INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-7,10.128.15.193' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.726929] ==================================================================
[ 40.734331] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 40.742443] Read of size 4 at addr ffff8801cf278f10 by task syzkaller212669/2982
[ 40.749942]
[ 40.751541] CPU: 0 PID: 2982 Comm: syzkaller212669 Not tainted 4.14.0-rc2-mm1+ #9
[ 40.759135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.768463] Call Trace:
[ 40.771030]  dump_stack+0x194/0x257
[ 40.774631]  ? arch_local_irq_restore+0x53/0x53
[ 40.779280]  ? show_regs_print_info+0x65/0x65
[ 40.783748]  ? lock_release+0xd70/0xd70
[ 40.787698]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 40.793121]  print_address_description+0x73/0x250
[ 40.797936]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 40.803356]  kasan_report+0x25b/0x340
[ 40.807131]  __asan_report_load4_noabort+0x14/0x20
[ 40.812029]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 40.817289]  tipc_sendmcast+0x70b/0xe20
[ 40.821250]  ? tipc_release+0xfd0/0xfd0
[ 40.825199]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[ 40.830371]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[ 40.835129]  ? check_noncircular+0x20/0x20
[ 40.839335]  ? _cond_resched+0x14/0x30
[ 40.843199]  ? _raw_spin_unlock+0x22/0x30
[ 40.847321]  ? do_huge_pmd_anonymous_page+0xb1d/0x1b00
[ 40.852570]  ? check_noncircular+0x20/0x20
[ 40.856778]  ? find_held_lock+0x39/0x1d0
[ 40.860817]  __tipc_sendmsg+0xf49/0x1590
[ 40.864853]  ? __tipc_sendmsg+0xf49/0x1590
[ 40.869067]  ? cpuacct_all_seq_show+0x152/0x210
[ 40.873710]  ? tipc_sendmcast+0xe20/0xe20
[ 40.877837]  ? lock_downgrade+0x990/0x990
[ 40.881958]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 40.887821]  ? lock_acquire+0x1d5/0x580
[ 40.891766]  ? tipc_sendmsg+0x42/0x70
[ 40.895549]  ? mark_held_locks+0xb2/0x100
[ 40.899671]  ? __local_bh_enable_ip+0x9d/0x160
[ 40.904232]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.909222]  ? lock_sock_nested+0x91/0x110
[ 40.913425]  ? trace_hardirqs_on+0xd/0x10
[ 40.917542]  ? __local_bh_enable_ip+0x9d/0x160
[ 40.922098]  tipc_sendmsg+0x50/0x70
[ 40.925695]  ? __tipc_sendmsg+0x1590/0x1590
[ 40.929988]  sock_sendmsg+0xca/0x110
[ 40.933680]  ___sys_sendmsg+0x75b/0x8a0
[ 40.937637]  ? copy_msghdr_from_user+0x590/0x590
[ 40.942375]  ? lock_downgrade+0x990/0x990
[ 40.946506]  ? __fget_light+0x29d/0x390
[ 40.950450]  ? fget_raw+0x20/0x20
[ 40.953883]  ? handle_mm_fault+0x410/0x8d0
[ 40.958085]  ? down_read_trylock+0xdb/0x170
[ 40.962376]  ? __do_page_fault+0x2b8/0xb60
[ 40.966592]  ? __fdget+0x18/0x20
[ 40.969935]  __sys_sendmsg+0xe5/0x210
[ 40.973710]  ? __sys_sendmsg+0xe5/0x210
[ 40.977655]  ? SyS_shutdown+0x290/0x290
[ 40.981602]  ? __do_page_fault+0xb60/0xb60
[ 40.985810]  ? fd_install+0x4d/0x60
[ 40.989419]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.994412]  SyS_sendmsg+0x2d/0x50
[ 40.997923]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 41.002647] RIP: 0033:0x43fdf9
[ 41.005807] RSP: 002b:00007fff30dd04f8 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[ 41.013485] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[ 41.020728] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 41.027974] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 41.035217] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[ 41.042457] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[ 41.049716]
[ 41.051312] Allocated by task 2982:
[ 41.054910]  save_stack_trace+0x16/0x20
[ 41.058851]  save_stack+0x43/0xd0
[ 41.062273]  kasan_kmalloc+0xad/0xe0
[ 41.065954]  kmem_cache_alloc_trace+0x136/0x750
[ 41.070589]  tipc_nameseq_create+0xe8/0x540
[ 41.074879]  tipc_nametbl_insert_publ+0xf77/0x17c0
[ 41.079777]  tipc_nametbl_publish+0x2aa/0x4f0
[ 41.084240]  tipc_bind+0x33a/0x700
[ 41.087750]  SYSC_bind+0x1b4/0x3f0
[ 41.091257]  SyS_bind+0x24/0x30
[ 41.094511]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 41.099236]
[ 41.100834] Freed by task 1535:
[ 41.104085]  save_stack_trace+0x16/0x20
[ 41.108028]  save_stack+0x43/0xd0
[ 41.111448]  kasan_slab_free+0x71/0xc0
[ 41.115305]  kfree+0xca/0x250
[ 41.118379]  kobject_uevent_env+0x248/0xbc0
[ 41.122670]  kobject_synth_uevent+0x514/0xad0
[ 41.127137]  uevent_store+0x27/0x50
[ 41.130737]  dev_attr_store+0x5c/0x90
[ 41.134505]  sysfs_kf_write+0x107/0x160
[ 41.138448]  kernfs_fop_write+0x2bc/0x450
[ 41.142564]  __vfs_write+0xef/0x970
[ 41.146165]  vfs_write+0x18f/0x510
[ 41.149676]  SyS_write+0xef/0x220
[ 41.153098]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 41.157819]
[ 41.159418] The buggy address belongs to the object at ffff8801cf278f00
[ 41.159418]  which belongs to the cache kmalloc-32 of size 32
[ 41.171868] The buggy address is located 16 bytes inside of
[ 41.171868]  32-byte region [ffff8801cf278f00, ffff8801cf278f20)
[ 41.183534] The buggy address belongs to the page:
[ 41.188432] page:ffffea00073c9e00 count:1 mapcount:0 mapping:ffff8801cf278000 index:0xffff8801cf278fc1
[ 41.197851] flags: 0x200000000000100(slab)
[ 41.202055] raw: 0200000000000100 ffff8801cf278000 ffff8801cf278fc1 000000010000003f
[ 41.209904] raw: ffffea00073c0f20 ffffea000738ea60 ffff8801dac001c0 0000000000000000
[ 41.217750] page dumped because: kasan: bad access detected
[ 41.223442]
[ 41.225038] Memory state around the buggy address:
[ 41.229936]  ffff8801cf278e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 41.237263]  ffff8801cf278e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 41.244591] >ffff8801cf278f00: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 41.251917]                          ^
[ 41.255772]  ffff8801cf278f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.263100]  ffff8801cf279000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.270435] ==================================================================
[ 41.277765] Disabling lock debugging due to kernel taint
[ 41.283216] Kernel panic - not syncing: panic_on_warn set ...
[ 41.283216]
[ 41.290546] CPU: 0 PID: 2982 Comm: syzkaller212669 Tainted: G    B   4.14.0-rc2-mm1+ #9
[ 41.299344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.308661] Call Trace:
[ 41.311223]  dump_stack+0x194/0x257
[ 41.314818]  ? arch_local_irq_restore+0x53/0x53
[ 41.319455]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.324179]  ? tipc_nametbl_lookup_dst_nodes+0x3e0/0x4b0
[ 41.329592]  panic+0x1e4/0x417
[ 41.332748]  ? __warn+0x1d9/0x1d9
[ 41.336171]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 41.341584]  kasan_end_report+0x50/0x50
[ 41.345523]  kasan_report+0x144/0x340
[ 41.349291]  __asan_report_load4_noabort+0x14/0x20
[ 41.354184]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 41.359430]  tipc_sendmcast+0x70b/0xe20
[ 41.363374]  ? tipc_release+0xfd0/0xfd0
[ 41.367316]  ? pgtable_trans_huge_deposit+0x342/0x6d0
[ 41.372471]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[ 41.377202]  ? check_noncircular+0x20/0x20
[ 41.381402]  ? _cond_resched+0x14/0x30
[ 41.385256]  ? _raw_spin_unlock+0x22/0x30
[ 41.389367]  ? do_huge_pmd_anonymous_page+0xb1d/0x1b00
[ 41.394609]  ? check_noncircular+0x20/0x20
[ 41.398808]  ? find_held_lock+0x39/0x1d0
[ 41.402843]  __tipc_sendmsg+0xf49/0x1590
[ 41.406868]  ? __tipc_sendmsg+0xf49/0x1590
[ 41.411070]  ? cpuacct_all_seq_show+0x152/0x210
[ 41.415704]  ? tipc_sendmcast+0xe20/0xe20
[ 41.419825]  ? lock_downgrade+0x990/0x990
[ 41.423935]  ? trace_event_raw_event_sched_switch+0x770/0x770
[ 41.429788]  ? lock_acquire+0x1d5/0x580
[ 41.433726]  ? tipc_sendmsg+0x42/0x70
[ 41.437497]  ? mark_held_locks+0xb2/0x100
[ 41.441609]  ? __local_bh_enable_ip+0x9d/0x160
[ 41.446156]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.451139]  ? lock_sock_nested+0x91/0x110
[ 41.455339]  ? trace_hardirqs_on+0xd/0x10
[ 41.459451]  ? __local_bh_enable_ip+0x9d/0x160
[ 41.463998]  tipc_sendmsg+0x50/0x70
[ 41.467589]  ? __tipc_sendmsg+0x1590/0x1590
[ 41.471877]  sock_sendmsg+0xca/0x110
[ 41.475555]  ___sys_sendmsg+0x75b/0x8a0
[ 41.479496]  ? copy_msghdr_from_user+0x590/0x590
[ 41.484218]  ? lock_downgrade+0x990/0x990
[ 41.488338]  ? __fget_light+0x29d/0x390
[ 41.492276]  ? fget_raw+0x20/0x20
[ 41.495697]  ? handle_mm_fault+0x410/0x8d0
[ 41.499894]  ? down_read_trylock+0xdb/0x170
[ 41.504179]  ? __do_page_fault+0x2b8/0xb60
[ 41.508384]  ? __fdget+0x18/0x20
[ 41.511715]  __sys_sendmsg+0xe5/0x210
[ 41.515476]  ? __sys_sendmsg+0xe5/0x210
[ 41.519415]  ? SyS_shutdown+0x290/0x290
[ 41.523365]  ? __do_page_fault+0xb60/0xb60
[ 41.527569]  ? fd_install+0x4d/0x60
[ 41.531167]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 41.536151]  SyS_sendmsg+0x2d/0x50
[ 41.539655]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 41.544387] RIP: 0033:0x43fdf9
[ 41.547540] RSP: 002b:00007fff30dd04f8 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
[ 41.555209] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdf9
[ 41.562443] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 41.569676] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 41.576910] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401760
[ 41.584145] R13: 00000000004017f0 R14: 0000000000000000 R15: 0000000000000000
[ 41.591421] Dumping ftrace buffer:
[ 41.594924]    (ftrace buffer empty)
[ 41.598598] Kernel Offset: disabled
[ 41.602194] Rebooting in 86400 seconds..