[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [ 11.067711] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [ 11.750571] random: crng init done Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.106' (ECDSA) to the list of known hosts. 2019/07/22 04:53:11 parsed 1 programs 2019/07/22 04:53:12 executed programs: 0 syzkaller login: [ 40.240970] audit: type=1400 audit(1563771192.956:5): avc: denied { sys_admin } for pid=2068 comm="syz-executor.1" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 40.290667] audit: type=1400 audit(1563771193.006:6): avc: denied { net_admin } for pid=2075 comm="syz-executor.1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 40.719351] audit: type=1400 audit(1563771193.436:7): avc: denied { sys_chroot } for pid=2075 comm="syz-executor.1" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 [ 40.744804] audit: type=1400 audit(1563771193.456:8): avc: denied { associate } for pid=2074 comm="syz-executor.3" name="syz3" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1 2019/07/22 04:53:17 executed programs: 142 [ 45.544621] ================================================================== [ 45.553935] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60 [ 45.562648] Read of size 8 at addr ffff8801d692a760 by task syz-executor.2/2976 [ 45.571234] [ 45.572973] CPU: 0 PID: 2976 Comm: syz-executor.2 Not tainted 4.9.141+ #1 [ 45.580000] ffff8801d39376f8 ffffffff81b42e79 ffffea00075a4a00 ffff8801d692a760 [ 45.588662] 0000000000000000 ffff8801d692a760 0000000000000000 ffff8801d3937730 [ 45.598033] ffffffff815009b8 ffff8801d692a760 0000000000000008 0000000000000000 [ 45.607654] Call Trace: [ 45.610516] [] dump_stack+0xc1/0x128 [ 45.616501] [] print_address_description+0x6c/0x234 [ 45.624023] [] kasan_report.cold.6+0x242/0x2fe [ 45.630878] [] ? disk_unblock_events+0x51/0x60 [ 45.637315] [] __asan_report_load8_noabort+0x14/0x20 [ 45.645181] [] disk_unblock_events+0x51/0x60 [ 45.652962] [] __blkdev_get+0x6b6/0xd60 [ 45.661776] [] ? __blkdev_put+0x840/0x840 [ 45.668101] [] ? fsnotify+0x114/0x1100 [ 45.674027] [] blkdev_get+0x2da/0x920 [ 45.679789] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 45.687094] [] ? bd_may_claim+0xd0/0xd0 [ 45.693537] [] ? bd_acquire+0x27/0x250 [ 45.701333] [] ? bd_acquire+0x88/0x250 [ 45.707951] [] ? _raw_spin_unlock+0x2c/0x50 [ 45.714458] [] blkdev_open+0x1a5/0x250 [ 45.720662] [] do_dentry_open+0x3ef/0xc90 [ 45.727007] [] ? blkdev_get_by_dev+0x70/0x70 [ 45.733707] [] vfs_open+0x11c/0x210 [ 45.740331] [] ? may_open.isra.20+0x14f/0x2a0 [ 45.747702] [] path_openat+0x542/0x2790 [ 45.753562] [] ? path_mountpoint+0x6c0/0x6c0 [ 45.760239] [] ? trace_hardirqs_on+0x10/0x10 [ 45.767375] [] ? expand_files.part.3+0x3a9/0x6d0 [ 45.774867] [] do_filp_open+0x197/0x270 [ 45.780993] [] ? may_open_dev+0xe0/0xe0 [ 45.787260] [] ? _raw_spin_unlock+0x2c/0x50 [ 45.793638] [] ? __alloc_fd+0x1d7/0x4a0 [ 45.800859] [] do_sys_open+0x30d/0x5c0 [ 45.807225] [] ? filp_open+0x70/0x70 [ 45.813051] [] ? __might_fault+0x18e/0x1d0 [ 45.819990] [] ? __might_fault+0xe4/0x1d0 [ 45.828458] [] ? SyS_clock_settime+0x220/0x220 [ 45.835931] [] SyS_open+0x2d/0x40 [ 45.842174] [] ? do_sys_open+0x5c0/0x5c0 [ 45.849942] [] do_syscall_64+0x19f/0x550 [ 45.859023] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 45.868581] [ 45.870881] Allocated by task 2964: [ 45.874810] save_stack_trace+0x16/0x20 [ 45.879237] kasan_kmalloc.part.1+0x62/0xf0 [ 45.884100] kasan_kmalloc+0xaf/0xc0 [ 45.888384] kmem_cache_alloc_trace+0x117/0x2e0 [ 45.893335] alloc_disk_node+0x54/0x3a0 [ 45.897533] alloc_disk+0x18/0x20 [ 45.901318] loop_add+0x368/0x7a0 [ 45.905056] loop_probe+0x14f/0x180 [ 45.909230] kobj_lookup+0x223/0x410 [ 45.913343] get_gendisk+0x39/0x2d0 [ 45.917291] __blkdev_get+0x351/0xd60 [ 45.921519] blkdev_get+0x2da/0x920 [ 45.925265] blkdev_open+0x1a5/0x250 [ 45.929579] do_dentry_open+0x3ef/0xc90 [ 45.935212] vfs_open+0x11c/0x210 [ 45.938899] path_openat+0x542/0x2790 [ 45.942801] do_filp_open+0x197/0x270 [ 45.948083] do_sys_open+0x30d/0x5c0 [ 45.952708] SyS_open+0x2d/0x40 [ 45.956338] do_syscall_64+0x19f/0x550 [ 45.960558] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 45.968626] [ 45.970280] Freed by task 2976: [ 45.974108] save_stack_trace+0x16/0x20 [ 45.979392] kasan_slab_free+0xac/0x190 [ 45.984228] kfree+0xfb/0x310 [ 45.987718] disk_release+0x259/0x330 [ 45.991543] device_release+0x7e/0x220 [ 45.996707] kobject_put+0x148/0x250 [ 46.003374] put_disk+0x23/0x30 [ 46.006816] __blkdev_get+0x616/0xd60 [ 46.012234] blkdev_get+0x2da/0x920 [ 46.016918] blkdev_open+0x1a5/0x250 [ 46.021034] do_dentry_open+0x3ef/0xc90 [ 46.025349] vfs_open+0x11c/0x210 [ 46.029381] path_openat+0x542/0x2790 [ 46.033961] do_filp_open+0x197/0x270 [ 46.038096] do_sys_open+0x30d/0x5c0 [ 46.041828] SyS_open+0x2d/0x40 [ 46.045475] do_syscall_64+0x19f/0x550 [ 46.049472] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 46.056683] [ 46.058416] The buggy address belongs to the object at ffff8801d692a200 [ 46.058416] which belongs to the cache kmalloc-2048 of size 2048 [ 46.074150] The buggy address is located 1376 bytes inside of [ 46.074150] 2048-byte region [ffff8801d692a200, ffff8801d692aa00) [ 46.087424] The buggy address belongs to the page: [ 46.092860] page:ffffea00075a4a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 46.104467] flags: 0x4000000000004080(slab|head) [ 46.110399] page dumped because: kasan: bad access detected [ 46.117101] [ 46.118951] Memory state around the buggy address: [ 46.126645] ffff8801d692a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 46.134437] ffff8801d692a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 46.141964] >ffff8801d692a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 46.160398] ^ [ 46.167572] ffff8801d692a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 46.175902] ffff8801d692a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 46.184145] ================================================================== [ 46.193127] Disabling lock debugging due to kernel taint [ 46.206493] Kernel panic - not syncing: panic_on_warn set ... [ 46.206493] [ 46.215549] CPU: 0 PID: 2976 Comm: syz-executor.2 Tainted: G B 4.9.141+ #1 [ 46.224067] ffff8801d3937658 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff [ 46.235295] 0000000000000000 0000000000000000 0000000000000000 ffff8801d3937718 [ 46.244284] ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66 [ 46.255510] Call Trace: [ 46.258395] [] dump_stack+0xc1/0x128 [ 46.264220] [] panic+0x1bf/0x39f [ 46.270056] [] ? add_taint.cold.5+0x16/0x16 [ 46.276664] [] ? ___preempt_schedule+0x16/0x18 [ 46.283095] [] kasan_end_report+0x47/0x4f [ 46.289462] [] kasan_report.cold.6+0x76/0x2fe [ 46.297498] [] ? disk_unblock_events+0x51/0x60 [ 46.305105] [] __asan_report_load8_noabort+0x14/0x20 [ 46.313130] [] disk_unblock_events+0x51/0x60 [ 46.319646] [] __blkdev_get+0x6b6/0xd60 [ 46.326897] [] ? __blkdev_put+0x840/0x840 [ 46.333617] [] ? fsnotify+0x114/0x1100 [ 46.341722] [] blkdev_get+0x2da/0x920 [ 46.349777] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 46.358189] [] ? bd_may_claim+0xd0/0xd0 [ 46.365430] [] ? bd_acquire+0x27/0x250 [ 46.371902] [] ? bd_acquire+0x88/0x250 [ 46.378807] [] ? _raw_spin_unlock+0x2c/0x50 [ 46.385364] [] blkdev_open+0x1a5/0x250 [ 46.392288] [] do_dentry_open+0x3ef/0xc90 [ 46.401184] [] ? blkdev_get_by_dev+0x70/0x70 [ 46.411242] [] vfs_open+0x11c/0x210 [ 46.418931] [] ? may_open.isra.20+0x14f/0x2a0 [ 46.430241] [] path_openat+0x542/0x2790 [ 46.442648] [] ? path_mountpoint+0x6c0/0x6c0 [ 46.453286] [] ? trace_hardirqs_on+0x10/0x10 [ 46.463564] [] ? expand_files.part.3+0x3a9/0x6d0 [ 46.472951] [] do_filp_open+0x197/0x270 [ 46.480007] [] ? may_open_dev+0xe0/0xe0 [ 46.486917] [] ? _raw_spin_unlock+0x2c/0x50 [ 46.494796] [] ? __alloc_fd+0x1d7/0x4a0 [ 46.502083] [] do_sys_open+0x30d/0x5c0 [ 46.508663] [] ? filp_open+0x70/0x70 [ 46.515824] [] ? __might_fault+0x18e/0x1d0 [ 46.523253] [] ? __might_fault+0xe4/0x1d0 [ 46.530037] [] ? SyS_clock_settime+0x220/0x220 [ 46.537510] [] SyS_open+0x2d/0x40 [ 46.542870] [] ? do_sys_open+0x5c0/0x5c0 [ 46.557576] [] do_syscall_64+0x19f/0x550 [ 46.566290] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb [ 46.575388] Kernel Offset: disabled [ 46.580022] Rebooting in 86400 seconds..