INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.15.209' (ECDSA) to the list of known hosts. 2017/08/20 08:32:27 parsed 1 programs 2017/08/20 08:32:27 executed programs: 0 syzkaller login: [ 36.370389] ================================================================== [ 36.371482] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801d803a500 [ 36.372705] Read of size 8 by task syz-executor0/3266 [ 36.373390] CPU: 1 PID: 3266 Comm: syz-executor0 Not tainted 4.9.44-g6dda7ac #31 [ 36.374469] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.375918] ffff8801d877f4c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801d803a500 [ 36.377446] ffff8801d803a600 ffffed003b0074a0 ffff8801d803a500 ffff8801d877f4e8 [ 36.378652] ffffffff8153c5ec ffffed003b0074a0 ffff8801da0013c0 0000000000000000 [ 36.380027] Call Trace: [ 36.380424] [] dump_stack+0xc1/0x128 [ 36.381152] [] kasan_object_err+0x1c/0x70 [ 36.381965] [] kasan_report.part.1+0x21c/0x500 [ 36.382810] [] ? bio_copy_user_iov+0xe61/0xea0 [ 36.383741] [] __asan_report_load8_noabort+0x29/0x30 [ 36.384643] [] bio_copy_user_iov+0xe61/0xea0 [ 36.385486] [] ? bio_uncopy_user+0x600/0x600 [ 36.386367] [] ? __sbitmap_queue_get+0xfb/0x230 [ 36.387263] [] ? __bt_get+0x199/0x1f0 [ 36.388039] [] blk_rq_map_user_iov+0x237/0x790 [ 36.388963] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 36.389783] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 36.392045] [] ? kvm_sched_clock_read+0x9/0x20 [ 36.398239] [] ? import_single_range+0x1d4/0x2b0 [ 36.404614] [] blk_rq_map_user+0x111/0x1a0 [ 36.410461] [] ? 
blk_rq_map_user_iov+0x790/0x790 [ 36.416845] [] ? sg_res_in_use+0x1f/0x130 [ 36.422604] [] ? sg_res_in_use+0xea/0x130 [ 36.428366] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 36.435254] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 36.441881] [] ? sg_open+0x15a0/0x15a0 [ 36.447383] [] ? __might_fault+0xe4/0x1d0 [ 36.453156] [] ? check_stack_object+0x68/0x140 [ 36.459358] [] ? __check_object_size+0x174/0x3a9 [ 36.465738] [] sg_write+0x688/0xad0 [ 36.470975] [] ? sg_ioctl+0x29f0/0x29f0 [ 36.476563] [] ? depot_save_stack+0x122/0x4a0 [ 36.482672] [] ? putname+0xee/0x130 [ 36.487912] [] ? save_stack+0xa3/0xd0 [ 36.493333] [] ? do_futex+0x3e8/0x1640 [ 36.498834] [] ? do_sys_open+0x252/0x4c0 [ 36.504507] [] ? SyS_open+0x2d/0x40 [ 36.509746] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 36.516471] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 36.523462] [] ? __vma_link_file+0x10c/0x160 [ 36.529490] [] ? vma_wants_writenotify+0x51/0x380 [ 36.535954] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 36.542937] [] ? sg_ioctl+0x29f0/0x29f0 [ 36.548522] [] __vfs_write+0x103/0x680 [ 36.554022] [] ? default_llseek+0x290/0x290 [ 36.559955] [] ? __might_sleep+0x95/0x1a0 [ 36.565721] [] ? __inode_security_revalidate+0xd9/0x130 [ 36.572708] [] ? avc_policy_seqno+0x9/0x20 [ 36.578561] [] ? selinux_file_permission+0x82/0x460 [ 36.585191] [] ? security_file_permission+0x89/0x1e0 [ 36.591906] [] ? rw_verify_area+0xe5/0x2b0 [ 36.597753] [] vfs_write+0x170/0x4e0 [ 36.603083] [] SyS_write+0xd9/0x1b0 [ 36.608328] [] ? SyS_read+0x1b0/0x1b0 [ 36.613742] [] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 36.620285] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 36.626825] Object at ffff8801d803a500, in cache kmalloc-256 size: 256 [ 36.633452] Allocated: [ 36.635908] PID = 3266 [ 36.638368] save_stack_trace+0x16/0x20 [ 36.642304] save_stack+0x43/0xd0 [ 36.645717] kasan_kmalloc+0xad/0xe0 [ 36.649392] __kmalloc+0x11d/0x310 [ 36.652896] sg_build_indirect.isra.23+0x8b/0x550 [ 36.657705] sg_build_reserve+0x8d/0xb0 [ 36.661641] sg_open+0x946/0x15a0 [ 36.665055] chrdev_open+0x22b/0x4c0 [ 36.668728] do_dentry_open+0x607/0xc60 [ 36.672661] vfs_open+0x105/0x220 [ 36.676076] path_openat+0x64c/0x2a60 [ 36.679839] do_filp_open+0x197/0x290 [ 36.683617] do_sys_open+0x352/0x4c0 [ 36.687290] SyS_open+0x2d/0x40 [ 36.690532] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 36.695250] Freed: [ 36.697361] PID = 3267 [ 36.699822] save_stack_trace+0x16/0x20 [ 36.703758] save_stack+0x43/0xd0 [ 36.707173] kasan_slab_free+0x73/0xc0 [ 36.711021] kfree+0xf0/0x2f0 [ 36.714091] sg_remove_scat.isra.20+0x212/0x2d0 [ 36.718720] sg_ioctl+0x12d0/0x29f0 [ 36.722308] do_vfs_ioctl+0x1aa/0x10c0 [ 36.726160] SyS_ioctl+0x8f/0xc0 [ 36.729491] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 36.734203] Memory state around the buggy address: [ 36.739095] ffff8801d803a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 36.746427] ffff8801d803a480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 36.753747] >ffff8801d803a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.761066] ^ [ 36.764395] ffff8801d803a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.771716] ffff8801d803a600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 36.779042] ================================================================== [ 36.786641] ================================================================== [ 36.793980] BUG: KASAN: wild-memory-access on address ffe70875c11d8000 [ 36.800607] Write of size 38 by task syz-executor0/3266 [ 36.805935] CPU: 1 PID: 3266 Comm: syz-executor0 Tainted: G B 
4.9.44-g6dda7ac #31 [ 36.814648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.823972] ffff8801d877f448 ffffffff81d929c9 ffff8801d877f618 0000000000000026 [ 36.831913] 0000000000000001 ffff8801d877f840 ffe70875c11d8000 ffff8801d877f4d0 [ 36.839862] ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284 [ 36.847824] Call Trace: [ 36.850378] [] dump_stack+0xc1/0x128 [ 36.855705] [] kasan_report.part.1+0x40f/0x500 [ 36.861900] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 36.868270] [] ? __might_fault+0xe4/0x1d0 [ 36.874029] [] kasan_report+0x20/0x30 [ 36.879439] [] check_memory_region+0x137/0x190 [ 36.885632] [] kasan_check_write+0x14/0x20 [ 36.891480] [] copy_page_from_iter+0x1a4/0x5d0 [ 36.897687] [] bio_copy_user_iov+0xb05/0xea0 [ 36.903709] [] ? bio_uncopy_user+0x600/0x600 [ 36.909732] [] ? __bt_get+0x199/0x1f0 [ 36.915152] [] blk_rq_map_user_iov+0x237/0x790 [ 36.921350] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 36.927555] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 36.934547] [] ? kvm_sched_clock_read+0x9/0x20 [ 36.940743] [] ? import_single_range+0x1d4/0x2b0 [ 36.947116] [] blk_rq_map_user+0x111/0x1a0 [ 36.952970] [] ? blk_rq_map_user_iov+0x790/0x790 [ 36.959340] [] ? sg_res_in_use+0x1f/0x130 [ 36.965098] [] ? sg_res_in_use+0xea/0x130 [ 36.970875] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 36.977850] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 36.984490] [] ? sg_open+0x15a0/0x15a0 [ 36.990002] [] ? __might_fault+0xe4/0x1d0 [ 36.995766] [] ? check_stack_object+0x68/0x140 [ 37.001961] [] ? __check_object_size+0x174/0x3a9 [ 37.008333] [] sg_write+0x688/0xad0 [ 37.013579] [] ? sg_ioctl+0x29f0/0x29f0 [ 37.019169] [] ? depot_save_stack+0x122/0x4a0 [ 37.025279] [] ? putname+0xee/0x130 [ 37.030522] [] ? save_stack+0xa3/0xd0 [ 37.035946] [] ? do_futex+0x3e8/0x1640 [ 37.041457] [] ? do_sys_open+0x252/0x4c0 [ 37.047142] [] ? SyS_open+0x2d/0x40 [ 37.052393] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 37.059111] [] ? 
debug_check_no_locks_freed+0x2c0/0x2c0 [ 37.066087] [] ? __vma_link_file+0x10c/0x160 [ 37.072108] [] ? vma_wants_writenotify+0x51/0x380 [ 37.078577] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 37.085553] [] ? sg_ioctl+0x29f0/0x29f0 [ 37.091140] [] __vfs_write+0x103/0x680 [ 37.096642] [] ? default_llseek+0x290/0x290 [ 37.102579] [] ? __might_sleep+0x95/0x1a0 [ 37.108344] [] ? __inode_security_revalidate+0xd9/0x130 [ 37.115327] [] ? avc_policy_seqno+0x9/0x20 [ 37.121179] [] ? selinux_file_permission+0x82/0x460 [ 37.127811] [] ? security_file_permission+0x89/0x1e0 [ 37.134529] [] ? rw_verify_area+0xe5/0x2b0 [ 37.140386] [] vfs_write+0x170/0x4e0 [ 37.145724] [] SyS_write+0xd9/0x1b0 [ 37.150968] [] ? SyS_read+0x1b0/0x1b0 [ 37.156380] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 37.162924] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 37.169468] ================================================================== [ 37.177016] ================================================================== [ 37.184350] BUG: KASAN: wild-memory-access on address ffe70875c11d8000 [ 37.190976] Write of size 38 by task syz-executor0/3266 [ 37.196302] CPU: 1 PID: 3266 Comm: syz-executor0 Tainted: G B 4.9.44-g6dda7ac #31 [ 37.205014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.214335] ffff8801d877f3f8 ffffffff81d929c9 ffe70875c11d8000 0000000000000026 [ 37.222296] 0000000000000001 0000000020006fdb ffe70875c11d8000 ffff8801d877f480 [ 37.230251] ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4 [ 37.238194] Call Trace: [ 37.240745] [] dump_stack+0xc1/0x128 [ 37.246072] [] kasan_report.part.1+0x40f/0x500 [ 37.252269] [] ? copy_user_handle_tail+0xb4/0xd0 [ 37.258640] [] ? 
retint_kernel+0x2d/0x2d [ 37.264319] [] kasan_report+0x20/0x30 [ 37.269732] [] check_memory_region+0x137/0x190 [ 37.275926] [] memset+0x23/0x40 [ 37.280819] [] copy_user_handle_tail+0xb4/0xd0 [ 37.287014] [] copy_page_from_iter+0x1c0/0x5d0 [ 37.293209] [] bio_copy_user_iov+0xb05/0xea0 [ 37.299232] [] ? bio_uncopy_user+0x600/0x600 [ 37.305251] [] ? __bt_get+0x199/0x1f0 [ 37.310664] [] blk_rq_map_user_iov+0x237/0x790 [ 37.316864] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 37.323067] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 37.330043] [] ? kvm_sched_clock_read+0x9/0x20 [ 37.336238] [] ? import_single_range+0x1d4/0x2b0 [ 37.342605] [] blk_rq_map_user+0x111/0x1a0 [ 37.348460] [] ? blk_rq_map_user_iov+0x790/0x790 [ 37.354830] [] ? sg_res_in_use+0x1f/0x130 [ 37.360608] [] ? sg_res_in_use+0xea/0x130 [ 37.366373] [] ? _raw_read_unlock_irqrestore+0x45/0x70