[ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Starting Load/Save RF Kill Switch Status... Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.96' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program syzkaller login: [ 63.240956][ T6823] netlink: 8 bytes leftover after parsing attributes in process `syz-executor007'. [ 63.245470][ T6828] netlink: 8 bytes leftover after parsing attributes in process `syz-executor007'. [ 63.260780][ T6829] netlink: 8 bytes leftover after parsing attributes in process `syz-executor007'. [ 63.261877][ T6830] netlink: 8 bytes leftover after parsing attributes in process `syz-executor007'. [ 63.273565][ T6831] netlink: 8 bytes leftover after parsing attributes in process `syz-executor007'. [ 63.282938][ T6830] ================================================================== [ 63.296988][ T6830] BUG: KASAN: use-after-free in tipc_nl_publ_dump+0xae0/0xce0 [ 63.304434][ T6830] Read of size 2 at addr ffff8880a7ee0284 by task syz-executor007/6830 [ 63.312644][ T6830] [ 63.314957][ T6830] CPU: 0 PID: 6830 Comm: syz-executor007 Not tainted 5.8.0-rc2-syzkaller #0 [ 63.323604][ T6830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 63.333635][ T6830] Call Trace: [ 63.337033][ T6830] dump_stack+0x18f/0x20d [ 63.341347][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 63.346566][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 63.351669][ T6830] print_address_description.constprop.0.cold+0xae/0x436 [ 63.358694][ T6830] ? vprintk_func+0x97/0x1a6 [ 63.363282][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 63.368494][ T6830] kasan_report.cold+0x1f/0x37 [ 63.373260][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 63.378365][ T6830] tipc_nl_publ_dump+0xae0/0xce0 [ 63.383433][ T6830] ? __mutex_lock+0x626/0x10d0 [ 63.388379][ T6830] ? tipc_nl_sk_dump+0x30/0x30 [ 63.393136][ T6830] ? check_preemption_disabled+0x38/0x220 [ 63.398847][ T6830] ? rcu_read_lock_sched_held+0x3a/0xb0 [ 63.404371][ T6830] ? kmem_cache_alloc_node_trace+0x3b0/0x400 [ 63.410331][ T6830] ? __kmalloc_node_track_caller+0x38/0x60 [ 63.416121][ T6830] ? kasan_unpoison_shadow+0x33/0x40 [ 63.421416][ T6830] ? __phys_addr+0x9a/0x110 [ 63.425901][ T6830] ? memset+0x20/0x40 [ 63.429896][ T6830] genl_lock_dumpit+0x7f/0xb0 [ 63.434554][ T6830] netlink_dump+0x4cd/0xf60 [ 63.439037][ T6830] ? netlink_insert+0x1670/0x1670 [ 63.444047][ T6830] ? __mutex_unlock_slowpath+0xe2/0x610 [ 63.449597][ T6830] ? genl_start+0x45a/0x6e0 [ 63.454108][ T6830] __netlink_dump_start+0x643/0x900 [ 63.459295][ T6830] ? genl_rcv_msg+0x9e0/0x9e0 [ 63.463951][ T6830] ? tipc_nl_sk_dump+0x30/0x30 [ 63.468702][ T6830] genl_family_rcv_msg_dumpit+0x2ac/0x310 [ 63.474409][ T6830] ? genl_rcv+0x40/0x40 [ 63.478541][ T6830] ? mutex_lock_io_nested+0xf60/0xf60 [ 63.483895][ T6830] ? mark_lock+0xbc/0x1710 [ 63.488292][ T6830] ? genl_rcv_msg+0x9e0/0x9e0 [ 63.492945][ T6830] ? genl_unlock+0x20/0x20 [ 63.497338][ T6830] ? genl_parallel_done+0x170/0x170 [ 63.502516][ T6830] ? __radix_tree_lookup+0x1f3/0x290 [ 63.507801][ T6830] genl_rcv_msg+0x797/0x9e0 [ 63.512322][ T6830] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310 [ 63.519250][ T6830] ? lock_acquire+0x1f1/0xad0 [ 63.523905][ T6830] ? genl_rcv+0x15/0x40 [ 63.528051][ T6830] ? lock_release+0x8d0/0x8d0 [ 63.532713][ T6830] netlink_rcv_skb+0x15a/0x430 [ 63.537458][ T6830] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310 [ 63.544372][ T6830] ? netlink_ack+0xa10/0xa10 [ 63.548950][ T6830] genl_rcv+0x24/0x40 [ 63.552913][ T6830] netlink_unicast+0x533/0x7d0 [ 63.557658][ T6830] ? netlink_attachskb+0x810/0x810 [ 63.562744][ T6830] ? _copy_from_iter_full+0x247/0x890 [ 63.568095][ T6830] ? __phys_addr+0x9a/0x110 [ 63.572587][ T6830] ? __phys_addr_symbol+0x2c/0x70 [ 63.577590][ T6830] ? __check_object_size+0x171/0x3e4 [ 63.582859][ T6830] netlink_sendmsg+0x856/0xd90 [ 63.587613][ T6830] ? netlink_unicast+0x7d0/0x7d0 [ 63.592538][ T6830] ? netlink_unicast+0x7d0/0x7d0 [ 63.597464][ T6830] sock_sendmsg+0xcf/0x120 [ 63.601862][ T6830] ____sys_sendmsg+0x6e8/0x810 [ 63.606608][ T6830] ? kernel_sendmsg+0x50/0x50 [ 63.611288][ T6830] ? do_recvmmsg+0x6d0/0x6d0 [ 63.615878][ T6830] ? find_held_lock+0x2d/0x110 [ 63.620630][ T6830] ? lockdep_hardirqs_on_prepare+0x590/0x590 [ 63.626589][ T6830] ? lock_downgrade+0x820/0x820 [ 63.631422][ T6830] ___sys_sendmsg+0xf3/0x170 [ 63.636017][ T6830] ? sendmsg_copy_msghdr+0x160/0x160 [ 63.641293][ T6830] ? debug_object_active_state+0x260/0x350 [ 63.647078][ T6830] ? lock_downgrade+0x820/0x820 [ 63.651914][ T6830] ? _raw_spin_unlock_irqrestore+0x62/0xe0 [ 63.657696][ T6830] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 63.663656][ T6830] ? _raw_spin_unlock_irqrestore+0x9b/0xe0 [ 63.669441][ T6830] ? debug_object_active_state+0x260/0x350 [ 63.675237][ T6830] ? trace_hardirqs_off+0x27/0x210 [ 63.680335][ T6830] ? __fget_light+0x215/0x280 [ 63.684994][ T6830] __sys_sendmsg+0xe5/0x1b0 [ 63.689478][ T6830] ? __sys_sendmsg_sock+0xb0/0xb0 [ 63.694486][ T6830] ? do_syscall_64+0x1c/0xe0 [ 63.699054][ T6830] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 63.705014][ T6830] do_syscall_64+0x60/0xe0 [ 63.709411][ T6830] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 63.715279][ T6830] RIP: 0033:0x445f09 [ 63.719145][ T6830] Code: Bad RIP value. [ 63.723184][ T6830] RSP: 002b:00007fffb147d488 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 63.731571][ T6830] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09 [ 63.739517][ T6830] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004 [ 63.747465][ T6830] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0 [ 63.755413][ T6830] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0 [ 63.763381][ T6830] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000 [ 63.771354][ T6830] [ 63.773672][ T6830] Allocated by task 6828: [ 63.777990][ T6830] save_stack+0x1b/0x40 [ 63.782133][ T6830] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 63.787741][ T6830] __alloc_skb+0xae/0x550 [ 63.792048][ T6830] netlink_sendmsg+0x94f/0xd90 [ 63.796811][ T6830] sock_sendmsg+0xcf/0x120 [ 63.801202][ T6830] ____sys_sendmsg+0x6e8/0x810 [ 63.805942][ T6830] ___sys_sendmsg+0xf3/0x170 [ 63.810538][ T6830] __sys_sendmsg+0xe5/0x1b0 [ 63.815032][ T6830] do_syscall_64+0x60/0xe0 [ 63.819439][ T6830] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 63.825311][ T6830] [ 63.827616][ T6830] Freed by task 6828: [ 63.831575][ T6830] save_stack+0x1b/0x40 [ 63.835707][ T6830] __kasan_slab_free+0xf5/0x140 [ 63.840535][ T6830] kfree+0x103/0x2c0 [ 63.844405][ T6830] skb_release_data+0x6d9/0x910 [ 63.849231][ T6830] consume_skb+0xc2/0x160 [ 63.853536][ T6830] netlink_unicast+0x53b/0x7d0 [ 63.858294][ T6830] netlink_sendmsg+0x856/0xd90 [ 63.863039][ T6830] sock_sendmsg+0xcf/0x120 [ 63.867435][ T6830] ____sys_sendmsg+0x6e8/0x810 [ 63.872173][ T6830] ___sys_sendmsg+0xf3/0x170 [ 63.876738][ T6830] __sys_sendmsg+0xe5/0x1b0 [ 63.881216][ T6830] do_syscall_64+0x60/0xe0 [ 63.885611][ T6830] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 63.891482][ T6830] [ 63.893802][ T6830] The buggy address belongs to the object at ffff8880a7ee0000 [ 63.893802][ T6830] which belongs to the cache kmalloc-1k of size 1024 [ 63.907897][ T6830] The buggy address is located 644 bytes inside of [ 63.907897][ T6830] 1024-byte region [ffff8880a7ee0000, ffff8880a7ee0400) [ 63.921287][ T6830] The buggy address belongs to the page: [ 63.926911][ T6830] page:ffffea00029fb800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 [ 63.935988][ T6830] flags: 0xfffe0000000200(slab) [ 63.940820][ T6830] raw: 00fffe0000000200 ffffea000278a308 ffffea00025273c8 ffff8880aa000c40 [ 63.949405][ T6830] raw: 0000000000000000 ffff8880a7ee0000 0000000100000002 0000000000000000 [ 63.957965][ T6830] page dumped because: kasan: bad access detected [ 63.964353][ T6830] [ 63.966667][ T6830] Memory state around the buggy address: [ 63.972275][ T6830] ffff8880a7ee0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.980316][ T6830] ffff8880a7ee0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb executing program [ 63.988386][ T6830] >ffff8880a7ee0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.996434][ T6830] ^ [ 64.000481][ T6830] ffff8880a7ee0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.008524][ T6830] ffff8880a7ee0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.016577][ T6830] ================================================================== [ 64.024609][ T6830] Disabling lock debugging due to kernel taint [ 64.061616][ T6830] Kernel panic - not syncing: panic_on_warn set ... [ 64.068237][ T6830] CPU: 0 PID: 6830 Comm: syz-executor007 Tainted: G B 5.8.0-rc2-syzkaller #0 [ 64.078267][ T6830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 64.088297][ T6830] Call Trace: [ 64.091565][ T6830] dump_stack+0x18f/0x20d [ 64.095877][ T6830] ? tipc_nl_publ_dump+0xa60/0xce0 [ 64.100961][ T6830] panic+0x2e3/0x75c [ 64.104836][ T6830] ? __warn_printk+0xf3/0xf3 [ 64.109404][ T6830] ? preempt_schedule_common+0x59/0xc0 [ 64.114839][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 64.119925][ T6830] ? preempt_schedule_thunk+0x16/0x18 [ 64.125290][ T6830] ? trace_hardirqs_on+0x55/0x220 [ 64.130291][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 64.135379][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 64.140476][ T6830] end_report+0x4d/0x53 [ 64.144619][ T6830] kasan_report.cold+0xd/0x37 [ 64.149282][ T6830] ? tipc_nl_publ_dump+0xae0/0xce0 [ 64.154378][ T6830] tipc_nl_publ_dump+0xae0/0xce0 [ 64.159298][ T6830] ? __mutex_lock+0x626/0x10d0 [ 64.164068][ T6830] ? tipc_nl_sk_dump+0x30/0x30 [ 64.168821][ T6830] ? check_preemption_disabled+0x38/0x220 [ 64.174531][ T6830] ? rcu_read_lock_sched_held+0x3a/0xb0 [ 64.180059][ T6830] ? kmem_cache_alloc_node_trace+0x3b0/0x400 [ 64.186028][ T6830] ? __kmalloc_node_track_caller+0x38/0x60 [ 64.191827][ T6830] ? kasan_unpoison_shadow+0x33/0x40 [ 64.197095][ T6830] ? __phys_addr+0x9a/0x110 [ 64.201584][ T6830] ? memset+0x20/0x40 [ 64.205557][ T6830] genl_lock_dumpit+0x7f/0xb0 [ 64.210213][ T6830] netlink_dump+0x4cd/0xf60 [ 64.214691][ T6830] ? netlink_insert+0x1670/0x1670 [ 64.219711][ T6830] ? __mutex_unlock_slowpath+0xe2/0x610 [ 64.225261][ T6830] ? genl_start+0x45a/0x6e0 [ 64.229754][ T6830] __netlink_dump_start+0x643/0x900 [ 64.234958][ T6830] ? genl_rcv_msg+0x9e0/0x9e0 [ 64.239626][ T6830] ? tipc_nl_sk_dump+0x30/0x30 [ 64.244368][ T6830] genl_family_rcv_msg_dumpit+0x2ac/0x310 [ 64.250069][ T6830] ? genl_rcv+0x40/0x40 [ 64.254203][ T6830] ? mutex_lock_io_nested+0xf60/0xf60 [ 64.259562][ T6830] ? mark_lock+0xbc/0x1710 [ 64.263954][ T6830] ? genl_rcv_msg+0x9e0/0x9e0 [ 64.268604][ T6830] ? genl_unlock+0x20/0x20 [ 64.273043][ T6830] ? genl_parallel_done+0x170/0x170 [ 64.278220][ T6830] ? __radix_tree_lookup+0x1f3/0x290 [ 64.283492][ T6830] genl_rcv_msg+0x797/0x9e0 [ 64.287989][ T6830] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310 [ 64.294899][ T6830] ? lock_acquire+0x1f1/0xad0 [ 64.299552][ T6830] ? genl_rcv+0x15/0x40 [ 64.303684][ T6830] ? lock_release+0x8d0/0x8d0 [ 64.308335][ T6830] netlink_rcv_skb+0x15a/0x430 [ 64.313076][ T6830] ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310 [ 64.319984][ T6830] ? netlink_ack+0xa10/0xa10 [ 64.324552][ T6830] genl_rcv+0x24/0x40 [ 64.328508][ T6830] netlink_unicast+0x533/0x7d0 [ 64.333245][ T6830] ? netlink_attachskb+0x810/0x810 [ 64.338330][ T6830] ? _copy_from_iter_full+0x247/0x890 [ 64.343675][ T6830] ? __phys_addr+0x9a/0x110 [ 64.348158][ T6830] ? __phys_addr_symbol+0x2c/0x70 [ 64.353155][ T6830] ? __check_object_size+0x171/0x3e4 [ 64.358415][ T6830] netlink_sendmsg+0x856/0xd90 [ 64.363165][ T6830] ? netlink_unicast+0x7d0/0x7d0 [ 64.368086][ T6830] ? netlink_unicast+0x7d0/0x7d0 [ 64.373000][ T6830] sock_sendmsg+0xcf/0x120 [ 64.377391][ T6830] ____sys_sendmsg+0x6e8/0x810 [ 64.382129][ T6830] ? kernel_sendmsg+0x50/0x50 [ 64.386794][ T6830] ? do_recvmmsg+0x6d0/0x6d0 [ 64.391384][ T6830] ? find_held_lock+0x2d/0x110 [ 64.396218][ T6830] ? lockdep_hardirqs_on_prepare+0x590/0x590 [ 64.402174][ T6830] ? lock_downgrade+0x820/0x820 [ 64.407000][ T6830] ___sys_sendmsg+0xf3/0x170 [ 64.411568][ T6830] ? sendmsg_copy_msghdr+0x160/0x160 [ 64.416837][ T6830] ? debug_object_active_state+0x260/0x350 [ 64.422622][ T6830] ? lock_downgrade+0x820/0x820 [ 64.427449][ T6830] ? _raw_spin_unlock_irqrestore+0x62/0xe0 [ 64.433228][ T6830] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 64.439183][ T6830] ? _raw_spin_unlock_irqrestore+0x9b/0xe0 [ 64.445021][ T6830] ? debug_object_active_state+0x260/0x350 [ 64.450812][ T6830] ? trace_hardirqs_off+0x27/0x210 [ 64.455899][ T6830] ? __fget_light+0x215/0x280 [ 64.460558][ T6830] __sys_sendmsg+0xe5/0x1b0 [ 64.465036][ T6830] ? __sys_sendmsg_sock+0xb0/0xb0 [ 64.470035][ T6830] ? do_syscall_64+0x1c/0xe0 [ 64.474621][ T6830] ? lockdep_hardirqs_on_prepare+0x3a2/0x590 [ 64.480573][ T6830] do_syscall_64+0x60/0xe0 [ 64.484965][ T6830] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 64.490837][ T6830] RIP: 0033:0x445f09 [ 64.494703][ T6830] Code: Bad RIP value. [ 64.498741][ T6830] RSP: 002b:00007fffb147d488 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 64.507121][ T6830] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09 [ 64.515067][ T6830] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004 [ 64.523011][ T6830] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0 [ 64.530955][ T6830] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0 [ 64.538899][ T6830] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000 [ 64.548163][ T6830] Kernel Offset: disabled [ 64.552489][ T6830] Rebooting in 86400 seconds..