INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 29.472535] ================================================================== [ 29.480042] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x4c7/0x530 [ 29.487228] Read of size 8 at addr ffff8801b58626d0 by task syzkaller106428/4452 [ 29.494747] [ 29.496372] CPU: 1 PID: 4452 Comm: syzkaller106428 Not tainted 4.17.0-rc1+ #10 [ 29.503719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.513067] Call Trace: [ 29.515665] dump_stack+0x1b9/0x294 [ 29.519292] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.524477] ? printk+0x9e/0xba [ 29.527749] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 29.532498] ? kasan_check_write+0x14/0x20 [ 29.536726] print_address_description+0x6c/0x20b [ 29.541560] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 29.546053] kasan_report.cold.7+0x242/0x2fe [ 29.550459] __asan_report_load8_noabort+0x14/0x20 [ 29.555380] __sctp_v6_cmp_addr+0x4c7/0x530 [ 29.559697] sctp_inet6_cmp_addr+0x169/0x1a0 [ 29.564105] sctp_bind_addr_conflict+0x28c/0x470 [ 29.568863] ? sctp_bind_addr_match+0x400/0x400 [ 29.573532] ? kasan_check_write+0x14/0x20 [ 29.577762] ? do_raw_spin_lock+0xc1/0x200 [ 29.581995] sctp_get_port_local+0x9fc/0x1540 [ 29.586524] ? print_irqtrace_events+0x95/0x1fa [ 29.591184] ? sctp_set_owner_w+0x530/0x530 [ 29.595498] ? kasan_check_read+0x11/0x20 [ 29.599642] ? rcu_is_watching+0x85/0x140 [ 29.603781] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 29.608970] ? sctp_bind_addr_match+0x2c6/0x400 [ 29.613635] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 29.618475] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.624004] ? sctp_v4_available+0x1b1/0x200 [ 29.628443] ? sctp_inet6_bind_verify+0xb2/0x500 [ 29.633222] sctp_do_bind+0x21c/0x5f0 [ 29.637023] sctp_bindx_add+0x90/0x1a0 [ 29.640913] sctp_setsockopt_bindx+0x2ad/0x320 [ 29.645486] sctp_setsockopt+0x12c4/0x7000 [ 29.649714] ? __lock_acquire+0x7f5/0x5140 [ 29.653947] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 29.659651] ? debug_check_no_locks_freed+0x310/0x310 [ 29.664838] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.670544] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 29.675676] ? futex_wait+0x5c1/0x9f0 [ 29.679475] ? futex_wait_setup+0x400/0x400 [ 29.683790] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 29.689009] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.694543] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 29.699637] ? futex_wake+0x2f6/0x750 [ 29.703431] ? get_futex_key+0x1e90/0x1e90 [ 29.707657] ? graph_lock+0x170/0x170 [ 29.711458] ? sock_alloc_file+0x1f3/0x4e0 [ 29.715689] ? __sys_socket+0x16f/0x250 [ 29.719655] ? __x64_sys_socket+0x73/0xb0 [ 29.723798] ? find_held_lock+0x36/0x1c0 [ 29.727855] ? lock_downgrade+0x8e0/0x8e0 [ 29.731999] ? kasan_check_read+0x11/0x20 [ 29.736149] ? rcu_is_watching+0x85/0x140 [ 29.740288] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 29.745508] ? __fget+0x40c/0x650 [ 29.748988] ? expand_files.part.8+0x9a0/0x9a0 [ 29.753595] ? lock_downgrade+0x8e0/0x8e0 [ 29.757736] ? kasan_check_read+0x11/0x20 [ 29.761886] ? __lock_is_held+0xb5/0x140 [ 29.765939] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 29.771122] ? __fget_light+0x2ef/0x430 [ 29.775094] ? fget_raw+0x20/0x20 [ 29.778542] ? get_unused_fd_flags+0x190/0x190 [ 29.783119] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.788646] ? alloc_file+0x44/0x3e0 [ 29.792373] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.797962] ? sock_alloc_file+0x2a4/0x4e0 [ 29.802214] sock_common_setsockopt+0x9a/0xe0 [ 29.806716] __sys_setsockopt+0x1bd/0x390 [ 29.810857] ? kernel_accept+0x310/0x310 [ 29.814912] ? do_futex+0x27d0/0x27d0 [ 29.818707] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 29.823287] __x64_sys_setsockopt+0xbe/0x150 [ 29.827719] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.832729] do_syscall_64+0x1b1/0x800 [ 29.836612] ? finish_task_switch+0x1ca/0x810 [ 29.841144] ? syscall_return_slowpath+0x5c0/0x5c0 [ 29.846072] ? syscall_return_slowpath+0x30f/0x5c0 [ 29.850995] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 29.856355] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.861192] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.866370] RIP: 0033:0x445839 [ 29.869554] RSP: 002b:00007fbe3f0fdd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 29.877515] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445839 [ 29.884775] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 29.892046] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000a6fe [ 29.899485] R10: 00000000205ba000 R11: 0000000000000246 R12: 0000000000000000 [ 29.906744] R13: 00007ffc1404827f R14: 00007fbe3f0fe9c0 R15: 0000000000000003 [ 29.914015] [ 29.915641] Allocated by task 4452: [ 29.919267] save_stack+0x43/0xd0 [ 29.922709] kasan_kmalloc+0xc4/0xe0 [ 29.926459] __kmalloc_node+0x47/0x70 [ 29.930252] kvmalloc_node+0x6b/0x100 [ 29.934051] vmemdup_user+0x2d/0xa0 [ 29.937675] sctp_setsockopt_bindx+0x5d/0x320 [ 29.942159] sctp_setsockopt+0x12c4/0x7000 [ 29.946385] sock_common_setsockopt+0x9a/0xe0 [ 29.950872] __sys_setsockopt+0x1bd/0x390 [ 29.955014] __x64_sys_setsockopt+0xbe/0x150 [ 29.959421] do_syscall_64+0x1b1/0x800 [ 29.963301] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.968507] [ 29.970127] Freed by task 2818: [ 29.973399] save_stack+0x43/0xd0 [ 29.976843] __kasan_slab_free+0x11a/0x170 [ 29.981099] kasan_slab_free+0xe/0x10 [ 29.984889] kfree+0xd9/0x260 [ 29.988022] single_release+0x8f/0xb0 [ 29.991852] __fput+0x34d/0x890 [ 29.995125] ____fput+0x15/0x20 [ 29.998394] task_work_run+0x1e4/0x290 [ 30.002274] exit_to_usermode_loop+0x2bd/0x310 [ 30.006846] do_syscall_64+0x6ac/0x800 [ 30.010753] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.015930] [ 30.017549] The buggy address belongs to the object at ffff8801b58626c0 [ 30.017549] which belongs to the cache kmalloc-32 of size 32 [ 30.030031] The buggy address is located 16 bytes inside of [ 30.030031] 32-byte region [ffff8801b58626c0, ffff8801b58626e0) [ 30.041732] The buggy address belongs to the page: [ 30.046654] page:ffffea0006d61880 count:1 mapcount:0 mapping:ffff8801b5862000 index:0xffff8801b5862fc1 [ 30.056089] flags: 0x2fffc0000000100(slab) [ 30.060319] raw: 02fffc0000000100 ffff8801b5862000 ffff8801b5862fc1 0000000100000032 [ 30.068193] raw: ffffea0006ddd1e0 ffffea0006dd2860 ffff8801da8001c0 0000000000000000 [ 30.076062] page dumped because: kasan: bad access detected [ 30.081761] [ 30.083375] Memory state around the buggy address: [ 30.088294] ffff8801b5862580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 30.095643] ffff8801b5862600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 30.102989] >ffff8801b5862680: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc [ 30.110336] ^ [ 30.116294] ffff8801b5862700: 00 00 00 00 fc fc fc fc 00 00 04 fc fc fc fc fc [ 30.123645] ffff8801b5862780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 30.131080] ================================================================== [ 30.138432] Disabling lock debugging due to kernel taint [ 30.143904] Kernel panic - not syncing: panic_on_warn set ... [ 30.143904] [ 30.151278] CPU: 1 PID: 4452 Comm: syzkaller106428 Tainted: G B 4.17.0-rc1+ #10 [ 30.160028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.169379] Call Trace: [ 30.171958] dump_stack+0x1b9/0x294 [ 30.175582] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.180768] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.185516] ? __sctp_v6_cmp_addr+0x4a0/0x530 [ 30.190000] panic+0x22f/0x4de [ 30.193187] ? add_taint.cold.5+0x16/0x16 [ 30.197327] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.201725] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.206113] ? __sctp_v6_cmp_addr+0x4c7/0x530 [ 30.210587] kasan_end_report+0x47/0x4f [ 30.214540] kasan_report.cold.7+0x76/0x2fe [ 30.218854] __asan_report_load8_noabort+0x14/0x20 [ 30.223764] __sctp_v6_cmp_addr+0x4c7/0x530 [ 30.228067] sctp_inet6_cmp_addr+0x169/0x1a0 [ 30.232456] sctp_bind_addr_conflict+0x28c/0x470 [ 30.237205] ? sctp_bind_addr_match+0x400/0x400 [ 30.241853] ? kasan_check_write+0x14/0x20 [ 30.246068] ? do_raw_spin_lock+0xc1/0x200 [ 30.250281] sctp_get_port_local+0x9fc/0x1540 [ 30.254771] ? print_irqtrace_events+0x95/0x1fa [ 30.259419] ? sctp_set_owner_w+0x530/0x530 [ 30.263729] ? kasan_check_read+0x11/0x20 [ 30.267857] ? rcu_is_watching+0x85/0x140 [ 30.271982] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.277156] ? sctp_bind_addr_match+0x2c6/0x400 [ 30.281804] ? sctp_bind_addrs_to_raw+0x370/0x370 [ 30.286629] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.292144] ? sctp_v4_available+0x1b1/0x200 [ 30.296542] ? sctp_inet6_bind_verify+0xb2/0x500 [ 30.301279] sctp_do_bind+0x21c/0x5f0 [ 30.305060] sctp_bindx_add+0x90/0x1a0 [ 30.308926] sctp_setsockopt_bindx+0x2ad/0x320 [ 30.313485] sctp_setsockopt+0x12c4/0x7000 [ 30.317701] ? __lock_acquire+0x7f5/0x5140 [ 30.321916] ? sctp_setsockopt_paddr_thresholds+0x560/0x560 [ 30.327612] ? debug_check_no_locks_freed+0x310/0x310 [ 30.332783] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.338298] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 30.343380] ? futex_wait+0x5c1/0x9f0 [ 30.347162] ? futex_wait_setup+0x400/0x400 [ 30.351467] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 30.356639] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.362155] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 30.367236] ? futex_wake+0x2f6/0x750 [ 30.371023] ? get_futex_key+0x1e90/0x1e90 [ 30.375262] ? graph_lock+0x170/0x170 [ 30.379046] ? sock_alloc_file+0x1f3/0x4e0 [ 30.383270] ? __sys_socket+0x16f/0x250 [ 30.387225] ? __x64_sys_socket+0x73/0xb0 [ 30.391350] ? find_held_lock+0x36/0x1c0 [ 30.395389] ? lock_downgrade+0x8e0/0x8e0 [ 30.399515] ? kasan_check_read+0x11/0x20 [ 30.403644] ? rcu_is_watching+0x85/0x140 [ 30.407781] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.413066] ? __fget+0x40c/0x650 [ 30.416498] ? expand_files.part.8+0x9a0/0x9a0 [ 30.421059] ? lock_downgrade+0x8e0/0x8e0 [ 30.425190] ? kasan_check_read+0x11/0x20 [ 30.429317] ? __lock_is_held+0xb5/0x140 [ 30.433359] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 30.438530] ? __fget_light+0x2ef/0x430 [ 30.442483] ? fget_raw+0x20/0x20 [ 30.446167] ? get_unused_fd_flags+0x190/0x190 [ 30.450817] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.456332] ? alloc_file+0x44/0x3e0 [ 30.460035] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.465561] ? sock_alloc_file+0x2a4/0x4e0 [ 30.469781] sock_common_setsockopt+0x9a/0xe0 [ 30.474260] __sys_setsockopt+0x1bd/0x390 [ 30.478384] ? kernel_accept+0x310/0x310 [ 30.482426] ? do_futex+0x27d0/0x27d0 [ 30.486207] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 30.490768] __x64_sys_setsockopt+0xbe/0x150 [ 30.495156] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.500154] do_syscall_64+0x1b1/0x800 [ 30.504029] ? finish_task_switch+0x1ca/0x810 [ 30.508511] ? syscall_return_slowpath+0x5c0/0x5c0 [ 30.513421] ? syscall_return_slowpath+0x30f/0x5c0 [ 30.518332] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 30.523676] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.528497] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.533670] RIP: 0033:0x445839 [ 30.536846] RSP: 002b:00007fbe3f0fdd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 [ 30.544532] RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445839 [ 30.551779] RDX: 0000000000000064 RSI: 0000000000000084 RDI: 0000000000000004 [ 30.559031] RBP: 00000000006dac20 R08: 0000000000000010 R09: 000000000000a6fe [ 30.566279] R10: 00000000205ba000 R11: 0000000000000246 R12: 0000000000000000 [ 30.573523] R13: 00007ffc1404827f R14: 00007fbe3f0fe9c0 R15: 0000000000000003 [ 30.581264] Dumping ftrace buffer: [ 30.584790] (ftrace buffer empty) [ 30.588474] Kernel Offset: disabled [ 30.592078] Rebooting in 86400 seconds..