[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.262595] random: sshd: uninitialized urandom read (32 bytes read)
[ 13.489740] random: sshd: uninitialized urandom read (32 bytes read)
[ 13.780828] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 14.836733] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.971004] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.58' (ECDSA) to the list of known hosts.
[ 20.467214] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 20.552469] ==================================================================
[ 20.559872] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380
[ 20.566858] Write of size 10 at addr ffff8801c1735000 by task syz-executor715/3799
[ 20.574533]
[ 20.576136] CPU: 0 PID: 3799 Comm: syz-executor715 Not tainted 4.9.96-g8c01d00 #11
[ 20.583813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 20.593137] ffff8801b4cf74c8 ffffffff81eb0b69 ffffea000705cd40 ffff8801c1735000
[ 20.601121] 0000000000000001 ffff8801c1735000 000000000000000a ffff8801b4cf7500
[ 20.609133] ffffffff8156540b ffff8801c1735000 000000000000000a 0000000000000001
[ 20.617131] Call Trace:
[ 20.619701] [] dump_stack+0xc1/0x128
[ 20.625037] [] print_address_description+0x6c/0x234
[ 20.631673] [] kasan_report.cold.6+0x242/0x2fe
[ 20.637877] [] ? selinux_sb_copy_data+0x1cd/0x380
[ 20.644343] [] check_memory_region+0x14f/0x1b0
[ 20.650544] [] memcpy+0x37/0x50
[ 20.655451] [] selinux_sb_copy_data+0x1cd/0x380
[ 20.661748] [] security_sb_copy_data+0x7b/0xb0
[ 20.667953] [] parse_security_options+0x36/0x90
[ 20.674241] [] btrfs_mount+0x2f3/0x2bc0
[ 20.679836] [] ? btrfs_remount+0x1360/0x1360
[ 20.685869] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 20.692769] [] ? _find_next_bit.part.0+0xe0/0x120
[ 20.699231] [] ? find_next_bit+0x43/0x50
[ 20.704924] [] ? pcpu_alloc+0x483/0xad0
[ 20.710519] [] ? pcpu_create_chunk+0x430/0x430
[ 20.716722] [] ? __raw_spin_lock_init+0x1c/0x100
[ 20.723108] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 20.729917] [] ? lockdep_init_map+0x105/0x4f0
[ 20.736030] [] ? lockdep_init_map+0x105/0x4f0
[ 20.742147] [] mount_fs+0x28c/0x370
[ 20.747395] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 20.753770] [] vfs_kern_mount+0x40/0x60
[ 20.759364] [] btrfs_mount+0x40b/0x2bc0
[ 20.764963] [] ? btrfs_remount+0x1360/0x1360
[ 20.770995] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 20.777892] [] ? _find_next_bit.part.0+0xe0/0x120
[ 20.784354] [] ? find_next_bit+0x43/0x50
[ 20.790047] [] ? pcpu_alloc+0x483/0xad0
[ 20.795644] [] ? pcpu_create_chunk+0x430/0x430
[ 20.801852] [] ? __raw_spin_lock_init+0x1c/0x100
[ 20.808227] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 20.815036] [] ? lockdep_init_map+0x105/0x4f0
[ 20.821154] [] ? lockdep_init_map+0x105/0x4f0
[ 20.827271] [] mount_fs+0x28c/0x370
[ 20.832517] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 20.838893] [] ? ns_capable_common+0x12a/0x150
[ 20.845094] [] do_mount+0x3c9/0x2740
[ 20.850426] [] ? copy_mount_string+0x40/0x40
[ 20.856455] [] ? kasan_unpoison_shadow+0x35/0x50
[ 20.862830] [] ? kasan_kmalloc+0xc7/0xe0
[ 20.868511] [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 20.875061] [] ? copy_mount_options+0x5f/0x320
[ 20.881263] [] ? copy_mount_options+0x1e5/0x320
[ 20.887548] [] SyS_mount+0xfe/0x110
[ 20.892794] [] ? copy_mnt_ns+0x8e0/0x8e0
[ 20.898475] [] do_syscall_64+0x1a6/0x490
[ 20.904157] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 20.911052]
[ 20.912649] Allocated by task 2040:
[ 20.916248] save_stack_trace+0x16/0x20
[ 20.920188] save_stack+0x43/0xd0
[ 20.923613] kasan_kmalloc+0xc7/0xe0
[ 20.927296] kasan_slab_alloc+0x12/0x20
[ 20.931241] kmem_cache_alloc+0xbe/0x290
[ 20.935271] copy_process.part.51+0x3ee5/0x6330
[ 20.939907] _do_fork+0x1b0/0xdc0
[ 20.943329] SyS_clone+0x37/0x50
[ 20.946664] do_syscall_64+0x1a6/0x490
[ 20.950520] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 20.955588]
[ 20.957188] Freed by task 2267:
[ 20.960438] save_stack_trace+0x16/0x20
[ 20.964380] save_stack+0x43/0xd0
[ 20.967800] kasan_slab_free+0x72/0xc0
[ 20.971656] kmem_cache_free+0xbe/0x310
[ 20.975603] remove_vma+0x11f/0x160
[ 20.979199] exit_mmap+0x2a3/0x3f0
[ 20.982710] mmput+0xf3/0x2d0
[ 20.985786] do_exit+0x906/0x27c0
[ 20.989207] do_group_exit+0x111/0x340
[ 20.993065] SyS_exit_group+0x1d/0x20
[ 20.996838] do_syscall_64+0x1a6/0x490
[ 21.000708] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 21.005776]
[ 21.007376] The buggy address belongs to the object at ffff8801c1735000
[ 21.007376]  which belongs to the cache vm_area_struct of size 184
[ 21.020264] The buggy address is located 0 bytes inside of
[ 21.020264]  184-byte region [ffff8801c1735000, ffff8801c17350b8)
[ 21.031940] The buggy address belongs to the page:
[ 21.036840] page:ffffea000705cd40 count:1 mapcount:0 mapping: (null) index:0x0
[ 21.045082] flags: 0x8000000000000080(slab)
[ 21.049380] page dumped because: kasan: bad access detected
[ 21.055056]
[ 21.056651] Memory state around the buggy address:
[ 21.061548]  ffff8801c1734f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.068876]  ffff8801c1734f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.076205] >ffff8801c1735000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.083542]                    ^
[ 21.086877]  ffff8801c1735080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb
[ 21.094206]  ffff8801c1735100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.101534] ==================================================================
[ 21.108860] Disabling lock debugging due to kernel taint
[ 21.114547] Kernel panic - not syncing: panic_on_warn set ...
[ 21.114547]
[ 21.121899] CPU: 0 PID: 3799 Comm: syz-executor715 Tainted: G B 4.9.96-g8c01d00 #11
[ 21.130791] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.140117] ffff8801b4cf7428 ffffffff81eb0b69 ffffffff841c492d 00000000ffffffff
[ 21.148096] 0000000000000000 0000000000000000 000000000000000a ffff8801b4cf74e8
[ 21.156074] ffffffff8141f975 0000000041b58ab3 ffffffff841b8030 ffffffff8141f7b6
[ 21.164052] Call Trace:
[ 21.166613] [] dump_stack+0xc1/0x128
[ 21.171950] [] panic+0x1bf/0x3bc
[ 21.176934] [] ? add_taint.cold.6+0x16/0x16
[ 21.182877] [] ? ___preempt_schedule+0x16/0x18
[ 21.189088] [] kasan_end_report+0x47/0x4f
[ 21.194854] [] kasan_report.cold.6+0x76/0x2fe
[ 21.200973] [] ? selinux_sb_copy_data+0x1cd/0x380
[ 21.207436] [] check_memory_region+0x14f/0x1b0
[ 21.213645] [] memcpy+0x37/0x50
[ 21.218545] [] selinux_sb_copy_data+0x1cd/0x380
[ 21.224835] [] security_sb_copy_data+0x7b/0xb0
[ 21.231037] [] parse_security_options+0x36/0x90
[ 21.237324] [] btrfs_mount+0x2f3/0x2bc0
[ 21.242918] [] ? btrfs_remount+0x1360/0x1360
[ 21.248949] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 21.255847] [] ? _find_next_bit.part.0+0xe0/0x120
[ 21.262312] [] ? find_next_bit+0x43/0x50
[ 21.267992] [] ? pcpu_alloc+0x483/0xad0
[ 21.273584] [] ? pcpu_create_chunk+0x430/0x430
[ 21.279788] [] ? __raw_spin_lock_init+0x1c/0x100
[ 21.286164] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 21.292972] [] ? lockdep_init_map+0x105/0x4f0
[ 21.299085] [] ? lockdep_init_map+0x105/0x4f0
[ 21.305202] [] mount_fs+0x28c/0x370
[ 21.310452] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 21.316827] [] vfs_kern_mount+0x40/0x60
[ 21.322421] [] btrfs_mount+0x40b/0x2bc0
[ 21.328015] [] ? btrfs_remount+0x1360/0x1360
[ 21.334044] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 21.340941] [] ? _find_next_bit.part.0+0xe0/0x120
[ 21.347402] [] ? find_next_bit+0x43/0x50
[ 21.353082] [] ? pcpu_alloc+0x483/0xad0
[ 21.358688] [] ? pcpu_create_chunk+0x430/0x430
[ 21.364891] [] ? __raw_spin_lock_init+0x1c/0x100
[ 21.371265] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 21.378075] [] ? lockdep_init_map+0x105/0x4f0
[ 21.384189] [] ? lockdep_init_map+0x105/0x4f0
[ 21.390311] [] mount_fs+0x28c/0x370
[ 21.395578] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 21.401955] [] ? ns_capable_common+0x12a/0x150
[ 21.408157] [] do_mount+0x3c9/0x2740
[ 21.413490] [] ? copy_mount_string+0x40/0x40
[ 21.419517] [] ? kasan_unpoison_shadow+0x35/0x50
[ 21.425890] [] ? kasan_kmalloc+0xc7/0xe0
[ 21.431576] [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 21.438124] [] ? copy_mount_options+0x5f/0x320
[ 21.444337] [] ? copy_mount_options+0x1e5/0x320
[ 21.450624] [] SyS_mount+0xfe/0x110
[ 21.455869] [] ? copy_mnt_ns+0x8e0/0x8e0
[ 21.461554] [] do_syscall_64+0x1a6/0x490
[ 21.467237] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 21.474567] Dumping ftrace buffer:
[ 21.478077]    (ftrace buffer empty)
[ 21.481759] Kernel Offset: disabled
[ 21.485369] Rebooting in 86400 seconds..