Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 64.506943][ T6834] ==================================================================
[ 64.516054][ T6834] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x5c1/0x1050
[ 64.524971][ T6834] Read of size 4294967294 at addr ffff8880a1cf1d10 by task syz-executor595/6834
[ 64.534032][ T6834]
[ 64.536358][ T6834] CPU: 1 PID: 6834 Comm: syz-executor595 Not tainted 5.8.0-rc7-syzkaller #0
[ 64.545018][ T6834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.555082][ T6834] Call Trace:
[ 64.558564][ T6834] dump_stack+0x18f/0x20d
[ 64.562929][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 64.568408][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 64.573944][ T6834] print_address_description.constprop.0.cold+0xae/0x436
[ 64.581358][ T6834] ? __might_fault+0x11f/0x1d0
[ 64.586721][ T6834] ? lockdep_hardirqs_off+0x66/0xa0
[ 64.591938][ T6834] ? vprintk_func+0x97/0x1a6
[ 64.596820][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 64.602729][ T6834] kasan_report.cold+0x1f/0x37
[ 64.607620][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 64.612927][ T6834] check_memory_region+0x13d/0x180
[ 64.618051][ T6834] memcpy+0x20/0x60
[ 64.621968][ T6834] qrtr_endpoint_post+0x5c1/0x1050
[ 64.627087][ T6834] qrtr_tun_write_iter+0xf5/0x180
[ 64.632123][ T6834] new_sync_write+0x422/0x650
[ 64.636809][ T6834] ? new_sync_read+0x6e0/0x6e0
[ 64.641686][ T6834] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 64.647267][ T6834] ? apparmor_file_permission+0x26e/0x4e0
[ 64.652994][ T6834] ? build_open_flags+0x650/0x650
[ 64.658118][ T6834] vfs_write+0x59d/0x6b0
[ 64.662365][ T6834] ksys_write+0x12d/0x250
[ 64.667177][ T6834] ? __ia32_sys_read+0xb0/0xb0
[ 64.671960][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 64.677071][ T6834] ? do_syscall_64+0x1c/0xe0
[ 64.681768][ T6834] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 64.687873][ T6834] do_syscall_64+0x60/0xe0
[ 64.692317][ T6834] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.698624][ T6834] RIP: 0033:0x440259
[ 64.702552][ T6834] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.722284][ T6834] RSP: 002b:00007ffd16e750a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 64.730712][ T6834] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 64.738778][ T6834] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 64.746748][ T6834] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 64.754974][ T6834] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 64.762959][ T6834] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 64.770948][ T6834]
[ 64.773275][ T6834] Allocated by task 6834:
[ 64.777668][ T6834] save_stack+0x1b/0x40
[ 64.781965][ T6834] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 64.787715][ T6834] __kmalloc+0x17a/0x340
[ 64.791966][ T6834] qrtr_tun_write_iter+0x8a/0x180
[ 64.797722][ T6834] new_sync_write+0x422/0x650
[ 64.802422][ T6834] vfs_write+0x59d/0x6b0
[ 64.807083][ T6834] ksys_write+0x12d/0x250
[ 64.811504][ T6834] do_syscall_64+0x60/0xe0
[ 64.818208][ T6834] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.825581][ T6834]
[ 64.827989][ T6834] Freed by task 1:
[ 64.831806][ T6834] save_stack+0x1b/0x40
[ 64.836629][ T6834] __kasan_slab_free+0xf5/0x140
[ 64.842296][ T6834] kfree+0x103/0x2c0
[ 64.846562][ T6834] tomoyo_path_perm+0x234/0x3f0
[ 64.853657][ T6834] security_inode_getattr+0xcf/0x140
[ 64.861312][ T6834] vfs_statx+0x170/0x390
[ 64.865846][ T6834] __do_sys_newlstat+0x91/0x110
[ 64.871125][ T6834] do_syscall_64+0x60/0xe0
[ 64.875574][ T6834] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.881761][ T6834]
[ 64.884092][ T6834] The buggy address belongs to the object at ffff8880a1cf1d00
[ 64.884092][ T6834]  which belongs to the cache kmalloc-32 of size 32
[ 64.898195][ T6834] The buggy address is located 16 bytes inside of
[ 64.898195][ T6834]  32-byte region [ffff8880a1cf1d00, ffff8880a1cf1d20)
[ 64.911397][ T6834] The buggy address belongs to the page:
[ 64.918780][ T6834] page:ffffea0002873c40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a1cf1fc1
[ 64.931135][ T6834] flags: 0xfffe0000000200(slab)
[ 64.936000][ T6834] raw: 00fffe0000000200 ffffea000269e108 ffffea000287b508 ffff8880aa0001c0
[ 64.944814][ T6834] raw: ffff8880a1cf1fc1 ffff8880a1cf1000 000000010000003f 0000000000000000
[ 64.953436][ T6834] page dumped because: kasan: bad access detected
[ 64.960371][ T6834]
[ 64.962709][ T6834] Memory state around the buggy address:
[ 64.968448][ T6834]  ffff8880a1cf1c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 64.976699][ T6834]  ffff8880a1cf1c80: fb fb fb fb fc fc fc fc 00 04 fc fc fc fc fc fc
[ 64.984789][ T6834] >ffff8880a1cf1d00: 00 00 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[ 64.992945][ T6834]                          ^
[ 64.997735][ T6834]  ffff8880a1cf1d80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 65.005910][ T6834]  ffff8880a1cf1e00: 07 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 65.014073][ T6834] ==================================================================
[ 65.022329][ T6834] Disabling lock debugging due to kernel taint
[ 65.064662][ T6834] Kernel panic - not syncing: panic_on_warn set ...
[ 65.071402][ T6834] CPU: 0 PID: 6834 Comm: syz-executor595 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 65.083145][ T6834] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.093212][ T6834] Call Trace:
[ 65.096700][ T6834] dump_stack+0x18f/0x20d
[ 65.101047][ T6834] ? qrtr_endpoint_post+0x4d0/0x1050
[ 65.106326][ T6834] panic+0x2e3/0x75c
[ 65.110235][ T6834] ? __warn_printk+0xf3/0xf3
[ 65.114824][ T6834] ? preempt_schedule_common+0x59/0xc0
[ 65.120510][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 65.125920][ T6834] ? preempt_schedule_thunk+0x16/0x18
[ 65.131301][ T6834] ? trace_hardirqs_on+0x55/0x220
[ 65.136330][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 65.142412][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 65.147822][ T6834] end_report+0x4d/0x53
[ 65.151973][ T6834] kasan_report.cold+0xd/0x37
[ 65.157111][ T6834] ? qrtr_endpoint_post+0x5c1/0x1050
[ 65.162585][ T6834] check_memory_region+0x13d/0x180
[ 65.168305][ T6834] memcpy+0x20/0x60
[ 65.172146][ T6834] qrtr_endpoint_post+0x5c1/0x1050
[ 65.177256][ T6834] qrtr_tun_write_iter+0xf5/0x180
[ 65.182284][ T6834] new_sync_write+0x422/0x650
[ 65.186968][ T6834] ? new_sync_read+0x6e0/0x6e0
[ 65.191731][ T6834] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 65.197382][ T6834] ? apparmor_file_permission+0x26e/0x4e0
[ 65.203196][ T6834] ? build_open_flags+0x650/0x650
[ 65.208355][ T6834] vfs_write+0x59d/0x6b0
[ 65.212780][ T6834] ksys_write+0x12d/0x250
[ 65.217106][ T6834] ? __ia32_sys_read+0xb0/0xb0
[ 65.222843][ T6834] ? lock_is_held_type+0xb0/0xe0
[ 65.227790][ T6834] ? do_syscall_64+0x1c/0xe0
[ 65.232471][ T6834] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 65.238675][ T6834] do_syscall_64+0x60/0xe0
[ 65.243113][ T6834] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.249010][ T6834] RIP: 0033:0x440259
[ 65.253775][ T6834] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.274002][ T6834] RSP: 002b:00007ffd16e750a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.283033][ T6834] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 65.291013][ T6834] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 65.298991][ T6834] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 65.308144][ T6834] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 65.316129][ T6834] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 65.329824][ T6834] Kernel Offset: disabled
[ 65.334820][ T6834] Rebooting in 86400 seconds..