[ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.112' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 68.840446][ T7036] ================================================================== [ 68.848648][ T7036] BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x23e/0x450 [ 68.856959][ T7036] Read of size 768 at addr ffff88808d161934 by task syz-executor391/7036 [ 68.865339][ T7036] [ 68.867669][ T7036] CPU: 0 PID: 7036 Comm: syz-executor391 Not tainted 5.6.0-rc7-syzkaller #0 [ 68.876310][ T7036] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 68.886354][ T7036] Call Trace: [ 68.889648][ T7036] dump_stack+0x188/0x20d [ 68.893970][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 68.899592][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 68.905204][ T7036] print_address_description.constprop.0.cold+0xd3/0x315 [ 68.912311][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 68.917941][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 68.923556][ T7036] __kasan_report.cold+0x1a/0x32 [ 68.928505][ T7036] ? __kmalloc+0x5e0/0x7a0 [ 68.932903][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 68.938522][ T7036] kasan_report+0xe/0x20 [ 68.942746][ T7036] check_memory_region+0x128/0x190 [ 68.947909][ T7036] memcpy+0x20/0x50 [ 68.951718][ T7036] selinux_xfrm_alloc_user+0x23e/0x450 [ 68.957344][ T7036] security_xfrm_policy_alloc+0x6c/0xb0 [ 68.962886][ T7036] xfrm_policy_construct+0x2a8/0x660 [ 68.968168][ T7036] xfrm_add_acquire+0x215/0x9f0 [ 68.973018][ T7036] ? __nla_validate_parse+0x2af/0x1cd0 [ 68.978473][ T7036] ? xfrm_get_policy+0xaf0/0xaf0 [ 68.983409][ T7036] ? ns_capable_common+0xe2/0x100 [ 68.988432][ T7036] ? __nla_parse+0x2e/0x60 [ 68.992844][ T7036] ? xfrm_get_policy+0xaf0/0xaf0 [ 68.997765][ T7036] xfrm_user_rcv_msg+0x414/0x700 [ 69.002832][ T7036] ? copy_to_user_state_extra+0xca0/0xca0 [ 69.008575][ T7036] ? __lock_acquire+0x80b/0x3ca0 [ 69.013666][ T7036] ? __mutex_lock+0x458/0x13c0 [ 69.018421][ T7036] ? xfrm_netlink_rcv+0x5c/0x90 [ 69.023251][ T7036] ? mark_held_locks+0xe0/0xe0 [ 69.028031][ T7036] netlink_rcv_skb+0x15a/0x410 [ 69.032815][ T7036] ? copy_to_user_state_extra+0xca0/0xca0 [ 69.038640][ T7036] ? netlink_ack+0xa10/0xa10 [ 69.043252][ T7036] xfrm_netlink_rcv+0x6b/0x90 [ 69.047930][ T7036] netlink_unicast+0x537/0x740 [ 69.052681][ T7036] ? netlink_attachskb+0x810/0x810 [ 69.057906][ T7036] ? _copy_from_iter_full+0x25c/0x870 [ 69.063309][ T7036] netlink_sendmsg+0x882/0xe10 [ 69.068185][ T7036] ? netlink_unicast+0x740/0x740 [ 69.073128][ T7036] ? netlink_unicast+0x740/0x740 [ 69.078047][ T7036] sock_sendmsg+0xcf/0x120 [ 69.082445][ T7036] ____sys_sendmsg+0x6b9/0x7d0 [ 69.087202][ T7036] ? kernel_sendmsg+0x50/0x50 [ 69.091874][ T7036] ? mark_lock+0xbc/0x1220 [ 69.096278][ T7036] ___sys_sendmsg+0x100/0x170 [ 69.100938][ T7036] ? lockdep_hardirqs_on+0x417/0x5d0 [ 69.106225][ T7036] ? sendmsg_copy_msghdr+0x70/0x70 [ 69.111325][ T7036] ? prep_transhuge_page+0xa0/0xa0 [ 69.116516][ T7036] ? pud_val+0x7c/0xf0 [ 69.120585][ T7036] ? pmd_val+0xf0/0xf0 [ 69.124676][ T7036] ? find_held_lock+0x2d/0x110 [ 69.129646][ T7036] ? do_page_fault+0x58b/0x12da [ 69.134487][ T7036] ? apply_to_existing_page_range+0x40/0x40 [ 69.140390][ T7036] ? lock_downgrade+0x7f0/0x7f0 [ 69.145236][ T7036] ? __fget_light+0x1a5/0x270 [ 69.149907][ T7036] __sys_sendmsg+0xec/0x1b0 [ 69.154478][ T7036] ? __sys_sendmsg_sock+0xb0/0xb0 [ 69.159496][ T7036] ? mark_held_locks+0x9f/0xe0 [ 69.164437][ T7036] ? trace_hardirqs_off_caller+0x55/0x230 [ 69.170140][ T7036] ? do_syscall_64+0x21/0x7d0 [ 69.174799][ T7036] do_syscall_64+0xf6/0x7d0 [ 69.179287][ T7036] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 69.185259][ T7036] RIP: 0033:0x4405f9 [ 69.189232][ T7036] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 69.208876][ T7036] RSP: 002b:00007fffabe06278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 69.217321][ T7036] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9 [ 69.225273][ T7036] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003 [ 69.233675][ T7036] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 [ 69.241632][ T7036] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80 [ 69.249598][ T7036] R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000 [ 69.257579][ T7036] [ 69.259887][ T7036] Allocated by task 7036: [ 69.264215][ T7036] save_stack+0x1b/0x80 [ 69.268352][ T7036] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 69.274054][ T7036] __kmalloc_reserve.isra.0+0x39/0xe0 [ 69.279402][ T7036] __alloc_skb+0xef/0x5a0 [ 69.283721][ T7036] netlink_sendmsg+0x97b/0xe10 [ 69.288462][ T7036] sock_sendmsg+0xcf/0x120 [ 69.293047][ T7036] ____sys_sendmsg+0x6b9/0x7d0 [ 69.298409][ T7036] ___sys_sendmsg+0x100/0x170 [ 69.303087][ T7036] __sys_sendmsg+0xec/0x1b0 [ 69.307719][ T7036] do_syscall_64+0xf6/0x7d0 [ 69.312221][ T7036] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 69.318283][ T7036] [ 69.320681][ T7036] Freed by task 5010: [ 69.324732][ T7036] save_stack+0x1b/0x80 [ 69.329049][ T7036] __kasan_slab_free+0xf7/0x140 [ 69.334258][ T7036] kfree+0x109/0x2b0 [ 69.338148][ T7036] skb_free_head+0x8b/0xa0 [ 69.344283][ T7036] skb_release_data+0x42e/0x8b0 [ 69.349114][ T7036] skb_release_all+0x46/0x60 [ 69.353690][ T7036] consume_skb+0xf3/0x400 [ 69.358088][ T7036] netlink_unicast+0x53f/0x740 [ 69.363005][ T7036] netlink_sendmsg+0x882/0xe10 [ 69.367774][ T7036] sock_sendmsg+0xcf/0x120 [ 69.372184][ T7036] ____sys_sendmsg+0x6b9/0x7d0 [ 69.376924][ T7036] ___sys_sendmsg+0x100/0x170 [ 69.381574][ T7036] __sys_sendmsg+0xec/0x1b0 [ 69.386355][ T7036] do_syscall_64+0xf6/0x7d0 [ 69.390947][ T7036] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 69.396830][ T7036] [ 69.399139][ T7036] The buggy address belongs to the object at ffff88808d161800 [ 69.399139][ T7036] which belongs to the cache kmalloc-1k of size 1024 [ 69.413982][ T7036] The buggy address is located 308 bytes inside of [ 69.413982][ T7036] 1024-byte region [ffff88808d161800, ffff88808d161c00) [ 69.427422][ T7036] The buggy address belongs to the page: [ 69.433035][ T7036] page:ffffea0002345840 refcount:1 mapcount:0 mapping:ffff8880aa000c40 index:0x0 [ 69.442142][ T7036] flags: 0xfffe0000000200(slab) [ 69.447027][ T7036] raw: 00fffe0000000200 ffffea00023d3008 ffffea00029cb048 ffff8880aa000c40 [ 69.455770][ T7036] raw: 0000000000000000 ffff88808d161000 0000000100000002 0000000000000000 [ 69.464590][ T7036] page dumped because: kasan: bad access detected [ 69.471093][ T7036] [ 69.473503][ T7036] Memory state around the buggy address: [ 69.479122][ T7036] ffff88808d161b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.487438][ T7036] ffff88808d161b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.495655][ T7036] >ffff88808d161c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 69.503736][ T7036] ^ [ 69.507894][ T7036] ffff88808d161c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 69.515953][ T7036] ffff88808d161d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 69.525245][ T7036] ================================================================== [ 69.533305][ T7036] Disabling lock debugging due to kernel taint [ 69.540044][ T7036] Kernel panic - not syncing: panic_on_warn set ... [ 69.546639][ T7036] CPU: 0 PID: 7036 Comm: syz-executor391 Tainted: G B 5.6.0-rc7-syzkaller #0 [ 69.556869][ T7036] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 69.567263][ T7036] Call Trace: [ 69.570558][ T7036] dump_stack+0x188/0x20d [ 69.574890][ T7036] panic+0x2e3/0x75c [ 69.578780][ T7036] ? add_taint.cold+0x16/0x16 [ 69.583443][ T7036] ? preempt_schedule_common+0x5e/0xc0 [ 69.588884][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 69.594665][ T7036] ? ___preempt_schedule+0x16/0x18 [ 69.599783][ T7036] ? trace_hardirqs_on+0x55/0x220 [ 69.605130][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 69.610753][ T7036] end_report+0x43/0x49 [ 69.614901][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 69.622103][ T7036] __kasan_report.cold+0xd/0x32 [ 69.626938][ T7036] ? __kmalloc+0x5e0/0x7a0 [ 69.631343][ T7036] ? selinux_xfrm_alloc_user+0x23e/0x450 [ 69.636977][ T7036] kasan_report+0xe/0x20 [ 69.641212][ T7036] check_memory_region+0x128/0x190 [ 69.646319][ T7036] memcpy+0x20/0x50 [ 69.650128][ T7036] selinux_xfrm_alloc_user+0x23e/0x450 [ 69.655580][ T7036] security_xfrm_policy_alloc+0x6c/0xb0 [ 69.661287][ T7036] xfrm_policy_construct+0x2a8/0x660 [ 69.666742][ T7036] xfrm_add_acquire+0x215/0x9f0 [ 69.671759][ T7036] ? __nla_validate_parse+0x2af/0x1cd0 [ 69.677197][ T7036] ? xfrm_get_policy+0xaf0/0xaf0 [ 69.682122][ T7036] ? ns_capable_common+0xe2/0x100 [ 69.687126][ T7036] ? __nla_parse+0x2e/0x60 [ 69.691520][ T7036] ? xfrm_get_policy+0xaf0/0xaf0 [ 69.696430][ T7036] xfrm_user_rcv_msg+0x414/0x700 [ 69.701355][ T7036] ? copy_to_user_state_extra+0xca0/0xca0 [ 69.707414][ T7036] ? __lock_acquire+0x80b/0x3ca0 [ 69.712351][ T7036] ? __mutex_lock+0x458/0x13c0 [ 69.717106][ T7036] ? xfrm_netlink_rcv+0x5c/0x90 [ 69.721958][ T7036] ? mark_held_locks+0xe0/0xe0 [ 69.726713][ T7036] netlink_rcv_skb+0x15a/0x410 [ 69.731458][ T7036] ? copy_to_user_state_extra+0xca0/0xca0 [ 69.737688][ T7036] ? netlink_ack+0xa10/0xa10 [ 69.742284][ T7036] xfrm_netlink_rcv+0x6b/0x90 [ 69.746940][ T7036] netlink_unicast+0x537/0x740 [ 69.751680][ T7036] ? netlink_attachskb+0x810/0x810 [ 69.757022][ T7036] ? _copy_from_iter_full+0x25c/0x870 [ 69.762374][ T7036] netlink_sendmsg+0x882/0xe10 [ 69.767120][ T7036] ? netlink_unicast+0x740/0x740 [ 69.772146][ T7036] ? netlink_unicast+0x740/0x740 [ 69.777061][ T7036] sock_sendmsg+0xcf/0x120 [ 69.781507][ T7036] ____sys_sendmsg+0x6b9/0x7d0 [ 69.786265][ T7036] ? kernel_sendmsg+0x50/0x50 [ 69.790976][ T7036] ? mark_lock+0xbc/0x1220 [ 69.795389][ T7036] ___sys_sendmsg+0x100/0x170 [ 69.800158][ T7036] ? lockdep_hardirqs_on+0x417/0x5d0 [ 69.805441][ T7036] ? sendmsg_copy_msghdr+0x70/0x70 [ 69.810564][ T7036] ? prep_transhuge_page+0xa0/0xa0 [ 69.815697][ T7036] ? pud_val+0x7c/0xf0 [ 69.819744][ T7036] ? pmd_val+0xf0/0xf0 [ 69.823811][ T7036] ? find_held_lock+0x2d/0x110 [ 69.828661][ T7036] ? do_page_fault+0x58b/0x12da [ 69.833498][ T7036] ? apply_to_existing_page_range+0x40/0x40 [ 69.839383][ T7036] ? lock_downgrade+0x7f0/0x7f0 [ 69.844213][ T7036] ? __fget_light+0x1a5/0x270 [ 69.848891][ T7036] __sys_sendmsg+0xec/0x1b0 [ 69.853374][ T7036] ? __sys_sendmsg_sock+0xb0/0xb0 [ 69.858462][ T7036] ? mark_held_locks+0x9f/0xe0 [ 69.863208][ T7036] ? trace_hardirqs_off_caller+0x55/0x230 [ 69.868921][ T7036] ? do_syscall_64+0x21/0x7d0 [ 69.874273][ T7036] do_syscall_64+0xf6/0x7d0 [ 69.878761][ T7036] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 69.884628][ T7036] RIP: 0033:0x4405f9 [ 69.888502][ T7036] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 69.908084][ T7036] RSP: 002b:00007fffabe06278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 69.916769][ T7036] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9 [ 69.925623][ T7036] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003 [ 69.933937][ T7036] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 [ 69.943094][ T7036] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80 [ 69.951064][ T7036] R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000 [ 69.960519][ T7036] Kernel Offset: disabled [ 69.964843][ T7036] Rebooting in 86400 seconds..