1TITLE: KASAN: global-out-of-bounds Read in show_timer (note: the dump below interleaves two separate reports — the KASAN global-out-of-bounds in show_timer from CPU 0 / PID 8685 syz-executor7, whose call trace and shadow-memory state follow the second report, and a general protection fault in udp_queue_rcv_skb from CPU 1 / PID 8694 syz-executor3 that triggered the kernel panic; whether the two are related cannot be determined from this log alone)
2
3[   66.768767] ==================================================================
4[   66.776196] BUG: KASAN: global-out-of-bounds in show_timer+0x27a/0x2b0 at addr ffffffff82cda558
5[   66.785026] Read of size 8 by task syz-executor7/8685
6[   66.790216] Address belongs to variable nstr.37854+0x18/0x40
7[   66.796010] CPU: 0 PID: 8685 Comm: syz-executor7 Not tainted 4.4.114+ #250
8[   66.803009] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
9[   66.807266] kasan: CONFIG_KASAN_INLINE enabled
10[   66.807275] kasan: GPF could be caused by NULL-ptr deref or user memory access
11[   66.807279] general protection fault: 0000 [#1] SMP KASAN
12[   66.807284] Dumping ftrace buffer:
13[   66.807288]    (ftrace buffer empty)
14[   66.807291] Modules linked in:
15[   66.807299] CPU: 1 PID: 8694 Comm: syz-executor3 Not tainted 4.4.114+ #250
16[   66.807304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
17[   66.807311] task: ffff8800b9c69780 ti: ffff8800b7bb8000 task.ti: ffff8800b7bb8000
18[   66.807335] RIP: 0010:[<ffffffff8268adb6>]  [<ffffffff8268adb6>] udp_queue_rcv_skb+0x196/0x1590
19[   66.807338] RSP: 0018:ffff8800b7bbf928  EFLAGS: 00010206
20[   66.807343] RAX: dffffc0000000000 RBX: ffff8800ba440000 RCX: ffffc90003b90000
21[   66.807347] RDX: 000000000000000c RSI: ffff8801cd8b2900 RDI: 0000000000000060
22[   66.807351] RBP: ffff8800b7bbf968 R08: 0000000000000001 R09: 0000000000000001
23[   66.807355] R10: 0000000000000000 R11: 1ffff10016f77efa R12: ffff8801cd8b2900
24[   66.807359] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801cd8b2958
25[   66.807365] FS:  00007fc9a056d700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
26[   66.807370] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
27[   66.807375] CR2: 000000002082dff0 CR3: 00000000b1580000 CR4: 0000000000160630
28[   66.807383] DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
29[   66.807388] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
30[   66.807389] Stack:
31[   66.807399]  ffff8800ba440088 ffff880000000001 ffff8800ba440088 dffffc0000000000
32[   66.807408]  ffff8800ba440000 0000000000000000 ffffed0017488083 ffff8801cd8b2900
33[   66.807418]  ffff8800b7bbf9d8 ffffffff822092d5 ffff8800ba440188 ffff8800ba440190
34[   66.807419] Call Trace:
35[   66.807429]  [<ffffffff822092d5>] release_sock+0x165/0x540
36[   66.807437]  [<ffffffff826844df>] udp_sendmsg+0x15df/0x1c40
37[   66.807447]  [<ffffffff811efdee>] ? __lock_acquire+0xabe/0x4eb0
38[   66.807454]  [<ffffffff82680e70>] ? udp_push_pending_frames+0xe0/0xe0
39[   66.807462]  [<ffffffff811ef330>] ? debug_check_no_locks_freed+0x2c0/0x2c0
40[   66.807469]  [<ffffffff82682f00>] ? udp_seq_next+0x80/0x80
41[   66.807478]  [<ffffffff811ef330>] ? debug_check_no_locks_freed+0x2c0/0x2c0
42[   66.807486]  [<ffffffff811e61d0>] ? zap_class+0x390/0x390
43[   66.807494]  [<ffffffff811e8241>] ? __lock_is_held+0xa1/0xf0
44[   66.807502]  [<ffffffff826b8a58>] ? inet_sendmsg+0x208/0x4c0
45[   66.807508]  [<ffffffff826b8b15>] inet_sendmsg+0x2c5/0x4c0
46[   66.807515]  [<ffffffff826b88c8>] ? inet_sendmsg+0x78/0x4c0
47[   66.807521]  [<ffffffff826b8850>] ? inet_recvmsg+0x4b0/0x4b0
48[   66.807529]  [<ffffffff821fcb2f>] sock_sendmsg+0xcf/0x110
49[   66.807535]  [<ffffffff821fda60>] SYSC_sendto+0x2e0/0x360
50[   66.807543]  [<ffffffff821fd780>] ? SYSC_connect+0x310/0x310
51[   66.807551]  [<ffffffff811c61fe>] ? pick_next_task_fair+0x105e/0x1b40
52[   66.807558]  [<ffffffff811e61d0>] ? zap_class+0x390/0x390
53[   66.807568]  [<ffffffff82a1611c>] ? _raw_spin_unlock_irq+0x2c/0x40
54[   66.807576]  [<ffffffff811eeb5b>] ? trace_hardirqs_on_caller+0x38b/0x590
55[   66.807584]  [<ffffffff82a02785>] ? __schedule+0xab5/0x1c40
56[   66.807591]  [<ffffffff81284a8d>] ? SyS_futex+0x20d/0x2b0
57[   66.807600]  [<ffffffff82a16cce>] ? int_ret_from_sys_call+0x52/0xa3
58[   66.807608]  [<ffffffff82200025>] SyS_sendto+0x45/0x60
59[   66.807616]  [<ffffffff82a16b1b>] entry_SYSCALL_64_fastpath+0x18/0x94
60[   66.807698] Code: 74 24 58 41 f6 c6 01 0f 85 7f 08 00 00 49 83 e6 fe e8 3f b1 c7 fe 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 01 0f 8e 4c 0c 00 00 41 f6 46 60 04
61[   66.807706] RIP  [<ffffffff8268adb6>] udp_queue_rcv_skb+0x196/0x1590
62[   66.807708]  RSP <ffff8800b7bbf928>
63[   66.807727] ---[ end trace 4bc40108dd6f901f ]---
64[   66.807733] Kernel panic - not syncing: Fatal exception in interrupt
65[   67.166273]  0000000000000000 ffff8800b6c7f9f8 ffffffff81cac64d fffffbfff059b4ab
66[   67.174269]  fffffbfff059b4ab 0000000000000008 0000000000000000 ffffffff82cda558
67[   67.182263]  ffff8800b6c7fa80 ffffffff814d588d ffff8800b6c7faa0 ffff8800b6c7fa40
68[   67.190259] Call Trace:
69[   67.192832]  [<ffffffff81cac64d>] dump_stack+0xc1/0x124
70[   67.198179]  [<ffffffff814d588d>] kasan_report.part.2+0x44d/0x540
71[   67.204391]  [<ffffffff8166b87a>] ? show_timer+0x27a/0x2b0
72[   67.209998]  [<ffffffff811159c0>] ? __lock_task_sighand+0x170/0x470
73[   67.216383]  [<ffffffff814d5a3e>] __asan_report_load8_noabort+0x2e/0x30
74[   67.223115]  [<ffffffff8166b87a>] show_timer+0x27a/0x2b0
75[   67.228545]  [<ffffffff8166bac1>] ? timers_start+0x151/0x1d0
76[   67.234325]  [<ffffffff81581e3c>] seq_read+0x32c/0x1240
77[   67.239671]  [<ffffffff81581b10>] ? seq_lseek+0x3c0/0x3c0
78[   67.245188]  [<ffffffff815e3c4d>] ? fsnotify+0x59d/0xec0
79[   67.250612]  [<ffffffff815e4570>] ? fsnotify+0xec0/0xec0
80[   67.256040]  [<ffffffff81510656>] do_loop_readv_writev+0x146/0x1e0
81[   67.262337]  [<ffffffff81b4cabe>] ? security_file_permission+0x8e/0x1e0
82[   67.269067]  [<ffffffff81581b10>] ? seq_lseek+0x3c0/0x3c0
83[   67.274581]  [<ffffffff81581b10>] ? seq_lseek+0x3c0/0x3c0
84[   67.280094]  [<ffffffff81512954>] do_readv_writev+0x5d4/0x6d0
85[   67.285953]  [<ffffffff81512380>] ? vfs_write+0x530/0x530
86[   67.291470]  [<ffffffff811e8241>] ? __lock_is_held+0xa1/0xf0
87[   67.297241]  [<ffffffff8156c152>] ? __fget+0x212/0x3b0
88[   67.302491]  [<ffffffff8156c17b>] ? __fget+0x23b/0x3b0
89[   67.307742]  [<ffffffff8156bf8c>] ? __fget+0x4c/0x3b0
90[   67.312909]  [<ffffffff81512acd>] vfs_readv+0x7d/0xb0
91[   67.318074]  [<ffffffff815152eb>] SyS_preadv+0x18b/0x220
92[   67.323498]  [<ffffffff81515160>] ? SyS_writev+0x230/0x230
93[   67.329099]  [<ffffffff81002284>] ? lockdep_sys_exit_thunk+0x12/0x14
94[   67.335570]  [<ffffffff82a16b1b>] entry_SYSCALL_64_fastpath+0x18/0x94
95[   67.342119] Memory state around the buggy address:
96[   67.347022]  ffffffff82cda400: 05 fa fa fa fa fa fa fa 00 04 fa fa fa fa fa fa
97[   67.354352]  ffffffff82cda480: 07 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
98[   67.361682] >ffffffff82cda500: 07 fa fa fa fa fa fa fa 00 00 00 fa fa fa fa fa
99[   67.369010]                                                     ^
100[   67.375211]  ffffffff82cda580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
101[   67.382542]  ffffffff82cda600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
102[   67.389870] ==================================================================
103[   67.397650] Dumping ftrace buffer:
104[   67.401175]    (ftrace buffer empty)
105[   67.405471] Kernel Offset: disabled
106[   67.409078] Rebooting in 86400 seconds..
107