Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.236' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 42.288057][ T6829] ==================================================================
[ 42.296442][ T6829] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x659/0x1150
[ 42.305264][ T6829] Read of size 4294967294 at addr ffff8880a30c5b10 by task syz-executor633/6829
[ 42.314273][ T6829]
[ 42.316588][ T6829] CPU: 0 PID: 6829 Comm: syz-executor633 Not tainted 5.8.0-rc7-syzkaller #0
[ 42.325229][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.335322][ T6829] Call Trace:
[ 42.338590][ T6829]  dump_stack+0x1f0/0x31e
[ 42.342898][ T6829]  print_address_description+0x66/0x5a0
[ 42.348423][ T6829]  ? printk+0x62/0x83
[ 42.354296][ T6829]  ? vprintk_emit+0x339/0x3c0
[ 42.358959][ T6829]  kasan_report+0x132/0x1d0
[ 42.363445][ T6829]  ? qrtr_endpoint_post+0x659/0x1150
[ 42.368717][ T6829]  check_memory_region+0x2b5/0x2f0
[ 42.373809][ T6829]  ? qrtr_endpoint_post+0x659/0x1150
[ 42.379087][ T6829]  memcpy+0x25/0x60
[ 42.382919][ T6829]  qrtr_endpoint_post+0x659/0x1150
[ 42.388039][ T6829]  qrtr_tun_write_iter+0xc6/0x120
[ 42.393045][ T6829]  vfs_write+0xa08/0xc70
[ 42.397357][ T6829]  ksys_write+0x11b/0x220
[ 42.401762][ T6829]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.407808][ T6829]  do_syscall_64+0x73/0xe0
[ 42.412206][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.418078][ T6829] RIP: 0033:0x440259
[ 42.421951][ T6829] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 42.441628][ T6829] RSP: 002b:00007ffeb88718b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 42.450016][ T6829] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 42.457966][ T6829] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 42.465936][ T6829] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.473884][ T6829] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 42.481835][ T6829] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 42.489796][ T6829]
[ 42.492104][ T6829] Allocated by task 6829:
[ 42.496434][ T6829]  __kasan_kmalloc+0x103/0x140
[ 42.501169][ T6829]  __kmalloc+0x24b/0x330
[ 42.505405][ T6829]  kzalloc+0x16/0x30
[ 42.509274][ T6829]  qrtr_tun_write_iter+0x76/0x120
[ 42.514273][ T6829]  vfs_write+0xa08/0xc70
[ 42.518490][ T6829]  ksys_write+0x11b/0x220
[ 42.522793][ T6829]  do_syscall_64+0x73/0xe0
[ 42.527188][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.533077][ T6829]
[ 42.535401][ T6829] Freed by task 1:
[ 42.539105][ T6829]  __kasan_slab_free+0x114/0x170
[ 42.544018][ T6829]  kfree+0x10a/0x220
[ 42.547919][ T6829]  tomoyo_path_perm+0x59b/0x740
[ 42.552758][ T6829]  security_inode_getattr+0xc0/0x140
[ 42.558043][ T6829]  vfs_statx+0x118/0x380
[ 42.562279][ T6829]  __x64_sys_newlstat+0x81/0xd0
[ 42.567111][ T6829]  do_syscall_64+0x73/0xe0
[ 42.571503][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.577385][ T6829]
[ 42.579689][ T6829] The buggy address belongs to the object at ffff8880a30c5b00
[ 42.579689][ T6829]  which belongs to the cache kmalloc-32 of size 32
[ 42.593551][ T6829] The buggy address is located 16 bytes inside of
[ 42.593551][ T6829]  32-byte region [ffff8880a30c5b00, ffff8880a30c5b20)
[ 42.606683][ T6829] The buggy address belongs to the page:
[ 42.612297][ T6829] page:ffffea00028c3140 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a30c5fc1
[ 42.622766][ T6829] flags: 0xfffe0000000200(slab)
[ 42.627593][ T6829] raw: 00fffe0000000200 ffffea0002685bc8 ffffea00029247c8 ffff8880aa4001c0
[ 42.636153][ T6829] raw: ffff8880a30c5fc1 ffff8880a30c5000 000000010000003f 0000000000000000
[ 42.644710][ T6829] page dumped because: kasan: bad access detected
[ 42.651119][ T6829]
[ 42.653427][ T6829] Memory state around the buggy address:
[ 42.659148][ T6829]  ffff8880a30c5a00: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
[ 42.668506][ T6829]  ffff8880a30c5a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 42.676563][ T6829] >ffff8880a30c5b00: 00 00 fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
[ 42.684596][ T6829]                          ^
[ 42.689184][ T6829]  ffff8880a30c5b80: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[ 42.697257][ T6829]  ffff8880a30c5c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 42.705291][ T6829] ==================================================================
[ 42.713342][ T6829] Disabling lock debugging due to kernel taint
[ 42.732700][ T6829] Kernel panic - not syncing: panic_on_warn set ...
[ 42.739321][ T6829] CPU: 0 PID: 6829 Comm: syz-executor633 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 42.749356][ T6829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.759386][ T6829] Call Trace:
[ 42.762653][ T6829]  dump_stack+0x1f0/0x31e
[ 42.766975][ T6829]  panic+0x264/0x7a0
[ 42.770843][ T6829]  ? trace_hardirqs_on+0x30/0x80
[ 42.775753][ T6829]  kasan_report+0x1c9/0x1d0
[ 42.780230][ T6829]  ? qrtr_endpoint_post+0x659/0x1150
[ 42.785502][ T6829]  check_memory_region+0x2b5/0x2f0
[ 42.790593][ T6829]  ? qrtr_endpoint_post+0x659/0x1150
[ 42.795856][ T6829]  memcpy+0x25/0x60
[ 42.799645][ T6829]  qrtr_endpoint_post+0x659/0x1150
[ 42.804748][ T6829]  qrtr_tun_write_iter+0xc6/0x120
[ 42.809744][ T6829]  vfs_write+0xa08/0xc70
[ 42.813975][ T6829]  ksys_write+0x11b/0x220
[ 42.818282][ T6829]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.824320][ T6829]  do_syscall_64+0x73/0xe0
[ 42.828711][ T6829]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.834581][ T6829] RIP: 0033:0x440259
[ 42.838460][ T6829] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 42.858058][ T6829] RSP: 002b:00007ffeb88718b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 42.866458][ T6829] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 42.874404][ T6829] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 42.882347][ T6829] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 42.890378][ T6829] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 42.898324][ T6829] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 42.907666][ T6829] Kernel Offset: disabled
[ 42.911991][ T6829] Rebooting in 86400 seconds..