[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 30.890498] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 31.264178] kauditd_printk_skb: 9 callbacks suppressed
[ 31.264186] audit: type=1400 audit(1575066370.712:35): avc: denied { map } for pid=6944 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 31.319217] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.859809] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.247420] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts.
[ 38.727910] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.904815] audit: type=1400 audit(1575066378.352:36): avc: denied { map } for pid=6958 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/11/29 22:26:18 parsed 1 programs
[ 39.520661] random: cc1: uninitialized urandom read (8 bytes read)
2019/11/29 22:26:19 executed programs: 0
[ 40.289749] audit: type=1400 audit(1575066379.732:37): avc: denied { map } for pid=6958 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=1170 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 40.315731] audit: type=1400 audit(1575066379.762:38): avc: denied { map } for pid=6958 comm="syz-execprog" path="/root/syzkaller-shm341922500" dev="sda1" ino=16485 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 40.580933] IPVS: ftp: loaded support on port[0] = 21
[ 41.463758] chnl_net:caif_netlink_parms(): no params data found
[ 41.491544] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.498176] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.505285] device bridge_slave_0 entered promiscuous mode
[ 41.512318] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.518681] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.525848] device bridge_slave_1 entered promiscuous mode
[ 41.541198] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 41.549990] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 41.565372] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 41.572754] team0: Port device team_slave_0 added
[ 41.578185] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 41.585723] team0: Port device team_slave_1 added
[ 41.591146] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 41.598506] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 41.651979] device hsr_slave_0 entered promiscuous mode
[ 41.720385] device hsr_slave_1 entered promiscuous mode
[ 41.770914] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 41.777982] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 41.791218] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.797690] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.804668] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.811026] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.839046] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 41.846112] 8021q: adding VLAN 0 to HW filter on device bond0
[ 41.854267] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 41.863032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 41.871535] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.878404] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.887841] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 41.894110] 8021q: adding VLAN 0 to HW filter on device team0
[ 41.903038] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 41.910862] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.917237] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.937015] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 41.947125] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 41.957658] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 41.964382] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 41.972411] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.978759] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.986517] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 41.994205] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 42.001762] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.009247] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.016772] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 42.023513] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 42.034402] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 42.042051] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 42.048785] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 42.059617] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 42.470285] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 43.439217] audit: type=1400 audit(1575066382.882:39): avc: denied { create } for pid=6989 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 43.464604] audit: type=1400 audit(1575066382.882:40): avc: denied { write } for pid=6989 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 43.489224] audit: type=1400 audit(1575066382.902:41): avc: denied { read } for pid=6989 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 43.981817]
[ 43.983457] =====================================
[ 43.988272] WARNING: bad unlock balance detected!
[ 43.993138] 4.14.156-syzkaller #0 Not tainted
[ 43.997616] -------------------------------------
[ 44.002433] syz-executor.0/7127 is trying to release lock (&file->mut) at:
[ 44.009965] [] ucma_destroy_id+0x20d/0x420
[ 44.015751] but there are no more locks to release!
[ 44.020752]
[ 44.020752] other info that might help us debug this:
[ 44.027392] 1 lock held by syz-executor.0/7127:
[ 44.032036] #0: (&file->mut){+.+.}, at: [] ucma_destroy_id+0x1aa/0x420
[ 44.040437]
[ 44.040437] stack backtrace:
[ 44.044908] CPU: 0 PID: 7127 Comm: syz-executor.0 Not tainted 4.14.156-syzkaller #0
[ 44.052676] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.062029] Call Trace:
[ 44.064596] dump_stack+0x142/0x197
[ 44.068200] ? ucma_destroy_id+0x20d/0x420
[ 44.072410] print_unlock_imbalance_bug.cold+0x114/0x123
[ 44.077835] ? ucma_destroy_id+0x20d/0x420
[ 44.082154] lock_release+0x616/0x940
[ 44.085932] ? ucma_destroy_id+0x1aa/0x420
[ 44.090142] ? lock_downgrade+0x740/0x740
[ 44.094268] ? __radix_tree_delete+0xe9/0x140
[ 44.098752] __mutex_unlock_slowpath+0x71/0x800
[ 44.103395] ? radix_tree_delete_item+0xe5/0x1a0
[ 44.108125] ? wait_for_completion+0x420/0x420
[ 44.112701] mutex_unlock+0xd/0x10
[ 44.116234] ucma_destroy_id+0x20d/0x420
[ 44.120272] ? ucma_close+0x310/0x310
[ 44.124067] ? _copy_from_user+0x99/0x110
[ 44.128190] ucma_write+0x231/0x310
[ 44.131796] ? ucma_close+0x310/0x310
[ 44.135570] ? ucma_open+0x290/0x290
[ 44.139261] __vfs_write+0x105/0x6b0
[ 44.142950] ? ucma_open+0x290/0x290
[ 44.146645] ? kernel_read+0x120/0x120
[ 44.150513] ? __inode_security_revalidate+0xd6/0x130
[ 44.155691] ? avc_policy_seqno+0x9/0x20
[ 44.159728] ? selinux_file_permission+0x85/0x480
[ 44.164548] ? security_file_permission+0x89/0x1f0
[ 44.169467] ? rw_verify_area+0xea/0x2b0
[ 44.173518] vfs_write+0x198/0x500
[ 44.177034] SyS_write+0xfd/0x230
[ 44.180463] ? SyS_read+0x230/0x230
[ 44.184064] ? do_syscall_64+0x53/0x640
[ 44.188014] ? SyS_read+0x230/0x230
[ 44.191633] do_syscall_64+0x1e8/0x640
[ 44.195498] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.200494] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.205850] RIP: 0033:0x45a679
[ 44.209022] RSP: 002b:00007f672fc38c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 44.216715] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 44.223971] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 44.231231] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 44.238498] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f672fc396d4
[ 44.245772] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 44.254695] ==================================================================
[ 44.262108] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x656/0x800
[ 44.272619] Read of size 8 at addr ffff88808835f040 by task syz-executor.0/7127
[ 44.280050]
[ 44.281671] CPU: 0 PID: 7127 Comm: syz-executor.0 Not tainted 4.14.156-syzkaller #0
[ 44.289455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.299213] Call Trace:
[ 44.301789] dump_stack+0x142/0x197
[ 44.305408] ? __mutex_unlock_slowpath+0x656/0x800
[ 44.310336] print_address_description.cold+0x7c/0x1dc
[ 44.315692] ? __mutex_unlock_slowpath+0x656/0x800
[ 44.320603] kasan_report.cold+0xa9/0x2af
[ 44.324734] __asan_report_load8_noabort+0x14/0x20
[ 44.329645] __mutex_unlock_slowpath+0x656/0x800
[ 44.334392] ? radix_tree_delete_item+0xe5/0x1a0
[ 44.339141] ? wait_for_completion+0x420/0x420
[ 44.343713] mutex_unlock+0xd/0x10
[ 44.350555] ucma_destroy_id+0x20d/0x420
[ 44.354599] ? ucma_close+0x310/0x310
[ 44.358389] ? _copy_from_user+0x99/0x110
[ 44.362567] ucma_write+0x231/0x310
[ 44.366181] ? ucma_close+0x310/0x310
[ 44.369959] ? ucma_open+0x290/0x290
[ 44.373656] __vfs_write+0x105/0x6b0
[ 44.377350] ? ucma_open+0x290/0x290
[ 44.381056] ? kernel_read+0x120/0x120
[ 44.384926] ? __inode_security_revalidate+0xd6/0x130
[ 44.390106] ? avc_policy_seqno+0x9/0x20
[ 44.394197] ? selinux_file_permission+0x85/0x480
[ 44.399037] ? security_file_permission+0x89/0x1f0
[ 44.404010] ? rw_verify_area+0xea/0x2b0
[ 44.408056] vfs_write+0x198/0x500
[ 44.411578] SyS_write+0xfd/0x230
[ 44.415061] ? SyS_read+0x230/0x230
[ 44.418670] ? do_syscall_64+0x53/0x640
[ 44.422701] ? SyS_read+0x230/0x230
[ 44.426314] do_syscall_64+0x1e8/0x640
[ 44.430198] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.435296] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.440465] RIP: 0033:0x45a679
[ 44.443633] RSP: 002b:00007f672fc38c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 44.451698] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 44.458950] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 44.466207] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 44.473489] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f672fc396d4
[ 44.481808] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 44.489136]
[ 44.490747] Allocated by task 7130:
[ 44.494401] save_stack_trace+0x16/0x20
[ 44.498354] save_stack+0x45/0xd0
[ 44.501793] kasan_kmalloc+0xce/0xf0
[ 44.505505] kmem_cache_alloc_trace+0x152/0x790
[ 44.510168] ucma_open+0x4f/0x290
[ 44.513617] misc_open+0x34f/0x480
[ 44.517142] chrdev_open+0x207/0x590
[ 44.520847] do_dentry_open+0x73b/0xeb0
[ 44.524825] vfs_open+0x105/0x220
[ 44.528634] path_openat+0x8bd/0x3f70
[ 44.532594] do_filp_open+0x18e/0x250
[ 44.536430] do_sys_open+0x2c5/0x430
[ 44.540126] SyS_openat+0x30/0x40
[ 44.543564] do_syscall_64+0x1e8/0x640
[ 44.547432] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.552601]
[ 44.554204] Freed by task 7122:
[ 44.557462] save_stack_trace+0x16/0x20
[ 44.561425] save_stack+0x45/0xd0
[ 44.564856] kasan_slab_free+0x75/0xc0
[ 44.568740] kfree+0xcc/0x270
[ 44.571933] ucma_close+0x280/0x310
[ 44.575648] __fput+0x275/0x7a0
[ 44.578911] ____fput+0x16/0x20
[ 44.582346] task_work_run+0x114/0x190
[ 44.586223] exit_to_usermode_loop+0x1da/0x220
[ 44.590791] do_syscall_64+0x4bc/0x640
[ 44.594878] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.600047]
[ 44.601661] The buggy address belongs to the object at ffff88808835f040
[ 44.601661] which belongs to the cache kmalloc-256 of size 256
[ 44.614405] The buggy address is located 0 bytes inside of
[ 44.614405] 256-byte region [ffff88808835f040, ffff88808835f140)
[ 44.626133] The buggy address belongs to the page:
[ 44.631222] page:ffffea000220d7c0 count:1 mapcount:0 mapping:ffff88808835f040 index:0xffff88808835fe00
[ 44.640646] flags: 0xfffe0000000100(slab)
[ 44.644790] raw: 00fffe0000000100 ffff88808835f040 ffff88808835fe00 0000000100000008
[ 44.652665] raw: ffffea00028fbfe0 ffffea000293db20 ffff8880aa8007c0 0000000000000000
[ 44.660525] page dumped because: kasan: bad access detected
[ 44.666320]
[ 44.667927] Memory state around the buggy address:
[ 44.672839] ffff88808835ef00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 44.680214] ffff88808835ef80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 44.687553] >ffff88808835f000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 44.695024] ^
[ 44.700453] ffff88808835f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.707788] ffff88808835f100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 44.715134] ==================================================================
[ 44.723070] Kernel panic - not syncing: panic_on_warn set ...
[ 44.723070]
[ 44.730445] CPU: 0 PID: 7127 Comm: syz-executor.0 Tainted: G B 4.14.156-syzkaller #0
[ 44.739458] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.748808] Call Trace:
[ 44.751395] dump_stack+0x142/0x197
[ 44.755010] ? __mutex_unlock_slowpath+0x656/0x800
[ 44.759917] panic+0x1f9/0x42d
[ 44.763086] ? add_taint.cold+0x16/0x16
[ 44.767039] ? ___preempt_schedule+0x16/0x18
[ 44.771879] kasan_end_report+0x47/0x4f
[ 44.775833] kasan_report.cold+0x130/0x2af
[ 44.780079] __asan_report_load8_noabort+0x14/0x20
[ 44.785080] __mutex_unlock_slowpath+0x656/0x800
[ 44.789812] ? radix_tree_delete_item+0xe5/0x1a0
[ 44.795360] ? wait_for_completion+0x420/0x420
[ 44.800028] mutex_unlock+0xd/0x10
[ 44.803563] ucma_destroy_id+0x20d/0x420
[ 44.807611] ? ucma_close+0x310/0x310
[ 44.811396] ? _copy_from_user+0x99/0x110
[ 44.815530] ucma_write+0x231/0x310
[ 44.819138] ? ucma_close+0x310/0x310
[ 44.822938] ? ucma_open+0x290/0x290
[ 44.826631] __vfs_write+0x105/0x6b0
[ 44.830341] ? ucma_open+0x290/0x290
[ 44.834033] ? kernel_read+0x120/0x120
[ 44.837899] ? __inode_security_revalidate+0xd6/0x130
[ 44.843090] ? avc_policy_seqno+0x9/0x20
[ 44.847128] ? selinux_file_permission+0x85/0x480
[ 44.851948] ? security_file_permission+0x89/0x1f0
[ 44.856853] ? rw_verify_area+0xea/0x2b0
[ 44.860892] vfs_write+0x198/0x500
[ 44.864410] SyS_write+0xfd/0x230
[ 44.867840] ? SyS_read+0x230/0x230
[ 44.871444] ? do_syscall_64+0x53/0x640
[ 44.875400] ? SyS_read+0x230/0x230
[ 44.879003] do_syscall_64+0x1e8/0x640
[ 44.882870] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.887694] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.892926] RIP: 0033:0x45a679
[ 44.896153] RSP: 002b:00007f672fc38c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 44.903841] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
[ 44.911206] RDX: 0000000000000018 RSI: 0000000020000140 RDI: 0000000000000003
[ 44.918482] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 44.925732] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f672fc396d4
[ 44.933040] R13: 00000000004d2b20 R14: 00000000004e3ba8 R15: 00000000ffffffff
[ 44.941656] Kernel Offset: disabled
[ 44.945296] Rebooting in 86400 seconds..