[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 11.097609] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.060484] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.167988] random: crng init done
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
2019/08/25 02:42:43 parsed 1 programs
2019/08/25 02:42:46 executed programs: 0
[ 28.560177] audit: type=1400 audit(1566700966.586:5): avc: denied { sys_admin } for pid=2067 comm="syz-executor.0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 28.589572] audit: type=1400 audit(1566700966.616:6): avc: denied { net_admin } for pid=2073 comm="syz-executor.1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 28.963420] audit: type=1400 audit(1566700966.996:7): avc: denied { sys_chroot } for pid=2078 comm="syz-executor.3" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 28.964780] audit: type=1400 audit(1566700966.996:8): avc: denied { associate } for pid=2075 comm="syz-executor.2" name="syz2" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/08/25 02:42:51 executed programs: 223
2019/08/25 02:42:56 executed programs: 471
[ 39.378987] ==================================================================
[ 39.386399] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 39.393237] Read of size 8 at addr ffff8801d2ee7c60 by task blkid/4225
[ 39.399892]
[ 39.401517] CPU: 1 PID: 4225 Comm: blkid Not tainted 4.9.141+ #23
[ 39.407779]  ffff8801cf2276f8 ffffffff81b42e79 ffffea00074bb800 ffff8801d2ee7c60
[ 39.416071]  0000000000000000 ffff8801d2ee7c60 0000000000000000 ffff8801cf227730
[ 39.424942]  ffffffff815009b8 ffff8801d2ee7c60 0000000000000008 0000000000000000
[ 39.433249] Call Trace:
[ 39.435835]  [] dump_stack+0xc1/0x128
[ 39.441209]  [] print_address_description+0x6c/0x234
[ 39.447876]  [] kasan_report.cold.6+0x242/0x2fe
[ 39.454105]  [] ? disk_unblock_events+0x51/0x60
[ 39.460344]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.467103]  [] disk_unblock_events+0x51/0x60
[ 39.473183]  [] __blkdev_get+0x6b6/0xd60
[ 39.478811]  [] ? __blkdev_put+0x840/0x840
[ 39.484613]  [] ? fsnotify+0x114/0x1100
[ 39.490153]  [] blkdev_get+0x2da/0x920
[ 39.495701]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 39.502462]  [] ? bd_may_claim+0xd0/0xd0
[ 39.508090]  [] ? bd_acquire+0x27/0x250
[ 39.513627]  [] ? bd_acquire+0x88/0x250
[ 39.519162]  [] ? _raw_spin_unlock+0x2c/0x50
[ 39.525147]  [] blkdev_open+0x1a5/0x250
[ 39.530698]  [] do_dentry_open+0x3ef/0xc90
[ 39.536507]  [] ? blkdev_get_by_dev+0x70/0x70
[ 39.542570]  [] vfs_open+0x11c/0x210
[ 39.547850]  [] ? may_open.isra.20+0x14f/0x2a0
[ 39.554229]  [] path_openat+0x542/0x2790
[ 39.559920]  [] ? path_mountpoint+0x6c0/0x6c0
[ 39.565987]  [] ? trace_hardirqs_on+0x10/0x10
[ 39.572050]  [] ? expand_files.part.3+0x3a9/0x6d0
[ 39.578462]  [] do_filp_open+0x197/0x270
[ 39.584103]  [] ? may_open_dev+0xe0/0xe0
[ 39.589738]  [] ? _raw_spin_unlock+0x2c/0x50
[ 39.595714]  [] ? __alloc_fd+0x1d7/0x4a0
[ 39.601426]  [] do_sys_open+0x30d/0x5c0
[ 39.606969]  [] ? filp_open+0x70/0x70
[ 39.612421]  [] ? up_read+0x1a/0x40
[ 39.617622]  [] SyS_open+0x2d/0x40
[ 39.622727]  [] ? do_sys_open+0x5c0/0x5c0
[ 39.628452]  [] do_syscall_64+0x19f/0x550
[ 39.634185]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.641174]
[ 39.642804] Allocated by task 4221:
[ 39.646438]  save_stack_trace+0x16/0x20
[ 39.650409]  kasan_kmalloc.part.1+0x62/0xf0
[ 39.654731]  kasan_kmalloc+0xaf/0xc0
[ 39.658448]  kmem_cache_alloc_trace+0x117/0x2e0
[ 39.663116]  alloc_disk_node+0x54/0x3a0
[ 39.667217]  alloc_disk+0x18/0x20
[ 39.670669]  loop_add+0x368/0x7a0
[ 39.674123]  loop_probe+0x14f/0x180
[ 39.677746]  kobj_lookup+0x223/0x410
[ 39.681593]  get_gendisk+0x39/0x2d0
[ 39.685394]  __blkdev_get+0x351/0xd60
[ 39.689197]  blkdev_get+0x488/0x920
[ 39.692824]  blkdev_open+0x1a5/0x250
[ 39.696536]  do_dentry_open+0x3ef/0xc90
[ 39.700503]  vfs_open+0x11c/0x210
[ 39.703955]  path_openat+0x542/0x2790
[ 39.707758]  do_filp_open+0x197/0x270
[ 39.711561]  do_sys_open+0x30d/0x5c0
[ 39.715275]  compat_SyS_open+0x2a/0x40
[ 39.723821]  do_fast_syscall_32+0x2f1/0xa10
[ 39.728134]  entry_SYSENTER_compat+0x90/0xa2
[ 39.732532]
[ 39.734152] Freed by task 4225:
[ 39.737432]  save_stack_trace+0x16/0x20
[ 39.741389]  kasan_slab_free+0xac/0x190
[ 39.745345]  kfree+0xfb/0x310
[ 39.748517]  disk_release+0x259/0x330
[ 39.752312]  device_release+0x7e/0x220
[ 39.756195]  kobject_put+0x148/0x250
[ 39.760060]  put_disk+0x23/0x30
[ 39.763315]  __blkdev_get+0x616/0xd60
[ 39.767137]  blkdev_get+0x2da/0x920
[ 39.771171]  blkdev_open+0x1a5/0x250
[ 39.774968]  do_dentry_open+0x3ef/0xc90
[ 39.778923]  vfs_open+0x11c/0x210
[ 39.782425]  path_openat+0x542/0x2790
[ 39.786209]  do_filp_open+0x197/0x270
[ 39.790006]  do_sys_open+0x30d/0x5c0
[ 39.793697]  SyS_open+0x2d/0x40
[ 39.796973]  do_syscall_64+0x19f/0x550
[ 39.800842]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 39.805930]
[ 39.807536] The buggy address belongs to the object at ffff8801d2ee7700
[ 39.807536]  which belongs to the cache kmalloc-2048 of size 2048
[ 39.821213] The buggy address is located 1376 bytes inside of
[ 39.821213]  2048-byte region [ffff8801d2ee7700, ffff8801d2ee7f00)
[ 39.833345] The buggy address belongs to the page:
[ 39.838256] page:ffffea00074bb800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 39.848447] flags: 0x4000000000004080(slab|head)
[ 39.853178] page dumped because: kasan: bad access detected
[ 39.858860]
[ 39.860466] Memory state around the buggy address:
[ 39.865387]  ffff8801d2ee7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.872738]  ffff8801d2ee7b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.880262] >ffff8801d2ee7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.888102]                                                        ^
[ 39.894582]  ffff8801d2ee7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.901932]  ffff8801d2ee7d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.909267] ==================================================================
[ 39.916606] Disabling lock debugging due to kernel taint
[ 39.961785] Kernel panic - not syncing: panic_on_warn set ...
[ 39.961785]
[ 39.969195] CPU: 1 PID: 4225 Comm: blkid Tainted: G    B 4.9.141+ #23
[ 39.976722]  ffff8801cf227658 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff
[ 39.984813]  0000000000000000 0000000000000001 0000000000000000 ffff8801cf227718
[ 39.992869]  ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
[ 40.001113] Call Trace:
[ 40.003821]  [] dump_stack+0xc1/0x128
[ 40.009181]  [] panic+0x1bf/0x39f
[ 40.014289]  [] ? add_taint.cold.5+0x16/0x16
[ 40.020248]  [] ? ___preempt_schedule+0x16/0x18
[ 40.026459]  [] kasan_end_report+0x47/0x4f
[ 40.032243]  [] kasan_report.cold.6+0x76/0x2fe
[ 40.038374]  [] ? disk_unblock_events+0x51/0x60
[ 40.044685]  [] __asan_report_load8_noabort+0x14/0x20
[ 40.051429]  [] disk_unblock_events+0x51/0x60
[ 40.057666]  [] __blkdev_get+0x6b6/0xd60
[ 40.063269]  [] ? __blkdev_put+0x840/0x840
[ 40.069053]  [] ? fsnotify+0x114/0x1100
[ 40.074575]  [] blkdev_get+0x2da/0x920
[ 40.080126]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 40.086861]  [] ? bd_may_claim+0xd0/0xd0
[ 40.092840]  [] ? bd_acquire+0x27/0x250
[ 40.098474]  [] ? bd_acquire+0x88/0x250
[ 40.103996]  [] ? _raw_spin_unlock+0x2c/0x50
[ 40.110049]  [] blkdev_open+0x1a5/0x250
[ 40.115570]  [] do_dentry_open+0x3ef/0xc90
[ 40.121464]  [] ? blkdev_get_by_dev+0x70/0x70
[ 40.127601]  [] vfs_open+0x11c/0x210
[ 40.132878]  [] ? may_open.isra.20+0x14f/0x2a0
[ 40.139010]  [] path_openat+0x542/0x2790
[ 40.144622]  [] ? path_mountpoint+0x6c0/0x6c0
[ 40.150662]  [] ? trace_hardirqs_on+0x10/0x10
[ 40.156716]  [] ? expand_files.part.3+0x3a9/0x6d0
[ 40.163133]  [] do_filp_open+0x197/0x270
[ 40.168740]  [] ? may_open_dev+0xe0/0xe0
[ 40.174350]  [] ? _raw_spin_unlock+0x2c/0x50
[ 40.180320]  [] ? __alloc_fd+0x1d7/0x4a0
[ 40.185935]  [] do_sys_open+0x30d/0x5c0
[ 40.191475]  [] ? filp_open+0x70/0x70
[ 40.196825]  [] ? up_read+0x1a/0x40
[ 40.201996]  [] SyS_open+0x2d/0x40
[ 40.207265]  [] ? do_sys_open+0x5c0/0x5c0
[ 40.212962]  [] do_syscall_64+0x19f/0x550
[ 40.218671]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 40.226081] Kernel Offset: disabled
[ 40.229689] Rebooting in 86400 seconds..
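The report above carries the facts a triager reads first: the faulting function, which task touched the freed memory, who allocated it (task 4221, via a 32-bit compat open that probed a loop device) and who freed it (task 4225, blkid, on an error path in __blkdev_get, the same task that then reads it). The following script is an added triage helper, not part of the syzkaller log or of any kernel tooling: it parses a 4.9-era KASAN report into the access, allocation and free stacks plus the cache/offset lines, and names the first frame in each stack that is not sanitizer or allocator plumbing. SAMPLE is an excerpt of the report on this page, embedded so the script runs offline; the noise-frame prefix list is an assumption chosen for this report format.

```python
"""Triage helper for a KASAN report (added example, not part of the log above)."""
import re

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")   # dmesg "[ 39.386399] " prefix
# "[] func+0x51/0x60" or "func+0x51/0x60"; a leading "? " marks an unreliable frame.
_FRAME = re.compile(r"^(?:\[[^\]]*\]\s*)?(\?\s*)?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
_BUG = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
_OFFSET = re.compile(r"located (\d+) bytes inside of")
_SECTION = {"Allocated by task": "alloc", "Freed by task": "free"}
# Assumed prefixes of frames that are KASAN/unwinder/allocator plumbing, not the bug.
_NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
          "save_stack_trace", "kmem_cache_alloc", "kmalloc", "__kmalloc", "kfree")

def parse_kasan(text):
    """Return a dict of report facts and a per-section list of frames."""
    r = {"stacks": {}}
    current = None
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        m = _BUG.search(line)
        if m:
            r["bug"], r["func"] = m.group(1), m.group(2)
            continue
        m = _ACCESS.search(line)
        if m:
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), m.group(3)
            r["task"], r["pid"] = m.group(4), int(m.group(5))
            continue
        if line == "Call Trace:":
            # The first trace is the faulting access; a later one is the panic path.
            current = "access" if "access" not in r["stacks"] else "panic"
            r["stacks"][current] = []
            continue
        hit = [k for k in _SECTION if line.startswith(k)]
        if hit:
            current = _SECTION[hit[0]]
            r[current + "_pid"] = int(line.split()[-1].rstrip(":"))
            r["stacks"][current] = []
            continue
        if line.startswith("The buggy address"):
            current = None                         # no more stacks after this
        m = _CACHE.search(line)
        if m:
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        m = _OFFSET.search(line)
        if m:
            r["offset"] = int(m.group(1))
        m = _FRAME.match(line)
        if m and current:
            r["stacks"][current].append(("? " if m.group(1) else "") + m.group(2))
    return r

def first_real_frame(stack):
    """First reliable frame (no '? ') that is not in the noise list."""
    for f in stack:
        if not f.startswith("? ") and not f.startswith(_NOISE):
            return f
    return ""

def summarize(text):
    r = parse_kasan(text)
    return {
        "bug": "%s in %s" % (r["bug"], r["func"]),
        "access": "%s of %d bytes by %s/%d" % (r["access"], r["size"], r["task"], r["pid"]),
        "use_site": first_real_frame(r["stacks"].get("access", [])),
        "alloc_site": first_real_frame(r["stacks"].get("alloc", [])),
        "free_site": first_real_frame(r["stacks"].get("free", [])),
        # Same pid freed and then used the object: suspect an error path in that
        # task's own call chain before looking for a cross-task race.
        "freed_by_accessing_task": r.get("free_pid") == r.get("pid"),
        "offset_in_object": "%d/%d (%s)" % (r["offset"], r["object_size"], r["cache"]),
    }

# Excerpt of the report on this page (timestamps and frames copied as printed).
SAMPLE = """\
[ 39.386399] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 39.393237] Read of size 8 at addr ffff8801d2ee7c60 by task blkid/4225
[ 39.407779] ffff8801cf2276f8 ffffffff81b42e79 ffffea00074bb800 ffff8801d2ee7c60
[ 39.433249] Call Trace:
[ 39.435835] [] dump_stack+0xc1/0x128
[ 39.447876] [] kasan_report.cold.6+0x242/0x2fe
[ 39.454105] [] ? disk_unblock_events+0x51/0x60
[ 39.460344] [] __asan_report_load8_noabort+0x14/0x20
[ 39.467103] [] disk_unblock_events+0x51/0x60
[ 39.473183] [] __blkdev_get+0x6b6/0xd60
[ 39.617622] [] SyS_open+0x2d/0x40
[ 39.642804] Allocated by task 4221:
[ 39.646438] save_stack_trace+0x16/0x20
[ 39.654731] kasan_kmalloc+0xaf/0xc0
[ 39.658448] kmem_cache_alloc_trace+0x117/0x2e0
[ 39.663116] alloc_disk_node+0x54/0x3a0
[ 39.670669] loop_add+0x368/0x7a0
[ 39.715275] compat_SyS_open+0x2a/0x40
[ 39.734152] Freed by task 4225:
[ 39.737432] save_stack_trace+0x16/0x20
[ 39.741389] kasan_slab_free+0xac/0x190
[ 39.745345] kfree+0xfb/0x310
[ 39.748517] disk_release+0x259/0x330
[ 39.767137] __blkdev_get+0x616/0xd60
[ 39.807536] The buggy address belongs to the object at ffff8801d2ee7700
[ 39.807536] which belongs to the cache kmalloc-2048 of size 2048
[ 39.821213] The buggy address is located 1376 bytes inside of
[ 39.821213] 2048-byte region [ffff8801d2ee7700, ffff8801d2ee7f00)
"""

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print("%-24s %s" % (k, v))
```

Run it on a full crash log by replacing SAMPLE with the file contents; the second "Call Trace:" (the panic path after panic_on_warn) is kept under "panic" so it does not overwrite the access stack. The "freed_by_accessing_task" flag is the first thing to check on a report like this one: here the free and the use are both in blkid's __blkdev_get, so the error path of that single open is the place to read before assuming a race with the syz-executor task that created the disk.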