ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 ^ setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 entry_SYSCALL_64_fastpath+0x16/0x76 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Call Trace: [] entry_SYSCALL_64_fastpath+0x16/0x76 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 [] entry_SYSCALL_64_fastpath+0x16/0x76 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 Object ffff8801d3701130: 00 00 00 00 ad 4e ad de ff ff ff ff be 3f fb a0 .....N.......?.. kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Read of size 4 by task syz-executor1/6024 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ============================================================================= [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 ^ [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f Object ffff8801d3701130: 00 00 00 00 ad 4e ad de ff ff ff ff be 3f fb a0 .....N.......?.. [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 ----------------------------------------------------------------------------- ================================================================== ^ [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 Object ffff8801d3701130: 00 00 00 00 ad 4e ad de ff ff ff ff be 3f fb a0 .....N.......?.. __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 ============================================================================= 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ============================================================================= [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 BUG fasync_cache (Tainted: G B ): kasan: bad access detected Memory state around the buggy address: 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f Call Trace: ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb Memory state around the buggy address: kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 ================================================================== INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 [] entry_SYSCALL_64_fastpath+0x16/0x76 ^ [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 ret_from_fork+0x3f/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:468 ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Call Trace: [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Object ffff8801d3701170: 00 00 00 00 00 00 00 00 00 67 b4 b5 00 88 ff ff .........g...... BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ----------------------------------------------------------------------------- [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 ffff8801d3701200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 Call Trace: ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Bytes b4 ffff8801d3701120: 00 00 00 00 6d 13 00 00 74 9d ff ff 00 00 00 00 ....m...t....... kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Object ffff8801d3701140: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Bytes b4 ffff8801d3701120: 00 00 00 00 6d 13 00 00 74 9d ff ff 00 00 00 00 ....m...t....... Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Object ffff8801d3701140: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Bytes b4 ffff8801d3701120: 00 00 00 00 6d 13 00 00 74 9d ff ff 00 00 00 00 ....m...t....... [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 ============================================================================= Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 Object ffff8801d3701180: 00 de 72 d5 01 88 ff ff f0 f4 52 81 ff ff ff ff ..r.......R..... ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 Bytes b4 ffff8801d3701120: 00 00 00 00 6d 13 00 00 74 9d ff ff 00 00 00 00 ....m...t....... ================================================================== __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 ============================================================================= ret_from_fork+0x3f/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:468 BUG fasync_cache (Tainted: G B ): kasan: bad access detected ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ================================================================== slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Call Trace: [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d3701200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 INFO: Slab 0xffffea00074dc000 objects=20 used=3 fp=0xffff8801d3701900 flags=0x8000000000004080 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Object ffff8801d3701170: 00 00 00 00 00 00 00 00 00 67 b4 b5 00 88 ff ff .........g...... [] entry_SYSCALL_64_fastpath+0x16/0x76 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 ^ __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 entry_SYSCALL_64_fastpath+0x16/0x76 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 Memory state around the buggy address: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 Memory state around the buggy address: Object ffff8801d3701170: 00 00 00 00 00 00 00 00 00 67 b4 b5 00 88 ff ff .........g...... [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ^ [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Object ffff8801d3701170: 00 00 00 00 00 00 00 00 00 67 b4 b5 00 88 ff ff .........g...... Read of size 4 by task syz-executor1/6024 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3701200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Read of size 4 by task syz-executor1/6024 entry_SYSCALL_64_fastpath+0x16/0x76 [] entry_SYSCALL_64_fastpath+0x16/0x76 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 ============================================================================= Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Memory state around the buggy address: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 entry_SYSCALL_64_fastpath+0x16/0x76 ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Call Trace: ----------------------------------------------------------------------------- [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 entry_SYSCALL_64_fastpath+0x16/0x76 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 entry_SYSCALL_64_fastpath+0x16/0x76 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 [] entry_SYSCALL_64_fastpath+0x16/0x76 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 ============================================================================= [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 Object ffff8801d3701140: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f INFO: Slab 0xffffea00074dc000 objects=20 used=3 fp=0xffff8801d3701900 flags=0x8000000000004080 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 Object ffff8801d3701130: 00 00 00 00 ad 4e ad de ff ff ff ff be 3f fb a0 .....N.......?.. Read of size 4 by task syz-executor1/6024 ^ [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f Object ffff8801d3701170: 00 00 00 00 00 00 00 00 00 67 b4 b5 00 88 ff ff .........g...... Object ffff8801d3701130: 00 00 00 00 ad 4e ad de ff ff ff ff be 3f fb a0 .....N.......?.. ============================================================================= CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 entry_SYSCALL_64_fastpath+0x16/0x76 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 entry_SYSCALL_64_fastpath+0x16/0x76 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 Object ffff8801d3701180: 00 de 72 d5 01 88 ff ff f0 f4 52 81 ff ff ff ff ..r.......R..... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 Object ffff8801d3701140: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ================================================================== __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Object ffff8801d3701140: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... Read of size 4 by task syz-executor1/6024 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ================================================================== INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Call Trace: BUG fasync_cache (Tainted: G B ): kasan: bad access detected ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb Call Trace: ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 __rcu_reclaim /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/rcu.h:118 [inline] rcu_do_batch /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2705 [inline] invoke_rcu_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2973 [inline] __rcu_process_callbacks /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2940 [inline] rcu_process_callbacks+0x7ff/0x1490 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/rcu/tree.c:2957 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ^ [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ----------------------------------------------------------------------------- Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Bytes b4 ffff8801d3701120: 00 00 00 00 6d 13 00 00 74 9d ff ff 00 00 00 00 ....m...t....... ffff8801d3701200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Memory state around the buggy address: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f Object ffff8801d3701140: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ffff8801d3701200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Call Trace: ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 Read of size 4 by task syz-executor1/6024 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 Read of size 4 by task syz-executor1/6024 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: Object ffff8801d3701180: 00 de 72 d5 01 88 ff ff f0 f4 52 81 ff ff ff ff ..r.......R..... ============================================================================= Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 ================================================================== ================================================================== ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ^ ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 ^ [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Object ffff8801d3701130: 00 00 00 00 ad 4e ad de ff ff ff ff be 3f fb a0 .....N.......?.. >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Object ffff8801d3701180: 00 de 72 d5 01 88 ff ff f0 f4 52 81 ff ff ff ff ..r.......R..... slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 ----------------------------------------------------------------------------- 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 [] entry_SYSCALL_64_fastpath+0x16/0x76 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ============================================================================= Object ffff8801d3701170: 00 00 00 00 00 00 00 00 00 67 b4 b5 00 88 ff ff .........g...... ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ffff8801d3701200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc entry_SYSCALL_64_fastpath+0x16/0x76 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 sg_fasync+0x66/0xb0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1213 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 Read of size 4 by task syz-executor1/6024 [] entry_SYSCALL_64_fastpath+0x16/0x76 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 entry_SYSCALL_64_fastpath+0x16/0x76 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] entry_SYSCALL_64_fastpath+0x16/0x76 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ^ [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 Read of size 4 by task syz-executor1/6024 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 BUG fasync_cache (Tainted: G B ): kasan: bad access detected INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 ----------------------------------------------------------------------------- [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 ----------------------------------------------------------------------------- [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 ================================================================== ================================================================== Read of size 4 by task syz-executor1/6024 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... ----------------------------------------------------------------------------- [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 ^ [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f ffff8801d3700010 ffff8801d3701130 ffff8800b43179e0 ffffffff814d3af4 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 Call Trace: BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 entry_SYSCALL_64_fastpath+0x16/0x76 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 ============================================================================= Call Trace: ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 Call Trace: [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 ffff8801d3701200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8801d3700010 ffff8801d3701130 ffff8800b43179e0 ffffffff814d3af4 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 ffff8801d3700010 ffff8801d3701130 ffff8800b43179e0 ffffffff814d3af4 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 ================================================================== BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 ^ [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 Call Trace: setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 ----------------------------------------------------------------------------- [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 Object ffff8801d3701160: 00 50 8b 83 ff ff ff ff 01 46 00 00 03 00 00 00 .P.......F...... run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Call Trace: [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 __do_softirq+0x24d/0xa60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:273 Object ffff8801d3701180: 00 de 72 d5 01 88 ff ff f0 f4 52 81 ff ff ff ff ..r.......R..... ============================================================================= Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 Object ffff8801d3701180: 00 de 72 d5 01 88 ff ff f0 f4 52 81 ff ff ff ff ..r.......R..... BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 setfl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:69 [inline] do_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:266 [inline] SYSC_fcntl /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:371 [inline] SyS_fcntl+0x5be/0xc70 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:356 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc Memory state around the buggy address: Object ffff8801d3701170: 00 00 00 00 00 00 00 00 00 67 b4 b5 00 88 ff ff .........g...... INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 CPU: 1 PID: 6024 Comm: syz-executor1 Tainted: G B 4.4.104-ged884eb #2 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 Memory state around the buggy address: ffff8800bbb98c00 ffffea00074dc000 ffff8801d3701130 0000000000000000 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] entry_SYSCALL_64_fastpath+0x16/0x76 ----------------------------------------------------------------------------- ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 [] queued_write_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qrwlock.h:121 [inline] [] do_raw_write_lock+0xc7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock_debug.c:279 ffff8801d3701280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb BUG fasync_cache (Tainted: G B ): kasan: bad access detected kthread+0x245/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/kthread.c:211 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline] [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262 fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 0000000000000000 3fe20028167234bc ffff8800b43179b0 ffffffff81cc9b0f INFO: Slab 0xffffea00074dc000 objects=20 used=3 fp=0xffff8801d3701900 flags=0x8000000000004080 [] sg_finish_rem_req+0x255/0x2f0 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:1848 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 Call Trace: fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 BUG fasync_cache (Tainted: G B ): kasan: bad access detected BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 [] SYSC_read /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:569 [inline] [] SyS_read+0xd3/0x1c0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:562 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 entry_SYSCALL_64_fastpath+0x16/0x76 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ----------------------------------------------------------------------------- [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 ffff8801d3701100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 BUG: KASAN: slab-out-of-bounds in __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801d3701194 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 at addr ffff8801d3701194 ================================================================== Read of size 4 by task syz-executor1/6024 [] vfs_read+0xe1/0x340 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:454 INFO: Freed in fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 age=52 cpu=0 pid=3 [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] sg_read+0x767/0x1260 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:538 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 Call Trace: [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] sg_remove_request+0x60/0x100 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/scsi/sg.c:2132 INFO: Object 0xffff8801d3701130 @offset=4400 fp=0xdead4ead00000000 [] kasan_report /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 [inline] [] __asan_report_load4_noabort+0x29/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:282 Object ffff8801d3701140: ff ff ff ff ff ff ff ff 80 e3 70 85 ff ff ff ff ..........p..... ================================================================== ffff8801d3701080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 [] pv_queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/paravirt.h:696 [inline] [] queued_spin_lock_slowpath /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/include/asm-generic/qspinlock.h:102 [inline] [] queued_write_lock_slowpath+0x116/0x150 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qrwlock.c:115 INFO: Allocated in fasync_alloc /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:603 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_add_entry /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:661 [inline] age=1 cpu=1 pid=6024 INFO: Allocated in fasync_helper+0x29/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:690 age=1 cpu=1 pid=6024 ffff8801d3700010 ffff8801d3701130 ffff8800b43179e0 ffffffff814d3af4 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [] __read_once_size /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/compiler.h:218 [inline] [] atomic_read /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:27 [inline] [] virt_spin_lock /syzkaller/managers/android-44-kasan-gce/kernel/./arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x5ad/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/qspinlock.c:352 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689 Memory state around the buggy address: run_ksoftirqd+0x20/0x60 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/softirq.c:662 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline] slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline] kmem_cache_alloc+0x155/0x290 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2614 fasync_free_rcu+0x14/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/fs/fcntl.c:562 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline] kmem_cache_free+0x1f1/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2849 ----------------------------------------------------------------------------- [] __vfs_read+0xda/0x3e0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:432 ----------------------------------------------------------------------------- __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 Read of size 4 by task syz-executor1/6024 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504 >ffff8801d3701180: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685 [] __raw_write_lock_irqsave /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x70 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/locking/spinlock.c:303 Object ffff8801d3701150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................