[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 28.254898] kauditd_printk_skb: 7 callbacks suppressed
[ 28.254909] audit: type=1800 audit(1543152275.543:29): pid=5835 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 28.281092] audit: type=1800 audit(1543152275.543:30): pid=5835 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 31.470440] sshd (5973) used greatest stack depth: 15632 bytes left
Warning: Permanently added '10.128.0.30' (ECDSA) to the list of known hosts.
executing program
[ 54.288743] ==================================================================
[ 54.296188] BUG: KASAN: slab-out-of-bounds in queue_stack_map_push_elem+0x185/0x290
[ 54.303970] Write of size 262146 at addr ffff8801b793a188 by task syz-executor219/5991
[ 54.312002]
[ 54.313618] CPU: 1 PID: 5991 Comm: syz-executor219 Not tainted 4.20.0-rc1-next-20181109+ #110
[ 54.322262] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.331601] Call Trace:
[ 54.334177]  dump_stack+0x244/0x39d
[ 54.337797]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 54.342976]  ? printk+0xa7/0xcf
[ 54.346238]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 54.350978]  print_address_description.cold.7+0x9/0x1ff
[ 54.356329]  kasan_report.cold.8+0x242/0x309
[ 54.360719]  ? queue_stack_map_push_elem+0x185/0x290
[ 54.365811]  check_memory_region+0x13e/0x1b0
[ 54.370214]  memcpy+0x37/0x50
[ 54.373312]  queue_stack_map_push_elem+0x185/0x290
[ 54.378236]  ? queue_map_pop_elem+0x30/0x30
[ 54.382547]  map_update_elem+0x605/0xf60
[ 54.386704]  __x64_sys_bpf+0x32d/0x520
[ 54.390583]  ? bpf_prog_get+0x20/0x20
[ 54.394379]  do_syscall_64+0x1b9/0x820
[ 54.398264]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 54.403621]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 54.408536]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.413368]  ? trace_hardirqs_on_caller+0x310/0x310
[ 54.418370]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 54.423371]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 54.428379]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.433215]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.438389] RIP: 0033:0x4400e9
[ 54.441569] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.460531] RSP: 002b:00007ffe2072e068 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 54.468297] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[ 54.475557] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 54.482812] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 54.490132] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[ 54.497396] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 54.504655]
[ 54.506265] Allocated by task 5991:
[ 54.509881]  save_stack+0x43/0xd0
[ 54.513319]  kasan_kmalloc+0xc7/0xe0
[ 54.517013]  __kmalloc_node+0x50/0x70
[ 54.520794]  bpf_map_area_alloc+0x3f/0x90
[ 54.524928]  queue_stack_map_alloc+0x192/0x290
[ 54.529493]  map_create+0x3bd/0x1110
[ 54.533190]  __x64_sys_bpf+0x303/0x520
[ 54.537060]  do_syscall_64+0x1b9/0x820
[ 54.540934]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.546100]
[ 54.547708] Freed by task 3699:
[ 54.550972]  save_stack+0x43/0xd0
[ 54.554411]  __kasan_slab_free+0x102/0x150
[ 54.558733]  kasan_slab_free+0xe/0x10
[ 54.562523]  kfree+0xcf/0x230
[ 54.565653]  skb_free_head+0x99/0xc0
[ 54.569356]  skb_release_data+0x6a4/0x880
[ 54.573589]  skb_release_all+0x4a/0x60
[ 54.577459]  consume_skb+0x1a9/0x560
[ 54.581230]  skb_free_datagram+0x1a/0xf0
[ 54.585391]  netlink_recvmsg+0x70f/0x1480
[ 54.589529]  sock_recvmsg+0xd0/0x110
[ 54.593336]  ___sys_recvmsg+0x2b6/0x680
[ 54.597295]  __sys_recvmsg+0x11a/0x280
[ 54.601162]  __x64_sys_recvmsg+0x78/0xb0
[ 54.605205]  do_syscall_64+0x1b9/0x820
[ 54.609080]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.614262]
[ 54.615886] The buggy address belongs to the object at ffff8801b793a040
[ 54.615886]  which belongs to the cache kmalloc-512 of size 512
[ 54.628527] The buggy address is located 328 bytes inside of
[ 54.628527]  512-byte region [ffff8801b793a040, ffff8801b793a240)
[ 54.640384] The buggy address belongs to the page:
[ 54.645300] page:ffffea0006de4e80 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 54.653431] flags: 0x2fffc0000000200(slab)
[ 54.657661] raw: 02fffc0000000200 ffffea0006de4ec8 ffffea0006f00308 ffff8801da800940
[ 54.665524] raw: 0000000000000000 ffff8801b793a040 0000000100000006 0000000000000000
[ 54.673381] page dumped because: kasan: bad access detected
[ 54.679068]
[ 54.680679] Memory state around the buggy address:
[ 54.685594]  ffff8801b793a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.692936]  ffff8801b793a100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.700554] >ffff8801b793a180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 54.707895]                                            ^
[ 54.713331]  ffff8801b793a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.720737]  ffff8801b793a280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 54.728139] ==================================================================
[ 54.735485] Disabling lock debugging due to kernel taint
[ 54.740916] Kernel panic - not syncing: panic_on_warn set ...
[ 54.746878] CPU: 1 PID: 5991 Comm: syz-executor219 Tainted: G B 4.20.0-rc1-next-20181109+ #110
[ 54.756915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.766251] Call Trace:
[ 54.768835]  dump_stack+0x244/0x39d
[ 54.772455]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 54.777693]  panic+0x2ad/0x55c
[ 54.780875]  ? add_taint.cold.5+0x16/0x16
[ 54.785014]  ? add_taint.cold.5+0x5/0x16
[ 54.789061]  ? trace_hardirqs_off+0xaf/0x310
[ 54.793573]  kasan_end_report+0x47/0x4f
[ 54.797531]  kasan_report.cold.8+0x76/0x309
[ 54.801833]  ? queue_stack_map_push_elem+0x185/0x290
[ 54.806927]  check_memory_region+0x13e/0x1b0
[ 54.811314]  memcpy+0x37/0x50
[ 54.814403]  queue_stack_map_push_elem+0x185/0x290
[ 54.819377]  ? queue_map_pop_elem+0x30/0x30
[ 54.823690]  map_update_elem+0x605/0xf60
[ 54.827738]  __x64_sys_bpf+0x32d/0x520
[ 54.831607]  ? bpf_prog_get+0x20/0x20
[ 54.835395]  do_syscall_64+0x1b9/0x820
[ 54.839266]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 54.844610]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 54.849550]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.854381]  ? trace_hardirqs_on_caller+0x310/0x310
[ 54.859378]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 54.864385]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 54.869385]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.874212]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.879384] RIP: 0033:0x4400e9
[ 54.882560] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.901450] RSP: 002b:00007ffe2072e068 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 54.909253] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[ 54.916505] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 54.923755] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 54.931004] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[ 54.938257] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 54.946613] Kernel Offset: disabled
[ 54.950283] Rebooting in 86400 seconds..