[ ok ] Starting enhanced syslogd: rsyslogd. [ 54.977096][ T26] audit: type=1800 audit(1570404286.093:25): pid=8551 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 55.033148][ T26] audit: type=1800 audit(1570404286.093:26): pid=8551 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 55.065532][ T26] audit: type=1800 audit(1570404286.103:27): pid=8551 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program syzkaller login: [ 70.737359][ T8707] netlink: 'syz-executor134': attribute type 6 has an invalid length. [ 70.752750][ T8712] netlink: 'syz-executor134': attribute type 6 has an invalid length. [ 70.762873][ T8714] netlink: 'syz-executor134': attribute type 6 has an invalid length. [ 70.771296][ T8715] netlink: 'syz-executor134': attribute type 6 has an invalid length. [ 70.779783][ T8713] netlink: 'syz-executor134': attribute type 6 has an invalid length. executing program executing program [ 70.788774][ T8716] netlink: 'syz-executor134': attribute type 6 has an invalid length. 
[ 70.800499][ T8714] ================================================================== [ 70.808699][ T8714] BUG: KASAN: use-after-free in nla_memcpy+0xa2/0xb0 [ 70.815416][ T8714] Read of size 2 at addr ffff8880a74fba94 by task syz-executor134/8714 [ 70.823643][ T8714] [ 70.825979][ T8714] CPU: 1 PID: 8714 Comm: syz-executor134 Not tainted 5.4.0-rc1+ #0 [ 70.833845][ T8714] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 70.843884][ T8714] Call Trace: [ 70.847169][ T8714] dump_stack+0x172/0x1f0 [ 70.851491][ T8714] ? nla_memcpy+0xa2/0xb0 [ 70.855836][ T8714] print_address_description.constprop.0.cold+0xd4/0x30b [ 70.862864][ T8714] ? nla_memcpy+0xa2/0xb0 [ 70.867181][ T8714] ? nla_memcpy+0xa2/0xb0 [ 70.871504][ T8714] __kasan_report.cold+0x1b/0x41 [ 70.876435][ T8714] ? nla_memcpy+0xa2/0xb0 [ 70.880764][ T8714] kasan_report+0x12/0x20 [ 70.885102][ T8714] __asan_report_load2_noabort+0x14/0x20 [ 70.891327][ T8714] nla_memcpy+0xa2/0xb0 [ 70.895482][ T8714] __cfg802154_wpan_dev_from_attrs+0x41b/0x550 [ 70.901662][ T8714] ? nl802154_post_doit+0x200/0x200 [ 70.906860][ T8714] nl802154_prepare_wpan_dev_dump.isra.0.constprop.0+0xf7/0x4b0 [ 70.914493][ T8714] nl802154_dump_llsec_seclevel+0xb9/0xae0 [ 70.920304][ T8714] ? mutex_trylock+0x2d0/0x2d0 [ 70.925769][ T8714] ? kasan_kmalloc+0x9/0x10 [ 70.930277][ T8714] ? __kmalloc_node_track_caller+0x4e/0x70 [ 70.936077][ T8714] ? nl802154_dump_llsec_key+0xc80/0xc80 [ 70.941702][ T8714] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 70.947932][ T8714] ? __alloc_skb+0x3d0/0x5e0 [ 70.952527][ T8714] genl_lock_dumpit+0x86/0xc0 [ 70.957194][ T8714] netlink_dump+0x558/0xfb0 [ 70.961688][ T8714] ? netlink_broadcast+0x50/0x50 [ 70.966625][ T8714] __netlink_dump_start+0x5b1/0x7d0 [ 70.971806][ T8714] ? genl_lock_dumpit+0xc0/0xc0 [ 70.976651][ T8714] genl_rcv_msg+0xc9b/0x1000 [ 70.981238][ T8714] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 70.988157][ T8714] ? 
genl_lock_dumpit+0xc0/0xc0 [ 70.992995][ T8714] ? genl_unlock+0x20/0x20 [ 70.997417][ T8714] ? genl_parallel_done+0x1c0/0x1c0 [ 71.002602][ T8714] ? mark_held_locks+0xf0/0xf0 [ 71.009348][ T8714] ? find_held_lock+0x35/0x130 [ 71.014126][ T8714] netlink_rcv_skb+0x177/0x450 [ 71.018903][ T8714] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 71.025839][ T8714] ? netlink_ack+0xb50/0xb50 [ 71.030429][ T8714] ? __kasan_check_write+0x14/0x20 [ 71.035538][ T8714] ? netlink_deliver_tap+0x254/0xbf0 [ 71.040811][ T8714] genl_rcv+0x29/0x40 [ 71.044796][ T8714] netlink_unicast+0x531/0x710 [ 71.049557][ T8714] ? netlink_attachskb+0x7c0/0x7c0 [ 71.054666][ T8714] ? _copy_from_iter_full+0x25d/0x8c0 [ 71.060049][ T8714] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 71.065773][ T8714] ? __check_object_size+0x3d/0x437 [ 71.071003][ T8714] netlink_sendmsg+0x8a5/0xd60 [ 71.075755][ T8714] ? netlink_unicast+0x710/0x710 [ 71.080698][ T8714] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 71.086229][ T8714] ? apparmor_socket_sendmsg+0x2a/0x30 [ 71.091694][ T8714] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 71.097933][ T8714] ? security_socket_sendmsg+0x8d/0xc0 [ 71.103392][ T8714] ? netlink_unicast+0x710/0x710 [ 71.108328][ T8714] sock_sendmsg+0xd7/0x130 [ 71.112728][ T8714] ___sys_sendmsg+0x803/0x920 [ 71.117401][ T8714] ? copy_msghdr_from_user+0x440/0x440 [ 71.122872][ T8714] ? prep_transhuge_page+0xa0/0xa0 [ 71.127998][ T8714] ? __do_page_fault+0x56a/0xdd0 [ 71.132921][ T8714] ? find_held_lock+0x35/0x130 [ 71.137686][ T8714] ? __do_page_fault+0x56a/0xdd0 [ 71.142615][ T8714] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 71.148841][ T8714] ? __fget_light+0x1a9/0x230 [ 71.153521][ T8714] ? __fdget+0x1b/0x20 [ 71.157590][ T8714] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 71.163819][ T8714] __sys_sendmsg+0x105/0x1d0 [ 71.168398][ T8714] ? __sys_sendmsg_sock+0xd0/0xd0 [ 71.173440][ T8714] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 71.178988][ T8714] ? 
trace_hardirqs_on_thunk+0x1a/0x20 [ 71.184449][ T8714] ? do_syscall_64+0x26/0x760 [ 71.189117][ T8714] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 71.195168][ T8714] ? do_syscall_64+0x26/0x760 [ 71.199869][ T8714] __x64_sys_sendmsg+0x78/0xb0 [ 71.204634][ T8714] do_syscall_64+0xfa/0x760 [ 71.209171][ T8714] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 71.215049][ T8714] RIP: 0033:0x441399 [ 71.218944][ T8714] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 71.238668][ T8714] RSP: 002b:00007ffe350885d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 71.247121][ T8714] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 71.255113][ T8714] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003 [ 71.263081][ T8714] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8 [ 71.271046][ T8714] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402110 [ 71.279002][ T8714] R13: 00000000004021a0 R14: 0000000000000000 R15: 0000000000000000 [ 71.286963][ T8714] [ 71.289272][ T8714] Allocated by task 8716: [ 71.293605][ T8714] save_stack+0x23/0x90 [ 71.297749][ T8714] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 71.303377][ T8714] kasan_kmalloc+0x9/0x10 [ 71.307693][ T8714] __kmalloc_node_track_caller+0x4e/0x70 [ 71.313306][ T8714] __kmalloc_reserve.isra.0+0x40/0xf0 [ 71.318673][ T8714] __alloc_skb+0x10b/0x5e0 [ 71.323071][ T8714] netlink_sendmsg+0x972/0xd60 [ 71.327814][ T8714] sock_sendmsg+0xd7/0x130 [ 71.332208][ T8714] ___sys_sendmsg+0x803/0x920 [ 71.336880][ T8714] __sys_sendmsg+0x105/0x1d0 [ 71.341472][ T8714] __x64_sys_sendmsg+0x78/0xb0 [ 71.346217][ T8714] do_syscall_64+0xfa/0x760 [ 71.350699][ T8714] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 71.356563][ T8714] [ 71.358870][ T8714] Freed by task 8716: [ 71.362834][ T8714] save_stack+0x23/0x90 [ 71.366975][ T8714] 
__kasan_slab_free+0x102/0x150 [ 71.371899][ T8714] kasan_slab_free+0xe/0x10 [ 71.376409][ T8714] kfree+0x10a/0x2c0 [ 71.380293][ T8714] skb_free_head+0x93/0xb0 [ 71.384686][ T8714] skb_release_data+0x42d/0x7c0 [ 71.389514][ T8714] skb_release_all+0x4d/0x60 [ 71.394083][ T8714] consume_skb+0xfb/0x3b0 [ 71.398403][ T8714] netlink_unicast+0x539/0x710 [ 71.403170][ T8714] netlink_sendmsg+0x8a5/0xd60 [ 71.407984][ T8714] sock_sendmsg+0xd7/0x130 [ 71.412384][ T8714] ___sys_sendmsg+0x803/0x920 [ 71.417041][ T8714] __sys_sendmsg+0x105/0x1d0 [ 71.421615][ T8714] __x64_sys_sendmsg+0x78/0xb0 [ 71.426359][ T8714] do_syscall_64+0xfa/0x760 [ 71.430900][ T8714] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 71.436774][ T8714] [ 71.439153][ T8714] The buggy address belongs to the object at ffff8880a74fba80 [ 71.439153][ T8714] which belongs to the cache kmalloc-512 of size 512 [ 71.453185][ T8714] The buggy address is located 20 bytes inside of [ 71.453185][ T8714] 512-byte region [ffff8880a74fba80, ffff8880a74fbc80) [ 71.466347][ T8714] The buggy address belongs to the page: [ 71.471959][ T8714] page:ffffea00029d3ec0 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0 [ 71.481048][ T8714] flags: 0x1fffc0000000200(slab) [ 71.485978][ T8714] raw: 01fffc0000000200 ffffea000232e1c8 ffffea00028722c8 ffff8880aa400a80 [ 71.494555][ T8714] raw: 0000000000000000 ffff8880a74fb080 0000000100000006 0000000000000000 [ 71.503113][ T8714] page dumped because: kasan: bad access detected [ 71.509500][ T8714] [ 71.511808][ T8714] Memory state around the buggy address: [ 71.517418][ T8714] ffff8880a74fb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 71.525539][ T8714] ffff8880a74fba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 71.533582][ T8714] >ffff8880a74fba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.541632][ T8714] ^ [ 71.546210][ T8714] ffff8880a74fbb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 71.554253][ T8714] ffff8880a74fbb80: fb fb fb fb fb fb fb fb 
fb fb fb fb fb fb fb fb [ 71.562296][ T8714] ================================================================== [ 71.570373][ T8714] Disabling lock debugging due to kernel taint [ 71.579624][ T8714] Kernel panic - not syncing: panic_on_warn set ... [ 71.586350][ T8714] CPU: 0 PID: 8714 Comm: syz-executor134 Tainted: G B 5.4.0-rc1+ #0 [ 71.595603][ T8714] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 71.605631][ T8714] Call Trace: [ 71.608902][ T8714] dump_stack+0x172/0x1f0 [ 71.613206][ T8714] panic+0x2dc/0x755 [ 71.617085][ T8714] ? add_taint.cold+0x16/0x16 [ 71.621737][ T8714] ? nla_memcpy+0xa2/0xb0 [ 71.626043][ T8714] ? preempt_schedule+0x4b/0x60 [ 71.630891][ T8714] ? ___preempt_schedule+0x16/0x20 [ 71.635986][ T8714] ? trace_hardirqs_on+0x5e/0x240 [ 71.640983][ T8714] ? nla_memcpy+0xa2/0xb0 [ 71.645288][ T8714] end_report+0x47/0x4f [ 71.649414][ T8714] ? nla_memcpy+0xa2/0xb0 [ 71.653717][ T8714] __kasan_report.cold+0xe/0x41 [ 71.658539][ T8714] ? nla_memcpy+0xa2/0xb0 [ 71.662842][ T8714] kasan_report+0x12/0x20 [ 71.667145][ T8714] __asan_report_load2_noabort+0x14/0x20 [ 71.672747][ T8714] nla_memcpy+0xa2/0xb0 [ 71.676878][ T8714] __cfg802154_wpan_dev_from_attrs+0x41b/0x550 [ 71.683017][ T8714] ? nl802154_post_doit+0x200/0x200 [ 71.688195][ T8714] nl802154_prepare_wpan_dev_dump.isra.0.constprop.0+0xf7/0x4b0 [ 71.695802][ T8714] nl802154_dump_llsec_seclevel+0xb9/0xae0 [ 71.701581][ T8714] ? mutex_trylock+0x2d0/0x2d0 [ 71.706320][ T8714] ? kasan_kmalloc+0x9/0x10 [ 71.710795][ T8714] ? __kmalloc_node_track_caller+0x4e/0x70 [ 71.716573][ T8714] ? nl802154_dump_llsec_key+0xc80/0xc80 [ 71.722179][ T8714] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 71.728394][ T8714] ? __alloc_skb+0x3d0/0x5e0 [ 71.732969][ T8714] genl_lock_dumpit+0x86/0xc0 [ 71.737626][ T8714] netlink_dump+0x558/0xfb0 [ 71.742104][ T8714] ? netlink_broadcast+0x50/0x50 [ 71.747020][ T8714] __netlink_dump_start+0x5b1/0x7d0 [ 71.752191][ T8714] ? 
genl_lock_dumpit+0xc0/0xc0 [ 71.757016][ T8714] genl_rcv_msg+0xc9b/0x1000 [ 71.761580][ T8714] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 71.768514][ T8714] ? genl_lock_dumpit+0xc0/0xc0 [ 71.773336][ T8714] ? genl_unlock+0x20/0x20 [ 71.777727][ T8714] ? genl_parallel_done+0x1c0/0x1c0 [ 71.782903][ T8714] ? mark_held_locks+0xf0/0xf0 [ 71.787645][ T8714] ? find_held_lock+0x35/0x130 [ 71.792388][ T8714] netlink_rcv_skb+0x177/0x450 [ 71.797128][ T8714] ? genl_family_rcv_msg_attrs_parse.isra.0+0x3a0/0x3a0 [ 71.804039][ T8714] ? netlink_ack+0xb50/0xb50 [ 71.808602][ T8714] ? __kasan_check_write+0x14/0x20 [ 71.813700][ T8714] ? netlink_deliver_tap+0x254/0xbf0 [ 71.818961][ T8714] genl_rcv+0x29/0x40 [ 71.822926][ T8714] netlink_unicast+0x531/0x710 [ 71.827668][ T8714] ? netlink_attachskb+0x7c0/0x7c0 [ 71.832756][ T8714] ? _copy_from_iter_full+0x25d/0x8c0 [ 71.838114][ T8714] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 71.843808][ T8714] ? __check_object_size+0x3d/0x437 [ 71.848992][ T8714] netlink_sendmsg+0x8a5/0xd60 [ 71.853735][ T8714] ? netlink_unicast+0x710/0x710 [ 71.858657][ T8714] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 71.864177][ T8714] ? apparmor_socket_sendmsg+0x2a/0x30 [ 71.869611][ T8714] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 71.875840][ T8714] ? security_socket_sendmsg+0x8d/0xc0 [ 71.881271][ T8714] ? netlink_unicast+0x710/0x710 [ 71.886192][ T8714] sock_sendmsg+0xd7/0x130 [ 71.890580][ T8714] ___sys_sendmsg+0x803/0x920 [ 71.895242][ T8714] ? copy_msghdr_from_user+0x440/0x440 [ 71.900689][ T8714] ? prep_transhuge_page+0xa0/0xa0 [ 71.905777][ T8714] ? __do_page_fault+0x56a/0xdd0 [ 71.910689][ T8714] ? find_held_lock+0x35/0x130 [ 71.915427][ T8714] ? __do_page_fault+0x56a/0xdd0 [ 71.920340][ T8714] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 71.926555][ T8714] ? __fget_light+0x1a9/0x230 [ 71.931207][ T8714] ? __fdget+0x1b/0x20 [ 71.935263][ T8714] ? 
__sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 71.941504][ T8714] __sys_sendmsg+0x105/0x1d0 [ 71.946079][ T8714] ? __sys_sendmsg_sock+0xd0/0xd0 [ 71.951087][ T8714] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 71.956620][ T8714] ? trace_hardirqs_on_thunk+0x1a/0x20 [ 71.962054][ T8714] ? do_syscall_64+0x26/0x760 [ 71.966705][ T8714] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 71.972745][ T8714] ? do_syscall_64+0x26/0x760 [ 71.977398][ T8714] __x64_sys_sendmsg+0x78/0xb0 [ 71.982140][ T8714] do_syscall_64+0xfa/0x760 [ 71.986619][ T8714] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 71.992484][ T8714] RIP: 0033:0x441399 [ 71.996360][ T8714] Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 72.016044][ T8714] RSP: 002b:00007ffe350885d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 72.024449][ T8714] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 72.032449][ T8714] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003 [ 72.040562][ T8714] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8 [ 72.048557][ T8714] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402110 [ 72.056507][ T8714] R13: 00000000004021a0 R14: 0000000000000000 R15: 0000000000000000 [ 72.065737][ T8714] Kernel Offset: disabled [ 72.070110][ T8714] Rebooting in 86400 seconds..