[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   58.401507][ T6834] sctp: [Deprecated]: syz-executor496 (pid 6834) Use of struct sctp_assoc_value in delayed_ack socket option.
[   58.401507][ T6834] Use struct sctp_sack_info instead
[   58.418425][ T6834] ==================================================================
[   58.426551][ T6834] BUG: KASAN: slab-out-of-bounds in sctp_setsockopt+0x9488/0x95e0
[   58.434332][ T6834] Write of size 4 at addr ffff8880a2709288 by task syz-executor496/6834
[   58.442623][ T6834] 
[   58.444930][ T6834] CPU: 0 PID: 6834 Comm: syz-executor496 Not tainted 5.8.0-rc4-syzkaller #0
[   58.453569][ T6834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.463614][ T6834] Call Trace:
[   58.466891][ T6834]  dump_stack+0x18f/0x20d
[   58.471201][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   58.476286][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   58.481375][ T6834]  print_address_description.constprop.0.cold+0xae/0x436
[   58.488372][ T6834]  ? printk+0xba/0xed
[   58.492332][ T6834]  ? lockdep_hardirqs_off+0x66/0xa0
[   58.497516][ T6834]  ? vprintk_func+0x97/0x1a6
[   58.502083][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   58.507166][ T6834]  kasan_report.cold+0x1f/0x37
[   58.511914][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   58.517007][ T6834]  sctp_setsockopt+0x9488/0x95e0
[   58.521923][ T6834]  ? aa_af_perm+0x230/0x230
[   58.526416][ T6834]  ? handle_mm_fault+0xad9/0x43f0
[   58.531419][ T6834]  ? __sctp_setsockopt_connectx+0x140/0x140
[   58.537333][ T6834]  ? sock_common_recvmsg+0x1a0/0x1a0
[   58.542599][ T6834]  __sys_setsockopt+0x337/0x6a0
[   58.547428][ T6834]  ? __ia32_sys_recv+0x100/0x100
[   58.552438][ T6834]  ? vmacache_update+0xce/0x140
[   58.557294][ T6834]  ? lock_is_held_type+0xb0/0xe0
[   58.562213][ T6834]  ? lock_is_held_type+0xb0/0xe0
[   58.567130][ T6834]  __x64_sys_setsockopt+0xba/0x150
[   58.572223][ T6834]  ? lockdep_hardirqs_on+0x6a/0xe0
[   58.577318][ T6834]  do_syscall_64+0x60/0xe0
[   58.581716][ T6834]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.587592][ T6834] RIP: 0033:0x440229
[   58.591455][ T6834] Code: Bad RIP value.
[   58.595494][ T6834] RSP: 002b:00007ffc07ceda28 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[   58.603878][ T6834] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440229
[   58.611824][ T6834] RDX: 0000000000000010 RSI: 0000000000000084 RDI: 0000000000000003
[   58.619780][ T6834] RBP: 00000000006ca018 R08: 0000000000000008 R09: 00000000004002c8
[   58.627735][ T6834] R10: 0000000020000100 R11: 0000000000000246 R12: 0000000000401a30
[   58.635691][ T6834] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[   58.643645][ T6834] 
[   58.645948][ T6834] Allocated by task 6834:
[   58.650256][ T6834]  save_stack+0x1b/0x40
[   58.654386][ T6834]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   58.660006][ T6834]  __kmalloc_track_caller+0x178/0x330
[   58.665352][ T6834]  memdup_user+0x22/0xd0
[   58.669570][ T6834]  sctp_setsockopt+0x17a/0x95e0
[   58.674394][ T6834]  __sys_setsockopt+0x337/0x6a0
[   58.679231][ T6834]  __x64_sys_setsockopt+0xba/0x150
[   58.684326][ T6834]  do_syscall_64+0x60/0xe0
[   58.688719][ T6834]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.694580][ T6834] 
[   58.696881][ T6834] Freed by task 4827:
[   58.700846][ T6834]  save_stack+0x1b/0x40
[   58.705061][ T6834]  __kasan_slab_free+0xf5/0x140
[   58.709888][ T6834]  kfree+0x103/0x2c0
[   58.713774][ T6834]  tomoyo_path2_perm+0x28a/0x600
[   58.718698][ T6834]  tomoyo_path_rename+0xd2/0x130
[   58.723608][ T6834]  security_path_rename+0x1b5/0x2e0
[   58.728782][ T6834]  do_renameat2+0x481/0xbf0
[   58.733256][ T6834]  __x64_sys_rename+0x5d/0x80
[   58.737907][ T6834]  do_syscall_64+0x60/0xe0
[   58.742299][ T6834]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.748159][ T6834] 
[   58.750477][ T6834] The buggy address belongs to the object at ffff8880a2709280
[   58.750477][ T6834]  which belongs to the cache kmalloc-32 of size 32
[   58.764330][ T6834] The buggy address is located 8 bytes inside of
[   58.764330][ T6834]  32-byte region [ffff8880a2709280, ffff8880a27092a0)
[   58.777320][ T6834] The buggy address belongs to the page:
[   58.782930][ T6834] page:ffffea000289c240 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a2709fc1
[   58.793325][ T6834] flags: 0xfffe0000000200(slab)
[   58.798164][ T6834] raw: 00fffe0000000200 ffffea00026c1108 ffffea00026ae848 ffff8880aa0001c0
[   58.806909][ T6834] raw: ffff8880a2709fc1 ffff8880a2709000 000000010000003f 0000000000000000
[   58.815724][ T6834] page dumped because: kasan: bad access detected
[   58.822118][ T6834] 
[   58.824418][ T6834] Memory state around the buggy address:
[   58.830034][ T6834]  ffff8880a2709180: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc
[   58.838068][ T6834]  ffff8880a2709200: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   58.846104][ T6834] >ffff8880a2709280: 00 fc fc fc fc fc fc fc 05 fc fc fc fc fc fc fc
[   58.854134][ T6834]                       ^
[   58.858435][ T6834]  ffff8880a2709300: fb fb fb fb fc fc fc fc 06 fc fc fc fc fc fc fc
[   58.866483][ T6834]  ffff8880a2709380: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc
[   58.874526][ T6834] ==================================================================
[   58.882557][ T6834] Disabling lock debugging due to kernel taint
[   58.918603][ T6834] Kernel panic - not syncing: panic_on_warn set ...
[   58.925212][ T6834] CPU: 0 PID: 6834 Comm: syz-executor496 Tainted: G    B             5.8.0-rc4-syzkaller #0
[   58.935263][ T6834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.945306][ T6834] Call Trace:
[   58.948596][ T6834]  dump_stack+0x18f/0x20d
[   58.952922][ T6834]  ? sctp_setsockopt+0x93f0/0x95e0
[   58.958037][ T6834]  panic+0x2e3/0x75c
[   58.961918][ T6834]  ? __warn_printk+0xf3/0xf3
[   58.966485][ T6834]  ? preempt_schedule_common+0x59/0xc0
[   58.971916][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   58.977003][ T6834]  ? preempt_schedule_thunk+0x16/0x18
[   58.982361][ T6834]  ? trace_hardirqs_on+0x55/0x220
[   58.987356][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   58.992437][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   58.997518][ T6834]  end_report+0x4d/0x53
[   59.001647][ T6834]  kasan_report.cold+0xd/0x37
[   59.006315][ T6834]  ? sctp_setsockopt+0x9488/0x95e0
[   59.011399][ T6834]  sctp_setsockopt+0x9488/0x95e0
[   59.016314][ T6834]  ? aa_af_perm+0x230/0x230
[   59.020790][ T6834]  ? handle_mm_fault+0xad9/0x43f0
[   59.025795][ T6834]  ? __sctp_setsockopt_connectx+0x140/0x140
[   59.031676][ T6834]  ? sock_common_recvmsg+0x1a0/0x1a0
[   59.036930][ T6834]  __sys_setsockopt+0x337/0x6a0
[   59.041760][ T6834]  ? __ia32_sys_recv+0x100/0x100
[   59.046680][ T6834]  ? vmacache_update+0xce/0x140
[   59.051517][ T6834]  ? lock_is_held_type+0xb0/0xe0
[   59.056425][ T6834]  ? lock_is_held_type+0xb0/0xe0
[   59.061335][ T6834]  __x64_sys_setsockopt+0xba/0x150
[   59.066419][ T6834]  ? lockdep_hardirqs_on+0x6a/0xe0
[   59.071503][ T6834]  do_syscall_64+0x60/0xe0
[   59.075894][ T6834]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.081756][ T6834] RIP: 0033:0x440229
[   59.085645][ T6834] Code: Bad RIP value.
[   59.089692][ T6834] RSP: 002b:00007ffc07ceda28 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[   59.098083][ T6834] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440229
[   59.106039][ T6834] RDX: 0000000000000010 RSI: 0000000000000084 RDI: 0000000000000003
[   59.113983][ T6834] RBP: 00000000006ca018 R08: 0000000000000008 R09: 00000000004002c8
[   59.121927][ T6834] R10: 0000000020000100 R11: 0000000000000246 R12: 0000000000401a30
[   59.129890][ T6834] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[   59.138913][ T6834] Kernel Offset: disabled
[   59.143239][ T6834] Rebooting in 86400 seconds..
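Reading the report above. "located 8 bytes inside of 32-byte region" describes the kmalloc-32 slab slot, not the size that was requested, so it reads as in-bounds when it is not. The shadow rows settle it: the granule at ffff8880a2709280 is 00 (all 8 bytes addressable) and the next one, covering the written address ffff8880a2709288, is fc (kmalloc redzone), so the object held 8 usable bytes and the 4-byte write begins in the redzone. That matches the rest of the log: the allocation is memdup_user in sctp_setsockopt (the kernel copy of the user optval), and the register dump decodes with the x86-64 syscall ABI (rdi, rsi, rdx, r10, r8) as setsockopt(3, 0x84 = IPPROTO_SCTP, 0x10 = SCTP_DELAYED_SACK, 0x20000100, 8): optlen 8 is sizeof(struct sctp_assoc_value), which is exactly the deprecated form named in the warning just before the BUG line, and offset 8 is where sack_freq sits in the 12-byte struct sctp_sack_info the handler expects. The decoder below is an added example, not part of the syzkaller report or of the kernel; it embeds the five shadow rows copied from the report, uses generic KASAN's shadow encoding (one shadow byte per 8-byte granule; 00 fully addressable, 01..07 that many leading bytes addressable, 0xfc kmalloc redzone, 0xfb freed object), and its function names are its own.

```c
/*
 * Decode the "Memory state around the buggy address" rows of a KASAN
 * report to find (a) the requested size of the object and (b) the first
 * byte of an access that lands on poisoned shadow.
 *
 * Added example, not part of the report. Shadow rows are copied from the
 * report above; encoding is generic KASAN (8-byte granules).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE    8    /* bytes of memory covered by one shadow byte */
#define ROW_BYTES 16    /* shadow bytes per printed row (128 bytes of memory) */

#define SHADOW_KMALLOC_REDZONE 0xfc
#define SHADOW_KMALLOC_FREE    0xfb

struct shadow_row {
    uint64_t base;          /* address of the first granule in the row */
    uint8_t  s[ROW_BYTES];
};

/* Rows copied from the report's "Memory state" block. */
static const struct shadow_row rows[] = {
    { 0xffff8880a2709180ULL, {0x06,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0x06,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc} },
    { 0xffff8880a2709200ULL, {0x06,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfb,0xfb,0xfb,0xfb,0xfc,0xfc,0xfc,0xfc} },
    { 0xffff8880a2709280ULL, {0x00,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0x05,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc} },
    { 0xffff8880a2709300ULL, {0xfb,0xfb,0xfb,0xfb,0xfc,0xfc,0xfc,0xfc,0x06,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc} },
    { 0xffff8880a2709380ULL, {0x06,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0x06,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc} },
};

/* Shadow byte covering addr, or -1 if addr is outside the dumped rows. */
static int shadow_at(uint64_t addr)
{
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        uint64_t end = rows[i].base + (uint64_t)ROW_BYTES * GRANULE;
        if (addr >= rows[i].base && addr < end)
            return rows[i].s[(addr - rows[i].base) / GRANULE];
    }
    return -1;
}

/* 1 if the byte at addr is addressable, 0 if poisoned, -1 if not in the dump. */
static int byte_addressable(uint64_t addr)
{
    int s = shadow_at(addr);
    if (s < 0)
        return -1;
    if (s == 0)
        return 1;                                   /* whole granule valid */
    if (s < GRANULE)
        return (addr % GRANULE) < (uint64_t)s;      /* partial granule: first s bytes */
    return 0;                                       /* 0xf1..0xff: a poison value */
}

static const char *poison_name(int s)
{
    switch (s) {
    case SHADOW_KMALLOC_REDZONE: return "kmalloc redzone";
    case SHADOW_KMALLOC_FREE:    return "freed object";
    default:                     return "other poison";
    }
}

/* Offset of the first non-addressable byte in [addr, addr + size), or -1 if
 * every byte of the access is inside the allocation. */
static long first_bad_offset(uint64_t addr, size_t size)
{
    for (size_t off = 0; off < size; off++)
        if (byte_addressable(addr + off) != 1)
            return (long)off;
    return -1;
}

/* Requested size of the object starting at obj: addressable bytes up to the
 * first poisoned one. This is the kmalloc() argument, not the cache's size. */
static size_t usable_size(uint64_t obj)
{
    size_t n = 0;
    while (byte_addressable(obj + n) == 1)
        n++;
    return n;
}

int main(void)
{
    /* Values from the report's "Write of size 4 at addr ..." and "object at" lines. */
    uint64_t obj = 0xffff8880a2709280ULL, addr = 0xffff8880a2709288ULL;
    size_t size = 4;

    printf("object %#llx: %zu usable bytes (cache object size is 32)\n",
           (unsigned long long)obj, usable_size(obj));
    long bad = first_bad_offset(addr, size);
    if (bad >= 0)
        printf("write of %zu at %#llx: byte +%ld is %s (shadow %#x)\n",
               size, (unsigned long long)addr, bad,
               poison_name(shadow_at(addr + (uint64_t)bad)),
               shadow_at(addr + (uint64_t)bad));
    return 0;
}
```

Two things the decoder makes visible that the prose of the report does not: the neighbouring slot at ffff8880a2709240 is fb (a freed object), which is why the "Freed by task 4827" stack (a TOMOYO path check during rename) appears at all; it is the previous occupant of nearby memory and has nothing to do with this write, so for a slab-out-of-bounds the "Allocated by" stack is the one to follow. And because the usable size is derived from the shadow rather than from the cache name, the same code reads any generic-KASAN report's rows, not just this one.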