2017/11/11 15:41:00 parsed 1 programs
2017/11/11 15:41:00 executed programs: 0
2017/11/11 15:41:05 executed programs: 123
2017/11/11 15:41:10 executed programs: 242
2017/11/11 15:41:15 executed programs: 405
2017/11/11 15:41:20 executed programs: 594
2017/11/11 15:41:25 executed programs: 720
2017/11/11 15:41:30 executed programs: 911
2017/11/11 15:41:35 executed programs: 1073
2017/11/11 15:41:40 executed programs: 1269
2017/11/11 15:41:45 executed programs: 1464
2017/11/11 15:41:50 executed programs: 1644
2017/11/11 15:41:55 executed programs: 1816
2017/11/11 15:42:00 executed programs: 2020
2017/11/11 15:42:05 executed programs: 2251
2017/11/11 15:42:10 executed programs: 2480
2017/11/11 15:42:15 executed programs: 2650
2017/11/11 15:42:20 executed programs: 2832
syzkaller login: [  567.087429] ==================================================================
[  567.090879] BUG: KASAN: use-after-free in worker_thread+0x15bb/0x1990
[  567.093848] Read of size 8 at addr ffff88002d0e3de0 by task kworker/u8:1/1209
[  567.098411] 
[  567.099066] CPU: 0 PID: 1209 Comm: kworker/u8:1 Not tainted 4.14.0-rc8-next-20171110+ #12
[  567.102344] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[  567.105393] Call Trace:
[  567.106103]  dump_stack+0x194/0x257
[  567.107095]  ? arch_local_irq_restore+0x53/0x53
[  567.108369]  ? show_regs_print_info+0x65/0x65
[  567.109584]  ? worker_thread+0x15bb/0x1990
[  567.110563]  print_address_description+0x73/0x250
[  567.111555]  ? worker_thread+0x15bb/0x1990
[  567.112430]  kasan_report+0x25b/0x340
[  567.113218]  __asan_report_load8_noabort+0x14/0x20
[  567.114225]  worker_thread+0x15bb/0x1990
[  567.115067]  ? rcu_pm_notify+0xc0/0xc0
[  567.115742]  ? process_one_work+0x1bc0/0x1bc0
[  567.116586]  ? check_noncircular+0x20/0x20
[  567.117738]  ? lock_acquire+0x1d5/0x580
[  567.118401]  ? _raw_spin_unlock_irq+0x27/0x70
[  567.119150]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  567.120008]  ? trace_hardirqs_on+0xd/0x10
[  567.120588]  ? mmdrop+0x18/0x30
[  567.121048]  ? finish_task_switch+0x1f6/0x740
[  567.121686]  ? preempt_notifier_dec+0x20/0x20
[  567.122336]  ? __schedule+0x8f3/0x2060
[  567.122897]  ? find_held_lock+0x39/0x1d0
[  567.123482]  ? find_held_lock+0x39/0x1d0
[  567.124076]  ? lock_downgrade+0x990/0x990
[  567.124675]  ? default_wake_function+0x30/0x50
[  567.125298]  ? __schedule+0x2060/0x2060
[  567.125785]  ? do_wait_intr+0x3a0/0x3e0
[  567.126275]  ? lockdep_init_map+0x3d/0x70
[  567.126792]  ? __raw_spin_lock_init+0x2d/0x100
[  567.127363]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[  567.128001]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  567.128621]  ? trace_hardirqs_on+0xd/0x10
[  567.129136]  ? __kthread_parkme+0x175/0x240
[  567.129662]  kthread+0x37a/0x440
[  567.130080]  ? process_one_work+0x1bc0/0x1bc0
[  567.130568]  ? kthread_stop+0x7b0/0x7b0
[  567.131003]  ret_from_fork+0x24/0x30
[  567.131419] 
[  567.131598] Allocated by task 11866:
[  567.132006]  save_stack+0x43/0xd0
[  567.132382]  kasan_kmalloc+0xad/0xe0
[  567.132787]  kasan_slab_alloc+0x12/0x20
[  567.133220]  kmem_cache_alloc+0x12e/0x760
[  567.133671]  kcm_ioctl+0x2d1/0x1610
[  567.134064]  sock_do_ioctl+0x65/0xb0
[  567.134466]  sock_ioctl+0x2c2/0x440
[  567.134859]  do_vfs_ioctl+0x1b1/0x1530
[  567.135259]  SyS_ioctl+0x8f/0xc0
[  567.135585]  entry_SYSCALL_64_fastpath+0x1f/0x96
[  567.136041] 
[  567.136200] Freed by task 11867:
[  567.136525]  save_stack+0x43/0xd0
[  567.136856]  kasan_slab_free+0x71/0xc0
[  567.137231]  kmem_cache_free+0x77/0x280
[  567.137614]  kcm_unattach+0xe50/0x1510
[  567.138476]  kcm_ioctl+0xdf0/0x1610
[  567.138826]  sock_do_ioctl+0x65/0xb0
[  567.139183]  sock_ioctl+0x2c2/0x440
[  567.139529]  do_vfs_ioctl+0x1b1/0x1530
[  567.139886]  SyS_ioctl+0x8f/0xc0
[  567.140205]  entry_SYSCALL_64_fastpath+0x1f/0x96
[  567.140650] 
[  567.140807] The buggy address belongs to the object at ffff88002d0e3d00
[  567.140807]  which belongs to the cache kcm_psock_cache of size 576
[  567.142026] The buggy address is located 224 bytes inside of
[  567.142026]  576-byte region [ffff88002d0e3d00, ffff88002d0e3f40)
[  567.143149] The buggy address belongs to the page:
[  567.143617] page:ffffea0000b43880 count:1 mapcount:0 mapping:ffff88002d0e2180 index:0x0 compound_mapcount: 0
[  567.144592] flags: 0x100000000008100(slab|head)
[  567.145106] raw: 0100000000008100 ffff88002d0e2180 0000000000000000 000000010000000b
[  567.145938] raw: ffffea0000b14920 ffffea0000b27e20 ffff88002b0089c0 0000000000000000
[  567.146793] page dumped because: kasan: bad access detected
[  567.147388] 
[  567.147584] Memory state around the buggy address:
[  567.148110]  ffff88002d0e3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  567.148888]  ffff88002d0e3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  567.149692] >ffff88002d0e3d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  567.150482]                                                        ^
[  567.151219]  ffff88002d0e3e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  567.151940]  ffff88002d0e3e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  567.152694] ==================================================================
[  567.153517] Disabling lock debugging due to kernel taint
[  567.154132] Kernel panic - not syncing: panic_on_warn set ...
[  567.154132] 
[  567.154876] CPU: 0 PID: 1209 Comm: kworker/u8:1 Tainted: G    B            4.14.0-rc8-next-20171110+ #12
[  567.155888] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[  567.156784] Call Trace:
[  567.157049]  dump_stack+0x194/0x257
[  567.157413]  ? arch_local_irq_restore+0x53/0x53
[  567.157890]  ? vprintk_default+0x28/0x30
[  567.158321]  ? vsnprintf+0x1ed/0x1900
[  567.158780]  ? worker_thread+0x15a0/0x1990
[  567.159759]  panic+0x1e4/0x41c
[  567.160116]  ? refcount_error_report+0x214/0x214
[  567.160599]  ? add_taint+0x40/0x50
[  567.160952]  ? worker_thread+0x15bb/0x1990
[  567.161424]  kasan_end_report+0x50/0x50
[  567.161830]  kasan_report+0x144/0x340
[  567.162224]  __asan_report_load8_noabort+0x14/0x20
[  567.162710]  worker_thread+0x15bb/0x1990
[  567.163115]  ? rcu_pm_notify+0xc0/0xc0
[  567.163526]  ? process_one_work+0x1bc0/0x1bc0
[  567.164003]  ? check_noncircular+0x20/0x20
[  567.164424]  ? lock_acquire+0x1d5/0x580
[  567.164836]  ? _raw_spin_unlock_irq+0x27/0x70
[  567.165300]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  567.165824]  ? trace_hardirqs_on+0xd/0x10
[  567.166307]  ? mmdrop+0x18/0x30
[  567.166656]  ? finish_task_switch+0x1f6/0x740
[  567.167105]  ? preempt_notifier_dec+0x20/0x20
[  567.167545]  ? __schedule+0x8f3/0x2060
[  567.167946]  ? find_held_lock+0x39/0x1d0
[  567.168336]  ? find_held_lock+0x39/0x1d0
[  567.168754]  ? lock_downgrade+0x990/0x990
[  567.169220]  ? default_wake_function+0x30/0x50
[  567.169726]  ? __schedule+0x2060/0x2060
[  567.170144]  ? do_wait_intr+0x3a0/0x3e0
[  567.170616]  ? lockdep_init_map+0x3d/0x70
[  567.171024]  ? __raw_spin_lock_init+0x2d/0x100
[  567.171516]  ? _raw_spin_unlock_irqrestore+0x31/0xba
[  567.172031]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  567.172627]  ? trace_hardirqs_on+0xd/0x10
[  567.173102]  ? __kthread_parkme+0x175/0x240
[  567.173543]  kthread+0x37a/0x440
[  567.173893]  ? process_one_work+0x1bc0/0x1bc0
[  567.174347]  ? kthread_stop+0x7b0/0x7b0
[  567.174781]  ret_from_fork+0x24/0x30
[  567.175293] Dumping ftrace buffer:
[  567.175636]    (ftrace buffer empty)
[  567.175997] Kernel Offset: disabled
[  567.176349] Rebooting in 86400 seconds..