SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5702 comm=syz-executor6 BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor7/5757 caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 CPU: 0 PID: 5757 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d03a76d8 ffffffff81d90889 0000000000000000 ffffffff83c17800 ffffffff83f42ec0 ffff8801d0000000 0000000000000003 ffff8801d03a7718 ffffffff81df7854 ffff8801d03a7730 ffffffff83f42ec0 dffffc0000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline] [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002 [] SYSC_sendmsg net/socket.c:2013 [inline] [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 5796 Comm: syz-executor2 Not tainted 4.9.68-gfb66dc2 #107 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d052f8a0 ffffffff81d90889 ffff8801d052fb80 0000000000000000 ffff8801a9263f10 ffff8801d052fa70 ffff8801a9263e00 ffff8801d052fa98 ffffffff8165e497 0000000000006e92 ffff8801c34220f0 ffff8801c34220a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 1 PID: 5809 Comm: syz-executor2 Not tainted 4.9.68-gfb66dc2 #107 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cd31f9a0 ffffffff81d90889 ffff8801cd31fc80 0000000000000000 ffff8801a9263f10 ffff8801cd31fb70 ffff8801a9263e00 ffff8801cd31fb98 ffffffff8165e497 0000000000006e92 ffff8801d5c5d0f0 ffff8801d5c5d0a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 audit: type=1400 audit(1513047786.046:33): avc: denied { create } for pid=5884 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1513047786.076:34): avc: denied { connect } for pid=5884 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1513047786.106:35): avc: denied { getopt } for pid=5884 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1513047786.136:36): avc: denied { getattr } for pid=5884 comm="syz-executor7" path="socket:[16247]" dev="sockfs" ino=16247 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 nla_parse: 7 callbacks suppressed netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=6025 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=6025 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=6025 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=6025 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=6042 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=6025 comm=syz-executor7 keychord: Insufficient bytes present for keycount 30 keychord: Insufficient bytes present for keycount 30 binder: 6175:6178 ERROR: BC_REGISTER_LOOPER called without request binder: 6175:6178 transaction failed 29189/-22, size 0-0 line 3007 binder: 6175:6178 BC_ACQUIRE_DONE node 16 has no pending acquire request binder: 6175:6178 got reply transaction with no transaction stack binder: 6175:6178 transaction failed 29201/-71, size 48-40 line 2923 binder: 6175:6196 ERROR: BC_REGISTER_LOOPER called without request device gre0 entered promiscuous mode binder_alloc: 6175: binder_alloc_buf, no vma binder: 6175:6178 transaction failed 29189/-3, size 0-0 line 3130 binder: BINDER_SET_CONTEXT_MGR already set binder: 6175:6178 ioctl 40046207 0 returned -16 binder: 6175:6196 BC_ACQUIRE_DONE u0000000000000000 no match binder: 6175:6196 got reply transaction with no transaction stack binder: 6175:6196 transaction failed 29201/-71, size 48-40 line 2923 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'. binder: 6286:6289 transaction failed 29189/-22, size 80-16 line 3007 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 6277 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 binder: 6286:6289 transaction failed 29189/-22, size 80-16 line 3007 ffff8801d5b8f9a0 ffffffff81d90889 ffff8801d5b8fc80 0000000000000000 ffff8801a9263910 ffff8801d5b8fb70 ffff8801a9263800 ffff8801d5b8fb98 ffffffff8165e497 0000000000006e92 ffff8801d0cc88f0 ffff8801d0cc88a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] SYSC_sigaltstack kernel/signal.c:3170 [inline] [] SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168 [] entry_SYSCALL_64_fastpath+0x23/0xc6 binder: undelivered TRANSACTION_ERROR: 29189 FAULT_FLAG_ALLOW_RETRY missing 30 binder: undelivered TRANSACTION_ERROR: 29189 CPU: 1 PID: 6296 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a616f9a0 ffffffff81d90889 ffff8801a616fc80 0000000000000000 ffff8801a6ee1910 ffff8801a616fb70 ffff8801a6ee1800 ffff8801a616fb98 ffffffff8165e497 0000000000006e92 ffff8801a63c38f0 ffff8801a63c38a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] SYSC_sigaltstack kernel/signal.c:3170 [inline] [] SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168 [] entry_SYSCALL_64_fastpath+0x23/0xc6 binder: 6331:6336 transaction failed 29189/-22, size 80-16 line 3007 binder_alloc: binder_alloc_mmap_handler: 6331 20000000-20002000 already mapped failed -16 binder: undelivered TRANSACTION_ERROR: 29189 binder: BINDER_SET_CONTEXT_MGR already set binder: 6421:6431 ioctl 40046207 0 returned -16 binder_alloc: 6421: binder_alloc_buf, no vma binder: 6421:6451 transaction failed 29189/-3, size 0-0 line 3130 netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'. binder: undelivered TRANSACTION_ERROR: 29189 binder: send failed reply for transaction 26 to 6421:6424 binder: undelivered TRANSACTION_COMPLETE binder: undelivered TRANSACTION_ERROR: 29189 netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'. device lo entered promiscuous mode netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'. device lo entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready device lo left promiscuous mode pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly device lo entered promiscuous mode device lo left promiscuous mode pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads keychord: invalid keycode count 0 keychord: invalid keycode count 0 device syz3 entered promiscuous mode device gre0 entered promiscuous mode handle_userfault: 2 callbacks suppressed FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 6740 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d532f940 ffffffff81d90889 ffff8801d532fc20 0000000000000000 ffff8801a6ee1f10 ffff8801d532fb10 ffff8801a6ee1e00 ffff8801d532fb38 ffffffff8165e497 0000000000006e92 ffff8801d048d0f0 ffff8801d048d0a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 audit: type=1400 audit(1513047790.566:37): avc: denied { execute } for pid=6769 comm="syz-executor5" path="pipe:[17564]" dev="pipefs" ino=17564 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 6740 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d532f940 ffffffff81d90889 ffff8801d532fc20 0000000000000000 ffff8801a9262d10 ffff8801d532fb10 ffff8801a9262c00 ffff8801d532fb38 ffffffff8165e497 0000000000006e92 ffff8801d048d0f0 ffff8801d048d0a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 9pnet_virtio: no channels available for device H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H audit: type=1400 audit(1513047791.356:38): avc: denied { create } for pid=6871 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 Read of size 4 by task syz-executor7/6875 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] entry_SYSCALL_64_fastpath+0x23/0xc6 ffff8801c4311200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801c4311364 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 ffff8801c4311380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 ================================================================== [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 ^ ================================================================== ^ ================================================================== ffff8801c4311400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 Freed: [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 ffff8801cb5d78b0 ffffffff81d90889 ffff8801d77fe500 ffff8801c4311300 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/6875 Call Trace: [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 CPU: 1 PID: 6875 Comm: syz-executor7 Tainted: G B 4.9.68-gfb66dc2 #107 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 __do_softirq+0x206/0x951 kernel/softirq.c:284 ^ ^ ffff8801c4311280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 Object at ffff8801c4311300, in cache fasync_cache size: 96 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801c4311364 ffff8801c4311400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801c4311364 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Call Trace: [] vfs_readv+0x84/0xc0 fs/read_write.c:898 Object at ffff8801c4311300, in cache fasync_cache size: 96 CPU: 1 PID: 6875 Comm: syz-executor7 Tainted: G B 4.9.68-gfb66dc2 #107 Call Trace: [] do_readv+0xe6/0x250 fs/read_write.c:924 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/6875 ffff8801cb5d78b0 ffffffff81d90889 ffff8801d77fe500 ffff8801c4311300 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Call Trace: entry_SYSCALL_64_fastpath+0x23/0xc6 >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc save_stack+0x43/0xd0 mm/kasan/kasan.c:495 ================================================================== __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 __do_softirq+0x206/0x951 kernel/softirq.c:284 ffff8801c4311200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Allocated: ffff8801c4311200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 Call Trace: ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 ================================================================== __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 Freed: Call Trace: Read of size 4 by task syz-executor7/6875 ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 Call Trace: [] vfs_readv+0x84/0xc0 fs/read_write.c:898 Allocated: ffff8801c4311280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc __do_softirq+0x206/0x951 kernel/softirq.c:284 ^ ffff8801c4311380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc __do_softirq+0x206/0x951 kernel/softirq.c:284 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/6875 ffff8801cb5d78b0 ffffffff81d90889 ffff8801d77fe500 ffff8801c4311300 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801c4311364 ================================================================== fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc save_stack+0x43/0xd0 mm/kasan/kasan.c:495 CPU: 1 PID: 6875 Comm: syz-executor7 Tainted: G B 4.9.68-gfb66dc2 #107 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] entry_SYSCALL_64_fastpath+0x23/0xc6 ffff8801c4311280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc PID = 3 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 ffff8801cb5d78b0 ffffffff81d90889 ffff8801d77fe500 ffff8801c4311300 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 Allocated: >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc CPU: 1 PID: 6875 Comm: syz-executor7 Tainted: G B 4.9.68-gfb66dc2 #107 Call Trace: [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ================================================================== __do_softirq+0x206/0x951 kernel/softirq.c:284 >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc entry_SYSCALL_64_fastpath+0x23/0xc6 ffff8801c4311380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 CPU: 1 PID: 6875 Comm: syz-executor7 Tainted: G B 4.9.68-gfb66dc2 #107 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] do_readv+0xe6/0x250 fs/read_write.c:924 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 __do_softirq+0x206/0x951 kernel/softirq.c:284 ffff8801c4311200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Object at ffff8801c4311300, in cache fasync_cache size: 96 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] do_readv+0xe6/0x250 fs/read_write.c:924 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 entry_SYSCALL_64_fastpath+0x23/0xc6 ^ >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc PID = 3 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801c4311364 ================================================================== ffff8801c4311280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Call Trace: ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 entry_SYSCALL_64_fastpath+0x23/0xc6 >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc Freed: ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 CPU: 1 PID: 6875 Comm: syz-executor7 Tainted: G B 4.9.68-gfb66dc2 #107 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] do_readv+0xe6/0x250 fs/read_write.c:924 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Call Trace: [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ================================================================== ffff8801c4311280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 Call Trace: Call Trace: ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 PID = 6875 >ffff8801c4311300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff8801c4311200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Object at ffff8801c4311300, in cache fasync_cache size: 96 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 __do_softirq+0x206/0x951 kernel/softirq.c:284 ffff8801c4311200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801c4311364 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801c4311364 ffff8801c4311400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc entry_SYSCALL_64_fastpath+0x23/0xc6 ffff8801c4311380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/6875 ffff8801c4311360 ffffed003886226c ffff8801c4311364 ffff8801cb5d78d8 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 Freed: ffffffff8153a44c ffffed003886226c ffff8801d77fe500 0000000000000000 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 Freed: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 ffff8801cb5d78b0 ffffffff81d90889 ffff8801d77fe500 ffff8801c4311300 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 Allocated: ffff8801c4311200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc entry_SYSCALL_64_fastpath+0x23/0xc6 ^ Memory state around the buggy address: