INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.15.209' (ECDSA) to the list of known hosts.
2017/08/20 08:32:27 parsed 1 programs
2017/08/20 08:32:27 executed programs: 0
syzkaller login: [ 36.370389] ==================================================================
[ 36.371482] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801d803a500
[ 36.372705] Read of size 8 by task syz-executor0/3266
[ 36.373390] CPU: 1 PID: 3266 Comm: syz-executor0 Not tainted 4.9.44-g6dda7ac #31
[ 36.374469] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.375918] ffff8801d877f4c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801d803a500
[ 36.377446] ffff8801d803a600 ffffed003b0074a0 ffff8801d803a500 ffff8801d877f4e8
[ 36.378652] ffffffff8153c5ec ffffed003b0074a0 ffff8801da0013c0 0000000000000000
[ 36.380027] Call Trace:
[ 36.380424] [<ffffffff81d929c9>] dump_stack+0xc1/0x128
[ 36.381152] [<ffffffff8153c5ec>] kasan_object_err+0x1c/0x70
[ 36.381965] [<ffffffff8153c8ac>] kasan_report.part.1+0x21c/0x500
[ 36.382810] [<ffffffff81cdff71>] ? bio_copy_user_iov+0xe61/0xea0
[ 36.383741] [<ffffffff8153cc49>] __asan_report_load8_noabort+0x29/0x30
[ 36.384643] [<ffffffff81cdff71>] bio_copy_user_iov+0xe61/0xea0
[ 36.385486] [<ffffffff81cdf110>] ? bio_uncopy_user+0x600/0x600
[ 36.386367] [<ffffffff81e4325b>] ? __sbitmap_queue_get+0xfb/0x230
[ 36.387263] [<ffffffff81d2fec9>] ? __bt_get+0x199/0x1f0
[ 36.388039] [<ffffffff81d13ec7>] blk_rq_map_user_iov+0x237/0x790
[ 36.388963] [<ffffffff81d13c90>] ? blk_rq_append_bio+0x1a0/0x1a0
[ 36.389783] [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.392045] [<ffffffff810d2ec9>] ? kvm_sched_clock_read+0x9/0x20
[ 36.398239] [<ffffffff81dd09b4>] ? import_single_range+0x1d4/0x2b0
[ 36.404614] [<ffffffff81d14531>] blk_rq_map_user+0x111/0x1a0
[ 36.410461] [<ffffffff81d14420>] ? blk_rq_map_user_iov+0x790/0x790
[ 36.416845] [<ffffffff8266011f>] ? sg_res_in_use+0x1f/0x130
[ 36.422604] [<ffffffff826601ea>] ? sg_res_in_use+0xea/0x130
[ 36.428366] [<ffffffff838a6485>] ? _raw_read_unlock_irqrestore+0x45/0x70
[ 36.435254] [<ffffffff82668c0a>] sg_common_write.isra.24+0xc1a/0x17c0
[ 36.441881] [<ffffffff82667ff0>] ? sg_open+0x15a0/0x15a0
[ 36.447383] [<ffffffff814c1104>] ? __might_fault+0xe4/0x1d0
[ 36.453156] [<ffffffff81562a38>] ? check_stack_object+0x68/0x140
[ 36.459358] [<ffffffff81562c84>] ? __check_object_size+0x174/0x3a9
[ 36.465738] [<ffffffff8266d028>] sg_write+0x688/0xad0
[ 36.470975] [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 36.476563] [<ffffffff81e41a32>] ? depot_save_stack+0x122/0x4a0
[ 36.482672] [<ffffffff815a272e>] ? putname+0xee/0x130
[ 36.487912] [<ffffffff8153b933>] ? save_stack+0xa3/0xd0
[ 36.493333] [<ffffffff812e3478>] ? do_futex+0x3e8/0x1640
[ 36.498834] [<ffffffff81569b02>] ? do_sys_open+0x252/0x4c0
[ 36.504507] [<ffffffff81569d9d>] ? SyS_open+0x2d/0x40
[ 36.509746] [<ffffffff838a6805>] ? entry_SYSCALL_64_fastpath+0x23/0xc6
[ 36.516471] [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.523462] [<ffffffff814daecc>] ? __vma_link_file+0x10c/0x160
[ 36.529490] [<ffffffff814e10a1>] ? vma_wants_writenotify+0x51/0x380
[ 36.535954] [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.542937] [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 36.548522] [<ffffffff8156a563>] __vfs_write+0x103/0x680
[ 36.554022] [<ffffffff8156a460>] ? default_llseek+0x290/0x290
[ 36.559955] [<ffffffff811ba935>] ? __might_sleep+0x95/0x1a0
[ 36.565721] [<ffffffff81be0a99>] ? __inode_security_revalidate+0xd9/0x130
[ 36.572708] [<ffffffff81bda5d9>] ? avc_policy_seqno+0x9/0x20
[ 36.578561] [<ffffffff81beaf72>] ? selinux_file_permission+0x82/0x460
[ 36.585191] [<ffffffff81bd1689>] ? security_file_permission+0x89/0x1e0
[ 36.591906] [<ffffffff8156e025>] ? rw_verify_area+0xe5/0x2b0
[ 36.597753] [<ffffffff8156e690>] vfs_write+0x170/0x4e0
[ 36.603083] [<ffffffff81572089>] SyS_write+0xd9/0x1b0
[ 36.608328] [<ffffffff81571fb0>] ? SyS_read+0x1b0/0x1b0
[ 36.613742] [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 36.620285] [<ffffffff838a6805>] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 36.626825] Object at ffff8801d803a500, in cache kmalloc-256 size: 256
[ 36.633452] Allocated:
[ 36.635908] PID = 3266
[ 36.638368] save_stack_trace+0x16/0x20
[ 36.642304] save_stack+0x43/0xd0
[ 36.645717] kasan_kmalloc+0xad/0xe0
[ 36.649392] __kmalloc+0x11d/0x310
[ 36.652896] sg_build_indirect.isra.23+0x8b/0x550
[ 36.657705] sg_build_reserve+0x8d/0xb0
[ 36.661641] sg_open+0x946/0x15a0
[ 36.665055] chrdev_open+0x22b/0x4c0
[ 36.668728] do_dentry_open+0x607/0xc60
[ 36.672661] vfs_open+0x105/0x220
[ 36.676076] path_openat+0x64c/0x2a60
[ 36.679839] do_filp_open+0x197/0x290
[ 36.683617] do_sys_open+0x352/0x4c0
[ 36.687290] SyS_open+0x2d/0x40
[ 36.690532] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 36.695250] Freed:
[ 36.697361] PID = 3267
[ 36.699822] save_stack_trace+0x16/0x20
[ 36.703758] save_stack+0x43/0xd0
[ 36.707173] kasan_slab_free+0x73/0xc0
[ 36.711021] kfree+0xf0/0x2f0
[ 36.714091] sg_remove_scat.isra.20+0x212/0x2d0
[ 36.718720] sg_ioctl+0x12d0/0x29f0
[ 36.722308] do_vfs_ioctl+0x1aa/0x10c0
[ 36.726160] SyS_ioctl+0x8f/0xc0
[ 36.729491] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 36.734203] Memory state around the buggy address:
[ 36.739095] ffff8801d803a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.746427] ffff8801d803a480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 36.753747] >ffff8801d803a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.761066] ^
[ 36.764395] ffff8801d803a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.771716] ffff8801d803a600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 36.779042] ==================================================================
[ 36.786641] ==================================================================
[ 36.793980] BUG: KASAN: wild-memory-access on address ffe70875c11d8000
[ 36.800607] Write of size 38 by task syz-executor0/3266
[ 36.805935] CPU: 1 PID: 3266 Comm: syz-executor0 Tainted: G B 4.9.44-g6dda7ac #31
[ 36.814648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.823972] ffff8801d877f448 ffffffff81d929c9 ffff8801d877f618 0000000000000026
[ 36.831913] 0000000000000001 ffff8801d877f840 ffe70875c11d8000 ffff8801d877f4d0
[ 36.839862] ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284
[ 36.847824] Call Trace:
[ 36.850378] [<ffffffff81d929c9>] dump_stack+0xc1/0x128
[ 36.855705] [<ffffffff8153ca9f>] kasan_report.part.1+0x40f/0x500
[ 36.861900] [<ffffffff81ddc284>] ? copy_page_from_iter+0x1a4/0x5d0
[ 36.868270] [<ffffffff814c1104>] ? __might_fault+0xe4/0x1d0
[ 36.874029] [<ffffffff8153ce70>] kasan_report+0x20/0x30
[ 36.879439] [<ffffffff8153b7b7>] check_memory_region+0x137/0x190
[ 36.885632] [<ffffffff8153b844>] kasan_check_write+0x14/0x20
[ 36.891480] [<ffffffff81ddc284>] copy_page_from_iter+0x1a4/0x5d0
[ 36.897687] [<ffffffff81cdfc15>] bio_copy_user_iov+0xb05/0xea0
[ 36.903709] [<ffffffff81cdf110>] ? bio_uncopy_user+0x600/0x600
[ 36.909732] [<ffffffff81d2fec9>] ? __bt_get+0x199/0x1f0
[ 36.915152] [<ffffffff81d13ec7>] blk_rq_map_user_iov+0x237/0x790
[ 36.921350] [<ffffffff81d13c90>] ? blk_rq_append_bio+0x1a0/0x1a0
[ 36.927555] [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.934547] [<ffffffff810d2ec9>] ? kvm_sched_clock_read+0x9/0x20
[ 36.940743] [<ffffffff81dd09b4>] ? import_single_range+0x1d4/0x2b0
[ 36.947116] [<ffffffff81d14531>] blk_rq_map_user+0x111/0x1a0
[ 36.952970] [<ffffffff81d14420>] ? blk_rq_map_user_iov+0x790/0x790
[ 36.959340] [<ffffffff8266011f>] ? sg_res_in_use+0x1f/0x130
[ 36.965098] [<ffffffff826601ea>] ? sg_res_in_use+0xea/0x130
[ 36.970875] [<ffffffff838a6485>] ? _raw_read_unlock_irqrestore+0x45/0x70
[ 36.977850] [<ffffffff82668c0a>] sg_common_write.isra.24+0xc1a/0x17c0
[ 36.984490] [<ffffffff82667ff0>] ? sg_open+0x15a0/0x15a0
[ 36.990002] [<ffffffff814c1104>] ? __might_fault+0xe4/0x1d0
[ 36.995766] [<ffffffff81562a38>] ? check_stack_object+0x68/0x140
[ 37.001961] [<ffffffff81562c84>] ? __check_object_size+0x174/0x3a9
[ 37.008333] [<ffffffff8266d028>] sg_write+0x688/0xad0
[ 37.013579] [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 37.019169] [<ffffffff81e41a32>] ? depot_save_stack+0x122/0x4a0
[ 37.025279] [<ffffffff815a272e>] ? putname+0xee/0x130
[ 37.030522] [<ffffffff8153b933>] ? save_stack+0xa3/0xd0
[ 37.035946] [<ffffffff812e3478>] ? do_futex+0x3e8/0x1640
[ 37.041457] [<ffffffff81569b02>] ? do_sys_open+0x252/0x4c0
[ 37.047142] [<ffffffff81569d9d>] ? SyS_open+0x2d/0x40
[ 37.052393] [<ffffffff838a6805>] ? entry_SYSCALL_64_fastpath+0x23/0xc6
[ 37.059111] [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 37.066087] [<ffffffff814daecc>] ? __vma_link_file+0x10c/0x160
[ 37.072108] [<ffffffff814e10a1>] ? vma_wants_writenotify+0x51/0x380
[ 37.078577] [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 37.085553] [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 37.091140] [<ffffffff8156a563>] __vfs_write+0x103/0x680
[ 37.096642] [<ffffffff8156a460>] ? default_llseek+0x290/0x290
[ 37.102579] [<ffffffff811ba935>] ? __might_sleep+0x95/0x1a0
[ 37.108344] [<ffffffff81be0a99>] ? __inode_security_revalidate+0xd9/0x130
[ 37.115327] [<ffffffff81bda5d9>] ? avc_policy_seqno+0x9/0x20
[ 37.121179] [<ffffffff81beaf72>] ? selinux_file_permission+0x82/0x460
[ 37.127811] [<ffffffff81bd1689>] ? security_file_permission+0x89/0x1e0
[ 37.134529] [<ffffffff8156e025>] ? rw_verify_area+0xe5/0x2b0
[ 37.140386] [<ffffffff8156e690>] vfs_write+0x170/0x4e0
[ 37.145724] [<ffffffff81572089>] SyS_write+0xd9/0x1b0
[ 37.150968] [<ffffffff81571fb0>] ? SyS_read+0x1b0/0x1b0
[ 37.156380] [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 37.162924] [<ffffffff838a6805>] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 37.169468] ==================================================================
[ 37.177016] ==================================================================
[ 37.184350] BUG: KASAN: wild-memory-access on address ffe70875c11d8000
[ 37.190976] Write of size 38 by task syz-executor0/3266
[ 37.196302] CPU: 1 PID: 3266 Comm: syz-executor0 Tainted: G B 4.9.44-g6dda7ac #31
[ 37.205014] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.214335] ffff8801d877f3f8 ffffffff81d929c9 ffe70875c11d8000 0000000000000026
[ 37.222296] 0000000000000001 0000000020006fdb ffe70875c11d8000 ffff8801d877f480
[ 37.230251] ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4
[ 37.238194] Call Trace:
[ 37.240745] [<ffffffff81d929c9>] dump_stack+0xc1/0x128
[ 37.246072] [<ffffffff8153ca9f>] kasan_report.part.1+0x40f/0x500
[ 37.252269] [<ffffffff81dc60d4>] ? copy_user_handle_tail+0xb4/0xd0
[ 37.258640] [<ffffffff838a7239>] ? retint_kernel+0x2d/0x2d
[ 37.264319] [<ffffffff8153ce70>] kasan_report+0x20/0x30
[ 37.269732] [<ffffffff8153b7b7>] check_memory_region+0x137/0x190
[ 37.275926] [<ffffffff8153bc23>] memset+0x23/0x40
[ 37.280819] [<ffffffff81dc60d4>] copy_user_handle_tail+0xb4/0xd0
[ 37.287014] [<ffffffff81ddc2a0>] copy_page_from_iter+0x1c0/0x5d0
[ 37.293209] [<ffffffff81cdfc15>] bio_copy_user_iov+0xb05/0xea0
[ 37.299232] [<ffffffff81cdf110>] ? bio_uncopy_user+0x600/0x600
[ 37.305251] [<ffffffff81d2fec9>] ? __bt_get+0x199/0x1f0
[ 37.310664] [<ffffffff81d13ec7>] blk_rq_map_user_iov+0x237/0x790
[ 37.316864] [<ffffffff81d13c90>] ? blk_rq_append_bio+0x1a0/0x1a0
[ 37.323067] [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 37.330043] [<ffffffff810d2ec9>] ? kvm_sched_clock_read+0x9/0x20
[ 37.336238] [<ffffffff81dd09b4>] ? import_single_range+0x1d4/0x2b0
[ 37.342605] [<ffffffff81d14531>] blk_rq_map_user+0x111/0x1a0
[ 37.348460] [<ffffffff81d14420>] ? blk_rq_map_user_iov+0x790/0x790
[ 37.354830] [<ffffffff8266011f>] ? sg_res_in_use+0x1f/0x130
[ 37.360608] [<ffffffff826601ea>] ? sg_res_in_use+0xea/0x130
[ 37.366373] [<ffffffff838a6485>] ? _raw_read_unlock_irqrestore+0x45/0x70