================================================================== BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user include/linux/instrumented.h:119 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user lib/usercopy.c:33 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x116/0x140 lib/usercopy.c:27 Read of size 16 at addr ffff8880764fe818 by task syz-executor.0/26931 CPU: 1 PID: 26931 Comm: syz-executor.0 Not tainted 6.1.0-rc4-syzkaller-00356-g8f2975c2bb4c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_copy_to_user include/linux/instrumented.h:119 [inline] _copy_to_user lib/usercopy.c:33 [inline] _copy_to_user+0x116/0x140 lib/usercopy.c:27 copy_to_user include/linux/uaccess.h:169 [inline] v4l2_compat_put_array_args+0x480/0x830 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1154 video_usercopy+0x4e7/0x17e0 drivers/media/v4l2-core/v4l2-ioctl.c:3409 v4l2_ioctl+0x1b3/0x250 drivers/media/v4l2-core/v4l2-dev.c:364 v4l2_compat_ioctl32+0x237/0x2a0 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1253 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:968 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 RIP: 0023:0xf7f26549 Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f7f215cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000c0cc5604 RDX: 0000000020000440 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 26931: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45 kasan_set_track+0x21/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] ____kasan_kmalloc mm/kasan/common.c:330 [inline] __kasan_kmalloc+0xa1/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:955 [inline] __kmalloc_node+0x59/0xc0 mm/slab_common.c:962 kmalloc_node include/linux/slab.h:579 [inline] kvmalloc_node+0x3f/0x1b0 mm/util.c:581 kvmalloc include/linux/slab.h:706 [inline] video_usercopy+0x264/0x17e0 drivers/media/v4l2-core/v4l2-ioctl.c:3367 v4l2_ioctl+0x1b3/0x250 drivers/media/v4l2-core/v4l2-dev.c:364 v4l2_compat_ioctl32+0x237/0x2a0 drivers/media/v4l2-core/v4l2-compat-ioctl32.c:1253 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:968 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 The buggy address belongs to the object at ffff8880764fe800 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 24 bytes inside of 32-byte region [ffff8880764fe800, ffff8880764fe820) The buggy address belongs to the physical page: page:ffffea0001d93f80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x764fe flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0000870440 dead000000000002 ffff888011841500 raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 3656, tgid 3656 (syz-executor.0), ts 136345990088, free_ts 136193677085 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288 __alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5555 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2285 alloc_slab_page mm/slub.c:1794 [inline] allocate_slab+0x213/0x300 mm/slub.c:1939 new_slab mm/slub.c:1992 [inline] ___slab_alloc+0xa91/0x1400 mm/slub.c:3180 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279 slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x191/0x3e0 mm/slub.c:3437 kmalloc_trace+0x22/0x60 mm/slab_common.c:1045 kmalloc include/linux/slab.h:553 [inline] kzalloc include/linux/slab.h:689 [inline] ref_tracker_alloc+0x14c/0x550 lib/ref_tracker.c:85 __netdev_tracker_alloc include/linux/netdevice.h:3995 [inline] netdev_hold include/linux/netdevice.h:4024 [inline] linkwatch_add_event net/core/link_watch.c:113 [inline] linkwatch_fire_event+0x202/0x260 net/core/link_watch.c:274 netif_carrier_on net/sched/sch_generic.c:581 [inline] netif_carrier_on+0x9c/0x100 net/sched/sch_generic.c:575 veth_open+0x219/0x270 drivers/net/veth.c:1345 __dev_open+0x297/0x4d0 net/core/dev.c:1432 __dev_change_flags+0x583/0x750 net/core/dev.c:8543 dev_change_flags+0x93/0x170 net/core/dev.c:8614 do_setlink+0x9f1/0x3bb0 net/core/rtnetlink.c:2788 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1459 [inline] free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509 free_unref_page_prepare mm/page_alloc.c:3387 [inline] free_unref_page+0x19/0x4d0 mm/page_alloc.c:3483 qlink_free mm/kasan/quarantine.c:168 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0x62/0x80 mm/kasan/common.c:302 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slab.h:737 [inline] slab_alloc_node mm/slub.c:3398 [inline] __kmem_cache_alloc_node+0x2da/0x3e0 mm/slub.c:3437 kmalloc_trace+0x22/0x60 mm/slab_common.c:1045 kmalloc include/linux/slab.h:553 [inline] kzalloc include/linux/slab.h:689 [inline] fib6_info_alloc+0xc1/0x210 net/ipv6/ip6_fib.c:156 ip6_route_info_create+0x341/0x18f0 net/ipv6/route.c:3749 ip6_route_add+0x24/0x150 net/ipv6/route.c:3843 addrconf_add_mroute+0x1e1/0x310 net/ipv6/addrconf.c:2489 addrconf_add_dev+0x156/0x1c0 net/ipv6/addrconf.c:2507 addrconf_dev_config+0x1ec/0x410 net/ipv6/addrconf.c:3382 addrconf_notify+0xf36/0x1c10 net/ipv6/addrconf.c:3635 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 Memory state around the buggy address: ffff8880764fe700: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc ffff8880764fe780: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc >ffff8880764fe800: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff8880764fe880: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc ffff8880764fe900: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc ================================================================== ---------------- Code disassembly (best guess): 0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi 4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d a: 10 06 adc %al,(%rsi) c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi 10: 10 07 adc %al,(%rdi) 12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi 16: 10 08 adc %cl,(%rax) 18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi 1c: 00 00 add %al,(%rax) 1e: 00 00 add %al,(%rax) 20: 00 51 52 add %dl,0x52(%rcx) 23: 55 push %rbp 24: 89 e5 mov %esp,%ebp 26: 0f 34 sysenter 28: cd 80 int $0x80 * 2a: 5d pop %rbp <-- trapping instruction 2b: 5a pop %rdx 2c: 59 pop %rcx 2d: c3 retq 2e: 90 nop 2f: 90 nop 30: 90 nop 31: 90 nop 32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi 39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi