[   37.086822] audit: type=1800 audit(1548293866.261:28): pid=7616 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   37.722039] audit: type=1800 audit(1548293866.971:29): pid=7616 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   37.741441] audit: type=1800 audit(1548293866.971:30): pid=7616 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.144' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   45.734566] ==================================================================
[   45.742052] BUG: KASAN: global-out-of-bounds in validate_nla+0x12c4/0x1580
[   45.749074] Read of size 1 at addr ffffffff88f41fc0 by task syz-executor771/7789
[   45.756597]
[   45.758212] CPU: 1 PID: 7789 Comm: syz-executor771 Not tainted 5.0.0-rc3+ #40
[   45.765462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.774809] Call Trace:
[   45.777384]  dump_stack+0x1db/0x2d0
[   45.781095]  ? dump_stack_print_info.cold+0x20/0x20
[   45.786111]  ? mark_held_locks+0xb1/0x100
[   45.790281]  ? validate_nla+0x12c4/0x1580
[   45.794420]  print_address_description.cold+0x5/0x20d
[   45.799715]  ? validate_nla+0x12c4/0x1580
[   45.803847]  ? validate_nla+0x12c4/0x1580
[   45.807979]  kasan_report.cold+0x1b/0x40
[   45.812025]  ? do_raw_spin_trylock+0x1a0/0x270
[   45.816589]  ? validate_nla+0x12c4/0x1580
[   45.820725]  __asan_report_load1_noabort+0x14/0x20
[   45.825650]  validate_nla+0x12c4/0x1580
[   45.829610]  ? nla_memcpy+0xb0/0xb0
[   45.833251]  ? depot_save_stack+0x1de/0x460
[   45.837573]  ? save_stack+0xa9/0xd0
[   45.841182]  ? save_stack+0x45/0xd0
[   45.844792]  ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[   45.849965]  ? kasan_kmalloc+0x9/0x10
[   45.853754]  nla_validate+0xc1/0x130
[   45.857452]  validate_nla+0x711/0x1580
[   45.861322]  ? print_usage_bug+0xb0/0xd0
[   45.865366]  ? nla_memcpy+0xb0/0xb0
[   45.869190]  ? add_lock_to_list.isra.0+0x450/0x450
[   45.874104]  ? find_held_lock+0x35/0x120
[   45.878154]  ? add_lock_to_list.isra.0+0x450/0x450
[   45.883101]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   45.888667]  __nla_parse+0x206/0x340
[   45.892386]  nla_parse+0x45/0x60
[   45.895755]  nl80211_dump_wiphy_parse.isra.0.constprop.0+0x133/0x610
[   45.902252]  ? nl80211_set_cqm+0x1e50/0x1e50
[   45.906655]  nl80211_dump_wiphy+0x595/0x760
[   45.910981]  genl_lock_dumpit+0x6d/0xa0
[   45.914946]  netlink_dump+0x5f2/0x1070
[   45.918841]  ? netlink_broadcast+0x50/0x50
[   45.923096]  __netlink_dump_start+0x5b4/0x7e0
[   45.927588]  ? genl_lock_dumpit+0xa0/0xa0
[   45.931734]  genl_family_rcv_msg+0xeb5/0x11a0
[   45.936216]  ? genl_unregister_family+0x8a0/0x8a0
[   45.941043]  ? genl_lock_dumpit+0xa0/0xa0
[   45.945203]  ? genl_lock_done+0xe0/0xe0
[   45.949166]  ? genl_unlock+0x20/0x20
[   45.952867]  ? radix_tree_insert+0x850/0x850
[   45.957270]  ? netlink_deliver_tap+0x32b/0xf40
[   45.961842]  ? lock_downgrade+0x910/0x910
[   45.965978]  ? kasan_check_read+0x11/0x20
[   45.970114]  genl_rcv_msg+0xca/0x16c
[   45.973826]  netlink_rcv_skb+0x17d/0x410
[   45.977870]  ? genl_family_rcv_msg+0x11a0/0x11a0
[   45.982608]  ? netlink_ack+0xba0/0xba0
[   45.986486]  ? __down_interruptible+0x740/0x740
[   45.991153]  genl_rcv+0x29/0x40
[   45.994416]  netlink_unicast+0x574/0x770
[   45.998461]  ? netlink_attachskb+0x980/0x980
[   46.002870]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.008411]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   46.013413]  netlink_sendmsg+0xa05/0xf90
[   46.017457]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   46.022983]  ? netlink_unicast+0x770/0x770
[   46.027209]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[   46.032038]  ? apparmor_socket_sendmsg+0x2a/0x30
[   46.036780]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.042311]  ? security_socket_sendmsg+0x93/0xc0
[   46.047057]  ? netlink_unicast+0x770/0x770
[   46.051288]  sock_sendmsg+0xdd/0x130
[   46.054986]  ___sys_sendmsg+0x7ec/0x910
[   46.058946]  ? copy_msghdr_from_user+0x570/0x570
[   46.063688]  ? __handle_mm_fault+0x955/0x55a0
[   46.068172]  ? add_lock_to_list.isra.0+0x450/0x450
[   46.073088]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[   46.077916]  ? check_preemption_disabled+0x48/0x290
[   46.082920]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.088442]  ? __fget_light+0x2db/0x420
[   46.092399]  ? fget_raw+0x20/0x20
[   46.095839]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   46.101100]  ? rcu_read_unlock_special+0x380/0x380
[   46.106022]  ? __fdget+0x1b/0x20
[   46.109369]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   46.114889]  ? sockfd_lookup_light+0xc2/0x160
[   46.119372]  __sys_sendmsg+0x112/0x270
[   46.123250]  ? __ia32_sys_shutdown+0x80/0x80
[   46.127638]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.133156]  ? vmacache_update+0x114/0x140
[   46.137398]  ? __ia32_sys_fallocate+0xf0/0xf0
[   46.141884]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.147232]  ? trace_hardirqs_off_caller+0x300/0x300
[   46.152321]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   46.157067]  __x64_sys_sendmsg+0x78/0xb0
[   46.161114]  do_syscall_64+0x1a3/0x800
[   46.164997]  ? syscall_return_slowpath+0x5f0/0x5f0
[   46.169925]  ? prepare_exit_to_usermode+0x232/0x3b0
[   46.174927]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.179768]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.184939] RIP: 0033:0x4400d9
[   46.188126] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   46.207013] RSP: 002b:00007ffd4f4bf478 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   46.214723] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400d9
[   46.221990] RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003
[   46.229342] RBP: 00000000006ca018 R08: 0000000000000006 R09: 00000000004002c8
[   46.236595] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401960
[   46.243845] R13: 00000000004019f0 R14: 0000000000000000 R15: 0000000000000000
[   46.251105]
[   46.252728] The buggy address belongs to the variable:
[   46.257993]  nl80211_pmsr_attr_policy+0x60/0x80
[   46.262639]
[   46.264256] Memory state around the buggy address:
[   46.269170]  ffffffff88f41e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.276508]  ffffffff88f41f00: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[   46.284116] >ffffffff88f41f80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[   46.291454]                                            ^
[   46.296885]  ffffffff88f42000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
[   46.304226]  ffffffff88f42080: 00 00 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[   46.311563] ==================================================================
[   46.318901] Disabling lock debugging due to kernel taint
[   46.324850] Kernel panic - not syncing: panic_on_warn set ...
[   46.330736] CPU: 1 PID: 7789 Comm: syz-executor771 Tainted: G    B             5.0.0-rc3+ #40
[   46.339379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.348709] Call Trace:
[   46.351390]  dump_stack+0x1db/0x2d0
[   46.355014]  ? dump_stack_print_info.cold+0x20/0x20
[   46.360015]  panic+0x2cb/0x65c
[   46.363197]  ? add_taint.cold+0x16/0x16
[   46.367153]  ? validate_nla+0x12c4/0x1580
[   46.371282]  ? preempt_schedule+0x4b/0x60
[   46.375410]  ? ___preempt_schedule+0x16/0x18
[   46.379802]  ? trace_hardirqs_on+0xb4/0x310
[   46.384112]  ? validate_nla+0x12c4/0x1580
[   46.388245]  end_report+0x47/0x4f
[   46.391683]  ? validate_nla+0x12c4/0x1580
[   46.395812]  kasan_report.cold+0xe/0x40
[   46.399768]  ? do_raw_spin_trylock+0x1a0/0x270
[   46.404332]  ? validate_nla+0x12c4/0x1580
[   46.408463]  __asan_report_load1_noabort+0x14/0x20
[   46.413461]  validate_nla+0x12c4/0x1580
[   46.417419]  ? nla_memcpy+0xb0/0xb0
[   46.421029]  ? depot_save_stack+0x1de/0x460
[   46.425336]  ? save_stack+0xa9/0xd0
[   46.428944]  ? save_stack+0x45/0xd0
[   46.432554]  ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[   46.437639]  ? kasan_kmalloc+0x9/0x10
[   46.441426]  nla_validate+0xc1/0x130
[   46.445153]  validate_nla+0x711/0x1580
[   46.449026]  ? print_usage_bug+0xb0/0xd0
[   46.453069]  ? nla_memcpy+0xb0/0xb0
[   46.456681]  ? add_lock_to_list.isra.0+0x450/0x450
[   46.461592]  ? find_held_lock+0x35/0x120
[   46.465636]  ? add_lock_to_list.isra.0+0x450/0x450
[   46.470553]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.476075]  __nla_parse+0x206/0x340
[   46.479777]  nla_parse+0x45/0x60
[   46.483128]  nl80211_dump_wiphy_parse.isra.0.constprop.0+0x133/0x610
[   46.489606]  ? nl80211_set_cqm+0x1e50/0x1e50
[   46.493997]  nl80211_dump_wiphy+0x595/0x760
[   46.498305]  genl_lock_dumpit+0x6d/0xa0
[   46.502263]  netlink_dump+0x5f2/0x1070
[   46.506139]  ? netlink_broadcast+0x50/0x50
[   46.510363]  __netlink_dump_start+0x5b4/0x7e0
[   46.514846]  ? genl_lock_dumpit+0xa0/0xa0
[   46.518976]  genl_family_rcv_msg+0xeb5/0x11a0
[   46.523455]  ? genl_unregister_family+0x8a0/0x8a0
[   46.528281]  ? genl_lock_dumpit+0xa0/0xa0
[   46.532409]  ? genl_lock_done+0xe0/0xe0
[   46.536361]  ? genl_unlock+0x20/0x20
[   46.540063]  ? radix_tree_insert+0x850/0x850
[   46.544459]  ? netlink_deliver_tap+0x32b/0xf40
[   46.549027]  ? lock_downgrade+0x910/0x910
[   46.553160]  ? kasan_check_read+0x11/0x20
[   46.557294]  genl_rcv_msg+0xca/0x16c
[   46.560991]  netlink_rcv_skb+0x17d/0x410
[   46.565037]  ? genl_family_rcv_msg+0x11a0/0x11a0
[   46.569775]  ? netlink_ack+0xba0/0xba0
[   46.573650]  ? __down_interruptible+0x740/0x740
[   46.578333]  genl_rcv+0x29/0x40
[   46.581597]  netlink_unicast+0x574/0x770
[   46.585646]  ? netlink_attachskb+0x980/0x980
[   46.590124]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.595647]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   46.600653]  netlink_sendmsg+0xa05/0xf90
[   46.604718]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   46.610254]  ? netlink_unicast+0x770/0x770
[   46.614473]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[   46.619321]  ? apparmor_socket_sendmsg+0x2a/0x30
[   46.624061]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.629590]  ? security_socket_sendmsg+0x93/0xc0
[   46.634327]  ? netlink_unicast+0x770/0x770
[   46.638545]  sock_sendmsg+0xdd/0x130
[   46.642242]  ___sys_sendmsg+0x7ec/0x910
[   46.646198]  ? copy_msghdr_from_user+0x570/0x570
[   46.650939]  ? __handle_mm_fault+0x955/0x55a0
[   46.655414]  ? add_lock_to_list.isra.0+0x450/0x450
[   46.660328]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[   46.665164]  ? check_preemption_disabled+0x48/0x290
[   46.670165]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.675683]  ? __fget_light+0x2db/0x420
[   46.679649]  ? fget_raw+0x20/0x20
[   46.683096]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   46.688354]  ? rcu_read_unlock_special+0x380/0x380
[   46.693283]  ? __fdget+0x1b/0x20
[   46.696637]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   46.702161]  ? sockfd_lookup_light+0xc2/0x160
[   46.706643]  __sys_sendmsg+0x112/0x270
[   46.710516]  ? __ia32_sys_shutdown+0x80/0x80
[   46.714906]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.720428]  ? vmacache_update+0x114/0x140
[   46.724649]  ? __ia32_sys_fallocate+0xf0/0xf0
[   46.729138]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.734485]  ? trace_hardirqs_off_caller+0x300/0x300
[   46.739571]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   46.744327]  __x64_sys_sendmsg+0x78/0xb0
[   46.748373]  do_syscall_64+0x1a3/0x800
[   46.752249]  ? syscall_return_slowpath+0x5f0/0x5f0
[   46.757166]  ? prepare_exit_to_usermode+0x232/0x3b0
[   46.762166]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.766992]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.772160] RIP: 0033:0x4400d9
[   46.775334] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   46.794304] RSP: 002b:00007ffd4f4bf478 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   46.802000] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400d9
[   46.809967] RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003
[   46.817221] RBP: 00000000006ca018 R08: 0000000000000006 R09: 00000000004002c8
[   46.824476] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401960
[   46.831726] R13: 00000000004019f0 R14: 0000000000000000 R15: 0000000000000000
[   46.840191] Kernel Offset: disabled
[   46.843814] Rebooting in 86400 seconds..