[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.207' (ECDSA) to the list of known hosts.

syzkaller login: [ 69.435482][ T27] audit: type=1400 audit(1593893703.183:8): avc: denied { execmem } for pid=6806 comm="syz-executor410" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 69.456154][ T6815] IPVS: ftp: loaded support on port[0] = 21
[ 69.465560][ T6814] IPVS: ftp: loaded support on port[0] = 21
[ 69.479921][ T6817] IPVS: ftp: loaded support on port[0] = 21
[ 69.493010][ T6813] IPVS: ftp: loaded support on port[0] = 21
[ 69.500114][ T6816] IPVS: ftp: loaded support on port[0] = 21
[ 69.515384][ T6818] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 69.641777][ T6909] netlink: 'syz-executor410': attribute type 3 has an invalid length.
[ 69.652927][ T6909] netlink: 'syz-executor410': attribute type 8 has an invalid length.
[ 69.665692][ T6920] netlink: 'syz-executor410': attribute type 3 has an invalid length.
[ 69.674638][ T6909] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
executing program
executing program
executing program
executing program
[ 69.684472][ T6920] netlink: 'syz-executor410': attribute type 8 has an invalid length.
[ 69.697694][ T6938] netlink: 'syz-executor410': attribute type 3 has an invalid length.
[ 69.703179][ T6920] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
[ 69.717223][ T6938] netlink: 'syz-executor410': attribute type 8 has an invalid length.
[ 69.720205][ T6939] netlink: 'syz-executor410': attribute type 3 has an invalid length.
[ 69.730283][ T6944] netlink: 'syz-executor410': attribute type 3 has an invalid length.
executing program
executing program
[ 69.734993][ T6937] netlink: 'syz-executor410': attribute type 3 has an invalid length.
[ 69.742349][ T6938] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
[ 69.753607][ T6937] netlink: 'syz-executor410': attribute type 8 has an invalid length.
[ 69.762788][ T6944] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
[ 69.770278][ T6945] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
executing program
executing program
executing program
[ 69.787892][ T6939] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
[ 69.788660][ T6946] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
[ 69.802211][ T6947] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
[ 69.812435][ T6948] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
[ 69.817841][ T6937] netlink: 16602 bytes leftover after parsing attributes in process `syz-executor410'.
executing program
executing program
[ 69.837166][ T6939] ==================================================================
[ 69.845496][ T6939] BUG: KASAN: vmalloc-out-of-bounds in nl802154_dump_wpan_phy+0x98e/0x9c0
[ 69.853988][ T6939] Read of size 4 at addr ffffc90001d67018 by task syz-executor410/6939
[ 69.862200][ T6939]
[ 69.864519][ T6939] CPU: 0 PID: 6939 Comm: syz-executor410 Not tainted 5.8.0-rc3-syzkaller #0
[ 69.873165][ T6939] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.883207][ T6939] Call Trace:
[ 69.886487][ T6939]  dump_stack+0x18f/0x20d
[ 69.890843][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 69.896380][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 69.901921][ T6939]  print_address_description.constprop.0.cold+0x5/0x436
[ 69.908859][ T6939]  ? lockdep_hardirqs_off+0x66/0xa0
[ 69.914050][ T6939]  ? vprintk_func+0x97/0x1a6
[ 69.918646][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 69.924186][ T6939]  kasan_report.cold+0x1f/0x37
[ 69.928950][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 69.934479][ T6939]  nl802154_dump_wpan_phy+0x98e/0x9c0
[ 69.939853][ T6939]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 69.945828][ T6939]  ? __kmalloc_node_track_caller+0x38/0x60
[ 69.951618][ T6939]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 69.958415][ T6939]  ? __phys_addr+0x9a/0x110
[ 69.962920][ T6939]  ? memset+0x20/0x40
[ 69.966884][ T6939]  genl_lock_dumpit+0x7f/0xb0
[ 69.971539][ T6939]  netlink_dump+0x4cd/0xf60
[ 69.976024][ T6939]  ? netlink_insert+0x1670/0x1670
[ 69.981092][ T6939]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 69.986641][ T6939]  ? genl_start+0x45a/0x6e0
[ 69.991147][ T6939]  __netlink_dump_start+0x643/0x900
[ 69.996335][ T6939]  ? genl_rcv_msg+0x9e0/0x9e0
[ 70.001037][ T6939]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 70.007779][ T6939]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 70.013506][ T6939]  ? genl_rcv+0x40/0x40
[ 70.017729][ T6939]  ? mutex_lock_io_nested+0xf60/0xf60
[ 70.023085][ T6939]  ? mark_lock+0xbc/0x1710
[ 70.027480][ T6939]  ? genl_rcv_msg+0x9e0/0x9e0
[ 70.032136][ T6939]  ? genl_unlock+0x20/0x20
[ 70.036576][ T6939]  ? genl_parallel_done+0x170/0x170
[ 70.041754][ T6939]  ? __radix_tree_lookup+0x1f3/0x290
[ 70.047021][ T6939]  genl_rcv_msg+0x797/0x9e0
[ 70.051513][ T6939]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 70.058429][ T6939]  ? lock_acquire+0x1f1/0xad0
[ 70.063084][ T6939]  ? genl_rcv+0x15/0x40
[ 70.067223][ T6939]  ? lock_release+0x8d0/0x8d0
[ 70.071881][ T6939]  netlink_rcv_skb+0x15a/0x430
[ 70.076646][ T6939]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 70.083579][ T6939]  ? netlink_ack+0xa10/0xa10
[ 70.088177][ T6939]  genl_rcv+0x24/0x40
[ 70.092160][ T6939]  netlink_unicast+0x533/0x7d0
[ 70.096912][ T6939]  ? netlink_attachskb+0x810/0x810
[ 70.102005][ T6939]  ? _copy_from_iter_full+0x247/0x890
[ 70.107360][ T6939]  netlink_sendmsg+0x856/0xd90
[ 70.112115][ T6939]  ? netlink_unicast+0x7d0/0x7d0
[ 70.117064][ T6939]  ? netlink_unicast+0x7d0/0x7d0
[ 70.121983][ T6939]  sock_sendmsg+0xcf/0x120
[ 70.126383][ T6939]  ____sys_sendmsg+0x6e8/0x810
[ 70.131129][ T6939]  ? kernel_sendmsg+0x50/0x50
[ 70.135788][ T6939]  ? do_recvmmsg+0x6d0/0x6d0
[ 70.140372][ T6939]  ? lock_acquire+0x1f1/0xad0
[ 70.145033][ T6939]  ? do_huge_pmd_anonymous_page+0x120d/0x2230
[ 70.151076][ T6939]  ? find_held_lock+0x2d/0x110
[ 70.155824][ T6939]  ___sys_sendmsg+0xf3/0x170
[ 70.160396][ T6939]  ? sendmsg_copy_msghdr+0x160/0x160
[ 70.165680][ T6939]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 70.171646][ T6939]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 70.177609][ T6939]  ? handle_mm_fault+0xad9/0x43f0
[ 70.182620][ T6939]  ? find_held_lock+0x2d/0x110
[ 70.187378][ T6939]  ? __fget_light+0x215/0x280
[ 70.192043][ T6939]  __sys_sendmsg+0xe5/0x1b0
[ 70.196528][ T6939]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 70.201556][ T6939]  ? do_syscall_64+0x1c/0xe0
[ 70.206135][ T6939]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 70.212109][ T6939]  do_syscall_64+0x60/0xe0
[ 70.216507][ T6939]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.222377][ T6939] RIP: 0033:0x441409
[ 70.226243][ T6939] Code: Bad RIP value.
[ 70.230290][ T6939] RSP: 002b:00007ffd7f8b2a78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 70.238708][ T6939] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 70.246658][ T6939] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 70.254615][ T6939] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 70.262573][ T6939] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 70.270529][ T6939] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 70.278492][ T6939]
[ 70.280853][ T6939]
[ 70.283191][ T6939] Memory state around the buggy address:
[ 70.288818][ T6939]  ffffc90001d66f00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 70.296911][ T6939]  ffffc90001d66f80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 70.304977][ T6939] >ffffc90001d67000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 70.313101][ T6939]                             ^
[ 70.317971][ T6939]  ffffc90001d67080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 70.326010][ T6939]  ffffc90001d67100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 70.334045][ T6939] ==================================================================
[ 70.342080][ T6939] Disabling lock debugging due to kernel taint
[ 70.348873][ T6939] Kernel panic - not syncing: panic_on_warn set ...
[ 70.355471][ T6939] CPU: 0 PID: 6939 Comm: syz-executor410 Tainted: G B 5.8.0-rc3-syzkaller #0
[ 70.365536][ T6939] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.375581][ T6939] Call Trace:
[ 70.378852][ T6939]  dump_stack+0x18f/0x20d
[ 70.383163][ T6939]  ? nl802154_dump_wpan_phy+0x8b0/0x9c0
[ 70.388685][ T6939]  panic+0x2e3/0x75c
[ 70.392566][ T6939]  ? __warn_printk+0xf3/0xf3
[ 70.397196][ T6939]  ? preempt_schedule_common+0x59/0xc0
[ 70.402635][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 70.408165][ T6939]  ? preempt_schedule_thunk+0x16/0x18
[ 70.413517][ T6939]  ? trace_hardirqs_on+0x55/0x220
[ 70.418532][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 70.424062][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 70.429644][ T6939]  end_report+0x4d/0x53
[ 70.433839][ T6939]  kasan_report.cold+0xd/0x37
[ 70.438544][ T6939]  ? nl802154_dump_wpan_phy+0x98e/0x9c0
[ 70.444088][ T6939]  nl802154_dump_wpan_phy+0x98e/0x9c0
[ 70.449450][ T6939]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 70.455413][ T6939]  ? __kmalloc_node_track_caller+0x38/0x60
[ 70.461195][ T6939]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 70.468019][ T6939]  ? __phys_addr+0x9a/0x110
[ 70.472501][ T6939]  ? memset+0x20/0x40
[ 70.476459][ T6939]  genl_lock_dumpit+0x7f/0xb0
[ 70.481111][ T6939]  netlink_dump+0x4cd/0xf60
[ 70.485639][ T6939]  ? netlink_insert+0x1670/0x1670
[ 70.490647][ T6939]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 70.496183][ T6939]  ? genl_start+0x45a/0x6e0
[ 70.500678][ T6939]  __netlink_dump_start+0x643/0x900
[ 70.505852][ T6939]  ? genl_rcv_msg+0x9e0/0x9e0
[ 70.510508][ T6939]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 70.517255][ T6939]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 70.523014][ T6939]  ? genl_rcv+0x40/0x40
[ 70.527147][ T6939]  ? mutex_lock_io_nested+0xf60/0xf60
[ 70.532544][ T6939]  ? mark_lock+0xbc/0x1710
[ 70.536972][ T6939]  ? genl_rcv_msg+0x9e0/0x9e0
[ 70.541652][ T6939]  ? genl_unlock+0x20/0x20
[ 70.546058][ T6939]  ? genl_parallel_done+0x170/0x170
[ 70.551243][ T6939]  ? __radix_tree_lookup+0x1f3/0x290
[ 70.556504][ T6939]  genl_rcv_msg+0x797/0x9e0
[ 70.561093][ T6939]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 70.568003][ T6939]  ? lock_acquire+0x1f1/0xad0
[ 70.572659][ T6939]  ? genl_rcv+0x15/0x40
[ 70.576818][ T6939]  ? lock_release+0x8d0/0x8d0
[ 70.581474][ T6939]  netlink_rcv_skb+0x15a/0x430
[ 70.586227][ T6939]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 70.593136][ T6939]  ? netlink_ack+0xa10/0xa10
[ 70.597704][ T6939]  genl_rcv+0x24/0x40
[ 70.601661][ T6939]  netlink_unicast+0x533/0x7d0
[ 70.606399][ T6939]  ? netlink_attachskb+0x810/0x810
[ 70.611503][ T6939]  ? _copy_from_iter_full+0x247/0x890
[ 70.616850][ T6939]  netlink_sendmsg+0x856/0xd90
[ 70.622206][ T6939]  ? netlink_unicast+0x7d0/0x7d0
[ 70.627123][ T6939]  ? netlink_unicast+0x7d0/0x7d0
[ 70.632053][ T6939]  sock_sendmsg+0xcf/0x120
[ 70.636473][ T6939]  ____sys_sendmsg+0x6e8/0x810
[ 70.641234][ T6939]  ? kernel_sendmsg+0x50/0x50
[ 70.645892][ T6939]  ? do_recvmmsg+0x6d0/0x6d0
[ 70.650488][ T6939]  ? lock_acquire+0x1f1/0xad0
[ 70.655150][ T6939]  ? do_huge_pmd_anonymous_page+0x120d/0x2230
[ 70.661197][ T6939]  ? find_held_lock+0x2d/0x110
[ 70.665935][ T6939]  ___sys_sendmsg+0xf3/0x170
[ 70.670508][ T6939]  ? sendmsg_copy_msghdr+0x160/0x160
[ 70.675777][ T6939]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 70.681749][ T6939]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 70.687910][ T6939]  ? handle_mm_fault+0xad9/0x43f0
[ 70.692934][ T6939]  ? find_held_lock+0x2d/0x110
[ 70.697682][ T6939]  ? __fget_light+0x215/0x280
[ 70.702335][ T6939]  __sys_sendmsg+0xe5/0x1b0
[ 70.706818][ T6939]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 70.711828][ T6939]  ? do_syscall_64+0x1c/0xe0
[ 70.716408][ T6939]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 70.722377][ T6939]  do_syscall_64+0x60/0xe0
[ 70.726839][ T6939]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.732717][ T6939] RIP: 0033:0x441409
[ 70.736645][ T6939] Code: Bad RIP value.
[ 70.740699][ T6939] RSP: 002b:00007ffd7f8b2a78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 70.749081][ T6939] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 70.757032][ T6939] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 70.764980][ T6939] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 70.773016][ T6939] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 70.781303][ T6939] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 70.790528][ T6939] Kernel Offset: disabled
[ 70.795276][ T6939] Rebooting in 86400 seconds..