do_execve+0x27/0x30 fs/exec.c:1679 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 [] entry_SYSCALL_64_fastpath+0x16/0x76 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc search_binary_handler+0x124/0x610 fs/exec.c:1471 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] vfs_read+0xe1/0x340 fs/read_write.c:454 __slab_free+0x18c/0x2b0 mm/slub.c:2685 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=29 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=29 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=29 cpu=1 pid=32717 ============================================================================= invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] object_err+0x2f/0x40 mm/slub.c:689 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Memory state around the buggy address: ============================================================================= Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Object ffff8801d322dad0: 00 00 00 00 00 00 00 00 00 0c b0 bb 00 88 ff ff ................ apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 Object ffff8801d322dad0: 00 00 00 00 00 00 00 00 00 0c b0 bb 00 88 ff ff ................ kmalloc include/linux/slab.h:470 [inline] load_elf_binary+0xca/0x4b70 fs/binfmt_elf.c:687 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=55 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=55 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=55 cpu=1 pid=32717 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] entry_SYSCALL_64_fastpath+0x16/0x76 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 __slab_free+0x18c/0x2b0 mm/slub.c:2685 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 ----------------------------------------------------------------------------- 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=93 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=93 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=93 cpu=1 pid=32717 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 Read of size 4 by task syz-executor6/32717 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 ffff8801d322d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] vfs_read+0xe1/0x340 fs/read_write.c:454 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 __slab_free+0x18c/0x2b0 mm/slub.c:2685 ----------------------------------------------------------------------------- [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] object_err+0x2f/0x40 mm/slub.c:689 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 [] entry_SYSCALL_64_fastpath+0x16/0x76 kmalloc include/linux/slab.h:470 [inline] load_elf_binary+0xca/0x4b70 fs/binfmt_elf.c:687 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 ----------------------------------------------------------------------------- [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ============================================================================= Read of size 4 by task syz-executor6/32717 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=226 cpu=1 pid=32505 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ^ ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 ^ [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=149 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=149 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=149 cpu=1 pid=32717 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 ================================================================== INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] print_trailer+0x114/0x1a0 mm/slub.c:682 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ----------------------------------------------------------------------------- [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 ----------------------------------------------------------------------------- [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 ============================================================================= __slab_free+0x18c/0x2b0 mm/slub.c:2685 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 ----------------------------------------------------------------------------- [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 Read of size 4 by task syz-executor6/32717 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=285 cpu=1 pid=32505 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 search_binary_handler+0x124/0x610 fs/exec.c:1471 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ----------------------------------------------------------------------------- ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 ----------------------------------------------------------------------------- [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d322dad0: 00 00 00 00 00 00 00 00 00 0c b0 bb 00 88 ff ff ................ __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=226 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=226 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=226 cpu=1 pid=32717 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] print_trailer+0x114/0x1a0 mm/slub.c:682 Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 entry_SYSCALL_64_fastpath+0x16/0x76 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 Read of size 4 by task syz-executor6/32717 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ============================================================================= ================================================================== Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc entry_SYSCALL_64_fastpath+0x16/0x76 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... ============================================================================= __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] print_trailer+0x114/0x1a0 mm/slub.c:682 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 BUG fasync_cache (Tainted: G B ): kasan: bad access detected ================================================================== slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 [] entry_SYSCALL_64_fastpath+0x16/0x76 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 ================================================================== Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __slab_free+0x18c/0x2b0 mm/slub.c:2685 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 ^ [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 search_binary_handler+0x124/0x610 fs/exec.c:1471 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ================================================================== Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Read of size 4 by task syz-executor6/32717 Memory state around the buggy address: 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=391 cpu=1 pid=32505 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] print_trailer+0x114/0x1a0 mm/slub.c:682 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 __slab_free+0x18c/0x2b0 mm/slub.c:2685 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG fasync_cache (Tainted: G B ): kasan: bad access detected ================================================================== INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... __slab_free+0x18c/0x2b0 mm/slub.c:2685 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=325 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=325 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=325 cpu=1 pid=32717 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 ----------------------------------------------------------------------------- [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=335 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=335 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=335 cpu=1 pid=32717 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... ffff8801d322db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 ----------------------------------------------------------------------------- [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ----------------------------------------------------------------------------- BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG fasync_cache (Tainted: G B ): kasan: bad access detected INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=442 cpu=1 pid=32505 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 ----------------------------------------------------------------------------- Call Trace: [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 Call Trace: slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ entry_SYSCALL_64_fastpath+0x16/0x76 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... BUG fasync_cache (Tainted: G B ): kasan: bad access detected ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=395 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=395 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=395 cpu=1 pid=32717 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=400 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=400 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=400 cpu=1 pid=32717 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] vfs_read+0xe1/0x340 fs/read_write.c:454 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=497 cpu=1 pid=32505 [] object_err+0x2f/0x40 mm/slub.c:689 ----------------------------------------------------------------------------- [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] vfs_read+0xe1/0x340 fs/read_write.c:454 do_execve+0x27/0x30 fs/exec.c:1679 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 __slab_free+0x18c/0x2b0 mm/slub.c:2685 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 do_execve+0x27/0x30 fs/exec.c:1679 Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... [] entry_SYSCALL_64_fastpath+0x16/0x76 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG fasync_cache (Tainted: G B ): kasan: bad access detected ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 ============================================================================= sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc __do_softirq+0x24d/0xa60 kernel/softirq.c:273 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=532 cpu=1 pid=32505 Call Trace: [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 search_binary_handler+0x124/0x610 fs/exec.c:1471 [] object_err+0x2f/0x40 mm/slub.c:689 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Call Trace: [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] vfs_read+0xe1/0x340 fs/read_write.c:454 entry_SYSCALL_64_fastpath+0x16/0x76 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=578 cpu=1 pid=32505 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] print_trailer+0x114/0x1a0 mm/slub.c:682 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 __slab_free+0x18c/0x2b0 mm/slub.c:2685 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d322dad0: 00 00 00 00 00 00 00 00 00 0c b0 bb 00 88 ff ff ................ apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] object_err+0x2f/0x40 mm/slub.c:689 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG fasync_cache (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 [] object_err+0x2f/0x40 mm/slub.c:689 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 do_execve+0x27/0x30 fs/exec.c:1679 Call Trace: Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ffff8801d322d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] vfs_read+0xe1/0x340 fs/read_write.c:454 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 ================================================================== INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=619 cpu=1 pid=32505 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 ============================================================================= ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] print_trailer+0x114/0x1a0 mm/slub.c:682 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 ffff8801d322d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 ----------------------------------------------------------------------------- [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 do_execve+0x27/0x30 fs/exec.c:1679 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] entry_SYSCALL_64_fastpath+0x16/0x76 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 ============================================================================= ============================================================================= Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=565 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=565 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=565 cpu=1 pid=32717 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Memory state around the buggy address: ffff8801d322db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ----------------------------------------------------------------------------- slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] vfs_read+0xe1/0x340 fs/read_write.c:454 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 ----------------------------------------------------------------------------- [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ============================================================================= BUG fasync_cache (Tainted: G B ): kasan: bad access detected ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 BUG fasync_cache (Tainted: G B ): kasan: bad access detected INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 ffff8801d322db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d322dad0: 00 00 00 00 00 00 00 00 00 0c b0 bb 00 88 ff ff ................ __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 ffff8801d322db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 __slab_free+0x18c/0x2b0 mm/slub.c:2685 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=681 cpu=1 pid=32505 [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f Call Trace: apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 search_binary_handler+0x124/0x610 fs/exec.c:1471 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... entry_SYSCALL_64_fastpath+0x16/0x76 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 [] print_trailer+0x114/0x1a0 mm/slub.c:682 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 ffff8801d322db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 ffff8801d322db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] vfs_read+0xe1/0x340 fs/read_write.c:454 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 search_binary_handler+0x124/0x610 fs/exec.c:1471 [] print_trailer+0x114/0x1a0 mm/slub.c:682 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 ----------------------------------------------------------------------------- [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Call Trace: [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=654 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=654 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=654 cpu=1 pid=32717 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ----------------------------------------------------------------------------- Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 ================================================================== Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 entry_SYSCALL_64_fastpath+0x16/0x76 Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... ============================================================================= BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 ================================================================== Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=681 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=681 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=681 cpu=1 pid=32717 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 ================================================================== Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] vfs_read+0xe1/0x340 fs/read_write.c:454 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=775 cpu=1 pid=32505 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 __slab_free+0x18c/0x2b0 mm/slub.c:2685 ================================================================== do_execve+0x27/0x30 fs/exec.c:1679 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 [] vfs_read+0xe1/0x340 fs/read_write.c:454 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d322d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] print_trailer+0x114/0x1a0 mm/slub.c:682 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 do_execve+0x27/0x30 fs/exec.c:1679 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 [] entry_SYSCALL_64_fastpath+0x16/0x76 __slab_free+0x18c/0x2b0 mm/slub.c:2685 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ----------------------------------------------------------------------------- [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 kmalloc include/linux/slab.h:470 [inline] load_elf_binary+0xca/0x4b70 fs/binfmt_elf.c:687 ffff8801d322d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc search_binary_handler+0x124/0x610 fs/exec.c:1471 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 ffff8801d322d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=821 cpu=1 pid=32505 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 __slab_free+0x18c/0x2b0 mm/slub.c:2685 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=831 cpu=1 pid=32505 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=747 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=747 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=747 cpu=1 pid=32717 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 ----------------------------------------------------------------------------- Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 entry_SYSCALL_64_fastpath+0x16/0x76 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 ----------------------------------------------------------------------------- CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=761 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=761 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=761 cpu=1 pid=32717 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 ================================================================== INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=857 cpu=1 pid=32505 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 entry_SYSCALL_64_fastpath+0x16/0x76 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 ----------------------------------------------------------------------------- [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 BUG fasync_cache (Tainted: G B ): kasan: bad access detected ================================================================== [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 ffff8800bbbd6c00 ffffea00074c8b00 ffff8801d322da90 0000000000000000 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 [] vfs_read+0xe1/0x340 fs/read_write.c:454 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=882 cpu=1 pid=32505 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 ----------------------------------------------------------------------------- [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 INFO: Slab 0xffffea00074c8b00 objects=20 used=2 fp=0xffff8801d322caf0 flags=0x8000000000004080 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=898 cpu=1 pid=32505 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc_trace+0x167/0x2b0 mm/slub.c:2626 Memory state around the buggy address: ffff8801d322d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=822 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=822 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=822 cpu=1 pid=32717 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=914 cpu=1 pid=32505 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ============================================================================= __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ----------------------------------------------------------------------------- entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __slab_free+0x18c/0x2b0 mm/slub.c:2685 ----------------------------------------------------------------------------- [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 INFO: Object 0xffff8801d322da90 @offset=6800 fp=0xdead4ead00000000 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=852 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=852 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=852 cpu=1 pid=32717 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 Read of size 4 by task syz-executor6/32717 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 ================================================================== slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] print_trailer+0x114/0x1a0 mm/slub.c:682 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=964 cpu=1 pid=32505 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 Memory state around the buggy address: Read of size 4 by task syz-executor6/32717 ffff8801d322da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 ----------------------------------------------------------------------------- ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Bytes b4 ffff8801d322da80: 01 00 00 00 0e 00 00 00 5f ac ff ff 00 00 00 00 ........_....... ----------------------------------------------------------------------------- [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 ================================================================== CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 do_execve+0x27/0x30 fs/exec.c:1679 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ entry_SYSCALL_64_fastpath+0x16/0x76 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Read of size 4 by task syz-executor6/32717 [] vfs_read+0xe1/0x340 fs/read_write.c:454 Object ffff8801d322daa0: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=1006 cpu=1 pid=32505 ----------------------------------------------------------------------------- [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ================================================================== Object ffff8801d322dae0: 00 36 55 d7 01 88 ff ff 30 f5 52 81 ff ff ff ff .6U.....0.R..... kmalloc include/linux/slab.h:470 [inline] load_elf_binary+0xca/0x4b70 fs/binfmt_elf.c:687 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] vfs_read+0xe1/0x340 fs/read_write.c:454 kmalloc include/linux/slab.h:470 [inline] load_elf_binary+0xca/0x4b70 fs/binfmt_elf.c:687 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Call Trace: INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=935 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=935 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=935 cpu=1 pid=32717 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... __slab_free+0x18c/0x2b0 mm/slub.c:2685 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=937 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=937 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=937 cpu=1 pid=32717 Object ffff8801d322dac0: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 __slab_free+0x18c/0x2b0 mm/slub.c:2685 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 entry_SYSCALL_64_fastpath+0x16/0x76 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=951 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=951 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=951 cpu=1 pid=32717 __slab_free+0x18c/0x2b0 mm/slub.c:2685 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=953 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=953 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=953 cpu=1 pid=32717 BUG fasync_cache (Tainted: G B ): kasan: bad access detected ================================================================== INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=956 cpu=1 pid=32717 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=956 cpu=1 pid=32717 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=956 cpu=1 pid=32717 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 >ffff8801d322da80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 Memory state around the buggy address: Call Trace: INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=1052 cpu=1 pid=32505 Call Trace: slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 0000000000000000 33496b53932810b6 ffff8801d32579b0 ffffffff81cc9b4f [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ffff8801d322c010 ffff8801d322da90 ffff8801d32579e0 ffffffff814d3af4 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d322da90: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 ffff8801d322db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Memory state around the buggy address: BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d322daf4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d322daf4 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 kmalloc include/linux/slab.h:470 [inline] load_elf_binary+0xca/0x4b70 fs/binfmt_elf.c:687 Memory state around the buggy address: ----------------------------------------------------------------------------- [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 __slab_free+0x18c/0x2b0 mm/slub.c:2685 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 Object ffff8801d322dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ search_binary_handler+0x124/0x610 fs/exec.c:1471 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ffff8801d322db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc CPU: 1 PID: 32717 Comm: syz-executor6 Tainted: G B 4.4.105-ge303a83 #5 __slab_free+0x18c/0x2b0 mm/slub.c:2685