usercopy: kernel memory overwrite attempt detected to ffff88808ced8000 (kmalloc-1024) (4096 bytes) ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:73! invalid opcode: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 1 PID: 9236 Comm: syz-executor.2 Not tainted 4.14.180-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff88804369c240 task.stack: ffff888056890000 RIP: 0010:report_usercopy mm/usercopy.c:73 [inline] RIP: 0010:__check_object_size mm/usercopy.c:270 [inline] RIP: 0010:__check_object_size+0x1c6/0x28a mm/usercopy.c:228 RSP: 0018:ffff888056897628 EFLAGS: 00010282 RAX: 0000000000000062 RBX: 0000000000001000 RCX: 0000000000000000 RDX: 0000000000020d41 RSI: ffffffff81491530 RDI: ffffed100ad12ebb RBP: ffffffff86b2e8c0 R08: 0000000000000062 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808ced8000 R13: ffffffff86b2e880 R14: ffff88808ced9000 R15: ffffea000233b600 FS: 00007f2ab3097700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020001000 CR3: 0000000090914000 CR4: 00000000001426e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: check_object_size include/linux/thread_info.h:108 [inline] check_copy_size include/linux/thread_info.h:139 [inline] copy_from_user include/linux/uaccess.h:146 [inline] snd_rawmidi_kernel_write1+0x2d5/0x680 sound/core/rawmidi.c:1283 snd_rawmidi_write+0x275/0x970 sound/core/rawmidi.c:1348 __vfs_write+0xe4/0x630 fs/read_write.c:480 __kernel_write+0xf5/0x330 fs/read_write.c:501 write_pipe_buf+0x143/0x1b0 fs/splice.c:797 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x332/0x740 fs/splice.c:626 splice_from_pipe+0xc6/0x120 fs/splice.c:661 default_file_splice_write+0x37/0x80 fs/splice.c:809 do_splice_from fs/splice.c:851 [inline] direct_splice_actor+0x115/0x160 fs/splice.c:1018 splice_direct_to_actor+0x27e/0x730 fs/splice.c:973 do_splice_direct+0x164/0x210 fs/splice.c:1061 do_sendfile+0x469/0xaf0 fs/read_write.c:1441 SYSC_sendfile64 fs/read_write.c:1502 [inline] SyS_sendfile64+0xff/0x110 fs/read_write.c:1488 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45c829 RSP: 002b:00007f2ab3096c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00000000004fc2e0 RCX: 000000000045c829 RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007 RBP: 000000000078bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000008dc R14: 00000000004cb816 R15: 00007f2ab30976d4 Code: e9 b2 86 48 0f 45 ea e8 09 0e d0 ff 48 8b 04 24 49 89 d9 4c 89 e1 4c 89 ea 48 89 ee 48 c7 c7 80 e9 b2 86 49 89 c0 e8 c5 cd be ff <0f> 0b e8 e3 0d d0 ff 48 c7 c7 00 00 00 81 49 bf 00 00 00 00 80 RIP: report_usercopy mm/usercopy.c:73 [inline] RSP: ffff888056897628 RIP: __check_object_size mm/usercopy.c:270 [inline] RSP: ffff888056897628 RIP: __check_object_size+0x1c6/0x28a mm/usercopy.c:228 RSP: ffff888056897628 ---[ end trace 0facba9d562291b9 ]---