2017/09/06 17:54:16 parsed 1 programs
2017/09/06 17:54:16 executed programs: 0
syzkaller login: [   29.549642] dev_remove_pack: ffff88003c707480 not found
[   29.571235] ==================================================================
[   29.572770] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[   29.574157] Read of size 8 at addr ffff880039a2eba8 by task syz-executor0/3095
[   29.575325]
[   29.575507] CPU: 0 PID: 3095 Comm: syz-executor0 Not tainted 4.13.0-next-20170906+ #16
[   29.576341] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   29.577193] Call Trace:
[   29.577481]  dump_stack+0x194/0x257
[   29.577869]  ? arch_local_irq_restore+0x53/0x53
[   29.578362]  ? show_regs_print_info+0x65/0x65
[   29.578849]  ? __dev_remove_pack+0x305/0x3b0
[   29.579309]  print_address_description+0x73/0x250
[   29.579846]  ? __dev_remove_pack+0x305/0x3b0
[   29.580370]  kasan_report+0x24e/0x340
[   29.580780]  __asan_report_load8_noabort+0x14/0x20
[   29.581319]  __dev_remove_pack+0x305/0x3b0
[   29.581773]  ? dev_get_by_name_rcu+0x270/0x270
[   29.582273]  ? refcount_sub_and_test+0x115/0x1b0
[   29.582795]  __unregister_prot_hook+0x211/0x280
[   29.583325]  packet_release+0x8bb/0xd70
[   29.583738]  ? packet_set_ring+0x1b70/0x1b70
[   29.584059]  ? dentry_free+0xcd/0x130
[   29.584325]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.584690]  ? kmem_cache_free+0x249/0x280
[   29.585027]  ? dentry_free+0xd2/0x130
[   29.585377]  ? locks_remove_file+0x3fa/0x5a0
[   29.586059]  ? fcntl_setlk+0x10d0/0x10d0
[   29.586300]  ? __fsnotify_parent+0xb4/0x3a0
[   29.586557]  ? fsnotify+0x1af0/0x1af0
[   29.586842]  sock_release+0x8d/0x1e0
[   29.587155]  ? sock_release+0x8d/0x1e0
[   29.587425]  ? sock_release+0x1e0/0x1e0
[   29.587730]  sock_close+0x16/0x20
[   29.587983]  __fput+0x333/0x7f0
[   29.588292]  ? fput+0x140/0x140
[   29.588601]  ? check_same_owner+0x320/0x320
[   29.588925]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.589281]  ____fput+0x15/0x20
[   29.589508]  task_work_run+0x199/0x270
[   29.589778]  ? task_work_cancel+0x210/0x210
[   29.590113]  ? _raw_spin_unlock+0x22/0x30
[   29.590411]  ? switch_task_namespaces+0x87/0xc0
[   29.590778]  do_exit+0xa52/0x1b40
[   29.591071]  ? plist_check_list+0xa0/0xa0
[   29.591392]  ? plist_del+0x47b/0x990
[   29.591678]  ? mm_update_next_owner+0x930/0x930
[   29.591996]  ? plist_add+0x760/0x760
[   29.592274]  ? check_same_owner+0x320/0x320
[   29.592644]  ? find_held_lock+0x39/0x1d0
[   29.592944]  ? check_noncircular+0x20/0x20
[   29.593260]  ? lock_downgrade+0x990/0x990
[   29.593572]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   29.593964]  ? find_held_lock+0x39/0x1d0
[   29.594287]  ? lock_downgrade+0x990/0x990
[   29.594599]  ? recalc_sigpending_tsk+0x117/0x150
[   29.594945]  ? recalc_sigpending+0x103/0x160
[   29.595289]  ? recalc_sigpending_tsk+0x150/0x150
[   29.595615]  ? get_signal+0x397/0x17e0
[   29.595939]  do_group_exit+0x149/0x400
[   29.596317]  ? __lock_is_held+0xbc/0x140
[   29.596655]  ? SyS_exit+0x30/0x30
[   29.596928]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.597272]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.597620]  get_signal+0x7e8/0x17e0
[   29.597897]  ? ptrace_notify+0x130/0x130
[   29.598184]  ? __fget+0xbb/0x580
[   29.598423]  ? lock_release+0xd70/0xd70
[   29.598723]  ? exit_robust_list+0x240/0x240
[   29.599033]  do_signal+0x94/0x1ee0
[   29.599297]  ? iterate_fd+0x3f0/0x3f0
[   29.599564]  ? setup_sigcontext+0x7d0/0x7d0
[   29.599866]  ? find_held_lock+0x39/0x1d0
[   29.600166]  ? __fget_light+0x29d/0x390
[   29.600443]  ? selinux_tun_dev_create+0xc0/0xc0
[   29.600766]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   29.601170]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   29.601530]  ? exit_to_usermode_loop+0x98/0x300
[   29.601853]  exit_to_usermode_loop+0x224/0x300
[   29.602178]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   29.602563]  syscall_return_slowpath+0x42f/0x500
[   29.602888]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[   29.603260]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   29.603598]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.603940]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.604281]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   29.604605] RIP: 0033:0x447299
[   29.604824] RSP: 002b:00007f746c4d0cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   29.605357] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[   29.605849] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[   29.606354] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[   29.607259] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   29.607754] R13: 0000000000000000 R14: 00007f746c4d19c0 R15: 00007f746c4d1700
[   29.608255]
[   29.608370] Allocated by task 3094:
[   29.608621]  save_stack_trace+0x16/0x20
[   29.608902]  save_stack+0x43/0xd0
[   29.609140]  kasan_kmalloc+0xad/0xe0
[   29.609393]  kmem_cache_alloc_trace+0x136/0x750
[   29.609726]  fanout_add+0xa50/0x1190
[   29.609983]  packet_setsockopt+0xfdc/0x1e80
[   29.610280]  SyS_setsockopt+0x189/0x360
[   29.610557]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   29.610881]
[   29.610996] Freed by task 3095:
[   29.611224]  save_stack_trace+0x16/0x20
[   29.611497]  save_stack+0x43/0xd0
[   29.611735]  kasan_slab_free+0x71/0xc0
[   29.612003]  kfree+0xca/0x250
[   29.612219]  packet_release+0xa8f/0xd70
[   29.612492]  sock_release+0x8d/0x1e0
[   29.612747]  sock_close+0x16/0x20
[   29.612986]  __fput+0x333/0x7f0
[   29.613212]  ____fput+0x15/0x20
[   29.613437]  task_work_run+0x199/0x270
[   29.613705]  do_exit+0xa52/0x1b40
[   29.613942]  do_group_exit+0x149/0x400
[   29.614217]  get_signal+0x7e8/0x17e0
[   29.614473]  do_signal+0x94/0x1ee0
[   29.614717]  exit_to_usermode_loop+0x224/0x300
[   29.615033]  syscall_return_slowpath+0x42f/0x500
[   29.615359]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   29.615682]
[   29.615797] The buggy address belongs to the object at ffff880039a2e300
[   29.615797]  which belongs to the cache kmalloc-4096 of size 4096
[   29.616664] The buggy address is located 2216 bytes inside of
[   29.616664]  4096-byte region [ffff880039a2e300, ffff880039a2f300)
[   29.617474] The buggy address belongs to the page:
[   29.617811] page:ffffea0000e68b80 count:1 mapcount:0 mapping:ffff880039a2e300 index:0x0 compound_mapcount: 0
[   29.618494] flags: 0x100000000008100(slab|head)
[   29.618814] raw: 0100000000008100 ffff880039a2e300 0000000000000000 0000000100000001
[   29.619352] raw: ffffea0000f72120 ffff88003e801a50 ffff88003e800dc0 0000000000000000
[   29.619887] page dumped because: kasan: bad access detected
[   29.620272]
[   29.620385] Memory state around the buggy address:
[   29.620722]  ffff880039a2ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.621224]  ffff880039a2eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.621723] >ffff880039a2eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.622266]                                   ^
[   29.622585]  ffff880039a2ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.623084]  ffff880039a2ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.623582] ==================================================================
[   29.624079] Disabling lock debugging due to kernel taint
[   29.624478] Kernel panic - not syncing: panic_on_warn set ...
[   29.624478]
[   29.624974] CPU: 0 PID: 3095 Comm: syz-executor0 Tainted: G    B           4.13.0-next-20170906+ #16
[   29.625609] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   29.626163] Call Trace:
[   29.626340]  dump_stack+0x194/0x257
[   29.626579]  ? arch_local_irq_restore+0x53/0x53
[   29.626885]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.627205]  ? __dev_remove_pack+0x2f0/0x3b0
[   29.627499]  panic+0x1e4/0x417
[   29.627775]  ? __warn+0x1d9/0x1d9
[   29.628702]  ? __dev_remove_pack+0x305/0x3b0
[   29.629159]  kasan_end_report+0x50/0x50
[   29.629565]  kasan_report+0x137/0x340
[   29.629952]  __asan_report_load8_noabort+0x14/0x20
[   29.630459]  __dev_remove_pack+0x305/0x3b0
[   29.630899]  ? dev_get_by_name_rcu+0x270/0x270
[   29.631373]  ? refcount_sub_and_test+0x115/0x1b0
[   29.631865]  __unregister_prot_hook+0x211/0x280
[   29.632306]  packet_release+0x8bb/0xd70
[   29.632668]  ? packet_set_ring+0x1b70/0x1b70
[   29.633086]  ? dentry_free+0xcd/0x130
[   29.633449]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.633956]  ? kmem_cache_free+0x249/0x280
[   29.634402]  ? dentry_free+0xd2/0x130
[   29.634816]  ? locks_remove_file+0x3fa/0x5a0
[   29.635341]  ? fcntl_setlk+0x10d0/0x10d0
[   29.635751]  ? __fsnotify_parent+0xb4/0x3a0
[   29.636203]  ? fsnotify+0x1af0/0x1af0
[   29.636676]  sock_release+0x8d/0x1e0
[   29.637105]  ? sock_release+0x8d/0x1e0
[   29.637598]  ? sock_release+0x1e0/0x1e0
[   29.638040]  sock_close+0x16/0x20
[   29.638391]  __fput+0x333/0x7f0
[   29.638733]  ? fput+0x140/0x140
[   29.639145]  ? check_same_owner+0x320/0x320
[   29.639599]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.640087]  ____fput+0x15/0x20
[   29.640541]  task_work_run+0x199/0x270
[   29.641232]  ? task_work_cancel+0x210/0x210
[   29.641929]  ? _raw_spin_unlock+0x22/0x30
[   29.642357]  ? switch_task_namespaces+0x87/0xc0
[   29.642674]  do_exit+0xa52/0x1b40
[   29.642910]  ? plist_check_list+0xa0/0xa0
[   29.643257]  ? plist_del+0x47b/0x990
[   29.643508]  ? mm_update_next_owner+0x930/0x930
[   29.643826]  ? plist_add+0x760/0x760
[   29.644096]  ? check_same_owner+0x320/0x320
[   29.644391]  ? find_held_lock+0x39/0x1d0
[   29.644669]  ? check_noncircular+0x20/0x20
[   29.644964]  ? lock_downgrade+0x990/0x990
[   29.645357]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[   29.645726]  ? find_held_lock+0x39/0x1d0
[   29.646005]  ? lock_downgrade+0x990/0x990
[   29.646300]  ? recalc_sigpending_tsk+0x117/0x150
[   29.646623]  ? recalc_sigpending+0x103/0x160
[   29.646923]  ? recalc_sigpending_tsk+0x150/0x150
[   29.647260]  ? get_signal+0x397/0x17e0
[   29.647528]  do_group_exit+0x149/0x400
[   29.647787]  ? __lock_is_held+0xbc/0x140
[   29.648075]  ? SyS_exit+0x30/0x30
[   29.648312]  ? _raw_spin_unlock_irq+0x27/0x70
[   29.648618]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.648962]  get_signal+0x7e8/0x17e0
[   29.649626]  ? ptrace_notify+0x130/0x130
[   29.649936]  ? __fget+0xbb/0x580
[   29.650182]  ? lock_release+0xd70/0xd70
[   29.650455]  ? exit_robust_list+0x240/0x240
[   29.650802]  do_signal+0x94/0x1ee0
[   29.651121]  ? iterate_fd+0x3f0/0x3f0
[   29.651502]  ? setup_sigcontext+0x7d0/0x7d0
[   29.651914]  ? find_held_lock+0x39/0x1d0
[   29.652308]  ? __fget_light+0x29d/0x390
[   29.652720]  ? selinux_tun_dev_create+0xc0/0xc0
[   29.653200]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[   29.653783]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[   29.654277]  ? exit_to_usermode_loop+0x98/0x300
[   29.654733]  exit_to_usermode_loop+0x224/0x300
[   29.655208]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   29.655800]  syscall_return_slowpath+0x42f/0x500
[   29.656264]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[   29.656767]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   29.657266]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.657793]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.658259]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   29.658710] RIP: 0033:0x447299
[   29.659074] RSP: 002b:00007f746c4d0cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   29.659853] RAX: fffffffffffffe00 RBX: 00000000007080d8 RCX: 0000000000447299
[   29.660577] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080d8
[   29.661348] RBP: 00000000007080b0 R08: 0000000000000000 R09: 0000000000000000
[   29.662128] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   29.662826] R13: 0000000000000000 R14: 00007f746c4d19c0 R15: 00007f746c4d1700
[   29.663566] Dumping ftrace buffer:
[   29.663924]    (ftrace buffer empty)
[   29.664267] Kernel Offset: disabled
[   29.664619] Rebooting in 86400 seconds..
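Reading the report above: the object is a kmalloc-4096 allocation made in fanout_add (reached through packet_setsockopt) by task 3094; it was freed by kfree in packet_release by task 3095 while that task was exiting; then, still inside the same packet_release, __unregister_prot_hook called __dev_remove_pack, which read 8 bytes at offset 2216 into the freed object. The shadow rows around the address are all fb, the generic-KASAN marker for freed slab memory, and panic_on_warn turned the report into a panic. Frames marked "?" are unreliable guesses by the unwinder and should not be used for grouping. The script below is an added example, not syzkaller or kernel code: it parses this console format into those fields, picks the first reliable non-instrumentation frame of each stack, decodes the shadow byte covering the faulting address, and cross-checks the offset and region the report states against the address. The embedded REPORT is a trimmed excerpt of the log above; the 0xfb meaning is the 4.13-era generic KASAN encoding, and the title format follows the shape of syzkaller's crash titles.

```python
"""Parse a KASAN report into the fields a triager needs first.
Added example for this page, not syzkaller or kernel code."""
import re

# Excerpt of the report on this page, trimmed to the lines the parser needs.
REPORT = """\
[   29.572770] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[   29.574157] Read of size 8 at addr ffff880039a2eba8 by task syz-executor0/3095
[   29.577193] Call Trace:
[   29.577481]  dump_stack+0x194/0x257
[   29.580370]  kasan_report+0x24e/0x340
[   29.580780]  __asan_report_load8_noabort+0x14/0x20
[   29.581319]  __dev_remove_pack+0x305/0x3b0
[   29.581773]  ? dev_get_by_name_rcu+0x270/0x270
[   29.582795]  __unregister_prot_hook+0x211/0x280
[   29.608370] Allocated by task 3094:
[   29.608902]  save_stack+0x43/0xd0
[   29.609140]  kasan_kmalloc+0xad/0xe0
[   29.609393]  kmem_cache_alloc_trace+0x136/0x750
[   29.609726]  fanout_add+0xa50/0x1190
[   29.610996] Freed by task 3095:
[   29.611497]  save_stack+0x43/0xd0
[   29.611735]  kasan_slab_free+0x71/0xc0
[   29.612003]  kfree+0xca/0x250
[   29.612219]  packet_release+0xa8f/0xd70
[   29.616664] The buggy address is located 2216 bytes inside of
[   29.616664]  4096-byte region [ffff880039a2e300, ffff880039a2f300)
[   29.621723] >ffff880039a2eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.622585]  ffff880039a2ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS = re.compile(r"^\[\s*\d+\.\d+\] ?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<fn>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION = re.compile(r"^(?:Call Trace:|(?P<what>Allocated|Freed) by task (?P<pid>\d+):)$")
FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside")
REGION = re.compile(r"region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
SHADOW = re.compile(r"^[ >](?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
# Frames that belong to the instrumentation rather than to the code under test.
NOISE = {"dump_stack", "print_address_description", "kasan_report", "save_stack",
         "save_stack_trace", "kasan_kmalloc", "kasan_slab_free", "kfree", "kmem_cache_alloc_trace"}

def parse_kasan(text: str) -> dict:
    r = {"stacks": {}, "tasks": {}, "shadow": {}, "stated_offset": -1}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := SECTION.match(line):
            section = {"Allocated": "alloc", "Freed": "free"}.get(m["what"], "trace")
            if section in r["stacks"]:          # the panic path reprints the trace; keep the first
                section = None
            else:
                r["stacks"][section] = []
                if m["pid"]:
                    r["tasks"][section] = int(m["pid"])
        elif section and (m := FRAME.match(line)):
            r["stacks"][section].append((m["fn"], bool(m["unreliable"])))
        else:
            section = None                      # any other line closes an open stack
            if m := BUG.search(line):
                r["kind"], r["func"] = m["kind"], m["fn"]
            elif m := ACCESS.search(line):
                r.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                         comm=m["comm"], pid=int(m["pid"]))
            elif m := OFFSET.search(line):
                r["stated_offset"] = int(m["off"])
            elif m := REGION.search(line):
                r["obj_start"], r["obj_end"] = int(m["lo"], 16), int(m["hi"], 16)
            elif m := SHADOW.match(line):
                r["shadow"][int(m["row"], 16)] = m["bytes"].split()
    return r

def top_frame(r: dict, which: str) -> str:
    """First reliable ('?'-free) frame that is not KASAN or stack-saving plumbing."""
    for fn, unreliable in r["stacks"].get(which, []):
        if not unreliable and fn not in NOISE and not fn.startswith("__asan_report"):
            return fn
    return ""

def shadow_byte(r: dict, addr: int) -> str:
    """Shadow byte covering addr: each printed row spans 128 bytes, one byte per 8."""
    row = r["shadow"].get(addr & ~0x7F)
    return row[(addr & 0x7F) >> 3] if row else ""

def check_consistency(r: dict) -> dict:
    """Cross-check the three statements the report makes about the same address.
    0xfb is KASAN_KMALLOC_FREE: the slab object holding addr has been freed."""
    return {"addr_in_object": r["obj_start"] <= r["addr"] < r["obj_end"],
            "offset_matches": r["addr"] - r["obj_start"] == r["stated_offset"],
            "shadow_says_freed": shadow_byte(r, r["addr"]) == "fb"}

def crash_title(r: dict) -> str:
    """Title in the shape syzkaller uses to group reports of the same crash."""
    return f"KASAN: {r['kind']} {r['rw']} in {top_frame(r, 'trace')}"
```

Run `parse_kasan(REPORT)` and feed the result to `crash_title`, `top_frame` and `check_consistency`: for this log the title is "KASAN: use-after-free Read in __dev_remove_pack", the allocation frame is fanout_add, the free frame is packet_release, and all three consistency checks hold (0xffff880039a2eba8 - 0xffff880039a2e300 = 0x8a8 = 2216, inside the 4096-byte region, shadow fb). A second "Call Trace:" from the panic dump is ignored so the panic frames do not pollute the grouping key.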