[ ok ] Starting periodic command scheduler: cron.
[....] Starting mcstransd:
[   10.369391] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   11.818809] random: crng init done
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
2019/06/08 08:50:22 parsed 1 programs
2019/06/08 08:50:25 executed programs: 0
[   55.415525] audit: type=1400 audit(1559983825.282:5): avc: denied { sys_admin } for pid=2079 comm="syz-executor.2" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   55.462343] audit: type=1400 audit(1559983825.332:6): avc: denied { net_admin } for pid=2083 comm="syz-executor.2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   55.848512] audit: type=1400 audit(1559983825.722:7): avc: denied { sys_chroot } for pid=2083 comm="syz-executor.2" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[   55.874351] audit: type=1400 audit(1559983825.742:8): avc: denied { associate } for pid=2083 comm="syz-executor.2" name="syz2" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[   59.863953] ==================================================================
[   59.871374] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[   59.878127] Read of size 8 at addr ffff8801d8100560 by task syz-executor.2/2727
[   59.885566] 
[   59.887192] CPU: 1 PID: 2727 Comm: syz-executor.2 Not tainted 4.9.141+ #23
[   59.894201]  ffff8801d7e9f6e8 ffffffff81b42e79 ffffea0007604000 ffff8801d8100560
[   59.902281]  0000000000000000 ffff8801d8100560 0000000000000000 ffff8801d7e9f720
[   59.910363]  ffffffff815009b8 ffff8801d8100560 0000000000000008 0000000000000000
[   59.918441] Call Trace:
[   59.921037]  [] dump_stack+0xc1/0x128
[   59.926443]  [] print_address_description+0x6c/0x234
[   59.933117]  [] kasan_report.cold.6+0x242/0x2fe
[   59.939353]  [] ? disk_unblock_events+0x51/0x60
[   59.945590]  [] __asan_report_load8_noabort+0x14/0x20
[   59.952351]  [] disk_unblock_events+0x51/0x60
[   59.958410]  [] __blkdev_get+0x6b6/0xd60
[   59.964036]  [] ? __blkdev_put+0x840/0x840
[   59.969840]  [] ? fsnotify+0x114/0x1100
[   59.975382]  [] blkdev_get+0x2da/0x920
[   59.980833]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   59.987591]  [] ? bd_may_claim+0xd0/0xd0
[   59.993220]  [] ? bd_acquire+0x27/0x250
[   59.998762]  [] ? bd_acquire+0x88/0x250
[   60.004301]  [] ? _raw_spin_unlock+0x2c/0x50
[   60.010281]  [] blkdev_open+0x1a5/0x250
[   60.015825]  [] do_dentry_open+0x3ef/0xc90
[   60.021636]  [] ? blkdev_get_by_dev+0x70/0x70
[   60.027698]  [] vfs_open+0x11c/0x210
[   60.032981]  [] ? may_open.isra.20+0x14f/0x2a0
[   60.039125]  [] path_openat+0x542/0x2790
[   60.044741]  [] ? path_mountpoint+0x6c0/0x6c0
[   60.050779]  [] ? trace_hardirqs_on+0x10/0x10
[   60.056831]  [] ? trace_hardirqs_on+0x10/0x10
[   60.062965]  [] ? expand_files.part.3+0x3a9/0x6d0
[   60.069355]  [] do_filp_open+0x197/0x270
[   60.074964]  [] ? may_open_dev+0xe0/0xe0
[   60.080569]  [] ? _raw_spin_unlock+0x2c/0x50
[   60.086523]  [] ? __alloc_fd+0x1d7/0x4a0
[   60.092127]  [] do_sys_open+0x30d/0x5c0
[   60.097642]  [] ? filp_open+0x70/0x70
[   60.102984]  [] ? up_read+0x1a/0x40
[   60.108157]  [] ? compat_SyS_clock_settime+0x1a0/0x1a0
[   60.114976]  [] compat_SyS_open+0x2a/0x40
[   60.120666]  [] ? compat_SyS_getdents64+0x280/0x280
[   60.127225]  [] do_fast_syscall_32+0x2f1/0xa10
[   60.133350]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   60.140001]  [] entry_SYSENTER_compat+0x90/0xa2
[   60.146221] 
[   60.147826] Allocated by task 2727:
[   60.151437]  save_stack_trace+0x16/0x20
[   60.155390]  kasan_kmalloc.part.1+0x62/0xf0
[   60.159691]  kasan_kmalloc+0xaf/0xc0
[   60.163387]  kmem_cache_alloc_trace+0x117/0x2e0
[   60.168036]  alloc_disk_node+0x54/0x3a0
[   60.171986]  alloc_disk+0x18/0x20
[   60.175445]  loop_add+0x368/0x7a0
[   60.178878]  loop_probe+0x14f/0x180
[   60.182506]  kobj_lookup+0x223/0x410
[   60.186201]  get_gendisk+0x39/0x2d0
[   60.189812]  __blkdev_get+0x351/0xd60
[   60.193589]  blkdev_get+0x2da/0x920
[   60.197193]  blkdev_open+0x1a5/0x250
[   60.200888]  do_dentry_open+0x3ef/0xc90
[   60.204838]  vfs_open+0x11c/0x210
[   60.208268]  path_openat+0x542/0x2790
[   60.212044]  do_filp_open+0x197/0x270
[   60.215845]  do_sys_open+0x30d/0x5c0
[   60.219540]  compat_SyS_open+0x2a/0x40
[   60.223406]  do_fast_syscall_32+0x2f1/0xa10
[   60.227713]  entry_SYSENTER_compat+0x90/0xa2
[   60.232120] 
[   60.233729] Freed by task 2727:
[   60.237006]  save_stack_trace+0x16/0x20
[   60.240960]  kasan_slab_free+0xac/0x190
[   60.244910]  kfree+0xfb/0x310
[   60.248109]  disk_release+0x259/0x330
[   60.251903]  device_release+0x7e/0x220
[   60.255807]  kobject_put+0x148/0x250
[   60.259502]  put_disk+0x23/0x30
[   60.262759]  __blkdev_get+0x616/0xd60
[   60.266534]  blkdev_get+0x2da/0x920
[   60.270148]  blkdev_open+0x1a5/0x250
[   60.273870]  do_dentry_open+0x3ef/0xc90
[   60.277826]  vfs_open+0x11c/0x210
[   60.281266]  path_openat+0x542/0x2790
[   60.285057]  do_filp_open+0x197/0x270
[   60.288838]  do_sys_open+0x30d/0x5c0
[   60.292532]  compat_SyS_open+0x2a/0x40
[   60.296399]  do_fast_syscall_32+0x2f1/0xa10
[   60.300767]  entry_SYSENTER_compat+0x90/0xa2
[   60.305151] 
[   60.306756] The buggy address belongs to the object at ffff8801d8100000
[   60.306756]  which belongs to the cache kmalloc-2048 of size 2048
[   60.319567] The buggy address is located 1376 bytes inside of
[   60.319567]  2048-byte region [ffff8801d8100000, ffff8801d8100800)
[   60.331598] The buggy address belongs to the page:
[   60.336515] page:ffffea0007604000 count:1 mapcount:0 mapping:          (null) index:0xffff8801d8106e80 compound_mapcount: 0
[   60.348028] flags: 0x4000000000004080(slab|head)
[   60.352761] page dumped because: kasan: bad access detected
[   60.358448] 
[   60.360055] Memory state around the buggy address:
[   60.364965]  ffff8801d8100400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.372310]  ffff8801d8100480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.379658] >ffff8801d8100500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.387011]                                                        ^
[   60.393509]  ffff8801d8100580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.400852]  ffff8801d8100600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.408191] ==================================================================
[   60.415530] Disabling lock debugging due to kernel taint
[   60.421594] Kernel panic - not syncing: panic_on_warn set ...
[   60.421594] 
[   60.428970] CPU: 1 PID: 2727 Comm: syz-executor.2 Tainted: G    B   4.9.141+ #23
[   60.437701]  ffff8801d7e9f648 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff
[   60.445721]  0000000000000000 0000000000000001 0000000000000000 ffff8801d7e9f708
[   60.453714]  ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
[   60.461768] Call Trace:
[   60.464338]  [] dump_stack+0xc1/0x128
[   60.469684]  [] panic+0x1bf/0x39f
[   60.474721]  [] ? add_taint.cold.5+0x16/0x16
[   60.480694]  [] ? ___preempt_schedule+0x16/0x18
[   60.486911]  [] kasan_end_report+0x47/0x4f
[   60.492691]  [] kasan_report.cold.6+0x76/0x2fe
[   60.498943]  [] ? disk_unblock_events+0x51/0x60
[   60.505154]  [] __asan_report_load8_noabort+0x14/0x20
[   60.511884]  [] disk_unblock_events+0x51/0x60
[   60.517919]  [] __blkdev_get+0x6b6/0xd60
[   60.523524]  [] ? __blkdev_put+0x840/0x840
[   60.529301]  [] ? fsnotify+0x114/0x1100
[   60.534836]  [] blkdev_get+0x2da/0x920
[   60.540279]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[   60.547011]  [] ? bd_may_claim+0xd0/0xd0
[   60.552637]  [] ? bd_acquire+0x27/0x250
[   60.558169]  [] ? bd_acquire+0x88/0x250
[   60.563682]  [] ? _raw_spin_unlock+0x2c/0x50
[   60.569630]  [] blkdev_open+0x1a5/0x250
[   60.575161]  [] do_dentry_open+0x3ef/0xc90
[   60.580958]  [] ? blkdev_get_by_dev+0x70/0x70
[   60.587096]  [] vfs_open+0x11c/0x210
[   60.592366]  [] ? may_open.isra.20+0x14f/0x2a0
[   60.598491]  [] path_openat+0x542/0x2790
[   60.604111]  [] ? path_mountpoint+0x6c0/0x6c0
[   60.610150]  [] ? trace_hardirqs_on+0x10/0x10
[   60.616201]  [] ? trace_hardirqs_on+0x10/0x10
[   60.622248]  [] ? expand_files.part.3+0x3a9/0x6d0
[   60.628651]  [] do_filp_open+0x197/0x270
[   60.634281]  [] ? may_open_dev+0xe0/0xe0
[   60.634289]  [] ? _raw_spin_unlock+0x2c/0x50
[   60.634298]  [] ? __alloc_fd+0x1d7/0x4a0
[   60.634310]  [] do_sys_open+0x30d/0x5c0
[   60.634316]  [] ? filp_open+0x70/0x70
[   60.634325]  [] ? up_read+0x1a/0x40
[   60.634335]  [] ? compat_SyS_clock_settime+0x1a0/0x1a0
[   60.634344]  [] compat_SyS_open+0x2a/0x40
[   60.634352]  [] ? compat_SyS_getdents64+0x280/0x280
[   60.634359]  [] do_fast_syscall_32+0x2f1/0xa10
[   60.634368]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   60.634376]  [] entry_SYSENTER_compat+0x90/0xa2
[   60.640270] Kernel Offset: disabled
[   60.709643] Rebooting in 86400 seconds..