[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Found device /dev/ttyS0.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.226' (ECDSA) to the list of known hosts.

syzkaller login: [   42.099455] IPVS: ftp: loaded support on port[0] = 21
[   42.172522] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   42.182374] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   42.193708] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   42.220161] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   42.231119] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[   42.239433] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   42.247782] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   42.257200] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[   42.296137] ==================================================================
[   42.304758] BUG: KASAN: slab-out-of-bounds in ieee80211_key_free+0xf0/0x110
[   42.313489] Read of size 2 at addr ffff8880a9757ce8 by task syz-executor537/8133
[   42.321756]
[   42.323388] CPU: 1 PID: 8133 Comm: syz-executor537 Not tainted 4.19.187-syzkaller #0
[   42.332313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.343088] Call Trace:
[   42.345912]  dump_stack+0x1fc/0x2ef
[   42.350071]  print_address_description.cold+0x54/0x219
[   42.356227]  kasan_report_error.cold+0x8a/0x1b9
[   42.361836]  ? ieee80211_key_free+0xf0/0x110
[   42.367604]  __asan_report_load2_noabort+0x88/0x90
[   42.373260]  ? ieee80211_key_free+0xf0/0x110
[   42.378290]  ieee80211_key_free+0xf0/0x110
[   42.382857]  ieee80211_del_key+0x162/0x3d0
[   42.388575]  nl80211_del_key+0x43e/0xc20
[   42.393636]  ? nl80211_parse_key+0xed0/0xed0
[   42.398840]  ? nl80211_pre_doit+0xa2/0x620
[   42.403557]  ? __cfg80211_rdev_from_attrs+0x700/0x700
[   42.409138]  genl_family_rcv_msg+0x642/0xc40
[   42.413771]  ? genl_rcv+0x40/0x40
[   42.417407]  ? genl_rcv_msg+0x12f/0x160
[   42.422199]  ? __mutex_add_waiter+0x160/0x160
[   42.427734]  ? __radix_tree_lookup+0x216/0x370
[   42.432550]  genl_rcv_msg+0xbf/0x160
[   42.436581]  netlink_rcv_skb+0x160/0x440
[   42.440973]  ? genl_family_rcv_msg+0xc40/0xc40
[   42.445999]  ? netlink_ack+0xae0/0xae0
[   42.450154]  ? genl_rcv+0x15/0x40
[   42.454235]  genl_rcv+0x24/0x40
[   42.457796]  netlink_unicast+0x4d5/0x690
[   42.462758]  ? netlink_sendskb+0x110/0x110
[   42.467333]  ? _copy_from_iter_full+0x229/0x7c0
[   42.473353]  ? __phys_addr_symbol+0x2c/0x70
[   42.478416]  ? __check_object_size+0x17b/0x3e0
[   42.484815]  netlink_sendmsg+0x6bb/0xc40
[   42.489407]  ? aa_af_perm+0x230/0x230
[   42.493336]  ? nlmsg_notify+0x1a0/0x1a0
[   42.497714]  ? kernel_recvmsg+0x220/0x220
[   42.502165]  ? nlmsg_notify+0x1a0/0x1a0
[   42.506166]  sock_sendmsg+0xc3/0x120
[   42.510060]  ___sys_sendmsg+0x7bb/0x8e0
[   42.514028]  ? copy_msghdr_from_user+0x440/0x440
[   42.519261]  ? sock_ioctl+0x30e/0x5d0
[   42.523055]  ? dlci_ioctl_set+0x30/0x30
[   42.527202]  ? lock_downgrade+0x720/0x720
[   42.531833]  ? lock_acquire+0x170/0x3c0
[   42.536001]  ? debug_object_active_state+0x104/0x330
[   42.541371]  ? mark_held_locks+0xf0/0xf0
[   42.545557]  ? dlci_ioctl_set+0x30/0x30
[   42.549610]  ? do_vfs_ioctl+0x110/0x12e0
[   42.553674]  ? ioctl_preallocate+0x200/0x200
[   42.558406]  ? __fdget+0x1a0/0x230
[   42.562035]  __x64_sys_sendmsg+0x132/0x220
[   42.568237]  ? __sys_sendmsg+0x1b0/0x1b0
[   42.573693]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   42.580190]  ? trace_hardirqs_off_caller+0x6e/0x210
[   42.585981]  ? do_syscall_64+0x21/0x620
[   42.590603]  do_syscall_64+0xf9/0x620
[   42.594599]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.600169] RIP: 0033:0x440f09
[   42.603358] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   42.623268] RSP: 002b:00007fff9efd1268 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   42.631268] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440f09
[   42.640712] RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000003
[   42.648355] RBP: 0000000000000000 R08: 0000000c00000000 R09: 0000000c00000000
[   42.655797] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000a536
[   42.664475] R13: 00007fff9efd12d0 R14: 00007fff9efd12c0 R15: 00007fff9efd128c
[   42.672375]
[   42.674186] Allocated by task 1:
[   42.678194]  __kmalloc+0x15a/0x3c0
[   42.682443]  kernfs_fop_write+0x32f/0x470
[   42.686881]  __vfs_write+0xf7/0x770
[   42.690611]  vfs_write+0x1f3/0x540
[   42.694497]  ksys_write+0x12b/0x2a0
[   42.698309]  do_syscall_64+0xf9/0x620
[   42.702120]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.707531]
[   42.709469] Freed by task 1:
[   42.712728]  kfree+0xcc/0x210
[   42.716189]  kernfs_fop_write+0x188/0x470
[   42.720878]  __vfs_write+0xf7/0x770
[   42.724599]  vfs_write+0x1f3/0x540
[   42.728407]  ksys_write+0x12b/0x2a0
[   42.732312]  do_syscall_64+0xf9/0x620
[   42.736476]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.742246]
[   42.744163] The buggy address belongs to the object at ffff8880a9757cc0
[   42.744163]  which belongs to the cache kmalloc-32 of size 32
[   42.757486] The buggy address is located 8 bytes to the right of
[   42.757486]  32-byte region [ffff8880a9757cc0, ffff8880a9757ce0)
[   42.771279] The buggy address belongs to the page:
[   42.776569] page:ffffea0002a5d5c0 count:1 mapcount:0 mapping:ffff88813bff01c0 index:0xffff8880a9757fc1
[   42.788973] flags: 0xfff00000000100(slab)
[   42.793507] raw: 00fff00000000100 ffffea0002a60388 ffffea0002a5d7c8 ffff88813bff01c0
[   42.801759] raw: ffff8880a9757fc1 ffff8880a9757000 000000010000003f 0000000000000000
[   42.810364] page dumped because: kasan: bad access detected
[   42.816263]
[   42.817991] Memory state around the buggy address:
[   42.823196]  ffff8880a9757b80: 00 00 00 00 fc fc fc fc 00 00 00 fc fc fc fc fc
[   42.831440]  ffff8880a9757c00: fb fb fb fb fc fc fc fc 00 00 06 fc fc fc fc fc
[   42.839412] >ffff8880a9757c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   42.847033]                                                           ^
[   42.854160]  ffff8880a9757d00: 00 04 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[   42.861782]  ffff8880a9757d80: 00 01 fc fc fc fc fc fc 00 05 fc fc fc fc fc fc
[   42.871466] ==================================================================
[   42.879453] Disabling lock debugging due to kernel taint
[   42.888236] Kernel panic - not syncing: panic_on_warn set ...
[   42.888236]
[   42.896592] CPU: 1 PID: 8133 Comm: syz-executor537 Tainted: G    B             4.19.187-syzkaller #0
[   42.906613] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.916584] Call Trace:
[   42.919190]  dump_stack+0x1fc/0x2ef
[   42.923099]  panic+0x26a/0x50e
[   42.926647]  ? __warn_printk+0xf3/0xf3
[   42.930539]  ? preempt_schedule_common+0x45/0xc0
[   42.935470]  ? ___preempt_schedule+0x16/0x18
[   42.939867]  ? trace_hardirqs_on+0x55/0x210
[   42.944462]  kasan_end_report+0x43/0x49
[   42.948470]  kasan_report_error.cold+0xa7/0x1b9
[   42.953317]  ? ieee80211_key_free+0xf0/0x110
[   42.958769]  __asan_report_load2_noabort+0x88/0x90
[   42.964687]  ? ieee80211_key_free+0xf0/0x110
[   42.970119]  ieee80211_key_free+0xf0/0x110
[   42.978275]  ieee80211_del_key+0x162/0x3d0
[   42.983336]  nl80211_del_key+0x43e/0xc20
[   42.989698]  ? nl80211_parse_key+0xed0/0xed0
[   42.994848]  ? nl80211_pre_doit+0xa2/0x620
[   42.999969]  ? __cfg80211_rdev_from_attrs+0x700/0x700
[   43.006328]  genl_family_rcv_msg+0x642/0xc40
[   43.011406]  ? genl_rcv+0x40/0x40
[   43.015116]  ? genl_rcv_msg+0x12f/0x160
[   43.019354]  ? __mutex_add_waiter+0x160/0x160
[   43.024409]  ? __radix_tree_lookup+0x216/0x370
[   43.029707]  genl_rcv_msg+0xbf/0x160
[   43.033612]  netlink_rcv_skb+0x160/0x440
[   43.038322]  ? genl_family_rcv_msg+0xc40/0xc40
[   43.043407]  ? netlink_ack+0xae0/0xae0
[   43.047850]  ? genl_rcv+0x15/0x40
[   43.051319]  genl_rcv+0x24/0x40
[   43.054729]  netlink_unicast+0x4d5/0x690
[   43.059131]  ? netlink_sendskb+0x110/0x110
[   43.063935]  ? _copy_from_iter_full+0x229/0x7c0
[   43.068870]  ? __phys_addr_symbol+0x2c/0x70
[   43.073307]  ? __check_object_size+0x17b/0x3e0
[   43.078540]  netlink_sendmsg+0x6bb/0xc40
[   43.082842]  ? aa_af_perm+0x230/0x230
[   43.086868]  ? nlmsg_notify+0x1a0/0x1a0
[   43.091578]  ? kernel_recvmsg+0x220/0x220
[   43.096075]  ? nlmsg_notify+0x1a0/0x1a0
[   43.100568]  sock_sendmsg+0xc3/0x120
[   43.105246]  ___sys_sendmsg+0x7bb/0x8e0
[   43.110262]  ? copy_msghdr_from_user+0x440/0x440
[   43.115918]  ? sock_ioctl+0x30e/0x5d0
[   43.120788]  ? dlci_ioctl_set+0x30/0x30
[   43.125564]  ? lock_downgrade+0x720/0x720
[   43.130254]  ? lock_acquire+0x170/0x3c0
[   43.135452]  ? debug_object_active_state+0x104/0x330
[   43.140915]  ? mark_held_locks+0xf0/0xf0
[   43.145870]  ? dlci_ioctl_set+0x30/0x30
[   43.150162]  ? do_vfs_ioctl+0x110/0x12e0
[   43.154825]  ? ioctl_preallocate+0x200/0x200
[   43.160913]  ? __fdget+0x1a0/0x230
[   43.165180]  __x64_sys_sendmsg+0x132/0x220
[   43.169859]  ? __sys_sendmsg+0x1b0/0x1b0
[   43.174286]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   43.182246]  ? trace_hardirqs_off_caller+0x6e/0x210
[   43.188063]  ? do_syscall_64+0x21/0x620
[   43.192406]  do_syscall_64+0xf9/0x620
[   43.196907]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.203070] RIP: 0033:0x440f09
[   43.206521] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   43.226962] RSP: 002b:00007fff9efd1268 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   43.235414] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440f09
[   43.243319] RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000003
[   43.251439] RBP: 0000000000000000 R08: 0000000c00000000 R09: 0000000c00000000
[   43.259253] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000a536
[   43.266897] R13: 00007fff9efd12d0 R14: 00007fff9efd12c0 R15: 00007fff9efd128c
[   43.276413] Kernel Offset: disabled
[   43.280220] Rebooting in 86400 seconds..