INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-kasan-gce-9,10.128.15.243' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.040406] ==================================================================
[ 33.047815] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 33.055937] Read of size 4 at addr ffff8801cf28c050 by task syzkaller025347/2980
[ 33.063438]
[ 33.065038] CPU: 0 PID: 2980 Comm: syzkaller025347 Not tainted 4.14.0-rc2+ #105
[ 33.072453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.081777] Call Trace:
[ 33.084340]  dump_stack+0x194/0x257
[ 33.087943]  ? arch_local_irq_restore+0x53/0x53
[ 33.092581]  ? show_regs_print_info+0x65/0x65
[ 33.097050]  ? lock_release+0xd70/0xd70
[ 33.100997]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 33.106421]  print_address_description+0x73/0x250
[ 33.111238]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 33.116661]  kasan_report+0x25b/0x340
[ 33.120437]  __asan_report_load4_noabort+0x14/0x20
[ 33.125336]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 33.130594]  tipc_sendmcast+0x70b/0xe20
[ 33.134556]  ? tipc_release+0xfd0/0xfd0
[ 33.138504]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[ 33.143759]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[ 33.148497]  ? clear_page_erms+0x7/0x10
[ 33.152444]  ? check_noncircular+0x20/0x20
[ 33.156661]  ? _raw_spin_unlock+0x22/0x30
[ 33.160791]  ? do_huge_pmd_anonymous_page+0xb1d/0x1b00
[ 33.166042]  ? check_noncircular+0x20/0x20
[ 33.170251]  ? find_held_lock+0x39/0x1d0
[ 33.174377]  __tipc_sendmsg+0xf49/0x1590
[ 33.178425]  ? __tipc_sendmsg+0xf49/0x1590
[ 33.183262]  ? build_sched_domains+0x3602/0x4ba0
[ 33.188004]  ? tipc_sendmcast+0xe20/0xe20
[ 33.192136]  ? lock_downgrade+0x990/0x990
[ 33.196254]  ? check_same_owner+0x320/0x320
[ 33.200556]  ? lock_acquire+0x1d5/0x580
[ 33.204501]  ? tipc_sendmsg+0x42/0x70
[ 33.208285]  ? mark_held_locks+0xb2/0x100
[ 33.212579]  ? __local_bh_enable_ip+0x9d/0x160
[ 33.217134]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.222122]  ? lock_sock_nested+0x91/0x110
[ 33.226329]  ? trace_hardirqs_on+0xd/0x10
[ 33.230450]  ? __local_bh_enable_ip+0x9d/0x160
[ 33.235010]  tipc_sendmsg+0x50/0x70
[ 33.238616]  ? __tipc_sendmsg+0x1590/0x1590
[ 33.242914]  sock_sendmsg+0xca/0x110
[ 33.246607]  ___sys_sendmsg+0x75b/0x8a0
[ 33.250557]  ? copy_msghdr_from_user+0x590/0x590
[ 33.255296]  ? lock_downgrade+0x990/0x990
[ 33.259424]  ? __fget_light+0x29d/0x390
[ 33.263373]  ? fget_raw+0x20/0x20
[ 33.266804]  ? handle_mm_fault+0x410/0x8d0
[ 33.271010]  ? down_read_trylock+0xdb/0x170
[ 33.275303]  ? __do_page_fault+0x2b8/0xb60
[ 33.279522]  ? __fdget+0x18/0x20
[ 33.282864]  __sys_sendmsg+0xe5/0x210
[ 33.286634]  ? __sys_sendmsg+0xe5/0x210
[ 33.290581]  ? SyS_shutdown+0x290/0x290
[ 33.294541]  ? __do_page_fault+0xb60/0xb60
[ 33.298753]  ? fd_install+0x4d/0x60
[ 33.302365]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.307359]  SyS_sendmsg+0x2d/0x50
[ 33.310873]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 33.315599] RIP: 0033:0x43fdf9
[ 33.318758] RSP: 002b:00007fffd728ef58 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[ 33.326449] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[ 33.333688] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 33.340929] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 33.348177] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[ 33.355418] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[ 33.362676]
[ 33.364274] Allocated by task 2980:
[ 33.367873]  save_stack_trace+0x16/0x20
[ 33.371816]  save_stack+0x43/0xd0
[ 33.375238]  kasan_kmalloc+0xad/0xe0
[ 33.378920]  kmem_cache_alloc_trace+0x136/0x750
[ 33.383560]  tipc_nameseq_create+0xe8/0x540
[ 33.387849]  tipc_nametbl_insert_publ+0xf77/0x17c0
[ 33.392743]  tipc_nametbl_publish+0x2aa/0x4f0
[ 33.397206]  tipc_bind+0x33a/0x700
[ 33.400714]  SYSC_bind+0x1b4/0x3f0
[ 33.404222]  SyS_bind+0x24/0x30
[ 33.407471]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 33.412196]
[ 33.413793] Freed by task 1534:
[ 33.417042]  save_stack_trace+0x16/0x20
[ 33.420983]  save_stack+0x43/0xd0
[ 33.424406]  kasan_slab_free+0x71/0xc0
[ 33.428262]  kfree+0xca/0x250
[ 33.431339]  kobject_uevent_env+0x251/0xb00
[ 33.435631]  kobject_synth_uevent+0x514/0xad0
[ 33.440098]  uevent_store+0x27/0x50
[ 33.443696]  dev_attr_store+0x5c/0x90
[ 33.447467]  sysfs_kf_write+0x107/0x160
[ 33.451407]  kernfs_fop_write+0x2bc/0x450
[ 33.455524]  __vfs_write+0xef/0x970
[ 33.459120]  vfs_write+0x18f/0x510
[ 33.462629]  SyS_write+0xef/0x220
[ 33.466062]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 33.470782]
[ 33.472380] The buggy address belongs to the object at ffff8801cf28c040
[ 33.472380]  which belongs to the cache kmalloc-32 of size 32
[ 33.484828] The buggy address is located 16 bytes inside of
[ 33.484828]  32-byte region [ffff8801cf28c040, ffff8801cf28c060)
[ 33.496494] The buggy address belongs to the page:
[ 33.501394] page:ffffea00073ca300 count:1 mapcount:0 mapping:ffff8801cf28c000 index:0xffff8801cf28cfc1
[ 33.510813] flags: 0x200000000000100(slab)
[ 33.515019] raw: 0200000000000100 ffff8801cf28c000 ffff8801cf28cfc1 000000010000003f
[ 33.522870] raw: ffffea00073ca620 ffffea00073ae560 ffff8801dac001c0 0000000000000000
[ 33.530718] page dumped because: kasan: bad access detected
[ 33.536395]
[ 33.537992] Memory state around the buggy address:
[ 33.542891]  ffff8801cf28bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.550218]  ffff8801cf28bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.557545] >ffff8801cf28c000: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 33.564872]                                                  ^
[ 33.570814]  ffff8801cf28c080: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.578143]  ffff8801cf28c100: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.585471] ==================================================================
[ 33.592799] Disabling lock debugging due to kernel taint
[ 33.598284] Kernel panic - not syncing: panic_on_warn set ...
[ 33.598284]
[ 33.605617] CPU: 0 PID: 2980 Comm: syzkaller025347 Tainted: G B 4.14.0-rc2+ #105
[ 33.614242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.623559] Call Trace:
[ 33.626117]  dump_stack+0x194/0x257
[ 33.629711]  ? arch_local_irq_restore+0x53/0x53
[ 33.634348]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.639070]  ? tipc_nametbl_lookup_dst_nodes+0x3f0/0x4b0
[ 33.644487]  panic+0x1e4/0x417
[ 33.647642]  ? __warn+0x1d9/0x1d9
[ 33.651068]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 33.656482]  kasan_end_report+0x50/0x50
[ 33.660421]  kasan_report+0x144/0x340
[ 33.664186]  __asan_report_load4_noabort+0x14/0x20
[ 33.669081]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 33.674325]  tipc_sendmcast+0x70b/0xe20
[ 33.678271]  ? tipc_release+0xfd0/0xfd0
[ 33.682212]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[ 33.687369]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[ 33.692108]  ? clear_page_erms+0x7/0x10
[ 33.696048]  ? check_noncircular+0x20/0x20
[ 33.700262]  ? _raw_spin_unlock+0x22/0x30
[ 33.704375]  ? do_huge_pmd_anonymous_page+0xb1d/0x1b00
[ 33.709617]  ? check_noncircular+0x20/0x20
[ 33.713816]  ? find_held_lock+0x39/0x1d0
[ 33.717846]  __tipc_sendmsg+0xf49/0x1590
[ 33.721871]  ? __tipc_sendmsg+0xf49/0x1590
[ 33.726071]  ? build_sched_domains+0x3602/0x4ba0
[ 33.730789]  ? tipc_sendmcast+0xe20/0xe20
[ 33.734905]  ? lock_downgrade+0x990/0x990
[ 33.739017]  ? check_same_owner+0x320/0x320
[ 33.743308]  ? lock_acquire+0x1d5/0x580
[ 33.747244]  ? tipc_sendmsg+0x42/0x70
[ 33.751016]  ? mark_held_locks+0xb2/0x100
[ 33.755128]  ? __local_bh_enable_ip+0x9d/0x160
[ 33.759674]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.764653]  ? lock_sock_nested+0x91/0x110
[ 33.768851]  ? trace_hardirqs_on+0xd/0x10
[ 33.772960]  ? __local_bh_enable_ip+0x9d/0x160
[ 33.777506]  tipc_sendmsg+0x50/0x70
[ 33.781095]  ? __tipc_sendmsg+0x1590/0x1590
[ 33.785384]  sock_sendmsg+0xca/0x110
[ 33.789063]  ___sys_sendmsg+0x75b/0x8a0
[ 33.793001]  ? copy_msghdr_from_user+0x590/0x590
[ 33.797723]  ? lock_downgrade+0x990/0x990
[ 33.801841]  ? __fget_light+0x29d/0x390
[ 33.805780]  ? fget_raw+0x20/0x20
[ 33.809202]  ? handle_mm_fault+0x410/0x8d0
[ 33.813397]  ? down_read_trylock+0xdb/0x170
[ 33.817681]  ? __do_page_fault+0x2b8/0xb60
[ 33.821890]  ? __fdget+0x18/0x20
[ 33.825222]  __sys_sendmsg+0xe5/0x210
[ 33.828987]  ? __sys_sendmsg+0xe5/0x210
[ 33.832932]  ? SyS_shutdown+0x290/0x290
[ 33.836871]  ? __do_page_fault+0xb60/0xb60
[ 33.841074]  ? fd_install+0x4d/0x60
[ 33.844672]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.849653]  SyS_sendmsg+0x2d/0x50
[ 33.853159]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 33.857877] RIP: 0033:0x43fdf9
[ 33.861029] RSP: 002b:00007fffd728ef58 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[ 33.868697] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[ 33.875932] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 33.883166] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 33.890399] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[ 33.897632] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[ 33.905262] Dumping ftrace buffer:
[ 33.908763]    (ftrace buffer empty)
[ 33.912437] Kernel Offset: disabled
[ 33.916030] Rebooting in 86400 seconds..
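The "Memory state around the buggy address" dump is the part of a KASAN report that explains the verdict, and here it also resolves an apparent contradiction: the report calls the bug slab-out-of-bounds while saying the address is "16 bytes inside of" the 32-byte slab object. The following is an added example, not part of the syzkaller log above and not kernel code: it decodes the ">" shadow row copied from the report the way KASAN itself does (one shadow byte per 8-byte granule; 0x00 fully addressable, 0x01..0x07 partially addressable, high values poison). The poison names and values are assumed from mm/kasan/kasan.h of the v4.14 kernel, matching the 4.14.0-rc2+ build in the log; `row`, `bug_addr`, `bug_size` and `obj_start` are literals taken from the report.

```c
/*
 * Added example (not from the report or the kernel): decode a KASAN shadow
 * row and re-run the access check that produced the report above.
 * Each shadow byte covers 8 bytes of kernel memory (KASAN_SHADOW_SCALE_SHIFT
 * = 3): 0x00 means all 8 are addressable, 0x01..0x07 means only the first N
 * are, and the high values are poison codes (assumed from v4.14 mm/kasan/kasan.h).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE ((uint64_t)1 << KASAN_SHADOW_SCALE_SHIFT)
#define SHADOW_BYTES_PER_ROW 16

/* Poison codes as defined in mm/kasan/kasan.h (v4.14). */
#define KASAN_FREE_PAGE        0xFF
#define KASAN_PAGE_REDZONE     0xFE
#define KASAN_KMALLOC_REDZONE  0xFC
#define KASAN_KMALLOC_FREE     0xFB
#define KASAN_GLOBAL_REDZONE   0xFA
#define KASAN_USE_AFTER_SCOPE  0xF8

/* The ">" row copied from the report: shadow for [ffff8801cf28c000, ffff8801cf28c080). */
static const uint64_t row_base = 0xffff8801cf28c000ULL;
static const uint8_t row[SHADOW_BYTES_PER_ROW] = {
    0xfb, 0xfb, 0xfb, 0xfb, 0xfc, 0xfc, 0xfc, 0xfc,
    0x00, 0x00, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc,
};

/* Taken from the report's "Read of size 4 at addr ..." and "object at ..." lines. */
static const uint64_t bug_addr  = 0xffff8801cf28c050ULL;
static const size_t   bug_size  = 4;
static const uint64_t obj_start = 0xffff8801cf28c040ULL;

/* Shadow byte covering addr, or -1 when addr lies outside the dumped row. */
int shadow_byte(uint64_t addr)
{
    if (addr < row_base)
        return -1;
    uint64_t idx = (addr - row_base) >> KASAN_SHADOW_SCALE_SHIFT;
    return idx < SHADOW_BYTES_PER_ROW ? row[idx] : -1;
}

/* Human-readable meaning of one shadow value. */
const char *describe(int shadow)
{
    switch (shadow) {
    case 0x00:                  return "addressable";
    case KASAN_FREE_PAGE:       return "freed page";
    case KASAN_PAGE_REDZONE:    return "page redzone";
    case KASAN_KMALLOC_REDZONE: return "kmalloc redzone (slab-out-of-bounds)";
    case KASAN_KMALLOC_FREE:    return "freed kmalloc object (use-after-free)";
    case KASAN_GLOBAL_REDZONE:  return "global redzone";
    case KASAN_USE_AFTER_SCOPE: return "out-of-scope stack variable";
    default:
        if (shadow >= 1 && shadow <= 7)
            return "partially addressable granule";
        return "unknown/outside dump";
    }
}

/* A byte is addressable if its granule is 0x00, or it falls in the first N bytes of a partial granule. */
int byte_addressable(uint64_t addr)
{
    int s = shadow_byte(addr);
    if (s == 0)
        return 1;
    if (s >= 1 && s <= 7)
        return (int)(addr & (KASAN_GRANULE - 1)) < s;
    return 0; /* poison, or outside the dumped row */
}

/* Mirror of the check KASAN runs on every load/store: one poisoned byte in [addr, addr+size) is a report. */
int access_is_bad(uint64_t addr, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (!byte_addressable(addr + i))
            return 1;
    return 0;
}

/* Contiguous addressable bytes from obj: the size kmalloc() unpoisoned, i.e. the size that was requested. */
size_t addressable_run(uint64_t obj)
{
    size_t n = 0;
    while (byte_addressable(obj + n))
        n++;
    return n;
}

int main(void)
{
    int s = shadow_byte(bug_addr);
    printf("shadow for %#llx = 0x%02x: %s\n",
           (unsigned long long)bug_addr, s, describe(s));
    printf("%zu-byte read at object+%llu is %s\n", bug_size,
           (unsigned long long)(bug_addr - obj_start),
           access_is_bad(bug_addr, bug_size) ? "BAD" : "ok");
    printf("object at %#llx: %zu addressable bytes inside the 32-byte slab object\n",
           (unsigned long long)obj_start, addressable_run(obj_start));
    return 0;
}
```

Reading the row this way: the granules at ffff8801cf28c040 and c048 are 0x00, everything from c050 on is 0xfc. So although the slab object is 32 bytes, only 16 of them were unpoisoned by kasan_kmalloc(), which means the allocation in tipc_nameseq_create() asked for at most 16 bytes and the 4-byte read at object+16 lands in the kmalloc redzone; that is why KASAN classifies it as slab-out-of-bounds even though the "located 16 bytes inside of 32-byte region" line describes the slab object, not the requested size. The 0xfb granules at c000 belong to a neighbouring object that was freed (the "Freed by task 1534" stack refers to it) and are not involved in this access. The `^` in the original dump marks exactly the shadow byte this decoder returns for the buggy address.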