[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 29.150504] kauditd_printk_skb: 8 callbacks suppressed
[ 29.150518] audit: type=1800 audit(1543150135.444:29): pid=5880 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 29.177582] audit: type=1800 audit(1543150135.444:30): pid=5880 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 39.585291] ==================================================================
[ 39.592739] BUG: KASAN: slab-out-of-bounds in queue_stack_map_push_elem+0x185/0x290
[ 39.600514] Write of size 262146 at addr ffff8881bf9b13c8 by task syz-executor064/6036
[ 39.608543]
[ 39.610164] CPU: 0 PID: 6036 Comm: syz-executor064 Not tainted 4.20.0-rc3+ #348
[ 39.617605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.626938] Call Trace:
[ 39.629513] dump_stack+0x244/0x39d
[ 39.633124] ? dump_stack_print_info.cold.1+0x20/0x20
[ 39.638304] ? printk+0xa7/0xcf
[ 39.641565] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 39.646315] print_address_description.cold.7+0x9/0x1ff
[ 39.651664] kasan_report.cold.8+0x242/0x309
[ 39.656057] ? queue_stack_map_push_elem+0x185/0x290
[ 39.661174] check_memory_region+0x13e/0x1b0
[ 39.665565] memcpy+0x37/0x50
[ 39.668658] queue_stack_map_push_elem+0x185/0x290
[ 39.673574] ? queue_map_pop_elem+0x30/0x30
[ 39.677895] map_update_elem+0x605/0xf60
[ 39.681960] __x64_sys_bpf+0x32d/0x520
[ 39.685848] ? bpf_prog_get+0x20/0x20
[ 39.689675] do_syscall_64+0x1b9/0x820
[ 39.693546] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 39.698891] ? syscall_return_slowpath+0x5e0/0x5e0
[ 39.703801] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.708652] ? trace_hardirqs_on_caller+0x310/0x310
[ 39.713665] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 39.718681] ? prepare_exit_to_usermode+0x291/0x3b0
[ 39.723686] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.728533] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.733706] RIP: 0033:0x4400e9
[ 39.736882] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 39.755806] RSP: 002b:00007ffd719fbdb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 39.763510] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[ 39.770777] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 39.778025] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 39.785280] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[ 39.792575] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 39.799833]
[ 39.801442] Allocated by task 6036:
[ 39.805084] save_stack+0x43/0xd0
[ 39.808524] kasan_kmalloc+0xc7/0xe0
[ 39.812220] __kmalloc_node+0x50/0x70
[ 39.815998] bpf_map_area_alloc+0x3f/0x90
[ 39.820144] queue_stack_map_alloc+0x192/0x290
[ 39.824741] map_create+0x3bd/0x1110
[ 39.828441] __x64_sys_bpf+0x303/0x520
[ 39.832310] do_syscall_64+0x1b9/0x820
[ 39.836212] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.841381]
[ 39.842987] Freed by task 3715:
[ 39.846264] save_stack+0x43/0xd0
[ 39.849700] __kasan_slab_free+0x102/0x150
[ 39.853915] kasan_slab_free+0xe/0x10
[ 39.857695] kfree+0xcf/0x230
[ 39.860783] skb_free_head+0x99/0xc0
[ 39.864477] skb_release_data+0x70c/0x9a0
[ 39.868608] skb_release_all+0x4a/0x60
[ 39.872479] consume_skb+0x1ae/0x570
[ 39.876175] skb_free_datagram+0x1a/0xf0
[ 39.880220] unix_dgram_recvmsg+0xd6d/0x1b10
[ 39.884608] sock_recvmsg+0xd0/0x110
[ 39.888304] __sys_recvfrom+0x311/0x5d0
[ 39.892261] __x64_sys_recvfrom+0xe1/0x1a0
[ 39.896476] do_syscall_64+0x1b9/0x820
[ 39.900350] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.905517]
[ 39.907126] The buggy address belongs to the object at ffff8881bf9b1280
[ 39.907126]  which belongs to the cache kmalloc-512 of size 512
[ 39.919794] The buggy address is located 328 bytes inside of
[ 39.919794]  512-byte region [ffff8881bf9b1280, ffff8881bf9b1480)
[ 39.931650] The buggy address belongs to the page:
[ 39.936574] page:ffffea0006fe6c40 count:1 mapcount:0 mapping:ffff8881da800940 index:0x0
[ 39.944711] flags: 0x2fffc0000000200(slab)
[ 39.948931] raw: 02fffc0000000200 ffffea0006fe6c08 ffffea0006fe6d08 ffff8881da800940
[ 39.956792] raw: 0000000000000000 ffff8881bf9b1000 0000000100000006 0000000000000000
[ 39.964671] page dumped because: kasan: bad access detected
[ 39.970356]
[ 39.971964] Memory state around the buggy address:
[ 39.976907]  ffff8881bf9b1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.984267]  ffff8881bf9b1380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.991624] >ffff8881bf9b1400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.998965] ^
[ 40.002310]  ffff8881bf9b1480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.009649]  ffff8881bf9b1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.016986] ==================================================================
[ 40.024336] Disabling lock debugging due to kernel taint
[ 40.029766] Kernel panic - not syncing: panic_on_warn set ...
[ 40.035631] CPU: 0 PID: 6036 Comm: syz-executor064 Tainted: G B 4.20.0-rc3+ #348
[ 40.044445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.053780] Call Trace:
[ 40.056348] dump_stack+0x244/0x39d
[ 40.059963] ? dump_stack_print_info.cold.1+0x20/0x20
[ 40.065143] panic+0x2ad/0x55c
[ 40.068325] ? add_taint.cold.5+0x16/0x16
[ 40.072459] ? add_taint.cold.5+0x5/0x16
[ 40.076500] ? trace_hardirqs_off+0xaf/0x310
[ 40.080890] kasan_end_report+0x47/0x4f
[ 40.084844] kasan_report.cold.8+0x76/0x309
[ 40.089158] ? queue_stack_map_push_elem+0x185/0x290
[ 40.094245] check_memory_region+0x13e/0x1b0
[ 40.098654] memcpy+0x37/0x50
[ 40.101743] queue_stack_map_push_elem+0x185/0x290
[ 40.106654] ? queue_map_pop_elem+0x30/0x30
[ 40.110955] map_update_elem+0x605/0xf60
[ 40.114995] __x64_sys_bpf+0x32d/0x520
[ 40.118878] ? bpf_prog_get+0x20/0x20
[ 40.122665] do_syscall_64+0x1b9/0x820
[ 40.126532] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.131877] ? syscall_return_slowpath+0x5e0/0x5e0
[ 40.136804] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.141630] ? trace_hardirqs_on_caller+0x310/0x310
[ 40.146643] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 40.151660] ? prepare_exit_to_usermode+0x291/0x3b0
[ 40.156662] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.161489] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.166660] RIP: 0033:0x4400e9
[ 40.169848] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 40.188730] RSP: 002b:00007ffd719fbdb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 40.196426] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[ 40.203675] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 40.210942] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 40.218208] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[ 40.225458] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 40.233693] Kernel Offset: disabled
[ 40.237316] Rebooting in 86400 seconds..