Warning: Permanently added 'ci-android-49-kasan-gce-4,10.128.0.17' (ECDSA) to the list of known hosts.
2017/07/26 20:29:30 parsed 1 programs
serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-4 port 1 (session ID: f01a6cce25f0fe70dd766ecf817bed6a3e1b76d1c8cb133beff5808ec0062518, active connections: 1).
2017/07/26 20:29:30 executed programs: 0
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 48.448262] IPVS: Creating netns size=2536 id=1
[ 48.456336] IPVS: Creating netns size=2536 id=2
[ 48.473091] IPVS: Creating netns size=2536 id=3
[ 48.503866] IPVS: Creating netns size=2536 id=4
[ 48.507822] netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
[ 48.523507] netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
[ 48.532114] netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
[ 48.548540] netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
[ 48.560510] IPVS: Creating netns size=2536 id=5
[ 48.569224] netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
[ 48.581761] netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
[ 48.593444] netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
[ 48.603500] netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
[ 48.619798] netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
[ 48.630550] netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
[ 48.642453] IPVS: Creating netns size=2536 id=6
[ 48.664477] IPVS: Creating netns size=2536 id=7
[ 48.697528] IPVS: Creating netns size=2536 id=8
[ 51.903248] ==================================================================
[ 51.910644] BUG: KASAN: use-after-free in do_get_mempolicy+0xb41/0xba0 at addr ffff8801c76e0d26
[ 51.919479] Read of size 2 by task syz-executor0/5047
[ 51.924650] CPU: 1 PID: 5047 Comm: syz-executor0 Not tainted 4.9.39-g72a0c9f #6
[ 51.932078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.941411]  ffff8801c9a67cf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801c76e0d20
[ 51.949409]  ffff8801c76e0d38 ffffed0038edc1a4 ffff8801c76e0d26 ffff8801c9a67d20
[ 51.957411]  ffffffff81546bfc ffffed0038edc1a4 ffff8801dac0ec80 0000000000000000
[ 51.965426] Call Trace:
[ 51.968003]  [] dump_stack+0xc1/0x128
[ 51.973353]  [] kasan_object_err+0x1c/0x70
[ 51.979138]  [] kasan_report.part.1+0x20d/0x4e0
[ 51.985350]  [] ? do_get_mempolicy+0xb41/0xba0
[ 51.991481]  [] ? call_rwsem_wake+0x1b/0x30
[ 51.997345]  [] __asan_report_load2_noabort+0x29/0x30
[ 52.004083]  [] do_get_mempolicy+0xb41/0xba0
[ 52.010044]  [] ? sp_free+0x60/0x60
[ 52.015217]  [] SyS_get_mempolicy+0xc3/0x190
[ 52.021178]  [] ? SyS_migrate_pages+0x710/0x710
[ 52.027396]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 52.034050]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 52.040875]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.047436]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.053994] Object at ffff8801c76e0d20, in cache numa_policy size: 24
[ 52.060548] Allocated:
[ 52.063020] PID = 5033
[ 52.065498]  save_stack_trace+0x16/0x20
[ 52.069464]  save_stack+0x43/0xd0
[ 52.072904]  kasan_kmalloc+0xad/0xe0
[ 52.076606]  kasan_slab_alloc+0x12/0x20
[ 52.080561]  kmem_cache_alloc+0xc9/0x2a0
[ 52.084605]  __mpol_dup+0x79/0x3c0
[ 52.088128]  do_mbind+0x71e/0xb30
[ 52.091568]  SyS_mbind+0x13b/0x150
[ 52.095101]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.099834] Freed:
[ 52.101959] PID = 5021
[ 52.104440]  save_stack_trace+0x16/0x20
[ 52.108398]  save_stack+0x43/0xd0
[ 52.111835]  kasan_slab_free+0x73/0xc0
[ 52.115708]  kmem_cache_free+0xb2/0x2e0
[ 52.119661]  __mpol_put+0x26/0x30
[ 52.123101]  remove_vma+0x12b/0x1a0
[ 52.126711]  do_munmap+0x7ff/0xeb0
[ 52.130232]  mmap_region+0x14d/0xfe0
[ 52.133928]  do_mmap+0x595/0xbe0
[ 52.137283]  vm_mmap_pgoff+0x158/0x1a0
[ 52.141157]  SyS_mmap_pgoff+0x1fc/0x580
[ 52.145114]  SyS_mmap+0x16/0x20
[ 52.148377]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.153106] Memory state around the buggy address:
[ 52.158015]  ffff8801c76e0c00: fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc
[ 52.165356]  ffff8801c76e0c80: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 52.172698] >ffff8801c76e0d00: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 52.180033]                                ^
[ 52.184419]  ffff8801c76e0d80: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 52.191759]  ffff8801c76e0e00: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 52.199091] ==================================================================
[ 52.206423] Disabling lock debugging due to kernel taint
[ 52.212674] ==================================================================
[ 52.220027] BUG: KASAN: use-after-free in do_get_mempolicy+0xb23/0xba0 at addr ffff8801c76e0d30
[ 52.228826] Read of size 8 by task syz-executor0/5047
[ 52.233979] CPU: 0 PID: 5047 Comm: syz-executor0 Tainted: G    B   4.9.39-g72a0c9f #6
[ 52.242602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.251919]  ffff8801c9a67cf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801c76e0d20
[ 52.259856]  ffff8801c76e0d38 ffffed0038edc1a6 ffff8801c76e0d30 ffff8801c9a67d20
[ 52.267790]  ffffffff81546bfc ffffed0038edc1a6 ffff8801dac0ec80 0000000000000000
[ 52.275732] Call Trace:
[ 52.278283]  [] dump_stack+0xc1/0x128
[ 52.283613]  [] kasan_object_err+0x1c/0x70
[ 52.289375]  [] kasan_report.part.1+0x20d/0x4e0
[ 52.295569]  [] ? do_get_mempolicy+0xb23/0xba0
[ 52.301678]  [] __asan_report_load8_noabort+0x29/0x30
[ 52.308393]  [] do_get_mempolicy+0xb23/0xba0
[ 52.314327]  [] ? sp_free+0x60/0x60
[ 52.319477]  [] SyS_get_mempolicy+0xc3/0x190
[ 52.325409]  [] ? SyS_migrate_pages+0x710/0x710
[ 52.331607]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 52.338235]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 52.345039]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.351581]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.358127] Object at ffff8801c76e0d20, in cache numa_policy size: 24
[ 52.364665] Allocated:
[ 52.367122] PID = 5033
[ 52.369581]  save_stack_trace+0x16/0x20
[ 52.373520]  save_stack+0x43/0xd0
[ 52.376940]  kasan_kmalloc+0xad/0xe0
[ 52.380613]  kasan_slab_alloc+0x12/0x20
[ 52.384563]  kmem_cache_alloc+0xc9/0x2a0
[ 52.388585]  __mpol_dup+0x79/0x3c0
[ 52.392091]  do_mbind+0x71e/0xb30
[ 52.395509]  SyS_mbind+0x13b/0x150
[ 52.399012]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.403727] Freed:
[ 52.405836] PID = 5021
[ 52.408296]  save_stack_trace+0x16/0x20
[ 52.412233]  save_stack+0x43/0xd0
[ 52.415649]  kasan_slab_free+0x73/0xc0
[ 52.419495]  kmem_cache_free+0xb2/0x2e0
[ 52.423432]  __mpol_put+0x26/0x30
[ 52.426847]  remove_vma+0x12b/0x1a0
[ 52.430436]  do_munmap+0x7ff/0xeb0
[ 52.433942]  mmap_region+0x14d/0xfe0
[ 52.437632]  do_mmap+0x595/0xbe0
[ 52.440959]  vm_mmap_pgoff+0x158/0x1a0
[ 52.444811]  SyS_mmap_pgoff+0x1fc/0x580
[ 52.448752]  SyS_mmap+0x16/0x20
[ 52.451995]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.456717] Memory state around the buggy address:
[ 52.461624]  ffff8801c76e0c00: fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc
[ 52.468944]  ffff8801c76e0c80: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 52.476265] >ffff8801c76e0d00: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 52.483585]                                      ^
[ 52.488474]  ffff8801c76e0d80: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 52.495795]  ffff8801c76e0e00: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 52.503115] ==================================================================
[ 52.512076] ==================================================================
[ 52.519439] BUG: KASAN: use-after-free in do_get_mempolicy+0xaee/0xba0 at addr ffff8801c76e0d26
[ 52.528250] Read of size 2 by task syz-executor0/5047
[ 52.533407] CPU: 0 PID: 5047 Comm: syz-executor0 Tainted: G    B   4.9.39-g72a0c9f #6
[ 52.542033] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.551438]  ffff8801c9a67cf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801c76e0d20
[ 52.559388]  ffff8801c76e0d38 ffffed0038edc1a4 ffff8801c76e0d26 ffff8801c9a67d20
[ 52.567376]  ffffffff81546bfc ffffed0038edc1a4 ffff8801dac0ec80 0000000000000000
[ 52.575319] Call Trace:
[ 52.577872]  [] dump_stack+0xc1/0x128
[ 52.583201]  [] kasan_object_err+0x1c/0x70
[ 52.588997]  [] kasan_report.part.1+0x20d/0x4e0
[ 52.595192]  [] ? do_get_mempolicy+0xaee/0xba0
[ 52.601306]  [] __asan_report_load2_noabort+0x29/0x30
[ 52.608024]  [] do_get_mempolicy+0xaee/0xba0
[ 52.613960]  [] ? sp_free+0x60/0x60
[ 52.619113]  [] SyS_get_mempolicy+0xc3/0x190
[ 52.625049]  [] ? SyS_migrate_pages+0x710/0x710
[ 52.631244]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 52.637876]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 52.644681]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 52.651224]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.657764] Object at ffff8801c76e0d20, in cache numa_policy size: 24
[ 52.664303] Allocated:
[ 52.666761] PID = 5033
[ 52.669222]  save_stack_trace+0x16/0x20
[ 52.673160]  save_stack+0x43/0xd0
[ 52.676576]  kasan_kmalloc+0xad/0xe0
[ 52.680290]  kasan_slab_alloc+0x12/0x20
[ 52.684227]  kmem_cache_alloc+0xc9/0x2a0
[ 52.688249]  __mpol_dup+0x79/0x3c0
[ 52.691758]  do_mbind+0x71e/0xb30
[ 52.695176]  SyS_mbind+0x13b/0x150
[ 52.698682]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.703397] Freed:
[ 52.705509] PID = 5021
[ 52.707969]  save_stack_trace+0x16/0x20
[ 52.711908]  save_stack+0x43/0xd0
[ 52.715324]  kasan_slab_free+0x73/0xc0
[ 52.719175]  kmem_cache_free+0xb2/0x2e0
[ 52.723113]  __mpol_put+0x26/0x30
[ 52.726528]  remove_vma+0x12b/0x1a0
[ 52.730123]  do_munmap+0x7ff/0xeb0
[ 52.733639]  mmap_region+0x14d/0xfe0
[ 52.737315]  do_mmap+0x595/0xbe0
[ 52.740642]  vm_mmap_pgoff+0x158/0x1a0
[ 52.744491]  SyS_mmap_pgoff+0x1fc/0x580
[ 52.748428]  SyS_mmap+0x16/0x20
[ 52.751718]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 52.756439] Memory state around the buggy address:
[ 52.761335]  ffff8801c76e0c00: fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc
[ 52.768658]  ffff8801c76e0c80: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 52.775986] >ffff8801c76e0d00: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 52.783305]                                ^
[ 52.787675]  ffff8801c76e0d80: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 52.794996]  ffff8801c76e0e00: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 52.802318] ==================================================================