Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.33' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [ 28.670865] ==================================================================
[ 28.678256] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 28.684940] Read of size 8 at addr ffff8880b496ffa0 by task kworker/u4:0/5
[ 28.691924]
[ 28.693528] CPU: 0 PID: 5 Comm: kworker/u4:0 Not tainted 4.14.206-syzkaller #0
[ 28.700857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.710187] Workqueue: tipc_rcv tipc_recv_work
[ 28.714739] Call Trace:
[ 28.717298]  dump_stack+0x1b2/0x283
[ 28.720962]  print_address_description.cold+0x54/0x1d3
[ 28.726212]  kasan_report_error.cold+0x8a/0x194
[ 28.730854]  ? __lock_acquire+0x2c57/0x3f20
[ 28.735146]  __asan_report_load8_noabort+0x68/0x70
[ 28.740086]  ? tipc_subscrb_rcv_cb+0x2b0/0xa40
[ 28.744650]  ? __lock_acquire+0x2c57/0x3f20
[ 28.748941]  __lock_acquire+0x2c57/0x3f20
[ 28.753061]  ? io_schedule_timeout+0x140/0x140
[ 28.757611]  ? __wake_up_common_lock+0xcd/0x140
[ 28.762249]  ? trace_hardirqs_on+0x10/0x10
[ 28.766456]  ? trace_hardirqs_on+0x10/0x10
[ 28.770661]  ? preempt_schedule_common+0x45/0xc0
[ 28.775390]  ? ___preempt_schedule+0x16/0x18
[ 28.779772]  ? tipc_recvmsg+0x43e/0x9e0
[ 28.783718]  ? __local_bh_enable_ip+0x132/0x170
[ 28.788357]  lock_acquire+0x170/0x3f0
[ 28.792143]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 28.796697]  _raw_spin_lock_bh+0x2f/0x40
[ 28.800739]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 28.805290]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 28.809842]  tipc_receive_from_sock+0x25c/0x450
[ 28.814496]  ? trace_hardirqs_on+0x10/0x10
[ 28.818790]  ? lock_acquire+0x170/0x3f0
[ 28.822733]  ? tipc_close_conn+0x200/0x200
[ 28.826939]  tipc_recv_work+0x75/0xd0
[ 28.830714]  process_one_work+0x793/0x14a0
[ 28.834919]  ? work_busy+0x320/0x320
[ 28.838602]  ? worker_thread+0x158/0xff0
[ 28.842634]  ? _raw_spin_unlock_irq+0x24/0x80
[ 28.847108]  worker_thread+0x5cc/0xff0
[ 28.850968]  ? rescuer_thread+0xc80/0xc80
[ 28.855095]  kthread+0x30d/0x420
[ 28.858433]  ? kthread_create_on_node+0xd0/0xd0
[ 28.863074]  ret_from_fork+0x24/0x30
[ 28.866757]
[ 28.868368] Allocated by task 7955:
[ 28.871967]  kasan_kmalloc+0xeb/0x160
[ 28.875739]  kmem_cache_alloc_trace+0x131/0x3d0
[ 28.880393]  tipc_subscrb_connect_cb+0x40/0x150
[ 28.885032]  tipc_accept_from_sock+0x25b/0x400
[ 28.889583]  tipc_recv_work+0x75/0xd0
[ 28.893354]  process_one_work+0x793/0x14a0
[ 28.897558]  worker_thread+0x5cc/0xff0
[ 28.901415]  kthread+0x30d/0x420
[ 28.904753]  ret_from_fork+0x24/0x30
[ 28.908447]
[ 28.910045] Freed by task 7955:
[ 28.913294]  kasan_slab_free+0xc3/0x1a0
[ 28.917238]  kfree+0xc9/0x250
[ 28.920315]  tipc_subscrb_put+0x22/0x30
[ 28.924259]  tipc_close_conn+0x16a/0x200
[ 28.928289]  tipc_send_work+0x41e/0x520
[ 28.932235]  process_one_work+0x793/0x14a0
[ 28.936437]  worker_thread+0x5cc/0xff0
[ 28.940293]  kthread+0x30d/0x420
[ 28.943631]  ret_from_fork+0x24/0x30
[ 28.947312]
[ 28.948924] The buggy address belongs to the object at ffff8880b496ff80
[ 28.948924]  which belongs to the cache kmalloc-96 of size 96
[ 28.961375] The buggy address is located 32 bytes inside of
[ 28.961375]  96-byte region [ffff8880b496ff80, ffff8880b496ffe0)
[ 28.973040] The buggy address belongs to the page:
[ 28.977940] page:ffffea0002d25bc0 count:1 mapcount:0 mapping:ffff8880b496f000 index:0x0
[ 28.986052] flags: 0xfff00000000100(slab)
[ 28.990181] raw: 00fff00000000100 ffff8880b496f000 0000000000000000 0000000100000020
[ 28.998037] raw: ffffea0002d26ee0 ffffea0002d164a0 ffff88813fe824c0 0000000000000000
[ 29.005886] page dumped because: kasan: bad access detected
[ 29.011754]
[ 29.013351] Memory state around the buggy address:
[ 29.018250]  ffff8880b496fe80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.025578]  ffff8880b496ff00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.032909] >ffff8880b496ff80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 29.040323]                                ^
[ 29.044700]  ffff8880b4970000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.052029]  ffff8880b4970080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.059356] ==================================================================
[ 29.066684] Disabling lock debugging due to kernel taint
[ 29.072115] Kernel panic - not syncing: panic_on_warn set ...
[ 29.072115]
[ 29.079462] CPU: 0 PID: 5 Comm: kworker/u4:0 Tainted: G B 4.14.206-syzkaller #0
[ 29.088009] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.097349] Workqueue: tipc_rcv tipc_recv_work
[ 29.101900] Call Trace:
[ 29.104471]  dump_stack+0x1b2/0x283
[ 29.108085]  panic+0x1f9/0x42d
[ 29.111267]  ? add_taint.cold+0x16/0x16
[ 29.115223]  ? lock_downgrade+0x740/0x740
[ 29.119355]  kasan_end_report+0x43/0x49
[ 29.123298]  kasan_report_error.cold+0xa7/0x194
[ 29.127940]  ? __lock_acquire+0x2c57/0x3f20
[ 29.132232]  __asan_report_load8_noabort+0x68/0x70
[ 29.137134]  ? tipc_subscrb_rcv_cb+0x2b0/0xa40
[ 29.141700]  ? __lock_acquire+0x2c57/0x3f20
[ 29.145994]  __lock_acquire+0x2c57/0x3f20
[ 29.150127]  ? io_schedule_timeout+0x140/0x140
[ 29.154700]  ? __wake_up_common_lock+0xcd/0x140
[ 29.159339]  ? trace_hardirqs_on+0x10/0x10
[ 29.163543]  ? trace_hardirqs_on+0x10/0x10
[ 29.167761]  ? preempt_schedule_common+0x45/0xc0
[ 29.172503]  ? ___preempt_schedule+0x16/0x18
[ 29.176916]  ? tipc_recvmsg+0x43e/0x9e0
[ 29.180864]  ? __local_bh_enable_ip+0x132/0x170
[ 29.185509]  lock_acquire+0x170/0x3f0
[ 29.189280]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.193843]  _raw_spin_lock_bh+0x2f/0x40
[ 29.197881]  ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.202438]  tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 29.206819]  tipc_receive_from_sock+0x25c/0x450
[ 29.211462]  ? trace_hardirqs_on+0x10/0x10
[ 29.215667]  ? lock_acquire+0x170/0x3f0
[ 29.219623]  ? tipc_close_conn+0x200/0x200
[ 29.223832]  tipc_recv_work+0x75/0xd0
[ 29.227603]  process_one_work+0x793/0x14a0
[ 29.231810]  ? work_busy+0x320/0x320
[ 29.235493]  ? worker_thread+0x158/0xff0
[ 29.239538]  ? _raw_spin_unlock_irq+0x24/0x80
[ 29.244004]  worker_thread+0x5cc/0xff0
[ 29.247865]  ? rescuer_thread+0xc80/0xc80
[ 29.252003]  kthread+0x30d/0x420
[ 29.255341]  ? kthread_create_on_node+0xd0/0xd0
[ 29.259995]  ret_from_fork+0x24/0x30
[ 29.264519] Kernel Offset: disabled
[ 29.268147] Rebooting in 86400 seconds..