[ ok ] Starting periodic command scheduler: cron.
[....] Starting mcstransd: [ 10.911779] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 11.877481] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
2019/11/08 19:01:45 parsed 1 programs
2019/11/08 19:01:48 executed programs: 0

syzkaller login: [ 26.714539] audit: type=1400 audit(1573239708.309:5): avc: denied { sys_admin } for pid=2061 comm="syz-executor.1" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 26.763604] audit: type=1400 audit(1573239708.359:6): avc: denied { net_admin } for pid=2067 comm="syz-executor.2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 27.115762] audit: type=1400 audit(1573239708.719:7): avc: denied { sys_chroot } for pid=2073 comm="syz-executor.4" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 27.141533] audit: type=1400 audit(1573239708.739:8): avc: denied { associate } for pid=2073 comm="syz-executor.4" name="syz4" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 28.993887] ==================================================================
[ 29.001337] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 29.008068] Read of size 8 at addr ffff8801c74f0560 by task blkid/2387
[ 29.014751]
[ 29.016369] CPU: 1 PID: 2387 Comm: blkid Not tainted 4.9.141+ #1
[ 29.022508]  ffff8801c80bf6f8 ffffffff81b42e79 ffffea00071d3c00 ffff8801c74f0560
[ 29.030630]  0000000000000000 ffff8801c74f0560 0000000000000000 ffff8801c80bf730
[ 29.038714]  ffffffff815009b8 ffff8801c74f0560 0000000000000008 0000000000000000
[ 29.046786] Call Trace:
[ 29.049372]  [] dump_stack+0xc1/0x128
[ 29.054750]  [] print_address_description+0x6c/0x234
[ 29.061422]  [] kasan_report.cold.6+0x242/0x2fe
[ 29.067662]  [] ? disk_unblock_events+0x51/0x60
[ 29.081022]  [] __asan_report_load8_noabort+0x14/0x20
[ 29.087808]  [] disk_unblock_events+0x51/0x60
[ 29.093896]  [] __blkdev_get+0x6b6/0xd60
[ 29.099525]  [] ? __blkdev_put+0x840/0x840
[ 29.105934]  [] ? fsnotify+0x114/0x1100
[ 29.111679]  [] blkdev_get+0x2da/0x920
[ 29.117399]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 29.124154]  [] ? bd_may_claim+0xd0/0xd0
[ 29.129780]  [] ? bd_acquire+0x27/0x250
[ 29.135322]  [] ? bd_acquire+0x88/0x250
[ 29.140865]  [] ? _raw_spin_unlock+0x2c/0x50
[ 29.146834]  [] blkdev_open+0x1a5/0x250
[ 29.152376]  [] do_dentry_open+0x3ef/0xc90
[ 29.158174]  [] ? blkdev_get_by_dev+0x70/0x70
[ 29.164236]  [] vfs_open+0x11c/0x210
[ 29.169953]  [] ? may_open.isra.20+0x14f/0x2a0
[ 29.176110]  [] path_openat+0x542/0x2790
[ 29.181739]  [] ? path_mountpoint+0x6c0/0x6c0
[ 29.187802]  [] ? trace_hardirqs_on+0x10/0x10
[ 29.193898]  [] ? expand_files.part.3+0x3a9/0x6d0
[ 29.200307]  [] do_filp_open+0x197/0x270
[ 29.205943]  [] ? may_open_dev+0xe0/0xe0
[ 29.211883]  [] ? _raw_spin_unlock+0x2c/0x50
[ 29.217855]  [] ? __alloc_fd+0x1d7/0x4a0
[ 29.223481]  [] do_sys_open+0x30d/0x5c0
[ 29.229018]  [] ? filp_open+0x70/0x70
[ 29.234385]  [] ? up_read+0x1a/0x40
[ 29.239569]  [] SyS_open+0x2d/0x40
[ 29.244691]  [] ? do_sys_open+0x5c0/0x5c0
[ 29.250406]  [] do_syscall_64+0x19f/0x550
[ 29.256126]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.265041]
[ 29.266664] Allocated by task 2376:
[ 29.270291]  save_stack_trace+0x16/0x20
[ 29.274261]  kasan_kmalloc.part.1+0x62/0xf0
[ 29.278604]  kasan_kmalloc+0xaf/0xc0
[ 29.282320]  kmem_cache_alloc_trace+0x117/0x2e0
[ 29.286995]  alloc_disk_node+0x54/0x3a0
[ 29.290982]  alloc_disk+0x18/0x20
[ 29.294433]  loop_add+0x368/0x7a0
[ 29.297882]  loop_control_ioctl+0x136/0x300
[ 29.302201]  do_vfs_ioctl+0x1ac/0x11a0
[ 29.306089]  SyS_ioctl+0x8f/0xc0
[ 29.309452]  do_syscall_64+0x19f/0x550
[ 29.313339]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.318430]
[ 29.320050] Freed by task 2387:
[ 29.323325]  save_stack_trace+0x16/0x20
[ 29.327297]  kasan_slab_free+0xac/0x190
[ 29.331270]  kfree+0xfb/0x310
[ 29.334377]  disk_release+0x259/0x330
[ 29.338347]  device_release+0x7e/0x220
[ 29.342230]  kobject_put+0x148/0x250
[ 29.345941]  put_disk+0x23/0x30
[ 29.349259]  __blkdev_get+0x616/0xd60
[ 29.353058]  blkdev_get+0x2da/0x920
[ 29.356683]  blkdev_open+0x1a5/0x250
[ 29.360400]  do_dentry_open+0x3ef/0xc90
[ 29.364374]  vfs_open+0x11c/0x210
[ 29.368348]  path_openat+0x542/0x2790
[ 29.372152]  do_filp_open+0x197/0x270
[ 29.375965]  do_sys_open+0x30d/0x5c0
[ 29.379679]  SyS_open+0x2d/0x40
[ 29.382955]  do_syscall_64+0x19f/0x550
[ 29.386846]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.391942]
[ 29.393568] The buggy address belongs to the object at ffff8801c74f0000
[ 29.393568]  which belongs to the cache kmalloc-2048 of size 2048
[ 29.406393] The buggy address is located 1376 bytes inside of
[ 29.406393]  2048-byte region [ffff8801c74f0000, ffff8801c74f0800)
[ 29.418436] The buggy address belongs to the page:
[ 29.423369] page:ffffea00071d3c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 29.433599] flags: 0x4000000000004080(slab|head)
[ 29.438342] page dumped because: kasan: bad access detected
[ 29.444307]
[ 29.445926] Memory state around the buggy address:
[ 29.450858]  ffff8801c74f0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.458216]  ffff8801c74f0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.465606] >ffff8801c74f0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.472967]                                                        ^
[ 29.479637]  ffff8801c74f0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.486995]  ffff8801c74f0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.494347] ==================================================================
[ 29.501711] Disabling lock debugging due to kernel taint
[ 29.512473] Kernel panic - not syncing: panic_on_warn set ...
[ 29.512473]
[ 29.519882] CPU: 1 PID: 2387 Comm: blkid Tainted: G B 4.9.141+ #1
[ 29.527241]  ffff8801c80bf658 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff
[ 29.535408]  0000000000000000 0000000000000001 0000000000000000 ffff8801c80bf718
[ 29.543478]  ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
[ 29.551557] Call Trace:
[ 29.554147]  [] dump_stack+0xc1/0x128
[ 29.559514]  [] panic+0x1bf/0x39f
[ 29.564534]  [] ? add_taint.cold.5+0x16/0x16
[ 29.570512]  [] ? ___preempt_schedule+0x16/0x18
[ 29.577311]  [] kasan_end_report+0x47/0x4f
[ 29.583158]  [] kasan_report.cold.6+0x76/0x2fe
[ 29.589303]  [] ? disk_unblock_events+0x51/0x60
[ 29.595547]  [] __asan_report_load8_noabort+0x14/0x20
[ 29.602305]  [] disk_unblock_events+0x51/0x60
[ 29.608376]  [] __blkdev_get+0x6b6/0xd60
[ 29.614007]  [] ? __blkdev_put+0x840/0x840
[ 29.619984]  [] ? fsnotify+0x114/0x1100
[ 29.625524]  [] blkdev_get+0x2da/0x920
[ 29.631585]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 29.638341]  [] ? bd_may_claim+0xd0/0xd0
[ 29.643976]  [] ? bd_acquire+0x27/0x250
[ 29.649520]  [] ? bd_acquire+0x88/0x250
[ 29.656102]  [] ? _raw_spin_unlock+0x2c/0x50
[ 29.662083]  [] blkdev_open+0x1a5/0x250
[ 29.667629]  [] do_dentry_open+0x3ef/0xc90
[ 29.673444]  [] ? blkdev_get_by_dev+0x70/0x70
[ 29.679677]  [] vfs_open+0x11c/0x210
[ 29.684960]  [] ? may_open.isra.20+0x14f/0x2a0
[ 29.691118]  [] path_openat+0x542/0x2790
[ 29.696748]  [] ? path_mountpoint+0x6c0/0x6c0
[ 29.702812]  [] ? trace_hardirqs_on+0x10/0x10
[ 29.708881]  [] ? expand_files.part.3+0x3a9/0x6d0
[ 29.715328]  [] do_filp_open+0x197/0x270
[ 29.720956]  [] ? may_open_dev+0xe0/0xe0
[ 29.726588]  [] ? _raw_spin_unlock+0x2c/0x50
[ 29.732564]  [] ? __alloc_fd+0x1d7/0x4a0
[ 29.738193]  [] do_sys_open+0x30d/0x5c0
[ 29.743736]  [] ? filp_open+0x70/0x70
[ 29.749105]  [] ? up_read+0x1a/0x40
[ 29.754299]  [] SyS_open+0x2d/0x40
[ 29.759435]  [] ? do_sys_open+0x5c0/0x5c0
[ 29.765168]  [] do_syscall_64+0x19f/0x550
[ 29.770883]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.778482] Kernel Offset: disabled
[ 29.782095] Rebooting in 86400 seconds..