executing program
syzkaller login: [ 25.613754] ==================================================================
[ 25.614464] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 25.615201] Read of size 4 at addr ffff88003b898810 by task syzkaller515330/3010
[ 25.615991]
[ 25.616146] CPU: 3 PID: 3010 Comm: syzkaller515330 Not tainted 4.13.0-next-20170908+ #18
[ 25.616703] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 25.617254] Call Trace:
[ 25.617441] dump_stack+0x194/0x257
[ 25.617698] ? arch_local_irq_restore+0x53/0x53
[ 25.618033] ? show_regs_print_info+0x65/0x65
[ 25.618351] ? lock_release+0xd70/0xd70
[ 25.618630] ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 25.619009] print_address_description+0x73/0x250
[ 25.619346] ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 25.619724] kasan_report+0x24e/0x340
[ 25.619990] __asan_report_load4_noabort+0x14/0x20
[ 25.620333] tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 25.620704] tipc_sendmcast+0x704/0xe30
[ 25.620982] ? unwind_dump+0x4c0/0x4c0
[ 25.621263] ? tipc_release+0xfd0/0xfd0
[ 25.621543] ? unwind_get_return_address+0x61/0xa0
[ 25.621887] ? __is_insn_slot_addr+0x1fc/0x330
[ 25.622213] ? lock_downgrade+0x990/0x990
[ 25.622507] ? __sys_sendmsg+0xe5/0x210
[ 25.622794] ? lock_release+0xd70/0xd70
[ 25.623072] ? __read_once_size_nocheck.constprop.8+0x10/0x10
[ 25.623478] ? is_bpf_text_address+0x7b/0x120
[ 25.623793] ? lock_downgrade+0x990/0x990
[ 25.624085] ? show_initstate+0xb0/0xb0
[ 25.624364] ? __bfs+0xaa/0x750
[ 25.624602] ? noop_count+0x40/0x40
[ 25.624861] __tipc_sendmsg+0xf49/0x1590
[ 25.625144] ? __tipc_sendmsg+0xf49/0x1590
[ 25.625438] ? unwind_dump+0x4c0/0x4c0
[ 25.625718] ? tipc_sendmcast+0xe30/0xe30
[ 25.626016] ? is_bpf_text_address+0xa4/0x120
[ 25.626331] ? check_usage_backwards+0x20a/0x420
[ 25.626663] ? print_shortest_lock_dependencies+0x350/0x350
[ 25.627065] ? save_stack_trace+0x16/0x20
[ 25.627355] ? save_trace+0x11f/0x350
[ 25.627625] ? mark_held_locks+0xb2/0x100
[ 25.627915] ? __raw_spin_lock_init+0x1c/0x100
[ 25.628235] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.628582] ? __lockdep_init_map+0xe4/0x650
[ 25.628890] ? lockdep_init_map+0x3d/0x70
[ 25.629183] __tipc_sendstream+0x8eb/0xc00
[ 25.629793] ? find_held_lock+0x39/0x1d0
[ 25.630089] ? tipc_connect+0x6d0/0x6d0
[ 25.630365] ? lock_downgrade+0x990/0x990
[ 25.630657] ? lock_acquire+0x1d5/0x580
[ 25.630933] ? tipc_sendstream+0x42/0x70
[ 25.631222] ? mark_held_locks+0xb2/0x100
[ 25.631517] ? __local_bh_enable_ip+0x9d/0x160
[ 25.631838] tipc_sendstream+0x50/0x70
[ 25.632110] tipc_send_packet+0x33/0x50
[ 25.632386] ? tipc_sendstream+0x70/0x70
[ 25.632669] sock_sendmsg+0xca/0x110
[ 25.632932] ___sys_sendmsg+0x75b/0x8a0
[ 25.633261] ? copy_msghdr_from_user+0x590/0x590
[ 25.633687] ? lock_downgrade+0x990/0x990
[ 25.634073] ? __fget_light+0x29d/0x390
[ 25.634433] ? fget_raw+0x20/0x20
[ 25.634750] ? handle_mm_fault+0x410/0x8d0
[ 25.635131] ? __do_page_fault+0x2b8/0xb60
[ 25.635525] ? __fdget+0x18/0x20
[ 25.635834] __sys_sendmsg+0xe5/0x210
[ 25.636175] ? __sys_sendmsg+0xe5/0x210
[ 25.636535] ? SyS_shutdown+0x290/0x290
[ 25.636811] ? __do_page_fault+0xb60/0xb60
[ 25.637112] ? fd_install+0x4d/0x60
[ 25.637374] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.637723] SyS_sendmsg+0x2d/0x50
[ 25.637977] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 25.638304] RIP: 0033:0x434f59
[ 25.638526] RSP: 002b:00007fff014b08f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 25.639055] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000434f59
[ 25.639554] RDX: 0000000000000004 RSI: 00000000207ca000 RDI: 0000000000000003
[ 25.640061] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 25.640559] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 25.641053] R13: 00000000004018d0 R14: 0000000000401960 R15: 0000000000000000
[ 25.641562]
[ 25.641681] Allocated by task 1:
[ 25.641919] save_stack_trace+0x16/0x20
[ 25.642382] save_stack+0x43/0xd0
[ 25.642781] kasan_kmalloc+0xad/0xe0
[ 25.643076] kmem_cache_alloc_trace+0x136/0x750
[ 25.643399] tipc_nameseq_create+0xe8/0x540
[ 25.643682] tipc_nametbl_insert_publ+0xf77/0x17c0
[ 25.644023] tipc_nametbl_publish+0x2aa/0x4f0
[ 25.644346] tipc_bind+0x33a/0x700
[ 25.644630] kernel_bind+0x62/0x80
[ 25.644888] tipc_server_start+0x3a1/0xb60
[ 25.645240] tipc_topsrv_start+0x64f/0x890
[ 25.645540] tipc_init_net+0x3cc/0x570
[ 25.645878] ops_init+0x10a/0x570
[ 25.646205] register_pernet_operations+0x45e/0x980
[ 25.646640] register_pernet_subsys+0x2a/0x40
[ 25.646949] tipc_init+0x83/0x104
[ 25.647188] do_one_initcall+0x9e/0x330
[ 25.647461] kernel_init_freeable+0x469/0x521
[ 25.647769] kernel_init+0x13/0x172
[ 25.648018] ret_from_fork+0x2a/0x40
[ 25.648271]
[ 25.648386] Freed by task 0:
[ 25.648593] (stack is not available)
[ 25.648845]
[ 25.648960] The buggy address belongs to the object at ffff88003b898800
[ 25.648960] which belongs to the cache kmalloc-32 of size 32
[ 25.649802] The buggy address is located 16 bytes inside of
[ 25.649802] 32-byte region [ffff88003b898800, ffff88003b898820)
[ 25.650617] The buggy address belongs to the page:
[ 25.651412] page:ffffea0000ee2600 count:1 mapcount:0 mapping:ffff88003b898000 index:0xffff88003b898fc1
[ 25.652057] flags: 0x100000000000100(slab)
[ 25.652350] raw: 0100000000000100 ffff88003b898000 ffff88003b898fc1 0000000100000034
[ 25.652890] raw: ffffea0000efc5a0 ffffea0000f1fda0 ffff88003e8001c0 0000000000000000
[ 25.653421] page dumped because: kasan: bad access detected
[ 25.653809]
[ 25.653923] Memory state around the buggy address:
[ 25.654273] ffff88003b898700: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
[ 25.654773] ffff88003b898780: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 25.655270] >ffff88003b898800: 00 00 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[ 25.655772] ^
[ 25.656040] ffff88003b898880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 25.656539] ffff88003b898900: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 25.657038] ==================================================================
[ 25.657536] Disabling lock debugging due to kernel taint
[ 25.657921] Kernel panic - not syncing: panic_on_warn set ...
[ 25.657921]
[ 25.658424] CPU: 3 PID: 3010 Comm: syzkaller515330 Tainted: G B 4.13.0-next-20170908+ #18
[ 25.659063] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 25.659616] Call Trace:
[ 25.659798] dump_stack+0x194/0x257
[ 25.660047] ? arch_local_irq_restore+0x53/0x53
[ 25.660364] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 25.660693] ? tipc_nametbl_lookup_dst_nodes+0x4a0/0x4b0
[ 25.661060] panic+0x1e4/0x417
[ 25.661276] ? __warn+0x1d9/0x1d9
[ 25.661516] ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 25.661891] kasan_end_report+0x50/0x50
[ 25.662163] kasan_report+0x137/0x340
[ 25.662427] __asan_report_load4_noabort+0x14/0x20
[ 25.662760] tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 25.663120] tipc_sendmcast+0x704/0xe30
[ 25.663378] ? unwind_dump+0x4c0/0x4c0
[ 25.663646] ? tipc_release+0xfd0/0xfd0
[ 25.663916] ? unwind_get_return_address+0x61/0xa0
[ 25.664250] ? __is_insn_slot_addr+0x1fc/0x330
[ 25.664597] ? lock_downgrade+0x990/0x990
[ 25.664883] ? __sys_sendmsg+0xe5/0x210
[ 25.665159] ? lock_release+0xd70/0xd70
[ 25.665430] ? __read_once_size_nocheck.constprop.8+0x10/0x10
[ 25.665822] ? is_bpf_text_address+0x7b/0x120
[ 25.666140] ? lock_downgrade+0x990/0x990
[ 25.666420] ? show_initstate+0xb0/0xb0
[ 25.666689] ? __bfs+0xaa/0x750
[ 25.666915] ? noop_count+0x40/0x40
[ 25.667163] __tipc_sendmsg+0xf49/0x1590
[ 25.667431] ? __tipc_sendmsg+0xf49/0x1590
[ 25.667723] ? unwind_dump+0x4c0/0x4c0
[ 25.668084] ? tipc_sendmcast+0xe30/0xe30
[ 25.668450] ? is_bpf_text_address+0xa4/0x120
[ 25.668886] ? check_usage_backwards+0x20a/0x420
[ 25.669386] ? print_shortest_lock_dependencies+0x350/0x350
[ 25.669987] ? save_stack_trace+0x16/0x20
[ 25.670423] ? save_trace+0x11f/0x350
[ 25.670825] ? mark_held_locks+0xb2/0x100
[ 25.671242] ? __raw_spin_lock_init+0x1c/0x100
[ 25.671701] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.672204] ? __lockdep_init_map+0xe4/0x650
[ 25.672939] ? lockdep_init_map+0x3d/0x70
[ 25.673380] __tipc_sendstream+0x8eb/0xc00
[ 25.673828] ? find_held_lock+0x39/0x1d0
[ 25.674271] ? tipc_connect+0x6d0/0x6d0
[ 25.674687] ? lock_downgrade+0x990/0x990
[ 25.675127] ? lock_acquire+0x1d5/0x580
[ 25.675540] ? tipc_sendstream+0x42/0x70
[ 25.675933] ? mark_held_locks+0xb2/0x100
[ 25.676220] ? __local_bh_enable_ip+0x9d/0x160
[ 25.676534] tipc_sendstream+0x50/0x70
[ 25.676814] tipc_send_packet+0x33/0x50
[ 25.677086] ? tipc_sendstream+0x70/0x70
[ 25.677363] sock_sendmsg+0xca/0x110
[ 25.677661] ___sys_sendmsg+0x75b/0x8a0
[ 25.677948] ? copy_msghdr_from_user+0x590/0x590
[ 25.678276] ? lock_downgrade+0x990/0x990
[ 25.678684] ? __fget_light+0x29d/0x390
[ 25.679100] ? fget_raw+0x20/0x20
[ 25.679374] ? handle_mm_fault+0x410/0x8d0
[ 25.679663] ? __do_page_fault+0x2b8/0xb60
[ 25.679978] ? __fdget+0x18/0x20
[ 25.680210] __sys_sendmsg+0xe5/0x210
[ 25.680468] ? __sys_sendmsg+0xe5/0x210
[ 25.680739] ? SyS_shutdown+0x290/0x290
[ 25.681038] ? __do_page_fault+0xb60/0xb60
[ 25.681331] ? fd_install+0x4d/0x60
[ 25.681583] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 25.681950] SyS_sendmsg+0x2d/0x50
[ 25.682210] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 25.682707] RIP: 0033:0x434f59
[ 25.683037] RSP: 002b:00007fff014b08f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 25.683806] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000434f59
[ 25.684524] RDX: 0000000000000004 RSI: 00000000207ca000 RDI: 0000000000000003
[ 25.685272] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 25.686021] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 25.686769] R13: 00000000004018d0 R14: 0000000000401960 R15: 0000000000000000
[ 25.687537] Dumping ftrace buffer:
[ 25.687782] (ftrace buffer empty)
[ 25.688042] Kernel Offset: disabled
[ 25.688290] Rebooting in 86400 seconds..