INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
2018/04/05 16:55:57 parsed 1 programs
2018/04/05 16:55:57 executed programs: 0

syzkaller login: [   20.321512] IPVS: Creating netns size=2536 id=1
[   20.375648] ==================================================================
[   20.383022] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2565/0x3240
[   20.389569] Read of size 2081 at addr ffff8801b8567698 by task syz-executor0/3781
[   20.397156]
[   20.398756] CPU: 0 PID: 3781 Comm: syz-executor0 Not tainted 4.9.92-g7cd9561 #1
[   20.406167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.415489]  ffff8801b6a876d0 ffffffff81d9c489 ffffea0006e15980 ffff8801b8567698
[   20.423462]  0000000000000000 ffff8801b8567880 ffff8801b8567680 ffff8801b6a87708
[   20.431427]  ffffffff8156556b ffff8801b8567698 0000000000000821 0000000000000000
[   20.439399] Call Trace:
[   20.441964]  [] dump_stack+0xc1/0x128
[   20.447305]  [] print_address_description+0x6c/0x234
[   20.453953]  [] kasan_report.cold.6+0xac/0x2f5
[   20.460074]  [] ? pfkey_add+0x2565/0x3240
[   20.465757]  [] check_memory_region+0x14f/0x1b0
[   20.471956]  [] memcpy+0x23/0x50
[   20.476853]  [] pfkey_add+0x2565/0x3240
[   20.482358]  [] ? pfkey_get+0x660/0x660
[   20.487865]  [] ? __skb_clone+0x25c/0x7d0
[   20.493543]  [] ? pfkey_get+0x660/0x660
[   20.499047]  [] pfkey_process+0x671/0x740
[   20.504728]  [] ? pfkey_send_new_mapping+0x1170/0x1170
[   20.511536]  [] pfkey_sendmsg+0x346/0xae0
[   20.517215]  [] ? pfkey_spdget+0x840/0x840
[   20.522982]  [] sock_sendmsg+0xcc/0x110
[   20.528490]  [] ___sys_sendmsg+0x6fc/0x840
[   20.534255]  [] ? copy_msghdr_from_user+0x560/0x560
[   20.540804]  [] ? do_futex+0x174/0x1770
[   20.546312]  [] ? __lru_cache_add+0x187/0x250
[   20.552341]  [] ? exit_robust_list+0x220/0x220
[   20.558460]  [] ? _raw_spin_unlock+0x2c/0x50
[   20.564400]  [] ? do_huge_pmd_anonymous_page+0x648/0x10f0
[   20.571471]  [] ? __fget_light+0x169/0x1f0
[   20.577236]  [] ? __fdget+0x18/0x20
[   20.582395]  [] ? sockfd_lookup_light+0xb6/0x160
[   20.588681]  [] __sys_sendmsg+0xd9/0x190
[   20.594278]  [] ? SyS_shutdown+0x1b0/0x1b0
[   20.600052]  [] ? compat_SyS_futex+0x1e1/0x2f0
[   20.606170]  [] compat_SyS_sendmsg+0x2a/0x40
[   20.612117]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   20.618663]  [] do_fast_syscall_32+0x2f7/0x870
[   20.624776]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   20.631409]  [] entry_SYSENTER_compat+0x90/0xa2
[   20.637606]
[   20.639205] Allocated by task 3781:
[   20.642801]  save_stack_trace+0x16/0x20
[   20.646742]  save_stack+0x43/0xd0
[   20.650162]  kasan_kmalloc+0xc7/0xe0
[   20.653847]  kasan_slab_alloc+0x12/0x20
[   20.657790]  __kmalloc_track_caller+0xdc/0x2b0
[   20.662339]  __kmalloc_reserve.isra.37+0x33/0xc0
[   20.667069]  __alloc_skb+0x11a/0x600
[   20.670751]  pfkey_sendmsg+0xfe/0xae0
[   20.674519]  sock_sendmsg+0xcc/0x110
[   20.678201]  ___sys_sendmsg+0x6fc/0x840
[   20.682142]  __sys_sendmsg+0xd9/0x190
[   20.685910]  compat_SyS_sendmsg+0x2a/0x40
[   20.690025]  do_fast_syscall_32+0x2f7/0x870
[   20.694315]  entry_SYSENTER_compat+0x90/0xa2
[   20.698695]
[   20.700292] Freed by task 2064:
[   20.703539]  save_stack_trace+0x16/0x20
[   20.707480]  save_stack+0x43/0xd0
[   20.710903]  kasan_slab_free+0x72/0xc0
[   20.714760]  kfree+0xfb/0x310
[   20.717833]  kernfs_fop_release+0xff/0x140
[   20.722036]  __fput+0x263/0x700
[   20.725284]  ____fput+0x15/0x20
[   20.728533]  task_work_run+0x10c/0x180
[   20.732387]  exit_to_usermode_loop+0xfc/0x120
[   20.736851]  do_syscall_64+0x364/0x490
[   20.740704]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   20.745774]
[   20.747371] The buggy address belongs to the object at ffff8801b8567680
[   20.747371]  which belongs to the cache kmalloc-512 of size 512
[   20.759994] The buggy address is located 24 bytes inside of
[   20.759994]  512-byte region [ffff8801b8567680, ffff8801b8567880)
[   20.771746] The buggy address belongs to the page:
[   20.776644] page:ffffea0006e15980 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   20.786808] flags: 0x8000000000004080(slab|head)
[   20.791531] page dumped because: kasan: bad access detected
[   20.797203]
[   20.798800] Memory state around the buggy address:
[   20.803695]  ffff8801b8567780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.811024]  ffff8801b8567800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   20.818350] >ffff8801b8567880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.825673]                    ^
[   20.829014]  ffff8801b8567900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.836344]  ffff8801b8567980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.843666] ==================================================================
[   20.850992] Disabling lock debugging due to kernel taint
[   20.856889] Kernel panic - not syncing: panic_on_warn set ...
[   20.856889]
[   20.864244] CPU: 0 PID: 3781 Comm: syz-executor0 Tainted: G    B           4.9.92-g7cd9561 #1
[   20.872886] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   20.882217]  ffff8801b6a87630 ffffffff81d9c489 ffffffff841a85f1 00000000ffffffff
[   20.890182]  0000000000000000 0000000000000000 ffff8801b8567680 ffff8801b6a876f0
[   20.898147]  ffffffff8141fa55 0000000041b58ab3 ffffffff8419bd28 ffffffff8141f896
[   20.906119] Call Trace:
[   20.908676]  [] dump_stack+0xc1/0x128
[   20.914009]  [] panic+0x1bf/0x3bc
[   20.918992]  [] ? add_taint.cold.6+0x16/0x16
[   20.924933]  [] ? ___preempt_schedule+0x16/0x18
[   20.931134]  [] kasan_end_report+0x47/0x4f
[   20.936897]  [] kasan_report.cold.6+0xc9/0x2f5
[   20.943009]  [] ? pfkey_add+0x2565/0x3240
[   20.948688]  [] check_memory_region+0x14f/0x1b0
[   20.954888]  [] memcpy+0x23/0x50
[   20.959787]  [] pfkey_add+0x2565/0x3240
[   20.965293]  [] ? pfkey_get+0x660/0x660
[   20.970799]  [] ? __skb_clone+0x25c/0x7d0
[   20.976475]  [] ? pfkey_get+0x660/0x660
[   20.981982]  [] pfkey_process+0x671/0x740
[   20.987661]  [] ? pfkey_send_new_mapping+0x1170/0x1170
[   20.994467]  [] pfkey_sendmsg+0x346/0xae0
[   21.000148]  [] ? pfkey_spdget+0x840/0x840
[   21.005916]  [] sock_sendmsg+0xcc/0x110
[   21.011425]  [] ___sys_sendmsg+0x6fc/0x840
[   21.017195]  [] ? copy_msghdr_from_user+0x560/0x560
[   21.023744]  [] ? do_futex+0x174/0x1770
[   21.029248]  [] ? __lru_cache_add+0x187/0x250
[   21.035273]  [] ? exit_robust_list+0x220/0x220
[   21.041386]  [] ? _raw_spin_unlock+0x2c/0x50
[   21.047326]  [] ? do_huge_pmd_anonymous_page+0x648/0x10f0
[   21.054395]  [] ? __fget_light+0x169/0x1f0
[   21.060167]  [] ? __fdget+0x18/0x20
[   21.065327]  [] ? sockfd_lookup_light+0xb6/0x160
[   21.071612]  [] __sys_sendmsg+0xd9/0x190
[   21.077208]  [] ? SyS_shutdown+0x1b0/0x1b0
[   21.082976]  [] ? compat_SyS_futex+0x1e1/0x2f0
[   21.089088]  [] compat_SyS_sendmsg+0x2a/0x40
[   21.095027]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[   21.101576]  [] do_fast_syscall_32+0x2f7/0x870
[   21.107690]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   21.114324]  [] entry_SYSENTER_compat+0x90/0xa2
[   21.120951] Dumping ftrace buffer:
[   21.124462]    (ftrace buffer empty)
[   21.128140] Kernel Offset: disabled
[   21.131734] Rebooting in 86400 seconds..