==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in j1939_session_tx_dat net/can/j1939/transport.c:790 [inline]
BUG: KASAN: slab-out-of-bounds in j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline]
BUG: KASAN: slab-out-of-bounds in j1939_tp_txtimer+0x777/0x1b00 net/can/j1939/transport.c:1095
Read of size 7 at addr ffff8880947dd95d by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memcpy+0x24/0x50 mm/kasan/common.c:127
 memcpy include/linux/string.h:381 [inline]
 j1939_session_tx_dat net/can/j1939/transport.c:790 [inline]
 j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline]
 j1939_tp_txtimer+0x777/0x1b00 net/can/j1939/transport.c:1095
 __run_hrtimer kernel/time/hrtimer.c:1517 [inline]
 __hrtimer_run_queues+0x364/0xe40 kernel/time/hrtimer.c:1579
 hrtimer_run_softirq+0x17e/0x270 kernel/time/hrtimer.c:1596
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 run_ksoftirqd kernel/softirq.c:603 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
 smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 9834:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:523
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
 kmem_cache_zalloc include/linux/slab.h:659 [inline]
 __kernfs_new_node+0xf0/0x6e0 fs/kernfs/dir.c:627
 kernfs_new_node+0x96/0x120 fs/kernfs/dir.c:689
 __kernfs_create_file+0x51/0x340 fs/kernfs/file.c:1001
 sysfs_add_file_mode_ns+0x222/0x560 fs/sysfs/file.c:305
 create_files fs/sysfs/group.c:63 [inline]
 internal_create_group+0x359/0xc40 fs/sysfs/group.c:148
 internal_create_groups.part.0+0x90/0x140 fs/sysfs/group.c:188
 internal_create_groups fs/sysfs/group.c:184 [inline]
 sysfs_create_groups+0x2a/0x50 fs/sysfs/group.c:214
 device_add_groups drivers/base/core.c:1582 [inline]
 device_add_attrs drivers/base/core.c:1741 [inline]
 device_add+0x13b5/0x1d00 drivers/base/core.c:2430
 netdev_register_kobject+0x183/0x3b0 net/core/net-sysfs.c:1755
 register_netdevice+0x4f4/0x1070 net/core/dev.c:9380
 __ip_tunnel_create+0x36b/0x530 net/ipv4/ip_tunnel.c:269
 ip_tunnel_init_net+0x370/0x9e0 net/ipv4/ip_tunnel.c:1060
 ipgre_tap_init_net+0x2a/0x30 net/ipv4/ip_gre.c:1577
 ops_init+0xb3/0x420 net/core/net_namespace.c:137
 setup_net+0x2d5/0x8b0 net/core/net_namespace.c:327
 copy_net_ns+0x29e/0x5a0 net/core/net_namespace.c:468
 create_new_namespaces+0x403/0xb50 kernel/nsproxy.c:108
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:229
 ksys_unshare+0x444/0x980 kernel/fork.c:2955
 __do_sys_unshare kernel/fork.c:3023 [inline]
 __se_sys_unshare kernel/fork.c:3021 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:3021
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880947dd8c0
 which belongs to the cache kernfs_node_cache of size 160
The buggy address is located 157 bytes inside of
 160-byte region [ffff8880947dd8c0, ffff8880947dd960)
The buggy address belongs to the page:
page:ffffea000251f740 refcount:1 mapcount:0 mapping:ffff8880aa5f8700 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000251f708 ffffea0002553d88 ffff8880aa5f8700
raw: 0000000000000000 ffff8880947dd000 0000000100000012 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880947dd800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880947dd880: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
>ffff8880947dd900: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
                                                       ^
 ffff8880947dd980: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880947dda00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================