Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.272424] random: sshd: uninitialized urandom read (32 bytes read)
[ 10.346344] random: crng init done

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.211' (ECDSA) to the list of known hosts.
2019/11/08 19:02:05 parsed 1 programs
2019/11/08 19:02:07 executed programs: 0

syzkaller login: [ 22.364848] audit: type=1400 audit(1573239727.172:5): avc: denied { sys_admin } for pid=2064 comm="syz-executor.1" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 22.393349] audit: type=1400 audit(1573239727.202:6): avc: denied { net_admin } for pid=2066 comm="syz-executor.4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 22.736348] audit: type=1400 audit(1573239727.552:7): avc: denied { sys_chroot } for pid=2068 comm="syz-executor.1" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
[ 22.763242] audit: type=1400 audit(1573239727.582:8): avc: denied { associate } for pid=2067 comm="syz-executor.2" name="syz2" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/11/08 19:02:12 executed programs: 142
2019/11/08 19:02:17 executed programs: 285
2019/11/08 19:02:22 executed programs: 431
[ 40.567598] ==================================================================
[ 40.575019] BUG: KASAN: use-after-free in disk_unblock_events+0x51/0x60
[ 40.581762] Read of size 8 at addr ffff8801c9881ee0 by task blkid/3669
[ 40.588411]
[ 40.590019] CPU: 0 PID: 3669 Comm: blkid Not tainted 4.9.141+ #23
[ 40.596232]  ffff8801c8c4f6f8 ffffffff81b42e79 ffffea0007262000 ffff8801c9881ee0
[ 40.604294]  0000000000000000 ffff8801c9881ee0 0000000000000000 ffff8801c8c4f730
[ 40.612353]  ffffffff815009b8 ffff8801c9881ee0 0000000000000008 0000000000000000
[ 40.620408] Call Trace:
[ 40.622993]  [] dump_stack+0xc1/0x128
[ 40.628354]  [] print_address_description+0x6c/0x234
[ 40.635017]  [] kasan_report.cold.6+0x242/0x2fe
[ 40.641247]  [] ? disk_unblock_events+0x51/0x60
[ 40.647476]  [] __asan_report_load8_noabort+0x14/0x20
[ 40.654233]  [] disk_unblock_events+0x51/0x60
[ 40.660290]  [] __blkdev_get+0x6b6/0xd60
[ 40.665909]  [] ? __blkdev_put+0x840/0x840
[ 40.671709]  [] ? fsnotify+0x114/0x1100
[ 40.677242]  [] blkdev_get+0x2da/0x920
[ 40.682681]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 40.689415]  [] ? bd_may_claim+0xd0/0xd0
[ 40.695013]  [] ? bd_acquire+0x27/0x250
[ 40.700525]  [] ? bd_acquire+0x88/0x250
[ 40.706039]  [] ? _raw_spin_unlock+0x2c/0x50
[ 40.711987]  [] blkdev_open+0x1a5/0x250
[ 40.717504]  [] do_dentry_open+0x3ef/0xc90
[ 40.723276]  [] ? blkdev_get_by_dev+0x70/0x70
[ 40.729312]  [] vfs_open+0x11c/0x210
[ 40.734566]  [] ? may_open.isra.20+0x14f/0x2a0
[ 40.740701]  [] path_openat+0x542/0x2790
[ 40.746297]  [] ? path_mountpoint+0x6c0/0x6c0
[ 40.752328]  [] ? trace_hardirqs_on+0x10/0x10
[ 40.758362]  [] ? expand_files.part.3+0x3a9/0x6d0
[ 40.764750]  [] do_filp_open+0x197/0x270
[ 40.770345]  [] ? may_open_dev+0xe0/0xe0
[ 40.775945]  [] ? _raw_spin_unlock+0x2c/0x50
[ 40.781986]  [] ? __alloc_fd+0x1d7/0x4a0
[ 40.787586]  [] do_sys_open+0x30d/0x5c0
[ 40.793098]  [] ? filp_open+0x70/0x70
[ 40.798445]  [] ? up_read+0x1a/0x40
[ 40.803615]  [] SyS_open+0x2d/0x40
[ 40.808733]  [] ? do_sys_open+0x5c0/0x5c0
[ 40.814419]  [] do_syscall_64+0x19f/0x550
[ 40.820109]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 40.827006]
[ 40.828611] Allocated by task 3651:
[ 40.832220]  save_stack_trace+0x16/0x20
[ 40.836171]  kasan_kmalloc.part.1+0x62/0xf0
[ 40.840469]  kasan_kmalloc+0xaf/0xc0
[ 40.844158]  kmem_cache_alloc_trace+0x117/0x2e0
[ 40.848812]  alloc_disk_node+0x54/0x3a0
[ 40.852762]  alloc_disk+0x18/0x20
[ 40.856192]  loop_add+0x368/0x7a0
[ 40.859623]  loop_control_ioctl+0x136/0x300
[ 40.863921]  compat_SyS_ioctl+0x12d/0x1fd0
[ 40.868131]  do_fast_syscall_32+0x2f1/0xa10
[ 40.872435]  entry_SYSENTER_compat+0x90/0xa2
[ 40.876814]
[ 40.878416] Freed by task 3669:
[ 40.881677]  save_stack_trace+0x16/0x20
[ 40.885633]  kasan_slab_free+0xac/0x190
[ 40.889579]  kfree+0xfb/0x310
[ 40.892659]  disk_release+0x259/0x330
[ 40.896434]  device_release+0x7e/0x220
[ 40.900306]  kobject_put+0x148/0x250
[ 40.903991]  put_disk+0x23/0x30
[ 40.907242]  __blkdev_get+0x616/0xd60
[ 40.911013]  blkdev_get+0x2da/0x920
[ 40.914620]  blkdev_open+0x1a5/0x250
[ 40.918305]  do_dentry_open+0x3ef/0xc90
[ 40.922255]  vfs_open+0x11c/0x210
[ 40.925693]  path_openat+0x542/0x2790
[ 40.929464]  do_filp_open+0x197/0x270
[ 40.933253]  do_sys_open+0x30d/0x5c0
[ 40.936944]  SyS_open+0x2d/0x40
[ 40.940199]  do_syscall_64+0x19f/0x550
[ 40.944069]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 40.949141]
[ 40.950745] The buggy address belongs to the object at ffff8801c9881980
[ 40.950745]  which belongs to the cache kmalloc-2048 of size 2048
[ 40.963555] The buggy address is located 1376 bytes inside of
[ 40.963555]  2048-byte region [ffff8801c9881980, ffff8801c9882180)
[ 40.975611] The buggy address belongs to the page:
[ 40.980518] page:ffffea0007262000 count:1 mapcount:0 mapping: (null) index:0xffff8801c9883300 compound_mapcount: 0
[ 40.992006] flags: 0x4000000000004080(slab|head)
[ 40.996741] page dumped because: kasan: bad access detected
[ 41.002423]
[ 41.004024] Memory state around the buggy address:
[ 41.008929]  ffff8801c9881d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.016264]  ffff8801c9881e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.023597] >ffff8801c9881e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.030927]                                                        ^
[ 41.037391]  ffff8801c9881f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.044758]  ffff8801c9881f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.052088] ==================================================================
[ 41.059419] Disabling lock debugging due to kernel taint
[ 41.066112] Kernel panic - not syncing: panic_on_warn set ...
[ 41.066112]
[ 41.073484] CPU: 0 PID: 3669 Comm: blkid Tainted: G B 4.9.141+ #23
[ 41.080919]  ffff8801c8c4f658 ffffffff81b42e79 ffffffff82e37630 00000000ffffffff
[ 41.088993]  0000000000000000 0000000000000000 0000000000000000 ffff8801c8c4f718
[ 41.097068]  ffffffff813f7125 0000000041b58ab3 ffffffff82e2b62b ffffffff813f6f66
[ 41.105121] Call Trace:
[ 41.107707]  [] dump_stack+0xc1/0x128
[ 41.113064]  [] panic+0x1bf/0x39f
[ 41.118078]  [] ? add_taint.cold.5+0x16/0x16
[ 41.124043]  [] ? ___preempt_schedule+0x16/0x18
[ 41.130273]  [] kasan_end_report+0x47/0x4f
[ 41.136063]  [] kasan_report.cold.6+0x76/0x2fe
[ 41.142209]  [] ? disk_unblock_events+0x51/0x60
[ 41.148439]  [] __asan_report_load8_noabort+0x14/0x20
[ 41.155195]  [] disk_unblock_events+0x51/0x60
[ 41.161250]  [] __blkdev_get+0x6b6/0xd60
[ 41.166866]  [] ? __blkdev_put+0x840/0x840
[ 41.172651]  [] ? fsnotify+0x114/0x1100
[ 41.178165]  [] blkdev_get+0x2da/0x920
[ 41.183596]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 41.190345]  [] ? bd_may_claim+0xd0/0xd0
[ 41.195945]  [] ? bd_acquire+0x27/0x250
[ 41.201455]  [] ? bd_acquire+0x88/0x250
[ 41.206968]  [] ? _raw_spin_unlock+0x2c/0x50
[ 41.212915]  [] blkdev_open+0x1a5/0x250
[ 41.218430]  [] do_dentry_open+0x3ef/0xc90
[ 41.224214]  [] ? blkdev_get_by_dev+0x70/0x70
[ 41.230255]  [] vfs_open+0x11c/0x210
[ 41.235507]  [] ? may_open.isra.20+0x14f/0x2a0
[ 41.241640]  [] path_openat+0x542/0x2790
[ 41.247241]  [] ? path_mountpoint+0x6c0/0x6c0
[ 41.253273]  [] ? trace_hardirqs_on+0x10/0x10
[ 41.259308]  [] ? expand_files.part.3+0x3a9/0x6d0
[ 41.265689]  [] do_filp_open+0x197/0x270
[ 41.271308]  [] ? may_open_dev+0xe0/0xe0
[ 41.276909]  [] ? _raw_spin_unlock+0x2c/0x50
[ 41.282860]  [] ? __alloc_fd+0x1d7/0x4a0
[ 41.288461]  [] do_sys_open+0x30d/0x5c0
[ 41.293975]  [] ? filp_open+0x70/0x70
[ 41.299314]  [] ? up_read+0x1a/0x40
[ 41.304478]  [] SyS_open+0x2d/0x40
[ 41.309558]  [] ? do_sys_open+0x5c0/0x5c0
[ 41.315244]  [] do_syscall_64+0x19f/0x550
[ 41.320930]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 41.328454] Kernel Offset: disabled
[ 41.332063] Rebooting in 86400 seconds..