INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.851325] ==================================================================
[ 29.858781] BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0
[ 29.865950] Write of size 20 at addr ffff8801ad4af810 by task syzkaller369768/4480
[ 29.873631]
[ 29.875241] CPU: 0 PID: 4480 Comm: syzkaller369768 Not tainted 4.16.0+ #2
[ 29.882140] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.891466] Call Trace:
[ 29.894044]  dump_stack+0x1b9/0x29f
[ 29.897660]  ? arch_local_irq_restore+0x52/0x52
[ 29.902306]  ? printk+0x9e/0xba
[ 29.905562]  ? show_regs_print_info+0x18/0x18
[ 29.910047]  ? kasan_check_write+0x14/0x20
[ 29.914265]  print_address_description+0x6c/0x20b
[ 29.919092]  ? __ip_tunnel_create+0xca/0x6b0
[ 29.923487]  kasan_report.cold.7+0xac/0x2f5
[ 29.927789]  check_memory_region+0x13e/0x1b0
[ 29.932177]  memcpy+0x37/0x50
[ 29.935266]  __ip_tunnel_create+0xca/0x6b0
[ 29.939483]  ? ip_tunnel_encap_del_ops+0x70/0x70
[ 29.944219]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.949758]  ? ns_capable_common+0x13f/0x170
[ 29.954148]  ip_tunnel_ioctl+0x818/0xd40
[ 29.958191]  ? ip_tunnel_newlink+0x9f0/0x9f0
[ 29.962580]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.968096]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.973270]  ipip_tunnel_ioctl+0x1c5/0x420
[ 29.977485]  ? ipip_tunnel_setup+0x1d0/0x1d0
[ 29.981883]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.987397]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.992570]  ? ipip_tunnel_setup+0x1d0/0x1d0
[ 29.996957]  dev_ifsioc+0x43e/0xb90
[ 30.000570]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.005741]  ? register_gifconf+0x70/0x70
[ 30.009871]  dev_ioctl+0x69a/0xcc0
[ 30.013397]  sock_ioctl+0x47e/0x680
[ 30.017007]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.022197]  ? dlci_ioctl_set+0x40/0x40
[ 30.026163]  ? get_unused_fd_flags+0x190/0x190
[ 30.030726]  ? dlci_ioctl_set+0x40/0x40
[ 30.034681]  do_vfs_ioctl+0x1cf/0x1650
[ 30.038552]  ? ioctl_preallocate+0x2e0/0x2e0
[ 30.042941]  ? fget_raw+0x20/0x20
[ 30.046372]  ? get_unused_fd_flags+0x121/0x190
[ 30.050932]  ? __alloc_fd+0x6e0/0x6e0
[ 30.054714]  ? fd_install+0x4d/0x60
[ 30.058323]  ? __sys_socket+0x19f/0x250
[ 30.062291]  ? security_file_ioctl+0x9b/0xd0
[ 30.066683]  ksys_ioctl+0xa9/0xd0
[ 30.070115]  SyS_ioctl+0x24/0x30
[ 30.073458]  ? ksys_ioctl+0xd0/0xd0
[ 30.077065]  do_syscall_64+0x29e/0x9d0
[ 30.080931]  ? vmalloc_sync_all+0x30/0x30
[ 30.085055]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.089790]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.094697]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.099609]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 30.105043]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.109867]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.115039] RIP: 0033:0x43fe19
[ 30.118208] RSP: 002b:00007ffd5e73d7b8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 30.125895] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe19
[ 30.133140] RDX: 0000000020000240 RSI: 00000000000089f1 RDI: 0000000000000003
[ 30.140384] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[ 30.147632] R10: 000000000000001c R11: 0000000000000213 R12: 0000000000401740
[ 30.154876] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[ 30.162128]
[ 30.163728] The buggy address belongs to the page:
[ 30.168635] page:ffffea0006b52bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 30.177176] flags: 0x2fffc0000000000()
[ 30.181045] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 30.188902] raw: 0000000000000000 ffffea0006b50101 0000000000000000 0000000000000000
[ 30.196755] page dumped because: kasan: bad access detected
[ 30.202445]
[ 30.204059] Memory state around the buggy address:
[ 30.208962]  ffff8801ad4af700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.216297]  ffff8801ad4af780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 30.223633] >ffff8801ad4af800: f1 f1 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00
[ 30.230964]                          ^
[ 30.235347]  ffff8801ad4af880: 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f3 f3 f3
[ 30.242685]  ffff8801ad4af900: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 30.250022] ==================================================================
[ 30.257361] Disabling lock debugging due to kernel taint
[ 30.262843] Kernel panic - not syncing: panic_on_warn set ...
[ 30.262843]
[ 30.270200] CPU: 0 PID: 4480 Comm: syzkaller369768 Tainted: G B 4.16.0+ #2
[ 30.278399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.287724] Call Trace:
[ 30.290291]  dump_stack+0x1b9/0x29f
[ 30.293898]  ? arch_local_irq_restore+0x52/0x52
[ 30.298544]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.303291]  ? ip_tunnel_encap_del_ops+0x50/0x70
[ 30.308035]  panic+0x22f/0x4de
[ 30.311211]  ? add_taint.cold.5+0x16/0x16
[ 30.315341]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.319733]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.324120]  ? __ip_tunnel_create+0xca/0x6b0
[ 30.328516]  kasan_end_report+0x47/0x4f
[ 30.332468]  kasan_report.cold.7+0xc9/0x2f5
[ 30.336783]  check_memory_region+0x13e/0x1b0
[ 30.341166]  memcpy+0x37/0x50
[ 30.344249]  __ip_tunnel_create+0xca/0x6b0
[ 30.348459]  ? ip_tunnel_encap_del_ops+0x70/0x70
[ 30.353191]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.358703]  ? ns_capable_common+0x13f/0x170
[ 30.363090]  ip_tunnel_ioctl+0x818/0xd40
[ 30.367126]  ? ip_tunnel_newlink+0x9f0/0x9f0
[ 30.371510]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.377032]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.382198]  ipip_tunnel_ioctl+0x1c5/0x420
[ 30.386409]  ? ipip_tunnel_setup+0x1d0/0x1d0
[ 30.390794]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.396309]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.401473]  ? ipip_tunnel_setup+0x1d0/0x1d0
[ 30.405861]  dev_ifsioc+0x43e/0xb90
[ 30.409463]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.414636]  ? register_gifconf+0x70/0x70
[ 30.418766]  dev_ioctl+0x69a/0xcc0
[ 30.422288]  sock_ioctl+0x47e/0x680
[ 30.425889]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.431056]  ? dlci_ioctl_set+0x40/0x40
[ 30.435025]  ? get_unused_fd_flags+0x190/0x190
[ 30.439592]  ? dlci_ioctl_set+0x40/0x40
[ 30.443540]  do_vfs_ioctl+0x1cf/0x1650
[ 30.447403]  ? ioctl_preallocate+0x2e0/0x2e0
[ 30.451788]  ? fget_raw+0x20/0x20
[ 30.455219]  ? get_unused_fd_flags+0x121/0x190
[ 30.459782]  ? __alloc_fd+0x6e0/0x6e0
[ 30.463559]  ? fd_install+0x4d/0x60
[ 30.467161]  ? __sys_socket+0x19f/0x250
[ 30.471110]  ? security_file_ioctl+0x9b/0xd0
[ 30.475497]  ksys_ioctl+0xa9/0xd0
[ 30.478927]  SyS_ioctl+0x24/0x30
[ 30.482268]  ? ksys_ioctl+0xd0/0xd0
[ 30.485871]  do_syscall_64+0x29e/0x9d0
[ 30.489734]  ? vmalloc_sync_all+0x30/0x30
[ 30.493858]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.498592]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.503494]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.508402]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 30.513746]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.518569]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.523732] RIP: 0033:0x43fe19
[ 30.526896] RSP: 002b:00007ffd5e73d7b8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 30.534578] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe19
[ 30.541821] RDX: 0000000020000240 RSI: 00000000000089f1 RDI: 0000000000000003
[ 30.549064] RBP: 00000000006ca018 R08: 000000000000001c R09: 00000000004002c8
[ 30.556310] R10: 000000000000001c R11: 0000000000000213 R12: 0000000000401740
[ 30.563554] R13: 00000000004017d0 R14: 0000000000000000 R15: 0000000000000000
[ 30.571261] Dumping ftrace buffer:
[ 30.574774]    (ftrace buffer empty)
[ 30.578463] Kernel Offset: disabled
[ 30.582068] Rebooting in 86400 seconds..