==================================================================
BUG: KASAN: wild-memory-access on address ffe708746dda1000
Read of size 28 by task syz-executor2/13185
CPU: 1 PID: 13185 Comm: syz-executor2 Not tainted 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8b779e8 ffffffff81d93149 ffe708746dda1000 000000000000001c
 0000000000000000 ffff8801d0c2f720 ffe708746dda1000 ffff8801c8b77a70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_report_error mm/kasan/report.c:284 [inline]
 [] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.