[ 43.966038] ? trace_hardirqs_on+0xd/0x10
[ 43.970154] default_idle+0xbf/0x460
[ 43.973836] ? __sched_text_end+0x4/0x4
[ 43.977780] arch_cpu_idle+0xa/0x10
[ 43.981372] default_idle_call+0x36/0x90
[ 43.985399] do_idle+0x24e/0x3b0
[ 43.988730] ? complete+0x62/0x80
[ 43.992151] cpu_startup_entry+0x18/0x20
[ 43.996179] start_secondary+0x2ea/0x3f0
[ 44.000206] secondary_startup_64+0xa5/0xa5
Warning: Permanently added 'ci-upstream-net-kasan-gce-9,10.128.15.193' (ECDSA) to the list of known hosts.
executing program
[ 50.222714] ==================================================================
[ 50.230103] BUG: KASAN: use-after-free in tipc_group_self+0x1a2/0x1b0
[ 50.236651] Read of size 4 at addr ffff8801d8ab9d6c by task syzkaller125265/2986
[ 50.244149]
[ 50.245751] CPU: 1 PID: 2986 Comm: syzkaller125265 Not tainted 4.14.0-rc5+ #90
[ 50.253076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.262398] Call Trace:
[ 50.264960] dump_stack+0x194/0x257
[ 50.268558] ? arch_local_irq_restore+0x53/0x53
[ 50.273197] ? show_regs_print_info+0x65/0x65
[ 50.277668] ? tipc_group_self+0x1a2/0x1b0
[ 50.281872] print_address_description+0x73/0x250
[ 50.286683] ? tipc_group_self+0x1a2/0x1b0
[ 50.290884] kasan_report+0x25b/0x340
[ 50.294658] __asan_report_load4_noabort+0x14/0x20
[ 50.299554] tipc_group_self+0x1a2/0x1b0
[ 50.303584] tipc_sk_leave+0xfc/0x200
[ 50.307361] ? tipc_sk_withdraw+0x6b0/0x6b0
[ 50.311655] ? lock_sock_nested+0x44/0x110
[ 50.315859] ? lock_sock_nested+0x91/0x110
[ 50.320064] ? trace_hardirqs_on+0xd/0x10
[ 50.324177] ? __local_bh_enable_ip+0x9d/0x160
[ 50.328729] tipc_release+0x154/0xfe0
[ 50.332501] ? kernel_text_address+0x102/0x140
[ 50.337051] ? tipc_sk_backlog_rcv+0x370/0x370
[ 50.341600] ? __kernel_text_address+0xd/0x40
[ 50.346063] ? unwind_get_return_address+0x61/0xa0
[ 50.350970] ? __save_stack_trace+0x7e/0xd0
[ 50.355261] ? depot_save_stack+0x12c/0x490
[ 50.359554] ? free_fs_struct+0x4f/0x60
[ 50.363496] ? locks_remove_file+0x3fa/0x5a0
[ 50.367871] ? fcntl_setlk+0x10c0/0x10c0
[ 50.371902] ? kmem_cache_free+0x77/0x280
[ 50.376015] ? exit_fs+0xe1/0x120
[ 50.379435] ? do_exit+0x996/0x1ad0
[ 50.383027] ? __fsnotify_parent+0xb4/0x3a0
[ 50.387316] ? fsnotify+0x1af0/0x1af0
[ 50.391088] sock_release+0x8d/0x1e0
[ 50.394770] ? sock_release+0x1e0/0x1e0
[ 50.398713] sock_close+0x16/0x20
[ 50.402133] __fput+0x327/0x7e0
[ 50.405381] ? fput+0x140/0x140
[ 50.408632] ? do_raw_spin_trylock+0x190/0x190
[ 50.413182] ____fput+0x15/0x20
[ 50.416430] task_work_run+0x199/0x270
[ 50.420284] ? task_work_cancel+0x210/0x210
[ 50.424573] ? _raw_spin_unlock+0x22/0x30
[ 50.428690] ? switch_task_namespaces+0x87/0xc0
[ 50.433331] do_exit+0x9b5/0x1ad0
[ 50.436758] ? tipc_accept_from_sock+0x551/0x580
[ 50.441478] ? mm_update_next_owner+0x930/0x930
[ 50.446111] ? tipc_accept_from_sock+0x580/0x580
[ 50.450837] ? trace_hardirqs_off+0xd/0x10
[ 50.455040] ? release_sock+0x1d4/0x2a0
[ 50.458979] ? lock_downgrade+0x990/0x990
[ 50.463093] ? lock_downgrade+0x990/0x990
[ 50.467212] ? do_raw_spin_trylock+0x190/0x190
[ 50.471768] ? tipc_group_delete+0x2c0/0x3c0
[ 50.476143] ? lock_release+0x9e0/0xa40
[ 50.480084] ? trace_hardirqs_on+0xd/0x10
[ 50.484200] ? __local_bh_enable_ip+0x9d/0x160
[ 50.488751] ? release_sock+0x1d4/0x2a0
[ 50.492696] ? tipc_nametbl_build_group+0x27a/0x370
[ 50.497682] ? tipc_setsockopt+0x703/0xc00
[ 50.501883] ? tipc_sk_leave+0x200/0x200
[ 50.505919] ? security_socket_setsockopt+0x89/0xb0
[ 50.510906] ? SyS_setsockopt+0x215/0x360
[ 50.515021] do_group_exit+0x149/0x400
[ 50.518873] ? SyS_recv+0x40/0x40
[ 50.522293] ? SyS_exit+0x30/0x30
[ 50.525713] ? find_mergeable_anon_vma+0xd0/0xd0
[ 50.530443] ? SyS_read+0x220/0x220
[ 50.534038] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 50.538771] SyS_exit_group+0x1d/0x20
[ 50.542540] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 50.547260] RIP: 0033:0x43e978
[ 50.550415] RSP: 002b:00007ffeaf4d3468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 50.558089] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 50.565324] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 50.572559] RBP: 00000000000014b1 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 50.579795] R10: 0000000020000fe4 R11: 0000000000000246 R12: 00000000006ca858
[ 50.587031] R13: 00000000006ca858 R14: 0000000000000000 R15: 0000000000002710
[ 50.594282]
[ 50.595877] Allocated by task 2986:
[ 50.599476] save_stack_trace+0x16/0x20
[ 50.603417] save_stack+0x43/0xd0
[ 50.606836] kasan_kmalloc+0xad/0xe0
[ 50.610514] kmem_cache_alloc_trace+0x136/0x750
[ 50.615152] tipc_group_create+0x116/0x9c0
[ 50.619352] tipc_setsockopt+0x25e/0xc00
[ 50.623380] SyS_setsockopt+0x189/0x360
[ 50.627322] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 50.632039]
[ 50.633632] Freed by task 2986:
[ 50.636879] save_stack_trace+0x16/0x20
[ 50.640819] save_stack+0x43/0xd0
[ 50.644237] kasan_slab_free+0x71/0xc0
[ 50.648088] kfree+0xca/0x250
[ 50.651161] tipc_group_delete+0x2c0/0x3c0
[ 50.655358] tipc_setsockopt+0xb33/0xc00
[ 50.659385] SyS_setsockopt+0x189/0x360
[ 50.663326] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 50.668046]
[ 50.669640] The buggy address belongs to the object at ffff8801d8ab9d00
[ 50.669640] which belongs to the cache kmalloc-192 of size 192
[ 50.682264] The buggy address is located 108 bytes inside of
[ 50.682264] 192-byte region [ffff8801d8ab9d00, ffff8801d8ab9dc0)
[ 50.694100] The buggy address belongs to the page:
[ 50.699001] page:ffffea000762ae40 count:1 mapcount:0 mapping:ffff8801d8ab9000 index:0xffff8801d8ab9f00
[ 50.708412] flags: 0x200000000000100(slab)
[ 50.712617] raw: 0200000000000100 ffff8801d8ab9000 ffff8801d8ab9f00 000000010000000d
[ 50.720463] raw: ffff8801dac01138 ffffea0007610ce0 ffff8801dac00040 0000000000000000
[ 50.728307] page dumped because: kasan: bad access detected
[ 50.733983]
[ 50.735577] Memory state around the buggy address:
[ 50.740472] ffff8801d8ab9c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.747796] ffff8801d8ab9c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 50.755120] >ffff8801d8ab9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.762445] ^
[ 50.769163] ffff8801d8ab9d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 50.776486] ffff8801d8ab9e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.783811] ==================================================================
[ 50.791203] Kernel panic - not syncing: panic_on_warn set ...
[ 50.791203]
[ 50.798538] CPU: 1 PID: 2986 Comm: syzkaller125265 Tainted: G B 4.14.0-rc5+ #90
[ 50.807085] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.816409] Call Trace:
[ 50.818972] dump_stack+0x194/0x257
[ 50.822567] ? arch_local_irq_restore+0x53/0x53
[ 50.827202] ? kasan_end_report+0x32/0x50
[ 50.831323] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 50.836046] ? tipc_group_self+0xd0/0x1b0
[ 50.840164] panic+0x1e4/0x417
[ 50.843323] ? __warn+0x1d9/0x1d9
[ 50.846747] ? tipc_group_self+0x1a2/0x1b0
[ 50.850946] kasan_end_report+0x50/0x50
[ 50.854885] kasan_report+0x144/0x340
[ 50.858652] __asan_report_load4_noabort+0x14/0x20
[ 50.863542] tipc_group_self+0x1a2/0x1b0
[ 50.867571] tipc_sk_leave+0xfc/0x200
[ 50.871339] ? tipc_sk_withdraw+0x6b0/0x6b0
[ 50.875628] ? lock_sock_nested+0x44/0x110
[ 50.879826] ? lock_sock_nested+0x91/0x110
[ 50.884027] ? trace_hardirqs_on+0xd/0x10
[ 50.888140] ? __local_bh_enable_ip+0x9d/0x160
[ 50.892698] tipc_release+0x154/0xfe0
[ 50.896469] ? kernel_text_address+0x102/0x140
[ 50.901017] ? tipc_sk_backlog_rcv+0x370/0x370
[ 50.905562] ? __kernel_text_address+0xd/0x40
[ 50.910025] ? unwind_get_return_address+0x61/0xa0
[ 50.914922] ? __save_stack_trace+0x7e/0xd0
[ 50.919212] ? depot_save_stack+0x12c/0x490
[ 50.923504] ? free_fs_struct+0x4f/0x60
[ 50.927444] ? locks_remove_file+0x3fa/0x5a0
[ 50.931819] ? fcntl_setlk+0x10c0/0x10c0
[ 50.935845] ? kmem_cache_free+0x77/0x280
[ 50.939959] ? exit_fs+0xe1/0x120
[ 50.943376] ? do_exit+0x996/0x1ad0
[ 50.946971] ? __fsnotify_parent+0xb4/0x3a0
[ 50.951259] ? fsnotify+0x1af0/0x1af0
[ 50.955030] sock_release+0x8d/0x1e0
[ 50.958710] ? sock_release+0x1e0/0x1e0
[ 50.962648] sock_close+0x16/0x20
[ 50.966068] __fput+0x327/0x7e0
[ 50.969316] ? fput+0x140/0x140
[ 50.972565] ? do_raw_spin_trylock+0x190/0x190
[ 50.977114] ____fput+0x15/0x20
[ 50.980360] task_work_run+0x199/0x270
[ 50.984213] ? task_work_cancel+0x210/0x210
[ 50.988502] ? _raw_spin_unlock+0x22/0x30
[ 50.992617] ? switch_task_namespaces+0x87/0xc0
[ 50.997253] do_exit+0x9b5/0x1ad0
[ 51.000676] ? tipc_accept_from_sock+0x551/0x580
[ 51.005397] ? mm_update_next_owner+0x930/0x930
[ 51.010033] ? tipc_accept_from_sock+0x580/0x580
[ 51.014759] ? trace_hardirqs_off+0xd/0x10
[ 51.018961] ? release_sock+0x1d4/0x2a0
[ 51.022902] ? lock_downgrade+0x990/0x990
[ 51.027015] ? lock_downgrade+0x990/0x990
[ 51.031130] ? do_raw_spin_trylock+0x190/0x190
[ 51.035682] ? tipc_group_delete+0x2c0/0x3c0
[ 51.040058] ? lock_release+0x9e0/0xa40
[ 51.044000] ? trace_hardirqs_on+0xd/0x10
[ 51.048114] ? __local_bh_enable_ip+0x9d/0x160
[ 51.052665] ? release_sock+0x1d4/0x2a0
[ 51.056608] ? tipc_nametbl_build_group+0x27a/0x370
[ 51.061591] ? tipc_setsockopt+0x703/0xc00
[ 51.065793] ? tipc_sk_leave+0x200/0x200
[ 51.069828] ? security_socket_setsockopt+0x89/0xb0
[ 51.074829] ? SyS_setsockopt+0x215/0x360
[ 51.078968] do_group_exit+0x149/0x400
[ 51.082837] ? SyS_recv+0x40/0x40
[ 51.086258] ? SyS_exit+0x30/0x30
[ 51.089680] ? find_mergeable_anon_vma+0xd0/0xd0
[ 51.094400] ? SyS_read+0x220/0x220
[ 51.097996] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 51.102737] SyS_exit_group+0x1d/0x20
[ 51.106509] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 51.111229] RIP: 0033:0x43e978
[ 51.114385] RSP: 002b:00007ffeaf4d3468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 51.122057] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043e978
[ 51.129294] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 51.136538] RBP: 00000000000014b1 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 51.143773] R10: 0000000020000fe4 R11: 0000000000000246 R12: 00000000006ca858
[ 51.151009] R13: 00000000006ca858 R14: 0000000000000000 R15: 0000000000002710
[ 51.158304] Dumping ftrace buffer:
[ 51.161813] (ftrace buffer empty)
[ 51.165495] Kernel Offset: disabled
[ 51.169089] Rebooting in 86400 seconds..