INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-2,10.128.0.52' (ECDSA) to the list of known hosts. 2017/08/21 06:49:20 parsed 1 programs 2017/08/21 06:49:20 executed programs: 0 syzkaller login: [ 56.356960] ================================================================== [ 56.358044] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801cce76000 [ 56.359220] Read of size 8 by task syz-executor0/3527 [ 56.360100] CPU: 0 PID: 3527 Comm: syz-executor0 Not tainted 4.9.44-g6dda7ac #31 [ 56.361169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.362396] ffff8801d0f374c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801cce76000 [ 56.363644] ffff8801cce76100 ffffed00399cec00 ffff8801cce76000 ffff8801d0f374e8 [ 56.364896] ffffffff8153c5ec ffffed00399cec00 ffff8801da0013c0 0000000000000000 [ 56.366417] Call Trace: [ 56.366874] [] dump_stack+0xc1/0x128 [ 56.367696] [] kasan_object_err+0x1c/0x70 [ 56.368517] [] kasan_report.part.1+0x21c/0x500 [ 56.369337] [] ? bio_copy_user_iov+0xe61/0xea0 [ 56.370283] [] __asan_report_load8_noabort+0x29/0x30 [ 56.371242] [] bio_copy_user_iov+0xe61/0xea0 [ 56.372039] [] ? bio_uncopy_user+0x600/0x600 [ 56.372877] [] ? __sbitmap_queue_get+0xfb/0x230 [ 56.373707] [] ? __bt_get+0x199/0x1f0 [ 56.374445] [] blk_rq_map_user_iov+0x237/0x790 [ 56.375392] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 56.376213] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 56.377384] [] ? kvm_sched_clock_read+0x9/0x20 [ 56.383583] [] ? import_single_range+0x1d4/0x2b0 [ 56.389986] [] blk_rq_map_user+0x111/0x1a0 [ 56.395837] [] ? blk_rq_map_user_iov+0x790/0x790 [ 56.402209] [] ? 
sg_res_in_use+0x1f/0x130 [ 56.407970] [] ? sg_res_in_use+0xea/0x130 [ 56.413739] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 56.420649] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 56.427282] [] ? sg_open+0x15a0/0x15a0 [ 56.432787] [] ? __might_fault+0xe4/0x1d0 [ 56.438843] [] ? check_stack_object+0x68/0x140 [ 56.445051] [] ? __check_object_size+0x174/0x3a9 [ 56.451446] [] sg_write+0x688/0xad0 [ 56.456689] [] ? sg_ioctl+0x29f0/0x29f0 [ 56.462283] [] ? format_decode+0x149/0x8f0 [ 56.468165] [] ? do_futex+0x3e8/0x1640 [ 56.473671] [] ? check_preemption_disabled+0x3b/0x200 [ 56.480482] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 56.487461] [] ? trace_hardirqs_on+0xd/0x10 [ 56.493417] [] ? sg_ioctl+0x29f0/0x29f0 [ 56.499031] [] __vfs_write+0x103/0x680 [ 56.504533] [] ? default_llseek+0x290/0x290 [ 56.510471] [] ? __might_sleep+0x95/0x1a0 [ 56.516237] [] ? __inode_security_revalidate+0xd9/0x130 [ 56.523222] [] ? avc_policy_seqno+0x9/0x20 [ 56.529072] [] ? selinux_file_permission+0x82/0x460 [ 56.535709] [] ? security_file_permission+0x89/0x1e0 [ 56.542428] [] ? rw_verify_area+0xe5/0x2b0 [ 56.548278] [] vfs_write+0x170/0x4e0 [ 56.553604] [] SyS_write+0xd9/0x1b0 [ 56.558844] [] ? SyS_read+0x1b0/0x1b0 [ 56.564258] [] ? 
trace_hardirqs_on_thunk+0x1a/0x1c [ 56.570822] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.577364] Object at ffff8801cce76000, in cache kmalloc-256 size: 256 [ 56.583995] Allocated: [ 56.586455] PID = 3530 [ 56.588916] save_stack_trace+0x16/0x20 [ 56.592854] save_stack+0x43/0xd0 [ 56.596284] kasan_kmalloc+0xad/0xe0 [ 56.599961] __kmalloc+0x11d/0x310 [ 56.603489] sg_build_indirect.isra.23+0x8b/0x550 [ 56.608315] sg_build_reserve+0x8d/0xb0 [ 56.612251] sg_open+0x946/0x15a0 [ 56.615665] chrdev_open+0x22b/0x4c0 [ 56.619355] do_dentry_open+0x607/0xc60 [ 56.623289] vfs_open+0x105/0x220 [ 56.626705] path_openat+0x64c/0x2a60 [ 56.630470] do_filp_open+0x197/0x290 [ 56.634234] do_sys_open+0x352/0x4c0 [ 56.637909] SyS_open+0x2d/0x40 [ 56.641151] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.645864] Freed: [ 56.647974] PID = 3530 [ 56.650434] save_stack_trace+0x16/0x20 [ 56.654371] save_stack+0x43/0xd0 [ 56.657785] kasan_slab_free+0x73/0xc0 [ 56.661633] kfree+0xf0/0x2f0 [ 56.664703] sg_remove_scat.isra.20+0x212/0x2d0 [ 56.669334] sg_ioctl+0x12d0/0x29f0 [ 56.672937] do_vfs_ioctl+0x1aa/0x10c0 [ 56.676788] SyS_ioctl+0x8f/0xc0 [ 56.680118] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 56.684832] Memory state around the buggy address: [ 56.689723] ffff8801cce75f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.697045] ffff8801cce75f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.704366] >ffff8801cce76000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.711683] ^ [ 56.715013] ffff8801cce76080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.722335] ffff8801cce76100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 56.729657] ================================================================== [ 56.737258] ================================================================== [ 56.744589] BUG: KASAN: wild-memory-access on address ffe70872baf16000 [ 56.751216] Write of size 38 by task syz-executor0/3527 [ 56.756543] CPU: 0 PID: 3527 Comm: syz-executor0 Tainted: G B 
4.9.44-g6dda7ac #31 [ 56.765255] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.774590] ffff8801d0f37448 ffffffff81d929c9 ffff8801d0f37618 0000000000000026 [ 56.782555] 0000000000000001 ffff8801d0f37840 ffe70872baf16000 ffff8801d0f374d0 [ 56.790501] ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284 [ 56.798440] Call Trace: [ 56.800994] [] dump_stack+0xc1/0x128 [ 56.806338] [] kasan_report.part.1+0x40f/0x500 [ 56.812535] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 56.818917] [] ? __might_fault+0xe4/0x1d0 [ 56.824691] [] kasan_report+0x20/0x30 [ 56.830103] [] check_memory_region+0x137/0x190 [ 56.836299] [] kasan_check_write+0x14/0x20 [ 56.842165] [] copy_page_from_iter+0x1a4/0x5d0 [ 56.848376] [] bio_copy_user_iov+0xb05/0xea0 [ 56.854396] [] ? bio_uncopy_user+0x600/0x600 [ 56.860418] [] ? __bt_get+0x199/0x1f0 [ 56.865834] [] blk_rq_map_user_iov+0x237/0x790 [ 56.872030] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 56.878227] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 56.885218] [] ? kvm_sched_clock_read+0x9/0x20 [ 56.891411] [] ? import_single_range+0x1d4/0x2b0 [ 56.897794] [] blk_rq_map_user+0x111/0x1a0 [ 56.903643] [] ? blk_rq_map_user_iov+0x790/0x790 [ 56.910029] [] ? sg_res_in_use+0x1f/0x130 [ 56.915822] [] ? sg_res_in_use+0xea/0x130 [ 56.921588] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 56.928478] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 56.935123] [] ? sg_open+0x15a0/0x15a0 [ 56.940625] [] ? __might_fault+0xe4/0x1d0 [ 56.946384] [] ? check_stack_object+0x68/0x140 [ 56.952593] [] ? __check_object_size+0x174/0x3a9 [ 56.959135] [] sg_write+0x688/0xad0 [ 56.964372] [] ? sg_ioctl+0x29f0/0x29f0 [ 56.969963] [] ? format_decode+0x149/0x8f0 [ 56.975813] [] ? do_futex+0x3e8/0x1640 [ 56.981344] [] ? check_preemption_disabled+0x3b/0x200 [ 56.988148] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 56.995129] [] ? trace_hardirqs_on+0xd/0x10 [ 57.001077] [] ? 
sg_ioctl+0x29f0/0x29f0 [ 57.006664] [] __vfs_write+0x103/0x680 [ 57.012199] [] ? default_llseek+0x290/0x290 [ 57.018139] [] ? __might_sleep+0x95/0x1a0 [ 57.023900] [] ? __inode_security_revalidate+0xd9/0x130 [ 57.030883] [] ? avc_policy_seqno+0x9/0x20 [ 57.036758] [] ? selinux_file_permission+0x82/0x460 [ 57.043403] [] ? security_file_permission+0x89/0x1e0 [ 57.050119] [] ? rw_verify_area+0xe5/0x2b0 [ 57.055965] [] vfs_write+0x170/0x4e0 [ 57.061307] [] SyS_write+0xd9/0x1b0 [ 57.066548] [] ? SyS_read+0x1b0/0x1b0 [ 57.071961] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 57.078519] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 57.085059] ================================================================== [ 57.092643] ================================================================== [ 57.099984] BUG: KASAN: wild-memory-access on address ffe70872baf16000 [ 57.106611] Write of size 38 by task syz-executor0/3527 [ 57.111959] CPU: 0 PID: 3527 Comm: syz-executor0 Tainted: G B 4.9.44-g6dda7ac #31 [ 57.120667] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 57.129984] ffff8801d0f373f8 ffffffff81d929c9 ffe70872baf16000 0000000000000026 [ 57.137925] 0000000000000001 0000000020006fdb ffe70872baf16000 ffff8801d0f37480 [ 57.145868] ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4 [ 57.153875] Call Trace: [ 57.156427] [] dump_stack+0xc1/0x128 [ 57.161772] [] kasan_report.part.1+0x40f/0x500 [ 57.167968] [] ? copy_user_handle_tail+0xb4/0xd0 [ 57.174338] [] ? retint_kernel+0x2d/0x2d [ 57.180101] [] kasan_report+0x20/0x30 [ 57.185515] [] check_memory_region+0x137/0x190 [ 57.191709] [] memset+0x23/0x40 [ 57.196608] [] copy_user_handle_tail+0xb4/0xd0 [ 57.202817] [] copy_page_from_iter+0x1c0/0x5d0 [ 57.209016] [] bio_copy_user_iov+0xb05/0xea0 [ 57.215042] [] ? bio_uncopy_user+0x600/0x600 [ 57.221062] [] ? __bt_get+0x199/0x1f0 [ 57.226473] [] blk_rq_map_user_iov+0x237/0x790 [ 57.232678] [] ? 
blk_rq_append_bio+0x1a0/0x1a0 [ 57.238875] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 57.245876] [] ? kvm_sched_clock_read+0x9/0x20 [ 57.252077] [] ? import_single_range+0x1d4/0x2b0 [ 57.258446] [] blk_rq_map_user+0x111/0x1a0 [ 57.264294] [] ? blk_rq_map_user_iov+0x790/0x790 [ 57.270671] [] ? sg_res_in_use+0x1f/0x130 [ 57.276437] [] ? sg_res_in_use+0xea/0x130 [ 57.282200] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 57.289095] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 57.295737] [] ? sg_open+0x15a0/0x15a0 [ 57.301241] [] ? __might_fault+0xe4/0x1d0 [ 57.307005] [] ? check_stack_object+0x68/0x140 [ 57.313200] [] ? __check_object_size+0x174/0x3a9 [ 57.319575] [] sg_write+0x688/0xad0 [ 57.324814] [] ? sg_ioctl+0x29f0/0x29f0 [ 57.330404] [] ? format_decode+0x149/0x8f0 [ 57.336253] [] ? do_futex+0x3e8/0x1640 [ 57.341754] [] ? check_preemption_disabled+0x3b/0x200 [ 57.348558] [] ? debug_check_no_locks_freed+0x2c0/0x2c0