==================================================================
BUG: KASAN: wild-memory-access on address ffe708746d6d3000
Read of size 4060 by task syz-executor1/4948
CPU: 1 PID: 4948 Comm: syz-executor1 Not tainted 4.9.52-g291d968 #56
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c99ef628 ffffffff81d93149 ffe708746d6d3000 0000000000000fdc
 0000000000000000 ffff8801a7e74660 ffe708746d6d3000 ffff8801c99ef6b0
 ffffffff8153d08f 0000000000000000 0000000000000000 ffffffff826648db
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_report_error mm/kasan/report.c:284 [inline]
 [] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [] do_splice_to+0x10a/0x160 fs/splice.c:899
 [] do_splice fs/splice.c:1192 [inline]
 [] SYSC_splice fs/splice.c:1416 [inline]
 [] SyS_splice+0xf5f/0x1520 fs/splice.c:1399
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
binder: 5076:5081 ioctl c08c5335 209dcf74 returned -22
binder: 5076:5081 ioctl c08c5335 209dcf74 returned -22
device syz0 entered promiscuous mode
device syz0 left promiscuous mode
device lo left promiscuous mode
nla_parse: 6 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
device syz0 entered promiscuous mode
device syz0 left promiscuous mode
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
device lo entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
keychord: using input dev AT Translated Set 2 keyboard for fevent
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 entered promiscuous mode
keychord: invalid keycode count 0
keychord: Insufficient bytes present for keycount 18
netlink: 29 bytes leftover after parsing attributes in process `syz-executor6'.
keychord: using input dev AT Translated Set 2 keyboard for fevent
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 29 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 5534:5538 ioctl 5404 2024a000 returned -22
binder: 5534:5538 ioctl 540a 7fff returned -22
binder: 5534:5554 ioctl 5404 2024a000 returned -22
binder: 5534:5538 ioctl 540a 7fff returned -22
device lo entered promiscuous mode
device syz4 entered promiscuous mode
device syz4 left promiscuous mode
device syz4 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=129 sclass=netlink_route_socket pig=5914 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=129 sclass=netlink_route_socket pig=5914 comm=syz-executor2
device gre0 entered promiscuous mode
binder: 6255:6292 ioctl 2403 7fff returned -22
9pnet_virtio: no channels available for device ./file0
binder: 6255:6321 ioctl 2403 7fff returned -22
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device ./file0
binder: 6380:6387 ioctl c00c642e 2057b000 returned -22
binder: 6380:6387 ioctl 4c00 6 returned -22
IPVS: Creating netns size=2536 id=11
binder: 6380:6387 ioctl c00c642e 2057b000 returned -22
binder: 6380:6387 ioctl 4c00 18 returned -22
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
syz-executor4: vmalloc: allocation failure: 17178820608 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 6515 Comm: syz-executor4 Tainted: G B 4.9.52-g291d968 #56
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d8e37880 ffffffff81d93149 1ffff1003b1c6f13 ffff8801ceefb000
 ffffffff83ab7ac0 0000000000000001 0000000000400000 ffff8801d8e37990
 ffffffff81450d72 024000c28c82dbb6 0000000041b58ab3 ffffffff8418fa45
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3054
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x21a/0x1e80 net/ipv6/netfilter/ip6_tables.c:730
 [] ? 0xffffffff810002b8
 [] do_replace net/ipv6/netfilter/ip6_tables.c:1182 [inline]
 [] do_ip6t_set_ctl+0x2be/0x470 net/ipv6/netfilter/ip6_tables.c:1708
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:903
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2705
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
9pnet_virtio: no channels available for device ./file0
Mem-Info:
active_anon:76244 inactive_anon:66 isolated_anon:0
 active_file:3449 inactive_file:5921 isolated_file:0
 unevictable:0 dirty:151 writeback:0 unstable:0
 slab_reclaimable:4035 slab_unreclaimable:32266
 mapped:22112 shmem:177 pagetables:689 bounce:0
 free:1485392 free_pcp:459 free_cma:0
Node 0 active_anon:304940kB inactive_anon:192kB active_file:13796kB inactive_file:23684kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:88356kB dirty:624kB writeback:0kB shmem:632kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 61440kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2910 6411 6411
DMA32 free:2981152kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981848kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:696kB local_pcp:648kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2944508kB min:36816kB low:46020kB high:55224kB active_anon:304940kB inactive_anon:192kB active_file:13796kB inactive_file:23684kB unevictable:0kB writepending:624kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:16188kB slab_unreclaimable:129076kB kernel_stack:5632kB pagetables:2680kB bounce:0kB free_pcp:1136kB local_pcp:484kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 4*4kB (M) 2*8kB (M) 4*16kB (M) 2*32kB (M) 4*64kB (M) 3*128kB (M) 2*256kB (M) 2*512kB (M) 1*1024kB (M) 2*2048kB (M) 726*4096kB (M) = 2981152kB
Normal: 27*4kB (UME) 326*8kB (UME) 929*16kB (UME) 1060*32kB (UME) 653*64kB (UME) 347*128kB (UME) 112*256kB (UM) 46*512kB (UME) 10*1024kB (UME) 4*2048kB (M) 668*4096kB (UM) = 2944492kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
9553 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320235 pages reserved
syz-executor4: vmalloc: allocation failure: 17178820608 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 6527 Comm: syz-executor4 Tainted: G B 4.9.52-g291d968 #56
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d1007880 ffffffff81d93149 1ffff1003a200f13 ffff8801cfce8000
 ffffffff83ab7ac0 0000000000000001 0000000000400000 ffff8801d1007990
 ffffffff81450d72 024000c22c88308a 0000000041b58ab3 ffffffff8418fa45
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3054
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x21a/0x1e80 net/ipv6/netfilter/ip6_tables.c:730
 [] ? 0xffffffff810002b8
 [] do_replace net/ipv6/netfilter/ip6_tables.c:1182 [inline]
 [] do_ip6t_set_ctl+0x2be/0x470 net/ipv6/netfilter/ip6_tables.c:1708
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:903
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2705
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:76255 inactive_anon:45 isolated_anon:0
 active_file:3449 inactive_file:5924 isolated_file:0
 unevictable:0 dirty:170 writeback:0 unstable:0
 slab_reclaimable:4065 slab_unreclaimable:32294
 mapped:22087 shmem:181 pagetables:682 bounce:0
 free:1485392 free_pcp:451 free_cma:0
Node 0 active_anon:305020kB inactive_anon:180kB active_file:13796kB inactive_file:23696kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:88348kB dirty:680kB writeback:0kB shmem:724kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 18432kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2910 6411 6411
DMA32 free:2981152kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981848kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:696kB local_pcp:48kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2944540kB min:36816kB low:46020kB high:55224kB active_anon:305020kB inactive_anon:180kB active_file:13796kB inactive_file:23696kB unevictable:0kB writepending:680kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:16260kB slab_unreclaimable:129176kB kernel_stack:5600kB pagetables:2728kB bounce:0kB free_pcp:1108kB local_pcp:572kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 4*4kB (M) 2*8kB (M) 4*16kB (M) 2*32kB (M) 4*64kB (M) 3*128kB (M) 2*256kB (M) 2*512kB (M) 1*1024kB (M) 2*2048kB (M) 726*4096kB (M) = 2981152kB
Normal: 27*4kB (UME) 326*8kB (UME) 927*16kB (UME) 1061*32kB (UME) 653*64kB (UME) 347*128kB (UME) 112*256kB (UM) 46*512kB (UME) 10*1024kB (UME) 4*2048kB (M) 668*4096kB (UM) = 2944492kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
9559 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320235 pages reserved
nla_parse: 17 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
capability: warning: `syz-executor5' uses deprecated v2 capabilities in a way that may be insecure
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
netlink: 6 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(gre0): iface reset its stats unexpectedly
netlink: 6 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
keychord: Insufficient bytes present for keycount 186
keychord: Insufficient bytes present for keycount 186
IPVS: Creating netns size=2536 id=12
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 7220:7249 ioctl 4b60 205baf8c returned -22
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=3 sclass=netlink_tcpdiag_socket pig=7248 comm=syz-executor4
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 7269:7275 ioctl 80044584 20fe6f09 returned -22
binder: 7269:7294 ioctl 80044584 20fe6f09 returned -22
IPVS: Creating netns size=2536 id=13
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 7399:7401 ioctl 404c534a 20022000 returned -22
binder: 7399:7401 ioctl 404c534a 20022000 returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
device syz5 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: invalid keycode count 0
keychord: invalid keycode count 0
keychord: using input dev AT Translated Set 2 keyboard for fevent
IPVS: Creating netns size=2536 id=14
binder: 7542:7543 ioctl c00c642e 2057b000 returned -22
keychord: invalid keycode count 0
binder: 7542:7543 ioctl 4c00 6 returned -22
binder: 7542:7550 ioctl c00c642e 2057b000 returned -22
binder: 7542:7543 ioctl 4c00 18 returned -22