Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.192' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 73.602007][ T8478] ================================================================== [ 73.610245][ T8478] BUG: KASAN: global-out-of-bounds in netlink_policy_dump_add_policy+0x3b6/0x440 [ 73.622682][ T8478] Read of size 1 at addr ffffffff89cc6f90 by task syz-executor485/8478 [ 73.630919][ T8478] [ 73.633240][ T8478] CPU: 1 PID: 8478 Comm: syz-executor485 Not tainted 5.11.0-rc5-next-20210129-syzkaller #0 [ 73.643635][ T8478] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 73.654060][ T8478] Call Trace: [ 73.657345][ T8478] dump_stack+0x107/0x163 [ 73.662003][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 73.668289][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 73.674545][ T8478] print_address_description.constprop.0.cold+0x5/0x2f8 [ 73.681499][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 73.687748][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 73.694411][ T8478] kasan_report.cold+0x7c/0xd8 [ 73.699173][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 73.705419][ T8478] netlink_policy_dump_add_policy+0x3b6/0x440 [ 73.711504][ T8478] ? __netlink_policy_dump_write_attr+0xb00/0xb00 [ 73.717907][ T8478] ? __radix_tree_lookup+0x211/0x2a0 [ 73.723200][ T8478] ctrl_dumppolicy_start+0x3e1/0x760 [ 73.728478][ T8478] ? ctrl_getfamily+0x5a0/0x5a0 [ 73.733336][ T8478] ? vdpa_nl_cmd_mgmtdev_get_dumpit+0x280/0x280 [ 73.739586][ T8478] ? vdpa_mgmtdev_fill+0x420/0x420 [ 73.744713][ T8478] ? kasan_unpoison+0x2c/0x50 [ 73.749651][ T8478] ? ctrl_getfamily+0x5a0/0x5a0 [ 73.754625][ T8478] genl_start+0x3cc/0x670 [ 73.759399][ T8478] __netlink_dump_start+0x584/0x900 [ 73.764618][ T8478] ? genl_family_rcv_msg_doit+0x320/0x320 [ 73.770424][ T8478] ? ctrl_dumppolicy_prep+0x3f0/0x3f0 [ 73.775797][ T8478] genl_family_rcv_msg_dumpit+0x2af/0x310 [ 73.781527][ T8478] ? genl_rcv+0x40/0x40 [ 73.785683][ T8478] ? mutex_lock_io_nested+0xf60/0xf60 [ 73.791062][ T8478] ? __lock_acquire+0x2506/0x54c0 [ 73.796229][ T8478] ? genl_family_rcv_msg_doit+0x320/0x320 [ 73.801959][ T8478] ? genl_unlock+0x20/0x20 [ 73.806372][ T8478] ? genl_parallel_done+0xc0/0xc0 [ 73.811394][ T8478] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80 [ 73.817636][ T8478] ? __radix_tree_lookup+0x211/0x2a0 [ 73.822908][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 73.829693][ T8478] ? genl_get_cmd+0x3cf/0x480 [ 73.834427][ T8478] genl_rcv_msg+0x434/0x580 [ 73.838961][ T8478] ? genl_get_cmd+0x480/0x480 [ 73.843652][ T8478] ? ctrl_getfamily+0x5a0/0x5a0 [ 73.848508][ T8478] ? ctrl_dumppolicy_prep+0x3f0/0x3f0 [ 73.853917][ T8478] ? lockdep_genl_is_held+0x30/0x30 [ 73.859130][ T8478] ? lock_release+0x710/0x710 [ 73.863833][ T8478] netlink_rcv_skb+0x153/0x420 [ 73.868595][ T8478] ? genl_get_cmd+0x480/0x480 [ 73.873264][ T8478] ? netlink_ack+0xaa0/0xaa0 [ 73.877858][ T8478] ? _copy_from_iter_full+0x2fa/0x1120 [ 73.883323][ T8478] genl_rcv+0x24/0x40 [ 73.887341][ T8478] netlink_unicast+0x533/0x7d0 [ 73.892119][ T8478] ? netlink_attachskb+0x870/0x870 [ 73.897234][ T8478] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 73.903487][ T8478] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 73.909742][ T8478] ? __phys_addr_symbol+0x2c/0x70 [ 73.915037][ T8478] ? __sanitizer_cov_trace_cmp8+0x1d/0x70 [ 73.920779][ T8478] ? __check_object_size+0x171/0x3f0 [ 73.926067][ T8478] netlink_sendmsg+0x856/0xd90 [ 73.930955][ T8478] ? netlink_unicast+0x7d0/0x7d0 [ 73.935892][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 73.944534][ T8478] ? netlink_unicast+0x7d0/0x7d0 [ 73.951060][ T8478] sock_sendmsg+0xcf/0x120 [ 73.955492][ T8478] ____sys_sendmsg+0x6e8/0x810 [ 73.960299][ T8478] ? kernel_sendmsg+0x50/0x50 [ 73.965013][ T8478] ? do_recvmmsg+0x6c0/0x6c0 [ 73.969636][ T8478] ? do_huge_pmd_anonymous_page+0x123b/0x2310 [ 73.975699][ T8478] ? lock_downgrade+0x6d0/0x6d0 [ 73.980644][ T8478] ___sys_sendmsg+0xf3/0x170 [ 73.985232][ T8478] ? sendmsg_copy_msghdr+0x160/0x160 [ 73.990518][ T8478] ? do_huge_pmd_anonymous_page+0x930/0x2310 [ 73.996491][ T8478] ? lock_chain_count+0x20/0x20 [ 74.001335][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.007667][ T8478] ? __handle_mm_fault+0x93c/0x4e20 [ 74.012873][ T8478] ? find_held_lock+0x2d/0x110 [ 74.017646][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.024418][ T8478] ? __fget_light+0x215/0x280 [ 74.029117][ T8478] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 74.035356][ T8478] __sys_sendmsg+0xe5/0x1b0 [ 74.039985][ T8478] ? __sys_sendmsg_sock+0xb0/0xb0 [ 74.045017][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.051275][ T8478] ? syscall_enter_from_user_mode+0x1d/0x50 [ 74.057201][ T8478] do_syscall_64+0x2d/0x70 [ 74.061642][ T8478] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 74.067547][ T8478] RIP: 0033:0x4402f9 [ 74.071442][ T8478] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 74.091149][ T8478] RSP: 002b:00007fff14c27958 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.099902][ T8478] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402f9 [ 74.107860][ T8478] RDX: 0000000000000000 RSI: 00000000200029c0 RDI: 0000000000000003 [ 74.115831][ T8478] RBP: 00000000006ca018 R08: 0000000000401b90 R09: 00000000004002c8 [ 74.123807][ T8478] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b00 [ 74.131793][ T8478] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000 [ 74.139784][ T8478] [ 74.142300][ T8478] The buggy address belongs to the variable: [ 74.148281][ T8478] vdpa_nl_policy+0x90/0x3a00 [ 74.152971][ T8478] [ 74.155304][ T8478] Memory state around the buggy address: [ 74.160934][ T8478] ffffffff89cc6e80: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 [ 74.168987][ T8478] ffffffff89cc6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 74.177043][ T8478] >ffffffff89cc6f80: 00 00 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 [ 74.185091][ T8478] ^ [ 74.189678][ T8478] ffffffff89cc7000: 00 00 07 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 [ 74.197744][ T8478] ffffffff89cc7080: 00 07 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 [ 74.205795][ T8478] ================================================================== [ 74.213841][ T8478] Disabling lock debugging due to kernel taint [ 74.223431][ T8478] Kernel panic - not syncing: panic_on_warn set ... [ 74.230081][ T8478] CPU: 0 PID: 8478 Comm: syz-executor485 Tainted: G B 5.11.0-rc5-next-20210129-syzkaller #0 [ 74.241504][ T8478] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 74.251713][ T8478] Call Trace: [ 74.254990][ T8478] dump_stack+0x107/0x163 [ 74.259322][ T8478] ? netlink_policy_dump_add_policy+0x380/0x440 [ 74.265551][ T8478] panic+0x306/0x73d [ 74.269436][ T8478] ? __warn_printk+0xf3/0xf3 [ 74.274014][ T8478] ? preempt_schedule_common+0x59/0xc0 [ 74.279474][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 74.285705][ T8478] ? preempt_schedule_thunk+0x16/0x18 [ 74.291065][ T8478] ? trace_hardirqs_on+0x38/0x1c0 [ 74.296088][ T8478] ? trace_hardirqs_on+0x51/0x1c0 [ 74.301114][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 74.307364][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 74.313807][ T8478] end_report.cold+0x5a/0x5a [ 74.318419][ T8478] kasan_report.cold+0x6a/0xd8 [ 74.323205][ T8478] ? netlink_policy_dump_add_policy+0x3b6/0x440 [ 74.329473][ T8478] netlink_policy_dump_add_policy+0x3b6/0x440 [ 74.335568][ T8478] ? __netlink_policy_dump_write_attr+0xb00/0xb00 [ 74.342011][ T8478] ? __radix_tree_lookup+0x211/0x2a0 [ 74.347325][ T8478] ctrl_dumppolicy_start+0x3e1/0x760 [ 74.352641][ T8478] ? ctrl_getfamily+0x5a0/0x5a0 [ 74.357508][ T8478] ? vdpa_nl_cmd_mgmtdev_get_dumpit+0x280/0x280 [ 74.363771][ T8478] ? vdpa_mgmtdev_fill+0x420/0x420 [ 74.368903][ T8478] ? kasan_unpoison+0x2c/0x50 [ 74.373599][ T8478] ? ctrl_getfamily+0x5a0/0x5a0 [ 74.378465][ T8478] genl_start+0x3cc/0x670 [ 74.382809][ T8478] __netlink_dump_start+0x584/0x900 [ 74.387996][ T8478] ? genl_family_rcv_msg_doit+0x320/0x320 [ 74.393709][ T8478] ? ctrl_dumppolicy_prep+0x3f0/0x3f0 [ 74.399062][ T8478] genl_family_rcv_msg_dumpit+0x2af/0x310 [ 74.404769][ T8478] ? genl_rcv+0x40/0x40 [ 74.408905][ T8478] ? mutex_lock_io_nested+0xf60/0xf60 [ 74.416019][ T8478] ? __lock_acquire+0x2506/0x54c0 [ 74.421039][ T8478] ? genl_family_rcv_msg_doit+0x320/0x320 [ 74.426874][ T8478] ? genl_unlock+0x20/0x20 [ 74.431396][ T8478] ? genl_parallel_done+0xc0/0xc0 [ 74.436461][ T8478] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80 [ 74.442703][ T8478] ? __radix_tree_lookup+0x211/0x2a0 [ 74.447999][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.454256][ T8478] ? genl_get_cmd+0x3cf/0x480 [ 74.458926][ T8478] genl_rcv_msg+0x434/0x580 [ 74.463424][ T8478] ? genl_get_cmd+0x480/0x480 [ 74.468106][ T8478] ? ctrl_getfamily+0x5a0/0x5a0 [ 74.472946][ T8478] ? ctrl_dumppolicy_prep+0x3f0/0x3f0 [ 74.478304][ T8478] ? lockdep_genl_is_held+0x30/0x30 [ 74.483500][ T8478] ? lock_release+0x710/0x710 [ 74.488279][ T8478] netlink_rcv_skb+0x153/0x420 [ 74.493034][ T8478] ? genl_get_cmd+0x480/0x480 [ 74.497697][ T8478] ? netlink_ack+0xaa0/0xaa0 [ 74.502288][ T8478] ? _copy_from_iter_full+0x2fa/0x1120 [ 74.507753][ T8478] genl_rcv+0x24/0x40 [ 74.511721][ T8478] netlink_unicast+0x533/0x7d0 [ 74.516507][ T8478] ? netlink_attachskb+0x870/0x870 [ 74.521604][ T8478] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 74.527831][ T8478] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 74.534062][ T8478] ? __phys_addr_symbol+0x2c/0x70 [ 74.539084][ T8478] ? __sanitizer_cov_trace_cmp8+0x1d/0x70 [ 74.544789][ T8478] ? __check_object_size+0x171/0x3f0 [ 74.550066][ T8478] netlink_sendmsg+0x856/0xd90 [ 74.554819][ T8478] ? netlink_unicast+0x7d0/0x7d0 [ 74.560096][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.566332][ T8478] ? netlink_unicast+0x7d0/0x7d0 [ 74.571268][ T8478] sock_sendmsg+0xcf/0x120 [ 74.575675][ T8478] ____sys_sendmsg+0x6e8/0x810 [ 74.580425][ T8478] ? kernel_sendmsg+0x50/0x50 [ 74.585105][ T8478] ? do_recvmmsg+0x6c0/0x6c0 [ 74.589681][ T8478] ? do_huge_pmd_anonymous_page+0x123b/0x2310 [ 74.595730][ T8478] ? lock_downgrade+0x6d0/0x6d0 [ 74.600570][ T8478] ___sys_sendmsg+0xf3/0x170 [ 74.605145][ T8478] ? sendmsg_copy_msghdr+0x160/0x160 [ 74.610425][ T8478] ? do_huge_pmd_anonymous_page+0x930/0x2310 [ 74.616392][ T8478] ? lock_chain_count+0x20/0x20 [ 74.621230][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.627462][ T8478] ? __handle_mm_fault+0x93c/0x4e20 [ 74.632654][ T8478] ? find_held_lock+0x2d/0x110 [ 74.637405][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.643643][ T8478] ? __fget_light+0x215/0x280 [ 74.648319][ T8478] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 74.654560][ T8478] __sys_sendmsg+0xe5/0x1b0 [ 74.659084][ T8478] ? __sys_sendmsg_sock+0xb0/0xb0 [ 74.664111][ T8478] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 74.670348][ T8478] ? syscall_enter_from_user_mode+0x1d/0x50 [ 74.676231][ T8478] do_syscall_64+0x2d/0x70 [ 74.680638][ T8478] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 74.686514][ T8478] RIP: 0033:0x4402f9 [ 74.690389][ T8478] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 74.709978][ T8478] RSP: 002b:00007fff14c27958 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.718376][ T8478] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402f9 [ 74.726329][ T8478] RDX: 0000000000000000 RSI: 00000000200029c0 RDI: 0000000000000003 [ 74.734291][ T8478] RBP: 00000000006ca018 R08: 0000000000401b90 R09: 00000000004002c8 [ 74.742243][ T8478] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b00 [ 74.750198][ T8478] R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000 [ 74.759018][ T8478] Kernel Offset: disabled [ 74.763343][ T8478] Rebooting in 86400 seconds..