[   29.015253] audit: type=1800 audit(1543147209.201:27): pid=5893 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   29.047337] audit: type=1800 audit(1543147209.201:28): pid=5893 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   29.774182] audit: type=1800 audit(1543147209.951:29): pid=5893 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   29.795154] audit: type=1800 audit(1543147209.961:30): pid=5893 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   39.345080] ==================================================================
[   39.352677] BUG: KASAN: slab-out-of-bounds in queue_stack_map_push_elem+0x185/0x290
[   39.360459] Write of size 262146 at addr ffff8881d97ca708 by task syz-executor070/6049
[   39.368490] 
[   39.370106] CPU: 1 PID: 6049 Comm: syz-executor070 Not tainted 4.20.0-rc3+ #251
[   39.377548] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.386899] Call Trace:
[   39.389513]  dump_stack+0x244/0x39d
[   39.393142]  ? dump_stack_print_info.cold.1+0x20/0x20
[   39.398332]  ? printk+0xa7/0xcf
[   39.401594]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.406355]  print_address_description.cold.7+0x9/0x1ff
[   39.411703]  kasan_report.cold.8+0x242/0x309
[   39.416090]  ? queue_stack_map_push_elem+0x185/0x290
[   39.421194]  check_memory_region+0x13e/0x1b0
[   39.425603]  memcpy+0x37/0x50
[   39.428695]  queue_stack_map_push_elem+0x185/0x290
[   39.433604]  ? queue_map_pop_elem+0x30/0x30
[   39.437912]  map_update_elem+0x605/0xf60
[   39.441989]  __ia32_sys_bpf+0x32d/0x520
[   39.445948]  ? __x64_sys_bpf+0x520/0x520
[   39.449998]  ? __do_page_fault+0x491/0xe60
[   39.454240]  do_fast_syscall_32+0x34d/0xfb2
[   39.458551]  ? do_int80_syscall_32+0x890/0x890
[   39.463124]  ? entry_SYSENTER_compat+0x68/0x7f
[   39.467707]  ? trace_hardirqs_off_caller+0xbb/0x310
[   39.472719]  ? syscall_return_slowpath+0x5e0/0x5e0
[   39.477633]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.482463]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.487291]  ? trace_hardirqs_on_caller+0x310/0x310
[   39.492292]  ? prepare_exit_to_usermode+0x291/0x3b0
[   39.497314]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.502144]  entry_SYSENTER_compat+0x70/0x7f
[   39.506579] RIP: 0023:0xf7f63a29
[   39.509932] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   39.528817] RSP: 002b:00000000ffa8a38c EFLAGS: 00000213 ORIG_RAX: 0000000000000165
[   39.536509] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000020000040
[   39.543781] RDX: 0000000000000020 RSI: 00000000080ea078 RDI: 00000000ffa8a3e0
[   39.551033] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[   39.558287] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   39.565549] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   39.572809] 
[   39.574426] Allocated by task 6049:
[   39.578058]  save_stack+0x43/0xd0
[   39.581497]  kasan_kmalloc+0xc7/0xe0
[   39.585195]  __kmalloc_node+0x50/0x70
[   39.588979]  bpf_map_area_alloc+0x3f/0x90
[   39.593108]  queue_stack_map_alloc+0x192/0x290
[   39.597686]  map_create+0x3bd/0x1110
[   39.601382]  __ia32_sys_bpf+0x303/0x520
[   39.605343]  do_fast_syscall_32+0x34d/0xfb2
[   39.609683]  entry_SYSENTER_compat+0x70/0x7f
[   39.614084] 
[   39.615693] Freed by task 3715:
[   39.618961]  save_stack+0x43/0xd0
[   39.622399]  __kasan_slab_free+0x102/0x150
[   39.626622]  kasan_slab_free+0xe/0x10
[   39.630407]  kfree+0xcf/0x230
[   39.633497]  skb_free_head+0x99/0xc0
[   39.637194]  skb_release_data+0x70c/0x9a0
[   39.641324]  skb_release_all+0x4a/0x60
[   39.645195]  consume_skb+0x1ae/0x570
[   39.648915]  skb_free_datagram+0x1a/0xf0
[   39.652985]  netlink_recvmsg+0x70f/0x1480
[   39.657146]  sock_recvmsg+0xd0/0x110
[   39.660844]  ___sys_recvmsg+0x2b6/0x680
[   39.664803]  __sys_recvmsg+0x11a/0x280
[   39.668699]  __x64_sys_recvmsg+0x78/0xb0
[   39.672742]  do_syscall_64+0x1b9/0x820
[   39.676617]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.681819] 
[   39.683457] The buggy address belongs to the object at ffff8881d97ca5c0
[   39.683457]  which belongs to the cache kmalloc-512 of size 512
[   39.696123] The buggy address is located 328 bytes inside of
[   39.696123]  512-byte region [ffff8881d97ca5c0, ffff8881d97ca7c0)
[   39.707989] The buggy address belongs to the page:
[   39.712919] page:ffffea000765f280 count:1 mapcount:0 mapping:ffff8881da800940 index:0x0
[   39.721071] flags: 0x2fffc0000000200(slab)
[   39.725343] raw: 02fffc0000000200 ffffea000764c508 ffffea0007669848 ffff8881da800940
[   39.733216] raw: 0000000000000000 ffff8881d97ca0c0 0000000100000006 0000000000000000
[   39.741140] page dumped because: kasan: bad access detected
[   39.746840] 
[   39.748450] Memory state around the buggy address:
[   39.753365]  ffff8881d97ca600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   39.760713]  ffff8881d97ca680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   39.768061] >ffff8881d97ca700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   39.775415]                                            ^
[   39.780861]  ffff8881d97ca780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.788223]  ffff8881d97ca800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   39.795588] ==================================================================
[   39.802931] Disabling lock debugging due to kernel taint
[   39.808366] Kernel panic - not syncing: panic_on_warn set ...
[   39.814236] CPU: 1 PID: 6049 Comm: syz-executor070 Tainted: G    B             4.20.0-rc3+ #251
[   39.823054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.832395] Call Trace:
[   39.834989]  dump_stack+0x244/0x39d
[   39.838613]  ? dump_stack_print_info.cold.1+0x20/0x20
[   39.843805]  panic+0x2ad/0x55c
[   39.846985]  ? add_taint.cold.5+0x16/0x16
[   39.851117]  ? add_taint.cold.5+0x5/0x16
[   39.855160]  ? trace_hardirqs_off+0xaf/0x310
[   39.859555]  kasan_end_report+0x47/0x4f
[   39.863522]  kasan_report.cold.8+0x76/0x309
[   39.867867]  ? queue_stack_map_push_elem+0x185/0x290
[   39.872957]  check_memory_region+0x13e/0x1b0
[   39.877350]  memcpy+0x37/0x50
[   39.880440]  queue_stack_map_push_elem+0x185/0x290
[   39.885352]  ? queue_map_pop_elem+0x30/0x30
[   39.889655]  map_update_elem+0x605/0xf60
[   39.893699]  __ia32_sys_bpf+0x32d/0x520
[   39.897656]  ? __x64_sys_bpf+0x520/0x520
[   39.901719]  ? __do_page_fault+0x491/0xe60
[   39.905942]  do_fast_syscall_32+0x34d/0xfb2
[   39.910250]  ? do_int80_syscall_32+0x890/0x890
[   39.914859]  ? entry_SYSENTER_compat+0x68/0x7f
[   39.919431]  ? trace_hardirqs_off_caller+0xbb/0x310
[   39.924431]  ? syscall_return_slowpath+0x5e0/0x5e0
[   39.929341]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.934165]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.939013]  ? trace_hardirqs_on_caller+0x310/0x310
[   39.944014]  ? prepare_exit_to_usermode+0x291/0x3b0
[   39.949018]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.953868]  entry_SYSENTER_compat+0x70/0x7f
[   39.958261] RIP: 0023:0xf7f63a29
[   39.961610] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   39.980511] RSP: 002b:00000000ffa8a38c EFLAGS: 00000213 ORIG_RAX: 0000000000000165
[   39.988219] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000020000040
[   39.995482] RDX: 0000000000000020 RSI: 00000000080ea078 RDI: 00000000ffa8a3e0
[   40.002745] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[   40.010006] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   40.017283] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   40.025524] Kernel Offset: disabled
[   40.029157] Rebooting in 86400 seconds..