INIT: Entering runlevel: 2 [[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-5,10.128.0.52' (ECDSA) to the list of known hosts. 2017/08/15 06:10:30 parsed 1 programs 2017/08/15 06:10:30 executed programs: 0 syzkaller login: [ 33.253717] ================================================================== [ 33.254775] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801c9ba8dc0 [ 33.255971] Read of size 8 by task syz-executor0/3379 [ 33.256657] CPU: 1 PID: 3379 Comm: syz-executor0 Not tainted 4.9.43-g7073fca #25 [ 33.257642] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.258943] ffff8801c9bd74c0 ffffffff81d92909 ffff8801da0013c0 ffff8801c9ba8dc0 [ 33.260095] ffff8801c9ba8ec0 ffffed00393751b8 ffff8801c9ba8dc0 ffff8801c9bd74e8 [ 33.261236] ffffffff8153c51c ffffed00393751b8 ffff8801da0013c0 0000000000000000 [ 33.262370] Call Trace: [ 33.262726] [] dump_stack+0xc1/0x128 [ 33.263526] [] kasan_object_err+0x1c/0x70 [ 33.264298] [] kasan_report.part.1+0x21c/0x500 [ 33.265180] [] ? bio_copy_user_iov+0xe61/0xea0 [ 33.266000] [] __asan_report_load8_noabort+0x29/0x30 [ 33.266908] [] bio_copy_user_iov+0xe61/0xea0 [ 33.267703] [] ? bio_uncopy_user+0x600/0x600 [ 33.268500] [] ? __sbitmap_queue_get+0xfb/0x230 [ 33.269330] [] ? __bt_get+0x199/0x1f0 [ 33.270088] [] blk_rq_map_user_iov+0x237/0x790 [ 33.270908] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 33.271727] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.272646] [] ? kvm_sched_clock_read+0x9/0x20 [ 33.273491] [] ? import_single_range+0x1d4/0x2b0 [ 33.277939] [] blk_rq_map_user+0x111/0x1a0 [ 33.283794] [] ? blk_rq_map_user_iov+0x790/0x790 [ 33.290172] [] ? sg_res_in_use+0x1f/0x130 [ 33.295947] [] ? sg_res_in_use+0xea/0x130 [ 33.301718] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 33.308605] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 33.315230] [] ? sg_open+0x15a0/0x15a0 [ 33.320729] [] ? __might_fault+0xe4/0x1d0 [ 33.326489] [] ? check_stack_object+0x68/0x140 [ 33.332681] [] ? __check_object_size+0x174/0x3a9 [ 33.339047] [] sg_write+0x688/0xad0 [ 33.344286] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.349872] [] ? depot_save_stack+0x122/0x4a0 [ 33.355978] [] ? putname+0xee/0x130 [ 33.361217] [] ? save_stack+0xa3/0xd0 [ 33.366629] [] ? do_futex+0x3e8/0x1640 [ 33.372127] [] ? do_sys_open+0x252/0x4c0 [ 33.377812] [] ? SyS_open+0x2d/0x40 [ 33.383052] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.389767] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.396742] [] ? depot_save_stack+0x122/0x4a0 [ 33.402849] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.409825] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.415411] [] __vfs_write+0x103/0x680 [ 33.420910] [] ? default_llseek+0x290/0x290 [ 33.426845] [] ? __might_sleep+0x95/0x1a0 [ 33.433737] [] ? __inode_security_revalidate+0xd9/0x130 [ 33.440722] [] ? avc_policy_seqno+0x9/0x20 [ 33.446570] [] ? selinux_file_permission+0x82/0x460 [ 33.453201] [] ? security_file_permission+0x89/0x1e0 [ 33.459922] [] ? rw_verify_area+0xe5/0x2b0 [ 33.465771] [] vfs_write+0x170/0x4e0 [ 33.471096] [] SyS_write+0xd9/0x1b0 [ 33.476335] [] ? SyS_read+0x1b0/0x1b0 [ 33.481754] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.488296] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.494837] Object at ffff8801c9ba8dc0, in cache kmalloc-256 size: 256 [ 33.501463] Allocated: [ 33.503920] PID = 3379 [ 33.506382] save_stack_trace+0x16/0x20 [ 33.510320] save_stack+0x43/0xd0 [ 33.513735] kasan_kmalloc+0xad/0xe0 [ 33.517411] __kmalloc+0x11d/0x310 [ 33.520912] sg_build_indirect.isra.23+0x8b/0x550 [ 33.525714] sg_build_reserve+0x8d/0xb0 [ 33.529653] sg_open+0x946/0x15a0 [ 33.533069] chrdev_open+0x22b/0x4c0 [ 33.536746] do_dentry_open+0x607/0xc60 [ 33.540682] vfs_open+0x105/0x220 [ 33.544098] path_openat+0x64c/0x2a60 [ 33.547860] do_filp_open+0x197/0x290 [ 33.552194] do_sys_open+0x352/0x4c0 [ 33.555869] SyS_open+0x2d/0x40 [ 33.559116] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.563832] Freed: [ 33.565943] PID = 3380 [ 33.568406] save_stack_trace+0x16/0x20 [ 33.572347] save_stack+0x43/0xd0 [ 33.575763] kasan_slab_free+0x73/0xc0 [ 33.579609] kfree+0xf0/0x2f0 [ 33.582684] sg_remove_scat.isra.20+0x212/0x2d0 [ 33.587315] sg_ioctl+0x12d0/0x29f0 [ 33.590906] do_vfs_ioctl+0x1aa/0x10c0 [ 33.594754] SyS_ioctl+0x8f/0xc0 [ 33.598084] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.602798] Memory state around the buggy address: [ 33.607688] ffff8801c9ba8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.615008] ffff8801c9ba8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.622329] >ffff8801c9ba8d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 33.629647] ^ [ 33.635059] ffff8801c9ba8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.642378] ffff8801c9ba8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 33.649696] ================================================================== [ 33.657382] ================================================================== [ 33.664713] BUG: KASAN: wild-memory-access on address 0005080000000000 [ 33.671339] Write of size 38 by task syz-executor0/3379 [ 33.676675] CPU: 1 PID: 3379 Comm: syz-executor0 Tainted: G B 4.9.43-g7073fca #25 [ 33.685383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.694704] ffff8801c9bd7448 ffffffff81d92909 ffff8801c9bd7618 0000000000000026 [ 33.702640] 0000000000000001 ffff8801c9bd7840 0005080000000000 ffff8801c9bd74d0 [ 33.710590] ffffffff8153c9cf 0000000000000000 0000000000000001 ffffffff81ddc1c4 [ 33.718534] Call Trace: [ 33.721091] [] dump_stack+0xc1/0x128 [ 33.726422] [] kasan_report.part.1+0x40f/0x500 [ 33.732618] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 33.738988] [] ? __might_fault+0xe4/0x1d0 [ 33.744768] [] kasan_report+0x20/0x30 [ 33.750180] [] check_memory_region+0x137/0x190 [ 33.756371] [] kasan_check_write+0x14/0x20 [ 33.762217] [] copy_page_from_iter+0x1a4/0x5d0 [ 33.768411] [] bio_copy_user_iov+0xb05/0xea0 [ 33.774431] [] ? bio_uncopy_user+0x600/0x600 [ 33.780451] [] ? __bt_get+0x199/0x1f0 [ 33.785867] [] blk_rq_map_user_iov+0x237/0x790 [ 33.792060] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 33.798257] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.805233] [] ? kvm_sched_clock_read+0x9/0x20 [ 33.811427] [] ? import_single_range+0x1d4/0x2b0 [ 33.817794] [] blk_rq_map_user+0x111/0x1a0 [ 33.823639] [] ? blk_rq_map_user_iov+0x790/0x790 [ 33.830010] [] ? sg_res_in_use+0x1f/0x130 [ 33.835769] [] ? sg_res_in_use+0xea/0x130 [ 33.841534] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 33.848421] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 33.855048] [] ? sg_open+0x15a0/0x15a0 [ 33.860547] [] ? __might_fault+0xe4/0x1d0 [ 33.866309] [] ? check_stack_object+0x68/0x140 [ 33.872502] [] ? __check_object_size+0x174/0x3a9 [ 33.878868] [] sg_write+0x688/0xad0 [ 33.884104] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.889693] [] ? depot_save_stack+0x122/0x4a0 [ 33.895802] [] ? putname+0xee/0x130 [ 33.901042] [] ? save_stack+0xa3/0xd0 [ 33.906456] [] ? do_futex+0x3e8/0x1640 [ 33.911956] [] ? do_sys_open+0x252/0x4c0 [ 33.917637] [] ? SyS_open+0x2d/0x40 [ 33.922879] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.929603] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.936592] [] ? depot_save_stack+0x122/0x4a0 [ 33.942700] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.949675] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.955261] [] __vfs_write+0x103/0x680 [ 33.960760] [] ? default_llseek+0x290/0x290 [ 33.966704] [] ? __might_sleep+0x95/0x1a0 [ 33.972474] [] ? __inode_security_revalidate+0xd9/0x130 [ 33.979450] [] ? avc_policy_seqno+0x9/0x20 [ 33.985298] [] ? selinux_file_permission+0x82/0x460 [ 33.991937] [] ? security_file_permission+0x89/0x1e0 [ 33.998651] [] ? rw_verify_area+0xe5/0x2b0 [ 34.004508] [] vfs_write+0x170/0x4e0 [ 34.009833] [] SyS_write+0xd9/0x1b0 [ 34.015072] [] ? SyS_read+0x1b0/0x1b0 [ 34.020485] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 34.027032] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 34.033571] ================================================================== [ 34.041267] ================================================================== [ 34.048597] BUG: KASAN: wild-memory-access on address 0005080000000000 [ 34.055225] Write of size 38 by task syz-executor0/3379 [ 34.060551] CPU: 1 PID: 3379 Comm: syz-executor0 Tainted: G B 4.9.43-g7073fca #25 [ 34.069265] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.078585] ffff8801c9bd73f8 ffffffff81d92909 0005080000000000 0000000000000026 [ 34.086535] 0000000000000001 0000000020006fdb 0005080000000000 ffff8801c9bd7480 [ 34.094479] ffffffff8153c9cf 0000000000000000 0000000000000000 ffffffff81dc6014 [ 34.102431] Call Trace: [ 34.104986] [] dump_stack+0xc1/0x128 [ 34.110317] [] kasan_report.part.1+0x40f/0x500 [ 34.116512] [] ? copy_user_handle_tail+0xb4/0xd0 [ 34.122968] [] ? retint_kernel+0x2d/0x2d [ 34.128641] [] kasan_report+0x20/0x30 [ 34.134053] [] check_memory_region+0x137/0x190 [ 34.140246] [] memset+0x23/0x40 [ 34.145136] [] copy_user_handle_tail+0xb4/0xd0 [ 34.151337] [] copy_page_from_iter+0x1c0/0x5d0 [ 34.157542] [] bio_copy_user_iov+0xb05/0xea0 [ 34.163565] [] ? bio_uncopy_user+0x600/0x600 [ 34.169599] [] ? __bt_get+0x199/0x1f0 [ 34.175021] [] blk_rq_map_user_iov+0x237/0x790 [ 34.181214] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 34.187410] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 34.194386] [] ? kvm_sched_clock_read+0x9/0x20 [ 34.200579] [] ? import_single_range+0x1d4/0x2b0 [ 34.206956] [] blk_rq_map_user+0x111/0x1a0 [ 34.212803] [] ? blk_rq_map_user_iov+0x790/0x790 [ 34.219174] [] ? sg_res_in_use+0x1f/0x130 [ 34.224935] [] ? sg_res_in_use+0xea/0x130 [ 34.230697] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 34.237590] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 34.244217] [] ? sg_open+0x15a0/0x15a0 [ 34.249725] [] ? __might_fault+0xe4/0x1d0