2017/11/11 15:41:00 parsed 1 programs
2017/11/11 15:41:00 executed programs: 0
2017/11/11 15:41:05 executed programs: 123
2017/11/11 15:41:10 executed programs: 242
2017/11/11 15:41:15 executed programs: 405
2017/11/11 15:41:20 executed programs: 594
2017/11/11 15:41:25 executed programs: 720
2017/11/11 15:41:30 executed programs: 911
2017/11/11 15:41:35 executed programs: 1073
2017/11/11 15:41:40 executed programs: 1269
2017/11/11 15:41:45 executed programs: 1464
2017/11/11 15:41:50 executed programs: 1644
2017/11/11 15:41:55 executed programs: 1816
2017/11/11 15:42:00 executed programs: 2020
2017/11/11 15:42:05 executed programs: 2251
2017/11/11 15:42:10 executed programs: 2480
2017/11/11 15:42:15 executed programs: 2650
2017/11/11 15:42:20 executed programs: 2832
syzkaller login: [ 567.087429] ==================================================================
[ 567.090879] BUG: KASAN: use-after-free in worker_thread+0x15bb/0x1990
[ 567.093848] Read of size 8 at addr ffff88002d0e3de0 by task kworker/u8:1/1209
[ 567.098411]
[ 567.099066] CPU: 0 PID: 1209 Comm: kworker/u8:1 Not tainted 4.14.0-rc8-next-20171110+ #12
[ 567.102344] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 567.105393] Call Trace:
[ 567.106103]  dump_stack+0x194/0x257
[ 567.107095]  ? arch_local_irq_restore+0x53/0x53
[ 567.108369]  ? show_regs_print_info+0x65/0x65
[ 567.109584]  ? worker_thread+0x15bb/0x1990
[ 567.110563]  print_address_description+0x73/0x250
[ 567.111555]  ? worker_thread+0x15bb/0x1990
[ 567.112430]  kasan_report+0x25b/0x340
[ 567.113218]  __asan_report_load8_noabort+0x14/0x20
[ 567.114225]  worker_thread+0x15bb/0x1990
[ 567.115067]  ? rcu_pm_notify+0xc0/0xc0
[ 567.115742]  ? process_one_work+0x1bc0/0x1bc0
[ 567.116586]  ? check_noncircular+0x20/0x20
[ 567.117738]  ? lock_acquire+0x1d5/0x580
[ 567.118401]  ? _raw_spin_unlock_irq+0x27/0x70
[ 567.119150]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 567.120008]  ? trace_hardirqs_on+0xd/0x10
[ 567.120588]  ? mmdrop+0x18/0x30
[ 567.121048]  ? finish_task_switch+0x1f6/0x740
[ 567.121686]  ? preempt_notifier_dec+0x20/0x20
[ 567.122336]  ? __schedule+0x8f3/0x2060
[ 567.122897]  ? find_held_lock+0x39/0x1d0
[ 567.123482]  ? find_held_lock+0x39/0x1d0
[ 567.124076]  ? lock_downgrade+0x990/0x990
[ 567.124675]  ? default_wake_function+0x30/0x50
[ 567.125298]  ? __schedule+0x2060/0x2060
[ 567.125785]  ? do_wait_intr+0x3a0/0x3e0
[ 567.126275]  ? lockdep_init_map+0x3d/0x70
[ 567.126792]  ? __raw_spin_lock_init+0x2d/0x100
[ 567.127363]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 567.128001]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 567.128621]  ? trace_hardirqs_on+0xd/0x10
[ 567.129136]  ? __kthread_parkme+0x175/0x240
[ 567.129662]  kthread+0x37a/0x440
[ 567.130080]  ? process_one_work+0x1bc0/0x1bc0
[ 567.130568]  ? kthread_stop+0x7b0/0x7b0
[ 567.131003]  ret_from_fork+0x24/0x30
[ 567.131419]
[ 567.131598] Allocated by task 11866:
[ 567.132006]  save_stack+0x43/0xd0
[ 567.132382]  kasan_kmalloc+0xad/0xe0
[ 567.132787]  kasan_slab_alloc+0x12/0x20
[ 567.133220]  kmem_cache_alloc+0x12e/0x760
[ 567.133671]  kcm_ioctl+0x2d1/0x1610
[ 567.134064]  sock_do_ioctl+0x65/0xb0
[ 567.134466]  sock_ioctl+0x2c2/0x440
[ 567.134859]  do_vfs_ioctl+0x1b1/0x1530
[ 567.135259]  SyS_ioctl+0x8f/0xc0
[ 567.135585]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 567.136041]
[ 567.136200] Freed by task 11867:
[ 567.136525]  save_stack+0x43/0xd0
[ 567.136856]  kasan_slab_free+0x71/0xc0
[ 567.137231]  kmem_cache_free+0x77/0x280
[ 567.137614]  kcm_unattach+0xe50/0x1510
[ 567.138476]  kcm_ioctl+0xdf0/0x1610
[ 567.138826]  sock_do_ioctl+0x65/0xb0
[ 567.139183]  sock_ioctl+0x2c2/0x440
[ 567.139529]  do_vfs_ioctl+0x1b1/0x1530
[ 567.139886]  SyS_ioctl+0x8f/0xc0
[ 567.140205]  entry_SYSCALL_64_fastpath+0x1f/0x96
[ 567.140650]
[ 567.140807] The buggy address belongs to the object at ffff88002d0e3d00
[ 567.140807]  which belongs to the cache kcm_psock_cache of size 576
[ 567.142026] The buggy address is located 224 bytes inside of
[ 567.142026]  576-byte region [ffff88002d0e3d00, ffff88002d0e3f40)
[ 567.143149] The buggy address belongs to the page:
[ 567.143617] page:ffffea0000b43880 count:1 mapcount:0 mapping:ffff88002d0e2180 index:0x0 compound_mapcount: 0
[ 567.144592] flags: 0x100000000008100(slab|head)
[ 567.145106] raw: 0100000000008100 ffff88002d0e2180 0000000000000000 000000010000000b
[ 567.145938] raw: ffffea0000b14920 ffffea0000b27e20 ffff88002b0089c0 0000000000000000
[ 567.146793] page dumped because: kasan: bad access detected
[ 567.147388]
[ 567.147584] Memory state around the buggy address:
[ 567.148110]  ffff88002d0e3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 567.148888]  ffff88002d0e3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 567.149692] >ffff88002d0e3d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 567.150482]                                                        ^
[ 567.151219]  ffff88002d0e3e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 567.151940]  ffff88002d0e3e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 567.152694] ==================================================================
[ 567.153517] Disabling lock debugging due to kernel taint
[ 567.154132] Kernel panic - not syncing: panic_on_warn set ...
[ 567.154132]
[ 567.154876] CPU: 0 PID: 1209 Comm: kworker/u8:1 Tainted: G B 4.14.0-rc8-next-20171110+ #12
[ 567.155888] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 567.156784] Call Trace:
[ 567.157049]  dump_stack+0x194/0x257
[ 567.157413]  ? arch_local_irq_restore+0x53/0x53
[ 567.157890]  ? vprintk_default+0x28/0x30
[ 567.158321]  ? vsnprintf+0x1ed/0x1900
[ 567.158780]  ? worker_thread+0x15a0/0x1990
[ 567.159759]  panic+0x1e4/0x41c
[ 567.160116]  ? refcount_error_report+0x214/0x214
[ 567.160599]  ? add_taint+0x40/0x50
[ 567.160952]  ? worker_thread+0x15bb/0x1990
[ 567.161424]  kasan_end_report+0x50/0x50
[ 567.161830]  kasan_report+0x144/0x340
[ 567.162224]  __asan_report_load8_noabort+0x14/0x20
[ 567.162710]  worker_thread+0x15bb/0x1990
[ 567.163115]  ? rcu_pm_notify+0xc0/0xc0
[ 567.163526]  ? process_one_work+0x1bc0/0x1bc0
[ 567.164003]  ? check_noncircular+0x20/0x20
[ 567.164424]  ? lock_acquire+0x1d5/0x580
[ 567.164836]  ? _raw_spin_unlock_irq+0x27/0x70
[ 567.165300]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 567.165824]  ? trace_hardirqs_on+0xd/0x10
[ 567.166307]  ? mmdrop+0x18/0x30
[ 567.166656]  ? finish_task_switch+0x1f6/0x740
[ 567.167105]  ? preempt_notifier_dec+0x20/0x20
[ 567.167545]  ? __schedule+0x8f3/0x2060
[ 567.167946]  ? find_held_lock+0x39/0x1d0
[ 567.168336]  ? find_held_lock+0x39/0x1d0
[ 567.168754]  ? lock_downgrade+0x990/0x990
[ 567.169220]  ? default_wake_function+0x30/0x50
[ 567.169726]  ? __schedule+0x2060/0x2060
[ 567.170144]  ? do_wait_intr+0x3a0/0x3e0
[ 567.170616]  ? lockdep_init_map+0x3d/0x70
[ 567.171024]  ? __raw_spin_lock_init+0x2d/0x100
[ 567.171516]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[ 567.172031]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 567.172627]  ? trace_hardirqs_on+0xd/0x10
[ 567.173102]  ? __kthread_parkme+0x175/0x240
[ 567.173543]  kthread+0x37a/0x440
[ 567.173893]  ? process_one_work+0x1bc0/0x1bc0
[ 567.174347]  ? kthread_stop+0x7b0/0x7b0
[ 567.174781]  ret_from_fork+0x24/0x30
[ 567.175293] Dumping ftrace buffer:
[ 567.175636]    (ftrace buffer empty)
[ 567.175997] Kernel Offset: disabled
[ 567.176349] Rebooting in 86400 seconds..