INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-mmots-kasan-gce-1,10.128.0.44' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   57.098626] ==================================================================
[   57.099746] BUG: KASAN: use-after-free in tipc_group_self+0x1a2/0x1b0
[   57.100626] Read of size 4 at addr ffff8801d647356c by task syzkaller224569/2991
[   57.101614]
[   57.101864] CPU: 1 PID: 2991 Comm: syzkaller224569 Not tainted 4.14.0-rc5-mm1+ #19
[   57.102935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.104186] Call Trace:
[   57.104549]  dump_stack+0x194/0x257
[   57.105044]  ? arch_local_irq_restore+0x53/0x53
[   57.105669]  ? show_regs_print_info+0x65/0x65
[   57.106288]  ? tipc_group_self+0x1a2/0x1b0
[   57.106860]  print_address_description+0x73/0x250
[   57.107508]  ? tipc_group_self+0x1a2/0x1b0
[   57.108078]  kasan_report+0x25b/0x340
[   57.108593]  __asan_report_load4_noabort+0x14/0x20
[   57.109250]  tipc_group_self+0x1a2/0x1b0
[   57.109800]  tipc_sk_leave+0xfc/0x200
[   57.110318]  ? tipc_sk_withdraw+0x6b0/0x6b0
[   57.110898]  ? __local_bh_enable_ip+0x9d/0x160
[   57.111511]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   57.112241]  ? lock_sock_nested+0x91/0x110
[   57.112808]  ? trace_hardirqs_on+0xd/0x10
[   57.113365]  ? __local_bh_enable_ip+0x9d/0x160
[   57.114077]  tipc_release+0x154/0xfe0
[   57.114594]  ? mntput_no_expire+0x130/0xa90
[   57.115174]  ? tipc_sk_backlog_rcv+0x370/0x370
[   57.115786]  ? lock_release+0xa40/0xa40
[   57.116332]  ? dentry_free+0xcd/0x130
[   57.116862]  ? rcu_read_lock_sched_held+0x108/0x120
[   57.117557]  ? kmem_cache_free+0x249/0x280
[   57.118160]  ? dentry_free+0xd2/0x130
[   57.118680]  ? locks_remove_file+0x3fa/0x5a0
[   57.122555]  ? fcntl_setlk+0x10c0/0x10c0
[   57.126586]  ? __fsnotify_parent+0xb4/0x3a0
[   57.130877]  ? fsnotify+0x1af0/0x1af0
[   57.134646]  ? rcu_note_context_switch+0x710/0x710
[   57.139543]  sock_release+0x8d/0x1e0
[   57.143223]  ? sock_release+0x1e0/0x1e0
[   57.147162]  sock_close+0x16/0x20
[   57.150581]  __fput+0x327/0x7e0
[   57.153832]  ? fput+0x140/0x140
[   57.157078]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[   57.162926]  ? _raw_spin_unlock_irq+0x27/0x70
[   57.167393]  ____fput+0x15/0x20
[   57.170638]  task_work_run+0x199/0x270
[   57.174494]  ? task_work_cancel+0x210/0x210
[   57.178783]  ? _raw_spin_unlock+0x22/0x30
[   57.182898]  ? switch_task_namespaces+0x87/0xc0
[   57.187536]  do_exit+0x9b5/0x1ad0
[   57.190960]  ? mm_update_next_owner+0x930/0x930
[   57.195594]  ? reacquire_held_locks+0x1fd/0x3d0
[   57.200234]  ? find_held_lock+0x35/0x1d0
[   57.204268]  ? release_sock+0x1d4/0x2a0
[   57.208207]  ? lock_downgrade+0x990/0x990
[   57.212320]  ? lock_downgrade+0x990/0x990
[   57.216436]  ? do_raw_spin_trylock+0x190/0x190
[   57.220989]  ? tipc_group_delete+0x2c0/0x3c0
[   57.225365]  ? __local_bh_enable_ip+0x9d/0x160
[   57.229914]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   57.234895]  ? trace_hardirqs_on+0xd/0x10
[   57.239006]  ? __local_bh_enable_ip+0x9d/0x160
[   57.243557]  ? release_sock+0x1d4/0x2a0
[   57.247503]  ? tipc_nametbl_build_group+0x27a/0x370
[   57.252491]  ? tipc_setsockopt+0x703/0xc00
[   57.256695]  ? tipc_sk_leave+0x200/0x200
[   57.260735]  ? security_socket_setsockopt+0x89/0xb0
[   57.265723]  ? SyS_setsockopt+0x215/0x360
[   57.269841]  do_group_exit+0x149/0x400
[   57.273693]  ? SyS_recv+0x40/0x40
[   57.277113]  ? SyS_exit+0x30/0x30
[   57.280532]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   57.285516]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   57.290241]  SyS_exit_group+0x1d/0x20
[   57.294007]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   57.298727] RIP: 0033:0x43e978
[   57.301890] RSP: 002b:00007ffdce6870a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   57.309563] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[   57.316819] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   57.324053] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd0
[   57.331288] R10: 0000000020004fe4 R11: 0000000000000246 R12: 00000000004016a0
[   57.338539] R13: 0000000000401730 R14: 0000000000000000 R15: 0000000000000000
[   57.345798]
[   57.347393] Allocated by task 2991:
[   57.350988]  save_stack+0x43/0xd0
[   57.354404]  kasan_kmalloc+0xad/0xe0
[   57.358082]  kmem_cache_alloc_trace+0x136/0x750
[   57.362715]  tipc_group_create+0x116/0x9c0
[   57.366911]  tipc_setsockopt+0x25e/0xc00
[   57.370936]  SyS_setsockopt+0x189/0x360
[   57.374876]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   57.379592]
[   57.381182] Freed by task 2991:
[   57.384424]  save_stack+0x43/0xd0
[   57.387843]  kasan_slab_free+0x71/0xc0
[   57.391695]  kfree+0xca/0x250
[   57.394766]  tipc_group_delete+0x2c0/0x3c0
[   57.398966]  tipc_setsockopt+0xb33/0xc00
[   57.402991]  SyS_setsockopt+0x189/0x360
[   57.406928]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   57.411654]
[   57.413249] The buggy address belongs to the object at ffff8801d6473500
[   57.413249]  which belongs to the cache kmalloc-192 of size 192
[   57.425869] The buggy address is located 108 bytes inside of
[   57.425869]  192-byte region [ffff8801d6473500, ffff8801d64735c0)
[   57.437713] The buggy address belongs to the page:
[   57.442609] page:ffffea0007591cc0 count:1 mapcount:0 mapping:ffff8801d6473000 index:0xffff8801d6473f00
[   57.452019] flags: 0x200000000000100(slab)
[   57.456306] raw: 0200000000000100 ffff8801d6473000 ffff8801d6473f00 0000000100000006
[   57.464154] raw: ffffea000752a1a0 ffff8801dac01138 ffff8801dac00040 0000000000000000
[   57.471998] page dumped because: kasan: bad access detected
[   57.477670]
[   57.479262] Memory state around the buggy address:
[   57.484154]  ffff8801d6473400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.491479]  ffff8801d6473480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   57.498801] >ffff8801d6473500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.506124]                                                           ^
[   57.512846]  ffff8801d6473580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   57.520168]  ffff8801d6473600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.527501] ==================================================================
[   57.534826] Disabling lock debugging due to kernel taint
[   57.540297] Kernel panic - not syncing: panic_on_warn set ...
[   57.540297]
[   57.547627] CPU: 1 PID: 2991 Comm: syzkaller224569 Tainted: G    B 4.14.0-rc5-mm1+ #19
[   57.556604] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.565923] Call Trace:
[   57.568484]  dump_stack+0x194/0x257
[   57.572078]  ? arch_local_irq_restore+0x53/0x53
[   57.576717]  ? kasan_end_report+0x32/0x50
[   57.580832]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   57.585553]  ? vsnprintf+0x1ed/0x1900
[   57.589319]  ? tipc_group_self+0xb0/0x1b0
[   57.593435]  panic+0x1e4/0x41c
[   57.596591]  ? refcount_error_report+0x214/0x214
[   57.601315]  ? add_taint+0x1c/0x50
[   57.604818]  ? add_taint+0x1c/0x50
[   57.608324]  ? tipc_group_self+0x1a2/0x1b0
[   57.612521]  kasan_end_report+0x50/0x50
[   57.616458]  kasan_report+0x144/0x340
[   57.620224]  __asan_report_load4_noabort+0x14/0x20
[   57.625121]  tipc_group_self+0x1a2/0x1b0
[   57.629148]  tipc_sk_leave+0xfc/0x200
[   57.632913]  ? tipc_sk_withdraw+0x6b0/0x6b0
[   57.637200]  ? __local_bh_enable_ip+0x9d/0x160
[   57.641749]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   57.646733]  ? lock_sock_nested+0x91/0x110
[   57.650930]  ? trace_hardirqs_on+0xd/0x10
[   57.655043]  ? __local_bh_enable_ip+0x9d/0x160
[   57.659592]  tipc_release+0x154/0xfe0
[   57.663360]  ? mntput_no_expire+0x130/0xa90
[   57.667648]  ? tipc_sk_backlog_rcv+0x370/0x370
[   57.672203]  ? lock_release+0xa40/0xa40
[   57.676140]  ? dentry_free+0xcd/0x130
[   57.679905]  ? rcu_read_lock_sched_held+0x108/0x120
[   57.684888]  ? kmem_cache_free+0x249/0x280
[   57.689089]  ? dentry_free+0xd2/0x130
[   57.692855]  ? locks_remove_file+0x3fa/0x5a0
[   57.697227]  ? fcntl_setlk+0x10c0/0x10c0
[   57.701254]  ? __fsnotify_parent+0xb4/0x3a0
[   57.705543]  ? fsnotify+0x1af0/0x1af0
[   57.709306]  ? rcu_note_context_switch+0x710/0x710
[   57.714201]  sock_release+0x8d/0x1e0
[   57.717880]  ? sock_release+0x1e0/0x1e0
[   57.721818]  sock_close+0x16/0x20
[   57.725238]  __fput+0x327/0x7e0
[   57.728486]  ? fput+0x140/0x140
[   57.731732]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[   57.737580]  ? _raw_spin_unlock_irq+0x27/0x70
[   57.742042]  ____fput+0x15/0x20
[   57.745286]  task_work_run+0x199/0x270
[   57.749137]  ? task_work_cancel+0x210/0x210
[   57.753425]  ? _raw_spin_unlock+0x22/0x30
[   57.757536]  ? switch_task_namespaces+0x87/0xc0
[   57.762171]  do_exit+0x9b5/0x1ad0
[   57.765593]  ? mm_update_next_owner+0x930/0x930
[   57.770225]  ? reacquire_held_locks+0x1fd/0x3d0
[   57.774860]  ? find_held_lock+0x35/0x1d0
[   57.778890]  ? release_sock+0x1d4/0x2a0
[   57.782828]  ? lock_downgrade+0x990/0x990
[   57.786938]  ? lock_downgrade+0x990/0x990
[   57.791048]  ? do_raw_spin_trylock+0x190/0x190
[   57.795596]  ? tipc_group_delete+0x2c0/0x3c0
[   57.799966]  ? __local_bh_enable_ip+0x9d/0x160
[   57.804516]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   57.809495]  ? trace_hardirqs_on+0xd/0x10
[   57.813609]  ? __local_bh_enable_ip+0x9d/0x160
[   57.818160]  ? release_sock+0x1d4/0x2a0
[   57.822104]  ? tipc_nametbl_build_group+0x27a/0x370
[   57.827086]  ? tipc_setsockopt+0x703/0xc00
[   57.831288]  ? tipc_sk_leave+0x200/0x200
[   57.835319]  ? security_socket_setsockopt+0x89/0xb0
[   57.840301]  ? SyS_setsockopt+0x215/0x360
[   57.844415]  do_group_exit+0x149/0x400
[   57.848265]  ? SyS_recv+0x40/0x40
[   57.851683]  ? SyS_exit+0x30/0x30
[   57.855100]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   57.860081]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   57.864805]  SyS_exit_group+0x1d/0x20
[   57.868576]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   57.873293] RIP: 0033:0x43e978
[   57.876450] RSP: 002b:00007ffdce6870a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   57.884123] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[   57.891357] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   57.898590] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd0
[   57.905828] R10: 0000000020004fe4 R11: 0000000000000246 R12: 00000000004016a0
[   57.913064] R13: 0000000000401730 R14: 0000000000000000 R15: 0000000000000000
[   57.920639] Dumping ftrace buffer:
[   57.924151]    (ftrace buffer empty)
[   57.927830] Kernel Offset: disabled
[   57.931423] Rebooting in 86400 seconds..