[ 34.793496] default_idle_call+0x36/0x90 [ 34.797521] do_idle+0x24e/0x3b0 [ 34.800854] cpu_startup_entry+0x18/0x20 [ 34.804881] rest_init+0xed/0xf0 [ 34.808217] start_kernel+0x72e/0x754 [ 34.811983] ? mem_encrypt_init+0xb/0xb [ 34.815924] ? memcpy_orig+0x54/0x110 [ 34.819697] x86_64_start_reservations+0x2a/0x2c [ 34.824419] x86_64_start_kernel+0x77/0x7a [ 34.828620] secondary_startup_64+0xa5/0xa5 Warning: Permanently added 'ci-upstream-net-kasan-gce-5,10.128.15.220' (ECDSA) to the list of known hosts. executing program [ 43.259936] ================================================================== [ 43.267359] BUG: KASAN: use-after-free in tipc_group_self+0x1a2/0x1b0 [ 43.273904] Read of size 4 at addr ffff8801d526436c by task syzkaller237209/3002 [ 43.281397] [ 43.282993] CPU: 1 PID: 3002 Comm: syzkaller237209 Not tainted 4.14.0-rc4+ #84 [ 43.290316] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.299634] Call Trace: [ 43.302192] dump_stack+0x194/0x257 [ 43.305790] ? arch_local_irq_restore+0x53/0x53 [ 43.310431] ? show_regs_print_info+0x65/0x65 [ 43.314897] ? tipc_group_self+0x1a2/0x1b0 [ 43.319104] print_address_description+0x73/0x250 [ 43.323912] ? tipc_group_self+0x1a2/0x1b0 [ 43.328124] kasan_report+0x25b/0x340 [ 43.331894] __asan_report_load4_noabort+0x14/0x20 [ 43.336789] tipc_group_self+0x1a2/0x1b0 [ 43.340821] tipc_sk_leave+0xfc/0x200 [ 43.344592] ? tipc_sk_withdraw+0x6b0/0x6b0 [ 43.348882] ? lock_sock_nested+0x44/0x110 [ 43.353088] ? lock_sock_nested+0x91/0x110 [ 43.357290] ? trace_hardirqs_on+0xd/0x10 [ 43.361407] ? __local_bh_enable_ip+0x9d/0x160 [ 43.365955] tipc_release+0x154/0xfd0 [ 43.369730] ? lock_acquire+0x1d5/0x580 [ 43.373672] ? mnt_get_count+0x150/0x150 [ 43.377701] ? tipc_sk_backlog_rcv+0x370/0x370 [ 43.382250] ? lock_release+0xd70/0xd70 [ 43.386193] ? trace_hardirqs_on+0xd/0x10 [ 43.390307] ? kmem_cache_free+0x21b/0x280 [ 43.394509] ? dentry_free+0xd2/0x130 [ 43.398277] ? locks_remove_file+0x3fa/0x5a0 [ 43.402654] ? fcntl_setlk+0x10d0/0x10d0 [ 43.406680] ? mnt_get_count+0x150/0x150 [ 43.410705] ? __fsnotify_parent+0xb4/0x3a0 [ 43.415002] ? fsnotify+0x1af0/0x1af0 [ 43.418767] ? dput.part.24+0x2a/0x740 [ 43.422623] sock_release+0x8d/0x1e0 [ 43.426302] ? sock_release+0x1e0/0x1e0 [ 43.430240] sock_close+0x16/0x20 [ 43.433665] __fput+0x333/0x7f0 [ 43.436917] ? fput+0x140/0x140 [ 43.440163] ? check_same_owner+0x320/0x320 [ 43.444448] ? do_raw_spin_trylock+0x190/0x190 [ 43.448998] ____fput+0x15/0x20 [ 43.452244] task_work_run+0x199/0x270 [ 43.456099] ? task_work_cancel+0x210/0x210 [ 43.460386] ? _raw_spin_unlock+0x22/0x30 [ 43.464500] ? switch_task_namespaces+0x87/0xc0 [ 43.469136] do_exit+0x9d2/0x1af0 [ 43.472559] ? tipc_accept_from_sock+0x531/0x580 [ 43.477280] ? mm_update_next_owner+0x930/0x930 [ 43.481921] ? release_sock+0x1d4/0x2a0 [ 43.485874] ? lock_downgrade+0x990/0x990 [ 43.489988] ? lock_downgrade+0x990/0x990 [ 43.494104] ? lock_acquire+0x1d5/0x580 [ 43.498042] ? release_sock+0x74/0x2a0 [ 43.501901] ? do_raw_spin_trylock+0x190/0x190 [ 43.506448] ? tipc_group_delete+0x2c0/0x3c0 [ 43.510821] ? lock_release+0xcb0/0xd70 [ 43.514762] ? trace_hardirqs_on+0xd/0x10 [ 43.518873] ? __local_bh_enable_ip+0x9d/0x160 [ 43.523421] ? release_sock+0x1d4/0x2a0 [ 43.527364] ? tipc_nametbl_build_group+0x27a/0x370 [ 43.532349] ? tipc_setsockopt+0x703/0xc00 [ 43.536549] ? tipc_sk_leave+0x200/0x200 [ 43.540584] ? security_socket_setsockopt+0x89/0xb0 [ 43.545568] ? SyS_setsockopt+0x215/0x360 [ 43.549694] do_group_exit+0x149/0x400 [ 43.553548] ? SyS_recv+0x40/0x40 [ 43.556968] ? SyS_exit+0x30/0x30 [ 43.560388] ? find_mergeable_anon_vma+0xd0/0xd0 [ 43.565112] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.569833] SyS_exit_group+0x1d/0x20 [ 43.573600] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 43.578319] RIP: 0033:0x43e978 [ 43.581476] RSP: 002b:00007ffee45f1d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 43.589150] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978 [ 43.596387] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 43.603623] RBP: 00000000000014b1 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 43.610856] R10: 000000002010e000 R11: 0000000000000246 R12: 00000000006ca858 [ 43.618089] R13: 00000000006ca858 R14: 0000000000000000 R15: 0000000000002710 [ 43.625332] [ 43.626942] Allocated by task 3002: [ 43.630534] save_stack_trace+0x16/0x20 [ 43.634472] save_stack+0x43/0xd0 [ 43.637967] kasan_kmalloc+0xad/0xe0 [ 43.641650] kmem_cache_alloc_trace+0x136/0x750 [ 43.646283] tipc_group_create+0x116/0x9c0 [ 43.650481] tipc_setsockopt+0x25e/0xc00 [ 43.654505] SyS_setsockopt+0x189/0x360 [ 43.658444] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 43.663158] [ 43.664749] Freed by task 3002: [ 43.667992] save_stack_trace+0x16/0x20 [ 43.671928] save_stack+0x43/0xd0 [ 43.675344] kasan_slab_free+0x71/0xc0 [ 43.679192] kfree+0xca/0x250 [ 43.682259] tipc_group_delete+0x2c0/0x3c0 [ 43.686456] tipc_setsockopt+0xb33/0xc00 [ 43.690479] SyS_setsockopt+0x189/0x360 [ 43.694414] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 43.699130] [ 43.700723] The buggy address belongs to the object at ffff8801d5264300 [ 43.700723] which belongs to the cache kmalloc-192 of size 192 [ 43.713341] The buggy address is located 108 bytes inside of [ 43.713341] 192-byte region [ffff8801d5264300, ffff8801d52643c0) [ 43.725176] The buggy address belongs to the page: [ 43.730072] page:ffffea0007549900 count:1 mapcount:0 mapping:ffff8801d5264000 index:0xffff8801d5264900 [ 43.739481] flags: 0x200000000000100(slab) [ 43.743685] raw: 0200000000000100 ffff8801d5264000 ffff8801d5264900 000000010000000c [ 43.751529] raw: ffffea00075382a0 ffff8801dac01140 ffff8801dac00040 0000000000000000 [ 43.759369] page dumped because: kasan: bad access detected [ 43.765042] [ 43.766633] Memory state around the buggy address: [ 43.771522] ffff8801d5264200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.778843] ffff8801d5264280: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.786180] >ffff8801d5264300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.793505] ^ [ 43.800220] ffff8801d5264380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 43.807539] ffff8801d5264400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.814858] ================================================================== [ 43.822378] Kernel panic - not syncing: panic_on_warn set ... [ 43.822378] [ 43.829710] CPU: 1 PID: 3002 Comm: syzkaller237209 Tainted: G B 4.14.0-rc4+ #84 [ 43.838247] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.847566] Call Trace: [ 43.850141] dump_stack+0x194/0x257 [ 43.853739] ? arch_local_irq_restore+0x53/0x53 [ 43.858375] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.863096] ? tipc_group_self+0x190/0x1b0 [ 43.867301] panic+0x1e4/0x417 [ 43.870456] ? __warn+0x1d9/0x1d9 [ 43.873881] ? tipc_group_self+0x1a2/0x1b0 [ 43.878089] kasan_end_report+0x50/0x50 [ 43.882027] kasan_report+0x144/0x340 [ 43.885793] __asan_report_load4_noabort+0x14/0x20 [ 43.890684] tipc_group_self+0x1a2/0x1b0 [ 43.894710] tipc_sk_leave+0xfc/0x200 [ 43.898476] ? tipc_sk_withdraw+0x6b0/0x6b0 [ 43.902766] ? lock_sock_nested+0x44/0x110 [ 43.906964] ? lock_sock_nested+0x91/0x110 [ 43.911164] ? trace_hardirqs_on+0xd/0x10 [ 43.915276] ? __local_bh_enable_ip+0x9d/0x160 [ 43.919823] tipc_release+0x154/0xfd0 [ 43.923609] ? lock_acquire+0x1d5/0x580 [ 43.927547] ? mnt_get_count+0x150/0x150 [ 43.931571] ? tipc_sk_backlog_rcv+0x370/0x370 [ 43.936119] ? lock_release+0xd70/0xd70 [ 43.940057] ? trace_hardirqs_on+0xd/0x10 [ 43.944169] ? kmem_cache_free+0x21b/0x280 [ 43.948370] ? dentry_free+0xd2/0x130 [ 43.952157] ? locks_remove_file+0x3fa/0x5a0 [ 43.956533] ? fcntl_setlk+0x10d0/0x10d0 [ 43.960556] ? mnt_get_count+0x150/0x150 [ 43.964583] ? __fsnotify_parent+0xb4/0x3a0 [ 43.968871] ? fsnotify+0x1af0/0x1af0 [ 43.972633] ? dput.part.24+0x2a/0x740 [ 43.976488] sock_release+0x8d/0x1e0 [ 43.980165] ? sock_release+0x1e0/0x1e0 [ 43.984104] sock_close+0x16/0x20 [ 43.987522] __fput+0x333/0x7f0 [ 43.990769] ? fput+0x140/0x140 [ 43.994014] ? check_same_owner+0x320/0x320 [ 43.998300] ? do_raw_spin_trylock+0x190/0x190 [ 44.002850] ____fput+0x15/0x20 [ 44.006097] task_work_run+0x199/0x270 [ 44.009949] ? task_work_cancel+0x210/0x210 [ 44.014237] ? _raw_spin_unlock+0x22/0x30 [ 44.018348] ? switch_task_namespaces+0x87/0xc0 [ 44.022981] do_exit+0x9d2/0x1af0 [ 44.026402] ? tipc_accept_from_sock+0x531/0x580 [ 44.031122] ? mm_update_next_owner+0x930/0x930 [ 44.035756] ? release_sock+0x1d4/0x2a0 [ 44.039693] ? lock_downgrade+0x990/0x990 [ 44.043804] ? lock_downgrade+0x990/0x990 [ 44.047917] ? lock_acquire+0x1d5/0x580 [ 44.051853] ? release_sock+0x74/0x2a0 [ 44.055707] ? do_raw_spin_trylock+0x190/0x190 [ 44.060254] ? tipc_group_delete+0x2c0/0x3c0 [ 44.064626] ? lock_release+0xcb0/0xd70 [ 44.068564] ? trace_hardirqs_on+0xd/0x10 [ 44.072675] ? __local_bh_enable_ip+0x9d/0x160 [ 44.077222] ? release_sock+0x1d4/0x2a0 [ 44.081164] ? tipc_nametbl_build_group+0x27a/0x370 [ 44.086150] ? tipc_setsockopt+0x703/0xc00 [ 44.090354] ? tipc_sk_leave+0x200/0x200 [ 44.094391] ? security_socket_setsockopt+0x89/0xb0 [ 44.099379] ? SyS_setsockopt+0x215/0x360 [ 44.103582] do_group_exit+0x149/0x400 [ 44.107435] ? SyS_recv+0x40/0x40 [ 44.110854] ? SyS_exit+0x30/0x30 [ 44.114273] ? find_mergeable_anon_vma+0xd0/0xd0 [ 44.118998] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 44.123720] SyS_exit_group+0x1d/0x20 [ 44.127485] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 44.132205] RIP: 0033:0x43e978 [ 44.135360] RSP: 002b:00007ffee45f1d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 44.143033] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978 [ 44.150269] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 44.157507] RBP: 00000000000014b1 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 44.164741] R10: 000000002010e000 R11: 0000000000000246 R12: 00000000006ca858 [ 44.171977] R13: 00000000006ca858 R14: 0000000000000000 R15: 0000000000002710 [ 44.179268] Dumping ftrace buffer: [ 44.182774] (ftrace buffer empty) [ 44.186452] Kernel Offset: disabled [ 44.190048] Rebooting in 86400 seconds..