Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 28.575667] ==================================================================
[ 28.583256] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 28.591381] Read of size 4 at addr ffff8880a4cda790 by task syz-executor045/7980
[ 28.598894]
[ 28.600514] CPU: 0 PID: 7980 Comm: syz-executor045 Not tainted 4.14.202-syzkaller #0
[ 28.608370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.617701] Call Trace:
[ 28.620267]  dump_stack+0x1b2/0x283
[ 28.623875]  print_address_description.cold+0x54/0x1d3
[ 28.629134]  kasan_report_error.cold+0x8a/0x194
[ 28.633783]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 28.639208]  __asan_report_load4_noabort+0x68/0x70
[ 28.644112]  ? tipc_addr_node_valid+0x30/0x60
[ 28.648581]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 28.654007]  tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 28.659262]  tipc_sendmcast+0x51a/0xac0
[ 28.663214]  ? check_usage_forwards+0x2d0/0x2d0
[ 28.667875]  ? tipc_shutdown+0x2f0/0x2f0
[ 28.671930]  ? __save_stack_trace+0x63/0x160
[ 28.676314]  ? deref_stack_reg+0x124/0x1a0
[ 28.680525]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 28.686390]  ? lock_downgrade+0x740/0x740
[ 28.690530]  ? unwind_next_frame+0xe54/0x17d0
[ 28.695005]  ? bpf_prog_kallsyms_find.part.0+0x164/0x240
[ 28.700447]  ? is_bpf_text_address+0xb8/0x150
[ 28.704933]  __tipc_sendmsg+0xbab/0xf90
[ 28.708892]  ? check_usage_forwards+0x2d0/0x2d0
[ 28.713552]  ? tipc_sendmcast+0xac0/0xac0
[ 28.717682]  ? save_trace+0xd6/0x290
[ 28.721481]  ? mark_lock+0x64e/0x1050
[ 28.725257]  ? check_usage_forwards+0x2d0/0x2d0
[ 28.729904]  ? mark_held_locks+0xa6/0xf0
[ 28.733946]  ? __local_bh_enable_ip+0xc1/0x170
[ 28.738510]  tipc_sendmsg+0x4c/0x70
[ 28.742143]  ? __tipc_sendmsg+0xf90/0xf90
[ 28.746321]  sock_sendmsg+0xb5/0x100
[ 28.750031]  ___sys_sendmsg+0x6c8/0x800
[ 28.753988]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 28.758759]  ? lock_downgrade+0x740/0x740
[ 28.762893]  ? do_raw_spin_unlock+0x164/0x220
[ 28.767381]  ? _raw_spin_unlock+0x29/0x40
[ 28.771511]  ? do_huge_pmd_anonymous_page+0x732/0x1670
[ 28.776763]  ? prep_transhuge_page+0xa0/0xa0
[ 28.781257]  ? vm_insert_page+0x7c0/0x7c0
[ 28.785411]  ? __fdget+0x167/0x1f0
[ 28.788935]  ? sockfd_lookup_light+0xb2/0x160
[ 28.793429]  __sys_sendmsg+0xa3/0x120
[ 28.797212]  ? SyS_shutdown+0x160/0x160
[ 28.801200]  ? up_read+0x17/0x30
[ 28.804556]  ? __do_page_fault+0x159/0xad0
[ 28.808770]  SyS_sendmsg+0x27/0x40
[ 28.812292]  ? __sys_sendmsg+0x120/0x120
[ 28.816331]  do_syscall_64+0x1d5/0x640
[ 28.820214]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.825396] RIP: 0033:0x440299
[ 28.828587] RSP: 002b:00007fffd19c9a58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 28.836274] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440299
[ 28.843519] RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003
[ 28.850764] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 28.858281] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401aa0
[ 28.865604] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[ 28.872873]
[ 28.874510] Allocated by task 1:
[ 28.877866]  kasan_kmalloc+0xeb/0x160
[ 28.883125]  __kmalloc+0x15a/0x400
[ 28.886651]  tipc_nameseq_create+0x53/0x290
[ 28.890946]  tipc_nametbl_insert_publ+0xb37/0x14e0
[ 28.895869]  tipc_nametbl_publish+0x211/0x3f0
[ 28.900342]  tipc_bind+0x2c4/0x600
[ 28.903858]  tipc_server_start+0x31f/0x880
[ 28.908068]  tipc_topsrv_init_net+0x53b/0x730
[ 28.912540]  ops_init+0xaa/0x3e0
[ 28.915915]  register_pernet_operations+0x32f/0x750
[ 28.922123]  register_pernet_device+0x28/0x70
[ 28.926596]  tipc_init+0x7d/0x137
[ 28.930026]  do_one_initcall+0x88/0x202
[ 28.933977]  kernel_init_freeable+0x553/0x614
[ 28.938449]  kernel_init+0xd/0x162
[ 28.941967]  ret_from_fork+0x24/0x30
[ 28.945653]
[ 28.947352] Freed by task 0:
[ 28.950354] (stack is not available)
[ 28.954098]
[ 28.955727] The buggy address belongs to the object at ffff8880a4cda780
[ 28.955727]  which belongs to the cache kmalloc-32 of size 32
[ 28.968190] The buggy address is located 16 bytes inside of
[ 28.968190]  32-byte region [ffff8880a4cda780, ffff8880a4cda7a0)
[ 28.979869] The buggy address belongs to the page:
[ 28.984778] page:ffffea0002933680 count:1 mapcount:0 mapping:ffff8880a4cda000 index:0xffff8880a4cdafc1
[ 28.994203] flags: 0xfff00000000100(slab)
[ 28.998331] raw: 00fff00000000100 ffff8880a4cda000 ffff8880a4cdafc1 0000000100000032
[ 29.006197] raw: ffffea0002bd0ca0 ffffea0002a509e0 ffff88813fe801c0 0000000000000000
[ 29.014065] page dumped because: kasan: bad access detected
[ 29.019772]
[ 29.021393] Memory state around the buggy address:
[ 29.026307]  ffff8880a4cda680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 29.033648]  ffff8880a4cda700: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 29.041006] >ffff8880a4cda780: 00 00 fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
[ 29.048366]                          ^
[ 29.052238]  ffff8880a4cda800: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 29.059600]  ffff8880a4cda880: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 29.066933] ==================================================================
[ 29.074344] Disabling lock debugging due to kernel taint
[ 29.079878] Kernel panic - not syncing: panic_on_warn set ...
[ 29.079878]
[ 29.087237] CPU: 0 PID: 7980 Comm: syz-executor045 Tainted: G B 4.14.202-syzkaller #0
[ 29.096596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.105945] Call Trace:
[ 29.108531]  dump_stack+0x1b2/0x283
[ 29.112154]  panic+0x1f9/0x42d
[ 29.115379]  ? add_taint.cold+0x16/0x16
[ 29.119483]  kasan_end_report+0x43/0x49
[ 29.123441]  kasan_report_error.cold+0xa7/0x194
[ 29.128094]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 29.133542]  __asan_report_load4_noabort+0x68/0x70
[ 29.138543]  ? tipc_addr_node_valid+0x30/0x60
[ 29.143017]  ? tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 29.148460]  tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 29.153766]  tipc_sendmcast+0x51a/0xac0
[ 29.157745]  ? check_usage_forwards+0x2d0/0x2d0
[ 29.162590]  ? tipc_shutdown+0x2f0/0x2f0
[ 29.166665]  ? __save_stack_trace+0x63/0x160
[ 29.171287]  ? deref_stack_reg+0x124/0x1a0
[ 29.175956]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 29.182048]  ? lock_downgrade+0x740/0x740
[ 29.186350]  ? unwind_next_frame+0xe54/0x17d0
[ 29.190868]  ? bpf_prog_kallsyms_find.part.0+0x164/0x240
[ 29.196395]  ? is_bpf_text_address+0xb8/0x150
[ 29.200869]  __tipc_sendmsg+0xbab/0xf90
[ 29.204836]  ? check_usage_forwards+0x2d0/0x2d0
[ 29.210798]  ? tipc_sendmcast+0xac0/0xac0
[ 29.214934]  ? save_trace+0xd6/0x290
[ 29.218644]  ? mark_lock+0x64e/0x1050
[ 29.222418]  ? check_usage_forwards+0x2d0/0x2d0
[ 29.227598]  ? mark_held_locks+0xa6/0xf0
[ 29.231647]  ? __local_bh_enable_ip+0xc1/0x170
[ 29.236207]  tipc_sendmsg+0x4c/0x70
[ 29.240156]  ? __tipc_sendmsg+0xf90/0xf90
[ 29.244536]  sock_sendmsg+0xb5/0x100
[ 29.248244]  ___sys_sendmsg+0x6c8/0x800
[ 29.252192]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 29.256918]  ? lock_downgrade+0x740/0x740
[ 29.261047]  ? do_raw_spin_unlock+0x164/0x220
[ 29.265611]  ? _raw_spin_unlock+0x29/0x40
[ 29.269730]  ? do_huge_pmd_anonymous_page+0x732/0x1670
[ 29.274982]  ? prep_transhuge_page+0xa0/0xa0
[ 29.279375]  ? vm_insert_page+0x7c0/0x7c0
[ 29.283499]  ? __fdget+0x167/0x1f0
[ 29.287010]  ? sockfd_lookup_light+0xb2/0x160
[ 29.291489]  __sys_sendmsg+0xa3/0x120
[ 29.295267]  ? SyS_shutdown+0x160/0x160
[ 29.299213]  ? up_read+0x17/0x30
[ 29.302575]  ? __do_page_fault+0x159/0xad0
[ 29.306803]  SyS_sendmsg+0x27/0x40
[ 29.310401]  ? __sys_sendmsg+0x120/0x120
[ 29.314446]  do_syscall_64+0x1d5/0x640
[ 29.318312]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.323476] RIP: 0033:0x440299
[ 29.326648] RSP: 002b:00007fffd19c9a58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.334621] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440299
[ 29.342822] RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003
[ 29.350083] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 29.357329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401aa0
[ 29.364628] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
[ 29.372756] Kernel Offset: disabled
[ 29.376364] Rebooting in 86400 seconds..
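The report above contains everything needed for a first triage, but the shadow-memory dump is the part most people skip. Each generic-KASAN shadow byte describes one 8-byte granule of memory: 00 means fully addressable, 01..07 means only that many leading bytes are addressable, fc is a kmalloc redzone and fb a freed slab object. Reading the marked row that way shows the object at ffff8880a4cda780 has only 16 addressable bytes before the redzone begins, so the 4-byte read at offset 16 lands exactly one granule past the end of the live allocation made in tipc_nameseq_create, even though the object sits in the kmalloc-32 cache. The parser below, an added example that is neither syzkaller's nor the kernel's code, extracts the bug class, faulting function, access, allocation stack and shadow bytes from an excerpt of the log above (copied from the report, timestamps included) and derives those numbers rather than trusting the prose lines; the shadow byte values are the generic-KASAN constants for 4.x/5.x x86-64 kernels.

```python
"""Added example: parse a KASAN slab-out-of-bounds report and decode its shadow bytes.
Not syzkaller's or the kernel's code; the excerpt is copied from the log above."""
import re

# Excerpt of the report on this page: just the lines the parser needs.
KASAN_REPORT = """\
[ 28.583256] BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0
[ 28.591381] Read of size 4 at addr ffff8880a4cda790 by task syz-executor045/7980
[ 28.874510] Allocated by task 1:
[ 28.877866] kasan_kmalloc+0xeb/0x160
[ 28.883125] __kmalloc+0x15a/0x400
[ 28.886651] tipc_nameseq_create+0x53/0x290
[ 28.890946] tipc_nametbl_insert_publ+0xb37/0x14e0
[ 28.947352] Freed by task 0:
[ 28.950354] (stack is not available)
[ 28.955727] The buggy address belongs to the object at ffff8880a4cda780
[ 28.955727] which belongs to the cache kmalloc-32 of size 32
[ 29.021393] Memory state around the buggy address:
[ 29.033648] ffff8880a4cda700: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 29.041006] >ffff8880a4cda780: 00 00 fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
[ 29.048366]                          ^
[ 29.052238] ffff8880a4cda800: fb fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
GRANULE = 8  # bytes of memory described by one generic-KASAN shadow byte

def shadow_meaning(b):
    """Meaning of a generic KASAN shadow byte (constants from 4.x/5.x x86-64 kernels)."""
    if b == 0x00:
        return "addressable"
    if 1 <= b <= 7:
        return f"partially addressable: only the first {b} bytes of the granule"
    return {0xfa: "global redzone", 0xfb: "freed slab object",
            0xfc: "kmalloc redzone (slab out-of-bounds)", 0xfe: "page redzone",
            0xff: "freed page"}.get(b, f"other marker 0x{b:02x}")

def parse_kasan_report(text):
    """Pull the facts an analyst triages first out of a KASAN report."""
    r = {"alloc_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        ln = TIMESTAMP.sub("", raw).rstrip()
        m = re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", ln)
        if m:
            r["bug"], r["func"] = m.group(1), m.group(2)
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", ln)
        if m:
            r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
            r["addr"], r["task"], r["pid"] = int(m.group(3), 16), m.group(4), int(m.group(5))
            continue
        m = re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln)
        if m:
            r["obj_base"] = int(m.group(1), 16)
            continue
        m = re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", ln)
        if m:
            r["cache"], r["cache_size"] = m.group(1), int(m.group(2))
            continue
        if ln.startswith(("Allocated by task", "Freed by task", "Memory state")):
            section = ln.split()[0]  # "Allocated", "Freed" or "Memory"
            continue
        if section == "Allocated":
            m = re.match(r"\s*(\w+)\+0x", ln)
            if m:
                r["alloc_stack"].append(m.group(1))
        elif section == "Memory":
            # Each row is keyed by the memory address its first shadow byte covers.
            m = re.match(r"[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", ln)
            if m:
                base = int(m.group(1), 16)
                for i, byte in enumerate(m.group(2).split()):
                    r["shadow"][base + i * GRANULE] = int(byte, 16)
    if "addr" in r and "obj_base" in r:
        r["offset"] = r["addr"] - r["obj_base"]
    return r

def shadow_byte_for(shadow, addr):
    """Shadow byte of the granule containing addr (None if outside the dump)."""
    return shadow.get(addr & ~(GRANULE - 1))

def usable_size(shadow, obj_base):
    """Bytes the allocator actually handed out, read off the shadow from obj_base."""
    size, granule = 0, obj_base
    while True:
        b = shadow.get(granule)
        if b is None or b >= 0x08:   # redzone/free marker, or end of the dump
            return size
        if 1 <= b <= 7:              # a partial granule ends the object
            return size + b
        size, granule = size + GRANULE, granule + GRANULE

if __name__ == "__main__":
    r = parse_kasan_report(KASAN_REPORT)
    b = shadow_byte_for(r["shadow"], r["addr"])
    print(f"{r['bug']}: {r['access']} of {r['size']} bytes in {r['func']} "
          f"at offset {r['offset']} of a {r['cache']} object")
    print("allocated by:", " <- ".join(r["alloc_stack"]))
    print(f"shadow 0x{b:02x} = {shadow_meaning(b)}; "
          f"object really holds {usable_size(r['shadow'], r['obj_base'])} bytes")
```

The same usable_size walk applied to the neighbouring object at ffff8880a4cda7c0 (shadow 00 01) yields 9 bytes, which is how a partial granule reads; comparing usable size against the cache size is a quick way to tell a one-element overrun from a wild pointer when the prose lines only say "16 bytes inside of a 32-byte region".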