nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ffff8801d2548d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=10 cpu=0 pid=18486 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ============================================================================= slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 ================================================================== [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 Object ffff8801d2548e60: 00 a7 01 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff ..........R..... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 entry_SYSCALL_64_fastpath+0x16/0x76 printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 BUG fasync_cache (Tainted: G B ): kasan: bad access detected INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=37 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=37 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=37 cpu=0 pid=18507 Read of size 4 by task syz-executor6/18507 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=43 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=43 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=43 cpu=0 pid=18507 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=44 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=44 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=44 cpu=0 pid=18507 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ================================================================== Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ffff8801d2548e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ============================================================================= fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 ----------------------------------------------------------------------------- [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 Memory state around the buggy address: BUG fasync_cache (Tainted: G B ): kasan: bad access detected slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=81 cpu=0 pid=18486 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ----------------------------------------------------------------------------- Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 ================================================================== Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 Call Trace: Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Read of size 4 by task syz-executor6/18507 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=108 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=108 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=108 cpu=0 pid=18507 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 ============================================================================= apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=132 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=132 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=132 cpu=0 pid=18507 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... entry_SYSCALL_64_fastpath+0x16/0x76 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=141 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=141 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=141 cpu=0 pid=18507 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=148 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=148 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=148 cpu=0 pid=18507 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ ============================================================================= INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=151 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=151 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=151 cpu=0 pid=18507 ffff8801d2548010 ffff8801d2548e10 ffff8801c991f9e0 ffffffff814d3af4 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 Read of size 4 by task syz-executor6/18507 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 ffff8801d2548e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 ============================================================================= INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=170 cpu=0 pid=18486 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 Memory state around the buggy address: ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d2548010 ffff8801d2548e10 ffff8801c991f9e0 ffffffff814d3af4 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8801d2548010 ffff8801d2548e10 ffff8801c991f9e0 ffffffff814d3af4 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=187 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=187 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=187 cpu=0 pid=18507 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 ============================================================================= INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=194 cpu=0 pid=18486 Object ffff8801d2548e60: 00 a7 01 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff ..........R..... apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 Read of size 4 by task syz-executor6/18507 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=204 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=204 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=204 cpu=0 pid=18507 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Read of size 4 by task syz-executor6/18507 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 vprintk_default+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1844 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 [] entry_SYSCALL_64_fastpath+0x16/0x76 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ----------------------------------------------------------------------------- CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Read of size 4 by task syz-executor6/18507 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=228 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=228 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=228 cpu=0 pid=18507 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ Read of size 4 by task syz-executor6/18507 vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=237 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=237 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=237 cpu=0 pid=18507 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ----------------------------------------------------------------------------- [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ^ Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f Object ffff8801d2548e60: 00 a7 01 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff ..........R..... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ================================================================== INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=272 cpu=0 pid=18486 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=295 cpu=0 pid=18486 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] entry_SYSCALL_64_fastpath+0x16/0x76 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 Object ffff8801d2548e60: 00 a7 01 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff ..........R..... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 Read of size 4 by task syz-executor6/18507 Object ffff8801d2548e60: 00 a7 01 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff ..........R..... entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ----------------------------------------------------------------------------- [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 entry_SYSCALL_64_fastpath+0x16/0x76 vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ================================================================== Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=343 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=343 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=343 cpu=0 pid=18507 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=349 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=349 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=349 cpu=0 pid=18507 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 ============================================================================= printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=367 cpu=0 pid=18486 Call Trace: __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=374 cpu=0 pid=18486 nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ffff8801d2548d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 Memory state around the buggy address: ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] entry_SYSCALL_64_fastpath+0x16/0x76 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=394 cpu=0 pid=18486 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 ----------------------------------------------------------------------------- [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 BUG fasync_cache (Tainted: G B ): kasan: bad access detected ============================================================================= __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=419 cpu=0 pid=18486 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 ================================================================== INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 ============================================================================= BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 ----------------------------------------------------------------------------- [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Read of size 4 by task syz-executor6/18507 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 [] entry_SYSCALL_64_fastpath+0x16/0x76 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=444 cpu=0 pid=18486 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=455 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=455 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=455 cpu=0 pid=18507 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] entry_SYSCALL_64_fastpath+0x16/0x76 vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ Read of size 4 by task syz-executor6/18507 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d2548010 ffff8801d2548e10 ffff8801c991f9e0 ffffffff814d3af4 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=478 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=478 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=478 cpu=0 pid=18507 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 ----------------------------------------------------------------------------- Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 ============================================================================= nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 ================================================================== invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=498 cpu=0 pid=18486 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ----------------------------------------------------------------------------- [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 vprintk_default+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1844 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ================================================================== __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Read of size 4 by task syz-executor6/18507 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=549 cpu=0 pid=18486 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 Read of size 4 by task syz-executor6/18507 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=562 cpu=0 pid=18486 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 entry_SYSCALL_64_fastpath+0x16/0x76 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ----------------------------------------------------------------------------- [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 Memory state around the buggy address: ================================================================== Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ ffff8801d2548e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ----------------------------------------------------------------------------- ffff8801d2548010 ffff8801d2548e10 ffff8801c991f9e0 ffffffff814d3af4 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ffff8801d2548010 ffff8801d2548e10 ffff8801c991f9e0 ffffffff814d3af4 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Memory state around the buggy address: ================================================================== ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 ^ Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 ffff8801d94bcc00 ffffea0007495200 ffff8801d2548e10 0000000000000000 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=637 cpu=0 pid=18486 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... Read of size 4 by task syz-executor6/18507 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=645 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=645 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=645 cpu=0 pid=18507 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 Read of size 4 by task syz-executor6/18507 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Read of size 4 by task syz-executor6/18507 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 Read of size 4 by task syz-executor6/18507 Read of size 4 by task syz-executor6/18507 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=673 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=673 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=673 cpu=0 pid=18507 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... ffff8801d94bcc00 ffffea0007495200 ffff8801d2548e10 0000000000000000 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 ============================================================================= nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 ================================================================== invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=703 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=703 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=703 cpu=0 pid=18507 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=721 cpu=0 pid=18486 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 Read of size 4 by task syz-executor6/18507 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ BUG fasync_cache (Tainted: G B ): kasan: bad access detected INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=743 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=743 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=743 cpu=0 pid=18507 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ ============================================================================= __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 ============================================================================= ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ^ Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ================================================================== BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 Read of size 4 by task syz-executor6/18507 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d2548e60: 00 a7 01 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff ..........R..... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d94bcc00 ffffea0007495200 ffff8801d2548e10 0000000000000000 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 nfnetlink_rcv_msg+0x90c/0xaf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nfnetlink.c:215 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=785 cpu=0 pid=18486 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=786 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=786 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=786 cpu=0 pid=18507 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ================================================================== Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Read of size 4 by task syz-executor6/18507 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 nla_parse_nested /syzkaller/managers/android-44-kasan-gce/kernel/include/net/netlink.h:737 [inline] ctnetlink_parse_tuple+0x106/0x750 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1011 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ============================================================================= INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=819 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=819 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=819 cpu=0 pid=18507 vprintk+0x1a/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1843 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 ============================================================================= vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ ================================================================== Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 nla_parse+0x1b7/0x230 /syzkaller/managers/android-44-kasan-gce/kernel/lib/nlattr.c:205 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 Read of size 4 by task syz-executor6/18507 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 ----------------------------------------------------------------------------- vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=861 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=861 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=861 cpu=0 pid=18507 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=873 cpu=0 pid=18486 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ffff8801d2548d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=879 cpu=0 pid=18486 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 ============================================================================= fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=888 cpu=0 pid=18486 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Read of size 4 by task syz-executor6/18507 Memory state around the buggy address: INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=892 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=892 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=892 cpu=0 pid=18507 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 ffff8801d94bcc00 ffffea0007495200 ffff8801d2548e10 0000000000000000 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Read of size 4 by task syz-executor6/18507 Object ffff8801d2548e60: 00 a7 01 d6 01 88 ff ff f0 f4 52 81 ff ff ff ff ..........R..... printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 Object ffff8801d2548e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=906 cpu=0 pid=18507 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=906 cpu=0 pid=18507 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=906 cpu=0 pid=18507 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 vprintk_default+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1844 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc vprintk_default+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1844 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 printk+0x9c/0xc3 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1922 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Read of size 4 by task syz-executor6/18507 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 vprintk_emit+0x47c/0x6f0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/printk/printk.c:1832 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 Read of size 4 by task syz-executor6/18507 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 ctnetlink_get_conntrack+0x2cf/0x760 /syzkaller/managers/android-44-kasan-gce/kernel/net/netfilter/nf_conntrack_netlink.c:1214 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Read of size 4 by task syz-executor6/18507 [] entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 Read of size 4 by task syz-executor6/18507 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 Call Trace: [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 Read of size 4 by task syz-executor6/18507 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d2548e10: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=965 cpu=0 pid=18486 0000000000000000 b9b1865c1360443a ffff8801c991f9b0 ffffffff81cc9b0f INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=971 cpu=0 pid=18486 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Object ffff8801d2548e50: 00 00 00 00 00 00 00 00 00 2a 86 d2 01 88 ff ff .........*...... apic_timer_interrupt+0x8c/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:689 INFO: Slab 0xffffea0007495200 objects=20 used=1 fp=0xffff8801d2549db0 flags=0x8000000000004080 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d2548e74 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d2548e74 ffff8801d2548010 ffff8801d2548e10 ffff8801c991f9e0 ffffffff814d3af4 ffff8801d2548e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc invoke_softirq /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:391 INFO: Object 0xffff8801d2548e10 @offset=3600 fp=0xdead4ead00000000 Memory state around the buggy address: Bytes b4 ffff8801d2548e00: 01 00 00 00 c2 14 00 00 c7 a3 ff ff 00 00 00 00 ................ CPU: 0 PID: 18507 Comm: syz-executor6 Tainted: G B 4.4.105-g8a53962 #3 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc ^ exiting_irq /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/kernel/apic/apic.c:926 ffff8801d2548f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 Object ffff8801d2548e20: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... BUG fasync_cache (Tainted: G B ): kasan: bad access detected >ffff8801d2548e00: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Object ffff8801d2548e40: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Read of size 4 by task syz-executor6/18507