Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
[   51.716780] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   51.811392] audit: type=1400 audit(1555445329.679:7): avc: denied { map } for pid=1800 comm="syz-executor908" path="/root/syz-executor908997611" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[   52.076240] ==================================================================
[   52.083713] BUG: KASAN: use-after-free in get_disk+0xc0/0xd0
[   52.089516] Read of size 8 at addr ffff8881cf4d1eb0 by task blkid/1806
[   52.096177] 
[   52.097853] CPU: 1 PID: 1806 Comm: blkid Not tainted 4.14.111+ #54
[   52.104170] Call Trace:
[   52.106819]  dump_stack+0xb9/0x10e
[   52.110375]  ? get_disk+0xc0/0xd0
[   52.113822]  print_address_description+0x60/0x226
[   52.118681]  ? get_disk+0xc0/0xd0
[   52.122139]  kasan_report.cold+0x88/0x2a5
[   52.126296]  ? get_disk+0xc0/0xd0
[   52.129798]  ? get_gendisk+0xee/0x240
[   52.133605]  ? __blkdev_get+0x345/0xf90
[   52.137582]  ? __blkdev_put+0x6d0/0x6d0
[   52.141561]  ? bdget+0x41a/0x4e0
[   52.144919]  ? lock_downgrade+0x5d0/0x5d0
[   52.149071]  ? blkdev_get+0x97/0x8b0
[   52.152779]  ? bd_acquire+0x149/0x2c0
[   52.156576]  ? bd_may_claim+0xd0/0xd0
[   52.160373]  ? lock_downgrade+0x5d0/0x5d0
[   52.164647]  ? lock_acquire+0x10f/0x380
[   52.168613]  ? bd_acquire+0x113/0x2c0
[   52.172442]  ? blkdev_open+0x1cc/0x250
[   52.176319]  ? security_file_open+0x88/0x190
[   52.180764]  ? do_dentry_open+0x44e/0xdf0
[   52.184907]  ? bd_acquire+0x2c0/0x2c0
[   52.188702]  ? vfs_open+0x105/0x230
[   52.192583]  ? path_openat+0xb6b/0x2b70
[   52.196602]  ? path_mountpoint+0x9a0/0x9a0
[   52.200828]  ? trace_hardirqs_on+0x10/0x10
[   52.205050]  ? do_filp_open+0x1a1/0x280
[   52.209003]  ? may_open_dev+0xe0/0xe0
[   52.212790]  ? lock_downgrade+0x5d0/0x5d0
[   52.216913]  ? lock_acquire+0x10f/0x380
[   52.220866]  ? __alloc_fd+0x3f/0x490
[   52.224696]  ? _raw_spin_unlock+0x29/0x40
[   52.228840]  ? __alloc_fd+0x1bf/0x490
[   52.232633]  ? do_sys_open+0x2ca/0x590
[   52.236512]  ? filp_open+0x60/0x60
[   52.240054]  ? do_syscall_64+0x43/0x4b0
[   52.244035]  ? do_sys_open+0x590/0x590
[   52.247909]  ? do_syscall_64+0x19b/0x4b0
[   52.251957]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.257312] 
[   52.258930] Allocated by task 1801:
[   52.262550]  kasan_kmalloc.part.0+0x4f/0xd0
[   52.266952]  kmem_cache_alloc_trace+0x126/0x310
[   52.271617]  alloc_disk_node+0x5b/0x3d0
[   52.275634] 
[   52.277288] Freed by task 1803:
[   52.280573]  kasan_slab_free+0xb0/0x190
[   52.284535]  kfree+0xf5/0x310
[   52.287628]  device_release+0xf4/0x1a0
[   52.291502] 
[   52.293157] The buggy address belongs to the object at ffff8881cf4d1980
[   52.293157]  which belongs to the cache kmalloc-2048 of size 2048
[   52.305977] The buggy address is located 1328 bytes inside of
[   52.305977]  2048-byte region [ffff8881cf4d1980, ffff8881cf4d2180)
[   52.318017] The buggy address belongs to the page:
[   52.322947] page:ffffea00073d3400 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   52.333521] flags: 0x4000000000010200(slab|head)
[   52.338265] raw: 4000000000010200 0000000000000000 0000000000000000 00000001800f000f
[   52.346138] raw: dead000000000100 dead000000000200 ffff8881da802800 0000000000000000
[   52.354010] page dumped because: kasan: bad access detected
[   52.359706] 
[   52.361325] Memory state around the buggy address:
[   52.366242]  ffff8881cf4d1d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.373589]  ffff8881cf4d1e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.380937] >ffff8881cf4d1e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.388409]                                      ^
[   52.393346]  ffff8881cf4d1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.400697]  ffff8881cf4d1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.408189] ==================================================================
[   52.415673] Disabling lock debugging due to kernel taint
[   52.421355] Kernel panic - not syncing: panic_on_warn set ...
[   52.421355] 
[   52.428709] CPU: 1 PID: 1806 Comm: blkid Tainted: G    B     4.14.111+ #54
[   52.436230] Call Trace:
[   52.438809]  dump_stack+0xb9/0x10e
[   52.442334]  panic+0x1d9/0x3c2
[   52.445517]  ? add_taint.cold+0x16/0x16
[   52.449481]  ? retint_kernel+0x2d/0x2d
[   52.453503]  ? get_disk+0xc0/0xd0
[   52.456940]  kasan_end_report+0x43/0x49
[   52.460900]  kasan_report.cold+0xa4/0x2a5
[   52.465071]  ? get_disk+0xc0/0xd0
[   52.468516]  ? get_gendisk+0xee/0x240
[   52.472349]  ? __blkdev_get+0x345/0xf90
[   52.476317]  ? __blkdev_put+0x6d0/0x6d0
[   52.480375]  ? bdget+0x41a/0x4e0
[   52.483722]  ? lock_downgrade+0x5d0/0x5d0
[   52.487851]  ? blkdev_get+0x97/0x8b0
[   52.491544]  ? bd_acquire+0x149/0x2c0
[   52.495324]  ? bd_may_claim+0xd0/0xd0
[   52.499109]  ? lock_downgrade+0x5d0/0x5d0
[   52.503245]  ? lock_acquire+0x10f/0x380
[   52.507206]  ? bd_acquire+0x113/0x2c0
[   52.511000]  ? blkdev_open+0x1cc/0x250
[   52.514910]  ? security_file_open+0x88/0x190
[   52.519311]  ? do_dentry_open+0x44e/0xdf0
[   52.523485]  ? bd_acquire+0x2c0/0x2c0
[   52.527270]  ? vfs_open+0x105/0x230
[   52.530907]  ? path_openat+0xb6b/0x2b70
[   52.535002]  ? path_mountpoint+0x9a0/0x9a0
[   52.539228]  ? trace_hardirqs_on+0x10/0x10
[   52.543728]  ? do_filp_open+0x1a1/0x280
[   52.547689]  ? may_open_dev+0xe0/0xe0
[   52.551523]  ? lock_downgrade+0x5d0/0x5d0
[   52.555657]  ? lock_acquire+0x10f/0x380
[   52.559721]  ? __alloc_fd+0x3f/0x490
[   52.563427]  ? _raw_spin_unlock+0x29/0x40
[   52.567643]  ? __alloc_fd+0x1bf/0x490
[   52.571430]  ? do_sys_open+0x2ca/0x590
[   52.575301]  ? filp_open+0x60/0x60
[   52.578955]  ? do_syscall_64+0x43/0x4b0
[   52.582926]  ? do_sys_open+0x590/0x590
[   52.586919]  ? do_syscall_64+0x19b/0x4b0
[   52.590971]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   52.596872] Kernel Offset: 0x1c200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   52.607794] Rebooting in 86400 seconds..
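The report above carries everything needed to triage it without a vmlinux: the faulting access, the object's allocation and free stacks, the object bounds, and the KASAN shadow row for the address. The following parser is an added example written for this page; it is not part of the syzkaller/syzbot report or of the kernel. Its sample input is an excerpt of the report's own lines, embedded so it runs offline. The shadow-byte table reproduces the poison values from mm/kasan/kasan.h in v4.14 (0xfb is KASAN_KMALLOC_FREE) and assumes the default 8-byte shadow granule; function names such as parse_kasan_report and triage_line are this example's own.

```python
import re

# Excerpt of the KASAN report from the console log above (only the lines this
# parser consumes), embedded so the example runs offline.
REPORT = """\
[   52.083713] BUG: KASAN: use-after-free in get_disk+0xc0/0xd0
[   52.089516] Read of size 8 at addr ffff8881cf4d1eb0 by task blkid/1806
[   52.097853] CPU: 1 PID: 1806 Comm: blkid Not tainted 4.14.111+ #54
[   52.104170] Call Trace:
[   52.106819]  dump_stack+0xb9/0x10e
[   52.129798]  ? get_gendisk+0xee/0x240
[   52.258930] Allocated by task 1801:
[   52.262550]  kasan_kmalloc.part.0+0x4f/0xd0
[   52.266952]  kmem_cache_alloc_trace+0x126/0x310
[   52.271617]  alloc_disk_node+0x5b/0x3d0
[   52.275634]
[   52.277288] Freed by task 1803:
[   52.280573]  kasan_slab_free+0xb0/0x190
[   52.284535]  kfree+0xf5/0x310
[   52.287628]  device_release+0xf4/0x1a0
[   52.291502]
[   52.293157] The buggy address belongs to the object at ffff8881cf4d1980
[   52.293157]  which belongs to the cache kmalloc-2048 of size 2048
[   52.361325] Memory state around the buggy address:
[   52.373589]  ffff8881cf4d1e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.380937] >ffff8881cf4d1e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

SHADOW_SCALE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory

# Shadow poison values from mm/kasan/kasan.h (v4.14, assumed unchanged here);
# 0x01..0x07 mean only the first N bytes of the 8-byte granule are accessible.
POISON = {
    0x00: "accessible",
    0xfa: "global redzone",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone",
    0xff: "freed page",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use-after-scope",
}


def strip_ts(line):
    """Drop the '[   52.083713] ' printk prefix but keep the frame indent."""
    return re.sub(r"^\[\s*\d+\.\d+\] ?", "", line)


def parse_kasan_report(text):
    info = {"alloc_stack": [], "free_stack": []}
    section = None  # which stack (if any) the current lines belong to
    for line in map(strip_ts, text.splitlines()):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug"], info["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"] = int(m.group(3), 16)
            info["task"], info["pid"] = m.group(4), int(m.group(5))
        elif m := re.match(r"Allocated by task (\d+):", line):
            info["alloc_pid"], section = int(m.group(1)), "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", line):
            info["free_pid"], section = int(m.group(1)), "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            info["obj_start"], section = int(m.group(1), 16), None
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)", line):
            # The '>' row is the one containing the faulting address; pick its granule.
            row_base = int(m.group(1), 16)
            granules = [int(b, 16) for b in m.group(2).split()]
            info["shadow"] = granules[(info["addr"] - row_base) // SHADOW_SCALE]
        elif section and line.startswith(" "):
            info[section].append(line.strip())
        elif section and not line.strip():
            section = None  # an empty printk line ends a stack section
    # Derived facts a triager wants: where in the object the access landed
    # and what the shadow byte says about that memory.
    info["offset"] = info["addr"] - info["obj_start"]
    info["inside_object"] = 0 <= info["offset"] < info["obj_size"]
    s = info["shadow"]
    info["shadow_meaning"] = POISON.get(s, "partially accessible" if s < SHADOW_SCALE else "unknown")
    return info


def triage_line(info):
    """One-line summary of the kind a bug-tracker entry would carry."""
    return (f"{info['bug']} {info['access']} of {info['size']} bytes in {info['func']}: "
            f"{info['offset']} bytes into a {info['obj_size']}-byte {info['cache']} object "
            f"allocated by pid {info['alloc_pid']} ({info['alloc_stack'][-1]}), "
            f"freed by pid {info['free_pid']} ({info['free_stack'][-1]}); "
            f"shadow 0x{info['shadow']:02x} = {info['shadow_meaning']}")


if __name__ == "__main__":
    print(triage_line(parse_kasan_report(REPORT)))
```

Two checks fall out of the parse. The offset it computes from the addresses (0xffff8881cf4d1eb0 minus 0xffff8881cf4d1980, i.e. 1328) must agree with the report's own "located 1328 bytes inside of" line, which confirms the address fields were read correctly. And the shadow byte under the caret is 0xfb, as is every byte in the surrounding rows, so the whole 2048-byte object allocated in alloc_disk_node had already been returned to the slab via device_release when blkid's open path (blkdev_open, bd_acquire, __blkdev_get, get_gendisk, get_disk) read from it. That is what makes this a use-after-free rather than an out-of-bounds read: the access is well within the object's bounds, but the object no longer exists.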