Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.221' (ECDSA) to the list of known hosts.
syzkaller login: [ 55.847004][ T6825] IPVS: ftp: loaded support on port[0] = 21
[ 55.849906][ T6821] IPVS: ftp: loaded support on port[0] = 21
[ 55.859337][ T6827] IPVS: ftp: loaded support on port[0] = 21
[ 55.865462][ T6829] IPVS: ftp: loaded support on port[0] = 21
[ 55.880307][ T6828] IPVS: ftp: loaded support on port[0] = 21
[ 55.886686][ T6826] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 55.989521][ T6898] netlink: 'syz-executor005': attribute type 3 has an invalid length.
[ 55.999145][ T6898] netlink: 'syz-executor005': attribute type 8 has an invalid length.
[ 56.010809][ T6898] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
executing program
executing program
executing program
[ 56.045760][ T6925] netlink: 'syz-executor005': attribute type 3 has an invalid length.
[ 56.048339][ T6921] netlink: 'syz-executor005': attribute type 3 has an invalid length.
[ 56.065868][ T6921] netlink: 'syz-executor005': attribute type 8 has an invalid length.
[ 56.069484][ T6925] netlink: 'syz-executor005': attribute type 8 has an invalid length.
executing program
executing program
[ 56.089506][ T6925] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.094870][ T6940] netlink: 'syz-executor005': attribute type 3 has an invalid length.
[ 56.111228][ T6938] netlink: 'syz-executor005': attribute type 3 has an invalid length.
[ 56.111691][ T6947] netlink: 'syz-executor005': attribute type 3 has an invalid length.
[ 56.120692][ T6921] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.134617][ T6947] netlink: 'syz-executor005': attribute type 8 has an invalid length.
executing program
executing program
executing program
executing program
[ 56.139198][ T6938] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.147312][ T6947] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.157998][ T6940] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.169871][ T6957] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.175931][ T6956] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.192942][ T6958] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.199019][ T6959] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor005'.
[ 56.212673][ T6938] ==================================================================
[ 56.221528][ T6938] BUG: KASAN: vmalloc-out-of-bounds in nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.230010][ T6938] Read of size 4 at addr ffffc90001f89018 by task syz-executor005/6938
[ 56.238222][ T6938]
[ 56.240537][ T6938] CPU: 0 PID: 6938 Comm: syz-executor005 Not tainted 5.8.0-rc3-syzkaller #0
[ 56.249181][ T6938] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.259212][ T6938] Call Trace:
[ 56.262478][ T6938] dump_stack+0x18f/0x20d
[ 56.266798][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.272327][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.277852][ T6938] print_address_description.constprop.0.cold+0x5/0x436
[ 56.284762][ T6938] ? lockdep_hardirqs_off+0x66/0xa0
[ 56.289934][ T6938] ? vprintk_func+0x97/0x1a6
[ 56.294501][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.300019][ T6938] kasan_report.cold+0x1f/0x37
[ 56.304758][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.310280][ T6938] nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.315631][ T6938] ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 56.321585][ T6938] ? __kmalloc_node_track_caller+0x38/0x60
[ 56.327366][ T6938] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 56.334101][ T6938] ? __phys_addr+0x9a/0x110
[ 56.338582][ T6938] ? memset+0x20/0x40
[ 56.342546][ T6938] genl_lock_dumpit+0x7f/0xb0
[ 56.347200][ T6938] netlink_dump+0x4cd/0xf60
[ 56.351722][ T6938] ? netlink_insert+0x1670/0x1670
[ 56.356726][ T6938] ? __mutex_unlock_slowpath+0xe2/0x610
[ 56.362249][ T6938] ? genl_start+0x45a/0x6e0
[ 56.366729][ T6938] __netlink_dump_start+0x643/0x900
[ 56.371900][ T6938] ? genl_rcv_msg+0x9e0/0x9e0
[ 56.376553][ T6938] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 56.383291][ T6938] genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 56.388984][ T6938] ? genl_rcv+0x40/0x40
[ 56.393112][ T6938] ? mutex_lock_io_nested+0xf60/0xf60
[ 56.398461][ T6938] ? mark_lock+0xbc/0x1710
[ 56.402849][ T6938] ? genl_rcv_msg+0x9e0/0x9e0
[ 56.407499][ T6938] ? genl_unlock+0x20/0x20
[ 56.411885][ T6938] ? genl_parallel_done+0x170/0x170
[ 56.417060][ T6938] ? __radix_tree_lookup+0x1f3/0x290
[ 56.422320][ T6938] genl_rcv_msg+0x797/0x9e0
[ 56.426802][ T6938] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 56.433711][ T6938] ? lock_acquire+0x1f1/0xad0
[ 56.438361][ T6938] ? genl_rcv+0x15/0x40
[ 56.442496][ T6938] ? lock_release+0x8d0/0x8d0
[ 56.447150][ T6938] netlink_rcv_skb+0x15a/0x430
[ 56.451888][ T6938] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 56.458799][ T6938] ? netlink_ack+0xa10/0xa10
[ 56.463368][ T6938] genl_rcv+0x24/0x40
[ 56.467324][ T6938] netlink_unicast+0x533/0x7d0
[ 56.472077][ T6938] ? netlink_attachskb+0x810/0x810
[ 56.477163][ T6938] ? _copy_from_iter_full+0x247/0x890
[ 56.482545][ T6938] ? __phys_addr_symbol+0x2c/0x70
[ 56.487553][ T6938] ? __check_object_size+0x171/0x3e4
[ 56.492841][ T6938] netlink_sendmsg+0x856/0xd90
[ 56.497583][ T6938] ? netlink_unicast+0x7d0/0x7d0
[ 56.502498][ T6938] ? netlink_unicast+0x7d0/0x7d0
[ 56.507423][ T6938] sock_sendmsg+0xcf/0x120
[ 56.511812][ T6938] ____sys_sendmsg+0x6e8/0x810
[ 56.516572][ T6938] ? kernel_sendmsg+0x50/0x50
[ 56.521220][ T6938] ? do_recvmmsg+0x6d0/0x6d0
[ 56.525785][ T6938] ? lock_acquire+0x1f1/0xad0
[ 56.530438][ T6938] ? do_huge_pmd_anonymous_page+0x120d/0x2230
[ 56.536492][ T6938] ___sys_sendmsg+0xf3/0x170
[ 56.541065][ T6938] ? sendmsg_copy_msghdr+0x160/0x160
[ 56.546328][ T6938] ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 56.552369][ T6938] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 56.558324][ T6938] ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 56.564280][ T6938] ? handle_mm_fault+0xad9/0x43f0
[ 56.569296][ T6938] ? __fget_light+0x215/0x280
[ 56.573952][ T6938] __sys_sendmsg+0xe5/0x1b0
[ 56.578428][ T6938] ? __sys_sendmsg_sock+0xb0/0xb0
[ 56.583429][ T6938] ? lock_is_held_type+0xb0/0xe0
[ 56.588344][ T6938] ? lock_is_held_type+0xb0/0xe0
[ 56.593254][ T6938] ? do_fast_syscall_32+0x40/0x120
[ 56.598338][ T6938] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 56.604293][ T6938] do_syscall_32_irqs_on+0x3f/0x60
[ 56.609377][ T6938] do_fast_syscall_32+0x7f/0x120
[ 56.614289][ T6938] entry_SYSENTER_compat+0x6d/0x7c
[ 56.619371][ T6938] RIP: 0023:0xf7f7b569
[ 56.623405][ T6938] Code: Bad RIP value.
[ 56.627441][ T6938] RSP: 002b:00000000ffb40eec EFLAGS: 00000246 ORIG_RAX: 0000000000000172
[ 56.635820][ T6938] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000000
[ 56.643765][ T6938] RDX: 0000000000000000 RSI: 000000000000000d RDI: 0000000000000001
[ 56.651708][ T6938] RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000
[ 56.659654][ T6938] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 56.667612][ T6938] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 56.675564][ T6938]
[ 56.677863][ T6938]
[ 56.680169][ T6938] Memory state around the buggy address:
[ 56.685771][ T6938] ffffc90001f88f00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
executing program
[ 56.693804][ T6938] ffffc90001f88f80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 56.701837][ T6938] >ffffc90001f89000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 56.709866][ T6938] ^
[ 56.714698][ T6938] ffffc90001f89080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 56.722731][ T6938] ffffc90001f89100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 56.730759][ T6938] ==================================================================
[ 56.738787][ T6938] Disabling lock debugging due to kernel taint
[ 56.750866][ T6938] Kernel panic - not syncing: panic_on_warn set ...
[ 56.757465][ T6938] CPU: 0 PID: 6938 Comm: syz-executor005 Tainted: G B 5.8.0-rc3-syzkaller #0
[ 56.767521][ T6938] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.777572][ T6938] Call Trace:
[ 56.780846][ T6938] dump_stack+0x18f/0x20d
[ 56.785151][ T6938] ? nl802154_dump_wpan_phy+0x8b0/0x9c0
[ 56.790668][ T6938] panic+0x2e3/0x75c
[ 56.794539][ T6938] ? __warn_printk+0xf3/0xf3
[ 56.799104][ T6938] ? preempt_schedule_common+0x59/0xc0
[ 56.804537][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.810054][ T6938] ? preempt_schedule_thunk+0x16/0x18
[ 56.815406][ T6938] ? trace_hardirqs_on+0x55/0x220
[ 56.820413][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.825933][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.831451][ T6938] end_report+0x4d/0x53
[ 56.835579][ T6938] kasan_report.cold+0xd/0x37
[ 56.840240][ T6938] ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.845796][ T6938] nl802154_dump_wpan_phy+0x98e/0x9c0
[ 56.851146][ T6938] ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 56.857097][ T6938] ? __kmalloc_node_track_caller+0x38/0x60
[ 56.862877][ T6938] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 56.869639][ T6938] ? __phys_addr+0x9a/0x110
[ 56.874120][ T6938] ? memset+0x20/0x40
[ 56.878184][ T6938] genl_lock_dumpit+0x7f/0xb0
[ 56.882881][ T6938] netlink_dump+0x4cd/0xf60
[ 56.887388][ T6938] ? netlink_insert+0x1670/0x1670
[ 56.892385][ T6938] ? __mutex_unlock_slowpath+0xe2/0x610
[ 56.897906][ T6938] ? genl_start+0x45a/0x6e0
[ 56.902385][ T6938] __netlink_dump_start+0x643/0x900
[ 56.907556][ T6938] ? genl_rcv_msg+0x9e0/0x9e0
[ 56.912209][ T6938] ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 56.918943][ T6938] genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 56.924633][ T6938] ? genl_rcv+0x40/0x40
[ 56.928760][ T6938] ? mutex_lock_io_nested+0xf60/0xf60
[ 56.934103][ T6938] ? mark_lock+0xbc/0x1710
[ 56.938489][ T6938] ? genl_rcv_msg+0x9e0/0x9e0
[ 56.943138][ T6938] ? genl_unlock+0x20/0x20
[ 56.947564][ T6938] ? genl_parallel_done+0x170/0x170
[ 56.952735][ T6938] ? __radix_tree_lookup+0x1f3/0x290
[ 56.958030][ T6938] genl_rcv_msg+0x797/0x9e0
[ 56.962509][ T6938] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 56.969414][ T6938] ? lock_acquire+0x1f1/0xad0
[ 56.974059][ T6938] ? genl_rcv+0x15/0x40
[ 56.978188][ T6938] ? lock_release+0x8d0/0x8d0
[ 56.982842][ T6938] netlink_rcv_skb+0x15a/0x430
[ 56.987585][ T6938] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 56.994494][ T6938] ? netlink_ack+0xa10/0xa10
[ 56.999057][ T6938] genl_rcv+0x24/0x40
[ 57.003010][ T6938] netlink_unicast+0x533/0x7d0
[ 57.007746][ T6938] ? netlink_attachskb+0x810/0x810
[ 57.012828][ T6938] ? _copy_from_iter_full+0x247/0x890
[ 57.018171][ T6938] ? __phys_addr_symbol+0x2c/0x70
[ 57.023170][ T6938] ? __check_object_size+0x171/0x3e4
[ 57.028427][ T6938] netlink_sendmsg+0x856/0xd90
[ 57.033164][ T6938] ? netlink_unicast+0x7d0/0x7d0
[ 57.038081][ T6938] ? netlink_unicast+0x7d0/0x7d0
[ 57.043001][ T6938] sock_sendmsg+0xcf/0x120
[ 57.047392][ T6938] ____sys_sendmsg+0x6e8/0x810
[ 57.052133][ T6938] ? kernel_sendmsg+0x50/0x50
[ 57.056783][ T6938] ? do_recvmmsg+0x6d0/0x6d0
[ 57.061353][ T6938] ? lock_acquire+0x1f1/0xad0
[ 57.066013][ T6938] ? do_huge_pmd_anonymous_page+0x120d/0x2230
[ 57.072059][ T6938] ___sys_sendmsg+0xf3/0x170
[ 57.076621][ T6938] ? sendmsg_copy_msghdr+0x160/0x160
[ 57.081879][ T6938] ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 57.087926][ T6938] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 57.093889][ T6938] ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 57.099853][ T6938] ? handle_mm_fault+0xad9/0x43f0
[ 57.104857][ T6938] ? __fget_light+0x215/0x280
[ 57.109506][ T6938] __sys_sendmsg+0xe5/0x1b0
[ 57.113983][ T6938] ? __sys_sendmsg_sock+0xb0/0xb0
[ 57.118982][ T6938] ? lock_is_held_type+0xb0/0xe0
[ 57.123894][ T6938] ? lock_is_held_type+0xb0/0xe0
[ 57.128805][ T6938] ? do_fast_syscall_32+0x40/0x120
[ 57.133888][ T6938] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 57.139842][ T6938] do_syscall_32_irqs_on+0x3f/0x60
[ 57.144929][ T6938] do_fast_syscall_32+0x7f/0x120
[ 57.149841][ T6938] entry_SYSENTER_compat+0x6d/0x7c
[ 57.154922][ T6938] RIP: 0023:0xf7f7b569
[ 57.158956][ T6938] Code: Bad RIP value.
[ 57.162991][ T6938] RSP: 002b:00000000ffb40eec EFLAGS: 00000246 ORIG_RAX: 0000000000000172
[ 57.171368][ T6938] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000000
[ 57.179314][ T6938] RDX: 0000000000000000 RSI: 000000000000000d RDI: 0000000000000001
[ 57.187256][ T6938] RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000
[ 57.195198][ T6938] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 57.203158][ T6938] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 57.212356][ T6938] Kernel Offset: disabled
[ 57.216678][ T6938] Rebooting in 86400 seconds..