[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 14.474577] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.780697] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.187797] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.688786] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.990019] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[ 30.593381] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 30.674670] ==================================================================
[ 30.682596] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380
[ 30.689765] Write of size 10 at addr ffff8801c3210000 by task syz-executor782/3804
[ 30.697757]
[ 30.699470] CPU: 1 PID: 3804 Comm: syz-executor782 Not tainted 4.9.122-g54068d6 #30
[ 30.707594] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.716953]  ffff8801b6f0f490 ffffffff81eb8829 ffffea00070c8400 ffff8801c3210000
[ 30.725714]  0000000000000001 ffff8801c3210000 000000000000000a ffff8801b6f0f4c8
[ 30.734431]  ffffffff8156b6be ffff8801c3210000 000000000000000a 0000000000000001
[ 30.742902] Call Trace:
[ 30.745742]  [] dump_stack+0xc1/0x128
[ 30.751458]  [] print_address_description+0x6c/0x234
[ 30.758539]  [] kasan_report.cold.6+0x242/0x2fe
[ 30.764911]  [] ? selinux_sb_copy_data+0x1cd/0x380
[ 30.771592]  [] check_memory_region+0x14f/0x1b0
[ 30.777991]  [] memcpy+0x37/0x50
[ 30.783054]  [] selinux_sb_copy_data+0x1cd/0x380
[ 30.789367]  [] security_sb_copy_data+0x7b/0xb0
[ 30.796342]  [] parse_security_options+0x36/0x90
[ 30.803025]  [] btrfs_mount+0x2f3/0x2bc0
[ 30.808804]  [] ? btrfs_remount+0x1360/0x1360
[ 30.815132]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 30.822357]  [] ? _find_next_bit.part.0+0xe0/0x120
[ 30.828843]  [] ? find_next_bit+0x43/0x50
[ 30.834678]  [] ? pcpu_alloc+0x483/0xad0
[ 30.840384]  [] ? pcpu_create_chunk+0x430/0x430
[ 30.846992]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 30.853595]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 30.860730]  [] ? lockdep_init_map+0x105/0x4f0
[ 30.867144]  [] ? lockdep_init_map+0x105/0x4f0
[ 30.873462]  [] mount_fs+0x28c/0x370
[ 30.878870]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 30.885438]  [] vfs_kern_mount+0x40/0x60
[ 30.891384]  [] btrfs_mount+0x40b/0x2bc0
[ 30.897161]  [] ? btrfs_remount+0x1360/0x1360
[ 30.903247]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 30.910299]  [] ? _find_next_bit.part.0+0xe0/0x120
[ 30.916942]  [] ? find_next_bit+0x43/0x50
[ 30.922655]  [] ? pcpu_alloc+0x483/0xad0
[ 30.928476]  [] ? pcpu_create_chunk+0x430/0x430
[ 30.934869]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 30.941455]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 30.948383]  [] ? lockdep_init_map+0x105/0x4f0
[ 30.954645]  [] ? lockdep_init_map+0x105/0x4f0
[ 30.961028]  [] mount_fs+0x28c/0x370
[ 30.966299]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 30.972806]  [] ? ns_capable_common+0x12a/0x150
[ 30.979432]  [] do_mount+0x3c9/0x2740
[ 30.985233]  [] ? copy_mount_string+0x40/0x40
[ 30.991376]  [] ? kasan_unpoison_shadow+0x35/0x50
[ 30.997790]  [] ? kasan_kmalloc+0xc7/0xe0
[ 31.003871]  [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 31.010591]  [] ? copy_mount_options+0x5f/0x320
[ 31.016936]  [] ? copy_mount_options+0x1e5/0x320
[ 31.023253]  [] compat_SyS_mount+0x4fc/0xff0
[ 31.029341]  [] ? do_fast_syscall_32+0xcf/0x870
[ 31.035703]  [] ? compat_SyS_io_submit+0xf0/0xf0
[ 31.042019]  [] do_fast_syscall_32+0x2f7/0x870
[ 31.048158]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.055344]  [] entry_SYSENTER_compat+0x90/0xa2
[ 31.061574]
[ 31.063216] The buggy address belongs to the page:
[ 31.068131] page:ffffea00070c8400 count:0 mapcount:-127 mapping: (null) index:0x0
[ 31.076745] flags: 0x8000000000000000()
[ 31.080706] page dumped because: kasan: bad access detected
[ 31.086598]
[ 31.088226] Memory state around the buggy address:
[ 31.093144]  ffff8801c320ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.100639]  ffff8801c320ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.107993] >ffff8801c3210000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.115338]                    ^
[ 31.118876]  ffff8801c3210080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.126234]  ffff8801c3210100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.133701] ==================================================================
[ 31.141063] Disabling lock debugging due to kernel taint
[ 31.148562] Kernel panic - not syncing: panic_on_warn set ...
[ 31.148562]
[ 31.156445] CPU: 1 PID: 3804 Comm: syz-executor782 Tainted: G    B   4.9.122-g54068d6 #30
[ 31.165542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.175203]  ffff8801b6f0f3f0 ffffffff81eb8829 ffffffff843c81db 00000000ffffffff
[ 31.183271]  0000000000000000 0000000000000001 000000000000000a ffff8801b6f0f4b0
[ 31.191716]  ffffffff81423f35 0000000041b58ab3 ffffffff843bb838 ffffffff81423d76
[ 31.200039] Call Trace:
[ 31.202623]  [] dump_stack+0xc1/0x128
[ 31.208198]  [] panic+0x1bf/0x3bc
[ 31.213237]  [] ? add_taint.cold.6+0x16/0x16
[ 31.219495]  [] ? ___preempt_schedule+0x16/0x18
[ 31.225725]  [] kasan_end_report+0x47/0x4f
[ 31.231674]  [] kasan_report.cold.6+0x76/0x2fe
[ 31.238039]  [] ? selinux_sb_copy_data+0x1cd/0x380
[ 31.244529]  [] check_memory_region+0x14f/0x1b0
[ 31.250751]  [] memcpy+0x37/0x50
[ 31.255793]  [] selinux_sb_copy_data+0x1cd/0x380
[ 31.262108]  [] security_sb_copy_data+0x7b/0xb0
[ 31.268337]  [] parse_security_options+0x36/0x90
[ 31.275385]  [] btrfs_mount+0x2f3/0x2bc0
[ 31.281148]  [] ? btrfs_remount+0x1360/0x1360
[ 31.287324]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 31.294402]  [] ? _find_next_bit.part.0+0xe0/0x120
[ 31.300891]  [] ? find_next_bit+0x43/0x50
[ 31.306594]  [] ? pcpu_alloc+0x483/0xad0
[ 31.312227]  [] ? pcpu_create_chunk+0x430/0x430
[ 31.318450]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 31.324850]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 31.332300]  [] ? lockdep_init_map+0x105/0x4f0
[ 31.338566]  [] ? lockdep_init_map+0x105/0x4f0
[ 31.344712]  [] mount_fs+0x28c/0x370
[ 31.350199]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 31.356769]  [] vfs_kern_mount+0x40/0x60
[ 31.362390]  [] btrfs_mount+0x40b/0x2bc0
[ 31.368483]  [] ? btrfs_remount+0x1360/0x1360
[ 31.374537]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 31.381541]  [] ? _find_next_bit.part.0+0xe0/0x120
[ 31.388120]  [] ? find_next_bit+0x43/0x50
[ 31.394005]  [] ? pcpu_alloc+0x483/0xad0
[ 31.399759]  [] ? pcpu_create_chunk+0x430/0x430
[ 31.406127]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 31.412666]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 31.419715]  [] ? lockdep_init_map+0x105/0x4f0
[ 31.425854]  [] ? lockdep_init_map+0x105/0x4f0
[ 31.432108]  [] mount_fs+0x28c/0x370
[ 31.437594]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[ 31.444123]  [] ? ns_capable_common+0x12a/0x150
[ 31.450360]  [] do_mount+0x3c9/0x2740
[ 31.455875]  [] ? copy_mount_string+0x40/0x40
[ 31.461933]  [] ? kasan_unpoison_shadow+0x35/0x50
[ 31.468443]  [] ? kasan_kmalloc+0xc7/0xe0
[ 31.474159]  [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[ 31.480760]  [] ? copy_mount_options+0x5f/0x320
[ 31.487145]  [] ? copy_mount_options+0x1e5/0x320
[ 31.493483]  [] compat_SyS_mount+0x4fc/0xff0
[ 31.499606]  [] ? do_fast_syscall_32+0xcf/0x870
[ 31.505945]  [] ? compat_SyS_io_submit+0xf0/0xf0
[ 31.512487]  [] do_fast_syscall_32+0x2f7/0x870
[ 31.518624]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.525286]  [] entry_SYSENTER_compat+0x90/0xa2
[ 31.532215] Dumping ftrace buffer:
[ 31.535761]    (ftrace buffer empty)
[ 31.539460] Kernel Offset: disabled
[ 31.543197] Rebooting in 86400 seconds..