[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 11.266997] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 15.813703] random: sshd: uninitialized urandom read (32 bytes read) [ 15.948707] audit: type=1400 audit(1567847516.290:6): avc: denied { map } for pid=1763 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 15.991536] random: sshd: uninitialized urandom read (32 bytes read) [ 16.505169] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.152' (ECDSA) to the list of known hosts. [ 22.084768] urandom_read: 1 callbacks suppressed [ 22.084772] random: sshd: uninitialized urandom read (32 bytes read) [ 22.180546] audit: type=1400 audit(1567847522.530:7): avc: denied { map } for pid=1781 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 2019/09/07 09:12:02 parsed 1 programs [ 22.243663] audit: type=1400 audit(1567847522.590:8): avc: denied { map } for pid=1781 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 22.636487] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/07 09:12:03 executed programs: 0 [ 23.528775] audit: type=1400 audit(1567847523.870:9): avc: denied { map } for pid=1781 comm="syz-execprog" path="/root/syzkaller-shm919909940" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 2019/09/07 09:12:08 executed programs: 93 [ 29.031084] ================================================================== [ 29.038473] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 [ 29.045811] Read of size 8 at addr ffff8881c12e7860 by task syz-executor.3/3087 [ 29.053229] [ 29.054835] CPU: 0 PID: 3087 Comm: syz-executor.3 Not tainted 4.14.142+ #0 [ 29.061819] Call Trace: [ 29.064387] dump_stack+0xca/0x134 [ 29.067915] ? unwind_next_frame+0x169f/0x1810 [ 29.072472] ? unwind_next_frame+0x169f/0x1810 [ 29.077033] print_address_description+0x60/0x226 [ 29.081849] ? unwind_next_frame+0x169f/0x1810 [ 29.086402] ? unwind_next_frame+0x169f/0x1810 [ 29.090960] __kasan_report.cold+0x1a/0x41 [ 29.095188] ? unwind_next_frame+0x169f/0x1810 [ 29.099744] unwind_next_frame+0x169f/0x1810 [ 29.104127] ? retint_kernel+0x2d/0x2d [ 29.107989] ? perf_callchain_user+0x4a7/0xf80 [ 29.112549] ? deref_stack_reg+0xe0/0xe0 [ 29.116584] ? perf_callchain_user+0x2d1/0xf80 [ 29.121142] ? retint_kernel+0x2d/0x2d [ 29.125018] perf_callchain_kernel+0x3a0/0x540 [ 29.129575] ? perf_callchain_kernel+0x540/0x540 [ 29.134307] ? arch_perf_update_userpage+0x330/0x330 [ 29.139385] ? perf_callchain+0x147/0x190 [ 29.143519] ? futex_wait_setup+0x132/0x330 [ 29.147829] get_perf_callchain+0x2f5/0x770 [ 29.152300] ? put_callchain_buffers+0x60/0x60 [ 29.156856] ? perf_callchain+0x150/0x190 [ 29.160982] perf_callchain+0x147/0x190 [ 29.164932] perf_prepare_sample+0x6a8/0x1360 [ 29.169403] ? perf_output_sample+0x1700/0x1700 [ 29.174049] ? perf_prepare_sample+0x1360/0x1360 [ 29.178782] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 29.184467] perf_event_output_forward+0xdc/0x220 [ 29.189294] ? perf_prepare_sample+0x1360/0x1360 [ 29.194037] ? __perf_event_overflow+0x1cc/0x340 [ 29.198771] ? check_preemption_disabled+0x35/0x1f0 [ 29.203781] __perf_event_overflow+0x12d/0x340 [ 29.208337] perf_swevent_overflow+0x7a/0xf0 [ 29.212723] perf_swevent_event+0x112/0x270 [ 29.217022] perf_tp_event+0x633/0x7f0 [ 29.220885] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 29.226577] ? trace_hardirqs_on+0x10/0x10 [ 29.230788] ? __lock_acquire+0x5d7/0x4320 [ 29.235005] ? perf_trace_run_bpf_submit+0x113/0x170 [ 29.240093] ? check_preemption_disabled+0x35/0x1f0 [ 29.245082] perf_trace_run_bpf_submit+0x113/0x170 [ 29.249998] perf_trace_lock_acquire+0x341/0x4e0 [ 29.254748] ? HARDIRQ_verbose+0x10/0x10 [ 29.258784] ? retint_kernel+0x2d/0x2d [ 29.262657] ? get_futex_key+0x4c1/0xf90 [ 29.266706] lock_acquire+0x279/0x360 [ 29.270481] ? futex_wait_setup+0x132/0x330 [ 29.274781] _raw_spin_lock+0x2a/0x40 [ 29.278559] ? futex_wait_setup+0x132/0x330 [ 29.282857] futex_wait_setup+0x132/0x330 [ 29.286983] ? get_futex_key+0xf90/0xf90 [ 29.291024] futex_wait+0x1ad/0x570 [ 29.294627] ? futex_wait_setup+0x330/0x330 [ 29.298923] ? wake_up_q+0xea/0x150 [ 29.302530] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 29.307519] ? futex_wake+0x15b/0x440 [ 29.311298] do_futex+0x13f/0x1980 [ 29.314815] ? trace_hardirqs_on+0x10/0x10 [ 29.319064] ? perf_trace_lock_acquire+0x341/0x4e0 [ 29.323968] ? exit_robust_list+0x240/0x240 [ 29.328261] ? HARDIRQ_verbose+0x10/0x10 [ 29.332393] ? __might_fault+0x104/0x1b0 [ 29.336551] ? lock_downgrade+0x5d0/0x5d0 [ 29.340672] ? lock_acquire+0x12b/0x360 [ 29.344621] ? __might_fault+0xd4/0x1b0 [ 29.348573] ? __might_fault+0x177/0x1b0 [ 29.352637] ? _copy_to_user+0x82/0xd0 [ 29.356502] SyS_futex+0x1c5/0x2c3 [ 29.360023] ? do_futex+0x1980/0x1980 [ 29.363803] ? SyS_clock_gettime+0x7d/0xe0 [ 29.368013] ? do_clock_gettime+0xd0/0xd0 [ 29.372135] ? do_syscall_64+0x43/0x520 [ 29.376083] ? do_futex+0x1980/0x1980 [ 29.379857] do_syscall_64+0x19b/0x520 [ 29.383735] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.388920] RIP: 0033:0x4598e9 [ 29.392088] RSP: 002b:00007f52af2e8cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 29.399786] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 00000000004598e9 [ 29.407032] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 29.414279] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 29.421526] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 29.428771] R13: 00007ffd36e2877f R14: 00007f52af2e99c0 R15: 000000000075bf2c [ 29.436030] [ 29.437634] The buggy address belongs to the page: [ 29.442539] page:ffffea000704b9c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 29.450655] flags: 0x4000000000000000() [ 29.454618] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 29.462477] raw: ffffea000704b9e0 ffffea000704b9e0 0000000000000000 0000000000000000 [ 29.470333] page dumped because: kasan: bad access detected [ 29.476014] [ 29.477615] Memory state around the buggy address: [ 29.482536] ffff8881c12e7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.489883] ffff8881c12e7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.497215] >ffff8881c12e7800: 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 [ 29.504546] ^ [ 29.511011] ffff8881c12e7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.518344] ffff8881c12e7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.525673] ================================================================== [ 29.533002] Disabling lock debugging due to kernel taint [ 29.538528] Kernel panic - not syncing: panic_on_warn set ... [ 29.538528] [ 29.545872] CPU: 0 PID: 3087 Comm: syz-executor.3 Tainted: G B 4.14.142+ #0 [ 29.554071] Call Trace: [ 29.556639] dump_stack+0xca/0x134 [ 29.560168] panic+0x1ea/0x3d3 [ 29.563334] ? add_taint.cold+0x16/0x16 [ 29.567286] ? lock_downgrade+0x5d0/0x5d0 [ 29.571411] ? unwind_next_frame+0x169f/0x1810 [ 29.575986] end_report+0x43/0x49 [ 29.579413] ? unwind_next_frame+0x169f/0x1810 [ 29.583968] __kasan_report.cold+0xd/0x41 [ 29.588103] ? unwind_next_frame+0x169f/0x1810 [ 29.592659] unwind_next_frame+0x169f/0x1810 [ 29.597042] ? retint_kernel+0x2d/0x2d [ 29.600906] ? perf_callchain_user+0x4a7/0xf80 [ 29.605464] ? deref_stack_reg+0xe0/0xe0 [ 29.609500] ? perf_callchain_user+0x2d1/0xf80 [ 29.614058] ? retint_kernel+0x2d/0x2d [ 29.617921] perf_callchain_kernel+0x3a0/0x540 [ 29.622493] ? perf_callchain_kernel+0x540/0x540 [ 29.627248] ? arch_perf_update_userpage+0x330/0x330 [ 29.632336] ? perf_callchain+0x147/0x190 [ 29.636486] ? futex_wait_setup+0x132/0x330 [ 29.640790] get_perf_callchain+0x2f5/0x770 [ 29.645133] ? put_callchain_buffers+0x60/0x60 [ 29.649822] ? perf_callchain+0x150/0x190 [ 29.653957] perf_callchain+0x147/0x190 [ 29.657918] perf_prepare_sample+0x6a8/0x1360 [ 29.663206] ? perf_output_sample+0x1700/0x1700 [ 29.667861] ? perf_prepare_sample+0x1360/0x1360 [ 29.672609] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 29.678299] perf_event_output_forward+0xdc/0x220 [ 29.683132] ? perf_prepare_sample+0x1360/0x1360 [ 29.687870] ? __perf_event_overflow+0x1cc/0x340 [ 29.692610] ? check_preemption_disabled+0x35/0x1f0 [ 29.697611] __perf_event_overflow+0x12d/0x340 [ 29.702173] perf_swevent_overflow+0x7a/0xf0 [ 29.706561] perf_swevent_event+0x112/0x270 [ 29.710861] perf_tp_event+0x633/0x7f0 [ 29.714732] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 29.720427] ? trace_hardirqs_on+0x10/0x10 [ 29.724652] ? __lock_acquire+0x5d7/0x4320 [ 29.728867] ? perf_trace_run_bpf_submit+0x113/0x170 [ 29.733947] ? check_preemption_disabled+0x35/0x1f0 [ 29.738938] perf_trace_run_bpf_submit+0x113/0x170 [ 29.743843] perf_trace_lock_acquire+0x341/0x4e0 [ 29.748575] ? HARDIRQ_verbose+0x10/0x10 [ 29.752609] ? retint_kernel+0x2d/0x2d [ 29.756477] ? get_futex_key+0x4c1/0xf90 [ 29.760533] lock_acquire+0x279/0x360 [ 29.765264] ? futex_wait_setup+0x132/0x330 [ 29.769804] _raw_spin_lock+0x2a/0x40 [ 29.773582] ? futex_wait_setup+0x132/0x330 [ 29.777878] futex_wait_setup+0x132/0x330 [ 29.782015] ? get_futex_key+0xf90/0xf90 [ 29.786496] futex_wait+0x1ad/0x570 [ 29.790117] ? futex_wait_setup+0x330/0x330 [ 29.794420] ? wake_up_q+0xea/0x150 [ 29.798025] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 29.803033] ? futex_wake+0x15b/0x440 [ 29.806825] do_futex+0x13f/0x1980 [ 29.810360] ? trace_hardirqs_on+0x10/0x10 [ 29.814583] ? perf_trace_lock_acquire+0x341/0x4e0 [ 29.819501] ? exit_robust_list+0x240/0x240 [ 29.823800] ? HARDIRQ_verbose+0x10/0x10 [ 29.827840] ? __might_fault+0x104/0x1b0 [ 29.831916] ? lock_downgrade+0x5d0/0x5d0 [ 29.836143] ? lock_acquire+0x12b/0x360 [ 29.840124] ? __might_fault+0xd4/0x1b0 [ 29.844081] ? __might_fault+0x177/0x1b0 [ 29.848124] ? _copy_to_user+0x82/0xd0 [ 29.852021] SyS_futex+0x1c5/0x2c3 [ 29.855546] ? do_futex+0x1980/0x1980 [ 29.859325] ? SyS_clock_gettime+0x7d/0xe0 [ 29.863539] ? do_clock_gettime+0xd0/0xd0 [ 29.867681] ? do_syscall_64+0x43/0x520 [ 29.871633] ? do_futex+0x1980/0x1980 [ 29.875417] do_syscall_64+0x19b/0x520 [ 29.879289] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.884462] RIP: 0033:0x4598e9 [ 29.887656] RSP: 002b:00007f52af2e8cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 29.895340] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 00000000004598e9 [ 29.902597] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 29.909848] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 29.917111] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 29.924360] R13: 00007ffd36e2877f R14: 00007f52af2e99c0 R15: 000000000075bf2c [ 29.932368] Kernel Offset: 0x24a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 29.943375] Rebooting in 86400 seconds..