2017/08/15 10:38:35 parsed 1 programs 2017/08/15 10:38:35 executed programs: 0 syzkaller login: [ 24.485750] ================================================================== [ 24.487325] BUG: KASAN: use-after-free in skb_release_data+0x5cf/0x790 [ 24.488022] Read of size 1 at addr ffff8800687f7d42 by task syz-executor0/3331 [ 24.489200] [ 24.489529] CPU: 2 PID: 3331 Comm: syz-executor0 Not tainted 4.13.0-rc5-next-20170815+ #3 [ 24.491124] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 24.492805] Call Trace: [ 24.493105] dump_stack+0x194/0x257 [ 24.493596] ? arch_local_irq_restore+0x53/0x53 [ 24.494134] ? show_regs_print_info+0x65/0x65 [ 24.494988] ? skb_release_data+0x5cf/0x790 [ 24.495951] print_address_description+0x73/0x250 [ 24.496524] ? skb_release_data+0x5cf/0x790 [ 24.496949] kasan_report+0x24e/0x340 [ 24.497366] __asan_report_load1_noabort+0x14/0x20 [ 24.497963] skb_release_data+0x5cf/0x790 [ 24.498285] ? lock_downgrade+0x990/0x990 [ 24.498607] ? ip_route_input_rcu+0x1193/0x3210 [ 24.499339] ? do_raw_spin_trylock+0x190/0x190 [ 24.499778] ? skb_tx_error+0x2c0/0x2c0 [ 24.500150] ? refcount_add+0x60/0x60 [ 24.500509] ? rt_flush_dev+0x290/0x290 [ 24.500989] ? trace_hardirqs_on+0xd/0x10 [ 24.501307] skb_release_all+0x4a/0x60 [ 24.501627] kfree_skb+0x15d/0x4c0 [ 24.501951] ? ip_defrag+0xc69/0x4000 [ 24.502277] ? __kfree_skb+0x20/0x20 [ 24.502620] ? lock_release+0xa40/0xa40 [ 24.503002] ? ipqhashfn+0xb7/0x180 [ 24.503340] ? ip4_frag_match+0x370/0x370 [ 24.503735] ? percpu_counter_add_batch+0xce/0x130 [ 24.504214] ip_defrag+0xc69/0x4000 [ 24.505140] ? ip_expire+0x6d0/0x6d0 [ 24.505425] ? lock_downgrade+0x990/0x990 [ 24.505733] ? lock_release+0xa40/0xa40 [ 24.506069] ? lock_acquire+0x1d5/0x580 [ 24.506327] ip_local_deliver+0x174/0x6d0 [ 24.506649] ? ip_call_ra_chain+0x6d0/0x6d0 [ 24.507060] ? ip_route_input_noref+0x13c/0x1e0 [ 24.507513] ? ip_route_input_rcu+0x3210/0x3210 [ 24.507943] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.508400] ip_rcv_finish+0x8db/0x19c0 [ 24.508784] ? iptable_nat_ipv4_fn+0x40/0x40 [ 24.509192] ? ip_local_deliver_finish+0xba0/0xba0 [ 24.509619] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 24.510307] ? ip_rcv+0xf05/0x17d0 [ 24.510628] ? lock_downgrade+0x990/0x990 [ 24.511024] ? iptable_nat_ipv4_in+0x2c/0x40 [ 24.511439] ? nf_hook_slow+0x12d/0x290 [ 24.511815] ? nf_unregister_afinfo+0x150/0x150 [ 24.512284] ? lock_release+0xa40/0xa40 [ 24.512638] ? __read_once_size_nocheck.constprop.8+0x10/0x10 [ 24.513162] ip_rcv+0xc3f/0x17d0 [ 24.513467] ? ip_local_deliver+0x6d0/0x6d0 [ 24.513848] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.514311] ? lock_release+0xa40/0xa40 [ 24.514687] ? unwind_dump+0x4c0/0x4c0 [ 24.515112] ? ip_local_deliver_finish+0xba0/0xba0 [ 24.515520] ? ip_local_deliver+0x6d0/0x6d0 [ 24.515950] __netif_receive_skb_core+0x19af/0x33d0 [ 24.516422] ? unwind_get_return_address+0x61/0xa0 [ 24.516909] ? nf_ingress+0x9f0/0x9f0 [ 24.517288] ? save_stack+0xa3/0xd0 [ 24.517643] ? save_stack_trace+0x16/0x20 [ 24.518042] ? save_stack+0x43/0xd0 [ 24.518384] ? kasan_kmalloc+0xad/0xe0 [ 24.518752] ? kasan_slab_alloc+0x12/0x20 [ 24.519198] ? kmem_cache_alloc+0x12e/0x760 [ 24.519646] ? __build_skb+0x9d/0x450 [ 24.520030] ? build_skb+0x6f/0x260 [ 24.520398] ? tun_get_user+0x1db7/0x2150 [ 24.520838] ? tun_chr_write_iter+0xd8/0x190 [ 24.521308] ? __vfs_write+0x684/0x970 [ 24.521700] ? vfs_write+0x189/0x510 [ 24.522105] ? SyS_write+0xef/0x220 [ 24.522556] ? entry_SYSCALL_64_fastpath+0x1f/0xbe [ 24.523233] ? __skb_flow_dissect+0xfa1/0x3ae0 [ 24.523761] ? __sched_text_start+0x8/0x8 [ 24.524300] ? plist_check_list+0x7e/0xa0 [ 24.524840] ? __skb_flow_get_ports+0x400/0x400 [ 24.525628] ? lock_acquire+0x1d5/0x580 [ 24.526462] ? netif_receive_skb_internal+0x1d7/0x5e0 [ 24.526988] ? lock_downgrade+0x990/0x990 [ 24.527440] ? pvclock_read_flags+0x160/0x160 [ 24.527878] ? __build_skb+0x325/0x450 [ 24.528324] ? lock_acquire+0x1d5/0x580 [ 24.528705] ? lock_acquire+0x1d5/0x580 [ 24.529093] ? netif_receive_skb_internal+0x93/0x5e0 [ 24.529626] ? ktime_get_with_offset+0x2c1/0x420 [ 24.530146] ? lock_release+0xa40/0xa40 [ 24.530591] ? do_gettimeofday+0x190/0x190 [ 24.531023] ? __build_skb+0x450/0x450 [ 24.531450] __netif_receive_skb+0x2c/0x1b0 [ 24.531871] ? __netif_receive_skb+0x2c/0x1b0 [ 24.532384] netif_receive_skb_internal+0x10b/0x5e0 [ 24.532894] ? dev_cpu_dead+0xb00/0xb00 [ 24.533290] ? tun_device_event+0xca0/0xca0 [ 24.534105] ? futex_wake+0x680/0x680 [ 24.534803] ? __unqueue_futex+0x1c0/0x290 [ 24.535288] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 24.535811] netif_receive_skb+0xae/0x390 [ 24.536206] ? netif_receive_skb_internal+0x5e0/0x5e0 [ 24.536741] ? mark_wake_futex+0xc0/0x1c0 [ 24.537069] ? futex_wait_setup+0x3d0/0x3d0 [ 24.537477] ? tun_rx_batched.isra.43+0x5bd/0x860 [ 24.537883] tun_rx_batched.isra.43+0x5e7/0x860 [ 24.538279] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 24.538762] ? tun_sock_write_space+0x370/0x370 [ 24.539137] ? tun_free_netdev+0x1b0/0x1b0 [ 24.539539] tun_get_user+0x11dd/0x2150 [ 24.539880] ? tun_flow_update+0xf70/0xf70 [ 24.540242] ? lock_acquire+0x1d5/0x580 [ 24.540580] ? lock_acquire+0x1d5/0x580 [ 24.540940] ? __tun_get+0x1ab/0x2e0 [ 24.541394] ? lock_downgrade+0x990/0x990 [ 24.541787] ? lock_release+0xa40/0xa40 [ 24.542023] ? __fget+0x35c/0x570 [ 24.542239] ? __tun_get+0x1d4/0x2e0 [ 24.542446] ? tun_chr_close+0x60/0x60 [ 24.542691] ? rcu_note_context_switch+0x710/0x710 [ 24.542996] tun_chr_write_iter+0xd8/0x190 [ 24.543240] __vfs_write+0x684/0x970 [ 24.543467] ? default_llseek+0x290/0x290 [ 24.543744] ? _cond_resched+0x14/0x30 [ 24.544070] ? avc_policy_seqno+0x9/0x20 [ 24.544395] ? selinux_file_permission+0x82/0x460 [ 24.544789] ? rw_verify_area+0xe5/0x2b0 [ 24.545130] ? __fdget_raw+0x20/0x20 [ 24.545449] vfs_write+0x189/0x510 [ 24.545751] SyS_write+0xef/0x220 [ 24.546044] ? SyS_read+0x220/0x220 [ 24.546355] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 24.546767] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 24.548703] RIP: 0033:0x40bab1 [ 24.549265] RSP: 002b:00007fe09e61cc00 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 24.550013] RAX: ffffffffffffffda RBX: 000000000000002a RCX: 000000000040bab1 [ 24.550809] RDX: 000000000000002a RSI: 0000000020a71fd0 RDI: 0000000000000003 [ 24.551522] RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000 [ 24.552193] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000ffffffff [ 24.553524] R13: 00000000000056b0 R14: 00000000006e7770 R15: 0000000001010200 [ 24.554189] [ 24.554305] The buggy address belongs to the page: [ 24.554618] page:ffffea0001a1fdc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 24.555277] flags: 0x500000000000000() [ 24.555627] raw: 0500000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 24.556320] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000 [ 24.556991] page dumped because: kasan: bad access detected [ 24.557478] [ 24.557622] Memory state around the buggy address: [ 24.558048] ffff8800687f7c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.558710] ffff8800687f7c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.559366] >ffff8800687f7d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.560011] ^ [ 24.560498] ffff8800687f7d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.561153] ffff8800687f7e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 24.561779] ================================================================== [ 24.562433] Kernel panic - not syncing: panic_on_warn set ... [ 24.562433] [ 24.563082] CPU: 2 PID: 3331 Comm: syz-executor0 Tainted: G B 4.13.0-rc5-next-20170815+ #3 [ 24.563882] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 24.564406] Call Trace: [ 24.564635] dump_stack+0x194/0x257 [ 24.564873] ? arch_local_irq_restore+0x53/0x53 [ 24.565186] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 24.565520] ? skb_release_data+0x520/0x790 [ 24.565809] panic+0x1e4/0x417 [ 24.566079] ? __warn+0x1d9/0x1d9 [ 24.566390] ? skb_release_data+0x5cf/0x790 [ 24.566793] kasan_end_report+0x50/0x50 [ 24.567211] kasan_report+0x137/0x340 [ 24.567660] __asan_report_load1_noabort+0x14/0x20 [ 24.568185] skb_release_data+0x5cf/0x790 [ 24.568582] ? lock_downgrade+0x990/0x990 [ 24.569216] ? ip_route_input_rcu+0x1193/0x3210 [ 24.569601] ? do_raw_spin_trylock+0x190/0x190 [ 24.569988] ? skb_tx_error+0x2c0/0x2c0 [ 24.570318] ? refcount_add+0x60/0x60 [ 24.570639] ? rt_flush_dev+0x290/0x290 [ 24.570996] ? trace_hardirqs_on+0xd/0x10 [ 24.571354] skb_release_all+0x4a/0x60 [ 24.571706] kfree_skb+0x15d/0x4c0 [ 24.572022] ? ip_defrag+0xc69/0x4000 [ 24.572362] ? __kfree_skb+0x20/0x20 [ 24.572692] ? lock_release+0xa40/0xa40 [ 24.573045] ? ipqhashfn+0xb7/0x180 [ 24.573355] ? ip4_frag_match+0x370/0x370 [ 24.573658] ? percpu_counter_add_batch+0xce/0x130 [ 24.573988] ip_defrag+0xc69/0x4000 [ 24.574320] ? ip_expire+0x6d0/0x6d0 [ 24.574662] ? lock_downgrade+0x990/0x990 [ 24.575100] ? lock_release+0xa40/0xa40 [ 24.575480] ? lock_acquire+0x1d5/0x580 [ 24.575843] ip_local_deliver+0x174/0x6d0 [ 24.576210] ? ip_call_ra_chain+0x6d0/0x6d0 [ 24.576588] ? ip_route_input_noref+0x13c/0x1e0 [ 24.577004] ? ip_route_input_rcu+0x3210/0x3210 [ 24.577477] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.577974] ip_rcv_finish+0x8db/0x19c0 [ 24.578330] ? iptable_nat_ipv4_fn+0x40/0x40 [ 24.578787] ? ip_local_deliver_finish+0xba0/0xba0 [ 24.579250] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 24.579759] ? ip_rcv+0xf05/0x17d0 [ 24.580090] ? lock_downgrade+0x990/0x990 [ 24.580471] ? iptable_nat_ipv4_in+0x2c/0x40 [ 24.580869] ? nf_hook_slow+0x12d/0x290 [ 24.581236] ? nf_unregister_afinfo+0x150/0x150 [ 24.581675] ? lock_release+0xa40/0xa40 [ 24.582040] ? __read_once_size_nocheck.constprop.8+0x10/0x10 [ 24.582582] ip_rcv+0xc3f/0x17d0 [ 24.582920] ? ip_local_deliver+0x6d0/0x6d0 [ 24.583310] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 24.583765] ? lock_release+0xa40/0xa40 [ 24.584121] ? unwind_dump+0x4c0/0x4c0 [ 24.584470] ? ip_local_deliver_finish+0xba0/0xba0 [ 24.584946] ? ip_local_deliver+0x6d0/0x6d0 [ 24.585347] __netif_receive_skb_core+0x19af/0x33d0 [ 24.585804] ? unwind_get_return_address+0x61/0xa0 [ 24.586250] ? nf_ingress+0x9f0/0x9f0 [ 24.586600] ? save_stack+0xa3/0xd0 [ 24.586938] ? save_stack_trace+0x16/0x20 [ 24.587301] ? save_stack+0x43/0xd0 [ 24.587616] ? kasan_kmalloc+0xad/0xe0 [ 24.587949] ? kasan_slab_alloc+0x12/0x20 [ 24.588309] ? kmem_cache_alloc+0x12e/0x760 [ 24.588705] ? __build_skb+0x9d/0x450 [ 24.589052] ? build_skb+0x6f/0x260 [ 24.589382] ? tun_get_user+0x1db7/0x2150 [ 24.589757] ? tun_chr_write_iter+0xd8/0x190 [ 24.590659] ? __vfs_write+0x684/0x970 [ 24.591021] ? vfs_write+0x189/0x510 [ 24.591326] ? SyS_write+0xef/0x220 [ 24.591577] ? entry_SYSCALL_64_fastpath+0x1f/0xbe [ 24.591937] ? __skb_flow_dissect+0xfa1/0x3ae0 [ 24.592247] ? __sched_text_start+0x8/0x8 [ 24.592526] ? plist_check_list+0x7e/0xa0 [ 24.592819] ? __skb_flow_get_ports+0x400/0x400 [ 24.593134] ? lock_acquire+0x1d5/0x580 [ 24.593412] ? netif_receive_skb_internal+0x1d7/0x5e0 [ 24.593768] ? lock_downgrade+0x990/0x990 [ 24.594057] ? pvclock_read_flags+0x160/0x160 [ 24.594371] ? __build_skb+0x325/0x450 [ 24.594641] ? lock_acquire+0x1d5/0x580 [ 24.594939] ? lock_acquire+0x1d5/0x580 [ 24.595208] ? netif_receive_skb_internal+0x93/0x5e0 [ 24.595550] ? ktime_get_with_offset+0x2c1/0x420 [ 24.595877] ? lock_release+0xa40/0xa40 [ 24.596140] ? do_gettimeofday+0x190/0x190 [ 24.596437] ? __build_skb+0x450/0x450 [ 24.596699] __netif_receive_skb+0x2c/0x1b0 [ 24.596997] ? __netif_receive_skb+0x2c/0x1b0 [ 24.597296] netif_receive_skb_internal+0x10b/0x5e0 [ 24.597639] ? dev_cpu_dead+0xb00/0xb00 [ 24.597916] ? tun_device_event+0xca0/0xca0 [ 24.598213] ? futex_wake+0x680/0x680 [ 24.598475] ? __unqueue_futex+0x1c0/0x290 [ 24.598782] ? drop_futex_key_refs.isra.13+0x63/0xb0 [ 24.599155] netif_receive_skb+0xae/0x390 [ 24.599446] ? netif_receive_skb_internal+0x5e0/0x5e0 [ 24.599801] ? mark_wake_futex+0xc0/0x1c0 [ 24.600142] ? futex_wait_setup+0x3d0/0x3d0 [ 24.600489] ? tun_rx_batched.isra.43+0x5bd/0x860 [ 24.600825] tun_rx_batched.isra.43+0x5e7/0x860 [ 24.601147] ? skb_get_hash_perturb+0x9d0/0x9d0 [ 24.601470] ? tun_sock_write_space+0x370/0x370 [ 24.601783] ? tun_free_netdev+0x1b0/0x1b0 [ 24.602076] tun_get_user+0x11dd/0x2150 [ 24.602356] ? tun_flow_update+0xf70/0xf70 [ 24.602646] ? lock_acquire+0x1d5/0x580 [ 24.602935] ? lock_acquire+0x1d5/0x580 [ 24.603197] ? __tun_get+0x1ab/0x2e0 [ 24.603457] ? lock_downgrade+0x990/0x990 [ 24.603747] ? lock_release+0xa40/0xa40 [ 24.604018] ? __fget+0x35c/0x570 [ 24.604250] ? __tun_get+0x1d4/0x2e0 [ 24.604505] ? tun_chr_close+0x60/0x60 [ 24.604772] ? rcu_note_context_switch+0x710/0x710 [ 24.605114] tun_chr_write_iter+0xd8/0x190 [ 24.605403] __vfs_write+0x684/0x970 [ 24.605648] ? default_llseek+0x290/0x290 [ 24.605935] ? _cond_resched+0x14/0x30 [ 24.606203] ? avc_policy_seqno+0x9/0x20 [ 24.606481] ? selinux_file_permission+0x82/0x460 [ 24.606861] ? rw_verify_area+0xe5/0x2b0 [ 24.607254] ? __fdget_raw+0x20/0x20 [ 24.607622] vfs_write+0x189/0x510 [ 24.607985] SyS_write+0xef/0x220 [ 24.608479] ? SyS_read+0x220/0x220 [ 24.608901] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 24.609384] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 24.609931] RIP: 0033:0x40bab1 [ 24.610316] RSP: 002b:00007fe09e61cc00 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 24.610898] RAX: ffffffffffffffda RBX: 000000000000002a RCX: 000000000040bab1 [ 24.611788] RDX: 000000000000002a RSI: 0000000020a71fd0 RDI: 0000000000000003 [ 24.612570] RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000 [ 24.613234] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000ffffffff [ 24.613902] R13: 00000000000056b0 R14: 00000000006e7770 R15: 0000000001010200 [ 24.614617] Dumping ftrace buffer: [ 24.614978] (ftrace buffer empty) [ 24.615352] Kernel Offset: disabled [ 24.615718] Rebooting in 86400 seconds..