[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 29.607504] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.845120] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.177216] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.696225] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 970.259169] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[ 975.918099] random: sshd: uninitialized urandom read (32 bytes read)
[ 976.093918] kauditd_printk_skb: 10 callbacks suppressed
[ 976.093928] audit: type=1400 audit(1561967806.334:36): avc: denied { map } for pid=6858 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/07/01 07:56:47 parsed 1 programs
[ 976.911379] audit: type=1400 audit(1561967807.154:37): avc: denied { map } for pid=6858 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=13813 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 977.674052] random: cc1: uninitialized urandom read (8 bytes read)
2019/07/01 07:56:49 executed programs: 0
[ 979.650312] IPVS: ftp: loaded support on port[0] = 21
[ 979.949249] chnl_net:caif_netlink_parms(): no params data found
[ 979.980459] bridge0: port 1(bridge_slave_0) entered blocking state
[ 979.987221] bridge0: port 1(bridge_slave_0) entered disabled state
[ 979.994586] device bridge_slave_0 entered promiscuous mode
[ 980.001965] bridge0: port 2(bridge_slave_1) entered blocking state
[ 980.008323] bridge0: port 2(bridge_slave_1) entered disabled state
[ 980.015690] device bridge_slave_1 entered promiscuous mode
[ 980.029691] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 980.038671] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 980.054671] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 980.062206] team0: Port device team_slave_0 added
[ 980.067568] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 980.074909] team0: Port device team_slave_1 added
[ 980.080579] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 980.087744] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 980.142225] device hsr_slave_0 entered promiscuous mode
[ 980.180420] device hsr_slave_1 entered promiscuous mode
[ 980.230586] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 980.237674] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 980.252206] bridge0: port 2(bridge_slave_1) entered blocking state
[ 980.258705] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 980.265732] bridge0: port 1(bridge_slave_0) entered blocking state
[ 980.272110] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 980.298539] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 980.304694] 8021q: adding VLAN 0 to HW filter on device bond0
[ 980.312747] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 980.321637] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 980.330407] bridge0: port 1(bridge_slave_0) entered disabled state
[ 980.337438] bridge0: port 2(bridge_slave_1) entered disabled state
[ 980.347323] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 980.353619] 8021q: adding VLAN 0 to HW filter on device team0
[ 980.361804] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 980.369463] bridge0: port 1(bridge_slave_0) entered blocking state
[ 980.375865] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 980.384960] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 980.393131] bridge0: port 2(bridge_slave_1) entered blocking state
[ 980.399457] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 980.413187] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 980.420931] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 980.429775] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 980.440818] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 980.451240] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 980.462930] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 980.468937] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 980.476728] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 980.491573] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 980.501145] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 980.941079] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 982.031049] audit: type=1400 audit(1561967812.274:38): avc: denied { map } for pid=6901 comm="syz-executor.0" path="socket:[25133]" dev="sockfs" ino=25133 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=key_socket permissive=1
2019/07/01 07:56:54 executed programs: 14
[ 1144.790217] INFO: task syz-executor.0:7008 blocked for more than 140 seconds.
[ 1144.797724] Not tainted 4.14.131 #25
[ 1144.804341] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1144.812347] syz-executor.0 D28528 7008 6875 0x80000000
[ 1144.818052] Call Trace:
[ 1144.825081] __schedule+0x7b8/0x1cd0
[ 1144.829090] ? pci_mmcfg_check_reserved+0x150/0x150
[ 1144.838135] ? _raw_spin_unlock_irq+0x28/0x90
[ 1144.843435] schedule+0x92/0x1c0
[ 1144.846801] rwsem_down_read_failed+0x1f6/0x390
[ 1144.851758] ? __rwsem_down_read_failed_common.part.0+0x80/0x80
[ 1144.857824] call_rwsem_down_read_failed+0x18/0x30
[ 1144.863753] down_read+0x49/0xb0
[ 1144.867218] ? do_exit+0x3d2/0x2c10
[ 1144.871101] do_exit+0x3d2/0x2c10
[ 1144.874601] ? find_held_lock+0x35/0x130
[ 1144.878659] ? mm_update_next_owner+0x5d0/0x5d0
[ 1144.884345] ? _raw_spin_unlock_irq+0x28/0x90
[ 1144.888851] ? trace_hardirqs_on_caller+0x400/0x590
[ 1144.894103] do_group_exit+0x111/0x330
[ 1144.897992] SyS_exit_group+0x1d/0x20
[ 1144.902763] ? do_group_exit+0x330/0x330
[ 1144.906866] do_syscall_64+0x1e8/0x640
[ 1144.910994] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1144.915846] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1144.922012] RIP: 0033:0x459519
[ 1144.925200] RSP: 002b:00007ffd84907f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1144.933120] RAX: ffffffffffffffda RBX: 000000000000001e RCX: 0000000000459519
[ 1144.941160] RDX: 0000000000413201 RSI: fffffffffffffff7 RDI: 0000000000000000
[ 1144.948427] RBP: 0000000000000000 R08: ffffffffffffffff R09: 00007ffd84907ff0
[ 1144.955960] R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000001
[ 1144.964649] R13: 00007ffd84907ff0 R14: 0000000000000000 R15: 00007ffd84908000
[ 1144.972180] INFO: task syz-executor.0:7010 blocked for more than 140 seconds.
[ 1144.979445] Not tainted 4.14.131 #25
[ 1144.984628] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1144.992614] syz-executor.0 D29192 7010 6875 0x80000000
[ 1144.998241] Call Trace:
[ 1145.001917] __schedule+0x7b8/0x1cd0
[ 1145.005633] ? pci_mmcfg_check_reserved+0x150/0x150
[ 1145.010895] ? _raw_spin_unlock_irq+0x28/0x90
[ 1145.015393] schedule+0x92/0x1c0
[ 1145.018752] rwsem_down_read_failed+0x1f6/0x390
[ 1145.024447] ? __rwsem_down_read_failed_common.part.0+0x80/0x80
[ 1145.030596] call_rwsem_down_read_failed+0x18/0x30
[ 1145.035526] down_read+0x49/0xb0
[ 1145.038886] ? do_exit+0x3d2/0x2c10
[ 1145.043657] do_exit+0x3d2/0x2c10
[ 1145.047115] ? find_held_lock+0x35/0x130
[ 1145.051500] ? mm_update_next_owner+0x5d0/0x5d0
[ 1145.056178] do_group_exit+0x111/0x330
[ 1145.061098] get_signal+0x381/0x1cd0
[ 1145.064827] ? trace_hardirqs_on+0x10/0x10
[ 1145.069055] ? save_trace+0x290/0x290
[ 1145.073171] ? trace_hardirqs_on+0x10/0x10
[ 1145.077462] do_signal+0x86/0x19a0
[ 1145.081996] ? setup_sigcontext+0x7d0/0x7d0
[ 1145.086386] ? kasan_check_read+0x11/0x20
[ 1145.091492] ? _copy_to_user+0x87/0xd0
[ 1145.095443] ? SyS_futex+0x215/0x302
[ 1145.099146] ? SyS_futex+0x222/0x302
[ 1145.103973] ? exit_to_usermode_loop+0x3d/0x220
[ 1145.108691] exit_to_usermode_loop+0x15c/0x220
[ 1145.114068] do_syscall_64+0x4bc/0x640
[ 1145.117961] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1145.123801] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1145.128991] RIP: 0033:0x459519
[ 1145.132393] RSP: 002b:00007f139f2f7cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 1145.140883] RAX: fffffffffffffe00 RBX: 000000000075bfd0 RCX: 0000000000459519
[ 1145.148145] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bfd0
[ 1145.155669] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 1145.163708] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bfd4
[ 1145.171210] R13: 00007ffd84907d8f R14: 00007f139f2f89c0 R15: 000000000075bfd4
[ 1145.178498]
[ 1145.178498] Showing all locks held in the system:
[ 1145.185851] 1 lock held by khungtaskd/1003:
[ 1145.190311] #0: (tasklist_lock){.+.+}, at: [] debug_show_all_locks+0x7f/0x21f
[ 1145.199366] 1 lock held by rsyslogd/6712:
[ 1145.203567] #0: (&f->f_pos_lock){+.+.}, at: [] __fdget_pos+0xab/0xd0
[ 1145.211871] 2 locks held by getty/6834:
[ 1145.215838] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 1145.224559] #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e6/0x17b0
[ 1145.233957] 2 locks held by getty/6835:
[ 1145.237915] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 1145.246620] #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e6/0x17b0
[ 1145.255921] 2 locks held by getty/6836:
[ 1145.259880] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 1145.268580] #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e6/0x17b0
[ 1145.277888] 2 locks held by getty/6837:
[ 1145.281879] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 1145.290573] #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e6/0x17b0
[ 1145.299860] 2 locks held by getty/6838:
[ 1145.303860] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 1145.312570] #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e6/0x17b0
[ 1145.321886] 2 locks held by getty/6839:
[ 1145.325846] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 1145.334546] #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e6/0x17b0
[ 1145.343862] 2 locks held by getty/6840:
[ 1145.347825] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 1145.356553] #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1e6/0x17b0
[ 1145.365879] 1 lock held by syz-executor.0/7008:
[ 1145.370567] #0: (&mm->mmap_sem){++++}, at: [] do_exit+0x3d2/0x2c10
[ 1145.378634] 1 lock held by syz-executor.0/7010:
[ 1145.383406] #0: (&mm->mmap_sem){++++}, at: [] do_exit+0x3d2/0x2c10
[ 1145.391501]
[ 1145.393117] =============================================
[ 1145.393117]
[ 1145.401678] NMI backtrace for cpu 0
[ 1145.405313] CPU: 0 PID: 1003 Comm: khungtaskd Not tainted 4.14.131 #25
[ 1145.411967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1145.421339] Call Trace:
[ 1145.423990] dump_stack+0x138/0x19c
[ 1145.427613] nmi_cpu_backtrace.cold+0x57/0x94
[ 1145.432152] ? irq_force_complete_move.cold+0x7d/0x7d
[ 1145.437339] nmi_trigger_cpumask_backtrace+0x141/0x189
[ 1145.442611] arch_trigger_cpumask_backtrace+0x14/0x20
[ 1145.447843] watchdog+0x5e7/0xb90
[ 1145.451320] kthread+0x319/0x430
[ 1145.454676] ? hungtask_pm_notify+0x50/0x50
[ 1145.458985] ? kthread_create_on_node+0xd0/0xd0
[ 1145.463645] ret_from_fork+0x24/0x30
[ 1145.467431] Sending NMI from CPU 0 to CPUs 1:
[ 1145.472384] NMI backtrace for cpu 1
[ 1145.472387] CPU: 1 PID: 7009 Comm: syz-executor.0 Not tainted 4.14.131 #25
[ 1145.472391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1145.472393] task: ffff8880a629e640 task.stack: ffff8880a4940000
[ 1145.472395] RIP: 0010:__lock_acquire+0x505/0x45e0
[ 1145.472397] RSP: 0018:ffff8880a4947820 EFLAGS: 00000046
[ 1145.472402] RAX: 0000000000000000 RBX: 0000000000040000 RCX: 0000000000000000
[ 1145.472404] RDX: 0000000000000001 RSI: 1ffff11014c53ddc RDI: ffff8880a629ef09
[ 1145.472407] RBP: ffff8880a49479d0 R08: 0000000000000001 R09: 0000000000040579
[ 1145.472410] R10: ffff8880a629eee8 R11: ffff8880a629e640 R12: ffff8880a180d680
[ 1145.472413] R13: 0000000000000579 R14: 0000000000000001 R15: 0000000000000000
[ 1145.472415] FS: 00007f139f319700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
[ 1145.472418] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1145.472420] CR2: 0000000001502978 CR3: 000000009e9c8000 CR4: 00000000001406e0
[ 1145.472423] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1145.472425] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1145.472427] Call Trace:
[ 1145.472429] ? _raw_spin_unlock_irq+0x28/0x90
[ 1145.472431] ? trace_hardirqs_on_caller+0x400/0x590
[ 1145.472433] ? trace_hardirqs_on+0x10/0x10
[ 1145.472434] ? save_trace+0x290/0x290
[ 1145.472436] ? mark_held_locks+0xb1/0x100
[ 1145.472438] ? __lock_is_held+0xb6/0x140
[ 1145.472440] ? trace_hardirqs_on_caller+0x400/0x590
[ 1145.472442] lock_acquire+0x16f/0x430
[ 1145.472444] ? perf_mmap+0x50a/0x13f0
[ 1145.472446] ? perf_mmap+0x50a/0x13f0
[ 1145.472448] __mutex_lock+0xe8/0x1470
[ 1145.472450] ? perf_mmap+0x50a/0x13f0
[ 1145.472452] ? perf_mmap+0x64b/0x13f0
[ 1145.472454] ? retint_kernel+0x2d/0x2d
[ 1145.472455] ? perf_mmap+0x50a/0x13f0
[ 1145.472457] ? mutex_trylock+0x1c0/0x1c0
[ 1145.472459] ? __mutex_unlock_slowpath+0x71/0x800
[ 1145.472461] ? wait_for_completion+0x420/0x420
[ 1145.472463] mutex_lock_nested+0x16/0x20
[ 1145.472465] ? mutex_lock_nested+0x16/0x20
[ 1145.472467] perf_mmap+0x50a/0x13f0
[ 1145.472469] mmap_region+0x852/0x1030
[ 1145.472470] do_mmap+0x5b8/0xcd0
[ 1145.472472] vm_mmap_pgoff+0x17a/0x1d0
[ 1145.472474] ? vma_is_stack_for_current+0xa0/0xa0
[ 1145.472476] ? __fget+0x237/0x370
[ 1145.472478] SyS_mmap_pgoff+0x3ca/0x520
[ 1145.472480] ? find_mergeable_anon_vma+0x2c0/0x2c0
[ 1145.472482] ? do_syscall_64+0x53/0x640
[ 1145.472484] ? align_vdso_addr+0x60/0x60
[ 1145.472485] SyS_mmap+0x16/0x20
[ 1145.472487] do_syscall_64+0x1e8/0x640
[ 1145.472490] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1145.472492] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1145.472493] RIP: 0033:0x459519
[ 1145.472495] RSP: 002b:00007f139f318c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1145.472500] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459519
[ 1145.472503] RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffd000
[ 1145.472506] RBP: 000000000075bf20 R08: 0000000000000003 R09: 0000000000000000
[ 1145.472508] R10: 0080000000000011 R11: 0000000000000246 R12: 00007f139f3196d4
[ 1145.472511] R13: 00000000004c5822 R14: 00000000004d9ed8 R15: 00000000ffffffff
[ 1145.472512] Code: 49 8d 7a 21 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 ad 0a 00 00 <4d> 8d 7a 22 41 0f b6 5a 21 48 b8 00 00 00 00 00 fc ff df 4c 89
[ 1145.474384] Kernel panic - not syncing: hung_task: blocked tasks
[ 1145.795255] CPU: 0 PID: 1003 Comm: khungtaskd Not tainted 4.14.131 #25
[ 1145.801908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1145.811251] Call Trace:
[ 1145.813834] dump_stack+0x138/0x19c
[ 1145.817455] panic+0x1f2/0x426
[ 1145.820636] ? add_taint.cold+0x16/0x16
[ 1145.824598] ? ___preempt_schedule+0x16/0x18
[ 1145.829008] watchdog+0x5f8/0xb90
[ 1145.832548] kthread+0x319/0x430
[ 1145.835903] ? hungtask_pm_notify+0x50/0x50
[ 1145.840212] ? kthread_create_on_node+0xd0/0xd0
[ 1145.844873] ret_from_fork+0x24/0x30
[ 1145.850254] Kernel Offset: disabled
[ 1145.853889] Rebooting in 86400 seconds..