[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   28.152478] kauditd_printk_skb: 7 callbacks suppressed
[   28.152490] audit: type=1800 audit(1543149685.216:29): pid=5837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   28.177328] audit: type=1800 audit(1543149685.216:30): pid=5837 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   39.406027] ==================================================================
[   39.413474] BUG: KASAN: slab-out-of-bounds in queue_stack_map_push_elem+0x185/0x290
[   39.421268] Write of size 262146 at addr ffff8801d8c123c8 by task syz-executor281/5991
[   39.429295]
[   39.430908] CPU: 0 PID: 5991 Comm: syz-executor281 Not tainted 4.20.0-rc1-next-20181109+ #110
[   39.439563] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.448901] Call Trace:
[   39.451474]  dump_stack+0x244/0x39d
[   39.455085]  ? dump_stack_print_info.cold.1+0x20/0x20
[   39.460271]  ? printk+0xa7/0xcf
[   39.463533]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.468278]  print_address_description.cold.7+0x9/0x1ff
[   39.473622]  kasan_report.cold.8+0x242/0x309
[   39.478028]  ? queue_stack_map_push_elem+0x185/0x290
[   39.483119]  check_memory_region+0x13e/0x1b0
[   39.487512]  memcpy+0x37/0x50
[   39.490610]  queue_stack_map_push_elem+0x185/0x290
[   39.495520]  ? queue_map_pop_elem+0x30/0x30
[   39.499828]  map_update_elem+0x605/0xf60
[   39.503875]  __x64_sys_bpf+0x32d/0x520
[   39.507745]  ? bpf_prog_get+0x20/0x20
[   39.511536]  do_syscall_64+0x1b9/0x820
[   39.515440]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   39.520784]  ? syscall_return_slowpath+0x5e0/0x5e0
[   39.525695]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.530521]  ? trace_hardirqs_on_caller+0x310/0x310
[   39.535534]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   39.540533]  ? prepare_exit_to_usermode+0x291/0x3b0
[   39.545532]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.550363]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.555530] RIP: 0033:0x4400e9
[   39.558703] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   39.577585] RSP: 002b:00007fff07944848 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   39.585289] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[   39.592537] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[   39.599817] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   39.607076] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[   39.614360] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   39.621622]
[   39.623228] Allocated by task 5991:
[   39.626836]  save_stack+0x43/0xd0
[   39.630313]  kasan_kmalloc+0xc7/0xe0
[   39.634004]  __kmalloc_node+0x50/0x70
[   39.637787]  bpf_map_area_alloc+0x3f/0x90
[   39.641914]  queue_stack_map_alloc+0x192/0x290
[   39.646472]  map_create+0x3bd/0x1110
[   39.650162]  __x64_sys_bpf+0x303/0x520
[   39.654028]  do_syscall_64+0x1b9/0x820
[   39.657898]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.663061]
[   39.664665] Freed by task 3699:
[   39.667926]  save_stack+0x43/0xd0
[   39.671361]  __kasan_slab_free+0x102/0x150
[   39.675580]  kasan_slab_free+0xe/0x10
[   39.679386]  kfree+0xcf/0x230
[   39.682505]  skb_free_head+0x99/0xc0
[   39.686199]  skb_release_data+0x6a4/0x880
[   39.690327]  skb_release_all+0x4a/0x60
[   39.694195]  consume_skb+0x1a9/0x560
[   39.697891]  skb_free_datagram+0x1a/0xf0
[   39.701932]  netlink_recvmsg+0x70f/0x1480
[   39.706059]  sock_recvmsg+0xd0/0x110
[   39.709754]  ___sys_recvmsg+0x2b6/0x680
[   39.713707]  __sys_recvmsg+0x11a/0x280
[   39.717575]  __x64_sys_recvmsg+0x78/0xb0
[   39.721657]  do_syscall_64+0x1b9/0x820
[   39.725549]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.730712]
[   39.732322] The buggy address belongs to the object at ffff8801d8c12280
[   39.732322]  which belongs to the cache kmalloc-512 of size 512
[   39.744962] The buggy address is located 328 bytes inside of
[   39.744962]  512-byte region [ffff8801d8c12280, ffff8801d8c12480)
[   39.756816] The buggy address belongs to the page:
[   39.761725] page:ffffea0007630480 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   39.769848] flags: 0x2fffc0000000200(slab)
[   39.774069] raw: 02fffc0000000200 ffffea0007641d08 ffffea000763b088 ffff8801da800940
[   39.781934] raw: 0000000000000000 ffff8801d8c12000 0000000100000006 0000000000000000
[   39.789804] page dumped because: kasan: bad access detected
[   39.795490]
[   39.797097] Memory state around the buggy address:
[   39.802018]  ffff8801d8c12300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   39.809361]  ffff8801d8c12380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   39.816701] >ffff8801d8c12400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.824036]                    ^
[   39.827381]  ffff8801d8c12480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.834721]  ffff8801d8c12500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.842054] ==================================================================
[   39.849527] Disabling lock debugging due to kernel taint
[   39.854957] Kernel panic - not syncing: panic_on_warn set ...
[   39.860825] CPU: 0 PID: 5991 Comm: syz-executor281 Tainted: G    B             4.20.0-rc1-next-20181109+ #110
[   39.870854] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.880184] Call Trace:
[   39.882753]  dump_stack+0x244/0x39d
[   39.886358]  ? dump_stack_print_info.cold.1+0x20/0x20
[   39.891534]  panic+0x2ad/0x55c
[   39.894897]  ? add_taint.cold.5+0x16/0x16
[   39.899029]  ? add_taint.cold.5+0x5/0x16
[   39.903069]  ? trace_hardirqs_off+0xaf/0x310
[   39.907457]  kasan_end_report+0x47/0x4f
[   39.911411]  kasan_report.cold.8+0x76/0x309
[   39.915712]  ? queue_stack_map_push_elem+0x185/0x290
[   39.920801]  check_memory_region+0x13e/0x1b0
[   39.925191]  memcpy+0x37/0x50
[   39.928279]  queue_stack_map_push_elem+0x185/0x290
[   39.933187]  ? queue_map_pop_elem+0x30/0x30
[   39.937492]  map_update_elem+0x605/0xf60
[   39.941533]  __x64_sys_bpf+0x32d/0x520
[   39.945399]  ? bpf_prog_get+0x20/0x20
[   39.949187]  do_syscall_64+0x1b9/0x820
[   39.953056]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   39.958417]  ? syscall_return_slowpath+0x5e0/0x5e0
[   39.963324]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.968146]  ? trace_hardirqs_on_caller+0x310/0x310
[   39.973151]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   39.978147]  ? prepare_exit_to_usermode+0x291/0x3b0
[   39.983142]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.987965]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.993134] RIP: 0033:0x4400e9
[   39.996305] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.015199] RSP: 002b:00007fff07944848 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   40.022885] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[   40.030134] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[   40.037386] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   40.044633] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[   40.051879] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   40.060033] Kernel Offset: disabled
[   40.063662] Rebooting in 86400 seconds..
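Reading the report: the faulting memcpy in queue_stack_map_push_elem writes 262146 bytes (one map value) into an object that queue_stack_map_alloc obtained from kmalloc-512, starting 328 bytes into it, so the map was allocated without room for even a single element. The "Freed by task 3699" trace (a netlink skb) is only the previous occupant of that slab slot, not part of this bug. The C model below is an added illustration, not kernel source: it assumes the map's allocation size is header plus value_size times an element-slot count, that the slot count is max_entries + 1 held in a 32-bit integer (so max_entries == UINT32_MAX wraps it to zero), and it fixes the header/element offset at 328 to match the report. It places that buggy arithmetic beside a checked version that widens to 64 bits and rejects zero sizes and oversized maps; the cost ceiling and the power-of-two kmalloc buckets are simplifications.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added model of the allocation-size arithmetic behind the report above.
 * Not kernel code. Assumed constants:
 *  - ELEMENTS_OFFSET: header bytes in front of the element array, set to 328
 *    because the report places the bad write 328 bytes into the object;
 *  - COST_CEILING: a simplified upper bound on map memory;
 *  - kmalloc_bucket(): generic power-of-two caches, 96/192 caches ignored.
 */
#define ELEMENTS_OFFSET 328ull
#define PAGE_BYTES      4096ull
#define COST_CEILING    (UINT32_MAX - PAGE_BYTES)

/* Buggy form: the slot count is computed in 32 bits, so
 * max_entries == UINT32_MAX wraps to 0 and only the header is allocated. */
static uint64_t qs_alloc_bytes_u32(uint32_t max_entries, uint32_t value_size)
{
    uint32_t slots = max_entries + 1u;            /* wraps to 0 for UINT32_MAX */
    return ELEMENTS_OFFSET + (uint64_t)value_size * slots;
}

/* Hardened form: reject degenerate sizes, widen before arithmetic, cap cost. */
static int qs_alloc_bytes_checked(uint32_t max_entries, uint32_t value_size,
                                  uint64_t *bytes)
{
    if (max_entries == 0 || value_size == 0)
        return -EINVAL;
    uint64_t slots = (uint64_t)max_entries + 1;   /* cannot wrap in 64 bits */
    uint64_t total = ELEMENTS_OFFSET + (uint64_t)value_size * slots;
    if (total < ELEMENTS_OFFSET)                  /* 64-bit wrap guard */
        return -E2BIG;
    if (total >= COST_CEILING)
        return -E2BIG;
    *bytes = total;
    return 0;
}

/* Smallest generic kmalloc bucket that holds `bytes`. */
static uint64_t kmalloc_bucket(uint64_t bytes)
{
    uint64_t b = 8;
    while (b < bytes)
        b <<= 1;
    return b;
}

/* Bytes a push of one value into slot `head` would write past an allocation
 * of `alloc_bytes`; 0 means the write stays inside the object. */
static uint64_t push_overrun(uint64_t alloc_bytes, uint32_t value_size,
                             uint32_t head)
{
    uint64_t end = ELEMENTS_OFFSET + (uint64_t)head * value_size + value_size;
    return end > alloc_bytes ? end - alloc_bytes : 0;
}

int main(void)
{
    /* value_size is the write size from the report; max_entries is the
     * assumed wrapping input, not a value the report states. */
    const uint32_t value_size = 262146u;
    const uint32_t max_entries = UINT32_MAX;
    uint64_t bytes = 0;

    uint64_t buggy = qs_alloc_bytes_u32(max_entries, value_size);
    printf("u32 path: alloc %llu bytes -> kmalloc-%llu, first push overruns by %llu\n",
           (unsigned long long)buggy,
           (unsigned long long)kmalloc_bucket(buggy),
           (unsigned long long)push_overrun(buggy, value_size, 0));

    int rc = qs_alloc_bytes_checked(max_entries, value_size, &bytes);
    printf("checked path: rc=%d (%s)\n", rc,
           rc == -E2BIG ? "E2BIG" : rc == -EINVAL ? "EINVAL" : "ok");

    if (qs_alloc_bytes_checked(3, 8, &bytes) == 0)
        printf("sane map: %llu bytes, slot 3 overrun %llu, slot 4 overrun %llu\n",
               (unsigned long long)bytes,
               (unsigned long long)push_overrun(bytes, 8, 3),
               (unsigned long long)push_overrun(bytes, 8, 4));
    return 0;
}
```

With the report's value size and the wrapping max_entries, the 32-bit path sizes the map at 328 bytes, which lands in kmalloc-512 exactly as the allocation trace shows, and the first push then writes all 262146 bytes past the end of the allocation; the checked path rejects the same request with E2BIG before any memory is allocated. Whatever the exact kernel-side arithmetic was, the practitioner's check when triaging such a report is the same: compare the access size against the slab cache size named in the report and walk back to where the allocation size was computed from user-controlled attributes.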