RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000f18 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005 R13: 0000000000000b67 R14: 00000000004cce12 R15: 0000000000000001 ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline] BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28 [inline] BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x269/0x6a0 crypto/scatterwalk.c:43 Read of size 3632 at addr ffff888063fbd000 by task syz-executor.2/5286 CPU: 0 PID: 5286 Comm: syz-executor.2 Not tainted 4.19.100-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x123/0x190 mm/kasan/kasan.c:267 memcpy+0x24/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:348 [inline] memcpy_dir crypto/scatterwalk.c:28 [inline] scatterwalk_copychunks+0x269/0x6a0 crypto/scatterwalk.c:43 scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline] scatterwalk_map_and_copy+0x14d/0x1d0 crypto/scatterwalk.c:60 gcmaes_encrypt.constprop.0+0x762/0xd90 arch/x86/crypto/aesni-intel_glue.c:956 generic_gcmaes_encrypt+0x108/0x160 arch/x86/crypto/aesni-intel_glue.c:1297 crypto_aead_encrypt include/crypto/aead.h:335 [inline] gcmaes_wrapper_encrypt+0x15f/0x200 arch/x86/crypto/aesni-intel_glue.c:1130 crypto_aead_encrypt include/crypto/aead.h:335 [inline] tls_do_encryption net/tls/tls_sw.c:193 [inline] tls_push_record+0x9c0/0x13a0 net/tls/tls_sw.c:228 tls_sw_sendpage+0x538/0xd50 net/tls/tls_sw.c:585 inet_sendpage+0x168/0x630 net/ipv4/af_inet.c:815 kernel_sendpage+0x92/0xf0 net/socket.c:3378 sock_sendpage+0x8b/0xc0 net/socket.c:847 pipe_to_sendpage+0x296/0x360 fs/splice.c:452 splice_from_pipe_feed fs/splice.c:503 [inline] __splice_from_pipe+0x391/0x7d0 fs/splice.c:627 splice_from_pipe+0x108/0x170 fs/splice.c:662 generic_splice_sendpage+0x3c/0x50 fs/splice.c:833 do_splice_from fs/splice.c:852 [inline] do_splice+0x642/0x1340 fs/splice.c:1154 __do_sys_splice fs/splice.c:1428 [inline] __se_sys_splice fs/splice.c:1408 [inline] __x64_sys_splice+0x2c6/0x330 fs/splice.c:1408 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45b349 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fbc39d3ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 00007fbc39d3b6d4 RCX: 000000000045b349 RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000f18 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005 R13: 0000000000000b67 R14: 00000000004cce12 R15: 0000000000000001 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff888063fbd080 which belongs to the cache PHONET of size 1120 The buggy address is located 128 bytes to the left of 1120-byte region [ffff888063fbd080, ffff888063fbd4e0) The buggy address belongs to the page: page:ffffea00018fef40 count:1 mapcount:0 mapping:ffff88809b3a7180 index:0xffff888063fbd080 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffff88809a9f1d38 ffff88809a9f1d38 ffff88809b3a7180 raw: ffff888063fbd080 ffff888063fbd080 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888063fbcf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888063fbcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888063fbd000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888063fbd080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888063fbd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================