[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   57.735053][ T6847] ==================================================================
[   57.743277][ T6847] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x5c1/0x1050
[   57.751251][ T6847] Read of size 4294967293 at addr ffff8880a62dc160 by task syz-executor167/6847
[   57.760251][ T6847]
[   57.762567][ T6847] CPU: 1 PID: 6847 Comm: syz-executor167 Not tainted 5.9.0-rc6-syzkaller #0
[   57.771222][ T6847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.781252][ T6847] Call Trace:
[   57.784532][ T6847]  dump_stack+0x198/0x1fd
[   57.788909][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   57.794175][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   57.799447][ T6847]  print_address_description.constprop.0.cold+0xae/0x497
[   57.806448][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   57.811708][ T6847]  ? lockdep_hardirqs_off+0x96/0xd0
[   57.816886][ T6847]  ? vprintk_func+0x95/0x1d4
[   57.821457][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   57.826768][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   57.832027][ T6847]  kasan_report.cold+0x1f/0x37
[   57.836772][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   57.842035][ T6847]  check_memory_region+0x13d/0x180
[   57.847128][ T6847]  memcpy+0x20/0x60
[   57.850912][ T6847]  qrtr_endpoint_post+0x5c1/0x1050
[   57.856023][ T6847]  qrtr_tun_write_iter+0xf5/0x180
[   57.861025][ T6847]  new_sync_write+0x422/0x650
[   57.865681][ T6847]  ? new_sync_read+0x6e0/0x6e0
[   57.870416][ T6847]  ? putname+0xe1/0x120
[   57.874571][ T6847]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   57.880091][ T6847]  ? putname+0xe1/0x120
[   57.884228][ T6847]  ? apparmor_file_permission+0x26e/0x4e0
[   57.889923][ T6847]  ? build_open_flags+0x650/0x650
[   57.894927][ T6847]  vfs_write+0x5ad/0x730
[   57.899148][ T6847]  ksys_write+0x12d/0x250
[   57.903456][ T6847]  ? __ia32_sys_read+0xb0/0xb0
[   57.908196][ T6847]  ? check_preemption_disabled+0x50/0x130
[   57.913918][ T6847]  ? syscall_enter_from_user_mode+0x1d/0x60
[   57.919789][ T6847]  do_syscall_64+0x2d/0x70
[   57.924187][ T6847]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   57.930053][ T6847] RIP: 0033:0x440279
[   57.933944][ T6847] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   57.953535][ T6847] RSP: 002b:00007ffc502d14b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   57.961930][ T6847] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440279
[   57.969882][ T6847] RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000003
[   57.977830][ T6847] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   57.985779][ T6847] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80
[   57.993746][ T6847] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   58.001721][ T6847]
[   58.004026][ T6847] Allocated by task 6847:
[   58.008337][ T6847]  kasan_save_stack+0x1b/0x40
[   58.012990][ T6847]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   58.018596][ T6847]  __kmalloc+0x1b0/0x360
[   58.022834][ T6847]  qrtr_tun_write_iter+0x8a/0x180
[   58.027837][ T6847]  new_sync_write+0x422/0x650
[   58.032492][ T6847]  vfs_write+0x5ad/0x730
[   58.036708][ T6847]  ksys_write+0x12d/0x250
[   58.041011][ T6847]  do_syscall_64+0x2d/0x70
[   58.045404][ T6847]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.051365][ T6847]
[   58.053671][ T6847] The buggy address belongs to the object at ffff8880a62dc140
[   58.053671][ T6847]  which belongs to the cache kmalloc-32 of size 32
[   58.067539][ T6847] The buggy address is located 0 bytes to the right of
[   58.067539][ T6847]  32-byte region [ffff8880a62dc140, ffff8880a62dc160)
[   58.081056][ T6847] The buggy address belongs to the page:
[   58.086667][ T6847] page:000000008c79c906 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a62dcfc1 pfn:0xa62dc
[   58.098101][ T6847] flags: 0xfffe0000000200(slab)
[   58.103022][ T6847] raw: 00fffe0000000200 ffffea0002986a48 ffffea0002780148 ffff8880aa040100
[   58.111585][ T6847] raw: ffff8880a62dcfc1 ffff8880a62dc000 000000010000003e 0000000000000000
[   58.120144][ T6847] page dumped because: kasan: bad access detected
[   58.126581][ T6847]
[   58.128887][ T6847] Memory state around the buggy address:
[   58.134551][ T6847]  ffff8880a62dc000: 00 01 fc fc fc fc fc fc fa fb fb fb fc fc fc fc
[   58.142591][ T6847]  ffff8880a62dc080: fa fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[   58.150668][ T6847] >ffff8880a62dc100: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   58.158740][ T6847]                                                ^
[   58.165909][ T6847]  ffff8880a62dc180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   58.173965][ T6847]  ffff8880a62dc200: fa fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   58.181998][ T6847] ==================================================================
[   58.190029][ T6847] Disabling lock debugging due to kernel taint
[   58.196497][ T6847] Kernel panic - not syncing: panic_on_warn set ...
[   58.203094][ T6847] CPU: 1 PID: 6847 Comm: syz-executor167 Tainted: G    B             5.9.0-rc6-syzkaller #0
[   58.213242][ T6847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.223279][ T6847] Call Trace:
[   58.226549][ T6847]  dump_stack+0x198/0x1fd
[   58.230851][ T6847]  ? qrtr_endpoint_post+0x540/0x1050
[   58.236890][ T6847]  panic+0x382/0x7fb
[   58.240770][ T6847]  ? __warn_printk+0xf3/0xf3
[   58.245332][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   58.250591][ T6847]  ? trace_hardirqs_on+0x55/0x220
[   58.255601][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   58.260857][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   58.266114][ T6847]  end_report+0x4d/0x53
[   58.270243][ T6847]  kasan_report.cold+0xd/0x37
[   58.274891][ T6847]  ? qrtr_endpoint_post+0x5c1/0x1050
[   58.280163][ T6847]  check_memory_region+0x13d/0x180
[   58.285244][ T6847]  memcpy+0x20/0x60
[   58.289039][ T6847]  qrtr_endpoint_post+0x5c1/0x1050
[   58.294123][ T6847]  qrtr_tun_write_iter+0xf5/0x180
[   58.299122][ T6847]  new_sync_write+0x422/0x650
[   58.303771][ T6847]  ? new_sync_read+0x6e0/0x6e0
[   58.308504][ T6847]  ? putname+0xe1/0x120
[   58.312650][ T6847]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   58.318182][ T6847]  ? putname+0xe1/0x120
[   58.322310][ T6847]  ? apparmor_file_permission+0x26e/0x4e0
[   58.328002][ T6847]  ? build_open_flags+0x650/0x650
[   58.333001][ T6847]  vfs_write+0x5ad/0x730
[   58.337215][ T6847]  ksys_write+0x12d/0x250
[   58.341514][ T6847]  ? __ia32_sys_read+0xb0/0xb0
[   58.346249][ T6847]  ? check_preemption_disabled+0x50/0x130
[   58.351953][ T6847]  ? syscall_enter_from_user_mode+0x1d/0x60
[   58.357850][ T6847]  do_syscall_64+0x2d/0x70
[   58.362242][ T6847]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   58.368104][ T6847] RIP: 0033:0x440279
[   58.372047][ T6847] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.391656][ T6847] RSP: 002b:00007ffc502d14b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   58.400046][ T6847] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440279
[   58.407993][ T6847] RDX: 0000000000000020 RSI: 0000000020000000 RDI: 0000000000000003
[   58.416019][ T6847] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   58.423967][ T6847] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a80
[   58.431914][ T6847] R13: 0000000000401b10 R14: 0000000000000000 R15: 0000000000000000
[   58.441116][ T6847] Kernel Offset: disabled
[   58.445432][ T6847] Rebooting in 86400 seconds..