[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 56.253736][ T25] audit: type=1800 audit(1570408562.247:25): pid=8513 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 56.291543][ T25] audit: type=1800 audit(1570408562.247:26): pid=8513 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 56.332962][ T25] audit: type=1800 audit(1570408562.257:27): pid=8513 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.10' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program syzkaller login: [ 67.659014][ T8670] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.671565][ T8670] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.682190][ T8675] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.690371][ T8675] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.699979][ T8677] netlink: 'syz-executor802': attribute type 6 has an invalid length. executing program [ 67.708455][ T8677] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.718054][ T8678] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.726327][ T8678] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.736183][ T8676] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.745076][ T8676] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. executing program executing program executing program executing program executing program [ 67.754797][ T8679] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.763187][ T8679] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.778773][ T8680] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.790941][ T8680] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. executing program executing program [ 67.802391][ T8681] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.810581][ T8681] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.819967][ T8682] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.828380][ T8682] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.838133][ T8683] netlink: 'syz-executor802': attribute type 6 has an invalid length. [ 67.846612][ T8683] netlink: 2 bytes leftover after parsing attributes in process `syz-executor802'. [ 67.858616][ T8681] ================================================================== [ 67.866842][ T8681] BUG: KASAN: use-after-free in nla_memcpy+0xa2/0xb0 [ 67.873517][ T8681] Read of size 2 at addr ffff88808e93d05c by task syz-executor802/8681 [ 67.881755][ T8681] [ 67.884079][ T8681] CPU: 0 PID: 8681 Comm: syz-executor802 Not tainted 5.4.0-rc1+ #0 [ 67.891961][ T8681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.902011][ T8681] Call Trace: [ 67.905304][ T8681] dump_stack+0x172/0x1f0 [ 67.909617][ T8681] ? nla_memcpy+0xa2/0xb0 [ 67.913948][ T8681] print_address_description.constprop.0.cold+0xd4/0x30b [ 67.921087][ T8681] ? nla_memcpy+0xa2/0xb0 [ 67.925403][ T8681] ? nla_memcpy+0xa2/0xb0 [ 67.929738][ T8681] __kasan_report.cold+0x1b/0x41 [ 67.934679][ T8681] ? nla_memcpy+0xa2/0xb0 [ 67.939014][ T8681] kasan_report+0x12/0x20 [ 67.943332][ T8681] __asan_report_load2_noabort+0x14/0x20 [ 67.948966][ T8681] nla_memcpy+0xa2/0xb0 [ 67.953153][ T8681] nl802154_dump_wpan_phy+0x636/0xac0 [ 67.958512][ T8681] ? nl802154_dump_llsec_dev+0xba0/0xba0 [ 67.964140][ T8681] genl_lock_dumpit+0x86/0xc0 [ 67.968880][ T8681] netlink_dump+0x558/0xfb0 [ 67.973387][ T8681] ? netlink_broadcast+0x50/0x50 [ 67.978321][ T8681] __netlink_dump_start+0x5b1/0x7d0 [ 67.983503][ T8681] ? genl_lock_dumpit+0xc0/0xc0 [ 67.988460][ T8681] genl_rcv_msg+0xc9b/0x1000 [ 67.993076][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 68.000020][ T8681] ? genl_lock_dumpit+0xc0/0xc0 [ 68.004930][ T8681] ? genl_unlock+0x20/0x20 [ 68.009354][ T8681] ? genl_parallel_done+0x1c0/0x1c0 [ 68.014557][ T8681] ? mark_held_locks+0xf0/0xf0 [ 68.019307][ T8681] ? find_held_lock+0x35/0x130 [ 68.024056][ T8681] netlink_rcv_skb+0x177/0x450 [ 68.028902][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 68.035820][ T8681] ? netlink_ack+0xb50/0xb50 [ 68.040389][ T8681] ? __kasan_check_write+0x14/0x20 [ 68.045492][ T8681] ? netlink_deliver_tap+0x254/0xbf0 [ 68.050766][ T8681] genl_rcv+0x29/0x40 [ 68.054725][ T8681] netlink_unicast+0x531/0x710 [ 68.059487][ T8681] ? netlink_attachskb+0x7c0/0x7c0 [ 68.064589][ T8681] ? _copy_from_iter_full+0x25d/0x8c0 [ 68.069941][ T8681] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 68.075659][ T8681] ? __check_object_size+0x3d/0x437 [ 68.080855][ T8681] netlink_sendmsg+0x8a5/0xd60 [ 68.085617][ T8681] ? netlink_unicast+0x710/0x710 [ 68.090541][ T8681] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 68.096066][ T8681] ? apparmor_socket_sendmsg+0x2a/0x30 [ 68.101510][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 68.107727][ T8681] ? security_socket_sendmsg+0x8d/0xc0 [ 68.113160][ T8681] ? netlink_unicast+0x710/0x710 [ 68.118087][ T8681] sock_sendmsg+0xd7/0x130 [ 68.122495][ T8681] ___sys_sendmsg+0x803/0x920 [ 68.127160][ T8681] ? copy_msghdr_from_user+0x440/0x440 [ 68.132618][ T8681] ? prep_transhuge_page+0xa0/0xa0 [ 68.137736][ T8681] ? __do_page_fault+0x56a/0xdd0 [ 68.142668][ T8681] ? find_held_lock+0x35/0x130 [ 68.147470][ T8681] ? __do_page_fault+0x56a/0xdd0 [ 68.152397][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 68.158623][ T8681] ? __fget_light+0x1a9/0x230 [ 68.163285][ T8681] ? __fdget+0x1b/0x20 [ 68.167337][ T8681] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 68.173562][ T8681] __sys_sendmsg+0x105/0x1d0 [ 68.178144][ T8681] ? __sys_sendmsg_sock+0xd0/0xd0 [ 68.183167][ T8681] ? down_read_non_owner+0x490/0x490 [ 68.188467][ T8681] ? trace_hardirqs_on_thunk+0x1a/0x20 [ 68.193904][ T8681] ? do_syscall_64+0x26/0x760 [ 68.198564][ T8681] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 68.204617][ T8681] ? do_syscall_64+0x26/0x760 [ 68.209274][ T8681] __x64_sys_sendmsg+0x78/0xb0 [ 68.214028][ T8681] do_syscall_64+0xfa/0x760 [ 68.218514][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 68.224384][ T8681] RIP: 0033:0x4412b9 [ 68.228267][ T8681] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 68.247947][ T8681] RSP: 002b:00007ffd3ab1ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 68.256334][ T8681] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9 [ 68.264283][ T8681] RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000003 [ 68.272239][ T8681] RBP: 000000000001083b R08: 00000000004002c8 R09: 00000000004002c8 [ 68.280197][ T8681] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402030 [ 68.288147][ T8681] R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000 [ 68.296119][ T8681] [ 68.298428][ T8681] Allocated by task 8686: [ 68.302741][ T8681] save_stack+0x23/0x90 [ 68.306890][ T8681] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 68.312496][ T8681] kasan_kmalloc+0x9/0x10 [ 68.316801][ T8681] __kmalloc_node_track_caller+0x4e/0x70 [ 68.322413][ T8681] __kmalloc_reserve.isra.0+0x40/0xf0 [ 68.327760][ T8681] __alloc_skb+0x10b/0x5e0 [ 68.332175][ T8681] netlink_sendmsg+0x972/0xd60 [ 68.336915][ T8681] sock_sendmsg+0xd7/0x130 [ 68.341329][ T8681] ___sys_sendmsg+0x803/0x920 [ 68.345994][ T8681] __sys_sendmsg+0x105/0x1d0 [ 68.350561][ T8681] __x64_sys_sendmsg+0x78/0xb0 [ 68.355312][ T8681] do_syscall_64+0xfa/0x760 [ 68.359794][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 68.365656][ T8681] [ 68.367960][ T8681] Freed by task 8686: [ 68.371919][ T8681] save_stack+0x23/0x90 [ 68.376066][ T8681] __kasan_slab_free+0x102/0x150 [ 68.380980][ T8681] kasan_slab_free+0xe/0x10 [ 68.385465][ T8681] kfree+0x10a/0x2c0 [ 68.389359][ T8681] skb_free_head+0x93/0xb0 [ 68.393772][ T8681] skb_release_data+0x42d/0x7c0 [ 68.398601][ T8681] skb_release_all+0x4d/0x60 [ 68.403171][ T8681] consume_skb+0xfb/0x3b0 [ 68.407523][ T8681] netlink_unicast+0x539/0x710 [ 68.412263][ T8681] netlink_sendmsg+0x8a5/0xd60 [ 68.417013][ T8681] sock_sendmsg+0xd7/0x130 [ 68.421532][ T8681] ___sys_sendmsg+0x803/0x920 [ 68.426189][ T8681] __sys_sendmsg+0x105/0x1d0 [ 68.430755][ T8681] __x64_sys_sendmsg+0x78/0xb0 [ 68.435507][ T8681] do_syscall_64+0xfa/0x760 [ 68.439995][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 68.445963][ T8681] [ 68.448294][ T8681] The buggy address belongs to the object at ffff88808e93d040 [ 68.448294][ T8681] which belongs to the cache kmalloc-512 of size 512 [ 68.462346][ T8681] The buggy address is located 28 bytes inside of [ 68.462346][ T8681] 512-byte region [ffff88808e93d040, ffff88808e93d240) [ 68.475508][ T8681] The buggy address belongs to the page: [ 68.481135][ T8681] page:ffffea00023a4f40 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0xffff88808e93da40 [ 68.491610][ T8681] flags: 0x1fffc0000000200(slab) [ 68.496540][ T8681] raw: 01fffc0000000200 ffffea0002729d08 ffffea0002863288 ffff8880aa400a80 [ 68.505123][ T8681] raw: ffff88808e93da40 ffff88808e93d040 0000000100000004 0000000000000000 [ 68.513694][ T8681] page dumped because: kasan: bad access detected [ 68.520081][ T8681] [ 68.522390][ T8681] Memory state around the buggy address: [ 68.528031][ T8681] ffff88808e93cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 68.536076][ T8681] ffff88808e93cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 68.544120][ T8681] >ffff88808e93d000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 68.552173][ T8681] ^ executing program executing program [ 68.559088][ T8681] ffff88808e93d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 68.567145][ T8681] ffff88808e93d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 68.575187][ T8681] ================================================================== [ 68.583234][ T8681] Disabling lock debugging due to kernel taint [ 68.590780][ T8681] Kernel panic - not syncing: panic_on_warn set ... [ 68.597385][ T8681] CPU: 0 PID: 8681 Comm: syz-executor802 Tainted: G B 5.4.0-rc1+ #0 [ 68.606649][ T8681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 68.616687][ T8681] Call Trace: [ 68.619962][ T8681] dump_stack+0x172/0x1f0 [ 68.624270][ T8681] panic+0x2dc/0x755 [ 68.628140][ T8681] ? add_taint.cold+0x16/0x16 [ 68.632796][ T8681] ? nla_memcpy+0xa2/0xb0 [ 68.637103][ T8681] ? preempt_schedule+0x4b/0x60 [ 68.641934][ T8681] ? ___preempt_schedule+0x16/0x20 [ 68.647027][ T8681] ? trace_hardirqs_on+0x5e/0x240 [ 68.652038][ T8681] ? nla_memcpy+0xa2/0xb0 [ 68.656351][ T8681] end_report+0x47/0x4f [ 68.660493][ T8681] ? nla_memcpy+0xa2/0xb0 [ 68.664799][ T8681] __kasan_report.cold+0xe/0x41 [ 68.669642][ T8681] ? nla_memcpy+0xa2/0xb0 [ 68.673954][ T8681] kasan_report+0x12/0x20 [ 68.678275][ T8681] __asan_report_load2_noabort+0x14/0x20 [ 68.683884][ T8681] nla_memcpy+0xa2/0xb0 [ 68.688019][ T8681] nl802154_dump_wpan_phy+0x636/0xac0 [ 68.693383][ T8681] ? nl802154_dump_llsec_dev+0xba0/0xba0 [ 68.699008][ T8681] genl_lock_dumpit+0x86/0xc0 [ 68.703677][ T8681] netlink_dump+0x558/0xfb0 [ 68.708162][ T8681] ? netlink_broadcast+0x50/0x50 [ 68.713096][ T8681] __netlink_dump_start+0x5b1/0x7d0 [ 68.718272][ T8681] ? genl_lock_dumpit+0xc0/0xc0 [ 68.723103][ T8681] genl_rcv_msg+0xc9b/0x1000 [ 68.727677][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 68.734587][ T8681] ? genl_lock_dumpit+0xc0/0xc0 [ 68.739423][ T8681] ? genl_unlock+0x20/0x20 [ 68.743816][ T8681] ? genl_parallel_done+0x1c0/0x1c0 [ 68.748997][ T8681] ? mark_held_locks+0xf0/0xf0 [ 68.753737][ T8681] ? find_held_lock+0x35/0x130 [ 68.758482][ T8681] netlink_rcv_skb+0x177/0x450 [ 68.763248][ T8681] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 68.770176][ T8681] ? netlink_ack+0xb50/0xb50 [ 68.774837][ T8681] ? __kasan_check_write+0x14/0x20 [ 68.779930][ T8681] ? netlink_deliver_tap+0x254/0xbf0 [ 68.785256][ T8681] genl_rcv+0x29/0x40 [ 68.789218][ T8681] netlink_unicast+0x531/0x710 [ 68.793961][ T8681] ? netlink_attachskb+0x7c0/0x7c0 [ 68.799745][ T8681] ? _copy_from_iter_full+0x25d/0x8c0 [ 68.805107][ T8681] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 68.810804][ T8681] ? __check_object_size+0x3d/0x437 [ 68.815989][ T8681] netlink_sendmsg+0x8a5/0xd60 [ 68.820733][ T8681] ? netlink_unicast+0x710/0x710 [ 68.825648][ T8681] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 68.831171][ T8681] ? apparmor_socket_sendmsg+0x2a/0x30 [ 68.836610][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 68.842831][ T8681] ? security_socket_sendmsg+0x8d/0xc0 [ 68.848796][ T8681] ? netlink_unicast+0x710/0x710 [ 68.853724][ T8681] sock_sendmsg+0xd7/0x130 [ 68.858119][ T8681] ___sys_sendmsg+0x803/0x920 [ 68.862773][ T8681] ? copy_msghdr_from_user+0x440/0x440 [ 68.868213][ T8681] ? prep_transhuge_page+0xa0/0xa0 [ 68.873309][ T8681] ? __do_page_fault+0x56a/0xdd0 [ 68.878230][ T8681] ? find_held_lock+0x35/0x130 [ 68.882979][ T8681] ? __do_page_fault+0x56a/0xdd0 [ 68.887908][ T8681] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 68.894127][ T8681] ? __fget_light+0x1a9/0x230 [ 68.898782][ T8681] ? __fdget+0x1b/0x20 [ 68.902831][ T8681] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 68.909139][ T8681] __sys_sendmsg+0x105/0x1d0 [ 68.913721][ T8681] ? __sys_sendmsg_sock+0xd0/0xd0 [ 68.918736][ T8681] ? down_read_non_owner+0x490/0x490 [ 68.924005][ T8681] ? trace_hardirqs_on_thunk+0x1a/0x20 [ 68.929444][ T8681] ? do_syscall_64+0x26/0x760 [ 68.934109][ T8681] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 68.940174][ T8681] ? do_syscall_64+0x26/0x760 [ 68.944829][ T8681] __x64_sys_sendmsg+0x78/0xb0 [ 68.949616][ T8681] do_syscall_64+0xfa/0x760 [ 68.954101][ T8681] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 68.959970][ T8681] RIP: 0033:0x4412b9 [ 68.963906][ T8681] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 68.983489][ T8681] RSP: 002b:00007ffd3ab1ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 68.991880][ T8681] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9 [ 68.999842][ T8681] RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000003 [ 69.007792][ T8681] RBP: 000000000001083b R08: 00000000004002c8 R09: 00000000004002c8 [ 69.015741][ T8681] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402030 [ 69.023691][ T8681] R13: 00000000004020c0 R14: 0000000000000000 R15: 0000000000000000 [ 69.033038][ T8681] Kernel Offset: disabled [ 69.037364][ T8681] Rebooting in 86400 seconds..