INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-1,10.128.0.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   31.289787] ==================================================================
[   31.297209] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[   31.305322] Read of size 4 at addr ffff8801cf2145d0 by task syzkaller726279/2986
[   31.312823]
[   31.314425] CPU: 0 PID: 2986 Comm: syzkaller726279 Not tainted 4.14.0-rc1+ #58
[   31.321755] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.331081] Call Trace:
[   31.333642]  dump_stack+0x194/0x257
[   31.337247]  ? arch_local_irq_restore+0x53/0x53
[   31.341887]  ? show_regs_print_info+0x65/0x65
[   31.346360]  ? lock_release+0xd70/0xd70
[   31.350309]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[   31.355734]  print_address_description+0x73/0x250
[   31.360572]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[   31.365996]  kasan_report+0x24e/0x340
[   31.369773]  __asan_report_load4_noabort+0x14/0x20
[   31.374679]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[   31.379936]  tipc_sendmcast+0x704/0xe30
[   31.383904]  ? tipc_release+0xfd0/0xfd0
[   31.387855]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[   31.393019]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[   31.397761]  ? check_noncircular+0x20/0x20
[   31.401976]  ? _raw_spin_unlock+0x22/0x30
[   31.406095]  ? do_huge_pmd_anonymous_page+0xb1d/0x1b00
[   31.411346]  ? check_noncircular+0x20/0x20
[   31.415557]  ? find_held_lock+0x39/0x1d0
[   31.419597]  __tipc_sendmsg+0xf49/0x1590
[   31.423628]  ? __tipc_sendmsg+0xf49/0x1590
[   31.427842]  ? build_sched_domains+0x34e2/0x4ba0
[   31.432572]  ? tipc_sendmcast+0xe30/0xe30
[   31.436698]  ? lock_downgrade+0x990/0x990
[   31.440818]  ? check_same_owner+0x320/0x320
[   31.445115]  ? rw_copy_check_uvector+0x1ce/0x280
[   31.449848]  ? lock_acquire+0x1d5/0x580
[   31.453795]  ? tipc_sendmsg+0x42/0x70
[   31.457579]  ? mark_held_locks+0xb2/0x100
[   31.461699]  ? __local_bh_enable_ip+0x9d/0x160
[   31.466252]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.471240]  ? lock_sock_nested+0x91/0x110
[   31.475446]  ? trace_hardirqs_on+0xd/0x10
[   31.479566]  ? __local_bh_enable_ip+0x9d/0x160
[   31.484127]  tipc_sendmsg+0x50/0x70
[   31.487723]  ? __tipc_sendmsg+0x1590/0x1590
[   31.492016]  sock_sendmsg+0xca/0x110
[   31.495702]  ___sys_sendmsg+0x75b/0x8a0
[   31.499652]  ? copy_msghdr_from_user+0x590/0x590
[   31.504387]  ? lock_downgrade+0x990/0x990
[   31.508518]  ? __fget_light+0x29d/0x390
[   31.512465]  ? fget_raw+0x20/0x20
[   31.515894]  ? handle_mm_fault+0x410/0x8d0
[   31.520099]  ? down_read_trylock+0xdb/0x170
[   31.524391]  ? __do_page_fault+0x2b8/0xb60
[   31.528612]  ? __fdget+0x18/0x20
[   31.531954]  __sys_sendmsg+0xe5/0x210
[   31.535724]  ? __sys_sendmsg+0xe5/0x210
[   31.539674]  ? SyS_shutdown+0x290/0x290
[   31.543621]  ? __do_page_fault+0xb60/0xb60
[   31.547837]  ? fd_install+0x4d/0x60
[   31.551449]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.556442]  SyS_sendmsg+0x2d/0x50
[   31.559963]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.564688] RIP: 0033:0x43fdf9
[   31.567848] RSP: 002b:00007ffd5ef04b78 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[   31.575526] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[   31.582765] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[   31.590006] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   31.597246] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[   31.604489] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[   31.611748]
[   31.613346] Allocated by task 2986:
[   31.616945]  save_stack_trace+0x16/0x20
[   31.620889]  save_stack+0x43/0xd0
[   31.624312]  kasan_kmalloc+0xad/0xe0
[   31.627994]  kmem_cache_alloc_trace+0x136/0x750
[   31.632633]  tipc_nameseq_create+0xe8/0x540
[   31.636923]  tipc_nametbl_insert_publ+0xf77/0x17c0
[   31.641820]  tipc_nametbl_publish+0x2aa/0x4f0
[   31.646291]  tipc_bind+0x33a/0x700
[   31.649800]  SYSC_bind+0x1b4/0x3f0
[   31.653319]  SyS_bind+0x24/0x30
[   31.656566]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.661289]
[   31.662885] Freed by task 1535:
[   31.666137]  save_stack_trace+0x16/0x20
[   31.670080]  save_stack+0x43/0xd0
[   31.673501]  kasan_slab_free+0x71/0xc0
[   31.677359]  kfree+0xca/0x250
[   31.680433]  kobject_uevent_env+0x241/0xa80
[   31.684721]  kobject_synth_uevent+0x514/0xad0
[   31.689185]  uevent_store+0x27/0x50
[   31.692780]  dev_attr_store+0x5c/0x90
[   31.696551]  sysfs_kf_write+0x107/0x160
[   31.700494]  kernfs_fop_write+0x2bc/0x450
[   31.704614]  __vfs_write+0xef/0x970
[   31.708227]  vfs_write+0x18f/0x510
[   31.711746]  SyS_write+0xef/0x220
[   31.715174]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   31.719896]
[   31.721493] The buggy address belongs to the object at ffff8801cf2145c0
[   31.721493]  which belongs to the cache kmalloc-32 of size 32
[   31.733944] The buggy address is located 16 bytes inside of
[   31.733944]  32-byte region [ffff8801cf2145c0, ffff8801cf2145e0)
[   31.745610] The buggy address belongs to the page:
[   31.750507] page:ffffea00073c8500 count:1 mapcount:0 mapping:ffff8801cf214000 index:0xffff8801cf214fc1
[   31.759924] flags: 0x200000000000100(slab)
[   31.764129] raw: 0200000000000100 ffff8801cf214000 ffff8801cf214fc1 000000010000003f
[   31.771977] raw: ffffea00073dc720 ffffea00073c8a60 ffff8801dac001c0 0000000000000000
[   31.779826] page dumped because: kasan: bad access detected
[   31.785503]
[   31.787100] Memory state around the buggy address:
[   31.792000]  ffff8801cf214480: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.799337]  ffff8801cf214500: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.806666] >ffff8801cf214580: 00 00 00 00 fc fc fc fc 00 00 fc fc fc fc fc fc
[   31.813991]                                                 ^
[   31.819932]  ffff8801cf214600: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   31.827259]  ffff8801cf214680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.834585] ==================================================================
[   31.841909] Disabling lock debugging due to kernel taint
[   31.847348] Kernel panic - not syncing: panic_on_warn set ...
[   31.847348]
[   31.854677] CPU: 0 PID: 2986 Comm: syzkaller726279 Tainted: G    B           4.14.0-rc1+ #58
[   31.863217] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.872534] Call Trace:
[   31.875089]  dump_stack+0x194/0x257
[   31.878681]  ? arch_local_irq_restore+0x53/0x53
[   31.883319]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.888046]  ? tipc_nametbl_lookup_dst_nodes+0x410/0x4b0
[   31.893473]  panic+0x1e4/0x417
[   31.896636]  ? __warn+0x1d9/0x1d9
[   31.900065]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[   31.905482]  kasan_end_report+0x50/0x50
[   31.909420]  kasan_report+0x137/0x340
[   31.913187]  __asan_report_load4_noabort+0x14/0x20
[   31.918085]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[   31.923330]  tipc_sendmcast+0x704/0xe30
[   31.927279]  ? tipc_release+0xfd0/0xfd0
[   31.931224]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[   31.936381]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[   31.941110]  ? check_noncircular+0x20/0x20
[   31.945315]  ? _raw_spin_unlock+0x22/0x30
[   31.949426]  ? do_huge_pmd_anonymous_page+0xb1d/0x1b00
[   31.954677]  ? check_noncircular+0x20/0x20
[   31.958881]  ? find_held_lock+0x39/0x1d0
[   31.962911]  __tipc_sendmsg+0xf49/0x1590
[   31.966934]  ? __tipc_sendmsg+0xf49/0x1590
[   31.971139]  ? build_sched_domains+0x34e2/0x4ba0
[   31.975861]  ? tipc_sendmcast+0xe30/0xe30
[   31.979977]  ? lock_downgrade+0x990/0x990
[   31.984094]  ? check_same_owner+0x320/0x320
[   31.988381]  ? rw_copy_check_uvector+0x1ce/0x280
[   31.993105]  ? lock_acquire+0x1d5/0x580
[   31.997044]  ? tipc_sendmsg+0x42/0x70
[   32.000816]  ? mark_held_locks+0xb2/0x100
[   32.004939]  ? __local_bh_enable_ip+0x9d/0x160
[   32.009486]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.014469]  ? lock_sock_nested+0x91/0x110
[   32.018667]  ? trace_hardirqs_on+0xd/0x10
[   32.022794]  ? __local_bh_enable_ip+0x9d/0x160
[   32.027343]  tipc_sendmsg+0x50/0x70
[   32.030942]  ? __tipc_sendmsg+0x1590/0x1590
[   32.035233]  sock_sendmsg+0xca/0x110
[   32.038921]  ___sys_sendmsg+0x75b/0x8a0
[   32.042864]  ? copy_msghdr_from_user+0x590/0x590
[   32.047588]  ? lock_downgrade+0x990/0x990
[   32.051709]  ? __fget_light+0x29d/0x390
[   32.055651]  ? fget_raw+0x20/0x20
[   32.059075]  ? handle_mm_fault+0x410/0x8d0
[   32.063284]  ? down_read_trylock+0xdb/0x170
[   32.067571]  ? __do_page_fault+0x2b8/0xb60
[   32.071778]  ? __fdget+0x18/0x20
[   32.075113]  __sys_sendmsg+0xe5/0x210
[   32.078876]  ? __sys_sendmsg+0xe5/0x210
[   32.082814]  ? SyS_shutdown+0x290/0x290
[   32.086754]  ? __do_page_fault+0xb60/0xb60
[   32.090955]  ? fd_install+0x4d/0x60
[   32.094553]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.099535]  SyS_sendmsg+0x2d/0x50
[   32.103044]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   32.107767] RIP: 0033:0x43fdf9
[   32.110923] RSP: 002b:00007ffd5ef04b78 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[   32.118596] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[   32.125830] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[   32.133065] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   32.140298] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[   32.147531] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[   32.155118] Dumping ftrace buffer:
[   32.158622]    (ftrace buffer empty)
[   32.162298] Kernel Offset: disabled
[   32.165891] Rebooting in 86400 seconds..
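The shadow dump at the end of the report is what reconciles two lines that look contradictory: the read is "16 bytes inside of" a 32-byte kmalloc-32 region, yet KASAN calls it slab-out-of-bounds. Each shadow byte covers an 8-byte granule, and the slot at ffff8801cf2145c0 is marked "00 00 fc ...", so the allocation that currently occupies it unpoisoned only its first 16 bytes and the 4-byte read at ffff8801cf2145d0 lands in kmalloc redzone (0xfc), i.e. past the requested size even though still inside the slab slot. The Python script below is an added example, not part of the report and not kernel code; it parses the report header and shadow rows (copied into a constructed string) and derives that mechanically. The poison values are the ones from mm/kasan/kasan.h for the v4.14 kernel in the report.

```python
import re

# Generic KASAN on x86_64: one shadow byte describes 8 bytes of memory.
SHADOW_SCALE = 8

# Poison values from mm/kasan/kasan.h as of v4.14 (the kernel in this report).
# 0x01..0x07 mean "only the first N bytes of this granule are addressable".
SHADOW_NAMES = {
    0x00: "addressable",
    0xfa: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "free page",
}

# Constructed sample: the header and shadow rows of the report above,
# with the printk timestamps stripped so the example runs offline.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
Read of size 4 at addr ffff8801cf2145d0 by task syzkaller726279/2986
The buggy address belongs to the object at ffff8801cf2145c0
 which belongs to the cache kmalloc-32 of size 32
Memory state around the buggy address:
 ffff8801cf214480: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
 ffff8801cf214500: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
>ffff8801cf214580: 00 00 00 00 fc fc fc fc 00 00 fc fc fc fc fc fc
 ffff8801cf214600: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801cf214680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
"""

# A shadow row: optional '>' marker, a 16-digit memory address, 16 shadow bytes.
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def shadow_name(value):
    if 1 <= value <= 7:
        return "partial (%d bytes addressable)" % value
    return SHADOW_NAMES.get(value, "unknown 0x%02x" % value)


def parse_shadow(report):
    """Map each 8-byte granule base address to its shadow byte.

    The left column of a row is a memory address (not a shadow address);
    the 16 bytes after it cover the next 16 granules, i.e. 128 bytes.
    """
    shadow = {}
    for line in report.splitlines():
        m = SHADOW_ROW.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_SCALE] = int(tok, 16)
    return shadow


def parse_header(report):
    """Extract the access, the object base and the slab cache from the text."""
    access = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", report)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", report)
    cache = re.search(r"cache (\S+) of size (\d+)", report)
    return {
        "op": access.group(1),
        "size": int(access.group(2)),
        "addr": int(access.group(3), 16),
        "obj": int(obj.group(1), 16),
        "cache": cache.group(1),
        "slot": int(cache.group(2)),
    }


def addressable_bytes(obj, shadow):
    """Count addressable bytes from obj up to the first poisoned granule.

    This recovers how much of the slot the allocation actually unpoisoned,
    which can be smaller than the slab slot size the report prints.
    """
    n, granule = 0, obj
    while granule in shadow:
        v = shadow[granule]
        if v == 0:
            n += SHADOW_SCALE
            granule += SHADOW_SCALE
        elif 1 <= v <= 7:
            return n + v
        else:
            break
    return n


def analyse(report):
    hdr = parse_header(report)
    shadow = parse_shadow(report)
    usable = addressable_bytes(hdr["obj"], shadow)
    offset = hdr["addr"] - hdr["obj"]
    end = offset + hdr["size"]
    hit = shadow[hdr["addr"] & ~(SHADOW_SCALE - 1)]
    return {
        "offset": offset,                       # bytes from object base to the access
        "usable": usable,                       # bytes the allocation left addressable
        "slot": hdr["slot"],                    # slab slot size from the report
        "hit": shadow_name(hit),                # poison of the faulting granule
        "inside_slot": end <= hdr["slot"],      # why the report says "inside of"
        "inside_allocation": end <= usable,     # why it is still out of bounds
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_REPORT)
    print("%s at +%d: allocation unpoisoned %d of %d bytes, granule is %s"
          % ("access", r["offset"], r["usable"], r["slot"], r["hit"]))
    print("inside slot: %s, inside allocation: %s"
          % (r["inside_slot"], r["inside_allocation"]))
```

The same decoding applies to any generic-KASAN report of this era: a slab-out-of-bounds whose offset is below the slot size is an access past the requested allocation size, and the number of leading 00 granules after the object base tells you what that size was.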