INIT: Entering runlevel: 2 [[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-0,10.128.0.36' (ECDSA) to the list of known hosts. 2017/08/21 04:58:22 parsed 1 programs 2017/08/21 04:58:22 executed programs: 0 syzkaller login: [ 42.879500] sg_write: data in/out 1732536878/34 bytes for SCSI command 0xfd-- guessing data in; [ 42.879500] program syz-executor0 not setting count and/or reply_len properly [ 43.287082] ================================================================== [ 43.294617] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801c9b96000 [ 43.303506] Read of size 8 by task syz-executor0/3848 [ 43.308663] CPU: 0 PID: 3848 Comm: syz-executor0 Not tainted 4.9.44-g6dda7ac #31 [ 43.316159] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.325481] ffff8801ca4274c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801c9b96000 [ 43.333425] ffff8801c9b96100 ffffed0039372c00 ffff8801c9b96000 ffff8801ca4274e8 [ 43.341369] ffffffff8153c5ec ffffed0039372c00 ffff8801da0013c0 0000000000000000 [ 43.349311] Call Trace: [ 43.351869] [] dump_stack+0xc1/0x128 [ 43.357201] [] kasan_object_err+0x1c/0x70 [ 43.362970] [] kasan_report.part.1+0x21c/0x500 [ 43.369168] [] ? bio_copy_user_iov+0xe61/0xea0 [ 43.375403] [] __asan_report_load8_noabort+0x29/0x30 [ 43.382124] [] bio_copy_user_iov+0xe61/0xea0 [ 43.388146] [] ? bio_uncopy_user+0x600/0x600 [ 43.394171] [] ? __sbitmap_queue_get+0xfb/0x230 [ 43.400459] [] ? __bt_get+0x199/0x1f0 [ 43.405876] [] blk_rq_map_user_iov+0x237/0x790 [ 43.412088] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 43.418287] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.425267] [] ? kvm_sched_clock_read+0x9/0x20 [ 43.431466] [] ? import_single_range+0x1d4/0x2b0 [ 43.437835] [] blk_rq_map_user+0x111/0x1a0 [ 43.443688] [] ? blk_rq_map_user_iov+0x790/0x790 [ 43.450068] [] ? sg_res_in_use+0x1f/0x130 [ 43.455829] [] ? sg_res_in_use+0xea/0x130 [ 43.461596] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 43.468489] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 43.475119] [] ? sg_open+0x15a0/0x15a0 [ 43.480634] [] ? __might_fault+0xe4/0x1d0 [ 43.486401] [] ? check_stack_object+0x68/0x140 [ 43.492598] [] ? __check_object_size+0x174/0x3a9 [ 43.498996] [] sg_write+0x688/0xad0 [ 43.504236] [] ? sg_ioctl+0x29f0/0x29f0 [ 43.509825] [] ? depot_save_stack+0x122/0x4a0 [ 43.515936] [] ? putname+0xee/0x130 [ 43.521175] [] ? save_stack+0xa3/0xd0 [ 43.526593] [] ? do_futex+0x3e8/0x1640 [ 43.532096] [] ? do_sys_open+0x252/0x4c0 [ 43.537783] [] ? SyS_open+0x2d/0x40 [ 43.543033] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.549764] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.556755] [] ? depot_save_stack+0x122/0x4a0 [ 43.562877] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.569906] [] ? sg_ioctl+0x29f0/0x29f0 [ 43.575509] [] __vfs_write+0x103/0x680 [ 43.581017] [] ? default_llseek+0x290/0x290 [ 43.586961] [] ? __might_sleep+0x95/0x1a0 [ 43.592732] [] ? __inode_security_revalidate+0xd9/0x130 [ 43.599717] [] ? avc_policy_seqno+0x9/0x20 [ 43.605571] [] ? selinux_file_permission+0x82/0x460 [ 43.612213] [] ? security_file_permission+0x89/0x1e0 [ 43.618934] [] ? rw_verify_area+0xe5/0x2b0 [ 43.624789] [] vfs_write+0x170/0x4e0 [ 43.630116] [] SyS_write+0xd9/0x1b0 [ 43.635358] [] ? SyS_read+0x1b0/0x1b0 [ 43.640772] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.647314] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.653870] Object at ffff8801c9b96000, in cache kmalloc-256 size: 256 [ 43.660496] Allocated: [ 43.662956] PID = 3848 [ 43.665419] save_stack_trace+0x16/0x20 [ 43.669357] save_stack+0x43/0xd0 [ 43.672780] kasan_kmalloc+0xad/0xe0 [ 43.676456] __kmalloc+0x11d/0x310 [ 43.680481] sg_build_indirect.isra.23+0x8b/0x550 [ 43.685302] sg_build_reserve+0x8d/0xb0 [ 43.689254] sg_open+0x946/0x15a0 [ 43.692690] chrdev_open+0x22b/0x4c0 [ 43.696378] do_dentry_open+0x607/0xc60 [ 43.700324] vfs_open+0x105/0x220 [ 43.703755] path_openat+0x64c/0x2a60 [ 43.707531] do_filp_open+0x197/0x290 [ 43.711323] do_sys_open+0x352/0x4c0 [ 43.715011] SyS_open+0x2d/0x40 [ 43.718289] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.723017] Freed: [ 43.725143] PID = 3849 [ 43.727615] save_stack_trace+0x16/0x20 [ 43.731563] save_stack+0x43/0xd0 [ 43.734991] kasan_slab_free+0x73/0xc0 [ 43.738853] kfree+0xf0/0x2f0 [ 43.741936] sg_remove_scat.isra.20+0x212/0x2d0 [ 43.746581] sg_ioctl+0x12d0/0x29f0 [ 43.750182] do_vfs_ioctl+0x1aa/0x10c0 [ 43.754047] SyS_ioctl+0x8f/0xc0 [ 43.757391] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 43.762134] Memory state around the buggy address: [ 43.767041] ffff8801c9b95f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 43.774381] ffff8801c9b95f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.781715] >ffff8801c9b96000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.789045] ^ [ 43.792375] ffff8801c9b96080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.799698] ffff8801c9b96100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.807018] ================================================================== [ 43.814925] ================================================================== [ 43.822287] BUG: KASAN: wild-memory-access on address ffe7087658f9c000 [ 43.828923] Write of size 38 by task syz-executor0/3848 [ 43.834252] CPU: 0 PID: 3848 Comm: syz-executor0 Tainted: G B 4.9.44-g6dda7ac #31 [ 43.842962] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.852284] ffff8801ca427448 ffffffff81d929c9 ffff8801ca427618 0000000000000026 [ 43.860237] 0000000000000001 ffff8801ca427840 ffe7087658f9c000 ffff8801ca4274d0 [ 43.868188] ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284 [ 43.876130] Call Trace: [ 43.878685] [] dump_stack+0xc1/0x128 [ 43.884021] [] kasan_report.part.1+0x40f/0x500 [ 43.890226] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 43.896608] [] ? __might_fault+0xe4/0x1d0 [ 43.902375] [] kasan_report+0x20/0x30 [ 43.907798] [] check_memory_region+0x137/0x190 [ 43.914003] [] kasan_check_write+0x14/0x20 [ 43.919860] [] copy_page_from_iter+0x1a4/0x5d0 [ 43.926060] [] bio_copy_user_iov+0xb05/0xea0 [ 43.932098] [] ? bio_uncopy_user+0x600/0x600 [ 43.938121] [] ? __bt_get+0x199/0x1f0 [ 43.943536] [] blk_rq_map_user_iov+0x237/0x790 [ 43.949732] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 43.955929] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 43.962905] [] ? kvm_sched_clock_read+0x9/0x20 [ 43.969110] [] ? import_single_range+0x1d4/0x2b0 [ 43.975489] [] blk_rq_map_user+0x111/0x1a0 [ 43.981338] [] ? blk_rq_map_user_iov+0x790/0x790 [ 43.987709] [] ? sg_res_in_use+0x1f/0x130 [ 43.993485] [] ? sg_res_in_use+0xea/0x130 [ 43.999256] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 44.006148] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 44.012783] [] ? sg_open+0x15a0/0x15a0 [ 44.018288] [] ? __might_fault+0xe4/0x1d0 [ 44.024048] [] ? check_stack_object+0x68/0x140 [ 44.030241] [] ? __check_object_size+0x174/0x3a9 [ 44.036624] [] sg_write+0x688/0xad0 [ 44.041882] [] ? sg_ioctl+0x29f0/0x29f0 [ 44.047473] [] ? depot_save_stack+0x122/0x4a0 [ 44.053584] [] ? putname+0xee/0x130 [ 44.058827] [] ? save_stack+0xa3/0xd0 [ 44.064245] [] ? do_futex+0x3e8/0x1640 [ 44.069752] [] ? do_sys_open+0x252/0x4c0 [ 44.075430] [] ? SyS_open+0x2d/0x40 [ 44.080685] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 44.087404] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 44.094381] [] ? depot_save_stack+0x122/0x4a0 [ 44.100490] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 44.107474] [] ? sg_ioctl+0x29f0/0x29f0 [ 44.113059] [] __vfs_write+0x103/0x680 [ 44.118560] [] ? default_llseek+0x290/0x290 [ 44.124501] [] ? __might_sleep+0x95/0x1a0 [ 44.130272] [] ? __inode_security_revalidate+0xd9/0x130 [ 44.137254] [] ? avc_policy_seqno+0x9/0x20 [ 44.143102] [] ? selinux_file_permission+0x82/0x460 [ 44.149737] [] ? security_file_permission+0x89/0x1e0 [ 44.156454] [] ? rw_verify_area+0xe5/0x2b0 [ 44.162302] [] vfs_write+0x170/0x4e0 [ 44.167630] [] SyS_write+0xd9/0x1b0 [ 44.172869] [] ? SyS_read+0x1b0/0x1b0 [ 44.178285] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 44.184831] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 44.191370] ================================================================== [ 44.199161] ================================================================== [ 44.206499] BUG: KASAN: wild-memory-access on address ffe7087658f9c000 [ 44.213127] Write of size 38 by task syz-executor0/3848 [ 44.218461] CPU: 0 PID: 3848 Comm: syz-executor0 Tainted: G B 4.9.44-g6dda7ac #31 [ 44.227172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.236490] ffff8801ca4273f8 ffffffff81d929c9 ffe7087658f9c000 0000000000000026 [ 44.244460] 0000000000000001 0000000020006fdb ffe7087658f9c000 ffff8801ca427480 [ 44.252437] ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4 [ 44.260390] Call Trace: [ 44.262940] [] dump_stack+0xc1/0x128 [ 44.268271] [] kasan_report.part.1+0x40f/0x500 [ 44.274466] [] ? copy_user_handle_tail+0xb4/0xd0 [ 44.280840] [] ? retint_kernel+0x2d/0x2d