================================================================== BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user include/linux/instrumented.h:118 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user lib/usercopy.c:32 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0xc7/0x150 lib/usercopy.c:26 Read of size 42 at addr ffff888013b20980 by task syz-executor524/8497 CPU: 1 PID: 8497 Comm: syz-executor524 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 check_region_inline mm/kasan/generic.c:180 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186 instrument_copy_to_user include/linux/instrumented.h:118 [inline] _copy_to_user lib/usercopy.c:32 [inline] _copy_to_user+0xc7/0x150 lib/usercopy.c:26 copy_to_user include/linux/uaccess.h:200 [inline] __htab_map_lookup_and_delete_batch+0xef4/0x1860 kernel/bpf/hashtab.c:1588 bpf_map_do_batch+0x3d5/0x510 kernel/bpf/syscall.c:4001 __do_sys_bpf+0x1be4/0x4f40 kernel/bpf/syscall.c:4453 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x445ac9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb4a0c0a2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00000000004cb410 RCX: 0000000000445ac9 RDX: 0000000000000038 RSI: 0000000020000080 RDI: 0000000000000019 RBP: 000000000049a8f0 R08: 00007fb4a0c0a700 R09: 0000000000000000 R10: 00007fb4a0c0a700 R11: 0000000000000246 R12: 00000000200031c0 R13: 000000000049a078 R14: 00000000200021c0 R15: 00000000004cb418 Allocated by task 8497: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:427 [inline] ____kasan_kmalloc mm/kasan/common.c:506 [inline] ____kasan_kmalloc mm/kasan/common.c:465 [inline] __kasan_kmalloc+0x99/0xc0 mm/kasan/common.c:515 kmalloc_node include/linux/slab.h:577 [inline] kvmalloc_node+0x61/0xf0 mm/util.c:587 kvmalloc include/linux/mm.h:785 [inline] __htab_map_lookup_and_delete_batch+0x513/0x1860 kernel/bpf/hashtab.c:1467 bpf_map_do_batch+0x3d5/0x510 kernel/bpf/syscall.c:4001 __do_sys_bpf+0x1be4/0x4f40 kernel/bpf/syscall.c:4453 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888013b20980 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888013b20980, ffff888013b209c0) The buggy address belongs to the page: page:ffffea00004ec800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13b20 flags: 0xfff00000000200(slab) raw: 00fff00000000200 0000000000000000 0000001400000001 ffff888010841640 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888013b20880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888013b20900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff888013b20980: 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc fc ^ ffff888013b20a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888013b20a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ==================================================================