INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-1,10.128.15.212' (ECDSA) to the list of known hosts.
executing program

syzkaller login:
[   65.404934] ==================================================================
[   65.406079] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   65.407151] Read of size 4 at addr ffff8801d2f8f4d0 by task syzkaller249909/2985
[   65.408159]
[   65.408397] CPU: 0 PID: 2985 Comm: syzkaller249909 Not tainted 4.14.0-rc4-next-20171009+ #33
[   65.409622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.410846] Call Trace:
[   65.411206]  dump_stack+0x194/0x257
[   65.411702]  ? arch_local_irq_restore+0x53/0x53
[   65.412331]  ? show_regs_print_info+0x65/0x65
[   65.412938]  ? lock_release+0xd70/0xd70
[   65.413477]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   65.414206]  print_address_description+0x73/0x250
[   65.414853]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   65.415580]  kasan_report+0x25b/0x340
[   65.416099]  __asan_report_load4_noabort+0x14/0x20
[   65.416758]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   65.417474]  tipc_sendmcast+0x70b/0xe20
[   65.418012]  ? unwind_dump+0x4c0/0x4c0
[   65.418594]  ? tipc_release+0xfd0/0xfd0
[   65.419132]  ? __kernel_text_address+0xd/0x40
[   65.419736]  ? __is_insn_slot_addr+0x1fc/0x330
[   65.420363]  ? lock_downgrade+0x990/0x990
[   65.420925]  ? __save_stack_trace+0x61/0xd0
[   65.421513]  ? SyS_sendmsg+0x2d/0x50
[   65.422036]  ? lock_release+0xd70/0xd70
[   65.422591]  ? is_bpf_text_address+0x7b/0x120
[   65.423194]  ? lock_downgrade+0x990/0x990
[   65.423786]  ? show_initstate+0xb0/0xb0
[   65.424326]  ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[   65.425482]  ? __bfs+0xaa/0x750
[   65.428740]  ? lock_release+0xd70/0xd70
[   65.432689]  ? noop_count+0x40/0x40
[   65.436295]  __tipc_sendmsg+0xf49/0x1590
[   65.440324]  ? __tipc_sendmsg+0xf49/0x1590
[   65.444533]  ? rcutorture_record_progress+0x10/0x10
[   65.449535]  ? tipc_sendmcast+0xe20/0xe20
[   65.453660]  ? check_usage_backwards+0x20a/0x420
[   65.458863]  ? print_shortest_lock_dependencies+0x350/0x350
[   65.464557]  ? save_stack_trace+0x1a/0x20
[   65.468674]  ? save_trace+0x11f/0x350
[   65.472453]  ? mark_held_locks+0xb2/0x100
[   65.476575]  ? __raw_spin_lock_init+0x1c/0x100
[   65.481130]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   65.486116]  ? __lockdep_init_map+0xe4/0x650
[   65.490499]  ? lockdep_init_map+0x3d/0x70
[   65.494624]  __tipc_sendstream+0x8eb/0xc00
[   65.498834]  ? find_held_lock+0x39/0x1d0
[   65.502872]  ? tipc_connect+0x6d0/0x6d0
[   65.506816]  ? lock_downgrade+0x990/0x990
[   65.510944]  ? lock_acquire+0x1d5/0x580
[   65.514890]  ? tipc_sendstream+0x42/0x70
[   65.518935]  ? mark_held_locks+0xb2/0x100
[   65.523065]  ? __local_bh_enable_ip+0x9d/0x160
[   65.527623]  tipc_sendstream+0x50/0x70
[   65.531515]  tipc_send_packet+0x33/0x50
[   65.535461]  ? tipc_sendstream+0x70/0x70
[   65.539498]  sock_sendmsg+0xca/0x110
[   65.543186]  ___sys_sendmsg+0x75b/0x8a0
[   65.547137]  ? copy_msghdr_from_user+0x590/0x590
[   65.551881]  ? __fget_light+0x29d/0x390
[   65.555827]  ? fget_raw+0x20/0x20
[   65.559250]  ? vmacache_find+0x5f/0x280
[   65.563216]  ? __fdget+0x18/0x20
[   65.566573]  __sys_sendmsg+0xe5/0x210
[   65.570342]  ? __sys_sendmsg+0xe5/0x210
[   65.574292]  ? SyS_shutdown+0x290/0x290
[   65.578240]  ? __do_page_fault+0xd60/0xd60
[   65.582452]  ? fd_install+0x4d/0x60
[   65.586063]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   65.591058]  SyS_sendmsg+0x2d/0x50
[   65.594573]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   65.599296] RIP: 0033:0x43fd59
[   65.602456] RSP: 002b:00007ffce2ab4728 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[   65.610137] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
[   65.617379] RDX: 0000000000000004 RSI: 00000000203bbfc8 RDI: 0000000000000003
[   65.624622] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   65.631861] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016c0
[   65.639101] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[   65.646361]
[   65.647960] Allocated by task 1:
[   65.651296]  save_stack+0x43/0xd0
[   65.654719]  kasan_kmalloc+0xad/0xe0
[   65.658403]  kmem_cache_alloc_trace+0x136/0x750
[   65.663042]  tipc_nameseq_create+0xe8/0x540
[   65.667335]  tipc_nametbl_insert_publ+0xf77/0x17c0
[   65.672237]  tipc_nametbl_publish+0x2aa/0x4f0
[   65.676700]  tipc_bind+0x33a/0x700
[   65.680208]  kernel_bind+0x62/0x80
[   65.683719]  tipc_server_start+0x3a1/0xb60
[   65.687920]  tipc_topsrv_start+0x64f/0x890
[   65.692123]  tipc_init_net+0x3cc/0x570
[   65.695979]  ops_init+0x10a/0x570
[   65.699402]  register_pernet_operations+0x45e/0x980
[   65.704388]  register_pernet_subsys+0x2a/0x40
[   65.708852]  tipc_init+0x83/0x104
[   65.712276]  do_one_initcall+0x9e/0x330
[   65.716222]  kernel_init_freeable+0x469/0x521
[   65.720686]  kernel_init+0x13/0x172
[   65.724283]  ret_from_fork+0x2a/0x40
[   65.727962]
[   65.729558] Freed by task 0:
[   65.732542] (stack is not available)
[   65.736221]
[   65.737819] The buggy address belongs to the object at ffff8801d2f8f4c0
[   65.737819]  which belongs to the cache kmalloc-32 of size 32
[   65.750270] The buggy address is located 16 bytes inside of
[   65.750270]  32-byte region [ffff8801d2f8f4c0, ffff8801d2f8f4e0)
[   65.761937] The buggy address belongs to the page:
[   65.766834] page:ffffea00074be3c0 count:1 mapcount:0 mapping:ffff8801d2f8f000 index:0xffff8801d2f8ffc1
[   65.776251] flags: 0x200000000000100(slab)
[   65.780458] raw: 0200000000000100 ffff8801d2f8f000 ffff8801d2f8ffc1 000000010000003f
[   65.788308] raw: ffffea000753d460 ffffea0007475d60 ffff8801dac001c0 0000000000000000
[   65.796157] page dumped because: kasan: bad access detected
[   65.801834]
[   65.803430] Memory state around the buggy address:
[   65.808327]  ffff8801d2f8f380: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[   65.815657]  ffff8801d2f8f400: 00 06 fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   65.822986] >ffff8801d2f8f480: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[   65.830316]                                                  ^
[   65.836258]  ffff8801d2f8f500: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   65.843589]  ffff8801d2f8f580: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   65.850916] ==================================================================
[   65.858245] Disabling lock debugging due to kernel taint
[   65.863699] Kernel panic - not syncing: panic_on_warn set ...
[   65.863699]
[   65.871031] CPU: 0 PID: 2985 Comm: syzkaller249909 Tainted: G    B   4.14.0-rc4-next-20171009+ #33
[   65.880870] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.890188] Call Trace:
[   65.892743]  dump_stack+0x194/0x257
[   65.896338]  ? arch_local_irq_restore+0x53/0x53
[   65.900975]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   65.905698]  ? tipc_nametbl_lookup_dst_nodes+0x3f0/0x4b0
[   65.911114]  panic+0x1e4/0x41c
[   65.914270]  ? refcount_error_report+0x214/0x214
[   65.918996]  ? tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   65.924410]  kasan_end_report+0x50/0x50
[   65.928349]  kasan_report+0x144/0x340
[   65.932116]  __asan_report_load4_noabort+0x14/0x20
[   65.937008]  tipc_nametbl_lookup_dst_nodes+0x4a3/0x4b0
[   65.942256]  tipc_sendmcast+0x70b/0xe20
[   65.946193]  ? unwind_dump+0x4c0/0x4c0
[   65.950049]  ? tipc_release+0xfd0/0xfd0
[   65.953989]  ? __kernel_text_address+0xd/0x40
[   65.958450]  ? __is_insn_slot_addr+0x1fc/0x330
[   65.962995]  ? lock_downgrade+0x990/0x990
[   65.967106]  ? __save_stack_trace+0x61/0xd0
[   65.971396]  ? SyS_sendmsg+0x2d/0x50
[   65.975076]  ? lock_release+0xd70/0xd70
[   65.979016]  ? is_bpf_text_address+0x7b/0x120
[   65.983475]  ? lock_downgrade+0x990/0x990
[   65.987588]  ? show_initstate+0xb0/0xb0
[   65.991536]  ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[   65.997649]  ? __bfs+0xaa/0x750
[   66.000894]  ? lock_release+0xd70/0xd70
[   66.004832]  ? noop_count+0x40/0x40
[   66.008425]  __tipc_sendmsg+0xf49/0x1590
[   66.012448]  ? __tipc_sendmsg+0xf49/0x1590
[   66.016648]  ? rcutorture_record_progress+0x10/0x10
[   66.021633]  ? tipc_sendmcast+0xe20/0xe20
[   66.025747]  ? check_usage_backwards+0x20a/0x420
[   66.030468]  ? print_shortest_lock_dependencies+0x350/0x350
[   66.036146]  ? save_stack_trace+0x1a/0x20
[   66.040259]  ? save_trace+0x11f/0x350
[   66.044026]  ? mark_held_locks+0xb2/0x100
[   66.048138]  ? __raw_spin_lock_init+0x1c/0x100
[   66.052684]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   66.057662]  ? __lockdep_init_map+0xe4/0x650
[   66.062036]  ? lockdep_init_map+0x3d/0x70
[   66.066152]  __tipc_sendstream+0x8eb/0xc00
[   66.070354]  ? find_held_lock+0x39/0x1d0
[   66.074386]  ? tipc_connect+0x6d0/0x6d0
[   66.078327]  ? lock_downgrade+0x990/0x990
[   66.082444]  ? lock_acquire+0x1d5/0x580
[   66.086381]  ? tipc_sendstream+0x42/0x70
[   66.090414]  ? mark_held_locks+0xb2/0x100
[   66.094534]  ? __local_bh_enable_ip+0x9d/0x160
[   66.099082]  tipc_sendstream+0x50/0x70
[   66.102933]  tipc_send_packet+0x33/0x50
[   66.106871]  ? tipc_sendstream+0x70/0x70
[   66.110897]  sock_sendmsg+0xca/0x110
[   66.114575]  ___sys_sendmsg+0x75b/0x8a0
[   66.118520]  ? copy_msghdr_from_user+0x590/0x590
[   66.123249]  ? __fget_light+0x29d/0x390
[   66.127188]  ? fget_raw+0x20/0x20
[   66.130604]  ? vmacache_find+0x5f/0x280
[   66.134556]  ? __fdget+0x18/0x20
[   66.137888]  __sys_sendmsg+0xe5/0x210
[   66.141654]  ? __sys_sendmsg+0xe5/0x210
[   66.145594]  ? SyS_shutdown+0x290/0x290
[   66.149532]  ? __do_page_fault+0xd60/0xd60
[   66.153735]  ? fd_install+0x4d/0x60
[   66.157332]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   66.162317]  SyS_sendmsg+0x2d/0x50
[   66.165822]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   66.170541] RIP: 0033:0x43fd59
[   66.173697] RSP: 002b:00007ffce2ab4728 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
[   66.181367] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
[   66.188601] RDX: 0000000000000004 RSI: 00000000203bbfc8 RDI: 0000000000000003
[   66.195835] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[   66.203070] R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016c0
[   66.210311] R13: 0000000000401750 R14: 0000000000000000 R15: 0000000000000000
[   66.217589] Dumping ftrace buffer:
[   66.221095]    (ftrace buffer empty)
[   66.224771] Kernel Offset: disabled
[   66.228369] Rebooting in 86400 seconds..