>ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 printk+0x9c/0xc3 kernel/printk/printk.c:1922 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... ----------------------------------------------------------------------------- [] vfs_read+0xe1/0x340 fs/read_write.c:454 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 ================================================================== [] entry_SYSCALL_64_fastpath+0x16/0x76 [] object_err+0x2f/0x40 mm/slub.c:689 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 vprintk+0x1a/0x20 kernel/printk/printk.c:1843 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 Read of size 4 by task syz-executor4/7285 binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 ^ fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ================================================================== [] entry_SYSCALL_64_fastpath+0x16/0x76 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ============================================================================= fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ================================================================== Memory state around the buggy address: >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ----------------------------------------------------------------------------- [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Call Trace: slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 ================================================================== ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ================================================================== [] vfs_read+0xe1/0x340 fs/read_write.c:454 entry_SYSCALL_64_fastpath+0x16/0x76 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f __do_softirq+0x24d/0xa60 kernel/softirq.c:273 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] entry_SYSCALL_64_fastpath+0x16/0x76 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 [] vfs_read+0xe1/0x340 fs/read_write.c:454 vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ================================================================== [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] vfs_read+0xe1/0x340 fs/read_write.c:454 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 Memory state around the buggy address: Memory state around the buggy address: [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] vfs_read+0xe1/0x340 fs/read_write.c:454 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ----------------------------------------------------------------------------- [] entry_SYSCALL_64_fastpath+0x16/0x76 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ================================================================== ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 Call Trace: INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=19 cpu=1 pid=7254 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] vfs_read+0xe1/0x340 fs/read_write.c:454 Read of size 4 by task syz-executor4/7285 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=0 cpu=0 pid=7285 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 [] vfs_read+0xe1/0x340 fs/read_write.c:454 __slab_free+0x18c/0x2b0 mm/slub.c:2685 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 Read of size 4 by task syz-executor4/7285 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f __slab_free+0x18c/0x2b0 mm/slub.c:2685 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ================================================================== ================================================================== [] vfs_read+0xe1/0x340 fs/read_write.c:454 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 [] vfs_read+0xe1/0x340 fs/read_write.c:454 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 Call Trace: INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=19 cpu=1 pid=7254 printk+0x9c/0xc3 kernel/printk/printk.c:1922 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454 ============================================================================= ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Read of size 4 by task syz-executor4/7285 Call Trace: binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ================================================================== ================================================================== ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 Memory state around the buggy address: printk+0x9c/0xc3 kernel/printk/printk.c:1922 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] print_trailer+0x114/0x1a0 mm/slub.c:682 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] entry_SYSCALL_64_fastpath+0x16/0x76 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ----------------------------------------------------------------------------- Call Trace: ================================================================== 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 entry_SYSCALL_64_fastpath+0x16/0x76 entry_SYSCALL_64_fastpath+0x16/0x76 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] entry_SYSCALL_64_fastpath+0x16/0x76 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 [] entry_SYSCALL_64_fastpath+0x16/0x76 [] object_err+0x2f/0x40 mm/slub.c:689 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 Call Trace: __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ================================================================== ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: ^ ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] entry_SYSCALL_64_fastpath+0x16/0x76 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 printk+0x9c/0xc3 kernel/printk/printk.c:1922 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 ================================================================== [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 ================================================================== [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 Call Trace: ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Call Trace: ============================================================================= >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 Call Trace: ^ BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 Call Trace: ----------------------------------------------------------------------------- ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 ^ BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 Call Trace: ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Memory state around the buggy address: __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 Call Trace: INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=19 cpu=1 pid=7254 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ================================================================== Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=19 cpu=1 pid=7254 ================================================================== [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=19 cpu=1 pid=7254 ================================================================== [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 ================================================================== ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: ^ Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Read of size 4 by task syz-executor4/7285 Call Trace: __do_softirq+0x24d/0xa60 kernel/softirq.c:273 printk+0x9c/0xc3 kernel/printk/printk.c:1922 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 Memory state around the buggy address: [] entry_SYSCALL_64_fastpath+0x16/0x76 Call Trace: printk+0x9c/0xc3 kernel/printk/printk.c:1922 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] print_trailer+0x114/0x1a0 mm/slub.c:682 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 Call Trace: INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=0 cpu=0 pid=7285 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 Call Trace: ----------------------------------------------------------------------------- apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=0 cpu=0 pid=7285 printk+0x9c/0xc3 kernel/printk/printk.c:1922 [] object_err+0x2f/0x40 mm/slub.c:689 binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f ----------------------------------------------------------------------------- Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] vfs_read+0xe1/0x340 fs/read_write.c:454 Read of size 4 by task syz-executor4/7285 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=0 cpu=0 pid=7285 printk+0x9c/0xc3 kernel/printk/printk.c:1922 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f ============================================================================= INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [] vfs_read+0xe1/0x340 fs/read_write.c:454 fasync_alloc fs/fcntl.c:603 [inline] fasync_add_entry fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 fs/fcntl.c:690 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 ^ ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Call Trace: ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ================================================================== __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] print_trailer+0x114/0x1a0 mm/slub.c:682 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ^ ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Memory state around the buggy address: [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 [] entry_SYSCALL_64_fastpath+0x16/0x76 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __slab_free+0x18c/0x2b0 mm/slub.c:2685 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 vprintk+0x1a/0x20 kernel/printk/printk.c:1843 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 ^ ================================================================== exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 ================================================================== Call Trace: ----------------------------------------------------------------------------- CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=19 cpu=1 pid=7254 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 [] vfs_read+0xe1/0x340 fs/read_write.c:454 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 Call Trace: ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Call Trace: slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... vprintk+0x1a/0x20 kernel/printk/printk.c:1843 ================================================================== [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 Memory state around the buggy address: ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 vprintk+0x1a/0x20 kernel/printk/printk.c:1843 Read of size 4 by task syz-executor4/7285 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 ^ __slab_free+0x18c/0x2b0 mm/slub.c:2685 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ================================================================== >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... printk+0x9c/0xc3 kernel/printk/printk.c:1922 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc Memory state around the buggy address: ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Call Trace: ----------------------------------------------------------------------------- binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ^ __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] vfs_read+0xe1/0x340 fs/read_write.c:454 vprintk+0x1a/0x20 kernel/printk/printk.c:1843 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Read of size 4 by task syz-executor4/7285 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __slab_free+0x18c/0x2b0 mm/slub.c:2685 Call Trace: exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Call Trace: vprintk+0x1a/0x20 kernel/printk/printk.c:1843 Read of size 4 by task syz-executor4/7285 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __do_softirq+0x24d/0xa60 kernel/softirq.c:273 BUG fasync_cache (Tainted: G B ): kasan: bad access detected [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 __slab_free+0x18c/0x2b0 mm/slub.c:2685 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 ----------------------------------------------------------------------------- [] object_err+0x2f/0x40 mm/slub.c:689 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ============================================================================= BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 [] entry_SYSCALL_64_fastpath+0x16/0x76 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] vfs_read+0xe1/0x340 fs/read_write.c:454 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:218 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d4e5e064 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 at addr ffff8801d4e5e064 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 printk+0x9c/0xc3 kernel/printk/printk.c:1922 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ================================================================== [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Call Trace: Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] entry_SYSCALL_64_fastpath+0x16/0x76 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Call Trace: vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Call Trace: __do_softirq+0x24d/0xa60 kernel/softirq.c:273 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 Call Trace: invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ================================================================== printk+0x9c/0xc3 kernel/printk/printk.c:1922 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 Read of size 4 by task syz-executor4/7285 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... __do_softirq+0x24d/0xa60 kernel/softirq.c:273 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... exiting_irq arch/x86/include/asm/apic.h:653 [inline] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x60/0x100 drivers/scsi/sg.c:2132 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ^ INFO: Freed in fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 age=19 cpu=1 pid=7254 ================================================================== [] entry_SYSCALL_64_fastpath+0x16/0x76 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f vprintk+0x1a/0x20 kernel/printk/printk.c:1843 ^ vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Call Trace: printk+0x9c/0xc3 kernel/printk/printk.c:1922 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 Call Trace: __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... entry_SYSCALL_64_fastpath+0x16/0x76 [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] vfs_read+0xe1/0x340 fs/read_write.c:454 sg_fasync+0x66/0xb0 drivers/scsi/sg.c:1213 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] print_trailer+0x114/0x1a0 mm/slub.c:682 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f ================================================================== [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... __slab_free+0x18c/0x2b0 mm/slub.c:2685 [] object_err+0x2f/0x40 mm/slub.c:689 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... __slab_free+0x18c/0x2b0 mm/slub.c:2685 [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ================================================================== >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 binder_transaction+0x1560/0x7030 drivers/android/binder.c:3121 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] print_trailer+0x114/0x1a0 mm/slub.c:682 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Call Trace: fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Call Trace: __do_softirq+0x24d/0xa60 kernel/softirq.c:273 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ^ __do_softirq+0x24d/0xa60 kernel/softirq.c:273 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ================================================================== Memory state around the buggy address: >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 setfl fs/fcntl.c:69 [inline] do_fcntl fs/fcntl.c:266 [inline] SYSC_fcntl fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 fs/fcntl.c:356 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 ffff8801d4e5e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: [] entry_SYSCALL_64_fastpath+0x16/0x76 [] print_trailer+0x114/0x1a0 mm/slub.c:682 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 [] object_err+0x2f/0x40 mm/slub.c:689 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ binder_alloc_new_buf_locked+0xb14/0x16f0 drivers/android/binder_alloc.c:347 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=0 cpu=0 pid=7285 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 Memory state around the buggy address: ^ __do_softirq+0x24d/0xa60 kernel/softirq.c:273 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 mm/slub.c:2614 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ printk+0x9c/0xc3 kernel/printk/printk.c:1922 Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 INFO: Object 0xffff8801d4e5e000 @offset=0 fp=0xdead4ead00000000 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 ================================================================== >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc Read of size 4 by task syz-executor4/7285 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Read of size 4 by task syz-executor4/7285 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] vfs_read+0xe1/0x340 fs/read_write.c:454 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ================================================================== [] entry_SYSCALL_64_fastpath+0x16/0x76 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Call Trace: ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 Call Trace: __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:303 Object ffff8801d4e5e050: 00 06 0c b6 00 88 ff ff 30 f5 52 81 ff ff ff ff ........0.R..... binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 ================================================================== ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] kasan_report mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:282 vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 ----------------------------------------------------------------------------- Memory state around the buggy address: ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] __vfs_read+0xda/0x3e0 fs/read_write.c:432 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d4e5e010: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] object_err+0x2f/0x40 mm/slub.c:689 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Call Trace: >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 [] queued_write_lock include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:279 INFO: Slab 0xffffea0007539780 objects=20 used=1 fp=0xffff8801d4e5f2c0 flags=0x8000000000004080 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=0 cpu=0 pid=7285 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 Read of size 4 by task syz-executor4/7285 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 Object ffff8801d4e5e030: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... Object ffff8801d4e5e000: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454 invoke_softirq kernel/softirq.c:350 [inline] irq_exit+0x119/0x140 kernel/softirq.c:391 CPU: 0 PID: 7285 Comm: syz-executor4 Tainted: G B 4.4.105-g36205b7 #4 [] entry_SYSCALL_64_fastpath+0x16/0x76 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 Object ffff8801d4e5e040: 00 00 00 00 00 00 00 00 00 6a 86 b8 00 88 ff ff .........j...... Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ vprintk_emit+0x47c/0x6f0 kernel/printk/printk.c:1832 printk+0x9c/0xc3 kernel/printk/printk.c:1922 [] print_trailer+0x114/0x1a0 mm/slub.c:682 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] sg_read+0x767/0x1260 drivers/scsi/sg.c:538 ffff8801d9824c00 ffffea0007539780 ffff8801d4e5e000 0000000000000000 binder_alloc_new_buf+0x3b/0x60 drivers/android/binder_alloc.c:513 INFO: Allocated in fasync_alloc fs/fcntl.c:603 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_add_entry fs/fcntl.c:661 [inline] age=0 cpu=0 pid=7285 INFO: Allocated in fasync_helper+0x29/0x90 fs/fcntl.c:690 age=0 cpu=0 pid=7285 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] entry_SYSCALL_64_fastpath+0x16/0x76 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 __do_softirq+0x24d/0xa60 kernel/softirq.c:273 entry_SYSCALL_64_fastpath+0x16/0x76 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 Read of size 4 by task syz-executor4/7285 0000000000000000 09d2b58e21a0d847 ffff8801d63c79b0 ffffffff81cc9b4f fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 ffff8801d4e5e010 ffff8801d4e5e000 ffff8801d63c79e0 ffffffff814d3af4 vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 slab_free mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 mm/slub.c:2849 Call Trace: vprintk_default+0x9/0x10 kernel/printk/printk.c:1844 vprintk+0x1a/0x20 kernel/printk/printk.c:1843 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 binder_thread_write+0x8f5/0x3110 drivers/android/binder.c:3694 >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:689 Read of size 4 by task syz-executor4/7285 Object ffff8801d4e5e020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ fasync_free_rcu+0x14/0x20 fs/fcntl.c:562 Call Trace: >ffff8801d4e5e000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff8801d4e5e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc vprintk+0x1a/0x20 kernel/printk/printk.c:1843 ================================================================== [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 fs/read_write.c:562 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] sg_finish_rem_req+0x255/0x2f0 drivers/scsi/sg.c:1848 ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d4e5df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] entry_SYSCALL_64_fastpath+0x16/0x76 [] __read_once_size include/linux/compiler.h:218 [inline] [] atomic_read arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 kernel/locking/qspinlock.c:352 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d4e5df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] vfs_read+0xe1/0x340 fs/read_write.c:454