[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.104' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   28.420193] ==================================================================
[   28.427627] BUG: KASAN: slab-out-of-bounds in tls_push_record+0x10cc/0x1270
[   28.434708] Read of size 8 at addr ffff8880ac21ea78 by task syz-executor406/7983
[   28.442214] 
[   28.443907] CPU: 0 PID: 7983 Comm: syz-executor406 Not tainted 4.14.280-syzkaller #0
[   28.451771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.461102] Call Trace:
[   28.463673]  dump_stack+0x1b2/0x281
[   28.467377]  print_address_description.cold+0x54/0x1d3
[   28.472628]  kasan_report_error.cold+0x8a/0x191
[   28.477272]  ? tls_push_record+0x10cc/0x1270
[   28.481662]  __asan_report_load8_noabort+0x68/0x70
[   28.486566]  ? tls_push_record+0x10cc/0x1270
[   28.490946]  tls_push_record+0x10cc/0x1270
[   28.495156]  ? mark_held_locks+0xa6/0xf0
[   28.499193]  ? __local_bh_enable_ip+0xc1/0x170
[   28.503750]  tls_sk_proto_close+0x6f0/0x8b0
[   28.508048]  ? trace_hardirqs_on+0x10/0x10
[   28.512257]  ? tcp_check_oom+0x440/0x440
[   28.516290]  ? tls_write_space+0x2d0/0x2d0
[   28.520503]  ? ip_mc_drop_socket+0x16/0x220
[   28.524798]  inet_release+0xdf/0x1b0
[   28.528488]  inet6_release+0x4c/0x70
[   28.532176]  __sock_release+0xcd/0x2b0
[   28.536038]  ? __sock_release+0x2b0/0x2b0
[   28.540158]  sock_close+0x15/0x20
[   28.543608]  __fput+0x25f/0x7a0
[   28.546866]  task_work_run+0x11f/0x190
[   28.550737]  do_exit+0xa44/0x2850
[   28.554166]  ? __local_bh_enable_ip+0xc1/0x170
[   28.558727]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   28.563719]  ? mm_update_next_owner+0x5b0/0x5b0
[   28.568364]  ? tls_setsockopt+0x95/0x3f0
[   28.572401]  ? do_writev+0x19f/0x2c0
[   28.576100]  do_group_exit+0x100/0x2e0
[   28.579962]  SyS_exit_group+0x19/0x20
[   28.583737]  ? do_group_exit+0x2e0/0x2e0
[   28.587774]  do_syscall_64+0x1d5/0x640
[   28.591637]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.596800] RIP: 0033:0x7fc1645e9d39
[   28.600485] RSP: 002b:00007fff17f4dc18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   28.608166] RAX: ffffffffffffffda RBX: 00007fc16465d270 RCX: 00007fc1645e9d39
[   28.615408] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   28.622651] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   28.629896] R10: 0000000000000028 R11: 0000000000000246 R12: 00007fc16465d270
[   28.637138] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   28.644385] 
[   28.645986] Allocated by task 1:
[   28.649329]  kasan_kmalloc+0xeb/0x160
[   28.653100]  __kmalloc+0x15a/0x400
[   28.656613]  cgroup_mkdir+0x1ec/0xd50
[   28.660392]  kernfs_iop_mkdir+0x158/0x1e0
[   28.664519]  vfs_mkdir+0x463/0x6e0
[   28.668036]  SyS_mkdirat+0x1fd/0x270
[   28.671722]  do_syscall_64+0x1d5/0x640
[   28.675581]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.680740] 
[   28.682342] Freed by task 22:
[   28.685427]  kasan_slab_free+0xc3/0x1a0
[   28.689374]  kfree+0xc9/0x250
[   28.692453]  scsi_target_dev_release+0x2d/0x50
[   28.697015]  device_release+0xf0/0x1a0
[   28.700876]  kobject_put+0x251/0x550
[   28.704563]  put_device+0x1c/0x30
[   28.707990]  __scsi_scan_target+0x164/0xc20
[   28.712293]  scsi_scan_channel+0x119/0x1a0
[   28.716499]  scsi_scan_host_selected+0x24f/0x330
[   28.721226]  do_scsi_scan_host+0x1db/0x250
[   28.725431]  do_scan_async+0x3e/0x4e0
[   28.729206]  async_run_entry_fn+0xc5/0x680
[   28.733413]  process_one_work+0x793/0x14a0
[   28.737626]  worker_thread+0x5cc/0xff0
[   28.741484]  kthread+0x30d/0x420
[   28.744825]  ret_from_fork+0x24/0x30
[   28.748507] 
[   28.750112] The buggy address belongs to the object at ffff8880ac21e200
[   28.750112]  which belongs to the cache kmalloc-2048 of size 2048
[   28.762915] The buggy address is located 120 bytes to the right of
[   28.762915]  2048-byte region [ffff8880ac21e200, ffff8880ac21ea00)
[   28.775365] The buggy address belongs to the page:
[   28.780273] page:ffffea0002b08780 count:1 mapcount:0 mapping:ffff8880ac21e200 index:0x0 compound_mapcount: 0
[   28.790218] flags: 0xfff00000008100(slab|head)
[   28.794779] raw: 00fff00000008100 ffff8880ac21e200 0000000000000000 0000000100000003
[   28.802634] raw: ffffea00025bea20 ffffea0002933120 ffff88813fe74c40 0000000000000000
[   28.810483] page dumped because: kasan: bad access detected
[   28.816164] 
[   28.817763] Memory state around the buggy address:
[   28.822665]  ffff8880ac21e900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.829999]  ffff8880ac21e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.837333] >ffff8880ac21ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.844665]                                                                 ^
[   28.851909]  ffff8880ac21ea80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.859241]  ffff8880ac21eb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   28.866571] ==================================================================
[   28.873901] Disabling lock debugging due to kernel taint
[   28.890348] Kernel panic - not syncing: panic_on_warn set ...
[   28.890348] 
[   28.897722] CPU: 1 PID: 7983 Comm: syz-executor406 Tainted: G    B   4.14.280-syzkaller #0
[   28.906802] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.916134] Call Trace:
[   28.918700]  dump_stack+0x1b2/0x281
[   28.922301]  panic+0x1f9/0x42d
[   28.925468]  ? add_taint.cold+0x16/0x16
[   28.929417]  ? ___preempt_schedule+0x16/0x18
[   28.933801]  kasan_end_report+0x43/0x49
[   28.937780]  kasan_report_error.cold+0xa7/0x191
[   28.942435]  ? tls_push_record+0x10cc/0x1270
[   28.946823]  __asan_report_load8_noabort+0x68/0x70
[   28.951836]  ? tls_push_record+0x10cc/0x1270
[   28.956224]  tls_push_record+0x10cc/0x1270
[   28.960439]  ? mark_held_locks+0xa6/0xf0
[   28.964475]  ? __local_bh_enable_ip+0xc1/0x170
[   28.969033]  tls_sk_proto_close+0x6f0/0x8b0
[   28.973327]  ? trace_hardirqs_on+0x10/0x10
[   28.977537]  ? tcp_check_oom+0x440/0x440
[   28.981569]  ? tls_write_space+0x2d0/0x2d0
[   28.985779]  ? ip_mc_drop_socket+0x16/0x220
[   28.990073]  inet_release+0xdf/0x1b0
[   28.993758]  inet6_release+0x4c/0x70
[   28.997446]  __sock_release+0xcd/0x2b0
[   29.001307]  ? __sock_release+0x2b0/0x2b0
[   29.005427]  sock_close+0x15/0x20
[   29.008854]  __fput+0x25f/0x7a0
[   29.012109]  task_work_run+0x11f/0x190
[   29.015984]  do_exit+0xa44/0x2850
[   29.019420]  ? __local_bh_enable_ip+0xc1/0x170
[   29.023983]  ? trace_hardirqs_on_caller+0x3a8/0x580
[   29.028995]  ? mm_update_next_owner+0x5b0/0x5b0
[   29.033646]  ? tls_setsockopt+0x95/0x3f0
[   29.037682]  ? do_writev+0x19f/0x2c0
[   29.041382]  do_group_exit+0x100/0x2e0
[   29.045256]  SyS_exit_group+0x19/0x20
[   29.049046]  ? do_group_exit+0x2e0/0x2e0
[   29.053084]  do_syscall_64+0x1d5/0x640
[   29.056952]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   29.062114] RIP: 0033:0x7fc1645e9d39
[   29.065804] RSP: 002b:00007fff17f4dc18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   29.073482] RAX: ffffffffffffffda RBX: 00007fc16465d270 RCX: 00007fc1645e9d39
[   29.080724] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   29.087965] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   29.095208] R10: 0000000000000028 R11: 0000000000000246 R12: 00007fc16465d270
[   29.102449] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   29.109883] Kernel Offset: disabled
[   29.113486] Rebooting in 86400 seconds..