[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 13.872645] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 15.323822] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.633185] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.411009] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.543955] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
[ 21.991822] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 22.092937] ==================================================================
[ 22.100338] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380
[ 22.107326] Write of size 10 at addr ffff8801ca1a0000 by task syz-executor623/3790
[ 22.115000]
[ 22.116606] CPU: 0 PID: 3790 Comm: syz-executor623 Not tainted 4.9.96-g8c01d00 #11
[ 22.124284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.133613] ffff8801c28c7490 ffffffff81eb0b69 ffffea0007286800 ffff8801ca1a0000
[ 22.141602] 0000000000000001 ffff8801ca1a0000 000000000000000a ffff8801c28c74c8
[ 22.149593] ffffffff8156540b ffff8801ca1a0000 000000000000000a 0000000000000001
[ 22.157575] Call Trace:
[ 22.160171] [] dump_stack+0xc1/0x128
[ 22.165508] [] print_address_description+0x6c/0x234
[ 22.172167] [] kasan_report.cold.6+0x242/0x2fe
[ 22.178388] [] ? selinux_sb_copy_data+0x1cd/0x380
[ 22.184860] [] check_memory_region+0x14f/0x1b0
[ 22.191083] [] memcpy+0x37/0x50
[ 22.196017] [] selinux_sb_copy_data+0x1cd/0x380
[ 22.202335] [] security_sb_copy_data+0x7b/0xb0
[ 22.208566] [] parse_security_options+0x36/0x90
[ 22.214882] [] btrfs_mount+0x2f3/0x2bc0
[ 22.220500] [] ? btrfs_remount+0x1360/0x1360
[ 22.226549] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 22.233467] [] ? _find_next_bit.part.0+0xe0/0x120
[ 22.239942] [] ? find_next_bit+0x43/0x50
[ 22.245637] [] ? pcpu_alloc+0x483/0xad0
[ 22.251237] [] ? pcpu_create_chunk+0x430/0x430
[ 22.257460] [] ? __raw_spin_lock_init+0x1c/0x100
[ 22.263840] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 22.270654] [] ? lockdep_init_map+0x105/0x4f0
[ 22.276774] [] ? lockdep_init_map+0x105/0x4f0
[ 22.282894] [] mount_fs+0x28c/0x370
[ 22.288155] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 22.294537] [] vfs_kern_mount+0x40/0x60
[ 22.300145] [] btrfs_mount+0x40b/0x2bc0
[ 22.305745] [] ? btrfs_remount+0x1360/0x1360
[ 22.311783] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 22.318688] [] ? _find_next_bit.part.0+0xe0/0x120
[ 22.325151] [] ? find_next_bit+0x43/0x50
[ 22.330837] [] ? pcpu_alloc+0x483/0xad0
[ 22.336434] [] ? pcpu_create_chunk+0x430/0x430
[ 22.342658] [] ? __raw_spin_lock_init+0x1c/0x100
[ 22.349032] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 22.355862] [] ? lockdep_init_map+0x105/0x4f0
[ 22.361980] [] ? lockdep_init_map+0x105/0x4f0
[ 22.368097] [] mount_fs+0x28c/0x370
[ 22.373346] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 22.379734] [] ? ns_capable_common+0x12a/0x150
[ 22.385961] [] do_mount+0x3c9/0x2740
[ 22.391299] [] ? copy_mount_string+0x40/0x40
[ 22.397328] [] ? kasan_unpoison_shadow+0x35/0x50
[ 22.403716] [] ? kasan_kmalloc+0xc7/0xe0
[ 22.409423] [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 22.415985] [] ? copy_mount_options+0x5f/0x320
[ 22.422201] [] ? copy_mount_options+0x1e5/0x320
[ 22.428505] [] compat_SyS_mount+0x4fc/0xff0
[ 22.434449] [] ? do_fast_syscall_32+0xcf/0x870
[ 22.440657] [] ? compat_SyS_io_submit+0xf0/0xf0
[ 22.446947] [] do_fast_syscall_32+0x2f7/0x870
[ 22.453061] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 22.459698] [] entry_SYSENTER_compat+0x90/0xa2
[ 22.465897]
[ 22.467499] Allocated by task 3742:
[ 22.471114]  save_stack_trace+0x16/0x20
[ 22.475075]  save_stack+0x43/0xd0
[ 22.478510]  kasan_kmalloc+0xc7/0xe0
[ 22.482203]  kmem_cache_alloc_trace+0xfd/0x2b0
[ 22.486767]  sock_alloc_inode+0x66/0x260
[ 22.490802]  alloc_inode+0x63/0x180
[ 22.494401]  new_inode_pseudo+0x17/0xe0
[ 22.498348]  sock_alloc+0x41/0x280
[ 22.501858]  SYSC_accept4+0xff/0x680
[ 22.505540]  SyS_accept+0x26/0x30
[ 22.508963]  do_syscall_64+0x1a6/0x490
[ 22.512820]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 22.517891]
[ 22.519487] Freed by task 17:
[ 22.522568]  save_stack_trace+0x16/0x20
[ 22.526512]  save_stack+0x43/0xd0
[ 22.529943]  kasan_slab_free+0x72/0xc0
[ 22.533806]  kfree+0xfb/0x310
[ 22.536885]  rcu_process_callbacks+0x9d5/0x12b0
[ 22.541524]  __do_softirq+0x20b/0x937
[ 22.545379]
[ 22.546980] The buggy address belongs to the object at ffff8801ca1a0000
[ 22.546980]  which belongs to the cache kmalloc-128 of size 128
[ 22.559608] The buggy address is located 0 bytes inside of
[ 22.559608]  128-byte region [ffff8801ca1a0000, ffff8801ca1a0080)
[ 22.571281] The buggy address belongs to the page:
[ 22.576357] page:ffffea0007286800 count:1 mapcount:0 mapping: (null) index:0x0
[ 22.584765] flags: 0x8000000000000080(slab)
[ 22.589064] page dumped because: kasan: bad access detected
[ 22.594751]
[ 22.596354] Memory state around the buggy address:
[ 22.601257]  ffff8801ca19ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.608586]  ffff8801ca19ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.615918] >ffff8801ca1a0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.623256]                    ^
[ 22.626593]  ffff8801ca1a0080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 22.633924]  ffff8801ca1a0100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 22.641254] ==================================================================
[ 22.648584] Disabling lock debugging due to kernel taint
[ 22.654246] Kernel panic - not syncing: panic_on_warn set ...
[ 22.654246]
[ 22.661598] CPU: 0 PID: 3790 Comm: syz-executor623 Tainted: G B 4.9.96-g8c01d00 #11
[ 22.670494] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.679834] ffff8801c28c73f0 ffffffff81eb0b69 ffffffff841c492d 00000000ffffffff
[ 22.687836] 0000000000000000 0000000000000000 000000000000000a ffff8801c28c74b0
[ 22.695835] ffffffff8141f975 0000000041b58ab3 ffffffff841b8030 ffffffff8141f7b6
[ 22.703823] Call Trace:
[ 22.706387] [] dump_stack+0xc1/0x128
[ 22.711734] [] panic+0x1bf/0x3bc
[ 22.716738] [] ? add_taint.cold.6+0x16/0x16
[ 22.722690] [] ? ___preempt_schedule+0x16/0x18
[ 22.728895] [] kasan_end_report+0x47/0x4f
[ 22.734664] [] kasan_report.cold.6+0x76/0x2fe
[ 22.740782] [] ? selinux_sb_copy_data+0x1cd/0x380
[ 22.747246] [] check_memory_region+0x14f/0x1b0
[ 22.753449] [] memcpy+0x37/0x50
[ 22.758351] [] selinux_sb_copy_data+0x1cd/0x380
[ 22.764656] [] security_sb_copy_data+0x7b/0xb0
[ 22.770870] [] parse_security_options+0x36/0x90
[ 22.777158] [] btrfs_mount+0x2f3/0x2bc0
[ 22.782757] [] ? btrfs_remount+0x1360/0x1360
[ 22.788793] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 22.795787] [] ? _find_next_bit.part.0+0xe0/0x120
[ 22.802262] [] ? find_next_bit+0x43/0x50
[ 22.807946] [] ? pcpu_alloc+0x483/0xad0
[ 22.813639] [] ? pcpu_create_chunk+0x430/0x430
[ 22.819851] [] ? __raw_spin_lock_init+0x1c/0x100
[ 22.826320] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 22.833318] [] ? lockdep_init_map+0x105/0x4f0
[ 22.839453] [] ? lockdep_init_map+0x105/0x4f0
[ 22.845595] [] mount_fs+0x28c/0x370
[ 22.850859] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 22.857243] [] vfs_kern_mount+0x40/0x60
[ 22.862933] [] btrfs_mount+0x40b/0x2bc0
[ 22.868535] [] ? btrfs_remount+0x1360/0x1360
[ 22.874571] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 22.881471] [] ? _find_next_bit.part.0+0xe0/0x120
[ 22.887949] [] ? find_next_bit+0x43/0x50
[ 22.893652] [] ? pcpu_alloc+0x483/0xad0
[ 22.899257] [] ? pcpu_create_chunk+0x430/0x430
[ 22.905487] [] ? __raw_spin_lock_init+0x1c/0x100
[ 22.911869] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 22.918684] [] ? lockdep_init_map+0x105/0x4f0
[ 22.924814] [] ? lockdep_init_map+0x105/0x4f0
[ 22.930971] [] mount_fs+0x28c/0x370
[ 22.936227] [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 22.942875] [] ? ns_capable_common+0x12a/0x150
[ 22.949094] [] do_mount+0x3c9/0x2740
[ 22.954435] [] ? copy_mount_string+0x40/0x40
[ 22.960477] [] ? kasan_unpoison_shadow+0x35/0x50
[ 22.966856] [] ? kasan_kmalloc+0xc7/0xe0
[ 22.972544] [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 22.979189] [] ? copy_mount_options+0x5f/0x320
[ 22.986263] [] ? copy_mount_options+0x1e5/0x320
[ 22.992559] [] compat_SyS_mount+0x4fc/0xff0
[ 22.998527] [] ? do_fast_syscall_32+0xcf/0x870
[ 23.004736] [] ? compat_SyS_io_submit+0xf0/0xf0
[ 23.011034] [] do_fast_syscall_32+0x2f7/0x870
[ 23.017170] [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.023836] [] entry_SYSENTER_compat+0x90/0xa2
[ 23.030627] Dumping ftrace buffer:
[ 23.034158]    (ftrace buffer empty)
[ 23.037845] Kernel Offset: disabled
[ 23.041587] Rebooting in 86400 seconds..