INIT: Entering runlevel: 2 [[36minfo[39;49m] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-android-49-kasan-gce-2,10.128.0.3' (ECDSA) to the list of known hosts. 2017/08/25 22:26:19 parsed 1 programs 2017/08/25 22:26:19 executed programs: 0 syzkaller login: [ 33.171640] ================================================================== [ 33.172940] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801c7c78140 [ 33.174122] Read of size 8 by task syz-executor0/3280 [ 33.174812] CPU: 0 PID: 3280 Comm: syz-executor0 Not tainted 4.9.44-gbf7ef8f #34 [ 33.175836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.177060] ffff8801c60774c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801c7c78140 [ 33.178392] ffff8801c7c78240 ffffed0038f8f028 ffff8801c7c78140 ffff8801c60774e8 [ 33.179571] ffffffff8153c5ec ffffed0038f8f028 ffff8801da0013c0 0000000000000000 [ 33.180730] Call Trace: [ 33.181087] [] dump_stack+0xc1/0x128 [ 33.181799] [] kasan_object_err+0x1c/0x70 [ 33.182577] [] kasan_report.part.1+0x21c/0x500 [ 33.183422] [] ? bio_copy_user_iov+0xe61/0xea0 [ 33.184243] [] __asan_report_load8_noabort+0x29/0x30 [ 33.185153] [] bio_copy_user_iov+0xe61/0xea0 [ 33.186024] [] ? bio_uncopy_user+0x600/0x600 [ 33.186844] [] ? __sbitmap_queue_get+0xfb/0x230 [ 33.187677] [] ? __bt_get+0x199/0x1f0 [ 33.188401] [] blk_rq_map_user_iov+0x237/0x790 [ 33.189242] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 33.190065] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.191021] [] ? __blk_mq_alloc_request+0x740/0xab0 [ 33.192535] [] ? import_single_range+0x1d4/0x2b0 [ 33.198907] [] blk_rq_map_user+0x111/0x1a0 [ 33.204759] [] ? blk_rq_map_user_iov+0x790/0x790 [ 33.211141] [] ? sg_res_in_use+0x1f/0x130 [ 33.216904] [] ? sg_res_in_use+0xea/0x130 [ 33.223208] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 33.230119] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 33.236757] [] ? sg_open+0x15a0/0x15a0 [ 33.242266] [] ? __might_fault+0xe4/0x1d0 [ 33.248032] [] ? check_stack_object+0x68/0x140 [ 33.254236] [] ? __check_object_size+0x174/0x3a9 [ 33.260606] [] sg_write+0x688/0xad0 [ 33.265847] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.271624] [] ? depot_save_stack+0x122/0x4a0 [ 33.277740] [] ? putname+0xee/0x130 [ 33.282984] [] ? save_stack+0xa3/0xd0 [ 33.288410] [] ? do_futex+0x3e8/0x1640 [ 33.293915] [] ? do_sys_open+0x252/0x4c0 [ 33.299602] [] ? SyS_open+0x2d/0x40 [ 33.304847] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.311568] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.318547] [] ? __vma_link_file+0x10c/0x160 [ 33.324568] [] ? vma_wants_writenotify+0x51/0x380 [ 33.331037] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.338018] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.343610] [] __vfs_write+0x103/0x680 [ 33.349113] [] ? default_llseek+0x290/0x290 [ 33.355066] [] ? __might_sleep+0x95/0x1a0 [ 33.360839] [] ? __inode_security_revalidate+0xd9/0x130 [ 33.367819] [] ? avc_policy_seqno+0x9/0x20 [ 33.373671] [] ? selinux_file_permission+0x82/0x460 [ 33.380308] [] ? security_file_permission+0x89/0x1e0 [ 33.387029] [] ? rw_verify_area+0xe5/0x2b0 [ 33.392881] [] vfs_write+0x170/0x4e0 [ 33.398209] [] SyS_write+0xd9/0x1b0 [ 33.403466] [] ? SyS_read+0x1b0/0x1b0 [ 33.408889] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.415439] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.422072] Object at ffff8801c7c78140, in cache kmalloc-256 size: 256 [ 33.428705] Allocated: [ 33.431167] PID = 3280 [ 33.433633] save_stack_trace+0x16/0x20 [ 33.437578] save_stack+0x43/0xd0 [ 33.441170] kasan_kmalloc+0xad/0xe0 [ 33.444847] __kmalloc+0x11d/0x310 [ 33.448352] sg_build_indirect.isra.23+0x8b/0x550 [ 33.453162] sg_build_reserve+0x8d/0xb0 [ 33.457099] sg_open+0x946/0x15a0 [ 33.460517] chrdev_open+0x22b/0x4c0 [ 33.464223] do_dentry_open+0x607/0xc60 [ 33.468167] vfs_open+0x105/0x220 [ 33.471585] path_openat+0x64c/0x2a60 [ 33.475522] do_filp_open+0x197/0x290 [ 33.479287] do_sys_open+0x352/0x4c0 [ 33.482965] SyS_open+0x2d/0x40 [ 33.486213] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.490934] Freed: [ 33.493047] PID = 3281 [ 33.495512] save_stack_trace+0x16/0x20 [ 33.499456] save_stack+0x43/0xd0 [ 33.502891] kasan_slab_free+0x73/0xc0 [ 33.506745] kfree+0xf0/0x2f0 [ 33.509817] sg_remove_scat.isra.20+0x212/0x2d0 [ 33.514450] sg_ioctl+0x12d0/0x29f0 [ 33.518040] do_vfs_ioctl+0x1aa/0x10c0 [ 33.521893] SyS_ioctl+0x8f/0xc0 [ 33.525241] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.529963] Memory state around the buggy address: [ 33.534860] ffff8801c7c78000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.542193] ffff8801c7c78080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.549524] >ffff8801c7c78100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 33.556860] ^ [ 33.562279] ffff8801c7c78180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 33.569608] ffff8801c7c78200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 33.576931] ================================================================== [ 33.585266] ================================================================== [ 33.592608] BUG: KASAN: wild-memory-access on address ffe70874499f6000 [ 33.599241] Write of size 38 by task syz-executor0/3280 [ 33.604572] CPU: 0 PID: 3280 Comm: syz-executor0 Tainted: G B 4.9.44-gbf7ef8f #34 [ 33.613284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.622617] ffff8801c6077448 ffffffff81d929c9 ffff8801c6077618 0000000000000026 [ 33.630574] 0000000000000001 ffff8801c6077840 ffe70874499f6000 ffff8801c60774d0 [ 33.638524] ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284 [ 33.646476] Call Trace: [ 33.649034] [] dump_stack+0xc1/0x128 [ 33.654364] [] kasan_report.part.1+0x40f/0x500 [ 33.660566] [] ? copy_page_from_iter+0x1a4/0x5d0 [ 33.666958] [] ? __might_fault+0xe4/0x1d0 [ 33.672722] [] kasan_report+0x20/0x30 [ 33.678137] [] check_memory_region+0x137/0x190 [ 33.684335] [] kasan_check_write+0x14/0x20 [ 33.690185] [] copy_page_from_iter+0x1a4/0x5d0 [ 33.696390] [] bio_copy_user_iov+0xb05/0xea0 [ 33.702417] [] ? bio_uncopy_user+0x600/0x600 [ 33.708454] [] ? __bt_get+0x199/0x1f0 [ 33.713875] [] blk_rq_map_user_iov+0x237/0x790 [ 33.720074] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 33.726277] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.733259] [] ? __blk_mq_alloc_request+0x740/0xab0 [ 33.739894] [] ? import_single_range+0x1d4/0x2b0 [ 33.746276] [] blk_rq_map_user+0x111/0x1a0 [ 33.752148] [] ? blk_rq_map_user_iov+0x790/0x790 [ 33.758531] [] ? sg_res_in_use+0x1f/0x130 [ 33.764300] [] ? sg_res_in_use+0xea/0x130 [ 33.770066] [] ? _raw_read_unlock_irqrestore+0x45/0x70 [ 33.776964] [] sg_common_write.isra.24+0xc1a/0x17c0 [ 33.783599] [] ? sg_open+0x15a0/0x15a0 [ 33.789106] [] ? __might_fault+0xe4/0x1d0 [ 33.794872] [] ? check_stack_object+0x68/0x140 [ 33.801070] [] ? __check_object_size+0x174/0x3a9 [ 33.807444] [] sg_write+0x688/0xad0 [ 33.812687] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.818283] [] ? depot_save_stack+0x122/0x4a0 [ 33.824400] [] ? putname+0xee/0x130 [ 33.829643] [] ? save_stack+0xa3/0xd0 [ 33.835062] [] ? do_futex+0x3e8/0x1640 [ 33.840567] [] ? do_sys_open+0x252/0x4c0 [ 33.846244] [] ? SyS_open+0x2d/0x40 [ 33.851509] [] ? entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.858233] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.865230] [] ? __vma_link_file+0x10c/0x160 [ 33.871263] [] ? vma_wants_writenotify+0x51/0x380 [ 33.877727] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 33.884706] [] ? sg_ioctl+0x29f0/0x29f0 [ 33.890298] [] __vfs_write+0x103/0x680 [ 33.895799] [] ? default_llseek+0x290/0x290 [ 33.901735] [] ? __might_sleep+0x95/0x1a0 [ 33.907510] [] ? __inode_security_revalidate+0xd9/0x130 [ 33.914489] [] ? avc_policy_seqno+0x9/0x20 [ 33.920340] [] ? selinux_file_permission+0x82/0x460 [ 33.926972] [] ? security_file_permission+0x89/0x1e0 [ 33.933701] [] ? rw_verify_area+0xe5/0x2b0 [ 33.939548] [] vfs_write+0x170/0x4e0 [ 33.944875] [] SyS_write+0xd9/0x1b0 [ 33.950118] [] ? SyS_read+0x1b0/0x1b0 [ 33.955567] [] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.962117] [] entry_SYSCALL_64_fastpath+0x23/0xc6 [ 33.968659] ================================================================== [ 33.976198] ================================================================== [ 33.983526] BUG: KASAN: wild-memory-access on address ffe70874499f6000 [ 33.990160] Write of size 38 by task syz-executor0/3280 [ 33.995490] CPU: 0 PID: 3280 Comm: syz-executor0 Tainted: G B 4.9.44-gbf7ef8f #34 [ 34.004201] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.013524] ffff8801c60773f8 ffffffff81d929c9 ffe70874499f6000 0000000000000026 [ 34.021496] 0000000000000001 0000000020006fdb ffe70874499f6000 ffff8801c6077480 [ 34.029450] ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4 [ 34.037401] Call Trace: [ 34.039958] [] dump_stack+0xc1/0x128 [ 34.045290] [] kasan_report.part.1+0x40f/0x500 [ 34.051487] [] ? copy_user_handle_tail+0xb4/0xd0 [ 34.057870] [] ? retint_kernel+0x2d/0x2d [ 34.063580] [] kasan_report+0x20/0x30 [ 34.069030] [] check_memory_region+0x137/0x190 [ 34.076889] [] memset+0x23/0x40 [ 34.082390] [] copy_user_handle_tail+0xb4/0xd0 [ 34.088601] [] copy_page_from_iter+0x1c0/0x5d0 [ 34.094808] [] bio_copy_user_iov+0xb05/0xea0 [ 34.100859] [] ? bio_uncopy_user+0x600/0x600 [ 34.106888] [] ? __bt_get+0x199/0x1f0 [ 34.112307] [] blk_rq_map_user_iov+0x237/0x790 [ 34.118504] [] ? blk_rq_append_bio+0x1a0/0x1a0 [ 34.124706] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 34.131682] [] ? __blk_mq_alloc_request+0x740/0xab0 [ 34.138316] [] ? import_single_range+0x1d4/0x2b0 [ 34.144687] [] blk_rq_map_user+0x111/0x1a0 [ 34.150546] [] ? blk_rq_map_user_iov+0x790/0x790 [ 34.156918] [] ? sg_res_in_use+0x1f/0x130 [ 34.162679] [] ? sg_res_in_use+0xea/0x130 [ 34.168449] [] ? _raw_read_unlock_irqrestore+0x45/0x70