[ 33.970770] audit: type=1800 audit(1555522357.192:33): pid=6938 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.994237] audit: type=1800 audit(1555522357.192:34): pid=6938 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 59.563208] random: sshd: uninitialized urandom read (32 bytes read)
[ 60.083321] audit: type=1400 audit(1555522383.302:35): avc: denied { map } for pid=7112 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 60.133991] random: sshd: uninitialized urandom read (32 bytes read)
[ 60.572468] random: sshd: uninitialized urandom read (32 bytes read)
[ 60.756509] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
[ 66.418175] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 66.546375] audit: type=1400 audit(1555522389.762:36): avc: denied { map } for pid=7125 comm="syz-executor543" path="/root/syz-executor543769209" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 66.584223] ==================================================================
[ 66.591854] BUG: KASAN: use-after-free in do_blk_trace_setup+0xa8f/0xb10
[ 66.598791] Read of size 8 at addr ffff888099e76040 by task syz-executor543/7133
[ 66.606618]
[ 66.608230] CPU: 0 PID: 7133 Comm: syz-executor543 Not tainted 4.14.112 #2
[ 66.615612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.625219] Call Trace:
[ 66.627846]  dump_stack+0x138/0x19c
[ 66.631468]  ? do_blk_trace_setup+0xa8f/0xb10
[ 66.635966]  print_address_description.cold+0x7c/0x1dc
[ 66.641357]  ? do_blk_trace_setup+0xa8f/0xb10
[ 66.645845]  kasan_report.cold+0xaf/0x2b5
[ 66.649989]  __asan_report_load8_noabort+0x14/0x20
[ 66.655151]  do_blk_trace_setup+0xa8f/0xb10
[ 66.659481]  blk_trace_setup+0xbd/0x140
[ 66.663491]  ? do_blk_trace_setup+0xb10/0xb10
[ 66.668000]  sg_ioctl+0x31b/0x27e0
[ 66.671536]  ? sg_new_write.isra.0+0x910/0x910
[ 66.676111]  ? __might_sleep+0x93/0xb0
[ 66.680225]  ? save_trace+0x290/0x290
[ 66.684029]  ? sg_new_write.isra.0+0x910/0x910
[ 66.688740]  do_vfs_ioctl+0x7b9/0x1070
[ 66.692708]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 66.697609]  ? ioctl_preallocate+0x1c0/0x1c0
[ 66.702015]  ? lock_downgrade+0x6e0/0x6e0
[ 66.706433]  ? security_file_ioctl+0x83/0xc0
[ 66.710832]  ? security_file_ioctl+0x8f/0xc0
[ 66.715277]  SyS_ioctl+0x8f/0xc0
[ 66.718750]  ? do_vfs_ioctl+0x1070/0x1070
[ 66.723201]  do_syscall_64+0x1eb/0x630
[ 66.727093]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 66.731938]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 66.737115] RIP: 0033:0x445069
[ 66.740359] RSP: 002b:00007ffd2532fa98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 66.748059] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445069
[ 66.755447] RDX: 0000000020000000 RSI: 00000000c0481273 RDI: 0000000000000003
[ 66.762873] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 66.770471] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402200
[ 66.778120] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[ 66.785584]
[ 66.787291] Allocated by task 7133:
[ 66.790935]  save_stack_trace+0x16/0x20
[ 66.795032]  save_stack+0x45/0xd0
[ 66.798480]  kasan_kmalloc+0xce/0xf0
[ 66.802289]  kmem_cache_alloc_trace+0x152/0x790
[ 66.807041]  do_blk_trace_setup+0x120/0xb10
[ 66.811352]  blk_trace_setup+0xbd/0x140
[ 66.815533]  sg_ioctl+0x31b/0x27e0
[ 66.819204]  do_vfs_ioctl+0x7b9/0x1070
[ 66.823188]  SyS_ioctl+0x8f/0xc0
[ 66.826697]  do_syscall_64+0x1eb/0x630
[ 66.830881]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 66.836181]
[ 66.837924] Freed by task 7135:
[ 66.841196]  save_stack_trace+0x16/0x20
[ 66.845165]  save_stack+0x45/0xd0
[ 66.848685]  kasan_slab_free+0x75/0xc0
[ 66.852625]  kfree+0xcc/0x270
[ 66.856007]  blk_trace_free+0x106/0x140
[ 66.859977]  blk_trace_remove+0x59/0x80
[ 66.863944]  sg_ioctl+0x247/0x27e0
[ 66.867477]  do_vfs_ioctl+0x7b9/0x1070
[ 66.871453]  SyS_ioctl+0x8f/0xc0
[ 66.874807]  do_syscall_64+0x1eb/0x630
[ 66.878772]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 66.883939]
[ 66.885785] The buggy address belongs to the object at ffff888099e76000
[ 66.885785]  which belongs to the cache kmalloc-128 of size 128
[ 66.898769] The buggy address is located 64 bytes inside of
[ 66.898769]  128-byte region [ffff888099e76000, ffff888099e76080)
[ 66.910551] The buggy address belongs to the page:
[ 66.915558] page:ffffea0002679d80 count:1 mapcount:0 mapping:ffff888099e76000 index:0x0
[ 66.923897] flags: 0x1fffc0000000100(slab)
[ 66.928194] raw: 01fffc0000000100 ffff888099e76000 0000000000000000 0000000100000015
[ 66.936079] raw: ffffea0002855760 ffffea000274ee60 ffff8880aa800640 0000000000000000
[ 66.944109] page dumped because: kasan: bad access detected
[ 66.949820]
[ 66.951440] Memory state around the buggy address:
[ 66.956559]  ffff888099e75f00: fc fc fc fc fb fb fb fb fb fb fb fc fc fc fc fb
[ 66.964135]  ffff888099e75f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 66.971587] >ffff888099e76000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.978946]                                            ^
[ 66.984526]  ffff888099e76080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
executing program
[ 66.991895]  ffff888099e76100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 66.999430] ==================================================================
[ 67.006916] Disabling lock debugging due to kernel taint
[ 67.013219] Kernel panic - not syncing: panic_on_warn set ...
[ 67.013219]
[ 67.020681] CPU: 0 PID: 7133 Comm: syz-executor543 Tainted: G B 4.14.112 #2
[ 67.028910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.038386] Call Trace:
[ 67.041096]  dump_stack+0x138/0x19c
[ 67.044721]  ? do_blk_trace_setup+0xa8f/0xb10
[ 67.049208]  panic+0x1f2/0x438
[ 67.052581]  ? add_taint.cold+0x16/0x16
[ 67.056550]  ? ___preempt_schedule+0x16/0x18
[ 67.060955]  kasan_end_report+0x47/0x4f
[ 67.064920]  kasan_report.cold+0x136/0x2b5
[ 67.069251]  __asan_report_load8_noabort+0x14/0x20
[ 67.074301]  do_blk_trace_setup+0xa8f/0xb10
[ 67.078884]  blk_trace_setup+0xbd/0x140
[ 67.082848]  ? do_blk_trace_setup+0xb10/0xb10
[ 67.087384]  sg_ioctl+0x31b/0x27e0
[ 67.090919]  ? sg_new_write.isra.0+0x910/0x910
[ 67.095616]  ? __might_sleep+0x93/0xb0
[ 67.099503]  ? save_trace+0x290/0x290
[ 67.103508]  ? sg_new_write.isra.0+0x910/0x910
[ 67.108120]  do_vfs_ioctl+0x7b9/0x1070
[ 67.112117]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 67.116866]  ? ioctl_preallocate+0x1c0/0x1c0
[ 67.121282]  ? lock_downgrade+0x6e0/0x6e0
[ 67.125424]  ? security_file_ioctl+0x83/0xc0
[ 67.129860]  ? security_file_ioctl+0x8f/0xc0
[ 67.134263]  SyS_ioctl+0x8f/0xc0
[ 67.137664]  ? do_vfs_ioctl+0x1070/0x1070
[ 67.141800]  do_syscall_64+0x1eb/0x630
[ 67.145672]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 67.150710]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 67.155893] RIP: 0033:0x445069
[ 67.159138] RSP: 002b:00007ffd2532fa98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 67.167104] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445069
[ 67.174377] RDX: 0000000020000000 RSI: 00000000c0481273 RDI: 0000000000000003
[ 67.181635] RBP: 00000000006cf018 R08: 0000000000000004 R09: 00000000004002e0
[ 67.188898] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000402200
[ 67.196192] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[ 67.204447] Kernel Offset: disabled
[ 67.208075] Rebooting in 86400 seconds..
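The report above is a cross-task use-after-free: task 7133 allocates the blk_trace inside do_blk_trace_setup (reached from sg_ioctl) and is still reading it 64 bytes into the 128-byte kmalloc-128 object when task 7135, also inside sg_ioctl, has already freed it through blk_trace_remove. The register dump pins the user-space entry: ORIG_RAX 0x10 is ioctl on x86_64, RDI 3 is the fd, and RSI 0xc0481273 decodes under the standard ioctl encoding to type 0x12, nr 115, size 0x48, which is BLKTRACESETUP from linux/fs.h. The following triage helper is an added example, not part of the syzkaller output and not kernel code: it parses a report of this shape into the fields a responder needs (syzbot-style title, allocation and free sites with the instrumentation frames stripped, whether different tasks allocated and freed, the innermost handler both stacks share, and the decoded syscall/ioctl). The NOISE skip list and the one-entry syscall table are heuristics chosen here; the sample input is a trimmed excerpt of the report above.

```python
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # console timestamp "[ 66.591854] "
NOISE = ("save_stack", "kasan_", "kmem_cache_", "kfree", "kmalloc", "kzalloc")  # not the bug
# blktrace ioctls (include/uapi/linux/fs.h): type 0x12, nr 115..118.
BLKTRACE_IOCTLS = {115: "BLKTRACESETUP", 116: "BLKTRACESTART",
                   117: "BLKTRACESTOP", 118: "BLKTRACETEARDOWN"}
SYSCALLS_X86_64 = {16: "ioctl"}                  # only the entry this report needs

# Constructed input: a trimmed excerpt of the report above (same lines, fewer frames).
SAMPLE = """\
[ 66.591854] BUG: KASAN: use-after-free in do_blk_trace_setup+0xa8f/0xb10
[ 66.598791] Read of size 8 at addr ffff888099e76040 by task syz-executor543/7133
[ 66.740359] RSP: 002b:00007ffd2532fa98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 66.755447] RDX: 0000000020000000 RSI: 00000000c0481273 RDI: 0000000000000003
[ 66.787291] Allocated by task 7133:
[ 66.790935]  save_stack_trace+0x16/0x20
[ 66.798480]  kasan_kmalloc+0xce/0xf0
[ 66.802289]  kmem_cache_alloc_trace+0x152/0x790
[ 66.807041]  do_blk_trace_setup+0x120/0xb10
[ 66.811352]  blk_trace_setup+0xbd/0x140
[ 66.815533]  sg_ioctl+0x31b/0x27e0
[ 66.836181]
[ 66.837924] Freed by task 7135:
[ 66.841196]  save_stack_trace+0x16/0x20
[ 66.848685]  kasan_slab_free+0x75/0xc0
[ 66.852625]  kfree+0xcc/0x270
[ 66.856007]  blk_trace_free+0x106/0x140
[ 66.859977]  blk_trace_remove+0x59/0x80
[ 66.863944]  sg_ioctl+0x247/0x27e0
[ 66.885785] The buggy address belongs to the object at ffff888099e76000
[ 66.885785]  which belongs to the cache kmalloc-128 of size 128
"""

def decode_ioctl(cmd):
    """Split an ioctl request into dir/size/type/nr (asm-generic/ioctl.h layout)."""
    return {"dir": cmd >> 30, "size": (cmd >> 16) & 0x3fff,
            "type": (cmd >> 8) & 0xff, "nr": cmd & 0xff}

def ioctl_name(cmd):
    d = decode_ioctl(cmd)
    if d["type"] == 0x12 and d["nr"] in BLKTRACE_IOCTLS:
        return BLKTRACE_IOCTLS[d["nr"]]
    return "unknown(type=0x%02x, nr=%d)" % (d["type"], d["nr"])

def first_real_frame(stack):
    """First frame that is neither KASAN bookkeeping nor the slab allocator."""
    return next((f for f in stack if not f.startswith(NOISE)), None)

def parse_kasan_report(text):
    r = {"alloc_stack": [], "free_stack": [], "regs": {}}
    section = None
    for raw in text.splitlines():
        ln = TS.sub("", raw).strip()
        if not ln:                                # blank line closes a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)", ln):
            r["bug"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", ln):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["comm"], r["pid"] = m.group(4), int(m.group(5))
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", ln):
            section = "alloc_stack" if m.group(1) == "Allocated" else "free_stack"
            r[section.replace("stack", "pid")] = int(m.group(2))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
            r["object"] = int(m.group(1), 16)
        elif m := re.search(r"cache (\S+) of size (\d+)", ln):
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        elif section and re.match(r"[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+$", ln):
            r[section].append(ln.split("+", 1)[0])   # "? foo+..." guess frames never match
        else:
            for reg, val in re.findall(r"\b(ORIG_RAX|R[A-Z0-9]{1,2}): ([0-9a-f]{16})\b", ln):
                r["regs"].setdefault(reg, int(val, 16))   # keep the first (pre-panic) dump
    return r

def triage(r):
    alloc, free = r["alloc_stack"], set(r["free_stack"])
    v = {"title": "KASAN: %s %s in %s" % (r["bug"], r["access"], r["func"]),
         "cache": r["cache"], "offset_in_object": r["addr"] - r["object"],
         "alloc_site": first_real_frame(r["alloc_stack"]),
         "free_site": first_real_frame(r["free_stack"]),
         "cross_task": r["alloc_pid"] != r["free_pid"],
         # innermost frame both stacks share: the handler the two tasks raced in
         "racing_handler": next((f for f in alloc if f in free and not f.startswith(NOISE)), None)}
    v["syscall"] = SYSCALLS_X86_64.get(r["regs"].get("ORIG_RAX"), "unknown")
    if v["syscall"] == "ioctl":
        v["ioctl"], v["fd"] = ioctl_name(r["regs"]["RSI"]), r["regs"]["RDI"]
    return v

if __name__ == "__main__":
    for key, val in triage(parse_kasan_report(SAMPLE)).items():
        print("%-17s %s" % (key, val))
```

Feed it the raw console capture; the timestamp prefixes are stripped and the second register dump printed by the panic path is ignored in favour of the first. The combination of cross_task being true and both stacks sharing sg_ioctl is what separates a missing lock between two concurrent ioctl callers from a sequential double use in one task, and that distinction decides whether the fix is serialisation in the handler or an object-lifetime change.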