[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.36' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.162031][ T6548] ==================================================================
[ 73.170314][ T6548] BUG: KASAN: slab-out-of-bounds in sk_psock_get+0x123/0x410
[ 73.177700][ T6548] Read of size 4 at addr ffff8880247142b8 by task syz-executor272/6548
[ 73.186396][ T6548]
[ 73.188737][ T6548] CPU: 0 PID: 6548 Comm: syz-executor272 Not tainted 5.15.0-rc1-syzkaller #0
[ 73.197505][ T6548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.207666][ T6548] Call Trace:
[ 73.210969][ T6548] dump_stack_lvl+0xcd/0x134
[ 73.215817][ T6548] print_address_description.constprop.0.cold+0x6c/0x309
[ 73.222840][ T6548] ? sk_psock_get+0x123/0x410
[ 73.227510][ T6548] ? sk_psock_get+0x123/0x410
[ 73.232199][ T6548] kasan_report.cold+0x83/0xdf
[ 73.236959][ T6548] ? sk_psock_get+0x123/0x410
[ 73.241624][ T6548] kasan_check_range+0x13d/0x180
[ 73.246556][ T6548] sk_psock_get+0x123/0x410
[ 73.251052][ T6548] ? tls_encrypt_done+0x560/0x560
[ 73.256073][ T6548] ? aa_profile_af_perm+0x2e0/0x2e0
[ 73.261284][ T6548] tls_sw_recvmsg+0x19e/0x1670
[ 73.266050][ T6548] ? __lock_acquire+0x162f/0x54a0
[ 73.271079][ T6548] ? decrypt_skb+0xc0/0xc0
[ 73.275500][ T6548] ? aa_sk_perm+0x311/0xab0
[ 73.280011][ T6548] inet_recvmsg+0x11b/0x5e0
[ 73.284512][ T6548] ? inet_sendpage+0x140/0x140
[ 73.289288][ T6548] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.295533][ T6548] ? security_socket_recvmsg+0x8f/0xc0
[ 73.300995][ T6548] ? inet_sendpage+0x140/0x140
[ 73.305766][ T6548] ____sys_recvmsg+0x2c4/0x600
[ 73.310543][ T6548] ? kernel_recvmsg+0x160/0x160
[ 73.315388][ T6548] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.321618][ T6548] ? __import_iovec+0x2b5/0x580
[ 73.326466][ T6548] ? import_iovec+0x10c/0x150
[ 73.331147][ T6548] ___sys_recvmsg+0x127/0x200
[ 73.335817][ T6548] ? __copy_msghdr_from_user+0x4b0/0x4b0
[ 73.341450][ T6548] ? mark_lock+0xef/0x17b0
[ 73.345858][ T6548] ? lock_chain_count+0x20/0x20
[ 73.350705][ T6548] ? lockdep_hardirqs_on+0x79/0x100
[ 73.355897][ T6548] ? kcm_ioctl+0xee6/0x1180
[ 73.360409][ T6548] ? __local_bh_enable_ip+0xa0/0x120
[ 73.365688][ T6548] ? kcm_ioctl+0xb5/0x1180
[ 73.370113][ T6548] ? tomoyo_path_number_perm+0x24e/0x590
[ 73.375749][ T6548] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.381998][ T6548] ? __fget_light+0x215/0x280
[ 73.386684][ T6548] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 73.392920][ T6548] do_recvmmsg+0x24d/0x6d0
[ 73.397334][ T6548] ? ___sys_recvmsg+0x200/0x200
[ 73.402176][ T6548] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.408147][ T6548] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.414129][ T6548] ? __context_tracking_exit+0xb8/0xe0
[ 73.419592][ T6548] ? lock_downgrade+0x6e0/0x6e0
[ 73.424435][ T6548] ? lock_downgrade+0x6e0/0x6e0
[ 73.429280][ T6548] __x64_sys_recvmmsg+0x20b/0x260
[ 73.434298][ T6548] ? __do_sys_socketcall+0x590/0x590
[ 73.439574][ T6548] ? syscall_enter_from_user_mode+0x21/0x70
[ 73.445459][ T6548] do_syscall_64+0x35/0xb0
[ 73.449866][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.455752][ T6548] RIP: 0033:0x7ff9ad0f1689
[ 73.460202][ T6548] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 73.479985][ T6548] RSP: 002b:00007fff2cb7ea18 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[ 73.488472][ T6548] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff9ad0f1689
[ 73.496446][ T6548] RDX: 000000000000000a RSI: 00000000200030c0 RDI: 0000000000000005
[ 73.504403][ T6548] RBP: 00007ff9ad0b5670 R08: 0000000000000000 R09: 0000000000000000
[ 73.512363][ T6548] R10: 0000000000010000 R11: 0000000000000246 R12: 00007ff9ad0b5700
[ 73.520320][ T6548] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 73.528302][ T6548]
[ 73.530614][ T6548] Allocated by task 6548:
[ 73.534921][ T6548] kasan_save_stack+0x1b/0x40
[ 73.539592][ T6548] __kasan_slab_alloc+0x83/0xb0
[ 73.544432][ T6548] kmem_cache_alloc+0x209/0x390
[ 73.549284][ T6548] kcm_ioctl+0x7f1/0x1180
[ 73.553603][ T6548] sock_do_ioctl+0xcc/0x230
[ 73.558102][ T6548] sock_ioctl+0x2f1/0x640
[ 73.562435][ T6548] __x64_sys_ioctl+0x193/0x200
[ 73.567208][ T6548] do_syscall_64+0x35/0xb0
[ 73.571615][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.577515][ T6548]
[ 73.579822][ T6548] Last potentially related work creation:
[ 73.585516][ T6548] kasan_save_stack+0x1b/0x40
[ 73.590201][ T6548] kasan_record_aux_stack+0xe9/0x110
[ 73.595476][ T6548] insert_work+0x48/0x370
[ 73.599796][ T6548] __queue_work+0x5ca/0xee0
[ 73.604306][ T6548] queue_work_on+0xee/0x110
[ 73.608802][ T6548] kcm_ioctl+0xede/0x1180
[ 73.613122][ T6548] sock_do_ioctl+0xcc/0x230
[ 73.617614][ T6548] sock_ioctl+0x2f1/0x640
[ 73.621933][ T6548] __x64_sys_ioctl+0x193/0x200
[ 73.626690][ T6548] do_syscall_64+0x35/0xb0
[ 73.631092][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.636984][ T6548]
[ 73.639289][ T6548] The buggy address belongs to the object at ffff888024714000
[ 73.639289][ T6548] which belongs to the cache kcm_psock_cache of size 568
[ 73.653679][ T6548] The buggy address is located 128 bytes to the right of
[ 73.653679][ T6548] 568-byte region [ffff888024714000, ffff888024714238)
[ 73.667567][ T6548] The buggy address belongs to the page:
[ 73.673191][ T6548] page:ffffea000091c500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24714
[ 73.683345][ T6548] head:ffffea000091c500 order:2 compound_mapcount:0 compound_pincount:0
[ 73.691672][ T6548] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.699653][ T6548] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888147930140
[ 73.708443][ T6548] raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000
[ 73.717029][ T6548] page dumped because: kasan: bad access detected
[ 73.723437][ T6548] page_owner tracks the page as allocated
[ 73.729165][ T6548] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6548, ts 73161895412, free_ts 73161458429
[ 73.748339][ T6548] get_page_from_freelist+0xa72/0x2f80
[ 73.753794][ T6548] __alloc_pages+0x1b2/0x500
[ 73.758374][ T6548] alloc_pages+0x1a7/0x300
[ 73.762783][ T6548] new_slab+0x319/0x490
[ 73.766929][ T6548] ___slab_alloc+0x921/0xfe0
[ 73.771506][ T6548] __slab_alloc.constprop.0+0x4d/0xa0
[ 73.776869][ T6548] kmem_cache_alloc+0x365/0x390
[ 73.781722][ T6548] kcm_ioctl+0x7f1/0x1180
[ 73.786041][ T6548] sock_do_ioctl+0xcc/0x230
[ 73.790529][ T6548] sock_ioctl+0x2f1/0x640
[ 73.794862][ T6548] __x64_sys_ioctl+0x193/0x200
[ 73.799624][ T6548] do_syscall_64+0x35/0xb0
[ 73.804035][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.809929][ T6548] page last free stack trace:
[ 73.814582][ T6548] free_pcp_prepare+0x2c5/0x780
[ 73.819422][ T6548] free_unref_page+0x19/0x690
[ 73.824101][ T6548] stack_depot_save+0x162/0x4e0
[ 73.828939][ T6548] kasan_save_stack+0x32/0x40
[ 73.833607][ T6548] __kasan_kmalloc+0xa4/0xd0
[ 73.838184][ T6548] crypto_aead_setkey+0x15c/0x290
[ 73.843210][ T6548] tls_set_sw_offload+0x96d/0x1390
[ 73.848330][ T6548] tls_setsockopt+0xb48/0xe60
[ 73.853011][ T6548] __sys_setsockopt+0x2db/0x610
[ 73.857855][ T6548] __x64_sys_setsockopt+0xba/0x150
[ 73.862955][ T6548] do_syscall_64+0x35/0xb0
[ 73.867362][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.873247][ T6548]
[ 73.875552][ T6548] Memory state around the buggy address:
[ 73.881252][ T6548] ffff888024714180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 73.889481][ T6548] ffff888024714200: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 73.897530][ T6548] >ffff888024714280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.905571][ T6548] ^
[ 73.911443][ T6548] ffff888024714300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.919491][ T6548] ffff888024714380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.927534][ T6548] ==================================================================
[ 73.935575][ T6548] Disabling lock debugging due to kernel taint
[ 73.942069][ T6548] Kernel panic - not syncing: panic_on_warn set ...
[ 73.948661][ T6548] CPU: 0 PID: 6548 Comm: syz-executor272 Tainted: G B 5.15.0-rc1-syzkaller #0
[ 73.958822][ T6548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.968872][ T6548] Call Trace:
[ 73.972160][ T6548] dump_stack_lvl+0xcd/0x134
[ 73.976753][ T6548] panic+0x2b0/0x6dd
[ 73.980641][ T6548] ? __warn_printk+0xf3/0xf3
[ 73.985246][ T6548] ? preempt_schedule_common+0x59/0xc0
[ 73.990709][ T6548] ? sk_psock_get+0x123/0x410
[ 73.995385][ T6548] ? preempt_schedule_thunk+0x16/0x18
[ 74.000846][ T6548] ? trace_hardirqs_on+0x38/0x1c0
[ 74.005866][ T6548] ? trace_hardirqs_on+0x51/0x1c0
[ 74.010895][ T6548] ? sk_psock_get+0x123/0x410
[ 74.015579][ T6548] ? sk_psock_get+0x123/0x410
[ 74.020268][ T6548] end_report.cold+0x63/0x6f
[ 74.024879][ T6548] kasan_report.cold+0x71/0xdf
[ 74.029678][ T6548] ? sk_psock_get+0x123/0x410
[ 74.034354][ T6548] kasan_check_range+0x13d/0x180
[ 74.039292][ T6548] sk_psock_get+0x123/0x410
[ 74.043797][ T6548] ? tls_encrypt_done+0x560/0x560
[ 74.048818][ T6548] ? aa_profile_af_perm+0x2e0/0x2e0
[ 74.054026][ T6548] tls_sw_recvmsg+0x19e/0x1670
[ 74.058788][ T6548] ? __lock_acquire+0x162f/0x54a0
[ 74.063812][ T6548] ? decrypt_skb+0xc0/0xc0
[ 74.068255][ T6548] ? aa_sk_perm+0x311/0xab0
[ 74.072867][ T6548] inet_recvmsg+0x11b/0x5e0
[ 74.077367][ T6548] ? inet_sendpage+0x140/0x140
[ 74.082127][ T6548] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.088372][ T6548] ? security_socket_recvmsg+0x8f/0xc0
[ 74.093828][ T6548] ? inet_sendpage+0x140/0x140
[ 74.098589][ T6548] ____sys_recvmsg+0x2c4/0x600
[ 74.103354][ T6548] ? kernel_recvmsg+0x160/0x160
[ 74.108204][ T6548] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.114453][ T6548] ? __import_iovec+0x2b5/0x580
[ 74.119312][ T6548] ? import_iovec+0x10c/0x150
[ 74.123993][ T6548] ___sys_recvmsg+0x127/0x200
[ 74.128668][ T6548] ? __copy_msghdr_from_user+0x4b0/0x4b0
[ 74.134311][ T6548] ? mark_lock+0xef/0x17b0
[ 74.138729][ T6548] ? lock_chain_count+0x20/0x20
[ 74.143577][ T6548] ? lockdep_hardirqs_on+0x79/0x100
[ 74.148770][ T6548] ? kcm_ioctl+0xee6/0x1180
[ 74.153273][ T6548] ? __local_bh_enable_ip+0xa0/0x120
[ 74.158557][ T6548] ? kcm_ioctl+0xb5/0x1180
[ 74.162971][ T6548] ? tomoyo_path_number_perm+0x24e/0x590
[ 74.168608][ T6548] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.174846][ T6548] ? __fget_light+0x215/0x280
[ 74.179519][ T6548] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[ 74.185771][ T6548] do_recvmmsg+0x24d/0x6d0
[ 74.190191][ T6548] ? ___sys_recvmsg+0x200/0x200
[ 74.195039][ T6548] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.201018][ T6548] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 74.207089][ T6548] ? __context_tracking_exit+0xb8/0xe0
[ 74.212548][ T6548] ? lock_downgrade+0x6e0/0x6e0
[ 74.217396][ T6548] ? lock_downgrade+0x6e0/0x6e0
[ 74.222246][ T6548] __x64_sys_recvmmsg+0x20b/0x260
[ 74.227269][ T6548] ? __do_sys_socketcall+0x590/0x590
[ 74.232557][ T6548] ? syscall_enter_from_user_mode+0x21/0x70
[ 74.238469][ T6548] do_syscall_64+0x35/0xb0
[ 74.242886][ T6548] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.248784][ T6548] RIP: 0033:0x7ff9ad0f1689
[ 74.253195][ T6548] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 74.272797][ T6548] RSP: 002b:00007fff2cb7ea18 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[ 74.281207][ T6548] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff9ad0f1689
[ 74.289175][ T6548] RDX: 000000000000000a RSI: 00000000200030c0 RDI: 0000000000000005
[ 74.297224][ T6548] RBP: 00007ff9ad0b5670 R08: 0000000000000000 R09: 0000000000000000
[ 74.305193][ T6548] R10: 0000000000010000 R11: 0000000000000246 R12: 00007ff9ad0b5700
[ 74.313159][ T6548] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 74.321407][ T6548] Kernel Offset: disabled
[ 74.325723][ T6548] Rebooting in 86400 seconds..