[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.174' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.024277] ==================================================================
[ 29.031719] BUG: KASAN: slab-out-of-bounds in tls_push_record+0x10cc/0x1270
[ 29.038809] Read of size 8 at addr ffff8880b377ca38 by task syz-executor388/7950
[ 29.046313]
[ 29.047922] CPU: 0 PID: 7950 Comm: syz-executor388 Not tainted 4.14.304-syzkaller #0
[ 29.055784] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 29.065133] Call Trace:
[ 29.067704] dump_stack+0x1b2/0x281
[ 29.071310] print_address_description.cold+0x54/0x1d3
[ 29.076564] kasan_report_error.cold+0x8a/0x191
[ 29.081221] ? tls_push_record+0x10cc/0x1270
[ 29.085611] __asan_report_load8_noabort+0x68/0x70
[ 29.090521] ? tls_push_record+0x10cc/0x1270
[ 29.094902] tls_push_record+0x10cc/0x1270
[ 29.099126] ? mark_held_locks+0xa6/0xf0
[ 29.103197] ? __local_bh_enable_ip+0xc1/0x170
[ 29.107789] tls_sk_proto_close+0x6f0/0x8b0
[ 29.112101] ? trace_hardirqs_on+0x10/0x10
[ 29.116322] ? tcp_check_oom+0x440/0x440
[ 29.120389] ? tls_write_space+0x2d0/0x2d0
[ 29.124612] ? ip_mc_drop_socket+0x16/0x220
[ 29.128927] inet_release+0xdf/0x1b0
[ 29.132619] inet6_release+0x4c/0x70
[ 29.136313] __sock_release+0xcd/0x2b0
[ 29.140180] ? __sock_release+0x2b0/0x2b0
[ 29.144302] sock_close+0x15/0x20
[ 29.147732] __fput+0x25f/0x7a0
[ 29.151004] task_work_run+0x11f/0x190
[ 29.154869] do_exit+0xa44/0x2850
[ 29.158363] ? __do_page_fault+0x571/0xad0
[ 29.162600] ? mm_update_next_owner+0x5b0/0x5b0
[ 29.167267] ? lock_downgrade+0x740/0x740
[ 29.171411] do_group_exit+0x100/0x2e0
[ 29.175278] SyS_exit_group+0x19/0x20
[ 29.179076] ? do_group_exit+0x2e0/0x2e0
[ 29.183119] do_syscall_64+0x1d5/0x640
[ 29.186990] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.192170] RIP: 0033:0x7ff321800da9
[ 29.195867] RSP: 002b:00007fff97b58ac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.203662] RAX: ffffffffffffffda RBX: 00007ff321874270 RCX: 00007ff321800da9
[ 29.210917] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 29.218177] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 29.225528] R10: 0000000000000028 R11: 0000000000000246 R12: 00007ff321874270
[ 29.232779] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 29.240045]
[ 29.241659] Allocated by task 7950:
[ 29.245338] kasan_kmalloc+0xeb/0x160
[ 29.249128] __kmalloc+0x15a/0x400
[ 29.252656] rw_copy_check_uvector+0x226/0x2b0
[ 29.257245] import_iovec+0x94/0x360
[ 29.260961] vfs_writev+0xae/0x290
[ 29.264501] do_writev+0xfc/0x2c0
[ 29.267941] do_syscall_64+0x1d5/0x640
[ 29.271804] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.276966]
[ 29.278568] Freed by task 7950:
[ 29.281822] kasan_slab_free+0xc3/0x1a0
[ 29.285771] kfree+0xc9/0x250
[ 29.288849] vfs_writev+0x18d/0x290
[ 29.292447] do_writev+0xfc/0x2c0
[ 29.295873] do_syscall_64+0x1d5/0x640
[ 29.299733] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.304891]
[ 29.306513] The buggy address belongs to the object at ffff8880b377c1c0
[ 29.306513] which belongs to the cache kmalloc-2048 of size 2048
[ 29.319340] The buggy address is located 120 bytes to the right of
[ 29.319340] 2048-byte region [ffff8880b377c1c0, ffff8880b377c9c0)
[ 29.331970] The buggy address belongs to the page:
[ 29.336892] page:ffffea0002cddf00 count:1 mapcount:0 mapping:ffff8880b377c1c0 index:0x0 compound_mapcount: 0
[ 29.346858] flags: 0xfff00000008100(slab|head)
[ 29.351529] raw: 00fff00000008100 ffff8880b377c1c0 0000000000000000 0000000100000003
[ 29.359388] raw: ffffea0002cc19a0 ffffea0002579aa0 ffff88813fe74c40 0000000000000000
[ 29.367251] page dumped because: kasan: bad access detected
[ 29.372957]
[ 29.374572] Memory state around the buggy address:
[ 29.379488] ffff8880b377c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.386843] ffff8880b377c980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.394267] >ffff8880b377ca00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 29.401696] ^
[ 29.406869] ffff8880b377ca80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.414208] ffff8880b377cb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.421567] ==================================================================
[ 29.428896] Disabling lock debugging due to kernel taint
[ 29.437353] Kernel panic - not syncing: panic_on_warn set ...
[ 29.437353]
[ 29.444718] CPU: 1 PID: 7950 Comm: syz-executor388 Tainted: G B 4.14.304-syzkaller #0
[ 29.453822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 29.463158] Call Trace:
[ 29.465741] dump_stack+0x1b2/0x281
[ 29.469341] panic+0x1f9/0x42d
[ 29.472508] ? add_taint.cold+0x16/0x16
[ 29.476468] ? ___preempt_schedule+0x16/0x18
[ 29.481033] kasan_end_report+0x43/0x49
[ 29.485004] kasan_report_error.cold+0xa7/0x191
[ 29.489663] ? tls_push_record+0x10cc/0x1270
[ 29.494049] __asan_report_load8_noabort+0x68/0x70
[ 29.498956] ? tls_push_record+0x10cc/0x1270
[ 29.503343] tls_push_record+0x10cc/0x1270
[ 29.507558] ? mark_held_locks+0xa6/0xf0
[ 29.511592] ? __local_bh_enable_ip+0xc1/0x170
[ 29.516159] tls_sk_proto_close+0x6f0/0x8b0
[ 29.520466] ? trace_hardirqs_on+0x10/0x10
[ 29.524671] ? tcp_check_oom+0x440/0x440
[ 29.528707] ? tls_write_space+0x2d0/0x2d0
[ 29.532916] ? ip_mc_drop_socket+0x16/0x220
[ 29.537220] inet_release+0xdf/0x1b0
[ 29.540910] inet6_release+0x4c/0x70
[ 29.544595] __sock_release+0xcd/0x2b0
[ 29.548459] ? __sock_release+0x2b0/0x2b0
[ 29.552590] sock_close+0x15/0x20
[ 29.556026] __fput+0x25f/0x7a0
[ 29.559279] task_work_run+0x11f/0x190
[ 29.563210] do_exit+0xa44/0x2850
[ 29.566636] ? __do_page_fault+0x571/0xad0
[ 29.570842] ? mm_update_next_owner+0x5b0/0x5b0
[ 29.575484] ? lock_downgrade+0x740/0x740
[ 29.579604] do_group_exit+0x100/0x2e0
[ 29.583465] SyS_exit_group+0x19/0x20
[ 29.587254] ? do_group_exit+0x2e0/0x2e0
[ 29.591289] do_syscall_64+0x1d5/0x640
[ 29.595148] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 29.600422] RIP: 0033:0x7ff321800da9
[ 29.604110] RSP: 002b:00007fff97b58ac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 29.611989] RAX: ffffffffffffffda RBX: 00007ff321874270 RCX: 00007ff321800da9
[ 29.619243] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 29.626503] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 29.633763] R10: 0000000000000028 R11: 0000000000000246 R12: 00007ff321874270
[ 29.641018] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 29.648755] Kernel Offset: disabled
[ 29.652379] Rebooting in 86400 seconds..