[ 19.492953] default_idle_call+0x36/0x90 [ 19.496976] do_idle+0x24e/0x3b0 [ 19.500306] cpu_startup_entry+0x18/0x20 [ 19.504329] rest_init+0xed/0xf0 [ 19.507661] start_kernel+0x72e/0x754 [ 19.511424] ? mem_encrypt_init+0xb/0xb [ 19.515366] ? memcpy_orig+0x54/0x110 [ 19.519129] x86_64_start_reservations+0x2a/0x2c [ 19.523845] x86_64_start_kernel+0x77/0x7a [ 19.528041] secondary_startup_64+0xa5/0xa5 Warning: Permanently added 'ci-upstream-net-kasan-gce-2,10.128.0.62' (ECDSA) to the list of known hosts. executing program [ 32.038764] ================================================================== [ 32.046140] BUG: KASAN: use-after-free in tipc_group_self+0x1a2/0x1b0 [ 32.052685] Read of size 4 at addr ffff8801d2958a6c by task syzkaller027452/2996 [ 32.060180] [ 32.061775] CPU: 1 PID: 2996 Comm: syzkaller027452 Not tainted 4.14.0-rc4+ #84 [ 32.069104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.078422] Call Trace: [ 32.080973] dump_stack+0x194/0x257 [ 32.084567] ? arch_local_irq_restore+0x53/0x53 [ 32.089204] ? show_regs_print_info+0x65/0x65 [ 32.093667] ? lock_sock_nested+0xa3/0x110 [ 32.097866] ? tipc_group_self+0x1a2/0x1b0 [ 32.102065] print_address_description+0x73/0x250 [ 32.106873] ? tipc_group_self+0x1a2/0x1b0 [ 32.111073] kasan_report+0x25b/0x340 [ 32.114842] __asan_report_load4_noabort+0x14/0x20 [ 32.119735] tipc_group_self+0x1a2/0x1b0 [ 32.123760] tipc_sk_leave+0xfc/0x200 [ 32.127525] ? tipc_sk_withdraw+0x6b0/0x6b0 [ 32.131813] ? lock_sock_nested+0x44/0x110 [ 32.136010] ? lock_sock_nested+0x91/0x110 [ 32.140212] ? trace_hardirqs_on+0xd/0x10 [ 32.144325] ? __local_bh_enable_ip+0x9d/0x160 [ 32.148873] tipc_release+0x154/0xfd0 [ 32.152641] ? lock_acquire+0x1d5/0x580 [ 32.156580] ? mnt_get_count+0x150/0x150 [ 32.160604] ? tipc_sk_backlog_rcv+0x370/0x370 [ 32.165149] ? lock_release+0xd70/0xd70 [ 32.169091] ? trace_hardirqs_on+0xd/0x10 [ 32.173204] ? kmem_cache_free+0x21b/0x280 [ 32.177402] ? dentry_free+0xd2/0x130 [ 32.181174] ? locks_remove_file+0x3fa/0x5a0 [ 32.185547] ? fcntl_setlk+0x10d0/0x10d0 [ 32.189572] ? mnt_get_count+0x150/0x150 [ 32.193595] ? __fsnotify_parent+0xb4/0x3a0 [ 32.197887] ? fsnotify+0x1af0/0x1af0 [ 32.201649] ? dput.part.24+0x2a/0x740 [ 32.205505] sock_release+0x8d/0x1e0 [ 32.209185] ? sock_release+0x1e0/0x1e0 [ 32.213122] sock_close+0x16/0x20 [ 32.216552] __fput+0x333/0x7f0 [ 32.219802] ? fput+0x140/0x140 [ 32.223050] ? check_same_owner+0x320/0x320 [ 32.227339] ? do_raw_spin_trylock+0x190/0x190 [ 32.231891] ____fput+0x15/0x20 [ 32.235140] task_work_run+0x199/0x270 [ 32.238994] ? task_work_cancel+0x210/0x210 [ 32.243286] ? _raw_spin_unlock+0x22/0x30 [ 32.247400] ? switch_task_namespaces+0x87/0xc0 [ 32.252040] do_exit+0x9d2/0x1af0 [ 32.255464] ? tipc_accept_from_sock+0x531/0x580 [ 32.260185] ? mm_update_next_owner+0x930/0x930 [ 32.264826] ? release_sock+0x1d4/0x2a0 [ 32.268768] ? lock_downgrade+0x990/0x990 [ 32.272883] ? lock_downgrade+0x990/0x990 [ 32.277085] ? lock_acquire+0x1d5/0x580 [ 32.281024] ? release_sock+0x74/0x2a0 [ 32.284881] ? do_raw_spin_trylock+0x190/0x190 [ 32.289429] ? tipc_group_delete+0x2c0/0x3c0 [ 32.293802] ? lock_release+0xcb0/0xd70 [ 32.297743] ? trace_hardirqs_on+0xd/0x10 [ 32.301855] ? __local_bh_enable_ip+0x9d/0x160 [ 32.306417] ? release_sock+0x1d4/0x2a0 [ 32.310360] ? tipc_nametbl_build_group+0x27a/0x370 [ 32.315342] ? tipc_setsockopt+0x703/0xc00 [ 32.319542] ? tipc_sk_leave+0x200/0x200 [ 32.323574] ? security_socket_setsockopt+0x89/0xb0 [ 32.328557] ? SyS_setsockopt+0x215/0x360 [ 32.332670] do_group_exit+0x149/0x400 [ 32.336521] ? SyS_recv+0x40/0x40 [ 32.339939] ? SyS_exit+0x30/0x30 [ 32.343361] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.348084] SyS_exit_group+0x1d/0x20 [ 32.351851] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 32.356569] RIP: 0033:0x43e978 [ 32.359723] RSP: 002b:00007ffd9aac8a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 32.367395] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978 [ 32.374630] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 32.381863] RBP: 00000000006ca018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 32.389096] R10: 0000000020004fe4 R11: 0000000000000246 R12: 00000000004016a0 [ 32.396334] R13: 0000000000401730 R14: 0000000000000000 R15: 0000000000000000 [ 32.403578] [ 32.405170] Allocated by task 2996: [ 32.408762] save_stack_trace+0x16/0x20 [ 32.412699] save_stack+0x43/0xd0 [ 32.416123] kasan_kmalloc+0xad/0xe0 [ 32.419802] kmem_cache_alloc_trace+0x136/0x750 [ 32.424434] tipc_group_create+0x116/0x9c0 [ 32.428632] tipc_setsockopt+0x25e/0xc00 [ 32.432657] SyS_setsockopt+0x189/0x360 [ 32.436593] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 32.441308] [ 32.442898] Freed by task 2996: [ 32.446142] save_stack_trace+0x16/0x20 [ 32.450081] save_stack+0x43/0xd0 [ 32.453498] kasan_slab_free+0x71/0xc0 [ 32.457348] kfree+0xca/0x250 [ 32.460415] tipc_group_delete+0x2c0/0x3c0 [ 32.464611] tipc_setsockopt+0xb33/0xc00 [ 32.468637] SyS_setsockopt+0x189/0x360 [ 32.472573] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 32.477290] [ 32.478882] The buggy address belongs to the object at ffff8801d2958a00 [ 32.478882] which belongs to the cache kmalloc-192 of size 192 [ 32.491500] The buggy address is located 108 bytes inside of [ 32.491500] 192-byte region [ffff8801d2958a00, ffff8801d2958ac0) [ 32.503334] The buggy address belongs to the page: [ 32.508226] page:ffffea00074a5600 count:1 mapcount:0 mapping:ffff8801d2958000 index:0xffff8801d2958000 [ 32.517641] flags: 0x200000000000100(slab) [ 32.521840] raw: 0200000000000100 ffff8801d2958000 ffff8801d2958000 0000000100000009 [ 32.529686] raw: ffff8801dac01140 ffffea0007650420 ffff8801dac00040 0000000000000000 [ 32.537530] page dumped because: kasan: bad access detected [ 32.543201] [ 32.544792] Memory state around the buggy address: [ 32.549685] ffff8801d2958900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.557023] ffff8801d2958980: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.564347] >ffff8801d2958a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.571667] ^ [ 32.578380] ffff8801d2958a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.585704] ffff8801d2958b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.593026] ================================================================== [ 32.600405] Kernel panic - not syncing: panic_on_warn set ... [ 32.600405] [ 32.607738] CPU: 1 PID: 2996 Comm: syzkaller027452 Tainted: G B 4.14.0-rc4+ #84 [ 32.616276] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.625594] Call Trace: [ 32.628152] dump_stack+0x194/0x257 [ 32.631747] ? arch_local_irq_restore+0x53/0x53 [ 32.636380] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.641107] ? tipc_group_self+0x190/0x1b0 [ 32.645309] panic+0x1e4/0x417 [ 32.648465] ? __warn+0x1d9/0x1d9 [ 32.651890] ? tipc_group_self+0x1a2/0x1b0 [ 32.656092] kasan_end_report+0x50/0x50 [ 32.660030] kasan_report+0x144/0x340 [ 32.663797] __asan_report_load4_noabort+0x14/0x20 [ 32.668688] tipc_group_self+0x1a2/0x1b0 [ 32.672714] tipc_sk_leave+0xfc/0x200 [ 32.676482] ? tipc_sk_withdraw+0x6b0/0x6b0 [ 32.680769] ? lock_sock_nested+0x44/0x110 [ 32.684967] ? lock_sock_nested+0x91/0x110 [ 32.689165] ? trace_hardirqs_on+0xd/0x10 [ 32.693277] ? __local_bh_enable_ip+0x9d/0x160 [ 32.697826] tipc_release+0x154/0xfd0 [ 32.701592] ? lock_acquire+0x1d5/0x580 [ 32.705531] ? mnt_get_count+0x150/0x150 [ 32.709559] ? tipc_sk_backlog_rcv+0x370/0x370 [ 32.714109] ? lock_release+0xd70/0xd70 [ 32.718049] ? trace_hardirqs_on+0xd/0x10 [ 32.722176] ? kmem_cache_free+0x21b/0x280 [ 32.726378] ? dentry_free+0xd2/0x130 [ 32.730148] ? locks_remove_file+0x3fa/0x5a0 [ 32.734520] ? fcntl_setlk+0x10d0/0x10d0 [ 32.738547] ? mnt_get_count+0x150/0x150 [ 32.742579] ? __fsnotify_parent+0xb4/0x3a0 [ 32.746867] ? fsnotify+0x1af0/0x1af0 [ 32.750629] ? dput.part.24+0x2a/0x740 [ 32.754482] sock_release+0x8d/0x1e0 [ 32.758162] ? sock_release+0x1e0/0x1e0 [ 32.762101] sock_close+0x16/0x20 [ 32.765519] __fput+0x333/0x7f0 [ 32.768766] ? fput+0x140/0x140 [ 32.772010] ? check_same_owner+0x320/0x320 [ 32.776296] ? do_raw_spin_trylock+0x190/0x190 [ 32.780842] ____fput+0x15/0x20 [ 32.784089] task_work_run+0x199/0x270 [ 32.787945] ? task_work_cancel+0x210/0x210 [ 32.792230] ? _raw_spin_unlock+0x22/0x30 [ 32.796342] ? switch_task_namespaces+0x87/0xc0 [ 32.800978] do_exit+0x9d2/0x1af0 [ 32.804397] ? tipc_accept_from_sock+0x531/0x580 [ 32.809115] ? mm_update_next_owner+0x930/0x930 [ 32.813749] ? release_sock+0x1d4/0x2a0 [ 32.817687] ? lock_downgrade+0x990/0x990 [ 32.821797] ? lock_downgrade+0x990/0x990 [ 32.825909] ? lock_acquire+0x1d5/0x580 [ 32.829847] ? release_sock+0x74/0x2a0 [ 32.833702] ? do_raw_spin_trylock+0x190/0x190 [ 32.838248] ? tipc_group_delete+0x2c0/0x3c0 [ 32.842621] ? lock_release+0xcb0/0xd70 [ 32.846561] ? trace_hardirqs_on+0xd/0x10 [ 32.850671] ? __local_bh_enable_ip+0x9d/0x160 [ 32.855216] ? release_sock+0x1d4/0x2a0 [ 32.859166] ? tipc_nametbl_build_group+0x27a/0x370 [ 32.864153] ? tipc_setsockopt+0x703/0xc00 [ 32.868354] ? tipc_sk_leave+0x200/0x200 [ 32.872387] ? security_socket_setsockopt+0x89/0xb0 [ 32.877372] ? SyS_setsockopt+0x215/0x360 [ 32.882179] do_group_exit+0x149/0x400 [ 32.886029] ? SyS_recv+0x40/0x40 [ 32.889449] ? SyS_exit+0x30/0x30 [ 32.892869] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.897591] SyS_exit_group+0x1d/0x20 [ 32.901356] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 32.906076] RIP: 0033:0x43e978 [ 32.909232] RSP: 002b:00007ffd9aac8a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 32.916902] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978 [ 32.924137] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 32.931372] RBP: 00000000006ca018 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 32.938604] R10: 0000000020004fe4 R11: 0000000000000246 R12: 00000000004016a0 [ 32.945837] R13: 0000000000401730 R14: 0000000000000000 R15: 0000000000000000 [ 32.953499] Dumping ftrace buffer: [ 32.957004] (ftrace buffer empty) [ 32.960679] Kernel Offset: disabled [ 32.964273] Rebooting in 86400 seconds..