==================================================================
BUG: KASAN: wild-memory-access on address ffe708746cc71000
Read of size 28 by task syz-executor7/3753
CPU: 0 PID: 3753 Comm: syz-executor7 Not tainted 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a8d879e8 ffffffff81d93149 ffe708746cc71000 000000000000001c
 0000000000000000 ffff8801a9a3aa20 ffe708746cc71000 ffff8801a8d87a70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_report_error mm/kasan/report.c:284 [inline]
 kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 kasan_report+0x20/0x30 mm/kasan/report.c:296
 check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 do_loop_readv_writev fs/read_write.c:880 [inline]
 do_readv_writev+0x520/0x750 fs/read_write.c:874
 vfs_readv+0x84/0xc0 fs/read_write.c:898
 do_readv+0xe6/0x250 fs/read_write.c:924
 SYSC_readv fs/read_write.c:1011 [inline]
 SyS_readv+0x27/0x30 fs/read_write.c:1008
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
==================================================================
BUG: KASAN: wild-memory-access on address ffe708746cc71000
Read of size 28 by task syz-executor7/3753
CPU: 0 PID: 3753 Comm: syz-executor7 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a8d879e8 ffffffff81d93149 ffe708746cc71000 000000000000001c
 0000000000000000 ffff8801a9a3aea0 ffe708746cc71000 ffff8801a8d87a70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_report_error mm/kasan/report.c:284 [inline]
 kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 kasan_report+0x20/0x30 mm/kasan/report.c:296
 check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 do_loop_readv_writev fs/read_write.c:880 [inline]
 do_readv_writev+0x520/0x750 fs/read_write.c:874
 vfs_readv+0x84/0xc0 fs/read_write.c:898
 do_readv+0xe6/0x250 fs/read_write.c:924
 SYSC_readv fs/read_write.c:1011 [inline]
 SyS_readv+0x27/0x30 fs/read_write.c:1008
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
mmap: syz-executor7 (3830) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
device gre0 entered promiscuous mode
netlink: 6 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
syz-executor6 uses obsolete (PF_INET,SOCK_PACKET)
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
IPv6: NLM_F_REPLACE set, but no existing node found!
device gre0 entered promiscuous mode
binder: 4078:4079 ioctl 4b3b 1 returned -22
binder: 4078:4088 ioctl 4b3b 1 returned -22
sock: sock_set_timeout: `syz-executor5' (pid 4103) tries to set negative timeout
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=29397 sclass=netlink_route_socket pig=4151 comm=syz-executor2
keychord: using input dev AT Translated Set 2 keyboard for fevent
IPVS: Creating netns size=2536 id=10
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=29397 sclass=netlink_route_socket pig=4151 comm=syz-executor2
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
keychord: invalid keycode count 0
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: invalid keycode count 0
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 4407 Comm: syz-executor4 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9cf7a10 ffffffff81d93149 ffff8801a9cf7cf0 0000000000000000
 ffff8801a9b9ed10 ffff8801a9cf7be0 ffff8801a9b9ec00 ffff8801a9cf7c08
 ffffffff81660dc8 ffff8801a9cf7b60 ffffffff811c9f10 00000001ac144067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
CPU: 1 PID: 4426 Comm: syz-executor4 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ac65f9d0 ffffffff81d93149 ffff8801ac65fcb0 0000000000000000
 ffff8801a9b9ed10 ffff8801ac65fba0 ffff8801a9b9ec00 ffff8801ac65fbc8
 ffffffff81660dc8 ffff8801ac65fb20 0000000000000000 00000001ac144067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 entry_SYSCALL_64_fastpath+0x23/0xc6
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=4727 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=4727 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=4754 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=4765 comm=syz-executor3
nla_parse: 10 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=57 sclass=netlink_route_socket pig=4899 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=57 sclass=netlink_route_socket pig=4922 comm=syz-executor1
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
IPv6: Can't replace route, no match found
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
IPv6: Can't replace route, no match found
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
device lo entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5176 Comm: syz-executor4 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c75c7780 ffffffff81d93149 ffff8801c75c7a60 0000000000000000
 ffff8801a9b9e890 ffff8801c75c7950 ffff8801a9b9e780 ffff8801c75c7978
 ffffffff81660dc8 ffff8801c75c78d0 0000000000000000 00000001cd369067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 SYSC_select fs/select.c:652 [inline]
 SyS_select+0x158/0x1e0 fs/select.c:634
 entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 5184 Comm: syz-executor4 Tainted: G B 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a8b67a10 ffffffff81d93149 ffff8801a8b67cf0 0000000000000000
 ffff8801a9b9e890 ffff8801a8b67be0
 ffff8801a9b9e780 ffff8801a8b67c08
 ffffffff81660dc8 ffff8801a8b67b60 0000000000000000 00000001cd369067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 entry_SYSCALL_64_fastpath+0x23/0xc6
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
device syz1 entered promiscuous mode
IPVS: Creating netns size=2536 id=11
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
IPVS: Creating netns size=2536 id=12
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5535 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5558 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=5649 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=5649 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=5649 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=5682 comm=syz-executor6
device gre0 entered promiscuous mode
device syz1 left promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device syz0 entered promiscuous mode
keychord: using input dev AT Translated Set 2 keyboard for fevent
device syz0 left promiscuous mode
keychord: invalid keycode count 0
device syz0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3 sclass=netlink_route_socket pig=5941 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5941 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5941 comm=syz-executor5
sg_write: data in/out 296463/34 bytes for SCSI command 0xfc-- guessing data in; program syz-executor2 not setting count and/or reply_len properly
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3 sclass=netlink_route_socket pig=5941 comm=syz-executor5
sd 0:0:1:0: [sg0] tag#744 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#744 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#744 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#744 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#744 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#744 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
sd 0:0:1:0: [sg0] tag#744 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#744 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#744 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#744 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#744 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#744 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
binder: 6157:6160 ioctl 4c00 ffffffffffffffff returned -22
binder: 6157:6183 ioctl 4c00 ffffffffffffffff returned -22
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 6283:6285 ioctl 8915 20ff1fe0 returned -22
binder: 6283:6320 ioctl 8915 20ff1fe0 returned -22
binder: 6414:6415 ioctl 8915 20ff1fe0 returned -22
binder: 6414:6420 ioctl 8915 20ff1fe0 returned -22
binder: 6431:6449 ioctl 8910 20000ff0 returned -22
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=13