INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 48.196625] ==================================================================
[ 48.204019] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2565/0x3240
[ 48.210569] Read of size 8192 at addr ffff8801b7436f40 by task syzkaller362258/3784
[ 48.218336]
[ 48.219939] CPU: 0 PID: 3784 Comm: syzkaller362258 Not tainted 4.9.93-gcb02358 #2
[ 48.227531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.236861]  ffff8801d900f6e0 ffffffff81d9c249 ffffea0006dd0d80 ffff8801b7436f40
[ 48.244832]  0000000000000000 ffff8801b7437100 ffff8801b7436f00 ffff8801d900f718
[ 48.252791]  ffffffff8156533b ffff8801b7436f40 0000000000002000 0000000000000000
[ 48.260774] Call Trace:
[ 48.263342]  [] dump_stack+0xc1/0x128
[ 48.268684]  [] print_address_description+0x6c/0x234
[ 48.275317]  [] kasan_report.cold.6+0xac/0x2f5
[ 48.281436]  [] ? pfkey_add+0x2565/0x3240
[ 48.287119]  [] check_memory_region+0x14f/0x1b0
[ 48.293319]  [] memcpy+0x23/0x50
[ 48.298216]  [] pfkey_add+0x2565/0x3240
[ 48.303723]  [] ? pfkey_get+0x660/0x660
[ 48.309233]  [] ? __skb_clone+0x25c/0x7d0
[ 48.314913]  [] ? pfkey_get+0x660/0x660
[ 48.320417]  [] pfkey_process+0x671/0x740
[ 48.326095]  [] ? pfkey_send_new_mapping+0x1170/0x1170
[ 48.332910]  [] pfkey_sendmsg+0x346/0xae0
[ 48.338710]  [] ? pfkey_spdget+0x840/0x840
[ 48.344481]  [] sock_sendmsg+0xcc/0x110
[ 48.350002]  [] ___sys_sendmsg+0x6fc/0x840
[ 48.355772]  [] ? copy_msghdr_from_user+0x560/0x560
[ 48.362319]  [] ? __lru_cache_add+0x187/0x250
[ 48.368349]  [] ? native_set_pte_at+0xe0/0xe0
[ 48.374379]  [] ? do_huge_pmd_anonymous_page+0xadc/0x10f0
[ 48.381451]  [] ? _raw_spin_unlock+0x2c/0x50
[ 48.387401]  [] ? do_huge_pmd_anonymous_page+0x648/0x10f0
[ 48.394481]  [] ? handle_mm_fault+0x6a4/0x28e0
[ 48.400600]  [] ? __fget_light+0x169/0x1f0
[ 48.406371]  [] ? __fdget+0x18/0x20
[ 48.411533]  [] ? sockfd_lookup_light+0xb6/0x160
[ 48.417824]  [] __sys_sendmsg+0xd9/0x190
[ 48.423419]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 48.429189]  [] ? __do_page_fault+0x5dd/0xd50
[ 48.435222]  [] SyS_sendmsg+0x2d/0x50
[ 48.440563]  [] ? __sys_sendmsg+0x190/0x190
[ 48.446428]  [] do_syscall_64+0x1a6/0x490
[ 48.452112]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.459016]
[ 48.460614] Allocated by task 3784:
[ 48.464221]  save_stack_trace+0x16/0x20
[ 48.468166]  save_stack+0x43/0xd0
[ 48.471596]  kasan_kmalloc+0xc7/0xe0
[ 48.475278]  kasan_slab_alloc+0x12/0x20
[ 48.479223]  __kmalloc_track_caller+0xdc/0x2b0
[ 48.483779]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 48.488514]  __alloc_skb+0x11a/0x600
[ 48.492197]  pfkey_sendmsg+0xfe/0xae0
[ 48.495967]  sock_sendmsg+0xcc/0x110
[ 48.499647]  ___sys_sendmsg+0x6fc/0x840
[ 48.503601]  __sys_sendmsg+0xd9/0x190
[ 48.507377]  SyS_sendmsg+0x2d/0x50
[ 48.510896]  do_syscall_64+0x1a6/0x490
[ 48.514758]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.519842]
[ 48.521450] Freed by task 2013:
[ 48.524712]  save_stack_trace+0x16/0x20
[ 48.528665]  save_stack+0x43/0xd0
[ 48.532094]  kasan_slab_free+0x72/0xc0
[ 48.535957]  kfree+0xfb/0x310
[ 48.539043]  kernfs_fop_release+0xff/0x140
[ 48.543265]  __fput+0x263/0x700
[ 48.546533]  ____fput+0x15/0x20
[ 48.549794]  task_work_run+0x10c/0x180
[ 48.553659]  exit_to_usermode_loop+0xfc/0x120
[ 48.558131]  do_syscall_64+0x364/0x490
[ 48.561995]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.567111]
[ 48.568714] The buggy address belongs to the object at ffff8801b7436f00
[ 48.568714]  which belongs to the cache kmalloc-512 of size 512
[ 48.581352] The buggy address is located 64 bytes inside of
[ 48.581352]  512-byte region [ffff8801b7436f00, ffff8801b7437100)
[ 48.593111] The buggy address belongs to the page:
[ 48.598021] page:ffffea0006dd0d80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 48.608219] flags: 0x8000000000004080(slab|head)
[ 48.612945] page dumped because: kasan: bad access detected
[ 48.618630]
[ 48.620233] Memory state around the buggy address:
[ 48.625141]  ffff8801b7437000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.632483]  ffff8801b7437080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 48.639823] >ffff8801b7437100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 48.647157]                    ^
[ 48.650499]  ffff8801b7437180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.657834]  ffff8801b7437200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.665162] ==================================================================
[ 48.672490] Disabling lock debugging due to kernel taint
[ 48.678146] Kernel panic - not syncing: panic_on_warn set ...
[ 48.678146]
[ 48.685500] CPU: 0 PID: 3784 Comm: syzkaller362258 Tainted: G B 4.9.93-gcb02358 #2
[ 48.694318] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.703653]  ffff8801d900f640 ffffffff81d9c249 ffffffff841a8689 00000000ffffffff
[ 48.711625]  0000000000000000 0000000000000000 ffff8801b7436f00 ffff8801d900f700
[ 48.719596]  ffffffff8141f825 0000000041b58ab3 ffffffff8419bdc0 ffffffff8141f666
[ 48.727563] Call Trace:
[ 48.730129]  [] dump_stack+0xc1/0x128
[ 48.735479]  [] panic+0x1bf/0x3bc
[ 48.740474]  [] ? add_taint.cold.6+0x16/0x16
[ 48.746430]  [] ? ___preempt_schedule+0x16/0x18
[ 48.752648]  [] kasan_end_report+0x47/0x4f
[ 48.758436]  [] kasan_report.cold.6+0xc9/0x2f5
[ 48.764573]  [] ? pfkey_add+0x2565/0x3240
[ 48.770269]  [] check_memory_region+0x14f/0x1b0
[ 48.776740]  [] memcpy+0x23/0x50
[ 48.781656]  [] pfkey_add+0x2565/0x3240
[ 48.787182]  [] ? pfkey_get+0x660/0x660
[ 48.792962]  [] ? __skb_clone+0x25c/0x7d0
[ 48.798828]  [] ? pfkey_get+0x660/0x660
[ 48.804346]  [] pfkey_process+0x671/0x740
[ 48.810038]  [] ? pfkey_send_new_mapping+0x1170/0x1170
[ 48.816865]  [] pfkey_sendmsg+0x346/0xae0
[ 48.822568]  [] ? pfkey_spdget+0x840/0x840
[ 48.828354]  [] sock_sendmsg+0xcc/0x110
[ 48.833899]  [] ___sys_sendmsg+0x6fc/0x840
[ 48.839689]  [] ? copy_msghdr_from_user+0x560/0x560
[ 48.846271]  [] ? __lru_cache_add+0x187/0x250
[ 48.852313]  [] ? native_set_pte_at+0xe0/0xe0
[ 48.858355]  [] ? do_huge_pmd_anonymous_page+0xadc/0x10f0
[ 48.865441]  [] ? _raw_spin_unlock+0x2c/0x50
[ 48.871403]  [] ? do_huge_pmd_anonymous_page+0x648/0x10f0
[ 48.878494]  [] ? handle_mm_fault+0x6a4/0x28e0
[ 48.884618]  [] ? __fget_light+0x169/0x1f0
[ 48.890404]  [] ? __fdget+0x18/0x20
[ 48.895590]  [] ? sockfd_lookup_light+0xb6/0x160
[ 48.901892]  [] __sys_sendmsg+0xd9/0x190
[ 48.907504]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 48.913287]  [] ? __do_page_fault+0x5dd/0xd50
[ 48.919326]  [] SyS_sendmsg+0x2d/0x50
[ 48.924678]  [] ? __sys_sendmsg+0x190/0x190
[ 48.930554]  [] do_syscall_64+0x1a6/0x490
[ 48.936249]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 48.943552] Dumping ftrace buffer:
[ 48.947068]    (ftrace buffer empty)
[ 48.950753] Kernel Offset: disabled
[ 48.954363] Rebooting in 86400 seconds..