INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 44.728919] ================================================================== [ 44.736379] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 44.743547] Read of size 8 at addr ffff8801d7536910 by task syzkaller460329/4414 [ 44.751054] [ 44.752669] CPU: 1 PID: 4414 Comm: syzkaller460329 Not tainted 4.17.0-rc1+ #10 [ 44.760004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.769332] Call Trace: [ 44.771902] dump_stack+0x1b9/0x294 [ 44.775516] ? dump_stack_print_info.cold.2+0x52/0x52 [ 44.780686] ? printk+0x9e/0xba [ 44.783946] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 44.788691] ? kasan_check_write+0x14/0x20 [ 44.792904] print_address_description+0x6c/0x20b [ 44.797725] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 44.802210] kasan_report.cold.7+0x242/0x2fe [ 44.806601] __asan_report_load8_noabort+0x14/0x20 [ 44.811509] __sctp_v6_cmp_addr+0x4c7/0x530 [ 44.815812] sctp_inet6_cmp_addr+0x169/0x1a0 [ 44.820209] sctp_bind_addr_conflict+0x28c/0x470 [ 44.824944] ? sctp_bind_addr_match+0x400/0x400 [ 44.829594] ? kasan_check_write+0x14/0x20 [ 44.833808] ? do_raw_spin_lock+0xc1/0x200 [ 44.838023] sctp_get_port_local+0x9fc/0x1540 [ 44.842497] ? print_irqtrace_events+0x95/0x1fa [ 44.847145] ? sctp_set_owner_w+0x530/0x530 [ 44.851624] ? kasan_check_read+0x11/0x20 [ 44.855750] ? rcu_is_watching+0x85/0x140 [ 44.859880] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 44.865053] ? sctp_bind_addr_match+0x2c6/0x400 [ 44.869701] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 44.874526] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 44.880039] ? sctp_v4_available+0x1b1/0x200 [ 44.884428] ? sctp_inet6_bind_verify+0xb2/0x500 [ 44.889160] sctp_do_bind+0x21c/0x5f0 [ 44.892941] sctp_bindx_add+0x90/0x1a0 [ 44.896815] sctp_setsockopt_bindx+0x2ad/0x320 [ 44.901374] sctp_setsockopt+0x12c4/0x7000 [ 44.905595] ? __lock_acquire+0x7f5/0x5140 [ 44.909810] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 44.915502] ? debug_check_no_locks_freed+0x310/0x310 [ 44.920671] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 44.926185] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 44.931266] ? futex_wait+0x5c1/0x9f0 [ 44.935050] ? futex_wait_setup+0x400/0x400 [ 44.939353] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 44.944525] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 44.950128] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 44.955214] ? futex_wake+0x2f6/0x750 [ 44.958995] ? get_futex_key+0x1e90/0x1e90 [ 44.963211] ? graph_lock+0x170/0x170 [ 44.966995] ? sock_alloc_file+0x1f3/0x4e0 [ 44.971208] ? __sys_socket+0x16f/0x250 [ 44.975158] ? __x64_sys_socket+0x73/0xb0 [ 44.979289] ? find_held_lock+0x36/0x1c0 [ 44.983330] ? lock_downgrade+0x8e0/0x8e0 [ 44.987458] ? kasan_check_read+0x11/0x20 [ 44.991582] ? rcu_is_watching+0x85/0x140 [ 44.995710] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 45.000896] ? __fget+0x40c/0x650 [ 45.004329] ? expand_files.part.8+0x9a0/0x9a0 [ 45.008890] ? lock_downgrade+0x8e0/0x8e0 [ 45.013019] ? kasan_check_read+0x11/0x20 [ 45.017143] ? __lock_is_held+0xb5/0x140 [ 45.021181] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 45.026348] ? __fget_light+0x2ef/0x430 [ 45.030307] ? fget_raw+0x20/0x20 [ 45.033739] ? get_unused_fd_flags+0x190/0x190 [ 45.038309] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.043828] ? alloc_file+0x44/0x3e0 [ 45.047520] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 45.053037] ? sock_alloc_file+0x2a4/0x4e0 [ 45.057260] sock_common_setsockopt+0x9a/0xe0 [ 45.061735] __sys_setsockopt+0x1bd/0x390 [ 45.065864] ? kernel_accept+0x310/0x310 [ 45.069904] ? do_futex+0x27d0/0x27d0 [ 45.073772] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 45.078334] __x64_sys_setsockopt+0xbe/0x150 [ 45.082719] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.087714] do_syscall_64+0x1b1/0x800 [ 45.091582] ? finish_task_switch+0x1ca/0x810 [ 45.096058] ? syscall_return_slowpath+0x5c0/0x5c0 [ 45.100965] ? syscall_return_slowpath+0x30f/0x5c0 [ 45.105874] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 45.111218] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 45.116039] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.121211] RIP: 0033:0x445829 [ 45.124375] RSP: 002b:00007fc7427cad98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 45.132060] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445829 [ 45.139304] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 45.146550] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000e6af [ 45.153794] R10: 0000000020223fd4 R11: 0000000000000246 R12: 0000000000000000 [ 45.161040] R13: 00007ffd5e2ee04f R14: 00007fc7427cb9c0 R15: 0000000000000003 [ 45.168291] [ 45.169894] Allocated by task 4414: [ 45.173499] save_stack+0x43/0xd0 [ 45.176929] kasan_kmalloc+0xc4/0xe0 [ 45.180620] __kmalloc_node+0x47/0x70 [ 45.184395] kvmalloc_node+0x6b/0x100 [ 45.188169] vmemdup_user+0x2d/0xa0 [ 45.191773] sctp_setsockopt_bindx+0x5d/0x320 [ 45.196241] sctp_setsockopt+0x12c4/0x7000 [ 45.200452] sock_common_setsockopt+0x9a/0xe0 [ 45.204923] __sys_setsockopt+0x1bd/0x390 [ 45.209045] __x64_sys_setsockopt+0xbe/0x150 [ 45.213431] do_syscall_64+0x1b1/0x800 [ 45.217295] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.222456] [ 45.224056] Freed by task 2735: [ 45.227311] save_stack+0x43/0xd0 [ 45.230739] __kasan_slab_free+0x11a/0x170 [ 45.234951] kasan_slab_free+0xe/0x10 [ 45.238728] kfree+0xd9/0x260 [ 45.241812] single_release+0x8f/0xb0 [ 45.245592] __fput+0x34d/0x890 [ 45.248847] ____fput+0x15/0x20 [ 45.252102] task_work_run+0x1e4/0x290 [ 45.255967] exit_to_usermode_loop+0x2bd/0x310 [ 45.260526] do_syscall_64+0x6ac/0x800 [ 45.264387] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.269545] [ 45.271150] The buggy address belongs to the object at ffff8801d7536900 [ 45.271150] which belongs to the cache kmalloc-32 of size 32 [ 45.283608] The buggy address is located 16 bytes inside of [ 45.283608] 32-byte region [ffff8801d7536900, ffff8801d7536920) [ 45.295280] The buggy address belongs to the page: [ 45.300184] page:ffffea00075d4d80 count:1 mapcount:0 mapping:ffff8801d7536000 index:0xffff8801d7536fc1 [ 45.309604] flags: 0x2fffc0000000100(slab) [ 45.313817] raw: 02fffc0000000100 ffff8801d7536000 ffff8801d7536fc1 000000010000003f [ 45.321676] raw: ffffea00075d4b20 ffffea00075d6120 ffff8801da8001c0 0000000000000000 [ 45.329527] page dumped because: kasan: bad access detected [ 45.335217] [ 45.336820] Memory state around the buggy address: [ 45.341723] ffff8801d7536800: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc [ 45.349063] ffff8801d7536880: 00 00 04 fc fc fc fc fc 00 00 00 00 fc fc fc fc [ 45.356398] >ffff8801d7536900: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 45.363728] ^ [ 45.367593] ffff8801d7536980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 45.374928] ffff8801d7536a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 45.382257] ================================================================== [ 45.389588] Disabling lock debugging due to kernel taint [ 45.395052] Kernel panic - not syncing: panic_on_warn set ... [ 45.395052] [ 45.402396] CPU: 1 PID: 4414 Comm: syzkaller460329 Tainted: G B 4.17.0-rc1+ #10 [ 45.411119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 45.420449] Call Trace: [ 45.423019] dump_stack+0x1b9/0x294 [ 45.426623] ? dump_stack_print_info.cold.2+0x52/0x52 [ 45.431790] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 45.436521] ? __sctp_v6_cmp_addr+0x4a0/0x530 [ 45.440991] panic+0x22f/0x4de [ 45.444159] ? add_taint.cold.5+0x16/0x16 [ 45.448291] ? do_raw_spin_unlock+0x9e/0x2e0 [ 45.452677] ? do_raw_spin_unlock+0x9e/0x2e0 [ 45.457062] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 45.461548] kasan_end_report+0x47/0x4f [ 45.465503] kasan_report.cold.7+0x76/0x2fe [ 45.469805] __asan_report_load8_noabort+0x14/0x20 [ 45.474711] __sctp_v6_cmp_addr+0x4c7/0x530 [ 45.479010] sctp_inet6_cmp_addr+0x169/0x1a0 [ 45.483402] sctp_bind_addr_conflict+0x28c/0x470 [ 45.488135] ? sctp_bind_addr_match+0x400/0x400 [ 45.492783] ? kasan_check_write+0x14/0x20 [ 45.497003] ? do_raw_spin_lock+0xc1/0x200 [ 45.501216] sctp_get_port_local+0x9fc/0x1540 [ 45.505689] ? print_irqtrace_events+0x95/0x1fa [ 45.510334] ? sctp_set_owner_w+0x530/0x530 [ 45.514631] ? kasan_check_read+0x11/0x20 [ 45.518753] ? rcu_is_watching+0x85/0x140 [ 45.522879] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 45.528049] ? sctp_bind_addr_match+0x2c6/0x400 [ 45.532696] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 45.537519] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 45.543039] ? sctp_v4_available+0x1b1/0x200 [ 45.547428] ? sctp_inet6_bind_verify+0xb2/0x500 [ 45.552162] sctp_do_bind+0x21c/0x5f0 [ 45.555940] sctp_bindx_add+0x90/0x1a0 [ 45.559811] sctp_setsockopt_bindx+0x2ad/0x320 [ 45.564370] sctp_setsockopt+0x12c4/0x7000 [ 45.568585] ? __lock_acquire+0x7f5/0x5140 [ 45.572796] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 45.578484] ? debug_check_no_locks_freed+0x310/0x310 [ 45.583656] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 45.589263] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 45.594342] ? futex_wait+0x5c1/0x9f0 [ 45.598121] ? futex_wait_setup+0x400/0x400 [ 45.602432] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 45.607598] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 45.613109] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 45.618187] ? futex_wake+0x2f6/0x750 [ 45.621970] ? get_futex_key+0x1e90/0x1e90 [ 45.626183] ? graph_lock+0x170/0x170 [ 45.629966] ? sock_alloc_file+0x1f3/0x4e0 [ 45.634178] ? __sys_socket+0x16f/0x250 [ 45.638130] ? __x64_sys_socket+0x73/0xb0 [ 45.642257] ? find_held_lock+0x36/0x1c0 [ 45.646295] ? lock_downgrade+0x8e0/0x8e0 [ 45.650424] ? kasan_check_read+0x11/0x20 [ 45.654561] ? rcu_is_watching+0x85/0x140 [ 45.658685] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 45.663854] ? __fget+0x40c/0x650 [ 45.667285] ? expand_files.part.8+0x9a0/0x9a0 [ 45.671845] ? lock_downgrade+0x8e0/0x8e0 [ 45.675968] ? kasan_check_read+0x11/0x20 [ 45.680090] ? __lock_is_held+0xb5/0x140 [ 45.684125] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 45.689291] ? __fget_light+0x2ef/0x430 [ 45.693242] ? fget_raw+0x20/0x20 [ 45.696671] ? get_unused_fd_flags+0x190/0x190 [ 45.701230] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 45.706742] ? alloc_file+0x44/0x3e0 [ 45.710433] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 45.715948] ? sock_alloc_file+0x2a4/0x4e0 [ 45.720159] sock_common_setsockopt+0x9a/0xe0 [ 45.724638] __sys_setsockopt+0x1bd/0x390 [ 45.728763] ? kernel_accept+0x310/0x310 [ 45.732799] ? do_futex+0x27d0/0x27d0 [ 45.736576] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 45.741142] __x64_sys_setsockopt+0xbe/0x150 [ 45.745526] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 45.750521] do_syscall_64+0x1b1/0x800 [ 45.754388] ? finish_task_switch+0x1ca/0x810 [ 45.758859] ? syscall_return_slowpath+0x5c0/0x5c0 [ 45.763765] ? syscall_return_slowpath+0x30f/0x5c0 [ 45.768671] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 45.774009] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 45.778826] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 45.783989] RIP: 0033:0x445829 [ 45.787170] RSP: 002b:00007fc7427cad98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 45.794856] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445829 [ 45.802108] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 45.809354] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000e6af [ 45.816599] R10: 0000000020223fd4 R11: 0000000000000246 R12: 0000000000000000 [ 45.823847] R13: 00007ffd5e2ee04f R14: 00007fc7427cb9c0 R15: 0000000000000003 [ 45.831464] Dumping ftrace buffer: [ 45.834978] (ftrace buffer empty) [ 45.838664] Kernel Offset: disabled [ 45.842275] Rebooting in 86400 seconds..