INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-2,10.128.0.34' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   40.504165] ==================================================================
[   40.505298] BUG: KASAN: use-after-free in tipc_group_self+0x1a2/0x1b0
[   40.506181] Read of size 4 at addr ffff8801d64e7b6c by task syzkaller219166/2994
[   40.507177]
[   40.507412] CPU: 1 PID: 2994 Comm: syzkaller219166 Not tainted 4.14.0-rc5-mm1+ #20
[   40.508421] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.509643] Call Trace:
[   40.510002]  dump_stack+0x194/0x257
[   40.510506]  ? arch_local_irq_restore+0x53/0x53
[   40.511130]  ? show_regs_print_info+0x65/0x65
[   40.511735]  ? tipc_group_self+0x1a2/0x1b0
[   40.512307]  print_address_description+0x73/0x250
[   40.512953]  ? tipc_group_self+0x1a2/0x1b0
[   40.513522]  kasan_report+0x25b/0x340
[   40.514038]  __asan_report_load4_noabort+0x14/0x20
[   40.514697]  tipc_group_self+0x1a2/0x1b0
[   40.515243]  tipc_sk_leave+0xfc/0x200
[   40.515759]  ? tipc_sk_withdraw+0x6b0/0x6b0
[   40.516338]  ? __local_bh_enable_ip+0x9d/0x160
[   40.516955]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.517627]  ? lock_sock_nested+0x91/0x110
[   40.518194]  ? trace_hardirqs_on+0xd/0x10
[   40.518770]  ? __local_bh_enable_ip+0x9d/0x160
[   40.519389]  tipc_release+0x154/0xfe0
[   40.519908]  ? mntput_no_expire+0x130/0xa90
[   40.520490]  ? tipc_sk_backlog_rcv+0x370/0x370
[   40.521140]  ? lock_release+0xa40/0xa40
[   40.521677]  ? dentry_free+0xcd/0x130
[   40.522204]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.522870]  ? kmem_cache_free+0x249/0x280
[   40.523440]  ? dentry_free+0xd2/0x130
[   40.523956]  ? locks_remove_file+0x3fa/0x5a0
[   40.524550]  ? fcntl_setlk+0x10c0/0x10c0
[   40.528581]  ? __fsnotify_parent+0xb4/0x3a0
[   40.532873]  ? fsnotify+0x1af0/0x1af0
[   40.536642]  ? rcu_note_context_switch+0x710/0x710
[   40.541543]  sock_release+0x8d/0x1e0
[   40.545225]  ? sock_release+0x1e0/0x1e0
[   40.549164]  sock_close+0x16/0x20
[   40.552585]  __fput+0x327/0x7e0
[   40.555838]  ? fput+0x140/0x140
[   40.559088]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[   40.564936]  ? _raw_spin_unlock_irq+0x27/0x70
[   40.569405]  ____fput+0x15/0x20
[   40.572655]  task_work_run+0x199/0x270
[   40.576518]  ? task_work_cancel+0x210/0x210
[   40.580809]  ? _raw_spin_unlock+0x22/0x30
[   40.584927]  ? switch_task_namespaces+0x87/0xc0
[   40.589567]  do_exit+0x9b5/0x1ad0
[   40.592994]  ? mm_update_next_owner+0x930/0x930
[   40.597631]  ? reacquire_held_locks+0x1fd/0x3d0
[   40.602269]  ? find_held_lock+0x35/0x1d0
[   40.606303]  ? release_sock+0x1d4/0x2a0
[   40.610244]  ? lock_downgrade+0x990/0x990
[   40.614359]  ? lock_downgrade+0x990/0x990
[   40.618479]  ? do_raw_spin_trylock+0x190/0x190
[   40.623035]  ? tipc_group_delete+0x2c0/0x3c0
[   40.627413]  ? __local_bh_enable_ip+0x9d/0x160
[   40.631972]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.636958]  ? trace_hardirqs_on+0xd/0x10
[   40.641074]  ? __local_bh_enable_ip+0x9d/0x160
[   40.645629]  ? release_sock+0x1d4/0x2a0
[   40.649579]  ? tipc_nametbl_build_group+0x27a/0x370
[   40.654569]  ? tipc_setsockopt+0x703/0xc00
[   40.658772]  ? tipc_sk_leave+0x200/0x200
[   40.662812]  ? security_socket_setsockopt+0x89/0xb0
[   40.667802]  ? SyS_setsockopt+0x215/0x360
[   40.671918]  do_group_exit+0x149/0x400
[   40.675771]  ? SyS_recv+0x40/0x40
[   40.679191]  ? SyS_exit+0x30/0x30
[   40.682613]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.687599]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.692325]  SyS_exit_group+0x1d/0x20
[   40.696095]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.700818] RIP: 0033:0x43e978
[   40.703976] RSP: 002b:00007fff04b458e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   40.711656] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[   40.718898] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   40.726136] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd0
[   40.733375] R10: 0000000020165fe4 R11: 0000000000000246 R12: 00000000006ca858
[   40.740631] R13: 00000000006ca858 R14: 0000000000000000 R15: 0000000000002710
[   40.747885]
[   40.749482] Allocated by task 2994:
[   40.753081]  save_stack+0x43/0xd0
[   40.756502]  kasan_kmalloc+0xad/0xe0
[   40.760190]  kmem_cache_alloc_trace+0x136/0x750
[   40.764826]  tipc_group_create+0x116/0x9c0
[   40.769025]  tipc_setsockopt+0x25e/0xc00
[   40.773051]  SyS_setsockopt+0x189/0x360
[   40.776991]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.781709]
[   40.783305] Freed by task 2994:
[   40.786552]  save_stack+0x43/0xd0
[   40.789975]  kasan_slab_free+0x71/0xc0
[   40.793830]  kfree+0xca/0x250
[   40.796902]  tipc_group_delete+0x2c0/0x3c0
[   40.801104]  tipc_setsockopt+0xb33/0xc00
[   40.805129]  SyS_setsockopt+0x189/0x360
[   40.809074]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   40.813795]
[   40.815389] The buggy address belongs to the object at ffff8801d64e7b00
[   40.815389]  which belongs to the cache kmalloc-192 of size 192
[   40.828011] The buggy address is located 108 bytes inside of
[   40.828011]  192-byte region [ffff8801d64e7b00, ffff8801d64e7bc0)
[   40.839851] The buggy address belongs to the page:
[   40.844767] page:ffffea00075939c0 count:1 mapcount:0 mapping:ffff8801d64e7000 index:0xffff8801d64e7800
[   40.854178] flags: 0x200000000000100(slab)
[   40.858384] raw: 0200000000000100 ffff8801d64e7000 ffff8801d64e7800 0000000100000007
[   40.866232] raw: ffffea00073ab920 ffff8801dac01138 ffff8801dac00040 0000000000000000
[   40.874078] page dumped because: kasan: bad access detected
[   40.879751]
[   40.881343] Memory state around the buggy address:
[   40.886236]  ffff8801d64e7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.893560]  ffff8801d64e7a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   40.900882] >ffff8801d64e7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.908207]                                                           ^
[   40.914922]  ffff8801d64e7b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   40.922246]  ffff8801d64e7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.929571] ==================================================================
[   40.936893] Disabling lock debugging due to kernel taint
[   40.942358] Kernel panic - not syncing: panic_on_warn set ...
[   40.942358]
[   40.949691] CPU: 1 PID: 2994 Comm: syzkaller219166 Tainted: G    B   4.14.0-rc5-mm1+ #20
[   40.958665] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.967985] Call Trace:
[   40.970545]  dump_stack+0x194/0x257
[   40.974139]  ? arch_local_irq_restore+0x53/0x53
[   40.978773]  ? kasan_end_report+0x32/0x50
[   40.982888]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.987609]  ? vsnprintf+0x1ed/0x1900
[   40.991377]  ? tipc_group_self+0xb0/0x1b0
[   40.995492]  panic+0x1e4/0x41c
[   40.998653]  ? refcount_error_report+0x214/0x214
[   41.003375]  ? add_taint+0x1c/0x50
[   41.006883]  ? add_taint+0x1c/0x50
[   41.010391]  ? tipc_group_self+0x1a2/0x1b0
[   41.014589]  kasan_end_report+0x50/0x50
[   41.018528]  kasan_report+0x144/0x340
[   41.022296]  __asan_report_load4_noabort+0x14/0x20
[   41.027189]  tipc_group_self+0x1a2/0x1b0
[   41.031217]  tipc_sk_leave+0xfc/0x200
[   41.034985]  ? tipc_sk_withdraw+0x6b0/0x6b0
[   41.039271]  ? __local_bh_enable_ip+0x9d/0x160
[   41.043821]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.048802]  ? lock_sock_nested+0x91/0x110
[   41.052999]  ? trace_hardirqs_on+0xd/0x10
[   41.057110]  ? __local_bh_enable_ip+0x9d/0x160
[   41.061659]  tipc_release+0x154/0xfe0
[   41.065427]  ? mntput_no_expire+0x130/0xa90
[   41.069714]  ? tipc_sk_backlog_rcv+0x370/0x370
[   41.074260]  ? lock_release+0xa40/0xa40
[   41.078202]  ? dentry_free+0xcd/0x130
[   41.081968]  ? rcu_read_lock_sched_held+0x108/0x120
[   41.086950]  ? kmem_cache_free+0x249/0x280
[   41.091148]  ? dentry_free+0xd2/0x130
[   41.094919]  ? locks_remove_file+0x3fa/0x5a0
[   41.099295]  ? fcntl_setlk+0x10c0/0x10c0
[   41.103323]  ? __fsnotify_parent+0xb4/0x3a0
[   41.107610]  ? fsnotify+0x1af0/0x1af0
[   41.111378]  ? rcu_note_context_switch+0x710/0x710
[   41.116274]  sock_release+0x8d/0x1e0
[   41.119952]  ? sock_release+0x1e0/0x1e0
[   41.123890]  sock_close+0x16/0x20
[   41.127312]  __fput+0x327/0x7e0
[   41.130561]  ? fput+0x140/0x140
[   41.133810]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[   41.139662]  ? _raw_spin_unlock_irq+0x27/0x70
[   41.144124]  ____fput+0x15/0x20
[   41.147370]  task_work_run+0x199/0x270
[   41.151226]  ? task_work_cancel+0x210/0x210
[   41.155512]  ? _raw_spin_unlock+0x22/0x30
[   41.159629]  ? switch_task_namespaces+0x87/0xc0
[   41.164265]  do_exit+0x9b5/0x1ad0
[   41.167686]  ? mm_update_next_owner+0x930/0x930
[   41.172318]  ? reacquire_held_locks+0x1fd/0x3d0
[   41.176958]  ? find_held_lock+0x35/0x1d0
[   41.180989]  ? release_sock+0x1d4/0x2a0
[   41.184927]  ? lock_downgrade+0x990/0x990
[   41.189038]  ? lock_downgrade+0x990/0x990
[   41.193153]  ? do_raw_spin_trylock+0x190/0x190
[   41.197702]  ? tipc_group_delete+0x2c0/0x3c0
[   41.202074]  ? __local_bh_enable_ip+0x9d/0x160
[   41.206624]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.211605]  ? trace_hardirqs_on+0xd/0x10
[   41.215720]  ? __local_bh_enable_ip+0x9d/0x160
[   41.220272]  ? release_sock+0x1d4/0x2a0
[   41.224217]  ? tipc_nametbl_build_group+0x27a/0x370
[   41.229203]  ? tipc_setsockopt+0x703/0xc00
[   41.233403]  ? tipc_sk_leave+0x200/0x200
[   41.237455]  ? security_socket_setsockopt+0x89/0xb0
[   41.242441]  ? SyS_setsockopt+0x215/0x360
[   41.246558]  do_group_exit+0x149/0x400
[   41.250408]  ? SyS_recv+0x40/0x40
[   41.253826]  ? SyS_exit+0x30/0x30
[   41.257244]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.262225]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   41.266947]  SyS_exit_group+0x1d/0x20
[   41.270804]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   41.275533] RIP: 0033:0x43e978
[   41.278691] RSP: 002b:00007fff04b458e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.286362] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[   41.293598] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   41.300846] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.308084] R10: 0000000020165fe4 R11: 0000000000000246 R12: 00000000006ca858
[   41.315319] R13: 00000000006ca858 R14: 0000000000000000 R15: 0000000000002710
[   41.322602] Dumping ftrace buffer:
[   41.326107]    (ftrace buffer empty)
[   41.329783] Kernel Offset: disabled
[   41.333377] Rebooting in 86400 seconds..