Warning: Permanently added '10.128.1.94' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 31.660598] ==================================================================
[ 31.668068] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 31.674718] Read of size 8 at addr ffff8880b0237e20 by task kworker/u4:2/67
[ 31.681805]
[ 31.683426] CPU: 0 PID: 67 Comm: kworker/u4:2 Not tainted 4.14.227-syzkaller #0
[ 31.690860] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.700200] Workqueue: tipc_rcv tipc_recv_work
[ 31.704765] Call Trace:
[ 31.707329] dump_stack+0x1b2/0x281
[ 31.710935] print_address_description.cold+0x54/0x1d3
[ 31.716205] kasan_report_error.cold+0x8a/0x191
[ 31.720866] ? __lock_acquire+0x2c57/0x3f20
[ 31.725178] __asan_report_load8_noabort+0x68/0x70
[ 31.730089] ? tipc_subscrb_rcv_cb+0x2f0/0xa40
[ 31.734661] ? __lock_acquire+0x2c57/0x3f20
[ 31.738959] __lock_acquire+0x2c57/0x3f20
[ 31.743085] ? io_schedule_timeout+0x140/0x140
[ 31.747661] ? __wake_up_common_lock+0xcd/0x140
[ 31.752394] ? trace_hardirqs_on+0x10/0x10
[ 31.756636] ? trace_hardirqs_on+0x10/0x10
[ 31.760848] ? preempt_schedule_common+0x45/0xc0
[ 31.765603] ? ___preempt_schedule+0x16/0x18
[ 31.770007] ? tipc_recvmsg+0x43e/0x9e0
[ 31.773964] ? __local_bh_enable_ip+0x132/0x170
[ 31.778645] lock_acquire+0x170/0x3f0
[ 31.782424] ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 31.786986] _raw_spin_lock_bh+0x2f/0x40
[ 31.791043] ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 31.795601] tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 31.799988] tipc_receive_from_sock+0x25c/0x450
[ 31.804651] ? trace_hardirqs_on+0x10/0x10
[ 31.808864] ? lock_acquire+0x170/0x3f0
[ 31.812814] ? tipc_close_conn+0x200/0x200
[ 31.817024] tipc_recv_work+0x75/0xd0
[ 31.820804] process_one_work+0x793/0x14a0
[ 31.825014] ? work_busy+0x320/0x320
[ 31.828721] ? worker_thread+0x158/0xff0
[ 31.832780] ? _raw_spin_unlock_irq+0x24/0x80
[ 31.837254] worker_thread+0x5cc/0xff0
[ 31.841122] ? rescuer_thread+0xc80/0xc80
[ 31.845260] kthread+0x30d/0x420
[ 31.848603] ? kthread_create_on_node+0xd0/0xd0
[ 31.853265] ret_from_fork+0x24/0x30
[ 31.856978]
[ 31.858580] Allocated by task 67:
[ 31.862009] kasan_kmalloc+0xeb/0x160
[ 31.865833] kmem_cache_alloc_trace+0x131/0x3d0
[ 31.870483] tipc_subscrb_connect_cb+0x40/0x150
[ 31.875143] tipc_accept_from_sock+0x25b/0x400
[ 31.879699] tipc_recv_work+0x75/0xd0
[ 31.883475] process_one_work+0x793/0x14a0
[ 31.887696] worker_thread+0x5cc/0xff0
[ 31.891558] kthread+0x30d/0x420
[ 31.894902] ret_from_fork+0x24/0x30
[ 31.898586]
[ 31.900184] Freed by task 22:
[ 31.903263] kasan_slab_free+0xc3/0x1a0
[ 31.907223] kfree+0xc9/0x250
[ 31.910303] tipc_subscrb_put+0x22/0x30
[ 31.914262] tipc_close_conn+0x16a/0x200
[ 31.918297] tipc_send_work+0x41e/0x520
[ 31.922245] process_one_work+0x793/0x14a0
[ 31.926467] worker_thread+0x5cc/0xff0
[ 31.930345] kthread+0x30d/0x420
[ 31.933705] ret_from_fork+0x24/0x30
[ 31.937390]
[ 31.938993] The buggy address belongs to the object at ffff8880b0237e00
[ 31.938993] which belongs to the cache kmalloc-96 of size 96
[ 31.951455] The buggy address is located 32 bytes inside of
[ 31.951455] 96-byte region [ffff8880b0237e00, ffff8880b0237e60)
[ 31.963153] The buggy address belongs to the page:
[ 31.968057] page:ffffea0002c08dc0 count:1 mapcount:0 mapping:ffff8880b0237000 index:0xffff8880b0237c80
[ 31.977525] flags: 0xfff00000000100(slab)
[ 31.981652] raw: 00fff00000000100 ffff8880b0237000 ffff8880b0237c80 000000010000001b
[ 31.989527] raw: ffffea0002cbd9a0 ffffea0002c5de20 ffff88813fe804c0 0000000000000000
[ 31.997387] page dumped because: kasan: bad access detected
[ 32.003097]
[ 32.004698] Memory state around the buggy address:
[ 32.009602] ffff8880b0237d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.016959] ffff8880b0237d80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.024295] >ffff8880b0237e00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.031631] ^
[ 32.036115] ffff8880b0237e80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.043482] ffff8880b0237f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.050830] ==================================================================
[ 32.058193] Disabling lock debugging due to kernel taint
[ 32.063633] Kernel panic - not syncing: panic_on_warn set ...
[ 32.063633]
[ 32.071061] CPU: 0 PID: 67 Comm: kworker/u4:2 Tainted: G B 4.14.227-syzkaller #0
[ 32.079701] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.089046] Workqueue: tipc_rcv tipc_recv_work
[ 32.093606] Call Trace:
[ 32.096175] dump_stack+0x1b2/0x281
[ 32.099784] panic+0x1f9/0x42d
[ 32.102970] ? add_taint.cold+0x16/0x16
[ 32.106922] ? lock_downgrade+0x740/0x740
[ 32.111048] kasan_end_report+0x43/0x49
[ 32.114999] kasan_report_error.cold+0xa7/0x191
[ 32.119645] ? __lock_acquire+0x2c57/0x3f20
[ 32.123971] __asan_report_load8_noabort+0x68/0x70
[ 32.128888] ? tipc_subscrb_rcv_cb+0x2f0/0xa40
[ 32.133450] ? __lock_acquire+0x2c57/0x3f20
[ 32.137777] __lock_acquire+0x2c57/0x3f20
[ 32.141915] ? io_schedule_timeout+0x140/0x140
[ 32.146493] ? __wake_up_common_lock+0xcd/0x140
[ 32.151143] ? trace_hardirqs_on+0x10/0x10
[ 32.155378] ? trace_hardirqs_on+0x10/0x10
[ 32.159592] ? preempt_schedule_common+0x45/0xc0
[ 32.164338] ? ___preempt_schedule+0x16/0x18
[ 32.168838] ? tipc_recvmsg+0x43e/0x9e0
[ 32.172791] ? __local_bh_enable_ip+0x132/0x170
[ 32.177435] lock_acquire+0x170/0x3f0
[ 32.181215] ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 32.185772] _raw_spin_lock_bh+0x2f/0x40
[ 32.189822] ? tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 32.194403] tipc_subscrb_rcv_cb+0x4d4/0xa40
[ 32.198798] tipc_receive_from_sock+0x25c/0x450
[ 32.203443] ? trace_hardirqs_on+0x10/0x10
[ 32.207662] ? lock_acquire+0x170/0x3f0
[ 32.211613] ? tipc_close_conn+0x200/0x200
[ 32.215842] tipc_recv_work+0x75/0xd0
[ 32.219631] process_one_work+0x793/0x14a0
[ 32.223862] ? work_busy+0x320/0x320
[ 32.227579] ? worker_thread+0x158/0xff0
[ 32.231624] ? _raw_spin_unlock_irq+0x24/0x80
[ 32.236110] worker_thread+0x5cc/0xff0
[ 32.239990] ? rescuer_thread+0xc80/0xc80
[ 32.244129] kthread+0x30d/0x420
[ 32.247483] ? kthread_create_on_node+0xd0/0xd0
[ 32.252147] ret_from_fork+0x24/0x30
[ 32.256234] Kernel Offset: disabled
[ 32.259847] Rebooting in 86400 seconds..