INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   30.111697] ==================================================================
[   30.119144] BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0
[   30.126309] Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482
[   30.133985]
[   30.135596] CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1
[   30.142494] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.151824] Call Trace:
[   30.154394]  dump_stack+0x1b9/0x29f
[   30.158001]  ? arch_local_irq_restore+0x52/0x52
[   30.162656]  ? printk+0x9e/0xba
[   30.165913]  ? show_regs_print_info+0x18/0x18
[   30.170389]  ? kasan_check_write+0x14/0x20
[   30.174606]  print_address_description+0x6c/0x20b
[   30.179427]  ? __ip_tunnel_create+0xca/0x6b0
[   30.183815]  kasan_report.cold.7+0xac/0x2f5
[   30.188117]  check_memory_region+0x13e/0x1b0
[   30.192505]  memcpy+0x37/0x50
[   30.195593]  __ip_tunnel_create+0xca/0x6b0
[   30.199808]  ? ip_tunnel_encap_del_ops+0x70/0x70
[   30.204545]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.210071]  ? ns_capable_common+0x13f/0x170
[   30.214462]  ip_tunnel_ioctl+0x818/0xd40
[   30.218504]  ? ip_tunnel_newlink+0x9f0/0x9f0
[   30.222895]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.228408]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.233588]  ipip_tunnel_ioctl+0x1c5/0x420
[   30.237809]  ? ipip_tunnel_setup+0x1d0/0x1d0
[   30.242210]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.247723]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.252889]  ? ipip_tunnel_setup+0x1d0/0x1d0
[   30.257281]  dev_ifsioc+0x43e/0xb90
[   30.260891]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.266057]  ? register_gifconf+0x70/0x70
[   30.270186]  dev_ioctl+0x69a/0xcc0
[   30.273710]  sock_ioctl+0x47e/0x680
[   30.277316]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.282486]  ? dlci_ioctl_set+0x40/0x40
[   30.286443]  ? get_unused_fd_flags+0x190/0x190
[   30.291002]  ? dlci_ioctl_set+0x40/0x40
[   30.294965]  do_vfs_ioctl+0x1cf/0x1650
[   30.298833]  ? ioctl_preallocate+0x2e0/0x2e0
[   30.303228]  ? fget_raw+0x20/0x20
[   30.306664]  ? get_unused_fd_flags+0x121/0x190
[   30.311225]  ? __alloc_fd+0x6e0/0x6e0
[   30.315008]  ? fd_install+0x4d/0x60
[   30.318625]  ? __sys_socket+0x19f/0x250
[   30.322583]  ? security_file_ioctl+0x9b/0xd0
[   30.326968]  ksys_ioctl+0xa9/0xd0
[   30.330401]  SyS_ioctl+0x24/0x30
[   30.333742]  ? ksys_ioctl+0xd0/0xd0
[   30.337347]  do_syscall_64+0x29e/0x9d0
[   30.341217]  ? vmalloc_sync_all+0x30/0x30
[   30.345341]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.350075]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.354981]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.359891]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   30.365233]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.370058]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.375224] RIP: 0033:0x43fe19
[   30.378395] RSP: 002b:00007fff4cb6fc88 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   30.386084] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe19
[   30.393329] RDX: 0000000020000200 RSI: 00000000000089f1 RDI: 0000000000000003
[   30.400574] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[   30.407820] R10: 000000000000001c R11: 0000000000000213 R12: 0000000000401740
[   30.415162] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[   30.422413]
[   30.424020] The buggy address belongs to the page:
[   30.428937] page:ffffea0006b1e7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   30.437055] flags: 0x2fffc0000000000()
[   30.440923] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   30.448781] raw: 0000000000000000 ffffea0006b10101 0000000000000000 0000000000000000
[   30.456633] page dumped because: kasan: bad access detected
[   30.462315]
[   30.463916] Memory state around the buggy address:
[   30.468821]  ffff8801ac79f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.476155]  ffff8801ac79f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[   30.483489] >ffff8801ac79f800: f1 f1 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00
[   30.490821]                          ^
[   30.495206]  ffff8801ac79f880: 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f3 f3 f3
[   30.502540]  ffff8801ac79f900: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[   30.509872] ==================================================================
[   30.517202] Disabling lock debugging due to kernel taint
[   30.522683] Kernel panic - not syncing: panic_on_warn set ...
[   30.522683]
[   30.530059] CPU: 0 PID: 4482 Comm: syzkaller268107 Tainted: G    B 4.16.0+ #1
[   30.538260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.547588] Call Trace:
[   30.550158]  dump_stack+0x1b9/0x29f
[   30.553768]  ? arch_local_irq_restore+0x52/0x52
[   30.558415]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.563148]  ? __ip_tunnel_create+0x30/0x6b0
[   30.567532]  panic+0x22f/0x4de
[   30.570701]  ? add_taint.cold.5+0x16/0x16
[   30.574825]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.579209]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.583606]  ? __ip_tunnel_create+0xca/0x6b0
[   30.588001]  kasan_end_report+0x47/0x4f
[   30.591961]  kasan_report.cold.7+0xc9/0x2f5
[   30.596263]  check_memory_region+0x13e/0x1b0
[   30.600647]  memcpy+0x37/0x50
[   30.603734]  __ip_tunnel_create+0xca/0x6b0
[   30.607950]  ? ip_tunnel_encap_del_ops+0x70/0x70
[   30.612688]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.618206]  ? ns_capable_common+0x13f/0x170
[   30.622658]  ip_tunnel_ioctl+0x818/0xd40
[   30.626696]  ? ip_tunnel_newlink+0x9f0/0x9f0
[   30.631083]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.636596]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.641762]  ipip_tunnel_ioctl+0x1c5/0x420
[   30.645973]  ? ipip_tunnel_setup+0x1d0/0x1d0
[   30.650359]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.655870]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.661041]  ? ipip_tunnel_setup+0x1d0/0x1d0
[   30.665428]  dev_ifsioc+0x43e/0xb90
[   30.669038]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.674211]  ? register_gifconf+0x70/0x70
[   30.678335]  dev_ioctl+0x69a/0xcc0
[   30.681854]  sock_ioctl+0x47e/0x680
[   30.685460]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.690626]  ? dlci_ioctl_set+0x40/0x40
[   30.694579]  ? get_unused_fd_flags+0x190/0x190
[   30.699136]  ? dlci_ioctl_set+0x40/0x40
[   30.703085]  do_vfs_ioctl+0x1cf/0x1650
[   30.706948]  ? ioctl_preallocate+0x2e0/0x2e0
[   30.711330]  ? fget_raw+0x20/0x20
[   30.714759]  ? get_unused_fd_flags+0x121/0x190
[   30.719317]  ? __alloc_fd+0x6e0/0x6e0
[   30.723093]  ? fd_install+0x4d/0x60
[   30.726694]  ? __sys_socket+0x19f/0x250
[   30.730646]  ? security_file_ioctl+0x9b/0xd0
[   30.735037]  ksys_ioctl+0xa9/0xd0
[   30.738467]  SyS_ioctl+0x24/0x30
[   30.741809]  ? ksys_ioctl+0xd0/0xd0
[   30.745412]  do_syscall_64+0x29e/0x9d0
[   30.749276]  ? vmalloc_sync_all+0x30/0x30
[   30.753402]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.758134]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.763041]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.767954]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   30.773301]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.778121]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.783287] RIP: 0033:0x43fe19
[   30.786458] RSP: 002b:00007fff4cb6fc88 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   30.794142] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe19
[   30.801388] RDX: 0000000020000200 RSI: 00000000000089f1 RDI: 0000000000000003
[   30.808633] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[   30.815879] R10: 000000000000001c R11: 0000000000000213 R12: 0000000000401740
[   30.823125] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[   30.830830] Dumping ftrace buffer:
[   30.834344]    (ftrace buffer empty)
[   30.838050] Kernel Offset: disabled
[   30.841652] Rebooting in 86400 seconds..