INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-upstream-next-kasan-gce-8,10.128.15.210' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 47.912774] ==================================================================
[ 47.913919] BUG: KASAN: use-after-free in tipc_group_self+0x1a2/0x1b0
[ 47.914786] Read of size 4 at addr ffff8801d650dd6c by task syzkaller520625/2992
[ 47.915773]
[ 47.916006] CPU: 1 PID: 2992 Comm: syzkaller520625 Not tainted 4.14.0-rc5-next-20171018+ #36
[ 47.917135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.918366] Call Trace:
[ 47.918725] dump_stack+0x194/0x257
[ 47.919217] ? arch_local_irq_restore+0x53/0x53
[ 47.919842] ? show_regs_print_info+0x65/0x65
[ 47.920452] ? tipc_group_self+0x1a2/0x1b0
[ 47.921022] print_address_description+0x73/0x250
[ 47.921679] ? tipc_group_self+0x1a2/0x1b0
[ 47.922246] kasan_report+0x25b/0x340
[ 47.922762] __asan_report_load4_noabort+0x14/0x20
[ 47.923419] tipc_group_self+0x1a2/0x1b0
[ 47.923967] tipc_sk_leave+0xfc/0x200
[ 47.924480] ? tipc_sk_withdraw+0x6b0/0x6b0
[ 47.925060] ? __local_bh_enable_ip+0x9d/0x160
[ 47.925692] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 47.926362] ? lock_sock_nested+0x91/0x110
[ 47.926928] ? trace_hardirqs_on+0xd/0x10
[ 47.927483] ? __local_bh_enable_ip+0x9d/0x160
[ 47.928100] tipc_release+0x154/0xfe0
[ 47.928618] ? mntput_no_expire+0x130/0xa90
[ 47.929198] ? tipc_sk_backlog_rcv+0x370/0x370
[ 47.929810] ? lock_release+0xa40/0xa40
[ 47.930347] ? dentry_free+0xcd/0x130
[ 47.930860] ? rcu_read_lock_sched_held+0x108/0x120
[ 47.931529] ? kmem_cache_free+0x249/0x280
[ 47.932099] ? dentry_free+0xd2/0x130
[ 47.932618] ? locks_remove_file+0x3fa/0x5a0
[ 47.933209] ? fcntl_setlk+0x10c0/0x10c0
[ 47.937262] ? __fsnotify_parent+0xb4/0x3a0
[ 47.941554] ? fsnotify+0x1af0/0x1af0
[ 47.945475] ? rcu_note_context_switch+0x710/0x710
[ 47.950385] sock_release+0x8d/0x1e0
[ 47.954073] ? sock_release+0x1e0/0x1e0
[ 47.958017] sock_close+0x16/0x20
[ 47.961442] __fput+0x327/0x7e0
[ 47.964701] ? fput+0x140/0x140
[ 47.967956] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 47.973812] ? _raw_spin_unlock_irq+0x27/0x70
[ 47.978285] ____fput+0x15/0x20
[ 47.981534] task_work_run+0x199/0x270
[ 47.985397] ? task_work_cancel+0x210/0x210
[ 47.989688] ? _raw_spin_unlock+0x22/0x30
[ 47.993804] ? switch_task_namespaces+0x87/0xc0
[ 47.998443] do_exit+0x9b5/0x1ad0
[ 48.001869] ? mm_update_next_owner+0x930/0x930
[ 48.006508] ? reacquire_held_locks+0x1fd/0x3d0
[ 48.011148] ? find_held_lock+0x35/0x1d0
[ 48.015184] ? release_sock+0x1d4/0x2a0
[ 48.019125] ? lock_downgrade+0x990/0x990
[ 48.023239] ? lock_downgrade+0x990/0x990
[ 48.027358] ? do_raw_spin_trylock+0x190/0x190
[ 48.031909] ? tipc_group_delete+0x2c0/0x3c0
[ 48.036284] ? __local_bh_enable_ip+0x9d/0x160
[ 48.040835] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.045817] ? trace_hardirqs_on+0xd/0x10
[ 48.049932] ? __local_bh_enable_ip+0x9d/0x160
[ 48.054490] ? release_sock+0x1d4/0x2a0
[ 48.058439] ? tipc_nametbl_build_group+0x27a/0x370
[ 48.063429] ? tipc_setsockopt+0x703/0xc00
[ 48.067633] ? tipc_sk_leave+0x200/0x200
[ 48.071673] ? security_socket_setsockopt+0x89/0xb0
[ 48.076661] ? SyS_setsockopt+0x215/0x360
[ 48.080778] do_group_exit+0x149/0x400
[ 48.084631] ? SyS_recv+0x40/0x40
[ 48.088052] ? SyS_exit+0x30/0x30
[ 48.091474] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.096461] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.101189] SyS_exit_group+0x1d/0x20
[ 48.104960] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 48.109683] RIP: 0033:0x43e978
[ 48.112842] RSP: 002b:00007ffd4bef95b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 48.120516] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 48.127753] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 48.134991] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 48.142227] R10: 0000000020004fe4 R11: 0000000000000246 R12: 00000000004016a0
[ 48.149461] R13: 0000000000401730 R14: 0000000000000000 R15: 0000000000000000
[ 48.156717]
[ 48.158314] Allocated by task 2992:
[ 48.161908] save_stack+0x43/0xd0
[ 48.165328] kasan_kmalloc+0xad/0xe0
[ 48.169006] kmem_cache_alloc_trace+0x136/0x750
[ 48.173639] tipc_group_create+0x116/0x9c0
[ 48.177841] tipc_setsockopt+0x25e/0xc00
[ 48.181866] SyS_setsockopt+0x189/0x360
[ 48.185804] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 48.190523]
[ 48.192118] Freed by task 2992:
[ 48.195364] save_stack+0x43/0xd0
[ 48.198781] kasan_slab_free+0x71/0xc0
[ 48.202634] kfree+0xca/0x250
[ 48.205705] tipc_group_delete+0x2c0/0x3c0
[ 48.209907] tipc_setsockopt+0xb33/0xc00
[ 48.213934] SyS_setsockopt+0x189/0x360
[ 48.217872] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 48.222590]
[ 48.224185] The buggy address belongs to the object at ffff8801d650dd00
[ 48.224185] which belongs to the cache kmalloc-192 of size 192
[ 48.236808] The buggy address is located 108 bytes inside of
[ 48.236808] 192-byte region [ffff8801d650dd00, ffff8801d650ddc0)
[ 48.248647] The buggy address belongs to the page:
[ 48.253542] page:ffffea0007594340 count:1 mapcount:0 mapping:ffff8801d650d000 index:0xffff8801d650df00
[ 48.262953] flags: 0x200000000000100(slab)
[ 48.267157] raw: 0200000000000100 ffff8801d650d000 ffff8801d650df00 000000010000000e
[ 48.275009] raw: ffffea0007599060 ffff8801dac01138 ffff8801dac00040 0000000000000000
[ 48.282854] page dumped because: kasan: bad access detected
[ 48.288530]
[ 48.290125] Memory state around the buggy address:
[ 48.295019] ffff8801d650dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.302346] ffff8801d650dc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 48.309668] >ffff8801d650dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.316992]                                                           ^
[ 48.323712] ffff8801d650dd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 48.331039] ffff8801d650de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.338361] ==================================================================
[ 48.345684] Disabling lock debugging due to kernel taint
[ 48.351161] Kernel panic - not syncing: panic_on_warn set ...
[ 48.351161]
[ 48.358497] CPU: 1 PID: 2992 Comm: syzkaller520625 Tainted: G B 4.14.0-rc5-next-20171018+ #36
[ 48.368339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.377658] Call Trace:
[ 48.380217] dump_stack+0x194/0x257
[ 48.383812] ? arch_local_irq_restore+0x53/0x53
[ 48.388447] ? kasan_end_report+0x32/0x50
[ 48.392564] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.397288] ? vsnprintf+0x1ed/0x1900
[ 48.401054] ? tipc_group_self+0xb0/0x1b0
[ 48.405170] panic+0x1e4/0x41c
[ 48.408331] ? refcount_error_report+0x214/0x214
[ 48.413053] ? add_taint+0x1c/0x50
[ 48.416558] ? add_taint+0x1c/0x50
[ 48.420063] ? tipc_group_self+0x1a2/0x1b0
[ 48.424265] kasan_end_report+0x50/0x50
[ 48.428203] kasan_report+0x144/0x340
[ 48.431973] __asan_report_load4_noabort+0x14/0x20
[ 48.436866] tipc_group_self+0x1a2/0x1b0
[ 48.440894] tipc_sk_leave+0xfc/0x200
[ 48.444660] ? tipc_sk_withdraw+0x6b0/0x6b0
[ 48.448949] ? __local_bh_enable_ip+0x9d/0x160
[ 48.453498] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.458480] ? lock_sock_nested+0x91/0x110
[ 48.462680] ? trace_hardirqs_on+0xd/0x10
[ 48.466792] ? __local_bh_enable_ip+0x9d/0x160
[ 48.471341] tipc_release+0x154/0xfe0
[ 48.475112] ? mntput_no_expire+0x130/0xa90
[ 48.479401] ? tipc_sk_backlog_rcv+0x370/0x370
[ 48.483950] ? lock_release+0xa40/0xa40
[ 48.487892] ? dentry_free+0xcd/0x130
[ 48.491661] ? rcu_read_lock_sched_held+0x108/0x120
[ 48.496643] ? kmem_cache_free+0x249/0x280
[ 48.500844] ? dentry_free+0xd2/0x130
[ 48.504613] ? locks_remove_file+0x3fa/0x5a0
[ 48.508985] ? fcntl_setlk+0x10c0/0x10c0
[ 48.513013] ? __fsnotify_parent+0xb4/0x3a0
[ 48.517304] ? fsnotify+0x1af0/0x1af0
[ 48.521071] ? rcu_note_context_switch+0x710/0x710
[ 48.525967] sock_release+0x8d/0x1e0
[ 48.529649] ? sock_release+0x1e0/0x1e0
[ 48.533590] sock_close+0x16/0x20
[ 48.537009] __fput+0x327/0x7e0
[ 48.540255] ? fput+0x140/0x140
[ 48.543503] ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[ 48.549354] ? _raw_spin_unlock_irq+0x27/0x70
[ 48.553822] ____fput+0x15/0x20
[ 48.557070] task_work_run+0x199/0x270
[ 48.560924] ? task_work_cancel+0x210/0x210
[ 48.565213] ? _raw_spin_unlock+0x22/0x30
[ 48.569328] ? switch_task_namespaces+0x87/0xc0
[ 48.573962] do_exit+0x9b5/0x1ad0
[ 48.577385] ? mm_update_next_owner+0x930/0x930
[ 48.582018] ? reacquire_held_locks+0x1fd/0x3d0
[ 48.586653] ? find_held_lock+0x35/0x1d0
[ 48.590685] ? release_sock+0x1d4/0x2a0
[ 48.594622] ? lock_downgrade+0x990/0x990
[ 48.598734] ? lock_downgrade+0x990/0x990
[ 48.602847] ? do_raw_spin_trylock+0x190/0x190
[ 48.607397] ? tipc_group_delete+0x2c0/0x3c0
[ 48.611771] ? __local_bh_enable_ip+0x9d/0x160
[ 48.616318] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.621299] ? trace_hardirqs_on+0xd/0x10
[ 48.625413] ? __local_bh_enable_ip+0x9d/0x160
[ 48.629961] ? release_sock+0x1d4/0x2a0
[ 48.633906] ? tipc_nametbl_build_group+0x27a/0x370
[ 48.638889] ? tipc_setsockopt+0x703/0xc00
[ 48.643090] ? tipc_sk_leave+0x200/0x200
[ 48.647121] ? security_socket_setsockopt+0x89/0xb0
[ 48.652105] ? SyS_setsockopt+0x215/0x360
[ 48.656217] do_group_exit+0x149/0x400
[ 48.660069] ? SyS_recv+0x40/0x40
[ 48.663487] ? SyS_exit+0x30/0x30
[ 48.666905] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.671886] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.676607] SyS_exit_group+0x1d/0x20
[ 48.680377] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 48.685096] RIP: 0033:0x43e978
[ 48.688255] RSP: 002b:00007ffd4bef95b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 48.695924] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 48.703161] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 48.710408] RBP: 0000000000000082 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 48.717644] R10: 0000000020004fe4 R11: 0000000000000246 R12: 00000000004016a0
[ 48.724880] R13: 0000000000401730 R14: 0000000000000000 R15: 0000000000000000
[ 48.732157] Dumping ftrace buffer:
[ 48.735661] (ftrace buffer empty)
[ 48.739338] Kernel Offset: disabled
[ 48.742932] Rebooting in 86400 seconds..