syzbot


KASAN: wild-memory-access Read of size 2012

Status: closed as invalid on 2017/10/18 09:01
First crash: 2621 days ago; last: 2621 days ago (both ages are relative to when this page was retrieved; there is a single crash)

Sample crash report:
==================================================================
BUG: KASAN: wild-memory-access on address ffe708746c7f1000
Read of size 2012 by task syz-executor0/3449
CPU: 1 PID: 3449 Comm: syz-executor0 Not tainted 4.9.52-gc30c69c #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cdc5fae8 ffffffff81d93149 ffe708746c7f1000 00000000000007dc
 0000000000000000 ffff8801c88459c0 ffe708746c7f1000 ffff8801cdc5fb70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153d08f>] kasan_report_error mm/kasan/report.c:284 [inline]
 [<ffffffff8153d08f>] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [<ffffffff8153d460>] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [<ffffffff8153bda7>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [<ffffffff8153bda7>] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [<ffffffff8153be11>] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [<ffffffff826648db>] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [<ffffffff826648db>] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [<ffffffff826648db>] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [<ffffffff8156d353>] __vfs_read+0x103/0x670 fs/read_write.c:452
 [<ffffffff8156e8e7>] vfs_read+0x107/0x330 fs/read_write.c:475
 [<ffffffff815724c9>] SYSC_read fs/read_write.c:591 [inline]
 [<ffffffff815724c9>] SyS_read+0xd9/0x1b0 fs/read_write.c:584
 [<ffffffff838ac5c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=1025 sclass=netlink_audit_socket pig=3472 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=1025 sclass=netlink_audit_socket pig=3478 comm=syz-executor3
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1025 sclass=netlink_route_socket pig=3559 comm=syz-executor7
TCP: request_sock_TCP: Possible SYN flooding on port 20004. Sending cookies.  Check SNMP counters.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1025 sclass=netlink_route_socket pig=3575 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1025 sclass=netlink_route_socket pig=3578 comm=syz-executor7
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=3623 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=3623 comm=syz-executor7
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
syz-executor6 uses obsolete (PF_INET,SOCK_PACKET)
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 3722:3723 ioctl 8924 20418000 returned -22
device gre0 entered promiscuous mode
binder: 3722:3742 ioctl 8924 20418000 returned -22
devpts: called with bogus options
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
random: crng init done
device lo entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 4083 Comm: syz-executor0 Tainted: G    B           4.9.52-gc30c69c #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c615f9b0 ffffffff81d93149 ffff8801c615fc90 0000000000000000
 ffff8801c6010290 ffff8801c615fb80 ffff8801c6010180 ffff8801c615fba8
 ffffffff81660dc8 ffff8801c615fb00 ffffffff811c9fc7 00000001cd3ef067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad798>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838ac5c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
CPU: 0 PID: 4093 Comm: syz-executor0 Tainted: G    B           4.9.52-gc30c69c #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8f07780 ffffffff81d93149 ffff8801c8f07a60 0000000000000000
 ffff8801c6010290 ffff8801c8f07950 ffff8801c6010180 ffff8801c8f07978
 ffffffff81660dc8 ffff8801c8f078d0 0000000000000000 00000001cd3ef067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad798>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815b2228>] SYSC_select fs/select.c:652 [inline]
 [<ffffffff815b2228>] SyS_select+0x158/0x1e0 fs/select.c:634
 [<ffffffff838ac5c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 4236 204f0000-204f4000 already mapped failed -16
sg_write: data in/out 476/6 bytes for SCSI command 0x0-- guessing data in;
   program syz-executor2 not setting count and/or reply_len properly
binder_alloc: binder_alloc_mmap_handler: 4236 204f0000-204f4000 already mapped failed -16
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=18513 sclass=netlink_route_socket pig=4312 comm=syz-executor6
binder: 4335:4338 ioctl 641e 0 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=18513 sclass=netlink_route_socket pig=4343 comm=syz-executor6
binder: 4335:4349 ioctl 641e 0 returned -22
device gre0 entered promiscuous mode
binder: 4449:4454 ioctl 541d 0 returned -22
binder: 4449:4454 ioctl 541d 0 returned -22
mmap: syz-executor4 (4612) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
IPVS: Creating netns size=2536 id=9
nla_parse: 6 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 entered promiscuous mode
loop_reread_partitions: partition scan of loop5 (t?`JzP[ p>TK6C="L l!V#F-') failed (rc=-13)
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: NLM_F_CREATE should be specified when creating new route
ALSA: seq fatal error: cannot create timer (-22)
IPv6: NLM_F_REPLACE set, but no existing node found!
device lo entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: NLM_F_REPLACE set, but no existing node found!
device lo left promiscuous mode
ALSA: seq fatal error: cannot create timer (-22)
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
program syz-executor3 is using a deprecated SCSI ioctl, please convert it to SG_IO
program syz-executor3 is using a deprecated SCSI ioctl, please convert it to SG_IO
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5267 comm=syz-executor5
IPVS: Creating netns size=2536 id=10
IPVS: Creating netns size=2536 id=11
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=5477 comm=syz-executor2
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
capability: warning: `syz-executor7' uses deprecated v2 capabilities in a way that may be insecure
device syz1 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=5807 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=5807 comm=syz-executor4
IPVS: Creating netns size=2536 id=12
IPVS: Creating netns size=2536 id=13
keychord: using input dev AT Translated Set 2 keyboard for fevent
device gre0 entered promiscuous mode
binder: 5967:6000 ioctl 4b60 205baf8c returned -22
keychord: invalid keycode count 0
binder: 5967:5989 ioctl 4b60 205baf8c returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: invalid keycode count 0
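
What the report above does and does not show: in the 4.9-era mm/kasan/report.c, an access whose address has no shadow memory is bucketed by address alone: below PAGE_SIZE it is reported as null-ptr-deref, below TASK_SIZE as user-memory-access, and anything else as wild-memory-access. The address here, ffe708746c7f1000, is also non-canonical on x86-64 with 48-bit virtual addresses, so a real dereference would have raised a general-protection fault; KASAN's shadow check ran first. KASAN only instruments the kernel side of __copy_to_user, so the flagged pointer is the 2012-byte kernel source buffer being copied out by sg_read_oxfer (drivers/scsi/sg.c:1978), not the user destination. Why the report was closed as invalid is not recorded on this page. The following triage helper is an added example, not syzbot or syzkaller code: it parses the KASAN header and call trace (the sample input is the report above, embedded as a string), reproduces the address bucketing, checks canonicality, and picks a blame frame by skipping the sanitizer, the stack dumper and generic copy helpers. The skip lists and the derived title format are this example's own choices.

```python
"""KASAN report triage helper (added example; not syzbot or syzkaller code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_SIZE = 0x1000
TASK_SIZE = 0x00007ffffffff000  # x86-64 TASK_SIZE_MAX with 4-level paging

# Header formats: 4.9-era "on address X" / "in func at addr X", and the newer
# layout where the address sits on the "Read of size N at addr X" line.
BUG_RE = re.compile(
    r"^BUG: KASAN: (?P<kind>[\w-]+)"
    r"(?: (?:on address|in \S+ at addr) (?P<addr>[0-9a-f]+))?")
ACCESS_RE = re.compile(
    r"^(?P<rw>Read|Write) of size (?P<size>\d+)"
    r"(?: at addr (?P<addr>[0-9a-f]+))? by task (?P<task>.+)/(?P<pid>\d+)\s*$")
FRAME_RE = re.compile(
    r"^\s*(?:\[<[0-9a-f]+>\]\s*)?(?:\?\s*)?(?P<func>[\w.]+)"
    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<file>[\w./-]+):(?P<line>\d+)"
    r"(?P<inline>\s+\[inline\])?")
# Frames that never explain a bug by themselves: the sanitizer, the stack
# dumper and generic copy helpers that only touch the bad pointer.
# These skip lists are this example's choice, not syzkaller's.
SKIP_FILE = re.compile(r"^(mm/kasan/|lib/dump_stack\.c|arch/x86/include/asm/uaccess)")
SKIP_FUNC = re.compile(r"^(kasan_|_{0,2}dump_stack|mem(cpy|set|move)|_*copy_(to|from)_user)")

# Constructed sample input: the header and call trace of the report on this page.
SAMPLE_REPORT = """\
BUG: KASAN: wild-memory-access on address ffe708746c7f1000
Read of size 2012 by task syz-executor0/3449
CPU: 1 PID: 3449 Comm: syz-executor0 Not tainted 4.9.52-gc30c69c #54
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153d08f>] kasan_report_error mm/kasan/report.c:284 [inline]
 [<ffffffff8153d08f>] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [<ffffffff8153d460>] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [<ffffffff8153bda7>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [<ffffffff8153bda7>] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [<ffffffff8153be11>] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [<ffffffff826648db>] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [<ffffffff826648db>] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [<ffffffff826648db>] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [<ffffffff8156d353>] __vfs_read+0x103/0x670 fs/read_write.c:452
 [<ffffffff8156e8e7>] vfs_read+0x107/0x330 fs/read_write.c:475
 [<ffffffff815724c9>] SYSC_read fs/read_write.c:591 [inline]
 [<ffffffff815724c9>] SyS_read+0xd9/0x1b0 fs/read_write.c:584
 [<ffffffff838ac5c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
"""


@dataclass
class Frame:
    func: str
    file: str
    line: int
    inline: bool


@dataclass
class KasanReport:
    kind: str
    rw: str
    size: int
    addr: int
    task: str
    pid: int
    frames: List[Frame] = field(default_factory=list)

    @property
    def blame(self) -> Optional[Frame]:
        """First frame that is neither KASAN/dump_stack plumbing nor a copy helper."""
        for f in self.frames:
            if SKIP_FILE.match(f.file) or SKIP_FUNC.match(f.func):
                continue
            return f
        return None

    @property
    def title(self) -> str:
        b = self.blame
        return f"KASAN: {self.kind} {self.rw}" + (f" in {b.func}" if b else "")


def classify_address(addr: int) -> str:
    """Bucketing mm/kasan/report.c (4.9) applies to addresses with no shadow."""
    if addr < PAGE_SIZE:
        return "null-ptr-deref"
    if addr < TASK_SIZE:
        return "user-memory-access"
    return "wild-memory-access"


def is_canonical(addr: int, va_bits: int = 48) -> bool:
    """x86-64 canonical form: every bit above va_bits-1 equals bit va_bits-1."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def parse_kasan_report(text: str) -> KasanReport:
    kind = rw = task = None
    size = pid = 0
    addr: Optional[int] = None
    frames: List[Frame] = []
    in_trace = False
    for line in text.splitlines():
        if line.startswith("===="):
            if in_trace:
                break  # closing delimiter of the report
            continue
        m = BUG_RE.match(line)
        if m:
            kind = m.group("kind")
            if m.group("addr"):
                addr = int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            rw, size = m.group("rw"), int(m.group("size"))
            task, pid = m.group("task"), int(m.group("pid"))
            if m.group("addr"):
                addr = int(m.group("addr"), 16)
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:  # frames without file:line (e.g. entry_SYSCALL_64_fastpath) are skipped
                frames.append(Frame(m.group("func"), m.group("file"),
                                    int(m.group("line")), bool(m.group("inline"))))
    if kind is None or rw is None or addr is None:
        raise ValueError("not a KASAN report")
    return KasanReport(kind, rw, size, addr, task, pid, frames)


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    b = r.blame
    print(r.title)
    print(f"addr=0x{r.addr:x} bucket={classify_address(r.addr)} canonical={is_canonical(r.addr)}")
    print(f"blame={b.func} {b.file}:{b.line}" if b else "blame=unknown")
```

Run on the sample, the helper blames sg_read_oxfer (drivers/scsi/sg.c:1978) rather than the __copy_to_user frame KASAN tripped in, and reports the address as both wild-memory-access and non-canonical. When triaging similar reports, a non-canonical kernel source pointer in a copy-out path is the detail to chase first, because it rules out an ordinary out-of-bounds offset from a valid buffer.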

Crashes (1):

Time:      2017/09/29 20:38
Kernel:    https://android.googlesource.com/kernel/common android-4.9
Commit:    c30c69c76c1d
Syzkaller: c26ea367
Config:    .config
Log:       console log
Report:    report
Syz repro / C repro / VM info / Assets / Title: none listed
Manager:   ci-android-49-kasan-gce