[ OK ] Started Getty on tty3. [ OK ] Started Getty on tty2. [ OK ] Started Getty on tty1. [ OK ] Started Serial Getty on ttyS0. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Starting Load/Save RF Kill Switch Status... [ OK ] Started Load/Save RF Kill Switch Status. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 60.746936][ T6859] ================================================================== [ 60.755156][ T6859] BUG: KASAN: slab-out-of-bounds in xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 60.764206][ T6859] Read of size 4 at addr ffff88809a0f0000 by task syz-executor548/6859 [ 60.772434][ T6859] CPU: 0 PID: 6859 Comm: syz-executor548 Not tainted 5.8.0-rc5-next-20200716-syzkaller #0 [ 60.782312][ T6859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 60.792374][ T6859] Call Trace: [ 60.795658][ T6859] dump_stack+0x18f/0x20d [ 60.799988][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 60.805514][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 60.811045][ T6859] print_address_description.constprop.0.cold+0xae/0x497 [ 60.818062][ T6859] ? xfrm6_tunnel_alloc_spi+0x1e2/0x8a0 [ 60.823591][ T6859] ? lockdep_hardirqs_off+0x66/0xa0 [ 60.828785][ T6859] ? vprintk_func+0x97/0x1a6 [ 60.833374][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 60.838910][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 60.844437][ T6859] kasan_report.cold+0x1f/0x37 [ 60.849209][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 60.854738][ T6859] xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 60.860105][ T6859] ipcomp6_init_state+0x2af/0x700 [ 60.865115][ T6859] __xfrm_init_state+0x9a6/0x14b0 [ 60.870125][ T6859] xfrm_add_sa+0x1db9/0x34f0 [ 60.874699][ T6859] ? xfrm_send_policy_notify+0x17a0/0x17a0 [ 60.880498][ T6859] ? security_capable+0x8f/0xc0 [ 60.885331][ T6859] ? __nla_parse+0x3d/0x4a [ 60.889752][ T6859] ? xfrm_send_policy_notify+0x17a0/0x17a0 [ 60.895547][ T6859] xfrm_user_rcv_msg+0x414/0x700 [ 60.900473][ T6859] ? xfrm_do_migrate+0x800/0x800 [ 60.905394][ T6859] ? mark_lock+0xbc/0x1710 [ 60.909928][ T6859] ? __mutex_lock+0x626/0x10d0 [ 60.914680][ T6859] ? netlink_deliver_tap+0x146/0xb70 [ 60.919948][ T6859] netlink_rcv_skb+0x15a/0x430 [ 60.924709][ T6859] ? xfrm_do_migrate+0x800/0x800 [ 60.929628][ T6859] ? netlink_ack+0xa10/0xa10 [ 60.934209][ T6859] ? lock_is_held_type+0xb0/0xe0 [ 60.939138][ T6859] xfrm_netlink_rcv+0x6b/0x90 [ 60.943813][ T6859] netlink_unicast+0x533/0x7d0 [ 60.948574][ T6859] ? netlink_attachskb+0x810/0x810 [ 60.953692][ T6859] ? _copy_from_iter_full+0x247/0x890 [ 60.959073][ T6859] ? __phys_addr+0x9a/0x110 [ 60.963572][ T6859] ? __phys_addr_symbol+0x2c/0x70 [ 60.968591][ T6859] ? __check_object_size+0x171/0x3e4 [ 60.973879][ T6859] netlink_sendmsg+0x856/0xd90 [ 60.978643][ T6859] ? netlink_unicast+0x7d0/0x7d0 [ 60.983568][ T6859] ? netlink_unicast+0x7d0/0x7d0 [ 60.988486][ T6859] sock_sendmsg+0xcf/0x120 [ 60.992887][ T6859] ____sys_sendmsg+0x6e8/0x810 [ 60.997650][ T6859] ? kernel_sendmsg+0x50/0x50 [ 61.002310][ T6859] ? do_recvmmsg+0x6d0/0x6d0 [ 61.006903][ T6859] ? lock_acquire+0x1f1/0xad0 [ 61.011574][ T6859] ? do_huge_pmd_anonymous_page+0x120d/0x2230 [ 61.017626][ T6859] ? find_held_lock+0x2d/0x110 [ 61.022373][ T6859] ___sys_sendmsg+0xf3/0x170 [ 61.026965][ T6859] ? sendmsg_copy_msghdr+0x160/0x160 [ 61.032232][ T6859] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 61.038196][ T6859] ? do_huge_pmd_anonymous_page+0x8ef/0x2230 [ 61.044166][ T6859] ? handle_mm_fault+0xb78/0x45e0 [ 61.049173][ T6859] ? find_held_lock+0x2d/0x110 [ 61.053920][ T6859] ? __fget_light+0x215/0x280 [ 61.058584][ T6859] __sys_sendmsg+0xe5/0x1b0 [ 61.063073][ T6859] ? __sys_sendmsg_sock+0xb0/0xb0 [ 61.068082][ T6859] ? vmacache_update+0xce/0x140 [ 61.072919][ T6859] ? do_syscall_64+0x1c/0xe0 [ 61.077508][ T6859] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 61.083472][ T6859] do_syscall_64+0x60/0xe0 [ 61.087867][ T6859] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 61.093740][ T6859] RIP: 0033:0x440589 [ 61.097605][ T6859] Code: Bad RIP value. [ 61.101648][ T6859] RSP: 002b:00007fffac3b0bc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 61.110061][ T6859] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440589 [ 61.118016][ T6859] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 [ 61.125997][ T6859] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 [ 61.134001][ T6859] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401d90 [ 61.141953][ T6859] R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000 [ 61.149920][ T6859] Allocated by task 1: [ 61.153977][ T6859] kasan_save_stack+0x1b/0x40 [ 61.158630][ T6859] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 61.164238][ T6859] kmem_cache_alloc+0x138/0x3a0 [ 61.169068][ T6859] __alloc_file+0x21/0x350 [ 61.174591][ T6859] alloc_empty_file+0x6d/0x170 [ 61.179346][ T6859] path_openat+0xe3/0x2720 [ 61.183761][ T6859] do_filp_open+0x17e/0x3c0 [ 61.189197][ T6859] do_sys_openat2+0x16d/0x3e0 [ 61.193850][ T6859] __x64_sys_open+0x119/0x1c0 [ 61.198514][ T6859] do_syscall_64+0x60/0xe0 [ 61.202908][ T6859] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 61.209833][ T6859] Freed by task 16: [ 61.213635][ T6859] kasan_save_stack+0x1b/0x40 [ 61.218302][ T6859] kasan_set_track+0x1c/0x30 [ 61.222884][ T6859] kasan_set_free_info+0x1b/0x30 [ 61.227814][ T6859] __kasan_slab_free+0xd8/0x120 [ 61.232660][ T6859] kmem_cache_free.part.0+0x67/0x1f0 [ 61.237957][ T6859] rcu_core+0x5dc/0x11d0 [ 61.242207][ T6859] __do_softirq+0x34c/0xa60 [ 61.246692][ T6859] Last call_rcu(): [ 61.250396][ T6859] kasan_save_stack+0x1b/0x40 [ 61.255053][ T6859] kasan_record_aux_stack+0x82/0xb0 [ 61.260231][ T6859] call_rcu+0x14f/0x7e0 [ 61.264392][ T6859] task_work_run+0xdd/0x190 [ 61.268902][ T6859] __prepare_exit_to_usermode+0x1e0/0x1f0 [ 61.274613][ T6859] do_syscall_64+0x6c/0xe0 [ 61.279021][ T6859] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 61.284899][ T6859] Second to last call_rcu(): [ 61.289480][ T6859] kasan_save_stack+0x1b/0x40 [ 61.294162][ T6859] kasan_record_aux_stack+0x82/0xb0 [ 61.299344][ T6859] call_rcu+0x14f/0x7e0 [ 61.303484][ T6859] task_work_run+0xdd/0x190 [ 61.307969][ T6859] __prepare_exit_to_usermode+0x1e0/0x1f0 [ 61.313685][ T6859] do_syscall_64+0x6c/0xe0 [ 61.318081][ T6859] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 61.323968][ T6859] The buggy address belongs to the object at ffff88809a0f00c0 [ 61.323968][ T6859] which belongs to the cache filp of size 488 [ 61.337397][ T6859] The buggy address is located 192 bytes to the left of [ 61.337397][ T6859] 488-byte region [ffff88809a0f00c0, ffff88809a0f02a8) [ 61.351094][ T6859] The buggy address belongs to the page: [ 61.356733][ T6859] page:00000000d795ace4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9a0f0 [ 61.366865][ T6859] flags: 0xfffe0000000200(slab) [ 61.371699][ T6859] raw: 00fffe0000000200 ffffea00029cbfc8 ffffea00024090c8 ffff8880aa203d00 [ 61.380294][ T6859] raw: 0000000000000000 ffff88809a0f00c0 0000000100000006 0000000000000000 [ 61.388859][ T6859] page dumped because: kasan: bad access detected [ 61.395259][ T6859] Memory state around the buggy address: [ 61.400874][ T6859] ffff88809a0eff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 61.408961][ T6859] ffff88809a0eff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 61.417008][ T6859] >ffff88809a0f0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 61.425051][ T6859] ^ [ 61.429115][ T6859] ffff88809a0f0080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 61.437157][ T6859] ffff88809a0f0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 61.445194][ T6859] ================================================================== [ 61.453231][ T6859] Disabling lock debugging due to kernel taint [ 61.459429][ T6859] Kernel panic - not syncing: panic_on_warn set ... [ 61.466017][ T6859] CPU: 0 PID: 6859 Comm: syz-executor548 Tainted: G B 5.8.0-rc5-next-20200716-syzkaller #0 [ 61.477296][ T6859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 61.487360][ T6859] Call Trace: [ 61.490657][ T6859] dump_stack+0x18f/0x20d [ 61.494997][ T6859] ? xfrm6_tunnel_alloc_spi+0x770/0x8a0 [ 61.500543][ T6859] panic+0x2e3/0x75c [ 61.504440][ T6859] ? __warn_printk+0xf3/0xf3 [ 61.509005][ T6859] ? asm_common_interrupt+0x1e/0x40 [ 61.514206][ T6859] ? trace_hardirqs_on+0x55/0x220 [ 61.519211][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 61.524747][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 61.530281][ T6859] end_report+0x4d/0x53 [ 61.534440][ T6859] kasan_report.cold+0xd/0x37 [ 61.539096][ T6859] ? xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 61.554614][ T6859] xfrm6_tunnel_alloc_spi+0x779/0x8a0 [ 61.559977][ T6859] ipcomp6_init_state+0x2af/0x700 [ 61.564986][ T6859] __xfrm_init_state+0x9a6/0x14b0 [ 61.570008][ T6859] xfrm_add_sa+0x1db9/0x34f0 [ 61.574582][ T6859] ? xfrm_send_policy_notify+0x17a0/0x17a0 [ 61.580403][ T6859] ? security_capable+0x8f/0xc0 [ 61.585249][ T6859] ? __nla_parse+0x3d/0x4a [ 61.589653][ T6859] ? xfrm_send_policy_notify+0x17a0/0x17a0 [ 61.595439][ T6859] xfrm_user_rcv_msg+0x414/0x700 [ 61.600369][ T6859] ? xfrm_do_migrate+0x800/0x800 [ 61.605289][ T6859] ? mark_lock+0xbc/0x1710 [ 61.609687][ T6859] ? __mutex_lock+0x626/0x10d0 [ 61.614429][ T6859] ? netlink_deliver_tap+0x146/0xb70 [ 61.619708][ T6859] netlink_rcv_skb+0x15a/0x430 [ 61.624466][ T6859] ? xfrm_do_migrate+0x800/0x800 [ 61.629380][ T6859] ? netlink_ack+0xa10/0xa10 [ 61.633955][ T6859] ? lock_is_held_type+0xb0/0xe0 [ 61.638871][ T6859] xfrm_netlink_rcv+0x6b/0x90 [ 61.643527][ T6859] netlink_unicast+0x533/0x7d0 [ 61.648272][ T6859] ? netlink_attachskb+0x810/0x810 [ 61.653386][ T6859] ? _copy_from_iter_full+0x247/0x890 [ 61.658736][ T6859] ? __phys_addr+0x9a/0x110 [ 61.663214][ T6859] ? __phys_addr_symbol+0x2c/0x70 [ 61.668215][ T6859] ? __check_object_size+0x171/0x3e4 [ 61.673478][ T6859] netlink_sendmsg+0x856/0xd90 [ 61.678219][ T6859] ? netlink_unicast+0x7d0/0x7d0 [ 61.683132][ T6859] ? netlink_unicast+0x7d0/0x7d0 [ 61.689089][ T6859] sock_sendmsg+0xcf/0x120 [ 61.693482][ T6859] ____sys_sendmsg+0x6e8/0x810 [ 61.698220][ T6859] ? kernel_sendmsg+0x50/0x50 [ 61.702872][ T6859] ? do_recvmmsg+0x6d0/0x6d0 [ 61.707439][ T6859] ? lock_acquire+0x1f1/0xad0 [ 61.712089][ T6859] ? do_huge_pmd_anonymous_page+0x120d/0x2230 [ 61.718131][ T6859] ? find_held_lock+0x2d/0x110 [ 61.722888][ T6859] ___sys_sendmsg+0xf3/0x170 [ 61.727452][ T6859] ? sendmsg_copy_msghdr+0x160/0x160 [ 61.732735][ T6859] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 61.738704][ T6859] ? do_huge_pmd_anonymous_page+0x8ef/0x2230 [ 61.744674][ T6859] ? handle_mm_fault+0xb78/0x45e0 [ 61.749691][ T6859] ? find_held_lock+0x2d/0x110 [ 61.754442][ T6859] ? __fget_light+0x215/0x280 [ 61.759106][ T6859] __sys_sendmsg+0xe5/0x1b0 [ 61.764066][ T6859] ? __sys_sendmsg_sock+0xb0/0xb0 [ 61.769081][ T6859] ? vmacache_update+0xce/0x140 [ 61.774704][ T6859] ? do_syscall_64+0x1c/0xe0 [ 61.779286][ T6859] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 61.785261][ T6859] do_syscall_64+0x60/0xe0 [ 61.789671][ T6859] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 61.795552][ T6859] RIP: 0033:0x440589 [ 61.799420][ T6859] Code: Bad RIP value. [ 61.803466][ T6859] RSP: 002b:00007fffac3b0bc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 61.811943][ T6859] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440589 [ 61.819912][ T6859] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 [ 61.827867][ T6859] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 [ 61.835819][ T6859] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401d90 [ 61.843784][ T6859] R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000 [ 61.852828][ T6859] Kernel Offset: disabled [ 61.857147][ T6859] Rebooting in 86400 seconds..