[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 60.777551][ T6812] ==================================================================
[ 60.785973][ T6812] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x5c1/0x1050
[ 60.793935][ T6812] Read of size 4294967294 at addr ffff8880a8a8f090 by task syz-executor435/6812
[ 60.802934][ T6812]
[ 60.805252][ T6812] CPU: 1 PID: 6812 Comm: syz-executor435 Not tainted 5.8.0-rc7-syzkaller #0
[ 60.813922][ T6812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.824050][ T6812] Call Trace:
[ 60.827331][ T6812] dump_stack+0x18f/0x20d
[ 60.831672][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 60.836951][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 60.842232][ T6812] print_address_description.constprop.0.cold+0xae/0x436
[ 60.849264][ T6812] ? __might_fault+0x11f/0x1d0
[ 60.854049][ T6812] ? lockdep_hardirqs_off+0x66/0xa0
[ 60.859244][ T6812] ? vprintk_func+0x97/0x1a6
[ 60.863820][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 60.869113][ T6812] kasan_report.cold+0x1f/0x37
[ 60.873872][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 60.879142][ T6812] check_memory_region+0x13d/0x180
[ 60.884238][ T6812] memcpy+0x20/0x60
[ 60.888056][ T6812] qrtr_endpoint_post+0x5c1/0x1050
[ 60.893157][ T6812] qrtr_tun_write_iter+0xf5/0x180
[ 60.898172][ T6812] new_sync_write+0x422/0x650
[ 60.902851][ T6812] ? new_sync_read+0x6e0/0x6e0
[ 60.907609][ T6812] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 60.913142][ T6812] ? apparmor_file_permission+0x26e/0x4e0
[ 60.918862][ T6812] ? build_open_flags+0x650/0x650
[ 60.923899][ T6812] vfs_write+0x59d/0x6b0
[ 60.928134][ T6812] ksys_write+0x12d/0x250
[ 60.932453][ T6812] ? __ia32_sys_read+0xb0/0xb0
[ 60.937208][ T6812] ? lock_is_held_type+0xb0/0xe0
[ 60.942134][ T6812] ? do_syscall_64+0x1c/0xe0
[ 60.946712][ T6812] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 60.952683][ T6812] do_syscall_64+0x60/0xe0
[ 60.957094][ T6812] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.962980][ T6812] RIP: 0033:0x440259
[ 60.966868][ T6812] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.986462][ T6812] RSP: 002b:00007fff95fbcba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 60.994863][ T6812] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 61.002821][ T6812] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 61.010786][ T6812] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 61.018743][ T6812] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 61.028053][ T6812] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 61.036144][ T6812]
[ 61.038490][ T6812] Allocated by task 6812:
[ 61.042824][ T6812] save_stack+0x1b/0x40
[ 61.046976][ T6812] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.052588][ T6812] __kmalloc+0x17a/0x340
[ 61.056884][ T6812] qrtr_tun_write_iter+0x8a/0x180
[ 61.061902][ T6812] new_sync_write+0x422/0x650
[ 61.066563][ T6812] vfs_write+0x59d/0x6b0
[ 61.070790][ T6812] ksys_write+0x12d/0x250
[ 61.075165][ T6812] do_syscall_64+0x60/0xe0
[ 61.079579][ T6812] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.085613][ T6812]
[ 61.087929][ T6812] Freed by task 4899:
[ 61.091904][ T6812] save_stack+0x1b/0x40
[ 61.096064][ T6812] __kasan_slab_free+0xf5/0x140
[ 61.100920][ T6812] kfree+0x103/0x2c0
[ 61.104828][ T6812] tomoyo_path_perm+0x234/0x3f0
[ 61.109674][ T6812] security_inode_getattr+0xcf/0x140
[ 61.114953][ T6812] vfs_statx+0x170/0x390
[ 61.119189][ T6812] __do_sys_newlstat+0x91/0x110
[ 61.124024][ T6812] do_syscall_64+0x60/0xe0
[ 61.128427][ T6812] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.134296][ T6812]
[ 61.136643][ T6812] The buggy address belongs to the object at ffff8880a8a8f080
[ 61.136643][ T6812] which belongs to the cache kmalloc-32 of size 32
[ 61.150542][ T6812] The buggy address is located 16 bytes inside of
[ 61.150542][ T6812] 32-byte region [ffff8880a8a8f080, ffff8880a8a8f0a0)
[ 61.163636][ T6812] The buggy address belongs to the page:
[ 61.169428][ T6812] page:ffffea0002a2a3c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a8a8ffc1
[ 61.179839][ T6812] flags: 0xfffe0000000200(slab)
[ 61.184684][ T6812] raw: 00fffe0000000200 ffffea0002a2d588 ffffea00024f0c48 ffff8880aa0001c0
[ 61.193253][ T6812] raw: ffff8880a8a8ffc1 ffff8880a8a8f000 000000010000002c 0000000000000000
[ 61.201819][ T6812] page dumped because: kasan: bad access detected
[ 61.208207][ T6812]
[ 61.210510][ T6812] Memory state around the buggy address:
[ 61.216128][ T6812] ffff8880a8a8ef80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.226348][ T6812] ffff8880a8a8f000: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 61.234416][ T6812] >ffff8880a8a8f080: 00 00 fc fc fc fc fc fc 00 02 fc fc fc fc fc fc
[ 61.242460][ T6812] ^
[ 61.247044][ T6812] ffff8880a8a8f100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 61.255097][ T6812] ffff8880a8a8f180: fb fb fb fb fc fc fc fc 06 fc fc fc fc fc fc fc
[ 61.263138][ T6812] ==================================================================
[ 61.271221][ T6812] Disabling lock debugging due to kernel taint
[ 61.284078][ T6812] Kernel panic - not syncing: panic_on_warn set ...
[ 61.290723][ T6812] CPU: 1 PID: 6812 Comm: syz-executor435 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 61.300784][ T6812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.310839][ T6812] Call Trace:
[ 61.314131][ T6812] dump_stack+0x18f/0x20d
[ 61.318444][ T6812] ? qrtr_endpoint_post+0x520/0x1050
[ 61.323714][ T6812] panic+0x2e3/0x75c
[ 61.327589][ T6812] ? __warn_printk+0xf3/0xf3
[ 61.332157][ T6812] ? preempt_schedule_common+0x59/0xc0
[ 61.337599][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 61.342890][ T6812] ? preempt_schedule_thunk+0x16/0x18
[ 61.348252][ T6812] ? trace_hardirqs_on+0x55/0x220
[ 61.353257][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 61.358543][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 61.364346][ T6812] end_report+0x4d/0x53
[ 61.368478][ T6812] kasan_report.cold+0xd/0x37
[ 61.373140][ T6812] ? qrtr_endpoint_post+0x5c1/0x1050
[ 61.378409][ T6812] check_memory_region+0x13d/0x180
[ 61.383504][ T6812] memcpy+0x20/0x60
[ 61.387323][ T6812] qrtr_endpoint_post+0x5c1/0x1050
[ 61.392420][ T6812] qrtr_tun_write_iter+0xf5/0x180
[ 61.397443][ T6812] new_sync_write+0x422/0x650
[ 61.402097][ T6812] ? new_sync_read+0x6e0/0x6e0
[ 61.407992][ T6812] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 61.413649][ T6812] ? apparmor_file_permission+0x26e/0x4e0
[ 61.419385][ T6812] ? build_open_flags+0x650/0x650
[ 61.424402][ T6812] vfs_write+0x59d/0x6b0
[ 61.428669][ T6812] ksys_write+0x12d/0x250
[ 61.433014][ T6812] ? __ia32_sys_read+0xb0/0xb0
[ 61.437820][ T6812] ? lock_is_held_type+0xb0/0xe0
[ 61.442746][ T6812] ? do_syscall_64+0x1c/0xe0
[ 61.447325][ T6812] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.453286][ T6812] do_syscall_64+0x60/0xe0
[ 61.457682][ T6812] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.463572][ T6812] RIP: 0033:0x440259
[ 61.467461][ T6812] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 61.487055][ T6812] RSP: 002b:00007fff95fbcba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 61.495447][ T6812] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 61.503410][ T6812] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 61.511374][ T6812] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 61.519332][ T6812] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 61.527283][ T6812] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 61.536417][ T6812] Kernel Offset: disabled
[ 61.540736][ T6812] Rebooting in 86400 seconds..