Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 62.261272][ T7226] ==================================================================
[ 62.269466][ T7226] BUG: KASAN: slab-out-of-bounds in fl6_update_dst+0x2bb/0x2c0
[ 62.277138][ T7226] Read of size 16 at addr ffff8880a6bc2cd8 by task syz-executor799/7226
[ 62.285491][ T7226]
[ 62.287823][ T7226] CPU: 1 PID: 7226 Comm: syz-executor799 Not tainted 5.7.0-rc4-syzkaller #0
[ 62.296469][ T7226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.306505][ T7226] Call Trace:
[ 62.309789][ T7226]  dump_stack+0x188/0x20d
[ 62.314103][ T7226]  print_address_description.constprop.0.cold+0xd3/0x315
[ 62.321107][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.325963][ T7226]  __kasan_report.cold+0x35/0x4d
[ 62.330921][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.335756][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.340592][ T7226]  kasan_report+0x33/0x50
[ 62.345030][ T7226]  fl6_update_dst+0x2bb/0x2c0
[ 62.349696][ T7226]  sctp_v6_get_dst+0x5e7/0x1c30
[ 62.354531][ T7226]  ? _get_random_bytes+0x183/0x420
[ 62.359649][ T7226]  ? sctp_v6_copy_addrlist+0x650/0x650
[ 62.365087][ T7226]  ? mark_held_locks+0x9f/0xe0
[ 62.369836][ T7226]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 62.375624][ T7226]  ? memset+0x20/0x40
[ 62.379606][ T7226]  ? sctp_transport_route+0x125/0x350
[ 62.384962][ T7226]  sctp_transport_route+0x125/0x350
[ 62.390165][ T7226]  sctp_assoc_add_peer+0x5a0/0x1030
[ 62.395355][ T7226]  sctp_connect_new_asoc+0x19b/0x580
[ 62.400627][ T7226]  ? security_sctp_bind_connect+0x8e/0xc0
[ 62.406330][ T7226]  sctp_sendmsg+0x1396/0x1f30
[ 62.411007][ T7226]  ? __might_fault+0x11f/0x1d0
[ 62.415778][ T7226]  ? __sctp_setsockopt_connectx+0x180/0x180
[ 62.421677][ T7226]  ? aa_af_perm+0x260/0x260
[ 62.426164][ T7226]  ? import_iovec+0x236/0x3d0
[ 62.430842][ T7226]  inet_sendmsg+0x99/0xe0
[ 62.435171][ T7226]  ? inet_send_prepare+0x4d0/0x4d0
[ 62.440353][ T7226]  sock_sendmsg+0xcf/0x120
[ 62.444880][ T7226]  ____sys_sendmsg+0x308/0x7e0
[ 62.449660][ T7226]  ? kernel_sendmsg+0x50/0x50
[ 62.454562][ T7226]  ___sys_sendmsg+0x100/0x170
[ 62.459237][ T7226]  ? sendmsg_copy_msghdr+0x70/0x70
[ 62.464365][ T7226]  ? __fget_files+0x32f/0x500
[ 62.469056][ T7226]  ? do_futex+0x167/0x1ad0
[ 62.473461][ T7226]  ? __fget_light+0x20e/0x270
[ 62.478124][ T7226]  __sys_sendmmsg+0x195/0x480
[ 62.482805][ T7226]  ? __ia32_sys_sendmsg+0xb0/0xb0
[ 62.487833][ T7226]  ? aa_af_perm+0x260/0x260
[ 62.492391][ T7226]  ? fput_many+0x2f/0x1a0
[ 62.496708][ T7226]  ? __sys_setsockopt+0x2eb/0x480
[ 62.501890][ T7226]  ? __x64_sys_futex+0x376/0x4f0
[ 62.506812][ T7226]  ? __x64_sys_futex+0x380/0x4f0
[ 62.511983][ T7226]  ? switch_fpu_return+0x1db/0x4b0
[ 62.517079][ T7226]  ? fpregs_mark_activate+0x320/0x320
[ 62.522463][ T7226]  __x64_sys_sendmmsg+0x99/0x100
[ 62.527486][ T7226]  ? lockdep_hardirqs_on+0x463/0x620
[ 62.532756][ T7226]  do_syscall_64+0xf6/0x7d0
[ 62.537246][ T7226]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 62.543139][ T7226] RIP: 0033:0x445979
[ 62.547011][ T7226] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.566618][ T7226] RSP: 002b:00007fc8d5b22d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 62.575018][ T7226] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445979
[ 62.583073][ T7226] RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000003
[ 62.591043][ T7226] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[ 62.599093][ T7226] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[ 62.607044][ T7226] R13: 0502020000000000 R14: 0000000000000000 R15: 00000000010402ff
[ 62.615006][ T7226]
[ 62.617340][ T7226] Allocated by task 7226:
[ 62.621666][ T7226]  save_stack+0x1b/0x40
[ 62.625810][ T7226]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.631433][ T7226]  __kmalloc+0x161/0x7a0
[ 62.635659][ T7226]  sock_kmalloc+0xb5/0x100
[ 62.640054][ T7226]  ipv6_renew_options+0x274/0x940
[ 62.645076][ T7226]  do_ipv6_setsockopt.isra.0+0x2eaf/0x42f0
[ 62.650859][ T7226]  ipv6_setsockopt+0xfb/0x180
[ 62.655515][ T7226]  sctp_setsockopt+0x13e/0x7090
[ 62.660344][ T7226]  __sys_setsockopt+0x248/0x480
[ 62.665168][ T7226]  __x64_sys_setsockopt+0xba/0x150
[ 62.670277][ T7226]  do_syscall_64+0xf6/0x7d0
[ 62.674773][ T7226]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 62.680634][ T7226]
[ 62.682938][ T7226] Freed by task 5242:
[ 62.686898][ T7226]  save_stack+0x1b/0x40
[ 62.691030][ T7226]  __kasan_slab_free+0xf7/0x140
[ 62.695962][ T7226]  kfree+0x109/0x2b0
[ 62.699836][ T7226]  tomoyo_path_perm+0x236/0x400
[ 62.704682][ T7226]  security_inode_getattr+0xeb/0x150
[ 62.709947][ T7226]  vfs_getattr+0x22/0x60
[ 62.714163][ T7226]  vfs_statx_fd+0x6a/0xb0
[ 62.718485][ T7226]  __do_sys_newfstat+0x8b/0x100
[ 62.723315][ T7226]  do_syscall_64+0xf6/0x7d0
[ 62.727797][ T7226]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 62.733661][ T7226]
[ 62.735972][ T7226] The buggy address belongs to the object at ffff8880a6bc2c80
[ 62.735972][ T7226]  which belongs to the cache kmalloc-96 of size 96
[ 62.749843][ T7226] The buggy address is located 88 bytes inside of
[ 62.749843][ T7226]  96-byte region [ffff8880a6bc2c80, ffff8880a6bc2ce0)
[ 62.762932][ T7226] The buggy address belongs to the page:
[ 62.768547][ T7226] page:ffffea00029af080 refcount:1 mapcount:0 mapping:0000000048fbe195 index:0xffff8880a6bc2e00
[ 62.778937][ T7226] flags: 0xfffe0000000200(slab)
[ 62.783772][ T7226] raw: 00fffe0000000200 ffff8880aa001440 ffffea000274adc8 ffff8880aa000540
[ 62.792353][ T7226] raw: ffff8880a6bc2e00 ffff8880a6bc2000 000000010000001c 0000000000000000
[ 62.800913][ T7226] page dumped because: kasan: bad access detected
[ 62.807318][ T7226]
[ 62.809624][ T7226] Memory state around the buggy address:
[ 62.815235][ T7226]  ffff8880a6bc2b80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 62.823273][ T7226]  ffff8880a6bc2c00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 62.831314][ T7226] >ffff8880a6bc2c80: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 62.839365][ T7226]                                                     ^
[ 62.846276][ T7226]  ffff8880a6bc2d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 62.854315][ T7226]  ffff8880a6bc2d80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 62.862352][ T7226] ==================================================================
[ 62.870388][ T7226] Disabling lock debugging due to kernel taint
[ 62.876914][ T7226] Kernel panic - not syncing: panic_on_warn set ...
[ 62.883519][ T7226] CPU: 1 PID: 7226 Comm: syz-executor799 Tainted: G B 5.7.0-rc4-syzkaller #0
[ 62.893578][ T7226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.903666][ T7226] Call Trace:
[ 62.906963][ T7226]  dump_stack+0x188/0x20d
[ 62.911288][ T7226]  panic+0x2e3/0x75c
[ 62.915160][ T7226]  ? add_taint.cold+0x16/0x16
[ 62.919833][ T7226]  ? preempt_schedule_common+0x5e/0xc0
[ 62.925269][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.930097][ T7226]  ? preempt_schedule_thunk+0x16/0x18
[ 62.935447][ T7226]  ? trace_hardirqs_on+0x55/0x220
[ 62.940448][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.945272][ T7226]  end_report+0x4d/0x53
[ 62.949405][ T7226]  __kasan_report.cold+0xd/0x4d
[ 62.954232][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.959062][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.963889][ T7226]  kasan_report+0x33/0x50
[ 62.968195][ T7226]  fl6_update_dst+0x2bb/0x2c0
[ 62.972853][ T7226]  sctp_v6_get_dst+0x5e7/0x1c30
[ 62.977681][ T7226]  ? _get_random_bytes+0x183/0x420
[ 62.982773][ T7226]  ? sctp_v6_copy_addrlist+0x650/0x650
[ 62.988211][ T7226]  ? mark_held_locks+0x9f/0xe0
[ 62.992952][ T7226]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 62.998734][ T7226]  ? memset+0x20/0x40
[ 63.002718][ T7226]  ? sctp_transport_route+0x125/0x350
[ 63.008079][ T7226]  sctp_transport_route+0x125/0x350
[ 63.013273][ T7226]  sctp_assoc_add_peer+0x5a0/0x1030
[ 63.018469][ T7226]  sctp_connect_new_asoc+0x19b/0x580
[ 63.023735][ T7226]  ? security_sctp_bind_connect+0x8e/0xc0
[ 63.029446][ T7226]  sctp_sendmsg+0x1396/0x1f30
[ 63.034100][ T7226]  ? __might_fault+0x11f/0x1d0
[ 63.038843][ T7226]  ? __sctp_setsockopt_connectx+0x180/0x180
[ 63.044718][ T7226]  ? aa_af_perm+0x260/0x260
[ 63.049215][ T7226]  ? import_iovec+0x236/0x3d0
[ 63.053870][ T7226]  inet_sendmsg+0x99/0xe0
[ 63.058178][ T7226]  ? inet_send_prepare+0x4d0/0x4d0
[ 63.063266][ T7226]  sock_sendmsg+0xcf/0x120
[ 63.067675][ T7226]  ____sys_sendmsg+0x308/0x7e0
[ 63.072417][ T7226]  ? kernel_sendmsg+0x50/0x50
[ 63.077075][ T7226]  ___sys_sendmsg+0x100/0x170
[ 63.081728][ T7226]  ? sendmsg_copy_msghdr+0x70/0x70
[ 63.086816][ T7226]  ? __fget_files+0x32f/0x500
[ 63.091474][ T7226]  ? do_futex+0x167/0x1ad0
[ 63.095903][ T7226]  ? __fget_light+0x20e/0x270
[ 63.100570][ T7226]  __sys_sendmmsg+0x195/0x480
[ 63.105229][ T7226]  ? __ia32_sys_sendmsg+0xb0/0xb0
[ 63.110245][ T7226]  ? aa_af_perm+0x260/0x260
[ 63.114726][ T7226]  ? fput_many+0x2f/0x1a0
[ 63.119030][ T7226]  ? __sys_setsockopt+0x2eb/0x480
[ 63.124031][ T7226]  ? __x64_sys_futex+0x376/0x4f0
[ 63.128960][ T7226]  ? __x64_sys_futex+0x380/0x4f0
[ 63.133895][ T7226]  ? switch_fpu_return+0x1db/0x4b0
[ 63.138982][ T7226]  ? fpregs_mark_activate+0x320/0x320
[ 63.144344][ T7226]  __x64_sys_sendmmsg+0x99/0x100
[ 63.149258][ T7226]  ? lockdep_hardirqs_on+0x463/0x620
[ 63.154516][ T7226]  do_syscall_64+0xf6/0x7d0
[ 63.159005][ T7226]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.164885][ T7226] RIP: 0033:0x445979
[ 63.168770][ T7226] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 63.188348][ T7226] RSP: 002b:00007fc8d5b22d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 63.196732][ T7226] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445979
[ 63.204677][ T7226] RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000003
[ 63.212622][ T7226] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[ 63.220587][ T7226] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[ 63.228553][ T7226] R13: 0502020000000000 R14: 0000000000000000 R15: 00000000010402ff
[ 63.238054][ T7226] Kernel Offset: disabled
[ 63.242376][ T7226] Rebooting in 86400 seconds..
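The report above carries more than the one-line "slab-out-of-bounds" verdict, and the arithmetic is worth doing before reading any source. The read is 16 bytes at offset 88 of a 96-byte kmalloc-96 region, so it runs 8 bytes past the slab object; but the guilty shadow row shows only eleven addressable granules (11 x 8 = 88 bytes) before the 0xfc redzone, so the buffer ipv6_renew_options actually requested was at most 88 bytes and the read begins exactly where the requested allocation ends. The "? " frames in the traces are stale stack slots and should not be treated as callers, and the "Freed by task 5242" stack through tomoyo_path_perm describes the slot's previous occupant: for an out-of-bounds read (as opposed to a use-after-free) it is not part of the bug. The 16-byte size is the size of one IPv6 address, which is consistent with fl6_update_dst copying an address out of the socket's routing-header option, though the log alone does not prove the root cause. The helper below, added here and not part of the kernel, syzkaller or syzbot, performs that triage from raw console text: it parses the KASAN header, the three stacks and the shadow rows, then reports the offset, the overrun past the region, the addressable size recovered from the shadow, the reliable call chain with KASAN and allocator plumbing removed, and the syscall named by ORIG_RAX (the table holds only the two x86-64 numbers this log shows). The excerpt it runs on is a constructed subset of the lines above; all function and field names are this example's own.

```python
"""Triage helper for KASAN slab-out-of-bounds reports (added example, not kernel or syzbot code)."""
import re
from dataclasses import dataclass, field

KERN_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
INFRA = ("print_address_description", "__kasan_", "kasan_report", "dump_stack",
         "save_stack", "__kmalloc", "sock_kmalloc", "kfree")  # KASAN/allocator plumbing frames
X86_64_SYSCALLS = {0x36: "setsockopt", 0x133: "sendmmsg"}  # partial table: only numbers this log shows

# Constructed excerpt of the report above; kernel log prefixes kept so the parser sees raw console text.
SAMPLE_REPORT = """\
[ 62.269466][ T7226] BUG: KASAN: slab-out-of-bounds in fl6_update_dst+0x2bb/0x2c0
[ 62.277138][ T7226] Read of size 16 at addr ffff8880a6bc2cd8 by task syz-executor799/7226
[ 62.306505][ T7226] Call Trace:
[ 62.321107][ T7226]  ? fl6_update_dst+0x2bb/0x2c0
[ 62.340592][ T7226]  kasan_report+0x33/0x50
[ 62.345030][ T7226]  fl6_update_dst+0x2bb/0x2c0
[ 62.349696][ T7226]  sctp_v6_get_dst+0x5e7/0x1c30
[ 62.406330][ T7226]  sctp_sendmsg+0x1396/0x1f30
[ 62.566618][ T7226] RSP: 002b:00007fc8d5b22d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 62.617340][ T7226] Allocated by task 7226:
[ 62.631433][ T7226]  __kmalloc+0x161/0x7a0
[ 62.635659][ T7226]  sock_kmalloc+0xb5/0x100
[ 62.640054][ T7226]  ipv6_renew_options+0x274/0x940
[ 62.682938][ T7226] Freed by task 5242:
[ 62.695962][ T7226]  kfree+0x109/0x2b0
[ 62.699836][ T7226]  tomoyo_path_perm+0x236/0x400
[ 62.735972][ T7226] The buggy address belongs to the object at ffff8880a6bc2c80
[ 62.735972][ T7226]  which belongs to the cache kmalloc-96 of size 96
[ 62.831314][ T7226] >ffff8880a6bc2c80: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
"""


@dataclass
class Report:
    bug: str = ""
    access_size: int = 0
    access_addr: int = 0
    obj_addr: int = 0
    obj_size: int = 0
    orig_rax: int = -1
    stacks: dict = field(default_factory=dict)  # "Call Trace" / "Allocated" / "Freed" -> frames
    shadow: dict = field(default_factory=dict)  # shadow row address -> its 16 shadow bytes


def parse_report(text):
    r, section = Report(), None
    for raw in text.splitlines():
        line = KERN_PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in", line):
            r.bug = m.group(1)
        elif m := re.match(r"(?:Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access_size, r.access_addr = int(m.group(1)), int(m.group(2), 16)
        elif m := re.match(r"(Call Trace|Allocated|Freed)", line):
            # The panic path prints a second Call Trace; keep only the first of each kind.
            section = None if m.group(1) in r.stacks else m.group(1)
            if section:
                r.stacks[section] = []
        elif m := re.match(r"RSP: .*ORIG_RAX: ([0-9a-f]+)", line):
            r.orig_rax, section = int(m.group(1), 16), None
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_addr, section = int(m.group(1), 16), None
        elif m := re.match(r"which belongs to the cache \S+ of size (\d+)", line):
            r.obj_size = int(m.group(1))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            r.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := re.match(r"(\??\s*\S+\+0x[0-9a-f]+/0x[0-9a-f]+)", line)):
            r.stacks[section].append(m.group(1))  # '? ' frames are kept, tagged by the prefix
    return r


def call_chain(frames):
    """Reliable frames only ('? ' marks a stale stack slot), with KASAN/allocator plumbing removed."""
    return [f.split("+")[0] for f in frames if not (f.startswith("?") or f.startswith(INFRA))]


def usable_bytes(r):
    """Bytes KASAN left addressable from the object start: the requested size rounded up to 8."""
    base = r.obj_addr & ~0x7F  # one shadow row covers 128 bytes of memory
    granules = r.shadow.get(base, []) + r.shadow.get(base + 128, [])
    idx, n = (r.obj_addr - base) // 8, 0
    while idx + n < len(granules) and granules[idx + n] == 0:
        n += 1
    partial = granules[idx + n] if idx + n < len(granules) and granules[idx + n] < 8 else 0
    return n * 8 + partial if granules else None


def summarize(text):
    r = parse_report(text)
    usable, offset = usable_bytes(r), r.access_addr - r.obj_addr
    return {
        "bug": r.bug,
        "offset_in_object": offset,
        "bytes_past_region": max(0, offset + r.access_size - r.obj_size),
        "usable_bytes": usable,
        "starts_in_redzone": usable is not None and offset >= usable,
        "chain": call_chain(r.stacks.get("Call Trace", [])),
        "alloc_site": (call_chain(r.stacks.get("Allocated", [])) or [None])[0],
        "free_stack_relevant": r.bug == "use-after-free",  # for an OOB it is only the slot's previous occupant
        "syscall": X86_64_SYSCALLS.get(r.orig_rax, f"nr {r.orig_rax}"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Feeding the full console log in gives the same result: the second, panic-path Call Trace is ignored because only the first trace of each kind is kept, and register, Code: and page-dump lines never match the frame pattern. On this report the summary says offset 88, 8 bytes past the region, 88 usable bytes, read starting in the redzone, chain fl6_update_dst > sctp_v6_get_dst > ..., allocation site ipv6_renew_options, syscall sendmmsg.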