Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 62.303347][ T6806] ==================================================================
[ 62.311537][ T6806] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0xeeb/0x1010
[ 62.319493][ T6806] Read of size 2 at addr ffff88809de50c48 by task syz-executor531/6806
[ 62.327700][ T6806]
[ 62.330012][ T6806] CPU: 0 PID: 6806 Comm: syz-executor531 Not tainted 5.8.0-rc2-syzkaller #0
[ 62.338661][ T6806] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.348696][ T6806] Call Trace:
[ 62.351968][ T6806] dump_stack+0x18f/0x20d
[ 62.356280][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.361539][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.366805][ T6806] print_address_description.constprop.0.cold+0xae/0x436
[ 62.373805][ T6806] ? vprintk_func+0x97/0x1a6
[ 62.378377][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.383637][ T6806] kasan_report.cold+0x1f/0x37
[ 62.388381][ T6806] ? __netdev_alloc_skb+0x90/0x420
[ 62.393470][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.398734][ T6806] qrtr_endpoint_post+0xeeb/0x1010
[ 62.403823][ T6806] qrtr_tun_write_iter+0xf5/0x180
[ 62.409889][ T6806] do_iter_readv_writev+0x567/0x780
[ 62.415076][ T6806] ? get_order+0x20/0x20
[ 62.419315][ T6806] ? apparmor_file_permission+0x26e/0x4e0
[ 62.425024][ T6806] do_iter_write+0x188/0x5f0
[ 62.429598][ T6806] compat_writev+0x1ea/0x390
[ 62.434162][ T6806] ? do_pwritev+0x270/0x270
[ 62.438708][ T6806] ? putname+0xe1/0x120
[ 62.442901][ T6806] ? putname+0xe1/0x120
[ 62.447087][ T6806] ? do_sys_openat2+0xa2/0x3b0
[ 62.451840][ T6806] ? build_open_flags+0x650/0x650
[ 62.456856][ T6806] ? __up_read+0x1a1/0x7b0
[ 62.461260][ T6806] do_compat_pwritev64+0x180/0x1b0
[ 62.466368][ T6806] ? do_compat_writev+0x1d0/0x1d0
[ 62.471374][ T6806] ? do_fast_syscall_32+0x40/0x120
[ 62.476468][ T6806] do_syscall_32_irqs_on+0x3f/0x60
[ 62.481554][ T6806] do_fast_syscall_32+0x7f/0x120
[ 62.486470][ T6806] entry_SYSENTER_compat+0x6d/0x7c
[ 62.491556][ T6806] RIP: 0023:0xf7f8f569
[ 62.495596][ T6806] Code: Bad RIP value.
[ 62.499636][ T6806] RSP: 002b:00000000ffda5ffc EFLAGS: 00000292 ORIG_RAX: 000000000000014e
[ 62.508023][ T6806] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000440
[ 62.515972][ T6806] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000080bb528
[ 62.523921][ T6806] RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
[ 62.531868][ T6806] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 62.540250][ T6806] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 62.548206][ T6806]
[ 62.550513][ T6806] Allocated by task 6806:
[ 62.554821][ T6806] save_stack+0x1b/0x40
[ 62.559039][ T6806] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 62.564660][ T6806] __kmalloc+0x17a/0x340
[ 62.568881][ T6806] qrtr_tun_write_iter+0x8a/0x180
[ 62.573879][ T6806] do_iter_readv_writev+0x567/0x780
[ 62.579068][ T6806] do_iter_write+0x188/0x5f0
[ 62.583650][ T6806] compat_writev+0x1ea/0x390
[ 62.588231][ T6806] do_compat_pwritev64+0x180/0x1b0
[ 62.594802][ T6806] do_syscall_32_irqs_on+0x3f/0x60
[ 62.599892][ T6806] do_fast_syscall_32+0x7f/0x120
[ 62.604804][ T6806] entry_SYSENTER_compat+0x6d/0x7c
[ 62.609885][ T6806]
[ 62.612190][ T6806] Freed by task 1:
[ 62.615890][ T6806] save_stack+0x1b/0x40
[ 62.620022][ T6806] __kasan_slab_free+0xf5/0x140
[ 62.624846][ T6806] kfree+0x103/0x2c0
[ 62.628716][ T6806] tomoyo_path_perm+0x234/0x3f0
[ 62.633538][ T6806] security_inode_getattr+0xcf/0x140
[ 62.638800][ T6806] vfs_statx+0x170/0x390
[ 62.643029][ T6806] __do_sys_newlstat+0x91/0x110
[ 62.647856][ T6806] do_syscall_64+0x60/0xe0
[ 62.653063][ T6806] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.658923][ T6806]
[ 62.661228][ T6806] The buggy address belongs to the object at ffff88809de50c40
[ 62.661228][ T6806] which belongs to the cache kmalloc-32 of size 32
[ 62.675082][ T6806] The buggy address is located 8 bytes inside of
[ 62.675082][ T6806] 32-byte region [ffff88809de50c40, ffff88809de50c60)
[ 62.688068][ T6806] The buggy address belongs to the page:
[ 62.693678][ T6806] page:ffffea0002779400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809de50fc1
[ 62.704062][ T6806] flags: 0xfffe0000000200(slab)
[ 62.708902][ T6806] raw: 00fffe0000000200 ffffea000277e008 ffffea0002761c88 ffff8880aa0001c0
[ 62.717465][ T6806] raw: ffff88809de50fc1 ffff88809de50000 000000010000003f 0000000000000000
[ 62.726023][ T6806] page dumped because: kasan: bad access detected
[ 62.732404][ T6806]
[ 62.734706][ T6806] Memory state around the buggy address:
[ 62.740315][ T6806]  ffff88809de50b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 62.748355][ T6806]  ffff88809de50b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 62.756393][ T6806] >ffff88809de50c00: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[ 62.764432][ T6806]                                               ^
[ 62.770849][ T6806]  ffff88809de50c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 62.778894][ T6806]  ffff88809de50d00: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[ 62.786926][ T6806] ==================================================================
[ 62.794956][ T6806] Disabling lock debugging due to kernel taint
[ 62.801598][ T6806] Kernel panic - not syncing: panic_on_warn set ...
[ 62.808193][ T6806] CPU: 0 PID: 6806 Comm: syz-executor531 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 62.818246][ T6806] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.828293][ T6806] Call Trace:
[ 62.831562][ T6806] dump_stack+0x18f/0x20d
[ 62.835879][ T6806] ? qrtr_endpoint_post+0xe80/0x1010
[ 62.841180][ T6806] panic+0x2e3/0x75c
[ 62.845099][ T6806] ? __warn_printk+0xf3/0xf3
[ 62.849699][ T6806] ? preempt_schedule_common+0x59/0xc0
[ 62.855165][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.860478][ T6806] ? preempt_schedule_thunk+0x16/0x18
[ 62.865842][ T6806] ? trace_hardirqs_on+0x55/0x220
[ 62.870871][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.876159][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.881616][ T6806] end_report+0x4d/0x53
[ 62.885774][ T6806] kasan_report.cold+0xd/0x37
[ 62.890453][ T6806] ? __netdev_alloc_skb+0x90/0x420
[ 62.895559][ T6806] ? qrtr_endpoint_post+0xeeb/0x1010
[ 62.900841][ T6806] qrtr_endpoint_post+0xeeb/0x1010
[ 62.905960][ T6806] qrtr_tun_write_iter+0xf5/0x180
[ 62.910988][ T6806] do_iter_readv_writev+0x567/0x780
[ 62.916166][ T6806] ? get_order+0x20/0x20
[ 62.920388][ T6806] ? apparmor_file_permission+0x26e/0x4e0
[ 62.926088][ T6806] do_iter_write+0x188/0x5f0
[ 62.930655][ T6806] compat_writev+0x1ea/0x390
[ 62.935223][ T6806] ? do_pwritev+0x270/0x270
[ 62.939717][ T6806] ? putname+0xe1/0x120
[ 62.943849][ T6806] ? putname+0xe1/0x120
[ 62.947979][ T6806] ? do_sys_openat2+0xa2/0x3b0
[ 62.952723][ T6806] ? build_open_flags+0x650/0x650
[ 62.957723][ T6806] ? __up_read+0x1a1/0x7b0
[ 62.962114][ T6806] do_compat_pwritev64+0x180/0x1b0
[ 62.967200][ T6806] ? do_compat_writev+0x1d0/0x1d0
[ 62.972198][ T6806] ? do_fast_syscall_32+0x40/0x120
[ 62.977319][ T6806] do_syscall_32_irqs_on+0x3f/0x60
[ 62.982402][ T6806] do_fast_syscall_32+0x7f/0x120
[ 62.987315][ T6806] entry_SYSENTER_compat+0x6d/0x7c
[ 62.992397][ T6806] RIP: 0023:0xf7f8f569
[ 62.996435][ T6806] Code: Bad RIP value.
[ 63.000472][ T6806] RSP: 002b:00000000ffda5ffc EFLAGS: 00000292 ORIG_RAX: 000000000000014e
[ 63.008941][ T6806] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000440
[ 63.016887][ T6806] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000080bb528
[ 63.024843][ T6806] RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
[ 63.032787][ T6806] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 63.040734][ T6806] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 63.050014][ T6806] Kernel Offset: disabled
[ 63.054331][ T6806] Rebooting in 86400 seconds..