[ 33.421636] audit: type=1800 audit(1584497424.532:33): pid=7249 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.449346] audit: type=1800 audit(1584497424.532:34): pid=7249 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
[ 34.089775] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.296492] audit: type=1400 audit(1584497425.402:35): avc: denied { map } for pid=7420 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.347980] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 35.130399] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.328625] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
[ 40.883319] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
[ 41.013816] audit: type=1400 audit(1584497432.122:36): avc: denied { map } for pid=7433 comm="syz-executor793" path="/root/syz-executor793328469" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 41.046668] ==================================================================
[ 41.054177] BUG: KASAN: use-after-free in do_blk_trace_setup+0xa5b/0xad0
[ 41.061006] Read of size 8 at addr ffff8880a67a4dc0 by task syz-executor793/7443
[ 41.068633]
[ 41.070258] CPU: 0 PID: 7443 Comm: syz-executor793 Not tainted 4.14.173-syzkaller #0
[ 41.078273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.087624] Call Trace:
[ 41.090203] dump_stack+0x13e/0x194
[ 41.093813] ? do_blk_trace_setup+0xa5b/0xad0
[ 41.098325] print_address_description.cold+0x7c/0x1e2
[ 41.103615] ? do_blk_trace_setup+0xa5b/0xad0
[ 41.108252] kasan_report.cold+0xa9/0x2ae
[ 41.112392] do_blk_trace_setup+0xa5b/0xad0
[ 41.116713] blk_trace_setup+0xa3/0x120
[ 41.120676] ? do_blk_trace_setup+0xad0/0xad0
[ 41.125158] sg_ioctl+0x2f9/0x2620
[ 41.128681] ? trace_hardirqs_on+0x10/0x10
[ 41.132896] ? sg_new_write.isra.0+0x8c0/0x8c0
[ 41.137461] ? sg_new_write.isra.0+0x8c0/0x8c0
[ 41.142064] do_vfs_ioctl+0x75a/0xfe0
[ 41.145851] ? selinux_file_mprotect+0x5c0/0x5c0
[ 41.150591] ? ioctl_preallocate+0x1a0/0x1a0
[ 41.154982] ? security_file_ioctl+0x76/0xb0
[ 41.159372] ? security_file_ioctl+0x83/0xb0
[ 41.163764] SyS_ioctl+0x7f/0xb0
[ 41.167113] ? do_vfs_ioctl+0xfe0/0xfe0
[ 41.171067] do_syscall_64+0x1d5/0x640
[ 41.174940] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.180129] RIP: 0033:0x44aee9
[ 41.183308] RSP: 002b:00007fb482743ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 41.191051] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044aee9
[ 41.198313] RDX: 0000000020000080 RSI: 00000000c0481273 RDI: 0000000000000005
[ 41.205577] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 41.212834] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 41.220095] R13: 00007ffca1e3f2cf R14: 00007fb4827449c0 R15: 0000000000000000
[ 41.227363]
[ 41.228975] Allocated by task 7443:
[ 41.232589] save_stack+0x32/0xa0
[ 41.236023] kasan_kmalloc+0xbf/0xe0
[ 41.239715] kmem_cache_alloc_trace+0x14d/0x7b0
[ 41.244370] do_blk_trace_setup+0x11e/0xad0
[ 41.248671] blk_trace_setup+0xa3/0x120
[ 41.252627] sg_ioctl+0x2f9/0x2620
[ 41.256157] do_vfs_ioctl+0x75a/0xfe0
[ 41.259941] SyS_ioctl+0x7f/0xb0
[ 41.263296] do_syscall_64+0x1d5/0x640
[ 41.267166] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.272341]
[ 41.273957] Freed by task 7445:
[ 41.277227] save_stack+0x32/0xa0
[ 41.280668] kasan_slab_free+0x75/0xc0
[ 41.284541] kfree+0xcb/0x260
[ 41.287630] blk_trace_remove+0x52/0x80
[ 41.291584] sg_ioctl+0x22a/0x2620
[ 41.295112] do_vfs_ioctl+0x75a/0xfe0
[ 41.298894] SyS_ioctl+0x7f/0xb0
[ 41.302260] do_syscall_64+0x1d5/0x640
[ 41.306128] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.311294]
[ 41.312906] The buggy address belongs to the object at ffff8880a67a4d80
[ 41.312906] which belongs to the cache kmalloc-128 of size 128
[ 41.325553] The buggy address is located 64 bytes inside of
[ 41.325553] 128-byte region [ffff8880a67a4d80, ffff8880a67a4e00)
[ 41.337381] The buggy address belongs to the page:
[ 41.342303] page:ffffea000299e900 count:1 mapcount:0 mapping:ffff8880a67a4000 index:0xffff8880a67a4c00
[ 41.351729] flags: 0xfffe0000000100(slab)
[ 41.355864] raw: 00fffe0000000100 ffff8880a67a4000 ffff8880a67a4c00 0000000100000014
[ 41.363724] raw: ffffea00029b8160 ffffea00029b5be0 ffff88812fe56640 0000000000000000
[ 41.371584] page dumped because: kasan: bad access detected
[ 41.377314]
[ 41.378932] Memory state around the buggy address:
[ 41.383975] ffff8880a67a4c80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 41.391333] ffff8880a67a4d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 41.398676] >ffff8880a67a4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.406096] ^
[ 41.411571] ffff8880a67a4e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.418914] ffff8880a67a4e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 41.426259] ==================================================================
[ 41.433598] Disabling lock debugging due to kernel taint
[ 41.440446] Kernel panic - not syncing: panic_on_warn set ...
[ 41.440446]
[ 41.447818] CPU: 0 PID: 7443 Comm: syz-executor793 Tainted: G B 4.14.173-syzkaller #0
[ 41.456889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.466218] Call Trace:
[ 41.468791] dump_stack+0x13e/0x194
[ 41.472400] panic+0x1f9/0x42d
[ 41.475568] ? add_taint.cold+0x16/0x16
[ 41.479528] ? preempt_schedule_common+0x4a/0xc0
[ 41.484271] ? do_blk_trace_setup+0xa5b/0xad0
[ 41.488745] ? ___preempt_schedule+0x16/0x18
[ 41.493131] ? do_blk_trace_setup+0xa5b/0xad0
[ 41.497604] kasan_end_report+0x43/0x49
[ 41.501555] kasan_report.cold+0x12f/0x2ae
[ 41.505766] do_blk_trace_setup+0xa5b/0xad0
[ 41.510069] blk_trace_setup+0xa3/0x120
[ 41.514032] ? do_blk_trace_setup+0xad0/0xad0
[ 41.518542] sg_ioctl+0x2f9/0x2620
[ 41.522061] ? trace_hardirqs_on+0x10/0x10
[ 41.526276] ? sg_new_write.isra.0+0x8c0/0x8c0
[ 41.530869] ? sg_new_write.isra.0+0x8c0/0x8c0
[ 41.535435] do_vfs_ioctl+0x75a/0xfe0
[ 41.539221] ? selinux_file_mprotect+0x5c0/0x5c0
[ 41.543968] ? ioctl_preallocate+0x1a0/0x1a0
[ 41.548424] ? security_file_ioctl+0x76/0xb0
[ 41.552823] ? security_file_ioctl+0x83/0xb0
[ 41.557232] SyS_ioctl+0x7f/0xb0
[ 41.560576] ? do_vfs_ioctl+0xfe0/0xfe0
[ 41.564544] do_syscall_64+0x1d5/0x640
[ 41.568462] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.573630] RIP: 0033:0x44aee9
[ 41.576796] RSP: 002b:00007fb482743ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 41.584483] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 000000000044aee9
[ 41.591776] RDX: 0000000020000080 RSI: 00000000c0481273 RDI: 0000000000000005
[ 41.599026] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 41.606282] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 41.613528] R13: 00007ffca1e3f2cf R14: 00007fb4827449c0 R15: 0000000000000000
[ 41.622056] Kernel Offset: disabled
[ 41.625675] Rebooting in 86400 seconds..