INIT: Entering runlevel: 2 [[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-2,10.128.0.16' (ECDSA) to the list of known hosts. 2017/08/19 02:31:02 parsed 1 programs 2017/08/19 02:31:02 executed programs: 0 syzkaller login: [ 53.122157] IPVS: Creating netns size=2536 id=1 [ 53.328250] ================================================================== [ 53.335621] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801cdc1c8c0 [ 53.344506] Read of size 8 by task syz-executor0/3318 [ 53.349659] CPU: 0 PID: 3318 Comm: syz-executor0 Not tainted 4.9.44-gca95b3e #30 [ 53.357153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.366468] ffff8801c98574c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801cdc1c8c0 [ 53.374399] ffff8801cdc1c9c0 ffffed0039b83918 ffff8801cdc1c8c0 ffff8801c98574e8 [ 53.382329] ffffffff8153c5ec ffffed0039b83918 ffff8801da0013c0 0000000000000000 [ 53.390266] Call Trace: [ 53.392819] [] dump_stack+0xc1/0x128 [ 53.398148] [] kasan_object_err+0x1c/0x70 [ 53.403912] [] kasan_report.part.1+0x21c/0x500 [ 53.410105] [] ? bio_copy_user_iov+0xe61/0xea0 [ 53.416302] [] __asan_report_load8_noabort+0x29/0x30 [ 53.423019] [] bio_copy_user_iov+0xe61/0xea0 [ 53.429037] [] ? bio_uncopy_user+0x600/0x600 [ 53.435065] [] ? __sbitmap_queue_get+0xfb/0x230 [ 53.441344] [] ? __bt_get+0x199/0x1f0 [ 53.446756] [] blk_rq_map_user_iov+0x237/0x790 [ 53.452963] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 53.459158] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 53.466148] [] ? kvm_sched_clock_read+0x9/0x20 [ 53.472343] [] ? import_single_range+0x1d4/0x2b0 [ 53.478711] [] blk_rq_map_user+0x111/0x1a0 [ 53.484573] [] ? blk_rq_map_user_iov+0x790/0x790 [ 53.490954] [] ? sg_res_in_use+0x1f/0x130 [ 53.496711] [] ? sg_res_in_use+0xea/0x130 [ 53.502503] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 53.509401] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 53.516029] [] ? sg_open+0x15a0/0x15a0 [ 53.521531] [] ? __might_fault+0xe4/0x1d0 [ 53.527290] [] ? check_stack_object+0x68/0x140 [ 53.533482] [] ? __check_object_size+0x174/0x3a9 [ 53.539847] [] sg_write+0x688/0xad0 [ 53.545097] [] ? sg_ioctl+0x29f0/0x29f0 [ 53.550682] [] ? depot_save_stack+0x122/0x4a0 [ 53.557017] [] ? putname+0xee/0x130 [ 53.562254] [] ? save_stack+0xa3/0xd0 [ 53.567665] [] ? do_futex+0x3e8/0x1640 [ 53.573162] [] ? do_sys_open+0x252/0x4c0 [ 53.578832] [] ? SyS_open+0x2d/0x40 [ 53.584089] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.590802] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 53.597774] [] ? __vma_link_file+0x10c/0x160 [ 53.603799] [] ? vma_wants_writenotify+0x51/0x380 [ 53.610253] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 53.617230] [] ? sg_ioctl+0x29f0/0x29f0 [ 53.622821] [] __vfs_write+0x103/0x680 [ 53.628324] [] ? default_llseek+0x290/0x290 [ 53.634260] [] ? __might_sleep+0x95/0x1a0 [ 53.640021] [] ? __inode_security_revalidate+0xd9/0x130 [ 53.647010] [] ? avc_policy_seqno+0x9/0x20 [ 53.652858] [] ? selinux_file_permission+0x82/0x460 [ 53.659483] [] ? security_file_permission+0x89/0x1e0 [ 53.666198] [] ? rw_verify_area+0xe5/0x2b0 [ 53.672045] [] vfs_write+0x170/0x4e0 [ 53.677372] [] SyS_write+0xd9/0x1b0 [ 53.682611] [] ? SyS_read+0x1b0/0x1b0 [ 53.688023] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 53.694567] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.701106] Object at ffff8801cdc1c8c0, in cache kmalloc-256 size: 256 [ 53.707740] Allocated: [ 53.710197] PID = 3318 [ 53.712670] save_stack_trace+0x16/0x20 [ 53.716607] save_stack+0x43/0xd0 [ 53.720025] kasan_kmalloc+0xad/0xe0 [ 53.723698] __kmalloc+0x11d/0x310 [ 53.727201] sg_build_indirect.isra.23+0x8b/0x550 [ 53.732013] sg_build_reserve+0x8d/0xb0 [ 53.735946] sg_open+0x946/0x15a0 [ 53.739362] chrdev_open+0x22b/0x4c0 [ 53.743040] do_dentry_open+0x607/0xc60 [ 53.746972] vfs_open+0x105/0x220 [ 53.750386] path_openat+0x64c/0x2a60 [ 53.754144] do_filp_open+0x197/0x290 [ 53.757902] do_sys_open+0x352/0x4c0 [ 53.761594] SyS_open+0x2d/0x40 [ 53.764835] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.769550] Freed: [ 53.771660] PID = 3319 [ 53.774117] save_stack_trace+0x16/0x20 [ 53.778050] save_stack+0x43/0xd0 [ 53.781462] kasan_slab_free+0x73/0xc0 [ 53.785308] kfree+0xf0/0x2f0 [ 53.788378] sg_remove_scat.isra.20+0x212/0x2d0 [ 53.793015] sg_ioctl+0x12d0/0x29f0 [ 53.796604] do_vfs_ioctl+0x1aa/0x10c0 [ 53.800457] SyS_ioctl+0x8f/0xc0 [ 53.803786] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 53.808522] Memory state around the buggy address: [ 53.813411] ffff8801cdc1c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.820731] ffff8801cdc1c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.828049] >ffff8801cdc1c880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 53.835368] ^ [ 53.840776] ffff8801cdc1c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 53.848095] ffff8801cdc1c980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 53.855413] ================================================================== [ 53.862945] ================================================================== [ 53.870275] BUG: KASAN: wild-memory-access on address ffe70872c8a7e000 [ 53.876901] Write of size 38 by task syz-executor0/3318 [ 53.882228] CPU: 0 PID: 3318 Comm: syz-executor0 Tainted: G B 4.9.44-gca95b3e #30 [ 53.890937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.900257] ffff8801c9857448 ffffffff81d929c9 ffff8801c9857618 0000000000000026 [ 53.908196] 0000000000000001 ffff8801c9857840 ffe70872c8a7e000 ffff8801c98574d0 [ 53.916130] ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284 [ 53.924077] Call Trace: [ 53.926628] [] dump_stack+0xc1/0x128 [ 53.931951] [] kasan_report.part.1+0x40f/0x500 [ 53.938143] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 53.944953] [] ? __might_fault+0xe4/0x1d0 [ 53.950711] [] kasan_report+0x20/0x30 [ 53.956122] [] check_memory_region+0x137/0x190 [ 53.962316] [] kasan_check_write+0x14/0x20 [ 53.968161] [] copy_page_from_iter+0x1a4/0x5d0 [ 53.974355] [] bio_copy_user_iov+0xb05/0xea0 [ 53.980374] [] ? bio_uncopy_user+0x600/0x600 [ 53.986395] [] ? __bt_get+0x199/0x1f0 [ 53.991805] [] blk_rq_map_user_iov+0x237/0x790 [ 53.997997] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 54.004194] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 54.011169] [] ? kvm_sched_clock_read+0x9/0x20 [ 54.017363] [] ? import_single_range+0x1d4/0x2b0 [ 54.023726] [] blk_rq_map_user+0x111/0x1a0 [ 54.029573] [] ? blk_rq_map_user_iov+0x790/0x790 [ 54.035940] [] ? sg_res_in_use+0x1f/0x130 [ 54.041711] [] ? sg_res_in_use+0xea/0x130 [ 54.047472] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 54.054362] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 54.060989] [] ? sg_open+0x15a0/0x15a0 [ 54.066487] [] ? __might_fault+0xe4/0x1d0 [ 54.072258] [] ? check_stack_object+0x68/0x140 [ 54.078465] [] ? __check_object_size+0x174/0x3a9 [ 54.084832] [] sg_write+0x688/0xad0 [ 54.090068] [] ? sg_ioctl+0x29f0/0x29f0 [ 54.095654] [] ? depot_save_stack+0x122/0x4a0 [ 54.101769] [] ? putname+0xee/0x130 [ 54.107009] [] ? save_stack+0xa3/0xd0 [ 54.112447] [] ? do_futex+0x3e8/0x1640 [ 54.117946] [] ? do_sys_open+0x252/0x4c0 [ 54.123635] [] ? SyS_open+0x2d/0x40 [ 54.128876] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.135621] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 54.142596] [] ? __vma_link_file+0x10c/0x160 [ 54.148613] [] ? vma_wants_writenotify+0x51/0x380 [ 54.155066] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 54.162043] [] ? sg_ioctl+0x29f0/0x29f0 [ 54.167628] [] __vfs_write+0x103/0x680 [ 54.173125] [] ? default_llseek+0x290/0x290 [ 54.179071] [] ? __might_sleep+0x95/0x1a0 [ 54.184830] [] ? __inode_security_revalidate+0xd9/0x130 [ 54.191806] [] ? avc_policy_seqno+0x9/0x20 [ 54.197650] [] ? selinux_file_permission+0x82/0x460 [ 54.204281] [] ? security_file_permission+0x89/0x1e0 [ 54.210996] [] ? rw_verify_area+0xe5/0x2b0 [ 54.216839] [] vfs_write+0x170/0x4e0 [ 54.222163] [] SyS_write+0xd9/0x1b0 [ 54.227401] [] ? SyS_read+0x1b0/0x1b0 [ 54.232816] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 54.239371] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 54.245912] ================================================================== [ 54.253512] ================================================================== [ 54.260854] BUG: KASAN: wild-memory-access on address ffe70872c8a7e000 [ 54.267494] Write of size 38 by task syz-executor0/3318 [ 54.272820] CPU: 0 PID: 3318 Comm: syz-executor0 Tainted: G B 4.9.44-gca95b3e #30 [ 54.281590] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.290911] ffff8801c98573f8 ffffffff81d929c9 ffe70872c8a7e000 0000000000000026 [ 54.298855] 0000000000000001 0000000020006fdb ffe70872c8a7e000 ffff8801c9857480 [ 54.306799] ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4 [ 54.314752] Call Trace: [ 54.317305] [] dump_stack+0xc1/0x128 [ 54.322633] [] kasan_report.part.1+0x40f/0x500