[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.26' (ECDSA) to the list of known hosts.

syzkaller login: [ 59.884079][ T6808] IPVS: ftp: loaded support on port[0] = 21
[ 59.887361][ T6807] IPVS: ftp: loaded support on port[0] = 21
[ 59.895087][ T6810] IPVS: ftp: loaded support on port[0] = 21
[ 59.905533][ T6802] IPVS: ftp: loaded support on port[0] = 21
[ 59.917742][ T6809] IPVS: ftp: loaded support on port[0] = 21
[ 59.924370][ T6805] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 60.038939][ T6861] netlink: 'syz-executor989': attribute type 3 has an invalid length.
[ 60.047914][ T6861] netlink: 'syz-executor989': attribute type 8 has an invalid length.
[ 60.061626][ T6861] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.076374][ T6900] netlink: 'syz-executor989': attribute type 3 has an invalid length.
executing program
executing program
executing program
[ 60.088685][ T6900] netlink: 'syz-executor989': attribute type 8 has an invalid length.
[ 60.102363][ T6900] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.124545][ T6919] netlink: 'syz-executor989': attribute type 3 has an invalid length.
executing program
executing program
executing program
[ 60.137342][ T6930] netlink: 'syz-executor989': attribute type 3 has an invalid length.
[ 60.137473][ T6937] netlink: 'syz-executor989': attribute type 3 has an invalid length.
[ 60.147546][ T6933] netlink: 'syz-executor989': attribute type 3 has an invalid length.
[ 60.160188][ T6934] netlink: 'syz-executor989': attribute type 3 has an invalid length.
[ 60.166845][ T6938] netlink: 'syz-executor989': attribute type 3 has an invalid length.
[ 60.171471][ T6934] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
executing program
[ 60.178531][ T6919] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.190136][ T6937] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.198905][ T6938] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.217504][ T6939] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.220695][ T6930] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
executing program
executing program
executing program
[ 60.228443][ T6933] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.241625][ T6940] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor989'.
[ 60.253658][ T6933] ==================================================================
[ 60.264422][ T6933] BUG: KASAN: vmalloc-out-of-bounds in nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.272909][ T6933] Read of size 4 at addr ffffc900021c3018 by task syz-executor989/6933
[ 60.281116][ T6933]
[ 60.283426][ T6933] CPU: 0 PID: 6933 Comm: syz-executor989 Not tainted 5.8.0-rc1-syzkaller #0
[ 60.292084][ T6933] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.302119][ T6933] Call Trace:
[ 60.305389][ T6933] dump_stack+0x18f/0x20d
[ 60.309698][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.315221][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.320866][ T6933] print_address_description.constprop.0.cold+0x5/0x436
[ 60.327788][ T6933] ? check_preemption_disabled+0x38/0x220
[ 60.333509][ T6933] ? vprintk_func+0x97/0x1a6
[ 60.338082][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.343609][ T6933] kasan_report.cold+0x1f/0x37
[ 60.348353][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.353874][ T6933] nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.359229][ T6933] ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 60.365183][ T6933] ? __kmalloc_node_track_caller+0x38/0x60
[ 60.370967][ T6933] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 60.377712][ T6933] ? __phys_addr+0x9a/0x110
[ 60.382216][ T6933] ? memset+0x20/0x40
[ 60.386192][ T6933] genl_lock_dumpit+0x7f/0xb0
executing program
[ 60.390855][ T6933] netlink_dump+0x4cd/0xf60
[ 60.395341][ T6933] ? netlink_insert+0x1670/0x1670
[ 60.400341][ T6933] ? __mutex_unlock_slowpath+0xe2/0x610
[ 60.408486][ T6933] ? genl_start+0x45a/0x6e0
[ 60.413006][ T6933] __netlink_dump_start+0x643/0x900
[ 60.418200][ T6933] ? genl_rcv_msg+0x9e0/0x9e0
[ 60.422862][ T6933] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 60.429604][ T6933] genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 60.435319][ T6933] ? genl_rcv+0x40/0x40
[ 60.439464][ T6933] ? mutex_lock_io_nested+0xf60/0xf60
[ 60.444815][ T6933] ? mark_lock+0xbc/0x1710
[ 60.449211][ T6933] ? genl_rcv_msg+0x9e0/0x9e0
[ 60.453915][ T6933] ? genl_unlock+0x20/0x20
[ 60.458311][ T6933] ? genl_parallel_done+0x170/0x170
[ 60.463500][ T6933] ? __radix_tree_lookup+0x1f3/0x290
[ 60.468804][ T6933] genl_rcv_msg+0x797/0x9e0
[ 60.473311][ T6933] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 60.480236][ T6933] ? lock_acquire+0x1f1/0xad0
[ 60.484888][ T6933] ? genl_rcv+0x15/0x40
[ 60.489033][ T6933] ? lock_release+0x8d0/0x8d0
[ 60.493702][ T6933] netlink_rcv_skb+0x15a/0x430
[ 60.498480][ T6933] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 60.505410][ T6933] ? netlink_ack+0xa10/0xa10
[ 60.509991][ T6933] genl_rcv+0x24/0x40
[ 60.513953][ T6933] netlink_unicast+0x533/0x7d0
[ 60.518697][ T6933] ? netlink_attachskb+0x810/0x810
[ 60.523794][ T6933] ? _copy_from_iter_full+0x247/0x890
[ 60.529152][ T6933] ? __phys_addr_symbol+0x2c/0x70
[ 60.534209][ T6933] ? __check_object_size+0x171/0x3e4
[ 60.539517][ T6933] netlink_sendmsg+0x856/0xd90
[ 60.544263][ T6933] ? netlink_unicast+0x7d0/0x7d0
[ 60.549200][ T6933] ? netlink_unicast+0x7d0/0x7d0
[ 60.554124][ T6933] sock_sendmsg+0xcf/0x120
[ 60.558521][ T6933] ____sys_sendmsg+0x6e8/0x810
[ 60.563262][ T6933] ? kernel_sendmsg+0x50/0x50
[ 60.567913][ T6933] ? do_recvmmsg+0x6d0/0x6d0
[ 60.572488][ T6933] ? release_pages+0x641/0x17a0
[ 60.577336][ T6933] ___sys_sendmsg+0xf3/0x170
[ 60.581905][ T6933] ? sendmsg_copy_msghdr+0x160/0x160
[ 60.587172][ T6933] ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 60.595387][ T6933] ? check_preemption_disabled+0x38/0x220
[ 60.601099][ T6933] ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 60.607077][ T6933] ? handle_mm_fault+0xad9/0x4420
[ 60.612083][ T6933] ? __fget_light+0x215/0x280
[ 60.616743][ T6933] __sys_sendmsg+0xe5/0x1b0
[ 60.621252][ T6933] ? __sys_sendmsg_sock+0xb0/0xb0
[ 60.626254][ T6933] ? check_preemption_disabled+0x38/0x220
[ 60.631958][ T6933] ? do_syscall_64+0x1c/0xe0
[ 60.636697][ T6933] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 60.642654][ T6933] do_syscall_64+0x60/0xe0
[ 60.647055][ T6933] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.652932][ T6933] RIP: 0033:0x441409
[ 60.656799][ T6933] Code: Bad RIP value.
[ 60.660840][ T6933] RSP: 002b:00007ffd962e3de8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 60.669244][ T6933] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 60.677219][ T6933] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 60.685174][ T6933] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 60.693213][ T6933] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 60.701164][ T6933] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 60.709137][ T6933]
[ 60.711441][ T6933]
[ 60.713743][ T6933] Memory state around the buggy address:
[ 60.719357][ T6933] ffffc900021c2f00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 60.727429][ T6933] ffffc900021c2f80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 60.735484][ T6933] >ffffc900021c3000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 60.743530][ T6933] ^
[ 60.748368][ T6933] ffffc900021c3080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 60.756406][ T6933] ffffc900021c3100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 60.764456][ T6933] ==================================================================
[ 60.772506][ T6933] Disabling lock debugging due to kernel taint
[ 60.779061][ T6933] Kernel panic - not syncing: panic_on_warn set ...
[ 60.785650][ T6933] CPU: 0 PID: 6933 Comm: syz-executor989 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 60.795700][ T6933] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.805743][ T6933] Call Trace:
[ 60.809023][ T6933] dump_stack+0x18f/0x20d
[ 60.813337][ T6933] ? nl802154_dump_wpan_phy+0x8e0/0x9c0
[ 60.818876][ T6933] panic+0x2e3/0x75c
[ 60.822764][ T6933] ? __warn_printk+0xf3/0xf3
[ 60.827330][ T6933] ? preempt_schedule_common+0x59/0xc0
[ 60.832762][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.838372][ T6933] ? preempt_schedule_thunk+0x16/0x18
[ 60.843717][ T6933] ? trace_hardirqs_on+0x55/0x220
[ 60.848724][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.854265][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.859787][ T6933] end_report+0x4d/0x53
[ 60.863915][ T6933] kasan_report.cold+0xd/0x37
[ 60.868566][ T6933] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.874080][ T6933] nl802154_dump_wpan_phy+0x98e/0x9c0
[ 60.879428][ T6933] ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 60.885382][ T6933] ? __kmalloc_node_track_caller+0x38/0x60
[ 60.891162][ T6933] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 60.897895][ T6933] ? __phys_addr+0x9a/0x110
[ 60.902371][ T6933] ? memset+0x20/0x40
[ 60.906329][ T6933] genl_lock_dumpit+0x7f/0xb0
[ 60.910991][ T6933] netlink_dump+0x4cd/0xf60
[ 60.915474][ T6933] ? netlink_insert+0x1670/0x1670
[ 60.920480][ T6933] ? __mutex_unlock_slowpath+0xe2/0x610
[ 60.926018][ T6933] ? genl_start+0x45a/0x6e0
[ 60.930508][ T6933] __netlink_dump_start+0x643/0x900
[ 60.935693][ T6933] ? genl_rcv_msg+0x9e0/0x9e0
[ 60.940357][ T6933] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 60.947110][ T6933] genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 60.952818][ T6933] ? genl_rcv+0x40/0x40
[ 60.956952][ T6933] ? mutex_lock_io_nested+0xf60/0xf60
[ 60.962305][ T6933] ? mark_lock+0xbc/0x1710
[ 60.966716][ T6933] ? genl_rcv_msg+0x9e0/0x9e0
[ 60.971374][ T6933] ? genl_unlock+0x20/0x20
[ 60.975765][ T6933] ? genl_parallel_done+0x170/0x170
[ 60.980938][ T6933] ? __radix_tree_lookup+0x1f3/0x290
[ 60.986226][ T6933] genl_rcv_msg+0x797/0x9e0
[ 60.990714][ T6933] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 60.997621][ T6933] ? lock_acquire+0x1f1/0xad0
[ 61.002272][ T6933] ? genl_rcv+0x15/0x40
[ 61.006404][ T6933] ? lock_release+0x8d0/0x8d0
[ 61.011055][ T6933] netlink_rcv_skb+0x15a/0x430
[ 61.015803][ T6933] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 61.022721][ T6933] ? netlink_ack+0xa10/0xa10
[ 61.027300][ T6933] genl_rcv+0x24/0x40
[ 61.031257][ T6933] netlink_unicast+0x533/0x7d0
[ 61.035996][ T6933] ? netlink_attachskb+0x810/0x810
[ 61.041093][ T6933] ? _copy_from_iter_full+0x247/0x890
[ 61.046471][ T6933] ? __phys_addr_symbol+0x2c/0x70
[ 61.051504][ T6933] ? __check_object_size+0x171/0x3e4
[ 61.056770][ T6933] netlink_sendmsg+0x856/0xd90
[ 61.061523][ T6933] ? netlink_unicast+0x7d0/0x7d0
[ 61.066471][ T6933] ? netlink_unicast+0x7d0/0x7d0
[ 61.071384][ T6933] sock_sendmsg+0xcf/0x120
[ 61.075775][ T6933] ____sys_sendmsg+0x6e8/0x810
[ 61.080646][ T6933] ? kernel_sendmsg+0x50/0x50
[ 61.085293][ T6933] ? do_recvmmsg+0x6d0/0x6d0
[ 61.089863][ T6933] ? release_pages+0x641/0x17a0
[ 61.094701][ T6933] ___sys_sendmsg+0xf3/0x170
[ 61.099266][ T6933] ? sendmsg_copy_msghdr+0x160/0x160
[ 61.104564][ T6933] ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 61.110605][ T6933] ? check_preemption_disabled+0x38/0x220
[ 61.116302][ T6933] ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 61.122258][ T6933] ? handle_mm_fault+0xad9/0x4420
[ 61.127266][ T6933] ? __fget_light+0x215/0x280
[ 61.131923][ T6933] __sys_sendmsg+0xe5/0x1b0
[ 61.136439][ T6933] ? __sys_sendmsg_sock+0xb0/0xb0
[ 61.141444][ T6933] ? check_preemption_disabled+0x38/0x220
[ 61.147143][ T6933] ? do_syscall_64+0x1c/0xe0
[ 61.151706][ T6933] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.157660][ T6933] do_syscall_64+0x60/0xe0
[ 61.162056][ T6933] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.167932][ T6933] RIP: 0033:0x441409
[ 61.171810][ T6933] Code: Bad RIP value.
[ 61.175845][ T6933] RSP: 002b:00007ffd962e3de8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 61.184228][ T6933] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 61.192190][ T6933] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 61.200145][ T6933] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 61.208135][ T6933] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 61.216104][ T6933] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 61.225219][ T6933] Kernel Offset: disabled
[ 61.229536][ T6933] Rebooting in 86400 seconds..