[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.346117] ==================================================================
[ 33.353556] BUG: KASAN: slab-out-of-bounds in skcipher_null_crypt+0xb0/0x130
[ 33.360732] Write of size 4096 at addr ffff88809bfd0000 by task syz-executor348/8107
[ 33.368587]
[ 33.370210] CPU: 1 PID: 8107 Comm: syz-executor348 Not tainted 4.19.203-syzkaller #0
[ 33.378101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.387439] Call Trace:
[ 33.390029] dump_stack+0x1fc/0x2ef
[ 33.393641] print_address_description.cold+0x54/0x219
[ 33.398919] kasan_report_error.cold+0x8a/0x1b9
[ 33.403658] ? skcipher_null_crypt+0xb0/0x130
[ 33.408144] kasan_report+0x8f/0xa0
[ 33.411751] ? skcipher_null_crypt+0xb0/0x130
[ 33.416236] memcpy+0x35/0x50
[ 33.419324] skcipher_null_crypt+0xb0/0x130
[ 33.423629] ? null_crypt+0x30/0x30
[ 33.427242] ? mark_held_locks+0xf0/0xf0
[ 33.431283] ? kasan_unpoison_shadow+0x33/0x40
[ 33.435845] ? __asan_alloca_poison+0x7a/0xb0
[ 33.440318] ? null_crypt+0x30/0x30
[ 33.443935] skcipher_encrypt_blkcipher+0x1c6/0x290
[ 33.448933] ? skcipher_encrypt_ablkcipher+0x470/0x470
[ 33.454191] ? sg_next+0x76/0xc0
[ 33.457539] ? scatterwalk_ffwd+0x2a3/0x370
[ 33.461840] crypto_authenc_encrypt+0x723/0xad0
[ 33.466495] esp6_output_tail+0x87a/0x1920
[ 33.470716] esp6_output+0x48d/0xa60
[ 33.474414] ? xfrm_output_resume+0x688/0x22b0
[ 33.478987] ? esp_input_done_esn+0x80/0x80
[ 33.483289] ? mark_lock+0xc16/0x1160
[ 33.487070] ? __local_bh_enable_ip+0x159/0x270
[ 33.491718] xfrm_output_resume+0x81d/0x22b0
[ 33.496108] ? xfrm_inner_extract_output+0x3d0/0x3d0
[ 33.501192] ? ip6t_alloc_initial_table+0x6a0/0x6a0
[ 33.506188] ? esp6_get_mtu+0x101/0x1b0
[ 33.510146] ? ah6_err+0x3b0/0x3b0
[ 33.513664] ? xfrm_dev_offload_ok+0xc2/0x690
[ 33.518147] xfrm_output+0x266/0x980
[ 33.521842] ? memset+0x20/0x40
[ 33.525112] __xfrm6_output+0x1c6/0x11e0
[ 33.529164] ? ipv6_confirm+0x41b/0x520
[ 33.533119] ? ip6t_alloc_initial_table+0x630/0x6a0
[ 33.538113] ? xfrm6_local_dontfrag.isra.0+0x1c0/0x1c0
[ 33.543365] ? xfrm6_output+0x2e6/0x510
[ 33.547325] ? lock_downgrade+0x720/0x720
[ 33.551459] ? check_preemption_disabled+0x41/0x280
[ 33.556455] xfrm6_output+0x127/0x510
[ 33.560236] ? xfrm6_output_finish+0x70/0x70
[ 33.564622] ? ip6_output+0x770/0x770
[ 33.568401] ? xfrm6_local_dontfrag.isra.0+0x1c0/0x1c0
[ 33.573656] ? ip6_sk_dst_lookup_flow+0xa70/0xa70
[ 33.578494] ip6_local_out+0xaf/0x170
[ 33.582272] ip6_send_skb+0xb3/0x300
[ 33.585977] ip6_push_pending_frames+0xbd/0xe0
[ 33.590543] rawv6_sendmsg+0x2a81/0x36a0
[ 33.594598] ? compat_rawv6_setsockopt+0x140/0x140
[ 33.599505] ? __might_fault+0xef/0x1d0
[ 33.603467] ? aa_profile_af_perm+0x2e0/0x2e0
[ 33.607971] ? __might_fault+0x192/0x1d0
[ 33.612012] ? _copy_from_user+0xd2/0x130
[ 33.616139] ? rw_copy_check_uvector+0x27c/0x340
[ 33.620881] ? aa_af_perm+0x230/0x230
[ 33.624676] ? kernel_recvmsg+0x220/0x220
[ 33.628820] inet_sendmsg+0x132/0x5a0
[ 33.632610] ? security_socket_sendmsg+0x83/0xb0
[ 33.637366] ? inet_recvmsg+0x5c0/0x5c0
[ 33.641328] sock_sendmsg+0xc3/0x120
[ 33.645111] ___sys_sendmsg+0x7bb/0x8e0
[ 33.649085] ? copy_msghdr_from_user+0x440/0x440
[ 33.653841] ? release_sock+0x1b/0x1b0
[ 33.657713] ? prandom_u32+0x171/0x1f0
[ 33.661600] ? ip6_datagram_connect_v6_only+0x78/0xa0
[ 33.666781] ? aa_sk_perm+0x534/0x930
[ 33.670572] ? inet_autobind+0x190/0x190
[ 33.674631] ? aa_af_perm+0x230/0x230
[ 33.678420] ? __fdget+0x1a0/0x230
[ 33.681947] __x64_sys_sendmsg+0x132/0x220
[ 33.686166] ? __sys_sendmsg+0x1b0/0x1b0
[ 33.690225] ? kernel_accept+0x310/0x310
[ 33.694335] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.699688] ? trace_hardirqs_off_caller+0x6e/0x210
[ 33.704689] ? do_syscall_64+0x21/0x620
[ 33.708646] do_syscall_64+0xf9/0x620
[ 33.712439] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.717607] RIP: 0033:0x43f4b9
[ 33.720780] Code: 1d 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 33.739661] RSP: 002b:00007ffffc29d778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.747350] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f4b9
[ 33.754599] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 33.761857] RBP: 0000000000000005 R08: 6c616b7a79732f2e R09: 6c616b7a79732f2e
[ 33.769109] R10: 00000000000000e8 R11: 0000000000000246 R12: 00000000004034b0
[ 33.776387] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
[ 33.783642]
[ 33.785254] Allocated by task 6253:
[ 33.788864] kmem_cache_alloc+0x122/0x370
[ 33.792996] getname_flags+0xce/0x590
[ 33.796775] do_sys_open+0x26c/0x520
[ 33.800469] do_syscall_64+0xf9/0x620
[ 33.804270] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.809437]
[ 33.811043] Freed by task 6253:
[ 33.814305] kmem_cache_free+0x7f/0x260
[ 33.818259] putname+0xe1/0x120
[ 33.821525] do_sys_open+0x2ba/0x520
[ 33.825219] do_syscall_64+0xf9/0x620
[ 33.829001] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.834163]
[ 33.835776] The buggy address belongs to the object at ffff88809bfd0940
[ 33.835776]  which belongs to the cache names_cache of size 4096
[ 33.848497] The buggy address is located 2368 bytes to the left of
[ 33.848497]  4096-byte region [ffff88809bfd0940, ffff88809bfd1940)
[ 33.860952] The buggy address belongs to the page:
[ 33.865860] page:ffffea00026ff400 count:1 mapcount:0 mapping:ffff88823b843380 index:0x0 compound_mapcount: 0
[ 33.875801] flags: 0xfff00000008100(slab|head)
[ 33.880362] raw: 00fff00000008100 ffffea00026d1b88 ffffea00026ff488 ffff88823b843380
[ 33.888221] raw: 0000000000000000 ffff88809bfd0940 0000000100000001 0000000000000000
[ 33.896071] page dumped because: kasan: bad access detected
[ 33.901759]
[ 33.903362] Memory state around the buggy address:
[ 33.908270]  ffff88809bfcff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.915607]  ffff88809bfcff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.923002] >ffff88809bfd0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.930340]                    ^
[ 33.933685]  ffff88809bfd0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.941032]  ffff88809bfd0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.948370] ==================================================================
[ 33.955708] Disabling lock debugging due to kernel taint
[ 33.961226] Kernel panic - not syncing: panic_on_warn set ...
[ 33.961226]
[ 33.968586] CPU: 1 PID: 8107 Comm: syz-executor348 Tainted: G B 4.19.203-syzkaller #0
[ 33.977848] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.987188] Call Trace:
[ 33.989776] dump_stack+0x1fc/0x2ef
[ 33.993400] panic+0x26a/0x50e
[ 33.996586] ? __warn_printk+0xf3/0xf3
[ 34.000469] ? retint_kernel+0x2d/0x2d
[ 34.004347] ? trace_hardirqs_on+0x55/0x210
[ 34.008647] kasan_end_report+0x43/0x49
[ 34.012599] kasan_report_error.cold+0xa7/0x1b9
[ 34.017247] ? skcipher_null_crypt+0xb0/0x130
[ 34.021721] kasan_report+0x8f/0xa0
[ 34.025326] ? skcipher_null_crypt+0xb0/0x130
[ 34.029799] memcpy+0x35/0x50
[ 34.032882] skcipher_null_crypt+0xb0/0x130
[ 34.037188] ? null_crypt+0x30/0x30
[ 34.040802] ? mark_held_locks+0xf0/0xf0
[ 34.044839] ? kasan_unpoison_shadow+0x33/0x40
[ 34.049397] ? __asan_alloca_poison+0x7a/0xb0
[ 34.053870] ? null_crypt+0x30/0x30
[ 34.057476] skcipher_encrypt_blkcipher+0x1c6/0x290
[ 34.062471] ? skcipher_encrypt_ablkcipher+0x470/0x470
[ 34.067725] ? sg_next+0x76/0xc0
[ 34.071087] ? scatterwalk_ffwd+0x2a3/0x370
[ 34.075388] crypto_authenc_encrypt+0x723/0xad0
[ 34.080039] esp6_output_tail+0x87a/0x1920
[ 34.084256] esp6_output+0x48d/0xa60
[ 34.087945] ? xfrm_output_resume+0x688/0x22b0
[ 34.092505] ? esp_input_done_esn+0x80/0x80
[ 34.096807] ? mark_lock+0xc16/0x1160
[ 34.100584] ? __local_bh_enable_ip+0x159/0x270
[ 34.105234] xfrm_output_resume+0x81d/0x22b0
[ 34.109619] ? xfrm_inner_extract_output+0x3d0/0x3d0
[ 34.114800] ? ip6t_alloc_initial_table+0x6a0/0x6a0
[ 34.119795] ? esp6_get_mtu+0x101/0x1b0
[ 34.123749] ? ah6_err+0x3b0/0x3b0
[ 34.127266] ? xfrm_dev_offload_ok+0xc2/0x690
[ 34.131740] xfrm_output+0x266/0x980
[ 34.135498] ? memset+0x20/0x40
[ 34.138762] __xfrm6_output+0x1c6/0x11e0
[ 34.142820] ? ipv6_confirm+0x41b/0x520
[ 34.146777] ? ip6t_alloc_initial_table+0x630/0x6a0
[ 34.151772] ? xfrm6_local_dontfrag.isra.0+0x1c0/0x1c0
[ 34.157029] ? xfrm6_output+0x2e6/0x510
[ 34.161002] ? lock_downgrade+0x720/0x720
[ 34.165130] ? check_preemption_disabled+0x41/0x280
[ 34.170137] xfrm6_output+0x127/0x510
[ 34.173916] ? xfrm6_output_finish+0x70/0x70
[ 34.178320] ? ip6_output+0x770/0x770
[ 34.182111] ? xfrm6_local_dontfrag.isra.0+0x1c0/0x1c0
[ 34.187365] ? ip6_sk_dst_lookup_flow+0xa70/0xa70
[ 34.192186] ip6_local_out+0xaf/0x170
[ 34.195963] ip6_send_skb+0xb3/0x300
[ 34.199660] ip6_push_pending_frames+0xbd/0xe0
[ 34.204221] rawv6_sendmsg+0x2a81/0x36a0
[ 34.208261] ? compat_rawv6_setsockopt+0x140/0x140
[ 34.213166] ? __might_fault+0xef/0x1d0
[ 34.217119] ? aa_profile_af_perm+0x2e0/0x2e0
[ 34.221591] ? __might_fault+0x192/0x1d0
[ 34.225629] ? _copy_from_user+0xd2/0x130
[ 34.229757] ? rw_copy_check_uvector+0x27c/0x340
[ 34.234492] ? aa_af_perm+0x230/0x230
[ 34.238286] ? kernel_recvmsg+0x220/0x220
[ 34.242414] inet_sendmsg+0x132/0x5a0
[ 34.246192] ? security_socket_sendmsg+0x83/0xb0
[ 34.250922] ? inet_recvmsg+0x5c0/0x5c0
[ 34.254872] sock_sendmsg+0xc3/0x120
[ 34.258565] ___sys_sendmsg+0x7bb/0x8e0
[ 34.262516] ? copy_msghdr_from_user+0x440/0x440
[ 34.267251] ? release_sock+0x1b/0x1b0
[ 34.271118] ? prandom_u32+0x171/0x1f0
[ 34.274983] ? ip6_datagram_connect_v6_only+0x78/0xa0
[ 34.280173] ? aa_sk_perm+0x534/0x930
[ 34.283978] ? inet_autobind+0x190/0x190
[ 34.288019] ? aa_af_perm+0x230/0x230
[ 34.291802] ? __fdget+0x1a0/0x230
[ 34.295323] __x64_sys_sendmsg+0x132/0x220
[ 34.299546] ? __sys_sendmsg+0x1b0/0x1b0
[ 34.303586] ? kernel_accept+0x310/0x310
[ 34.307628] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.313010] ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.318005] ? do_syscall_64+0x21/0x620
[ 34.321959] do_syscall_64+0xf9/0x620
[ 34.325751] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.330916] RIP: 0033:0x43f4b9
[ 34.334088] Code: 1d 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 34.352965] RSP: 002b:00007ffffc29d778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 34.360648] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f4b9
[ 34.367893] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 34.375149] RBP: 0000000000000005 R08: 6c616b7a79732f2e R09: 6c616b7a79732f2e
[ 34.382397] R10: 00000000000000e8 R11: 0000000000000246 R12: 00000000004034b0
[ 34.389650] R13: 0000000000000000 R14: 00000000004ad018 R15: 0000000000400488
[ 34.398130] Kernel Offset: disabled
[ 34.401741] Rebooting in 86400 seconds..