[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 15.240982] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.517187] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.909757] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.684879] random: sshd: uninitialized urandom read (32 bytes read)
[ 92.893563] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[ 98.376537] random: sshd: uninitialized urandom read (32 bytes read)
2018/04/28 18:57:21 parsed 1 programs
2018/04/28 18:57:21 executed programs: 0
[ 98.783303] IPVS: Creating netns size=2536 id=1
[ 98.814842] IPVS: Creating netns size=2536 id=2
[ 98.840591] IPVS: Creating netns size=2536 id=3
[ 98.883581] IPVS: Creating netns size=2536 id=4
[ 98.904489] IPVS: Creating netns size=2536 id=5
[ 98.941249] IPVS: Creating netns size=2536 id=6
[ 98.968251] IPVS: Creating netns size=2536 id=7
[ 99.010887] IPVS: Creating netns size=2536 id=8
[ 100.161521] ==================================================================
[ 100.168902] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 100.175621] Read of size 8 at addr ffff8801d03b9ee0 by task blkid/4323
[ 100.182251]
[ 100.183850] CPU: 1 PID: 4323 Comm: blkid Not tainted 4.9.96-g71fce1e #13
[ 100.190657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 100.199979] ffff8801cc9df6d8 ffffffff81eb0b69 ffffea000740ee00 ffff8801d03b9ee0
[ 100.207951] 0000000000000000 ffff8801d03b9ee0 0000000000000000 ffff8801cc9df710
[ 100.215921] ffffffff8156540b ffff8801d03b9ee0 0000000000000008 0000000000000000
[ 100.223888] Call Trace:
[ 100.226444] [] dump_stack+0xc1/0x128
[ 100.231780] [] print_address_description+0x6c/0x234
[ 100.238417] [] kasan_report.cold.6+0x242/0x2fe
[ 100.244632] [] ? disk_unblock_events+0x51/0x60
[ 100.250836] [] __asan_report_load8_noabort+0x14/0x20
[ 100.257558] [] disk_unblock_events+0x51/0x60
[ 100.263585] [] __blkdev_get+0x6b6/0xd60
[ 100.269182] [] ? __blkdev_put+0x840/0x840
[ 100.274962] [] ? fsnotify+0x114/0x1100
[ 100.280469] [] blkdev_get+0x2da/0x920
[ 100.285886] [] ? bd_may_claim+0xd0/0xd0
[ 100.291479] [] ? bd_acquire+0x27/0x250
[ 100.296990] [] ? bd_acquire+0x88/0x250
[ 100.302499] [] ? _raw_spin_unlock+0x2c/0x50
[ 100.308439] [] blkdev_open+0x1a5/0x250
[ 100.313947] [] do_dentry_open+0x703/0xc80
[ 100.319711] [] ? blkdev_get_by_dev+0x70/0x70
[ 100.325736] [] vfs_open+0x11c/0x210
[ 100.330980] [] ? may_open.isra.57+0x14f/0x2a0
[ 100.337095] [] path_openat+0x758/0x3590
[ 100.342689] [] ? save_stack+0xa9/0xd0
[ 100.348109] [] ? path_lookupat.isra.41+0x410/0x410
[ 100.354658] [] ? __lock_is_held+0xa2/0xf0
[ 100.360423] [] do_filp_open+0x197/0x270
[ 100.366016] [] ? may_open_dev+0xe0/0xe0
[ 100.371610] [] ? _raw_spin_unlock+0x2c/0x50
[ 100.377550] [] ? __alloc_fd+0x1d7/0x4a0
[ 100.386733] [] do_sys_open+0x30d/0x5c0
[ 100.392248] [] ? filp_open+0x70/0x70
[ 100.397589] [] ? up_read+0x1a/0x40
[ 100.402757] [] ? __do_page_fault+0x183/0xd50
[ 100.408790] [] SyS_open+0x2d/0x40
[ 100.413867] [] ? do_sys_open+0x5c0/0x5c0
[ 100.419552] [] do_syscall_64+0x1a6/0x490
[ 100.425239] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 100.432138]
[ 100.433742] Allocated by task 4309:
[ 100.437345] save_stack_trace+0x16/0x20
[ 100.441292] save_stack+0x43/0xd0
[ 100.444720] kasan_kmalloc+0xc7/0xe0
[ 100.448407] kmem_cache_alloc_trace+0xfd/0x2b0
[ 100.452960] alloc_disk_node+0x54/0x3a0
[ 100.456903] alloc_disk+0x18/0x20
[ 100.460328] loop_add+0x33b/0x770
[ 100.463752] loop_probe+0x14f/0x180
[ 100.467353] kobj_lookup+0x223/0x410
[ 100.471036] get_gendisk+0x39/0x2d0
[ 100.474635] __blkdev_get+0x351/0xd60
[ 100.478413] blkdev_get+0x488/0x920
[ 100.482012] blkdev_open+0x1a5/0x250
[ 100.485696] do_dentry_open+0x703/0xc80
[ 100.489640] vfs_open+0x11c/0x210
[ 100.493090] path_openat+0x758/0x3590
[ 100.496861] do_filp_open+0x197/0x270
[ 100.500633] do_sys_open+0x30d/0x5c0
[ 100.504321] compat_SyS_open+0x2a/0x40
[ 100.508181] do_fast_syscall_32+0x2f7/0x870
[ 100.512472] entry_SYSENTER_compat+0x90/0xa2
[ 100.516851]
[ 100.518448] Freed by task 4323:
[ 100.521701] save_stack_trace+0x16/0x20
[ 100.525648] save_stack+0x43/0xd0
[ 100.529074] kasan_slab_free+0x72/0xc0
[ 100.532931] kfree+0xfb/0x310
[ 100.536011] disk_release+0x259/0x330
[ 100.539784] device_release+0x7e/0x220
[ 100.543647] kobject_release+0x103/0x1b0
[ 100.547679] kobject_put+0x6d/0xd0
[ 100.551191] put_disk+0x23/0x30
[ 100.554442] __blkdev_get+0x616/0xd60
[ 100.558214] blkdev_get+0x2da/0x920
[ 100.561811] blkdev_open+0x1a5/0x250
[ 100.565494] do_dentry_open+0x703/0xc80
[ 100.569440] vfs_open+0x11c/0x210
[ 100.572863] path_openat+0x758/0x3590
[ 100.576635] do_filp_open+0x197/0x270
[ 100.580406] do_sys_open+0x30d/0x5c0
[ 100.584092] SyS_open+0x2d/0x40
[ 100.587343] do_syscall_64+0x1a6/0x490
[ 100.591200] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 100.596271]
[ 100.597870] The buggy address belongs to the object at ffff8801d03b9980
[ 100.597870]  which belongs to the cache kmalloc-2048 of size 2048
[ 100.610669] The buggy address is located 1376 bytes inside of
[ 100.610669]  2048-byte region [ffff8801d03b9980, ffff8801d03ba180)
[ 100.622686] The buggy address belongs to the page:
[ 100.627589] page:ffffea000740ee00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 100.637764] flags: 0x8000000000004080(slab|head)
[ 100.642489] page dumped because: kasan: bad access detected
[ 100.648168]
[ 100.649766] Memory state around the buggy address:
[ 100.654669] ffff8801d03b9d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.661997] ffff8801d03b9e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.669328] >ffff8801d03b9e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.676657]                                                        ^
[ 100.683119] ffff8801d03b9f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.690448] ffff8801d03b9f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.698055] ==================================================================
[ 100.705386] Disabling lock debugging due to kernel taint
[ 101.712727] Kernel panic - not syncing: panic_on_warn set ...
[ 101.712727]
[ 101.720140] CPU: 1 PID: 4323 Comm: blkid Tainted: G B 4.9.96-g71fce1e #13
[ 101.728188] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 101.737529] ffff8801cc9df638 ffffffff81eb0b69 ffffffff841c492d 00000000ffffffff
[ 101.745593] 0000000000000000 0000000000000001 0000000000000000 ffff8801cc9df6f8
[ 101.753648] ffffffff8141f975 0000000041b58ab3 ffffffff841b8030 ffffffff8141f7b6
[ 101.761700] Call Trace:
[ 101.764282] [] dump_stack+0xc1/0x128
[ 101.769642] [] panic+0x1bf/0x3bc
[ 101.774653] [] ? add_taint.cold.6+0x16/0x16
[ 101.780613] [] ? ___preempt_schedule+0x16/0x18
[ 101.786836] [] kasan_end_report+0x47/0x4f
[ 101.792625] [] kasan_report.cold.6+0x76/0x2fe
[ 101.798763] [] ? disk_unblock_events+0x51/0x60
[ 101.804991] [] __asan_report_load8_noabort+0x14/0x20
[ 101.811736] [] disk_unblock_events+0x51/0x60
[ 101.817784] [] __blkdev_get+0x6b6/0xd60
[ 101.823399] [] ? __blkdev_put+0x840/0x840
[ 101.829186] [] ? fsnotify+0x114/0x1100
[ 101.834702] [] blkdev_get+0x2da/0x920
[ 101.840126] [] ? bd_may_claim+0xd0/0xd0
[ 101.845721] [] ? bd_acquire+0x27/0x250
[ 101.851230] [] ? bd_acquire+0x88/0x250
[ 101.856746] [] ? _raw_spin_unlock+0x2c/0x50
[ 101.862694] [] blkdev_open+0x1a5/0x250
[ 101.868206] [] do_dentry_open+0x703/0xc80
[ 101.873976] [] ? blkdev_get_by_dev+0x70/0x70
[ 101.880007] [] vfs_open+0x11c/0x210
[ 101.885256] [] ? may_open.isra.57+0x14f/0x2a0
[ 101.891371] [] path_openat+0x758/0x3590
[ 101.896968] [] ? save_stack+0xa9/0xd0
[ 101.902391] [] ? path_lookupat.isra.41+0x410/0x410
[ 101.908944] [] ? __lock_is_held+0xa2/0xf0
[ 101.914714] [] do_filp_open+0x197/0x270
[ 101.920318] [] ? may_open_dev+0xe0/0xe0
[ 101.925922] [] ? _raw_spin_unlock+0x2c/0x50
[ 101.931874] [] ? __alloc_fd+0x1d7/0x4a0
[ 101.937476] [] do_sys_open+0x30d/0x5c0
[ 101.942986] [] ? filp_open+0x70/0x70
[ 101.948321] [] ? up_read+0x1a/0x40
[ 101.953484] [] ? __do_page_fault+0x183/0xd50
[ 101.959513] [] SyS_open+0x2d/0x40
[ 101.964584] [] ? do_sys_open+0x5c0/0x5c0
[ 101.970263] [] do_syscall_64+0x1a6/0x490
[ 101.975946] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 101.983308] Dumping ftrace buffer:
[ 101.986816] (ftrace buffer empty)
[ 101.990494] Kernel Offset: disabled
[ 101.994089] Rebooting in 86400 seconds..