[....] Starting periodic command scheduler: cron[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 20.331421] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.255691] random: sshd: uninitialized urandom read (32 bytes read) [ 23.727422] random: sshd: uninitialized urandom read (32 bytes read) [ 24.416372] random: sshd: uninitialized urandom read (32 bytes read) [ 24.577473] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts. [ 30.068443] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 30.164384] ================================================================== [ 30.171857] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 30.179039] Read of size 8 at addr ffff8801d7050e60 by task syz-executor457/4481 [ 30.186569] [ 30.188197] CPU: 0 PID: 4481 Comm: syz-executor457 Not tainted 4.17.0-rc2+ #17 [ 30.195535] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.204865] Call Trace: [ 30.207437] dump_stack+0x1b9/0x294 [ 30.211049] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.216219] ? printk+0x9e/0xba [ 30.219480] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 30.224219] ? kasan_check_write+0x14/0x20 [ 30.228432] print_address_description+0x6c/0x20b [ 30.233256] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 30.237728] kasan_report.cold.7+0x242/0x2fe [ 30.242129] __asan_report_load8_noabort+0x14/0x20 [ 30.247042] __sctp_v6_cmp_addr+0x4c7/0x530 [ 30.251343] sctp_inet6_cmp_addr+0x169/0x1a0 [ 30.255747] sctp_bind_addr_match+0x20b/0x400 [ 30.260233] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 30.265061] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.270592] ? sctp_v4_available+0x1b1/0x200 [ 30.274993] ? sctp_inet6_bind_verify+0xb2/0x500 [ 30.279735] ? 
__sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 30.285257] sctp_do_bind+0x1c0/0x5f0 [ 30.289043] sctp_bindx_add+0x90/0x1a0 [ 30.292912] sctp_setsockopt_bindx+0x2ad/0x320 [ 30.297478] sctp_setsockopt+0x12c4/0x7000 [ 30.301709] ? mark_held_locks+0xc9/0x160 [ 30.305838] ? page_add_new_anon_rmap+0x3ff/0x850 [ 30.310659] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 30.316353] ? find_held_lock+0x36/0x1c0 [ 30.320397] ? lock_downgrade+0x8e0/0x8e0 [ 30.324524] ? pudp_huge_clear_flush+0x230/0x230 [ 30.329262] ? kasan_check_read+0x11/0x20 [ 30.333397] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.337786] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 30.342351] ? kasan_check_write+0x14/0x20 [ 30.346566] ? do_raw_spin_lock+0xc1/0x200 [ 30.350784] ? _raw_spin_unlock+0x22/0x30 [ 30.354912] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 30.360173] ? __thp_get_unmapped_area+0x180/0x180 [ 30.365086] ? debug_check_no_locks_freed+0x310/0x310 [ 30.370262] ? alloc_file+0x24/0x3e0 [ 30.373959] ? sock_alloc_file+0x1f3/0x4e0 [ 30.378173] ? __sys_socket+0x16f/0x250 [ 30.382144] ? do_syscall_64+0x1b1/0x800 [ 30.386186] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.391539] ? debug_mutex_init+0x1c/0x60 [ 30.395670] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.400670] ? graph_lock+0x170/0x170 [ 30.404449] ? pud_val+0x80/0xf0 [ 30.407793] ? pmd_val+0xf0/0xf0 [ 30.411144] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.416666] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.422199] ? __handle_mm_fault+0x93a/0x4310 [ 30.426683] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 30.431422] ? graph_lock+0x170/0x170 [ 30.435214] ? graph_lock+0x170/0x170 [ 30.439001] ? find_held_lock+0x36/0x1c0 [ 30.443063] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.448591] ? __fget_light+0x2ef/0x430 [ 30.452557] ? fget_raw+0x20/0x20 [ 30.455997] ? lock_downgrade+0x8e0/0x8e0 [ 30.460144] ? handle_mm_fault+0x8c0/0xc70 [ 30.464370] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.469892] ? 
handle_mm_fault+0x55a/0xc70 [ 30.474138] sock_common_setsockopt+0x9a/0xe0 [ 30.478633] __sys_setsockopt+0x1bd/0x390 [ 30.482772] ? kernel_accept+0x310/0x310 [ 30.487253] ? mm_fault_error+0x380/0x380 [ 30.491385] ? __ia32_sys_fallocate+0xf0/0xf0 [ 30.495868] __x64_sys_setsockopt+0xbe/0x150 [ 30.500263] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.505273] do_syscall_64+0x1b1/0x800 [ 30.509144] ? syscall_return_slowpath+0x5c0/0x5c0 [ 30.514066] ? syscall_return_slowpath+0x30f/0x5c0 [ 30.518982] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 30.524330] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.529158] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.534326] RIP: 0033:0x43fda9 [ 30.537492] RSP: 002b:00007ffd826d9c38 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 30.545190] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 30.552438] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 30.559686] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 30.566935] R10: 0000000020d24000 R11: 0000000000000217 R12: 00000000004016d0 [ 30.574184] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 30.581442] [ 30.583054] Allocated by task 4481: [ 30.586687] save_stack+0x43/0xd0 [ 30.590120] kasan_kmalloc+0xc4/0xe0 [ 30.593811] __kmalloc_node+0x47/0x70 [ 30.597590] kvmalloc_node+0x6b/0x100 [ 30.601381] vmemdup_user+0x2d/0xa0 [ 30.604988] sctp_setsockopt_bindx+0x5d/0x320 [ 30.609467] sctp_setsockopt+0x12c4/0x7000 [ 30.613687] sock_common_setsockopt+0x9a/0xe0 [ 30.618169] __sys_setsockopt+0x1bd/0x390 [ 30.622297] __x64_sys_setsockopt+0xbe/0x150 [ 30.626685] do_syscall_64+0x1b1/0x800 [ 30.630572] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.635735] [ 30.637340] Freed by task 2831: [ 30.640607] save_stack+0x43/0xd0 [ 30.644045] __kasan_slab_free+0x11a/0x170 [ 30.648611] kasan_slab_free+0xe/0x10 [ 30.652391] kfree+0xd9/0x260 [ 30.655478] single_release+0x8f/0xb0 [ 30.659272] __fput+0x34d/0x890 [ 30.662531] ____fput+0x15/0x20 [ 
30.665800] task_work_run+0x1e4/0x290 [ 30.669669] exit_to_usermode_loop+0x2bd/0x310 [ 30.674229] do_syscall_64+0x6ac/0x800 [ 30.678095] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.683259] [ 30.684868] The buggy address belongs to the object at ffff8801d7050e40 [ 30.684868] which belongs to the cache kmalloc-32 of size 32 [ 30.697340] The buggy address is located 0 bytes to the right of [ 30.697340] 32-byte region [ffff8801d7050e40, ffff8801d7050e60) [ 30.709453] The buggy address belongs to the page: [ 30.714370] page:ffffea00075c1400 count:1 mapcount:0 mapping:ffff8801d7050000 index:0xffff8801d7050fc1 [ 30.723795] flags: 0x2fffc0000000100(slab) [ 30.728020] raw: 02fffc0000000100 ffff8801d7050000 ffff8801d7050fc1 0000000100000014 [ 30.735891] raw: ffffea00075c12e0 ffffea0006c3d3a0 ffff8801da8001c0 0000000000000000 [ 30.743748] page dumped because: kasan: bad access detected [ 30.749432] [ 30.751038] Memory state around the buggy address: [ 30.755953] ffff8801d7050d00: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc [ 30.763296] ffff8801d7050d80: 00 02 fc fc fc fc fc fc 00 02 fc fc fc fc fc fc [ 30.770637] >ffff8801d7050e00: 00 02 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc [ 30.777970] ^ [ 30.784451] ffff8801d7050e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 30.791791] ffff8801d7050f00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 30.799127] ================================================================== [ 30.806461] Disabling lock debugging due to kernel taint [ 30.811989] Kernel panic - not syncing: panic_on_warn set ... [ 30.811989] [ 30.819368] CPU: 0 PID: 4481 Comm: syz-executor457 Tainted: G B 4.17.0-rc2+ #17 [ 30.828108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.837437] Call Trace: [ 30.840017] dump_stack+0x1b9/0x294 [ 30.843645] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.848826] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.853571] ? 
__sctp_v6_cmp_addr+0x3f0/0x530 [ 30.858056] panic+0x22f/0x4de [ 30.861231] ? add_taint.cold.5+0x16/0x16 [ 30.865362] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.869759] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.874148] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 30.878629] kasan_end_report+0x47/0x4f [ 30.882590] kasan_report.cold.7+0x76/0x2fe [ 30.886893] __asan_report_load8_noabort+0x14/0x20 [ 30.891801] __sctp_v6_cmp_addr+0x4c7/0x530 [ 30.896102] sctp_inet6_cmp_addr+0x169/0x1a0 [ 30.900496] sctp_bind_addr_match+0x20b/0x400 [ 30.904972] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 30.909793] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.915308] ? sctp_v4_available+0x1b1/0x200 [ 30.919696] ? sctp_inet6_bind_verify+0xb2/0x500 [ 30.924431] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 30.930049] sctp_do_bind+0x1c0/0x5f0 [ 30.933830] sctp_bindx_add+0x90/0x1a0 [ 30.937706] sctp_setsockopt_bindx+0x2ad/0x320 [ 30.942266] sctp_setsockopt+0x12c4/0x7000 [ 30.946479] ? mark_held_locks+0xc9/0x160 [ 30.950623] ? page_add_new_anon_rmap+0x3ff/0x850 [ 30.955443] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 30.961136] ? find_held_lock+0x36/0x1c0 [ 30.965178] ? lock_downgrade+0x8e0/0x8e0 [ 30.969305] ? pudp_huge_clear_flush+0x230/0x230 [ 30.974042] ? kasan_check_read+0x11/0x20 [ 30.978167] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.982557] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 30.987123] ? kasan_check_write+0x14/0x20 [ 30.991337] ? do_raw_spin_lock+0xc1/0x200 [ 30.995553] ? _raw_spin_unlock+0x22/0x30 [ 30.999683] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 31.004939] ? __thp_get_unmapped_area+0x180/0x180 [ 31.009852] ? debug_check_no_locks_freed+0x310/0x310 [ 31.015024] ? alloc_file+0x24/0x3e0 [ 31.018723] ? sock_alloc_file+0x1f3/0x4e0 [ 31.022933] ? __sys_socket+0x16f/0x250 [ 31.026887] ? do_syscall_64+0x1b1/0x800 [ 31.030936] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.036280] ? debug_mutex_init+0x1c/0x60 [ 31.040404] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.045400] ? 
graph_lock+0x170/0x170 [ 31.049189] ? pud_val+0x80/0xf0 [ 31.052544] ? pmd_val+0xf0/0xf0 [ 31.055893] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.061409] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.066926] ? __handle_mm_fault+0x93a/0x4310 [ 31.071400] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 31.076134] ? graph_lock+0x170/0x170 [ 31.079912] ? graph_lock+0x170/0x170 [ 31.083689] ? find_held_lock+0x36/0x1c0 [ 31.087733] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.093247] ? __fget_light+0x2ef/0x430 [ 31.097197] ? fget_raw+0x20/0x20 [ 31.100630] ? lock_downgrade+0x8e0/0x8e0 [ 31.104759] ? handle_mm_fault+0x8c0/0xc70 [ 31.108975] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.114488] ? handle_mm_fault+0x55a/0xc70 [ 31.118709] sock_common_setsockopt+0x9a/0xe0 [ 31.123182] __sys_setsockopt+0x1bd/0x390 [ 31.127311] ? kernel_accept+0x310/0x310 [ 31.131365] ? mm_fault_error+0x380/0x380 [ 31.135495] ? __ia32_sys_fallocate+0xf0/0xf0 [ 31.139970] __x64_sys_setsockopt+0xbe/0x150 [ 31.144360] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.149360] do_syscall_64+0x1b1/0x800 [ 31.153229] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.158135] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.163048] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 31.168389] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 31.173212] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.178377] RIP: 0033:0x43fda9 [ 31.181541] RSP: 002b:00007ffd826d9c38 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 31.189227] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 31.196472] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 31.203723] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 31.210970] R10: 0000000020d24000 R11: 0000000000000217 R12: 00000000004016d0 [ 31.218217] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 31.225947] Dumping ftrace buffer: [ 31.229473] (ftrace buffer empty) [ 31.233158] Kernel Offset: disabled [ 31.236762] Rebooting in 86400 seconds..