Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 549.836334][ T6808] netlink: 26 bytes leftover after parsing attributes in process `syz-executor982'.
[ 549.842720][ T6813] netlink: 26 bytes leftover after parsing attributes in process `syz-executor982'.
[ 549.854262][ T6814] netlink: 26 bytes leftover after parsing attributes in process `syz-executor982'.
[ 549.856687][ T6815] netlink: 26 bytes leftover after parsing attributes in process `syz-executor982'.
[ 549.865594][ T6816] netlink: 26 bytes leftover after parsing attributes in process `syz-executor982'.
executing program
executing program
[ 549.876283][ T6813] netlink: 'syz-executor982': attribute type 6 has an invalid length.
[ 549.885055][ T6817] netlink: 26 bytes leftover after parsing attributes in process `syz-executor982'.
[ 549.895636][ T6815] netlink: 'syz-executor982': attribute type 6 has an invalid length.
[ 549.902212][ T6814] netlink: 'syz-executor982': attribute type 6 has an invalid length.
[ 549.911125][ T6808] netlink: 'syz-executor982': attribute type 6 has an invalid length.
[ 549.918695][ T6817] netlink: 'syz-executor982': attribute type 6 has an invalid length.
[ 549.935353][ T6816] ==================================================================
[ 549.943725][ T6816] BUG: KASAN: use-after-free in nla_memcpy+0x9c/0xa0
[ 549.950399][ T6816] Read of size 2 at addr ffff8880a0ca8414 by task syz-executor982/6816
[ 549.958612][ T6816]
[ 549.960926][ T6816] CPU: 0 PID: 6816 Comm: syz-executor982 Not tainted 5.8.0-rc2-syzkaller #0
[ 549.969591][ T6816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 549.979695][ T6816] Call Trace:
[ 549.982972][ T6816]  dump_stack+0x18f/0x20d
[ 549.987328][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 549.991636][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 549.996037][ T6816]  print_address_description.constprop.0.cold+0xae/0x436
[ 550.003123][ T6816]  ? vprintk_func+0x97/0x1a6
[ 550.007705][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 550.012016][ T6816]  kasan_report.cold+0x1f/0x37
[ 550.016762][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 550.021075][ T6816]  nla_memcpy+0x9c/0xa0
[ 550.025343][ T6816]  __cfg802154_wpan_dev_from_attrs+0x3e0/0x510
[ 550.031552][ T6816]  ? lock_acquire+0x1f1/0xad0
[ 550.036253][ T6816]  ? nl802154_post_doit+0x1f0/0x1f0
[ 550.041432][ T6816]  ? lock_release+0x8d0/0x8d0
[ 550.046148][ T6816]  ? genl_rcv+0x24/0x40
[ 550.050281][ T6816]  ? netlink_unicast+0x533/0x7d0
[ 550.055201][ T6816]  ? netlink_sendmsg+0x856/0xd90
[ 550.060134][ T6816]  nl802154_prepare_wpan_dev_dump.constprop.0+0xf9/0x490
[ 550.067137][ T6816]  nl802154_dump_llsec_dev+0xc0/0xb10
[ 550.072529][ T6816]  ? __mutex_lock+0x626/0x10d0
[ 550.077272][ T6816]  ? genl_lock_dumpit+0x5b/0xb0
[ 550.082113][ T6816]  ? nl802154_get_interface+0x230/0x230
[ 550.087662][ T6816]  ? mutex_lock_io_nested+0xf60/0xf60
[ 550.093037][ T6816]  ? check_preemption_disabled+0x38/0x220
[ 550.098780][ T6816]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 550.104304][ T6816]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 550.110270][ T6816]  ? __kmalloc_node_track_caller+0x38/0x60
[ 550.116064][ T6816]  ? kasan_unpoison_shadow+0x33/0x40
[ 550.121399][ T6816]  ? __phys_addr+0x9a/0x110
[ 550.125903][ T6816]  ? memset+0x20/0x40
[ 550.129886][ T6816]  genl_lock_dumpit+0x7f/0xb0
[ 550.134601][ T6816]  netlink_dump+0x4cd/0xf60
[ 550.139099][ T6816]  ? netlink_insert+0x1670/0x1670
[ 550.144101][ T6816]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 550.149638][ T6816]  ? genl_start+0x45a/0x6e0
[ 550.154128][ T6816]  __netlink_dump_start+0x643/0x900
[ 550.159316][ T6816]  ? genl_rcv_msg+0x9e0/0x9e0
[ 550.163989][ T6816]  ? nl802154_get_interface+0x230/0x230
[ 550.169521][ T6816]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 550.175271][ T6816]  ? genl_rcv+0x40/0x40
[ 550.179448][ T6816]  ? mutex_lock_io_nested+0xf60/0xf60
[ 550.184908][ T6816]  ? apparmor_capable+0x1d8/0x460
[ 550.189914][ T6816]  ? genl_rcv_msg+0x9e0/0x9e0
[ 550.194566][ T6816]  ? genl_unlock+0x20/0x20
[ 550.198960][ T6816]  ? genl_parallel_done+0x170/0x170
[ 550.204192][ T6816]  ? ns_capable+0xde/0x100
[ 550.208602][ T6816]  genl_rcv_msg+0x797/0x9e0
[ 550.213134][ T6816]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 550.220051][ T6816]  ? lock_acquire+0x1f1/0xad0
[ 550.224703][ T6816]  ? genl_rcv+0x15/0x40
[ 550.228838][ T6816]  ? lock_release+0x8d0/0x8d0
[ 550.233500][ T6816]  netlink_rcv_skb+0x15a/0x430
[ 550.238244][ T6816]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 550.245156][ T6816]  ? netlink_ack+0xa10/0xa10
[ 550.249733][ T6816]  genl_rcv+0x24/0x40
[ 550.253699][ T6816]  netlink_unicast+0x533/0x7d0
[ 550.258458][ T6816]  ? netlink_attachskb+0x810/0x810
[ 550.263856][ T6816]  ? _copy_from_iter_full+0x247/0x890
[ 550.269206][ T6816]  ? __phys_addr+0x9a/0x110
[ 550.273688][ T6816]  ? __phys_addr_symbol+0x2c/0x70
[ 550.278782][ T6816]  ? __check_object_size+0x171/0x3e4
[ 550.284049][ T6816]  netlink_sendmsg+0x856/0xd90
[ 550.289489][ T6816]  ? netlink_unicast+0x7d0/0x7d0
[ 550.294424][ T6816]  ? netlink_unicast+0x7d0/0x7d0
[ 550.299449][ T6816]  sock_sendmsg+0xcf/0x120
[ 550.303847][ T6816]  ____sys_sendmsg+0x6e8/0x810
[ 550.308590][ T6816]  ? kernel_sendmsg+0x50/0x50
[ 550.313250][ T6816]  ? do_recvmmsg+0x6d0/0x6d0
[ 550.317861][ T6816]  ? release_pages+0x641/0x17a0
[ 550.322699][ T6816]  ___sys_sendmsg+0xf3/0x170
[ 550.327975][ T6816]  ? sendmsg_copy_msghdr+0x160/0x160
[ 550.333325][ T6816]  ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 550.339390][ T6816]  ? check_preemption_disabled+0x38/0x220
[ 550.345112][ T6816]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 550.351150][ T6816]  ? handle_mm_fault+0xad9/0x4420
[ 550.356176][ T6816]  ? __fget_light+0x215/0x280
[ 550.360839][ T6816]  __sys_sendmsg+0xe5/0x1b0
[ 550.365322][ T6816]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 550.370328][ T6816]  ? check_preemption_disabled+0x38/0x220
[ 550.376047][ T6816]  ? do_syscall_64+0x1c/0xe0
[ 550.380625][ T6816]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 550.386586][ T6816]  do_syscall_64+0x60/0xe0
[ 550.390989][ T6816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 550.396869][ T6816] RIP: 0033:0x4413c9
[ 550.400751][ T6816] Code: Bad RIP value.
[ 550.404811][ T6816] RSP: 002b:00007fff5b30bca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 550.413196][ T6816] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413c9
[ 550.421149][ T6816] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 550.429107][ T6816] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 550.437074][ T6816] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402140
[ 550.445124][ T6816] R13: 00000000004021d0 R14: 0000000000000000 R15: 0000000000000000
[ 550.453107][ T6816]
[ 550.455476][ T6816] Allocated by task 6815:
[ 550.459797][ T6816]  save_stack+0x1b/0x40
[ 550.463940][ T6816]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 550.469565][ T6816]  __alloc_skb+0xae/0x550
[ 550.473871][ T6816]  netlink_sendmsg+0x94f/0xd90
[ 550.478635][ T6816]  sock_sendmsg+0xcf/0x120
[ 550.483037][ T6816]  ____sys_sendmsg+0x6e8/0x810
[ 550.487775][ T6816]  ___sys_sendmsg+0xf3/0x170
[ 550.492356][ T6816]  __sys_sendmsg+0xe5/0x1b0
[ 550.496856][ T6816]  do_syscall_64+0x60/0xe0
[ 550.501259][ T6816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 550.507123][ T6816]
[ 550.509428][ T6816] Freed by task 6815:
[ 550.513387][ T6816]  save_stack+0x1b/0x40
[ 550.517531][ T6816]  __kasan_slab_free+0xf5/0x140
[ 550.522367][ T6816]  kfree+0x103/0x2c0
[ 550.526240][ T6816]  skb_release_data+0x6d9/0x910
[ 550.531066][ T6816]  consume_skb+0xc2/0x160
[ 550.535372][ T6816]  netlink_unicast+0x53b/0x7d0
[ 550.540110][ T6816]  netlink_sendmsg+0x856/0xd90
[ 550.544865][ T6816]  sock_sendmsg+0xcf/0x120
[ 550.549259][ T6816]  ____sys_sendmsg+0x6e8/0x810
[ 550.554015][ T6816]  ___sys_sendmsg+0xf3/0x170
[ 550.558579][ T6816]  __sys_sendmsg+0xe5/0x1b0
[ 550.563075][ T6816]  do_syscall_64+0x60/0xe0
[ 550.567468][ T6816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 550.573328][ T6816]
[ 550.575634][ T6816] The buggy address belongs to the object at ffff8880a0ca8400
[ 550.575634][ T6816]  which belongs to the cache kmalloc-512 of size 512
[ 550.589662][ T6816] The buggy address is located 20 bytes inside of
[ 550.589662][ T6816]  512-byte region [ffff8880a0ca8400, ffff8880a0ca8600)
[ 550.602816][ T6816] The buggy address belongs to the page:
[ 550.608426][ T6816] page:ffffea0002832a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 550.617514][ T6816] flags: 0xfffe0000000200(slab)
[ 550.622371][ T6816] raw: 00fffe0000000200 ffffea00029e1288 ffffea00028ef888 ffff8880aa000a80
[ 550.630931][ T6816] raw: 0000000000000000 ffff8880a0ca8000 0000000100000004 0000000000000000
[ 550.639503][ T6816] page dumped because: kasan: bad access detected
[ 550.645887][ T6816]
[ 550.648189][ T6816] Memory state around the buggy address:
[ 550.653797][ T6816]  ffff8880a0ca8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 550.661833][ T6816]  ffff8880a0ca8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 550.669887][ T6816] >ffff8880a0ca8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 550.677918][ T6816]                          ^
[ 550.682482][ T6816]  ffff8880a0ca8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 550.690518][ T6816]  ffff8880a0ca8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 550.698550][ T6816] ==================================================================
[ 550.706581][ T6816] Disabling lock debugging due to kernel taint
[ 550.713678][ T6816] Kernel panic - not syncing: panic_on_warn set ...
[ 550.720269][ T6816] CPU: 0 PID: 6816 Comm: syz-executor982 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 550.730317][ T6816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 550.740360][ T6816] Call Trace:
[ 550.743644][ T6816]  dump_stack+0x18f/0x20d
[ 550.747969][ T6816]  ? nla_memcpy+0x50/0xa0
[ 550.752354][ T6816]  panic+0x2e3/0x75c
[ 550.756279][ T6816]  ? __warn_printk+0xf3/0xf3
[ 550.760861][ T6816]  ? preempt_schedule_common+0x59/0xc0
[ 550.766295][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 550.770681][ T6816]  ? preempt_schedule_thunk+0x16/0x18
[ 550.776058][ T6816]  ? trace_hardirqs_on+0x55/0x220
[ 550.781060][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 550.785362][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 550.789667][ T6816]  end_report+0x4d/0x53
[ 550.793798][ T6816]  kasan_report.cold+0xd/0x37
[ 550.798449][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 550.802770][ T6816]  nla_memcpy+0x9c/0xa0
[ 550.806915][ T6816]  __cfg802154_wpan_dev_from_attrs+0x3e0/0x510
[ 550.813051][ T6816]  ? lock_acquire+0x1f1/0xad0
[ 550.817708][ T6816]  ? nl802154_post_doit+0x1f0/0x1f0
[ 550.822879][ T6816]  ? lock_release+0x8d0/0x8d0
[ 550.827548][ T6816]  ? genl_rcv+0x24/0x40
[ 550.831677][ T6816]  ? netlink_unicast+0x533/0x7d0
[ 550.836604][ T6816]  ? netlink_sendmsg+0x856/0xd90
[ 550.841530][ T6816]  nl802154_prepare_wpan_dev_dump.constprop.0+0xf9/0x490
[ 550.848543][ T6816]  nl802154_dump_llsec_dev+0xc0/0xb10
[ 550.853890][ T6816]  ? __mutex_lock+0x626/0x10d0
[ 550.858635][ T6816]  ? genl_lock_dumpit+0x5b/0xb0
[ 550.863470][ T6816]  ? nl802154_get_interface+0x230/0x230
[ 550.868988][ T6816]  ? mutex_lock_io_nested+0xf60/0xf60
[ 550.874332][ T6816]  ? check_preemption_disabled+0x38/0x220
[ 550.880027][ T6816]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 550.885547][ T6816]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 550.891517][ T6816]  ? __kmalloc_node_track_caller+0x38/0x60
[ 550.897308][ T6816]  ? kasan_unpoison_shadow+0x33/0x40
[ 550.902577][ T6816]  ? __phys_addr+0x9a/0x110
[ 550.907084][ T6816]  ? memset+0x20/0x40
[ 550.911058][ T6816]  genl_lock_dumpit+0x7f/0xb0
[ 550.915709][ T6816]  netlink_dump+0x4cd/0xf60
[ 550.920190][ T6816]  ? netlink_insert+0x1670/0x1670
[ 550.925205][ T6816]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 550.930726][ T6816]  ? genl_start+0x45a/0x6e0
[ 550.935207][ T6816]  __netlink_dump_start+0x643/0x900
[ 550.940383][ T6816]  ? genl_rcv_msg+0x9e0/0x9e0
[ 550.945055][ T6816]  ? nl802154_get_interface+0x230/0x230
[ 550.950597][ T6816]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 550.956290][ T6816]  ? genl_rcv+0x40/0x40
[ 550.960425][ T6816]  ? mutex_lock_io_nested+0xf60/0xf60
[ 550.966139][ T6816]  ? apparmor_capable+0x1d8/0x460
[ 550.971137][ T6816]  ? genl_rcv_msg+0x9e0/0x9e0
[ 550.975788][ T6816]  ? genl_unlock+0x20/0x20
[ 550.980174][ T6816]  ? genl_parallel_done+0x170/0x170
[ 550.985349][ T6816]  ? ns_capable+0xde/0x100
[ 550.989741][ T6816]  genl_rcv_msg+0x797/0x9e0
[ 550.994223][ T6816]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 551.001169][ T6816]  ? lock_acquire+0x1f1/0xad0
[ 551.005833][ T6816]  ? genl_rcv+0x15/0x40
[ 551.009981][ T6816]  ? lock_release+0x8d0/0x8d0
[ 551.014637][ T6816]  netlink_rcv_skb+0x15a/0x430
[ 551.019378][ T6816]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 551.026284][ T6816]  ? netlink_ack+0xa10/0xa10
[ 551.030857][ T6816]  genl_rcv+0x24/0x40
[ 551.034821][ T6816]  netlink_unicast+0x533/0x7d0
[ 551.039581][ T6816]  ? netlink_attachskb+0x810/0x810
[ 551.044691][ T6816]  ? _copy_from_iter_full+0x247/0x890
[ 551.050037][ T6816]  ? __phys_addr+0x9a/0x110
[ 551.054513][ T6816]  ? __phys_addr_symbol+0x2c/0x70
[ 551.059513][ T6816]  ? __check_object_size+0x171/0x3e4
[ 551.064796][ T6816]  netlink_sendmsg+0x856/0xd90
[ 551.069545][ T6816]  ? netlink_unicast+0x7d0/0x7d0
[ 551.074465][ T6816]  ? netlink_unicast+0x7d0/0x7d0
[ 551.079385][ T6816]  sock_sendmsg+0xcf/0x120
[ 551.083795][ T6816]  ____sys_sendmsg+0x6e8/0x810
[ 551.088543][ T6816]  ? kernel_sendmsg+0x50/0x50
[ 551.093194][ T6816]  ? do_recvmmsg+0x6d0/0x6d0
[ 551.097763][ T6816]  ? release_pages+0x641/0x17a0
[ 551.102594][ T6816]  ___sys_sendmsg+0xf3/0x170
[ 551.107171][ T6816]  ? sendmsg_copy_msghdr+0x160/0x160
[ 551.112430][ T6816]  ? do_huge_pmd_anonymous_page+0x1b94/0x2230
[ 551.118471][ T6816]  ? check_preemption_disabled+0x38/0x220
[ 551.124164][ T6816]  ? do_huge_pmd_anonymous_page+0x8ef/0x2230
[ 551.130122][ T6816]  ? handle_mm_fault+0xad9/0x4420
[ 551.135122][ T6816]  ? __fget_light+0x215/0x280
[ 551.139777][ T6816]  __sys_sendmsg+0xe5/0x1b0
[ 551.144252][ T6816]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 551.149872][ T6816]  ? check_preemption_disabled+0x38/0x220
[ 551.155568][ T6816]  ? do_syscall_64+0x1c/0xe0
[ 551.160144][ T6816]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 551.166173][ T6816]  do_syscall_64+0x60/0xe0
[ 551.170572][ T6816]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 551.176442][ T6816] RIP: 0033:0x4413c9
[ 551.180325][ T6816] Code: Bad RIP value.
[ 551.184362][ T6816] RSP: 002b:00007fff5b30bca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 551.192760][ T6816] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413c9
[ 551.200705][ T6816] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[ 551.208650][ T6816] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 551.216647][ T6816] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402140
[ 551.224591][ T6816] R13: 00000000004021d0 R14: 0000000000000000 R15: 0000000000000000
[ 551.233719][ T6816] Kernel Offset: disabled
[ 551.238050][ T6816] Rebooting in 86400 seconds..
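Added triage helper, not part of the syzbot report above and not kernel code: a parser that reduces a KASAN console log like this one to the facts a practitioner checks first. For this report those are that the 2-byte read in nla_memcpy is reached from nl802154_dump_llsec_dev via nl802154_prepare_wpan_dev_dump and __cfg802154_wpan_dev_from_attrs, that the freed kmalloc-512 object was allocated by __alloc_skb in netlink_sendmsg and released by consume_skb in netlink_unicast (a netlink message buffer), that the access lands 20 bytes into the object, and that the last allocation and free were done by task 6815 while the faulting task is 6816. The SAMPLE below is an abbreviated excerpt of the log above; the "? " frames and KASAN's own reporting frames are filtered out, since they are stack residue rather than the call path.

```python
"""Pull the triage-relevant facts out of a syzbot/KASAN console log (added example)."""
import re
from dataclasses import dataclass, field

# Console prefix "[  549.943725][ T6816] body"; whitespace may be collapsed.
PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\d+\]\s?(.*)$")
BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
SECTION_RE = re.compile(r"^(Call Trace:|Allocated by task (\d+):|Freed by task (\d+):)$")
FRAME_RE = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames from KASAN/stack-capture machinery rather than from the bug itself.
NOISE = ("dump_stack", "print_address_description", "kasan_report", "__kasan_", "save_stack", "end_report")


@dataclass
class KasanReport:
    kind: str = ""      # e.g. "use-after-free"
    func: str = ""      # symbol+offset named on the BUG line
    op: str = ""        # "Read" or "Write"
    size: int = 0
    addr: int = 0
    pid: int = 0        # task that made the bad access
    object_base: int = 0
    cache: str = ""
    object_size: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    trace: list = field(default_factory=list)   # reliable frames only
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)

    @property
    def offset(self) -> int:        # byte offset of the access inside the object
        return self.addr - self.object_base

    def cross_task(self) -> bool:   # accessor is neither the last allocator nor the freer
        return self.pid not in (self.alloc_pid, self.free_pid)


def parse(log: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in log.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                  # syzkaller stdout, ssh noise, login prompt
        body = m.group(1).strip()
        if not body:
            section = None            # a blank line closes a stack section
        elif mm := BUG_RE.search(body):
            r.kind, r.func = mm.groups()
        elif mm := ACCESS_RE.search(body):
            r.op, r.size = mm.group(1), int(mm.group(2))
            r.addr, r.pid = int(mm.group(3), 16), int(mm.group(4))
        elif mm := OBJECT_RE.search(body):
            r.object_base = int(mm.group(1), 16)
        elif mm := CACHE_RE.search(body):
            r.cache, r.object_size = mm.group(1), int(mm.group(2))
        elif mm := SECTION_RE.match(body):
            if body.startswith("Call"):     # keep the report's trace, not the later panic trace
                section = r.trace if not r.trace else None
            elif body.startswith("Allocated"):
                r.alloc_pid, section = int(mm.group(2)), r.alloc_stack
            else:
                r.free_pid, section = int(mm.group(3)), r.free_stack
        elif section is not None and (mm := FRAME_RE.match(body)):
            sym = mm.group(2)
            if not mm.group(1) and not sym.startswith(NOISE):
                section.append(sym)   # drop "? " guesses and KASAN frames
    return r


# Abbreviated excerpt of the console log above.
SAMPLE = """\
[ 549.943725][ T6816] BUG: KASAN: use-after-free in nla_memcpy+0x9c/0xa0
[ 549.950399][ T6816] Read of size 2 at addr ffff8880a0ca8414 by task syz-executor982/6816
[ 549.979695][ T6816] Call Trace:
[ 549.987328][ T6816]  ? nla_memcpy+0x9c/0xa0
[ 550.012016][ T6816]  kasan_report.cold+0x1f/0x37
[ 550.021075][ T6816]  nla_memcpy+0x9c/0xa0
[ 550.025343][ T6816]  __cfg802154_wpan_dev_from_attrs+0x3e0/0x510
[ 550.060134][ T6816]  nl802154_prepare_wpan_dev_dump.constprop.0+0xf9/0x490
[ 550.067137][ T6816]  nl802154_dump_llsec_dev+0xc0/0xb10
[ 550.455476][ T6816] Allocated by task 6815:
[ 550.459797][ T6816]  save_stack+0x1b/0x40
[ 550.469565][ T6816]  __alloc_skb+0xae/0x550
[ 550.473871][ T6816]  netlink_sendmsg+0x94f/0xd90
[ 550.509428][ T6816] Freed by task 6815:
[ 550.522367][ T6816]  kfree+0x103/0x2c0
[ 550.526240][ T6816]  skb_release_data+0x6d9/0x910
[ 550.531066][ T6816]  consume_skb+0xc2/0x160
[ 550.535372][ T6816]  netlink_unicast+0x53b/0x7d0
[ 550.573328][ T6816]
[ 550.575634][ T6816] The buggy address belongs to the object at ffff8880a0ca8400
[ 550.575634][ T6816]  which belongs to the cache kmalloc-512 of size 512
"""

if __name__ == "__main__":
    rep = parse(SAMPLE)
    print(f"{rep.kind}: {rep.op} of {rep.size} at {rep.cache}+{rep.offset}, path {' <- '.join(rep.trace)}")
    print(f"freed by task {rep.free_pid} via {' <- '.join(rep.free_stack)}; cross-task: {rep.cross_task()}")
```

Feed the whole console log to parse() rather than the excerpt and the result is the same, because the second Call Trace (printed by the panic) is skipped and the "RIP:"/register lines never match a frame. The cross_task() flag is worth surfacing on every report: when the task that faults is not the one that last allocated or freed the object, the slot has usually been reused once already, so the allocation stack KASAN shows may describe the second owner of the memory rather than the first.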