INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   29.073617] ==================================================================
[   29.081078] BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860
[   29.088511] Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466
[   29.096193]
[   29.097806] CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1
[   29.104708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.114055] Call Trace:
[   29.116628]  dump_stack+0x1b9/0x29f
[   29.120243]  ? arch_local_irq_restore+0x52/0x52
[   29.124891]  ? printk+0x9e/0xba
[   29.128147]  ? show_regs_print_info+0x18/0x18
[   29.132630]  ? kasan_check_write+0x14/0x20
[   29.136847]  print_address_description+0x6c/0x20b
[   29.141670]  ? ip6gre_tunnel_locate+0x334/0x860
[   29.146315]  kasan_report.cold.7+0xac/0x2f5
[   29.150617]  check_memory_region+0x13e/0x1b0
[   29.155007]  memcpy+0x37/0x50
[   29.158104]  ip6gre_tunnel_locate+0x334/0x860
[   29.162580]  ? ip6gre_tunnel_find+0x760/0x760
[   29.167063]  ? __might_sleep+0x95/0x190
[   29.171042]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.176563]  ? ip6gre_tnl_parm_from_user+0x5f9/0x780
[   29.181661]  ip6gre_tunnel_ioctl+0x69d/0x12e0
[   29.186142]  ? ip6gre_tunnel_locate+0x860/0x860
[   29.190791]  ? find_held_lock+0x36/0x1c0
[   29.194844]  ? ip6gre_tunnel_locate+0x860/0x860
[   29.199492]  dev_ifsioc+0x43e/0xb90
[   29.203098]  ? ip6gre_tunnel_locate+0x860/0x860
[   29.208093]  ? dev_ifsioc+0x43e/0xb90
[   29.211873]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.217047]  ? register_gifconf+0x70/0x70
[   29.221179]  dev_ioctl+0x69a/0xcc0
[   29.224702]  sock_ioctl+0x47e/0x680
[   29.228307]  ? dlci_ioctl_set+0x40/0x40
[   29.232275]  ? find_held_lock+0x36/0x1c0
[   29.236329]  ? dlci_ioctl_set+0x40/0x40
[   29.240285]  do_vfs_ioctl+0x1cf/0x1650
[   29.244158]  ? ioctl_preallocate+0x2e0/0x2e0
[   29.248554]  ? fget_raw+0x20/0x20
[   29.252012]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.257541]  ? __do_page_fault+0x441/0xe40
[   29.261756]  ? fd_install+0x4d/0x60
[   29.265366]  ? security_file_ioctl+0x9b/0xd0
[   29.269757]  ksys_ioctl+0xa9/0xd0
[   29.273196]  SyS_ioctl+0x24/0x30
[   29.276543]  ? ksys_ioctl+0xd0/0xd0
[   29.280153]  do_syscall_64+0x29e/0x9d0
[   29.284023]  ? vmalloc_sync_all+0x30/0x30
[   29.288159]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.292895]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.297801]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.302712]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.308228]  ? retint_user+0x18/0x18
[   29.311923]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.316766]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.321931] RIP: 0033:0x43fd19
[   29.325098] RSP: 002b:00007ffd4c8e5ef8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   29.332785] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
[   29.340042] RDX: 00000000200000c0 RSI: 00000000000089f1 RDI: 0000000000000003
[   29.347297] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.354542] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401640
[   29.361788] R13: 00000000004016d0 R14: 0000000000000000 R15: 0000000000000000
[   29.369046]
[   29.370651] The buggy address belongs to the page:
[   29.375570] page:ffffea0006bee7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   29.383697] flags: 0x2fffc0000000000()
[   29.387567] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[   29.395434] raw: 0000000000000000 ffffea0006be0101 0000000000000000 0000000000000000
[   29.403290] page dumped because: kasan: bad access detected
[   29.408983]
[   29.410591] Memory state around the buggy address:
[   29.415501]  ffff8801afb9f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.422838]  ffff8801afb9f700: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8
[   29.430176] >ffff8801afb9f780: f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 00 00 00 00 00
[   29.437510]                                 ^
[   29.443197]  ffff8801afb9f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[   29.450534]  ffff8801afb9f880: f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
[   29.457867] ==================================================================
[   29.465202] Disabling lock debugging due to kernel taint
[   29.470679] Kernel panic - not syncing: panic_on_warn set ...
[   29.470679]
[   29.478042] CPU: 1 PID: 4466 Comm: syzkaller851048 Tainted: G    B            4.16.0+ #1
[   29.486259] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.495587] Call Trace:
[   29.498157]  dump_stack+0x1b9/0x29f
[   29.501769]  ? arch_local_irq_restore+0x52/0x52
[   29.506418]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.511153]  ? ip6gre_tunnel_locate+0x2e0/0x860
[   29.515802]  panic+0x22f/0x4de
[   29.518989]  ? add_taint.cold.5+0x16/0x16
[   29.523128]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.527514]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.531900]  ? ip6gre_tunnel_locate+0x334/0x860
[   29.536556]  kasan_end_report+0x47/0x4f
[   29.540507]  kasan_report.cold.7+0xc9/0x2f5
[   29.544819]  check_memory_region+0x13e/0x1b0
[   29.549203]  memcpy+0x37/0x50
[   29.552289]  ip6gre_tunnel_locate+0x334/0x860
[   29.556762]  ? ip6gre_tunnel_find+0x760/0x760
[   29.561233]  ? __might_sleep+0x95/0x190
[   29.565191]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.570707]  ? ip6gre_tnl_parm_from_user+0x5f9/0x780
[   29.575785]  ip6gre_tunnel_ioctl+0x69d/0x12e0
[   29.580264]  ? ip6gre_tunnel_locate+0x860/0x860
[   29.584913]  ? find_held_lock+0x36/0x1c0
[   29.588958]  ? ip6gre_tunnel_locate+0x860/0x860
[   29.593605]  dev_ifsioc+0x43e/0xb90
[   29.597224]  ? ip6gre_tunnel_locate+0x860/0x860
[   29.601873]  ? dev_ifsioc+0x43e/0xb90
[   29.605657]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.610826]  ? register_gifconf+0x70/0x70
[   29.614957]  dev_ioctl+0x69a/0xcc0
[   29.618484]  sock_ioctl+0x47e/0x680
[   29.622100]  ? dlci_ioctl_set+0x40/0x40
[   29.626055]  ? find_held_lock+0x36/0x1c0
[   29.630097]  ? dlci_ioctl_set+0x40/0x40
[   29.634050]  do_vfs_ioctl+0x1cf/0x1650
[   29.637914]  ? ioctl_preallocate+0x2e0/0x2e0
[   29.642310]  ? fget_raw+0x20/0x20
[   29.645753]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.651266]  ? __do_page_fault+0x441/0xe40
[   29.655486]  ? fd_install+0x4d/0x60
[   29.659093]  ? security_file_ioctl+0x9b/0xd0
[   29.663482]  ksys_ioctl+0xa9/0xd0
[   29.666914]  SyS_ioctl+0x24/0x30
[   29.670255]  ? ksys_ioctl+0xd0/0xd0
[   29.673859]  do_syscall_64+0x29e/0x9d0
[   29.677721]  ? vmalloc_sync_all+0x30/0x30
[   29.681847]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.686583]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.691490]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.696397]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.701915]  ? retint_user+0x18/0x18
[   29.705610]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.710434]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.715609] RIP: 0033:0x43fd19
[   29.718775] RSP: 002b:00007ffd4c8e5ef8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   29.726465] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
[   29.733714] RDX: 00000000200000c0 RSI: 00000000000089f1 RDI: 0000000000000003
[   29.740965] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.748212] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401640
[   29.755462] R13: 00000000004016d0 R14: 0000000000000000 R15: 0000000000000000
[   29.763200] Dumping ftrace buffer:
[   29.766719]    (ftrace buffer empty)
[   29.770406] Kernel Offset: disabled
[   29.774011] Rebooting in 86400 seconds..