Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.0.35' (ECDSA) to the list of known hosts.
serialport: Connected to syzkaller.us-central1-c.ci-android-49-kasan-gce-8 port 1 (session ID: 818c49ad5cc66e04782b03028824f75d983c2742db7bfd167e07ee4be6f39c09, active connections: 1).
INIT: Entering runlevel: 2

[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

2017/07/26 05:52:45 parsed 1 programs
2017/07/26 05:52:45 executed programs: 0
syzkaller login: [   99.082264] hrtimer: interrupt took 21967 ns
2017/07/26 05:52:50 executed programs: 380
2017/07/26 05:52:55 executed programs: 677
[  109.009458] sg_write: data in/out 171756805/34 bytes for SCSI command 0x55-- guessing data in;
[  109.009458]    program syz-executor6 not setting count and/or reply_len properly
[  109.030308] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[  109.030308]    program syz-executor7 not setting count and/or reply_len properly
[  109.075570] sg_write: data in/out 171756805/34 bytes for SCSI command 0x55-- guessing data in;
[  109.075570]    program syz-executor6 not setting count and/or reply_len properly
[  109.170298] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[  109.170298]    program syz-executor1 not setting count and/or reply_len properly
[  112.662823] sg_write: data in/out 102929522/34 bytes for SCSI command 0xde-- guessing data in;
[  112.662823]    program syz-executor7 not setting count and/or reply_len properly
[  112.717425] sg_write: data in/out 102929522/34 bytes for SCSI command 0xde-- guessing data in;
[  112.717425]    program syz-executor7 not setting count and/or reply_len properly
[  113.339714] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[  113.339714]    program syz-executor6 not setting count and/or reply_len properly
[  113.356471] sg_write: data in/out 1453903184/34 bytes for SCSI command 0x33-- guessing data in;
[  113.356471]    program syz-executor0 not setting count and/or reply_len properly
[  113.422191] sg_write: data in/out 1006076092/34 bytes for SCSI command 0x3d-- guessing data in;
[  113.422191]    program syz-executor3 not setting count and/or reply_len properly
2017/07/26 05:53:00 executed programs: 971
[  114.416009] ==================================================================
[  114.423392] BUG: KASAN: use-after-free in bio_copy_user_iov+0xcdf/0xe50 at addr ffff8801d9317c80
[  114.432298] Read of size 8 by task syz-executor4/7270
[  114.437468] CPU: 0 PID: 7270 Comm: syz-executor4 Not tainted 4.9.39-g72a0c9f #6
[  114.444892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  114.454226]  ffff8801d5fcf4f0 ffffffff81eacd59 ffff8801dac013c0 ffff8801d9317c80
[  114.462282]  ffff8801d9317d80 ffffed003b262f90 ffff8801d9317c80 ffff8801d5fcf518
[  114.470286]  ffffffff81546bfc ffffed003b262f90 ffff8801dac013c0 0000000000000000
[  114.478295] Call Trace:
[  114.480892]  [<ffffffff81eacd59>] dump_stack+0xc1/0x128
[  114.486250]  [<ffffffff81546bfc>] kasan_object_err+0x1c/0x70
[  114.492031]  [<ffffffff81546ead>] kasan_report.part.1+0x20d/0x4e0
[  114.498257]  [<ffffffff81e02780>] ? bvec_alloc+0x2d0/0x2d0
[  114.503864]  [<ffffffff81e051cf>] ? bio_copy_user_iov+0xcdf/0xe50
[  114.510093]  [<ffffffff815410e8>] ? __kmalloc+0x128/0x320
[  114.515631]  [<ffffffff81547239>] __asan_report_load8_noabort+0x29/0x30
[  114.522371]  [<ffffffff81e051cf>] bio_copy_user_iov+0xcdf/0xe50
[  114.528449]  [<ffffffff81e044f0>] ? bio_uncopy_user+0x5e0/0x5e0
[  114.534523]  [<ffffffff81f5d72b>] ? __sbitmap_queue_get+0xfb/0x230
[  114.540826]  [<ffffffff81e3665f>] blk_rq_map_user_iov+0x22f/0x770
[  114.547053]  [<ffffffff81e36430>] ? blk_rq_append_bio+0x1a0/0x1a0
[  114.553290]  [<ffffffff81237fb0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[  114.560300]  [<ffffffff81225bf0>] ? init_wait_entry+0x100/0x100
[  114.566418]  [<ffffffff81e538ee>] ? blk_mq_get_tag+0x13e/0x230
[  114.572373]  [<ffffffff81eeaeb4>] ? import_single_range+0x1d4/0x2b0
[  114.578763]  [<ffffffff81e36ca9>] blk_rq_map_user+0x109/0x180
[  114.584643]  [<ffffffff81e36ba0>] ? blk_rq_map_user_iov+0x770/0x770
[  114.591045]  [<ffffffff82786e9f>] ? sg_res_in_use+0x1f/0x130
[  114.596823]  [<ffffffff8396564a>] ? _raw_read_unlock_irqrestore+0x5a/0x70
[  114.603732]  [<ffffffff83965635>] ? _raw_read_unlock_irqrestore+0x45/0x70
[  114.610656]  [<ffffffff8278f982>] sg_common_write.isra.21+0xc12/0x17a0
[  114.617315]  [<ffffffff8278ed70>] ? sg_open+0x1590/0x1590
[  114.622835]  [<ffffffff814bcf14>] ? __might_fault+0x114/0x1d0
[  114.628705]  [<ffffffff82793d1b>] sg_write+0x68b/0xb10
[  114.633981]  [<ffffffff812d6983>] ? drop_futex_key_refs.isra.12+0x63/0xd0
[  114.640883]  [<ffffffff82793690>] ? sg_ioctl+0x29d0/0x29d0
[  114.646484]  [<ffffffff81238619>] ? __lock_acquire+0x669/0x3db0
[  114.652527]  [<ffffffff812ddbb3>] ? do_futex+0x3d3/0x1600
[  114.658056]  [<ffffffff8156a638>] ? khugepaged_enter_vma_merge+0x78/0x220
[  114.664965]  [<ffffffff814dced1>] ? vma_wants_writenotify+0x51/0x380
[  114.671442]  [<ffffffff81237fb0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[  114.678455]  [<ffffffff82793690>] ? sg_ioctl+0x29d0/0x29d0
[  114.684063]  [<ffffffff81572d6b>] __vfs_write+0xfb/0x660
[  114.689540]  [<ffffffff81572c70>] ? default_llseek+0x290/0x290
[  114.695491]  [<ffffffff81282f37>] ? debug_lockdep_rcu_enabled+0x77/0x90
[  114.702254]  [<ffffffff81d7beff>] ? common_file_perm+0x14f/0x390
[  114.708409]  [<ffffffff81d7c3a2>] ? apparmor_file_permission+0x22/0x30
[  114.715086]  [<ffffffff81cf8459>] ? security_file_permission+0x89/0x1e0
[  114.721817]  [<ffffffff81576785>] ? rw_verify_area+0xe5/0x2b0
[  114.727687]  [<ffffffff81576df0>] vfs_write+0x170/0x4e0
[  114.733033]  [<ffffffff8157a724>] SyS_write+0xd4/0x1a0
[  114.738285]  [<ffffffff8157a650>] ? SyS_read+0x1a0/0x1a0
[  114.743712]  [<ffffffff812377db>] ? trace_hardirqs_on_caller+0x38b/0x590
[  114.750534]  [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[  114.757099]  [<ffffffff83965985>] entry_SYSCALL_64_fastpath+0x23/0xc6
[  114.763673] Object at ffff8801d9317c80, in cache kmalloc-256 size: 256
[  114.770311] Allocated:
[  114.772778] PID = 7280
[  114.775254]  save_stack_trace+0x16/0x20
[  114.779190]  save_stack+0x43/0xd0
[  114.782603]  kasan_kmalloc+0xad/0xe0
[  114.786279]  __kmalloc+0x128/0x320
[  114.789781]  sg_build_indirect.isra.20+0x8b/0x550
[  114.794590]  sg_build_reserve+0x8d/0xb0
[  114.798533]  sg_open+0x92b/0x1590
[  114.801952]  chrdev_open+0x227/0x4a0
[  114.805630]  do_dentry_open+0x607/0xc60
[  114.809564]  vfs_open+0x105/0x220
[  114.812978]  path_openat+0x644/0x2a40
[  114.816740]  do_filp_open+0x18b/0x270
[  114.820502]  do_sys_open+0x336/0x4b0
[  114.824185]  SyS_open+0x2d/0x40
[  114.827426]  entry_SYSCALL_64_fastpath+0x23/0xc6
[  114.832141] Freed:
[  114.834250] PID = 7280
[  114.836713]  save_stack_trace+0x16/0x20
[  114.840651]  save_stack+0x43/0xd0
[  114.844067]  kasan_slab_free+0x73/0xc0
[  114.847920]  kfree+0xf0/0x2f0
[  114.850991]  sg_remove_scat.isra.17+0x212/0x2d0
[  114.855624]  sg_ioctl+0x12b5/0x29d0
[  114.859210]  do_vfs_ioctl+0x194/0x1070
[  114.863058]  SyS_ioctl+0x8f/0xc0
[  114.866388]  entry_SYSCALL_64_fastpath+0x23/0xc6
[  114.871117] Memory state around the buggy address:
[  114.876006]  ffff8801d9317b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.883330]  ffff8801d9317c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  114.890652] >ffff8801d9317c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.897974]                    ^
[  114.901303]  ffff8801d9317d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.908624]  ffff8801d9317d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[  114.915945] ==================================================================
[  114.923266] Disabling lock debugging due to kernel taint
[  114.932310] ==================================================================
[  114.939683] BUG: KASAN: wild-memory-access on address ffe708754477d000
[  114.946341] Write of size 38 by task syz-executor4/7270
[  114.951682] CPU: 1 PID: 7270 Comm: syz-executor4 Tainted: G    B           4.9.39-g72a0c9f #6
[  114.960315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  114.969635]  ffff8801d5fcf470 ffffffff81eacd59 ffff8801d5fcf630 0000000000000026
[  114.977590]  0000000000000001 ffe708754477d000 ffe708754477d000 ffff8801d5fcf4f0
[  114.985543]  ffffffff815470a0 0000000000000001 ffff8801d5fcf500 ffffffff81ef5faa
[  114.993482] Call Trace:
[  114.996037]  [<ffffffff81eacd59>] dump_stack+0xc1/0x128
[  115.001368]  [<ffffffff815470a0>] kasan_report.part.1+0x400/0x4e0
[  115.007567]  [<ffffffff81ef5faa>] ? copy_page_from_iter+0x1aa/0x5c0
[  115.013946]  [<ffffffff814bcee4>] ? __might_fault+0xe4/0x1d0
[  115.019721]  [<ffffffff814bcf14>] ? __might_fault+0x114/0x1d0
[  115.025575]  [<ffffffff81547440>] kasan_report+0x20/0x30
[  115.030988]  [<ffffffff81545dc7>] check_memory_region+0x137/0x190
[  115.037182]  [<ffffffff81545e54>] kasan_check_write+0x14/0x20
[  115.043043]  [<ffffffff81ef5faa>] copy_page_from_iter+0x1aa/0x5c0
[  115.049240]  [<ffffffff81e04fbc>] bio_copy_user_iov+0xacc/0xe50
[  115.055260]  [<ffffffff81e044f0>] ? bio_uncopy_user+0x5e0/0x5e0
[  115.061283]  [<ffffffff81e3665f>] blk_rq_map_user_iov+0x22f/0x770
[  115.067523]  [<ffffffff81e36430>] ? blk_rq_append_bio+0x1a0/0x1a0
[  115.073766]  [<ffffffff81237fb0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[  115.080750]  [<ffffffff81225bf0>] ? init_wait_entry+0x100/0x100
[  115.086772]  [<ffffffff81e538ee>] ? blk_mq_get_tag+0x13e/0x230
[  115.092708]  [<ffffffff81eeaeb4>] ? import_single_range+0x1d4/0x2b0
[  115.099093]  [<ffffffff81e36ca9>] blk_rq_map_user+0x109/0x180
[  115.104945]  [<ffffffff81e36ba0>] ? blk_rq_map_user_iov+0x770/0x770
[  115.111341]  [<ffffffff82786e9f>] ? sg_res_in_use+0x1f/0x130
[  115.117123]  [<ffffffff8396564a>] ? _raw_read_unlock_irqrestore+0x5a/0x70
[  115.124028]  [<ffffffff83965635>] ? _raw_read_unlock_irqrestore+0x45/0x70
[  115.130917]  [<ffffffff8278f982>] sg_common_write.isra.21+0xc12/0x17a0
[  115.137549]  [<ffffffff8278ed70>] ? sg_open+0x1590/0x1590
[  115.143050]  [<ffffffff814bcf14>] ? __might_fault+0x114/0x1d0
[  115.148898]  [<ffffffff82793d1b>] sg_write+0x68b/0xb10
[  115.154139]  [<ffffffff812d6983>] ? drop_futex_key_refs.isra.12+0x63/0xd0
[  115.161030]  [<ffffffff82793690>] ? sg_ioctl+0x29d0/0x29d0
[  115.166622]  [<ffffffff81238619>] ? __lock_acquire+0x669/0x3db0
[  115.172643]  [<ffffffff812ddbb3>] ? do_futex+0x3d3/0x1600
[  115.178144]  [<ffffffff8156a638>] ? khugepaged_enter_vma_merge+0x78/0x220
[  115.185034]  [<ffffffff814dced1>] ? vma_wants_writenotify+0x51/0x380
[  115.191488]  [<ffffffff81237fb0>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[  115.198467]  [<ffffffff82793690>] ? sg_ioctl+0x29d0/0x29d0
[  115.204057]  [<ffffffff81572d6b>] __vfs_write+0xfb/0x660
[  115.209530]  [<ffffffff81572c70>] ? default_llseek+0x290/0x290
[  115.215466]  [<ffffffff81282f37>] ? debug_lockdep_rcu_enabled+0x77/0x90
[  115.222181]  [<ffffffff81d7beff>] ? common_file_perm+0x14f/0x390
[  115.228300]  [<ffffffff81d7c3a2>] ? apparmor_file_permission+0x22/0x30
[  115.234929]  [<ffffffff81cf8459>] ? security_file_permission+0x89/0x1e0
[  115.241648]  [<ffffffff81576785>] ? rw_verify_area+0xe5/0x2b0
[  115.247513]  [<ffffffff81576df0>] vfs_write+0x170/0x4e0
[  115.252839]  [<ffffffff8157a724>] SyS_write+0xd4/0x1a0
[  115.258079]  [<ffffffff8157a650>] ? SyS_read+0x1a0/0x1a0
[  115.263495]  [<ffffffff812377db>] ? trace_hardirqs_on_caller+0x38b/0x590
[  115.270305]  [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[  115.276848]  [<ffffffff83965985>] entry_SYSCALL_64_fastpath+0x23/0xc6
[  115.283386] ==================================================================
[  115.291478] ==================================================================
[  115.298835] BUG: KASAN: wild-memory-access on address ffe708754477d000
[  115.305461] Write of size 38 by task syz-executor4/7270
[  115.310785] CPU: 1 PID: 7270 Comm: syz-executor4 Tainted: G    B           4.9.39-g72a0c9f #6
[  115.319409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  115.328733]  ffff8801d5fcf420 ffffffff81eacd59 ffe708754477d000 0000000000000026
[  115.336695]  0000000000000001 0000000020006fdb ffe708754477d000 ffff8801d5fcf4a0
[  115.344631]  ffffffff815470a0 0000000000000000 ffff8801d5fcf458 ffffffff81edff24
[  115.352640] Call Trace:
[  115.355194]  [<ffffffff81eacd59>] dump_stack+0xc1/0x128
[  115.360524]  [<ffffffff815470a0>] kasan_report.part.1+0x400/0x4e0
[  115.366727]  [<ffffffff81edff24>] ? copy_user_handle_tail+0xb4/0xd0
[  115.373111]  [<ffffffff839663b9>] ? retint_kernel+0x2d/0x2d
[  115.378786]  [<ffffffff81547440>] kasan_report+0x20/0x30
[  115.384200]  [<ffffffff81545dc7>] check_memory_region+0x137/0x190
[  115.390402]  [<ffffffff81546233>] memset+0x23/0x40
[  115.395302]  [<ffffffff81edff24>] copy_user_handle_tail+0xb4/0xd0
[  115.401504]  [<ffffffff81ef5fb9>] copy_page_from_iter+0x1b9/0x5c0
[  115.407704]  [<ffffffff81e04fbc>] bio_copy_user_iov+0xacc/0xe50
[  115.413732]  [<ffffffff81e044f0>] ? bio_uncopy_user+0x5e0/0x5e0