INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-net-kasan-gce-3,10.128.0.31' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   64.158659] ==================================================================
[   64.166068] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   64.174193] Read of size 4 at addr ffff8801d3275f10 by task syzkaller601354/2981
[   64.181696]
[   64.183299] CPU: 1 PID: 2981 Comm: syzkaller601354 Not tainted 4.13.0+ #42
[   64.190281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.199611] Call Trace:
[   64.202177]  dump_stack+0x194/0x257
[   64.205785]  ? arch_local_irq_restore+0x53/0x53
[   64.210430]  ? show_regs_print_info+0x65/0x65
[   64.214902]  ? lock_release+0xd70/0xd70
[   64.218854]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   64.224285]  print_address_description+0x73/0x250
[   64.229106]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   64.234557]  kasan_report+0x24e/0x340
[   64.238338]  __asan_report_load4_noabort+0x14/0x20
[   64.243240]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   64.248498]  tipc_sendmcast+0x704/0xe30
[   64.252446]  ? unwind_dump+0x4c0/0x4c0
[   64.256339]  ? tipc_release+0xfd0/0xfd0
[   64.260292]  ? unwind_get_return_address+0x61/0xa0
[   64.265199]  ? __is_insn_slot_addr+0x1fc/0x330
[   64.269755]  ? lock_downgrade+0x990/0x990
[   64.273880]  ? __sys_sendmsg+0xe5/0x210
[   64.277840]  ? lock_release+0xd70/0xd70
[   64.281788]  ? __read_once_size_nocheck.constprop.8+0x10/0x10
[   64.287678]  ? is_bpf_text_address+0x7b/0x120
[   64.292149]  ? lock_downgrade+0x990/0x990
[   64.296277]  ? show_initstate+0xb0/0xb0
[   64.300228]  ? __bfs+0xaa/0x750
[   64.303489]  ? noop_count+0x40/0x40
[   64.307101]  __tipc_sendmsg+0xf49/0x1590
[   64.311135]  ? __tipc_sendmsg+0xf49/0x1590
[   64.315343]  ? unwind_dump+0x4c0/0x4c0
[   64.319217]  ? tipc_sendmcast+0xe30/0xe30
[   64.323339]  ? is_bpf_text_address+0xa4/0x120
[   64.327815]  ? check_usage_backwards+0x20a/0x420
[   64.332561]  ? print_shortest_lock_dependencies+0x350/0x350
[   64.338273]  ? save_stack_trace+0x16/0x20
[   64.342396]  ? save_trace+0x11f/0x350
[   64.346186]  ? mark_held_locks+0xb2/0x100
[   64.350309]  ? __raw_spin_lock_init+0x1c/0x100
[   64.354874]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   64.359862]  ? __lockdep_init_map+0xe4/0x650
[   64.364250]  ? lockdep_init_map+0x3d/0x70
[   64.368379]  __tipc_sendstream+0x8eb/0xc00
[   64.372590]  ? find_held_lock+0x39/0x1d0
[   64.376643]  ? tipc_connect+0x6d0/0x6d0
[   64.380595]  ? lock_downgrade+0x990/0x990
[   64.384725]  ? lock_acquire+0x1d5/0x580
[   64.388671]  ? tipc_sendstream+0x42/0x70
[   64.392717]  ? mark_held_locks+0xb2/0x100
[   64.396850]  ? __local_bh_enable_ip+0x9d/0x160
[   64.401414]  tipc_sendstream+0x50/0x70
[   64.405276]  tipc_send_packet+0x33/0x50
[   64.409221]  ? tipc_sendstream+0x70/0x70
[   64.413287]  sock_sendmsg+0xca/0x110
[   64.416975]  ___sys_sendmsg+0x75b/0x8a0
[   64.420956]  ? copy_msghdr_from_user+0x590/0x590
[   64.425709]  ? startup_64+0x10/0x30
[   64.429317]  ? __fget_light+0x29d/0x390
[   64.433266]  ? fget_raw+0x20/0x20
[   64.436703]  ? handle_mm_fault+0x4a2/0x860
[   64.440924]  ? down_read_trylock+0xdb/0x170
[   64.445236]  ? __fdget+0x18/0x20
[   64.448582]  __sys_sendmsg+0xe5/0x210
[   64.452353]  ? __sys_sendmsg+0xe5/0x210
[   64.456305]  ? SyS_shutdown+0x290/0x290
[   64.460257]  ? __do_page_fault+0xb60/0xb60
[   64.464471]  ? fd_install+0x4d/0x60
[   64.468085]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   64.473080]  SyS_sendmsg+0x2d/0x50
[   64.476599]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   64.481326] RIP: 0033:0x43fd79
[   64.484489] RSP: 002b:00007ffcb61e8988 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[   64.492169] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd79
[   64.499415] RDX: 0000000000000004 RSI: 00000000207ca000 RDI: 0000000000000003
[   64.506663] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   64.513914] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016e0
[   64.521157] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   64.528418]
[   64.530019] Allocated by task 1:
[   64.533361]  save_stack_trace+0x16/0x20
[   64.537307]  save_stack+0x43/0xd0
[   64.540730]  kasan_kmalloc+0xad/0xe0
[   64.544415]  kmem_cache_alloc_trace+0x136/0x750
[   64.549056]  tipc_nameseq_create+0xe8/0x540
[   64.553346]  tipc_nametbl_insert_publ+0xf77/0x17c0
[   64.558244]  tipc_nametbl_publish+0x2aa/0x4f0
[   64.562711]  tipc_bind+0x33a/0x700
[   64.566223]  kernel_bind+0x62/0x80
[   64.569732]  tipc_server_start+0x3a1/0xb60
[   64.573937]  tipc_topsrv_start+0x64f/0x890
[   64.578143]  tipc_init_net+0x3cc/0x570
[   64.582000]  ops_init+0x10a/0x570
[   64.585422]  register_pernet_operations+0x45e/0x980
[   64.590407]  register_pernet_subsys+0x2a/0x40
[   64.594877]  tipc_init+0x83/0x104
[   64.598339]  do_one_initcall+0x9e/0x330
[   64.602284]  kernel_init_freeable+0x469/0x521
[   64.606750]  kernel_init+0x13/0x172
[   64.610348]  ret_from_fork+0x2a/0x40
[   64.614038]
[   64.615639] Freed by task 0:
[   64.618625] (stack is not available)
[   64.622304]
[   64.623901] The buggy address belongs to the object at ffff8801d3275f00
[   64.623901]  which belongs to the cache kmalloc-32 of size 32
[   64.636366] The buggy address is located 16 bytes inside of
[   64.636366]  32-byte region [ffff8801d3275f00, ffff8801d3275f20)
[   64.648050] The buggy address belongs to the page:
[   64.652951] page:ffffea00074c9d40 count:1 mapcount:0 mapping:ffff8801d3275000 index:0xffff8801d3275fc1
[   64.662374] flags: 0x200000000000100(slab)
[   64.666582] raw: 0200000000000100 ffff8801d3275000 ffff8801d3275fc1 000000010000003f
[   64.674436] raw: ffffea00074c8920 ffffea00074cea20 ffff8801dac001c0 0000000000000000
[   64.682285] page dumped because: kasan: bad access detected
[   64.687968]
[   64.689565] Memory state around the buggy address:
[   64.694463]  ffff8801d3275e00: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   64.701797]  ffff8801d3275e80: 04 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   64.709129] >ffff8801d3275f00: 00 00 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[   64.716457]                          ^
[   64.720315]  ffff8801d3275f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   64.727644]  ffff8801d3276000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.734988] ==================================================================
[   64.742332] Disabling lock debugging due to kernel taint
[   64.747798] Kernel panic - not syncing: panic_on_warn set ...
[   64.747798]
[   64.755133] CPU: 1 PID: 2981 Comm: syzkaller601354 Tainted: G B 4.13.0+ #42
[   64.763323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.772640] Call Trace:
[   64.775196]  dump_stack+0x194/0x257
[   64.778789]  ? arch_local_irq_restore+0x53/0x53
[   64.783424]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   64.788149]  ? tipc_nametbl_lookup_dst_nodes+0x470/0x4b0
[   64.793566]  panic+0x1e4/0x417
[   64.796724]  ? __warn+0x1d9/0x1d9
[   64.800149]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   64.805565]  kasan_end_report+0x50/0x50
[   64.809506]  kasan_report+0x137/0x340
[   64.813275]  __asan_report_load4_noabort+0x14/0x20
[   64.818168]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   64.823421]  tipc_sendmcast+0x704/0xe30
[   64.827366]  ? unwind_dump+0x4c0/0x4c0
[   64.831235]  ? tipc_release+0xfd0/0xfd0
[   64.835175]  ? unwind_get_return_address+0x61/0xa0
[   64.840072]  ? __is_insn_slot_addr+0x1fc/0x330
[   64.844621]  ? lock_downgrade+0x990/0x990
[   64.848734]  ? __sys_sendmsg+0xe5/0x210
[   64.852680]  ? lock_release+0xd70/0xd70
[   64.856619]  ? __read_once_size_nocheck.constprop.8+0x10/0x10
[   64.862470]  ? is_bpf_text_address+0x7b/0x120
[   64.866940]  ? lock_downgrade+0x990/0x990
[   64.871056]  ? show_initstate+0xb0/0xb0
[   64.875005]  ? __bfs+0xaa/0x750
[   64.878253]  ? noop_count+0x40/0x40
[   64.881849]  __tipc_sendmsg+0xf49/0x1590
[   64.885874]  ? __tipc_sendmsg+0xf49/0x1590
[   64.890074]  ? unwind_dump+0x4c0/0x4c0
[   64.893931]  ? tipc_sendmcast+0xe30/0xe30
[   64.898043]  ? is_bpf_text_address+0xa4/0x120
[   64.902507]  ? check_usage_backwards+0x20a/0x420
[   64.907234]  ? print_shortest_lock_dependencies+0x350/0x350
[   64.912920]  ? save_stack_trace+0x16/0x20
[   64.917032]  ? save_trace+0x11f/0x350
[   64.920812]  ? mark_held_locks+0xb2/0x100
[   64.924927]  ? __raw_spin_lock_init+0x1c/0x100
[   64.929476]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   64.934459]  ? __lockdep_init_map+0xe4/0x650
[   64.938860]  ? lockdep_init_map+0x3d/0x70
[   64.942979]  __tipc_sendstream+0x8eb/0xc00
[   64.947195]  ? find_held_lock+0x39/0x1d0
[   64.951226]  ? tipc_connect+0x6d0/0x6d0
[   64.955165]  ? lock_downgrade+0x990/0x990
[   64.959283]  ? lock_acquire+0x1d5/0x580
[   64.963237]  ? tipc_sendstream+0x42/0x70
[   64.967466]  ? mark_held_locks+0xb2/0x100
[   64.971586]  ? __local_bh_enable_ip+0x9d/0x160
[   64.976163]  tipc_sendstream+0x50/0x70
[   64.980018]  tipc_send_packet+0x33/0x50
[   64.983969]  ? tipc_sendstream+0x70/0x70
[   64.987995]  sock_sendmsg+0xca/0x110
[   64.991676]  ___sys_sendmsg+0x75b/0x8a0
[   64.995618]  ? copy_msghdr_from_user+0x590/0x590
[   65.000342]  ? startup_64+0x10/0x30
[   65.003941]  ? __fget_light+0x29d/0x390
[   65.007880]  ? fget_raw+0x20/0x20
[   65.011304]  ? handle_mm_fault+0x4a2/0x860
[   65.015505]  ? down_read_trylock+0xdb/0x170
[   65.019800]  ? __fdget+0x18/0x20
[   65.023137]  __sys_sendmsg+0xe5/0x210
[   65.026902]  ? __sys_sendmsg+0xe5/0x210
[   65.030842]  ? SyS_shutdown+0x290/0x290
[   65.034784]  ? __do_page_fault+0xb60/0xb60
[   65.039003]  ? fd_install+0x4d/0x60
[   65.042605]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   65.047589]  SyS_sendmsg+0x2d/0x50
[   65.051117]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   65.055838] RIP: 0033:0x43fd79
[   65.058991] RSP: 002b:00007ffcb61e8988 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[   65.066695] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd79
[   65.073932] RDX: 0000000000000004 RSI: 00000000207ca000 RDI: 0000000000000003
[   65.081183] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   65.088427] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016e0
[   65.095661] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   65.102957] Dumping ftrace buffer:
[   65.106476]    (ftrace buffer empty)
[   65.110153] Kernel Offset: disabled
[   65.113745] Rebooting in 86400 seconds..
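What the report above pins down, before any source is consulted: the trigger is a sendmsg(2) call (ORIG_RAX 0x2e is sendmsg on x86-64; fd 3 in RDI, flags 4 in RDX) on a TIPC socket that takes the multicast path (tipc_sendstream -> __tipc_sendmsg -> tipc_sendmcast -> tipc_nametbl_lookup_dst_nodes). The object read out of bounds was allocated once, at boot, by PID 1 when the topology server bound its name (tipc_topsrv_start -> tipc_bind -> tipc_nametbl_publish -> tipc_nameseq_create), so any process that can open a TIPC socket in that network namespace can reach it. The shadow row ">ffff8801d3275f00: 00 00 fc fc ..." shows that only 16 of the slot's 32 bytes are live, and the faulting address ffff8801d3275f10 is exactly 16 bytes in: a 4-byte read of the first bytes past the live allocation, not a read somewhere deep inside the redzone.

The block below is an added example; it is not part of the syzkaller report and not kernel code. It decodes the shadow row to recover the live size, then models a name-table range walk over a one-entry array with the two possible orders of the loop tests. The struct sub_seq layout (u32 lower, u32 upper, pointer; 16 bytes on LP64, matching the live size) and the loop shape are assumptions from my reading of net/tipc/name_table.c, and the entry data is constructed.

```c
/*
 * Added example, not from the report above and not kernel code: a
 * user-space model of (1) reading a KASAN shadow row to get the live
 * allocation size and (2) a range walk over a full one-entry array whose
 * loop test reads the current entry before comparing against the end
 * pointer, which reads one entry past the array.
 *
 * Assumptions (not on the page): the sub_seq layout and the loop shapes
 * below are my reading of net/tipc/name_table.c, not quotations of it.
 * All input data is constructed or copied from the report.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_GRANULE 8u        /* one shadow byte describes 8 bytes */

/* Shadow row for the object's 128-byte neighbourhood, copied from the report. */
static const uint8_t shadow_f00[16] = {
	0x00, 0x00, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc,
	0x00, 0x00, 0x00, 0x00, 0xfc, 0xfc, 0xfc, 0xfc,
};

/*
 * Live bytes at the start of a shadow row: 00 = whole granule addressable,
 * 1..7 = that many leading bytes addressable, anything else (fc redzone,
 * fb freed, ...) = not addressable. Stops at the first non-00 byte.
 */
static unsigned live_bytes(const uint8_t *row, unsigned granules)
{
	unsigned n = 0;

	for (unsigned i = 0; i < granules; i++) {
		if (row[i] == 0) {
			n += KASAN_GRANULE;
			continue;
		}
		if (row[i] < KASAN_GRANULE)
			n += row[i];
		break;
	}
	return n;
}

/* Assumed sub_seq layout; sizeof() comes out at 16 on LP64. */
struct sub_seq {
	uint32_t lower;
	uint32_t upper;
	void *info;
};

struct name_seq {
	struct sub_seq *sseqs;
	uint32_t first_free;    /* populated entries; the array is exactly full here */
};

/* Constructed: one published range [1,1], as a freshly created name type has. */
static struct sub_seq only_entry[1] = { { 1, 1, NULL } };
static struct name_seq full_seq = { only_entry, 1 };

/* Binary search for the entry holding instance, else the insertion index
 * (which can equal first_free). Its own reads stay inside [0, first_free). */
static uint32_t locate(const struct name_seq *seq, uint32_t instance)
{
	int low = 0, high = (int)seq->first_free - 1;

	while (low <= high) {
		int mid = (low + high) / 2;

		if (instance < seq->sseqs[mid].lower)
			high = mid - 1;
		else if (instance > seq->sseqs[mid].upper)
			low = mid + 1;
		else
			return (uint32_t)mid;
	}
	return (uint32_t)low;
}

/*
 * Walk the entries overlapping [lower, upper]. Returns the number visited,
 * or -1 if the walk would have read sseqs[first_free]; on a full array that
 * is the slab neighbour, and under KASAN it is the report above. The two
 * variants differ only in which of the two loop tests runs first.
 */
static int walk(const struct name_seq *seq, uint32_t lower, uint32_t upper,
		bool end_check_first)
{
	uint32_t i = locate(seq, lower), stop = seq->first_free;
	int hits = 0;

	for (;;) {
		if (end_check_first && i == stop)
			break;          /* fixed order: sseqs[stop] is never touched */
		if (i >= seq->first_free)
			return -1;      /* buggy order: the field read happens here */
		if (seq->sseqs[i].lower > upper)
			break;
		hits++;
		i++;
	}
	return hits;
}

/* Byte offset, from the array start, of the entry the buggy walk reads past
 * the end: one 16-byte entry gives 16, where the report's read lands. */
static size_t oob_read_offset(const struct name_seq *seq)
{
	return seq->first_free * sizeof(struct sub_seq) +
	       offsetof(struct sub_seq, lower);
}

int main(void)
{
	unsigned long bad_off = 0xffff8801d3275f10UL - 0xffff8801d3275f00UL;
	unsigned live = live_bytes(shadow_f00, sizeof shadow_f00);

	printf("live bytes in slot: %u (= %zu sub_seq)\n",
	       live, live / sizeof(struct sub_seq));
	printf("bad address offset %lu, first byte past live data: %s\n",
	       bad_off, bad_off == live ? "yes" : "no");
	printf("lookup [2,2]: buggy order -> %d, fixed order -> %d\n",
	       walk(&full_seq, 2, 2, false), walk(&full_seq, 2, 2, true));
	printf("lookup [1,1]: buggy order -> %d, fixed order -> %d\n",
	       walk(&full_seq, 1, 1, false), walk(&full_seq, 1, 1, true));
	printf("buggy read lands at array offset %zu\n",
	       oob_read_offset(&full_seq));
	return 0;
}
```

Build with cc -std=c99 -Wall. With the assumed loop shape, the buggy order reports the read of sseqs[first_free] both for a lookup that overlaps nothing ([2,2], where locate() already returns the insertion index first_free) and for one that matches the only entry ([1,1], where the walk advances to first_free after the hit), because either walk reaches the end of a full array; a lookup below the entry ([0,0]) stops on the field test and never gets there. The fixed order never touches that entry. The model only reports the would-be read instead of performing it; in user space the real dereference would be undefined behaviour rather than a KASAN report.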