[ 29.115135] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[ 29.803967] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.159367] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 30.697946] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.874515] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[ 36.377273] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 36.489408] kauditd_printk_skb: 10 callbacks suppressed
[ 36.489416] audit: type=1400 audit(1571481878.347:36): avc: denied { map } for pid=6857 comm="syz-executor638" path="/root/syz-executor638862518" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 36.494263] ==================================================================
[ 36.528524] BUG: KASAN: use-after-free in do_blockdev_direct_IO+0x70c1/0x7fd0
[ 36.535775] Read of size 8 at addr ffff8880a5940f08 by task syz-executor638/6857
[ 36.543291]
[ 36.544897] CPU: 0 PID: 6857 Comm: syz-executor638 Not tainted 4.14.150 #0
[ 36.551882] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.561265] Call Trace:
[ 36.563836]  dump_stack+0x138/0x197
[ 36.567441]  ? do_blockdev_direct_IO+0x70c1/0x7fd0
[ 36.572350]  print_address_description.cold+0x7c/0x1dc
[ 36.577604]  ? do_blockdev_direct_IO+0x70c1/0x7fd0
[ 36.582508]  kasan_report.cold+0xa9/0x2af
[ 36.586632]  __asan_report_load8_noabort+0x14/0x20
[ 36.591539]  do_blockdev_direct_IO+0x70c1/0x7fd0
[ 36.596282]  ? __ext4_get_inode_loc+0x392/0xf30
[ 36.600944]  ? sb_init_dio_done_wq+0x80/0x80
[ 36.605335]  ? __lock_acquire+0x2521/0x4620
[ 36.609637]  ? save_trace+0x290/0x290
[ 36.613413]  ? ext4_dio_get_block_unwritten_sync+0xd0/0xd0
[ 36.619019]  ? ext4_dio_get_block_unwritten_sync+0xd0/0xd0
[ 36.624631]  __blockdev_direct_IO+0xa1/0xca
[ 36.628929]  ? write_end_fn+0xa0/0xa0
[ 36.632707]  ext4_direct_IO+0x70d/0x1890
[ 36.636763]  ? ext4_dio_get_block_unwritten_sync+0xd0/0xd0
[ 36.642464]  generic_file_direct_write+0x1e7/0x430
[ 36.647371]  __generic_file_write_iter+0x2bc/0x5b0
[ 36.652291]  ext4_file_write_iter+0x2ac/0xe90
[ 36.656764]  ? ext4_file_mmap+0x2c0/0x2c0
[ 36.660901]  ? __might_sleep+0x93/0xb0
[ 36.664766]  do_iter_readv_writev+0x418/0x670
[ 36.669237]  ? vfs_dedupe_file_range+0x8f0/0x8f0
[ 36.673972]  ? rw_verify_area+0xea/0x2b0
[ 36.678010]  do_iter_write+0x154/0x540
[ 36.681874]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 36.687312]  ? __kmalloc+0x376/0x7a0
[ 36.691003]  vfs_iter_write+0x77/0xb0
[ 36.694954]  iter_file_splice_write+0x572/0xad0
[ 36.699602]  ? default_file_splice_read+0x7b0/0x7b0
[ 36.704593]  ? __lock_is_held+0xb6/0x140
[ 36.708647]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 36.713379]  ? __sb_start_write+0x153/0x2f0
[ 36.717703]  ? default_file_splice_read+0x7b0/0x7b0
[ 36.722703]  SyS_splice+0xd92/0x1430
[ 36.726395]  ? do_sys_open+0x221/0x430
[ 36.730262]  ? compat_SyS_vmsplice+0x250/0x250
[ 36.734822]  ? do_syscall_64+0x53/0x640
[ 36.738772]  ? compat_SyS_vmsplice+0x250/0x250
[ 36.743330]  do_syscall_64+0x1e8/0x640
[ 36.747203]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.752043]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.757207] RIP: 0033:0x440309
[ 36.760389] RSP: 002b:00007ffe6bef4568 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 36.768083] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 36.775348] RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004
[ 36.782605] RBP: 00000000006ca018 R08: 00000000ffffffff R09: 0000000000000000
[ 36.789850] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 36.797097] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 36.804361]
[ 36.805966] Allocated by task 6835:
[ 36.809578]  save_stack_trace+0x16/0x20
[ 36.813529]  save_stack+0x45/0xd0
[ 36.816956]  kasan_kmalloc+0xce/0xf0
[ 36.820645]  kasan_slab_alloc+0xf/0x20
[ 36.824508]  kmem_cache_alloc+0x12e/0x780
[ 36.828647]  getname_kernel+0x53/0x350
[ 36.832512]  open_exec+0x18/0x70
[ 36.835855]  load_elf_binary+0x77c/0x4d60
[ 36.839976]  search_binary_handler+0x149/0x6f0
[ 36.844531]  do_execveat_common.isra.0+0x1000/0x1dd0
[ 36.849616]  SyS_execve+0x39/0x50
[ 36.853045]  do_syscall_64+0x1e8/0x640
[ 36.856908]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.862071]
[ 36.863684] Freed by task 6835:
[ 36.866943]  save_stack_trace+0x16/0x20
[ 36.870890]  save_stack+0x45/0xd0
[ 36.874318]  kasan_slab_free+0x75/0xc0
[ 36.878200]  kmem_cache_free+0x83/0x2b0
[ 36.882152]  putname+0xdb/0x120
[ 36.885413]  open_exec+0x42/0x70
[ 36.888768]  load_elf_binary+0x77c/0x4d60
[ 36.892891]  search_binary_handler+0x149/0x6f0
[ 36.897448]  do_execveat_common.isra.0+0x1000/0x1dd0
[ 36.902527]  SyS_execve+0x39/0x50
[ 36.905956]  do_syscall_64+0x1e8/0x640
[ 36.909817]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.914987]
[ 36.916604] The buggy address belongs to the object at ffff8880a59404c0
[ 36.916604]  which belongs to the cache names_cache of size 4096
[ 36.929335] The buggy address is located 2632 bytes inside of
[ 36.929335]  4096-byte region [ffff8880a59404c0, ffff8880a59414c0)
[ 36.941368] The buggy address belongs to the page:
[ 36.946275] page:ffffea0002965000 count:1 mapcount:0 mapping:ffff8880a59404c0 index:0x0 compound_mapcount: 0
[ 36.956218] flags: 0x1fffc0000008100(slab|head)
[ 36.960864] raw: 01fffc0000008100 ffff8880a59404c0 0000000000000000 0000000100000001
[ 36.968721] raw: ffffea000298b620 ffffea0001f73320 ffff8880aa9e0cc0 0000000000000000
[ 36.976576] page dumped because: kasan: bad access detected
[ 36.982260]
[ 36.983862] Memory state around the buggy address:
[ 36.988761]  ffff8880a5940e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.996095]  ffff8880a5940e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.003438] >ffff8880a5940f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.010770]                       ^
[ 37.014369]  ffff8880a5940f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.021699]  ffff8880a5941000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.029033] ==================================================================
[ 37.036364] Disabling lock debugging due to kernel taint
[ 37.042184] Kernel panic - not syncing: panic_on_warn set ...
[ 37.042184]
[ 37.049542] CPU: 0 PID: 6857 Comm: syz-executor638 Tainted: G B 4.14.150 #0
[ 37.057752] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.067098] Call Trace:
[ 37.069667]  dump_stack+0x138/0x197
[ 37.073271]  ? do_blockdev_direct_IO+0x70c1/0x7fd0
[ 37.078173]  panic+0x1f9/0x42d
[ 37.081338]  ? add_taint.cold+0x16/0x16
[ 37.085287]  ? ___preempt_schedule+0x16/0x18
[ 37.089678]  kasan_end_report+0x47/0x4f
[ 37.093626]  kasan_report.cold+0x130/0x2af
[ 37.097838]  __asan_report_load8_noabort+0x14/0x20
[ 37.102748]  do_blockdev_direct_IO+0x70c1/0x7fd0
[ 37.107478]  ? __ext4_get_inode_loc+0x392/0xf30
[ 37.112126]  ? sb_init_dio_done_wq+0x80/0x80
[ 37.116518]  ? __lock_acquire+0x2521/0x4620
[ 37.120816]  ? save_trace+0x290/0x290
[ 37.124590]  ? ext4_dio_get_block_unwritten_sync+0xd0/0xd0
[ 37.130190]  ? ext4_dio_get_block_unwritten_sync+0xd0/0xd0
[ 37.135786]  __blockdev_direct_IO+0xa1/0xca
[ 37.140083]  ? write_end_fn+0xa0/0xa0
[ 37.143857]  ext4_direct_IO+0x70d/0x1890
[ 37.147890]  ? ext4_dio_get_block_unwritten_sync+0xd0/0xd0
[ 37.153500]  generic_file_direct_write+0x1e7/0x430
[ 37.158402]  __generic_file_write_iter+0x2bc/0x5b0
[ 37.163308]  ext4_file_write_iter+0x2ac/0xe90
[ 37.167788]  ? ext4_file_mmap+0x2c0/0x2c0
[ 37.171913]  ? __might_sleep+0x93/0xb0
[ 37.175775]  do_iter_readv_writev+0x418/0x670
[ 37.180256]  ? vfs_dedupe_file_range+0x8f0/0x8f0
[ 37.184998]  ? rw_verify_area+0xea/0x2b0
[ 37.189044]  do_iter_write+0x154/0x540
[ 37.192906]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 37.198417]  ? __kmalloc+0x376/0x7a0
[ 37.202105]  vfs_iter_write+0x77/0xb0
[ 37.205881]  iter_file_splice_write+0x572/0xad0
[ 37.210539]  ? default_file_splice_read+0x7b0/0x7b0
[ 37.215555]  ? __lock_is_held+0xb6/0x140
[ 37.219605]  ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 37.224336]  ? __sb_start_write+0x153/0x2f0
[ 37.228631]  ? default_file_splice_read+0x7b0/0x7b0
[ 37.233620]  SyS_splice+0xd92/0x1430
[ 37.237310]  ? do_sys_open+0x221/0x430
[ 37.241172]  ? compat_SyS_vmsplice+0x250/0x250
[ 37.245730]  ? do_syscall_64+0x53/0x640
[ 37.249699]  ? compat_SyS_vmsplice+0x250/0x250
[ 37.254279]  do_syscall_64+0x1e8/0x640
[ 37.258148]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.262973]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 37.268139] RIP: 0033:0x440309
[ 37.271306] RSP: 002b:00007ffe6bef4568 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 37.278988] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 37.286248] RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004
[ 37.293512] RBP: 00000000006ca018 R08: 00000000ffffffff R09: 0000000000000000
[ 37.300764] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 37.308020] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 37.316492] Kernel Offset: disabled
[ 37.320120] Rebooting in 86400 seconds..