executing program
syzkaller login: [ 18.907259] ==================================================================
[ 18.908109] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 18.909094] Read of size 4 at addr ffff88006d8499d0 by task syzkaller492056/2989
[ 18.909894]
[ 18.910055] CPU: 2 PID: 2989 Comm: syzkaller492056 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 18.910837] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 18.911595] Call Trace:
[ 18.911866]  dump_stack+0x194/0x257
[ 18.912220]  ? arch_local_irq_restore+0x53/0x53
[ 18.912658]  ? show_regs_print_info+0x65/0x65
[ 18.913083]  ? lock_release+0xa40/0xa40
[ 18.913461]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 18.913973]  print_address_description+0x73/0x250
[ 18.914433]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 18.914951]  kasan_report+0x25b/0x340
[ 18.915378]  __asan_report_load4_noabort+0x14/0x20
[ 18.915842]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 18.916346]  tipc_sendmcast+0x794/0xe70
[ 18.917031]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.917535]  ? tipc_release+0xfe0/0xfe0
[ 18.917911]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.918404]  ? do_huge_pmd_anonymous_page+0xab4/0x1b00
[ 18.918905]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[ 18.919373]  ? _cond_resched+0x14/0x30
[ 18.919972]  ? _raw_spin_unlock+0x22/0x30
[ 18.920354]  ? do_huge_pmd_anonymous_page+0xb21/0x1b00
[ 18.920851]  __tipc_sendmsg+0xebf/0x1b20
[ 18.921222]  ? __tipc_sendmsg+0xebf/0x1b20
[ 18.921612]  ? check_noncircular+0x20/0x20
[ 18.922010]  ? tipc_sendmcast+0xe70/0xe70
[ 18.922393]  ? print_irqtrace_events+0x270/0x270
[ 18.922832]  ? find_held_lock+0x35/0x1d0
[ 18.923214]  ? __might_fault+0x110/0x1d0
[ 18.923690]  ? lock_downgrade+0x990/0x990
[ 18.924086]  ? find_held_lock+0x35/0x1d0
[ 18.924460]  ? lock_acquire+0x1d5/0x580
[ 18.924818]  ? lock_sock_nested+0xa3/0x110
[ 18.925197]  ? lock_acquire+0x1d5/0x580
[ 18.925556]  ? tipc_sendmsg+0x42/0x70
[ 18.925915]  ? mark_held_locks+0xaf/0x100
[ 18.926290]  ? __local_bh_enable_ip+0x9d/0x160
[ 18.926703]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.927152]  ? lock_sock_nested+0x91/0x110
[ 18.927533]  ? trace_hardirqs_on+0xd/0x10
[ 18.927936]  ? __local_bh_enable_ip+0x9d/0x160
[ 18.928359]  tipc_sendmsg+0x50/0x70
[ 18.928685]  ? __tipc_sendmsg+0x1b20/0x1b20
[ 18.929076]  sock_sendmsg+0xca/0x110
[ 18.929417]  ___sys_sendmsg+0x755/0x890
[ 18.929775]  ? find_held_lock+0x35/0x1d0
[ 18.930145]  ? copy_msghdr_from_user+0x590/0x590
[ 18.930578]  ? __do_page_fault+0x64c/0xd60
[ 18.930966]  ? lock_downgrade+0x990/0x990
[ 18.931350]  ? handle_mm_fault+0x410/0x8d0
[ 18.931768]  ? __fget_light+0x297/0x380
[ 18.932134]  ? fget_raw+0x20/0x20
[ 18.932564]  ? up_read+0x1a/0x40
[ 18.932886]  ? __fdget+0x18/0x20
[ 18.933200]  __sys_sendmsg+0xe5/0x210
[ 18.933542]  ? __sys_sendmsg+0xe5/0x210
[ 18.933902]  ? SyS_shutdown+0x290/0x290
[ 18.934271]  ? fd_install+0x4d/0x60
[ 18.934615]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.935072]  SyS_sendmsg+0x2d/0x50
[ 18.935398]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 18.935854] RIP: 0033:0x435019
[ 18.936146] RSP: 002b:00007fff5170dfd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 18.936839] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435019
[ 18.937485] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 18.938510] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 18.939049] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 18.939669] R13: 0000000000401990 R14: 0000000000401a20 R15: 0000000000000000
[ 18.940355]
[ 18.940509] Allocated by task 2989:
[ 18.940841]  save_stack+0x43/0xd0
[ 18.941158]  kasan_kmalloc+0xad/0xe0
[ 18.941497]  kmem_cache_alloc_trace+0x136/0x750
[ 18.941885]  tipc_nameseq_create+0xe8/0x540
[ 18.942277]  tipc_nametbl_insert_publ+0xf77/0x17c0
[ 18.942699]  tipc_nametbl_publish+0x2aa/0x4f0
[ 18.943102]  tipc_sk_publish+0x1f5/0x4b0
[ 18.943468]  tipc_bind+0x1a9/0x2d0
[ 18.943832]  SYSC_bind+0x1b4/0x3f0
[ 18.944154]  SyS_bind+0x24/0x30
[ 18.944449]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 18.944875]
[ 18.945026] Freed by task 2677:
[ 18.945324]  save_stack+0x43/0xd0
[ 18.945638]  kasan_slab_free+0x71/0xc0
[ 18.945987]  kfree+0xca/0x250
[ 18.946269]  selinux_cred_free+0x48/0x70
[ 18.946637]  security_cred_free+0x48/0x80
[ 18.947010]  put_cred_rcu+0x106/0x400
[ 18.947354]  rcu_process_callbacks+0xd74/0x17d0
[ 18.947808]  __do_softirq+0x2d7/0xb85
[ 18.948148]
[ 18.948304] The buggy address belongs to the object at ffff88006d8499c0
[ 18.948304]  which belongs to the cache kmalloc-32 of size 32
[ 18.949407] The buggy address is located 16 bytes inside of
[ 18.949407]  32-byte region [ffff88006d8499c0, ffff88006d8499e0)
[ 18.950514] The buggy address belongs to the page:
[ 18.950957] page:ffffea0001b61240 count:1 mapcount:0 mapping:ffff88006d849000 index:0xffff88006d849fc1
[ 18.951797] flags: 0x500000000000100(slab)
[ 18.952179] raw: 0500000000000100 ffff88006d849000 ffff88006d849fc1 000000010000003f
[ 18.952879] raw: ffffea0001b61c60 ffff88006d800248 ffff88003e8001c0 0000000000000000
[ 18.953576] page dumped because: kasan: bad access detected
[ 18.954080]
[ 18.954230] Memory state around the buggy address:
[ 18.954671]  ffff88006d849880: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 18.955324]  ffff88006d849900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 18.956010] >ffff88006d849980: 00 00 00 00 fc fc fc fc 00 00 fc fc fc fc fc fc
[ 18.956664]                                                  ^
[ 18.957192]  ffff88006d849a00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 18.957844]  ffff88006d849a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 18.958496] ==================================================================
[ 18.959146] Disabling lock debugging due to kernel taint
[ 18.959916] Kernel panic - not syncing: panic_on_warn set ...
[ 18.959916]
[ 18.960360] CPU: 2 PID: 2989 Comm: syzkaller492056 Tainted: G B 4.14.0-rc5-next-20171018+ #8
[ 18.960937] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 18.961421] Call Trace:
[ 18.961580]  dump_stack+0x194/0x257
[ 18.961799]  ? arch_local_irq_restore+0x53/0x53
[ 18.962077]  ? kasan_end_report+0x32/0x50
[ 18.962325]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 18.962635]  ? vsnprintf+0x1ed/0x1900
[ 18.962877]  ? tipc_nametbl_lookup_dst_nodes+0x380/0x4b0
[ 18.963316]  panic+0x1e4/0x41c
[ 18.963589]  ? refcount_error_report+0x214/0x214
[ 18.964069]  ? add_taint+0x1c/0x50
[ 18.964390]  ? add_taint+0x1c/0x50
[ 18.964691]  ? tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 18.965213]  kasan_end_report+0x50/0x50
[ 18.965573]  kasan_report+0x144/0x340
[ 18.965918]  __asan_report_load4_noabort+0x14/0x20
[ 18.966361]  tipc_nametbl_lookup_dst_nodes+0x448/0x4b0
[ 18.966835]  tipc_sendmcast+0x794/0xe70
[ 18.967201]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.967683]  ? tipc_release+0xfe0/0xfe0
[ 18.968048]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 18.968525]  ? do_huge_pmd_anonymous_page+0xab4/0x1b00
[ 18.969010]  ? pudp_huge_clear_flush+0x1f0/0x1f0
[ 18.969444]  ? _cond_resched+0x14/0x30
[ 18.969797]  ? _raw_spin_unlock+0x22/0x30
[ 18.970178]  ? do_huge_pmd_anonymous_page+0xb21/0x1b00
[ 18.970666]  __tipc_sendmsg+0xebf/0x1b20
[ 18.971036]  ? __tipc_sendmsg+0xebf/0x1b20
[ 18.971422]  ? check_noncircular+0x20/0x20
[ 18.971866]  ? tipc_sendmcast+0xe70/0xe70
[ 18.972261]  ? print_irqtrace_events+0x270/0x270
[ 18.972705]  ? find_held_lock+0x35/0x1d0
[ 18.973083]  ? __might_fault+0x110/0x1d0
[ 18.973460]  ? lock_downgrade+0x990/0x990
[ 18.973845]  ? find_held_lock+0x35/0x1d0
[ 18.974226]  ? lock_acquire+0x1d5/0x580
[ 18.974594]  ? lock_sock_nested+0xa3/0x110
[ 18.974983]  ? lock_acquire+0x1d5/0x580
[ 18.975352]  ? tipc_sendmsg+0x42/0x70
[ 18.975906]  ? mark_held_locks+0xaf/0x100
[ 18.976308]  ? __local_bh_enable_ip+0x9d/0x160
[ 18.976735]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.977237]  ? lock_sock_nested+0x91/0x110
[ 18.977629]  ? trace_hardirqs_on+0xd/0x10
[ 18.978016]  ? __local_bh_enable_ip+0x9d/0x160
[ 18.978448]  tipc_sendmsg+0x50/0x70
[ 18.978797]  ? __tipc_sendmsg+0x1b20/0x1b20
[ 18.979190]  sock_sendmsg+0xca/0x110
[ 18.979529]  ___sys_sendmsg+0x755/0x890
[ 18.979908]  ? find_held_lock+0x35/0x1d0
[ 18.980303]  ? copy_msghdr_from_user+0x590/0x590
[ 18.981087]  ? __do_page_fault+0x64c/0xd60
[ 18.981410]  ? lock_downgrade+0x990/0x990
[ 18.981706]  ? handle_mm_fault+0x410/0x8d0
[ 18.982005]  ? __fget_light+0x297/0x380
[ 18.982291]  ? fget_raw+0x20/0x20
[ 18.982539]  ? up_read+0x1a/0x40
[ 18.982781]  ? __fdget+0x18/0x20
[ 18.983025]  __sys_sendmsg+0xe5/0x210
[ 18.983291]  ? __sys_sendmsg+0xe5/0x210
[ 18.983570]  ? SyS_shutdown+0x290/0x290
[ 18.983844]  ? fd_install+0x4d/0x60
[ 18.984098]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 18.984451]  SyS_sendmsg+0x2d/0x50
[ 18.984700]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 18.985042] RIP: 0033:0x435019
[ 18.985266] RSP: 002b:00007fff5170dfd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 18.985972] RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000435019
[ 18.986648] RDX: 0000000000000000 RSI: 0000000020316000 RDI: 0000000000000004
[ 18.987326] RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
[ 18.988656] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 18.989333] R13: 0000000000401990 R14: 0000000000401a20 R15: 0000000000000000
[ 18.990048] Dumping ftrace buffer:
[ 18.990379]    (ftrace buffer empty)
[ 18.990732] Kernel Offset: disabled
[ 18.991064] Rebooting in 86400 seconds..