Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'ci-android-49-kasan-gce-6,10.128.0.28' (ECDSA) to the list of known hosts.
Warning: Permanently added '[ssh-serialport.googleapis.com]:9600,[216.239.38.127]:9600' (RSA) to the list of known hosts.
2017/07/22 11:09:06 parsed 1 programs
2017/07/22 11:09:06 executed programs: 0
serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-6 port 1 (session ID: 9b4586283802b29063097f74a498d0b54ff195185be0ad72e69443356a786b7f, active connections: 1).
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 27.964960] IPVS: Creating netns size=2536 id=1
[ 27.971388] IPVS: Creating netns size=2536 id=2
[ 27.978584] IPVS: Creating netns size=2536 id=3
[ 28.008582] IPVS: Creating netns size=2536 id=4
[ 28.045886] IPVS: Creating netns size=2536 id=5
[ 28.082034] IPVS: Creating netns size=2536 id=6
[ 28.119570] IPVS: Creating netns size=2536 id=7
[ 28.170077] IPVS: Creating netns size=2536 id=8
2017/07/22 11:09:11 executed programs: 273
2017/07/22 11:09:16 executed programs: 509
[ 38.426476] ==================================================================
[ 38.433864] BUG: KASAN: use-after-free in do_get_mempolicy+0xb41/0xba0 at addr ffff8801ca10d0ce
[ 38.442675] Read of size 2 by task syz-executor7/7986
[ 38.447835] CPU: 1 PID: 7986 Comm: syz-executor7 Not tainted 4.9.39-g5b07c2d #4
[ 38.455250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.464580] ffff8801c7cbfcf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801ca10d0c8
[ 38.472564] ffff8801ca10d0e0 ffffed0039421a19 ffff8801ca10d0ce ffff8801c7cbfd20
[ 38.480543] ffffffff81546bfc ffffed0039421a19 ffff8801dac0ec80 0000000000000000
[ 38.488525] Call Trace:
[ 38.491088] [] dump_stack+0xc1/0x128
[ 38.496424] [] kasan_object_err+0x1c/0x70
[ 38.502192] [] kasan_report.part.1+0x20d/0x4e0
[ 38.508397] [] ? do_get_mempolicy+0xb41/0xba0
[ 38.514512] [] ? call_rwsem_wake+0x1b/0x30
[ 38.520370] [] __asan_report_load2_noabort+0x29/0x30
[ 38.527091] [] do_get_mempolicy+0xb41/0xba0
[ 38.533036] [] ? sp_free+0x60/0x60
[ 38.538197] [] SyS_get_mempolicy+0xc3/0x190
[ 38.544138] [] ? SyS_migrate_pages+0x710/0x710
[ 38.550341] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 38.556979] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 38.563801] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.570350] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 38.576901] Object at ffff8801ca10d0c8, in cache numa_policy size: 24
[ 38.583448] Allocated:
[ 38.585917] PID = 7968
[ 38.588389] save_stack_trace+0x16/0x20
[ 38.592332] save_stack+0x43/0xd0
[ 38.595755] kasan_kmalloc+0xad/0xe0
[ 38.599443] kasan_slab_alloc+0x12/0x20
[ 38.603390] kmem_cache_alloc+0xc9/0x2a0
[ 38.607421] __mpol_dup+0x79/0x3c0
[ 38.610930] do_mbind+0x71e/0xb30
[ 38.614357] SyS_mbind+0x13b/0x150
[ 38.617868] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 38.622590] Freed:
[ 38.624711] PID = 7946
[ 38.627181] save_stack_trace+0x16/0x20
[ 38.631126] save_stack+0x43/0xd0
[ 38.634548] kasan_slab_free+0x73/0xc0
[ 38.638407] kmem_cache_free+0xb2/0x2e0
[ 38.642350] __mpol_put+0x26/0x30
[ 38.645777] remove_vma+0x12b/0x1a0
[ 38.649374] do_munmap+0x7ff/0xeb0
[ 38.652884] mmap_region+0x14d/0xfe0
[ 38.656568] do_mmap+0x595/0xbe0
[ 38.659906] vm_mmap_pgoff+0x158/0x1a0
[ 38.663764] SyS_mmap_pgoff+0x1fc/0x580
[ 38.667707] SyS_mmap+0x16/0x20
[ 38.670958] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 38.675680] Memory state around the buggy address:
[ 38.680583] ffff8801ca10cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.687913] ffff8801ca10d000: fb fb fb fc fc 00 00 00 fc fc fb fb fb fc fc fb
[ 38.695242] >ffff8801ca10d080: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 38.702571] ^
[ 38.708253] ffff8801ca10d100: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 38.715582] ffff8801ca10d180: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 38.722909] ==================================================================
[ 38.730236] Disabling lock debugging due to kernel taint
[ 38.777061] ==================================================================
[ 38.784464] BUG: KASAN: use-after-free in do_get_mempolicy+0xb23/0xba0 at addr ffff8801ca10d0d8
[ 38.793302] Read of size 8 by task syz-executor7/7986
[ 38.798483] CPU: 1 PID: 7986 Comm: syz-executor7 Tainted: G B 4.9.39-g5b07c2d #4
[ 38.807130] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.816471] ffff8801c7cbfcf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801ca10d0c8
[ 38.824510] ffff8801ca10d0e0 ffffed0039421a1b ffff8801ca10d0d8 ffff8801c7cbfd20
[ 38.832545] ffffffff81546bfc ffffed0039421a1b ffff8801dac0ec80 0000000000000000
[ 38.840579] Call Trace:
[ 38.843155] [] dump_stack+0xc1/0x128
[ 38.848508] [] kasan_object_err+0x1c/0x70
[ 38.854298] [] kasan_report.part.1+0x20d/0x4e0
[ 38.860523] [] ? do_get_mempolicy+0xb23/0xba0
[ 38.866661] [] __asan_report_load8_noabort+0x29/0x30
[ 38.873407] [] do_get_mempolicy+0xb23/0xba0
[ 38.879368] [] ? sp_free+0x60/0x60
[ 38.884556] [] SyS_get_mempolicy+0xc3/0x190
[ 38.890528] [] ? SyS_migrate_pages+0x710/0x710
[ 38.896753] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 38.903411] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 38.910247] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.916817] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 38.923381] Object at ffff8801ca10d0c8, in cache numa_policy size: 24
[ 38.929944] Allocated:
[ 38.932421] PID = 7968
[ 38.934911] save_stack_trace+0x16/0x20
[ 38.938873] save_stack+0x43/0xd0
[ 38.942316] kasan_kmalloc+0xad/0xe0
[ 38.946020] kasan_slab_alloc+0x12/0x20
[ 38.949985] kmem_cache_alloc+0xc9/0x2a0
[ 38.954044] __mpol_dup+0x79/0x3c0
[ 38.957581] do_mbind+0x71e/0xb30
[ 38.961020] SyS_mbind+0x13b/0x150
[ 38.964552] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 38.969287] Freed:
[ 38.971422] PID = 7946
[ 38.973915] save_stack_trace+0x16/0x20
[ 38.977890] save_stack+0x43/0xd0
[ 38.981336] kasan_slab_free+0x73/0xc0
[ 38.985219] kmem_cache_free+0xb2/0x2e0
[ 38.989188] __mpol_put+0x26/0x30
[ 38.992631] remove_vma+0x12b/0x1a0
[ 38.996248] do_munmap+0x7ff/0xeb0
[ 38.999776] mmap_region+0x14d/0xfe0
[ 39.003473] do_mmap+0x595/0xbe0
[ 39.006831] vm_mmap_pgoff+0x158/0x1a0
[ 39.010711] SyS_mmap_pgoff+0x1fc/0x580
[ 39.014667] SyS_mmap+0x16/0x20
[ 39.017940] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 39.022690] Memory state around the buggy address:
[ 39.027609] ffff8801ca10cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.034961] ffff8801ca10d000: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 39.042294] >ffff8801ca10d080: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 39.049625] ^
[ 39.055823] ffff8801ca10d100: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 39.063151] ffff8801ca10d180: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 39.070477] ==================================================================
[ 39.079137] ==================================================================
[ 39.086514] BUG: KASAN: use-after-free in do_get_mempolicy+0xaee/0xba0 at addr ffff8801ca10d0ce
[ 39.095350] Read of size 2 by task syz-executor7/7986
[ 39.100536] CPU: 1 PID: 7986 Comm: syz-executor7 Tainted: G B 4.9.39-g5b07c2d #4
[ 39.109183] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.118515] ffff8801c7cbfcf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801ca10d0c8
[ 39.126493] ffff8801ca10d0e0 ffffed0039421a19 ffff8801ca10d0ce ffff8801c7cbfd20
[ 39.134471] ffffffff81546bfc ffffed0039421a19 ffff8801dac0ec80 0000000000000000
[ 39.142449] Call Trace:
[ 39.145856] [] dump_stack+0xc1/0x128
[ 39.151201] [] kasan_object_err+0x1c/0x70
[ 39.156967] [] kasan_report.part.1+0x20d/0x4e0
[ 39.163171] [] ? do_get_mempolicy+0xaee/0xba0
[ 39.169287] [] __asan_report_load2_noabort+0x29/0x30
[ 39.176011] [] do_get_mempolicy+0xaee/0xba0
[ 39.181951] [] ? sp_free+0x60/0x60
[ 39.187109] [] SyS_get_mempolicy+0xc3/0x190
[ 39.193052] [] ? SyS_migrate_pages+0x710/0x710
[ 39.199255] [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 39.205893] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 39.212702] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.219249] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 39.225798] Object at ffff8801ca10d0c8, in cache numa_policy size: 24
[ 39.232341] Allocated:
[ 39.234807] PID = 7968
[ 39.237275] save_stack_trace+0x16/0x20
[ 39.241218] save_stack+0x43/0xd0
[ 39.244645] kasan_kmalloc+0xad/0xe0
[ 39.248327] kasan_slab_alloc+0x12/0x20
[ 39.252273] kmem_cache_alloc+0xc9/0x2a0
[ 39.256303] __mpol_dup+0x79/0x3c0
[ 39.259810] do_mbind+0x71e/0xb30
[ 39.263234] SyS_mbind+0x13b/0x150
[ 39.266742] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 39.271466] Freed:
[ 39.273583] PID = 7946
[ 39.276051] save_stack_trace+0x16/0x20
[ 39.279993] save_stack+0x43/0xd0
[ 39.283414] kasan_slab_free+0x73/0xc0
[ 39.287270] kmem_cache_free+0xb2/0x2e0
[ 39.291213] __mpol_put+0x26/0x30
[ 39.294637] remove_vma+0x12b/0x1a0
[ 39.298234] do_munmap+0x7ff/0xeb0
[ 39.301743] mmap_region+0x14d/0xfe0
[ 39.305423] do_mmap+0x595/0xbe0
[ 39.308759] vm_mmap_pgoff+0x158/0x1a0
[ 39.312615] SyS_mmap_pgoff+0x1fc/0x580
[ 39.316560] SyS_mmap+0x16/0x20
[ 39.319812] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 39.324533] Memory state around the buggy address:
[ 39.329433] ffff8801ca10cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 39.336761] ffff8801ca10d000: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 39.344087] >ffff8801ca10d080: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 39.351414] ^
[ 39.357091] ffff8801ca10d100: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 39.364417] ffff8801ca10d180: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 39.371743] ==================================================================