[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   59.567157][ T6843] ==================================================================
[   59.575330][ T6843] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x5c1/0x1050
[   59.583284][ T6843] Read of size 4294967294 at addr ffff8880a97c3790 by task syz-executor445/6843
[   59.592267][ T6843]
[   59.594573][ T6843] CPU: 1 PID: 6843 Comm: syz-executor445 Not tainted 5.8.0-syzkaller #0
[   59.602866][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.612898][ T6843] Call Trace:
[   59.616167][ T6843]  dump_stack+0x18f/0x20d
[   59.620475][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   59.625733][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   59.630997][ T6843]  print_address_description.constprop.0.cold+0xae/0x497
[   59.637999][ T6843]  ? vprintk_func+0x97/0x1a6
[   59.642583][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   59.648028][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   59.653292][ T6843]  kasan_report.cold+0x1f/0x37
[   59.658039][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   59.663304][ T6843]  check_memory_region+0x13d/0x180
[   59.668393][ T6843]  memcpy+0x20/0x60
[   59.672180][ T6843]  qrtr_endpoint_post+0x5c1/0x1050
[   59.677388][ T6843]  qrtr_tun_write_iter+0xf5/0x180
[   59.682394][ T6843]  new_sync_write+0x422/0x650
[   59.687059][ T6843]  ? new_sync_read+0x6e0/0x6e0
[   59.691802][ T6843]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   59.697325][ T6843]  ? apparmor_file_permission+0x26e/0x4e0
[   59.703024][ T6843]  ? build_open_flags+0x650/0x650
[   59.708030][ T6843]  vfs_write+0x5ad/0x730
[   59.712252][ T6843]  ksys_write+0x12d/0x250
[   59.716558][ T6843]  ? __ia32_sys_read+0xb0/0xb0
[   59.721297][ T6843]  ? trace_hardirqs_on+0x5f/0x220
[   59.726298][ T6843]  ? lockdep_hardirqs_on+0x76/0xf0
[   59.731385][ T6843]  __do_fast_syscall_32+0x57/0x80
[   59.736386][ T6843]  do_fast_syscall_32+0x2f/0x70
[   59.741215][ T6843]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[   59.747517][ T6843] RIP: 0023:0xf7fbf569
[   59.751562][ T6843] Code: 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   59.771139][ T6843] RSP: 002b:00000000ffc2780c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[   59.779525][ T6843] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[   59.787496][ T6843] RDX: 0000000000000010 RSI: 00000000080ea078 RDI: 00000000ffc27860
[   59.795441][ T6843] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   59.803387][ T6843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   59.811352][ T6843] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   59.819305][ T6843]
[   59.821612][ T6843] Allocated by task 6843:
[   59.825918][ T6843]  kasan_save_stack+0x1b/0x40
[   59.830588][ T6843]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   59.836193][ T6843]  __kmalloc+0x1a8/0x320
[   59.840410][ T6843]  qrtr_tun_write_iter+0x8a/0x180
[   59.845408][ T6843]  new_sync_write+0x422/0x650
[   59.850059][ T6843]  vfs_write+0x5ad/0x730
[   59.854276][ T6843]  ksys_write+0x12d/0x250
[   59.858581][ T6843]  __do_fast_syscall_32+0x57/0x80
[   59.863575][ T6843]  do_fast_syscall_32+0x2f/0x70
[   59.868397][ T6843]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[   59.874689][ T6843]
[   59.876996][ T6843] The buggy address belongs to the object at ffff8880a97c3780
[   59.876996][ T6843]  which belongs to the cache kmalloc-32 of size 32
[   59.890951][ T6843] The buggy address is located 16 bytes inside of
[   59.890951][ T6843]  32-byte region [ffff8880a97c3780, ffff8880a97c37a0)
[   59.904017][ T6843] The buggy address belongs to the page:
[   59.909644][ T6843] page:000000005e45c943 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a97c3fc1 pfn:0xa97c3
[   59.921064][ T6843] flags: 0xfffe0000000200(slab)
[   59.925909][ T6843] raw: 00fffe0000000200 ffffea0002492408 ffffea00029aab08 ffff8880aa040100
[   59.934484][ T6843] raw: ffff8880a97c3fc1 ffff8880a97c3000 000000010000002f 0000000000000000
[   59.943037][ T6843] page dumped because: kasan: bad access detected
[   59.949417][ T6843]
[   59.951717][ T6843] Memory state around the buggy address:
[   59.957321][ T6843]  ffff8880a97c3680: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   59.965355][ T6843]  ffff8880a97c3700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   59.973389][ T6843] >ffff8880a97c3780: 00 00 fc fc fc fc fc fc 07 fc fc fc fc fc fc fc
[   59.981417][ T6843]                          ^
[   59.985978][ T6843]  ffff8880a97c3800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   59.994014][ T6843]  ffff8880a97c3880: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   60.002044][ T6843] ==================================================================
[   60.010091][ T6843] Disabling lock debugging due to kernel taint
[   60.028079][ T6843] Kernel panic - not syncing: panic_on_warn set ...
[   60.034677][ T6843] CPU: 1 PID: 6843 Comm: syz-executor445 Tainted: G    B             5.8.0-syzkaller #0
[   60.044358][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.054382][ T6843] Call Trace:
[   60.057649][ T6843]  dump_stack+0x18f/0x20d
[   60.061975][ T6843]  ? qrtr_endpoint_post+0x530/0x1050
[   60.067232][ T6843]  panic+0x2e3/0x75c
[   60.071099][ T6843]  ? __warn_printk+0xf3/0xf3
[   60.075662][ T6843]  ? preempt_schedule_common+0x59/0xc0
[   60.081091][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   60.086347][ T6843]  ? preempt_schedule_thunk+0x16/0x18
[   60.091697][ T6843]  ? trace_hardirqs_on+0x55/0x220
[   60.096694][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   60.101949][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   60.107214][ T6843]  end_report+0x4d/0x53
[   60.111342][ T6843]  kasan_report.cold+0xd/0x37
[   60.115991][ T6843]  ? qrtr_endpoint_post+0x5c1/0x1050
[   60.121252][ T6843]  check_memory_region+0x13d/0x180
[   60.126335][ T6843]  memcpy+0x20/0x60
[   60.130118][ T6843]  qrtr_endpoint_post+0x5c1/0x1050
[   60.135204][ T6843]  qrtr_tun_write_iter+0xf5/0x180
[   60.140202][ T6843]  new_sync_write+0x422/0x650
[   60.144850][ T6843]  ? new_sync_read+0x6e0/0x6e0
[   60.149605][ T6843]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   60.155123][ T6843]  ? apparmor_file_permission+0x26e/0x4e0
[   60.160818][ T6843]  ? build_open_flags+0x650/0x650
[   60.165814][ T6843]  vfs_write+0x5ad/0x730
[   60.170039][ T6843]  ksys_write+0x12d/0x250
[   60.174340][ T6843]  ? __ia32_sys_read+0xb0/0xb0
[   60.179078][ T6843]  ? trace_hardirqs_on+0x5f/0x220
[   60.184093][ T6843]  ? lockdep_hardirqs_on+0x76/0xf0
[   60.189201][ T6843]  __do_fast_syscall_32+0x57/0x80
[   60.194197][ T6843]  do_fast_syscall_32+0x2f/0x70
[   60.199018][ T6843]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[   60.205314][ T6843] RIP: 0023:0xf7fbf569
[   60.209356][ T6843] Code: 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   60.228938][ T6843] RSP: 002b:00000000ffc2780c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[   60.237320][ T6843] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[   60.245265][ T6843] RDX: 0000000000000010 RSI: 00000000080ea078 RDI: 00000000ffc27860
[   60.253208][ T6843] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   60.261151][ T6843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   60.269093][ T6843] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   60.278388][ T6843] Kernel Offset: disabled
[   60.282726][ T6843] Rebooting in 86400 seconds..