INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Call Trace: Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... Read of size 4 by task syz-executor5/7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 Memory state around the buggy address: slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb ================================================================== ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 Read of size 4 by task syz-executor5/7148 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ffff8800b903ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 ----------------------------------------------------------------------------- 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb Memory state around the buggy address: Read of size 4 by task syz-executor5/7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... Call Trace: Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ Read of size 4 by task syz-executor5/7148 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Read of size 4 by task syz-executor5/7148 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ================================================================== BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ ----------------------------------------------------------------------------- [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ BUG fasync_cache (Tainted: G B ): kasan: bad access detected ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ entry_SYSCALL_64_fastpath+0x16/0x76 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ffff8800b903e880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Call Trace: Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 ----------------------------------------------------------------------------- slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ----------------------------------------------------------------------------- ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ----------------------------------------------------------------------------- [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 Read of size 4 by task syz-executor5/7148 INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 ^ Read of size 4 by task syz-executor5/7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ================================================================== >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc Memory state around the buggy address: ----------------------------------------------------------------------------- [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ Read of size 4 by task syz-executor5/7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 ================================================================== [] entry_SYSCALL_64_fastpath+0x16/0x76 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 ================================================================== ============================================================================= Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc BUG fasync_cache (Tainted: G B ): kasan: bad access detected sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 Read of size 4 by task syz-executor5/7148 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] entry_SYSCALL_64_fastpath+0x16/0x76 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ^ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ================================================================== Read of size 4 by task syz-executor5/7148 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ^ INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Read of size 4 by task syz-executor5/7148 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 Call Trace: Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ================================================================== ============================================================================= Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 ----------------------------------------------------------------------------- entry_SYSCALL_64_fastpath+0x16/0x76 entry_SYSCALL_64_fastpath+0x16/0x76 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ Read of size 4 by task syz-executor5/7148 Call Trace: ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Read of size 4 by task syz-executor5/7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f entry_SYSCALL_64_fastpath+0x16/0x76 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 entry_SYSCALL_64_fastpath+0x16/0x76 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ffff8800b903ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ Read of size 4 by task syz-executor5/7148 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ffff8800b903ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... Read of size 4 by task syz-executor5/7148 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Read of size 4 by task syz-executor5/7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 Read of size 4 by task syz-executor5/7148 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 Read of size 4 by task syz-executor5/7148 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 Call Trace: Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ ============================================================================= run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ ^ BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ ============================================================================= Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... Read of size 4 by task syz-executor5/7148 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Read of size 4 by task syz-executor5/7148 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ Read of size 4 by task syz-executor5/7148 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ============================================================================= Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Memory state around the buggy address: Read of size 4 by task syz-executor5/7148 Call Trace: Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb ^ fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 ----------------------------------------------------------------------------- [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 Read of size 4 by task syz-executor5/7148 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 [] entry_SYSCALL_64_fastpath+0x16/0x76 ffff8800b903ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 [] entry_SYSCALL_64_fastpath+0x16/0x76 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Memory state around the buggy address: [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 BUG fasync_cache (Tainted: G B ): kasan: bad access detected ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 ============================================================================= Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ----------------------------------------------------------------------------- ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 ================================================================== ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ret_from_fork+0x3f/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:468 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 [] entry_SYSCALL_64_fastpath+0x16/0x76 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ BUG fasync_cache (Tainted: G B ): kasan: bad access detected >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Read of size 4 by task syz-executor5/7148 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Read of size 4 by task syz-executor5/7148 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Read of size 4 by task syz-executor5/7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ^ ----------------------------------------------------------------------------- Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Read of size 4 by task syz-executor5/7148 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb Read of size 4 by task syz-executor5/7148 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ----------------------------------------------------------------------------- ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ================================================================== [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ ----------------------------------------------------------------------------- [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 ffff8800b903e010 ffff8800b903e960 ffff8801d45df9e0 ffffffff814d3af4 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ^ ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ Read of size 4 by task syz-executor5/7148 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb ^ __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== ffff8800b903ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb ================================================================== Memory state around the buggy address: ================================================================== ^ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] entry_SYSCALL_64_fastpath+0x16/0x76 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ----------------------------------------------------------------------------- 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... BUG fasync_cache (Tainted: G B ): kasan: bad access detected Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ ----------------------------------------------------------------------------- [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ----------------------------------------------------------------------------- [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 ----------------------------------------------------------------------------- [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 ret_from_fork+0x3f/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:468 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ffff8800b903e880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ ----------------------------------------------------------------------------- [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... INFO: Slab 0xffffea0002e40f80 objects=20 used=2 fp=0xffff8800b903eaf0 flags=0x4000000000004080 ============================================================================= smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Read of size 4 by task syz-executor5/7148 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ffff8800b903e900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 ================================================================== [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... ffff8800b903ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=0 cpu=1 pid=7148 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=0 cpu=1 pid=7148 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== Read of size 4 by task syz-executor5/7148 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ============================================================================= kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8800b903e9c4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8800b903e9c4 Read of size 4 by task syz-executor5/7148 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 ================================================================== Object ffff8800b903e970: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ----------------------------------------------------------------------------- Read of size 4 by task syz-executor5/7148 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc Memory state around the buggy address: ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 Object ffff8800b903e9b0: 00 3c 13 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff .<........R..... Object ffff8800b903e9a0: 00 00 00 00 00 00 00 00 00 a7 1f b9 00 88 ff ff ................ Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 smpboot_thread_fn+0x55f/0x920 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/smpboot.c:163 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8800b903ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc Read of size 4 by task syz-executor5/7148 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... Object ffff8800b903e960: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ffff8801d98ecc00 ffffea0002e40f80 ffff8800b903e960 0000000000000000 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc Read of size 4 by task syz-executor5/7148 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Object ffff8800b903e990: 00 50 8b 83 ff ff ff ff 01 46 00 00 07 00 00 00 .P.......F...... slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 INFO: Object 0xffff8800b903e960 @offset=2400 fp=0xdead4ead00000000 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Bytes b4 ffff8800b903e950: 01 00 00 00 b2 18 00 00 b5 a0 ff ff 00 00 00 00 ................ ret_from_fork+0x3f/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:468 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 ^ >ffff8800b903e980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ----------------------------------------------------------------------------- 0000000000000000 582991853f244264 ffff8801d45df9b0 ffffffff81cc9b0f slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8800b903e980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=624 cpu=0 pid=3 ================================================================== Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 CPU: 1 PID: 7148 Comm: syz-executor5 Tainted: G B 4.4.104-ged884eb #2 Read of size 4 by task syz-executor5/7148 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 BUG fasync_cache (Tainted: G B ): kasan: bad access detected