2017/09/10 06:40:28 parsed 1 programs
2017/09/10 06:40:28 executed programs: 0
syzkaller login: [ 24.969246] dev_remove_pack: ffff880069147d80 not found
[ 24.995218] ==================================================================
[ 24.995763] BUG: KASAN: use-after-free in __dev_remove_pack+0x305/0x3b0
[ 24.996237] Read of size 8 at addr ffff88006b5b6b28 by task syz-executor0/3009
[ 24.996735]
[ 24.996852] CPU: 3 PID: 3009 Comm: syz-executor0 Not tainted 4.13.0-next-20170908+ #18
[ 24.997408] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 24.998016] Call Trace:
[ 24.998201]  dump_stack+0x194/0x257
[ 24.998456]  ? arch_local_irq_restore+0x53/0x53
[ 24.998835]  ? show_regs_print_info+0x65/0x65
[ 24.999249]  ? __dev_remove_pack+0x305/0x3b0
[ 24.999689]  print_address_description+0x73/0x250
[ 25.000160]  ? __dev_remove_pack+0x305/0x3b0
[ 25.000593]  kasan_report+0x24e/0x340
[ 25.000946]  __asan_report_load8_noabort+0x14/0x20
[ 25.001384]  __dev_remove_pack+0x305/0x3b0
[ 25.001779]  ? dev_get_by_name_rcu+0x270/0x270
[ 25.002202]  ? refcount_sub_and_test+0x115/0x1b0
[ 25.002539]  __unregister_prot_hook+0x211/0x280
[ 25.002955]  packet_release+0x8bb/0xd70
[ 25.003326]  ? packet_set_ring+0x1b70/0x1b70
[ 25.003733]  ? dentry_free+0xcd/0x130
[ 25.004086]  ? rcu_read_lock_sched_held+0x108/0x120
[ 25.004544]  ? kmem_cache_free+0x249/0x280
[ 25.004936]  ? dentry_free+0xd2/0x130
[ 25.005290]  ? locks_remove_file+0x3fa/0x5a0
[ 25.005700]  ? fcntl_setlk+0x10d0/0x10d0
[ 25.005991]  ? __fsnotify_parent+0xb4/0x3a0
[ 25.006295]  ? fsnotify+0x1af0/0x1af0
[ 25.006568]  sock_release+0x8d/0x1e0
[ 25.006830]  ? sock_release+0x8d/0x1e0
[ 25.007120]  ? sock_release+0x1e0/0x1e0
[ 25.007396]  sock_close+0x16/0x20
[ 25.007640]  __fput+0x333/0x7f0
[ 25.007876]  ? fput+0x140/0x140
[ 25.008108]  ? check_same_owner+0x320/0x320
[ 25.008408]  ? _raw_spin_unlock_irq+0x27/0x70
[ 25.008753]  ____fput+0x15/0x20
[ 25.009000]  task_work_run+0x199/0x270
[ 25.009304]  ? task_work_cancel+0x210/0x210
[ 25.009690]  ? _raw_spin_unlock+0x22/0x30
[ 25.010010]  ? switch_task_namespaces+0x87/0xc0
[ 25.010363]  do_exit+0xa52/0x1b40
[ 25.010605]  ? plist_check_list+0xa0/0xa0
[ 25.010929]  ? plist_del+0x47b/0x990
[ 25.011257]  ? mm_update_next_owner+0x930/0x930
[ 25.011620]  ? plist_add+0x760/0x760
[ 25.011930]  ? check_same_owner+0x320/0x320
[ 25.012609]  ? find_held_lock+0x39/0x1d0
[ 25.012897]  ? check_noncircular+0x20/0x20
[ 25.013202]  ? lock_downgrade+0x990/0x990
[ 25.013572]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[ 25.014033]  ? find_held_lock+0x39/0x1d0
[ 25.014376]  ? lock_downgrade+0x990/0x990
[ 25.014690]  ? recalc_sigpending_tsk+0x117/0x150
[ 25.015073]  ? recalc_sigpending+0x103/0x160
[ 25.015406]  ? recalc_sigpending_tsk+0x150/0x150
[ 25.015732]  ? get_signal+0x397/0x17e0
[ 25.016038]  do_group_exit+0x149/0x400
[ 25.016345]  ? __lock_is_held+0xbc/0x140
[ 25.016693]  ? SyS_exit+0x30/0x30
[ 25.016933]  ? _raw_spin_unlock_irq+0x27/0x70
[ 25.017244]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.017590]  get_signal+0x7e8/0x17e0
[ 25.017948]  ? ptrace_notify+0x130/0x130
[ 25.018234]  ? __fget+0xbb/0x580
[ 25.018494]  ? lock_release+0xd70/0xd70
[ 25.018781]  ? exit_robust_list+0x240/0x240
[ 25.019130]  do_signal+0x94/0x1ee0
[ 25.019410]  ? iterate_fd+0x3f0/0x3f0
[ 25.019705]  ? setup_sigcontext+0x7d0/0x7d0
[ 25.020054]  ? mntput_no_expire+0x15e/0xa90
[ 25.020368]  ? check_same_owner+0x320/0x320
[ 25.020677]  ? __fget_light+0x29d/0x390
[ 25.020983]  ? selinux_tun_dev_create+0xc0/0xc0
[ 25.021332]  ? putname+0xee/0x130
[ 25.021575]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 25.022000]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 25.022394]  ? exit_to_usermode_loop+0x98/0x300
[ 25.022803]  exit_to_usermode_loop+0x224/0x300
[ 25.023177]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 25.023622]  syscall_return_slowpath+0x42f/0x500
[ 25.023980]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 25.024357]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 25.024745]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.025260]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.025706]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 25.026143] RIP: 0033:0x447299
[ 25.026434] RSP: 002b:00007fb1a8f24cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 25.027137] RAX: fffffffffffffe00 RBX: 0000000000708028 RCX: 0000000000447299
[ 25.027890] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000708028
[ 25.028550] RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
[ 25.029144] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 25.029642] R13: 0000000000000000 R14: 00007fb1a8f259c0 R15: 00007fb1a8f25700
[ 25.030153]
[ 25.030274] Allocated by task 3009:
[ 25.030529]  save_stack_trace+0x16/0x20
[ 25.030862]  save_stack+0x43/0xd0
[ 25.031133]  kasan_kmalloc+0xad/0xe0
[ 25.031422]  kmem_cache_alloc_trace+0x136/0x750
[ 25.031748]  fanout_add+0xa50/0x1190
[ 25.032064]  packet_setsockopt+0xfdc/0x1e80
[ 25.032365]  SyS_setsockopt+0x189/0x360
[ 25.032697]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 25.033262]
[ 25.033383] Freed by task 3009:
[ 25.033622]  save_stack_trace+0x16/0x20
[ 25.033899]  save_stack+0x43/0xd0
[ 25.034142]  kasan_slab_free+0x71/0xc0
[ 25.034440]  kfree+0xca/0x250
[ 25.034659]  packet_release+0xa8f/0xd70
[ 25.034943]  sock_release+0x8d/0x1e0
[ 25.035201]  sock_close+0x16/0x20
[ 25.035442]  __fput+0x333/0x7f0
[ 25.035673]  ____fput+0x15/0x20
[ 25.035905]  task_work_run+0x199/0x270
[ 25.036178]  do_exit+0xa52/0x1b40
[ 25.036419]  do_group_exit+0x149/0x400
[ 25.036689]  get_signal+0x7e8/0x17e0
[ 25.036950]  do_signal+0x94/0x1ee0
[ 25.037198]  exit_to_usermode_loop+0x224/0x300
[ 25.037517]  syscall_return_slowpath+0x42f/0x500
[ 25.037883]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 25.038284]
[ 25.038406] The buggy address belongs to the object at ffff88006b5b6280
[ 25.038406]  which belongs to the cache kmalloc-4096 of size 4096
[ 25.039549] The buggy address is located 2216 bytes inside of
[ 25.039549]  4096-byte region [ffff88006b5b6280, ffff88006b5b7280)
[ 25.040634] The buggy address belongs to the page:
[ 25.041083] page:ffffea0001ad6d80 count:1 mapcount:0 mapping:ffff88006b5b6280 index:0x0 compound_mapcount: 0
[ 25.041768] flags: 0x500000000008100(slab|head)
[ 25.042091] raw: 0500000000008100 ffff88006b5b6280 0000000000000000 0000000100000001
[ 25.042629] raw: ffffea0001b23da0 ffff88006d800a50 ffff88003e800dc0 0000000000000000
[ 25.043167] page dumped because: kasan: bad access detected
[ 25.043554]
[ 25.043672] Memory state around the buggy address:
[ 25.043999]  ffff88006b5b6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.044495]  ffff88006b5b6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.044997] >ffff88006b5b6b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.045499]                                   ^
[ 25.045826]  ffff88006b5b6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.046329]  ffff88006b5b6c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.046831] ==================================================================
[ 25.047332] Disabling lock debugging due to kernel taint
[ 25.047727] Kernel panic - not syncing: panic_on_warn set ...
[ 25.047727]
[ 25.048232] CPU: 3 PID: 3009 Comm: syz-executor0 Tainted: G B 4.13.0-next-20170908+ #18
[ 25.048858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 25.049412] Call Trace:
[ 25.049595]  dump_stack+0x194/0x257
[ 25.049850]  ? arch_local_irq_restore+0x53/0x53
[ 25.050229]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.050558]  ? __dev_remove_pack+0x2f0/0x3b0
[ 25.050863]  panic+0x1e4/0x417
[ 25.051085]  ? __warn+0x1d9/0x1d9
[ 25.051330]  ? __dev_remove_pack+0x305/0x3b0
[ 25.051632]  kasan_end_report+0x50/0x50
[ 25.051993]  kasan_report+0x137/0x340
[ 25.052258]  __asan_report_load8_noabort+0x14/0x20
[ 25.052599]  __dev_remove_pack+0x305/0x3b0
[ 25.052892]  ? dev_get_by_name_rcu+0x270/0x270
[ 25.053208]  ? refcount_sub_and_test+0x115/0x1b0
[ 25.053539]  __unregister_prot_hook+0x211/0x280
[ 25.053866]  packet_release+0x8bb/0xd70
[ 25.054144]  ? packet_set_ring+0x1b70/0x1b70
[ 25.054449]  ? dentry_free+0xcd/0x130
[ 25.054947]  ? rcu_read_lock_sched_held+0x108/0x120
[ 25.055260]  ? kmem_cache_free+0x249/0x280
[ 25.055555]  ? dentry_free+0xd2/0x130
[ 25.055821]  ? locks_remove_file+0x3fa/0x5a0
[ 25.056127]  ? fcntl_setlk+0x10d0/0x10d0
[ 25.056409]  ? __fsnotify_parent+0xb4/0x3a0
[ 25.056709]  ? fsnotify+0x1af0/0x1af0
[ 25.056976]  sock_release+0x8d/0x1e0
[ 25.057235]  ? sock_release+0x8d/0x1e0
[ 25.057505]  ? sock_release+0x1e0/0x1e0
[ 25.057789]  sock_close+0x16/0x20
[ 25.058028]  __fput+0x333/0x7f0
[ 25.058259]  ? fput+0x140/0x140
[ 25.058488]  ? check_same_owner+0x320/0x320
[ 25.058786]  ? _raw_spin_unlock_irq+0x27/0x70
[ 25.059099]  ____fput+0x15/0x20
[ 25.059327]  task_work_run+0x199/0x270
[ 25.059599]  ? task_work_cancel+0x210/0x210
[ 25.059899]  ? _raw_spin_unlock+0x22/0x30
[ 25.060245]  ? switch_task_namespaces+0x87/0xc0
[ 25.060670]  do_exit+0xa52/0x1b40
[ 25.060983]  ? plist_check_list+0xa0/0xa0
[ 25.061272]  ? plist_del+0x47b/0x990
[ 25.061530]  ? mm_update_next_owner+0x930/0x930
[ 25.061858]  ? plist_add+0x760/0x760
[ 25.062121]  ? check_same_owner+0x320/0x320
[ 25.062422]  ? find_held_lock+0x39/0x1d0
[ 25.062706]  ? check_noncircular+0x20/0x20
[ 25.062998]  ? lock_downgrade+0x990/0x990
[ 25.063284]  ? refill_pi_state_cache.part.6+0x2f0/0x2f0
[ 25.063662]  ? find_held_lock+0x39/0x1d0
[ 25.063946]  ? lock_downgrade+0x990/0x990
[ 25.064233]  ? recalc_sigpending_tsk+0x117/0x150
[ 25.064562]  ? recalc_sigpending+0x103/0x160
[ 25.064865]  ? recalc_sigpending_tsk+0x150/0x150
[ 25.065189]  ? get_signal+0x397/0x17e0
[ 25.065461]  do_group_exit+0x149/0x400
[ 25.065735]  ? __lock_is_held+0xbc/0x140
[ 25.066016]  ? SyS_exit+0x30/0x30
[ 25.066256]  ? _raw_spin_unlock_irq+0x27/0x70
[ 25.066565]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.066909]  get_signal+0x7e8/0x17e0
[ 25.067177]  ? ptrace_notify+0x130/0x130
[ 25.067455]  ? __fget+0xbb/0x580
[ 25.067690]  ? lock_release+0xd70/0xd70
[ 25.067966]  ? exit_robust_list+0x240/0x240
[ 25.068268]  do_signal+0x94/0x1ee0
[ 25.068515]  ? iterate_fd+0x3f0/0x3f0
[ 25.068777]  ? setup_sigcontext+0x7d0/0x7d0
[ 25.069077]  ? mntput_no_expire+0x15e/0xa90
[ 25.069371]  ? check_same_owner+0x320/0x320
[ 25.069671]  ? __fget_light+0x29d/0x390
[ 25.069945]  ? selinux_tun_dev_create+0xc0/0xc0
[ 25.070266]  ? putname+0xee/0x130
[ 25.070503]  ? selinux_netlbl_socket_setsockopt+0x10c/0x460
[ 25.070894]  ? selinux_netlbl_sock_rcv_skb+0x730/0x730
[ 25.071255]  ? exit_to_usermode_loop+0x98/0x300
[ 25.071578]  exit_to_usermode_loop+0x224/0x300
[ 25.071899]  ? trace_event_raw_event_sys_exit+0x260/0x260
[ 25.072283]  syscall_return_slowpath+0x42f/0x500
[ 25.072611]  ? prepare_exit_to_usermode+0x2c0/0x2c0
[ 25.072956]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 25.073295]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.073642]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.073970]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 25.074294] RIP: 0033:0x447299
[ 25.074514] RSP: 002b:00007fb1a8f24cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 25.075036] RAX: fffffffffffffe00 RBX: 0000000000708028 RCX: 0000000000447299
[ 25.075528] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000708028
[ 25.076271] RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
[ 25.076751] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 25.077239] R13: 0000000000000000 R14: 00007fb1a8f259c0 R15: 00007fb1a8f25700
[ 25.081631] Dumping ftrace buffer:
[ 25.081874]    (ftrace buffer empty)
[ 25.082128] Kernel Offset: disabled
[ 25.082381] Rebooting in 86400 seconds..