Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.0.35' (ECDSA) to the list of known hosts.
serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-8 port 1 (session ID: 818c49ad5cc66e04782b03028824f75d983c2742db7bfd167e07ee4be6f39c09, active connections: 1).
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

2017/07/26 05:52:45 parsed 1 programs
2017/07/26 05:52:45 executed programs: 0
syzkaller login: [ 99.082264] hrtimer: interrupt took 21967 ns
2017/07/26 05:52:50 executed programs: 380
2017/07/26 05:52:55 executed programs: 677
[ 109.009458] sg_write: data in/out 171756805/34 bytes for SCSI command 0x55-- guessing data in;
[ 109.009458] program syz-executor6 not setting count and/or reply_len properly
[ 109.030308] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[ 109.030308] program syz-executor7 not setting count and/or reply_len properly
[ 109.075570] sg_write: data in/out 171756805/34 bytes for SCSI command 0x55-- guessing data in;
[ 109.075570] program syz-executor6 not setting count and/or reply_len properly
[ 109.170298] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[ 109.170298] program syz-executor1 not setting count and/or reply_len properly
[ 112.662823] sg_write: data in/out 102929522/34 bytes for SCSI command 0xde-- guessing data in;
[ 112.662823] program syz-executor7 not setting count and/or reply_len properly
[ 112.717425] sg_write: data in/out 102929522/34 bytes for SCSI command 0xde-- guessing data in;
[ 112.717425] program syz-executor7 not setting count and/or reply_len properly
[ 113.339714] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[ 113.339714] program syz-executor6 not setting count and/or reply_len properly
[ 113.356471] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[ 113.356471] program syz-executor0 not setting count and/or reply_len properly
[ 113.422191] sg_write: data in/out 1006076092/34 bytes for SCSI command 0x3d-- guessing data in;
[ 113.422191] program syz-executor3 not setting count and/or reply_len properly
2017/07/26 05:53:00 executed programs: 971
[ 114.416009] ==================================================================
[ 114.423392] BUG: KASAN: use-after-free in bio_copy_user_iov+0xcdf/0xe50 at addr ffff8801d9317c80
[ 114.432298] Read of size 8 by task syz-executor4/7270
[ 114.437468] CPU: 0 PID: 7270 Comm: syz-executor4 Not tainted 4.9.39-g72a0c9f #6
[ 114.444892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 114.454226] ffff8801d5fcf4f0 ffffffff81eacd59 ffff8801dac013c0 ffff8801d9317c80
[ 114.462282] ffff8801d9317d80 ffffed003b262f90 ffff8801d9317c80 ffff8801d5fcf518
[ 114.470286] ffffffff81546bfc ffffed003b262f90 ffff8801dac013c0 0000000000000000
[ 114.478295] Call Trace:
[ 114.480892] [] dump_stack+0xc1/0x128
[ 114.486250] [] kasan_object_err+0x1c/0x70
[ 114.492031] [] kasan_report.part.1+0x20d/0x4e0
[ 114.498257] [] ? bvec_alloc+0x2d0/0x2d0
[ 114.503864] [] ? bio_copy_user_iov+0xcdf/0xe50
[ 114.510093] [] ? __kmalloc+0x128/0x320
[ 114.515631] [] __asan_report_load8_noabort+0x29/0x30
[ 114.522371] [] bio_copy_user_iov+0xcdf/0xe50
[ 114.528449] [] ? bio_uncopy_user+0x5e0/0x5e0
[ 114.534523] [] ? __sbitmap_queue_get+0xfb/0x230
[ 114.540826] [] blk_rq_map_user_iov+0x22f/0x770
[ 114.547053] [] ? blk_rq_append_bio+0x1a0/0x1a0
[ 114.553290] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 114.560300] [] ? init_wait_entry+0x100/0x100
[ 114.566418] [] ? blk_mq_get_tag+0x13e/0x230
[ 114.572373] [] ? import_single_range+0x1d4/0x2b0
[ 114.578763] [] blk_rq_map_user+0x109/0x180
[ 114.584643] [] ? blk_rq_map_user_iov+0x770/0x770
[ 114.591045] [] ? sg_res_in_use+0x1f/0x130
[ 114.596823] [] ? _raw_read_unlock_irqrestore+0x5a/0x70
[ 114.603732] [] ? _raw_read_unlock_irqrestore+0x45/0x70
[ 114.610656] [] sg_common_write.isra.21+0xc12/0x17a0
[ 114.617315] [] ? sg_open+0x1590/0x1590
[ 114.622835] [] ? __might_fault+0x114/0x1d0
[ 114.628705] [] sg_write+0x68b/0xb10
[ 114.633981] [] ? drop_futex_key_refs.isra.12+0x63/0xd0
[ 114.640883] [] ? sg_ioctl+0x29d0/0x29d0
[ 114.646484] [] ? __lock_acquire+0x669/0x3db0
[ 114.652527] [] ? do_futex+0x3d3/0x1600
[ 114.658056] [] ? khugepaged_enter_vma_merge+0x78/0x220
[ 114.664965] [] ? vma_wants_writenotify+0x51/0x380
[ 114.671442] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 114.678455] [] ? sg_ioctl+0x29d0/0x29d0
[ 114.684063] [] __vfs_write+0xfb/0x660
[ 114.689540] [] ? default_llseek+0x290/0x290
[ 114.695491] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 114.702254] [] ? common_file_perm+0x14f/0x390
[ 114.708409] [] ? apparmor_file_permission+0x22/0x30
[ 114.715086] [] ? security_file_permission+0x89/0x1e0
[ 114.721817] [] ? rw_verify_area+0xe5/0x2b0
[ 114.727687] [] vfs_write+0x170/0x4e0
[ 114.733033] [] SyS_write+0xd4/0x1a0
[ 114.738285] [] ? SyS_read+0x1a0/0x1a0
[ 114.743712] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 114.750534] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 114.757099] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 114.763673] Object at ffff8801d9317c80, in cache kmalloc-256 size: 256
[ 114.770311] Allocated:
[ 114.772778] PID = 7280
[ 114.775254] save_stack_trace+0x16/0x20
[ 114.779190] save_stack+0x43/0xd0
[ 114.782603] kasan_kmalloc+0xad/0xe0
[ 114.786279] __kmalloc+0x128/0x320
[ 114.789781] sg_build_indirect.isra.20+0x8b/0x550
[ 114.794590] sg_build_reserve+0x8d/0xb0
[ 114.798533] sg_open+0x92b/0x1590
[ 114.801952] chrdev_open+0x227/0x4a0
[ 114.805630] do_dentry_open+0x607/0xc60
[ 114.809564] vfs_open+0x105/0x220
[ 114.812978] path_openat+0x644/0x2a40
[ 114.816740] do_filp_open+0x18b/0x270
[ 114.820502] do_sys_open+0x336/0x4b0
[ 114.824185] SyS_open+0x2d/0x40
[ 114.827426] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 114.832141] Freed:
[ 114.834250] PID = 7280
[ 114.836713] save_stack_trace+0x16/0x20
[ 114.840651] save_stack+0x43/0xd0
[ 114.844067] kasan_slab_free+0x73/0xc0
[ 114.847920] kfree+0xf0/0x2f0
[ 114.850991] sg_remove_scat.isra.17+0x212/0x2d0
[ 114.855624] sg_ioctl+0x12b5/0x29d0
[ 114.859210] do_vfs_ioctl+0x194/0x1070
[ 114.863058] SyS_ioctl+0x8f/0xc0
[ 114.866388] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 114.871117] Memory state around the buggy address:
[ 114.876006] ffff8801d9317b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.883330] ffff8801d9317c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 114.890652] >ffff8801d9317c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.897974] ^
[ 114.901303] ffff8801d9317d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.908624] ffff8801d9317d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 114.915945] ==================================================================
[ 114.923266] Disabling lock debugging due to kernel taint
[ 114.932310] ==================================================================
[ 114.939683] BUG: KASAN: wild-memory-access on address ffe708754477d000
[ 114.946341] Write of size 38 by task syz-executor4/7270
[ 114.951682] CPU: 1 PID: 7270 Comm: syz-executor4 Tainted: G B 4.9.39-g72a0c9f #6
[ 114.960315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 114.969635] ffff8801d5fcf470 ffffffff81eacd59 ffff8801d5fcf630 0000000000000026
[ 114.977590] 0000000000000001 ffe708754477d000 ffe708754477d000 ffff8801d5fcf4f0
[ 114.985543] ffffffff815470a0 0000000000000001 ffff8801d5fcf500 ffffffff81ef5faa
[ 114.993482] Call Trace:
[ 114.996037] [] dump_stack+0xc1/0x128
[ 115.001368] [] kasan_report.part.1+0x400/0x4e0
[ 115.007567] [] ? copy_page_from_iter+0x1aa/0x5c0
[ 115.013946] [] ? __might_fault+0xe4/0x1d0
[ 115.019721] [] ? __might_fault+0x114/0x1d0
[ 115.025575] [] kasan_report+0x20/0x30
[ 115.030988] [] check_memory_region+0x137/0x190
[ 115.037182] [] kasan_check_write+0x14/0x20
[ 115.043043] [] copy_page_from_iter+0x1aa/0x5c0
[ 115.049240] [] bio_copy_user_iov+0xacc/0xe50
[ 115.055260] [] ? bio_uncopy_user+0x5e0/0x5e0
[ 115.061283] [] blk_rq_map_user_iov+0x22f/0x770
[ 115.067523] [] ? blk_rq_append_bio+0x1a0/0x1a0
[ 115.073766] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 115.080750] [] ? init_wait_entry+0x100/0x100
[ 115.086772] [] ? blk_mq_get_tag+0x13e/0x230
[ 115.092708] [] ? import_single_range+0x1d4/0x2b0
[ 115.099093] [] blk_rq_map_user+0x109/0x180
[ 115.104945] [] ? blk_rq_map_user_iov+0x770/0x770
[ 115.111341] [] ? sg_res_in_use+0x1f/0x130
[ 115.117123] [] ? _raw_read_unlock_irqrestore+0x5a/0x70
[ 115.124028] [] ? _raw_read_unlock_irqrestore+0x45/0x70
[ 115.130917] [] sg_common_write.isra.21+0xc12/0x17a0
[ 115.137549] [] ? sg_open+0x1590/0x1590
[ 115.143050] [] ? __might_fault+0x114/0x1d0
[ 115.148898] [] sg_write+0x68b/0xb10
[ 115.154139] [] ? drop_futex_key_refs.isra.12+0x63/0xd0
[ 115.161030] [] ? sg_ioctl+0x29d0/0x29d0
[ 115.166622] [] ? __lock_acquire+0x669/0x3db0
[ 115.172643] [] ? do_futex+0x3d3/0x1600
[ 115.178144] [] ? khugepaged_enter_vma_merge+0x78/0x220
[ 115.185034] [] ? vma_wants_writenotify+0x51/0x380
[ 115.191488] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 115.198467] [] ? sg_ioctl+0x29d0/0x29d0
[ 115.204057] [] __vfs_write+0xfb/0x660
[ 115.209530] [] ? default_llseek+0x290/0x290
[ 115.215466] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 115.222181] [] ? common_file_perm+0x14f/0x390
[ 115.228300] [] ? apparmor_file_permission+0x22/0x30
[ 115.234929] [] ? security_file_permission+0x89/0x1e0
[ 115.241648] [] ? rw_verify_area+0xe5/0x2b0
[ 115.247513] [] vfs_write+0x170/0x4e0
[ 115.252839] [] SyS_write+0xd4/0x1a0
[ 115.258079] [] ? SyS_read+0x1a0/0x1a0
[ 115.263495] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 115.270305] [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 115.276848] [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 115.283386] ==================================================================
[ 115.291478] ==================================================================
[ 115.298835] BUG: KASAN: wild-memory-access on address ffe708754477d000
[ 115.305461] Write of size 38 by task syz-executor4/7270
[ 115.310785] CPU: 1 PID: 7270 Comm: syz-executor4 Tainted: G B 4.9.39-g72a0c9f #6
[ 115.319409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 115.328733] ffff8801d5fcf420 ffffffff81eacd59 ffe708754477d000 0000000000000026
[ 115.336695] 0000000000000001 0000000020006fdb ffe708754477d000 ffff8801d5fcf4a0
[ 115.344631] ffffffff815470a0 0000000000000000 ffff8801d5fcf458 ffffffff81edff24
[ 115.352640] Call Trace:
[ 115.355194] [] dump_stack+0xc1/0x128
[ 115.360524] [] kasan_report.part.1+0x400/0x4e0
[ 115.366727] [] ? copy_user_handle_tail+0xb4/0xd0
[ 115.373111] [] ? retint_kernel+0x2d/0x2d
[ 115.378786] [] kasan_report+0x20/0x30
[ 115.384200] [] check_memory_region+0x137/0x190
[ 115.390402] [] memset+0x23/0x40
[ 115.395302] [] copy_user_handle_tail+0xb4/0xd0
[ 115.401504] [] copy_page_from_iter+0x1b9/0x5c0
[ 115.407704] [] bio_copy_user_iov+0xacc/0xe50
[ 115.413732] [] ? bio_uncopy_user+0x5e0/0x5e0