[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   56.029340][ T6813] ==================================================================
[   56.037616][ T6813] BUG: KASAN: slab-out-of-bounds in xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.045879][ T6813] Read of size 4 at addr ffff888214c81c00 by task syz-executor719/6813
[   56.054112][ T6813] CPU: 1 PID: 6813 Comm: syz-executor719 Not tainted 5.8.0-rc5-next-20200716-syzkaller #0
[   56.063972][ T6813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.074036][ T6813] Call Trace:
[   56.077312][ T6813]  dump_stack+0x18f/0x20d
[   56.081625][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.087312][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.092868][ T6813]  print_address_description.constprop.0.cold+0xae/0x497
[   56.099879][ T6813]  ? xfrm6_tunnel_alloc_spi+0x1e2/0x8a0
[   56.106380][ T6813]  ? lockdep_hardirqs_off+0x66/0xa0
[   56.111562][ T6813]  ? vprintk_func+0x97/0x1a6
[   56.116134][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.121669][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.127196][ T6813]  kasan_report.cold+0x1f/0x37
[   56.131987][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.137568][ T6813]  xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.142929][ T6813]  ipcomp6_init_state+0x2af/0x700
[   56.147988][ T6813]  __xfrm_init_state+0x9a6/0x14b0
[   56.153073][ T6813]  xfrm_init_state+0x1a/0x70
[   56.157644][ T6813]  pfkey_add+0x1a10/0x2b70
[   56.162057][ T6813]  ? pfkey_get+0x700/0x700
[   56.166456][ T6813]  ? kfree_skbmem+0xef/0x1b0
[   56.171022][ T6813]  ? kfree_skb+0x7d/0x100
[   56.175329][ T6813]  ? pfkey_broadcast+0x3e1/0x630
[   56.180242][ T6813]  ? pfkey_get+0x700/0x700
[   56.184639][ T6813]  pfkey_process+0x66d/0x7a0
[   56.189212][ T6813]  ? pfkey_broadcast+0x630/0x630
[   56.194131][ T6813]  ? __mutex_lock+0x626/0x10d0
[   56.198885][ T6813]  ? _copy_from_iter_full+0x247/0x890
[   56.204262][ T6813]  ? __phys_addr+0x9a/0x110
[   56.208757][ T6813]  ? __phys_addr_symbol+0x2c/0x70
[   56.213780][ T6813]  ? __check_object_size+0x171/0x3e4
[   56.219050][ T6813]  pfkey_sendmsg+0x42d/0x800
[   56.223621][ T6813]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   56.229328][ T6813]  sock_sendmsg+0xcf/0x120
[   56.233727][ T6813]  ____sys_sendmsg+0x331/0x810
[   56.238472][ T6813]  ? kernel_sendmsg+0x50/0x50
[   56.243125][ T6813]  ? do_recvmmsg+0x6d0/0x6d0
[   56.247709][ T6813]  ? __lock_acquire+0x16e3/0x56e0
[   56.252737][ T6813]  ___sys_sendmsg+0xf3/0x170
[   56.257322][ T6813]  ? sendmsg_copy_msghdr+0x160/0x160
[   56.262614][ T6813]  ? __pagevec_lru_add_fn+0x588/0x16c0
[   56.268169][ T6813]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   56.274133][ T6813]  ? lock_acquire+0x1f1/0xad0
[   56.278797][ T6813]  ? __might_fault+0xef/0x1d0
[   56.283449][ T6813]  ? find_held_lock+0x2d/0x110
[   56.288192][ T6813]  ? __might_fault+0x11f/0x1d0
[   56.292935][ T6813]  ? lock_downgrade+0x820/0x820
[   56.297768][ T6813]  ? lock_is_held_type+0xb0/0xe0
[   56.302697][ T6813]  __sys_sendmmsg+0x195/0x480
[   56.307384][ T6813]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   56.312388][ T6813]  ? handle_mm_fault+0xb78/0x45e0
[   56.317396][ T6813]  ? sockfd_lookup_light+0xc6/0x170
[   56.322745][ T6813]  ? __sys_sendmsg+0x10c/0x1b0
[   56.327508][ T6813]  ? __sys_sendmsg_sock+0xb0/0xb0
[   56.332510][ T6813]  ? vmacache_update+0xce/0x140
[   56.337360][ T6813]  ? lock_is_held_type+0xb0/0xe0
[   56.342274][ T6813]  ? lock_is_held_type+0xb0/0xe0
[   56.347279][ T6813]  __x64_sys_sendmmsg+0x99/0x100
[   56.352210][ T6813]  ? lockdep_hardirqs_on+0x6a/0xe0
[   56.357297][ T6813]  do_syscall_64+0x60/0xe0
[   56.361693][ T6813]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   56.367564][ T6813] RIP: 0033:0x440409
[   56.371517][ T6813] Code: Bad RIP value.
[   56.375559][ T6813] RSP: 002b:00007fffb7d79f48 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[   56.383949][ T6813] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440409
[   56.391903][ T6813] RDX: 0400000000000282 RSI: 0000000020000180 RDI: 0000000000000003
[   56.399853][ T6813] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   56.407830][ T6813] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[   56.415781][ T6813] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[   56.423742][ T6813] 
[   56.423742][ T6813] Allocated by task 1:
[   56.427792][ T6813]  kasan_save_stack+0x1b/0x40
[   56.432466][ T6813]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   56.438146][ T6813]  __kmalloc+0x1a8/0x320
[   56.442373][ T6813]  arpt_alloc_initial_table+0x66/0x6a0
[   56.448182][ T6813]  arptable_filter_init+0xcd/0x149
[   56.453276][ T6813]  do_one_initcall+0x10a/0x7b0
[   56.458021][ T6813]  kernel_init_freeable+0x4f4/0x5a3
[   56.463255][ T6813]  kernel_init+0xd/0x1c0
[   56.467482][ T6813]  ret_from_fork+0x1f/0x30
[   56.471881][ T6813] 
[   56.471881][ T6813] The buggy address belongs to the object at ffff888214c81000
[   56.471881][ T6813]  which belongs to the cache kmalloc-2k of size 2048
[   56.485911][ T6813] The buggy address is located 1024 bytes to the right of
[   56.485911][ T6813]  2048-byte region [ffff888214c81000, ffff888214c81800)
[   56.500081][ T6813] The buggy address belongs to the page:
[   56.505700][ T6813] page:00000000eedb9c72 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888214c81000 pfn:0x214c81
[   56.517235][ T6813] flags: 0x57ffe0000000200(slab)
[   56.522155][ T6813] raw: 057ffe0000000200 ffffea00085e0188 ffffea0008534348 ffff8880aa000800
[   56.530724][ T6813] raw: ffff888214c81000 ffff888214c81000 0000000100000000 0000000000000000
[   56.539285][ T6813] page dumped because: kasan: bad access detected
[   56.545677][ T6813] 
[   56.545677][ T6813] Memory state around the buggy address:
[   56.551290][ T6813]  ffff888214c81b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.559332][ T6813]  ffff888214c81b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.567376][ T6813] >ffff888214c81c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.575413][ T6813]                    ^
[   56.579460][ T6813]  ffff888214c81c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.587502][ T6813]  ffff888214c81d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   56.595559][ T6813] ==================================================================
[   56.603598][ T6813] Disabling lock debugging due to kernel taint
[   56.610073][ T6813] Kernel panic - not syncing: panic_on_warn set ...
[   56.616687][ T6813] CPU: 1 PID: 6813 Comm: syz-executor719 Tainted: G    B             5.8.0-rc5-next-20200716-syzkaller #0
[   56.627965][ T6813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.638022][ T6813] Call Trace:
[   56.641307][ T6813]  dump_stack+0x18f/0x20d
[   56.645640][ T6813]  ? xfrm6_tunnel_alloc_spi+0x770/0x8a0
[   56.651229][ T6813]  panic+0x2e3/0x75c
[   56.655107][ T6813]  ? __warn_printk+0xf3/0xf3
[   56.659829][ T6813]  ? asm_common_interrupt+0x1e/0x40
[   56.665096][ T6813]  ? trace_hardirqs_on+0x55/0x220
[   56.670145][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.675668][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.681329][ T6813]  end_report+0x4d/0x53
[   56.685487][ T6813]  kasan_report.cold+0xd/0x37
[   56.690147][ T6813]  ? xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.695668][ T6813]  xfrm6_tunnel_alloc_spi+0x779/0x8a0
[   56.701021][ T6813]  ipcomp6_init_state+0x2af/0x700
[   56.706026][ T6813]  __xfrm_init_state+0x9a6/0x14b0
[   56.711028][ T6813]  xfrm_init_state+0x1a/0x70
[   56.715593][ T6813]  pfkey_add+0x1a10/0x2b70
[   56.719990][ T6813]  ? pfkey_get+0x700/0x700
[   56.724384][ T6813]  ? kfree_skbmem+0xef/0x1b0
[   56.728967][ T6813]  ? kfree_skb+0x7d/0x100
[   56.733269][ T6813]  ? pfkey_broadcast+0x3e1/0x630
[   56.738180][ T6813]  ? pfkey_get+0x700/0x700
[   56.742573][ T6813]  pfkey_process+0x66d/0x7a0
[   56.747144][ T6813]  ? pfkey_broadcast+0x630/0x630
[   56.752058][ T6813]  ? __mutex_lock+0x626/0x10d0
[   56.756818][ T6813]  ? _copy_from_iter_full+0x247/0x890
[   56.762188][ T6813]  ? __phys_addr+0x9a/0x110
[   56.766674][ T6813]  ? __phys_addr_symbol+0x2c/0x70
[   56.771678][ T6813]  ? __check_object_size+0x171/0x3e4
[   56.776973][ T6813]  pfkey_sendmsg+0x42d/0x800
[   56.781541][ T6813]  ? pfkey_send_new_mapping+0x11b0/0x11b0
[   56.787253][ T6813]  sock_sendmsg+0xcf/0x120
[   56.791675][ T6813]  ____sys_sendmsg+0x331/0x810
[   56.796426][ T6813]  ? kernel_sendmsg+0x50/0x50
[   56.801082][ T6813]  ? do_recvmmsg+0x6d0/0x6d0
[   56.805652][ T6813]  ? __lock_acquire+0x16e3/0x56e0
[   56.810667][ T6813]  ___sys_sendmsg+0xf3/0x170
[   56.815239][ T6813]  ? sendmsg_copy_msghdr+0x160/0x160
[   56.820504][ T6813]  ? __pagevec_lru_add_fn+0x588/0x16c0
[   56.825972][ T6813]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   56.831935][ T6813]  ? lock_acquire+0x1f1/0xad0
[   56.836591][ T6813]  ? __might_fault+0xef/0x1d0
[   56.841247][ T6813]  ? find_held_lock+0x2d/0x110
[   56.845988][ T6813]  ? __might_fault+0x11f/0x1d0
[   56.850732][ T6813]  ? lock_downgrade+0x820/0x820
[   56.855567][ T6813]  ? lock_is_held_type+0xb0/0xe0
[   56.860487][ T6813]  __sys_sendmmsg+0x195/0x480
[   56.865178][ T6813]  ? __ia32_sys_sendmsg+0xb0/0xb0
[   56.870186][ T6813]  ? handle_mm_fault+0xb78/0x45e0
[   56.875193][ T6813]  ? sockfd_lookup_light+0xc6/0x170
[   56.880438][ T6813]  ? __sys_sendmsg+0x10c/0x1b0
[   56.885274][ T6813]  ? __sys_sendmsg_sock+0xb0/0xb0
[   56.890322][ T6813]  ? vmacache_update+0xce/0x140
[   56.895159][ T6813]  ? lock_is_held_type+0xb0/0xe0
[   56.900080][ T6813]  ? lock_is_held_type+0xb0/0xe0
[   56.905006][ T6813]  __x64_sys_sendmmsg+0x99/0x100
[   56.909977][ T6813]  ? lockdep_hardirqs_on+0x6a/0xe0
[   56.915088][ T6813]  do_syscall_64+0x60/0xe0
[   56.919495][ T6813]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   56.925378][ T6813] RIP: 0033:0x440409
[   56.929247][ T6813] Code: Bad RIP value.
[   56.933348][ T6813] RSP: 002b:00007fffb7d79f48 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[   56.941756][ T6813] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440409
[   56.949712][ T6813] RDX: 0400000000000282 RSI: 0000000020000180 RDI: 0000000000000003
[   56.957667][ T6813] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   56.965709][ T6813] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
[   56.973774][ T6813] R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000
[   56.983046][ T6813] Kernel Offset: disabled
[   56.987373][ T6813] Rebooting in 86400 seconds..