[�[0;32m OK �[0m] Reached target Login Prompts.
[�[0;32m OK �[0m] Reached target Multi-User System.
[�[0;32m OK �[0m] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[�[0;32m OK �[0m] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.184' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.922696][ T8468] ==================================================================
[ 68.930875][ T8468] BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0
[ 68.938429][ T8468] Write of size 4 at addr ffff888027eb5018 by task syz-executor843/8468
[ 68.946736][ T8468]
[ 68.949045][ T8468] CPU: 1 PID: 8468 Comm: syz-executor843 Not tainted 5.14.0-rc1-syzkaller #0
[ 68.959004][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.969044][ T8468] Call Trace:
[ 68.972327][ T8468] dump_stack_lvl+0xcd/0x134
[ 68.976937][ T8468] print_address_description.constprop.0.cold+0x6c/0x309
[ 68.983964][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 68.989150][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 68.994333][ T8468] kasan_report.cold+0x83/0xdf
[ 68.999087][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.004291][ T8468] kasan_check_range+0x13d/0x180
[ 69.009229][ T8468] sctp_auth_shkey_hold+0x22/0xa0
[ 69.014253][ T8468] sctp_sendmsg_to_asoc+0x152e/0x2180
[ 69.019632][ T8468] ? lock_release+0x720/0x720
[ 69.024306][ T8468] ? sctp_set_owner_w+0x4d0/0x4d0
[ 69.029316][ T8468] ? do_raw_spin_lock+0x120/0x2b0
[ 69.034330][ T8468] ? mark_held_locks+0x9f/0xe0
[ 69.039081][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.045482][ T8468] ? sctp_sendmsg_check_sflags+0x1b2/0x2e0
[ 69.051373][ T8468] sctp_sendmsg+0x103b/0x1d30
[ 69.056043][ T8468] ? sctp_setsockopt+0xa5e0/0xa5e0
[ 69.061149][ T8468] ? aa_af_perm+0x230/0x230
[ 69.065639][ T8468] ? kfree+0xeb/0x650
[ 69.069613][ T8468] ? sctp_setsockopt+0x348/0xa5e0
[ 69.074711][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.080939][ T8468] inet_sendmsg+0x99/0xe0
[ 69.085259][ T8468] ? inet_send_prepare+0x4e0/0x4e0
[ 69.090357][ T8468] sock_sendmsg+0xcf/0x120
[ 69.094762][ T8468] __sys_sendto+0x21c/0x320
[ 69.099250][ T8468] ? __ia32_sys_getpeername+0xb0/0xb0
[ 69.104610][ T8468] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 69.110584][ T8468] ? kfree+0x226/0x650
[ 69.114650][ T8468] ? __context_tracking_exit+0xb8/0xe0
[ 69.120099][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.124938][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.129784][ T8468] __x64_sys_sendto+0xdd/0x1b0
[ 69.134535][ T8468] ? lockdep_hardirqs_on+0x79/0x100
[ 69.139723][ T8468] ? syscall_enter_from_user_mode+0x21/0x70
[ 69.145690][ T8468] do_syscall_64+0x35/0xb0
[ 69.150091][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.155984][ T8468] RIP: 0033:0x43efe9
[ 69.159878][ T8468] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 69.179556][ T8468] RSP: 002b:00007fff191e50c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 69.187954][ T8468] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043efe9
[ 69.196084][ T8468] RDX: 000000000000ffa0 RSI: 0000000020000140 RDI: 0000000000000003
[ 69.204042][ T8468] RBP: 0000000000402fd0 R08: 0000000000000000 R09: 0000000000000000
[ 69.212011][ T8468] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403060
[ 69.219969][ T8468] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 69.227938][ T8468]
[ 69.230245][ T8468] Allocated by task 8468:
[ 69.234576][ T8468] kasan_save_stack+0x1b/0x40
[ 69.239259][ T8468] __kasan_kmalloc+0x9b/0xd0
[ 69.243947][ T8468] sctp_auth_shkey_create+0x85/0x1f0
[ 69.249215][ T8468] sctp_auth_asoc_copy_shkeys+0x1e8/0x350
[ 69.254923][ T8468] sctp_association_new+0x1829/0x2250
[ 69.260283][ T8468] sctp_connect_new_asoc+0x1ac/0x770
[ 69.265552][ T8468] __sctp_connect+0x3d0/0xc30
[ 69.270212][ T8468] sctp_inet_connect+0x15e/0x200
[ 69.275132][ T8468] __sys_connect_file+0x155/0x1a0
[ 69.280139][ T8468] __sys_connect+0x161/0x190
[ 69.284816][ T8468] __x64_sys_connect+0x6f/0xb0
[ 69.289562][ T8468] do_syscall_64+0x35/0xb0
[ 69.293983][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.299859][ T8468]
[ 69.302166][ T8468] Freed by task 8468:
[ 69.306125][ T8468] kasan_save_stack+0x1b/0x40
[ 69.310788][ T8468] kasan_set_track+0x1c/0x30
[ 69.315361][ T8468] kasan_set_free_info+0x20/0x30
[ 69.320286][ T8468] __kasan_slab_free+0xfb/0x130
[ 69.325119][ T8468] slab_free_freelist_hook+0xdf/0x240
[ 69.330474][ T8468] kfree+0xeb/0x650
[ 69.334281][ T8468] sctp_auth_shkey_release+0x100/0x160
[ 69.339723][ T8468] sctp_auth_set_key+0x508/0x6d0
[ 69.344644][ T8468] sctp_setsockopt+0x4919/0xa5e0
[ 69.349566][ T8468] __sys_setsockopt+0x2db/0x610
[ 69.354401][ T8468] __x64_sys_setsockopt+0xba/0x150
[ 69.359502][ T8468] do_syscall_64+0x35/0xb0
[ 69.363911][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.369808][ T8468]
[ 69.372117][ T8468] The buggy address belongs to the object at ffff888027eb5000
[ 69.372117][ T8468] which belongs to the cache kmalloc-32 of size 32
[ 69.385977][ T8468] The buggy address is located 24 bytes inside of
[ 69.385977][ T8468] 32-byte region [ffff888027eb5000, ffff888027eb5020)
[ 69.399060][ T8468] The buggy address belongs to the page:
[ 69.404694][ T8468] page:ffffea00009fad40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27eb5
[ 69.414833][ T8468] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 69.422898][ T8468] raw: 00fff00000000200 ffffea000056e240 0000000d0000000d ffff888010841500
[ 69.431480][ T8468] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 69.440325][ T8468] page dumped because: kasan: bad access detected
[ 69.446723][ T8468] page_owner tracks the page as allocated
[ 69.452418][ T8468] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 15828671942, free_ts 14464854502
[ 69.468024][ T8468] get_page_from_freelist+0xa72/0x2f80
[ 69.473494][ T8468] __alloc_pages+0x1b2/0x500
[ 69.478153][ T8468] alloc_pages+0x18c/0x2a0
[ 69.482556][ T8468] allocate_slab+0x32b/0x4c0
[ 69.487143][ T8468] ___slab_alloc+0x4ba/0x820
[ 69.491728][ T8468] __slab_alloc.constprop.0+0xa7/0xf0
[ 69.497085][ T8468] __kmalloc+0x312/0x330
[ 69.501413][ T8468] tomoyo_encode2.part.0+0xe9/0x3a0
[ 69.506596][ T8468] tomoyo_encode+0x28/0x50
[ 69.511617][ T8468] tomoyo_realpath_from_path+0x186/0x620
[ 69.517251][ T8468] tomoyo_check_open_permission+0x272/0x380
[ 69.523136][ T8468] tomoyo_file_open+0xa3/0xd0
[ 69.527803][ T8468] security_file_open+0x52/0x4f0
[ 69.532778][ T8468] do_dentry_open+0x353/0x11d0
[ 69.537533][ T8468] path_openat+0x1c23/0x27f0
[ 69.542109][ T8468] do_filp_open+0x1aa/0x400
[ 69.546694][ T8468] page last free stack trace:
[ 69.551350][ T8468] free_pcp_prepare+0x2c5/0x780
[ 69.556239][ T8468] free_unref_page+0x19/0x690
[ 69.560904][ T8468] kasan_depopulate_vmalloc_pte+0x5c/0x70
[ 69.566616][ T8468] __apply_to_page_range+0x694/0x1080
[ 69.572004][ T8468] kasan_release_vmalloc+0xa7/0xc0
[ 69.577116][ T8468] __purge_vmap_area_lazy+0x8f9/0x1c50
[ 69.582563][ T8468] _vm_unmap_aliases.part.0+0x3f0/0x500
[ 69.588096][ T8468] vm_unmap_aliases+0x47/0x50
[ 69.592781][ T8468] change_page_attr_set_clr+0x241/0x500
[ 69.598312][ T8468] set_memory_nx+0xb2/0x110
[ 69.602806][ T8468] free_init_pages+0x73/0xc0
[ 69.607385][ T8468] kernel_init+0x24/0x1d0
[ 69.611714][ T8468] ret_from_fork+0x1f/0x30
[ 69.616119][ T8468]
[ 69.618423][ T8468] Memory state around the buggy address:
[ 69.624038][ T8468] ffff888027eb4f00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 69.632092][ T8468] ffff888027eb4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.640135][ T8468] >ffff888027eb5000: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 69.648184][ T8468] ^
[ 69.653024][ T8468] ffff888027eb5080: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 69.661075][ T8468] ffff888027eb5100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 69.669118][ T8468] ==================================================================
[ 69.677160][ T8468] Disabling lock debugging due to kernel taint
[ 69.683432][ T8468] Kernel panic - not syncing: panic_on_warn set ...
[ 69.690027][ T8468] CPU: 0 PID: 8468 Comm: syz-executor843 Tainted: G B 5.14.0-rc1-syzkaller #0
[ 69.700179][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.710362][ T8468] Call Trace:
[ 69.713636][ T8468] dump_stack_lvl+0xcd/0x134
[ 69.718229][ T8468] panic+0x306/0x73d
[ 69.722146][ T8468] ? __warn_printk+0xf3/0xf3
[ 69.726756][ T8468] ? preempt_schedule_common+0x59/0xc0
[ 69.732220][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.737421][ T8468] ? preempt_schedule_thunk+0x16/0x18
[ 69.742795][ T8468] ? trace_hardirqs_on+0x38/0x1c0
[ 69.747815][ T8468] ? trace_hardirqs_on+0x51/0x1c0
[ 69.752841][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.758042][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.763247][ T8468] end_report.cold+0x5a/0x5a
[ 69.767851][ T8468] kasan_report.cold+0x71/0xdf
[ 69.772719][ T8468] ? sctp_auth_shkey_hold+0x22/0xa0
[ 69.777925][ T8468] kasan_check_range+0x13d/0x180
[ 69.782871][ T8468] sctp_auth_shkey_hold+0x22/0xa0
[ 69.787900][ T8468] sctp_sendmsg_to_asoc+0x152e/0x2180
[ 69.793277][ T8468] ? lock_release+0x720/0x720
[ 69.798212][ T8468] ? sctp_set_owner_w+0x4d0/0x4d0
[ 69.803237][ T8468] ? do_raw_spin_lock+0x120/0x2b0
[ 69.808275][ T8468] ? mark_held_locks+0x9f/0xe0
[ 69.813036][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.819268][ T8468] ? sctp_sendmsg_check_sflags+0x1b2/0x2e0
[ 69.825072][ T8468] sctp_sendmsg+0x103b/0x1d30
[ 69.829748][ T8468] ? sctp_setsockopt+0xa5e0/0xa5e0
[ 69.834873][ T8468] ? aa_af_perm+0x230/0x230
[ 69.839541][ T8468] ? kfree+0xeb/0x650
[ 69.843616][ T8468] ? sctp_setsockopt+0x348/0xa5e0
[ 69.848638][ T8468] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.854887][ T8468] inet_sendmsg+0x99/0xe0
[ 69.859211][ T8468] ? inet_send_prepare+0x4e0/0x4e0
[ 69.864337][ T8468] sock_sendmsg+0xcf/0x120
[ 69.868746][ T8468] __sys_sendto+0x21c/0x320
[ 69.873243][ T8468] ? __ia32_sys_getpeername+0xb0/0xb0
[ 69.878606][ T8468] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 69.884580][ T8468] ? kfree+0x226/0x650
[ 69.888657][ T8468] ? __context_tracking_exit+0xb8/0xe0
[ 69.894112][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.898951][ T8468] ? lock_downgrade+0x6e0/0x6e0
[ 69.903794][ T8468] __x64_sys_sendto+0xdd/0x1b0
[ 69.908550][ T8468] ? lockdep_hardirqs_on+0x79/0x100
[ 69.913744][ T8468] ? syscall_enter_from_user_mode+0x21/0x70
[ 69.919634][ T8468] do_syscall_64+0x35/0xb0
[ 69.924042][ T8468] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.929952][ T8468] RIP: 0033:0x43efe9
[ 69.933936][ T8468] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 69.953531][ T8468] RSP: 002b:00007fff191e50c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 69.962028][ T8468] RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 000000000043efe9
[ 69.969998][ T8468] RDX: 000000000000ffa0 RSI: 0000000020000140 RDI: 0000000000000003
[ 69.977955][ T8468] RBP: 0000000000402fd0 R08: 0000000000000000 R09: 0000000000000000
[ 69.985924][ T8468] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403060
[ 69.993882][ T8468] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 70.003134][ T8468] Kernel Offset: disabled
[ 70.007452][ T8468] Rebooting in 86400 seconds..