INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-7,10.128.0.60' (ECDSA) to the list of known hosts. 2017/08/21 17:29:30 parsed 1 programs 2017/08/21 17:29:30 executed programs: 0 syzkaller login: [ 42.056909] ================================================================== [ 42.057947] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801cf571dc0 [ 42.059133] Read of size 8 by task syz-executor0/3276 [ 42.059835] CPU: 1 PID: 3276 Comm: syz-executor0 Not tainted 4.9.44-gc2e2621 #32 [ 42.060843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.062105] ffff8801c811f4c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801cf571dc0 [ 42.063235] ffff8801cf571ec0 ffffed0039eae3b8 ffff8801cf571dc0 ffff8801c811f4e8 [ 42.064360] ffffffff8153c5ec ffffed0039eae3b8 ffff8801da0013c0 0000000000000000 [ 42.065487] Call Trace: [ 42.065841] [] dump_stack+0xc1/0x128 [ 42.066552] [] kasan_object_err+0x1c/0x70 [ 42.067316] [] kasan_report.part.1+0x21c/0x500 [ 42.068135] [] ? bio_copy_user_iov+0xe61/0xea0 [ 42.069060] [] __asan_report_load8_noabort+0x29/0x30 [ 42.069947] [] bio_copy_user_iov+0xe61/0xea0 [ 42.070744] [] ? bio_uncopy_user+0x600/0x600 [ 42.071543] [] ? __sbitmap_queue_get+0xfb/0x230 [ 42.072376] [] ? __bt_get+0x199/0x1f0 [ 42.073097] [] blk_rq_map_user_iov+0x237/0x790 [ 42.073990] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 42.074829] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 42.075749] [] ? kvm_sched_clock_read+0x9/0x20 [ 42.076585] [] ? import_single_range+0x1d4/0x2b0 [ 42.077427] [] blk_rq_map_user+0x111/0x1a0 [ 42.083278] [] ? blk_rq_map_user_iov+0x790/0x790 [ 42.089648] [] ? sg_res_in_use+0x1f/0x130 [ 42.095410] [] ? sg_res_in_use+0xea/0x130 [ 42.101174] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 42.108064] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 42.114694] [] ? sg_open+0x15a0/0x15a0 [ 42.120196] [] ? __might_fault+0xe4/0x1d0 [ 42.125958] [] ? check_stack_object+0x68/0x140 [ 42.132162] [] ? __check_object_size+0x174/0x3a9 [ 42.138539] [] sg_write+0x688/0xad0 [ 42.143782] [] ? sg_ioctl+0x29f0/0x29f0 [ 42.149378] [] ? depot_save_stack+0x122/0x4a0 [ 42.155496] [] ? putname+0xee/0x130 [ 42.160744] [] ? save_stack+0xa3/0xd0 [ 42.166171] [] ? do_futex+0x3e8/0x1640 [ 42.171684] [] ? do_sys_open+0x252/0x4c0 [ 42.177360] [] ? SyS_open+0x2d/0x40 [ 42.182604] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 42.189324] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 42.196301] [] ? depot_save_stack+0x122/0x4a0 [ 42.202412] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 42.209389] [] ? sg_ioctl+0x29f0/0x29f0 [ 42.214977] [] __vfs_write+0x103/0x680 [ 42.220485] [] ? default_llseek+0x290/0x290 [ 42.226421] [] ? __might_sleep+0x95/0x1a0 [ 42.232193] [] ? __inode_security_revalidate+0xd9/0x130 [ 42.239176] [] ? avc_policy_seqno+0x9/0x20 [ 42.245027] [] ? selinux_file_permission+0x82/0x460 [ 42.251658] [] ? security_file_permission+0x89/0x1e0 [ 42.258373] [] ? rw_verify_area+0xe5/0x2b0 [ 42.264220] [] vfs_write+0x170/0x4e0 [ 42.269553] [] SyS_write+0xd9/0x1b0 [ 42.274791] [] ? SyS_read+0x1b0/0x1b0 [ 42.280210] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.286761] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 42.293305] Object at ffff8801cf571dc0, in cache kmalloc-256 size: 256 [ 42.299938] Allocated: [ 42.302400] PID = 3276 [ 42.304870] save_stack_trace+0x16/0x20 [ 42.308807] save_stack+0x43/0xd0 [ 42.312222] kasan_kmalloc+0xad/0xe0 [ 42.315897] __kmalloc+0x11d/0x310 [ 42.319405] sg_build_indirect.isra.23+0x8b/0x550 [ 42.324208] sg_build_reserve+0x8d/0xb0 [ 42.328145] sg_open+0x946/0x15a0 [ 42.331562] chrdev_open+0x22b/0x4c0 [ 42.335239] do_dentry_open+0x607/0xc60 [ 42.339179] vfs_open+0x105/0x220 [ 42.342604] path_openat+0x64c/0x2a60 [ 42.346377] do_filp_open+0x197/0x290 [ 42.350142] do_sys_open+0x352/0x4c0 [ 42.353817] SyS_open+0x2d/0x40 [ 42.357062] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 42.361776] Freed: [ 42.363888] PID = 3277 [ 42.366350] save_stack_trace+0x16/0x20 [ 42.370285] save_stack+0x43/0xd0 [ 42.373701] kasan_slab_free+0x73/0xc0 [ 42.377549] kfree+0xf0/0x2f0 [ 42.380619] sg_remove_scat.isra.20+0x212/0x2d0 [ 42.385254] sg_ioctl+0x12d0/0x29f0 [ 42.388852] do_vfs_ioctl+0x1aa/0x10c0 [ 42.392701] SyS_ioctl+0x8f/0xc0 [ 42.396029] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 42.400756] Memory state around the buggy address: [ 42.405646] ffff8801cf571c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 42.412970] ffff8801cf571d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 42.420291] >ffff8801cf571d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 42.427612] ^ [ 42.433023] ffff8801cf571e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 42.440343] ffff8801cf571e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 42.447663] ================================================================== [ 42.455106] ================================================================== [ 42.462441] BUG: KASAN: wild-memory-access on address ffe7087625f28000 [ 42.469068] Write of size 38 by task syz-executor0/3276 [ 42.474393] CPU: 1 PID: 3276 Comm: syz-executor0 Tainted: G B 4.9.44-gc2e2621 #32 [ 42.483110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.492428] ffff8801c811f448 ffffffff81d929c9 ffff8801c811f618 0000000000000026 [ 42.500380] 0000000000000001 ffff8801c811f840 ffe7087625f28000 ffff8801c811f4d0 [ 42.508320] ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284 [ 42.516264] Call Trace: [ 42.518817] [] dump_stack+0xc1/0x128 [ 42.524159] [] kasan_report.part.1+0x40f/0x500 [ 42.530357] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 42.536726] [] ? __might_fault+0xe4/0x1d0 [ 42.542488] [] kasan_report+0x20/0x30 [ 42.547901] [] check_memory_region+0x137/0x190 [ 42.554186] [] kasan_check_write+0x14/0x20 [ 42.560038] [] copy_page_from_iter+0x1a4/0x5d0 [ 42.566238] [] bio_copy_user_iov+0xb05/0xea0 [ 42.572265] [] ? bio_uncopy_user+0x600/0x600 [ 42.578295] [] ? __bt_get+0x199/0x1f0 [ 42.583709] [] blk_rq_map_user_iov+0x237/0x790 [ 42.589905] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 42.596103] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 42.603076] [] ? kvm_sched_clock_read+0x9/0x20 [ 42.609271] [] ? import_single_range+0x1d4/0x2b0 [ 42.615648] [] blk_rq_map_user+0x111/0x1a0 [ 42.621496] [] ? blk_rq_map_user_iov+0x790/0x790 [ 42.627867] [] ? sg_res_in_use+0x1f/0x130 [ 42.633628] [] ? sg_res_in_use+0xea/0x130 [ 42.639390] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 42.646279] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 42.652908] [] ? sg_open+0x15a0/0x15a0 [ 42.658411] [] ? __might_fault+0xe4/0x1d0 [ 42.664174] [] ? check_stack_object+0x68/0x140 [ 42.670367] [] ? __check_object_size+0x174/0x3a9 [ 42.676742] [] sg_write+0x688/0xad0 [ 42.681981] [] ? sg_ioctl+0x29f0/0x29f0 [ 42.687569] [] ? depot_save_stack+0x122/0x4a0 [ 42.693679] [] ? putname+0xee/0x130 [ 42.698918] [] ? save_stack+0xa3/0xd0 [ 42.704336] [] ? do_futex+0x3e8/0x1640 [ 42.709842] [] ? do_sys_open+0x252/0x4c0 [ 42.715514] [] ? SyS_open+0x2d/0x40 [ 42.720757] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 42.727473] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 42.734451] [] ? depot_save_stack+0x122/0x4a0 [ 42.740562] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 42.747540] [] ? sg_ioctl+0x29f0/0x29f0 [ 42.753133] [] __vfs_write+0x103/0x680 [ 42.758636] [] ? default_llseek+0x290/0x290 [ 42.764578] [] ? __might_sleep+0x95/0x1a0 [ 42.770349] [] ? __inode_security_revalidate+0xd9/0x130 [ 42.777331] [] ? avc_policy_seqno+0x9/0x20 [ 42.783181] [] ? selinux_file_permission+0x82/0x460 [ 42.789812] [] ? security_file_permission+0x89/0x1e0 [ 42.796528] [] ? rw_verify_area+0xe5/0x2b0 [ 42.802376] [] vfs_write+0x170/0x4e0 [ 42.807710] [] SyS_write+0xd9/0x1b0 [ 42.812953] [] ? SyS_read+0x1b0/0x1b0 [ 42.818377] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.824921] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 42.831463] ================================================================== [ 42.838862] ================================================================== [ 42.846201] BUG: KASAN: wild-memory-access on address ffe7087625f28000 [ 42.852830] Write of size 38 by task syz-executor0/3276 [ 42.858166] CPU: 1 PID: 3276 Comm: syz-executor0 Tainted: G B 4.9.44-gc2e2621 #32 [ 42.866876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.876196] ffff8801c811f3f8 ffffffff81d929c9 ffe7087625f28000 0000000000000026 [ 42.884144] 0000000000000001 0000000020006fdb ffe7087625f28000 ffff8801c811f480 [ 42.892086] ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4 [ 42.900036] Call Trace: [ 42.902595] [] dump_stack+0xc1/0x128 [ 42.907922] [] kasan_report.part.1+0x40f/0x500 [ 42.914119] [] ? copy_user_handle_tail+0xb4/0xd0 [ 42.920492] [] ? retint_kernel+0x2d/0x2d [ 42.926166] [] kasan_report+0x20/0x30 [ 42.931580] [] check_memory_region+0x137/0x190 [ 42.937773] [] memset+0x23/0x40 [ 42.942666] [] copy_user_handle_tail+0xb4/0xd0 [ 42.948867] [] copy_page_from_iter+0x1c0/0x5d0 [ 42.955074] [] bio_copy_user_iov+0xb05/0xea0 [ 42.961106] [] ? bio_uncopy_user+0x600/0x600 [ 42.967148] [] ? __bt_get+0x199/0x1f0 [ 42.972569] [] blk_rq_map_user_iov+0x237/0x790 [ 42.978768] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 42.984967] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 42.991946] [] ? kvm_sched_clock_read+0x9/0x20 [ 42.998153] [] ? import_single_range+0x1d4/0x2b0 [ 43.004531] [] blk_rq_map_user+0x111/0x1a0 [ 43.010382] [] ? blk_rq_map_user_iov+0x790/0x790 [ 43.016755] [] ? sg_res_in_use+0x1f/0x130 [ 43.022520] [] ? sg_res_in_use+0xea/0x130 [ 43.028292] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 43.035183] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 43.041812] [] ? sg_open+0x15a0/0x15a0 [ 43.047316] [] ? __might_fault+0xe4/0x1d0 [ 43.053079] [] ? check_stack_object+0x68/0x140