[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.148' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 33.972655] ==================================================================
[ 33.980130] BUG: KASAN: use-after-free in rtnl_newlink+0x1530/0x15c0
[ 33.986613] Read of size 1 at addr ffff8880953dc7a8 by task syz-executor890/8109
[ 33.994145]
[ 33.995760] CPU: 1 PID: 8109 Comm: syz-executor890 Not tainted 4.19.211-syzkaller #0
[ 34.003625] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 34.012972] Call Trace:
[ 34.015547] dump_stack+0x1fc/0x2ef
[ 34.019157] print_address_description.cold+0x54/0x219
[ 34.024417] kasan_report_error.cold+0x8a/0x1b9
[ 34.029066] ? rtnl_newlink+0x1530/0x15c0
[ 34.033197] __asan_report_load1_noabort+0x88/0x90
[ 34.038120] ? rtnl_newlink+0x1530/0x15c0
[ 34.042251] rtnl_newlink+0x1530/0x15c0
[ 34.046213] ? rtnl_getlink+0x620/0x620
[ 34.050179] ? get_reg+0x1f0/0x1f0
[ 34.053699] ? unwind_next_frame+0xeee/0x1400
[ 34.058181] ? __save_stack_trace+0x72/0x190
[ 34.062570] ? deref_stack_reg+0x134/0x1d0
[ 34.066784] ? get_reg+0x176/0x1f0
[ 34.070308] ? mark_held_locks+0xf0/0xf0
[ 34.074354] ? unwind_next_frame+0xeee/0x1400
[ 34.078835] ? __lock_acquire+0x6de/0x3ff0
[ 34.083069] ? get_reg+0x1f0/0x1f0
[ 34.086597] ? is_bpf_text_address+0xd5/0x1b0
[ 34.091089] ? __lock_acquire+0x6de/0x3ff0
[ 34.095312] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 34.101186] ? deref_stack_reg+0x1d0/0x1d0
[ 34.105411] ? __lock_acquire+0x6de/0x3ff0
[ 34.109632] ? __lock_acquire+0x6de/0x3ff0
[ 34.113851] ? mark_held_locks+0xf0/0xf0
[ 34.117893] ? get_reg+0x1f0/0x1f0
[ 34.121416] ? unwind_next_frame+0xeee/0x1400
[ 34.125908] ? mutex_trylock+0x1a0/0x1a0
[ 34.129958] ? rtnl_getlink+0x620/0x620
[ 34.133916] rtnetlink_rcv_msg+0x453/0xb80
[ 34.138141] ? rtnl_calcit.isra.0+0x430/0x430
[ 34.142644] ? __netlink_lookup+0x3fc/0x730
[ 34.146949] ? lock_downgrade+0x720/0x720
[ 34.151079] ? check_preemption_disabled+0x41/0x280
[ 34.156164] netlink_rcv_skb+0x160/0x440
[ 34.160215] ? rtnl_calcit.isra.0+0x430/0x430
[ 34.164689] ? netlink_ack+0xae0/0xae0
[ 34.168562] netlink_unicast+0x4d5/0x690
[ 34.172613] ? netlink_sendskb+0x110/0x110
[ 34.177099] ? _copy_from_iter_full+0x229/0x7c0
[ 34.181753] ? __phys_addr_symbol+0x2c/0x70
[ 34.186056] ? __check_object_size+0x17b/0x3e0
[ 34.190624] netlink_sendmsg+0x6c3/0xc50
[ 34.194668] ? aa_af_perm+0x230/0x230
[ 34.198448] ? nlmsg_notify+0x1f0/0x1f0
[ 34.202401] ? kernel_recvmsg+0x220/0x220
[ 34.206536] ? nlmsg_notify+0x1f0/0x1f0
[ 34.210499] sock_sendmsg+0xc3/0x120
[ 34.214204] ___sys_sendmsg+0x7bb/0x8e0
[ 34.218169] ? copy_msghdr_from_user+0x440/0x440
[ 34.222904] ? do_wp_page+0x2dc/0x2210
[ 34.226771] ? finish_mkwrite_fault+0x640/0x640
[ 34.231419] ? __handle_mm_fault+0x15f6/0x41c0
[ 34.235981] ? mark_held_locks+0xf0/0xf0
[ 34.240026] ? __handle_mm_fault+0xf34/0x41c0
[ 34.244502] ? errseq_sample+0x56/0x70
[ 34.248371] ? vm_insert_page+0x9c0/0x9c0
[ 34.252687] ? __do_page_fault+0x6d1/0xd60
[ 34.256901] ? __fdget+0x1a0/0x230
[ 34.260425] __x64_sys_sendmsg+0x132/0x220
[ 34.264641] ? __sys_sendmsg+0x1b0/0x1b0
[ 34.268700] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.274048] ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.279046] ? do_syscall_64+0x21/0x620
[ 34.283005] do_syscall_64+0xf9/0x620
[ 34.286789] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.291958] RIP: 0033:0x7fbf7b199f59
[ 34.295651] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 34.314533] RSP: 002b:00007fff9a2e55f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 34.322230] RAX: ffffffffffffffda RBX: 0000000000008496 RCX: 00007fbf7b199f59
[ 34.329488] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
[ 34.337138] RBP: 0000000000000000 R08: 00007fff9a2e5798 R09: 00007fff9a2e5798
[ 34.344387] R10: 00007fff9a2e5798 R11: 0000000000000246 R12: 00007fff9a2e560c
[ 34.351642] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 34.358899]
[ 34.360506] Allocated by task 8109:
[ 34.364130] __kmalloc_node+0x4c/0x70
[ 34.367917] kvmalloc_node+0xb4/0xf0
[ 34.371612] alloc_netdev_mqs+0x97/0xd50
[ 34.375652] rtnl_create_link+0x1d4/0xa40
[ 34.379783] rtnl_newlink+0xf45/0x15c0
[ 34.383650] rtnetlink_rcv_msg+0x453/0xb80
[ 34.387864] netlink_rcv_skb+0x160/0x440
[ 34.391908] netlink_unicast+0x4d5/0x690
[ 34.395948] netlink_sendmsg+0x6c3/0xc50
[ 34.399988] sock_sendmsg+0xc3/0x120
[ 34.403768] ___sys_sendmsg+0x7bb/0x8e0
[ 34.407721] __x64_sys_sendmsg+0x132/0x220
[ 34.411933] do_syscall_64+0xf9/0x620
[ 34.415716] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.420881]
[ 34.422495] Freed by task 8109:
[ 34.425762] kfree+0xcc/0x210
[ 34.428873] kvfree+0x59/0x60
[ 34.431971] free_netdev+0x364/0x410
[ 34.435674] device_release+0x76/0x210
[ 34.439541] kobject_put+0x28b/0x5d0
[ 34.443232] device_unregister+0x35/0xc0
[ 34.447271] register_netdevice+0x901/0x10f0
[ 34.451666] nsim_newlink+0x162/0x1c0
[ 34.455454] rtnl_newlink+0x1030/0x15c0
[ 34.459405] rtnetlink_rcv_msg+0x453/0xb80
[ 34.463627] netlink_rcv_skb+0x160/0x440
[ 34.467672] netlink_unicast+0x4d5/0x690
[ 34.471715] netlink_sendmsg+0x6c3/0xc50
[ 34.475766] sock_sendmsg+0xc3/0x120
[ 34.479463] ___sys_sendmsg+0x7bb/0x8e0
[ 34.483418] __x64_sys_sendmsg+0x132/0x220
[ 34.487634] do_syscall_64+0xf9/0x620
[ 34.491417] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.496599]
[ 34.498206] The buggy address belongs to the object at ffff8880953dc240
[ 34.498206] which belongs to the cache kmalloc-8192 of size 8192
[ 34.511022] The buggy address is located 1384 bytes inside of
[ 34.511022] 8192-byte region [ffff8880953dc240, ffff8880953de240)
[ 34.523046] The buggy address belongs to the page:
[ 34.527970] page:ffffea000254f700 count:1 mapcount:0 mapping:ffff88813bff2080 index:0x0 compound_mapcount: 0
[ 34.538006] flags: 0xfff00000008100(slab|head)
[ 34.542575] raw: 00fff00000008100 ffffea0002c58608 ffff88813bff1b48 ffff88813bff2080
[ 34.550563] raw: 0000000000000000 ffff8880953dc240 0000000100000001 0000000000000000
[ 34.558426] page dumped because: kasan: bad access detected
[ 34.564108]
[ 34.565710] Memory state around the buggy address:
[ 34.570618] ffff8880953dc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.577963] ffff8880953dc700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.585312] >ffff8880953dc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.592650] ^
[ 34.597305] ffff8880953dc800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.604644] ffff8880953dc880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.611989] ==================================================================
[ 34.619323] Disabling lock debugging due to kernel taint
[ 34.625861] Kernel panic - not syncing: panic_on_warn set ...
[ 34.625861]
[ 34.633246] CPU: 0 PID: 8109 Comm: syz-executor890 Tainted: G B 4.19.211-syzkaller #0
[ 34.642509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 34.651857] Call Trace:
[ 34.654444] dump_stack+0x1fc/0x2ef
[ 34.658076] panic+0x26a/0x50e
[ 34.661266] ? __warn_printk+0xf3/0xf3
[ 34.665147] ? preempt_schedule_common+0x45/0xc0
[ 34.669891] ? ___preempt_schedule+0x16/0x18
[ 34.674277] ? trace_hardirqs_on+0x55/0x210
[ 34.678576] kasan_end_report+0x43/0x49
[ 34.682530] kasan_report_error.cold+0xa7/0x1b9
[ 34.687306] ? rtnl_newlink+0x1530/0x15c0
[ 34.691434] __asan_report_load1_noabort+0x88/0x90
[ 34.696345] ? rtnl_newlink+0x1530/0x15c0
[ 34.700470] rtnl_newlink+0x1530/0x15c0
[ 34.704424] ? rtnl_getlink+0x620/0x620
[ 34.708381] ? get_reg+0x1f0/0x1f0
[ 34.711902] ? unwind_next_frame+0xeee/0x1400
[ 34.716376] ? __save_stack_trace+0x72/0x190
[ 34.720760] ? deref_stack_reg+0x134/0x1d0
[ 34.724971] ? get_reg+0x176/0x1f0
[ 34.728489] ? mark_held_locks+0xf0/0xf0
[ 34.732529] ? unwind_next_frame+0xeee/0x1400
[ 34.737009] ? __lock_acquire+0x6de/0x3ff0
[ 34.741230] ? get_reg+0x1f0/0x1f0
[ 34.744746] ? is_bpf_text_address+0xd5/0x1b0
[ 34.749224] ? __lock_acquire+0x6de/0x3ff0
[ 34.753440] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 34.759301] ? deref_stack_reg+0x1d0/0x1d0
[ 34.763515] ? __lock_acquire+0x6de/0x3ff0
[ 34.767734] ? __lock_acquire+0x6de/0x3ff0
[ 34.771954] ? mark_held_locks+0xf0/0xf0
[ 34.776002] ? get_reg+0x1f0/0x1f0
[ 34.779521] ? unwind_next_frame+0xeee/0x1400
[ 34.784004] ? mutex_trylock+0x1a0/0x1a0
[ 34.788045] ? rtnl_getlink+0x620/0x620
[ 34.791994] rtnetlink_rcv_msg+0x453/0xb80
[ 34.796210] ? rtnl_calcit.isra.0+0x430/0x430
[ 34.800681] ? __netlink_lookup+0x3fc/0x730
[ 34.804980] ? lock_downgrade+0x720/0x720
[ 34.809108] ? check_preemption_disabled+0x41/0x280
[ 34.814103] netlink_rcv_skb+0x160/0x440
[ 34.818146] ? rtnl_calcit.isra.0+0x430/0x430
[ 34.822628] ? netlink_ack+0xae0/0xae0
[ 34.826496] netlink_unicast+0x4d5/0x690
[ 34.830538] ? netlink_sendskb+0x110/0x110
[ 34.834751] ? _copy_from_iter_full+0x229/0x7c0
[ 34.839397] ? __phys_addr_symbol+0x2c/0x70
[ 34.843697] ? __check_object_size+0x17b/0x3e0
[ 34.848256] netlink_sendmsg+0x6c3/0xc50
[ 34.852296] ? aa_af_perm+0x230/0x230
[ 34.856072] ? nlmsg_notify+0x1f0/0x1f0
[ 34.860028] ? kernel_recvmsg+0x220/0x220
[ 34.864162] ? nlmsg_notify+0x1f0/0x1f0
[ 34.868118] sock_sendmsg+0xc3/0x120
[ 34.871827] ___sys_sendmsg+0x7bb/0x8e0
[ 34.875778] ? copy_msghdr_from_user+0x440/0x440
[ 34.880509] ? do_wp_page+0x2dc/0x2210
[ 34.884384] ? finish_mkwrite_fault+0x640/0x640
[ 34.889028] ? __handle_mm_fault+0x15f6/0x41c0
[ 34.893678] ? mark_held_locks+0xf0/0xf0
[ 34.897716] ? __handle_mm_fault+0xf34/0x41c0
[ 34.902206] ? errseq_sample+0x56/0x70
[ 34.906074] ? vm_insert_page+0x9c0/0x9c0
[ 34.910218] ? __do_page_fault+0x6d1/0xd60
[ 34.914453] ? __fdget+0x1a0/0x230
[ 34.917981] __x64_sys_sendmsg+0x132/0x220
[ 34.922199] ? __sys_sendmsg+0x1b0/0x1b0
[ 34.926251] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.931598] ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.936592] ? do_syscall_64+0x21/0x620
[ 34.940544] do_syscall_64+0xf9/0x620
[ 34.944325] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.949505] RIP: 0033:0x7fbf7b199f59
[ 34.953217] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 34.972095] RSP: 002b:00007fff9a2e55f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 34.979782] RAX: ffffffffffffffda RBX: 0000000000008496 RCX: 00007fbf7b199f59
[ 34.987041] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
[ 34.994292] RBP: 0000000000000000 R08: 00007fff9a2e5798 R09: 00007fff9a2e5798
[ 35.001539] R10: 00007fff9a2e5798 R11: 0000000000000246 R12: 00007fff9a2e560c
[ 35.008787] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 35.016214] Kernel Offset: disabled
[ 35.019826] Rebooting in 86400 seconds..