================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline] BUG: KASAN: slab-out-of-bounds in pdu_read+0x8a/0xc0 net/9p/protocol.c:64 Read of size 50432 at addr ffff88805d5cb7ad by task syz-executor.1/418 CPU: 0 PID: 418 Comm: syz-executor.1 Not tainted 4.14.175-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x13e/0x194 lib/dump_stack.c:58 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393 memcpy+0x20/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:347 [inline] pdu_read+0x8a/0xc0 net/9p/protocol.c:64 p9pdu_vreadf net/9p/protocol.c:167 [inline] p9pdu_readf+0x379/0x1790 net/9p/protocol.c:540 p9_client_version net/9p/client.c:990 [inline] p9_client_create+0xa1f/0x10f0 net/9p/client.c:1088 v9fs_session_init+0x1dc/0x1620 fs/9p/v9fs.c:422 v9fs_mount+0x79/0x850 fs/9p/vfs_super.c:135 mount_fs+0x92/0x2a0 fs/super.c:1237 vfs_kern_mount.part.0+0x5b/0x3c0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x3c9/0x24f0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xa8/0x120 fs/namespace.c:3072 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45c889 RSP: 002b:00007f5b681cbc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f5b681cc6d4 RCX: 000000000045c889 RDX: 0000000020000180 RSI: 0000000020000500 RDI: 0000000000000000 RBP: 000000000076bf00 R08: 0000000020000700 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000074a R14: 00000000004ca0c5 R15: 000000000076bf0c Allocated by task 418: save_stack+0x32/0xa0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc mm/kasan/kasan.c:551 [inline] kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529 __do_kmalloc mm/slab.c:3720 [inline] __kmalloc+0x15b/0x7c0 mm/slab.c:3729 kmalloc include/linux/slab.h:493 [inline] p9_fcall_alloc+0x19/0x90 net/9p/client.c:242 p9_tag_alloc net/9p/client.c:312 [inline] p9_client_prepare_req.part.0+0x72f/0xa90 net/9p/client.c:728 p9_client_prepare_req net/9p/client.c:718 [inline] p9_client_rpc+0x170/0x1180 net/9p/client.c:763 p9_client_version net/9p/client.c:980 [inline] p9_client_create+0x997/0x10f0 net/9p/client.c:1088 v9fs_session_init+0x1dc/0x1620 fs/9p/v9fs.c:422 v9fs_mount+0x79/0x850 fs/9p/vfs_super.c:135 mount_fs+0x92/0x2a0 fs/super.c:1237 vfs_kern_mount.part.0+0x5b/0x3c0 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x3c9/0x24f0 fs/namespace.c:2879 SYSC_mount fs/namespace.c:3095 [inline] SyS_mount+0xa8/0x120 fs/namespace.c:3072 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff88805d5cb780 which belongs to the cache kmalloc-16384 of size 16384 The buggy address is located 45 bytes inside of 16384-byte region [ffff88805d5cb780, ffff88805d5cf780) The buggy address belongs to the page: page:ffffea0001757200 count:1 mapcount:0 mapping:ffff88805d5cb780 index:0x0 compound_mapcount: 0 flags: 0xfffe0000008100(slab|head) raw: 00fffe0000008100 ffff88805d5cb780 0000000000000000 0000000100000001 raw: ffffea0001757020 ffffea000044a220 ffff88812fe55200 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88805d5cd680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 netlink: 14 bytes leftover after parsing attributes in process `syz-executor.0'. ffff88805d5cd700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88805d5cd780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88805d5cd800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88805d5cd880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================