Warning: Permanently added '10.128.1.38' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   64.492065][ T8436] ==================================================================
[   64.500297][ T8436] BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0
[   64.507841][ T8436] Write of size 4 at addr ffff88802117d258 by task syz-executor205/8436
[   64.516144][ T8436]
[   64.518447][ T8436] CPU: 1 PID: 8436 Comm: syz-executor205 Tainted: G        W         5.14.0-rc1-syzkaller #0
[   64.528582][ T8436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.538615][ T8436] Call Trace:
[   64.541895][ T8436]  dump_stack_lvl+0xcd/0x134
[   64.546474][ T8436]  print_address_description.constprop.0.cold+0x6c/0x309
[   64.553490][ T8436]  ? sctp_auth_shkey_hold+0x22/0xa0
[   64.558674][ T8436]  ? sctp_auth_shkey_hold+0x22/0xa0
[   64.563901][ T8436]  kasan_report.cold+0x83/0xdf
[   64.568779][ T8436]  ? sctp_auth_shkey_hold+0x22/0xa0
[   64.573961][ T8436]  kasan_check_range+0x13d/0x180
[   64.578937][ T8436]  sctp_auth_shkey_hold+0x22/0xa0
[   64.583940][ T8436]  sctp_sendmsg_to_asoc+0x152e/0x2180
[   64.589302][ T8436]  ? kasan_set_track+0x1c/0x30
[   64.594051][ T8436]  ? kasan_set_free_info+0x20/0x30
[   64.599160][ T8436]  ? rcu_read_lock_sched_held+0xd/0x70
[   64.604610][ T8436]  ? lock_release+0x720/0x720
[   64.609358][ T8436]  ? sctp_set_owner_w+0x4d0/0x4d0
[   64.614371][ T8436]  ? do_raw_spin_lock+0x120/0x2b0
[   64.619563][ T8436]  ? rwlock_bug.part.0+0x90/0x90
[   64.624484][ T8436]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   64.630712][ T8436]  ? sctp_sendmsg_check_sflags+0x1b2/0x2e0
[   64.636520][ T8436]  sctp_sendmsg+0x103b/0x1d30
[   64.641186][ T8436]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[   64.647130][ T8436]  ? sctp_setsockopt+0xa880/0xa880
[   64.652230][ T8436]  ? aa_af_perm+0x230/0x230
[   64.656977][ T8436]  ? kfree+0xeb/0x650
[   64.660941][ T8436]  ? sctp_setsockopt+0x368/0xa880
[   64.665963][ T8436]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   64.672290][ T8436]  inet_sendmsg+0x99/0xe0
[   64.676612][ T8436]  ? inet_send_prepare+0x4e0/0x4e0
[   64.681712][ T8436]  sock_sendmsg+0xcf/0x120
[   64.686115][ T8436]  __sys_sendto+0x21c/0x320
[   64.690614][ T8436]  ? __ia32_sys_getpeername+0xb0/0xb0
[   64.695989][ T8436]  ? rcu_read_lock_sched_held+0xd/0x70
[   64.701541][ T8436]  ? kfree+0x226/0x650
[   64.705628][ T8436]  ? lock_acquire+0x442/0x510
[   64.710476][ T8436]  ? rcu_read_lock_sched_held+0xd/0x70
[   64.715925][ T8436]  ? lock_release+0x522/0x720
[   64.720589][ T8436]  ? __context_tracking_exit+0xb8/0xe0
[   64.726126][ T8436]  ? lock_downgrade+0x6e0/0x6e0
[   64.730962][ T8436]  ? lock_downgrade+0x6e0/0x6e0
[   64.735804][ T8436]  ? get_vtime_delta+0x26e/0x420
[   64.740734][ T8436]  __x64_sys_sendto+0xdd/0x1b0
[   64.745546][ T8436]  ? syscall_enter_from_user_mode+0x21/0x70
[   64.751432][ T8436]  do_syscall_64+0x35/0xb0
[   64.755834][ T8436]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   64.761718][ T8436] RIP: 0033:0x43efe9
[   64.765598][ T8436] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   64.785189][ T8436] RSP: 002b:00007ffdbdc702a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   64.793586][ T8436] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043efe9
[   64.801541][ T8436] RDX: 000000000000ffa0 RSI: 0000000020000140 RDI: 0000000000000003
[   64.809509][ T8436] RBP: 0000000000402fd0 R08: 0000000000000000 R09: 0000000000000000
[   64.817645][ T8436] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403060
[   64.825618][ T8436] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[   64.833605][ T8436]
[   64.835921][ T8436] Allocated by task 8436:
[   64.840229][ T8436]  kasan_save_stack+0x1b/0x40
[   64.844901][ T8436]  __kasan_kmalloc+0x9b/0xd0
[   64.849477][ T8436]  sctp_auth_shkey_create+0x85/0x1f0
[   64.854761][ T8436]  sctp_auth_asoc_copy_shkeys+0x1e8/0x350
[   64.860464][ T8436]  sctp_association_new+0x1829/0x2250
[   64.865821][ T8436]  sctp_connect_new_asoc+0x1ac/0x770
[   64.871092][ T8436]  __sctp_connect+0x3d0/0xc30
[   64.875756][ T8436]  sctp_inet_connect+0x15e/0x200
[   64.880680][ T8436]  __sys_connect_file+0x155/0x1a0
[   64.885707][ T8436]  __sys_connect+0x161/0x190
[   64.890283][ T8436]  __x64_sys_connect+0x6f/0xb0
[   64.895030][ T8436]  do_syscall_64+0x35/0xb0
[   64.899429][ T8436]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   64.905311][ T8436]
[   64.907613][ T8436] Freed by task 8436:
[   64.911573][ T8436]  kasan_save_stack+0x1b/0x40
[   64.916233][ T8436]  kasan_set_track+0x1c/0x30
[   64.920821][ T8436]  kasan_set_free_info+0x20/0x30
[   64.925754][ T8436]  __kasan_slab_free+0xfb/0x130
[   64.930607][ T8436]  slab_free_freelist_hook+0xdf/0x240
[   64.936050][ T8436]  kfree+0xeb/0x650
[   64.939840][ T8436]  sctp_auth_shkey_release+0x100/0x160
[   64.945284][ T8436]  sctp_auth_set_key+0x508/0x6d0
[   64.950206][ T8436]  sctp_setsockopt+0x4bbc/0xa880
[   64.955128][ T8436]  __sys_setsockopt+0x2db/0x610
[   64.959965][ T8436]  __x64_sys_setsockopt+0xba/0x150
[   64.965058][ T8436]  do_syscall_64+0x35/0xb0
[   64.969555][ T8436]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   64.975447][ T8436]
[   64.977755][ T8436] The buggy address belongs to the object at ffff88802117d240
[   64.977755][ T8436]  which belongs to the cache kmalloc-32 of size 32
[   64.991623][ T8436] The buggy address is located 24 bytes inside of
[   64.991623][ T8436]  32-byte region [ffff88802117d240, ffff88802117d260)
[   65.004791][ T8436] The buggy address belongs to the page:
[   65.011178][ T8436] page:ffffea0000845f40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802117d980 pfn:0x2117d
[   65.022630][ T8436] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   65.030166][ T8436] raw: 00fff00000000200 ffffea00051e2800 0000000500000005 ffff888010841500
[   65.038822][ T8436] raw: ffff88802117d980 0000000080400034 00000001ffffffff 0000000000000000
[   65.047557][ T8436] page dumped because: kasan: bad access detected
[   65.054296][ T8436] page_owner tracks the page as allocated
[   65.060175][ T8436] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9952055174, free_ts 9918160267
[   65.076043][ T8436]  get_page_from_freelist+0xa72/0x2f80
[   65.081510][ T8436]  __alloc_pages+0x1b2/0x500
[   65.086084][ T8436]  alloc_page_interleave+0x1e/0x200
[   65.091361][ T8436]  alloc_pages+0x238/0x2a0
[   65.095850][ T8436]  allocate_slab+0x32b/0x4c0
[   65.100427][ T8436]  ___slab_alloc+0x4ba/0x820
[   65.105001][ T8436]  __slab_alloc.constprop.0+0xa7/0xf0
[   65.110358][ T8436]  __kmalloc+0x312/0x330
[   65.114585][ T8436]  kobject_get_path+0xbe/0x230
[   65.119346][ T8436]  kobject_uevent_env+0x265/0x1650
[   65.124533][ T8436]  driver_register+0x2db/0x3a0
[   65.129304][ T8436]  usb_serial_register_drivers+0x5b9/0xc10
[   65.135102][ T8436]  do_one_initcall+0x103/0x650
[   65.139943][ T8436]  kernel_init_freeable+0x6b8/0x741
[   65.145214][ T8436]  kernel_init+0x1a/0x1d0
[   65.149535][ T8436]  ret_from_fork+0x1f/0x30
[   65.154114][ T8436] page last free stack trace:
[   65.158764][ T8436]  free_pcp_prepare+0x2c5/0x780
[   65.163605][ T8436]  free_unref_page+0x19/0x690
[   65.168296][ T8436]  __vunmap+0x783/0xb70
[   65.172472][ T8436]  free_work+0x58/0x70
[   65.176528][ T8436]  process_one_work+0x98d/0x1630
[   65.181456][ T8436]  worker_thread+0x658/0x11f0
[   65.187333][ T8436]  kthread+0x3e5/0x4d0
[   65.191480][ T8436]  ret_from_fork+0x1f/0x30
[   65.195989][ T8436]
[   65.198320][ T8436] Memory state around the buggy address:
[   65.203947][ T8436]  ffff88802117d100: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   65.212078][ T8436]  ffff88802117d180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   65.220233][ T8436] >ffff88802117d200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   65.228283][ T8436]                                                     ^
[   65.235220][ T8436]  ffff88802117d280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   65.243273][ T8436]  ffff88802117d300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   65.251405][ T8436] ==================================================================
[   65.266758][ T8436] Kernel panic - not syncing: panic_on_warn set ...
[   65.273365][ T8436] CPU: 1 PID: 8436 Comm: syz-executor205 Tainted: G    B   W         5.14.0-rc1-syzkaller #0
[   65.284158][ T8436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.295001][ T8436] Call Trace:
[   65.298288][ T8436]  dump_stack_lvl+0xcd/0x134
[   65.302876][ T8436]  panic+0x306/0x73d
[   65.306762][ T8436]  ? __warn_printk+0xf3/0xf3
[   65.311341][ T8436]  ? preempt_schedule_common+0x59/0xc0
[   65.316788][ T8436]  ? sctp_auth_shkey_hold+0x22/0xa0
[   65.321974][ T8436]  ? preempt_schedule_thunk+0x16/0x18
[   65.327782][ T8436]  ? trace_hardirqs_on+0x38/0x1c0
[   65.332817][ T8436]  ? trace_hardirqs_on+0x51/0x1c0
[   65.337827][ T8436]  ? sctp_auth_shkey_hold+0x22/0xa0
[   65.343108][ T8436]  ? sctp_auth_shkey_hold+0x22/0xa0
[   65.348293][ T8436]  end_report.cold+0x5a/0x5a
[   65.352875][ T8436]  kasan_report.cold+0x71/0xdf
[   65.357628][ T8436]  ? sctp_auth_shkey_hold+0x22/0xa0
[   65.362819][ T8436]  kasan_check_range+0x13d/0x180
[   65.367761][ T8436]  sctp_auth_shkey_hold+0x22/0xa0
[   65.372968][ T8436]  sctp_sendmsg_to_asoc+0x152e/0x2180
[   65.378383][ T8436]  ? kasan_set_track+0x1c/0x30
[   65.383134][ T8436]  ? kasan_set_free_info+0x20/0x30
[   65.388254][ T8436]  ? rcu_read_lock_sched_held+0xd/0x70
[   65.393705][ T8436]  ? lock_release+0x720/0x720
[   65.398471][ T8436]  ? sctp_set_owner_w+0x4d0/0x4d0
[   65.403492][ T8436]  ? do_raw_spin_lock+0x120/0x2b0
[   65.408851][ T8436]  ? rwlock_bug.part.0+0x90/0x90
[   65.413774][ T8436]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   65.420100][ T8436]  ? sctp_sendmsg_check_sflags+0x1b2/0x2e0
[   65.425995][ T8436]  sctp_sendmsg+0x103b/0x1d30
[   65.431013][ T8436]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[   65.437092][ T8436]  ? sctp_setsockopt+0xa880/0xa880
[   65.442458][ T8436]  ? aa_af_perm+0x230/0x230
[   65.446959][ T8436]  ? kfree+0xeb/0x650
[   65.450933][ T8436]  ? sctp_setsockopt+0x368/0xa880
[   65.455948][ T8436]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   65.462705][ T8436]  inet_sendmsg+0x99/0xe0
[   65.467022][ T8436]  ? inet_send_prepare+0x4e0/0x4e0
[   65.472122][ T8436]  sock_sendmsg+0xcf/0x120
[   65.476523][ T8436]  __sys_sendto+0x21c/0x320
[   65.481013][ T8436]  ? __ia32_sys_getpeername+0xb0/0xb0
[   65.486371][ T8436]  ? rcu_read_lock_sched_held+0xd/0x70
[   65.491835][ T8436]  ? kfree+0x226/0x650
[   65.495982][ T8436]  ? lock_acquire+0x442/0x510
[   65.500644][ T8436]  ? rcu_read_lock_sched_held+0xd/0x70
[   65.506177][ T8436]  ? lock_release+0x522/0x720
[   65.510851][ T8436]  ? __context_tracking_exit+0xb8/0xe0
[   65.516408][ T8436]  ? lock_downgrade+0x6e0/0x6e0
[   65.521245][ T8436]  ? lock_downgrade+0x6e0/0x6e0
[   65.526084][ T8436]  ? get_vtime_delta+0x26e/0x420
[   65.531015][ T8436]  __x64_sys_sendto+0xdd/0x1b0
[   65.535769][ T8436]  ? syscall_enter_from_user_mode+0x21/0x70
[   65.541741][ T8436]  do_syscall_64+0x35/0xb0
[   65.546152][ T8436]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   65.552127][ T8436] RIP: 0033:0x43efe9
[   65.556119][ T8436] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   65.575799][ T8436] RSP: 002b:00007ffdbdc702a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   65.584212][ T8436] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043efe9
[   65.592258][ T8436] RDX: 000000000000ffa0 RSI: 0000000020000140 RDI: 0000000000000003
[   65.600222][ T8436] RBP: 0000000000402fd0 R08: 0000000000000000 R09: 0000000000000000
[   65.608263][ T8436] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403060
[   65.616234][ T8436] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[   65.626998][ T8436] Kernel Offset: disabled
[   65.631314][ T8436] Rebooting in 86400 seconds..