[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.102' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.106738][ T6791] ==================================================================
[ 46.115025][ T6791] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x659/0x1150
[ 46.123030][ T6791] Read of size 4294967294 at addr ffff8880a201b650 by task syz-executor462/6791
[ 46.132034][ T6791]
[ 46.134490][ T6791] CPU: 1 PID: 6791 Comm: syz-executor462 Not tainted 5.8.0-rc7-syzkaller #0
[ 46.143234][ T6791] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.153736][ T6791] Call Trace:
[ 46.157291][ T6791] dump_stack+0x1f0/0x31e
[ 46.161607][ T6791] print_address_description+0x66/0x5a0
[ 46.167515][ T6791] ? printk+0x62/0x83
[ 46.171716][ T6791] ? vprintk_emit+0x339/0x3c0
[ 46.176678][ T6791] kasan_report+0x132/0x1d0
[ 46.181185][ T6791] ? qrtr_endpoint_post+0x659/0x1150
[ 46.186745][ T6791] check_memory_region+0x2b5/0x2f0
[ 46.191868][ T6791] ? qrtr_endpoint_post+0x659/0x1150
[ 46.197384][ T6791] memcpy+0x25/0x60
[ 46.201244][ T6791] qrtr_endpoint_post+0x659/0x1150
[ 46.206489][ T6791] qrtr_tun_write_iter+0xc6/0x120
[ 46.211685][ T6791] vfs_write+0xa08/0xc70
[ 46.215947][ T6791] ksys_write+0x11b/0x220
[ 46.220303][ T6791] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.226896][ T6791] do_syscall_64+0x73/0xe0
[ 46.231310][ T6791] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.237210][ T6791] RIP: 0033:0x440259
[ 46.241966][ T6791] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 46.261940][ T6791] RSP: 002b:00007ffd2181ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 46.270580][ T6791] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 46.278566][ T6791] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 46.286556][ T6791] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 46.294547][ T6791] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 46.303703][ T6791] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 46.311762][ T6791]
[ 46.314100][ T6791] Allocated by task 6791:
[ 46.318521][ T6791] __kasan_kmalloc+0x103/0x140
[ 46.323420][ T6791] __kmalloc+0x24b/0x330
[ 46.328461][ T6791] kzalloc+0x16/0x30
[ 46.332367][ T6791] qrtr_tun_write_iter+0x76/0x120
[ 46.337382][ T6791] vfs_write+0xa08/0xc70
[ 46.341625][ T6791] ksys_write+0x11b/0x220
[ 46.345999][ T6791] do_syscall_64+0x73/0xe0
[ 46.350409][ T6791] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.356278][ T6791]
[ 46.358699][ T6791] Freed by task 4860:
[ 46.362691][ T6791] __kasan_slab_free+0x114/0x170
[ 46.367612][ T6791] kfree+0x10a/0x220
[ 46.371507][ T6791] simple_xattr_set+0x5ae/0x5e0
[ 46.376364][ T6791] __vfs_removexattr+0x3b9/0x3f0
[ 46.381418][ T6791] vfs_removexattr+0xa5/0x190
[ 46.386125][ T6791] path_removexattr+0x174/0x240
[ 46.390968][ T6791] __x64_sys_lremovexattr+0x59/0x70
[ 46.396297][ T6791] do_syscall_64+0x73/0xe0
[ 46.401998][ T6791] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.407979][ T6791]
[ 46.410307][ T6791] The buggy address belongs to the object at ffff8880a201b640
[ 46.410307][ T6791] which belongs to the cache kmalloc-32 of size 32
[ 46.426742][ T6791] The buggy address is located 16 bytes inside of
[ 46.426742][ T6791] 32-byte region [ffff8880a201b640, ffff8880a201b660)
[ 46.441804][ T6791] The buggy address belongs to the page:
[ 46.448082][ T6791] page:ffffea00028806c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a201bfc1
[ 46.458485][ T6791] flags: 0xfffe0000000200(slab)
[ 46.463332][ T6791] raw: 00fffe0000000200 ffffea00027cd3c8 ffffea00027a46c8 ffff8880aa4001c0
[ 46.472103][ T6791] raw: ffff8880a201bfc1 ffff8880a201b000 000000010000003c 0000000000000000
[ 46.480837][ T6791] page dumped because: kasan: bad access detected
[ 46.487259][ T6791]
[ 46.489571][ T6791] Memory state around the buggy address:
[ 46.496576][ T6791] ffff8880a201b500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.505949][ T6791] ffff8880a201b580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.514216][ T6791] >ffff8880a201b600: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 46.522680][ T6791] ^
[ 46.530163][ T6791] ffff8880a201b680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.538229][ T6791] ffff8880a201b700: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 46.546283][ T6791] ==================================================================
[ 46.554338][ T6791] Disabling lock debugging due to kernel taint
[ 46.560817][ T6791] Kernel panic - not syncing: panic_on_warn set ...
[ 46.567507][ T6791] CPU: 1 PID: 6791 Comm: syz-executor462 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 46.578623][ T6791] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.588760][ T6791] Call Trace:
[ 46.592427][ T6791] dump_stack+0x1f0/0x31e
[ 46.597631][ T6791] panic+0x264/0x7a0
[ 46.601973][ T6791] ? trace_hardirqs_on+0x30/0x80
[ 46.607354][ T6791] ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 46.613257][ T6791] kasan_report+0x1c9/0x1d0
[ 46.617757][ T6791] ? qrtr_endpoint_post+0x659/0x1150
[ 46.623028][ T6791] check_memory_region+0x2b5/0x2f0
[ 46.628166][ T6791] ? qrtr_endpoint_post+0x659/0x1150
[ 46.633444][ T6791] memcpy+0x25/0x60
[ 46.637257][ T6791] qrtr_endpoint_post+0x659/0x1150
[ 46.642371][ T6791] qrtr_tun_write_iter+0xc6/0x120
[ 46.647706][ T6791] vfs_write+0xa08/0xc70
[ 46.651958][ T6791] ksys_write+0x11b/0x220
[ 46.656299][ T6791] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.662737][ T6791] do_syscall_64+0x73/0xe0
[ 46.667157][ T6791] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.673135][ T6791] RIP: 0033:0x440259
[ 46.677380][ T6791] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 46.697436][ T6791] RSP: 002b:00007ffd2181ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 46.706361][ T6791] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440259
[ 46.714319][ T6791] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 46.723601][ T6791] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 46.731578][ T6791] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a60
[ 46.739565][ T6791] R13: 0000000000401af0 R14: 0000000000000000 R15: 0000000000000000
[ 46.748727][ T6791] Kernel Offset: disabled
[ 46.753197][ T6791] Rebooting in 86400 seconds..