
[[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2.
[   26.975767] audit: type=1800 audit(1544707298.077:21): pid=5866 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.129' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   49.612465] ==================================================================
[   49.620150] BUG: KASAN: use-after-free in tipc_group_bc_cong+0x327/0x3f0
[   49.626978] Read of size 2 at addr ffff8881d8a37f74 by task syz-executor530/6024
[   49.634592] 
[   49.636221] CPU: 1 PID: 6024 Comm: syz-executor530 Not tainted 4.20.0-rc6-next-20181213+ #170
[   49.645091] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.654439] Call Trace:
[   49.657017]  dump_stack+0x244/0x39d
[   49.660635]  ? dump_stack_print_info.cold.1+0x20/0x20
[   49.665823]  ? printk+0xa7/0xcf
[   49.669104]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   49.673856]  print_address_description.cold.4+0x9/0x1ff
[   49.679251]  ? tipc_group_bc_cong+0x327/0x3f0
[   49.683744]  kasan_report.cold.5+0x1b/0x39
[   49.688095]  ? tipc_group_bc_cong+0x327/0x3f0
[   49.692591]  ? tipc_group_bc_cong+0x327/0x3f0
[   49.697074]  __asan_report_load2_noabort+0x14/0x20
[   49.701991]  tipc_group_bc_cong+0x327/0x3f0
[   49.706321]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   49.711423]  ? tipc_group_cong+0x5d0/0x5d0
[   49.715652]  ? remove_wait_queue+0x1a6/0x360
[   49.720184]  ? add_wait_queue+0x2b0/0x2b0
[   49.724334]  ? __local_bh_enable_ip+0x160/0x260
[   49.728998]  tipc_send_group_bcast+0x50a/0xd90
[   49.733598]  ? tipc_sk_sock_err.isra.60+0x2f0/0x2f0
[   49.738620]  ? __init_waitqueue_head+0x150/0x150
[   49.743362]  ? refill_pi_state_cache.part.7+0x310/0x310
[   49.748724]  ? mark_held_locks+0x130/0x130
[   49.753072]  ? futex_wait_setup+0x266/0x3e0
[   49.757391]  ? handle_futex_death+0x230/0x230
[   49.761952]  ? print_usage_bug+0xc0/0xc0
[   49.766008]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   49.771189]  __tipc_sendmsg+0xeec/0x1d40
[   49.775238]  ? futex_wait+0x5ec/0xa50
[   49.779029]  ? tipc_sendmcast+0xf50/0xf50
[   49.783165]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   49.788348]  ? graph_lock+0x270/0x270
[   49.792195]  ? print_usage_bug+0xc0/0xc0
[   49.796274]  ? find_held_lock+0x36/0x1c0
[   49.800338]  ? mark_held_locks+0xc7/0x130
[   49.804480]  ? __local_bh_enable_ip+0x160/0x260
[   49.809139]  ? __local_bh_enable_ip+0x160/0x260
[   49.813799]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   49.818411]  ? trace_hardirqs_on+0xbd/0x310
[   49.822736]  ? lock_release+0xa00/0xa00
[   49.826827]  ? lock_sock_nested+0xe2/0x120
[   49.831060]  ? trace_hardirqs_off_caller+0x310/0x310
[   49.836224]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.841758]  ? check_preemption_disabled+0x48/0x280
[   49.846868]  ? lock_sock_nested+0x9a/0x120
[   49.851109]  ? lock_sock_nested+0x9a/0x120
[   49.855343]  ? __local_bh_enable_ip+0x160/0x260
[   49.860018]  tipc_sendmsg+0x50/0x70
[   49.863763]  ? __tipc_sendmsg+0x1d40/0x1d40
[   49.868071]  sock_sendmsg+0xd5/0x120
[   49.871772]  ___sys_sendmsg+0x7fd/0x930
[   49.875732]  ? find_held_lock+0x36/0x1c0
[   49.879779]  ? copy_msghdr_from_user+0x580/0x580
[   49.884519]  ? __fd_install+0x2b5/0x8f0
[   49.888478]  ? check_preemption_disabled+0x48/0x280
[   49.893481]  ? __fget_light+0x2e9/0x430
[   49.897440]  ? fget_raw+0x20/0x20
[   49.900884]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.906408]  ? __fd_install+0x2f9/0x8f0
[   49.910383]  ? get_unused_fd_flags+0x1a0/0x1a0
[   49.915047]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   49.920635]  ? sockfd_lookup_light+0xc5/0x160
[   49.925130]  __sys_sendmsg+0x11d/0x280
[   49.929012]  ? __ia32_sys_shutdown+0x80/0x80
[   49.933426]  ? __x64_sys_futex+0x476/0x690
[   49.937652]  ? do_syscall_64+0x9a/0x820
[   49.941616]  ? do_syscall_64+0x9a/0x820
[   49.945588]  ? trace_hardirqs_off_caller+0x310/0x310
[   49.950684]  __x64_sys_sendmsg+0x78/0xb0
[   49.954748]  do_syscall_64+0x1b9/0x820
[   49.958642]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   49.963996]  ? syscall_return_slowpath+0x5e0/0x5e0
[   49.968976]  ? trace_hardirqs_on_caller+0x310/0x310
[   49.973995]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   49.979007]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   49.985666]  ? __switch_to_asm+0x40/0x70
[   49.989713]  ? __switch_to_asm+0x34/0x70
[   49.993761]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.998594]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.003771] RIP: 0033:0x446389
[   50.006958] Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   50.025856] RSP: 002b:00007f58fd1f9db8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
[   50.033609] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000446389
[   50.040884] RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000005
[   50.048258] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[   50.055634] R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dac3c
[   50.062890] R13: 00007ffd76b851cf R14: 00007f58fd1fa9c0 R15: 00000000006dad2c
[   50.070252] 
[   50.071867] Allocated by task 6025:
[   50.075486]  save_stack+0x43/0xd0
[   50.078925]  kasan_kmalloc+0xcb/0xd0
[   50.082625]  kmem_cache_alloc_trace+0x154/0x740
[   50.087277]  tipc_group_create+0x152/0xa70
[   50.091493]  tipc_setsockopt+0x2d1/0xd70
[   50.095535]  __sys_setsockopt+0x1ba/0x3c0
[   50.099783]  __x64_sys_setsockopt+0xbe/0x150
[   50.104226]  do_syscall_64+0x1b9/0x820
[   50.108107]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.113274] 
[   50.114883] Freed by task 6025:
[   50.118157]  save_stack+0x43/0xd0
[   50.121607]  __kasan_slab_free+0x102/0x150
[   50.125957]  kasan_slab_free+0xe/0x10
[   50.129748]  kfree+0xcf/0x230
[   50.132843]  tipc_group_delete+0x2e4/0x3f0
[   50.137058]  tipc_sk_leave+0x113/0x220
[   50.140929]  tipc_setsockopt+0x97d/0xd70
[   50.144972]  __sys_setsockopt+0x1ba/0x3c0
[   50.149102]  __x64_sys_setsockopt+0xbe/0x150
[   50.153491]  do_syscall_64+0x1b9/0x820
[   50.157403]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.162585] 
[   50.164195] The buggy address belongs to the object at ffff8881d8a37f00
[   50.164195]  which belongs to the cache kmalloc-192 of size 192
[   50.176832] The buggy address is located 116 bytes inside of
[   50.176832]  192-byte region [ffff8881d8a37f00, ffff8881d8a37fc0)
[   50.188686] The buggy address belongs to the page:
[   50.193642] page:ffffea0007628dc0 count:1 mapcount:0 mapping:ffff8881da800040 index:0x0
[   50.201786] flags: 0x2fffc0000000200(slab)
[   50.206022] raw: 02fffc0000000200 ffffea0007603cc8 ffff8881da801148 ffff8881da800040
[   50.213887] raw: 0000000000000000 ffff8881d8a37000 0000000100000010 0000000000000000
[   50.221858] page dumped because: kasan: bad access detected
[   50.227548] 
[   50.229153] Memory state around the buggy address:
[   50.234164]  ffff8881d8a37e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.241633]  ffff8881d8a37e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   50.248978] >ffff8881d8a37f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.256322]                                                              ^
[   50.263321]  ffff8881d8a37f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   50.270751]  ffff8881d8a38000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   50.278090] ==================================================================
[   50.285433] Disabling lock debugging due to kernel taint
[   50.290998] Kernel panic - not syncing: panic_on_warn set ...
[   50.296876] CPU: 1 PID: 6024 Comm: syz-executor530 Tainted: G    B             4.20.0-rc6-next-20181213+ #170
[   50.306901] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.316229] Call Trace:
[   50.318885]  dump_stack+0x244/0x39d
[   50.322502]  ? dump_stack_print_info.cold.1+0x20/0x20
[   50.327685]  ? tipc_group_bc_cong+0x250/0x3f0
[   50.332168]  panic+0x2ad/0x632
[   50.335341]  ? add_taint.cold.5+0x16/0x16
[   50.339471]  ? preempt_schedule+0x4d/0x60
[   50.343601]  ? ___preempt_schedule+0x16/0x18
[   50.347998]  ? trace_hardirqs_on+0xb4/0x310
[   50.352306]  ? tipc_group_bc_cong+0x327/0x3f0
[   50.356785]  end_report+0x47/0x4f
[   50.360222]  kasan_report.cold.5+0xe/0x39
[   50.364359]  ? tipc_group_bc_cong+0x327/0x3f0
[   50.368840]  ? tipc_group_bc_cong+0x327/0x3f0
[   50.373320]  __asan_report_load2_noabort+0x14/0x20
[   50.378230]  tipc_group_bc_cong+0x327/0x3f0
[   50.382533]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   50.387657]  ? tipc_group_cong+0x5d0/0x5d0
[   50.391886]  ? remove_wait_queue+0x1a6/0x360
[   50.396290]  ? add_wait_queue+0x2b0/0x2b0
[   50.400460]  ? __local_bh_enable_ip+0x160/0x260
[   50.405118]  tipc_send_group_bcast+0x50a/0xd90
[   50.409684]  ? tipc_sk_sock_err.isra.60+0x2f0/0x2f0
[   50.414682]  ? __init_waitqueue_head+0x150/0x150
[   50.419423]  ? refill_pi_state_cache.part.7+0x310/0x310
[   50.424780]  ? mark_held_locks+0x130/0x130
[   50.428993]  ? futex_wait_setup+0x266/0x3e0
[   50.433294]  ? handle_futex_death+0x230/0x230
[   50.437777]  ? print_usage_bug+0xc0/0xc0
[   50.441824]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   50.447001]  __tipc_sendmsg+0xeec/0x1d40
[   50.451050]  ? futex_wait+0x5ec/0xa50
[   50.454842]  ? tipc_sendmcast+0xf50/0xf50
[   50.458971]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   50.464139]  ? graph_lock+0x270/0x270
[   50.467919]  ? print_usage_bug+0xc0/0xc0
[   50.471973]  ? find_held_lock+0x36/0x1c0
[   50.476030]  ? mark_held_locks+0xc7/0x130
[   50.480168]  ? __local_bh_enable_ip+0x160/0x260
[   50.484819]  ? __local_bh_enable_ip+0x160/0x260
[   50.489471]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   50.494035]  ? trace_hardirqs_on+0xbd/0x310
[   50.498338]  ? lock_release+0xa00/0xa00
[   50.502291]  ? lock_sock_nested+0xe2/0x120
[   50.506504]  ? trace_hardirqs_off_caller+0x310/0x310
[   50.511598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.517130]  ? check_preemption_disabled+0x48/0x280
[   50.522133]  ? lock_sock_nested+0x9a/0x120
[   50.526350]  ? lock_sock_nested+0x9a/0x120
[   50.530568]  ? __local_bh_enable_ip+0x160/0x260
[   50.535226]  tipc_sendmsg+0x50/0x70
[   50.538841]  ? __tipc_sendmsg+0x1d40/0x1d40
[   50.543189]  sock_sendmsg+0xd5/0x120
[   50.546891]  ___sys_sendmsg+0x7fd/0x930
[   50.550850]  ? find_held_lock+0x36/0x1c0
[   50.554894]  ? copy_msghdr_from_user+0x580/0x580
[   50.559638]  ? __fd_install+0x2b5/0x8f0
[   50.563599]  ? check_preemption_disabled+0x48/0x280
[   50.568596]  ? __fget_light+0x2e9/0x430
[   50.572550]  ? fget_raw+0x20/0x20
[   50.575997]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.581529]  ? __fd_install+0x2f9/0x8f0
[   50.585485]  ? get_unused_fd_flags+0x1a0/0x1a0
[   50.590054]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.595578]  ? sockfd_lookup_light+0xc5/0x160
[   50.600059]  __sys_sendmsg+0x11d/0x280
[   50.603936]  ? __ia32_sys_shutdown+0x80/0x80
[   50.608334]  ? __x64_sys_futex+0x476/0x690
[   50.612555]  ? do_syscall_64+0x9a/0x820
[   50.616513]  ? do_syscall_64+0x9a/0x820
[   50.620472]  ? trace_hardirqs_off_caller+0x310/0x310
[   50.625562]  __x64_sys_sendmsg+0x78/0xb0
[   50.629607]  do_syscall_64+0x1b9/0x820
[   50.633547]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   50.638899]  ? syscall_return_slowpath+0x5e0/0x5e0
[   50.643810]  ? trace_hardirqs_on_caller+0x310/0x310
[   50.648903]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   50.653967]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   50.660991]  ? __switch_to_asm+0x40/0x70
[   50.665142]  ? __switch_to_asm+0x34/0x70
[   50.669189]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   50.674014]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.679184] RIP: 0033:0x446389
[   50.682359] Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   50.701248] RSP: 002b:00007f58fd1f9db8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
[   50.708944] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000446389
[   50.716313] RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000005
[   50.723574] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[   50.730826] R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dac3c
[   50.738222] R13: 00007ffd76b851cf R14: 00007f58fd1fa9c0 R15: 00000000006dad2c
[   50.746350] Kernel Offset: disabled
[   50.749973] Rebooting in 86400 seconds..