Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 10.835610] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 11.940077] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts. 2019/09/24 15:49:39 parsed 1 programs 2019/09/24 15:49:41 executed programs: 0 syzkaller login: [ 50.881863] audit: type=1400 audit(1569340181.271:5): avc: denied { sys_admin } for pid=2075 comm="syz-executor.4" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 50.914699] audit: type=1400 audit(1569340181.311:6): avc: denied { net_admin } for pid=2083 comm="syz-executor.2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 51.324999] audit: type=1400 audit(1569340181.721:7): avc: denied { sys_chroot } for pid=2083 comm="syz-executor.2" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 51.350496] audit: type=1400 audit(1569340181.741:8): avc: denied { associate } for pid=2083 comm="syz-executor.2" name="syz2" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 [ 55.654351] ================================================================== [ 55.661840] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 [ 55.668621] Read of size 8 at addr ffff8801d2d851e0 by task syz-executor.3/3030 [ 55.676070] [ 55.677701] CPU: 0 PID: 3030 Comm: syz-executor.3 Not tainted 4.9.141+ #23 [ 55.684901] ffff8801d193f6e8 ffffffff81b42e79 ffffea00074b6000 ffff8801d2d851e0 [ 55.693017] 0000000000000000 ffff8801d2d851e0 0000000000000000 ffff8801d193f720 [ 55.701094] ffffffff815009b8 ffff8801d2d851e0 0000000000000008 0000000000000000 [ 55.709185] Call Trace: [ 55.711873] [] dump_stack+0xc1/0x128 [ 55.717245] [] print_address_description+0x6c/0x234 [ 55.724103] [] kasan_report.cold.6+0x242/0x2fe [ 55.730347] [] ? disk_unblock_events+0x51/0x60 [ 55.736592] [] __asan_report_load8_noabort+0x14/0x20 [ 55.743453] [] disk_unblock_events+0x51/0x60 [ 55.749523] [] __blkdev_get+0x6b6/0xd60 [ 55.755156] [] ? __blkdev_put+0x840/0x840 [ 55.761027] [] ? fsnotify+0x114/0x1100 [ 55.766571] [] blkdev_get+0x2da/0x920 [ 55.772035] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 55.778884] [] ? bd_may_claim+0xd0/0xd0 [ 55.784525] [] ? bd_acquire+0x27/0x250 [ 55.790070] [] ? bd_acquire+0x88/0x250 [ 55.795705] [] ? _raw_spin_unlock+0x2c/0x50 [ 55.802001] [] blkdev_open+0x1a5/0x250 [ 55.807556] [] do_dentry_open+0x3ef/0xc90 [ 55.813404] [] ? blkdev_get_by_dev+0x70/0x70 [ 55.820341] [] vfs_open+0x11c/0x210 [ 55.825626] [] ? may_open.isra.20+0x14f/0x2a0 [ 55.831807] [] path_openat+0x542/0x2790 [ 55.837441] [] ? path_mountpoint+0x6c0/0x6c0 [ 55.843636] [] ? trace_hardirqs_on+0x10/0x10 [ 55.849700] [] ? trace_hardirqs_on+0x10/0x10 [ 55.856242] [] ? expand_files.part.3+0x3a9/0x6d0 [ 55.862676] [] do_filp_open+0x197/0x270 [ 55.868309] [] ? may_open_dev+0xe0/0xe0 [ 55.873945] [] ? _raw_spin_unlock+0x2c/0x50 [ 55.879931] [] ? __alloc_fd+0x1d7/0x4a0 [ 55.885651] [] do_sys_open+0x30d/0x5c0 [ 55.891221] [] ? filp_open+0x70/0x70 [ 55.896598] [] ? up_read+0x1a/0x40 [ 55.901802] [] ? compat_SyS_clock_settime+0x1a0/0x1a0 [ 55.908655] [] compat_SyS_open+0x2a/0x40 [ 55.914397] [] ? compat_SyS_getdents64+0x280/0x280 [ 55.921080] [] do_fast_syscall_32+0x2f1/0xa10 [ 55.927246] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 55.933924] [] entry_SYSENTER_compat+0x90/0xa2 [ 55.940184] [ 55.941815] Allocated by task 3018: [ 55.945448] save_stack_trace+0x16/0x20 [ 55.949425] kasan_kmalloc.part.1+0x62/0xf0 [ 55.953749] kasan_kmalloc+0xaf/0xc0 [ 55.957553] kmem_cache_alloc_trace+0x117/0x2e0 [ 55.962230] alloc_disk_node+0x54/0x3a0 [ 55.966470] alloc_disk+0x18/0x20 [ 55.969927] loop_add+0x368/0x7a0 [ 55.973384] loop_probe+0x14f/0x180 [ 55.977015] kobj_lookup+0x223/0x410 [ 55.980733] get_gendisk+0x39/0x2d0 [ 55.984359] __blkdev_get+0x351/0xd60 [ 55.988159] blkdev_get+0x2da/0x920 [ 55.991785] blkdev_open+0x1a5/0x250 [ 55.995502] do_dentry_open+0x3ef/0xc90 [ 55.999479] vfs_open+0x11c/0x210 2019/09/24 15:49:46 executed programs: 201 [ 56.002936] path_openat+0x542/0x2790 [ 56.006739] do_filp_open+0x197/0x270 [ 56.010550] do_sys_open+0x30d/0x5c0 [ 56.014268] compat_SyS_open+0x2a/0x40 [ 56.018165] do_fast_syscall_32+0x2f1/0xa10 [ 56.022490] entry_SYSENTER_compat+0x90/0xa2 [ 56.026900] [ 56.028783] Freed by task 3030: [ 56.032070] save_stack_trace+0x16/0x20 [ 56.036048] kasan_slab_free+0xac/0x190 [ 56.040091] kfree+0xfb/0x310 [ 56.043194] disk_release+0x259/0x330 [ 56.046992] device_release+0x7e/0x220 [ 56.050888] kobject_put+0x148/0x250 [ 56.054602] put_disk+0x23/0x30 [ 56.057912] __blkdev_get+0x616/0xd60 [ 56.061712] blkdev_get+0x2da/0x920 [ 56.065427] blkdev_open+0x1a5/0x250 [ 56.069139] do_dentry_open+0x3ef/0xc90 [ 56.073203] vfs_open+0x11c/0x210 [ 56.076660] path_openat+0x542/0x2790 [ 56.080473] do_filp_open+0x197/0x270 [ 56.084277] do_sys_open+0x30d/0x5c0 [ 56.088087] compat_SyS_open+0x2a/0x40 [ 56.091975] do_fast_syscall_32+0x2f1/0xa10 [ 56.096305] entry_SYSENTER_compat+0x90/0xa2 [ 56.100705] [ 56.102331] The buggy address belongs to the object at ffff8801d2d84c80 [ 56.102331] which belongs to the cache kmalloc-2048 of size 2048 [ 56.115166] The buggy address is located 1376 bytes inside of [ 56.115166] 2048-byte region [ffff8801d2d84c80, ffff8801d2d85480) [ 56.127216] The buggy address belongs to the page: [ 56.132148] page:ffffea00074b6000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 56.142487] flags: 0x4000000000004080(slab|head) [ 56.147271] page dumped because: kasan: bad access detected [ 56.153083] [ 56.154702] Memory state around the buggy address: [ 56.159790] ffff8801d2d85080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.167139] ffff8801d2d85100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.174513] >ffff8801d2d85180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.181863] ^ [ 56.188455] ffff8801d2d85200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.196255] ffff8801d2d85280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.203744] ================================================================== [ 56.211095] Disabling lock debugging due to kernel taint [ 56.222018] Kernel panic - not syncing: panic_on_warn set ... [ 56.222018] [ 56.229527] CPU: 0 PID: 3030 Comm: syz-executor.3 Tainted: G B 4.9.141+ #23 [ 56.237864] ffff8801d193f648 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 56.246055] 0000000000000000 0000000000000000 0000000000000000 ffff8801d193f708 [ 56.254085] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 56.262258] Call Trace: [ 56.264946] [] dump_stack+0xc1/0x128 [ 56.270653] [] panic+0x1bf/0x39f [ 56.275789] [] ? add_taint.cold.5+0x16/0x16 [ 56.281904] [] ? ___preempt_schedule+0x16/0x18 [ 56.288285] [] kasan_end_report+0x47/0x4f [ 56.294371] [] kasan_report.cold.6+0x76/0x2fe [ 56.300522] [] ? disk_unblock_events+0x51/0x60 [ 56.306754] [] __asan_report_load8_noabort+0x14/0x20 [ 56.313618] [] disk_unblock_events+0x51/0x60 [ 56.319672] [] __blkdev_get+0x6b6/0xd60 [ 56.325375] [] ? __blkdev_put+0x840/0x840 [ 56.331162] [] ? fsnotify+0x114/0x1100 [ 56.337047] [] blkdev_get+0x2da/0x920 [ 56.342496] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 56.349245] [] ? bd_may_claim+0xd0/0xd0 [ 56.354948] [] ? bd_acquire+0x27/0x250 [ 56.360735] [] ? bd_acquire+0x88/0x250 [ 56.367145] [] ? _raw_spin_unlock+0x2c/0x50 [ 56.373114] [] blkdev_open+0x1a5/0x250 [ 56.378656] [] do_dentry_open+0x3ef/0xc90 [ 56.384448] [] ? blkdev_get_by_dev+0x70/0x70 [ 56.390597] [] vfs_open+0x11c/0x210 [ 56.396483] [] ? may_open.isra.20+0x14f/0x2a0 [ 56.402627] [] path_openat+0x542/0x2790 [ 56.408235] [] ? path_mountpoint+0x6c0/0x6c0 [ 56.414307] [] ? trace_hardirqs_on+0x10/0x10 [ 56.420347] [] ? trace_hardirqs_on+0x10/0x10 [ 56.426391] [] ? expand_files.part.3+0x3a9/0x6d0 [ 56.432824] [] do_filp_open+0x197/0x270 [ 56.438467] [] ? may_open_dev+0xe0/0xe0 [ 56.445394] [] ? _raw_spin_unlock+0x2c/0x50 [ 56.451393] [] ? __alloc_fd+0x1d7/0x4a0 [ 56.457002] [] do_sys_open+0x30d/0x5c0 [ 56.462527] [] ? filp_open+0x70/0x70 [ 56.468585] [] ? up_read+0x1a/0x40 [ 56.473788] [] ? compat_SyS_clock_settime+0x1a0/0x1a0 [ 56.480724] [] compat_SyS_open+0x2a/0x40 [ 56.486462] [] ? compat_SyS_getdents64+0x280/0x280 [ 56.493044] [] do_fast_syscall_32+0x2f1/0xa10 [ 56.499199] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 56.505854] [] entry_SYSENTER_compat+0x90/0xa2 [ 56.512868] Kernel Offset: disabled [ 56.516491] Rebooting in 86400 seconds..