[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.21' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   59.177762][ T6812] IPVS: ftp: loaded support on port[0] = 21
[   59.214465][ T6812] ==================================================================
[   59.222874][ T6812] BUG: KASAN: global-out-of-bounds in __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.231601][ T6812] Read of size 8 at addr ffffffff884ba1e0 by task syz-executor372/6812
[   59.239820][ T6812] CPU: 0 PID: 6812 Comm: syz-executor372 Not tainted 5.8.0-rc4-next-20200713-syzkaller #0
[   59.249814][ T6812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.259848][ T6812] Call Trace:
[   59.263121][ T6812]  dump_stack+0x18f/0x20d
[   59.267431][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.273214][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.279000][ T6812]  print_address_description.constprop.0.cold+0x5/0x497
[   59.285915][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x142/0x3b0
[   59.291695][ T6812]  ? lockdep_hardirqs_off+0x66/0xa0
[   59.296871][ T6812]  ? vprintk_func+0x97/0x1a6
[   59.301454][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.307250][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.313038][ T6812]  kasan_report.cold+0x1f/0x37
[   59.317786][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.323573][ T6812]  __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.329188][ T6812]  xfrm6_tunnel_spi_lookup+0x8a/0x1d0
[   59.334544][ T6812]  xfrmi6_rcv_tunnel+0xb9/0x100
[   59.339789][ T6812]  tunnel6_rcv+0xef/0x2b0
[   59.344101][ T6812]  ip6_protocol_deliver_rcu+0x2e8/0x1670
[   59.349859][ T6812]  ip6_input_finish+0x7f/0x160
[   59.354602][ T6812]  ip6_input+0x9c/0xd0
[   59.358650][ T6812]  ip6_mc_input+0x411/0xea0
[   59.363132][ T6812]  ? ip6_input+0xd0/0xd0
[   59.367357][ T6812]  ? lock_is_held_type+0xb0/0xe0
[   59.372297][ T6812]  ipv6_rcv+0x28e/0x3c0
[   59.376445][ T6812]  ? ip6_rcv_core+0x1bb0/0x1bb0
[   59.381275][ T6812]  __netif_receive_skb_one_core+0x114/0x180
[   59.387145][ T6812]  ? __netif_receive_skb_core+0x3690/0x3690
[   59.393021][ T6812]  ? lockdep_hardirqs_on+0x6a/0xe0
[   59.398112][ T6812]  ? read_seqcount_begin.constprop.0+0x139/0x1f0
[   59.404416][ T6812]  ? ktime_get_with_offset+0x130/0x1a0
[   59.409850][ T6812]  __netif_receive_skb+0x27/0x1c0
[   59.414852][ T6812]  netif_receive_skb+0x159/0x990
[   59.419790][ T6812]  ? __netif_receive_skb+0x1c0/0x1c0
[   59.425056][ T6812]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   59.431014][ T6812]  ? skb_set_owner_w+0x24e/0x400
[   59.435930][ T6812]  ? __tun_build_skb+0x1cd/0x260
[   59.440847][ T6812]  tun_rx_batched.isra.0+0x460/0x720
[   59.446177][ T6812]  ? tun_get_user+0x197f/0x35b0
[   59.451009][ T6812]  ? tun_sock_write_space+0x1d0/0x1d0
[   59.456360][ T6812]  ? lock_release+0x8d0/0x8d0
[   59.461032][ T6812]  ? lock_downgrade+0x820/0x820
[   59.465864][ T6812]  ? eth_type_trans+0x360/0x690
[   59.470698][ T6812]  ? __local_bh_enable_ip+0x159/0x250
[   59.476048][ T6812]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   59.482007][ T6812]  ? tun_get_user+0x231f/0x35b0
[   59.486840][ T6812]  ? trace_hardirqs_on+0x5f/0x220
[   59.491847][ T6812]  tun_get_user+0x23b2/0x35b0
[   59.496511][ T6812]  ? lock_acquire+0x1f1/0xad0
[   59.501167][ T6812]  ? tun_build_skb+0xf30/0xf30
[   59.505908][ T6812]  ? tun_get+0x160/0x280
[   59.510131][ T6812]  ? aa_file_perm+0x5e2/0x1100
[   59.514882][ T6812]  tun_chr_write_iter+0xba/0x151
[   59.519797][ T6812]  new_sync_write+0x422/0x650
[   59.524453][ T6812]  ? new_sync_read+0x6e0/0x6e0
[   59.529199][ T6812]  ? apparmor_file_permission+0x26e/0x4e0
[   59.534900][ T6812]  ? __up_read+0x1a1/0x7b0
[   59.539323][ T6812]  vfs_write+0x59d/0x6b0
[   59.543552][ T6812]  ksys_write+0x12d/0x250
[   59.547989][ T6812]  ? __ia32_sys_read+0xb0/0xb0
[   59.552731][ T6812]  ? lock_is_held_type+0xb0/0xe0
[   59.557648][ T6812]  ? do_syscall_64+0x1c/0xe0
[   59.562229][ T6812]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   59.568195][ T6812]  do_syscall_64+0x60/0xe0
[   59.572592][ T6812]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.578512][ T6812] RIP: 0033:0x4013a0
[   59.582379][ T6812] Code: Bad RIP value.
[   59.586424][ T6812] RSP: 002b:00007ffdf3de1d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   59.594812][ T6812] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004013a0
[   59.602762][ T6812] RDX: 000000000000005e RSI: 0000000020000ac0 RDI: 00000000000000f0
[   59.610710][ T6812] RBP: 00007ffdf3de1db0 R08: 0000000000000000 R09: 0000000000000000
[   59.618658][ T6812] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   59.628168][ T6812] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   59.636131][ T6812] 
[   59.636131][ T6812] The buggy address belongs to the variable:
[   59.642088][ T6812]  psi_io_proc_ops+0xa0/0x4fe0
[   59.646851][ T6812] 
[   59.646851][ T6812] Memory state around the buggy address:
[   59.652465][ T6812]  ffffffff884ba080: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
[   59.660677][ T6812]  ffffffff884ba100: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
[   59.668719][ T6812] >ffffffff884ba180: 00 00 00 00 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
[   59.676764][ T6812]                                                        ^
[   59.683942][ T6812]  ffffffff884ba200: 00 00 00 07 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
[   59.691981][ T6812]  ffffffff884ba280: 00 00 07 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9
[   59.700017][ T6812] ==================================================================
[   59.708059][ T6812] Disabling lock debugging due to kernel taint
[   59.714277][ T6812] Kernel panic - not syncing: panic_on_warn set ...
[   59.720864][ T6812] CPU: 0 PID: 6812 Comm: syz-executor372 Tainted: G B 5.8.0-rc4-next-20200713-syzkaller #0
[   59.732346][ T6812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.742388][ T6812] Call Trace:
[   59.745654][ T6812]  dump_stack+0x18f/0x20d
[   59.749961][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x2e0/0x3b0
[   59.755745][ T6812]  panic+0x2e3/0x75c
[   59.759615][ T6812]  ? __warn_printk+0xf3/0xf3
[   59.764181][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.769961][ T6812]  ? trace_hardirqs_on+0x55/0x220
[   59.775048][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.780873][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.786656][ T6812]  end_report+0x4d/0x53
[   59.790784][ T6812]  kasan_report.cold+0xd/0x37
[   59.795440][ T6812]  ? __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.801220][ T6812]  __xfrm6_tunnel_spi_lookup+0x367/0x3b0
[   59.806830][ T6812]  xfrm6_tunnel_spi_lookup+0x8a/0x1d0
[   59.812195][ T6812]  xfrmi6_rcv_tunnel+0xb9/0x100
[   59.817022][ T6812]  tunnel6_rcv+0xef/0x2b0
[   59.821336][ T6812]  ip6_protocol_deliver_rcu+0x2e8/0x1670
[   59.826957][ T6812]  ip6_input_finish+0x7f/0x160
[   59.831697][ T6812]  ip6_input+0x9c/0xd0
[   59.835745][ T6812]  ip6_mc_input+0x411/0xea0
[   59.840230][ T6812]  ? ip6_input+0xd0/0xd0
[   59.844448][ T6812]  ? lock_is_held_type+0xb0/0xe0
[   59.849359][ T6812]  ipv6_rcv+0x28e/0x3c0
[   59.853490][ T6812]  ? ip6_rcv_core+0x1bb0/0x1bb0
[   59.858313][ T6812]  __netif_receive_skb_one_core+0x114/0x180
[   59.864177][ T6812]  ? __netif_receive_skb_core+0x3690/0x3690
[   59.870045][ T6812]  ? lockdep_hardirqs_on+0x6a/0xe0
[   59.875133][ T6812]  ? read_seqcount_begin.constprop.0+0x139/0x1f0
[   59.881432][ T6812]  ? ktime_get_with_offset+0x130/0x1a0
[   59.886868][ T6812]  __netif_receive_skb+0x27/0x1c0
[   59.891866][ T6812]  netif_receive_skb+0x159/0x990
[   59.896776][ T6812]  ? __netif_receive_skb+0x1c0/0x1c0
[   59.902037][ T6812]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   59.907990][ T6812]  ? skb_set_owner_w+0x24e/0x400
[   59.913163][ T6812]  ? __tun_build_skb+0x1cd/0x260
[   59.918074][ T6812]  tun_rx_batched.isra.0+0x460/0x720
[   59.923333][ T6812]  ? tun_get_user+0x197f/0x35b0
[   59.928160][ T6812]  ? tun_sock_write_space+0x1d0/0x1d0
[   59.933506][ T6812]  ? lock_release+0x8d0/0x8d0
[   59.938159][ T6812]  ? lock_downgrade+0x820/0x820
[   59.943088][ T6812]  ? eth_type_trans+0x360/0x690
[   59.947915][ T6812]  ? __local_bh_enable_ip+0x159/0x250
[   59.953264][ T6812]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   59.959215][ T6812]  ? tun_get_user+0x231f/0x35b0
[   59.964059][ T6812]  ? trace_hardirqs_on+0x5f/0x220
[   59.969056][ T6812]  tun_get_user+0x23b2/0x35b0
[   59.973710][ T6812]  ? lock_acquire+0x1f1/0xad0
[   59.978359][ T6812]  ? tun_build_skb+0xf30/0xf30
[   59.983097][ T6812]  ? tun_get+0x160/0x280
[   59.987317][ T6812]  ? aa_file_perm+0x5e2/0x1100
[   59.992057][ T6812]  tun_chr_write_iter+0xba/0x151
[   59.996979][ T6812]  new_sync_write+0x422/0x650
[   60.001633][ T6812]  ? new_sync_read+0x6e0/0x6e0
[   60.006375][ T6812]  ? apparmor_file_permission+0x26e/0x4e0
[   60.012081][ T6812]  ? __up_read+0x1a1/0x7b0
[   60.016483][ T6812]  vfs_write+0x59d/0x6b0
[   60.020701][ T6812]  ksys_write+0x12d/0x250
[   60.025005][ T6812]  ? __ia32_sys_read+0xb0/0xb0
[   60.029741][ T6812]  ? lock_is_held_type+0xb0/0xe0
[   60.034655][ T6812]  ? do_syscall_64+0x1c/0xe0
[   60.039222][ T6812]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   60.045175][ T6812]  do_syscall_64+0x60/0xe0
[   60.049567][ T6812]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   60.055431][ T6812] RIP: 0033:0x4013a0
[   60.059309][ T6812] Code: Bad RIP value.
[   60.063348][ T6812] RSP: 002b:00007ffdf3de1d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   60.071734][ T6812] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004013a0
[   60.079679][ T6812] RDX: 000000000000005e RSI: 0000000020000ac0 RDI: 00000000000000f0
[   60.087629][ T6812] RBP: 00007ffdf3de1db0 R08: 0000000000000000 R09: 0000000000000000
[   60.095767][ T6812] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   60.103713][ T6812] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   60.113005][ T6812] Kernel Offset: disabled
[   60.117322][ T6812] Rebooting in 86400 seconds..