INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.335396] ==================================================================
[ 29.342854] BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0
[ 29.350030] Write of size 20 at addr ffff8801ac427810 by task syzkaller981338/4466
[ 29.357715]
[ 29.359323] CPU: 1 PID: 4466 Comm: syzkaller981338 Not tainted 4.16.0+ #2
[ 29.366223] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.375557] Call Trace:
[ 29.378129] dump_stack+0x1b9/0x29f
[ 29.381736] ? arch_local_irq_restore+0x52/0x52
[ 29.386384] ? printk+0x9e/0xba
[ 29.389643] ? show_regs_print_info+0x18/0x18
[ 29.394121] ? kasan_check_write+0x14/0x20
[ 29.398337] print_address_description+0x6c/0x20b
[ 29.403159] ? __ip_tunnel_create+0xca/0x6b0
[ 29.407550] kasan_report.cold.7+0xac/0x2f5
[ 29.411853] check_memory_region+0x13e/0x1b0
[ 29.416238] memcpy+0x37/0x50
[ 29.419322] __ip_tunnel_create+0xca/0x6b0
[ 29.423543] ? ip_tunnel_encap_del_ops+0x70/0x70
[ 29.428283] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.433799] ? ns_capable_common+0x13f/0x170
[ 29.438189] ip_tunnel_ioctl+0x818/0xd40
[ 29.442232] ? ip_tunnel_newlink+0x9f0/0x9f0
[ 29.446620] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.452135] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.457305] ipip_tunnel_ioctl+0x1c5/0x420
[ 29.461520] ? ipip_tunnel_setup+0x1d0/0x1d0
[ 29.465910] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.471425] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.476592] ? ipip_tunnel_setup+0x1d0/0x1d0
[ 29.480980] dev_ifsioc+0x43e/0xb90
[ 29.484585] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.489756] ? register_gifconf+0x70/0x70
[ 29.493894] dev_ioctl+0x69a/0xcc0
[ 29.497415] sock_ioctl+0x47e/0x680
[ 29.501029] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.506208] ? dlci_ioctl_set+0x40/0x40
[ 29.510169] ? get_unused_fd_flags+0x190/0x190
[ 29.514740] ? dlci_ioctl_set+0x40/0x40
[ 29.518693] do_vfs_ioctl+0x1cf/0x1650
[ 29.522561] ? ioctl_preallocate+0x2e0/0x2e0
[ 29.526949] ? fget_raw+0x20/0x20
[ 29.530381] ? get_unused_fd_flags+0x121/0x190
[ 29.534940] ? __alloc_fd+0x6e0/0x6e0
[ 29.538722] ? fd_install+0x4d/0x60
[ 29.542330] ? __sys_socket+0x19f/0x250
[ 29.546291] ? security_file_ioctl+0x9b/0xd0
[ 29.550681] ksys_ioctl+0xa9/0xd0
[ 29.554118] SyS_ioctl+0x24/0x30
[ 29.557468] ? ksys_ioctl+0xd0/0xd0
[ 29.561075] do_syscall_64+0x29e/0x9d0
[ 29.564940] ? vmalloc_sync_all+0x30/0x30
[ 29.569073] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.573810] ? syscall_return_slowpath+0x5c0/0x5c0
[ 29.578791] ? syscall_return_slowpath+0x30f/0x5c0
[ 29.583705] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.589063] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.593891] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.599059] RIP: 0033:0x43fe19
[ 29.602224] RSP: 002b:00007ffe0f9231d8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 29.609931] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe19
[ 29.617179] RDX: 0000000020000240 RSI: 00000000000089f1 RDI: 0000000000000003
[ 29.624433] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[ 29.631684] R10: 000000000000001c R11: 0000000000000213 R12: 0000000000401740
[ 29.638933] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[ 29.646185]
[ 29.647789] The buggy address belongs to the page:
[ 29.652697] page:ffffea0006b109c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 29.660832] flags: 0x2fffc0000000000()
[ 29.664701] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 29.672560] raw: 0000000000000000 ffffea0006b10101 0000000000000000 0000000000000000
[ 29.680414] page dumped because: kasan: bad access detected
[ 29.686099]
[ 29.687704] Memory state around the buggy address:
[ 29.692611] ffff8801ac427700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.699946] ffff8801ac427780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 29.707284] >ffff8801ac427800: f1 f1 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00
[ 29.714616] ^
[ 29.719002] ffff8801ac427880: 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f3 f3 f3
[ 29.726345] ffff8801ac427900: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 29.733680] ==================================================================
[ 29.741017] Disabling lock debugging due to kernel taint
[ 29.746533] Kernel panic - not syncing: panic_on_warn set ...
[ 29.746533]
[ 29.753891] CPU: 1 PID: 4466 Comm: syzkaller981338 Tainted: G B 4.16.0+ #2
[ 29.762093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.771421] Call Trace:
[ 29.773989] dump_stack+0x1b9/0x29f
[ 29.777596] ? arch_local_irq_restore+0x52/0x52
[ 29.782243] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.786976] ? __ip_tunnel_create+0x90/0x6b0
[ 29.791365] panic+0x22f/0x4de
[ 29.794533] ? add_taint.cold.5+0x16/0x16
[ 29.798659] ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.803055] ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.807444] ? __ip_tunnel_create+0xca/0x6b0
[ 29.811829] kasan_end_report+0x47/0x4f
[ 29.815779] kasan_report.cold.7+0xc9/0x2f5
[ 29.820079] check_memory_region+0x13e/0x1b0
[ 29.824462] memcpy+0x37/0x50
[ 29.827543] __ip_tunnel_create+0xca/0x6b0
[ 29.831756] ? ip_tunnel_encap_del_ops+0x70/0x70
[ 29.836491] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.842006] ? ns_capable_common+0x13f/0x170
[ 29.846400] ip_tunnel_ioctl+0x818/0xd40
[ 29.850439] ? ip_tunnel_newlink+0x9f0/0x9f0
[ 29.854824] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.860338] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.865505] ipip_tunnel_ioctl+0x1c5/0x420
[ 29.869715] ? ipip_tunnel_setup+0x1d0/0x1d0
[ 29.874101] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.879613] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.884778] ? ipip_tunnel_setup+0x1d0/0x1d0
[ 29.889165] dev_ifsioc+0x43e/0xb90
[ 29.892774] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.897943] ? register_gifconf+0x70/0x70
[ 29.902070] dev_ioctl+0x69a/0xcc0
[ 29.905589] sock_ioctl+0x47e/0x680
[ 29.909194] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.914361] ? dlci_ioctl_set+0x40/0x40
[ 29.918318] ? get_unused_fd_flags+0x190/0x190
[ 29.922876] ? dlci_ioctl_set+0x40/0x40
[ 29.926828] do_vfs_ioctl+0x1cf/0x1650
[ 29.930694] ? ioctl_preallocate+0x2e0/0x2e0
[ 29.935079] ? fget_raw+0x20/0x20
[ 29.938507] ? get_unused_fd_flags+0x121/0x190
[ 29.943066] ? __alloc_fd+0x6e0/0x6e0
[ 29.946845] ? fd_install+0x4d/0x60
[ 29.950452] ? __sys_socket+0x19f/0x250
[ 29.954404] ? security_file_ioctl+0x9b/0xd0
[ 29.958789] ksys_ioctl+0xa9/0xd0
[ 29.962220] SyS_ioctl+0x24/0x30
[ 29.965562] ? ksys_ioctl+0xd0/0xd0
[ 29.969169] do_syscall_64+0x29e/0x9d0
[ 29.973037] ? vmalloc_sync_all+0x30/0x30
[ 29.977162] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.981894] ? syscall_return_slowpath+0x5c0/0x5c0
[ 29.986799] ? syscall_return_slowpath+0x30f/0x5c0
[ 29.991712] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 29.997055] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.001875] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.007047] RIP: 0033:0x43fe19
[ 30.010212] RSP: 002b:00007ffe0f9231d8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 30.017895] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe19
[ 30.025141] RDX: 0000000020000240 RSI: 00000000000089f1 RDI: 0000000000000003
[ 30.032387] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[ 30.039631] R10: 000000000000001c R11: 0000000000000213 R12: 0000000000401740
[ 30.046883] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[ 30.054665] Dumping ftrace buffer:
[ 30.058181] (ftrace buffer empty)
[ 30.061864] Kernel Offset: disabled
[ 30.065470] Rebooting in 86400 seconds..