INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-2,10.128.0.52' (ECDSA) to the list of known hosts.
2017/08/21 06:49:20 parsed 1 programs
2017/08/21 06:49:20 executed programs: 0

syzkaller login: [ 56.356960] ==================================================================
[ 56.358044] BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 at addr ffff8801cce76000
[ 56.359220] Read of size 8 by task syz-executor0/3527
[ 56.360100] CPU: 0 PID: 3527 Comm: syz-executor0 Not tainted 4.9.44-g6dda7ac #31
[ 56.361169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.362396]  ffff8801d0f374c0 ffffffff81d929c9 ffff8801da0013c0 ffff8801cce76000
[ 56.363644]  ffff8801cce76100 ffffed00399cec00 ffff8801cce76000 ffff8801d0f374e8
[ 56.364896]  ffffffff8153c5ec ffffed00399cec00 ffff8801da0013c0 0000000000000000
[ 56.366417] Call Trace:
[ 56.366874]  [<ffffffff81d929c9>] dump_stack+0xc1/0x128
[ 56.367696]  [<ffffffff8153c5ec>] kasan_object_err+0x1c/0x70
[ 56.368517]  [<ffffffff8153c8ac>] kasan_report.part.1+0x21c/0x500
[ 56.369337]  [<ffffffff81cdff71>] ? bio_copy_user_iov+0xe61/0xea0
[ 56.370283]  [<ffffffff8153cc49>] __asan_report_load8_noabort+0x29/0x30
[ 56.371242]  [<ffffffff81cdff71>] bio_copy_user_iov+0xe61/0xea0
[ 56.372039]  [<ffffffff81cdf110>] ? bio_uncopy_user+0x600/0x600
[ 56.372877]  [<ffffffff81e4325b>] ? __sbitmap_queue_get+0xfb/0x230
[ 56.373707]  [<ffffffff81d2fec9>] ? __bt_get+0x199/0x1f0
[ 56.374445]  [<ffffffff81d13ec7>] blk_rq_map_user_iov+0x237/0x790
[ 56.375392]  [<ffffffff81d13c90>] ? blk_rq_append_bio+0x1a0/0x1a0
[ 56.376213]  [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 56.377384]  [<ffffffff810d2ec9>] ? kvm_sched_clock_read+0x9/0x20
[ 56.383583]  [<ffffffff81dd09b4>] ? import_single_range+0x1d4/0x2b0
[ 56.389986]  [<ffffffff81d14531>] blk_rq_map_user+0x111/0x1a0
[ 56.395837]  [<ffffffff81d14420>] ? blk_rq_map_user_iov+0x790/0x790
[ 56.402209]  [<ffffffff8266011f>] ? sg_res_in_use+0x1f/0x130
[ 56.407970]  [<ffffffff826601ea>] ? sg_res_in_use+0xea/0x130
[ 56.413739]  [<ffffffff838a6485>] ? _raw_read_unlock_irqrestore+0x45/0x70
[ 56.420649]  [<ffffffff82668c0a>] sg_common_write.isra.24+0xc1a/0x17c0
[ 56.427282]  [<ffffffff82667ff0>] ? sg_open+0x15a0/0x15a0
[ 56.432787]  [<ffffffff814c1104>] ? __might_fault+0xe4/0x1d0
[ 56.438843]  [<ffffffff81562a38>] ? check_stack_object+0x68/0x140
[ 56.445051]  [<ffffffff81562c84>] ? __check_object_size+0x174/0x3a9
[ 56.451446]  [<ffffffff8266d028>] sg_write+0x688/0xad0
[ 56.456689]  [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 56.462283]  [<ffffffff81db3e29>] ? format_decode+0x149/0x8f0
[ 56.468165]  [<ffffffff812e3478>] ? do_futex+0x3e8/0x1640
[ 56.473671]  [<ffffffff81df9acb>] ? check_preemption_disabled+0x3b/0x200
[ 56.480482]  [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 56.487461]  [<ffffffff8123b60d>] ? trace_hardirqs_on+0xd/0x10
[ 56.493417]  [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 56.499031]  [<ffffffff8156a563>] __vfs_write+0x103/0x680
[ 56.504533]  [<ffffffff8156a460>] ? default_llseek+0x290/0x290
[ 56.510471]  [<ffffffff811ba935>] ? __might_sleep+0x95/0x1a0
[ 56.516237]  [<ffffffff81be0a99>] ? __inode_security_revalidate+0xd9/0x130
[ 56.523222]  [<ffffffff81bda5d9>] ? avc_policy_seqno+0x9/0x20
[ 56.529072]  [<ffffffff81beaf72>] ? selinux_file_permission+0x82/0x460
[ 56.535709]  [<ffffffff81bd1689>] ? security_file_permission+0x89/0x1e0
[ 56.542428]  [<ffffffff8156e025>] ? rw_verify_area+0xe5/0x2b0
[ 56.548278]  [<ffffffff8156e690>] vfs_write+0x170/0x4e0
[ 56.553604]  [<ffffffff81572089>] SyS_write+0xd9/0x1b0
[ 56.558844]  [<ffffffff81571fb0>] ? SyS_read+0x1b0/0x1b0
[ 56.564258]  [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 56.570822]  [<ffffffff838a6805>] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 56.577364] Object at ffff8801cce76000, in cache kmalloc-256 size: 256
[ 56.583995] Allocated:
[ 56.586455] PID = 3530
[ 56.588916]  save_stack_trace+0x16/0x20
[ 56.592854]  save_stack+0x43/0xd0
[ 56.596284]  kasan_kmalloc+0xad/0xe0
[ 56.599961]  __kmalloc+0x11d/0x310
[ 56.603489]  sg_build_indirect.isra.23+0x8b/0x550
[ 56.608315]  sg_build_reserve+0x8d/0xb0
[ 56.612251]  sg_open+0x946/0x15a0
[ 56.615665]  chrdev_open+0x22b/0x4c0
[ 56.619355]  do_dentry_open+0x607/0xc60
[ 56.623289]  vfs_open+0x105/0x220
[ 56.626705]  path_openat+0x64c/0x2a60
[ 56.630470]  do_filp_open+0x197/0x290
[ 56.634234]  do_sys_open+0x352/0x4c0
[ 56.637909]  SyS_open+0x2d/0x40
[ 56.641151]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 56.645864] Freed:
[ 56.647974] PID = 3530
[ 56.650434]  save_stack_trace+0x16/0x20
[ 56.654371]  save_stack+0x43/0xd0
[ 56.657785]  kasan_slab_free+0x73/0xc0
[ 56.661633]  kfree+0xf0/0x2f0
[ 56.664703]  sg_remove_scat.isra.20+0x212/0x2d0
[ 56.669334]  sg_ioctl+0x12d0/0x29f0
[ 56.672937]  do_vfs_ioctl+0x1aa/0x10c0
[ 56.676788]  SyS_ioctl+0x8f/0xc0
[ 56.680118]  entry_SYSCALL_64_fastpath+0x23/0xc6
[ 56.684832] Memory state around the buggy address:
[ 56.689723]  ffff8801cce75f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 56.697045]  ffff8801cce75f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 56.704366] >ffff8801cce76000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.711683]                    ^
[ 56.715013]  ffff8801cce76080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.722335]  ffff8801cce76100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 56.729657] ==================================================================
[ 56.737258]
[ 56.744589] ==================================================================
[ 56.744589] BUG: KASAN: wild-memory-access on address ffe70872baf16000
[ 56.751216] Write of size 38 by task syz-executor0/3527
[ 56.756543] CPU: 0 PID: 3527 Comm: syz-executor0 Tainted: G    B   4.9.44-g6dda7ac #31
[ 56.765255] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.774590]  ffff8801d0f37448 ffffffff81d929c9 ffff8801d0f37618 0000000000000026
[ 56.782555]  0000000000000001 ffff8801d0f37840 ffe70872baf16000 ffff8801d0f374d0
[ 56.790501]  ffffffff8153ca9f 0000000000000000 0000000000000001 ffffffff81ddc284
[ 56.798440] Call Trace:
[ 56.800994]  [<ffffffff81d929c9>] dump_stack+0xc1/0x128
[ 56.806338]  [<ffffffff8153ca9f>] kasan_report.part.1+0x40f/0x500
[ 56.812535]  [<ffffffff81ddc284>] ? copy_page_from_iter+0x1a4/0x5d0
[ 56.818917]  [<ffffffff814c1104>] ? __might_fault+0xe4/0x1d0
[ 56.824691]  [<ffffffff8153ce70>] kasan_report+0x20/0x30
[ 56.830103]  [<ffffffff8153b7b7>] check_memory_region+0x137/0x190
[ 56.836299]  [<ffffffff8153b844>] kasan_check_write+0x14/0x20
[ 56.842165]  [<ffffffff81ddc284>] copy_page_from_iter+0x1a4/0x5d0
[ 56.848376]  [<ffffffff81cdfc15>] bio_copy_user_iov+0xb05/0xea0
[ 56.854396]  [<ffffffff81cdf110>] ? bio_uncopy_user+0x600/0x600
[ 56.860418]  [<ffffffff81d2fec9>] ? __bt_get+0x199/0x1f0
[ 56.865834]  [<ffffffff81d13ec7>] blk_rq_map_user_iov+0x237/0x790
[ 56.872030]  [<ffffffff81d13c90>] ? blk_rq_append_bio+0x1a0/0x1a0
[ 56.878227]  [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 56.885218]  [<ffffffff810d2ec9>] ? kvm_sched_clock_read+0x9/0x20
[ 56.891411]  [<ffffffff81dd09b4>] ? import_single_range+0x1d4/0x2b0
[ 56.897794]  [<ffffffff81d14531>] blk_rq_map_user+0x111/0x1a0
[ 56.903643]  [<ffffffff81d14420>] ? blk_rq_map_user_iov+0x790/0x790
[ 56.910029]  [<ffffffff8266011f>] ? sg_res_in_use+0x1f/0x130
[ 56.915822]  [<ffffffff826601ea>] ? sg_res_in_use+0xea/0x130
[ 56.921588]  [<ffffffff838a6485>] ? _raw_read_unlock_irqrestore+0x45/0x70
[ 56.928478]  [<ffffffff82668c0a>] sg_common_write.isra.24+0xc1a/0x17c0
[ 56.935123]  [<ffffffff82667ff0>] ? sg_open+0x15a0/0x15a0
[ 56.940625]  [<ffffffff814c1104>] ? __might_fault+0xe4/0x1d0
[ 56.946384]  [<ffffffff81562a38>] ? check_stack_object+0x68/0x140
[ 56.952593]  [<ffffffff81562c84>] ? __check_object_size+0x174/0x3a9
[ 56.959135]  [<ffffffff8266d028>] sg_write+0x688/0xad0
[ 56.964372]  [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 56.969963]  [<ffffffff81db3e29>] ? format_decode+0x149/0x8f0
[ 56.975813]  [<ffffffff812e3478>] ? do_futex+0x3e8/0x1640
[ 56.981344]  [<ffffffff81df9acb>] ? check_preemption_disabled+0x3b/0x200
[ 56.988148]  [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 56.995129]  [<ffffffff8123b60d>] ? trace_hardirqs_on+0xd/0x10
[ 57.001077]  [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 57.006664]  [<ffffffff8156a563>] __vfs_write+0x103/0x680
[ 57.012199]  [<ffffffff8156a460>] ? default_llseek+0x290/0x290
[ 57.018139]  [<ffffffff811ba935>] ? __might_sleep+0x95/0x1a0
[ 57.023900]  [<ffffffff81be0a99>] ? __inode_security_revalidate+0xd9/0x130
[ 57.030883]  [<ffffffff81bda5d9>] ? avc_policy_seqno+0x9/0x20
[ 57.036758]  [<ffffffff81beaf72>] ? selinux_file_permission+0x82/0x460
[ 57.043403]  [<ffffffff81bd1689>] ? security_file_permission+0x89/0x1e0
[ 57.050119]  [<ffffffff8156e025>] ? rw_verify_area+0xe5/0x2b0
[ 57.055965]  [<ffffffff8156e690>] vfs_write+0x170/0x4e0
[ 57.061307]  [<ffffffff81572089>] SyS_write+0xd9/0x1b0
[ 57.066548]  [<ffffffff81571fb0>] ? SyS_read+0x1b0/0x1b0
[ 57.071961]  [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 57.078519]  [<ffffffff838a6805>] entry_SYSCALL_64_fastpath+0x23/0xc6
[ 57.085059] ==================================================================
[ 57.092643] ==================================================================
[ 57.099984] BUG: KASAN: wild-memory-access on address ffe70872baf16000
[ 57.106611] Write of size 38 by task syz-executor0/3527
[ 57.111959] CPU: 0 PID: 3527 Comm: syz-executor0 Tainted: G    B   4.9.44-g6dda7ac #31
[ 57.120667] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.129984]  ffff8801d0f373f8 ffffffff81d929c9 ffe70872baf16000 0000000000000026
[ 57.137925]  0000000000000001 0000000020006fdb ffe70872baf16000 ffff8801d0f37480
[ 57.145868]  ffffffff8153ca9f 0000000000000000 0000000000000000 ffffffff81dc60d4
[ 57.153875] Call Trace:
[ 57.156427]  [<ffffffff81d929c9>] dump_stack+0xc1/0x128
[ 57.161772]  [<ffffffff8153ca9f>] kasan_report.part.1+0x40f/0x500
[ 57.167968]  [<ffffffff81dc60d4>] ? copy_user_handle_tail+0xb4/0xd0
[ 57.174338]  [<ffffffff838a7239>] ? retint_kernel+0x2d/0x2d
[ 57.180101]  [<ffffffff8153ce70>] kasan_report+0x20/0x30
[ 57.185515]  [<ffffffff8153b7b7>] check_memory_region+0x137/0x190
[ 57.191709]  [<ffffffff8153bc23>] memset+0x23/0x40
[ 57.196608]  [<ffffffff81dc60d4>] copy_user_handle_tail+0xb4/0xd0
[ 57.202817]  [<ffffffff81ddc2a0>] copy_page_from_iter+0x1c0/0x5d0
[ 57.209016]  [<ffffffff81cdfc15>] bio_copy_user_iov+0xb05/0xea0
[ 57.215042]  [<ffffffff81cdf110>] ? bio_uncopy_user+0x600/0x600
[ 57.221062]  [<ffffffff81d2fec9>] ? __bt_get+0x199/0x1f0
[ 57.226473]  [<ffffffff81d13ec7>] blk_rq_map_user_iov+0x237/0x790
[ 57.232678]  [<ffffffff81d13c90>] ? blk_rq_append_bio+0x1a0/0x1a0
[ 57.238875]  [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 57.245876]  [<ffffffff810d2ec9>] ? kvm_sched_clock_read+0x9/0x20
[ 57.252077]  [<ffffffff81dd09b4>] ? import_single_range+0x1d4/0x2b0
[ 57.258446]  [<ffffffff81d14531>] blk_rq_map_user+0x111/0x1a0
[ 57.264294]  [<ffffffff81d14420>] ? blk_rq_map_user_iov+0x790/0x790
[ 57.270671]  [<ffffffff8266011f>] ? sg_res_in_use+0x1f/0x130
[ 57.276437]  [<ffffffff826601ea>] ? sg_res_in_use+0xea/0x130
[ 57.282200]  [<ffffffff838a6485>] ? _raw_read_unlock_irqrestore+0x45/0x70
[ 57.289095]  [<ffffffff82668c0a>] sg_common_write.isra.24+0xc1a/0x17c0
[ 57.295737]  [<ffffffff82667ff0>] ? sg_open+0x15a0/0x15a0
[ 57.301241]  [<ffffffff814c1104>] ? __might_fault+0xe4/0x1d0
[ 57.307005]  [<ffffffff81562a38>] ? check_stack_object+0x68/0x140
[ 57.313200]  [<ffffffff81562c84>] ? __check_object_size+0x174/0x3a9
[ 57.319575]  [<ffffffff8266d028>] sg_write+0x688/0xad0
[ 57.324814]  [<ffffffff8266c9a0>] ? sg_ioctl+0x29f0/0x29f0
[ 57.330404]  [<ffffffff81db3e29>] ? format_decode+0x149/0x8f0
[ 57.336253]  [<ffffffff812e3478>] ? do_futex+0x3e8/0x1640
[ 57.341754]  [<ffffffff81df9acb>] ? check_preemption_disabled+0x3b/0x200
[ 57.348558]  [<ffffffff8123bc30>] ? debug_check_no_locks_freed+0x2c0/0x2c0