================================================================== BUG: KASAN: slab-out-of-bounds in pipe_write+0xc25/0xe10 fs/pipe.c:481 Write of size 8 at addr ffff8880771167a8 by task syz-executor.3/7987 CPU: 1 PID: 7987 Comm: syz-executor.3 Not tainted 5.4.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:634 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137 pipe_write+0xc25/0xe10 fs/pipe.c:481 call_write_iter include/linux/fs.h:1895 [inline] new_sync_write+0x3fd/0x7e0 fs/read_write.c:483 __vfs_write+0x94/0x110 fs/read_write.c:496 vfs_write+0x18a/0x520 fs/read_write.c:558 ksys_write+0x105/0x220 fs/read_write.c:611 __do_sys_write fs/read_write.c:623 [inline] __se_sys_write fs/read_write.c:620 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:620 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a679 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f494e010c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679 RDX: 00000000fffffef3 RSI: 00000000200001c0 RDI: 0000000000000004 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f494e0116d4 R13: 00000000004c7830 R14: 00000000004e44b0 R15: 00000000ffffffff Allocated by task 7989: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:510 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x164/0x790 mm/slab.c:3664 kmalloc_array include/linux/slab.h:614 [inline] kcalloc include/linux/slab.h:625 [inline] pipe_set_size fs/pipe.c:1139 [inline] pipe_fcntl+0x30c/0x7b0 fs/pipe.c:1205 do_fcntl+0x177/0xff0 fs/fcntl.c:417 __do_sys_fcntl fs/fcntl.c:463 [inline] __se_sys_fcntl fs/fcntl.c:448 [inline] __x64_sys_fcntl+0x11f/0x170 fs/fcntl.c:448 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff888077116780 which belongs to the cache kmalloc-64(17:syz3) of size 64 The buggy address is located 40 bytes inside of 64-byte region [ffff888077116780, ffff8880771167c0) The buggy address belongs to the page: page:ffffea0001dc4580 refcount:1 mapcount:0 mapping:ffff88809b9e2540 index:0xffff888077116f80 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffff8880a5cd2a38 ffff8880a5cd2a38 ffff88809b9e2540 raw: ffff888077116f80 ffff888077116000 0000000100000010 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888077116680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888077116700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888077116780: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc ^ ffff888077116800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888077116880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================