[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 54.958024][ T7031] netlink: 1996 bytes leftover after parsing attributes in process `syz-executor373'.
[ 54.967958][ T7031] sch_tbf: burst 549 is lower than device lo mtu (65550) !
[ 54.979016][ T7031] ==================================================================
[ 54.987304][ T7031] BUG: KASAN: slab-out-of-bounds in skb_gso_transport_seglen+0x344/0x360
[ 54.995716][ T7031] Read of size 2 at addr ffff8880a84ec25c by task syz-executor373/7031
[ 55.004154][ T7031]
[ 55.006476][ T7031] CPU: 0 PID: 7031 Comm: syz-executor373 Not tainted 5.7.0-rc1-syzkaller #0
[ 55.015148][ T7031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.025278][ T7031] Call Trace:
[ 55.028582][ T7031]  dump_stack+0x188/0x20d
[ 55.032917][ T7031]  print_address_description.constprop.0.cold+0xd3/0x315
[ 55.039940][ T7031]  ? skb_gso_transport_seglen+0x344/0x360
[ 55.045664][ T7031]  __kasan_report.cold+0x35/0x4d
[ 55.050636][ T7031]  ? skb_gso_transport_seglen+0x344/0x360
[ 55.056353][ T7031]  ? skb_gso_transport_seglen+0x344/0x360
[ 55.062123][ T7031]  kasan_report+0x33/0x50
[ 55.066453][ T7031]  skb_gso_transport_seglen+0x344/0x360
[ 55.071984][ T7031]  skb_gso_validate_mac_len+0x85/0x290
[ 55.077444][ T7031]  tbf_enqueue+0x1f2/0x990
[ 55.081853][ T7031]  ? rwlock_bug.part.0+0x90/0x90
[ 55.086800][ T7031]  ? rcu_read_lock_bh_held+0x5a/0xb0
[ 55.092090][ T7031]  ? rcu_read_lock_sched_held+0xd0/0xd0
[ 55.097633][ T7031]  __dev_queue_xmit+0x154a/0x30a0
[ 55.102666][ T7031]  ? netdev_core_pick_tx+0x2e0/0x2e0
[ 55.107939][ T7031]  ? copyin+0x10e/0x140
[ 55.112271][ T7031]  ? copy_page_from_iter+0x5de/0x840
[ 55.117561][ T7031]  ? packet_parse_headers.isra.0+0x117/0x470
[ 55.123564][ T7031]  ? __unregister_prot_hook+0x320/0x320
[ 55.129107][ T7031]  ? packet_sendmsg+0x23cc/0x5ce0
[ 55.134130][ T7031]  packet_sendmsg+0x23cc/0x5ce0
[ 55.138976][ T7031]  ? mark_held_locks+0xe0/0xe0
[ 55.143738][ T7031]  ? aa_label_sk_perm+0x89/0xe0
[ 55.148689][ T7031]  ? aa_sk_perm+0x319/0xab0
[ 55.153175][ T7031]  ? packet_notifier+0x860/0x860
[ 55.158111][ T7031]  ? aa_af_perm+0x260/0x260
[ 55.162598][ T7031]  ? packet_do_bind+0x452/0xc00
[ 55.167443][ T7031]  ? packet_notifier+0x860/0x860
[ 55.172361][ T7031]  sock_sendmsg+0xcf/0x120
[ 55.176771][ T7031]  __sys_sendto+0x220/0x330
[ 55.181297][ T7031]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 55.186650][ T7031]  ? packet_do_bind+0x452/0xc00
[ 55.191536][ T7031]  ? __sys_bind+0x13e/0x250
[ 55.196050][ T7031]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 55.201345][ T7031]  ? sock_create_kern+0x40/0x40
[ 55.206213][ T7031]  ? fpregs_mark_activate+0x320/0x320
[ 55.211695][ T7031]  __x64_sys_sendto+0xdd/0x1b0
[ 55.216476][ T7031]  ? lockdep_hardirqs_on+0x463/0x620
[ 55.221871][ T7031]  do_syscall_64+0xf6/0x7d0
[ 55.226391][ T7031]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 55.232285][ T7031] RIP: 0033:0x440419
[ 55.236185][ T7031] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.255803][ T7031] RSP: 002b:00007ffdc977f428 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 55.264229][ T7031] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440419
[ 55.272204][ T7031] RDX: 0000000000004e60 RSI: 0000000020000180 RDI: 0000000000000005
[ 55.280165][ T7031] RBP: 00000000006cb018 R08: 0000000000000000 R09: fffffffffffffe5d
[ 55.288237][ T7031] R10: 0000000000000810 R11: 0000000000000246 R12: 0000000000401ca0
[ 55.296199][ T7031] R13: 0000000000401d30 R14: 0000000000000000 R15: 0000000000000000
[ 55.304187][ T7031]
[ 55.306518][ T7031] Allocated by task 7031:
[ 55.310845][ T7031]  save_stack+0x1b/0x40
[ 55.315109][ T7031]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 55.320728][ T7031]  __kmalloc_reserve.isra.0+0x39/0xe0
[ 55.326200][ T7031]  __alloc_skb+0xef/0x5a0
[ 55.330681][ T7031]  alloc_skb_with_frags+0x92/0x560
[ 55.335773][ T7031]  sock_alloc_send_pskb+0x734/0x890
[ 55.341043][ T7031]  packet_sendmsg+0x1947/0x5ce0
[ 55.345887][ T7031]  sock_sendmsg+0xcf/0x120
[ 55.350333][ T7031]  __sys_sendto+0x220/0x330
[ 55.354837][ T7031]  __x64_sys_sendto+0xdd/0x1b0
[ 55.359588][ T7031]  do_syscall_64+0xf6/0x7d0
[ 55.364077][ T7031]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 55.369952][ T7031]
[ 55.372264][ T7031] Freed by task 17:
[ 55.376208][ T7031]  save_stack+0x1b/0x40
[ 55.380357][ T7031]  __kasan_slab_free+0xf7/0x140
[ 55.385249][ T7031]  kmem_cache_free_bulk+0x7d/0x280
[ 55.390379][ T7031]  kfree_rcu_work+0x1a1/0x480
[ 55.395045][ T7031]  process_one_work+0x965/0x16a0
[ 55.399975][ T7031]  worker_thread+0x96/0xe20
[ 55.404463][ T7031]  kthread+0x388/0x470
[ 55.408517][ T7031]  ret_from_fork+0x24/0x30
[ 55.412964][ T7031]
[ 55.415289][ T7031] The buggy address belongs to the object at ffff8880a84ec000
[ 55.415289][ T7031]  which belongs to the cache kmalloc-512 of size 512
[ 55.429424][ T7031] The buggy address is located 92 bytes to the right of
[ 55.429424][ T7031]  512-byte region [ffff8880a84ec000, ffff8880a84ec200)
[ 55.443160][ T7031] The buggy address belongs to the page:
[ 55.448909][ T7031] page:ffffea0002a13b00 refcount:1 mapcount:0 mapping:00000000d23c3060 index:0x0
[ 55.458028][ T7031] flags: 0xfffe0000000200(slab)
[ 55.462904][ T7031] raw: 00fffe0000000200 ffffea00027c4588 ffffea00029c0688 ffff8880aa000a80
[ 55.471479][ T7031] raw: 0000000000000000 ffff8880a84ec000 0000000100000004 0000000000000000
[ 55.480047][ T7031] page dumped because: kasan: bad access detected
[ 55.486442][ T7031]
[ 55.488747][ T7031] Memory state around the buggy address:
[ 55.494390][ T7031]  ffff8880a84ec100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.502513][ T7031]  ffff8880a84ec180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.510574][ T7031] >ffff8880a84ec200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.518614][ T7031]                                                  ^
[ 55.525533][ T7031]  ffff8880a84ec280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.533586][ T7031]  ffff8880a84ec300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.541680][ T7031] ==================================================================
[ 55.549731][ T7031] Disabling lock debugging due to kernel taint
[ 55.555926][ T7031] Kernel panic - not syncing: panic_on_warn set ...
[ 55.562665][ T7031] CPU: 0 PID: 7031 Comm: syz-executor373 Tainted: G    B             5.7.0-rc1-syzkaller #0
[ 55.572826][ T7031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.582880][ T7031] Call Trace:
[ 55.586174][ T7031]  dump_stack+0x188/0x20d
[ 55.590495][ T7031]  panic+0x2e3/0x75c
[ 55.594484][ T7031]  ? add_taint.cold+0x16/0x16
[ 55.599141][ T7031]  ? skb_gso_transport_seglen+0x344/0x360
[ 55.604837][ T7031]  ? trace_hardirqs_on+0x55/0x220
[ 55.609837][ T7031]  ? skb_gso_transport_seglen+0x344/0x360
[ 55.615532][ T7031]  end_report+0x4d/0x53
[ 55.619668][ T7031]  __kasan_report.cold+0xd/0x4d
[ 55.624526][ T7031]  ? skb_gso_transport_seglen+0x344/0x360
[ 55.630219][ T7031]  ? skb_gso_transport_seglen+0x344/0x360
[ 55.635938][ T7031]  kasan_report+0x33/0x50
[ 55.640255][ T7031]  skb_gso_transport_seglen+0x344/0x360
[ 55.645783][ T7031]  skb_gso_validate_mac_len+0x85/0x290
[ 55.651217][ T7031]  tbf_enqueue+0x1f2/0x990
[ 55.655624][ T7031]  ? rwlock_bug.part.0+0x90/0x90
[ 55.660561][ T7031]  ? rcu_read_lock_bh_held+0x5a/0xb0
[ 55.665901][ T7031]  ? rcu_read_lock_sched_held+0xd0/0xd0
[ 55.671475][ T7031]  __dev_queue_xmit+0x154a/0x30a0
[ 55.676488][ T7031]  ? netdev_core_pick_tx+0x2e0/0x2e0
[ 55.681763][ T7031]  ? copyin+0x10e/0x140
[ 55.685896][ T7031]  ? copy_page_from_iter+0x5de/0x840
[ 55.691185][ T7031]  ? packet_parse_headers.isra.0+0x117/0x470
[ 55.697150][ T7031]  ? __unregister_prot_hook+0x320/0x320
[ 55.702707][ T7031]  ? packet_sendmsg+0x23cc/0x5ce0
[ 55.707723][ T7031]  packet_sendmsg+0x23cc/0x5ce0
[ 55.712562][ T7031]  ? mark_held_locks+0xe0/0xe0
[ 55.717319][ T7031]  ? aa_label_sk_perm+0x89/0xe0
[ 55.722152][ T7031]  ? aa_sk_perm+0x319/0xab0
[ 55.726701][ T7031]  ? packet_notifier+0x860/0x860
[ 55.731643][ T7031]  ? aa_af_perm+0x260/0x260
[ 55.736162][ T7031]  ? packet_do_bind+0x452/0xc00
[ 55.740994][ T7031]  ? packet_notifier+0x860/0x860
[ 55.745913][ T7031]  sock_sendmsg+0xcf/0x120
[ 55.750308][ T7031]  __sys_sendto+0x220/0x330
[ 55.754786][ T7031]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 55.760135][ T7031]  ? packet_do_bind+0x452/0xc00
[ 55.764961][ T7031]  ? __sys_bind+0x13e/0x250
[ 55.769439][ T7031]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 55.774699][ T7031]  ? sock_create_kern+0x40/0x40
[ 55.779531][ T7031]  ? fpregs_mark_activate+0x320/0x320
[ 55.784899][ T7031]  __x64_sys_sendto+0xdd/0x1b0
[ 55.789693][ T7031]  ? lockdep_hardirqs_on+0x463/0x620
[ 55.795087][ T7031]  do_syscall_64+0xf6/0x7d0
[ 55.799582][ T7031]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 55.805548][ T7031] RIP: 0033:0x440419
[ 55.809424][ T7031] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.829011][ T7031] RSP: 002b:00007ffdc977f428 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 55.837406][ T7031] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440419
[ 55.845352][ T7031] RDX: 0000000000004e60 RSI: 0000000020000180 RDI: 0000000000000005
[ 55.853568][ T7031] RBP: 00000000006cb018 R08: 0000000000000000 R09: fffffffffffffe5d
[ 55.861522][ T7031] R10: 0000000000000810 R11: 0000000000000246 R12: 0000000000401ca0
[ 55.869475][ T7031] R13: 0000000000401d30 R14: 0000000000000000 R15: 0000000000000000
[ 55.879068][ T7031] Kernel Offset: disabled
[ 55.883403][ T7031] Rebooting in 86400 seconds..