Warning: Permanently added '10.128.0.176' (ECDSA) to the list of known hosts.
executing program
[ 58.505848][ T6796] ==================================================================
[ 58.514056][ T6796] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0xeeb/0x1010
[ 58.522010][ T6796] Read of size 2 at addr ffff88809e5a7508 by task syz-executor201/6796
[ 58.530215][ T6796]
[ 58.532534][ T6796] CPU: 0 PID: 6796 Comm: syz-executor201 Not tainted 5.8.0-rc2-syzkaller #0
[ 58.541175][ T6796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.551201][ T6796] Call Trace:
[ 58.554467][ T6796] dump_stack+0x18f/0x20d
[ 58.558772][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 58.564027][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 58.569289][ T6796] print_address_description.constprop.0.cold+0xae/0x436
[ 58.576300][ T6796] ? vprintk_func+0x97/0x1a6
[ 58.580877][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 58.586134][ T6796] kasan_report.cold+0x1f/0x37
[ 58.590875][ T6796] ? __netdev_alloc_skb+0x90/0x420
[ 58.595958][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 58.601216][ T6796] qrtr_endpoint_post+0xeeb/0x1010
[ 58.606303][ T6796] qrtr_tun_write_iter+0xf5/0x180
[ 58.611304][ T6796] do_iter_readv_writev+0x567/0x780
[ 58.616475][ T6796] ? get_order+0x20/0x20
[ 58.620702][ T6796] ? apparmor_file_permission+0x26e/0x4e0
[ 58.626403][ T6796] do_iter_write+0x188/0x5f0
[ 58.630969][ T6796] ? trace_hardirqs_off+0x27/0x210
[ 58.636070][ T6796] vfs_writev+0x1aa/0x2e0
[ 58.640389][ T6796] ? vfs_iter_write+0xa0/0xa0
[ 58.645057][ T6796] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 58.650583][ T6796] ? putname+0xe1/0x120
[ 58.654720][ T6796] ? build_open_flags+0x650/0x650
[ 58.659738][ T6796] ? _down_write_nest_lock+0x150/0x150
[ 58.665177][ T6796] __x64_sys_pwritev+0x231/0x310
[ 58.670094][ T6796] ? __ia32_sys_preadv2+0x150/0x150
[ 58.675269][ T6796] ? do_syscall_64+0x1c/0xe0
[ 58.679837][ T6796] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 58.685792][ T6796] do_syscall_64+0x60/0xe0
[ 58.690185][ T6796] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.696053][ T6796] RIP: 0033:0x4401d9
[ 58.699916][ T6796] Code: Bad RIP value.
[ 58.703954][ T6796] RSP: 002b:00007ffc466e9768 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
[ 58.712337][ T6796] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401d9
[ 58.720283][ T6796] RDX: 0000000000000001 RSI: 0000000020000440 RDI: 0000000000000003
[ 58.728227][ T6796] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 58.736170][ T6796] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 58.744113][ T6796] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 58.752107][ T6796]
[ 58.754431][ T6796] Allocated by task 6796:
[ 58.758735][ T6796] save_stack+0x1b/0x40
[ 58.762867][ T6796] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 58.768470][ T6796] __kmalloc+0x17a/0x340
[ 58.772687][ T6796] qrtr_tun_write_iter+0x8a/0x180
[ 58.777684][ T6796] do_iter_readv_writev+0x567/0x780
[ 58.782856][ T6796] do_iter_write+0x188/0x5f0
[ 58.787418][ T6796] vfs_writev+0x1aa/0x2e0
[ 58.791719][ T6796] __x64_sys_pwritev+0x231/0x310
[ 58.796627][ T6796] do_syscall_64+0x60/0xe0
[ 58.801367][ T6796] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.807223][ T6796]
[ 58.809525][ T6796] Freed by task 4840:
[ 58.813479][ T6796] save_stack+0x1b/0x40
[ 58.817606][ T6796] __kasan_slab_free+0xf5/0x140
[ 58.822428][ T6796] kfree+0x103/0x2c0
[ 58.826308][ T6796] single_release+0x8c/0xb0
[ 58.830796][ T6796] close_pdeo.part.0+0xdc/0x2e0
[ 58.835617][ T6796] proc_reg_release+0x2e9/0x360
[ 58.840437][ T6796] __fput+0x33c/0x880
[ 58.844390][ T6796] task_work_run+0xdd/0x190
[ 58.848866][ T6796] __prepare_exit_to_usermode+0x1e9/0x1f0
[ 58.854556][ T6796] do_syscall_64+0x6c/0xe0
[ 58.858953][ T6796] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.864811][ T6796]
[ 58.867114][ T6796] The buggy address belongs to the object at ffff88809e5a7500
[ 58.867114][ T6796] which belongs to the cache kmalloc-32 of size 32
[ 58.880972][ T6796] The buggy address is located 8 bytes inside of
[ 58.880972][ T6796] 32-byte region [ffff88809e5a7500, ffff88809e5a7520)
[ 58.893953][ T6796] The buggy address belongs to the page:
[ 58.899568][ T6796] page:ffffea00027969c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e5a7fc1
[ 58.909957][ T6796] flags: 0xfffe0000000200(slab)
[ 58.916432][ T6796] raw: 00fffe0000000200 ffffea0002797048 ffffea00027b06c8 ffff8880aa0001c0
[ 58.925002][ T6796] raw: ffff88809e5a7fc1 ffff88809e5a7000 0000000100000016 0000000000000000
[ 58.933555][ T6796] page dumped because: kasan: bad access detected
[ 58.939948][ T6796]
[ 58.942258][ T6796] Memory state around the buggy address:
[ 58.947867][ T6796] ffff88809e5a7400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 58.955900][ T6796] ffff88809e5a7480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 58.963937][ T6796] >ffff88809e5a7500: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 58.971967][ T6796] ^
[ 58.976268][ T6796] ffff88809e5a7580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 58.984301][ T6796] ffff88809e5a7600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 58.992330][ T6796] ==================================================================
[ 59.000358][ T6796] Disabling lock debugging due to kernel taint
[ 59.020082][ T6796] Kernel panic - not syncing: panic_on_warn set ...
[ 59.026664][ T6796] CPU: 0 PID: 6796 Comm: syz-executor201 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 59.036701][ T6796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.046725][ T6796] Call Trace:
[ 59.049992][ T6796] dump_stack+0x18f/0x20d
[ 59.054306][ T6796] ? qrtr_endpoint_post+0xe80/0x1010
[ 59.059559][ T6796] panic+0x2e3/0x75c
[ 59.063429][ T6796] ? __warn_printk+0xf3/0xf3
[ 59.067992][ T6796] ? preempt_schedule_common+0x59/0xc0
[ 59.073422][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 59.078678][ T6796] ? preempt_schedule_thunk+0x16/0x18
[ 59.084020][ T6796] ? trace_hardirqs_on+0x55/0x220
[ 59.089013][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 59.094265][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 59.099522][ T6796] end_report+0x4d/0x53
[ 59.103649][ T6796] kasan_report.cold+0xd/0x37
[ 59.108297][ T6796] ? __netdev_alloc_skb+0x90/0x420
[ 59.113376][ T6796] ? qrtr_endpoint_post+0xeeb/0x1010
[ 59.118631][ T6796] qrtr_endpoint_post+0xeeb/0x1010
[ 59.123714][ T6796] qrtr_tun_write_iter+0xf5/0x180
[ 59.128711][ T6796] do_iter_readv_writev+0x567/0x780
[ 59.133879][ T6796] ? get_order+0x20/0x20
[ 59.138096][ T6796] ? apparmor_file_permission+0x26e/0x4e0
[ 59.143818][ T6796] do_iter_write+0x188/0x5f0
[ 59.148379][ T6796] ? trace_hardirqs_off+0x27/0x210
[ 59.153462][ T6796] vfs_writev+0x1aa/0x2e0
[ 59.157762][ T6796] ? vfs_iter_write+0xa0/0xa0
[ 59.162411][ T6796] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 59.167925][ T6796] ? putname+0xe1/0x120
[ 59.172054][ T6796] ? build_open_flags+0x650/0x650
[ 59.177052][ T6796] ? _down_write_nest_lock+0x150/0x150
[ 59.182483][ T6796] __x64_sys_pwritev+0x231/0x310
[ 59.187390][ T6796] ? __ia32_sys_preadv2+0x150/0x150
[ 59.192559][ T6796] ? do_syscall_64+0x1c/0xe0
[ 59.197120][ T6796] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 59.203071][ T6796] do_syscall_64+0x60/0xe0
[ 59.207462][ T6796] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 59.213337][ T6796] RIP: 0033:0x4401d9
[ 59.217214][ T6796] Code: Bad RIP value.
[ 59.221247][ T6796] RSP: 002b:00007ffc466e9768 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
[ 59.229626][ T6796] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401d9
[ 59.237574][ T6796] RDX: 0000000000000001 RSI: 0000000020000440 RDI: 0000000000000003
[ 59.245520][ T6796] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 59.253461][ T6796] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 59.261416][ T6796] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 59.270390][ T6796] Kernel Offset: disabled
[ 59.274712][ T6796] Rebooting in 86400 seconds..