Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 63.058190][ T6970] ==================================================================
[ 63.066388][ T6970] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0xeeb/0x1010
[ 63.074461][ T6970] Read of size 2 at addr ffff88809e5d4a48 by task syz-executor050/6970
[ 63.082776][ T6970]
[ 63.085120][ T6970] CPU: 0 PID: 6970 Comm: syz-executor050 Not tainted 5.8.0-rc2-syzkaller #0
[ 63.093809][ T6970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.103847][ T6970] Call Trace:
[ 63.107122][ T6970] dump_stack+0x18f/0x20d
[ 63.111615][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.116887][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.122153][ T6970] print_address_description.constprop.0.cold+0xae/0x436
[ 63.129173][ T6970] ? vprintk_func+0x97/0x1a6
[ 63.133758][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.139063][ T6970] kasan_report.cold+0x1f/0x37
[ 63.143812][ T6970] ? __netdev_alloc_skb+0x90/0x420
[ 63.148899][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.154162][ T6970] qrtr_endpoint_post+0xeeb/0x1010
[ 63.159258][ T6970] qrtr_tun_write_iter+0xf5/0x180
[ 63.164307][ T6970] do_iter_readv_writev+0x567/0x780
[ 63.169542][ T6970] ? get_order+0x20/0x20
[ 63.173767][ T6970] ? apparmor_file_permission+0x26e/0x4e0
[ 63.179479][ T6970] do_iter_write+0x188/0x5f0
[ 63.184070][ T6970] ? trace_hardirqs_off+0x27/0x210
[ 63.189165][ T6970] vfs_writev+0x1aa/0x2e0
[ 63.193820][ T6970] ? vfs_iter_write+0xa0/0xa0
[ 63.198475][ T6970] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 63.203999][ T6970] ? putname+0xe1/0x120
[ 63.208153][ T6970] ? build_open_flags+0x650/0x650
[ 63.213162][ T6970] ? _down_write_nest_lock+0x150/0x150
[ 63.218626][ T6970] __x64_sys_pwritev+0x231/0x310
[ 63.223555][ T6970] ? __ia32_sys_preadv2+0x150/0x150
[ 63.228753][ T6970] ? do_syscall_64+0x1c/0xe0
[ 63.233324][ T6970] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 63.239288][ T6970] do_syscall_64+0x60/0xe0
[ 63.243804][ T6970] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.249680][ T6970] RIP: 0033:0x4401d9
[ 63.253722][ T6970] Code: Bad RIP value.
[ 63.257868][ T6970] RSP: 002b:00007fffc542c7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
[ 63.266261][ T6970] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401d9
[ 63.274323][ T6970] RDX: 0000000000000001 RSI: 0000000020000440 RDI: 0000000000000003
[ 63.282380][ T6970] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 63.290432][ T6970] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 63.298390][ T6970] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 63.306351][ T6970]
[ 63.308674][ T6970] Allocated by task 6970:
[ 63.312983][ T6970] save_stack+0x1b/0x40
[ 63.317225][ T6970] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 63.322929][ T6970] __kmalloc+0x17a/0x340
[ 63.327148][ T6970] qrtr_tun_write_iter+0x8a/0x180
[ 63.332149][ T6970] do_iter_readv_writev+0x567/0x780
[ 63.337339][ T6970] do_iter_write+0x188/0x5f0
[ 63.341915][ T6970] vfs_writev+0x1aa/0x2e0
[ 63.346223][ T6970] __x64_sys_pwritev+0x231/0x310
[ 63.351189][ T6970] do_syscall_64+0x60/0xe0
[ 63.355583][ T6970] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.361451][ T6970]
[ 63.364364][ T6970] Freed by task 4969:
[ 63.368339][ T6970] save_stack+0x1b/0x40
[ 63.372473][ T6970] __kasan_slab_free+0xf5/0x140
[ 63.377298][ T6970] kfree+0x103/0x2c0
[ 63.381189][ T6970] tomoyo_path_perm+0x234/0x3f0
[ 63.386013][ T6970] security_inode_getattr+0xcf/0x140
[ 63.391275][ T6970] vfs_statx+0x170/0x390
[ 63.395499][ T6970] __do_sys_newlstat+0x91/0x110
[ 63.400324][ T6970] do_syscall_64+0x60/0xe0
[ 63.404718][ T6970] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.410580][ T6970]
[ 63.412891][ T6970] The buggy address belongs to the object at ffff88809e5d4a40
[ 63.412891][ T6970] which belongs to the cache kmalloc-32 of size 32
[ 63.426743][ T6970] The buggy address is located 8 bytes inside of
[ 63.426743][ T6970] 32-byte region [ffff88809e5d4a40, ffff88809e5d4a60)
[ 63.439818][ T6970] The buggy address belongs to the page:
[ 63.445443][ T6970] page:ffffea0002797500 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e5d4fc1
[ 63.455829][ T6970] flags: 0xfffe0000000200(slab)
[ 63.460668][ T6970] raw: 00fffe0000000200 ffffea000278cfc8 ffffea0002793548 ffff8880aa0001c0
[ 63.469244][ T6970] raw: ffff88809e5d4fc1 ffff88809e5d4000 000000010000003f 0000000000000000
[ 63.477880][ T6970] page dumped because: kasan: bad access detected
[ 63.484403][ T6970]
[ 63.486718][ T6970] Memory state around the buggy address:
[ 63.492329][ T6970] ffff88809e5d4900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 63.500421][ T6970] ffff88809e5d4980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 63.508459][ T6970] >ffff88809e5d4a00: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[ 63.516493][ T6970] ^
[ 63.522882][ T6970] ffff88809e5d4a80: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 63.530923][ T6970] ffff88809e5d4b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 63.538963][ T6970] ==================================================================
[ 63.547394][ T6970] Disabling lock debugging due to kernel taint
[ 63.558034][ T6970] Kernel panic - not syncing: panic_on_warn set ...
[ 63.564761][ T6970] CPU: 0 PID: 6970 Comm: syz-executor050 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 63.574820][ T6970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.584958][ T6970] Call Trace:
[ 63.588250][ T6970] dump_stack+0x18f/0x20d
[ 63.592580][ T6970] ? qrtr_endpoint_post+0xe80/0x1010
[ 63.597882][ T6970] panic+0x2e3/0x75c
[ 63.601775][ T6970] ? __warn_printk+0xf3/0xf3
[ 63.606361][ T6970] ? preempt_schedule_common+0x59/0xc0
[ 63.611817][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.617104][ T6970] ? preempt_schedule_thunk+0x16/0x18
[ 63.622486][ T6970] ? trace_hardirqs_on+0x55/0x220
[ 63.627488][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.632746][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.638023][ T6970] end_report+0x4d/0x53
[ 63.642152][ T6970] kasan_report.cold+0xd/0x37
[ 63.646806][ T6970] ? __netdev_alloc_skb+0x90/0x420
[ 63.651892][ T6970] ? qrtr_endpoint_post+0xeeb/0x1010
[ 63.657166][ T6970] qrtr_endpoint_post+0xeeb/0x1010
[ 63.662272][ T6970] qrtr_tun_write_iter+0xf5/0x180
[ 63.667281][ T6970] do_iter_readv_writev+0x567/0x780
[ 63.672531][ T6970] ? get_order+0x20/0x20
[ 63.676784][ T6970] ? apparmor_file_permission+0x26e/0x4e0
[ 63.682571][ T6970] do_iter_write+0x188/0x5f0
[ 63.687266][ T6970] ? trace_hardirqs_off+0x27/0x210
[ 63.692367][ T6970] vfs_writev+0x1aa/0x2e0
[ 63.696679][ T6970] ? vfs_iter_write+0xa0/0xa0
[ 63.701413][ T6970] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 63.707043][ T6970] ? putname+0xe1/0x120
[ 63.711198][ T6970] ? build_open_flags+0x650/0x650
[ 63.716207][ T6970] ? _down_write_nest_lock+0x150/0x150
[ 63.722078][ T6970] __x64_sys_pwritev+0x231/0x310
[ 63.727002][ T6970] ? __ia32_sys_preadv2+0x150/0x150
[ 63.732204][ T6970] ? do_syscall_64+0x1c/0xe0
[ 63.736776][ T6970] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 63.742822][ T6970] do_syscall_64+0x60/0xe0
[ 63.747311][ T6970] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.753201][ T6970] RIP: 0033:0x4401d9
[ 63.757066][ T6970] Code: Bad RIP value.
[ 63.761131][ T6970] RSP: 002b:00007fffc542c7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
[ 63.769538][ T6970] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401d9
[ 63.777572][ T6970] RDX: 0000000000000001 RSI: 0000000020000440 RDI: 0000000000000003
[ 63.785729][ T6970] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 63.793703][ T6970] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 63.801658][ T6970] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 63.811362][ T6970] Kernel Offset: disabled
[ 63.815681][ T6970] Rebooting in 86400 seconds..