INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-9,10.128.15.200' (ECDSA) to the list of known hosts. 2017/08/12 07:03:17 parsed 1 programs 2017/08/12 07:03:17 executed programs: 0 syzkaller login: [ 43.002016] ================================================================== [ 43.003041] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801cdd2d780 [ 43.004202] Read of size 8 by task syz-executor0/3311 [ 43.004939] CPU: 0 PID: 3311 Comm: syz-executor0 Not tainted 4.9.41-g4501c04 #23 [ 43.006003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.007243] ffff8801d4f374c0 ffffffff81d92609 ffff8801da0013c0 ffff8801cdd2d780 [ 43.008398] ffff8801cdd2d880 ffffed0039ba5af0 ffff8801cdd2d780 ffff8801d4f374e8 [ 43.009509] ffffffff8153c1bc ffffed0039ba5af0 ffff8801da0013c0 0000000000000000 [ 43.010625] Call Trace: [ 43.010978] [] dump_stack+0xc1/0x128 [ 43.011685] [] kasan_object_err+0x1c/0x70 [ 43.012458] [] kasan_report.part.1+0x21c/0x500 [ 43.013357] [] ? bio_copy_user_iov+0xe61/0xea0 [ 43.014173] [] __asan_report_load8_noabort+0x29/0x30 [ 43.015058] [] bio_copy_user_iov+0xe61/0xea0 [ 43.015853] [] ? bio_uncopy_user+0x600/0x600 [ 43.016651] [] ? __sbitmap_queue_get+0xfb/0x230 [ 43.017494] [] ? __bt_get+0x199/0x1f0 [ 43.018210] [] blk_rq_map_user_iov+0x237/0x790 [ 43.019028] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 43.019846] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.020763] [] ? kvm_sched_clock_read+0x9/0x20 [ 43.021613] [] ? import_single_range+0x1d4/0x2b0 [ 43.022469] [] blk_rq_map_user+0x111/0x1a0 [ 43.028315] [] ? 
blk_rq_map_user_iov+0x790/0x790 [ 43.034687] [] ? sg_res_in_use+0x1f/0x130 [ 43.040450] [] ? sg_res_in_use+0xea/0x130 [ 43.046216] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 43.053112] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 43.059743] [] ? sg_open+0x15a0/0x15a0 [ 43.065251] [] ? __might_fault+0xe4/0x1d0 [ 43.071013] [] ? check_stack_object+0x68/0x140 [ 43.077204] [] ? __check_object_size+0x174/0x3a9 [ 43.083571] [] sg_write+0x688/0xad0 [ 43.088810] [] ? sg_ioctl+0x29f0/0x29f0 [ 43.094399] [] ? depot_save_stack+0x122/0x4a0 [ 43.100507] [] ? putname+0xee/0x130 [ 43.105746] [] ? save_stack+0xa3/0xd0 [ 43.111160] [] ? do_futex+0x3e8/0x1640 [ 43.116659] [] ? do_sys_open+0x252/0x4c0 [ 43.122330] [] ? SyS_open+0x2d/0x40 [ 43.127571] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.134287] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.141265] [] ? depot_save_stack+0x122/0x4a0 [ 43.147379] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.154353] [] ? sg_ioctl+0x29f0/0x29f0 [ 43.159939] [] __vfs_write+0x103/0x680 [ 43.165437] [] ? default_llseek+0x290/0x290 [ 43.171376] [] ? __might_sleep+0x95/0x1a0 [ 43.177143] [] ? __inode_security_revalidate+0xd9/0x130 [ 43.184118] [] ? avc_policy_seqno+0x9/0x20 [ 43.189966] [] ? selinux_file_permission+0x82/0x460 [ 43.196591] [] ? security_file_permission+0x89/0x1e0 [ 43.203306] [] ? rw_verify_area+0xe5/0x2b0 [ 43.209153] [] vfs_write+0x170/0x4e0 [ 43.214479] [] SyS_write+0xd9/0x1b0 [ 43.219725] [] ? SyS_read+0x1b0/0x1b0 [ 43.225138] [] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 43.231683] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.238224] Object at ffff8801cdd2d780, in cache kmalloc-256 size: 256 [ 43.244849] Allocated: [ 43.247304] PID = 3311 [ 43.249763] save_stack_trace+0x16/0x20 [ 43.253699] save_stack+0x43/0xd0 [ 43.257114] kasan_kmalloc+0xad/0xe0 [ 43.260788] __kmalloc+0x11d/0x310 [ 43.264290] sg_build_indirect.isra.23+0x8b/0x550 [ 43.269094] sg_build_reserve+0x8d/0xb0 [ 43.273038] sg_open+0x946/0x15a0 [ 43.276453] chrdev_open+0x22b/0x4c0 [ 43.280127] do_dentry_open+0x607/0xc60 [ 43.284064] vfs_open+0x105/0x220 [ 43.287481] path_openat+0x64c/0x2a60 [ 43.291248] do_filp_open+0x197/0x290 [ 43.295011] do_sys_open+0x352/0x4c0 [ 43.298683] SyS_open+0x2d/0x40 [ 43.301925] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.306638] Freed: [ 43.308754] PID = 3312 [ 43.311216] save_stack_trace+0x16/0x20 [ 43.315154] save_stack+0x43/0xd0 [ 43.318569] kasan_slab_free+0x73/0xc0 [ 43.322417] kfree+0xf0/0x2f0 [ 43.325486] sg_remove_scat.isra.20+0x212/0x2d0 [ 43.330115] sg_ioctl+0x12d0/0x29f0 [ 43.333703] do_vfs_ioctl+0x1aa/0x10c0 [ 43.337551] SyS_ioctl+0x8f/0xc0 [ 43.340878] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.345593] Memory state around the buggy address: [ 43.350484] ffff8801cdd2d680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.357810] ffff8801cdd2d700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 43.365130] >ffff8801cdd2d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.372447] ^ [ 43.375776] ffff8801cdd2d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.383095] ffff8801cdd2d880: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 43.390422] ================================================================== [ 43.397956] ================================================================== [ 43.405282] BUG: KASAN: wild-memory-access on address ffe708744e790000 [ 43.411906] Write of size 38 by task syz-executor0/3311 [ 43.417236] CPU: 0 PID: 3311 Comm: syz-executor0 Tainted: G B 
4.9.41-g4501c04 #23 [ 43.425946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.435268] ffff8801d4f37448 ffffffff81d92609 ffff8801d4f37618 0000000000000026 [ 43.443199] 0000000000000001 ffff8801d4f37840 ffe708744e790000 ffff8801d4f374d0 [ 43.451132] ffffffff8153c66f 0000000000000000 0000000000000001 ffffffff81ddbec4 [ 43.459063] Call Trace: [ 43.461620] [] dump_stack+0xc1/0x128 [ 43.466947] [] kasan_report.part.1+0x40f/0x500 [ 43.473142] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 43.479511] [] ? __might_fault+0xe4/0x1d0 [ 43.485271] [] kasan_report+0x20/0x30 [ 43.490688] [] check_memory_region+0x137/0x190 [ 43.496884] [] kasan_check_write+0x14/0x20 [ 43.502730] [] copy_page_from_iter+0x1a4/0x5d0 [ 43.508969] [] bio_copy_user_iov+0xb05/0xea0 [ 43.515000] [] ? bio_uncopy_user+0x600/0x600 [ 43.521019] [] ? __bt_get+0x199/0x1f0 [ 43.526436] [] blk_rq_map_user_iov+0x237/0x790 [ 43.532670] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 43.538865] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.545841] [] ? kvm_sched_clock_read+0x9/0x20 [ 43.552046] [] ? import_single_range+0x1d4/0x2b0 [ 43.558416] [] blk_rq_map_user+0x111/0x1a0 [ 43.564262] [] ? blk_rq_map_user_iov+0x790/0x790 [ 43.570629] [] ? sg_res_in_use+0x1f/0x130 [ 43.576387] [] ? sg_res_in_use+0xea/0x130 [ 43.582148] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 43.589035] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 43.595662] [] ? sg_open+0x15a0/0x15a0 [ 43.601165] [] ? __might_fault+0xe4/0x1d0 [ 43.606922] [] ? check_stack_object+0x68/0x140 [ 43.613118] [] ? __check_object_size+0x174/0x3a9 [ 43.619486] [] sg_write+0x688/0xad0 [ 43.624723] [] ? sg_ioctl+0x29f0/0x29f0 [ 43.630312] [] ? depot_save_stack+0x122/0x4a0 [ 43.636419] [] ? putname+0xee/0x130 [ 43.641659] [] ? save_stack+0xa3/0xd0 [ 43.647075] [] ? do_futex+0x3e8/0x1640 [ 43.652572] [] ? do_sys_open+0x252/0x4c0 [ 43.658241] [] ? SyS_open+0x2d/0x40 [ 43.663482] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.670236] [] ? 
debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.677214] [] ? depot_save_stack+0x122/0x4a0 [ 43.683322] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.690298] [] ? sg_ioctl+0x29f0/0x29f0 [ 43.695884] [] __vfs_write+0x103/0x680 [ 43.701402] [] ? default_llseek+0x290/0x290 [ 43.707333] [] ? __might_sleep+0x95/0x1a0 [ 43.713092] [] ? __inode_security_revalidate+0xd9/0x130 [ 43.720067] [] ? avc_policy_seqno+0x9/0x20 [ 43.725910] [] ? selinux_file_permission+0x82/0x460 [ 43.732536] [] ? security_file_permission+0x89/0x1e0 [ 43.739258] [] ? rw_verify_area+0xe5/0x2b0 [ 43.745103] [] vfs_write+0x170/0x4e0 [ 43.750427] [] SyS_write+0xd9/0x1b0 [ 43.755664] [] ? SyS_read+0x1b0/0x1b0 [ 43.761078] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.767622] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.774159] ================================================================== [ 43.781769] ================================================================== [ 43.789098] BUG: KASAN: wild-memory-access on address ffe708744e790000 [ 43.795733] Write of size 38 by task syz-executor0/3311 [ 43.801058] CPU: 0 PID: 3311 Comm: syz-executor0 Tainted: G B 4.9.41-g4501c04 #23 [ 43.809768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.819091] ffff8801d4f373f8 ffffffff81d92609 ffe708744e790000 0000000000000026 [ 43.827029] 0000000000000001 0000000020006fdb ffe708744e790000 ffff8801d4f37480 [ 43.834958] ffffffff8153c66f 0000000000000000 0000000000000000 ffffffff81dc5d14 [ 43.842891] Call Trace: [ 43.845442] [] dump_stack+0xc1/0x128 [ 43.850769] [] kasan_report.part.1+0x40f/0x500 [ 43.856963] [] ? copy_user_handle_tail+0xb4/0xd0 [ 43.863329] [] ? retint_kernel+0x2d/0x2d [ 43.869009] [] kasan_report+0x20/0x30 [ 43.874419] [] check_memory_region+0x137/0x190 [ 43.880620] [] memset+0x23/0x40 [ 43.885518] [] copy_user_handle_tail+0xb4/0xd0 [ 43.891721] [] copy_page_from_iter+0x1c0/0x5d0 [ 43.897928] [] bio_copy_user_iov+0xb05/0xea0 [ 43.903960] [] ? 
bio_uncopy_user+0x600/0x600 [ 43.909987] [] ? __bt_get+0x199/0x1f0 [ 43.915406] [] blk_rq_map_user_iov+0x237/0x790 [ 43.921607] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 43.927810] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.934788] [] ? kvm_sched_clock_read+0x9/0x20 [ 43.940996] [] ? import_single_range+0x1d4/0x2b0 [ 43.947373] [] blk_rq_map_user+0x111/0x1a0 [ 43.953221] [] ? blk_rq_map_user_iov+0x790/0x790 [ 43.959592] [] ? sg_res_in_use+0x1f/0x130 [ 43.965360] [] ? sg_res_in_use+0xea/0x130 [ 43.971125] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 43.978016] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 43.984644] [] ? sg_open+0x15a0/0x15a0 [ 43.990147] [] ? __might_fault+0xe4/0x1d0 [ 43.995909] [] ? check_stack_object+0x68/0x140