[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.53' (ECDSA) to the list of known hosts.

syzkaller login: [ 66.347918][ T6839] IPVS: ftp: loaded support on port[0] = 21
[ 66.348764][ T6840] IPVS: ftp: loaded support on port[0] = 21
[ 66.359273][ T6838] IPVS: ftp: loaded support on port[0] = 21
[ 66.364855][ T6837] IPVS: ftp: loaded support on port[0] = 21
[ 66.376156][ T6841] IPVS: ftp: loaded support on port[0] = 21
[ 66.386617][ T6842] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
[ 66.632554][ T6950] netlink: 'syz-executor553': attribute type 3 has an invalid length.
[ 66.644177][ T6957] netlink: 'syz-executor553': attribute type 3 has an invalid length.
[ 66.655208][ T6965] netlink: 'syz-executor553': attribute type 3 has an invalid length.
[ 66.664047][ T6962] netlink: 'syz-executor553': attribute type 3 has an invalid length.
[ 66.669590][ T6969] netlink: 'syz-executor553': attribute type 3 has an invalid length.
[ 66.673402][ T6966] netlink: 'syz-executor553': attribute type 3 has an invalid length.
[ 66.681820][ T6965] netlink: 'syz-executor553': attribute type 8 has an invalid length.
[ 66.689612][ T6950] netlink: 'syz-executor553': attribute type 8 has an invalid length.
[ 66.698985][ T6969] netlink: 'syz-executor553': attribute type 8 has an invalid length.
[ 66.712853][ T6957] netlink: 'syz-executor553': attribute type 8 has an invalid length.
[ 66.716333][ T6965] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.725634][ T6966] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.734653][ T6969] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.745562][ T6957] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.755816][ T6962] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 66.765815][ T6950] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.791539][ T6970] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.801687][ T6972] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.805782][ T6971] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
[ 66.821194][ T6973] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor553'.
executing program
executing program
[ 66.840168][ T6972] ==================================================================
[ 66.848505][ T6972] BUG: KASAN: vmalloc-out-of-bounds in nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.857556][ T6972] Read of size 4 at addr ffffc900020c5018 by task syz-executor553/6972
[ 66.865814][ T6972]
[ 66.868425][ T6972] CPU: 0 PID: 6972 Comm: syz-executor553 Not tainted 5.8.0-rc1-syzkaller #0
[ 66.877467][ T6972] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.889095][ T6972] Call Trace:
[ 66.892407][ T6972]  dump_stack+0x18f/0x20d
[ 66.896738][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.902470][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.908487][ T6972]  print_address_description.constprop.0.cold+0x5/0x436
[ 66.915439][ T6972]  ? check_preemption_disabled+0x38/0x220
[ 66.921171][ T6972]  ? vprintk_func+0x97/0x1a6
[ 66.925784][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.931335][ T6972]  kasan_report.cold+0x1f/0x37
[ 66.936399][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.942657][ T6972]  nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.948273][ T6972]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 66.954254][ T6972]  ? __kmalloc_node_track_caller+0x38/0x60
[ 66.960063][ T6972]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 66.968476][ T6972]  ? __phys_addr+0x9a/0x110
[ 66.973003][ T6972]  ? memset+0x20/0x40
[ 66.977668][ T6972]  genl_lock_dumpit+0x7f/0xb0
[ 66.982538][ T6972]  netlink_dump+0x4cd/0xf60
[ 66.987271][ T6972]  ? netlink_insert+0x1670/0x1670
[ 66.992511][ T6972]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 66.998177][ T6972]  ? genl_start+0x45a/0x6e0
[ 67.002895][ T6972]  __netlink_dump_start+0x643/0x900
[ 67.008231][ T6972]  ? genl_rcv_msg+0x9e0/0x9e0
[ 67.013031][ T6972]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 67.020263][ T6972]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 67.026175][ T6972]  ? genl_rcv+0x40/0x40
[ 67.030608][ T6972]  ? mutex_lock_io_nested+0xf60/0xf60
[ 67.035983][ T6972]  ? mark_lock+0xbc/0x1710
[ 67.040593][ T6972]  ? genl_rcv_msg+0x9e0/0x9e0
[ 67.045377][ T6972]  ? genl_unlock+0x20/0x20
[ 67.049784][ T6972]  ? genl_parallel_done+0x170/0x170
[ 67.055173][ T6972]  ? __radix_tree_lookup+0x1f3/0x290
[ 67.060481][ T6972]  genl_rcv_msg+0x797/0x9e0
[ 67.065348][ T6972]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 67.072987][ T6972]  ? lock_acquire+0x1f1/0xad0
[ 67.078700][ T6972]  ? genl_rcv+0x15/0x40
[ 67.082931][ T6972]  ? lock_release+0x8d0/0x8d0
[ 67.088051][ T6972]  netlink_rcv_skb+0x15a/0x430
[ 67.093321][ T6972]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 67.100355][ T6972]  ? netlink_ack+0xa10/0xa10
[ 67.105016][ T6972]  genl_rcv+0x24/0x40
[ 67.109441][ T6972]  netlink_unicast+0x533/0x7d0
[ 67.114259][ T6972]  ? netlink_attachskb+0x810/0x810
[ 67.119367][ T6972]  ? _copy_from_iter_full+0x247/0x890
[ 67.129329][ T6972]  ? __phys_addr_symbol+0x2c/0x70
[ 67.134720][ T6972]  ? __check_object_size+0x171/0x3e4
[ 67.140108][ T6972]  netlink_sendmsg+0x856/0xd90
[ 67.144898][ T6972]  ? netlink_unicast+0x7d0/0x7d0
[ 67.150211][ T6972]  ? netlink_unicast+0x7d0/0x7d0
[ 67.155162][ T6972]  sock_sendmsg+0xcf/0x120
[ 67.159609][ T6972]  ____sys_sendmsg+0x6e8/0x810
[ 67.164388][ T6972]  ? kernel_sendmsg+0x50/0x50
[ 67.169205][ T6972]  ? do_recvmmsg+0x6d0/0x6d0
[ 67.173822][ T6972]  ? release_pages+0x641/0x17a0
[ 67.178816][ T6972]  ___sys_sendmsg+0xf3/0x170
[ 67.183508][ T6972]  ? sendmsg_copy_msghdr+0x160/0x160
[ 67.188811][ T6972]  ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 67.196493][ T6972]  ? check_preemption_disabled+0x38/0x220
[ 67.202943][ T6972]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 67.208946][ T6972]  ? handle_mm_fault+0xad9/0x4420
[ 67.213994][ T6972]  ? __fget_light+0x215/0x280
[ 67.218689][ T6972]  __sys_sendmsg+0xe5/0x1b0
[ 67.223201][ T6972]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 67.229202][ T6972]  ? check_preemption_disabled+0x38/0x220
[ 67.235012][ T6972]  ? do_syscall_64+0x1c/0xe0
[ 67.239711][ T6972]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 67.246230][ T6972]  do_syscall_64+0x60/0xe0
[ 67.250652][ T6972]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.257182][ T6972] RIP: 0033:0x441409
[ 67.261080][ T6972] Code: Bad RIP value.
[ 67.265155][ T6972] RSP: 002b:00007ffff258c788 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 67.273773][ T6972] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 67.281758][ T6972] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 67.289730][ T6972] RBP: 0000000000010458 R08: 0000000100000000 R09: 0000000100000000
[ 67.297698][ T6972] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 67.305761][ T6972] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 67.313999][ T6972]
[ 67.316498][ T6972]
[ 67.318829][ T6972] Memory state around the buggy address:
[ 67.324560][ T6972]  ffffc900020c4f00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 67.332621][ T6972]  ffffc900020c4f80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 67.340697][ T6972] >ffffc900020c5000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 67.348846][ T6972]                             ^
[ 67.353698][ T6972]  ffffc900020c5080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 67.361835][ T6972]  ffffc900020c5100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 67.373188][ T6972] ==================================================================
[ 67.385982][ T6972] Disabling lock debugging due to kernel taint
[ 67.397074][ T6972] Kernel panic - not syncing: panic_on_warn set ...
[ 67.403871][ T6972] CPU: 0 PID: 6972 Comm: syz-executor553 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 67.416633][ T6972] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.428408][ T6972] Call Trace:
[ 67.431721][ T6972]  dump_stack+0x18f/0x20d
[ 67.436070][ T6972]  ? nl802154_dump_wpan_phy+0x8f0/0x9c0
[ 67.441638][ T6972]  panic+0x2e3/0x75c
[ 67.445666][ T6972]  ? __warn_printk+0xf3/0xf3
[ 67.450252][ T6972]  ? preempt_schedule_common+0x59/0xc0
[ 67.456136][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 67.463418][ T6972]  ? preempt_schedule_thunk+0x16/0x18
[ 67.468886][ T6972]  ? trace_hardirqs_on+0x55/0x220
[ 67.473902][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 67.479683][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 67.485579][ T6972]  end_report+0x4d/0x53
[ 67.489741][ T6972]  kasan_report.cold+0xd/0x37
[ 67.494520][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 67.500777][ T6972]  nl802154_dump_wpan_phy+0x98e/0x9c0
[ 67.506633][ T6972]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 67.512724][ T6972]  ? __kmalloc_node_track_caller+0x38/0x60
[ 67.518775][ T6972]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 67.525542][ T6972]  ? __phys_addr+0x9a/0x110
[ 67.530944][ T6972]  ? memset+0x20/0x40
[ 67.535061][ T6972]  genl_lock_dumpit+0x7f/0xb0
[ 67.539735][ T6972]  netlink_dump+0x4cd/0xf60
[ 67.544439][ T6972]  ? netlink_insert+0x1670/0x1670
[ 67.549542][ T6972]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 67.555081][ T6972]  ? genl_start+0x45a/0x6e0
[ 67.559569][ T6972]  __netlink_dump_start+0x643/0x900
[ 67.564891][ T6972]  ? genl_rcv_msg+0x9e0/0x9e0
[ 67.569583][ T6972]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 67.576369][ T6972]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 67.582186][ T6972]  ? genl_rcv+0x40/0x40
[ 67.586332][ T6972]  ? mutex_lock_io_nested+0xf60/0xf60
[ 67.591947][ T6972]  ? mark_lock+0xbc/0x1710
[ 67.596361][ T6972]  ? genl_rcv_msg+0x9e0/0x9e0
[ 67.601156][ T6972]  ? genl_unlock+0x20/0x20
[ 67.605660][ T6972]  ? genl_parallel_done+0x170/0x170
[ 67.611045][ T6972]  ? __radix_tree_lookup+0x1f3/0x290
[ 67.616421][ T6972]  genl_rcv_msg+0x797/0x9e0
[ 67.622173][ T6972]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 67.629362][ T6972]  ? lock_acquire+0x1f1/0xad0
[ 67.634677][ T6972]  ? genl_rcv+0x15/0x40
[ 67.638951][ T6972]  ? lock_release+0x8d0/0x8d0
[ 67.643629][ T6972]  netlink_rcv_skb+0x15a/0x430
[ 67.648399][ T6972]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 67.655360][ T6972]  ? netlink_ack+0xa10/0xa10
[ 67.661936][ T6972]  genl_rcv+0x24/0x40
[ 67.666039][ T6972]  netlink_unicast+0x533/0x7d0
[ 67.670807][ T6972]  ? netlink_attachskb+0x810/0x810
[ 67.676273][ T6972]  ? _copy_from_iter_full+0x247/0x890
[ 67.682294][ T6972]  ? __phys_addr_symbol+0x2c/0x70
[ 67.688044][ T6972]  ? __check_object_size+0x171/0x3e4
[ 67.693329][ T6972]  netlink_sendmsg+0x856/0xd90
[ 67.698295][ T6972]  ? netlink_unicast+0x7d0/0x7d0
[ 67.704453][ T6972]  ? netlink_unicast+0x7d0/0x7d0
[ 67.709768][ T6972]  sock_sendmsg+0xcf/0x120
[ 67.714186][ T6972]  ____sys_sendmsg+0x6e8/0x810
[ 67.719490][ T6972]  ? kernel_sendmsg+0x50/0x50
[ 67.724362][ T6972]  ? do_recvmmsg+0x6d0/0x6d0
[ 67.729498][ T6972]  ? release_pages+0x641/0x17a0
[ 67.734473][ T6972]  ___sys_sendmsg+0xf3/0x170
[ 67.739153][ T6972]  ? sendmsg_copy_msghdr+0x160/0x160
[ 67.744730][ T6972]  ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 67.750894][ T6972]  ? check_preemption_disabled+0x38/0x220
[ 67.756928][ T6972]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 67.763133][ T6972]  ? handle_mm_fault+0xad9/0x4420
[ 67.768156][ T6972]  ? __fget_light+0x215/0x280
[ 67.772841][ T6972]  __sys_sendmsg+0xe5/0x1b0
[ 67.777595][ T6972]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 67.782974][ T6972]  ? check_preemption_disabled+0x38/0x220
[ 67.788797][ T6972]  ? do_syscall_64+0x1c/0xe0
[ 67.793716][ T6972]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 67.799759][ T6972]  do_syscall_64+0x60/0xe0
[ 67.804466][ T6972]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.810875][ T6972] RIP: 0033:0x441409
[ 67.814787][ T6972] Code: Bad RIP value.
[ 67.818838][ T6972] RSP: 002b:00007ffff258c788 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 67.829066][ T6972] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 67.841026][ T6972] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 67.849102][ T6972] RBP: 0000000000010458 R08: 0000000100000000 R09: 0000000100000000
[ 67.857250][ T6972] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 67.865246][ T6972] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 67.875129][ T6972] Kernel Offset: disabled
[ 67.879485][ T6972] Rebooting in 86400 seconds..
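The console log above is raw syzkaller output with no annotation. Added here as a triage aid (it is not part of the syzkaller output or of any kernel tooling), the following Python script pulls out what a kernel security engineer checks first when such a report lands: the KASAN bug class and faulting function from the `BUG:` header, the access kind, size, address and task, the kernel build, the verified call-trace frames (those without a leading `?`, which marks stack slots the unwinder could not validate), the syscall number from `ORIG_RAX`, and the shadow byte covering the faulting address, taken from the `>` row of the memory-state dump. Assumptions not on the page: the shadow-byte meanings come from mm/kasan/kasan.h as of v5.8 (later kernels renumber some of the 0xF* values), the syscall table is a partial x86_64 excerpt, and the vmalloc range is the default 4-level x86_64 layout (CONFIG_RANDOMIZE_MEMORY can relocate it). The sample input is an excerpt copied from the report above with most frames omitted.

```python
import re

# Excerpt copied from the console log above (most call-trace frames omitted);
# it is the parser's sample input, not new data.
SAMPLE = """\
[ 66.848505][ T6972] BUG: KASAN: vmalloc-out-of-bounds in nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.857556][ T6972] Read of size 4 at addr ffffc900020c5018 by task syz-executor553/6972
[ 66.868425][ T6972] CPU: 0 PID: 6972 Comm: syz-executor553 Not tainted 5.8.0-rc1-syzkaller #0
[ 66.889095][ T6972] Call Trace:
[ 66.892407][ T6972]  dump_stack+0x18f/0x20d
[ 66.896738][ T6972]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.931335][ T6972]  kasan_report.cold+0x1f/0x37
[ 66.942657][ T6972]  nl802154_dump_wpan_phy+0x98e/0x9c0
[ 66.977668][ T6972]  genl_lock_dumpit+0x7f/0xb0
[ 66.982538][ T6972]  netlink_dump+0x4cd/0xf60
[ 67.250652][ T6972]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.257182][ T6972] RIP: 0033:0x441409
[ 67.265155][ T6972] RSP: 002b:00007ffff258c788 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 67.318829][ T6972] Memory state around the buggy address:
[ 67.340697][ T6972] >ffffc900020c5000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")   # "[ 66.8][ T6972] " dmesg prefix
BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
CPU = re.compile(r"CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted:.*?)\s+(\d\S*)")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ORIG_RAX = re.compile(r"ORIG_RAX: ([0-9a-f]+)")
SHADOW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2}\s*)+)$")

# Shadow-byte meanings per mm/kasan/kasan.h as of v5.8 (assumption: later kernels
# renumber some 0xF* values). Values 1..7 mean only the first N bytes of the
# 8-byte granule are addressable.
SHADOW_MEANING = {
    0x00: "addressable", 0xff: "freed page", 0xfe: "kmalloc_large redzone",
    0xfc: "slab object redzone", 0xfb: "freed slab object", 0xfa: "global redzone",
    0xf9: "unallocated vmalloc space", 0xf1: "stack left redzone",
    0xf2: "stack mid redzone", 0xf3: "stack right redzone", 0xf4: "stack partial redzone",
}
# Partial x86_64 syscall table (arch/x86/entry/syscalls/syscall_64.tbl).
SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close",
            44: "sendto", 45: "recvfrom", 46: "sendmsg", 47: "recvmsg"}
# Default 4-level x86_64 vmalloc/ioremap window (assumption: not relocated by KASLR).
VMALLOC_RANGE = (0xffffc90000000000, 0xffffe8ffffffffff)


def parse_kasan_report(text):
    """Pull the triage fields out of the first KASAN report in a console log."""
    lines = [PREFIX.sub("", ln).strip() for ln in text.splitlines()]
    body = "\n".join(lines)
    m = BUG.search(body)
    if not m:
        raise ValueError("no KASAN report in input")
    rep = {"bug_type": m.group(1), "function": m.group(2), "frames": []}
    if (m := ACCESS.search(body)):
        rep.update(access=m.group(1).lower(), size=int(m.group(2)),
                   addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
    if (m := CPU.search(body)):
        rep["kernel"] = m.group(1)
    if (m := ORIG_RAX.search(body)):
        nr = int(m.group(1), 16)
        rep["syscall"] = SYSCALLS.get(nr, f"nr {nr}")
    in_trace = False
    for ln in lines:                       # verified frames only, up to the RIP line
        if ln == "Call Trace:":
            in_trace = True
        elif in_trace:
            fm = FRAME.match(ln)
            if not fm:
                break
            if fm.group(1) is None:
                rep["frames"].append(fm.group(2))
    for ln in lines:                       # shadow byte for the faulting granule
        sm = SHADOW.match(ln)
        if sm and "addr" in rep:
            row = int(sm.group(1), 16)
            vals = [int(b, 16) for b in sm.group(2).split()]
            idx = (rep["addr"] - row) // 8   # one shadow byte per 8 bytes of memory
            if 0 <= idx < len(vals):
                rep["shadow"] = vals[idx]
                rep["shadow_meaning"] = SHADOW_MEANING.get(vals[idx], "partial/unknown")
    lo, hi = VMALLOC_RANGE
    rep["in_vmalloc_range"] = lo <= rep.get("addr", 0) <= hi
    return rep


def culprit(rep):
    """First verified frame below the KASAN reporting machinery."""
    fr = rep["frames"]
    for i, f in enumerate(fr):
        if f.startswith("kasan_report"):
            return fr[i + 1] if i + 1 < len(fr) else None
    return fr[0] if fr else None


def summarize(rep):
    return (f"{rep['bug_type']}: {rep.get('access')} of {rep.get('size')} bytes at "
            f"{rep.get('addr', 0):#x} in {culprit(rep)} by {rep.get('task')}/{rep.get('pid')} "
            f"({rep.get('kernel')}) via {rep.get('syscall')}; shadow {rep.get('shadow', 0):#04x} "
            f"= {rep.get('shadow_meaning')}; in vmalloc range: {rep['in_vmalloc_range']}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

Run on the excerpt, this yields: a 4-byte read at 0xffffc900020c5018 in nl802154_dump_wpan_phy, issued by syz-executor553 through sendmsg(2) on a generic netlink socket while a dump was running (netlink_dump, genl_lock_dumpit), with shadow byte 0xf9 for the granule, i.e. vmalloc address space with no live allocation behind it, which is exactly what the `vmalloc-out-of-bounds` header encodes. Two caveats a reader of the full log should keep in mind: the second trace is only panic_on_warn turning the same report into a panic, not a second bug, and `RIP: 0033:0x441409` with `Code: Bad RIP value.` is the userspace return address (CS selector 0x33) that the kernel cannot disassemble, not a kernel fault site. Which pointer in nl802154_dump_wpan_phy went stale cannot be read off the log; that needs the source at this build.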