INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.957615] ==================================================================
[ 23.964989] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2565/0x3240
[ 23.971536] Read of size 2081 at addr ffff8801b6be4798 by task syzkaller049336/3768
[ 23.979293]
[ 23.980897] CPU: 1 PID: 3768 Comm: syzkaller049336 Not tainted 4.9.92-g7cd9561 #1
[ 23.988484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.997808]  ffff8801b673f6e0 ffffffff81d9c489 ffffea0006daf900 ffff8801b6be4798
[ 24.005773]  0000000000000000 ffff8801b6be4980 ffff8801b6be4780 ffff8801b673f718
[ 24.013731]  ffffffff8156556b ffff8801b6be4798 0000000000000821 0000000000000000
[ 24.021695] Call Trace:
[ 24.024255]  [] dump_stack+0xc1/0x128
[ 24.029589]  [] print_address_description+0x6c/0x234
[ 24.036221]  [] kasan_report.cold.6+0xac/0x2f5
[ 24.042334]  [] ? pfkey_add+0x2565/0x3240
[ 24.048016]  [] check_memory_region+0x14f/0x1b0
[ 24.054216]  [] memcpy+0x23/0x50
[ 24.059113]  [] pfkey_add+0x2565/0x3240
[ 24.064618]  [] ? pfkey_get+0x660/0x660
[ 24.070125]  [] ? __skb_clone+0x25c/0x7d0
[ 24.075804]  [] ? pfkey_get+0x660/0x660
[ 24.081307]  [] pfkey_process+0x671/0x740
[ 24.086983]  [] ? pfkey_send_new_mapping+0x1170/0x1170
[ 24.093789]  [] pfkey_sendmsg+0x346/0xae0
[ 24.099468]  [] ? pfkey_spdget+0x840/0x840
[ 24.105233]  [] sock_sendmsg+0xcc/0x110
[ 24.110738]  [] ___sys_sendmsg+0x6fc/0x840
[ 24.116504]  [] ? copy_msghdr_from_user+0x560/0x560
[ 24.123052]  [] ? __lru_cache_add+0x187/0x250
[ 24.129079]  [] ? native_set_pte_at+0xe0/0xe0
[ 24.135108]  [] ? do_huge_pmd_anonymous_page+0xadc/0x10f0
[ 24.142175]  [] ? _raw_spin_unlock+0x2c/0x50
[ 24.148115]  [] ? do_huge_pmd_anonymous_page+0x648/0x10f0
[ 24.155191]  [] ? handle_mm_fault+0x6a4/0x28e0
[ 24.161306]  [] ? __fget_light+0x169/0x1f0
[ 24.167080]  [] ? __fdget+0x18/0x20
[ 24.172247]  [] ? sockfd_lookup_light+0xb6/0x160
[ 24.178534]  [] __sys_sendmsg+0xd9/0x190
[ 24.184123]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 24.189893]  [] ? __do_page_fault+0x5dd/0xd50
[ 24.195921]  [] SyS_sendmsg+0x2d/0x50
[ 24.201255]  [] ? __sys_sendmsg+0x190/0x190
[ 24.207112]  [] do_syscall_64+0x1a6/0x490
[ 24.212793]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.219691]
[ 24.221290] Allocated by task 3768:
[ 24.224887]  save_stack_trace+0x16/0x20
[ 24.228838]  save_stack+0x43/0xd0
[ 24.232271]  kasan_kmalloc+0xc7/0xe0
[ 24.235950]  kasan_slab_alloc+0x12/0x20
[ 24.239893]  __kmalloc_track_caller+0xdc/0x2b0
[ 24.244442]  __kmalloc_reserve.isra.37+0x33/0xc0
[ 24.249171]  __alloc_skb+0x11a/0x600
[ 24.252854]  pfkey_sendmsg+0xfe/0xae0
[ 24.256636]  sock_sendmsg+0xcc/0x110
[ 24.260318]  ___sys_sendmsg+0x6fc/0x840
[ 24.264259]  __sys_sendmsg+0xd9/0x190
[ 24.268024]  SyS_sendmsg+0x2d/0x50
[ 24.271533]  do_syscall_64+0x1a6/0x490
[ 24.275389]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.280457]
[ 24.282053] Freed by task 2048:
[ 24.285301]  save_stack_trace+0x16/0x20
[ 24.289244]  save_stack+0x43/0xd0
[ 24.292663]  kasan_slab_free+0x72/0xc0
[ 24.296518]  kfree+0xfb/0x310
[ 24.299596]  kernfs_fop_release+0xff/0x140
[ 24.304299]  __fput+0x263/0x700
[ 24.307549]  ____fput+0x15/0x20
[ 24.310795]  task_work_run+0x10c/0x180
[ 24.314649]  exit_to_usermode_loop+0xfc/0x120
[ 24.319112]  do_syscall_64+0x364/0x490
[ 24.322968]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.328033]
[ 24.329629] The buggy address belongs to the object at ffff8801b6be4780
[ 24.329629]  which belongs to the cache kmalloc-512 of size 512
[ 24.342252] The buggy address is located 24 bytes inside of
[ 24.342252]  512-byte region [ffff8801b6be4780, ffff8801b6be4980)
[ 24.354004] The buggy address belongs to the page:
[ 24.358902] page:ffffea0006daf900 count:1 mapcount:0 mapping: (null) index:0xffff8801b6be5b80 compound_mapcount: 0
[ 24.370378] flags: 0x8000000000004080(slab|head)
[ 24.375097] page dumped because: kasan: bad access detected
[ 24.380769]
[ 24.382363] Memory state around the buggy address:
[ 24.387263]  ffff8801b6be4880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.394591]  ffff8801b6be4900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.401924] >ffff8801b6be4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.409248]                    ^
[ 24.412581]  ffff8801b6be4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.419905]  ffff8801b6be4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.427231] ==================================================================
[ 24.434561] Disabling lock debugging due to kernel taint
[ 24.441508] Kernel panic - not syncing: panic_on_warn set ...
[ 24.441508]
[ 24.448872] CPU: 1 PID: 3768 Comm: syzkaller049336 Tainted: G B 4.9.92-g7cd9561 #1
[ 24.457674] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.466995]  ffff8801b673f640 ffffffff81d9c489 ffffffff841a85f1 00000000ffffffff
[ 24.474987]  0000000000000000 0000000000000001 ffff8801b6be4780 ffff8801b673f700
[ 24.482951]  ffffffff8141fa55 0000000041b58ab3 ffffffff8419bd28 ffffffff8141f896
[ 24.490917] Call Trace:
[ 24.493475]  [] dump_stack+0xc1/0x128
[ 24.498809]  [] panic+0x1bf/0x3bc
[ 24.503794]  [] ? add_taint.cold.6+0x16/0x16
[ 24.509734]  [] ? ___preempt_schedule+0x16/0x18
[ 24.515938]  [] kasan_end_report+0x47/0x4f
[ 24.521702]  [] kasan_report.cold.6+0xc9/0x2f5
[ 24.527817]  [] ? pfkey_add+0x2565/0x3240
[ 24.533500]  [] check_memory_region+0x14f/0x1b0
[ 24.539698]  [] memcpy+0x23/0x50
[ 24.544595]  [] pfkey_add+0x2565/0x3240
[ 24.550098]  [] ? pfkey_get+0x660/0x660
[ 24.555609]  [] ? __skb_clone+0x25c/0x7d0
[ 24.561288]  [] ? pfkey_get+0x660/0x660
[ 24.566793]  [] pfkey_process+0x671/0x740
[ 24.572474]  [] ? pfkey_send_new_mapping+0x1170/0x1170
[ 24.579280]  [] pfkey_sendmsg+0x346/0xae0
[ 24.584959]  [] ? pfkey_spdget+0x840/0x840
[ 24.590726]  [] sock_sendmsg+0xcc/0x110
[ 24.596233]  [] ___sys_sendmsg+0x6fc/0x840
[ 24.602001]  [] ? copy_msghdr_from_user+0x560/0x560
[ 24.608551]  [] ? __lru_cache_add+0x187/0x250
[ 24.614578]  [] ? native_set_pte_at+0xe0/0xe0
[ 24.620607]  [] ? do_huge_pmd_anonymous_page+0xadc/0x10f0
[ 24.627677]  [] ? _raw_spin_unlock+0x2c/0x50
[ 24.633619]  [] ? do_huge_pmd_anonymous_page+0x648/0x10f0
[ 24.640690]  [] ? handle_mm_fault+0x6a4/0x28e0
[ 24.646805]  [] ? __fget_light+0x169/0x1f0
[ 24.652570]  [] ? __fdget+0x18/0x20
[ 24.657734]  [] ? sockfd_lookup_light+0xb6/0x160
[ 24.664020]  [] __sys_sendmsg+0xd9/0x190
[ 24.669612]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 24.675387]  [] ? __do_page_fault+0x5dd/0xd50
[ 24.681412]  [] SyS_sendmsg+0x2d/0x50
[ 24.686742]  [] ? __sys_sendmsg+0x190/0x190
[ 24.692595]  [] do_syscall_64+0x1a6/0x490
[ 24.698277]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.705687] Dumping ftrace buffer:
[ 24.709204]    (ftrace buffer empty)
[ 24.712885] Kernel Offset: disabled
[ 24.716480] Rebooting in 86400 seconds..