INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 31.246781] ================================================================== [ 31.254241] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.261413] Read of size 8 at addr ffff8801d96eb3a0 by task syzkaller045501/4516 [ 31.268923] [ 31.270538] CPU: 1 PID: 4516 Comm: syzkaller045501 Not tainted 4.17.0-rc1+ #10 [ 31.277882] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.287214] Call Trace: [ 31.289788] dump_stack+0x1b9/0x294 [ 31.293399] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.298570] ? printk+0x9e/0xba [ 31.301831] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.306577] ? kasan_check_write+0x14/0x20 [ 31.310802] print_address_description+0x6c/0x20b [ 31.315627] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.320113] kasan_report.cold.7+0x242/0x2fe [ 31.324507] __asan_report_load8_noabort+0x14/0x20 [ 31.329419] __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.333725] sctp_inet6_cmp_addr+0x169/0x1a0 [ 31.338119] sctp_bind_addr_match+0x20b/0x400 [ 31.342606] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 31.347433] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.352954] ? sctp_v4_available+0x1b1/0x200 [ 31.357346] ? sctp_inet6_bind_verify+0xb2/0x500 [ 31.362083] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 31.367601] sctp_do_bind+0x1c0/0x5f0 [ 31.371391] sctp_bindx_add+0x90/0x1a0 [ 31.375264] sctp_setsockopt_bindx+0x2ad/0x320 [ 31.379842] sctp_setsockopt+0x12c4/0x7000 [ 31.384066] ? mark_held_locks+0xc9/0x160 [ 31.388204] ? page_add_new_anon_rmap+0x3ff/0x850 [ 31.393040] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 31.398739] ? find_held_lock+0x36/0x1c0 [ 31.402788] ? lock_downgrade+0x8e0/0x8e0 [ 31.406918] ? pudp_huge_clear_flush+0x230/0x230 [ 31.411660] ? kasan_check_read+0x11/0x20 [ 31.415791] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.420189] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 31.424761] ? kasan_check_write+0x14/0x20 [ 31.428987] ? do_raw_spin_lock+0xc1/0x200 [ 31.433216] ? _raw_spin_unlock+0x22/0x30 [ 31.437348] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 31.442613] ? __thp_get_unmapped_area+0x180/0x180 [ 31.447534] ? debug_check_no_locks_freed+0x310/0x310 [ 31.452720] ? alloc_file+0x24/0x3e0 [ 31.456425] ? sock_alloc_file+0x1f3/0x4e0 [ 31.460648] ? __sys_socket+0x16f/0x250 [ 31.464605] ? do_syscall_64+0x1b1/0x800 [ 31.468648] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.474004] ? debug_mutex_init+0x1c/0x60 [ 31.478143] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.483142] ? graph_lock+0x170/0x170 [ 31.486925] ? pud_val+0x80/0xf0 [ 31.490273] ? pmd_val+0xf0/0xf0 [ 31.493625] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.499147] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.504665] ? __handle_mm_fault+0x93a/0x4310 [ 31.509145] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 31.513884] ? graph_lock+0x170/0x170 [ 31.517666] ? graph_lock+0x170/0x170 [ 31.521446] ? find_held_lock+0x36/0x1c0 [ 31.525517] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.531058] ? __fget_light+0x2ef/0x430 [ 31.535036] ? fget_raw+0x20/0x20 [ 31.538484] ? lock_downgrade+0x8e0/0x8e0 [ 31.542892] ? handle_mm_fault+0x8c0/0xc70 [ 31.547112] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.552634] ? handle_mm_fault+0x55a/0xc70 [ 31.556859] sock_common_setsockopt+0x9a/0xe0 [ 31.561345] __sys_setsockopt+0x1bd/0x390 [ 31.565495] ? kernel_accept+0x310/0x310 [ 31.569552] ? mm_fault_error+0x380/0x380 [ 31.573687] ? __ia32_sys_fallocate+0xf0/0xf0 [ 31.578169] __x64_sys_setsockopt+0xbe/0x150 [ 31.582568] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.587569] do_syscall_64+0x1b1/0x800 [ 31.591442] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 31.596271] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.601196] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.606112] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.611639] ? retint_user+0x18/0x18 [ 31.615357] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.620198] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.625372] RIP: 0033:0x43fda9 [ 31.628544] RSP: 002b:00007ffc1ffd3ef8 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 31.636244] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 31.643498] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 31.650757] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 31.658021] R10: 0000000020000140 R11: 0000000000000217 R12: 00000000004016d0 [ 31.665284] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 31.672545] [ 31.674161] Allocated by task 4516: [ 31.677775] save_stack+0x43/0xd0 [ 31.681216] kasan_kmalloc+0xc4/0xe0 [ 31.684922] __kmalloc_node+0x47/0x70 [ 31.688704] kvmalloc_node+0x6b/0x100 [ 31.692486] vmemdup_user+0x2d/0xa0 [ 31.696095] sctp_setsockopt_bindx+0x5d/0x320 [ 31.700573] sctp_setsockopt+0x12c4/0x7000 [ 31.704792] sock_common_setsockopt+0x9a/0xe0 [ 31.709272] __sys_setsockopt+0x1bd/0x390 [ 31.713425] __x64_sys_setsockopt+0xbe/0x150 [ 31.717828] do_syscall_64+0x1b1/0x800 [ 31.721699] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.726874] [ 31.728480] Freed by task 2852: [ 31.731745] save_stack+0x43/0xd0 [ 31.735182] __kasan_slab_free+0x11a/0x170 [ 31.739398] kasan_slab_free+0xe/0x10 [ 31.743183] kfree+0xd9/0x260 [ 31.746276] single_release+0x8f/0xb0 [ 31.750068] __fput+0x34d/0x890 [ 31.753338] ____fput+0x15/0x20 [ 31.756617] task_work_run+0x1e4/0x290 [ 31.760496] exit_to_usermode_loop+0x2bd/0x310 [ 31.765059] do_syscall_64+0x6ac/0x800 [ 31.768938] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.774104] [ 31.775720] The buggy address belongs to the object at ffff8801d96eb380 [ 31.775720] which belongs to the cache kmalloc-32 of size 32 [ 31.788186] The buggy address is located 0 bytes to the right of [ 31.788186] 32-byte region [ffff8801d96eb380, ffff8801d96eb3a0) [ 31.800302] The buggy address belongs to the page: [ 31.805226] page:ffffea000765bac0 count:1 mapcount:0 mapping:ffff8801d96eb000 index:0xffff8801d96ebfc1 [ 31.814660] flags: 0x2fffc0000000100(slab) [ 31.818880] raw: 02fffc0000000100 ffff8801d96eb000 ffff8801d96ebfc1 000000010000001e [ 31.826746] raw: ffffea0007652de0 ffffea000766c660 ffff8801da8001c0 0000000000000000 [ 31.834604] page dumped because: kasan: bad access detected [ 31.840296] [ 31.841902] Memory state around the buggy address: [ 31.846817] ffff8801d96eb280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 31.854161] ffff8801d96eb300: 00 00 04 fc fc fc fc fc 00 00 00 00 fc fc fc fc [ 31.861506] >ffff8801d96eb380: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc [ 31.868855] ^ [ 31.873247] ffff8801d96eb400: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc [ 31.880587] ffff8801d96eb480: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc [ 31.887933] ================================================================== [ 31.895307] Disabling lock debugging due to kernel taint [ 31.900824] Kernel panic - not syncing: panic_on_warn set ... [ 31.900824] [ 31.908202] CPU: 1 PID: 4516 Comm: syzkaller045501 Tainted: G B 4.17.0-rc1+ #10 [ 31.916953] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.926293] Call Trace: [ 31.929127] dump_stack+0x1b9/0x294 [ 31.932741] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.937922] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.942666] ? __sctp_v6_cmp_addr+0x4a0/0x530 [ 31.947147] panic+0x22f/0x4de [ 31.950319] ? add_taint.cold.5+0x16/0x16 [ 31.954460] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.958853] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.963245] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.967721] kasan_end_report+0x47/0x4f [ 31.971676] kasan_report.cold.7+0x76/0x2fe [ 31.975982] __asan_report_load8_noabort+0x14/0x20 [ 31.980896] __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.985203] sctp_inet6_cmp_addr+0x169/0x1a0 [ 31.989598] sctp_bind_addr_match+0x20b/0x400 [ 31.994078] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 31.998907] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.004435] ? sctp_v4_available+0x1b1/0x200 [ 32.008840] ? sctp_inet6_bind_verify+0xb2/0x500 [ 32.013582] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 32.019110] sctp_do_bind+0x1c0/0x5f0 [ 32.022896] sctp_bindx_add+0x90/0x1a0 [ 32.026765] sctp_setsockopt_bindx+0x2ad/0x320 [ 32.031329] sctp_setsockopt+0x12c4/0x7000 [ 32.035544] ? mark_held_locks+0xc9/0x160 [ 32.039674] ? page_add_new_anon_rmap+0x3ff/0x850 [ 32.044498] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 32.050196] ? find_held_lock+0x36/0x1c0 [ 32.054246] ? lock_downgrade+0x8e0/0x8e0 [ 32.058383] ? pudp_huge_clear_flush+0x230/0x230 [ 32.063128] ? kasan_check_read+0x11/0x20 [ 32.067262] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.071656] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 32.076217] ? kasan_check_write+0x14/0x20 [ 32.080434] ? do_raw_spin_lock+0xc1/0x200 [ 32.084655] ? _raw_spin_unlock+0x22/0x30 [ 32.088786] ? do_huge_pmd_anonymous_page+0x48d/0x1cc0 [ 32.094047] ? __thp_get_unmapped_area+0x180/0x180 [ 32.098960] ? debug_check_no_locks_freed+0x310/0x310 [ 32.104130] ? alloc_file+0x24/0x3e0 [ 32.107835] ? sock_alloc_file+0x1f3/0x4e0 [ 32.112052] ? __sys_socket+0x16f/0x250 [ 32.116009] ? do_syscall_64+0x1b1/0x800 [ 32.120057] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.125403] ? debug_mutex_init+0x1c/0x60 [ 32.129530] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.134523] ? graph_lock+0x170/0x170 [ 32.138302] ? pud_val+0x80/0xf0 [ 32.141649] ? pmd_val+0xf0/0xf0 [ 32.144997] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.150520] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.156040] ? __handle_mm_fault+0x93a/0x4310 [ 32.160517] ? vm_insert_mixed_mkwrite+0x40/0x40 [ 32.165263] ? graph_lock+0x170/0x170 [ 32.169050] ? graph_lock+0x170/0x170 [ 32.172834] ? find_held_lock+0x36/0x1c0 [ 32.176881] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.182413] ? __fget_light+0x2ef/0x430 [ 32.186379] ? fget_raw+0x20/0x20 [ 32.189822] ? lock_downgrade+0x8e0/0x8e0 [ 32.193950] ? handle_mm_fault+0x8c0/0xc70 [ 32.198168] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.203684] ? handle_mm_fault+0x55a/0xc70 [ 32.207897] sock_common_setsockopt+0x9a/0xe0 [ 32.212380] __sys_setsockopt+0x1bd/0x390 [ 32.216525] ? kernel_accept+0x310/0x310 [ 32.220580] ? mm_fault_error+0x380/0x380 [ 32.224710] ? __ia32_sys_fallocate+0xf0/0xf0 [ 32.229195] __x64_sys_setsockopt+0xbe/0x150 [ 32.233585] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.238581] do_syscall_64+0x1b1/0x800 [ 32.242446] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 32.247268] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.252178] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.257093] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.262617] ? retint_user+0x18/0x18 [ 32.266320] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.271160] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.276326] RIP: 0033:0x43fda9 [ 32.279494] RSP: 002b:00007ffc1ffd3ef8 EFLAGS: 00000217 ORIG_RAX: 0000000000000036 [ 32.287180] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 32.294437] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000003 [ 32.301688] RBP: 00000000006ca018 R08: 0000000000000020 R09: 00000000004002c8 [ 32.308948] R10: 0000000020000140 R11: 0000000000000217 R12: 00000000004016d0 [ 32.316199] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 32.323927] Dumping ftrace buffer: [ 32.327447] (ftrace buffer empty) [ 32.331141] Kernel Offset: disabled [ 32.334756] Rebooting in 86400 seconds..