] CPU: 2 PID: 3006 Comm: syz-executor0 Tainted: G B 4.13.0-next-20170904+ #14
[ 26.451150] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 26.451872] Call Trace:
[ 26.452108]  dump_stack+0x194/0x257
[ 26.452439]  ? arch_local_irq_restore+0x53/0x53
[ 26.452776]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.453115]  ? __dev_remove_pack+0x2e0/0x3b0
[ 26.453439]  panic+0x1e4/0x417
[ 26.453668]  ? __warn+0x1d9/0x1d9
[ 26.453920]  ? __dev_remove_pack+0x305/0x3b0
[ 26.454239]  kasan_end_report+0x50/0x50
[ 26.454536]  kasan_report+0x137/0x340
[ 26.454810]  __asan_report_load8_noabort+0x14/0x20
[ 26.455166]  __dev_remove_pack+0x305/0x3b0
[ 26.455481]  ? dev_get_by_name_rcu+0x270/0x270
[ 26.455808]  ? refcount_sub_and_test+0x115/0x1b0
[ 26.456149]  __unregister_prot_hook+0x211/0x280
[ 26.456797]  packet_release+0x8bb/0xd70
[ 26.457247]  ? packet_set_ring+0x1b70/0x1b70
[ 26.457995]  ? dentry_free+0xcd/0x130
[ 26.458810]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.459870]  ? kmem_cache_free+0x249/0x280
[ 26.460797]  ? dentry_free+0xd2/0x130
[ 26.461618]  ? locks_remove_file+0x3fa/0x5a0
[ 26.462580]  ? fcntl_setlk+0x10d0/0x10d0
[ 26.463462]  ? __fsnotify_parent+0xb4/0x3a0
[ 26.464416]  ? fsnotify+0x1af0/0x1af0
[ 26.465194]  sock_release+0x8d/0x1e0
[ 26.465960]  ? sock_release+0x8d/0x1e0
[ 26.467631]  ? sock_release+0x1e0/0x1e0
[ 26.468256]  sock_close+0x16/0x20
[ 26.468817]  __fput+0x333/0x7f0
[ 26.469191]  ? fput+0x140/0x140
[ 26.469677]  ? check_same_owner+0x320/0x320
[ 26.470308]  ? _raw_spin_unlock_irq+0x27/0x70
[ 26.471001]  ____fput+0x15/0x20
[ 26.471468]  task_work_run+0x199/0x270
[ 26.472066]  ? task_work_cancel+0x210/0x210
[ 26.472720]  ? _raw_spin_unlock+0x22/0x30
[ 26.473340]  ? switch_task_namespaces+0x87/0xc0
[ 26.474053]  do_exit+0xa52/0x1b40
[ 26.474546]  ? plist_check_list+0xa0/0xa0
[ 26.475346]  ? plist_del+0x47b/0x990
[ 26.476078]  ? mm_update_next_owner+0x930/0x930
[ 26.476956]  ? plist_add+0x760/0x760
[ 26.477609]  ? check_same_owner+0x320/0x320
[ 26.478427]  ? osq_unlock+0x350/0x350
[ 26.479179]  ? find_held_lock+0x39/0x1d0
[ 26.479978]  ? check_noncircular+0x20/0x20
[ 26.480516]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[ 26.481043]  ? find_held_lock+0x39/0x1d0
[ 26.481432]  ? lock_downgrade+0x990/0x990
[ 26.481828]  ? recalc_sigpending_tsk+0x117/0x150
[ 26.482354]  ? retint_kernel+0x10/0x10
[ 26.482705]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.483201]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.483638]  do_group_exit+0x149/0x400
[ 26.484031]  ? SyS_exit+0x30/0x30
[ 26.484372]  ? _raw_spin_unlock_irq+0x56/0x70
[ 26.484801]  get_signal+0x7e8/0x17e0
[ 26.485114]  ? ptrace_notify+0x130/0x130
[ 26.485390]  ? __fget+0xbb/0x580
[ 26.485629]  ? __lockdep_init_map+0xe4/0x650
[ 26.486021]  ? lock_release+0xd70/0xd70
[ 26.486407]  ? exit_robust_list+0x240/0x240
[ 26.486800]  do_signal+0x94/0x1ee0
[ 26.487139]  ? iterate_fd+0x3f0/0x3f0
[ 26.487479]  ? setup_sigcontext+0x7d0/0x7d0
[ 26.488295]  ? __lock_is_held+0xbc/0x140
[ 26.488720]  ? __fget_light+0x29d/0x390
[ 26.489156]  ? selinux_tun_dev_create+0xc0/0xc0
[ 26.489569]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 26.490079]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 26.490442]  ? alloc_file+0x284/0x3a0
[ 26.490702]  ? exit_to_usermode_loop+0x98/0x300
[ 26.491077]  exit_to_usermode_loop+0x224/0x300
[ 26.491481]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 26.491971]  syscall_return_slowpath+0x42f/0x500
[ 26.492409]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 26.492849]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 26.493293]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.493733]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.494166]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 26.494590] RIP: 0033:0x447299
[ 26.494868] RSP: 002b:00007f7eced55cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 26.495551] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[ 26.496217] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[ 26.496859] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[ 26.497500] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 26.498135] R13: 0000000000000000 R14: 00007f7eced569c0 R15: 00007f7eced56700
[ 26.500314] Dumping ftrace buffer:
[ 26.500640]    (ftrace buffer empty)
[ 26.500971] Kernel Offset: disabled
[ 26.501302] Rebooting in 86400 seconds..
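The log above is the raw console output; for triage one normally wants the key fields pulled out of it: the bug kind, the frame to blame (the first reliable frame after KASAN's own reporting code), the access size and address, the tasks that allocated and freed the object and the first non-allocator frame in each of those stacks, and the object offset. The Python below is an added example of such a parser. It is not syzkaller's or the kernel's code; the embedded SAMPLE_REPORT is a trimmed excerpt of this report, and the prefix lists of frames to look past (KASAN reporting functions, slab entry points) are the example's own heuristics.

```python
# Added example (not syzkaller's or the kernel's code): pull the triage fields out of a
# KASAN report like the one above.  SAMPLE_REPORT is a trimmed excerpt of that report.
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
[ 26.350006] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[ 26.351325] Read of size 8 at addr ffff880069d096e8 by task syz-executor0/3006
[ 26.355616] Call Trace:
[ 26.356157]  dump_stack+0x194/0x257
[ 26.357051]  ? arch_local_irq_restore+0x53/0x53
[ 26.362595]  kasan_report+0x24e/0x340
[ 26.363480]  __asan_report_load8_noabort+0x14/0x20
[ 26.364617]  __dev_remove_pack+0x305/0x3b0
[ 26.411425] RIP: 0033:0x447299
[ 26.415865] Allocated by task 3005:
[ 26.416194]  save_stack_trace+0x16/0x20
[ 26.417236]  kmem_cache_alloc_trace+0x136/0x750
[ 26.417669]  fanout_add+0xa50/0x1190
[ 26.419341] Freed by task 3006:
[ 26.419637]  save_stack_trace+0x16/0x20
[ 26.420658]  kfree+0xca/0x250
[ 26.420941]  packet_release+0xa8f/0xd70
[ 26.426244] The buggy address belongs to the object at ffff880069d08e40
[ 26.426244]  which belongs to the cache kmalloc-4096 of size 4096
[ 26.427371] The buggy address is located 2216 bytes inside of
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task [^\s/]+/(?P<pid>\d+)")
STACK_RE = re.compile(r"^(?P<which>Call Trace|Allocated|Freed)(?: by task (?P<pid>\d+))?:$")
OBJ_RE = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# One stack frame; the unwinder prefixes frames it cannot vouch for with "? ".
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
# Frames to look past (this example's own heuristic): KASAN's reporting and
# stack-saving code, and then the slab entry points in front of the real call site.
REPORTING = ("dump_stack", "print_address_description", "kasan_", "__asan_", "save_stack")
ALLOCATOR = REPORTING + ("kmem_cache_", "kmalloc", "__kmalloc", "kzalloc", "kfree")

@dataclass
class KasanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    call_trace: list = field(default_factory=list)  # reliable frames of the faulting trace
    stacks: dict = field(default_factory=dict)      # "Allocated"/"Freed" -> frames
    stack_pids: dict = field(default_factory=dict)  # "Allocated"/"Freed" -> task pid
    object_addr: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0

def _frames(lines, i):
    """Consecutive frame lines starting at lines[i]; returns ([(frame, unreliable)], next i)."""
    out = []
    while i < len(lines) and (m := FRAME_RE.match(lines[i])):
        out.append((m["frame"], m["unreliable"] is not None))
        i += 1
    return out, i

def parse_kasan_report(text):
    lines = [TS_RE.sub("", l).strip() for l in text.splitlines()]
    rep, i = KasanReport(), 0
    while i < len(lines):
        line = lines[i]
        if m := STACK_RE.match(line):
            fr, i = _frames(lines, i + 1)
            if m["which"] != "Call Trace":
                rep.stacks[m["which"]] = [f for f, _ in fr]
                rep.stack_pids[m["which"]] = int(m["pid"])
            elif not rep.call_trace:  # the later panic trace only repeats the faulting one
                rep.call_trace = [f for f, unreliable in fr if not unreliable]
            continue
        if m := BUG_RE.search(line):
            rep.kind = m["kind"]
        if m := ACCESS_RE.search(line):
            rep.op, rep.size = m["op"], int(m["size"])
            rep.addr, rep.pid = int(m["addr"], 16), int(m["pid"])
        if m := OBJ_RE.search(line):
            rep.object_addr = int(m["addr"], 16)
        if m := CACHE_RE.search(line):
            rep.cache, rep.object_size = m["cache"], int(m["size"])
        if m := OFFSET_RE.search(line):
            rep.offset = int(m["off"])
        i += 1
    return rep

def first_frame_outside(stack, skip=REPORTING):
    """First frame not starting with a skip prefix: the one to blame, or the alloc/free site."""
    return next((f for f in stack if not f.startswith(skip)), None)

def offset_is_consistent(rep):
    """Cross-check: the reported offset must equal addr - object and lie inside the object."""
    return rep.addr - rep.object_addr == rep.offset and 0 <= rep.offset < rep.object_size
```

On the excerpt, `first_frame_outside(rep.call_trace)` gives `__dev_remove_pack+0x305/0x3b0`, while `first_frame_outside(rep.stacks["Allocated"], ALLOCATOR)` and the same call on `"Freed"` give `fanout_add+0xa50/0x1190` and `packet_release+0xa8f/0xd70`, with the allocating task (3005) differing from the freeing and faulting task (3006). Frames marked `? ` are dropped from the call trace because the unwinder could not verify them, and `offset_is_consistent` checks that the address, object base and reported offset were all taken from the same report before anyone files a bug on them.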