[....] Starting enhanced syslogd: rsyslogd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[ 56.253736][ T25] audit: type=1800 audit(1570408562.247:25): pid=8513 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 56.291543][ T25] audit: type=1800 audit(1570408562.247:26): pid=8513 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 56.332962][ T25] audit: type=1800 audit(1570408562.257:27): pid=8513 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.1.10' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 67.659014][ T8670] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.671565][ T8670] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.682190][ T8675] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.690371][ T8675] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.699979][ T8677] netlink: 'syz-executor802': attribute type 6 has an invalid length.
executing program
[ 67.708455][ T8677] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.718054][ T8678] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.726327][ T8678] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.736183][ T8676] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.745076][ T8676] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
executing program
executing program
executing program
executing program
executing program
[ 67.754797][ T8679] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.763187][ T8679] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.778773][ T8680] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.790941][ T8680] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
executing program
executing program
[ 67.802391][ T8681] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.810581][ T8681] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.819967][ T8682] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.828380][ T8682] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.838133][ T8683] netlink: 'syz-executor802': attribute type 6 has an invalid length.
[ 67.846612][ T8683] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'.
[ 67.858616][ T8681] ==================================================================
[ 67.866842][ T8681] BUG: KASAN: use-after-free in nla_memcpy+0xa2/0xb0
[ 67.873517][ T8681] Read of size 2 at addr ffff88808e93d05c by task syz-executor802/8681
[ 67.881755][ T8681]
[ 67.884079][ T8681] CPU: 0 PID: 8681 Comm: syz-executor802 Not tainted 5.4.0-rc1+ #0
[ 67.891961][ T8681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.902011][ T8681] Call Trace:
[ 67.905304][ T8681] dump_stack+0x172/0x1f0
[ 67.909617][ T8681] ? nla_memcpy+0xa2/0xb0
[ 67.913948][ T8681] print_address_description.constprop.0.cold+0xd4/0x30b
[ 67.921087][ T8681] ? nla_memcpy+0xa2/0xb0
[ 67.925403][ T8681] ? nla_memcpy+0xa2/0xb0
[ 67.929738][ T8681] __kasan_report.cold+0x1b/0x41
[ 67.934679][ T8681] ? nla_memcpy+0xa2/0xb0
[ 67.939014][ T8681] kasan_report+0x12/0x20
[ 67.943332][ T8681] __asan_report_load2_noabort+0x14/0x20
[ 67.948966][ T8681] nla_memcpy+0xa2/0xb0
[ 67.953153][ T8681] nl802154_dump_wpan_phy+0x636/0xac0
[ 67.958512][ T8681] ? nl802154_dump_llsec_dev+0xba0/0xba0
[ 67.964140][ T8681] genl_lock_dumpit+0x86/0xc0
[ 67.968880][ T8681] netlink_dump+0x558/0xfb0
[ 67.973387][ T8681] ? netlink_broadcast+0x50/0x50
[ 67.978321][ T8681] __netlink_dump_start+0x5b1/0x7d0
[ 67.983503][ T8681] ? genl_lock_dumpit+0xc0/0xc0
[ 67.988460][ T8681] genl_rcv_msg+0xc9b/0x1000
[ 67.993076][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0
[ 68.000020][ T8681] ? genl_lock_dumpit+0xc0/0xc0
[ 68.004930][ T8681] ? genl_unlock+0x20/0x20
[ 68.009354][ T8681] ? genl_parallel_done+0x1c0/0x1c0
[ 68.014557][ T8681] ? mark_held_locks+0xf0/0xf0
[ 68.019307][ T8681] ? find_held_lock+0x35/0x130
[ 68.024056][ T8681] netlink_rcv_skb+0x177/0x450
[ 68.028902][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0
[ 68.035820][ T8681] ? netlink_ack+0xb50/0xb50
[ 68.040389][ T8681] ? __kasan_check_write+0x14/0x20
[ 68.045492][ T8681] ? netlink_deliver_tap+0x254/0xbf0
[ 68.050766][ T8681] genl_rcv+0x29/0x40
[ 68.054725][ T8681] netlink_unicast+0x531/0x710
[ 68.059487][ T8681] ? netlink_attachskb+0x7c0/0x7c0
[ 68.064589][ T8681] ? _copy_from_iter_full+0x25d/0x8c0
[ 68.069941][ T8681] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 68.075659][ T8681] ? __check_object_size+0x3d/0x437
[ 68.080855][ T8681] netlink_sendmsg+0x8a5/0xd60
[ 68.085617][ T8681] ? netlink_unicast+0x710/0x710
[ 68.090541][ T8681] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 68.096066][ T8681] ? apparmor_socket_sendmsg+0x2a/0x30
[ 68.101510][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.107727][ T8681] ? security_socket_sendmsg+0x8d/0xc0
[ 68.113160][ T8681] ? netlink_unicast+0x710/0x710
[ 68.118087][ T8681] sock_sendmsg+0xd7/0x130
[ 68.122495][ T8681] ___sys_sendmsg+0x803/0x920
[ 68.127160][ T8681] ? copy_msghdr_from_user+0x440/0x440
[ 68.132618][ T8681] ? prep_transhuge_page+0xa0/0xa0
[ 68.137736][ T8681] ? __do_page_fault+0x56a/0xdd0
[ 68.142668][ T8681] ? find_held_lock+0x35/0x130
[ 68.147470][ T8681] ? __do_page_fault+0x56a/0xdd0
[ 68.152397][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.158623][ T8681] ? __fget_light+0x1a9/0x230
[ 68.163285][ T8681] ? __fdget+0x1b/0x20
[ 68.167337][ T8681] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 68.173562][ T8681] __sys_sendmsg+0x105/0x1d0
[ 68.178144][ T8681] ? __sys_sendmsg_sock+0xd0/0xd0
[ 68.183167][ T8681] ? down_read_non_owner+0x490/0x490
[ 68.188467][ T8681] ? trace_hardirqs_on_thunk+0x1a/0x20
[ 68.193904][ T8681] ? do_syscall_64+0x26/0x760
[ 68.198564][ T8681] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.204617][ T8681] ? do_syscall_64+0x26/0x760
[ 68.209274][ T8681] __x64_sys_sendmsg+0x78/0xb0
[ 68.214028][ T8681] do_syscall_64+0xfa/0x760
[ 68.218514][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.224384][ T8681] RIP: 0033:0x4412b9
[ 68.228267][ T8681] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.247947][ T8681] RSP: 002b:00007ffd3ab1ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 68.256334][ T8681] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 68.264283][ T8681] RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000003
[ 68.272239][ T8681] RBP: 000000000001083b R08: 00000000004002c8 R09: 00000000004002c8
[ 68.280197][ T8681] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402030
[ 68.288147][ T8681] R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
[ 68.296119][ T8681]
[ 68.298428][ T8681] Allocated by task 8686:
[ 68.302741][ T8681] save_stack+0x23/0x90
[ 68.306890][ T8681] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 68.312496][ T8681] kasan_kmalloc+0x9/0x10
[ 68.316801][ T8681] __kmalloc_node_track_caller+0x4e/0x70
[ 68.322413][ T8681] __kmalloc_reserve.isra.0+0x40/0xf0
[ 68.327760][ T8681] __alloc_skb+0x10b/0x5e0
[ 68.332175][ T8681] netlink_sendmsg+0x972/0xd60
[ 68.336915][ T8681] sock_sendmsg+0xd7/0x130
[ 68.341329][ T8681] ___sys_sendmsg+0x803/0x920
[ 68.345994][ T8681] __sys_sendmsg+0x105/0x1d0
[ 68.350561][ T8681] __x64_sys_sendmsg+0x78/0xb0
[ 68.355312][ T8681] do_syscall_64+0xfa/0x760
[ 68.359794][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.365656][ T8681]
[ 68.367960][ T8681] Freed by task 8686:
[ 68.371919][ T8681] save_stack+0x23/0x90
[ 68.376066][ T8681] __kasan_slab_free+0x102/0x150
[ 68.380980][ T8681] kasan_slab_free+0xe/0x10
[ 68.385465][ T8681] kfree+0x10a/0x2c0
[ 68.389359][ T8681] skb_free_head+0x93/0xb0
[ 68.393772][ T8681] skb_release_data+0x42d/0x7c0
[ 68.398601][ T8681] skb_release_all+0x4d/0x60
[ 68.403171][ T8681] consume_skb+0xfb/0x3b0
[ 68.407523][ T8681] netlink_unicast+0x539/0x710
[ 68.412263][ T8681] netlink_sendmsg+0x8a5/0xd60
[ 68.417013][ T8681] sock_sendmsg+0xd7/0x130
[ 68.421532][ T8681] ___sys_sendmsg+0x803/0x920
[ 68.426189][ T8681] __sys_sendmsg+0x105/0x1d0
[ 68.430755][ T8681] __x64_sys_sendmsg+0x78/0xb0
[ 68.435507][ T8681] do_syscall_64+0xfa/0x760
[ 68.439995][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.445963][ T8681]
[ 68.448294][ T8681] The buggy address belongs to the object at ffff88808e93d040
[ 68.448294][ T8681] which belongs to the cache kmalloc-512 of size 512
[ 68.462346][ T8681] The buggy address is located 28 bytes inside of
[ 68.462346][ T8681] 512-byte region [ffff88808e93d040, ffff88808e93d240)
[ 68.475508][ T8681] The buggy address belongs to the page:
[ 68.481135][ T8681] page:ffffea00023a4f40 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0xffff88808e93da40
[ 68.491610][ T8681] flags: 0x1fffc0000000200(slab)
[ 68.496540][ T8681] raw: 01fffc0000000200 ffffea0002729d08 ffffea0002863288 ffff8880aa400a80
[ 68.505123][ T8681] raw: ffff88808e93da40 ffff88808e93d040 0000000100000004 0000000000000000
[ 68.513694][ T8681] page dumped because: kasan: bad access detected
[ 68.520081][ T8681]
[ 68.522390][ T8681] Memory state around the buggy address:
[ 68.528031][ T8681] ffff88808e93cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.536076][ T8681] ffff88808e93cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.544120][ T8681] >ffff88808e93d000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 68.552173][ T8681] ^
executing program
executing program
[ 68.559088][ T8681] ffff88808e93d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.567145][ T8681] ffff88808e93d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.575187][ T8681] ==================================================================
[ 68.583234][ T8681] Disabling lock debugging due to kernel taint
[ 68.590780][ T8681] Kernel panic - not syncing: panic_on_warn set ...
[ 68.597385][ T8681] CPU: 0 PID: 8681 Comm: syz-executor802 Tainted: G B 5.4.0-rc1+ #0
[ 68.606649][ T8681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.616687][ T8681] Call Trace:
[ 68.619962][ T8681] dump_stack+0x172/0x1f0
[ 68.624270][ T8681] panic+0x2dc/0x755
[ 68.628140][ T8681] ? add_taint.cold+0x16/0x16
[ 68.632796][ T8681] ? nla_memcpy+0xa2/0xb0
[ 68.637103][ T8681] ? preempt_schedule+0x4b/0x60
[ 68.641934][ T8681] ? ___preempt_schedule+0x16/0x20
[ 68.647027][ T8681] ? trace_hardirqs_on+0x5e/0x240
[ 68.652038][ T8681] ? nla_memcpy+0xa2/0xb0
[ 68.656351][ T8681] end_report+0x47/0x4f
[ 68.660493][ T8681] ? nla_memcpy+0xa2/0xb0
[ 68.664799][ T8681] __kasan_report.cold+0xe/0x41
[ 68.669642][ T8681] ? nla_memcpy+0xa2/0xb0
[ 68.673954][ T8681] kasan_report+0x12/0x20
[ 68.678275][ T8681] __asan_report_load2_noabort+0x14/0x20
[ 68.683884][ T8681] nla_memcpy+0xa2/0xb0
[ 68.688019][ T8681] nl802154_dump_wpan_phy+0x636/0xac0
[ 68.693383][ T8681] ? nl802154_dump_llsec_dev+0xba0/0xba0
[ 68.699008][ T8681] genl_lock_dumpit+0x86/0xc0
[ 68.703677][ T8681] netlink_dump+0x558/0xfb0
[ 68.708162][ T8681] ? netlink_broadcast+0x50/0x50
[ 68.713096][ T8681] __netlink_dump_start+0x5b1/0x7d0
[ 68.718272][ T8681] ? genl_lock_dumpit+0xc0/0xc0
[ 68.723103][ T8681] genl_rcv_msg+0xc9b/0x1000
[ 68.727677][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0
[ 68.734587][ T8681] ? genl_lock_dumpit+0xc0/0xc0
[ 68.739423][ T8681] ? genl_unlock+0x20/0x20
[ 68.743816][ T8681] ? genl_parallel_done+0x1c0/0x1c0
[ 68.748997][ T8681] ? mark_held_locks+0xf0/0xf0
[ 68.753737][ T8681] ? find_held_lock+0x35/0x130
[ 68.758482][ T8681] netlink_rcv_skb+0x177/0x450
[ 68.763248][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0
[ 68.770176][ T8681] ? netlink_ack+0xb50/0xb50
[ 68.774837][ T8681] ? __kasan_check_write+0x14/0x20
[ 68.779930][ T8681] ? netlink_deliver_tap+0x254/0xbf0
[ 68.785256][ T8681] genl_rcv+0x29/0x40
[ 68.789218][ T8681] netlink_unicast+0x531/0x710
[ 68.793961][ T8681] ? netlink_attachskb+0x7c0/0x7c0
[ 68.799745][ T8681] ? _copy_from_iter_full+0x25d/0x8c0
[ 68.805107][ T8681] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 68.810804][ T8681] ? __check_object_size+0x3d/0x437
[ 68.815989][ T8681] netlink_sendmsg+0x8a5/0xd60
[ 68.820733][ T8681] ? netlink_unicast+0x710/0x710
[ 68.825648][ T8681] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 68.831171][ T8681] ? apparmor_socket_sendmsg+0x2a/0x30
[ 68.836610][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.842831][ T8681] ? security_socket_sendmsg+0x8d/0xc0
[ 68.848796][ T8681] ? netlink_unicast+0x710/0x710
[ 68.853724][ T8681] sock_sendmsg+0xd7/0x130
[ 68.858119][ T8681] ___sys_sendmsg+0x803/0x920
[ 68.862773][ T8681] ? copy_msghdr_from_user+0x440/0x440
[ 68.868213][ T8681] ? prep_transhuge_page+0xa0/0xa0
[ 68.873309][ T8681] ? __do_page_fault+0x56a/0xdd0
[ 68.878230][ T8681] ? find_held_lock+0x35/0x130
[ 68.882979][ T8681] ? __do_page_fault+0x56a/0xdd0
[ 68.887908][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.894127][ T8681] ? __fget_light+0x1a9/0x230
[ 68.898782][ T8681] ? __fdget+0x1b/0x20
[ 68.902831][ T8681] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 68.909139][ T8681] __sys_sendmsg+0x105/0x1d0
[ 68.913721][ T8681] ? __sys_sendmsg_sock+0xd0/0xd0
[ 68.918736][ T8681] ? down_read_non_owner+0x490/0x490
[ 68.924005][ T8681] ? trace_hardirqs_on_thunk+0x1a/0x20
[ 68.929444][ T8681] ? do_syscall_64+0x26/0x760
[ 68.934109][ T8681] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.940174][ T8681] ? do_syscall_64+0x26/0x760
[ 68.944829][ T8681] __x64_sys_sendmsg+0x78/0xb0
[ 68.949616][ T8681] do_syscall_64+0xfa/0x760
[ 68.954101][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.959970][ T8681] RIP: 0033:0x4412b9
[ 68.963906][ T8681] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.983489][ T8681] RSP: 002b:00007ffd3ab1ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 68.991880][ T8681] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 68.999842][ T8681] RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000003
[ 69.007792][ T8681] RBP: 000000000001083b R08: 00000000004002c8 R09: 00000000004002c8
[ 69.015741][ T8681] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402030
[ 69.023691][ T8681] R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000
[ 69.033038][ T8681] Kernel Offset: disabled
[ 69.037364][ T8681] Rebooting in 86400 seconds..