[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.4' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 67.272931][ T8497] ==================================================================
[ 67.281684][ T8497] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x5c1/0x1050
[ 67.289660][ T8497] Read of size 4294967293 at addr ffff88802042efa0 by task syz-executor672/8497
[ 67.298679][ T8497]
[ 67.301093][ T8497] CPU: 1 PID: 8497 Comm: syz-executor672 Not tainted 5.10.0-rc1-next-20201030-syzkaller #0
[ 67.311093][ T8497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.321455][ T8497] Call Trace:
[ 67.324802][ T8497] dump_stack+0x107/0x163
[ 67.329161][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.334447][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.339739][ T8497] print_address_description.constprop.0.cold+0xae/0x4c8
[ 67.346900][ T8497] ? _raw_spin_lock_irqsave+0x4e/0x50
[ 67.352300][ T8497] ? vprintk_func+0x95/0x1e0
[ 67.357115][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.362418][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.367714][ T8497] kasan_report.cold+0x1f/0x37
[ 67.372483][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.377801][ T8497] check_memory_region+0x13d/0x180
[ 67.382930][ T8497] memcpy+0x20/0x60
[ 67.386750][ T8497] qrtr_endpoint_post+0x5c1/0x1050
[ 67.391944][ T8497] qrtr_tun_write_iter+0xf5/0x180
[ 67.396973][ T8497] new_sync_write+0x426/0x650
[ 67.401645][ T8497] ? new_sync_read+0x6e0/0x6e0
[ 67.406404][ T8497] ? kmem_cache_free+0x315/0x350
[ 67.411346][ T8497] ? apparmor_file_permission+0x26e/0x4e0
[ 67.417084][ T8497] ? build_open_flags+0x650/0x650
[ 67.422124][ T8497] vfs_write+0x57d/0x700
[ 67.426373][ T8497] ksys_write+0x12d/0x250
[ 67.430818][ T8497] ? __ia32_sys_read+0xb0/0xb0
[ 67.435594][ T8497] ? syscall_enter_from_user_mode+0x1d/0x50
[ 67.441499][ T8497] do_syscall_64+0x2d/0x70
[ 67.445925][ T8497] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.451817][ T8497] RIP: 0033:0x440279
[ 67.455787][ T8497] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 67.475403][ T8497] RSP: 002b:00007ffc6b4d5d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 67.484028][ T8497] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440279
[ 67.492205][ T8497] RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000003
[ 67.500196][ T8497] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 67.508186][ T8497] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80
[ 67.516163][ T8497] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[ 67.525567][ T8497]
[ 67.528088][ T8497] Allocated by task 8497:
[ 67.532587][ T8497] kasan_save_stack+0x1b/0x40
[ 67.537275][ T8497] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 67.542943][ T8497] qrtr_tun_write_iter+0x8a/0x180
[ 67.548231][ T8497] new_sync_write+0x426/0x650
[ 67.552921][ T8497] vfs_write+0x57d/0x700
[ 67.558127][ T8497] ksys_write+0x12d/0x250
[ 67.562462][ T8497] do_syscall_64+0x2d/0x70
[ 67.566895][ T8497] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.572778][ T8497]
[ 67.575098][ T8497] The buggy address belongs to the object at ffff88802042ef80
[ 67.575098][ T8497] which belongs to the cache kmalloc-32 of size 32
[ 67.589255][ T8497] The buggy address is located 0 bytes to the right of
[ 67.589255][ T8497] 32-byte region [ffff88802042ef80, ffff88802042efa0)
[ 67.603747][ T8497] The buggy address belongs to the page:
[ 67.609560][ T8497] page:00000000c4a65a52 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2042e
[ 67.619980][ T8497] flags: 0xfff00000000200(slab)
[ 67.624863][ T8497] raw: 00fff00000000200 ffffea00006cc8c0 0000000600000006 ffff888010041a00
[ 67.633645][ T8497] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 67.642585][ T8497] page dumped because: kasan: bad access detected
[ 67.649089][ T8497]
[ 67.651512][ T8497] Memory state around the buggy address:
[ 67.658465][ T8497] ffff88802042ee80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 67.666567][ T8497] ffff88802042ef00: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 67.674629][ T8497] >ffff88802042ef80: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 67.682692][ T8497] ^
[ 67.687818][ T8497] ffff88802042f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.696397][ T8497] ffff88802042f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
[ 67.704445][ T8497] ==================================================================
[ 67.712513][ T8497] Disabling lock debugging due to kernel taint
[ 67.719090][ T8497] Kernel panic - not syncing: panic_on_warn set ...
[ 67.725813][ T8497] CPU: 1 PID: 8497 Comm: syz-executor672 Tainted: G B 5.10.0-rc1-next-20201030-syzkaller #0
[ 67.737180][ T8497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.747247][ T8497] Call Trace:
[ 67.750539][ T8497] dump_stack+0x107/0x163
[ 67.755490][ T8497] ? qrtr_endpoint_post+0x520/0x1050
[ 67.760850][ T8497] panic+0x306/0x73d
[ 67.764787][ T8497] ? __warn_printk+0xf3/0xf3
[ 67.769372][ T8497] ? preempt_schedule_common+0x59/0xc0
[ 67.774833][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.780101][ T8497] ? preempt_schedule_thunk+0x16/0x18
[ 67.785481][ T8497] ? trace_hardirqs_on+0x51/0x1c0
[ 67.790601][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.795877][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.801282][ T8497] end_report+0x58/0x5e
[ 67.805451][ T8497] kasan_report.cold+0xd/0x37
[ 67.810121][ T8497] ? qrtr_endpoint_post+0x5c1/0x1050
[ 67.815430][ T8497] check_memory_region+0x13d/0x180
[ 67.820544][ T8497] memcpy+0x20/0x60
[ 67.824345][ T8497] qrtr_endpoint_post+0x5c1/0x1050
[ 67.829702][ T8497] qrtr_tun_write_iter+0xf5/0x180
[ 67.834724][ T8497] new_sync_write+0x426/0x650
[ 67.839390][ T8497] ? new_sync_read+0x6e0/0x6e0
[ 67.844172][ T8497] ? kmem_cache_free+0x315/0x350
[ 67.849109][ T8497] ? apparmor_file_permission+0x26e/0x4e0
[ 67.854819][ T8497] ? build_open_flags+0x650/0x650
[ 67.859860][ T8497] vfs_write+0x57d/0x700
[ 67.864097][ T8497] ksys_write+0x12d/0x250
[ 67.868600][ T8497] ? __ia32_sys_read+0xb0/0xb0
[ 67.873359][ T8497] ? syscall_enter_from_user_mode+0x1d/0x50
[ 67.879349][ T8497] do_syscall_64+0x2d/0x70
[ 67.884196][ T8497] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.890090][ T8497] RIP: 0033:0x440279
[ 67.893985][ T8497] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 67.914805][ T8497] RSP: 002b:00007ffc6b4d5d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 67.923207][ T8497] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440279
[ 67.931241][ T8497] RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000003
[ 67.939226][ T8497] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 67.947189][ T8497] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80
[ 67.955155][ T8497] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[ 67.963566][ T8497] Kernel Offset: disabled
[ 67.968009][ T8497] Rebooting in 86400 seconds..