executing program
syzkaller login: [ 17.936201] ==================================================================
[ 17.936702] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 17.937223] Read of size 4 at addr ffff88003b571c10 by task syzkaller790424/3029
[ 17.937731]
[ 17.937843] CPU: 2 PID: 3029 Comm: syzkaller790424 Not tainted 4.13.0-rc5-next-20170815+ #3
[ 17.938521] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 17.939135] Call Trace:
[ 17.939321]  dump_stack+0x194/0x257
[ 17.939569]  ? arch_local_irq_restore+0x53/0x53
[ 17.939879]  ? show_regs_print_info+0x65/0x65
[ 17.940180]  ? lock_release+0xa40/0xa40
[ 17.940500]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 17.940870]  print_address_description+0x73/0x250
[ 17.941191]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 17.941566]  kasan_report+0x24e/0x340
[ 17.941821]  __asan_report_load4_noabort+0x14/0x20
[ 17.942186]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 17.942560]  tipc_sendmcast+0x704/0xe30
[ 17.942827]  ? get_kernel_page+0x110/0x110
[ 17.943114]  ? tipc_release+0xfe0/0xfe0
[ 17.943386]  ? save_stack+0xa3/0xd0
[ 17.943616]  ? save_stack_trace+0x16/0x20
[ 17.943934]  ? save_stack+0x43/0xd0
[ 17.944242]  ? kasan_kmalloc+0xad/0xe0
[ 17.944515]  ? kasan_slab_alloc+0x12/0x20
[ 17.944833]  ? kmem_cache_alloc+0x12e/0x760
[ 17.945196]  ? ptlock_alloc+0x24/0x70
[ 17.945469]  ? do_huge_pmd_anonymous_page+0x571/0x1c10
[ 17.945844]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.946223]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.946599]  ? page_add_new_anon_rmap+0x36c/0x750
[ 17.947000]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.947393]  __tipc_sendmsg+0xf49/0x1590
[ 17.947681]  ? __tipc_sendmsg+0xf49/0x1590
[ 17.948047]  ? lock_downgrade+0x990/0x990
[ 17.948370]  ? tipc_sendmcast+0xe30/0xe30
[ 17.948651]  ? clear_huge_page+0x140/0x3a0
[ 17.948949]  ? lockdep_init_map+0x9/0x10
[ 17.949284]  ? _raw_spin_unlock+0x22/0x30
[ 17.949564]  ? do_huge_pmd_anonymous_page+0xb10/0x1c10
[ 17.949973]  ? __thp_get_unmapped_area+0x130/0x130
[ 17.950317]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.950691]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.951060]  ? is_bpf_text_address+0xa4/0x120
[ 17.951377]  ? __lockdep_init_map+0xe4/0x650
[ 17.951741]  ? lockdep_init_map+0x9/0x10
[ 17.952092]  __tipc_sendstream+0x8eb/0xc00
[ 17.952481]  ? lock_acquire+0x1d5/0x580
[ 17.952752]  ? tipc_connect+0x6d0/0x6d0
[ 17.953020]  ? check_same_owner+0x320/0x320
[ 17.953313]  ? lock_acquire+0x1d5/0x580
[ 17.953594]  ? lock_sock_nested+0xa3/0x110
[ 17.953834]  ? lock_acquire+0x1d5/0x580
[ 17.954358]  ? tipc_sendstream+0x42/0x70
[ 17.954706]  ? lock_release+0xa40/0xa40
[ 17.955062]  ? check_same_owner+0x320/0x320
[ 17.955465]  ? _copy_from_user+0x99/0x110
[ 17.955857]  ? trace_hardirqs_on+0xd/0x10
[ 17.956251]  ? __local_bh_enable_ip+0x9d/0x160
[ 17.956684]  tipc_sendstream+0x50/0x70
[ 17.957044]  ? __tipc_sendstream+0xc00/0xc00
[ 17.957419]  sock_sendmsg+0xca/0x110
[ 17.957749]  ___sys_sendmsg+0x742/0x8c0
[ 17.958045]  ? copy_msghdr_from_user+0x590/0x590
[ 17.958362]  ? handle_mm_fault+0x23e/0x940
[ 17.958674]  ? lock_downgrade+0x990/0x990
[ 17.958955]  ? __fd_install+0x2da/0x6a0
[ 17.959269]  ? __do_page_fault+0x51b/0xb60
[ 17.959566]  ? __fget_light+0x297/0x380
[ 17.959833]  ? fget_raw+0x20/0x20
[ 17.960066]  ? handle_mm_fault+0x4e3/0x940
[ 17.960411]  ? __fdget+0x18/0x20
[ 17.960641]  __sys_sendmsg+0xe5/0x210
[ 17.960896]  ? __sys_sendmsg+0xe5/0x210
[ 17.961162]  ? SyS_shutdown+0x290/0x290
[ 17.961430]  ? do_page_fault+0x70/0x70
[ 17.961699]  ? perf_trace_sys_enter+0xc20/0xc20
[ 17.962011]  SyS_sendmsg+0x2d/0x50
[ 17.962252]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 17.962582] RIP: 0033:0x434f39
[ 17.962830] RSP: 002b:00007ffd4dbf49b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 17.963434] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000434f39
[ 17.963966] RDX: 0000000000004000 RSI: 00000000201ff000 RDI: 0000000000000003
[ 17.964499] RBP: 00000000006c0018 R08: 0000000000000000 R09: 0000000000000000
[ 17.964979] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 17.965461] R13: 00000000004018b0 R14: 0000000000401940 R15: 0000000000000000
[ 17.965974]
[ 17.966127] Allocated by task 1:
[ 17.966396]  save_stack_trace+0x16/0x20
[ 17.966663]  save_stack+0x43/0xd0
[ 17.966912]  kasan_kmalloc+0xad/0xe0
[ 17.967189]  kmem_cache_alloc_trace+0x136/0x750
[ 17.967515]  tipc_nameseq_create+0xe8/0x540
[ 17.967805]  tipc_nametbl_insert_publ+0xf77/0x17c0
[ 17.968158]  tipc_nametbl_publish+0x2aa/0x4f0
[ 17.968457]  tipc_bind+0x33a/0x700
[ 17.968761]  kernel_bind+0x62/0x80
[ 17.968999]  tipc_server_start+0x39b/0xb60
[ 17.969363]  tipc_topsrv_start+0x64b/0x880
[ 17.969684]  tipc_init_net+0x3cc/0x570
[ 17.969943]  ops_init+0x10a/0x570
[ 17.970214]  register_pernet_operations+0x45e/0x980
[ 17.970548]  register_pernet_subsys+0x2a/0x40
[ 17.970850]  tipc_init+0x83/0x104
[ 17.971124]  do_one_initcall+0x9e/0x330
[ 17.971428]  kernel_init_freeable+0x46e/0x526
[ 17.971721]  kernel_init+0x13/0x172
[ 17.972003]  ret_from_fork+0x2a/0x40
[ 17.972261]
[ 17.972372] Freed by task 0:
[ 17.972572] (stack is not available)
[ 17.972817]
[ 17.972944] The buggy address belongs to the object at ffff88003b571c00
[ 17.972944]  which belongs to the cache kmalloc-32 of size 32
[ 17.973776] The buggy address is located 16 bytes inside of
[ 17.973776]  32-byte region [ffff88003b571c00, ffff88003b571c20)
[ 17.974599] The buggy address belongs to the page:
[ 17.974975] page:ffffea0000ed5c40 count:1 mapcount:0 mapping:ffff88003b571000 index:0xffff88003b571fc1
[ 17.975899] flags: 0x100000000000100(slab)
[ 17.976260] raw: 0100000000000100 ffff88003b571000 ffff88003b571fc1 0000000100000024
[ 17.976991] raw: ffffea0000ed8f20 ffffea0000ed2220 ffff88003e8001c0 0000000000000000
[ 17.977697] page dumped because: kasan: bad access detected
[ 17.978114]
[ 17.978225] Memory state around the buggy address:
[ 17.978549]  ffff88003b571b00: 00 06 fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 17.979055]  ffff88003b571b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 17.979560] >ffff88003b571c00: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 17.980096]                                                    ^
[ 17.980355]  ffff88003b571c80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 17.980837]  ffff88003b571d00: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 17.981317] ==================================================================
[ 17.981834] Kernel panic - not syncing: panic_on_warn set ...
[ 17.981834]
[ 17.982367] CPU: 2 PID: 3029 Comm: syzkaller790424 Tainted: G    B   4.13.0-rc5-next-20170815+ #3
[ 17.983004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 17.983608] Call Trace:
[ 17.983785]  dump_stack+0x194/0x257
[ 17.984097]  ? arch_local_irq_restore+0x53/0x53
[ 17.984408]  ? kasan_end_report+0x32/0x50
[ 17.984727]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 17.985059]  ? tipc_nametbl_lookup_dst_nodes+0x3e0/0x4b0
[ 17.985448]  panic+0x1e4/0x417
[ 17.985663]  ? __warn+0x1d9/0x1d9
[ 17.985968]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 17.986347]  kasan_end_report+0x50/0x50
[ 17.986639]  kasan_report+0x137/0x340
[ 17.986909]  __asan_report_load4_noabort+0x14/0x20
[ 17.987290]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 17.987725]  tipc_sendmcast+0x704/0xe30
[ 17.987991]  ? get_kernel_page+0x110/0x110
[ 17.988343]  ? tipc_release+0xfe0/0xfe0
[ 17.988622]  ? save_stack+0xa3/0xd0
[ 17.988866]  ? save_stack_trace+0x16/0x20
[ 17.989156]  ? save_stack+0x43/0xd0
[ 17.989426]  ? kasan_kmalloc+0xad/0xe0
[ 17.989714]  ? kasan_slab_alloc+0x12/0x20
[ 17.990052]  ? kmem_cache_alloc+0x12e/0x760
[ 17.990395]  ? ptlock_alloc+0x24/0x70
[ 17.990683]  ? do_huge_pmd_anonymous_page+0x571/0x1c10
[ 17.991093]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.991468]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.991816]  ? page_add_new_anon_rmap+0x36c/0x750
[ 17.992157]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.992550]  __tipc_sendmsg+0xf49/0x1590
[ 17.992823]  ? __tipc_sendmsg+0xf49/0x1590
[ 17.993106]  ? lock_downgrade+0x990/0x990
[ 17.993387]  ? tipc_sendmcast+0xe30/0xe30
[ 17.993728]  ? clear_huge_page+0x140/0x3a0
[ 17.994093]  ? lockdep_init_map+0x9/0x10
[ 17.994441]  ? _raw_spin_unlock+0x22/0x30
[ 17.994796]  ? do_huge_pmd_anonymous_page+0xb10/0x1c10
[ 17.995186]  ? __thp_get_unmapped_area+0x130/0x130
[ 17.995517]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.995925]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 17.996258]  ? is_bpf_text_address+0xa4/0x120
[ 17.996768]  ? __lockdep_init_map+0xe4/0x650
[ 17.997105]  ? lockdep_init_map+0x9/0x10
[ 17.997389]  __tipc_sendstream+0x8eb/0xc00
[ 17.997682]  ? lock_acquire+0x1d5/0x580
[ 17.997945]  ? tipc_connect+0x6d0/0x6d0
[ 17.998235]  ? check_same_owner+0x320/0x320
[ 17.998534]  ? lock_acquire+0x1d5/0x580
[ 17.998805]  ? lock_sock_nested+0xa3/0x110
[ 17.999098]  ? lock_acquire+0x1d5/0x580
[ 17.999376]  ? tipc_sendstream+0x42/0x70
[ 17.999664]  ? lock_release+0xa40/0xa40
[ 17.999926]  ? check_same_owner+0x320/0x320
[ 18.000226]  ? _copy_from_user+0x99/0x110
[ 18.000522]  ? trace_hardirqs_on+0xd/0x10
[ 18.000817]  ? __local_bh_enable_ip+0x9d/0x160
[ 18.001149]  tipc_sendstream+0x50/0x70
[ 18.001435]  ? __tipc_sendstream+0xc00/0xc00
[ 18.001735]  sock_sendmsg+0xca/0x110
[ 18.001995]  ___sys_sendmsg+0x742/0x8c0
[ 18.002315]  ? copy_msghdr_from_user+0x590/0x590
[ 18.002666]  ? handle_mm_fault+0x23e/0x940
[ 18.002991]  ? lock_downgrade+0x990/0x990
[ 18.003294]  ? __fd_install+0x2da/0x6a0
[ 18.003587]  ? __do_page_fault+0x51b/0xb60
[ 18.003896]  ? __fget_light+0x297/0x380
[ 18.004171]  ? fget_raw+0x20/0x20
[ 18.004384]  ? handle_mm_fault+0x4e3/0x940
[ 18.004666]  ? __fdget+0x18/0x20
[ 18.004873]  __sys_sendmsg+0xe5/0x210
[ 18.005111]  ? __sys_sendmsg+0xe5/0x210
[ 18.005363]  ? SyS_shutdown+0x290/0x290
[ 18.005620]  ? do_page_fault+0x70/0x70
[ 18.005875]  ? perf_trace_sys_enter+0xc20/0xc20
[ 18.006185]  SyS_sendmsg+0x2d/0x50
[ 18.006424]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 18.006755] RIP: 0033:0x434f39
[ 18.006984] RSP: 002b:00007ffd4dbf49b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 18.007527] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000434f39
[ 18.008091] RDX: 0000000000004000 RSI: 00000000201ff000 RDI: 0000000000000003
[ 18.008567] RBP: 00000000006c0018 R08: 0000000000000000 R09: 0000000000000000
[ 18.009067] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 18.009537] R13: 00000000004018b0 R14: 0000000000401940 R15: 0000000000000000
[ 18.010034] Dumping ftrace buffer:
[ 18.010263]    (ftrace buffer empty)
[ 18.010495] Kernel Offset: disabled
[ 18.010737] Rebooting in 86400 seconds..