syzbot


KASAN: slab-out-of-bounds Read in native_queued_spin_lock_slowpath (2)

Status: auto-closed as invalid on 2019/02/22 15:29
First crash: 2536d, last: 2535d
Similar bugs (2)

Kernel: android-44
Title: KASAN: slab-out-of-bounds Read in native_queued_spin_lock_slowpath
Count: 1, Last: 2536d, Reported: 2536d, Patched: 0/2
Status: closed as invalid on 2017/12/12 13:35

Kernel: android-49
Title: KASAN: slab-out-of-bounds Read in native_queued_spin_lock_slowpath
Count: 1168, Last: 2529d, Reported: 2591d, Patched: 0/3
Status: closed as invalid on 2019/01/01 20:10

Sample crash report:
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1025 sclass=netlink_route_socket
==================================================================
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8800b7eb57d4
Read of size 4 by task syz-executor1/6756
=============================================================================
BUG fasync_cache (Tainted: G    B          ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=6 cpu=0 pid=6756
INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=6 cpu=0 pid=6756
INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=6 cpu=0 pid=6756
	___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	kmem_cache_alloc+0x155/0x290 mm/slub.c:2614
	fasync_alloc fs/fcntl.c:603 [inline]
	fasync_add_entry fs/fcntl.c:661 [inline]
	fasync_helper+0x29/0x90 fs/fcntl.c:690
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
	setfl fs/fcntl.c:69 [inline]
	do_fcntl fs/fcntl.c:266 [inline]
	SYSC_fcntl fs/fcntl.c:371 [inline]
	SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356
	entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=7 cpu=0 pid=3
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
	slab_free mm/slub.c:2840 [inline]
	kmem_cache_free+0x1f1/0x300 mm/slub.c:2849
	fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
	__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
	rcu_do_batch kernel/rcu/tree.c:2705 [inline]
	invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
	__rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
	rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
	run_ksoftirqd+0x20/0x60 kernel/softirq.c:662
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	kthread+0x245/0x310 kernel/kthread.c:211
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0002dfad00 objects=20 used=3 fp=0xffff8800b7eb5a90 flags=0x4000000000004080
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

Bytes b4 ffff8800b7eb5760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
CPU: 0 PID: 6756 Comm: syz-executor1 Tainted: G    B           4.4.105-ge303a83 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
Call Trace:
 [<ffffffff81cc9b4f>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81cc9b4f>] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
 [<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
 [<ffffffff814db1f7>] print_address_description mm/kasan/report.c:139 [inline]
 [<ffffffff814db1f7>] kasan_report_error mm/kasan/report.c:237 [inline]
 [<ffffffff814db1f7>] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [<ffffffff814db589>] kasan_report mm/kasan/report.c:282 [inline]
 [<ffffffff814db589>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282
 [<ffffffff8123648d>] __read_once_size include/linux/compiler.h:218 [inline]
 [<ffffffff8123648d>] atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 [<ffffffff8123648d>] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline]
 [<ffffffff8123648d>] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352
 [<ffffffff8123b9c6>] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline]
 [<ffffffff8123b9c6>] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115
 [<ffffffff8123ab47>] queued_write_lock include/asm-generic/qrwlock.h:121 [inline]
 [<ffffffff8123ab47>] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279
 [<ffffffff8374a8b6>] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline]
 [<ffffffff8374a8b6>] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303
 [<ffffffff82564a50>] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132
 [<ffffffff82564ff5>] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848
 [<ffffffff82566a87>] sg_read+0x767/0x1260 drivers/scsi/sg.c:538
 [<ffffffff814f6d8a>] __vfs_read+0xda/0x3e0 fs/read_write.c:432
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
 [<ffffffff814fb393>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff814fb393>] SyS_read+0xd3/0x1c0 fs/read_write.c:562
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8800b7eb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff8800b7eb5800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b7eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
	__rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
	rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
 ffff8800b7eb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
	__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
	rcu_do_batch kernel/rcu/tree.c:2705 [inline]
	invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
	__rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
	rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 [<ffffffff81cc9b4f>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81cc9b4f>] dump_stack+0x8e/0xcf lib/dump_stack.c:51
	fasync_alloc fs/fcntl.c:603 [inline]
	fasync_add_entry fs/fcntl.c:661 [inline]
	fasync_helper+0x29/0x90 fs/fcntl.c:690
 ffff8800b7eb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
CPU: 0 PID: 6756 Comm: syz-executor1 Tainted: G    B           4.4.105-ge303a83 #5
 [<ffffffff82566a87>] sg_read+0x767/0x1260 drivers/scsi/sg.c:538
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
 [<ffffffff8123ab47>] queued_write_lock include/asm-generic/qrwlock.h:121 [inline]
 [<ffffffff8123ab47>] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
 [<ffffffff814fb393>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff814fb393>] SyS_read+0xd3/0x1c0 fs/read_write.c:562
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
 [<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=457 cpu=0 pid=6756
INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=457 cpu=0 pid=6756
INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=457 cpu=0 pid=6756
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
 [<ffffffff814db1f7>] print_address_description mm/kasan/report.c:139 [inline]
 [<ffffffff814db1f7>] kasan_report_error mm/kasan/report.c:237 [inline]
 [<ffffffff814db1f7>] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
==================================================================
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
Read of size 4 by task syz-executor1/6756
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 [<ffffffff82566a87>] sg_read+0x767/0x1260 drivers/scsi/sg.c:538
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
 ffff8800b7eb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

                                                 ^
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 [<ffffffff8123b9c6>] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline]
 [<ffffffff8123b9c6>] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
 [<ffffffff82564ff5>] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848
BUG fasync_cache (Tainted: G    B          ): kasan: bad access detected
 [<ffffffff8123ab47>] queued_write_lock include/asm-generic/qrwlock.h:121 [inline]
 [<ffffffff8123ab47>] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
	fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
INFO: Slab 0xffffea0002dfad00 objects=20 used=3 fp=0xffff8800b7eb5a90 flags=0x4000000000004080
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
Memory state around the buggy address:
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
 ffff8800b7eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 [<ffffffff814db589>] kasan_report mm/kasan/report.c:282 [inline]
 [<ffffffff814db589>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282
 ffff8800b7eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
Call Trace:
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 [<ffffffff814fb393>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff814fb393>] SyS_read+0xd3/0x1c0 fs/read_write.c:562
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
INFO: Slab 0xffffea0002dfad00 objects=20 used=3 fp=0xffff8800b7eb5a90 flags=0x4000000000004080
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
Memory state around the buggy address:
INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=524 cpu=0 pid=3
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
CPU: 0 PID: 6756 Comm: syz-executor1 Tainted: G    B           4.4.105-ge303a83 #5
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 ffff8800b7eb5800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Call Trace:
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

BUG fasync_cache (Tainted: G    B          ): kasan: bad access detected
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

-----------------------------------------------------------------------------

Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
BUG fasync_cache (Tainted: G    B          ): kasan: bad access detected
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	slab_free mm/slub.c:2840 [inline]
	kmem_cache_free+0x1f1/0x300 mm/slub.c:2849
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	kmem_cache_alloc+0x155/0x290 mm/slub.c:2614
 [<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
 ffff8800b7eb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Bytes b4 ffff8800b7eb5760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
 [<ffffffff8374a8b6>] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline]
 [<ffffffff8374a8b6>] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303
 ffff8800b7eb5800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 ffff8800b7eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 [<ffffffff814fb393>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff814fb393>] SyS_read+0xd3/0x1c0 fs/read_write.c:562
	fasync_alloc fs/fcntl.c:603 [inline]
	fasync_add_entry fs/fcntl.c:661 [inline]
	fasync_helper+0x29/0x90 fs/fcntl.c:690
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 ffff8800b7eb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 [<ffffffff8123ab47>] queued_write_lock include/asm-generic/qrwlock.h:121 [inline]
 [<ffffffff8123ab47>] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
 [<ffffffff82566a87>] sg_read+0x767/0x1260 drivers/scsi/sg.c:538
==================================================================
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	kmem_cache_alloc+0x155/0x290 mm/slub.c:2614
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 [<ffffffff8123648d>] __read_once_size include/linux/compiler.h:218 [inline]
 [<ffffffff8123648d>] atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 [<ffffffff8123648d>] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline]
 [<ffffffff8123648d>] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
 [<ffffffff814fb393>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff814fb393>] SyS_read+0xd3/0x1c0 fs/read_write.c:562
	entry_SYSCALL_64_fastpath+0x16/0x76
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
 [<ffffffff8123648d>] __read_once_size include/linux/compiler.h:218 [inline]
 [<ffffffff8123648d>] atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 [<ffffffff8123648d>] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline]
 [<ffffffff8123648d>] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 [<ffffffff8123648d>] __read_once_size include/linux/compiler.h:218 [inline]
 [<ffffffff8123648d>] atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 [<ffffffff8123648d>] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline]
 [<ffffffff8123648d>] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [<ffffffff814f6d8a>] __vfs_read+0xda/0x3e0 fs/read_write.c:432
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
==================================================================
 [<ffffffff8123ab47>] queued_write_lock include/asm-generic/qrwlock.h:121 [inline]
 [<ffffffff8123ab47>] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	kmem_cache_alloc+0x155/0x290 mm/slub.c:2614
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
                                                 ^
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
 [<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
CPU: 0 PID: 6756 Comm: syz-executor1 Tainted: G    B           4.4.105-ge303a83 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
	__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
	rcu_do_batch kernel/rcu/tree.c:2705 [inline]
	invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
	__rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
	rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
	run_ksoftirqd+0x20/0x60 kernel/softirq.c:662
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
	rcu_do_batch kernel/rcu/tree.c:2705 [inline]
	invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
	__rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
	rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
Call Trace:
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
	slab_free mm/slub.c:2840 [inline]
	kmem_cache_free+0x1f1/0x300 mm/slub.c:2849
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 [<ffffffff8123b9c6>] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline]
 [<ffffffff8123b9c6>] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
	fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
==================================================================
 [<ffffffff8123648d>] __read_once_size include/linux/compiler.h:218 [inline]
 [<ffffffff8123648d>] atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 [<ffffffff8123648d>] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline]
 [<ffffffff8123648d>] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
 [<ffffffff82564a50>] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
 [<ffffffff82564a50>] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
 [<ffffffff814db589>] kasan_report mm/kasan/report.c:282 [inline]
 [<ffffffff814db589>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
 [<ffffffff8374a8b6>] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline]
 [<ffffffff8374a8b6>] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8800b7eb57d4
Call Trace:
                                                 ^
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
	___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 ffff8800b7eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
Memory state around the buggy address:
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
 [<ffffffff814fb393>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff814fb393>] SyS_read+0xd3/0x1c0 fs/read_write.c:562
=============================================================================
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
	fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
	kthread+0x245/0x310 kernel/kthread.c:211
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
 [<ffffffff82564a50>] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132
Memory state around the buggy address:
 [<ffffffff814db1f7>] print_address_description mm/kasan/report.c:139 [inline]
 [<ffffffff814db1f7>] kasan_report_error mm/kasan/report.c:237 [inline]
 [<ffffffff814db1f7>] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [<ffffffff8123ab47>] queued_write_lock include/asm-generic/qrwlock.h:121 [inline]
 [<ffffffff8123ab47>] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279
Call Trace:
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

	__slab_free+0x18c/0x2b0 mm/slub.c:2685
 [<ffffffff8123b9c6>] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline]
 [<ffffffff8123b9c6>] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
 [<ffffffff82566a87>] sg_read+0x767/0x1260 drivers/scsi/sg.c:538
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
	slab_free mm/slub.c:2840 [inline]
	kmem_cache_free+0x1f1/0x300 mm/slub.c:2849
	slab_free mm/slub.c:2840 [inline]
	kmem_cache_free+0x1f1/0x300 mm/slub.c:2849
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
==================================================================
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
==================================================================
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [<ffffffff82564ff5>] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
	entry_SYSCALL_64_fastpath+0x16/0x76
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
Call Trace:
==================================================================
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
	___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
 [<ffffffff814f6d8a>] __vfs_read+0xda/0x3e0 fs/read_write.c:432
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	slab_free mm/slub.c:2840 [inline]
	kmem_cache_free+0x1f1/0x300 mm/slub.c:2849
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
CPU: 0 PID: 6756 Comm: syz-executor1 Tainted: G    B           4.4.105-ge303a83 #5
                                                 ^
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
 [<ffffffff814db589>] kasan_report mm/kasan/report.c:282 [inline]
 [<ffffffff814db589>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
	kthread+0x245/0x310 kernel/kthread.c:211
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
Memory state around the buggy address:
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
 [<ffffffff8374a8b6>] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline]
 [<ffffffff8374a8b6>] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303
Call Trace:
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 [<ffffffff8374a8b6>] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline]
 [<ffffffff8374a8b6>] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
 [<ffffffff814db1f7>] print_address_description mm/kasan/report.c:139 [inline]
 [<ffffffff814db1f7>] kasan_report_error mm/kasan/report.c:237 [inline]
 [<ffffffff814db1f7>] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
	fasync_alloc fs/fcntl.c:603 [inline]
	fasync_add_entry fs/fcntl.c:661 [inline]
	fasync_helper+0x29/0x90 fs/fcntl.c:690
INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=756 cpu=0 pid=6756
INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=756 cpu=0 pid=6756
INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=756 cpu=0 pid=6756
	run_ksoftirqd+0x20/0x60 kernel/softirq.c:662
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Call Trace:
 [<ffffffff82564ff5>] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848
Bytes b4 ffff8800b7eb5760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [<ffffffff814db589>] kasan_report mm/kasan/report.c:282 [inline]
 [<ffffffff814db589>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
Read of size 4 by task syz-executor1/6756
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	kmem_cache_alloc+0x155/0x290 mm/slub.c:2614
 [<ffffffff81cc9b4f>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81cc9b4f>] dump_stack+0x8e/0xcf lib/dump_stack.c:51
	fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8800b7eb57d4
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=778 cpu=0 pid=6756
INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=778 cpu=0 pid=6756
INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=778 cpu=0 pid=6756
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	kmem_cache_alloc+0x155/0x290 mm/slub.c:2614
                                                 ^
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
 [<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
==================================================================
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b7eb57d4
BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8800b7eb57d4
Read of size 4 by task syz-executor1/6756
=============================================================================
BUG fasync_cache (Tainted: G    B          ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=805 cpu=0 pid=6756
INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=805 cpu=0 pid=6756
INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=805 cpu=0 pid=6756
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	kmem_cache_alloc+0x155/0x290 mm/slub.c:2614
	sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213
	setfl fs/fcntl.c:69 [inline]
	do_fcntl fs/fcntl.c:266 [inline]
	SYSC_fcntl fs/fcntl.c:371 [inline]
	SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356
INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=983 cpu=0 pid=3
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
	slab_free mm/slub.c:2840 [inline]
	kmem_cache_free+0x1f1/0x300 mm/slub.c:2849
	fasync_free_rcu+0x14/0x20 fs/fcntl.c:562
	__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
	rcu_do_batch kernel/rcu/tree.c:2705 [inline]
	invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
	__rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
	rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
	__do_softirq+0x24d/0xa60 kernel/softirq.c:273
	run_ksoftirqd+0x20/0x60 kernel/softirq.c:662
	smpboot_thread_fn+0x55f/0x920 kernel/smpboot.c:163
	ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0002dfad00 objects=20 used=3 fp=0xffff8800b7eb5a90 flags=0x4000000000004080
INFO: Object 0xffff8800b7eb5770 @offset=6000 fp=0xdead4ead00000000

Bytes b4 ffff8800b7eb5760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b7eb5770: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
Object ffff8800b7eb5780: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff  ..........p.....
Object ffff8800b7eb5790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b7eb57a0: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00  .P.......F......
Object ffff8800b7eb57b0: 00 00 00 00 00 00 00 00 00 cc 1c b7 00 88 ff ff  ................
Object ffff8800b7eb57c0: 00 c3 82 d2 01 88 ff ff 30 f5 52 81 ff ff ff ff  ........0.R.....
CPU: 0 PID: 6756 Comm: syz-executor1 Tainted: G    B           4.4.105-ge303a83 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d9402c00 ffffea0002dfad00 ffff8800b7eb5770 0000000000000000
 0000000000000000 263dc65b38caca23 ffff8801d2e979b0 ffffffff81cc9b4f
 ffff8800b7eb4010 ffff8800b7eb5770 ffff8801d2e979e0 ffffffff814d3af4
Call Trace:
 [<ffffffff81cc9b4f>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81cc9b4f>] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
 [<ffffffff814db1f7>] print_address_description mm/kasan/report.c:139 [inline]
 [<ffffffff814db1f7>] kasan_report_error mm/kasan/report.c:237 [inline]
 [<ffffffff814db1f7>] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [<ffffffff814db589>] kasan_report mm/kasan/report.c:282 [inline]
 [<ffffffff814db589>] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282
 [<ffffffff8123b9c6>] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline]
 [<ffffffff8123b9c6>] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline]
 [<ffffffff8123b9c6>] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115
 [<ffffffff8123ab47>] queued_write_lock include/asm-generic/qrwlock.h:121 [inline]
 [<ffffffff8123ab47>] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279
 [<ffffffff82564a50>] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132
 [<ffffffff82564ff5>] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848
 [<ffffffff82566a87>] sg_read+0x767/0x1260 drivers/scsi/sg.c:538
 [<ffffffff814f6d8a>] __vfs_read+0xda/0x3e0 fs/read_write.c:432
 [<ffffffff814f8a21>] vfs_read+0xe1/0x340 fs/read_write.c:454
 [<ffffffff814fb393>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff814fb393>] SyS_read+0xd3/0x1c0 fs/read_write.c:562
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8800b7eb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b7eb5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
>ffff8800b7eb5780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff8800b7eb5800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b7eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/12/13 09:46 https://android.googlesource.com/kernel/common android-4.4 e303a832d93e ce7f2399 .config console log report ci-android-44-kasan-gce
2017/12/13 00:18 https://android.googlesource.com/kernel/common android-4.4 e303a832d93e 414a185f .config console log report ci-android-44-kasan-gce
2017/12/12 20:02 https://android.googlesource.com/kernel/common android-4.4 e303a832d93e 414a185f .config console log report ci-android-44-kasan-gce
2017/12/12 15:02 https://android.googlesource.com/kernel/common android-4.4 36205b7fa963 414a185f .config console log report ci-android-44-kasan-gce
* Struck through repros no longer work on HEAD.