Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   68.637219][ T7930] ==================================================================
[   68.645420][ T7930] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[   68.653120][ T7930] Read of size 4 at addr ffff8880a018e0b4 by task syz-executor234/7930
[   68.661398][ T7930]
[   68.663728][ T7930] CPU: 0 PID: 7930 Comm: syz-executor234 Not tainted 5.1.0-rc1-next-20190320 #7
[   68.672776][ T7930] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.682843][ T7930] Call Trace:
[   68.686141][ T7930]  dump_stack+0x172/0x1f0
[   68.690523][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   68.695888][ T7930]  print_address_description.cold+0x7c/0x20d
[   68.701857][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   68.707322][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   68.712682][ T7930]  kasan_report.cold+0x1b/0x40
[   68.717457][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   68.722822][ T7930]  __asan_report_load4_noabort+0x14/0x20
[   68.728448][ T7930]  tipc_sk_filter_rcv+0x2166/0x34f0
[   68.733646][ T7930]  ? tipc_sk_overlimit2+0xa0/0xa0
[   68.738811][ T7930]  ? __local_bh_enable_ip+0x15a/0x270
[   68.744212][ T7930]  ? lockdep_hardirqs_on+0x19e/0x5d0
[   68.749497][ T7930]  ? tipc_sk_rcv+0x562/0x25a0
[   68.754179][ T7930]  ? __local_bh_enable_ip+0x15a/0x270
[   68.759540][ T7930]  tipc_sk_rcv+0xc45/0x25a0
[   68.764070][ T7930]  ? __lock_acquire+0x548/0x3fb0
[   68.769010][ T7930]  ? __kmalloc_reserve.isra.0+0x40/0xf0
[   68.774551][ T7930]  ? sock_recvmsg+0xd0/0x110
[   68.779128][ T7930]  ? ___sys_recvmsg+0x273/0x5a0
[   68.783971][ T7930]  ? tipc_sk_filter_rcv+0x34f0/0x34f0
[   68.789383][ T7930]  ? tipc_node_xmit+0x20b/0x640
[   68.794341][ T7930]  ? find_held_lock+0x35/0x130
[   68.799106][ T7930]  ? tipc_node_xmit+0x20b/0x640
[   68.803945][ T7930]  ? lock_downgrade+0x880/0x880
[   68.808794][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.815237][ T7930]  ? kasan_check_read+0x11/0x20
[   68.827664][ T7930]  tipc_node_xmit+0x296/0x640
[   68.838531][ T7930]  ? tipc_node_get_linkname+0x110/0x110
[   68.844850][ T7930]  ? kasan_kmalloc+0x9/0x10
[   68.849475][ T7930]  ? __kmalloc_node_track_caller+0x4e/0x70
[   68.855461][ T7930]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   68.861887][ T7930]  ? lockdep_init_map+0x1be/0x6d0
[   68.866910][ T7930]  tipc_node_xmit_skb+0x10f/0x190
[   68.872121][ T7930]  ? skb_trim+0x190/0x190
[   68.876504][ T7930]  ? tipc_node_xmit+0x640/0x640
[   68.881452][ T7930]  ? memset+0x32/0x40
[   68.885515][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.891871][ T7930]  ? tipc_msg_create+0x20f/0x270
[   68.897635][ T7930]  tipc_sk_send_ack+0x40e/0x4e0
[   68.903023][ T7930]  tipc_recvstream+0x8e3/0xa10
[   68.908146][ T7930]  ? tipc_recvmsg+0xc90/0xc90
[   68.915114][ T7930]  ? apparmor_socket_recvmsg+0x2a/0x30
[   68.920631][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.927476][ T7930]  ? security_socket_recvmsg+0x9b/0xd0
[   68.933156][ T7930]  ? tipc_recvmsg+0xc90/0xc90
[   68.938292][ T7930]  sock_recvmsg+0xd0/0x110
[   68.942812][ T7930]  ? __sock_recv_ts_and_drops+0x590/0x590
[   68.948526][ T7930]  ___sys_recvmsg+0x273/0x5a0
[   68.953249][ T7930]  ? ___sys_sendmsg+0x930/0x930
[   68.958116][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.964836][ T7930]  ? kasan_check_read+0x11/0x20
[   68.969704][ T7930]  ? __fget+0x381/0x550
[   68.974021][ T7930]  ? ksys_dup3+0x3e0/0x3e0
[   68.978447][ T7930]  ? __fget_light+0x1a9/0x230
[   68.983473][ T7930]  ? __fdget+0x1b/0x20
[   68.987645][ T7930]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   68.994531][ T7930]  __sys_recvmsg+0x102/0x1d0
[   68.999770][ T7930]  ? __ia32_sys_sendmmsg+0x100/0x100
[   69.006044][ T7930]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   69.012886][ T7930]  ? do_syscall_64+0x26/0x610
[   69.017990][ T7930]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.024363][ T7930]  ? do_syscall_64+0x26/0x610
[   69.029857][ T7930]  __x64_sys_recvmsg+0x78/0xb0
[   69.041217][ T7930]  do_syscall_64+0x103/0x610
[   69.046110][ T7930]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.052351][ T7930] RIP: 0033:0x445879
[   69.056286][ T7930] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   69.077251][ T7930] RSP: 002b:00007f9bcb72adb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[   69.087307][ T7930] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445879
[   69.095643][ T7930] RDX: 0000000000003f00 RSI: 0000000020000200 RDI: 0000000000000003
[   69.104269][ T7930] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[   69.112387][ T7930] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[   69.120457][ T7930] R13: 00007ffdb16835ff R14: 00007f9bcb72b9c0 R15: 20c49ba5e353f7cf
[   69.128559][ T7930]
[   69.130872][ T7930] Allocated by task 7930:
[   69.135326][ T7930]  save_stack+0x45/0xd0
[   69.139620][ T7930]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   69.145364][ T7930]  kasan_kmalloc+0x9/0x10
[   69.149700][ T7930]  __kmalloc_node_track_caller+0x4e/0x70
[   69.155586][ T7930]  __kmalloc_reserve.isra.0+0x40/0xf0
[   69.161171][ T7930]  __alloc_skb+0x10b/0x5e0
[   69.165606][ T7930]  tipc_buf_acquire+0x2f/0x100
[   69.170602][ T7930]  tipc_msg_create+0x38/0x270
[   69.176303][ T7930]  tipc_sk_send_ack+0x19b/0x4e0
[   69.181674][ T7930]  tipc_recvstream+0x8e3/0xa10
[   69.186695][ T7930]  sock_recvmsg+0xd0/0x110
[   69.191822][ T7930]  ___sys_recvmsg+0x273/0x5a0
[   69.197440][ T7930]  __sys_recvmsg+0x102/0x1d0
[   69.202334][ T7930]  __x64_sys_recvmsg+0x78/0xb0
[   69.207096][ T7930]  do_syscall_64+0x103/0x610
[   69.211830][ T7930]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.217951][ T7930]
[   69.220287][ T7930] Freed by task 7930:
[   69.224260][ T7930]  save_stack+0x45/0xd0
[   69.228574][ T7930]  __kasan_slab_free+0x102/0x150
[   69.233637][ T7930]  kasan_slab_free+0xe/0x10
[   69.238126][ T7930]  kfree+0xcf/0x230
[   69.242228][ T7930]  skb_free_head+0x93/0xb0
[   69.246823][ T7930]  skb_release_data+0x576/0x7a0
[   69.251782][ T7930]  skb_release_all+0x4d/0x60
[   69.256380][ T7930]  kfree_skb+0xe8/0x390
[   69.260627][ T7930]  tipc_sk_filter_rcv+0x241b/0x34f0
[   69.265826][ T7930]  tipc_sk_rcv+0xc45/0x25a0
[   69.270396][ T7930]  tipc_node_xmit+0x296/0x640
[   69.275160][ T7930]  tipc_node_xmit_skb+0x10f/0x190
[   69.280987][ T7930]  tipc_sk_send_ack+0x40e/0x4e0
[   69.285867][ T7930]  tipc_recvstream+0x8e3/0xa10
[   69.290958][ T7930]  sock_recvmsg+0xd0/0x110
[   69.295914][ T7930]  ___sys_recvmsg+0x273/0x5a0
[   69.300895][ T7930]  __sys_recvmsg+0x102/0x1d0
[   69.305519][ T7930]  __x64_sys_recvmsg+0x78/0xb0
[   69.314231][ T7930]  do_syscall_64+0x103/0x610
[   69.322446][ T7930]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.328340][ T7930]
[   69.330653][ T7930] The buggy address belongs to the object at ffff8880a018e000
[   69.330653][ T7930]  which belongs to the cache kmalloc-1k of size 1024
[   69.344926][ T7930] The buggy address is located 180 bytes inside of
[   69.344926][ T7930]  1024-byte region [ffff8880a018e000, ffff8880a018e400)
[   69.358602][ T7930] The buggy address belongs to the page:
[   69.364339][ T7930] page:ffffea0002806380 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[   69.375195][ T7930] flags: 0x1fffc0000010200(slab|head)
[   69.380573][ T7930] raw: 01fffc0000010200 ffffea0002825688 ffffea000243cc88 ffff88812c3f0ac0
[   69.389147][ T7930] raw: 0000000000000000 ffff8880a018e000 0000000100000007 0000000000000000
[   69.397716][ T7930] page dumped because: kasan: bad access detected
[   69.404261][ T7930]
[   69.406575][ T7930] Memory state around the buggy address:
[   69.412193][ T7930]  ffff8880a018df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   69.420236][ T7930]  ffff8880a018e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.428295][ T7930] >ffff8880a018e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.436340][ T7930]                                      ^
[   69.442009][ T7930]  ffff8880a018e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.450094][ T7930]  ffff8880a018e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.458139][ T7930] ==================================================================
[   69.466180][ T7930] Disabling lock debugging due to kernel taint
[   69.472379][ T7930] Kernel panic - not syncing: panic_on_warn set ...
[   69.479052][ T7930] CPU: 0 PID: 7930 Comm: syz-executor234 Tainted: G    B             5.1.0-rc1-next-20190320 #7
[   69.489445][ T7930] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.499928][ T7930] Call Trace:
[   69.503483][ T7930]  dump_stack+0x172/0x1f0
[   69.507848][ T7930]  panic+0x2cb/0x65c
[   69.511844][ T7930]  ? __warn_printk+0xf3/0xf3
[   69.516424][ T7930]  ? trace_hardirqs_on+0x5e/0x230
[   69.521438][ T7930]  ? trace_hardirqs_on+0x5e/0x230
[   69.526538][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   69.532113][ T7930]  end_report+0x47/0x4f
[   69.536256][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   69.541702][ T7930]  kasan_report.cold+0xe/0x40
[   69.546367][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   69.551837][ T7930]  __asan_report_load4_noabort+0x14/0x20
[   69.557460][ T7930]  tipc_sk_filter_rcv+0x2166/0x34f0
[   69.562653][ T7930]  ? tipc_sk_overlimit2+0xa0/0xa0
[   69.567674][ T7930]  ? __local_bh_enable_ip+0x15a/0x270
[   69.573033][ T7930]  ? lockdep_hardirqs_on+0x19e/0x5d0
[   69.578310][ T7930]  ? tipc_sk_rcv+0x562/0x25a0
[   69.583073][ T7930]  ? __local_bh_enable_ip+0x15a/0x270
[   69.588437][ T7930]  tipc_sk_rcv+0xc45/0x25a0
[   69.593015][ T7930]  ? __lock_acquire+0x548/0x3fb0
[   69.597941][ T7930]  ? __kmalloc_reserve.isra.0+0x40/0xf0
[   69.603482][ T7930]  ? sock_recvmsg+0xd0/0x110
[   69.608063][ T7930]  ? ___sys_recvmsg+0x273/0x5a0
[   69.613019][ T7930]  ? tipc_sk_filter_rcv+0x34f0/0x34f0
[   69.618384][ T7930]  ? tipc_node_xmit+0x20b/0x640
[   69.623227][ T7930]  ? find_held_lock+0x35/0x130
[   69.627982][ T7930]  ? tipc_node_xmit+0x20b/0x640
[   69.632821][ T7930]  ? lock_downgrade+0x880/0x880
[   69.637659][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.643922][ T7930]  ? kasan_check_read+0x11/0x20
[   69.649054][ T7930]  tipc_node_xmit+0x296/0x640
[   69.653725][ T7930]  ? tipc_node_get_linkname+0x110/0x110
[   69.659260][ T7930]  ? kasan_kmalloc+0x9/0x10
[   69.664052][ T7930]  ? __kmalloc_node_track_caller+0x4e/0x70
[   69.669852][ T7930]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   69.676116][ T7930]  ? lockdep_init_map+0x1be/0x6d0
[   69.681182][ T7930]  tipc_node_xmit_skb+0x10f/0x190
[   69.686402][ T7930]  ? skb_trim+0x190/0x190
[   69.690734][ T7930]  ? tipc_node_xmit+0x640/0x640
[   69.695571][ T7930]  ? memset+0x32/0x40
[   69.699540][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.705772][ T7930]  ? tipc_msg_create+0x20f/0x270
[   69.710709][ T7930]  tipc_sk_send_ack+0x40e/0x4e0
[   69.715544][ T7930]  tipc_recvstream+0x8e3/0xa10
[   69.720298][ T7930]  ? tipc_recvmsg+0xc90/0xc90
[   69.724962][ T7930]  ? apparmor_socket_recvmsg+0x2a/0x30
[   69.730412][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.736635][ T7930]  ? security_socket_recvmsg+0x9b/0xd0
[   69.742077][ T7930]  ? tipc_recvmsg+0xc90/0xc90
[   69.746737][ T7930]  sock_recvmsg+0xd0/0x110
[   69.751144][ T7930]  ? __sock_recv_ts_and_drops+0x590/0x590
[   69.756844][ T7930]  ___sys_recvmsg+0x273/0x5a0
[   69.761504][ T7930]  ? ___sys_sendmsg+0x930/0x930
[   69.766338][ T7930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.772567][ T7930]  ? kasan_check_read+0x11/0x20
[   69.777410][ T7930]  ? __fget+0x381/0x550
[   69.781581][ T7930]  ? ksys_dup3+0x3e0/0x3e0
[   69.785991][ T7930]  ? __fget_light+0x1a9/0x230
[   69.790787][ T7930]  ? __fdget+0x1b/0x20
[   69.794900][ T7930]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   69.801130][ T7930]  __sys_recvmsg+0x102/0x1d0
[   69.805716][ T7930]  ? __ia32_sys_sendmmsg+0x100/0x100
[   69.810996][ T7930]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   69.816449][ T7930]  ? do_syscall_64+0x26/0x610
[   69.821150][ T7930]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.827240][ T7930]  ? do_syscall_64+0x26/0x610
[   69.831914][ T7930]  __x64_sys_recvmsg+0x78/0xb0
[   69.836726][ T7930]  do_syscall_64+0x103/0x610
[   69.841379][ T7930]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.847259][ T7930] RIP: 0033:0x445879
[   69.851148][ T7930] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   69.870822][ T7930] RSP: 002b:00007f9bcb72adb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[   69.879232][ T7930] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445879
[   69.887188][ T7930] RDX: 0000000000003f00 RSI: 0000000020000200 RDI: 0000000000000003
[   69.895148][ T7930] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[   69.903412][ T7930] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[   69.911417][ T7930] R13: 00007ffdb16835ff R14: 00007f9bcb72b9c0 R15: 20c49ba5e353f7cf
[   69.920170][ T7930] Kernel Offset: disabled
[   69.924493][ T7930] Rebooting in 86400 seconds..
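As an added triage aid that is not part of the syzbot report or of the kernel tree, the Python script below parses a KASAN slab report of this shape into its alloc/free/use triad, cross-checks the stated "180 bytes inside of" offset against the object and access addresses, decodes the shadow byte covering the faulting address (fb is KASAN_KMALLOC_FREE, a freed slab object, under generic KASAN), and names the first subsystem frame of each stack: here the buffer is the skb head allocated by tipc_buf_acquire for the ack built in tipc_sk_send_ack, and both the kfree_skb and the 4-byte read sit inside tipc_sk_filter_rcv (free at +0x241b, read at +0x2166). The sample input is a constructed excerpt of the report above; the list of allocator/sanitizer/skb frames skipped when naming a site is a heuristic of this example, not a kernel definition.

```python
"""KASAN slab-report triage helper (added example, not syzbot or kernel code).
Splits a report into the alloc/free/use triad and cross-checks the numbers
it states. SAMPLE is a constructed excerpt of the report on this page;
PLUMBING is a triage heuristic, not a kernel definition."""
import re

# Shadow byte values of generic KASAN (mm/kasan/kasan.h, v5.x); one byte per 8 bytes of memory.
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "global redzone",
                 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                 0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
                 0xfe: "page redzone", 0xff: "freed page"}
# Allocator/sanitizer/skb frames to skip when naming the subsystem site (heuristic).
PLUMBING = ("save_stack", "__kasan_", "kasan_", "__asan_", "dump_stack",
            "print_address_description", "__kmalloc", "kfree", "__alloc_skb",
            "skb_")
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")          # '[ ts][ Tpid] '
FRAME = re.compile(r"(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def _payload(line):
    return PREFIX.sub("", line).strip()

def _frames(lines, start):
    """Frames after lines[start]; a '?' frame is a stale stack slot the unwinder
    could not confirm and is flagged unreliable."""
    out = []
    for line in lines[start + 1:]:
        m = FRAME.match(_payload(line))
        if not m:
            break
        out.append((m.group(2), m.group(1) is not None))
    return out

def first_subsystem_frame(frames):
    for name, unreliable in frames:
        if not unreliable and not name.startswith(PLUMBING):
            return name
    return None

def parse_kasan_report(text):
    lines, r = text.splitlines(), {}
    for i, raw in enumerate(lines):
        s = _payload(raw)
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", s):
            r["bug_type"], r["fault_func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", s):
            r["access"], r["size"], r["addr"] = m.group(1).lower(), int(m.group(2)), int(m.group(3), 16)
        elif s.startswith("Call Trace:"):
            r.setdefault("use_stack", _frames(lines, i))   # first trace only
        elif s.startswith("Allocated by task"):
            r["alloc_stack"] = _frames(lines, i)
        elif s.startswith("Freed by task"):
            r["free_stack"] = _frames(lines, i)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r["obj_base"] = int(m.group(1), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", s):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"is located (\d+) bytes inside of", s):
            r["stated_offset"] = int(m.group(1))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$", s):
            r["shadow_row_base"], r["shadow_row"] = int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]
    return r

def triage(r):
    """Cross-check the stated numbers and name the alloc/free/use sites."""
    offset = r["addr"] - r["obj_base"]
    if offset != r["stated_offset"] or not 0 <= offset < r["obj_size"]:
        raise ValueError("inconsistent report: computed offset %d" % offset)
    shadow = r["shadow_row"][(r["addr"] - r["shadow_row_base"]) // 8]
    sites = {k: first_subsystem_frame(r[k + "_stack"]) for k in ("alloc", "free", "use")}
    return {"offset": offset, "shadow": shadow,
            "shadow_meaning": SHADOW_LEGEND.get(shadow, "partial or other"),
            "free_and_use_in_same_function": sites["free"] == sites["use"], **sites}

# Constructed excerpt of the report above (frames trimmed, printk prefixes kept).
SAMPLE = """\
[   68.645420][ T7930] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[   68.653120][ T7930] Read of size 4 at addr ffff8880a018e0b4 by task syz-executor234/7930
[   68.682843][ T7930] Call Trace:
[   68.686141][ T7930]  dump_stack+0x172/0x1f0
[   68.690523][ T7930]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   68.722822][ T7930]  __asan_report_load4_noabort+0x14/0x20
[   68.728448][ T7930]  tipc_sk_filter_rcv+0x2166/0x34f0
[   68.759540][ T7930]  tipc_sk_rcv+0xc45/0x25a0
[   69.128559][ T7930]
[   69.130872][ T7930] Allocated by task 7930:
[   69.135326][ T7930]  save_stack+0x45/0xd0
[   69.139620][ T7930]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   69.161171][ T7930]  __alloc_skb+0x10b/0x5e0
[   69.165606][ T7930]  tipc_buf_acquire+0x2f/0x100
[   69.170602][ T7930]  tipc_msg_create+0x38/0x270
[   69.217951][ T7930]
[   69.220287][ T7930] Freed by task 7930:
[   69.224260][ T7930]  save_stack+0x45/0xd0
[   69.228574][ T7930]  __kasan_slab_free+0x102/0x150
[   69.242228][ T7930]  skb_free_head+0x93/0xb0
[   69.256380][ T7930]  kfree_skb+0xe8/0x390
[   69.260627][ T7930]  tipc_sk_filter_rcv+0x241b/0x34f0
[   69.328340][ T7930]
[   69.330653][ T7930] The buggy address belongs to the object at ffff8880a018e000
[   69.330653][ T7930]  which belongs to the cache kmalloc-1k of size 1024
[   69.344926][ T7930] The buggy address is located 180 bytes inside of
[   69.428295][ T7930] >ffff8880a018e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

Running `triage(parse_kasan_report(SAMPLE))` on the excerpt yields offset 180, shadow 0xfb, alloc site tipc_buf_acquire, and tipc_sk_filter_rcv for both the free and the use. The `?` frames are deliberately skipped when naming a site because they are stale stack slots, not confirmed callers; the offset cross-check catches reports mangled in transit (a common problem when a log is pasted through mail or a web form), and the same parser can be pointed at any other generic-KASAN slab report with the page's prefix format.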