[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.51' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.361715][ T6834] ==================================================================
[ 58.369946][ T6834] BUG: KASAN: slab-out-of-bounds in xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 58.378262][ T6834] Read of size 4 at addr ffff88809a3fe000 by task syz-executor597/6834
[ 58.386498][ T6834] CPU: 1 PID: 6834 Comm: syz-executor597 Not tainted 5.8.0-rc5-next-20200716-syzkaller #0
[ 58.396361][ T6834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.406396][ T6834] Call Trace:
[ 58.409669][ T6834] dump_stack+0x18f/0x20d
[ 58.413990][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 58.419510][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 58.425175][ T6834] print_address_description.constprop.0.cold+0xae/0x497
[ 58.432175][ T6834] ? xfrm6_tunnel_alloc_spi+0x1e2/0x8a0
[ 58.437700][ T6834] ? lockdep_hardirqs_off+0x66/0xa0
[ 58.442881][ T6834] ? vprintk_func+0x97/0x1a6
[ 58.447497][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 58.453036][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 58.458575][ T6834] kasan_report.cold+0x1f/0x37
[ 58.463328][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 58.468858][ T6834] xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 58.474331][ T6834] ipcomp6_init_state+0x2af/0x700
[ 58.479351][ T6834] __xfrm_init_state+0x9a6/0x14b0
[ 58.484366][ T6834] xfrm_init_state+0x1a/0x70
[ 58.488941][ T6834] pfkey_add+0x1a10/0x2b70
[ 58.493338][ T6834] ? pfkey_get+0x700/0x700
[ 58.497739][ T6834] ? kfree_skbmem+0xef/0x1b0
[ 58.502306][ T6834] ? kfree_skb+0x7d/0x100
[ 58.506612][ T6834] ? pfkey_broadcast+0x3e1/0x630
[ 58.511524][ T6834] ? pfkey_get+0x700/0x700
[ 58.515918][ T6834] pfkey_process+0x66d/0x7a0
[ 58.520490][ T6834] ? pfkey_broadcast+0x630/0x630
[ 58.525403][ T6834] ? __mutex_lock+0x626/0x10d0
[ 58.530154][ T6834] ? _copy_from_iter_full+0x247/0x890
[ 58.535504][ T6834] ? __phys_addr+0x9a/0x110
[ 58.539988][ T6834] ? __phys_addr_symbol+0x2c/0x70
[ 58.545058][ T6834] ? __check_object_size+0x171/0x3e4
[ 58.550382][ T6834] pfkey_sendmsg+0x42d/0x800
[ 58.554954][ T6834] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 58.560653][ T6834] sock_sendmsg+0xcf/0x120
[ 58.565058][ T6834] ____sys_sendmsg+0x331/0x810
[ 58.569802][ T6834] ? kernel_sendmsg+0x50/0x50
[ 58.574498][ T6834] ? do_recvmmsg+0x6d0/0x6d0
[ 58.579080][ T6834] ? __lock_acquire+0x16e3/0x56e0
[ 58.584091][ T6834] ___sys_sendmsg+0xf3/0x170
[ 58.588674][ T6834] ? sendmsg_copy_msghdr+0x160/0x160
[ 58.593954][ T6834] ? __pagevec_lru_add_fn+0x588/0x16c0
[ 58.599404][ T6834] ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 58.605555][ T6834] ? lock_acquire+0x1f1/0xad0
[ 58.610220][ T6834] ? __might_fault+0xef/0x1d0
[ 58.614881][ T6834] ? find_held_lock+0x2d/0x110
[ 58.619630][ T6834] ? __might_fault+0x11f/0x1d0
[ 58.624378][ T6834] ? lock_downgrade+0x820/0x820
[ 58.629238][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 58.634162][ T6834] __sys_sendmmsg+0x195/0x480
[ 58.638828][ T6834] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 58.643834][ T6834] ? handle_mm_fault+0xb78/0x45e0
[ 58.648845][ T6834] ? sockfd_lookup_light+0xc6/0x170
[ 58.654022][ T6834] ? __sys_sendmsg+0x10c/0x1b0
[ 58.658768][ T6834] ? __sys_sendmsg_sock+0xb0/0xb0
[ 58.663776][ T6834] ? vmacache_update+0xce/0x140
[ 58.668614][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 58.673555][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 58.678479][ T6834] __x64_sys_sendmmsg+0x99/0x100
[ 58.683394][ T6834] ? lockdep_hardirqs_on+0x6a/0xe0
[ 58.688485][ T6834] do_syscall_64+0x60/0xe0
[ 58.692879][ T6834] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.698753][ T6834] RIP: 0033:0x440409
[ 58.702624][ T6834] Code: Bad RIP value.
[ 58.706678][ T6834] RSP: 002b:00007ffea3e50018 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 58.715247][ T6834] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440409
[ 58.723199][ T6834] RDX: 0400000000000282 RSI: 0000000020000180 RDI: 0000000000000003
[ 58.731152][ T6834] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 58.739125][ T6834] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 58.747078][ T6834] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 58.755059][ T6834] Allocated by task 6731:
[ 58.759383][ T6834] kasan_save_stack+0x1b/0x40
[ 58.764040][ T6834] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.769677][ T6834] kmem_cache_alloc+0x138/0x3a0
[ 58.774752][ T6834] dup_fd+0x89/0xc90
[ 58.778638][ T6834] copy_process+0x1dd0/0x6b70
[ 58.783300][ T6834] _do_fork+0xe8/0xb10
[ 58.787348][ T6834] __do_sys_clone+0xc8/0x110
[ 58.791917][ T6834] do_syscall_64+0x60/0xe0
[ 58.796321][ T6834] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.802195][ T6834] The buggy address belongs to the object at ffff88809a3fe0c0
[ 58.802195][ T6834] which belongs to the cache files_cache of size 832
[ 58.816373][ T6834] The buggy address is located 192 bytes to the left of
[ 58.816373][ T6834] 832-byte region [ffff88809a3fe0c0, ffff88809a3fe400)
[ 58.830095][ T6834] The buggy address belongs to the page:
[ 58.835719][ T6834] page:000000007671797d refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809a3fec00 pfn:0x9a3fe
[ 58.847153][ T6834] flags: 0xfffe0000000200(slab)
[ 58.851981][ T6834] raw: 00fffe0000000200 ffffea00027a5248 ffffea0002a3b648 ffff88821bc47600
[ 58.860543][ T6834] raw: ffff88809a3fec00 ffff88809a3fe0c0 0000000100000003 0000000000000000
[ 58.869098][ T6834] page dumped because: kasan: bad access detected
[ 58.875490][ T6834] Memory state around the buggy address:
[ 58.881129][ T6834] ffff88809a3fdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.889178][ T6834] ffff88809a3fdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.897217][ T6834] >ffff88809a3fe000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.905270][ T6834] ^
[ 58.909316][ T6834] ffff88809a3fe080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 58.917373][ T6834] ffff88809a3fe100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.925406][ T6834] ==================================================================
[ 58.933439][ T6834] Disabling lock debugging due to kernel taint
[ 58.939638][ T6834] Kernel panic - not syncing: panic_on_warn set ...
[ 58.946228][ T6834] CPU: 1 PID: 6834 Comm: syz-executor597 Tainted: G B 5.8.0-rc5-next-20200716-syzkaller #0
[ 58.957517][ T6834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.967575][ T6834] Call Trace:
[ 58.970869][ T6834] dump_stack+0x18f/0x20d
[ 58.975176][ T6834] ? xfrm6_tunnel_alloc_spi+0x770/0x8a0
[ 58.980699][ T6834] panic+0x2e3/0x75c
[ 58.984569][ T6834] ? __warn_printk+0xf3/0xf3
[ 58.989135][ T6834] ? asm_common_interrupt+0x1e/0x40
[ 58.994307][ T6834] ? trace_hardirqs_on+0x55/0x220
[ 58.999306][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 59.004824][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 59.010343][ T6834] end_report+0x4d/0x53
[ 59.014590][ T6834] kasan_report.cold+0xd/0x37
[ 59.019242][ T6834] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 59.024759][ T6834] xfrm6_tunnel_alloc_spi+0x779/0x8a0
[ 59.030109][ T6834] ipcomp6_init_state+0x2af/0x700
[ 59.035166][ T6834] __xfrm_init_state+0x9a6/0x14b0
[ 59.040169][ T6834] xfrm_init_state+0x1a/0x70
[ 59.044735][ T6834] pfkey_add+0x1a10/0x2b70
[ 59.049172][ T6834] ? pfkey_get+0x700/0x700
[ 59.053562][ T6834] ? kfree_skbmem+0xef/0x1b0
[ 59.058129][ T6834] ? kfree_skb+0x7d/0x100
[ 59.062433][ T6834] ? pfkey_broadcast+0x3e1/0x630
[ 59.067345][ T6834] ? pfkey_get+0x700/0x700
[ 59.071745][ T6834] pfkey_process+0x66d/0x7a0
[ 59.076313][ T6834] ? pfkey_broadcast+0x630/0x630
[ 59.081224][ T6834] ? __mutex_lock+0x626/0x10d0
[ 59.085970][ T6834] ? _copy_from_iter_full+0x247/0x890
[ 59.091318][ T6834] ? __phys_addr+0x9a/0x110
[ 59.095897][ T6834] ? __phys_addr_symbol+0x2c/0x70
[ 59.100915][ T6834] ? __check_object_size+0x171/0x3e4
[ 59.106185][ T6834] pfkey_sendmsg+0x42d/0x800
[ 59.110777][ T6834] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 59.116734][ T6834] sock_sendmsg+0xcf/0x120
[ 59.121125][ T6834] ____sys_sendmsg+0x331/0x810
[ 59.125871][ T6834] ? kernel_sendmsg+0x50/0x50
[ 59.130523][ T6834] ? do_recvmmsg+0x6d0/0x6d0
[ 59.135091][ T6834] ? __lock_acquire+0x16e3/0x56e0
[ 59.140095][ T6834] ___sys_sendmsg+0xf3/0x170
[ 59.144664][ T6834] ? sendmsg_copy_msghdr+0x160/0x160
[ 59.149927][ T6834] ? __pagevec_lru_add_fn+0x588/0x16c0
[ 59.155360][ T6834] ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 59.161317][ T6834] ? lock_acquire+0x1f1/0xad0
[ 59.166764][ T6834] ? __might_fault+0xef/0x1d0
[ 59.171412][ T6834] ? find_held_lock+0x2d/0x110
[ 59.176148][ T6834] ? __might_fault+0x11f/0x1d0
[ 59.180884][ T6834] ? lock_downgrade+0x820/0x820
[ 59.185709][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 59.190636][ T6834] __sys_sendmmsg+0x195/0x480
[ 59.195295][ T6834] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 59.200407][ T6834] ? handle_mm_fault+0xb78/0x45e0
[ 59.205437][ T6834] ? sockfd_lookup_light+0xc6/0x170
[ 59.210627][ T6834] ? __sys_sendmsg+0x10c/0x1b0
[ 59.215364][ T6834] ? __sys_sendmsg_sock+0xb0/0xb0
[ 59.220365][ T6834] ? vmacache_update+0xce/0x140
[ 59.225192][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 59.230107][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 59.235500][ T6834] __x64_sys_sendmmsg+0x99/0x100
[ 59.240492][ T6834] ? lockdep_hardirqs_on+0x6a/0xe0
[ 59.245587][ T6834] do_syscall_64+0x60/0xe0
[ 59.249987][ T6834] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 59.255868][ T6834] RIP: 0033:0x440409
[ 59.259803][ T6834] Code: Bad RIP value.
[ 59.263859][ T6834] RSP: 002b:00007ffea3e50018 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 59.272255][ T6834] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440409
[ 59.280205][ T6834] RDX: 0400000000000282 RSI: 0000000020000180 RDI: 0000000000000003
[ 59.288862][ T6834] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 59.296817][ T6834] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[ 59.304764][ T6834] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[ 59.313949][ T6834] Kernel Offset: disabled
[ 59.318267][ T6834] Rebooting in 86400 seconds..