INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-2,10.128.0.5' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 52.535082] ==================================================================
[ 52.542478] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 52.550591] Read of size 4 at addr ffff8801d2e3d850 by task syzkaller061920/2984
[ 52.558091]
[ 52.559704] CPU: 0 PID: 2984 Comm: syzkaller061920 Not tainted 4.14.0-rc4-mm1+ #16
[ 52.567379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.576700] Call Trace:
[ 52.579259]  dump_stack+0x194/0x257
[ 52.582858]  ? arch_local_irq_restore+0x53/0x53
[ 52.587497]  ? show_regs_print_info+0x65/0x65
[ 52.591965]  ? lock_release+0xd70/0xd70
[ 52.595919]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 52.601341]  print_address_description+0x73/0x250
[ 52.606154]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 52.611576]  kasan_report+0x25b/0x340
[ 52.615350]  __asan_report_load4_noabort+0x14/0x20
[ 52.620257]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 52.625529]  tipc_sendmcast+0x70b/0xe20
[ 52.629475]  ? unwind_dump+0x4c0/0x4c0
[ 52.633347]  ? tipc_release+0xfd0/0xfd0
[ 52.637290]  ? __kernel_text_address+0xd/0x40
[ 52.641755]  ? __is_insn_slot_addr+0x1fc/0x330
[ 52.646305]  ? lock_downgrade+0x990/0x990
[ 52.650420]  ? __save_stack_trace+0x61/0xd0
[ 52.654718]  ? SyS_sendmsg+0x2d/0x50
[ 52.658410]  ? lock_release+0xd70/0xd70
[ 52.662358]  ? is_bpf_text_address+0x7b/0x120
[ 52.666822]  ? lock_downgrade+0x990/0x990
[ 52.670943]  ? show_initstate+0xb0/0xb0
[ 52.674890]  ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[ 52.681008]  ? __bfs+0xaa/0x750
[ 52.684263]  ? lock_release+0xd70/0xd70
[ 52.688207]  ? noop_count+0x40/0x40
[ 52.691811]  __tipc_sendmsg+0xf49/0x1590
[ 52.695839]  ? __tipc_sendmsg+0xf49/0x1590
[ 52.700045]  ? rcutorture_record_progress+0x10/0x10
[ 52.705041]  ? tipc_sendmcast+0xe20/0xe20
[ 52.709174]  ? check_usage_backwards+0x20a/0x420
[ 52.713912]  ? print_shortest_lock_dependencies+0x350/0x350
[ 52.719603]  ? save_stack_trace+0x1a/0x20
[ 52.723728]  ? save_trace+0x11f/0x350
[ 52.727505]  ? mark_held_locks+0xb2/0x100
[ 52.731625]  ? __raw_spin_lock_init+0x1c/0x100
[ 52.736184]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.741170]  ? __lockdep_init_map+0xe4/0x650
[ 52.745555]  ? lockdep_init_map+0x3d/0x70
[ 52.749683]  __tipc_sendstream+0x8eb/0xc00
[ 52.753895]  ? find_held_lock+0x39/0x1d0
[ 52.757933]  ? tipc_connect+0x6d0/0x6d0
[ 52.761876]  ? lock_downgrade+0x990/0x990
[ 52.766002]  ? lock_acquire+0x1d5/0x580
[ 52.769944]  ? tipc_sendstream+0x42/0x70
[ 52.774075]  ? mark_held_locks+0xb2/0x100
[ 52.778206]  ? __local_bh_enable_ip+0x9d/0x160
[ 52.782765]  tipc_sendstream+0x50/0x70
[ 52.786624]  tipc_send_packet+0x33/0x50
[ 52.790569]  ? tipc_sendstream+0x70/0x70
[ 52.794602]  sock_sendmsg+0xca/0x110
[ 52.798287]  ___sys_sendmsg+0x75b/0x8a0
[ 52.802236]  ? copy_msghdr_from_user+0x590/0x590
[ 52.806982]  ? __fget_light+0x29d/0x390
[ 52.810932]  ? fget_raw+0x20/0x20
[ 52.814357]  ? vmacache_find+0x5f/0x280
[ 52.818326]  ? __fdget+0x18/0x20
[ 52.821673]  __sys_sendmsg+0xe5/0x210
[ 52.825441]  ? __sys_sendmsg+0xe5/0x210
[ 52.829388]  ? SyS_shutdown+0x290/0x290
[ 52.833339]  ? __do_page_fault+0xd60/0xd60
[ 52.837550]  ? fd_install+0x4d/0x60
[ 52.841161]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 52.846152]  SyS_sendmsg+0x2d/0x50
[ 52.849667]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 52.854391] RIP: 0033:0x43fd59
[ 52.857555] RSP: 002b:00007ffd14a1fa28 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[ 52.865238] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
[ 52.872480] RDX: 0000000000000004 RSI: 00000000203bbfc8 RDI: 0000000000000003
[ 52.879724] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 52.886963] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016c0
[ 52.894204] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[ 52.901467]
[ 52.903065] Allocated by task 1:
[ 52.906402]  save_stack+0x43/0xd0
[ 52.909822]  kasan_kmalloc+0xad/0xe0
[ 52.913505]  kmem_cache_alloc_trace+0x136/0x750
[ 52.918144]  tipc_nameseq_create+0xe8/0x540
[ 52.922435]  tipc_nametbl_insert_publ+0xf77/0x17c0
[ 52.927334]  tipc_nametbl_publish+0x2aa/0x4f0
[ 52.931798]  tipc_bind+0x33a/0x700
[ 52.935308]  kernel_bind+0x62/0x80
[ 52.938816]  tipc_server_start+0x3a1/0xb60
[ 52.943019]  tipc_topsrv_start+0x64f/0x890
[ 52.947223]  tipc_init_net+0x3cc/0x570
[ 52.951080]  ops_init+0x10a/0x570
[ 52.954501]  register_pernet_operations+0x45e/0x980
[ 52.959485]  register_pernet_subsys+0x2a/0x40
[ 52.963949]  tipc_init+0x83/0x104
[ 52.967372]  do_one_initcall+0x9e/0x330
[ 52.971319]  kernel_init_freeable+0x469/0x521
[ 52.975784]  kernel_init+0x13/0x172
[ 52.979382]  ret_from_fork+0x2a/0x40
[ 52.983064]
[ 52.984662] Freed by task 0:
[ 52.987646] (stack is not available)
[ 52.991323]
[ 52.992920] The buggy address belongs to the object at ffff8801d2e3d840
[ 52.992920]  which belongs to the cache kmalloc-32 of size 32
[ 53.005369] The buggy address is located 16 bytes inside of
[ 53.005369]  32-byte region [ffff8801d2e3d840, ffff8801d2e3d860)
[ 53.017035] The buggy address belongs to the page:
[ 53.021932] page:ffffea00074b8f40 count:1 mapcount:0 mapping:ffff8801d2e3d000 index:0xffff8801d2e3dfc1
[ 53.031350] flags: 0x200000000000100(slab)
[ 53.035563] raw: 0200000000000100 ffff8801d2e3d000 ffff8801d2e3dfc1 000000010000003a
[ 53.043413] raw: ffffea00074b7b20 ffffea00074cbfe0 ffff8801dac001c0 0000000000000000
[ 53.051260] page dumped because: kasan: bad access detected
[ 53.056937]
[ 53.058535] Memory state around the buggy address:
[ 53.063433]  ffff8801d2e3d700: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[ 53.070759]  ffff8801d2e3d780: 00 06 fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 53.078090] >ffff8801d2e3d800: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 53.085424]                                                  ^
[ 53.091365]  ffff8801d2e3d880: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 53.098693]  ffff8801d2e3d900: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 53.106018] ==================================================================
[ 53.113341] Disabling lock debugging due to kernel taint
[ 53.118788] Kernel panic - not syncing: panic_on_warn set ...
[ 53.118788]
[ 53.126120] CPU: 0 PID: 2984 Comm: syzkaller061920 Tainted: G    B   4.14.0-rc4-mm1+ #16
[ 53.135090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.144406] Call Trace:
[ 53.146960]  dump_stack+0x194/0x257
[ 53.150554]  ? arch_local_irq_restore+0x53/0x53
[ 53.155189]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.159912]  ? tipc_nametbl_lookup_dst_nodes+0x3d0/0x4b0
[ 53.165328]  panic+0x1e4/0x41c
[ 53.168487]  ? refcount_error_report+0x214/0x214
[ 53.173212]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 53.178628]  kasan_end_report+0x50/0x50
[ 53.182568]  kasan_report+0x144/0x340
[ 53.186334]  __asan_report_load4_noabort+0x14/0x20
[ 53.191226]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[ 53.196472]  tipc_sendmcast+0x70b/0xe20
[ 53.200497]  ? unwind_dump+0x4c0/0x4c0
[ 53.204352]  ? tipc_release+0xfd0/0xfd0
[ 53.208290]  ? __kernel_text_address+0xd/0x40
[ 53.212752]  ? __is_insn_slot_addr+0x1fc/0x330
[ 53.217296]  ? lock_downgrade+0x990/0x990
[ 53.221406]  ? __save_stack_trace+0x61/0xd0
[ 53.225694]  ? SyS_sendmsg+0x2d/0x50
[ 53.229381]  ? lock_release+0xd70/0xd70
[ 53.233323]  ? is_bpf_text_address+0x7b/0x120
[ 53.237780]  ? lock_downgrade+0x990/0x990
[ 53.241894]  ? show_initstate+0xb0/0xb0
[ 53.245832]  ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[ 53.251940]  ? __bfs+0xaa/0x750
[ 53.255272]  ? lock_release+0xd70/0xd70
[ 53.259209]  ? noop_count+0x40/0x40
[ 53.262807]  __tipc_sendmsg+0xf49/0x1590
[ 53.266831]  ? __tipc_sendmsg+0xf49/0x1590
[ 53.271029]  ? rcutorture_record_progress+0x10/0x10
[ 53.276013]  ? tipc_sendmcast+0xe20/0xe20
[ 53.280126]  ? check_usage_backwards+0x20a/0x420
[ 53.284845]  ? print_shortest_lock_dependencies+0x350/0x350
[ 53.290524]  ? save_stack_trace+0x1a/0x20
[ 53.294633]  ? save_trace+0x11f/0x350
[ 53.298400]  ? mark_held_locks+0xb2/0x100
[ 53.302512]  ? __raw_spin_lock_init+0x1c/0x100
[ 53.307059]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.312038]  ? __lockdep_init_map+0xe4/0x650
[ 53.316410]  ? lockdep_init_map+0x3d/0x70
[ 53.320526]  __tipc_sendstream+0x8eb/0xc00
[ 53.324726]  ? find_held_lock+0x39/0x1d0
[ 53.328756]  ? tipc_connect+0x6d0/0x6d0
[ 53.332692]  ? lock_downgrade+0x990/0x990
[ 53.336805]  ? lock_acquire+0x1d5/0x580
[ 53.340741]  ? tipc_sendstream+0x42/0x70
[ 53.344773]  ? mark_held_locks+0xb2/0x100
[ 53.348891]  ? __local_bh_enable_ip+0x9d/0x160
[ 53.353440]  tipc_sendstream+0x50/0x70
[ 53.357292]  tipc_send_packet+0x33/0x50
[ 53.361231]  ? tipc_sendstream+0x70/0x70
[ 53.365256]  sock_sendmsg+0xca/0x110
[ 53.368935]  ___sys_sendmsg+0x75b/0x8a0
[ 53.372875]  ? copy_msghdr_from_user+0x590/0x590
[ 53.377690]  ? __fget_light+0x29d/0x390
[ 53.381631]  ? fget_raw+0x20/0x20
[ 53.385050]  ? vmacache_find+0x5f/0x280
[ 53.389000]  ? __fdget+0x18/0x20
[ 53.392333]  __sys_sendmsg+0xe5/0x210
[ 53.396302]  ? __sys_sendmsg+0xe5/0x210
[ 53.400243]  ? SyS_shutdown+0x290/0x290
[ 53.404359]  ? __do_page_fault+0xd60/0xd60
[ 53.408564]  ? fd_install+0x4d/0x60
[ 53.412162]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.417145]  SyS_sendmsg+0x2d/0x50
[ 53.420652]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 53.425373] RIP: 0033:0x43fd59
[ 53.428529] RSP: 002b:00007ffd14a1fa28 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[ 53.436203] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
[ 53.443437] RDX: 0000000000000004 RSI: 00000000203bbfc8 RDI: 0000000000000003
[ 53.450671] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 53.457907] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016c0
[ 53.465144] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[ 53.472794] Dumping ftrace buffer:
[ 53.476302]    (ftrace buffer empty)
[ 53.479981] Kernel Offset: disabled
[ 53.483576] Rebooting in 86400 seconds..