[ 33.007744] audit: type=1800 audit(1575093002.889:33): pid=6894 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.035015] audit: type=1800 audit(1575093002.889:34): pid=6894 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.915579] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.365463] audit: type=1400 audit(1575093007.249:35): avc: denied { map } for pid=7068 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.474070] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.077995] random: sshd: uninitialized urandom read (32 bytes read)
[ 65.830153] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.220' (ECDSA) to the list of known hosts.
[ 71.393447] random: sshd: uninitialized urandom read (32 bytes read)
[ 71.518658] audit: type=1400 audit(1575093041.399:36): avc: denied { map } for pid=7080 comm="syz-executor236" path="/root/syz-executor236820079" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 71.781026] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 72.516472] audit: type=1400 audit(1575093042.399:37): avc: denied { create } for pid=7087 comm="syz-executor236" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 72.541968] audit: type=1400 audit(1575093042.399:38): avc: denied { write } for pid=7087 comm="syz-executor236" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 72.565999] audit: type=1400 audit(1575093042.399:39): avc: denied { read } for pid=7087 comm="syz-executor236" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 72.590593] input: s as /devices/virtual/input/input5
[ 72.622838] input: s as /devices/virtual/input/input6
executing program
[ 72.776103] input: s as /devices/virtual/input/input7
[ 72.801039] IPVS: ftp: loaded support on port[0] = 21
[ 72.811249] input: s as /devices/virtual/input/input8
executing program
[ 72.964820] input: s as /devices/virtual/input/input9
[ 73.012379] input: s as /devices/virtual/input/input10
executing program
[ 73.175448] input: s as /devices/virtual/input/input11
[ 73.212421] input: s as /devices/virtual/input/input12
executing program
[ 73.403937] input: s as /devices/virtual/input/input13
[ 73.442366] input: s as /devices/virtual/input/input14
executing program
[ 73.532708] input: s as /devices/virtual/input/input15
executing program
[ 73.621356] input: s as /devices/virtual/input/input16
[ 73.669031] input: s as /devices/virtual/input/input17
[ 73.714901] input: s as /devices/virtual/input/input18
executing program
[ 73.742397] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 73.775634] input: s as /devices/virtual/input/input19
[ 73.816982] input: s as /devices/virtual/input/input20
[ 73.857998] input: s as /devices/virtual/input/input21
executing program
[ 73.897580] input: s as /devices/virtual/input/input22
executing program
[ 73.940628] input: s as /devices/virtual/input/input23
executing program
[ 73.988653] input: s as /devices/virtual/input/input24
[ 74.036785] input: s as /devices/virtual/input/input26
[ 74.053574] input: s as /devices/virtual/input/input27
executing program
[ 74.090433] input: s as /devices/virtual/input/input28
executing program
[ 74.127553] input: s as /devices/virtual/input/input29
[ 74.156982] input: s as /devices/virtual/input/input30
[ 74.172724] input: s as /devices/virtual/input/input31
[ 74.223361] input: s as /devices/virtual/input/input32
executing program
executing program
[ 74.321702] input: s as /devices/virtual/input/input33
[ 74.341105] input: s as /devices/virtual/input/input34
executing program
[ 74.407300] input: s as /devices/virtual/input/input35
[ 74.431289] input: s as /devices/virtual/input/input36
[ 74.474825] input: s as /devices/virtual/input/input37
[ 74.511164] IPVS: ftp: loaded support on port[0] = 21
[ 74.531680] input: s as /devices/virtual/input/input38
executing program
executing program
executing program
[ 74.624166] input: s as /devices/virtual/input/input39
[ 74.696166] input: s as /devices/virtual/input/input41
[ 74.701624] input: s as /devices/virtual/input/input40
[ 74.723192] input: s as /devices/virtual/input/input42
executing program
[ 74.761891] input: s as /devices/virtual/input/input43
[ 74.813020] input: s as /devices/virtual/input/input44
[ 74.831242] input: s as /devices/virtual/input/input45
executing program
[ 74.901248] input: s as /devices/virtual/input/input46
[ 74.956044] input: s as /devices/virtual/input/input47
executing program
[ 75.041966] input: s as /devices/virtual/input/input48
[ 75.048498] input: s as /devices/virtual/input/input49
executing program
executing program
[ 75.131033] input: s as /devices/virtual/input/input50
[ 75.143445] input: s as /devices/virtual/input/input52
[ 75.160135] input: s as /devices/virtual/input/input51
executing program
[ 75.193244] input: s as /devices/virtual/input/input53
executing program
[ 75.233918] input: s as /devices/virtual/input/input54
executing program
executing program
[ 75.267465] input: s as /devices/virtual/input/input56
[ 75.297139] input: s as /devices/virtual/input/input57
[ 75.341368] IPVS: ftp: loaded support on port[0] = 21
[ 75.350849] input: s as /devices/virtual/input/input58
[ 75.356969] input: s as /devices/virtual/input/input59
[ 75.374894] input: s as /devices/virtual/input/input60
executing program
[ 75.413190] input: s as /devices/virtual/input/input61
executing program
executing program
[ 75.473975] input: s as /devices/virtual/input/input63
executing program
[ 75.523099] input: s as /devices/virtual/input/input64
[ 75.531274] input: s as /devices/virtual/input/input65
[ 75.541466] input: s as /devices/virtual/input/input66
executing program
[ 75.576140] input: s as /devices/virtual/input/input67
[ 75.644189] input: s as /devices/virtual/input/input68
[ 75.649958] input: s as /devices/virtual/input/input69
executing program
executing program
[ 75.715271] input: s as /devices/virtual/input/input71
[ 75.734824] input: s as /devices/virtual/input/input72
[ 75.809332] input: s as /devices/virtual/input/input73
[ 75.816276] input: s as /devices/virtual/input/input74
executing program
[ 75.853088] input: s as /devices/virtual/input/input75
executing program
executing program
[ 75.901446] input: s as /devices/virtual/input/input76
[ 75.925319] input: s as /devices/virtual/input/input77
executing program
[ 75.969826] input: s as /devices/virtual/input/input78
[ 75.983964] input: s as /devices/virtual/input/input79
executing program
[ 76.041238] input: s as /devices/virtual/input/input80
[ 76.053344] input: s as /devices/virtual/input/input81
[ 76.061684] input: s as /devices/virtual/input/input82
[ 76.102991] input: s as /devices/virtual/input/input83
[ 76.130954] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 76.215166] input: s as /devices/virtual/input/input85
[ 76.230742] input: s as /devices/virtual/input/input86
executing program
[ 76.266625] input: s as /devices/virtual/input/input87
executing program
[ 76.318025] input: s as /devices/virtual/input/input89
executing program
[ 76.363494] input: s as /devices/virtual/input/input90
[ 76.394245] input: s as /devices/virtual/input/input91
[ 76.418554] input: s as /devices/virtual/input/input92
executing program
[ 76.504286] input: s as /devices/virtual/input/input94
executing program
[ 76.553152] input: s as /devices/virtual/input/input96
executing program
executing program
[ 76.609197] input: s as /devices/virtual/input/input97
[ 76.617187] input: s as /devices/virtual/input/input98
[ 76.654523] input: s as /devices/virtual/input/input99
[ 76.673006] input: s as /devices/virtual/input/input101
[ 76.688231] input: s as /devices/virtual/input/input100
executing program
executing program
[ 76.716150] input: s as /devices/virtual/input/input102
executing program
[ 76.775255] input: s as /devices/virtual/input/input103
[ 76.792476] input: s as /devices/virtual/input/input105
[ 76.800494] input: s as /devices/virtual/input/input104
[ 76.861838] input: s as /devices/virtual/input/input106
executing program
[ 76.903333] input: s as /devices/virtual/input/input107
[ 76.913499] input: s as /devices/virtual/input/input108
[ 76.974521] input: s as /devices/virtual/input/input109
executing program
[ 77.017370] input: s as /devices/virtual/input/input110
[ 77.039155] input: s as /devices/virtual/input/input111
[ 77.053290] input: s as /devices/virtual/input/input112
executing program
[ 77.103358] input: s as /devices/virtual/input/input113
executing program
executing program
[ 77.191722] input: s as /devices/virtual/input/input114
[ 77.220742] input: s as /devices/virtual/input/input115
executing program
[ 77.267101] input: s as /devices/virtual/input/input116
executing program
[ 77.307643] input: s as /devices/virtual/input/input117
[ 77.357662] input: s as /devices/virtual/input/input118
[ 77.375701] input: s as /devices/virtual/input/input119
[ 77.393153] input: s as /devices/virtual/input/input120
[ 77.408842] input: s as /devices/virtual/input/input121
executing program
[ 77.501489] input: s as /devices/virtual/input/input122
[ 77.526064] input: s as /devices/virtual/input/input123
executing program
[ 77.566989] input: s as /devices/virtual/input/input124
executing program
[ 77.618413] input: s as /devices/virtual/input/input125
[ 77.657709] input: s as /devices/virtual/input/input126
executing program
[ 77.674307] input: s as /devices/virtual/input/input127
executing program
[ 77.724022] input: s as /devices/virtual/input/input128
[ 77.784648] input: s as /devices/virtual/input/input129
[ 77.799497] input: s as /devices/virtual/input/input130
executing program
executing program
executing program
executing program
[ 77.911472] input: s as /devices/virtual/input/input133
[ 77.921700] input: s as /devices/virtual/input/input134
[ 77.928081] input: s as /devices/virtual/input/input135
[ 77.938085] input: s as /devices/virtual/input/input136
[ 77.977410] input: s as /devices/virtual/input/input137
[ 78.013429] input: s as /devices/virtual/input/input138
executing program
[ 78.116419] input: s as /devices/virtual/input/input140
executing program
executing program
[ 78.161438] input: s as /devices/virtual/input/input142
executing program
executing program
[ 78.229628] input: s as /devices/virtual/input/input144
[ 78.251536] input: s as /devices/virtual/input/input145
executing program
[ 78.281130] input: s as /devices/virtual/input/input146
[ 78.306899] input: s as /devices/virtual/input/input147
[ 78.328691] input: s as /devices/virtual/input/input148
[ 78.374009] input: s as /devices/virtual/input/input149
[ 78.392017] input: s as /devices/virtual/input/input150
executing program
[ 78.468498] input: s as /devices/virtual/input/input152
[ 78.514739] input: s as /devices/virtual/input/input154
[ 78.531321] input: s as /devices/virtual/input/input153
executing program
[ 78.569050] input: s as /devices/virtual/input/input155
[ 78.591683] input: s as /devices/virtual/input/input156
executing program
[ 78.646655] input: s as /devices/virtual/input/input157
executing program
executing program
[ 78.698040] input: s as /devices/virtual/input/input158
[ 78.737150] input: s as /devices/virtual/input/input159
executing program
executing program
[ 78.744211] input: s as /devices/virtual/input/input160
[ 78.781677] input: s as /devices/virtual/input/input161
[ 78.805005] input: s as /devices/virtual/input/input162
[ 78.818264] input: s as /devices/virtual/input/input163
[ 78.837391] input: s as /devices/virtual/input/input164
executing program
executing program
[ 78.914167] input: s as /devices/virtual/input/input167
[ 78.937815] input: s as /devices/virtual/input/input168
[ 78.950350] ==================================================================
[ 78.958003] BUG: KASAN: use-after-free in cdev_put.part.0+0x4c/0x50
[ 78.964599] Read of size 8 at addr ffff888088e890e8 by task syz-executor236/7670
[ 78.972113]
[ 78.973784] CPU: 1 PID: 7670 Comm: syz-executor236 Not tainted 4.14.156-syzkaller #0
[ 78.981646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.990998] Call Trace:
[ 78.993600] dump_stack+0x142/0x197
[ 78.997211] ? cdev_put.part.0+0x4c/0x50
[ 79.001251] print_address_description.cold+0x7c/0x1dc
[ 79.006513] ? cdev_put.part.0+0x4c/0x50
[ 79.010553] kasan_report.cold+0xa9/0x2af
[ 79.014773] ? evdev_ioctl+0x30/0x30
[ 79.018464] __asan_report_load8_noabort+0x14/0x20
[ 79.023373] cdev_put.part.0+0x4c/0x50
[ 79.027249] chrdev_open+0x266/0x590
[ 79.030945] ? cdev_put.part.0+0x50/0x50
[ 79.034986] ? security_file_open+0x89/0x190
[ 79.039383] do_dentry_open+0x73b/0xeb0
[ 79.043343] ? cdev_put.part.0+0x50/0x50
[ 79.047386] vfs_open+0x105/0x220
[ 79.050840] path_openat+0x8bd/0x3f70
[ 79.054622] ? trace_hardirqs_on+0x10/0x10
[ 79.058839] ? path_lookupat.isra.0+0x7b0/0x7b0
[ 79.063486] ? find_held_lock+0x35/0x130
[ 79.067531] ? __alloc_fd+0x1d4/0x4a0
[ 79.071315] do_filp_open+0x18e/0x250
[ 79.075111] ? may_open_dev+0xe0/0xe0
[ 79.078897] ? do_raw_spin_unlock+0x16b/0x260
[ 79.083376] ? _raw_spin_unlock+0x2d/0x50
[ 79.087513] ? __alloc_fd+0x1d4/0x4a0
[ 79.091316] do_sys_open+0x2c5/0x430
[ 79.095083] ? filp_open+0x70/0x70
[ 79.098613] ? do_futex+0x19e0/0x19e0
[ 79.102404] SyS_open+0x2d/0x40
[ 79.105666] ? do_sys_open+0x430/0x430
[ 79.109538] do_syscall_64+0x1e8/0x640
[ 79.113406] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 79.118341] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 79.123516] RIP: 0033:0x406be1
[ 79.126689] RSP: 002b:00007f96010088b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
[ 79.134380] RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000406be1
[ 79.141646] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f96010088d0
[ 79.148897] RBP: 00000000006ddc20 R08: 000000000000000f R09: 0000000000000000
[ 79.156149] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000006ddc2c
[ 79.163402] R13: 00007ffe4c4d029f R14: 00007f96010099c0 R15: 0000000000000000
[ 79.170667]
[ 79.172279] Allocated by task 7670:
[ 79.175890] save_stack_trace+0x16/0x20
[ 79.179930] save_stack+0x45/0xd0
[ 79.183477] kasan_kmalloc+0xce/0xf0
[ 79.187170] kmem_cache_alloc_trace+0x152/0x790
[ 79.191819] evdev_connect+0x76/0x4a0
[ 79.195601] input_attach_handler+0x154/0x1a0
[ 79.200079] input_register_device.cold+0xbf/0x202
[ 79.204993] uinput_ioctl_handler.isra.0+0xdc8/0x18a0
[ 79.210166] uinput_ioctl+0x4a/0x60
[ 79.213778] do_vfs_ioctl+0x7ae/0x1060
[ 79.217646] SyS_ioctl+0x8f/0xc0
[ 79.220992] do_syscall_64+0x1e8/0x640
[ 79.224861] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 79.230029]
[ 79.231640] Freed by task 7686:
[ 79.234900] save_stack_trace+0x16/0x20
[ 79.238852] save_stack+0x45/0xd0
[ 79.242298] kasan_slab_free+0x75/0xc0
[ 79.246257] kfree+0xcc/0x270
[ 79.249342] evdev_free+0x5e/0x70
[ 79.252779] device_release+0x7b/0x1a0
[ 79.256645] kobject_put.cold+0x269/0x2f9
[ 79.260773] cdev_default_release+0x41/0x50
[ 79.265074] kobject_put.cold+0x269/0x2f9
[ 79.269198] cdev_put.part.0+0x39/0x50
[ 79.273063] chrdev_open+0x266/0x590
[ 79.276757] do_dentry_open+0x73b/0xeb0
[ 79.280711] vfs_open+0x105/0x220
[ 79.284142] path_openat+0x8bd/0x3f70
[ 79.287920] do_filp_open+0x18e/0x250
[ 79.291701] do_sys_open+0x2c5/0x430
[ 79.295425] SyS_open+0x2d/0x40
[ 79.298692] do_syscall_64+0x1e8/0x640
[ 79.302590] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 79.307769]
[ 79.309442] The buggy address belongs to the object at ffff888088e88b00
[ 79.309442] which belongs to the cache kmalloc-2048 of size 2048
[ 79.322276] The buggy address is located 1512 bytes inside of
[ 79.322276] 2048-byte region [ffff888088e88b00, ffff888088e89300)
[ 79.334438] The buggy address belongs to the page:
[ 79.339466] page:ffffea000223a200 count:1 mapcount:0 mapping:ffff888088e88280 index:0x0 compound_mapcount: 0
[ 79.349430] flags: 0xfffe0000008100(slab|head)
[ 79.353996] raw: 00fffe0000008100 ffff888088e88280 0000000000000000 0000000100000003
[ 79.361864] raw: ffffea00023a4820 ffffea0002233a20 ffff8880aa800c40 0000000000000000
[ 79.369728] page dumped because: kasan: bad access detected
[ 79.375421]
[ 79.377058] Memory state around the buggy address:
[ 79.381995] ffff888088e88f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.389335] ffff888088e89000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.396675] >ffff888088e89080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.404016] ^
[ 79.410845] ffff888088e89100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.418195] ffff888088e89180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.425545] ==================================================================
[ 79.432913] Disabling lock debugging due to kernel taint
[ 79.442065] Kernel panic - not syncing: panic_on_warn set ...
[ 79.442065]
[ 79.443845] kobject: 'event5' (ffff88807191f878): kobject_cleanup, parent (null)
[ 79.449457] CPU: 1 PID: 7670 Comm: syz-executor236 Tainted: G B 4.14.156-syzkaller #0
[ 79.458172] kobject: 'input169' (ffff8880a9aa0760): fill_kobj_path: path = '/devices/virtual/input/input169'
[ 79.466915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.466918] Call Trace:
[ 79.466931] dump_stack+0x142/0x197
[ 79.466941] ? cdev_put.part.0+0x4c/0x50
[ 79.466947] panic+0x1f9/0x42d
[ 79.466953] ? add_taint.cold+0x16/0x16
[ 79.466961] ? ___preempt_schedule+0x16/0x18
[ 79.466972] kasan_end_report+0x47/0x4f
[ 79.477223] kobject: 'event5' (ffff88807191f878): calling ktype release
[ 79.486274] kasan_report.cold+0x130/0x2af
[ 79.486283] ? evdev_ioctl+0x30/0x30
[ 79.486289] __asan_report_load8_noabort+0x14/0x20
[ 79.486296] cdev_put.part.0+0x4c/0x50
[ 79.486302] chrdev_open+0x266/0x590
[ 79.486308] ? cdev_put.part.0+0x50/0x50
[ 79.486317] ? security_file_open+0x89/0x190
[ 79.488979] kobject: 'event5': free name
[ 79.492513] do_dentry_open+0x73b/0xeb0
[ 79.492522] ? cdev_put.part.0+0x50/0x50
[ 79.492530] vfs_open+0x105/0x220
[ 79.492539] path_openat+0x8bd/0x3f70
[ 79.492549] ? trace_hardirqs_on+0x10/0x10
[ 79.492564] ? path_lookupat.isra.0+0x7b0/0x7b0
[ 79.496670] input: s as /devices/virtual/input/input169
[ 79.499775] ? find_held_lock+0x35/0x130
[ 79.499785] ? __alloc_fd+0x1d4/0x4a0
[ 79.499793] do_filp_open+0x18e/0x250
[ 79.499800] ? may_open_dev+0xe0/0xe0
[ 79.503991] kobject: 'event4' (ffff88808e9214b8): kobject_uevent_env
[ 79.508140] ? do_raw_spin_unlock+0x16b/0x260
[ 79.508150] ? _raw_spin_unlock+0x2d/0x50
[ 79.508158] ? __alloc_fd+0x1d4/0x4a0
[ 79.512301] kobject: 'input162' (ffff88807191f160): kobject_uevent_env
[ 79.518851] do_sys_open+0x2c5/0x430
[ 79.518860] ? filp_open+0x70/0x70
[ 79.518868] ? do_futex+0x19e0/0x19e0
[ 79.518877] SyS_open+0x2d/0x40
[ 79.523358] kobject: 'event4' (ffff88808e9214b8): fill_kobj_path: path = '/devices/virtual/input/input163/event4'
[ 79.526925] ? do_sys_open+0x430/0x430
[ 79.526937] do_syscall_64+0x1e8/0x640
[ 79.526944] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 79.526957] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 79.533358] kobject: 'input162' (ffff88807191f160): fill_kobj_path: path = '/devices/virtual/input/input162'
[ 79.535760] RIP: 0033:0x406be1
[ 79.535765] RSP: 002b:00007f96010088b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
[ 79.535773] RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000406be1
[ 79.535777] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f96010088d0
[ 79.535780] RBP: 00000000006ddc20 R08: 000000000000000f R09: 0000000000000000
[ 79.535786] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000006ddc2c
[ 79.540655] kobject: 'input162' (ffff88807191f160): kobject_cleanup, parent (null)
[ 79.543540] R13: 00007ffe4c4d029f R14: 00007f96010099c0 R15: 0000000000000000
[ 79.549577] Kernel Offset: disabled
[ 79.735967] Rebooting in 86400 seconds..