[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.224' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   61.480160][ T6822] netlink: 8 bytes leftover after parsing attributes in process `syz-executor275'.
[   61.485043][ T6827] netlink: 8 bytes leftover after parsing attributes in process `syz-executor275'.
[   61.498754][ T6828] netlink: 8 bytes leftover after parsing attributes in process `syz-executor275'.
[   61.502609][ T6829] netlink: 8 bytes leftover after parsing attributes in process `syz-executor275'.
[   61.511449][ T6830] netlink: 8 bytes leftover after parsing attributes in process `syz-executor275'.
[   61.524548][ T6829] ==================================================================
[   61.536914][ T6829] BUG: KASAN: use-after-free in tipc_nl_publ_dump+0xae0/0xce0
[   61.544360][ T6829] Read of size 2 at addr ffff888096c51a84 by task syz-executor275/6829
[   61.552575][ T6829] 
[   61.554888][ T6829] CPU: 0 PID: 6829 Comm: syz-executor275 Not tainted 5.8.0-rc2-next-20200626-syzkaller #0
[   61.564857][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.574923][ T6829] Call Trace:
[   61.578200][ T6829]  dump_stack+0x18f/0x20d
[   61.582515][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   61.588165][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   61.593259][ T6829]  print_address_description.constprop.0.cold+0xae/0x436
[   61.600271][ T6829]  ? lockdep_hardirqs_off+0x66/0xa0
[   61.605455][ T6829]  ? vprintk_func+0x97/0x1a6
[   61.610025][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   61.615153][ T6829]  kasan_report.cold+0x1f/0x37
[   61.619900][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   61.624989][ T6829]  tipc_nl_publ_dump+0xae0/0xce0
[   61.629918][ T6829]  ? __mutex_lock+0x626/0x10d0
[   61.634679][ T6829]  ? tipc_nl_sk_dump+0x30/0x30
[   61.639500][ T6829]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   61.645270][ T6829]  ? kmem_cache_alloc_node_trace+0x4c2/0x590
[   61.651335][ T6829]  ? __kmalloc_node_track_caller+0x38/0x60
[   61.657127][ T6829]  ? kasan_unpoison_shadow+0x33/0x40
[   61.662419][ T6829]  ? __phys_addr+0x9a/0x110
[   61.666904][ T6829]  ? memset+0x20/0x40
[   61.670892][ T6829]  genl_lock_dumpit+0x7f/0xb0
[   61.675554][ T6829]  netlink_dump+0x4cd/0xf60
[   61.680075][ T6829]  ? netlink_insert+0x1670/0x1670
[   61.685081][ T6829]  ? __mutex_unlock_slowpath+0xe2/0x610
[   61.690627][ T6829]  ? genl_start+0x45a/0x6e0
[   61.695116][ T6829]  __netlink_dump_start+0x643/0x900
[   61.700311][ T6829]  ? genl_rcv_msg+0x9e0/0x9e0
[   61.705244][ T6829]  ? tipc_nl_sk_dump+0x30/0x30
[   61.710119][ T6829]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[   61.716330][ T6829]  ? genl_rcv+0x40/0x40
[   61.720632][ T6829]  ? mutex_lock_io_nested+0xf60/0xf60
[   61.726003][ T6829]  ? mark_lock+0xbc/0x1710
[   61.730462][ T6829]  ? genl_rcv_msg+0x9e0/0x9e0
[   61.735118][ T6829]  ? genl_unlock+0x20/0x20
[   61.739518][ T6829]  ? genl_parallel_done+0x170/0x170
[   61.745051][ T6829]  ? __radix_tree_lookup+0x1f3/0x290
[   61.750333][ T6829]  genl_rcv_msg+0x797/0x9e0
[   61.754832][ T6829]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   61.761923][ T6829]  ? lock_acquire+0x1f1/0xad0
[   61.766585][ T6829]  ? genl_rcv+0x15/0x40
[   61.771517][ T6829]  ? lock_release+0x8d0/0x8d0
[   61.776205][ T6829]  netlink_rcv_skb+0x15a/0x430
[   61.780952][ T6829]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   61.787868][ T6829]  ? netlink_ack+0xa10/0xa10
[   61.792445][ T6829]  ? lock_is_held_type+0xb0/0xe0
[   61.797467][ T6829]  genl_rcv+0x24/0x40
[   61.801438][ T6829]  netlink_unicast+0x533/0x7d0
[   61.806186][ T6829]  ? netlink_attachskb+0x810/0x810
[   61.811278][ T6829]  ? _copy_from_iter_full+0x247/0x890
[   61.816743][ T6829]  ? __phys_addr+0x9a/0x110
[   61.821225][ T6829]  ? __phys_addr_symbol+0x2c/0x70
[   61.826228][ T6829]  ? __check_object_size+0x171/0x3e4
[   61.831508][ T6829]  netlink_sendmsg+0x856/0xd90
[   61.838464][ T6829]  ? netlink_unicast+0x7d0/0x7d0
[   61.843397][ T6829]  ? netlink_unicast+0x7d0/0x7d0
[   61.848327][ T6829]  sock_sendmsg+0xcf/0x120
[   61.852741][ T6829]  ____sys_sendmsg+0x6e8/0x810
[   61.857505][ T6829]  ? kernel_sendmsg+0x50/0x50
[   61.862169][ T6829]  ? do_recvmmsg+0x6d0/0x6d0
[   61.866793][ T6829]  ? find_held_lock+0x2d/0x110
[   61.871537][ T6829]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   61.877505][ T6829]  ? lock_downgrade+0x820/0x820
[   61.883072][ T6829]  ___sys_sendmsg+0xf3/0x170
[   61.887654][ T6829]  ? sendmsg_copy_msghdr+0x160/0x160
[   61.892918][ T6829]  ? debug_object_active_state+0x260/0x350
[   61.898734][ T6829]  ? lock_downgrade+0x820/0x820
[   61.903581][ T6829]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   61.909366][ T6829]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   61.915321][ T6829]  ? trace_hardirqs_on+0x5f/0x220
[   61.920325][ T6829]  ? lockdep_hardirqs_on+0x6a/0xe0
[   61.925416][ T6829]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[   61.931204][ T6829]  ? debug_object_active_state+0x260/0x350
[   61.936989][ T6829]  ? check_preemption_disabled+0x50/0x130
[   61.942694][ T6829]  ? __fget_light+0x215/0x280
[   61.947350][ T6829]  __sys_sendmsg+0xe5/0x1b0
[   61.951834][ T6829]  ? __sys_sendmsg_sock+0xb0/0xb0
[   61.956840][ T6829]  ? lock_is_held_type+0xb0/0xe0
[   61.961934][ T6829]  ? do_syscall_64+0x1c/0xe0
[   61.966503][ T6829]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   61.972479][ T6829]  do_syscall_64+0x60/0xe0
[   61.976897][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   61.982915][ T6829] RIP: 0033:0x445f09
[   61.986784][ T6829] Code: Bad RIP value.
[   61.990826][ T6829] RSP: 002b:00007ffecde70ef8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   61.999408][ T6829] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09
[   62.007565][ T6829] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[   62.015517][ T6829] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0
[   62.023488][ T6829] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0
[   62.031528][ T6829] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000
[   62.039508][ T6829] 
[   62.041828][ T6829] Allocated by task 6827:
[   62.046147][ T6829]  save_stack+0x1b/0x40
[   62.050288][ T6829]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   62.055922][ T6829]  __alloc_skb+0xae/0x550
[   62.060232][ T6829]  netlink_sendmsg+0x94f/0xd90
[   62.064990][ T6829]  sock_sendmsg+0xcf/0x120
[   62.069383][ T6829]  ____sys_sendmsg+0x6e8/0x810
[   62.074219][ T6829]  ___sys_sendmsg+0xf3/0x170
[   62.078801][ T6829]  __sys_sendmsg+0xe5/0x1b0
[   62.083287][ T6829]  do_syscall_64+0x60/0xe0
[   62.087691][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   62.093567][ T6829] 
[   62.096048][ T6829] Freed by task 6827:
[   62.100019][ T6829]  save_stack+0x1b/0x40
[   62.104156][ T6829]  __kasan_slab_free+0xf2/0x130
[   62.108991][ T6829]  kfree+0x103/0x2c0
[   62.112895][ T6829]  skb_release_data+0x6d9/0x910
[   62.117728][ T6829]  consume_skb+0xc2/0x160
[   62.122037][ T6829]  netlink_unicast+0x53b/0x7d0
[   62.126777][ T6829]  netlink_sendmsg+0x856/0xd90
[   62.131519][ T6829]  sock_sendmsg+0xcf/0x120
[   62.135923][ T6829]  ____sys_sendmsg+0x6e8/0x810
[   62.140667][ T6829]  ___sys_sendmsg+0xf3/0x170
[   62.145235][ T6829]  __sys_sendmsg+0xe5/0x1b0
[   62.149715][ T6829]  do_syscall_64+0x60/0xe0
[   62.154136][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   62.160007][ T6829] 
[   62.162319][ T6829] The buggy address belongs to the object at ffff888096c51800
[   62.162319][ T6829]  which belongs to the cache kmalloc-1k of size 1024
[   62.176354][ T6829] The buggy address is located 644 bytes inside of
[   62.176354][ T6829]  1024-byte region [ffff888096c51800, ffff888096c51c00)
[   62.189775][ T6829] The buggy address belongs to the page:
[   62.195391][ T6829] page:ffffea00025b1440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888096c51000
[   62.205802][ T6829] flags: 0xfffe0000000200(slab)
[   62.210649][ T6829] raw: 00fffe0000000200 ffffea000254a648 ffffea0002684748 ffff8880aa000700
[   62.219220][ T6829] raw: ffff888096c51000 ffff888096c51000 0000000100000001 0000000000000000
[   62.227782][ T6829] page dumped because: kasan: bad access detected
[   62.234192][ T6829] 
[   62.236500][ T6829] Memory state around the buggy address:
[   62.242127][ T6829]  ffff888096c51980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.250186][ T6829]  ffff888096c51a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.258588][ T6829] >ffff888096c51a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.266633][ T6829]                    ^
[   62.270732][ T6829]  ffff888096c51b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.278843][ T6829]  ffff888096c51b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.286889][ T6829] ==================================================================
[   62.294968][ T6829] Disabling lock debugging due to kernel taint
[   62.302442][ T6829] Kernel panic - not syncing: panic_on_warn set ...
[   62.309041][ T6829] CPU: 0 PID: 6829 Comm: syz-executor275 Tainted: G    B             5.8.0-rc2-next-20200626-syzkaller #0
[   62.320316][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.330450][ T6829] Call Trace:
executing program
[   62.333742][ T6829]  dump_stack+0x18f/0x20d
[   62.338073][ T6829]  ? tipc_nl_publ_dump+0xa10/0xce0
[   62.343174][ T6829]  panic+0x2e3/0x75c
[   62.347052][ T6829]  ? __warn_printk+0xf3/0xf3
[   62.351640][ T6829]  ? preempt_schedule_common+0x59/0xc0
[   62.357231][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   62.362326][ T6829]  ? preempt_schedule_thunk+0x16/0x18
[   62.367762][ T6829]  ? trace_hardirqs_on+0x55/0x220
[   62.372766][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   62.377860][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   62.382950][ T6829]  end_report+0x4d/0x53
[   62.387085][ T6829]  kasan_report.cold+0xd/0x37
[   62.391742][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   62.396854][ T6829]  tipc_nl_publ_dump+0xae0/0xce0
[   62.401779][ T6829]  ? __mutex_lock+0x626/0x10d0
[   62.406530][ T6829]  ? tipc_nl_sk_dump+0x30/0x30
[   62.411283][ T6829]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   62.416911][ T6829]  ? kmem_cache_alloc_node_trace+0x4c2/0x590
[   62.422889][ T6829]  ? __kmalloc_node_track_caller+0x38/0x60
[   62.428672][ T6829]  ? kasan_unpoison_shadow+0x33/0x40
[   62.434029][ T6829]  ? __phys_addr+0x9a/0x110
[   62.438662][ T6829]  ? memset+0x20/0x40
[   62.442621][ T6829]  genl_lock_dumpit+0x7f/0xb0
[   62.447327][ T6829]  netlink_dump+0x4cd/0xf60
[   62.451823][ T6829]  ? netlink_insert+0x1670/0x1670
[   62.456833][ T6829]  ? __mutex_unlock_slowpath+0xe2/0x610
[   62.462536][ T6829]  ? genl_start+0x45a/0x6e0
[   62.467017][ T6829]  __netlink_dump_start+0x643/0x900
[   62.472281][ T6829]  ? genl_rcv_msg+0x9e0/0x9e0
[   62.476937][ T6829]  ? tipc_nl_sk_dump+0x30/0x30
[   62.481701][ T6829]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[   62.487397][ T6829]  ? genl_rcv+0x40/0x40
[   62.491618][ T6829]  ? mutex_lock_io_nested+0xf60/0xf60
[   62.496989][ T6829]  ? mark_lock+0xbc/0x1710
[   62.501384][ T6829]  ? genl_rcv_msg+0x9e0/0x9e0
[   62.506053][ T6829]  ? genl_unlock+0x20/0x20
[   62.510469][ T6829]  ? genl_parallel_done+0x170/0x170
[   62.515650][ T6829]  ? __radix_tree_lookup+0x1f3/0x290
[   62.520913][ T6829]  genl_rcv_msg+0x797/0x9e0
[   62.525484][ T6829]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   62.532395][ T6829]  ? lock_acquire+0x1f1/0xad0
[   62.537046][ T6829]  ? genl_rcv+0x15/0x40
[   62.541177][ T6829]  ? lock_release+0x8d0/0x8d0
[   62.545832][ T6829]  netlink_rcv_skb+0x15a/0x430
[   62.550576][ T6829]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   62.559574][ T6829]  ? netlink_ack+0xa10/0xa10
[   62.564186][ T6829]  ? lock_is_held_type+0xb0/0xe0
[   62.569108][ T6829]  genl_rcv+0x24/0x40
[   62.575625][ T6829]  netlink_unicast+0x533/0x7d0
[   62.580381][ T6829]  ? netlink_attachskb+0x810/0x810
[   62.585499][ T6829]  ? _copy_from_iter_full+0x247/0x890
[   62.590849][ T6829]  ? __phys_addr+0x9a/0x110
[   62.595417][ T6829]  ? __phys_addr_symbol+0x2c/0x70
[   62.600441][ T6829]  ? __check_object_size+0x171/0x3e4
[   62.606188][ T6829]  netlink_sendmsg+0x856/0xd90
[   62.610948][ T6829]  ? netlink_unicast+0x7d0/0x7d0
[   62.615865][ T6829]  ? netlink_unicast+0x7d0/0x7d0
[   62.620798][ T6829]  sock_sendmsg+0xcf/0x120
[   62.625193][ T6829]  ____sys_sendmsg+0x6e8/0x810
[   62.629943][ T6829]  ? kernel_sendmsg+0x50/0x50
[   62.634593][ T6829]  ? do_recvmmsg+0x6d0/0x6d0
[   62.639163][ T6829]  ? find_held_lock+0x2d/0x110
[   62.644086][ T6829]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   62.650070][ T6829]  ? lock_downgrade+0x820/0x820
[   62.654905][ T6829]  ___sys_sendmsg+0xf3/0x170
[   62.659474][ T6829]  ? sendmsg_copy_msghdr+0x160/0x160
[   62.664773][ T6829]  ? debug_object_active_state+0x260/0x350
[   62.670562][ T6829]  ? lock_downgrade+0x820/0x820
[   62.675406][ T6829]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   62.681211][ T6829]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   62.687165][ T6829]  ? trace_hardirqs_on+0x5f/0x220
[   62.692173][ T6829]  ? lockdep_hardirqs_on+0x6a/0xe0
[   62.697264][ T6829]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[   62.703054][ T6829]  ? debug_object_active_state+0x260/0x350
[   62.708838][ T6829]  ? check_preemption_disabled+0x50/0x130
[   62.714569][ T6829]  ? __fget_light+0x215/0x280
[   62.719231][ T6829]  __sys_sendmsg+0xe5/0x1b0
[   62.723717][ T6829]  ? __sys_sendmsg_sock+0xb0/0xb0
[   62.728714][ T6829]  ? lock_is_held_type+0xb0/0xe0
[   62.733633][ T6829]  ? do_syscall_64+0x1c/0xe0
[   62.738225][ T6829]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   62.744180][ T6829]  do_syscall_64+0x60/0xe0
[   62.748769][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   62.754660][ T6829] RIP: 0033:0x445f09
[   62.758566][ T6829] Code: Bad RIP value.
[   62.762604][ T6829] RSP: 002b:00007ffecde70ef8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   62.770989][ T6829] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09
[   62.778936][ T6829] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[   62.786903][ T6829] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0
[   62.794848][ T6829] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0
[   62.802798][ T6829] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000
[   62.812496][ T6829] Kernel Offset: disabled
[   62.816854][ T6829] Rebooting in 86400 seconds..
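Triage helper, added by the editor; it is not part of the syzkaller console output above and not syzkaller or kernel code. It parses the KASAN report into the fields a first-pass triage needs (bug class, faulting function, access size, the allocation and free sites once allocator/KASAN frames are peeled off, the slab cache and offset) and cross-checks two things the report lets you verify rather than trust: that the reported offset equals address minus object start, and that the shadow byte under the caret is `fb` (KASAN's freed-slab-object marker), which is what a use-after-free claim should rest on. The frames marked `?` are dropped, since they are stale stack words rather than real callers. The sample is a constructed excerpt of the lines above, copied unchanged; the shadow legend covers only the three values used here.

```python
"""Pull triage facts out of a KASAN report in a syzkaller console log."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a subset of the console lines above, copied unchanged.
SAMPLE_LOG = """\
[   61.524548][ T6829] ==================================================================
[   61.536914][ T6829] BUG: KASAN: use-after-free in tipc_nl_publ_dump+0xae0/0xce0
[   61.544360][ T6829] Read of size 2 at addr ffff888096c51a84 by task syz-executor275/6829
[   61.574923][ T6829] Call Trace:
[   61.578200][ T6829]  dump_stack+0x18f/0x20d
[   61.582515][ T6829]  ? tipc_nl_publ_dump+0xae0/0xce0
[   61.615153][ T6829]  kasan_report.cold+0x1f/0x37
[   61.624989][ T6829]  tipc_nl_publ_dump+0xae0/0xce0
[   61.670892][ T6829]  genl_lock_dumpit+0x7f/0xb0
[   61.982915][ T6829] RIP: 0033:0x445f09
[   62.041828][ T6829] Allocated by task 6827:
[   62.046147][ T6829]  save_stack+0x1b/0x40
[   62.050288][ T6829]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   62.055922][ T6829]  __alloc_skb+0xae/0x550
[   62.060232][ T6829]  netlink_sendmsg+0x94f/0xd90
[   62.093567][ T6829] 
[   62.096048][ T6829] Freed by task 6827:
[   62.100019][ T6829]  save_stack+0x1b/0x40
[   62.104156][ T6829]  __kasan_slab_free+0xf2/0x130
[   62.108991][ T6829]  kfree+0x103/0x2c0
[   62.112895][ T6829]  skb_release_data+0x6d9/0x910
[   62.117728][ T6829]  consume_skb+0xc2/0x160
[   62.122037][ T6829]  netlink_unicast+0x53b/0x7d0
[   62.160007][ T6829] 
[   62.162319][ T6829] The buggy address belongs to the object at ffff888096c51800
[   62.162319][ T6829]  which belongs to the cache kmalloc-1k of size 1024
[   62.176354][ T6829] The buggy address is located 644 bytes inside of
[   62.258588][ T6829] >ffff888096c51a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.266633][ T6829]                    ^
[   62.286889][ T6829] ==================================================================
"""

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")  # "[   61.536914][ T6829] "
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
STACK_HDR_RE = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
FRAME_RE = re.compile(r"^\s*(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"^The buggy address belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"^\s*which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"^The buggy address is located (?P<off>\d+) bytes inside of")
SHADOW_RE = re.compile(r"^>(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of memory
SHADOW_LEGEND = {"00": "addressable", "fb": "freed slab object", "fc": "slab redzone"}
# Frames belonging to the allocator or KASAN itself, not to the subsystem owning the object.
ALLOCATOR_INTERNALS = ("save_stack", "__kasan_", "kasan_", "kfree", "__kmalloc", "kmem_cache_")


def _frames(lines: List[str], start: int) -> List[str]:
    """Collect frames after a header until the first non-frame line; skip stale '?' entries."""
    out: List[str] = []
    for line in lines[start:]:
        m = FRAME_RE.match(line)
        if not m:
            break
        if not m.group("stale"):
            out.append(m.group("sym"))
    return out


def parse_kasan_report(log: str) -> Dict[str, Any]:
    lines = [PREFIX_RE.sub("", l).rstrip() for l in log.splitlines()]
    rep: Dict[str, Any] = {"call_trace": [], "alloc_stack": [], "free_stack": []}
    inside = False
    for i, line in enumerate(lines):
        if line.startswith("====="):
            if inside:
                break  # the second rule closes the report
            inside = True
            continue
        if not inside:
            continue
        if m := BUG_RE.match(line):
            rep["kind"], rep["func"] = m.group("kind"), m.group("func")
        elif m := ACCESS_RE.match(line):
            rep["rw"], rep["size"] = m.group("rw"), int(m.group("size"))
            rep["addr"], rep["pid"] = int(m.group("addr"), 16), int(m.group("pid"))
        elif line == "Call Trace:":
            rep["call_trace"] = _frames(lines, i + 1)
        elif m := STACK_HDR_RE.match(line):
            key = "alloc" if m.group("which") == "Allocated" else "free"
            rep[key + "_pid"], rep[key + "_stack"] = int(m.group("pid")), _frames(lines, i + 1)
        elif m := OBJECT_RE.match(line):
            rep["object"] = int(m.group("obj"), 16)
        elif m := CACHE_RE.match(line):
            rep["cache"], rep["object_size"] = m.group("cache"), int(m.group("size"))
        elif m := OFFSET_RE.match(line):
            rep["offset"] = int(m.group("off"))
        elif m := SHADOW_RE.match(line):
            rep["shadow_row"], rep["shadow_bytes"] = int(m.group("row"), 16), m.group("bytes").split()
    return rep


def first_site(frames: List[str]) -> Optional[str]:
    """First frame outside allocator/KASAN internals: the code that owned the object."""
    return next((f for f in frames if not f.startswith(ALLOCATOR_INTERNALS)), None)


def shadow_state(rep: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """Decode the shadow byte covering the faulting address from the '>' row."""
    idx = (rep["addr"] - rep["shadow_row"]) // SHADOW_GRANULE
    if not 0 <= idx < len(rep["shadow_bytes"]):
        return None
    byte = rep["shadow_bytes"][idx]
    return byte, SHADOW_LEGEND.get(byte, "other")


def triage(rep: Dict[str, Any]) -> Dict[str, Any]:
    shadow = shadow_state(rep)
    return {
        "kind": rep["kind"],
        "function": rep["func"],
        "access": f'{rep["rw"]} of {rep["size"]} bytes',
        "cache": rep["cache"],
        "offset_consistent": rep["addr"] - rep["object"] == rep["offset"],  # report self-consistent?
        "cross_task": rep["free_pid"] != rep["pid"],  # freed by a different task than the one faulting
        "alloc_site": first_site(rep["alloc_stack"]),
        "free_site": first_site(rep["free_stack"]),
        "shadow": shadow,
        "shadow_matches_kind": rep["kind"] == "use-after-free" and shadow is not None and shadow[0] == "fb",
    }


if __name__ == "__main__":
    for k, v in triage(parse_kasan_report(SAMPLE_LOG)).items():
        print(f"{k:20} {v}")
```

On this report the helper confirms the picture a reader gets by eye: a 2-byte read in `tipc_nl_publ_dump` into a `kmalloc-1k` object allocated by `__alloc_skb` and released via `skb_release_data` from `netlink_unicast`, by task 6827, while task 6829 faulted, with offset 644 matching the addresses and `fb` under the caret. The two consistency flags are what make it worth running on a pile of syzbot logs rather than reading each one.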