INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-3,10.128.15.200' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 31.094761] ==================================================================
[ 31.102161] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 31.110272] Read of size 4 at addr ffff8801ce7adc10 by task syzkaller223169/2989
[ 31.117771] 
[ 31.119370] CPU: 1 PID: 2989 Comm: syzkaller223169 Not tainted 4.14.0-rc2-next-20170928+ #31
[ 31.127911] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.137235] Call Trace:
[ 31.139793]  dump_stack+0x194/0x257
[ 31.143392]  ? arch_local_irq_restore+0x53/0x53
[ 31.148032]  ? show_regs_print_info+0x65/0x65
[ 31.152503]  ? lock_release+0xd70/0xd70
[ 31.156450]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 31.161874]  print_address_description+0x73/0x250
[ 31.166685]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 31.172105]  kasan_report+0x25b/0x340
[ 31.175882]  __asan_report_load4_noabort+0x14/0x20
[ 31.180781]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 31.186040]  tipc_sendmcast+0x70b/0xe20
[ 31.189997]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[ 31.195163]  ? tipc_release+0xfd0/0xfd0
[ 31.199108]  ? do_raw_spin_trylock+0x190/0x190
[ 31.203664]  ? trace_event_raw_event_sched_switch+0x740/0x770
[ 31.209540]  ? check_noncircular+0x20/0x20
[ 31.213752]  ? __thp_get_unmapped_area+0x130/0x130
[ 31.218653]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 31.223814]  ? check_noncircular+0x20/0x20
[ 31.228026]  ? find_held_lock+0x39/0x1d0
[ 31.232070]  __tipc_sendmsg+0xf49/0x1590
[ 31.236107]  ? __tipc_sendmsg+0xf49/0x1590
[ 31.240325]  ? put_prev_task_stop+0x6f2/0x980
[ 31.244794]  ? tipc_sendmcast+0xe20/0xe20
[ 31.248920]  ? lock_downgrade+0x990/0x990
[ 31.253040]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 31.258906]  ? lock_acquire+0x1d5/0x580
[ 31.262851]  ? tipc_sendmsg+0x42/0x70
[ 31.266634]  ? mark_held_locks+0xb2/0x100
[ 31.270754]  ? __local_bh_enable_ip+0x9d/0x160
[ 31.275308]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.280295]  ? lock_sock_nested+0x91/0x110
[ 31.284500]  ? trace_hardirqs_on+0xd/0x10
[ 31.288618]  ? __local_bh_enable_ip+0x9d/0x160
[ 31.293176]  tipc_sendmsg+0x50/0x70
[ 31.296772]  ? __tipc_sendmsg+0x1590/0x1590
[ 31.301067]  sock_sendmsg+0xca/0x110
[ 31.304752]  ___sys_sendmsg+0x75b/0x8a0
[ 31.308701]  ? copy_msghdr_from_user+0x590/0x590
[ 31.313443]  ? __fget_light+0x29d/0x390
[ 31.317397]  ? fget_raw+0x20/0x20
[ 31.320827]  ? vmacache_find+0x5f/0x280
[ 31.324794]  ? __fdget+0x18/0x20
[ 31.328135]  __sys_sendmsg+0xe5/0x210
[ 31.331905]  ? __sys_sendmsg+0xe5/0x210
[ 31.335850]  ? SyS_shutdown+0x290/0x290
[ 31.339797]  ? __do_page_fault+0xd60/0xd60
[ 31.344007]  ? fd_install+0x4d/0x60
[ 31.347618]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.352607]  SyS_sendmsg+0x2d/0x50
[ 31.356123]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.360848] RIP: 0033:0x43fdf9
[ 31.364009] RSP: 002b:00007ffc67ec7728 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[ 31.371691] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[ 31.378931] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 31.386171] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 31.393412] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[ 31.400650] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[ 31.407910] 
[ 31.409508] Allocated by task 2989:
[ 31.413107]  save_stack_trace+0x16/0x20
[ 31.417056]  save_stack+0x43/0xd0
[ 31.420478]  kasan_kmalloc+0xad/0xe0
[ 31.424161]  kmem_cache_alloc_trace+0x136/0x750
[ 31.428798]  tipc_nameseq_create+0xe8/0x540
[ 31.433457]  tipc_nametbl_insert_publ+0xf77/0x17c0
[ 31.438356]  tipc_nametbl_publish+0x2aa/0x4f0
[ 31.442818]  tipc_bind+0x33a/0x700
[ 31.446330]  SYSC_bind+0x1b4/0x3f0
[ 31.449838]  SyS_bind+0x24/0x30
[ 31.453087]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.457818] 
[ 31.459413] Freed by task 1534:
[ 31.462661]  save_stack_trace+0x16/0x20
[ 31.466606]  save_stack+0x43/0xd0
[ 31.470029]  kasan_slab_free+0x71/0xc0
[ 31.473887]  kfree+0xca/0x250
[ 31.476960]  kobject_uevent_env+0x248/0xbc0
[ 31.481250]  kobject_synth_uevent+0x514/0xad0
[ 31.486076]  uevent_store+0x27/0x50
[ 31.489670]  dev_attr_store+0x5c/0x90
[ 31.493449]  sysfs_kf_write+0x107/0x160
[ 31.497394]  kernfs_fop_write+0x2bc/0x450
[ 31.501509]  __vfs_write+0xef/0x970
[ 31.505103]  vfs_write+0x18f/0x510
[ 31.508609]  SyS_write+0xef/0x220
[ 31.512030]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.516754] 
[ 31.518353] The buggy address belongs to the object at ffff8801ce7adc00
[ 31.518353]  which belongs to the cache kmalloc-32 of size 32
[ 31.530803] The buggy address is located 16 bytes inside of
[ 31.530803]  32-byte region [ffff8801ce7adc00, ffff8801ce7adc20)
[ 31.542469] The buggy address belongs to the page:
[ 31.547365] page:ffffea000739eb40 count:1 mapcount:0 mapping:ffff8801ce7ad000 index:0xffff8801ce7adfc1
[ 31.556781] flags: 0x200000000000100(slab)
[ 31.560986] raw: 0200000000000100 ffff8801ce7ad000 ffff8801ce7adfc1 000000010000003f
[ 31.568834] raw: ffffea00073abce0 ffffea00073df8e0 ffff8801dac001c0 0000000000000000
[ 31.576680] page dumped because: kasan: bad access detected
[ 31.582356] 
[ 31.583951] Memory state around the buggy address:
[ 31.588851]  ffff8801ce7adb00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 31.596180]  ffff8801ce7adb80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.603505] >ffff8801ce7adc00: 00 00 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[ 31.610832]                          ^
[ 31.614688]  ffff8801ce7adc80: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 31.622017]  ffff8801ce7add00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.629344] ==================================================================
[ 31.636670] Disabling lock debugging due to kernel taint
[ 31.642120] Kernel panic - not syncing: panic_on_warn set ...
[ 31.642120] 
[ 31.649447] CPU: 1 PID: 2989 Comm: syzkaller223169 Tainted: G    B   4.14.0-rc2-next-20170928+ #31
[ 31.659197] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.668513] Call Trace:
[ 31.671069]  dump_stack+0x194/0x257
[ 31.674663]  ? arch_local_irq_restore+0x53/0x53
[ 31.679297]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.684018]  ? tipc_nametbl_lookup_dst_nodes+0x430/0x4b0
[ 31.689435]  panic+0x1e4/0x417
[ 31.692591]  ? __warn+0x1d9/0x1d9
[ 31.696015]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 31.701431]  kasan_end_report+0x50/0x50
[ 31.705371]  kasan_report+0x144/0x340
[ 31.709138]  __asan_report_load4_noabort+0x14/0x20
[ 31.714032]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 31.719278]  tipc_sendmcast+0x70b/0xe20
[ 31.723222]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[ 31.728380]  ? tipc_release+0xfd0/0xfd0
[ 31.732320]  ? do_raw_spin_trylock+0x190/0x190
[ 31.736868]  ? trace_event_raw_event_sched_switch+0x740/0x770
[ 31.742729]  ? check_noncircular+0x20/0x20
[ 31.746929]  ? __thp_get_unmapped_area+0x130/0x130
[ 31.751821]  ? debug_check_no_locks_freed+0x3d0/0x3d0
[ 31.756977]  ? check_noncircular+0x20/0x20
[ 31.761178]  ? find_held_lock+0x39/0x1d0
[ 31.765209]  __tipc_sendmsg+0xf49/0x1590
[ 31.769234]  ? __tipc_sendmsg+0xf49/0x1590
[ 31.773438]  ? put_prev_task_stop+0x6f2/0x980
[ 31.777899]  ? tipc_sendmcast+0xe20/0xe20
[ 31.782019]  ? lock_downgrade+0x990/0x990
[ 31.786132]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 31.791985]  ? lock_acquire+0x1d5/0x580
[ 31.795923]  ? tipc_sendmsg+0x42/0x70
[ 31.799693]  ? mark_held_locks+0xb2/0x100
[ 31.803807]  ? __local_bh_enable_ip+0x9d/0x160
[ 31.808353]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.813336]  ? lock_sock_nested+0x91/0x110
[ 31.817534]  ? trace_hardirqs_on+0xd/0x10
[ 31.821647]  ? __local_bh_enable_ip+0x9d/0x160
[ 31.826195]  tipc_sendmsg+0x50/0x70
[ 31.829786]  ? __tipc_sendmsg+0x1590/0x1590
[ 31.834071]  sock_sendmsg+0xca/0x110
[ 31.837750]  ___sys_sendmsg+0x75b/0x8a0
[ 31.841690]  ? copy_msghdr_from_user+0x590/0x590
[ 31.846418]  ? __fget_light+0x29d/0x390
[ 31.850357]  ? fget_raw+0x20/0x20
[ 31.853778]  ? vmacache_find+0x5f/0x280
[ 31.857725]  ? __fdget+0x18/0x20
[ 31.861056]  __sys_sendmsg+0xe5/0x210
[ 31.864817]  ? __sys_sendmsg+0xe5/0x210
[ 31.868756]  ? SyS_shutdown+0x290/0x290
[ 31.872697]  ? __do_page_fault+0xd60/0xd60
[ 31.876899]  ? fd_install+0x4d/0x60
[ 31.880498]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.885480]  SyS_sendmsg+0x2d/0x50
[ 31.888984]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 31.893702] RIP: 0033:0x43fdf9
[ 31.896857] RSP: 002b:00007ffc67ec7728 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[ 31.904527] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[ 31.911760] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 31.918994] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 31.926229] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[ 31.933462] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[ 31.941052] Dumping ftrace buffer:
[ 31.944557]    (ftrace buffer empty)
[ 31.948233] Kernel Offset: disabled
[ 31.951825] Rebooting in 86400 seconds..
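Added example, not part of the syzkaller report or of the kernel tree: a small decoder that reads the report's own "Read of size", "belongs to the object at", "cache kmalloc-32 of size 32" and "Memory state" lines and reconstructs what the shadow bytes say about the access. The kernel's sentence "located 16 bytes inside of 32-byte region" describes the slab slot; the shadow row marked with ">" (00 00 fc fc ...) shows that only the first 16 bytes of that slot were handed out by kmalloc, so the 4-byte read at +16 lands in the kmalloc redzone. The shadow encoding used below (0x00 fully addressable, 0x01..0x07 partially addressable, 0xfc kmalloc redzone, 0xfb freed object, 0xfe/0xff page poison) is the generic KASAN encoding of that kernel; the REPORT string is excerpted from the log above.

```python
"""Decode a KASAN slab-out-of-bounds report from its shadow bytes.

Added example; not the syzkaller report's or the kernel's own code.
"""
import re

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory

# Generic KASAN poison values (mm/kasan). 0x00 means all 8 bytes of the
# granule are addressable, 0x01..0x07 means only the first N bytes are.
POISON = {
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone (slot bytes past the requested size)",
    0xfe: "page redzone",
    0xff: "freed page",
}

# Lines excerpted from the report above, timestamps kept as printed.
REPORT = """\
[ 31.110272] Read of size 4 at addr ffff8801ce7adc10 by task syzkaller223169/2989
[ 31.518353] The buggy address belongs to the object at ffff8801ce7adc00
[ 31.518353]  which belongs to the cache kmalloc-32 of size 32
[ 31.583951] Memory state around the buggy address:
[ 31.588851]  ffff8801ce7adb00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 31.596180]  ffff8801ce7adb80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 31.603505] >ffff8801ce7adc00: 00 00 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[ 31.614688]  ffff8801ce7adc80: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[ 31.622017]  ffff8801ce7add00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
"""


def parse_shadow(text):
    """Map the start address of each 8-byte granule to its shadow byte.

    Each "Memory state" row lists 16 shadow bytes, so rows are 0x80 apart.
    """
    shadow = {}
    for m in re.finditer(r"([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})", text):
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_GRANULE] = int(byte, 16)
    return shadow


def addressable(shadow, addr):
    """True if the byte at addr belongs to a live allocation."""
    granule = addr & ~(SHADOW_GRANULE - 1)
    value = shadow.get(granule)
    if value is None:          # outside the dumped window: treat as unknown/bad
        return False
    if value == 0:
        return True
    if 0 < value < SHADOW_GRANULE:   # partially addressable granule
        return addr - granule < value
    return False                     # redzone, freed, or other poison


def usable_size(shadow, obj):
    """Bytes from obj up to the first byte KASAN marks non-addressable."""
    n = 0
    while addressable(shadow, obj + n):
        n += 1
    return n


def analyze(report):
    """Pull the access, object and cache facts out of the report text."""
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", report)
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    obj = int(re.search(r"object at ([0-9a-f]+)", report).group(1), 16)
    m = re.search(r"cache (\S+) of size (\d+)", report)
    cache, slot = m.group(1), int(m.group(2))
    shadow = parse_shadow(report)
    bad = [a for a in range(addr, addr + size) if not addressable(shadow, a)]
    poison = None
    if bad:
        poison = POISON.get(shadow.get(bad[0] & ~(SHADOW_GRANULE - 1)))
    return {
        "kind": kind,
        "size": size,
        "cache": cache,
        "slot_size": slot,
        "usable_size": usable_size(shadow, obj),
        "access_offset": addr - obj,
        "bad_bytes": len(bad),
        "poison": poison,
    }


def summary(facts):
    """One-line triage verdict built from analyze()'s result."""
    if not facts["bad_bytes"]:
        return "access lies inside the allocation"
    return (f"{facts['kind']} of {facts['size']} bytes at offset "
            f"{facts['access_offset']} of a {facts['cache']} object whose "
            f"requested size is {facts['usable_size']} (slot {facts['slot_size']}): "
            f"{facts['bad_bytes']} byte(s) hit {facts['poison']}")


if __name__ == "__main__":
    print(summary(analyze(REPORT)))
```

For this report the decoder yields a 4-byte read at offset 16 of an object whose requested size is 16 bytes, all four bytes in the kmalloc redzone, which matches the allocation site: kmem_cache_alloc_trace called from tipc_nameseq_create on the bind path, read later on the sendmsg multicast path through tipc_sendmcast. The decoder deliberately ignores the "Freed by task 1534" stack (the kobject_uevent path): for an out-of-bounds report on a live object, that stack is the slot's previous free record, which KASAN does not clear on reallocation, so it is not part of this bug's path.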