2017/09/07 16:49:39 parsed 1 programs 2017/09/07 16:49:39 executed programs: 0 syzkaller login: [ 35.897143] dev_remove_pack: ffff88006af511c0 not found [ 35.929703] ================================================================== [ 35.930277] BUG: KASAN: use-after-free in __list_add_valid+0xb1/0xd0 [ 35.930778] Read of size 8 at addr ffff88003b795470 by task syz-executor0/3205 [ 35.931305] [ 35.931428] CPU: 0 PID: 3205 Comm: syz-executor0 Not tainted 4.13.0-next-20170907+ #17 [ 35.932071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 35.932841] Call Trace: [ 35.933129] dump_stack+0x194/0x257 [ 35.933475] ? arch_local_irq_restore+0x53/0x53 [ 35.933835] ? show_regs_print_info+0x65/0x65 [ 35.934227] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 35.934666] ? __list_add_valid+0xb1/0xd0 [ 35.935029] print_address_description+0x73/0x250 [ 35.935447] ? __list_add_valid+0xb1/0xd0 [ 35.935987] kasan_report+0x24e/0x340 [ 35.936387] __asan_report_load8_noabort+0x14/0x20 [ 35.936889] __list_add_valid+0xb1/0xd0 [ 35.937266] dev_add_pack+0x113/0x2b0 [ 35.937574] ? napi_skb_free_stolen_head+0x170/0x170 [ 35.938062] ? __lockdep_init_map+0xe4/0x650 [ 35.938478] ? lockdep_init_map+0x3d/0x70 [ 35.938867] register_prot_hook.part.49+0x95/0xb0 [ 35.939314] packet_create+0x820/0xb00 [ 35.939685] ? sock_destroy_inode+0x70/0x70 [ 35.940091] ? register_prot_hook.part.49+0xb0/0xb0 [ 35.940555] ? __sock_create+0x211/0x850 [ 35.940931] ? module_unload_free+0x5b0/0x5b0 [ 35.941331] ? lock_release+0xd70/0xd70 [ 35.941669] ? __lock_is_held+0xbc/0x140 [ 35.942052] __sock_create+0x4d4/0x850 [ 35.942416] ? ___sys_recvmsg+0x630/0x630 [ 35.942806] ? __do_page_fault+0xb60/0xb60 [ 35.943201] ? SyS_futex+0x260/0x390 [ 35.943549] ? SyS_futex+0x269/0x390 [ 35.943914] SyS_socket+0xeb/0x200 [ 35.944244] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 35.944697] ? move_addr_to_kernel+0x60/0x60 [ 35.945108] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 35.945578] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 35.946022] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 35.946458] RIP: 0033:0x447299 [ 35.946756] RSP: 002b:00007f577370cc08 EFLAGS: 00000286 ORIG_RAX: 0000000000000029 [ 35.947468] RAX: ffffffffffffffda RBX: 0004000000000011 RCX: 0000000000447299 [ 35.948145] RDX: 0000000000000005 RSI: 0000000100000802 RDI: 0004000000000011 [ 35.949490] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 [ 35.950163] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000000 [ 35.950753] R13: 0000000000000000 R14: 00007f577370d9c0 R15: 00007f577370d700 [ 35.951464] [ 35.951621] Allocated by task 3203: [ 35.951985] save_stack_trace+0x16/0x20 [ 35.952362] save_stack+0x43/0xd0 [ 35.952685] kasan_kmalloc+0xad/0xe0 [ 35.953031] kmem_cache_alloc_trace+0x136/0x750 [ 35.953463] fanout_add+0xa50/0x1190 [ 35.953809] packet_setsockopt+0xfdc/0x1e80 [ 35.954205] SyS_setsockopt+0x189/0x360 [ 35.954570] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 35.954959] [ 35.955113] Freed by task 3202: [ 35.955346] save_stack_trace+0x16/0x20 [ 35.955715] save_stack+0x43/0xd0 [ 35.956041] kasan_slab_free+0x71/0xc0 [ 35.956399] kfree+0xca/0x250 [ 35.956686] packet_release+0xa8f/0xd70 [ 35.957052] sock_release+0x8d/0x1e0 [ 35.957395] sock_close+0x16/0x20 [ 35.957715] __fput+0x333/0x7f0 [ 35.958016] ____fput+0x15/0x20 [ 35.958320] task_work_run+0x199/0x270 [ 35.958679] do_exit+0xa52/0x1b40 [ 35.959028] do_group_exit+0x149/0x400 [ 35.959391] get_signal+0x7e8/0x17e0 [ 35.959743] do_signal+0x94/0x1ee0 [ 35.960081] exit_to_usermode_loop+0x224/0x300 [ 35.960501] syscall_return_slowpath+0x42f/0x500 [ 35.960937] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 35.961372] [ 35.961526] The buggy address belongs to the object at ffff88003b794bc0 [ 35.961526] which belongs to the cache kmalloc-4096 of size 4096 [ 35.962693] The buggy address is located 2224 bytes inside of [ 35.962693] 4096-byte region [ffff88003b794bc0, ffff88003b795bc0) [ 35.963801] The buggy address belongs to the page: [ 35.964256] page:ffffea0000ede500 count:1 mapcount:0 mapping:ffff88003b794bc0 index:0x0 compound_mapcount: 0 [ 35.965165] flags: 0x100000000008100(slab|head) [ 35.965592] raw: 0100000000008100 ffff88003b794bc0 0000000000000000 0000000100000001 [ 35.966306] raw: ffffea0000efda20 ffff88003e801a50 ffff88003e800dc0 0000000000000000 [ 35.967073] page dumped because: kasan: bad access detected [ 35.967597] [ 35.967750] Memory state around the buggy address: [ 35.968204] ffff88003b795300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.968872] ffff88003b795380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.969541] >ffff88003b795400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.970637] ^ [ 35.971283] ffff88003b795480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.971965] ffff88003b795500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 35.972636] ================================================================== [ 35.973307] Disabling lock debugging due to kernel taint [ 35.973839] Kernel panic - not syncing: panic_on_warn set ... [ 35.973839] [ 35.974524] CPU: 0 PID: 3205 Comm: syz-executor0 Tainted: G B 4.13.0-next-20170907+ #17 [ 35.975374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 35.976139] Call Trace: [ 35.976386] dump_stack+0x194/0x257 [ 35.976720] ? arch_local_irq_restore+0x53/0x53 [ 35.977147] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 35.977582] ? assoc_array_gc+0x13c0/0x13c0 [ 35.977976] panic+0x1e4/0x417 [ 35.978267] ? __warn+0x1d9/0x1d9 [ 35.978588] ? __list_add_valid+0xb1/0xd0 [ 35.978974] kasan_end_report+0x50/0x50 [ 35.979339] kasan_report+0x137/0x340 [ 35.979687] __asan_report_load8_noabort+0x14/0x20 [ 35.980140] __list_add_valid+0xb1/0xd0 [ 35.980503] dev_add_pack+0x113/0x2b0 [ 35.980849] ? napi_skb_free_stolen_head+0x170/0x170 [ 35.981310] ? __lockdep_init_map+0xe4/0x650 [ 35.981711] ? lockdep_init_map+0x3d/0x70 [ 35.982091] register_prot_hook.part.49+0x95/0xb0 [ 35.982531] packet_create+0x820/0xb00 [ 35.982896] ? sock_destroy_inode+0x70/0x70 [ 35.983293] ? register_prot_hook.part.49+0xb0/0xb0 [ 35.983752] ? __sock_create+0x211/0x850 [ 35.984129] ? module_unload_free+0x5b0/0x5b0 [ 35.984541] ? lock_release+0xd70/0xd70 [ 35.984903] ? __lock_is_held+0xbc/0x140 [ 35.985276] __sock_create+0x4d4/0x850 [ 35.985630] ? ___sys_recvmsg+0x630/0x630 [ 35.986008] ? __do_page_fault+0xb60/0xb60 [ 35.986395] ? SyS_futex+0x260/0x390 [ 35.986731] ? SyS_futex+0x269/0x390 [ 35.987070] SyS_socket+0xeb/0x200 [ 35.987396] ? entry_SYSCALL_64_fastpath+0x5/0xbe [ 35.987844] ? move_addr_to_kernel+0x60/0x60 [ 35.988245] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 35.988701] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 35.989137] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 35.989568] RIP: 0033:0x447299 [ 35.989858] RSP: 002b:00007f577370cc08 EFLAGS: 00000286 ORIG_RAX: 0000000000000029 [ 35.990554] RAX: ffffffffffffffda RBX: 0004000000000011 RCX: 0000000000447299 [ 35.991585] RDX: 0000000000000005 RSI: 0000000100000802 RDI: 0004000000000011 [ 35.992263] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 [ 35.992923] R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000000 [ 35.993590] R13: 0000000000000000 R14: 00007f577370d9c0 R15: 00007f577370d700 [ 35.994349] Dumping ftrace buffer: [ 35.994676] (ftrace buffer empty) [ 35.995019] Kernel Offset: disabled [ 35.995356] Rebooting in 86400 seconds..