[ 36.027572] audit: type=1800 audit(1548292666.706:28): pid=7563 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 36.611653] audit: type=1800 audit(1548292667.366:29): pid=7563 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 36.631069] audit: type=1800 audit(1548292667.366:30): pid=7563 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 78.852376] ==================================================================
[ 78.859840] BUG: KASAN: global-out-of-bounds in validate_nla+0x12c4/0x1580
[ 78.866934] Read of size 1 at addr ffffffff88f41a40 by task syz-executor022/7737
[ 78.874588]
[ 78.876206] CPU: 1 PID: 7737 Comm: syz-executor022 Not tainted 5.0.0-rc3+ #17
[ 78.883456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.892859] Call Trace:
[ 78.895531]  dump_stack+0x1db/0x2d0
[ 78.899148]  ? dump_stack_print_info.cold+0x20/0x20
[ 78.904148]  ? mark_held_locks+0xb1/0x100
[ 78.908277]  ? validate_nla+0x12c4/0x1580
[ 78.912411]  print_address_description.cold+0x5/0x20d
[ 78.917583]  ? validate_nla+0x12c4/0x1580
[ 78.921711]  ? validate_nla+0x12c4/0x1580
[ 78.925853]  kasan_report.cold+0x1b/0x40
[ 78.929904]  ? do_raw_spin_trylock+0x210/0x270
[ 78.934565]  ? validate_nla+0x12c4/0x1580
[ 78.938852]  __asan_report_load1_noabort+0x14/0x20
[ 78.943765]  validate_nla+0x12c4/0x1580
[ 78.947723]  ? nla_memcpy+0xb0/0xb0
[ 78.951457]  ? depot_save_stack+0x1de/0x460
[ 78.955768]  ? save_stack+0xa9/0xd0
[ 78.959376]  ? save_stack+0x45/0xd0
[ 78.962985]  ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 78.968078]  ? kasan_kmalloc+0x9/0x10
[ 78.971866]  nla_validate+0xc1/0x130
[ 78.975563]  validate_nla+0x711/0x1580
[ 78.979442]  ? print_usage_bug+0x20/0xd0
[ 78.983635]  ? nla_memcpy+0xb0/0xb0
[ 78.987255]  ? add_lock_to_list.isra.0+0x450/0x450
[ 78.992177]  ? __lock_is_held+0xb6/0x140
[ 78.996223]  ? add_lock_to_list.isra.0+0x450/0x450
[ 79.001305]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.006827]  __nla_parse+0x206/0x340
[ 79.010530]  nla_parse+0x45/0x60
[ 79.013892]  nl80211_dump_wiphy_parse.isra.0.constprop.0+0x133/0x610
[ 79.020373]  ? nl80211_set_cqm+0x1e50/0x1e50
[ 79.024853]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.030378]  nl80211_dump_wiphy+0x595/0x760
[ 79.034693]  genl_lock_dumpit+0x6d/0xa0
[ 79.038653]  netlink_dump+0x5f2/0x1070
[ 79.042703]  ? netlink_broadcast+0x50/0x50
[ 79.046939]  __netlink_dump_start+0x5b4/0x7e0
[ 79.051422]  ? genl_lock_dumpit+0xa0/0xa0
[ 79.055565]  genl_family_rcv_msg+0xeb5/0x11a0
[ 79.060046]  ? genl_unregister_family+0x8a0/0x8a0
[ 79.064884]  ? genl_lock_dumpit+0xa0/0xa0
[ 79.069021]  ? genl_lock_done+0xe0/0xe0
[ 79.072973]  ? genl_unlock+0x20/0x20
[ 79.076673]  ? radix_tree_insert+0x850/0x850
[ 79.081065]  ? netlink_deliver_tap+0x32b/0xf40
[ 79.085642]  ? lock_downgrade+0x910/0x910
[ 79.089775]  ? kasan_check_read+0x11/0x20
[ 79.093917]  genl_rcv_msg+0xca/0x16c
[ 79.097667]  netlink_rcv_skb+0x17d/0x410
[ 79.101719]  ? genl_family_rcv_msg+0x11a0/0x11a0
[ 79.106476]  ? netlink_ack+0xba0/0xba0
[ 79.110353]  ? __down_interruptible+0x740/0x740
[ 79.115011]  genl_rcv+0x29/0x40
[ 79.118272]  netlink_unicast+0x574/0x770
[ 79.122316]  ? netlink_attachskb+0x980/0x980
[ 79.126721]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.132251]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 79.137430]  netlink_sendmsg+0xa05/0xf90
[ 79.141479]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.147006]  ? netlink_unicast+0x770/0x770
[ 79.151387]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 79.157287]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 79.162385]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.168095]  ? security_socket_sendmsg+0x93/0xc0
[ 79.172853]  ? netlink_unicast+0x770/0x770
[ 79.177893]  sock_sendmsg+0xdd/0x130
[ 79.182007]  ___sys_sendmsg+0x7ec/0x910
[ 79.185968]  ? copy_msghdr_from_user+0x570/0x570
[ 79.190955]  ? __handle_mm_fault+0x955/0x55a0
[ 79.195451]  ? add_lock_to_list.isra.0+0x450/0x450
[ 79.200724]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 79.205557]  ? check_preemption_disabled+0x48/0x290
[ 79.210574]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.216539]  ? __fget_light+0x2db/0x420
[ 79.220502]  ? fget_raw+0x20/0x20
[ 79.223944]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 79.229225]  ? rcu_read_unlock_special+0x380/0x380
[ 79.234142]  ? __fdget+0x1b/0x20
[ 79.237498]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.243022]  ? sockfd_lookup_light+0xc2/0x160
[ 79.247518]  __sys_sendmsg+0x112/0x270
[ 79.251394]  ? __ia32_sys_shutdown+0x80/0x80
[ 79.255797]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.261402]  ? vmacache_update+0x114/0x140
[ 79.265892]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 79.270379]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.275728]  ? trace_hardirqs_off_caller+0x300/0x300
[ 79.280834]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 79.285579]  __x64_sys_sendmsg+0x78/0xb0
[ 79.289635]  do_syscall_64+0x1a3/0x800
[ 79.293665]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 79.298585]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 79.303604]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 79.308440]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.313614] RIP: 0033:0x4400d9
[ 79.316800] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.335695] RSP: 002b:00007ffe321d90b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 79.343497] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400d9
[ 79.350754] RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003
[ 79.358016] RBP: 00000000006ca018 R08: 0000000000000006 R09: 00000000004002c8
[ 79.365267] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401960
[ 79.372519] R13: 00000000004019f0 R14: 0000000000000000 R15: 0000000000000000
[ 79.379779]
[ 79.381386] The buggy address belongs to the variable:
[ 79.386649]  nl80211_pmsr_attr_policy+0x60/0x80
[ 79.391294]
[ 79.392899] Memory state around the buggy address:
[ 79.397810]  ffffffff88f41900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 79.405160]  ffffffff88f41980: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[ 79.412585] >ffffffff88f41a00: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[ 79.419928]                                            ^
[ 79.425369]  ffffffff88f41a80: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
[ 79.432712]  ffffffff88f41b00: 00 00 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[ 79.440119] ==================================================================
[ 79.447462] Disabling lock debugging due to kernel taint
[ 79.453377] Kernel panic - not syncing: panic_on_warn set ...
[ 79.459375] CPU: 1 PID: 7737 Comm: syz-executor022 Tainted: G    B             5.0.0-rc3+ #17
[ 79.468014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.477349] Call Trace:
[ 79.479921]  dump_stack+0x1db/0x2d0
[ 79.483526]  ? dump_stack_print_info.cold+0x20/0x20
[ 79.488591]  panic+0x2cb/0x65c
[ 79.491773]  ? add_taint.cold+0x16/0x16
[ 79.495731]  ? validate_nla+0x12c4/0x1580
[ 79.499874]  ? preempt_schedule+0x4b/0x60
[ 79.504003]  ? ___preempt_schedule+0x16/0x18
[ 79.508390]  ? trace_hardirqs_on+0xb4/0x310
[ 79.512692]  ? validate_nla+0x12c4/0x1580
[ 79.516817]  end_report+0x47/0x4f
[ 79.520255]  ? validate_nla+0x12c4/0x1580
[ 79.524391]  kasan_report.cold+0xe/0x40
[ 79.528356]  ? do_raw_spin_trylock+0x210/0x270
[ 79.532927]  ? validate_nla+0x12c4/0x1580
[ 79.537060]  __asan_report_load1_noabort+0x14/0x20
[ 79.541969]  validate_nla+0x12c4/0x1580
[ 79.545927]  ? nla_memcpy+0xb0/0xb0
[ 79.549534]  ? depot_save_stack+0x1de/0x460
[ 79.553841]  ? save_stack+0xa9/0xd0
[ 79.557451]  ? save_stack+0x45/0xd0
[ 79.561059]  ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 79.566143]  ? kasan_kmalloc+0x9/0x10
[ 79.569927]  nla_validate+0xc1/0x130
[ 79.573622]  validate_nla+0x711/0x1580
[ 79.577489]  ? print_usage_bug+0x20/0xd0
[ 79.581528]  ? nla_memcpy+0xb0/0xb0
[ 79.585135]  ? add_lock_to_list.isra.0+0x450/0x450
[ 79.590041]  ? __lock_is_held+0xb6/0x140
[ 79.594083]  ? add_lock_to_list.isra.0+0x450/0x450
[ 79.598992]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.604595]  __nla_parse+0x206/0x340
[ 79.608302]  nla_parse+0x45/0x60
[ 79.611678]  nl80211_dump_wiphy_parse.isra.0.constprop.0+0x133/0x610
[ 79.618160]  ? nl80211_set_cqm+0x1e50/0x1e50
[ 79.622569]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.628093]  nl80211_dump_wiphy+0x595/0x760
[ 79.632411]  genl_lock_dumpit+0x6d/0xa0
[ 79.636373]  netlink_dump+0x5f2/0x1070
[ 79.640270]  ? netlink_broadcast+0x50/0x50
[ 79.644584]  __netlink_dump_start+0x5b4/0x7e0
[ 79.649074]  ? genl_lock_dumpit+0xa0/0xa0
[ 79.653249]  genl_family_rcv_msg+0xeb5/0x11a0
[ 79.657748]  ? genl_unregister_family+0x8a0/0x8a0
[ 79.662584]  ? genl_lock_dumpit+0xa0/0xa0
[ 79.666710]  ? genl_lock_done+0xe0/0xe0
[ 79.670664]  ? genl_unlock+0x20/0x20
[ 79.674358]  ? radix_tree_insert+0x850/0x850
[ 79.678747]  ? netlink_deliver_tap+0x32b/0xf40
[ 79.683315]  ? lock_downgrade+0x910/0x910
[ 79.687445]  ? kasan_check_read+0x11/0x20
[ 79.691595]  genl_rcv_msg+0xca/0x16c
[ 79.695293]  netlink_rcv_skb+0x17d/0x410
[ 79.699356]  ? genl_family_rcv_msg+0x11a0/0x11a0
[ 79.704102]  ? netlink_ack+0xba0/0xba0
[ 79.707975]  ? __down_interruptible+0x740/0x740
[ 79.712638]  genl_rcv+0x29/0x40
[ 79.715911]  netlink_unicast+0x574/0x770
[ 79.719954]  ? netlink_attachskb+0x980/0x980
[ 79.724342]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.729859]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 79.734857]  netlink_sendmsg+0xa05/0xf90
[ 79.738900]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.744432]  ? netlink_unicast+0x770/0x770
[ 79.748654]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 79.753493]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 79.758345]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.763876]  ? security_socket_sendmsg+0x93/0xc0
[ 79.768614]  ? netlink_unicast+0x770/0x770
[ 79.772839]  sock_sendmsg+0xdd/0x130
[ 79.776543]  ___sys_sendmsg+0x7ec/0x910
[ 79.780503]  ? copy_msghdr_from_user+0x570/0x570
[ 79.785241]  ? __handle_mm_fault+0x955/0x55a0
[ 79.789721]  ? add_lock_to_list.isra.0+0x450/0x450
[ 79.794633]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 79.799459]  ? check_preemption_disabled+0x48/0x290
[ 79.804463]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.809990]  ? __fget_light+0x2db/0x420
[ 79.813954]  ? fget_raw+0x20/0x20
[ 79.817395]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 79.822652]  ? rcu_read_unlock_special+0x380/0x380
[ 79.827572]  ? __fdget+0x1b/0x20
[ 79.830919]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.836579]  ? sockfd_lookup_light+0xc2/0x160
[ 79.841068]  __sys_sendmsg+0x112/0x270
[ 79.844936]  ? __ia32_sys_shutdown+0x80/0x80
[ 79.849324]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.854842]  ? vmacache_update+0x114/0x140
[ 79.859072]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 79.863558]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.868913]  ? trace_hardirqs_off_caller+0x300/0x300
[ 79.874002]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 79.878746]  __x64_sys_sendmsg+0x78/0xb0
[ 79.882795]  do_syscall_64+0x1a3/0x800
[ 79.886665]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 79.891580]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 79.896580]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 79.901421]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.906600] RIP: 0033:0x4400d9
[ 79.909823] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.928710] RSP: 002b:00007ffe321d90b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 79.936407] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400d9
[ 79.943658] RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003
[ 79.950923] RBP: 00000000006ca018 R08: 0000000000000006 R09: 00000000004002c8
[ 79.958185] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401960
[ 79.965436] R13: 00000000004019f0 R14: 0000000000000000 R15: 0000000000000000
[ 79.973698] Kernel Offset: disabled
[ 79.977316] Rebooting in 86400 seconds..