audit: type=1400 audit(1602976135.984:8): avc: denied { execmem } for pid=6489 comm="syz-executor322" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbe2/0xd35 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff8880898b123e by task syz-executor322/6489

CPU: 1 PID: 6489 Comm: syz-executor322 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 print_address_description.cold+0x56/0x25c mm/kasan/report.c:256
 kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
 __fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xbe2/0xd35 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x389/0x5d0 drivers/video/fbdev/core/fbcon.c:1269
 con_flush drivers/tty/vt/vt.c:2559 [inline]
 do_con_write+0x671/0x1f40 drivers/tty/vt/vt.c:2809
 con_write+0x22/0xb0 drivers/tty/vt/vt.c:3145
 process_output_block drivers/tty/n_tty.c:593 [inline]
 n_tty_write+0x3c0/0xff0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:960 [inline]
 tty_write+0x496/0x890 drivers/tty/tty_io.c:1044
 __vfs_write+0xf7/0x770 fs/read_write.c:485
 vfs_write+0x1f3/0x540 fs/read_write.c:549
 ksys_write+0x12b/0x2a0 fs/read_write.c:599
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4403c9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff5d8fd448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6471:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0xae/0x580 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 __tcp_send_ack+0xb3/0x610 net/ipv4/tcp_output.c:3619
 tcp_delack_timer_handler+0x339/0x760 net/ipv4/tcp_timer.c:303
 tcp_delack_timer+0x95/0x270 net/ipv4/tcp_timer.c:330
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292

Freed by task 0:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x250 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:554 [inline]
 skb_release_data+0x6ea/0x930 net/core/skbuff.c:574
 skb_release_all net/core/skbuff.c:631 [inline]
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0x113/0x3e0 net/core/skbuff.c:705
 __dev_kfree_skb_any+0x9c/0xd0 net/core/dev.c:2796
 dev_consume_skb_any include/linux/netdevice.h:3557 [inline]
 napi_consume_skb+0x4a8/0x650 net/core/skbuff.c:769
 free_old_xmit_skbs+0xdb/0x240 drivers/net/virtio_net.c:1379
 start_xmit+0x156/0x17c0 drivers/net/virtio_net.c:1575
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x960 net/core/dev.c:3272
 sch_direct_xmit+0x2cf/0xf70 net/sched/sch_generic.c:332
 qdisc_restart net/sched/sch_generic.c:395 [inline]
 __qdisc_run+0x4fc/0x1680 net/sched/sch_generic.c:403
 qdisc_run include/net/pkt_sched.h:120 [inline]
 __dev_xmit_skb net/core/dev.c:3451 [inline]
 __dev_queue_xmit+0x21fe/0x2ec0 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xc04/0x1640 net/ipv4/ip_output.c:230
 ip_finish_output+0x88e/0xd80 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x650 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x8a0/0x1bd0 net/ipv4/ip_output.c:506
 __tcp_transmit_skb+0x1c72/0x36c0 net/ipv4/tcp_output.c:1148
 tcp_transmit_skb net/ipv4/tcp_output.c:1164 [inline]
 tcp_write_xmit+0x839/0x5050 net/ipv4/tcp_output.c:2389
 __tcp_push_pending_frames+0xae/0x280 net/ipv4/tcp_output.c:2568
 tcp_push_pending_frames include/net/tcp.h:1772 [inline]
 tcp_data_snd_check net/ipv4/tcp_input.c:5179 [inline]
 tcp_rcv_established+0x1359/0x1d10 net/ipv4/tcp_input.c:5588
 tcp_v4_do_rcv+0x5d6/0x870 net/ipv4/tcp_ipv4.c:1544
 tcp_v4_rcv+0x2c1d/0x3bd0 net/ipv4/tcp_ipv4.c:1829
 ip_local_deliver_finish+0x4cb/0xc80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_local_deliver+0x188/0x560 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish+0x1ca/0x2e0 net/ipv4/ip_input.c:414
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_rcv+0xca/0x420 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:4954
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
 netif_receive_skb_internal+0x110/0x450 net/core/dev.c:5156
 napi_skb_finish net/core/dev.c:5600 [inline]
 napi_gro_receive+0x303/0x460 net/core/dev.c:5631
 receive_buf+0x1045/0x6250 drivers/net/virtio_net.c:1072
 virtnet_receive drivers/net/virtio_net.c:1336 [inline]
 virtnet_poll+0x52f/0xda0 drivers/net/virtio_net.c:1441
 napi_poll net/core/dev.c:6272 [inline]
 net_rx_action+0x4e5/0x10d0 net/core/dev.c:6338
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880898b0dc0
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 126 bytes to the right of
 1024-byte region [ffff8880898b0dc0, ffff8880898b11c0)
The buggy address belongs to the page:
page:ffffea0002262c00 count:1 mapcount:0 mapping:ffff88812c3f6ac0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002931388 ffffea0002267b08 ffff88812c3f6ac0
raw: 0000000000000000 ffff8880898b0040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880898b1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880898b1180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880898b1200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                                        ^
 ffff8880898b1280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880898b1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================