[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.653715] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.975617] audit: type=1400 audit(1538550084.416:6): avc: denied { map } for pid=1760 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 22.018263] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.502977] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.955921] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
[ 50.432842] random: sshd: uninitialized urandom read (32 bytes read)
[ 50.520919] audit: type=1400 audit(1538550112.966:7): avc: denied { map } for pid=1784 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16479 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/10/03 07:01:53 parsed 1 programs
[ 51.227924] audit: type=1400 audit(1538550113.666:8): avc: denied { map } for pid=1784 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 51.732175] random: cc1: uninitialized urandom read (8 bytes read)
2018/10/03 07:01:55 executed programs: 0
[ 52.862976] audit: type=1400 audit(1538550115.296:9): avc: denied { map } for pid=1784 comm="syz-execprog" path="/root/syzkaller-shm091382219" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 58.958296] hrtimer: interrupt took 46473 ns
[ 59.163850] audit: type=1400 audit(1538550121.606:10): avc: denied { create } for pid=4181 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 59.219277] audit: type=1400 audit(1538550121.606:11): avc: denied { write } for pid=4181 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 59.244640] audit: type=1400 audit(1538550121.656:12): avc: denied { read } for pid=4181 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 59.328713] audit: type=1400 audit(1538550121.766:13): avc: denied { prog_load } for pid=4309 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
2018/10/03 07:02:01 executed programs: 6
[ 64.822441] ==================================================================
[ 64.829893] BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50
[ 64.836645] Read of size 8 at addr ffff8801d20e2768 by task blkid/5429
[ 64.843304]
[ 64.844930] CPU: 0 PID: 5429 Comm: blkid Not tainted 4.14.73+ #14
[ 64.851407] Call Trace:
[ 64.853998]  dump_stack+0xb9/0x11b
[ 64.857548]  print_address_description+0x60/0x22b
[ 64.862405]  kasan_report.cold.6+0x11b/0x2dd
[ 64.866814]  ? disk_unblock_events+0x4b/0x50
[ 64.871227]  disk_unblock_events+0x4b/0x50
[ 64.875478]  __blkdev_get+0x68f/0xe50
[ 64.879286]  ? trace_hardirqs_on+0x10/0x10
[ 64.883535]  ? __blkdev_put+0x6e0/0x6e0
[ 64.887515]  ? HARDIRQ_verbose+0x10/0x10
[ 64.891584]  blkdev_get+0x97/0x8c0
[ 64.895147]  ? bd_may_claim+0xe0/0xe0
[ 64.898943]  ? bd_acquire+0x171/0x2c0
[ 64.902755]  ? lock_downgrade+0x560/0x560
[ 64.906902]  ? lock_acquire+0x10f/0x380
[ 64.910884]  ? bd_acquire+0x21/0x2c0
[ 64.914628]  blkdev_open+0x1bd/0x240
[ 64.918346]  ? security_file_open+0x88/0x190
[ 64.922771]  do_dentry_open+0x426/0xda0
[ 64.926756]  ? bd_acquire+0x2c0/0x2c0
[ 64.930584]  vfs_open+0x11c/0x210
[ 64.934053]  path_openat+0x4eb/0x23a0
[ 64.937872]  ? path_mountpoint+0x9a0/0x9a0
[ 64.942108]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 64.946618]  ? trace_hardirqs_on+0x10/0x10
[ 64.950854]  ? check_preemption_disabled+0x34/0x160
[ 64.956129]  ? perf_trace_lock_acquire+0x126/0x4d0
[ 64.961084]  do_filp_open+0x197/0x270
[ 64.964890]  ? may_open_dev+0xd0/0xd0
[ 64.968727]  ? _raw_spin_unlock+0x29/0x40
[ 64.972892]  do_sys_open+0x2ef/0x580
[ 64.976615]  ? filp_open+0x60/0x60
[ 64.980164]  ? up_read+0x17/0x30
[ 64.983533]  ? __do_page_fault+0x64c/0xb60
[ 64.987769]  ? do_syscall_64+0x43/0x4b0
[ 64.991749]  ? do_sys_open+0x580/0x580
[ 64.995641]  do_syscall_64+0x19b/0x4b0
[ 64.999541]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.004734] RIP: 0033:0x7f91cd16f120
[ 65.008443] RSP: 002b:00007ffc84d59528 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 65.016176] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f91cd16f120
[ 65.023642] RDX: 00007ffc84d5af42 RSI: 0000000000000000 RDI: 00007ffc84d5af42
[ 65.030908] RBP: 0000000000000000 R08: 0000000000000078 R09: 0000000000000000
[ 65.038178] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000721030
[ 65.045445] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000005
[ 65.052755]
[ 65.054383] Allocated by task 5372:
[ 65.058013]  kasan_kmalloc.part.1+0x4f/0xd0
[ 65.062329]  kmem_cache_alloc_trace+0x138/0x300
[ 65.066992]  alloc_disk_node+0x5f/0x3b0
[ 65.070969]  loop_add+0x3e9/0x840
[ 65.074417]  loop_probe+0x14f/0x180
[ 65.078054]  kobj_lookup+0x230/0x420
[ 65.081785]  get_gendisk+0x32/0x230
[ 65.085405]  __blkdev_get+0x345/0xe50
[ 65.089229]  blkdev_get+0x456/0x8c0
[ 65.092854]  blkdev_open+0x1bd/0x240
[ 65.096567]  do_dentry_open+0x426/0xda0
[ 65.100542]  vfs_open+0x11c/0x210
[ 65.103990]  path_openat+0x4eb/0x23a0
[ 65.107798]  do_filp_open+0x197/0x270
[ 65.111614]  do_sys_open+0x2ef/0x580
[ 65.115329]  do_syscall_64+0x19b/0x4b0
[ 65.119221]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.124408]
[ 65.126029] Freed by task 5429:
[ 65.129308]  kasan_slab_free+0xac/0x190
[ 65.133291]  kfree+0xf5/0x310
[ 65.136408]  device_release+0xf4/0x1a0
[ 65.140296]  kobject_put+0x146/0x200
[ 65.144007]  put_disk+0x1f/0x30
[ 65.147284]  __blkdev_get+0x5fa/0xe50
[ 65.151083]  blkdev_get+0x97/0x8c0
[ 65.154625]  blkdev_open+0x1bd/0x240
[ 65.158337]  do_dentry_open+0x426/0xda0
[ 65.162307]  vfs_open+0x11c/0x210
[ 65.165758]  path_openat+0x4eb/0x23a0
[ 65.169555]  do_filp_open+0x197/0x270
[ 65.173360]  do_sys_open+0x2ef/0x580
[ 65.177075]  do_syscall_64+0x19b/0x4b0
[ 65.180992]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.186177]
[ 65.187826] The buggy address belongs to the object at ffff8801d20e2200
[ 65.187826]  which belongs to the cache kmalloc-2048 of size 2048
[ 65.200666] The buggy address is located 1384 bytes inside of
[ 65.200666]  2048-byte region [ffff8801d20e2200, ffff8801d20e2a00)
[ 65.212712] The buggy address belongs to the page:
[ 65.217670] page:ffffea0007483800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 65.227640] flags: 0x4000000000008100(slab|head)
[ 65.232419] raw: 4000000000008100 0000000000000000 0000000000000000 00000001000f000f
[ 65.240312] raw: ffffea0007374600 0000000200000002 ffff8801da802800 0000000000000000
[ 65.248186] page dumped because: kasan: bad access detected
[ 65.253912]
[ 65.255569] Memory state around the buggy address:
[ 65.260567]  ffff8801d20e2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
2018/10/03 07:02:07 executed programs: 35
[ 65.267923]  ffff8801d20e2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.275280] >ffff8801d20e2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.282633]                                                           ^
[ 65.289381]  ffff8801d20e2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.296747]  ffff8801d20e2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.304100] ==================================================================
[ 65.311513] Disabling lock debugging due to kernel taint
[ 65.334227] Kernel panic - not syncing: panic_on_warn set ...
[ 65.334227]
[ 65.341644] CPU: 0 PID: 5429 Comm: blkid Tainted: G B 4.14.73+ #14
[ 65.349087] Call Trace:
[ 65.351674]  dump_stack+0xb9/0x11b
[ 65.355216]  panic+0x1bf/0x3a4
[ 65.358407]  ? add_taint.cold.4+0x16/0x16
[ 65.362559]  ? ___preempt_schedule+0x16/0x18
[ 65.366982]  kasan_end_report+0x43/0x49
[ 65.370963]  kasan_report.cold.6+0x77/0x2dd
[ 65.375286]  ? disk_unblock_events+0x4b/0x50
[ 65.379701]  disk_unblock_events+0x4b/0x50
[ 65.383947]  __blkdev_get+0x68f/0xe50
[ 65.387746]  ? trace_hardirqs_on+0x10/0x10
[ 65.391977]  ? __blkdev_put+0x6e0/0x6e0
[ 65.395953]  ? HARDIRQ_verbose+0x10/0x10
[ 65.400016]  blkdev_get+0x97/0x8c0
[ 65.403586]  ? bd_may_claim+0xe0/0xe0
[ 65.407380]  ? bd_acquire+0x171/0x2c0
[ 65.411186]  ? lock_downgrade+0x560/0x560
[ 65.415337]  ? lock_acquire+0x10f/0x380
[ 65.419312]  ? bd_acquire+0x21/0x2c0
[ 65.423034]  blkdev_open+0x1bd/0x240
[ 65.426755]  ? security_file_open+0x88/0x190
[ 65.431171]  do_dentry_open+0x426/0xda0
[ 65.435142]  ? bd_acquire+0x2c0/0x2c0
[ 65.438956]  vfs_open+0x11c/0x210
[ 65.442414]  path_openat+0x4eb/0x23a0
[ 65.446215]  ? path_mountpoint+0x9a0/0x9a0
[ 65.450450]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 65.454960]  ? trace_hardirqs_on+0x10/0x10
[ 65.459191]  ? check_preemption_disabled+0x34/0x160
[ 65.464210]  ? perf_trace_lock_acquire+0x126/0x4d0
[ 65.469162]  do_filp_open+0x197/0x270
[ 65.472982]  ? may_open_dev+0xd0/0xd0
[ 65.476800]  ? _raw_spin_unlock+0x29/0x40
[ 65.480965]  do_sys_open+0x2ef/0x580
[ 65.484681]  ? filp_open+0x60/0x60
[ 65.488230]  ? up_read+0x17/0x30
[ 65.491597]  ? __do_page_fault+0x64c/0xb60
[ 65.495827]  ? do_syscall_64+0x43/0x4b0
[ 65.499788]  ? do_sys_open+0x580/0x580
[ 65.503652]  do_syscall_64+0x19b/0x4b0
[ 65.507520]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 65.512692] RIP: 0033:0x7f91cd16f120
[ 65.516394] RSP: 002b:00007ffc84d59528 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 65.524078] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f91cd16f120
[ 65.531329] RDX: 00007ffc84d5af42 RSI: 0000000000000000 RDI: 00007ffc84d5af42
[ 65.538594] RBP: 0000000000000000 R08: 0000000000000078 R09: 0000000000000000
[ 65.545856] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000721030
[ 65.553120] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000005
[ 65.560674] Kernel Offset: 0x35e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 65.571580] Rebooting in 86400 seconds..