[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.818522] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   26.988487] random: sshd: uninitialized urandom read (32 bytes read)
[   27.319001] random: sshd: uninitialized urandom read (32 bytes read)
[   27.830794] random: sshd: uninitialized urandom read (32 bytes read)
[   33.285927] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[   38.869836] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   38.953407] ==================================================================
[   38.960873] BUG: KASAN: use-after-free in selinux_sb_copy_data+0x1cd/0x380
[   38.967875] Write of size 10 at addr ffff8801c3b7a000 by task syz-executor060/3805
[   38.975677] 
[   38.977290] CPU: 0 PID: 3805 Comm: syz-executor060 Not tainted 4.9.122-g54068d6 #26
[   38.985069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.994516]  ffff8801b8a3f4c8 ffffffff81eb8829 ffffea00070ede80 ffff8801c3b7a000
[   39.002636]  0000000000000001 ffff8801c3b7a000 000000000000000a ffff8801b8a3f500
[   39.010648]  ffffffff8156b6be ffff8801c3b7a000 000000000000000a 0000000000000001
[   39.018645] Call Trace:
[   39.021310]  [] dump_stack+0xc1/0x128
[   39.026666]  [] print_address_description+0x6c/0x234
[   39.033314]  [] kasan_report.cold.6+0x242/0x2fe
[   39.039526]  [] ? selinux_sb_copy_data+0x1cd/0x380
[   39.046001]  [] check_memory_region+0x14f/0x1b0
[   39.052212]  [] memcpy+0x37/0x50
[   39.057121]  [] selinux_sb_copy_data+0x1cd/0x380
[   39.063421]  [] security_sb_copy_data+0x7b/0xb0
[   39.069640]  [] parse_security_options+0x36/0x90
[   39.075940]  [] btrfs_mount+0x2f3/0x2bc0
[   39.081547]  [] ? btrfs_remount+0x1360/0x1360
[   39.087586]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   39.094503]  [] ? _find_next_bit.part.0+0xe0/0x120
[   39.100987]  [] ? find_next_bit+0x43/0x50
[   39.106771]  [] ? pcpu_alloc+0x483/0xad0
[   39.112404]  [] ? pcpu_create_chunk+0x430/0x430
[   39.118709]  [] ? __raw_spin_lock_init+0x1c/0x100
[   39.125096]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   39.131920]  [] ? lockdep_init_map+0x105/0x4f0
[   39.138155]  [] ? lockdep_init_map+0x105/0x4f0
[   39.144359]  [] mount_fs+0x28c/0x370
[   39.149626]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[   39.156019]  [] vfs_kern_mount+0x40/0x60
[   39.161632]  [] btrfs_mount+0x40b/0x2bc0
[   39.167242]  [] ? btrfs_remount+0x1360/0x1360
[   39.173297]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   39.180204]  [] ? _find_next_bit.part.0+0xe0/0x120
[   39.186679]  [] ? find_next_bit+0x43/0x50
[   39.192376]  [] ? pcpu_alloc+0x483/0xad0
[   39.197994]  [] ? pcpu_create_chunk+0x430/0x430
[   39.204316]  [] ? __raw_spin_lock_init+0x1c/0x100
[   39.210724]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   39.217551]  [] ? lockdep_init_map+0x105/0x4f0
[   39.223731]  [] ? lockdep_init_map+0x105/0x4f0
[   39.229864]  [] mount_fs+0x28c/0x370
[   39.235119]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[   39.241603]  [] ? ns_capable_common+0x12a/0x150
[   39.247814]  [] do_mount+0x3c9/0x2740
[   39.253160]  [] ? copy_mount_string+0x40/0x40
[   39.259202]  [] ? kasan_unpoison_shadow+0x35/0x50
[   39.265590]  [] ? kasan_kmalloc+0xc7/0xe0
[   39.271289]  [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[   39.277859]  [] ? copy_mount_options+0x5f/0x320
[   39.284075]  [] ? copy_mount_options+0x1e5/0x320
[   39.290385]  [] SyS_mount+0xfe/0x110
[   39.295657]  [] ? copy_mnt_ns+0x8e0/0x8e0
[   39.301361]  [] do_syscall_64+0x1a6/0x490
[   39.307101]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   39.314014] 
[   39.315625] Allocated by task 2217:
[   39.319233]  save_stack_trace+0x16/0x20
[   39.323190]  save_stack+0x43/0xd0
[   39.326630]  kasan_kmalloc+0xc7/0xe0
[   39.330364]  kasan_slab_alloc+0x12/0x20
[   39.334385]  kmem_cache_alloc+0xbe/0x290
[   39.338434]  selinux_file_alloc_security+0xae/0x190
[   39.343435]  security_file_alloc+0x73/0xb0
[   39.347647]  get_empty_filp+0x11e/0x380
[   39.351597]  alloc_file+0x20/0x350
[   39.355125]  anon_inode_getfile+0x1a4/0x350
[   39.359423]  anon_inode_getfd+0x45/0x90
[   39.363378]  SyS_signalfd4+0x237/0x430
[   39.367243]  do_syscall_64+0x1a6/0x490
[   39.371115]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   39.376191] 
[   39.377793] Freed by task 2217:
[   39.381047]  save_stack_trace+0x16/0x20
[   39.384996]  save_stack+0x43/0xd0
[   39.388431]  kasan_slab_free+0x72/0xc0
[   39.392305]  kmem_cache_free+0xbe/0x310
[   39.396263]  selinux_file_free_security+0x49/0x60
[   39.401129]  security_file_free+0x4e/0x90
[   39.405266]  __fput+0x270/0x700
[   39.408526]  ____fput+0x15/0x20
[   39.411785]  task_work_run+0x10c/0x180
[   39.415654]  exit_to_usermode_loop+0xfc/0x120
[   39.420126]  do_syscall_64+0x364/0x490
[   39.423994]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   39.429069] 
[   39.430676] The buggy address belongs to the object at ffff8801c3b7a000
[   39.430676]  which belongs to the cache selinux_file_security of size 16
[   39.444097] The buggy address is located 0 bytes inside of
[   39.444097]  16-byte region [ffff8801c3b7a000, ffff8801c3b7a010)
[   39.455735] The buggy address belongs to the page:
[   39.460649] page:ffffea00070ede80 count:1 mapcount:0 mapping:          (null) index:0xffff8801c3b7aa80
[   39.470239] flags: 0x8000000000000080(slab)
[   39.474542] page dumped because: kasan: bad access detected
[   39.480226] 
[   39.481832] Memory state around the buggy address:
[   39.486735]  ffff8801c3b79f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   39.494070]  ffff8801c3b79f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   39.501409] >ffff8801c3b7a000: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[   39.508745]                    ^
[   39.512086]  ffff8801c3b7a080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[   39.519429]  ffff8801c3b7a100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[   39.526762] ==================================================================
[   39.534093] Disabling lock debugging due to kernel taint
[   39.541545] Kernel panic - not syncing: panic_on_warn set ...
[   39.541545] 
[   39.548900] CPU: 0 PID: 3805 Comm: syz-executor060 Tainted: G    B   4.9.122-g54068d6 #26
[   39.558023] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.567362]  ffff8801b8a3f428 ffffffff81eb8829 ffffffff843c81db 00000000ffffffff
[   39.575365]  0000000000000000 0000000000000000 000000000000000a ffff8801b8a3f4e8
[   39.583386]  ffffffff81423f35 0000000041b58ab3 ffffffff843bb838 ffffffff81423d76
[   39.591374] Call Trace:
[   39.593944]  [] dump_stack+0xc1/0x128
[   39.599290]  [] panic+0x1bf/0x3bc
[   39.604289]  [] ? add_taint.cold.6+0x16/0x16
[   39.610361]  [] ? ___preempt_schedule+0x16/0x18
[   39.616575]  [] kasan_end_report+0x47/0x4f
[   39.622358]  [] kasan_report.cold.6+0x76/0x2fe
[   39.628490]  [] ? selinux_sb_copy_data+0x1cd/0x380
[   39.634959]  [] check_memory_region+0x14f/0x1b0
[   39.641169]  [] memcpy+0x37/0x50
[   39.646078]  [] selinux_sb_copy_data+0x1cd/0x380
[   39.652450]  [] security_sb_copy_data+0x7b/0xb0
[   39.658673]  [] parse_security_options+0x36/0x90
[   39.664975]  [] btrfs_mount+0x2f3/0x2bc0
[   39.670626]  [] ? btrfs_remount+0x1360/0x1360
[   39.676669]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   39.683577]  [] ? _find_next_bit.part.0+0xe0/0x120
[   39.690048]  [] ? find_next_bit+0x43/0x50
[   39.695736]  [] ? pcpu_alloc+0x483/0xad0
[   39.701339]  [] ? pcpu_create_chunk+0x430/0x430
[   39.707557]  [] ? __raw_spin_lock_init+0x1c/0x100
[   39.713949]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   39.720770]  [] ? lockdep_init_map+0x105/0x4f0
[   39.726897]  [] ? lockdep_init_map+0x105/0x4f0
[   39.733035]  [] mount_fs+0x28c/0x370
[   39.738295]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[   39.744685]  [] vfs_kern_mount+0x40/0x60
[   39.750301]  [] btrfs_mount+0x40b/0x2bc0
[   39.755962]  [] ? btrfs_remount+0x1360/0x1360
[   39.762005]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   39.768914]  [] ? _find_next_bit.part.0+0xe0/0x120
[   39.775393]  [] ? find_next_bit+0x43/0x50
[   39.781214]  [] ? pcpu_alloc+0x483/0xad0
[   39.786817]  [] ? pcpu_create_chunk+0x430/0x430
[   39.793105]  [] ? __raw_spin_lock_init+0x1c/0x100
[   39.799495]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   39.806321]  [] ? lockdep_init_map+0x105/0x4f0
[   39.812450]  [] ? lockdep_init_map+0x105/0x4f0
[   39.818585]  [] mount_fs+0x28c/0x370
[   39.823845]  [] vfs_kern_mount.part.29+0xd1/0x3d0
[   39.830236]  [] ? ns_capable_common+0x12a/0x150
[   39.836461]  [] do_mount+0x3c9/0x2740
[   39.841802]  [] ? copy_mount_string+0x40/0x40
[   39.847840]  [] ? kasan_unpoison_shadow+0x35/0x50
[   39.854223]  [] ? kasan_kmalloc+0xc7/0xe0
[   39.859922]  [] ? kmem_cache_alloc_trace+0xfd/0x2b0
[   39.866493]  [] ? copy_mount_options+0x5f/0x320
[   39.872843]  [] ? copy_mount_options+0x1e5/0x320
[   39.879144]  [] SyS_mount+0xfe/0x110
[   39.884403]  [] ? copy_mnt_ns+0x8e0/0x8e0
[   39.890135]  [] do_syscall_64+0x1a6/0x490
[   39.895831]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   39.903118] Dumping ftrace buffer:
[   39.906647]    (ftrace buffer empty)
[   39.910348] Kernel Offset: disabled
[   39.913965] Rebooting in 86400 seconds..