[info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 19.615319] sshd (4444) used greatest stack depth: 16248 bytes left Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 26.059868] ================================================================== [ 26.067331] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 26.074498] Read of size 8 at addr ffff8801d9693190 by task syzkaller162543/4490 [ 26.082004] [ 26.083622] CPU: 0 PID: 4490 Comm: syzkaller162543 Not tainted 4.17.0-rc1+ #10 [ 26.090973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.100302] Call Trace: [ 26.102871] dump_stack+0x1b9/0x294 [ 26.106480] ? dump_stack_print_info.cold.2+0x52/0x52 [ 26.111647] ? printk+0x9e/0xba [ 26.114905] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 26.119642] ? kasan_check_write+0x14/0x20 [ 26.123856] print_address_description+0x6c/0x20b [ 26.128676] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 26.133149] kasan_report.cold.7+0x242/0x2fe [ 26.137537] __asan_report_load8_noabort+0x14/0x20 [ 26.142444] __sctp_v6_cmp_addr+0x4c7/0x530 [ 26.146744] sctp_inet6_cmp_addr+0x169/0x1a0 [ 26.151133] sctp_bind_addr_conflict+0x28c/0x470 [ 26.155868] ? sctp_bind_addr_match+0x400/0x400 [ 26.160518] ? kasan_check_write+0x14/0x20 [ 26.164730] ? do_raw_spin_lock+0xc1/0x200 [ 26.168944] sctp_get_port_local+0x9fc/0x1540 [ 26.173417] ? print_irqtrace_events+0x95/0x1fa [ 26.178063] ? sctp_set_owner_w+0x530/0x530 [ 26.182365] ? kasan_check_read+0x11/0x20 [ 26.186494] ? rcu_is_watching+0x85/0x140 [ 26.190623] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 26.195804] ? sctp_bind_addr_match+0x2c6/0x400 [ 26.200460] ? 
sctp_bind_addrs_to_raw+0x370/0x370 [ 26.205284] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.210799] ? sctp_v4_available+0x1b1/0x200 [ 26.215190] ? sctp_inet6_bind_verify+0xb2/0x500 [ 26.219925] sctp_do_bind+0x21c/0x5f0 [ 26.223707] sctp_bindx_add+0x90/0x1a0 [ 26.227574] sctp_setsockopt_bindx+0x2ad/0x320 [ 26.232139] sctp_setsockopt+0x12c4/0x7000 [ 26.236355] ? __lock_acquire+0x7f5/0x5140 [ 26.240567] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 26.246259] ? debug_check_no_locks_freed+0x310/0x310 [ 26.251430] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.256948] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 26.262034] ? futex_wait+0x5c1/0x9f0 [ 26.265819] ? futex_wait_setup+0x400/0x400 [ 26.270120] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 26.275291] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.280805] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 26.285885] ? futex_wake+0x2f6/0x750 [ 26.289665] ? get_futex_key+0x1e90/0x1e90 [ 26.293877] ? graph_lock+0x170/0x170 [ 26.297663] ? sock_alloc_file+0x1f3/0x4e0 [ 26.301876] ? __sys_socket+0x16f/0x250 [ 26.305828] ? __x64_sys_socket+0x73/0xb0 [ 26.309956] ? find_held_lock+0x36/0x1c0 [ 26.314012] ? lock_downgrade+0x8e0/0x8e0 [ 26.318150] ? kasan_check_read+0x11/0x20 [ 26.322278] ? rcu_is_watching+0x85/0x140 [ 26.326405] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 26.331582] ? __fget+0x40c/0x650 [ 26.335026] ? expand_files.part.8+0x9a0/0x9a0 [ 26.339590] ? lock_downgrade+0x8e0/0x8e0 [ 26.343720] ? kasan_check_read+0x11/0x20 [ 26.347847] ? __lock_is_held+0xb5/0x140 [ 26.351887] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 26.357060] ? __fget_light+0x2ef/0x430 [ 26.361024] ? fget_raw+0x20/0x20 [ 26.364461] ? get_unused_fd_flags+0x190/0x190 [ 26.369033] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.374548] ? alloc_file+0x44/0x3e0 [ 26.378244] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 26.383758] ? 
sock_alloc_file+0x2a4/0x4e0 [ 26.387974] sock_common_setsockopt+0x9a/0xe0 [ 26.392708] __sys_setsockopt+0x1bd/0x390 [ 26.396836] ? kernel_accept+0x310/0x310 [ 26.400878] ? do_futex+0x27d0/0x27d0 [ 26.404658] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 26.409223] __x64_sys_setsockopt+0xbe/0x150 [ 26.413607] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 26.418602] do_syscall_64+0x1b1/0x800 [ 26.422466] ? finish_task_switch+0x1ca/0x810 [ 26.426937] ? syscall_return_slowpath+0x5c0/0x5c0 [ 26.431847] ? syscall_return_slowpath+0x30f/0x5c0 [ 26.436755] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 26.442150] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.446971] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.452137] RIP: 0033:0x445839 [ 26.455303] RSP: 002b:00007ff9161e2d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 26.462989] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445839 [ 26.470238] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 26.477485] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000a6fe [ 26.484733] R10: 00000000205ba000 R11: 0000000000000246 R12: 0000000000000000 [ 26.491982] R13: 00007fff0159530f R14: 00007ff9161e39c0 R15: 0000000000000003 [ 26.499237] [ 26.500841] Allocated by task 4490: [ 26.504452] save_stack+0x43/0xd0 [ 26.507881] kasan_kmalloc+0xc4/0xe0 [ 26.511574] __kmalloc_node+0x47/0x70 [ 26.515350] kvmalloc_node+0x6b/0x100 [ 26.519138] vmemdup_user+0x2d/0xa0 [ 26.522753] sctp_setsockopt_bindx+0x5d/0x320 [ 26.527231] sctp_setsockopt+0x12c4/0x7000 [ 26.531444] sock_common_setsockopt+0x9a/0xe0 [ 26.535919] __sys_setsockopt+0x1bd/0x390 [ 26.540045] __x64_sys_setsockopt+0xbe/0x150 [ 26.544435] do_syscall_64+0x1b1/0x800 [ 26.548300] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.553462] [ 26.555073] Freed by task 2842: [ 26.558333] save_stack+0x43/0xd0 [ 26.561762] __kasan_slab_free+0x11a/0x170 [ 26.565975] kasan_slab_free+0xe/0x10 [ 26.569750] kfree+0xd9/0x260 [ 26.572836] single_release+0x8f/0xb0 [ 26.576613] 
__fput+0x34d/0x890 [ 26.579867] ____fput+0x15/0x20 [ 26.583124] task_work_run+0x1e4/0x290 [ 26.586989] exit_to_usermode_loop+0x2bd/0x310 [ 26.591550] do_syscall_64+0x6ac/0x800 [ 26.595427] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.600588] [ 26.602194] The buggy address belongs to the object at ffff8801d9693180 [ 26.602194] which belongs to the cache kmalloc-32 of size 32 [ 26.614653] The buggy address is located 16 bytes inside of [ 26.614653] 32-byte region [ffff8801d9693180, ffff8801d96931a0) [ 26.626327] The buggy address belongs to the page: [ 26.631231] page:ffffea000765a4c0 count:1 mapcount:0 mapping:ffff8801d9693000 index:0xffff8801d9693fc1 [ 26.640652] flags: 0x2fffc0000000100(slab) [ 26.644868] raw: 02fffc0000000100 ffff8801d9693000 ffff8801d9693fc1 0000000100000016 [ 26.652733] raw: ffffea000766c660 ffffea000765a220 ffff8801da8001c0 0000000000000000 [ 26.660587] page dumped because: kasan: bad access detected [ 26.666269] [ 26.667870] Memory state around the buggy address: [ 26.672777] ffff8801d9693080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 26.680128] ffff8801d9693100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 26.687466] >ffff8801d9693180: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 26.694799] ^ [ 26.698662] ffff8801d9693200: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 26.705999] ffff8801d9693280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 26.713340] ================================================================== [ 26.720673] Disabling lock debugging due to kernel taint [ 26.726150] Kernel panic - not syncing: panic_on_warn set ... [ 26.726150] [ 26.733515] CPU: 0 PID: 4490 Comm: syzkaller162543 Tainted: G B 4.17.0-rc1+ #10 [ 26.742251] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.751580] Call Trace: [ 26.754153] dump_stack+0x1b9/0x294 [ 26.757756] ? dump_stack_print_info.cold.2+0x52/0x52 [ 26.762924] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 26.767656] ? 
__sctp_v6_cmp_addr+0x4a0/0x530 [ 26.772129] panic+0x22f/0x4de [ 26.775298] ? add_taint.cold.5+0x16/0x16 [ 26.779426] ? do_raw_spin_unlock+0x9e/0x2e0 [ 26.783812] ? do_raw_spin_unlock+0x9e/0x2e0 [ 26.788196] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 26.792667] kasan_end_report+0x47/0x4f [ 26.796623] kasan_report.cold.7+0x76/0x2fe [ 26.800927] __asan_report_load8_noabort+0x14/0x20 [ 26.805832] __sctp_v6_cmp_addr+0x4c7/0x530 [ 26.810128] sctp_inet6_cmp_addr+0x169/0x1a0 [ 26.814515] sctp_bind_addr_conflict+0x28c/0x470 [ 26.819247] ? sctp_bind_addr_match+0x400/0x400 [ 26.823895] ? kasan_check_write+0x14/0x20 [ 26.828107] ? do_raw_spin_lock+0xc1/0x200 [ 26.832319] sctp_get_port_local+0x9fc/0x1540 [ 26.836794] ? print_irqtrace_events+0x95/0x1fa [ 26.841437] ? sctp_set_owner_w+0x530/0x530 [ 26.845736] ? kasan_check_read+0x11/0x20 [ 26.849859] ? rcu_is_watching+0x85/0x140 [ 26.853986] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 26.859160] ? sctp_bind_addr_match+0x2c6/0x400 [ 26.863810] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 26.868631] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.874144] ? sctp_v4_available+0x1b1/0x200 [ 26.878529] ? sctp_inet6_bind_verify+0xb2/0x500 [ 26.883270] sctp_do_bind+0x21c/0x5f0 [ 26.887052] sctp_bindx_add+0x90/0x1a0 [ 26.890921] sctp_setsockopt_bindx+0x2ad/0x320 [ 26.895482] sctp_setsockopt+0x12c4/0x7000 [ 26.899697] ? __lock_acquire+0x7f5/0x5140 [ 26.903911] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 26.909600] ? debug_check_no_locks_freed+0x310/0x310 [ 26.914768] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.920282] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 26.925361] ? futex_wait+0x5c1/0x9f0 [ 26.929140] ? futex_wait_setup+0x400/0x400 [ 26.933437] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 26.938604] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.944120] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 26.949198] ? futex_wake+0x2f6/0x750 [ 26.952975] ? get_futex_key+0x1e90/0x1e90 [ 26.957186] ? graph_lock+0x170/0x170 [ 26.960968] ? 
sock_alloc_file+0x1f3/0x4e0 [ 26.965177] ? __sys_socket+0x16f/0x250 [ 26.969129] ? __x64_sys_socket+0x73/0xb0 [ 26.973254] ? find_held_lock+0x36/0x1c0 [ 26.977293] ? lock_downgrade+0x8e0/0x8e0 [ 26.981419] ? kasan_check_read+0x11/0x20 [ 26.985545] ? rcu_is_watching+0x85/0x140 [ 26.989672] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 26.994843] ? __fget+0x40c/0x650 [ 26.998274] ? expand_files.part.8+0x9a0/0x9a0 [ 27.002834] ? lock_downgrade+0x8e0/0x8e0 [ 27.006963] ? kasan_check_read+0x11/0x20 [ 27.011089] ? __lock_is_held+0xb5/0x140 [ 27.015128] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 27.020299] ? __fget_light+0x2ef/0x430 [ 27.024260] ? fget_raw+0x20/0x20 [ 27.027691] ? get_unused_fd_flags+0x190/0x190 [ 27.032251] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.037765] ? alloc_file+0x44/0x3e0 [ 27.041460] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 27.046976] ? sock_alloc_file+0x2a4/0x4e0 [ 27.051189] sock_common_setsockopt+0x9a/0xe0 [ 27.055661] __sys_setsockopt+0x1bd/0x390 [ 27.059786] ? kernel_accept+0x310/0x310 [ 27.063825] ? do_futex+0x27d0/0x27d0 [ 27.067603] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 27.072166] __x64_sys_setsockopt+0xbe/0x150 [ 27.076551] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 27.081551] do_syscall_64+0x1b1/0x800 [ 27.085415] ? finish_task_switch+0x1ca/0x810 [ 27.089889] ? syscall_return_slowpath+0x5c0/0x5c0 [ 27.094795] ? syscall_return_slowpath+0x30f/0x5c0 [ 27.099705] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 27.105049] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 27.109868] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.115038] RIP: 0033:0x445839 [ 27.118204] RSP: 002b:00007ff9161e2d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 27.125887] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445839 [ 27.133131] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 27.140374] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000a6fe [ 27.147620] R10: 00000000205ba000 R11: 0000000000000246 R12: 0000000000000000 [ 27.154864] R13: 00007fff0159530f R14: 00007ff9161e39c0 R15: 0000000000000003 [ 27.162649] Dumping ftrace buffer: [ 27.166178] (ftrace buffer empty) [ 27.169861] Kernel Offset: disabled [ 27.173463] Rebooting in 86400 seconds.. Reviewer note (triage, not part of the console output): ORIG_RAX 0x36 is setsockopt, and the x86-64 argument registers decode to setsockopt(fd=4, level=0x84 = IPPROTO_SCTP, optname=0x64 = SCTP_SOCKOPT_BINDX_ADD, optval=0x205ba000, optlen=0x10), i.e. the caller handed in a single 16-byte address — the size of a struct sockaddr_in. That buffer is the vmemdup_user copy shown in the "Allocated by task 4490" trace (kmalloc-32, with only the first 16 bytes marked accessible in the memory-state dump), and the faulting 8-byte read at offset 16 in __sctp_v6_cmp_addr is consistent with the comparator handling the AF_INET entry as a 28-byte sockaddr_in6 and reading past the end of the copy while checking the new address against the existing bind list; the likely fix is therefore in the address comparison dispatch (use the v4 comparison when both sides are AF_INET), not in the bindx copy size. The "Freed by task 2842" trace describes a previous occupant of the same slab slot and is not evidence of a use-after-free; this is an out-of-bounds read of adjacent heap memory. On a production kernel without KASAN it would not crash but silently mis-compare (potentially letting bind-conflict decisions depend on neighbouring slab contents), and the panic here is only because the fuzzer kernel runs with panic_on_warn. Since the reproducer appears to need nothing beyond creating an SCTP socket, treat it as reachable by a local unprivileged user on kernels built with CONFIG_IP_SCTP unless socket creation is otherwise restricted.