[ OK ] Started Getty on tty4. [ OK ] Started Getty on tty3. [ OK ] Started Getty on tty2. [ OK ] Started Getty on tty1. [ OK ] Started Serial Getty on ttyS0. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Starting Load/Save RF Kill Switch Status... [ OK ] Started Load/Save RF Kill Switch Status. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 62.651931][ T8497] ================================================================== [ 62.660228][ T8497] BUG: KASAN: slab-out-of-bounds in xfrm_attr_cpy32+0x15a/0x1d0 [ 62.667870][ T8497] Write of size 4 at addr ffff888147aba4fc by task syz-executor829/8497 [ 62.676368][ T8497] [ 62.678711][ T8497] CPU: 0 PID: 8497 Comm: syz-executor829 Not tainted 5.10.0-rc2-syzkaller #0 [ 62.687474][ T8497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 62.697535][ T8497] Call Trace: [ 62.700846][ T8497] dump_stack+0x107/0x163 [ 62.705328][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 62.710249][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 62.715199][ T8497] print_address_description.constprop.0.cold+0xae/0x4c8 [ 62.722222][ T8497] ? _raw_spin_lock_irqsave+0x4e/0x50 [ 62.727582][ T8497] ? vprintk_func+0x95/0x1e0 [ 62.732155][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 62.737244][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 62.742158][ T8497] kasan_report.cold+0x1f/0x37 [ 62.746900][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 62.751834][ T8497] check_memory_region+0x13d/0x180 [ 62.756982][ T8497] memset+0x20/0x40 [ 62.760773][ T8497] xfrm_attr_cpy32+0x15a/0x1d0 [ 62.765536][ T8497] xfrm_user_rcv_msg_compat+0x76b/0x1040 [ 62.771170][ T8497] ? xfrm_alloc_compat+0x10d0/0x10d0 [ 62.776440][ T8497] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 62.782403][ T8497] ? mark_lock+0xafe/0x24c0 [ 62.787161][ T8497] ? security_capable+0x8f/0xc0 [ 62.791998][ T8497] ? xfrm_alloc_compat+0x10d0/0x10d0 [ 62.797357][ T8497] xfrm_user_rcv_msg+0x55b/0x8b0 [ 62.802274][ T8497] ? mark_lock+0xf7/0x24c0 [ 62.806693][ T8497] ? xfrm_do_migrate+0x800/0x800 [ 62.811610][ T8497] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 62.817585][ T8497] ? lock_release+0x710/0x710 [ 62.822265][ T8497] ? __mutex_lock+0x626/0x10e0 [ 62.827013][ T8497] netlink_rcv_skb+0x153/0x420 [ 62.831756][ T8497] ? xfrm_do_migrate+0x800/0x800 [ 62.836670][ T8497] ? netlink_ack+0xaa0/0xaa0 [ 62.841247][ T8497] xfrm_netlink_rcv+0x6b/0x90 [ 62.845898][ T8497] netlink_unicast+0x533/0x7d0 [ 62.850643][ T8497] ? netlink_attachskb+0x810/0x810 [ 62.855735][ T8497] ? __phys_addr_symbol+0x2c/0x70 [ 62.860750][ T8497] ? __check_object_size+0x171/0x3f0 [ 62.866022][ T8497] netlink_sendmsg+0x856/0xd90 [ 62.871392][ T8497] ? netlink_unicast+0x7d0/0x7d0 [ 62.876341][ T8497] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 62.881619][ T8497] ? netlink_unicast+0x7d0/0x7d0 [ 62.886540][ T8497] sock_sendmsg+0xcf/0x120 [ 62.890960][ T8497] ____sys_sendmsg+0x6e8/0x810 [ 62.895720][ T8497] ? kernel_sendmsg+0x50/0x50 [ 62.900721][ T8497] ? do_recvmmsg+0x6c0/0x6c0 [ 62.908684][ T8497] ? find_held_lock+0x2d/0x110 [ 62.913434][ T8497] ___sys_sendmsg+0xf3/0x170 [ 62.918004][ T8497] ? sendmsg_copy_msghdr+0x160/0x160 [ 62.923278][ T8497] ? do_huge_pmd_anonymous_page+0x8e9/0x2050 [ 62.929273][ T8497] ? __fget_light+0x215/0x280 [ 62.933943][ T8497] __sys_sendmsg+0xe5/0x1b0 [ 62.938448][ T8497] ? __sys_sendmsg_sock+0xb0/0xb0 [ 62.943476][ T8497] ? syscall_enter_from_user_mode_prepare+0x13/0x20 [ 62.950046][ T8497] __do_fast_syscall_32+0x56/0x80 [ 62.955048][ T8497] do_fast_syscall_32+0x2f/0x70 [ 62.959967][ T8497] entry_SYSENTER_compat_after_hwframe+0x4d/0x5c [ 62.966272][ T8497] RIP: 0023:0xf7fb2549 [ 62.970321][ T8497] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 62.990869][ T8497] RSP: 002b:00000000ffdebbcc EFLAGS: 00000246 ORIG_RAX: 0000000000000172 [ 63.000064][ T8497] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080 [ 63.008016][ T8497] RDX: 0000000000000000 RSI: 00000000080ea078 RDI: 00000000ffdebc20 [ 63.016243][ T8497] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 63.024193][ T8497] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 63.032150][ T8497] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 63.040127][ T8497] [ 63.042434][ T8497] Allocated by task 8497: [ 63.046741][ T8497] kasan_save_stack+0x1b/0x40 [ 63.051395][ T8497] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 63.057113][ T8497] kvmalloc_node+0x61/0xf0 [ 63.061527][ T8497] xfrm_user_rcv_msg_compat+0x3cd/0x1040 [ 63.067262][ T8497] xfrm_user_rcv_msg+0x55b/0x8b0 [ 63.072184][ T8497] netlink_rcv_skb+0x153/0x420 [ 63.076930][ T8497] xfrm_netlink_rcv+0x6b/0x90 [ 63.081589][ T8497] netlink_unicast+0x533/0x7d0 [ 63.086331][ T8497] netlink_sendmsg+0x856/0xd90 [ 63.091092][ T8497] sock_sendmsg+0xcf/0x120 [ 63.095486][ T8497] ____sys_sendmsg+0x6e8/0x810 [ 63.100235][ T8497] ___sys_sendmsg+0xf3/0x170 [ 63.104804][ T8497] __sys_sendmsg+0xe5/0x1b0 [ 63.109296][ T8497] __do_fast_syscall_32+0x56/0x80 [ 63.114300][ T8497] do_fast_syscall_32+0x2f/0x70 [ 63.119129][ T8497] entry_SYSENTER_compat_after_hwframe+0x4d/0x5c [ 63.125960][ T8497] [ 63.128276][ T8497] Last call_rcu(): [ 63.132678][ T8497] kasan_save_stack+0x1b/0x40 [ 63.137361][ T8497] kasan_record_aux_stack+0xc0/0xf0 [ 63.142557][ T8497] call_rcu+0xbb/0x700 [ 63.146618][ T8497] rht_deferred_worker+0x10f4/0x1d40 [ 63.152412][ T8497] process_one_work+0x933/0x15a0 [ 63.157355][ T8497] worker_thread+0x64c/0x1120 [ 63.162023][ T8497] kthread+0x3af/0x4a0 [ 63.166170][ T8497] ret_from_fork+0x1f/0x30 [ 63.170776][ T8497] [ 63.173088][ T8497] The buggy address belongs to the object at ffff888147aba400 [ 63.173088][ T8497] which belongs to the cache kmalloc-256 of size 256 [ 63.187135][ T8497] The buggy address is located 252 bytes inside of [ 63.187135][ T8497] 256-byte region [ffff888147aba400, ffff888147aba500) [ 63.200797][ T8497] The buggy address belongs to the page: [ 63.206417][ T8497] page:00000000e11e2d62 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888147abbe00 pfn:0x147aba [ 63.217943][ T8497] head:00000000e11e2d62 order:1 compound_mapcount:0 [ 63.224596][ T8497] flags: 0x57ff00000010200(slab|head) [ 63.229951][ T8497] raw: 057ff00000010200 ffffea000084e900 0000000700000007 ffff8880100413c0 [ 63.238600][ T8497] raw: ffff888147abbe00 000000008010000f 00000001ffffffff 0000000000000000 [ 63.247174][ T8497] page dumped because: kasan: bad access detected [ 63.253559][ T8497] [ 63.256128][ T8497] Memory state around the buggy address: [ 63.261796][ T8497] ffff888147aba380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.269842][ T8497] ffff888147aba400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 63.278674][ T8497] >ffff888147aba480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 [ 63.286734][ T8497] ^ [ 63.294771][ T8497] ffff888147aba500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.302816][ T8497] ffff888147aba580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.311479][ T8497] ================================================================== [ 63.319532][ T8497] Disabling lock debugging due to kernel taint [ 63.326366][ T8497] Kernel panic - not syncing: panic_on_warn set ... [ 63.332967][ T8497] CPU: 0 PID: 8497 Comm: syz-executor829 Tainted: G B 5.10.0-rc2-syzkaller #0 [ 63.343106][ T8497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 63.353154][ T8497] Call Trace: [ 63.356435][ T8497] dump_stack+0x107/0x163 [ 63.360761][ T8497] ? xfrm_attr_cpy32+0xc0/0x1d0 [ 63.365592][ T8497] panic+0x306/0x73d [ 63.369465][ T8497] ? __warn_printk+0xf3/0xf3 [ 63.374050][ T8497] ? preempt_schedule_common+0x59/0xc0 [ 63.379485][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 63.384397][ T8497] ? preempt_schedule_thunk+0x16/0x18 [ 63.389766][ T8497] ? trace_hardirqs_on+0x51/0x1c0 [ 63.395919][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 63.400829][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 63.405750][ T8497] end_report+0x58/0x5e [ 63.409903][ T8497] kasan_report.cold+0xd/0x37 [ 63.414643][ T8497] ? xfrm_attr_cpy32+0x15a/0x1d0 [ 63.419557][ T8497] check_memory_region+0x13d/0x180 [ 63.424642][ T8497] memset+0x20/0x40 [ 63.428456][ T8497] xfrm_attr_cpy32+0x15a/0x1d0 [ 63.433208][ T8497] xfrm_user_rcv_msg_compat+0x76b/0x1040 [ 63.438819][ T8497] ? xfrm_alloc_compat+0x10d0/0x10d0 [ 63.444088][ T8497] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 63.450068][ T8497] ? mark_lock+0xafe/0x24c0 [ 63.454554][ T8497] ? security_capable+0x8f/0xc0 [ 63.459398][ T8497] ? xfrm_alloc_compat+0x10d0/0x10d0 [ 63.464664][ T8497] xfrm_user_rcv_msg+0x55b/0x8b0 [ 63.469593][ T8497] ? mark_lock+0xf7/0x24c0 [ 63.474008][ T8497] ? xfrm_do_migrate+0x800/0x800 [ 63.478924][ T8497] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 63.484900][ T8497] ? lock_release+0x710/0x710 [ 63.489568][ T8497] ? __mutex_lock+0x626/0x10e0 [ 63.494497][ T8497] netlink_rcv_skb+0x153/0x420 [ 63.499257][ T8497] ? xfrm_do_migrate+0x800/0x800 [ 63.504169][ T8497] ? netlink_ack+0xaa0/0xaa0 [ 63.508736][ T8497] xfrm_netlink_rcv+0x6b/0x90 [ 63.513388][ T8497] netlink_unicast+0x533/0x7d0 [ 63.518129][ T8497] ? netlink_attachskb+0x810/0x810 [ 63.523229][ T8497] ? __phys_addr_symbol+0x2c/0x70 [ 63.528227][ T8497] ? __check_object_size+0x171/0x3f0 [ 63.533500][ T8497] netlink_sendmsg+0x856/0xd90 [ 63.538260][ T8497] ? netlink_unicast+0x7d0/0x7d0 [ 63.543180][ T8497] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 63.548554][ T8497] ? netlink_unicast+0x7d0/0x7d0 [ 63.553501][ T8497] sock_sendmsg+0xcf/0x120 [ 63.557981][ T8497] ____sys_sendmsg+0x6e8/0x810 [ 63.562734][ T8497] ? kernel_sendmsg+0x50/0x50 [ 63.567405][ T8497] ? do_recvmmsg+0x6c0/0x6c0 [ 63.571977][ T8497] ? find_held_lock+0x2d/0x110 [ 63.576713][ T8497] ___sys_sendmsg+0xf3/0x170 [ 63.581284][ T8497] ? sendmsg_copy_msghdr+0x160/0x160 [ 63.586560][ T8497] ? do_huge_pmd_anonymous_page+0x8e9/0x2050 [ 63.592518][ T8497] ? __fget_light+0x215/0x280 [ 63.597345][ T8497] __sys_sendmsg+0xe5/0x1b0 [ 63.601832][ T8497] ? __sys_sendmsg_sock+0xb0/0xb0 [ 63.606850][ T8497] ? syscall_enter_from_user_mode_prepare+0x13/0x20 [ 63.613461][ T8497] __do_fast_syscall_32+0x56/0x80 [ 63.618483][ T8497] do_fast_syscall_32+0x2f/0x70 [ 63.623324][ T8497] entry_SYSENTER_compat_after_hwframe+0x4d/0x5c [ 63.629637][ T8497] RIP: 0023:0xf7fb2549 [ 63.633686][ T8497] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 63.653393][ T8497] RSP: 002b:00000000ffdebbcc EFLAGS: 00000246 ORIG_RAX: 0000000000000172 [ 63.661786][ T8497] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080 [ 63.669752][ T8497] RDX: 0000000000000000 RSI: 00000000080ea078 RDI: 00000000ffdebc20 [ 63.677700][ T8497] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 63.685648][ T8497] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 63.693615][ T8497] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 63.702353][ T8497] Kernel Offset: disabled [ 63.706663][ T8497] Rebooting in 86400 seconds..