[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 9.307676] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 26.665674] random: sshd: uninitialized urandom read (32 bytes read) [ 26.755579] random: crng init done Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts. 2019/01/10 15:00:08 parsed 1 programs 2019/01/10 15:00:10 executed programs: 0 [ 50.767506] audit: type=1400 audit(1547132410.542:5): avc: denied { sys_admin } for pid=2074 comm="syz-executor3" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 50.798089] audit: type=1400 audit(1547132410.572:6): avc: denied { net_admin } for pid=2079 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 50.996255] audit: type=1400 audit(1547132410.772:7): avc: denied { sys_chroot } for pid=2079 comm="syz-executor5" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 51.030296] audit: type=1400 audit(1547132410.802:8): avc: denied { associate } for pid=2079 comm="syz-executor5" name="syz5" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 2019/01/10 15:00:15 executed programs: 170 [ 55.830379] ================================================================== [ 55.837790] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 [ 55.845311] Read of size 8 at addr ffff8801d6e5f3e0 by task syz-executor4/2931 [ 55.852644] [ 55.854272] CPU: 0 PID: 2931 Comm: syz-executor4 Not tainted 4.9.141+ #23 [ 55.861187] ffff8801d64a76e8 ffffffff81b42e79 ffffea00075b9600 ffff8801d6e5f3e0 [ 55.869252] 0000000000000000 ffff8801d6e5f3e0 0000000000000000 ffff8801d64a7720 [ 55.877342] ffffffff815009b8 ffff8801d6e5f3e0 0000000000000008 0000000000000000 [ 55.885469] Call Trace: [ 55.888064] [] dump_stack+0xc1/0x128 [ 55.893435] [] print_address_description+0x6c/0x234 [ 55.900091] [] kasan_report.cold.6+0x242/0x2fe [ 55.906819] [] ? disk_unblock_events+0x51/0x60 [ 55.913039] [] __asan_report_load8_noabort+0x14/0x20 [ 55.919789] [] disk_unblock_events+0x51/0x60 [ 55.925872] [] __blkdev_get+0x6b6/0xd60 [ 55.931503] [] ? __blkdev_put+0x840/0x840 [ 55.937291] [] ? fsnotify+0x114/0x1100 [ 55.942834] [] blkdev_get+0x2da/0x920 [ 55.948287] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 55.955047] [] ? bd_may_claim+0xd0/0xd0 [ 55.960678] [] ? bd_acquire+0x27/0x250 [ 55.966229] [] ? bd_acquire+0x88/0x250 [ 55.971745] [] ? _raw_spin_unlock+0x2c/0x50 [ 55.977688] [] blkdev_open+0x1a5/0x250 [ 55.983196] [] do_dentry_open+0x3ef/0xc90 [ 55.988965] [] ? blkdev_get_by_dev+0x70/0x70 [ 55.995012] [] vfs_open+0x11c/0x210 [ 56.000262] [] ? may_open.isra.20+0x14f/0x2a0 [ 56.006383] [] path_openat+0x542/0x2790 [ 56.011992] [] ? path_mountpoint+0x6c0/0x6c0 [ 56.018032] [] ? trace_hardirqs_on+0x10/0x10 [ 56.024063] [] ? trace_hardirqs_on+0x10/0x10 [ 56.030095] [] ? expand_files.part.3+0x3a9/0x6d0 [ 56.036471] [] do_filp_open+0x197/0x270 [ 56.042197] [] ? may_open_dev+0xe0/0xe0 [ 56.047792] [] ? _raw_spin_unlock+0x2c/0x50 [ 56.053734] [] ? __alloc_fd+0x1d7/0x4a0 [ 56.059332] [] do_sys_open+0x30d/0x5c0 [ 56.064864] [] ? filp_open+0x70/0x70 [ 56.070224] [] ? up_read+0x1a/0x40 [ 56.075388] [] ? compat_SyS_clock_settime+0x1a0/0x1a0 [ 56.082200] [] compat_SyS_open+0x2a/0x40 [ 56.087884] [] ? compat_SyS_getdents64+0x280/0x280 [ 56.094456] [] do_fast_syscall_32+0x2f1/0xa10 [ 56.100578] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 56.107218] [] entry_SYSENTER_compat+0x90/0xa2 [ 56.113419] [ 56.115035] Allocated by task 2925: [ 56.118634] save_stack_trace+0x16/0x20 [ 56.122580] kasan_kmalloc.part.1+0x62/0xf0 [ 56.126872] kasan_kmalloc+0xaf/0xc0 [ 56.130568] kmem_cache_alloc_trace+0x117/0x2e0 [ 56.135215] alloc_disk_node+0x54/0x3a0 [ 56.139170] alloc_disk+0x18/0x20 [ 56.142621] loop_add+0x368/0x7a0 [ 56.146068] loop_probe+0x14f/0x180 [ 56.149667] kobj_lookup+0x223/0x410 [ 56.153350] get_gendisk+0x39/0x2d0 [ 56.156951] __blkdev_get+0x351/0xd60 [ 56.160724] blkdev_get+0x2da/0x920 [ 56.164324] blkdev_open+0x1a5/0x250 [ 56.168011] do_dentry_open+0x3ef/0xc90 [ 56.171957] vfs_open+0x11c/0x210 [ 56.175386] path_openat+0x542/0x2790 [ 56.179159] do_filp_open+0x197/0x270 [ 56.182933] do_sys_open+0x30d/0x5c0 [ 56.186620] compat_SyS_open+0x2a/0x40 [ 56.190480] do_fast_syscall_32+0x2f1/0xa10 [ 56.194773] entry_SYSENTER_compat+0x90/0xa2 [ 56.199149] [ 56.200751] Freed by task 2931: [ 56.204030] save_stack_trace+0x16/0x20 [ 56.207999] kasan_slab_free+0xac/0x190 [ 56.211968] kfree+0xfb/0x310 [ 56.215059] disk_release+0x259/0x330 [ 56.218879] device_release+0x7e/0x220 [ 56.222739] kobject_put+0x148/0x250 [ 56.226440] put_disk+0x23/0x30 [ 56.229707] __blkdev_get+0x616/0xd60 [ 56.233486] blkdev_get+0x2da/0x920 [ 56.237083] blkdev_open+0x1a5/0x250 [ 56.240769] do_dentry_open+0x3ef/0xc90 [ 56.244733] vfs_open+0x11c/0x210 [ 56.248155] path_openat+0x542/0x2790 [ 56.251956] do_filp_open+0x197/0x270 [ 56.255736] do_sys_open+0x30d/0x5c0 [ 56.259437] compat_SyS_open+0x2a/0x40 [ 56.263297] do_fast_syscall_32+0x2f1/0xa10 [ 56.267599] entry_SYSENTER_compat+0x90/0xa2 [ 56.272000] [ 56.273611] The buggy address belongs to the object at ffff8801d6e5ee80 [ 56.273611] which belongs to the cache kmalloc-2048 of size 2048 [ 56.286411] The buggy address is located 1376 bytes inside of [ 56.286411] 2048-byte region [ffff8801d6e5ee80, ffff8801d6e5f680) [ 56.298427] The buggy address belongs to the page: [ 56.303333] page:ffffea00075b9600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 56.313508] flags: 0x4000000000004080(slab|head) [ 56.318231] page dumped because: kasan: bad access detected [ 56.323906] [ 56.325521] Memory state around the buggy address: [ 56.330436] ffff8801d6e5f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.337778] ffff8801d6e5f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.345108] >ffff8801d6e5f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.352456] ^ [ 56.358940] ffff8801d6e5f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.366270] ffff8801d6e5f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.373612] ================================================================== [ 56.380950] Disabling lock debugging due to kernel taint [ 56.390424] Kernel panic - not syncing: panic_on_warn set ... [ 56.390424] [ 56.397833] CPU: 0 PID: 2931 Comm: syz-executor4 Tainted: G B 4.9.141+ #23 [ 56.405945] ffff8801d64a7648 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 56.413961] 0000000000000000 0000000000000000 0000000000000000 ffff8801d64a7708 [ 56.421987] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 56.429998] Call Trace: [ 56.432575] [] dump_stack+0xc1/0x128 [ 56.437927] [] panic+0x1bf/0x39f [ 56.442933] [] ? add_taint.cold.5+0x16/0x16 [ 56.448920] [] ? ___preempt_schedule+0x16/0x18 [ 56.455124] [] kasan_end_report+0x47/0x4f [ 56.460913] [] kasan_report.cold.6+0x76/0x2fe [ 56.467065] [] ? disk_unblock_events+0x51/0x60 [ 56.473271] [] __asan_report_load8_noabort+0x14/0x20 [ 56.480012] [] disk_unblock_events+0x51/0x60 [ 56.486068] [] __blkdev_get+0x6b6/0xd60 [ 56.491665] [] ? __blkdev_put+0x840/0x840 [ 56.497436] [] ? fsnotify+0x114/0x1100 [ 56.502978] [] blkdev_get+0x2da/0x920 [ 56.508443] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 56.515173] [] ? bd_may_claim+0xd0/0xd0 [ 56.520790] [] ? bd_acquire+0x27/0x250 [ 56.526314] [] ? bd_acquire+0x88/0x250 [ 56.531823] [] ? _raw_spin_unlock+0x2c/0x50 [ 56.537781] [] blkdev_open+0x1a5/0x250 [ 56.543291] [] do_dentry_open+0x3ef/0xc90 [ 56.549062] [] ? blkdev_get_by_dev+0x70/0x70 [ 56.555118] [] vfs_open+0x11c/0x210 [ 56.560368] [] ? may_open.isra.20+0x14f/0x2a0 [ 56.566485] [] path_openat+0x542/0x2790 [ 56.572101] [] ? path_mountpoint+0x6c0/0x6c0 [ 56.578137] [] ? trace_hardirqs_on+0x10/0x10 [ 56.584169] [] ? trace_hardirqs_on+0x10/0x10 [ 56.590200] [] ? expand_files.part.3+0x3a9/0x6d0 [ 56.596578] [] do_filp_open+0x197/0x270 [ 56.602174] [] ? may_open_dev+0xe0/0xe0 [ 56.607799] [] ? _raw_spin_unlock+0x2c/0x50 [ 56.613750] [] ? __alloc_fd+0x1d7/0x4a0 [ 56.619346] [] do_sys_open+0x30d/0x5c0 [ 56.624887] [] ? filp_open+0x70/0x70 [ 56.630238] [] ? up_read+0x1a/0x40 [ 56.635409] [] ? compat_SyS_clock_settime+0x1a0/0x1a0 [ 56.642231] [] compat_SyS_open+0x2a/0x40 [ 56.647915] [] ? compat_SyS_getdents64+0x280/0x280 [ 56.654467] [] do_fast_syscall_32+0x2f1/0xa10 [ 56.660604] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 56.667272] [] entry_SYSENTER_compat+0x90/0xa2 [ 56.673836] Kernel Offset: disabled [ 56.677446] Rebooting in 86400 seconds..