INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 31.504811] ================================================================== [ 31.512290] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.519458] Read of size 8 at addr ffff8801d9105510 by task syzkaller834247/4542 [ 31.526966] [ 31.528576] CPU: 1 PID: 4542 Comm: syzkaller834247 Not tainted 4.17.0-rc1+ #10 [ 31.535908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.545240] Call Trace: [ 31.547809] dump_stack+0x1b9/0x294 [ 31.551419] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.556587] ? printk+0x9e/0xba [ 31.559846] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.564585] ? kasan_check_write+0x14/0x20 [ 31.568797] print_address_description+0x6c/0x20b [ 31.573619] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.578092] kasan_report.cold.7+0x242/0x2fe [ 31.582480] __asan_report_load8_noabort+0x14/0x20 [ 31.587386] __sctp_v6_cmp_addr+0x4c7/0x530 [ 31.591687] sctp_inet6_cmp_addr+0x169/0x1a0 [ 31.596078] sctp_bind_addr_conflict+0x28c/0x470 [ 31.600812] ? sctp_bind_addr_match+0x400/0x400 [ 31.605472] ? kasan_check_write+0x14/0x20 [ 31.609684] ? do_raw_spin_lock+0xc1/0x200 [ 31.613896] sctp_get_port_local+0x9fc/0x1540 [ 31.618372] ? print_irqtrace_events+0x95/0x1fa [ 31.623029] ? sctp_set_owner_w+0x530/0x530 [ 31.627329] ? kasan_check_read+0x11/0x20 [ 31.631457] ? rcu_is_watching+0x85/0x140 [ 31.635583] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.640755] ? sctp_bind_addr_match+0x2c6/0x400 [ 31.645403] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 31.650226] ? 
__sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.655738] ? sctp_v4_available+0x1b1/0x200 [ 31.660125] ? sctp_inet6_bind_verify+0xb2/0x500 [ 31.664860] sctp_do_bind+0x21c/0x5f0 [ 31.668642] sctp_bindx_add+0x90/0x1a0 [ 31.672512] sctp_setsockopt_bindx+0x2ad/0x320 [ 31.677073] sctp_setsockopt+0x12c4/0x7000 [ 31.681286] ? __lock_acquire+0x7f5/0x5140 [ 31.685498] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 31.691191] ? debug_check_no_locks_freed+0x310/0x310 [ 31.696361] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.701879] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 31.706961] ? futex_wait+0x5c1/0x9f0 [ 31.710745] ? futex_wait_setup+0x400/0x400 [ 31.715046] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.720215] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.725732] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 31.730813] ? futex_wake+0x2f6/0x750 [ 31.734592] ? get_futex_key+0x1e90/0x1e90 [ 31.738803] ? graph_lock+0x170/0x170 [ 31.742589] ? sock_alloc_file+0x1f3/0x4e0 [ 31.746798] ? __sys_socket+0x16f/0x250 [ 31.750748] ? __x64_sys_socket+0x73/0xb0 [ 31.754877] ? find_held_lock+0x36/0x1c0 [ 31.758922] ? lock_downgrade+0x8e0/0x8e0 [ 31.763050] ? kasan_check_read+0x11/0x20 [ 31.767176] ? rcu_is_watching+0x85/0x140 [ 31.771302] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.776476] ? __fget+0x40c/0x650 [ 31.780139] ? expand_files.part.8+0x9a0/0x9a0 [ 31.784706] ? lock_downgrade+0x8e0/0x8e0 [ 31.788835] ? kasan_check_read+0x11/0x20 [ 31.792962] ? __lock_is_held+0xb5/0x140 [ 31.797002] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.802179] ? __fget_light+0x2ef/0x430 [ 31.806132] ? fget_raw+0x20/0x20 [ 31.809572] ? get_unused_fd_flags+0x190/0x190 [ 31.814144] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.819671] ? alloc_file+0x44/0x3e0 [ 31.823378] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.828901] ? sock_alloc_file+0x2a4/0x4e0 [ 31.833124] sock_common_setsockopt+0x9a/0xe0 [ 31.837614] __sys_setsockopt+0x1bd/0x390 [ 31.841752] ? 
kernel_accept+0x310/0x310 [ 31.845795] ? do_futex+0x27d0/0x27d0 [ 31.849577] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 31.854142] __x64_sys_setsockopt+0xbe/0x150 [ 31.858529] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.863523] do_syscall_64+0x1b1/0x800 [ 31.867390] ? finish_task_switch+0x1ca/0x810 [ 31.871864] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.876774] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.881685] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 31.887036] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.891863] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.897032] RIP: 0033:0x445829 [ 31.900198] RSP: 002b:00007f619f0add98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 31.907884] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445829 [ 31.915132] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 31.922381] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000e6af [ 31.929626] R10: 0000000020223fd4 R11: 0000000000000246 R12: 0000000000000000 [ 31.936871] R13: 00007fff183fcc8f R14: 00007f619f0ae9c0 R15: 0000000000000003 [ 31.944124] [ 31.945730] Allocated by task 4542: [ 31.949338] save_stack+0x43/0xd0 [ 31.952766] kasan_kmalloc+0xc4/0xe0 [ 31.956457] __kmalloc_node+0x47/0x70 [ 31.960233] kvmalloc_node+0x6b/0x100 [ 31.964013] vmemdup_user+0x2d/0xa0 [ 31.967625] sctp_setsockopt_bindx+0x5d/0x320 [ 31.972095] sctp_setsockopt+0x12c4/0x7000 [ 31.976305] sock_common_setsockopt+0x9a/0xe0 [ 31.980775] __sys_setsockopt+0x1bd/0x390 [ 31.984899] __x64_sys_setsockopt+0xbe/0x150 [ 31.989282] do_syscall_64+0x1b1/0x800 [ 31.993147] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.998314] [ 31.999915] Freed by task 2839: [ 32.003170] save_stack+0x43/0xd0 [ 32.006600] __kasan_slab_free+0x11a/0x170 [ 32.010811] kasan_slab_free+0xe/0x10 [ 32.014585] kfree+0xd9/0x260 [ 32.017668] single_release+0x8f/0xb0 [ 32.021445] __fput+0x34d/0x890 [ 32.024699] ____fput+0x15/0x20 [ 32.027954] task_work_run+0x1e4/0x290 [ 32.031818] exit_to_usermode_loop+0x2bd/0x310 [ 
32.036376] do_syscall_64+0x6ac/0x800 [ 32.040240] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.045398] [ 32.047007] The buggy address belongs to the object at ffff8801d9105500 [ 32.047007] which belongs to the cache kmalloc-32 of size 32 [ 32.059478] The buggy address is located 16 bytes inside of [ 32.059478] 32-byte region [ffff8801d9105500, ffff8801d9105520) [ 32.071150] The buggy address belongs to the page: [ 32.076062] page:ffffea0007644140 count:1 mapcount:0 mapping:ffff8801d9105000 index:0xffff8801d9105fc1 [ 32.085488] flags: 0x2fffc0000000100(slab) [ 32.089703] raw: 02fffc0000000100 ffff8801d9105000 ffff8801d9105fc1 0000000100000022 [ 32.097561] raw: ffffea000766c660 ffffea000766f460 ffff8801da8001c0 0000000000000000 [ 32.105413] page dumped because: kasan: bad access detected [ 32.111094] [ 32.112695] Memory state around the buggy address: [ 32.117599] ffff8801d9105400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 32.124935] ffff8801d9105480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 32.132276] >ffff8801d9105500: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 32.139608] ^ [ 32.143468] ffff8801d9105580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 32.150803] ffff8801d9105600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 32.158135] ================================================================== [ 32.165465] Disabling lock debugging due to kernel taint [ 32.170931] Kernel panic - not syncing: panic_on_warn set ... [ 32.170931] [ 32.178290] CPU: 1 PID: 4542 Comm: syzkaller834247 Tainted: G B 4.17.0-rc1+ #10 [ 32.187031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.196360] Call Trace: [ 32.198926] dump_stack+0x1b9/0x294 [ 32.202529] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.207697] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.212429] ? __sctp_v6_cmp_addr+0x4a0/0x530 [ 32.216899] panic+0x22f/0x4de [ 32.220068] ? add_taint.cold.5+0x16/0x16 [ 32.224192] ? 
do_raw_spin_unlock+0x9e/0x2e0 [ 32.228578] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.232961] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 32.237433] kasan_end_report+0x47/0x4f [ 32.241382] kasan_report.cold.7+0x76/0x2fe [ 32.245683] __asan_report_load8_noabort+0x14/0x20 [ 32.250586] __sctp_v6_cmp_addr+0x4c7/0x530 [ 32.254883] sctp_inet6_cmp_addr+0x169/0x1a0 [ 32.259268] sctp_bind_addr_conflict+0x28c/0x470 [ 32.264003] ? sctp_bind_addr_match+0x400/0x400 [ 32.268656] ? kasan_check_write+0x14/0x20 [ 32.272867] ? do_raw_spin_lock+0xc1/0x200 [ 32.277078] sctp_get_port_local+0x9fc/0x1540 [ 32.281548] ? print_irqtrace_events+0x95/0x1fa [ 32.286193] ? sctp_set_owner_w+0x530/0x530 [ 32.290489] ? kasan_check_read+0x11/0x20 [ 32.294613] ? rcu_is_watching+0x85/0x140 [ 32.298736] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.303905] ? sctp_bind_addr_match+0x2c6/0x400 [ 32.308551] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 32.313374] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.318884] ? sctp_v4_available+0x1b1/0x200 [ 32.323266] ? sctp_inet6_bind_verify+0xb2/0x500 [ 32.328005] sctp_do_bind+0x21c/0x5f0 [ 32.331796] sctp_bindx_add+0x90/0x1a0 [ 32.335666] sctp_setsockopt_bindx+0x2ad/0x320 [ 32.340223] sctp_setsockopt+0x12c4/0x7000 [ 32.344432] ? __lock_acquire+0x7f5/0x5140 [ 32.348650] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 32.354338] ? debug_check_no_locks_freed+0x310/0x310 [ 32.359510] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.365027] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 32.370108] ? futex_wait+0x5c1/0x9f0 [ 32.373885] ? futex_wait_setup+0x400/0x400 [ 32.378182] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 32.383350] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.388861] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 32.393939] ? futex_wake+0x2f6/0x750 [ 32.397717] ? get_futex_key+0x1e90/0x1e90 [ 32.401926] ? graph_lock+0x170/0x170 [ 32.405704] ? sock_alloc_file+0x1f3/0x4e0 [ 32.409912] ? __sys_socket+0x16f/0x250 [ 32.413863] ? __x64_sys_socket+0x73/0xb0 [ 32.417985] ? 
find_held_lock+0x36/0x1c0 [ 32.422029] ? lock_downgrade+0x8e0/0x8e0 [ 32.426154] ? kasan_check_read+0x11/0x20 [ 32.430278] ? rcu_is_watching+0x85/0x140 [ 32.434414] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.439582] ? __fget+0x40c/0x650 [ 32.443018] ? expand_files.part.8+0x9a0/0x9a0 [ 32.447578] ? lock_downgrade+0x8e0/0x8e0 [ 32.451703] ? kasan_check_read+0x11/0x20 [ 32.455825] ? __lock_is_held+0xb5/0x140 [ 32.459862] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.465032] ? __fget_light+0x2ef/0x430 [ 32.468983] ? fget_raw+0x20/0x20 [ 32.472413] ? get_unused_fd_flags+0x190/0x190 [ 32.476973] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.482485] ? alloc_file+0x44/0x3e0 [ 32.486178] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.491689] ? sock_alloc_file+0x2a4/0x4e0 [ 32.495899] sock_common_setsockopt+0x9a/0xe0 [ 32.500372] __sys_setsockopt+0x1bd/0x390 [ 32.504494] ? kernel_accept+0x310/0x310 [ 32.508533] ? do_futex+0x27d0/0x27d0 [ 32.512310] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 32.516870] __x64_sys_setsockopt+0xbe/0x150 [ 32.521255] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.526249] do_syscall_64+0x1b1/0x800 [ 32.530112] ? finish_task_switch+0x1ca/0x810 [ 32.534583] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.539488] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.544396] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.549737] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 32.554556] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.559724] RIP: 0033:0x445829 [ 32.562894] RSP: 002b:00007f619f0add98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 32.570577] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445829 [ 32.577821] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 32.585064] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000e6af [ 32.592307] R10: 0000000020223fd4 R11: 0000000000000246 R12: 0000000000000000 [ 32.599550] R13: 00007fff183fcc8f R14: 00007f619f0ae9c0 R15: 0000000000000003 [ 32.607290] Dumping ftrace buffer: [ 32.610805] (ftrace buffer empty) [ 32.614488] Kernel Offset: disabled [ 32.618089] Rebooting in 86400 seconds..