[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 19.949753] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.378287] audit: type=1400 audit(1548211909.320:6): avc: denied { map } for pid=1757 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 20.419739] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.915757] random: sshd: uninitialized urandom read (32 bytes read)
[ 82.194785] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.181' (ECDSA) to the list of known hosts.
[ 87.835666] random: sshd: uninitialized urandom read (32 bytes read)
[ 87.929111] audit: type=1400 audit(1548211976.870:7): avc: denied { map } for pid=1811 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/01/23 02:52:57 parsed 1 programs
[ 88.712569] audit: type=1400 audit(1548211977.660:8): avc: denied { map } for pid=1811 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5006 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 89.384381] random: cc1: uninitialized urandom read (8 bytes read)
2019/01/23 02:53:00 executed programs: 0
[ 91.198059] audit: type=1400 audit(1548211980.140:9): avc: denied { map } for pid=1811 comm="syz-execprog" path="/root/syzkaller-shm002726508" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2019/01/23 02:53:05 executed programs: 31
2019/01/23 02:53:10 executed programs: 122
2019/01/23 02:53:15 executed programs: 215
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
2019/01/23 02:53:20 executed programs: 279
2019/01/23 02:53:25 executed programs: 379
2019/01/23 02:53:30 executed programs: 492
2019/01/23 02:53:35 executed programs: 562
2019/01/23 02:53:40 executed programs: 681
[ 135.399399] ==================================================================
[ 135.406883] BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50
[ 135.413640] Read of size 8 at addr ffff8881c44e7c68 by task blkid/5874
[ 135.420289]
[ 135.421907] CPU: 1 PID: 5874 Comm: blkid Not tainted 4.14.94+ #13
[ 135.428140] Call Trace:
[ 135.430726]  dump_stack+0xb9/0x10e
[ 135.434270]  ? disk_unblock_events+0x4b/0x50
[ 135.438675]  print_address_description+0x60/0x226
[ 135.443515]  ? disk_unblock_events+0x4b/0x50
[ 135.447918]  kasan_report.cold+0x88/0x2a5
[ 135.452065]  ? disk_unblock_events+0x4b/0x50
[ 135.456467]  ? __blkdev_get+0x68f/0xe50
[ 135.460445]  ? __blkdev_put+0x6d0/0x6d0
[ 135.464417]  ? fsnotify+0x824/0x10c0
[ 135.468137]  ? blkdev_get+0x97/0x8b0
[ 135.471845]  ? bd_acquire+0x171/0x2c0
[ 135.475639]  ? bd_may_claim+0xd0/0xd0
[ 135.479433]  ? lock_downgrade+0x5d0/0x5d0
[ 135.483572]  ? lock_acquire+0x10f/0x380
[ 135.487538]  ? bd_acquire+0x21/0x2c0
[ 135.491304]  ? blkdev_open+0x1cc/0x250
[ 135.495187]  ? security_file_open+0x88/0x190
[ 135.499606]  ? do_dentry_open+0x41b/0xd60
[ 135.503745]  ? bd_acquire+0x2c0/0x2c0
[ 135.507550]  ? vfs_open+0x105/0x230
[ 135.511174]  ? path_openat+0xb6b/0x2b70
[ 135.515151]  ? path_mountpoint+0x9a0/0x9a0
[ 135.519384]  ? trace_hardirqs_on+0x10/0x10
[ 135.523621]  ? do_filp_open+0x1a1/0x280
[ 135.527600]  ? may_open_dev+0xe0/0xe0
[ 135.531407]  ? lock_downgrade+0x5d0/0x5d0
[ 135.535547]  ? lock_acquire+0x10f/0x380
[ 135.539532]  ? __alloc_fd+0x3f/0x490
[ 135.543278]  ? _raw_spin_unlock+0x29/0x40
[ 135.547422]  ? __alloc_fd+0x1bf/0x490
[ 135.551245]  ? do_sys_open+0x2ca/0x590
[ 135.555146]  ? filp_open+0x60/0x60
[ 135.558729]  ? do_syscall_64+0x43/0x4b0
[ 135.562705]  ? do_sys_open+0x590/0x590
[ 135.566590]  ? do_syscall_64+0x19b/0x4b0
[ 135.570655]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 135.576027]
[ 135.577681] Allocated by task 5872:
[ 135.581335]  kasan_kmalloc.part.0+0x4f/0xd0
[ 135.585670]  kmem_cache_alloc_trace+0x126/0x310
[ 135.590339]  alloc_disk_node+0x5b/0x3d0
[ 135.594302]
[ 135.595952] Freed by task 5874:
[ 135.599228]  kasan_slab_free+0xb0/0x190
[ 135.603198]  kfree+0xf5/0x310
[ 135.606317]  device_release+0xf4/0x1a0
[ 135.610199]
[ 135.611828] The buggy address belongs to the object at ffff8881c44e7700
[ 135.611828]  which belongs to the cache kmalloc-2048 of size 2048
[ 135.624642] The buggy address is located 1384 bytes inside of
[ 135.624642]  2048-byte region [ffff8881c44e7700, ffff8881c44e7f00)
[ 135.636663] The buggy address belongs to the page:
[ 135.641702] page:ffffea0007113800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 135.651647] flags: 0x4000000000008100(slab|head)
[ 135.656378] raw: 4000000000008100 0000000000000000 0000000000000000 00000001000f000f
[ 135.664236] raw: 0000000000000000 0000000100000001 ffff8881da802800 0000000000000000
[ 135.672232] page dumped because: kasan: bad access detected
[ 135.677929]
[ 135.679535] Memory state around the buggy address:
[ 135.684436]  ffff8881c44e7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 135.691911]  ffff8881c44e7b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 135.699247] >ffff8881c44e7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 135.706581]                                                           ^
[ 135.713323]  ffff8881c44e7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 135.720757]  ffff8881c44e7d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 135.728090] ==================================================================
[ 135.735557] Disabling lock debugging due to kernel taint
[ 135.743563] Kernel panic - not syncing: panic_on_warn set ...
[ 135.743563]
[ 135.750954] CPU: 1 PID: 5874 Comm: blkid Tainted: G B 4.14.94+ #13
[ 135.758384] Call Trace:
[ 135.760965]  dump_stack+0xb9/0x10e
[ 135.764498]  panic+0x1d9/0x3c2
[ 135.767699]  ? add_taint.cold+0x16/0x16
[ 135.771666]  ? disk_unblock_events+0x4b/0x50
[ 135.776066]  ? ___preempt_schedule+0x16/0x18
[ 135.780474]  ? disk_unblock_events+0x4b/0x50
[ 135.784907]  kasan_end_report+0x43/0x49
[ 135.788890]  kasan_report.cold+0xa4/0x2a5
[ 135.793032]  ? disk_unblock_events+0x4b/0x50
[ 135.797435]  ? __blkdev_get+0x68f/0xe50
[ 135.801406]  ? __blkdev_put+0x6d0/0x6d0
[ 135.805391]  ? fsnotify+0x824/0x10c0
[ 135.809137]  ? blkdev_get+0x97/0x8b0
[ 135.812844]  ? bd_acquire+0x171/0x2c0
[ 135.816672]  ? bd_may_claim+0xd0/0xd0
[ 135.820466]  ? lock_downgrade+0x5d0/0x5d0
[ 135.824605]  ? lock_acquire+0x10f/0x380
[ 135.828574]  ? bd_acquire+0x21/0x2c0
[ 135.832284]  ? blkdev_open+0x1cc/0x250
[ 135.836180]  ? security_file_open+0x88/0x190
[ 135.840581]  ? do_dentry_open+0x41b/0xd60
[ 135.844724]  ? bd_acquire+0x2c0/0x2c0
[ 135.848689]  ? vfs_open+0x105/0x230
[ 135.852322]  ? path_openat+0xb6b/0x2b70
[ 135.856289]  ? path_mountpoint+0x9a0/0x9a0
[ 135.860527]  ? trace_hardirqs_on+0x10/0x10
[ 135.864761]  ? do_filp_open+0x1a1/0x280
[ 135.868740]  ? may_open_dev+0xe0/0xe0
[ 135.872535]  ? lock_downgrade+0x5d0/0x5d0
[ 135.876711]  ? lock_acquire+0x10f/0x380
[ 135.880679]  ? __alloc_fd+0x3f/0x490
[ 135.884402]  ? _raw_spin_unlock+0x29/0x40
[ 135.888579]  ? __alloc_fd+0x1bf/0x490
[ 135.892377]  ? do_sys_open+0x2ca/0x590
[ 135.896275]  ? filp_open+0x60/0x60
[ 135.899841]  ? do_syscall_64+0x43/0x4b0
[ 135.903810]  ? do_sys_open+0x590/0x590
[ 135.907691]  ? do_syscall_64+0x19b/0x4b0
[ 135.911777]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 135.917487] Kernel Offset: 0x37e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 135.928388] Rebooting in 86400 seconds..