[....] Starting OpenBSD Secure Shell server: sshd
[ 11.997966] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 34.308300] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.785725] audit: type=1400 audit(1552979043.656:6): avc: denied { map } for pid=1775 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.828159] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.304981] random: sshd: uninitialized urandom read (32 bytes read)
[ 101.263759] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[ 106.786770] random: sshd: uninitialized urandom read (32 bytes read)
[ 106.882273] audit: type=1400 audit(1552979115.756:7): avc: denied { map } for pid=1829 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/03/19 07:05:16 parsed 1 programs
[ 107.701053] audit: type=1400 audit(1552979116.576:8): avc: denied { map } for pid=1829 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5005 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 108.067618] random: cc1: uninitialized urandom read (8 bytes read)
2019/03/19 07:05:18 executed programs: 0
[ 109.455379] audit: type=1400 audit(1552979118.326:9): avc: denied { map } for pid=1829 comm="syz-execprog" path="/root/syzkaller-shm222512418" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
2019/03/19 07:05:23 executed programs: 46
[ 118.118655] ==================================================================
[ 118.126096] BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50
[ 118.132845] Read of size 8 at addr ffff8881d6264968 by task blkid/3531
[ 118.139494]
[ 118.141107] CPU: 0 PID: 3531 Comm: blkid Not tainted 4.14.106+ #31
[ 118.147413] Call Trace:
[ 118.149987]  dump_stack+0xb9/0x10e
[ 118.153525]  ? disk_unblock_events+0x4b/0x50
[ 118.157922]  print_address_description+0x60/0x226
[ 118.162756]  ? disk_unblock_events+0x4b/0x50
[ 118.167153]  kasan_report.cold+0x88/0x2a5
[ 118.171303]  ? disk_unblock_events+0x4b/0x50
[ 118.175723]  ? __blkdev_get+0x68f/0xf90
[ 118.179700]  ? __blkdev_put+0x6d0/0x6d0
[ 118.183663]  ? fsnotify+0x8b0/0x1150
[ 118.187362]  ? blkdev_get+0x97/0x8b0
[ 118.191062]  ? bd_acquire+0x171/0x2c0
[ 118.194844]  ? bd_may_claim+0xd0/0xd0
[ 118.198626]  ? lock_downgrade+0x5d0/0x5d0
[ 118.202770]  ? lock_acquire+0x10f/0x380
[ 118.206729]  ? bd_acquire+0x21/0x2c0
[ 118.210434]  ? blkdev_open+0x1cc/0x250
[ 118.214301]  ? security_file_open+0x88/0x190
[ 118.218695]  ? do_dentry_open+0x41b/0xd60
[ 118.222924]  ? bd_acquire+0x2c0/0x2c0
[ 118.226711]  ? vfs_open+0x105/0x230
[ 118.230338]  ? path_openat+0xb6b/0x2b70
[ 118.234307]  ? path_mountpoint+0x9a0/0x9a0
[ 118.238529]  ? trace_hardirqs_on+0x10/0x10
[ 118.243195]  ? do_filp_open+0x1a1/0x280
[ 118.247168]  ? may_open_dev+0xe0/0xe0
[ 118.250963]  ? lock_downgrade+0x5d0/0x5d0
[ 118.255096]  ? lock_acquire+0x10f/0x380
[ 118.259072]  ? __alloc_fd+0x3f/0x490
[ 118.262776]  ? _raw_spin_unlock+0x29/0x40
[ 118.266910]  ? __alloc_fd+0x1bf/0x490
[ 118.270706]  ? do_sys_open+0x2ca/0x590
[ 118.274612]  ? filp_open+0x60/0x60
[ 118.278147]  ? do_syscall_64+0x43/0x4b0
[ 118.282106]  ? do_sys_open+0x590/0x590
[ 118.285987]  ? do_syscall_64+0x19b/0x4b0
[ 118.290051]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 118.295405]
[ 118.297015] Allocated by task 3526:
[ 118.300624]  kasan_kmalloc.part.0+0x4f/0xd0
[ 118.304942]  kmem_cache_alloc_trace+0x126/0x310
[ 118.309608]  alloc_disk_node+0x5b/0x3d0
[ 118.313554]
[ 118.315158] Freed by task 3531:
[ 118.318430]  kasan_slab_free+0xb0/0x190
[ 118.322383]  kfree+0xf5/0x310
[ 118.325467]  device_release+0xf4/0x1a0
[ 118.329331]
[ 118.330936] The buggy address belongs to the object at ffff8881d6264400
[ 118.330936]  which belongs to the cache kmalloc-2048 of size 2048
[ 118.344804] The buggy address is located 1384 bytes inside of
[ 118.344804]  2048-byte region [ffff8881d6264400, ffff8881d6264c00)
[ 118.356838] The buggy address belongs to the page:
[ 118.361751] page:ffffea0007589800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 118.371703] flags: 0x4000000000008100(slab|head)
[ 118.376447] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800f000f
[ 118.384313] raw: 0000000000000000 0000000900000001 ffff8881da802800 0000000000000000
[ 118.392176] page dumped because: kasan: bad access detected
[ 118.397888]
[ 118.399499] Memory state around the buggy address:
[ 118.404408]  ffff8881d6264800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.411755]  ffff8881d6264880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.419110] >ffff8881d6264900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.426459]                                                           ^
[ 118.433215]  ffff8881d6264980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.440574]  ffff8881d6264a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.447927] ==================================================================
[ 118.455266] Disabling lock debugging due to kernel taint
[ 118.676271] Kernel panic - not syncing: panic_on_warn set ...
[ 118.676271]
[ 118.683680] CPU: 0 PID: 3531 Comm: blkid Tainted: G B 4.14.106+ #31
[ 118.691212] Call Trace:
[ 118.693802]  dump_stack+0xb9/0x10e
[ 118.697344]  panic+0x1d9/0x3c2
[ 118.700535]  ? add_taint.cold+0x16/0x16
[ 118.704525]  ? disk_unblock_events+0x4b/0x50
[ 118.708936]  ? ___preempt_schedule+0x16/0x18
[ 118.713353]  ? disk_unblock_events+0x4b/0x50
[ 118.717762]  kasan_end_report+0x43/0x49
[ 118.721735]  kasan_report.cold+0xa4/0x2a5
[ 118.725890]  ? disk_unblock_events+0x4b/0x50
[ 118.730301]  ? __blkdev_get+0x68f/0xf90
[ 118.734289]  ? __blkdev_put+0x6d0/0x6d0
[ 118.738283]  ? fsnotify+0x8b0/0x1150
[ 118.742005]  ? blkdev_get+0x97/0x8b0
[ 118.745730]  ? bd_acquire+0x171/0x2c0
[ 118.749537]  ? bd_may_claim+0xd0/0xd0
[ 118.753335]  ? lock_downgrade+0x5d0/0x5d0
[ 118.757480]  ? lock_acquire+0x10f/0x380
[ 118.761460]  ? bd_acquire+0x21/0x2c0
[ 118.765181]  ? blkdev_open+0x1cc/0x250
[ 118.769069]  ? security_file_open+0x88/0x190
[ 118.773478]  ? do_dentry_open+0x41b/0xd60
[ 118.777631]  ? bd_acquire+0x2c0/0x2c0
[ 118.781450]  ? vfs_open+0x105/0x230
[ 118.785077]  ? path_openat+0xb6b/0x2b70
[ 118.789054]  ? path_mountpoint+0x9a0/0x9a0
[ 118.793295]  ? trace_hardirqs_on+0x10/0x10
[ 118.797536]  ? do_filp_open+0x1a1/0x280
[ 118.801519]  ? may_open_dev+0xe0/0xe0
[ 118.805349]  ? lock_downgrade+0x5d0/0x5d0
[ 118.809533]  ? lock_acquire+0x10f/0x380
[ 118.813515]  ? __alloc_fd+0x3f/0x490
[ 118.817217]  ? _raw_spin_unlock+0x29/0x40
[ 118.821344]  ? __alloc_fd+0x1bf/0x490
[ 118.825142]  ? do_sys_open+0x2ca/0x590
[ 118.829010]  ? filp_open+0x60/0x60
[ 118.832532]  ? do_syscall_64+0x43/0x4b0
[ 118.836572]  ? do_sys_open+0x590/0x590
[ 118.840455]  ? do_syscall_64+0x19b/0x4b0
[ 118.844519]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 118.850298] Kernel Offset: 0x2fa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 118.867960] Rebooting in 86400 seconds..