Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   63.946877][ T7097] netlink: 1996 bytes leftover after parsing attributes in process `syz-executor411'.
[   63.957114][ T7097] sch_tbf: burst 549 is lower than device lo mtu (65550) !
[   63.968121][ T7097] ==================================================================
[   63.976416][ T7097] BUG: KASAN: slab-out-of-bounds in skb_gso_transport_seglen+0x344/0x360
[   63.985078][ T7097] Read of size 2 at addr ffff8880a72d2a5c by task syz-executor411/7097
[   63.993427][ T7097]
[   63.995745][ T7097] CPU: 0 PID: 7097 Comm: syz-executor411 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0
[   64.005612][ T7097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.015746][ T7097] Call Trace:
[   64.019039][ T7097]  dump_stack+0x188/0x20d
[   64.023356][ T7097]  print_address_description.constprop.0.cold+0xd3/0x315
[   64.030385][ T7097]  ? skb_gso_transport_seglen+0x344/0x360
[   64.036123][ T7097]  __kasan_report.cold+0x35/0x4d
[   64.041041][ T7097]  ? skb_gso_transport_seglen+0x344/0x360
[   64.046748][ T7097]  ? skb_gso_transport_seglen+0x344/0x360
[   64.052448][ T7097]  kasan_report+0x33/0x50
[   64.056764][ T7097]  skb_gso_transport_seglen+0x344/0x360
[   64.062290][ T7097]  skb_gso_validate_mac_len+0x85/0x290
[   64.067735][ T7097]  tbf_enqueue+0x1f2/0x990
[   64.072133][ T7097]  ? rwlock_bug.part.0+0x90/0x90
[   64.077072][ T7097]  ? rcu_read_lock_bh_held+0x5a/0xb0
[   64.082334][ T7097]  ? rcu_read_lock_sched_held+0xd0/0xd0
[   64.087868][ T7097]  __dev_queue_xmit+0x154a/0x3070
[   64.092897][ T7097]  ? netdev_core_pick_tx+0x2e0/0x2e0
[   64.098160][ T7097]  ? copyin+0x10e/0x140
[   64.102489][ T7097]  ? copy_page_from_iter+0x5de/0x840
[   64.107773][ T7097]  ? packet_parse_headers.isra.0+0x117/0x470
[   64.113739][ T7097]  ? __unregister_prot_hook+0x320/0x320
[   64.119268][ T7097]  ? packet_sendmsg+0x23cc/0x5ce0
[   64.124298][ T7097]  packet_sendmsg+0x23cc/0x5ce0
[   64.129151][ T7097]  ? mark_held_locks+0xe0/0xe0
[   64.133915][ T7097]  ? aa_label_sk_perm+0x89/0xe0
[   64.138834][ T7097]  ? aa_sk_perm+0x319/0xac0
[   64.143342][ T7097]  ? packet_notifier+0x860/0x860
[   64.148265][ T7097]  ? aa_af_perm+0x260/0x260
[   64.152758][ T7097]  ? packet_do_bind+0x452/0xc00
[   64.157791][ T7097]  ? packet_notifier+0x860/0x860
[   64.162728][ T7097]  sock_sendmsg+0xcf/0x120
[   64.167147][ T7097]  __sys_sendto+0x220/0x330
[   64.171638][ T7097]  ? __ia32_sys_getpeername+0xb0/0xb0
[   64.176989][ T7097]  ? packet_do_bind+0x452/0xc00
[   64.181825][ T7097]  ? __sys_bind+0x13e/0x250
[   64.186315][ T7097]  ? __ia32_sys_socketpair+0xf0/0xf0
[   64.191600][ T7097]  ? sock_create_kern+0x40/0x40
[   64.196443][ T7097]  ? fpregs_mark_activate+0x320/0x320
[   64.201893][ T7097]  __x64_sys_sendto+0xdd/0x1b0
[   64.206665][ T7097]  ? lockdep_hardirqs_on+0x463/0x620
[   64.211950][ T7097]  do_syscall_64+0xf6/0x7d0
[   64.216565][ T7097]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.222577][ T7097] RIP: 0033:0x440b09
[   64.226466][ T7097] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   64.247106][ T7097] RSP: 002b:00007ffd69315698 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   64.255594][ T7097] RAX: ffffffffffffffda RBX: 00007ffd693156b0 RCX: 0000000000440b09
[   64.263564][ T7097] RDX: 0000000000004e60 RSI: 0000000020000180 RDI: 0000000000000005
[   64.271551][ T7097] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffffffffffe5d
[   64.279516][ T7097] R10: 0000000000000810 R11: 0000000000000246 R12: 0000000000402390
[   64.287493][ T7097] R13: 0000000000402420 R14: 0000000000000000 R15: 0000000000000000
[   64.295460][ T7097]
[   64.297768][ T7097] Allocated by task 7097:
[   64.302077][ T7097]  save_stack+0x1b/0x40
[   64.306215][ T7097]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   64.311838][ T7097]  __kmalloc_reserve.isra.0+0x39/0xe0
[   64.317285][ T7097]  __alloc_skb+0xef/0x5a0
[   64.321593][ T7097]  alloc_skb_with_frags+0x92/0x560
[   64.326689][ T7097]  sock_alloc_send_pskb+0x734/0x890
[   64.331874][ T7097]  packet_sendmsg+0x1947/0x5ce0
[   64.336714][ T7097]  sock_sendmsg+0xcf/0x120
[   64.341123][ T7097]  __sys_sendto+0x220/0x330
[   64.345605][ T7097]  __x64_sys_sendto+0xdd/0x1b0
[   64.350470][ T7097]  do_syscall_64+0xf6/0x7d0
[   64.354965][ T7097]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.360828][ T7097]
[   64.363133][ T7097] Freed by task 5127:
[   64.367090][ T7097]  save_stack+0x1b/0x40
[   64.371223][ T7097]  __kasan_slab_free+0xf7/0x140
[   64.376061][ T7097]  kfree+0x109/0x2b0
[   64.379936][ T7097]  ep_eventpoll_release+0x41/0x60
[   64.384938][ T7097]  __fput+0x33e/0x880
[   64.388917][ T7097]  task_work_run+0xf4/0x1b0
[   64.393396][ T7097]  exit_to_usermode_loop+0x2fa/0x360
[   64.398657][ T7097]  do_syscall_64+0x6b1/0x7d0
[   64.403226][ T7097]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.409101][ T7097]
[   64.411416][ T7097] The buggy address belongs to the object at ffff8880a72d2800
[   64.411416][ T7097]  which belongs to the cache kmalloc-512 of size 512
[   64.426071][ T7097] The buggy address is located 92 bytes to the right of
[   64.426071][ T7097]  512-byte region [ffff8880a72d2800, ffff8880a72d2a00)
[   64.439838][ T7097] The buggy address belongs to the page:
[   64.445467][ T7097] page:ffffea00029cb480 refcount:1 mapcount:0 mapping:000000004b08503b index:0x0
[   64.454558][ T7097] flags: 0xfffe0000000200(slab)
[   64.459392][ T7097] raw: 00fffe0000000200 ffffea000282ba88 ffffea00027c8c08 ffff8880aa000a80
[   64.467978][ T7097] raw: 0000000000000000 ffff8880a72d2000 0000000100000004 0000000000000000
[   64.476539][ T7097] page dumped because: kasan: bad access detected
[   64.482945][ T7097]
[   64.485250][ T7097] Memory state around the buggy address:
[   64.490873][ T7097]  ffff8880a72d2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   64.498913][ T7097]  ffff8880a72d2980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   64.506963][ T7097] >ffff8880a72d2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.515014][ T7097]                                                        ^
[   64.522532][ T7097]  ffff8880a72d2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.530577][ T7097]  ffff8880a72d2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.538610][ T7097] ==================================================================
[   64.546647][ T7097] Disabling lock debugging due to kernel taint
[   64.552844][ T7097] Kernel panic - not syncing: panic_on_warn set ...
[   64.559438][ T7097] CPU: 0 PID: 7097 Comm: syz-executor411 Tainted: G    B             5.7.0-rc1-next-20200415-syzkaller #0
[   64.570967][ T7097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.581163][ T7097] Call Trace:
[   64.584464][ T7097]  dump_stack+0x188/0x20d
[   64.588794][ T7097]  panic+0x2e3/0x75c
[   64.592666][ T7097]  ? add_taint.cold+0x16/0x16
[   64.597339][ T7097]  ? skb_gso_transport_seglen+0x344/0x360
[   64.603062][ T7097]  ? trace_hardirqs_on+0x55/0x220
[   64.608078][ T7097]  ? skb_gso_transport_seglen+0x344/0x360
[   64.613776][ T7097]  end_report+0x4d/0x53
[   64.617906][ T7097]  __kasan_report.cold+0xd/0x4d
[   64.622753][ T7097]  ? skb_gso_transport_seglen+0x344/0x360
[   64.628446][ T7097]  ? skb_gso_transport_seglen+0x344/0x360
[   64.634140][ T7097]  kasan_report+0x33/0x50
[   64.638444][ T7097]  skb_gso_transport_seglen+0x344/0x360
[   64.643985][ T7097]  skb_gso_validate_mac_len+0x85/0x290
[   64.649426][ T7097]  tbf_enqueue+0x1f2/0x990
[   64.653817][ T7097]  ? rwlock_bug.part.0+0x90/0x90
[   64.658748][ T7097]  ? rcu_read_lock_bh_held+0x5a/0xb0
[   64.664009][ T7097]  ? rcu_read_lock_sched_held+0xd0/0xd0
[   64.669549][ T7097]  __dev_queue_xmit+0x154a/0x3070
[   64.674590][ T7097]  ? netdev_core_pick_tx+0x2e0/0x2e0
[   64.679850][ T7097]  ? copyin+0x10e/0x140
[   64.683981][ T7097]  ? copy_page_from_iter+0x5de/0x840
[   64.689243][ T7097]  ? packet_parse_headers.isra.0+0x117/0x470
[   64.695512][ T7097]  ? __unregister_prot_hook+0x320/0x320
[   64.701132][ T7097]  ? packet_sendmsg+0x23cc/0x5ce0
[   64.706139][ T7097]  packet_sendmsg+0x23cc/0x5ce0
[   64.710993][ T7097]  ? mark_held_locks+0xe0/0xe0
[   64.715739][ T7097]  ? aa_label_sk_perm+0x89/0xe0
[   64.720583][ T7097]  ? aa_sk_perm+0x319/0xac0
[   64.725066][ T7097]  ? packet_notifier+0x860/0x860
[   64.729985][ T7097]  ? aa_af_perm+0x260/0x260
[   64.734484][ T7097]  ? packet_do_bind+0x452/0xc00
[   64.739334][ T7097]  ? packet_notifier+0x860/0x860
[   64.744274][ T7097]  sock_sendmsg+0xcf/0x120
[   64.748747][ T7097]  __sys_sendto+0x220/0x330
[   64.753262][ T7097]  ? __ia32_sys_getpeername+0xb0/0xb0
[   64.758703][ T7097]  ? packet_do_bind+0x452/0xc00
[   64.763637][ T7097]  ? __sys_bind+0x13e/0x250
[   64.768270][ T7097]  ? __ia32_sys_socketpair+0xf0/0xf0
[   64.773628][ T7097]  ? sock_create_kern+0x40/0x40
[   64.778464][ T7097]  ? fpregs_mark_activate+0x320/0x320
[   64.783860][ T7097]  __x64_sys_sendto+0xdd/0x1b0
[   64.788648][ T7097]  ? lockdep_hardirqs_on+0x463/0x620
[   64.794198][ T7097]  do_syscall_64+0xf6/0x7d0
[   64.798683][ T7097]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.804653][ T7097] RIP: 0033:0x440b09
[   64.808753][ T7097] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   64.828559][ T7097] RSP: 002b:00007ffd69315698 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   64.837038][ T7097] RAX: ffffffffffffffda RBX: 00007ffd693156b0 RCX: 0000000000440b09
[   64.845009][ T7097] RDX: 0000000000004e60 RSI: 0000000020000180 RDI: 0000000000000005
[   64.852968][ T7097] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffffffffffe5d
[   64.861248][ T7097] R10: 0000000000000810 R11: 0000000000000246 R12: 0000000000402390
[   64.869201][ T7097] R13: 0000000000402420 R14: 0000000000000000 R15: 0000000000000000
[   64.878627][ T7097] Kernel Offset: disabled
[   64.882977][ T7097] Rebooting in 86400 seconds..