[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started System Logging Service.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.30' (ECDSA) to the list of known hosts.

syzkaller login: [ 60.305786][ T6827] IPVS: ftp: loaded support on port[0] = 21
[ 60.307606][ T6830] IPVS: ftp: loaded support on port[0] = 21
[ 60.323718][ T6832] IPVS: ftp: loaded support on port[0] = 21
[ 60.325038][ T6824] IPVS: ftp: loaded support on port[0] = 21
[ 60.341568][ T6829] IPVS: ftp: loaded support on port[0] = 21
[ 60.356127][ T6831] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 60.464030][ T6887] netlink: 'syz-executor532': attribute type 6 has an invalid length.
[ 60.481749][ T6887] netlink: 'syz-executor532': attribute type 3 has an invalid length.
executing program
executing program
[ 60.516690][ T6926] netlink: 'syz-executor532': attribute type 6 has an invalid length.
[ 60.518571][ T6933] netlink: 'syz-executor532': attribute type 6 has an invalid length.
[ 60.531471][ T6936] netlink: 'syz-executor532': attribute type 6 has an invalid length.
[ 60.545239][ T6926] netlink: 'syz-executor532': attribute type 3 has an invalid length.
[ 60.548744][ T6937] netlink: 'syz-executor532': attribute type 6 has an invalid length.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 60.574492][ T6936] netlink: 'syz-executor532': attribute type 3 has an invalid length.
[ 60.576845][ T6933] netlink: 'syz-executor532': attribute type 3 has an invalid length.
[ 60.598447][ T6937] netlink: 'syz-executor532': attribute type 3 has an invalid length.
executing program
[ 60.618960][ T6937] ==================================================================
[ 60.627225][ T6937] BUG: KASAN: use-after-free in nla_memcpy+0x9c/0xa0
[ 60.633894][ T6937] Read of size 2 at addr ffff8880a46aec14 by task syz-executor532/6937
[ 60.642117][ T6937]
[ 60.644486][ T6937] CPU: 1 PID: 6937 Comm: syz-executor532 Not tainted 5.8.0-rc1-syzkaller #0
[ 60.653136][ T6937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.663172][ T6937] Call Trace:
[ 60.666452][ T6937]  dump_stack+0x18f/0x20d
[ 60.670906][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 60.675223][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 60.680022][ T6937]  print_address_description.constprop.0.cold+0xae/0x436
[ 60.687068][ T6937]  ? vprintk_func+0x97/0x1a6
[ 60.691656][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 60.695997][ T6937]  kasan_report.cold+0x1f/0x37
[ 60.700769][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 60.705172][ T6937]  nla_memcpy+0x9c/0xa0
[ 60.709437][ T6937]  nl802154_dump_wpan_phy+0x59b/0x9c0
[ 60.714844][ T6937]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 60.720813][ T6937]  ? __kmalloc_node_track_caller+0x38/0x60
[ 60.726616][ T6937]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 60.733365][ T6937]  ? __phys_addr+0x9a/0x110
[ 60.737912][ T6937]  ? memset+0x20/0x40
[ 60.741883][ T6937]  genl_lock_dumpit+0x7f/0xb0
[ 60.746646][ T6937]  netlink_dump+0x4cd/0xf60
[ 60.751204][ T6937]  ? netlink_insert+0x1670/0x1670
[ 60.756239][ T6937]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 60.761769][ T6937]  ? genl_start+0x45a/0x6e0
[ 60.766259][ T6937]  __netlink_dump_start+0x643/0x900
[ 60.771764][ T6937]  ? genl_rcv_msg+0x9e0/0x9e0
[ 60.776449][ T6937]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 60.783212][ T6937]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 60.788934][ T6937]  ? genl_rcv+0x40/0x40
[ 60.793171][ T6937]  ? mutex_lock_io_nested+0xf60/0xf60
[ 60.798720][ T6937]  ? mark_lock+0xbc/0x1710
[ 60.803130][ T6937]  ? genl_rcv_msg+0x9e0/0x9e0
[ 60.807789][ T6937]  ? genl_unlock+0x20/0x20
[ 60.812287][ T6937]  ? genl_parallel_done+0x170/0x170
[ 60.817514][ T6937]  ? __radix_tree_lookup+0x1f3/0x290
[ 60.822876][ T6937]  genl_rcv_msg+0x797/0x9e0
[ 60.827375][ T6937]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 60.834439][ T6937]  ? lock_acquire+0x1f1/0xad0
[ 60.839114][ T6937]  ? genl_rcv+0x15/0x40
[ 60.843255][ T6937]  ? lock_release+0x8d0/0x8d0
[ 60.847918][ T6937]  netlink_rcv_skb+0x15a/0x430
[ 60.852952][ T6937]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 60.859878][ T6937]  ? netlink_ack+0xa10/0xa10
[ 60.864478][ T6937]  genl_rcv+0x24/0x40
[ 60.868470][ T6937]  netlink_unicast+0x533/0x7d0
[ 60.873222][ T6937]  ? netlink_attachskb+0x810/0x810
[ 60.878583][ T6937]  ? _copy_from_iter_full+0x247/0x890
[ 60.883943][ T6937]  ? __phys_addr+0x9a/0x110
[ 60.888431][ T6937]  ? __phys_addr_symbol+0x2c/0x70
[ 60.893449][ T6937]  ? __check_object_size+0x171/0x3e4
[ 60.898748][ T6937]  netlink_sendmsg+0x856/0xd90
[ 60.903518][ T6937]  ? netlink_unicast+0x7d0/0x7d0
[ 60.908626][ T6937]  ? netlink_unicast+0x7d0/0x7d0
[ 60.913648][ T6937]  sock_sendmsg+0xcf/0x120
[ 60.918069][ T6937]  ____sys_sendmsg+0x6e8/0x810
[ 60.922961][ T6937]  ? kernel_sendmsg+0x50/0x50
[ 60.927646][ T6937]  ? do_recvmmsg+0x6d0/0x6d0
[ 60.932230][ T6937]  ? release_pages+0x641/0x17a0
[ 60.937317][ T6937]  ___sys_sendmsg+0xf3/0x170
[ 60.942006][ T6937]  ? sendmsg_copy_msghdr+0x160/0x160
[ 60.947720][ T6937]  ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 60.954660][ T6937]  ? check_preemption_disabled+0x38/0x220
[ 60.960393][ T6937]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 60.966386][ T6937]  ? handle_mm_fault+0xad9/0x4420
[ 60.971425][ T6937]  ? __fget_light+0x215/0x280
[ 60.976114][ T6937]  __sys_sendmsg+0xe5/0x1b0
[ 60.980632][ T6937]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 60.985661][ T6937]  ? check_preemption_disabled+0x38/0x220
[ 60.991377][ T6937]  ? do_syscall_64+0x1c/0xe0
[ 60.995972][ T6937]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.001940][ T6937]  do_syscall_64+0x60/0xe0
[ 61.006351][ T6937]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.012240][ T6937] RIP: 0033:0x441409
[ 61.016115][ T6937] Code: Bad RIP value.
[ 61.020158][ T6937] RSP: 002b:00007ffda49cc2b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 61.028547][ T6937] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 61.036773][ T6937] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 61.044827][ T6937] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 61.053059][ T6937] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 61.061030][ T6937] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 61.068998][ T6937]
[ 61.071308][ T6937] Allocated by task 6962:
[ 61.075729][ T6937]  save_stack+0x1b/0x40
[ 61.079872][ T6937]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.085496][ T6937]  __alloc_skb+0xae/0x550
[ 61.089806][ T6937]  netlink_sendmsg+0x94f/0xd90
[ 61.094631][ T6937]  sock_sendmsg+0xcf/0x120
[ 61.099115][ T6937]  ____sys_sendmsg+0x6e8/0x810
[ 61.103860][ T6937]  ___sys_sendmsg+0xf3/0x170
[ 61.108427][ T6937]  __sys_sendmsg+0xe5/0x1b0
[ 61.112908][ T6937]  do_syscall_64+0x60/0xe0
[ 61.117315][ T6937]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.123199][ T6937]
[ 61.125569][ T6937] Freed by task 6962:
[ 61.129531][ T6937]  save_stack+0x1b/0x40
[ 61.133689][ T6937]  __kasan_slab_free+0xf5/0x140
[ 61.138520][ T6937]  kfree+0x103/0x2c0
[ 61.142413][ T6937]  skb_release_data+0x6d9/0x910
[ 61.147419][ T6937]  consume_skb+0xc2/0x160
[ 61.151736][ T6937]  netlink_unicast+0x53b/0x7d0
[ 61.156481][ T6937]  netlink_sendmsg+0x856/0xd90
[ 61.161227][ T6937]  sock_sendmsg+0xcf/0x120
[ 61.165719][ T6937]  ____sys_sendmsg+0x6e8/0x810
[ 61.170479][ T6937]  ___sys_sendmsg+0xf3/0x170
[ 61.175076][ T6937]  __sys_sendmsg+0xe5/0x1b0
[ 61.179570][ T6937]  do_syscall_64+0x60/0xe0
[ 61.183979][ T6937]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.189929][ T6937]
[ 61.192511][ T6937] The buggy address belongs to the object at ffff8880a46aec00
[ 61.192511][ T6937]  which belongs to the cache kmalloc-512 of size 512
[ 61.207761][ T6937] The buggy address is located 20 bytes inside of
[ 61.207761][ T6937]  512-byte region [ffff8880a46aec00, ffff8880a46aee00)
[ 61.221044][ T6937] The buggy address belongs to the page:
[ 61.226689][ T6937] page:ffffea000291ab80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.235781][ T6937] flags: 0xfffe0000000200(slab)
[ 61.240618][ T6937] raw: 00fffe0000000200 ffffea00028dee88 ffffea0002548e08 ffff8880aa000a80
[ 61.249186][ T6937] raw: 0000000000000000 ffff8880a46ae000 0000000100000004 0000000000000000
[ 61.257756][ T6937] page dumped because: kasan: bad access detected
[ 61.264286][ T6937]
[ 61.266668][ T6937] Memory state around the buggy address:
[ 61.272319][ T6937]  ffff8880a46aeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.280460][ T6937]  ffff8880a46aeb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.289555][ T6937] >ffff8880a46aec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.298616][ T6937]                          ^
[ 61.303216][ T6937]  ffff8880a46aec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.311278][ T6937]  ffff8880a46aed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.320452][ T6937] ==================================================================
[ 61.328518][ T6937] Disabling lock debugging due to kernel taint
[ 61.335165][ T6937] Kernel panic - not syncing: panic_on_warn set ...
[ 61.341776][ T6937] CPU: 1 PID: 6937 Comm: syz-executor532 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 61.351929][ T6937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.362213][ T6937] Call Trace:
[ 61.365680][ T6937]  dump_stack+0x18f/0x20d
[ 61.370018][ T6937]  ? nla_memcpy+0x60/0xa0
[ 61.374348][ T6937]  panic+0x2e3/0x75c
[ 61.378353][ T6937]  ? __warn_printk+0xf3/0xf3
[ 61.383118][ T6937]  ? preempt_schedule_common+0x59/0xc0
[ 61.388568][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 61.392894][ T6937]  ? preempt_schedule_thunk+0x16/0x18
[ 61.398340][ T6937]  ? trace_hardirqs_on+0x55/0x220
[ 61.403436][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 61.407754][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 61.412099][ T6937]  end_report+0x4d/0x53
[ 61.416239][ T6937]  kasan_report.cold+0xd/0x37
[ 61.420899][ T6937]  ? nla_memcpy+0x9c/0xa0
[ 61.425487][ T6937]  nla_memcpy+0x9c/0xa0
[ 61.429636][ T6937]  nl802154_dump_wpan_phy+0x59b/0x9c0
[ 61.435080][ T6937]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 61.441041][ T6937]  ? __kmalloc_node_track_caller+0x38/0x60
[ 61.446830][ T6937]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 61.453609][ T6937]  ? __phys_addr+0x9a/0x110
[ 61.458208][ T6937]  ? memset+0x20/0x40
[ 61.462216][ T6937]  genl_lock_dumpit+0x7f/0xb0
[ 61.466930][ T6937]  netlink_dump+0x4cd/0xf60
[ 61.471423][ T6937]  ? netlink_insert+0x1670/0x1670
[ 61.476429][ T6937]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 61.481969][ T6937]  ? genl_start+0x45a/0x6e0
[ 61.486479][ T6937]  __netlink_dump_start+0x643/0x900
[ 61.491660][ T6937]  ? genl_rcv_msg+0x9e0/0x9e0
[ 61.496410][ T6937]  ? nl802154_send_wpan_phy.constprop.0+0x21d0/0x21d0
[ 61.503182][ T6937]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 61.508886][ T6937]  ? genl_rcv+0x40/0x40
[ 61.513195][ T6937]  ? mutex_lock_io_nested+0xf60/0xf60
[ 61.518559][ T6937]  ? mark_lock+0xbc/0x1710
[ 61.522968][ T6937]  ? genl_rcv_msg+0x9e0/0x9e0
[ 61.527624][ T6937]  ? genl_unlock+0x20/0x20
[ 61.532036][ T6937]  ? genl_parallel_done+0x170/0x170
[ 61.537235][ T6937]  ? __radix_tree_lookup+0x1f3/0x290
[ 61.542515][ T6937]  genl_rcv_msg+0x797/0x9e0
[ 61.547004][ T6937]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 61.553920][ T6937]  ? lock_acquire+0x1f1/0xad0
[ 61.558752][ T6937]  ? genl_rcv+0x15/0x40
[ 61.562888][ T6937]  ? lock_release+0x8d0/0x8d0
[ 61.567545][ T6937]  netlink_rcv_skb+0x15a/0x430
[ 61.572485][ T6937]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 61.579423][ T6937]  ? netlink_ack+0xa10/0xa10
[ 61.584026][ T6937]  genl_rcv+0x24/0x40
[ 61.588006][ T6937]  netlink_unicast+0x533/0x7d0
[ 61.592773][ T6937]  ? netlink_attachskb+0x810/0x810
[ 61.597877][ T6937]  ? _copy_from_iter_full+0x247/0x890
[ 61.603239][ T6937]  ? __phys_addr+0x9a/0x110
[ 61.608013][ T6937]  ? __phys_addr_symbol+0x2c/0x70
[ 61.613017][ T6937]  ? __check_object_size+0x171/0x3e4
[ 61.618295][ T6937]  netlink_sendmsg+0x856/0xd90
[ 61.623046][ T6937]  ? netlink_unicast+0x7d0/0x7d0
[ 61.627971][ T6937]  ? netlink_unicast+0x7d0/0x7d0
[ 61.632887][ T6937]  sock_sendmsg+0xcf/0x120
[ 61.637291][ T6937]  ____sys_sendmsg+0x6e8/0x810
[ 61.642037][ T6937]  ? kernel_sendmsg+0x50/0x50
[ 61.646784][ T6937]  ? do_recvmmsg+0x6d0/0x6d0
[ 61.651353][ T6937]  ? release_pages+0x641/0x17a0
[ 61.656192][ T6937]  ___sys_sendmsg+0xf3/0x170
[ 61.660799][ T6937]  ? sendmsg_copy_msghdr+0x160/0x160
[ 61.666126][ T6937]  ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 61.672180][ T6937]  ? check_preemption_disabled+0x38/0x220
[ 61.677907][ T6937]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 61.683894][ T6937]  ? handle_mm_fault+0xad9/0x4420
[ 61.688916][ T6937]  ? __fget_light+0x215/0x280
[ 61.693774][ T6937]  __sys_sendmsg+0xe5/0x1b0
[ 61.698270][ T6937]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 61.703297][ T6937]  ? check_preemption_disabled+0x38/0x220
[ 61.709001][ T6937]  ? do_syscall_64+0x1c/0xe0
[ 61.713572][ T6937]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.719556][ T6937]  do_syscall_64+0x60/0xe0
[ 61.724041][ T6937]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.729979][ T6937] RIP: 0033:0x441409
[ 61.733879][ T6937] Code: Bad RIP value.
[ 61.737924][ T6937] RSP: 002b:00007ffda49cc2b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 61.746684][ T6937] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441409
[ 61.754632][ T6937] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 61.762587][ T6937] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 61.771523][ T6937] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220
[ 61.779667][ T6937] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
[ 61.789648][ T6937] Kernel Offset: disabled
[ 61.793990][ T6937] Rebooting in 86400 seconds..