Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'ci-android-49-kasan-gce-6,10.128.0.10' (ECDSA) to the list of known hosts.
Warning: Permanently added '[ssh-serialport.googleapis.com]:9600,[216.239.38.127]:9600' (RSA) to the list of known hosts.
2017/07/22 15:55:37 parsed 1 programs
2017/07/22 15:55:37 executed programs: 0
serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-6 port 1 (session ID: f2117e1817f0307e0d5c0556560be2750bec59602507ff62e9423d68047999ca, active connections: 1).
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
2017/07/22 15:55:42 executed programs: 349
2017/07/22 15:55:47 executed programs: 630
2017/07/22 15:55:52 executed programs: 921
2017/07/22 15:55:57 executed programs: 1207
2017/07/22 15:56:02 executed programs: 1491
2017/07/22 15:56:08 executed programs: 1774
2017/07/22 15:56:13 executed programs: 2062
2017/07/22 15:56:18 executed programs: 2349
2017/07/22 15:56:23 executed programs: 2634
2017/07/22 15:56:28 executed programs: 2911
2017/07/22 15:56:33 executed programs: 3189
2017/07/22 15:56:38 executed programs: 3476
2017/07/22 15:56:43 executed programs: 3759
2017/07/22 15:56:48 executed programs: 4049
2017/07/22 15:56:53 executed programs: 4338
2017/07/22 15:56:58 executed programs: 4620
2017/07/22 15:57:03 executed programs: 4902
2017/07/22 15:57:08 executed programs: 5188
2017/07/22 15:57:13 executed programs: 5471
2017/07/22 15:57:18 executed programs: 5751
2017/07/22 15:57:23 executed programs: 6042
2017/07/22 15:57:28 executed programs: 6330
2017/07/22 15:57:33 executed programs: 6615
2017/07/22 15:57:38 executed programs: 6898
2017/07/22 15:57:43 executed programs: 7187
syzkaller login: [ 1246.709244] ==================================================================
[ 1246.710845] BUG: KASAN: use-after-free in do_get_mempolicy+0xb41/0xba0 at addr ffff8801d867e0a6
[ 1246.712563] Read of size 2 by task syz-executor7/30145
[ 1246.713604] CPU: 1 PID: 30145 Comm: syz-executor7 Not tainted 4.9.39-g5b07c2d #4
[ 1246.714802] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1246.716108]  ffff8801c7f3fcf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801d867e0a0
[ 1246.717584]  ffff8801d867e0b8 ffffed003b0cfc14 ffff8801d867e0a6 ffff8801c7f3fd20
[ 1246.719098]  ffffffff81546bfc ffffed003b0cfc14 ffff8801dac0ec80 0000000000000000
[ 1246.720279] Call Trace:
[ 1246.720755]  [] dump_stack+0xc1/0x128
[ 1246.721581]  [] kasan_object_err+0x1c/0x70
[ 1246.722425]  [] kasan_report.part.1+0x20d/0x4e0
[ 1246.723490]  [] ? do_get_mempolicy+0xb41/0xba0
[ 1246.724327]  [] ? call_rwsem_wake+0x1b/0x30
[ 1246.725178]  [] __asan_report_load2_noabort+0x29/0x30
[ 1246.726538]  [] do_get_mempolicy+0xb41/0xba0
[ 1246.727386]  [] ? sp_free+0x60/0x60
[ 1246.728081]  [] SyS_get_mempolicy+0xc3/0x190
[ 1246.728992]  [] ? SyS_migrate_pages+0x710/0x710
[ 1246.734043]  [] ? SyS_mbind+0xe6/0x150
[ 1246.739469]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 1246.746129]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 1246.752952]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 1246.759548]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1246.766098] Object at ffff8801d867e0a0, in cache numa_policy size: 24
[ 1246.772642] Allocated:
[ 1246.775111] PID = 30145
[ 1246.777687]  save_stack_trace+0x16/0x20
[ 1246.781633]  save_stack+0x43/0xd0
[ 1246.785069]  kasan_kmalloc+0xad/0xe0
[ 1246.788750]  kasan_slab_alloc+0x12/0x20
[ 1246.792694]  kmem_cache_alloc+0xc9/0x2a0
[ 1246.796728]  __mpol_dup+0x79/0x3c0
[ 1246.800237]  do_mbind+0x71e/0xb30
[ 1246.803672]  SyS_mbind+0x13b/0x150
[ 1246.807180]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1246.811899] Freed:
[ 1246.814018] PID = 30128
[ 1246.816571]  save_stack_trace+0x16/0x20
[ 1246.820511]  save_stack+0x43/0xd0
[ 1246.823936]  kasan_slab_free+0x73/0xc0
[ 1246.827805]  kmem_cache_free+0xb2/0x2e0
[ 1246.831780]  __mpol_put+0x26/0x30
[ 1246.835202]  remove_vma+0x12b/0x1a0
[ 1246.838800]  do_munmap+0x7ff/0xeb0
[ 1246.842308]  mmap_region+0x14d/0xfe0
[ 1246.845990]  do_mmap+0x595/0xbe0
[ 1246.849327]  vm_mmap_pgoff+0x158/0x1a0
[ 1246.853183]  SyS_mmap_pgoff+0x1fc/0x580
[ 1246.857127]  SyS_mmap+0x16/0x20
[ 1246.860378]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1246.865109] Memory state around the buggy address:
[ 1246.870009]  ffff8801d867df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1246.877337]  ffff8801d867e000: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 1246.884664] >ffff8801d867e080: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 1246.891994]                                ^
[ 1246.896383]  ffff8801d867e100: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 1246.903711]  ffff8801d867e180: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 1246.911037] ==================================================================
[ 1246.918378] Disabling lock debugging due to kernel taint
[ 1246.952502] ==================================================================
[ 1246.959908] BUG: KASAN: use-after-free in do_get_mempolicy+0xb23/0xba0 at addr ffff8801d867e0b0
[ 1246.968716] Read of size 8 by task syz-executor7/30145
[ 1246.973976] CPU: 1 PID: 30145 Comm: syz-executor7 Tainted: G B 4.9.39-g5b07c2d #4
[ 1246.982696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1246.992022]  ffff8801c7f3fcf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801d867e0a0
[ 1247.000020]  ffff8801d867e0b8 ffffed003b0cfc16 ffff8801d867e0b0 ffff8801c7f3fd20
[ 1247.008057]  ffffffff81546bfc ffffed003b0cfc16 ffff8801dac0ec80 0000000000000000
[ 1247.016030] Call Trace:
[ 1247.018596]  [] dump_stack+0xc1/0x128
[ 1247.023931]  [] kasan_object_err+0x1c/0x70
[ 1247.029697]  [] kasan_report.part.1+0x20d/0x4e0
[ 1247.035911]  [] ? do_get_mempolicy+0xb23/0xba0
[ 1247.042029]  [] __asan_report_load8_noabort+0x29/0x30
[ 1247.048782]  [] do_get_mempolicy+0xb23/0xba0
[ 1247.054725]  [] ? sp_free+0x60/0x60
[ 1247.059887]  [] SyS_get_mempolicy+0xc3/0x190
[ 1247.065840]  [] ? SyS_migrate_pages+0x710/0x710
[ 1247.072044]  [] ? SyS_mbind+0xe6/0x150
[ 1247.077465]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 1247.084103]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 1247.090917]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 1247.097465]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1247.104016] Object at ffff8801d867e0a0, in cache numa_policy size: 24
[ 1247.110561] Allocated:
[ 1247.113028] PID = 30145
[ 1247.115598]  save_stack_trace+0x16/0x20
[ 1247.119539]  save_stack+0x43/0xd0
[ 1247.122960]  kasan_kmalloc+0xad/0xe0
[ 1247.126640]  kasan_slab_alloc+0x12/0x20
[ 1247.130597]  kmem_cache_alloc+0xc9/0x2a0
[ 1247.134628]  __mpol_dup+0x79/0x3c0
[ 1247.138136]  do_mbind+0x71e/0xb30
[ 1247.141556]  SyS_mbind+0x13b/0x150
[ 1247.145065]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1247.149802] Freed:
[ 1247.151918] PID = 30128
[ 1247.154471]  save_stack_trace+0x16/0x20
[ 1247.158415]  save_stack+0x43/0xd0
[ 1247.161837]  kasan_slab_free+0x73/0xc0
[ 1247.165692]  kmem_cache_free+0xb2/0x2e0
[ 1247.169637]  __mpol_put+0x26/0x30
[ 1247.173059]  remove_vma+0x12b/0x1a0
[ 1247.176652]  do_munmap+0x7ff/0xeb0
[ 1247.180161]  mmap_region+0x14d/0xfe0
[ 1247.183843]  do_mmap+0x595/0xbe0
[ 1247.187179]  vm_mmap_pgoff+0x158/0x1a0
[ 1247.191034]  SyS_mmap_pgoff+0x1fc/0x580
[ 1247.194994]  SyS_mmap+0x16/0x20
[ 1247.198243]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1247.202963] Memory state around the buggy address:
[ 1247.207877]  ffff8801d867df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1247.215205]  ffff8801d867e000: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 1247.222533] >ffff8801d867e080: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 1247.229881]                                      ^
[ 1247.234777]  ffff8801d867e100: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 1247.242104]  ffff8801d867e180: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 1247.249430] ==================================================================
[ 1247.258794] ==================================================================
[ 1247.266146] BUG: KASAN: use-after-free in do_get_mempolicy+0xaee/0xba0 at addr ffff8801d867e0a6
[ 1247.274953] Read of size 2 by task syz-executor7/30145
[ 1247.280212] CPU: 1 PID: 30145 Comm: syz-executor7 Tainted: G B 4.9.39-g5b07c2d #4
[ 1247.288926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1247.298250]  ffff8801c7f3fcf8 ffffffff81eacd59 ffff8801dac0ec80 ffff8801d867e0a0
[ 1247.306241]  ffff8801d867e0b8 ffffed003b0cfc14 ffff8801d867e0a6 ffff8801c7f3fd20
[ 1247.314223]  ffffffff81546bfc ffffed003b0cfc14 ffff8801dac0ec80 0000000000000000
[ 1247.322192] Call Trace:
[ 1247.324758]  [] dump_stack+0xc1/0x128
[ 1247.330097]  [] kasan_object_err+0x1c/0x70
[ 1247.335871]  [] kasan_report.part.1+0x20d/0x4e0
[ 1247.342101]  [] ? do_get_mempolicy+0xaee/0xba0
[ 1247.348218]  [] __asan_report_load2_noabort+0x29/0x30
[ 1247.354943]  [] do_get_mempolicy+0xaee/0xba0
[ 1247.360886]  [] ? sp_free+0x60/0x60
[ 1247.366046]  [] SyS_get_mempolicy+0xc3/0x190
[ 1247.371988]  [] ? SyS_migrate_pages+0x710/0x710
[ 1247.378188]  [] ? SyS_mbind+0xe6/0x150
[ 1247.383624]  [] ? entry_SYSCALL_64_fastpath+0x5/0xc6
[ 1247.390264]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 1247.397077]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 1247.403640]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1247.410190] Object at ffff8801d867e0a0, in cache numa_policy size: 24
[ 1247.416733] Allocated:
[ 1247.419203] PID = 30145
[ 1247.421763]  save_stack_trace+0x16/0x20
[ 1247.425710]  save_stack+0x43/0xd0
[ 1247.429148]  kasan_kmalloc+0xad/0xe0
[ 1247.432832]  kasan_slab_alloc+0x12/0x20
[ 1247.436772]  kmem_cache_alloc+0xc9/0x2a0
[ 1247.440801]  __mpol_dup+0x79/0x3c0
[ 1247.444310]  do_mbind+0x71e/0xb30
[ 1247.447731]  SyS_mbind+0x13b/0x150
[ 1247.451240]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1247.455958] Freed:
[ 1247.458075] PID = 30128
[ 1247.460629]  save_stack_trace+0x16/0x20
[ 1247.464571]  save_stack+0x43/0xd0
[ 1247.467995]  kasan_slab_free+0x73/0xc0
[ 1247.471853]  kmem_cache_free+0xb2/0x2e0
[ 1247.475798]  __mpol_put+0x26/0x30
[ 1247.479222]  remove_vma+0x12b/0x1a0
[ 1247.482818]  do_munmap+0x7ff/0xeb0
[ 1247.486327]  mmap_region+0x14d/0xfe0
[ 1247.490007]  do_mmap+0x595/0xbe0
[ 1247.493373]  vm_mmap_pgoff+0x158/0x1a0
[ 1247.497231]  SyS_mmap_pgoff+0x1fc/0x580
[ 1247.501175]  SyS_mmap+0x16/0x20
[ 1247.504425]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 1247.509148] Memory state around the buggy address:
[ 1247.514067]  ffff8801d867df80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1247.521394]  ffff8801d867e000: fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb
[ 1247.528724] >ffff8801d867e080: fb fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb
[ 1247.536064]                                ^
[ 1247.540443]  ffff8801d867e100: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
[ 1247.547770]  ffff8801d867e180: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
[ 1247.555127] ==================================================================