INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts.
2018/10/01 03:10:42 parsed 1 programs
2018/10/01 03:10:43 executed programs: 0
[ 832.577990] audit: type=1400 audit(1538363444.430:5): avc: denied { associate } for pid=2174 comm="syz-executor0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2018/10/01 03:10:48 executed programs: 4
2018/10/01 03:10:53 executed programs: 9
2018/10/01 03:10:58 executed programs: 14
2018/10/01 03:11:03 executed programs: 19
2018/10/01 03:11:08 executed programs: 24
2018/10/01 03:11:14 executed programs: 29
2018/10/01 03:11:19 executed programs: 34
2018/10/01 03:11:24 executed programs: 39
2018/10/01 03:11:29 executed programs: 44
2018/10/01 03:11:34 executed programs: 49
2018/10/01 03:11:39 executed programs: 54
2018/10/01 03:11:44 executed programs: 59
2018/10/01 03:11:49 executed programs: 64
2018/10/01 03:11:55 executed programs: 69
2018/10/01 03:12:00 executed programs: 74
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "2" respawning too fast: disabled for 5 minutes
2018/10/01 03:12:05 executed programs: 79
2018/10/01 03:12:10 executed programs: 84
2018/10/01 03:12:15 executed programs: 89
2018/10/01 03:12:20 executed programs: 94
2018/10/01 03:12:25 executed programs: 99
2018/10/01 03:12:30 executed programs: 104
2018/10/01 03:12:35 executed programs: 109
2018/10/01 03:12:41 executed programs: 114
2018/10/01 03:12:46 executed programs: 119
2018/10/01 03:12:51 executed programs: 124
2018/10/01 03:12:56 executed programs: 129
2018/10/01 03:13:01 executed programs: 134
2018/10/01 03:13:06 executed programs: 139
2018/10/01 03:13:11 executed programs: 144
2018/10/01 03:13:16 executed programs: 149
2018/10/01 03:13:21 executed programs: 154
2018/10/01 03:13:26 executed programs: 159
2018/10/01 03:13:32 executed programs: 164
2018/10/01 03:13:37 executed programs: 169
2018/10/01 03:13:42 executed programs: 174
2018/10/01 03:13:47 executed programs: 179
2018/10/01 03:13:52 executed programs: 184
2018/10/01 03:13:57 executed programs: 189
2018/10/01 03:14:02 executed programs: 194
[ 1031.825232] ==================================================================
[ 1031.832743] BUG: KASAN: use-after-free in fuse_dev_do_read.isra.11.constprop.15+0x14b7/0x18b0
[ 1031.841379] Read of size 8 at addr ffff8801c6da9dd8 by task syz-executor0/4798
[ 1031.848760]
[ 1031.850368] CPU: 0 PID: 4798 Comm: syz-executor0 Not tainted 4.9.130+ #46
[ 1031.857279]  ffff8801d7d57958 ffffffff81b36c89 ffffea00071b6a00 ffff8801c6da9dd8
[ 1031.865346]  0000000000000000 ffff8801c6da9dd8 ffff8801c82091c8 ffff8801d7d57990
[ 1031.873353]  ffffffff8150080d ffff8801c6da9dd8 0000000000000008 0000000000000000
[ 1031.881358] Call Trace:
[ 1031.883930]  [] dump_stack+0xc1/0x128
[ 1031.889278]  [] print_address_description+0x6c/0x234
[ 1031.895919]  [] kasan_report.cold.6+0x242/0x2fe
[ 1031.902126]  [] ? fuse_dev_do_read.isra.11.constprop.15+0x14b7/0x18b0
[ 1031.910244]  [] __asan_report_load8_noabort+0x14/0x20
[ 1031.916973]  [] fuse_dev_do_read.isra.11.constprop.15+0x14b7/0x18b0
[ 1031.924915]  [] ? fuse_dev_release+0x480/0x480
[ 1031.931039]  [] ? futex_wait_restart+0x230/0x230
[ 1031.937336]  [] fuse_dev_read+0x156/0x1f0
[ 1031.943024]  [] ? fuse_dev_do_read.isra.11.constprop.15+0x18b0/0x18b0
[ 1031.951142]  [] ? fsnotify+0x114/0x1100
[ 1031.956663]  [] ? iov_iter_init+0xaf/0x1d0
[ 1031.962442]  [] __vfs_read+0x3d4/0x560
[ 1031.967878]  [] ? clone_verify_area+0x220/0x220
[ 1031.974094]  [] ? __fsnotify_inode_delete+0x30/0x30
[ 1031.980648]  [] ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 1031.989113]  [] ? avc_policy_seqno+0x9/0x20
[ 1031.994979]  [] ? selinux_file_permission+0x82/0x470
[ 1032.001622]  [] ? rw_verify_area+0xe5/0x2a0
[ 1032.007483]  [] vfs_read+0x124/0x390
[ 1032.012734]  [] SyS_read+0xd9/0x1c0
[ 1032.017897]  [] ? vfs_copy_file_range+0x870/0x870
[ 1032.024279]  [] ? do_syscall_64+0x48/0x550
[ 1032.030051]  [] ? vfs_copy_file_range+0x870/0x870
[ 1032.036430]  [] do_syscall_64+0x19f/0x550
[ 1032.042233]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 1032.049132]
[ 1032.050735] Allocated by task 4798:
[ 1032.054337]  save_stack_trace+0x16/0x20
[ 1032.058296]  kasan_kmalloc.part.1+0x62/0xf0
[ 1032.062591]  kasan_kmalloc+0xaf/0xc0
[ 1032.066277]  kasan_slab_alloc+0x12/0x20
[ 1032.070226]  kmem_cache_alloc+0xd5/0x2b0
[ 1032.074295]  __fuse_request_alloc+0x27/0xe0
[ 1032.078589]  fuse_request_alloc+0x18/0x20
[ 1032.082711]  fuse_fill_super+0xcd3/0x1640
[ 1032.086918]  mount_nodev+0x5b/0x100
[ 1032.090537]  fuse_mount+0x2c/0x40
[ 1032.093966]  mount_fs+0x28c/0x370
[ 1032.097396]  vfs_kern_mount.part.8+0xd1/0x4b0
[ 1032.101865]  do_mount+0x3c9/0x28a0
[ 1032.105383]  SyS_mount+0xea/0x100
[ 1032.108824]  do_syscall_64+0x19f/0x550
[ 1032.112687]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 1032.117954]
[ 1032.119581] Freed by task 4805:
[ 1032.122839]  save_stack_trace+0x16/0x20
[ 1032.126793]  kasan_slab_free+0xac/0x190
[ 1032.130745]  kmem_cache_free+0xbe/0x310
[ 1032.134696]  fuse_request_free+0x8b/0xa0
[ 1032.138733]  fuse_put_request+0x261/0x310
[ 1032.142855]  request_end+0x34/0x6f0
[ 1032.146456]  fuse_dev_do_write+0x12a8/0x2390
[ 1032.150838]  fuse_dev_write+0x142/0x1d0
[ 1032.154783]  __vfs_write+0x3d7/0x580
[ 1032.158480]  vfs_write+0x187/0x520
[ 1032.162021]  SyS_write+0xd9/0x1c0
[ 1032.165451]  do_syscall_64+0x19f/0x550
[ 1032.169314]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 1032.174389]
[ 1032.175990] The buggy address belongs to the object at ffff8801c6da9da8
[ 1032.175990]  which belongs to the cache fuse_request of size 456
[ 1032.188848] The buggy address is located 48 bytes inside of
[ 1032.188848]  456-byte region [ffff8801c6da9da8, ffff8801c6da9f70)
[ 1032.200609] The buggy address belongs to the page:
[ 1032.205515] page:ffffea00071b6a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 1032.215695] flags: 0x4000000000004080(slab|head)
[ 1032.220423] page dumped because: kasan: bad access detected
[ 1032.226111]
[ 1032.227712] Memory state around the buggy address:
[ 1032.232613]  ffff8801c6da9c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1032.239950]  ffff8801c6da9d00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 1032.247284] >ffff8801c6da9d80: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
[ 1032.254851]                                ^
[ 1032.261061]  ffff8801c6da9e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1032.268393]  ffff8801c6da9e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1032.275727] ==================================================================
[ 1032.283059] Disabling lock debugging due to kernel taint
[ 1032.289606] Kernel panic - not syncing: panic_on_warn set ...
[ 1032.289606]
[ 1032.296995] CPU: 0 PID: 4798 Comm: syz-executor0 Tainted: G B 4.9.130+ #46
[ 1032.305108]  ffff8801d7d578b8 ffffffff81b36c89 ffffffff82e357a8 00000000ffffffff
[ 1032.314852]  0000000000000000 0000000000000000 ffff8801c82091c8 ffff8801d7d57978
[ 1032.322878]  ffffffff813f6835 0000000041b58ab3 ffffffff82e297ab ffffffff813f6676
[ 1032.330890] Call Trace:
[ 1032.333454]  [] dump_stack+0xc1/0x128
[ 1032.338795]  [] panic+0x1bf/0x39f
[ 1032.343789]  [] ? add_taint.cold.6+0x16/0x16
[ 1032.349737]  [] ? ___preempt_schedule+0x16/0x18
[ 1032.355951]  [] kasan_end_report+0x47/0x4f
[ 1032.361817]  [] kasan_report.cold.6+0x76/0x2fe
[ 1032.367940]  [] ? fuse_dev_do_read.isra.11.constprop.15+0x14b7/0x18b0
[ 1032.376064]  [] __asan_report_load8_noabort+0x14/0x20
[ 1032.382789]  [] fuse_dev_do_read.isra.11.constprop.15+0x14b7/0x18b0
[ 1032.390732]  [] ? fuse_dev_release+0x480/0x480
[ 1032.396852]  [] ? futex_wait_restart+0x230/0x230
[ 1032.403166]  [] fuse_dev_read+0x156/0x1f0
[ 1032.409021]  [] ? fuse_dev_do_read.isra.11.constprop.15+0x18b0/0x18b0
[ 1032.417239]  [] ? fsnotify+0x114/0x1100
[ 1032.422759]  [] ? iov_iter_init+0xaf/0x1d0
[ 1032.428532]  [] __vfs_read+0x3d4/0x560
[ 1032.433969]  [] ? clone_verify_area+0x220/0x220
[ 1032.440177]  [] ? __fsnotify_inode_delete+0x30/0x30
[ 1032.446745]  [] ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 1032.455215]  [] ? avc_policy_seqno+0x9/0x20
[ 1032.461073]  [] ? selinux_file_permission+0x82/0x470
[ 1032.467713]  [] ? rw_verify_area+0xe5/0x2a0
[ 1032.473568]  [] vfs_read+0x124/0x390
[ 1032.478825]  [] SyS_read+0xd9/0x1c0
[ 1032.484013]  [] ? vfs_copy_file_range+0x870/0x870
[ 1032.490387]  [] ? do_syscall_64+0x48/0x550
[ 1032.496157]  [] ? vfs_copy_file_range+0x870/0x870
[ 1032.502538]  [] do_syscall_64+0x19f/0x550
[ 1032.508230]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 1032.515452] Kernel Offset: disabled
[ 1032.519064] Rebooting in 86400 seconds..