================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline] BUG: KASAN: slab-out-of-bounds in j1939_session_tx_dat net/can/j1939/transport.c:790 [inline] BUG: KASAN: slab-out-of-bounds in j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline] BUG: KASAN: slab-out-of-bounds in j1939_tp_txtimer+0x747/0x1690 net/can/j1939/transport.c:1095 Read of size 7 at addr ffff888077ddb917 by task ksoftirqd/1/16 CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.6.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374 __kasan_report.cold.11+0x1b/0x32 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:641 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192 memcpy+0x23/0x50 mm/kasan/common.c:127 memcpy include/linux/string.h:381 [inline] j1939_session_tx_dat net/can/j1939/transport.c:790 [inline] j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline] j1939_tp_txtimer+0x747/0x1690 net/can/j1939/transport.c:1095 __run_hrtimer kernel/time/hrtimer.c:1517 [inline] __hrtimer_run_queues+0x32f/0xb50 kernel/time/hrtimer.c:1579 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1596 __do_softirq+0x262/0x9a8 kernel/softirq.c:292 run_ksoftirqd+0x94/0x100 kernel/softirq.c:603 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 16: save_stack+0x21/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:515 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 __do_kmalloc_node mm/slab.c:3616 [inline] __kmalloc_node_track_caller+0x4d/0x70 mm/slab.c:3630 __kmalloc_reserve.isra.46+0x2c/0xc0 net/core/skbuff.c:142 __alloc_skb+0xd7/0x570 net/core/skbuff.c:210 alloc_skb include/linux/skbuff.h:1081 [inline] j1939_session_fresh_new net/can/j1939/transport.c:1459 [inline] j1939_xtp_rx_rts_session_new net/can/j1939/transport.c:1552 [inline] j1939_xtp_rx_rts+0x63d/0x1030 net/can/j1939/transport.c:1653 j1939_tp_cmd_recv net/can/j1939/transport.c:1924 [inline] j1939_tp_recv+0x224/0x780 net/can/j1939/transport.c:2005 j1939_can_recv+0x4ce/0x620 net/can/j1939/main.c:101 deliver net/can/af_can.c:569 [inline] can_rcv_filter+0x4ff/0x840 net/can/af_can.c:603 can_receive+0x290/0x470 net/can/af_can.c:660 can_rcv+0xd9/0x160 net/can/af_can.c:686 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5187 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5301 process_backlog+0x1ef/0x700 net/core/dev.c:6133 napi_poll net/core/dev.c:6571 [inline] net_rx_action+0x458/0xe40 net/core/dev.c:6639 __do_softirq+0x262/0x9a8 kernel/softirq.c:292 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff888077dd8000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 6423 bytes to the right of 8192-byte region [ffff888077dd8000, ffff888077dda000) The buggy address belongs to the page: page:ffffea0001df7600 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea0001df2308 ffffea0002a37608 ffff8880aa4021c0 raw: 0000000000000000 ffff888077dd8000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888077ddb800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888077ddb880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888077ddb900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888077ddb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888077ddba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================