[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   57.810520][ T7027] netlink: 1996 bytes leftover after parsing attributes in process `syz-executor368'.
[   57.820604][ T7027] sch_tbf: burst 549 is lower than device lo mtu (65550) !
[   57.831328][ T7027] ==================================================================
[   57.839505][ T7027] BUG: KASAN: slab-out-of-bounds in skb_gso_transport_seglen+0x344/0x360
[   57.847903][ T7027] Read of size 2 at addr ffff888094fa2a5c by task syz-executor368/7027
[   57.856130][ T7027]
[   57.858500][ T7027] CPU: 0 PID: 7027 Comm: syz-executor368 Not tainted 5.7.0-rc1-syzkaller #0
[   57.867173][ T7027] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.877214][ T7027] Call Trace:
[   57.880506][ T7027]  dump_stack+0x188/0x20d
[   57.884835][ T7027]  print_address_description.constprop.0.cold+0xd3/0x315
[   57.891845][ T7027]  ? skb_gso_transport_seglen+0x344/0x360
[   57.897569][ T7027]  __kasan_report.cold+0x35/0x4d
[   57.902502][ T7027]  ? skb_gso_transport_seglen+0x344/0x360
[   57.908201][ T7027]  ? skb_gso_transport_seglen+0x344/0x360
[   57.913895][ T7027]  kasan_report+0x33/0x50
[   57.918206][ T7027]  skb_gso_transport_seglen+0x344/0x360
[   57.924615][ T7027]  skb_gso_validate_mac_len+0x85/0x290
[   57.930066][ T7027]  tbf_enqueue+0x1f2/0x990
[   57.934460][ T7027]  ? rwlock_bug.part.0+0x90/0x90
[   57.939390][ T7027]  ? rcu_read_lock_bh_held+0x5a/0xb0
[   57.944656][ T7027]  ? rcu_read_lock_sched_held+0xd0/0xd0
[   57.950187][ T7027]  __dev_queue_xmit+0x154a/0x30a0
[   57.955195][ T7027]  ? netdev_core_pick_tx+0x2e0/0x2e0
[   57.960477][ T7027]  ? copyin+0x10e/0x140
[   57.964617][ T7027]  ? copy_page_from_iter+0x5de/0x840
[   57.969907][ T7027]  ? packet_parse_headers.isra.0+0x117/0x470
[   57.975866][ T7027]  ? __unregister_prot_hook+0x320/0x320
[   57.981397][ T7027]  ? packet_sendmsg+0x23cc/0x5ce0
[   57.986414][ T7027]  packet_sendmsg+0x23cc/0x5ce0
[   57.991256][ T7027]  ? mark_held_locks+0xe0/0xe0
[   57.996015][ T7027]  ? aa_label_sk_perm+0x89/0xe0
[   58.000851][ T7027]  ? aa_sk_perm+0x319/0xab0
[   58.005339][ T7027]  ? packet_notifier+0x860/0x860
[   58.010269][ T7027]  ? aa_af_perm+0x260/0x260
[   58.014766][ T7027]  ? packet_do_bind+0x452/0xc00
[   58.019617][ T7027]  ? packet_notifier+0x860/0x860
[   58.024542][ T7027]  sock_sendmsg+0xcf/0x120
[   58.028948][ T7027]  __sys_sendto+0x220/0x330
[   58.033434][ T7027]  ? __ia32_sys_getpeername+0xb0/0xb0
[   58.038805][ T7027]  ? packet_do_bind+0x452/0xc00
[   58.043639][ T7027]  ? __sys_bind+0x13e/0x250
[   58.048148][ T7027]  ? __ia32_sys_socketpair+0xf0/0xf0
[   58.053430][ T7027]  ? sock_create_kern+0x40/0x40
[   58.058284][ T7027]  ? fpregs_mark_activate+0x320/0x320
[   58.063650][ T7027]  __x64_sys_sendto+0xdd/0x1b0
[   58.068398][ T7027]  ? lockdep_hardirqs_on+0x463/0x620
[   58.073693][ T7027]  do_syscall_64+0xf6/0x7d0
[   58.078198][ T7027]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   58.084181][ T7027] RIP: 0033:0x440419
[   58.088078][ T7027] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.107682][ T7027] RSP: 002b:00007ffefbbf8588 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   58.116073][ T7027] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440419
[   58.124085][ T7027] RDX: 0000000000004e60 RSI: 0000000020000180 RDI: 0000000000000005
[   58.132065][ T7027] RBP: 00000000006cb018 R08: 0000000000000000 R09: fffffffffffffe5d
[   58.140027][ T7027] R10: 0000000000000810 R11: 0000000000000246 R12: 0000000000401ca0
[   58.147999][ T7027] R13: 0000000000401d30 R14: 0000000000000000 R15: 0000000000000000
[   58.155978][ T7027]
[   58.158290][ T7027] Allocated by task 7027:
[   58.162603][ T7027]  save_stack+0x1b/0x40
[   58.166745][ T7027]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   58.173168][ T7027]  __kmalloc_reserve.isra.0+0x39/0xe0
[   58.178544][ T7027]  __alloc_skb+0xef/0x5a0
[   58.182906][ T7027]  alloc_skb_with_frags+0x92/0x560
[   58.188002][ T7027]  sock_alloc_send_pskb+0x734/0x890
[   58.193178][ T7027]  packet_sendmsg+0x1947/0x5ce0
[   58.198024][ T7027]  sock_sendmsg+0xcf/0x120
[   58.202427][ T7027]  __sys_sendto+0x220/0x330
[   58.206917][ T7027]  __x64_sys_sendto+0xdd/0x1b0
[   58.211675][ T7027]  do_syscall_64+0xf6/0x7d0
[   58.216172][ T7027]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   58.222051][ T7027]
[   58.224360][ T7027] Freed by task 6792:
[   58.228325][ T7027]  save_stack+0x1b/0x40
[   58.232496][ T7027]  __kasan_slab_free+0xf7/0x140
[   58.237325][ T7027]  kfree+0x109/0x2b0
[   58.241277][ T7027]  __do_execve_file.isra.0+0x1a90/0x2270
[   58.246938][ T7027]  __x64_sys_execve+0x8a/0xb0
[   58.251630][ T7027]  do_syscall_64+0xf6/0x7d0
[   58.256164][ T7027]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   58.262034][ T7027]
[   58.264346][ T7027] The buggy address belongs to the object at ffff888094fa2800
[   58.264346][ T7027]  which belongs to the cache kmalloc-512 of size 512
[   58.278464][ T7027] The buggy address is located 92 bytes to the right of
[   58.278464][ T7027]  512-byte region [ffff888094fa2800, ffff888094fa2a00)
[   58.292144][ T7027] The buggy address belongs to the page:
[   58.297787][ T7027] page:ffffea000253e880 refcount:1 mapcount:0 mapping:00000000b7493817 index:0x0
[   58.306895][ T7027] flags: 0xfffe0000000200(slab)
[   58.311742][ T7027] raw: 00fffe0000000200 ffffea00029a7808 ffffea00027902c8 ffff8880aa000a80
[   58.320304][ T7027] raw: 0000000000000000 ffff888094fa2000 0000000100000004 0000000000000000
[   58.328873][ T7027] page dumped because: kasan: bad access detected
[   58.335340][ T7027]
[   58.337651][ T7027] Memory state around the buggy address:
[   58.343389][ T7027]  ffff888094fa2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.351438][ T7027]  ffff888094fa2980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.359536][ T7027] >ffff888094fa2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.367584][ T7027]                                                     ^
[   58.374521][ T7027]  ffff888094fa2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.382563][ T7027]  ffff888094fa2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.390605][ T7027] ==================================================================
[   58.398657][ T7027] Disabling lock debugging due to kernel taint
[   58.404859][ T7027] Kernel panic - not syncing: panic_on_warn set ...
[   58.411453][ T7027] CPU: 0 PID: 7027 Comm: syz-executor368 Tainted: G    B             5.7.0-rc1-syzkaller #0
[   58.421511][ T7027] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.431574][ T7027] Call Trace:
[   58.434876][ T7027]  dump_stack+0x188/0x20d
[   58.439202][ T7027]  panic+0x2e3/0x75c
[   58.443091][ T7027]  ? add_taint.cold+0x16/0x16
[   58.447762][ T7027]  ? skb_gso_transport_seglen+0x344/0x360
[   58.453460][ T7027]  ? trace_hardirqs_on+0x55/0x220
[   58.458462][ T7027]  ? skb_gso_transport_seglen+0x344/0x360
[   58.465984][ T7027]  end_report+0x4d/0x53
[   58.470119][ T7027]  __kasan_report.cold+0xd/0x4d
[   58.474948][ T7027]  ? skb_gso_transport_seglen+0x344/0x360
[   58.480643][ T7027]  ? skb_gso_transport_seglen+0x344/0x360
[   58.486345][ T7027]  kasan_report+0x33/0x50
[   58.490657][ T7027]  skb_gso_transport_seglen+0x344/0x360
[   58.496182][ T7027]  skb_gso_validate_mac_len+0x85/0x290
[   58.501621][ T7027]  tbf_enqueue+0x1f2/0x990
[   58.506028][ T7027]  ? rwlock_bug.part.0+0x90/0x90
[   58.510943][ T7027]  ? rcu_read_lock_bh_held+0x5a/0xb0
[   58.516205][ T7027]  ? rcu_read_lock_sched_held+0xd0/0xd0
[   58.521744][ T7027]  __dev_queue_xmit+0x154a/0x30a0
[   58.526750][ T7027]  ? netdev_core_pick_tx+0x2e0/0x2e0
[   58.532028][ T7027]  ? copyin+0x10e/0x140
[   58.536162][ T7027]  ? copy_page_from_iter+0x5de/0x840
[   58.541441][ T7027]  ? packet_parse_headers.isra.0+0x117/0x470
[   58.547402][ T7027]  ? __unregister_prot_hook+0x320/0x320
[   58.552933][ T7027]  ? packet_sendmsg+0x23cc/0x5ce0
[   58.557941][ T7027]  packet_sendmsg+0x23cc/0x5ce0
[   58.562775][ T7027]  ? mark_held_locks+0xe0/0xe0
[   58.567517][ T7027]  ? aa_label_sk_perm+0x89/0xe0
[   58.572342][ T7027]  ? aa_sk_perm+0x319/0xab0
[   58.576825][ T7027]  ? packet_notifier+0x860/0x860
[   58.581739][ T7027]  ? aa_af_perm+0x260/0x260
[   58.586219][ T7027]  ? packet_do_bind+0x452/0xc00
[   58.591065][ T7027]  ? packet_notifier+0x860/0x860
[   58.596004][ T7027]  sock_sendmsg+0xcf/0x120
[   58.600409][ T7027]  __sys_sendto+0x220/0x330
[   58.604895][ T7027]  ? __ia32_sys_getpeername+0xb0/0xb0
[   58.610265][ T7027]  ? packet_do_bind+0x452/0xc00
[   58.615139][ T7027]  ? __sys_bind+0x13e/0x250
[   58.619665][ T7027]  ? __ia32_sys_socketpair+0xf0/0xf0
[   58.624952][ T7027]  ? sock_create_kern+0x40/0x40
[   58.629844][ T7027]  ? fpregs_mark_activate+0x320/0x320
[   58.635267][ T7027]  __x64_sys_sendto+0xdd/0x1b0
[   58.640017][ T7027]  ? lockdep_hardirqs_on+0x463/0x620
[   58.645337][ T7027]  do_syscall_64+0xf6/0x7d0
[   58.649874][ T7027]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   58.655743][ T7027] RIP: 0033:0x440419
[   58.659615][ T7027] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.679195][ T7027] RSP: 002b:00007ffefbbf8588 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   58.687587][ T7027] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440419
[   58.695538][ T7027] RDX: 0000000000004e60 RSI: 0000000020000180 RDI: 0000000000000005
[   58.703625][ T7027] RBP: 00000000006cb018 R08: 0000000000000000 R09: fffffffffffffe5d
[   58.711611][ T7027] R10: 0000000000000810 R11: 0000000000000246 R12: 0000000000401ca0
[   58.719564][ T7027] R13: 0000000000401d30 R14: 0000000000000000 R15: 0000000000000000
[   58.728232][ T7027] Kernel Offset: disabled
[   58.732572][ T7027] Rebooting in 86400 seconds..
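The report above is raw console output, so the following is an added triage helper and not part of the syzkaller report or of the kernel: a Python script that parses the lines quoted from the report, recomputes the 92-byte offset of ffff888094fa2a5c from the 512-byte kmalloc-512 object the report names, and decodes the KASAN shadow byte at that address from the "Memory state" rows. The shadow-byte encodings (0xfc slab redzone, 0xfb freed object, and so on) are taken from mm/kasan/kasan.h as used by 5.x generic KASAN; the function and variable names are mine, chosen for this example.

```python
"""KASAN slab-report triage: recompute the faulting address's offset from the
object bounds and decode the shadow byte it hit.  Added example, not part of
the syzkaller report above; shadow encodings follow mm/kasan/kasan.h (5.x)."""
import re

SHADOW_MEANING = {   # 0x00 = all 8 bytes addressable, 0x01..0x07 = partially
    0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
    0xf4: "stack partial redzone", 0xf8: "use-after-scope", 0xfa: "global redzone",
    0xfb: "freed slab object (use-after-free)", 0xfc: "slab redzone (out-of-bounds)",
    0xfe: "page redzone", 0xff: "freed page",
}
SHADOW_GRANULE = 8          # bytes of memory per shadow byte (KASAN_SHADOW_SCALE_SHIFT = 3)
SHADOW_BYTES_PER_ROW = 16   # one "Memory state" row covers 16 * 8 = 128 bytes

_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")   # "[   58.343389][ T7027] "
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                     r" by task (?P<task>\S+)/(?P<pid>\d+)")
_OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_CLAIM = re.compile(r"located (?P<n>\d+) bytes (?P<side>to the right|to the left|inside) of")
_ROW = re.compile(r"^>?(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Lines quoted from the report on this page (kernel-log prefixes kept).
REPORT = """\
[   57.839505][ T7027] BUG: KASAN: slab-out-of-bounds in skb_gso_transport_seglen+0x344/0x360
[   57.847903][ T7027] Read of size 2 at addr ffff888094fa2a5c by task syz-executor368/7027
[   58.264346][ T7027] The buggy address belongs to the object at ffff888094fa2800
[   58.264346][ T7027]  which belongs to the cache kmalloc-512 of size 512
[   58.278464][ T7027] The buggy address is located 92 bytes to the right of
[   58.278464][ T7027]  512-byte region [ffff888094fa2800, ffff888094fa2a00)
[   58.343389][ T7027]  ffff888094fa2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.351438][ T7027]  ffff888094fa2980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   58.359536][ T7027] >ffff888094fa2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.374521][ T7027]  ffff888094fa2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.382563][ T7027]  ffff888094fa2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

def parse_kasan_report(text):
    """Pull the triage-relevant fields out of a raw KASAN report."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if m := _BUG.search(line):
            info["kind"], info["func"] = m["kind"], m["func"]
        elif m := _ACCESS.search(line):
            info.update(op=m["op"], access_size=int(m["size"]), addr=int(m["addr"], 16),
                        task=m["task"], pid=int(m["pid"]))
        elif m := _OBJECT.search(line):
            info["obj_base"] = int(m["base"], 16)
        elif m := _CACHE.search(line):
            info["cache"], info["obj_size"] = m["cache"], int(m["size"])
        elif m := _CLAIM.search(line):
            info["claimed"] = (int(m["n"]), m["side"].replace("to the ", ""))
        elif m := _ROW.match(line):
            info["shadow"][int(m["row"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return info

def shadow_at(shadow_rows, addr):
    """(value, row address, index in row) of the shadow byte covering addr, or None."""
    for row, vals in shadow_rows.items():
        if row <= addr < row + SHADOW_BYTES_PER_ROW * SHADOW_GRANULE:
            idx = (addr - row) // SHADOW_GRANULE
            return vals[idx], row, idx
    return None

def describe_shadow(val):
    if val == 0:
        return "addressable"
    if 1 <= val <= 7:
        return f"partially addressable ({val} of 8 bytes)"
    return SHADOW_MEANING.get(val, "unknown encoding")

def triage(text):
    """Recompute what the kernel summarised and classify the access."""
    info = parse_kasan_report(text)
    addr, base = info["addr"], info["obj_base"]
    end = base + info["obj_size"]
    # Recompute the offset instead of trusting the report's own summary line.
    if addr >= end:
        offset, side = addr - end, "right"
    elif addr < base:
        offset, side = base - addr, "left"
    else:
        offset, side = addr - base, "inside"
    sh = shadow_at(info["shadow"], addr)
    # Redzone the dump shows past the object's end; an access beyond it reaches a neighbour.
    redzone = 0
    while (s := shadow_at(info["shadow"], end + redzone)) and s[0] == 0xfc:
        redzone += SHADOW_GRANULE
    return {
        "kind": info["kind"], "func": info["func"], "op": info["op"], "pid": info["pid"],
        "access_size": info["access_size"], "cache": info["cache"],
        "offset": offset, "side": side,
        "matches_report": (offset, side) == info.get("claimed"),
        "shadow_byte": sh[0] if sh else None,
        "shadow_pos": (sh[1], sh[2]) if sh else None,
        "shadow_meaning": describe_shadow(sh[0]) if sh else "not in dump",
        "redzone_bytes_in_dump": redzone,
        "stays_in_redzone": bool(sh) and sh[0] == 0xfc and offset + info["access_size"] <= redzone,
    }
```

Run against the quoted lines, triage(REPORT) recomputes offset 92 to the right of the object end (agreeing with the report), finds the shadow byte for ffff888094fa2a5c at index 11 of the ffff888094fa2a00 row, and decodes it as 0xfc, slab redzone. That is the check that separates this from a use-after-free: a freed object would show 0xfb and the header would say use-after-free, whereas here the 512-byte skb data buffer allocated by the same task through packet_sendmsg is live and the 2-byte read in skb_gso_transport_seglen lands 92 bytes past its end, well inside the 384 bytes of redzone visible in the dump, so it is a genuine out-of-bounds read and not a read into a neighbouring object. The "Freed by task 6792" execve stack is the slot's recorded previous free, not evidence that this object was freed.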