[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 14.870972] random: sshd: uninitialized urandom read (32 bytes read) [ 15.021010] audit: type=1400 audit(1567755041.410:6): avc: denied { map } for pid=1755 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 15.064082] random: sshd: uninitialized urandom read (32 bytes read) [ 15.567696] random: sshd: uninitialized urandom read (32 bytes read) [ 18.235454] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.192' (ECDSA) to the list of known hosts. [ 23.730814] random: sshd: uninitialized urandom read (32 bytes read) 2019/09/06 07:30:50 parsed 1 programs [ 23.820744] audit: type=1400 audit(1567755050.210:7): avc: denied { map } for pid=1773 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 23.877380] audit: type=1400 audit(1567755050.260:8): avc: denied { map } for pid=1773 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 24.498193] random: cc1: uninitialized urandom read (8 bytes read) 2019/09/06 07:30:51 executed programs: 0 [ 25.585665] audit: type=1400 audit(1567755051.970:9): avc: denied { map } for pid=1773 comm="syz-execprog" path="/root/syzkaller-shm191157033" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 2019/09/06 07:30:56 executed programs: 113 [ 32.901556] ================================================================== [ 32.908947] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 [ 32.916292] Read of size 8 at addr ffff8881c366f860 by task syz-executor.5/3533 [ 32.923718] [ 32.925325] CPU: 0 PID: 3533 Comm: syz-executor.5 Not tainted 4.14.141+ #0 [ 32.932312] Call Trace: [ 32.934890] dump_stack+0xca/0x134 [ 32.938418] ? unwind_next_frame+0x169f/0x1810 [ 32.942976] ? unwind_next_frame+0x169f/0x1810 [ 32.947538] print_address_description+0x60/0x226 [ 32.952355] ? unwind_next_frame+0x169f/0x1810 [ 32.956922] ? unwind_next_frame+0x169f/0x1810 [ 32.961481] __kasan_report.cold+0x1a/0x41 [ 32.965693] ? unwind_next_frame+0x169f/0x1810 [ 32.970250] unwind_next_frame+0x169f/0x1810 [ 32.974634] ? retint_kernel+0x2d/0x2d [ 32.978499] ? perf_callchain_user+0x4a7/0xf80 [ 32.983055] ? deref_stack_reg+0xe0/0xe0 [ 32.987090] ? perf_callchain_user+0x2d1/0xf80 [ 32.991649] ? retint_kernel+0x2d/0x2d [ 32.995517] perf_callchain_kernel+0x3a0/0x540 [ 33.000075] ? perf_callchain_kernel+0x540/0x540 [ 33.004806] ? arch_perf_update_userpage+0x330/0x330 [ 33.009907] ? perf_callchain+0x147/0x190 [ 33.014041] ? futex_wait_setup+0x132/0x330 [ 33.018357] get_perf_callchain+0x2f5/0x770 [ 33.022662] ? put_callchain_buffers+0x60/0x60 [ 33.027223] ? perf_callchain+0x150/0x190 [ 33.031355] perf_callchain+0x147/0x190 [ 33.035311] perf_prepare_sample+0x6a8/0x1360 [ 33.039796] ? perf_output_sample+0x1700/0x1700 [ 33.044442] ? perf_prepare_sample+0x1360/0x1360 [ 33.049187] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 33.054886] perf_event_output_forward+0xdc/0x220 [ 33.059705] ? perf_prepare_sample+0x1360/0x1360 [ 33.064440] ? __perf_event_overflow+0x1cc/0x340 [ 33.069173] ? check_preemption_disabled+0x35/0x1f0 [ 33.074166] __perf_event_overflow+0x12d/0x340 [ 33.078747] perf_swevent_overflow+0x7a/0xf0 [ 33.083135] perf_swevent_event+0x112/0x270 [ 33.087433] perf_tp_event+0x633/0x7f0 [ 33.091308] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 33.097002] ? trace_hardirqs_on+0x10/0x10 [ 33.101216] ? __lock_acquire+0x5d7/0x4320 [ 33.105448] ? perf_trace_run_bpf_submit+0x113/0x170 [ 33.110528] ? check_preemption_disabled+0x35/0x1f0 [ 33.115529] perf_trace_run_bpf_submit+0x113/0x170 [ 33.120455] perf_trace_lock_acquire+0x341/0x4e0 [ 33.125198] ? HARDIRQ_verbose+0x10/0x10 [ 33.129235] ? retint_kernel+0x2d/0x2d [ 33.133111] ? get_futex_key+0x4c1/0xf90 [ 33.137152] lock_acquire+0x279/0x360 [ 33.141017] ? futex_wait_setup+0x132/0x330 [ 33.145314] _raw_spin_lock+0x2a/0x40 [ 33.149089] ? futex_wait_setup+0x132/0x330 [ 33.153387] futex_wait_setup+0x132/0x330 [ 33.157512] ? get_futex_key+0xf90/0xf90 [ 33.161550] futex_wait+0x1ad/0x570 [ 33.165157] ? futex_wait_setup+0x330/0x330 [ 33.169452] ? wake_up_q+0xea/0x150 [ 33.173078] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 33.178086] ? futex_wake+0x15b/0x440 [ 33.181890] do_futex+0x13f/0x1980 [ 33.185411] ? trace_hardirqs_on+0x10/0x10 [ 33.189624] ? perf_trace_lock_acquire+0x341/0x4e0 [ 33.194530] ? exit_robust_list+0x240/0x240 [ 33.198826] ? HARDIRQ_verbose+0x10/0x10 [ 33.202866] ? __might_fault+0x104/0x1b0 [ 33.206910] ? lock_downgrade+0x5d0/0x5d0 [ 33.211031] ? lock_acquire+0x12b/0x360 [ 33.214984] ? __might_fault+0xd4/0x1b0 [ 33.218937] ? __might_fault+0x177/0x1b0 [ 33.222984] ? _copy_to_user+0x82/0xd0 [ 33.226849] SyS_futex+0x1c5/0x2c3 [ 33.230367] ? do_futex+0x1980/0x1980 [ 33.234143] ? SyS_clock_gettime+0x7d/0xe0 [ 33.238361] ? do_clock_gettime+0xd0/0xd0 [ 33.242489] ? do_syscall_64+0x43/0x520 [ 33.246448] ? do_futex+0x1980/0x1980 [ 33.250224] do_syscall_64+0x19b/0x520 [ 33.254091] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 33.259258] RIP: 0033:0x459879 [ 33.262448] RSP: 002b:00007ff93211acf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 33.270143] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 0000000000459879 [ 33.277391] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 33.284645] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 33.291891] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 33.299223] R13: 00007ffdc10dfa5f R14: 00007ff93211b9c0 R15: 000000000075bf2c [ 33.306473] [ 33.308075] The buggy address belongs to the page: [ 33.312980] page:ffffea00070d9bc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 33.321096] flags: 0x4000000000000000() [ 33.325058] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 33.332914] raw: 0000000000000000 ffffea00070d9be0 0000000000000000 0000000000000000 [ 33.340769] page dumped because: kasan: bad access detected [ 33.346451] [ 33.348055] Memory state around the buggy address: [ 33.352957] ffff8881c366f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.360293] ffff8881c366f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.367629] >ffff8881c366f800: 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 [ 33.374962] ^ [ 33.381436] ffff8881c366f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.388771] ffff8881c366f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 33.396115] ================================================================== [ 33.403446] Disabling lock debugging due to kernel taint [ 33.408886] Kernel panic - not syncing: panic_on_warn set ... [ 33.408886] [ 33.416231] CPU: 0 PID: 3533 Comm: syz-executor.5 Tainted: G B 4.14.141+ #0 [ 33.424430] Call Trace: [ 33.427003] dump_stack+0xca/0x134 [ 33.430523] panic+0x1ea/0x3d3 [ 33.433690] ? add_taint.cold+0x16/0x16 [ 33.437654] ? lock_downgrade+0x5d0/0x5d0 [ 33.441780] ? unwind_next_frame+0x169f/0x1810 [ 33.446375] end_report+0x43/0x49 [ 33.449803] ? unwind_next_frame+0x169f/0x1810 [ 33.454359] __kasan_report.cold+0xd/0x41 [ 33.458480] ? unwind_next_frame+0x169f/0x1810 [ 33.463048] unwind_next_frame+0x169f/0x1810 [ 33.467432] ? retint_kernel+0x2d/0x2d [ 33.471299] ? perf_callchain_user+0x4a7/0xf80 [ 33.475855] ? deref_stack_reg+0xe0/0xe0 [ 33.479893] ? perf_callchain_user+0x2d1/0xf80 [ 33.484449] ? retint_kernel+0x2d/0x2d [ 33.488309] perf_callchain_kernel+0x3a0/0x540 [ 33.492868] ? perf_callchain_kernel+0x540/0x540 [ 33.497622] ? arch_perf_update_userpage+0x330/0x330 [ 33.502702] ? perf_callchain+0x147/0x190 [ 33.506836] ? futex_wait_setup+0x132/0x330 [ 33.511137] get_perf_callchain+0x2f5/0x770 [ 33.515437] ? put_callchain_buffers+0x60/0x60 [ 33.520007] ? perf_callchain+0x150/0x190 [ 33.524134] perf_callchain+0x147/0x190 [ 33.528084] perf_prepare_sample+0x6a8/0x1360 [ 33.532557] ? perf_output_sample+0x1700/0x1700 [ 33.537207] ? perf_prepare_sample+0x1360/0x1360 [ 33.541947] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 33.547634] perf_event_output_forward+0xdc/0x220 [ 33.552452] ? perf_prepare_sample+0x1360/0x1360 [ 33.557185] ? __perf_event_overflow+0x1cc/0x340 [ 33.561955] ? check_preemption_disabled+0x35/0x1f0 [ 33.566949] __perf_event_overflow+0x12d/0x340 [ 33.571507] perf_swevent_overflow+0x7a/0xf0 [ 33.575893] perf_swevent_event+0x112/0x270 [ 33.580190] perf_tp_event+0x633/0x7f0 [ 33.584053] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 33.589746] ? trace_hardirqs_on+0x10/0x10 [ 33.593969] ? __lock_acquire+0x5d7/0x4320 [ 33.598183] ? perf_trace_run_bpf_submit+0x113/0x170 [ 33.603259] ? check_preemption_disabled+0x35/0x1f0 [ 33.608254] perf_trace_run_bpf_submit+0x113/0x170 [ 33.613165] perf_trace_lock_acquire+0x341/0x4e0 [ 33.617899] ? HARDIRQ_verbose+0x10/0x10 [ 33.621942] ? retint_kernel+0x2d/0x2d [ 33.625807] ? get_futex_key+0x4c1/0xf90 [ 33.629844] lock_acquire+0x279/0x360 [ 33.633623] ? futex_wait_setup+0x132/0x330 [ 33.637932] _raw_spin_lock+0x2a/0x40 [ 33.641712] ? futex_wait_setup+0x132/0x330 [ 33.646006] futex_wait_setup+0x132/0x330 [ 33.650144] ? get_futex_key+0xf90/0xf90 [ 33.654184] futex_wait+0x1ad/0x570 [ 33.657787] ? futex_wait_setup+0x330/0x330 [ 33.662095] ? wake_up_q+0xea/0x150 [ 33.665697] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 33.670689] ? futex_wake+0x15b/0x440 [ 33.674470] do_futex+0x13f/0x1980 [ 33.677985] ? trace_hardirqs_on+0x10/0x10 [ 33.682197] ? perf_trace_lock_acquire+0x341/0x4e0 [ 33.687102] ? exit_robust_list+0x240/0x240 [ 33.691396] ? HARDIRQ_verbose+0x10/0x10 [ 33.695445] ? __might_fault+0x104/0x1b0 [ 33.699479] ? lock_downgrade+0x5d0/0x5d0 [ 33.703614] ? lock_acquire+0x12b/0x360 [ 33.707564] ? __might_fault+0xd4/0x1b0 [ 33.711515] ? __might_fault+0x177/0x1b0 [ 33.715559] ? _copy_to_user+0x82/0xd0 [ 33.719424] SyS_futex+0x1c5/0x2c3 [ 33.722941] ? do_futex+0x1980/0x1980 [ 33.726717] ? SyS_clock_gettime+0x7d/0xe0 [ 33.730926] ? do_clock_gettime+0xd0/0xd0 [ 33.735049] ? do_syscall_64+0x43/0x520 [ 33.738999] ? do_futex+0x1980/0x1980 [ 33.742775] do_syscall_64+0x19b/0x520 [ 33.746641] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 33.751807] RIP: 0033:0x459879 [ 33.754973] RSP: 002b:00007ff93211acf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 33.762657] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 0000000000459879 [ 33.769903] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 33.777148] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 33.784396] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 33.791651] R13: 00007ffdc10dfa5f R14: 00007ff93211b9c0 R15: 000000000075bf2c [ 33.799672] Kernel Offset: 0x21400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 33.810570] Rebooting in 86400 seconds..