sg_write: data in/out 34319/34 bytes for SCSI command 0xfc-- guessing data in; program syz-executor4 not setting count and/or reply_len properly
==================================================================
BUG: KASAN: wild-memory-access on address ffe708746dee7000
Read of size 28 by task syz-executor4/9103
CPU: 1 PID: 9103 Comm: syz-executor4 Not tainted 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ad65f9e8 ffffffff81d93149 ffe708746dee7000 000000000000001c
 0000000000000000 ffff8801a8fc3ae0 ffe708746dee7000 ffff8801ad65fa70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_report_error mm/kasan/report.c:284 [inline]
 [] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
A link change request failed with some changes committed already.
Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already.
Interface lo may have been left with an inconsistent configuration, please check.
binder: 9215:9221 ioctl 4b6a 20df7fb3 returned -22
binder: 9215:9230 ioctl 4b6a 20df7fb3 returned -22
device syz0 entered promiscuous mode
device syz0 left promiscuous mode
device syz0 entered promiscuous mode
device syz0 left promiscuous mode
device syz6 left promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 9378 Comm: syz-executor0 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d0ba7930 ffffffff81d93149 ffff8801d0ba7c10 0000000000000000
 ffff8801ac0ff910 ffff8801d0ba7b00 ffff8801ac0ff800 ffff8801d0ba7b28
 ffffffff81660dc8 ffff8801d0ba7a80 ffff8801d0ba79a0 00000001cf1e0067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 9391 Comm: syz-executor0 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d257f9a0 ffffffff81d93149 ffff8801d257fc80 0000000000000000
 ffff8801ac0ff910 ffff8801d257fb70 ffff8801ac0ff800 ffff8801d257fb98
 ffffffff81660dc8 ffff8801d257faf0 ffff8801d257fbb8 00000001cf1e0067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=10 sclass=netlink_route_socket pig=9561 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=10 sclass=netlink_route_socket pig=9561 comm=syz-executor6
device syz5 entered promiscuous mode
device syz5 left promiscuous mode
device syz5 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 9612:9614 ioctl 8904 209beffc returned -22
keychord: Insufficient bytes present for keycount 186
keychord: Insufficient bytes present for keycount 186
sock: process `syz-executor4' is using obsolete setsockopt SO_BSDCOMPAT
binder: 9612:9633 ioctl 8904 209beffc returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9812 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9812 comm=syz-executor2
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
binder: 9969:9973 ioctl 8955 20001000 returned -22
binder: 9974:9977 ioctl 4b6a 20df7fb3 returned -22
binder: 9969:9973 ioctl 8955 20001000 returned -22
binder: 9974:9992 ioctl 4b6a 20df7fb3 returned -22
blk_update_request: I/O error, dev loop0, sector 0
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 10002 Comm: syz-executor3 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf107a00 ffffffff81d93149 ffff8801cf107ce0 0000000000000000
 ffff8801ac8a0d10 ffff8801cf107bd0 ffff8801ac8a0c00 ffff8801cf107bf8
 ffffffff81660dc8 ffff8801cf107b50 0000000041b58ab3 00000001cdec3067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
blk_update_request: I/O error, dev loop0, sector 0
device syz4 entered promiscuous mode
device syz4 left promiscuous mode
device syz4 entered promiscuous mode
binder: 10081:10082 ioctl 4b45 20306000 returned -22
binder: 10081:10084 ioctl 4b45 20306000 returned -22
CPU: 1 PID: 10013 Comm: syz-executor3 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801acb978e0 ffffffff81d93149 ffff8801acb97bc0 0000000000000000
 ffff8801ac8a0d10 ffff8801acb97ab0 ffff8801ac8a0c00 ffff8801acb97ad8
 ffffffff81660dc8 ffff8801acb97a30 ffffed0035458900 00000001cdec3067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_mq_timedsend ipc/mqueue.c:973 [inline]
 [] SyS_mq_timedsend+0xe6/0xa80 ipc/mqueue.c:956
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 10117:10120 ioctl 40045201 207a1000 returned -22
binder: 10117:10137 ioctl 40045201 207a1000 returned -22
binder: 10116:10124 ioctl 2401 6 returned -22
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
binder: 10116:10160 ioctl 40045402 20b8affc returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10116:10163 ioctl 2401 6 returned -22
binder: 10116:10163 ioctl 40045402 20b8affc returned -22
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
device lo entered promiscuous mode
nla_parse: 17 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
keychord: invalid keycode count 0
keychord: Insufficient bytes present for keycount 18
keychord: using input dev AT Translated Set 2 keyboard for fevent
device lo left promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
keychord: invalid keycode count 0
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
sg_write: data in/out 2127708969/6 bytes for SCSI command 0xe3-- guessing data in; program syz-executor1 not setting count and/or reply_len properly
IPVS: Creating netns size=2536 id=22
device lo left promiscuous mode
device lo entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device lo left promiscuous mode
9pnet_virtio: no channels available for device ./file0
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device ./file0
device syz4 left promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 10439:10440 ioctl 8904 209beffc returned -22
binder: 10439:10440 ioctl 8904 209beffc returned -22
sock: sock_set_timeout: `syz-executor2' (pid 10518) tries to set negative timeout
binder: 10536:10538 ioctl 8936 20fcd000 returned -22
binder: 10536:10538 ioctl 80605414 20fcc000 returned -22
binder: 10536:10545 ioctl 8936 20fcd000 returned -22
binder: 10536:10545 ioctl 80605414 20fcc000 returned -22
sock: sock_set_timeout: `syz-executor2' (pid 10493) tries to set negative timeout
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
device syz1 entered promiscuous mode
device syz0 entered promiscuous mode
devpts: called with bogus options
devpts: called with bogus options
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63196 sclass=netlink_route_socket pig=10783 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63196 sclass=netlink_route_socket pig=10783 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3803 sclass=netlink_route_socket pig=10834 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3803 sclass=netlink_route_socket pig=10834 comm=syz-executor4
binder: 10892:10896 ioctl 80045400 20366000 returned -22
binder: 10892:10919 ioctl 80045400 20366000 returned -22
device syz5 left promiscuous mode
device syz2 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
device syz5 entered promiscuous mode
device syz2 left promiscuous mode
device syz2 entered promiscuous mode
device syz5 left promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 11197:11199 ioctl 541b 20080ffc returned -22
binder: 11197:11199 ioctl 541b 20080ffc returned -22
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11326 Comm: syz-executor5 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801abb379d0 ffffffff81d93149 ffff8801abb37cb0 0000000000000000
 ffff8801ac0fe410 ffff8801abb37ba0 ffff8801ac0fe300 ffff8801abb37bc8
 ffffffff81660dc8 ffff8801abb37b20 0000000000000000 00000001d04a4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 11374 Comm: syz-executor7 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cffe7990 ffffffff81d93149 ffff8801cffe7c70 0000000000000000
 ffff8801ac8a1010 ffff8801cffe7b60 ffff8801ac8a0f00 ffff8801cffe7b88
 ffffffff81660dc8 ffff8801cffe7ae0 ffff8801cffe79c8 00000001ce814067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device syz4 entered promiscuous mode
CPU: 0 PID: 11396 Comm: syz-executor7 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d75a7a10 ffffffff81d93149 ffff8801d75a7cf0 0000000000000000
 ffff8801ac8a1010 ffff8801d75a7be0 ffff8801ac8a0f00 ffff8801d75a7c08
 ffffffff81660dc8 ffff8801d75a7b60 0000000000000000 00000001ce814067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
binder: 11447:11448 ioctl 5424 20795ffc returned -22
binder: 11447:11449 ioctl 5424 20795ffc returned -22
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11396 Comm: syz-executor7 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d75a7a10 ffffffff81d93149 ffff8801d75a7cf0 0000000000000000
 ffff8801ac8a1610 ffff8801d75a7be0 ffff8801ac8a1500 ffff8801d75a7c08
 ffffffff81660dc8 ffff8801d75a7b60 ffffffff812dff30 00000001d1acc067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 11374 Comm: syz-executor7 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cffe7990 ffffffff81d93149 ffff8801cffe7c70 0000000000000000
 ffff8801ac8a1610 ffff8801cffe7b60 ffff8801ac8a1500 ffff8801cffe7b88
 ffffffff81660dc8 ffff8801cffe7ae0 ffff8801cffe79c8 00000001d1acc067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
nla_parse: 5 callbacks suppressed
netlink: 29 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 29 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
9pnet_virtio: no channels available for device ./file0
binder: 11633:11634 ioctl c0286404 20c0dfd8 returned -22
binder: 11633:11634 ioctl c0286404 20c0dfd8 returned -22
9pnet_virtio: no channels available for device ./file0