binder_alloc: 7088: binder_alloc_buf size 7955998185600934960 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:344 [inline]
BUG: KASAN: slab-out-of-bounds in map_lookup_elem+0x4dc/0xbd0 kernel/bpf/syscall.c:584
Read of size 4 at addr ffff8801d5d3d530 by task syz-executor4/7098

CPU: 1 PID: 7098 Comm: syz-executor4 Not tainted 4.15.0-rc7+ #169
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:344 [inline]
 map_lookup_elem+0x4dc/0xbd0 kernel/bpf/syscall.c:584
 SYSC_bpf kernel/bpf/syscall.c:1711 [inline]
 SyS_bpf+0x922/0x4400 kernel/bpf/syscall.c:1685
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7f42c79
RSP: 002b:00000000f773e08c EFLAGS: 00000296 ORIG_RAX: 0000000000000165
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000208e6000
RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3735:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
 kmem_cache_zalloc include/linux/slab.h:678 [inline]
 get_empty_filp+0xfb/0x4f0 fs/file_table.c:123
 path_openat+0xed/0x3530 fs/namei.c:3496
 do_filp_open+0x25b/0x3b0 fs/namei.c:3554
 do_sys_open+0x502/0x6d0 fs/open.c:1059
 C_SYSC_open fs/open.c:1096 [inline]
 compat_SyS_open+0x2a/0x40 fs/open.c:1094
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129

Freed by task 3774:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3488 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3746
 file_free_rcu+0x5c/0x70 fs/file_table.c:50
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2758 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline]
 rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2996
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801d5d3d300
 which belongs to the cache filp of size 456
The buggy address is located 104 bytes to the right of
 456-byte region [ffff8801d5d3d300, ffff8801d5d3d4c8)
The buggy address belongs to the page:
page:ffffea0007574f40 count:1 mapcount:0 mapping:ffff8801d5d3d080 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d5d3d080 0000000000000000 0000000100000006
raw: ffffea0007574e60 ffffea00075750e0 ffff8801dae2c180 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d5d3d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d5d3d480: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
>ffff8801d5d3d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                              ^
 ffff8801d5d3d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d5d3d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================