[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 26.718389] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 30.145484] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.386358] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.959678] random: sshd: uninitialized urandom read (32 bytes read)
[ 78.611936] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.42' (ECDSA) to the list of known hosts.
[ 84.161558] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/10 12:24:38 parsed 1 programs
[ 85.825748] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/10 12:24:41 executed programs: 0
[ 87.203953] IPVS: ftp: loaded support on port[0] = 21
[ 87.448734] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.455561] bridge0: port 1(bridge_slave_0) entered disabled state
[ 87.463063] device bridge_slave_0 entered promiscuous mode
[ 87.481324] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.487937] bridge0: port 2(bridge_slave_1) entered disabled state
[ 87.495027] device bridge_slave_1 entered promiscuous mode
[ 87.512573] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 87.531497] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 87.580331] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 87.601359] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 87.674778] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 87.682013] team0: Port device team_slave_0 added
[ 87.699700] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 87.706973] team0: Port device team_slave_1 added
[ 87.724628] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 87.746532] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 87.765125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 87.786281] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 87.935584] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.942237] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 87.949111] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.955470] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 88.478565] 8021q: adding VLAN 0 to HW filter on device bond0
[ 88.529556] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 88.582751] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 88.588920] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 88.597579] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 88.641527] 8021q: adding VLAN 0 to HW filter on device team0
[ 88.967819] ==================================================================
[ 88.975304] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[ 88.981315] Read of size 8 at addr ffff8801c439ea30 by task syz-executor0/5616
[ 88.988734]
[ 88.990365] CPU: 1 PID: 5616 Comm: syz-executor0 Not tainted 4.19.0-rc3+ #134
[ 88.997620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 89.006961] Call Trace:
[ 89.009577]  dump_stack+0x1c4/0x2b4
[ 89.013198]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 89.018377]  ? printk+0xa7/0xcf
[ 89.021658]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 89.026419]  print_address_description.cold.8+0x9/0x1ff
[ 89.031780]  kasan_report.cold.9+0x242/0x309
[ 89.036226]  ? sock_i_ino+0x94/0xa0
[ 89.039853]  __asan_report_load8_noabort+0x14/0x20
[ 89.044847]  sock_i_ino+0x94/0xa0
[ 89.048326]  tipc_sk_fill_sock_diag+0x39c/0xd90
[ 89.053002]  ? tipc_diag_dump+0x30/0x30
[ 89.056978]  ? tipc_getname+0x7f0/0x7f0
[ 89.060953]  ? graph_lock+0x170/0x170
[ 89.064744]  ? __lock_sock+0x203/0x350
[ 89.068650]  ? find_held_lock+0x36/0x1c0
[ 89.072709]  ? mark_held_locks+0xc7/0x130
[ 89.076843]  ? __local_bh_enable_ip+0x160/0x260
[ 89.081498]  ? __local_bh_enable_ip+0x160/0x260
[ 89.086451]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 89.091025]  ? trace_hardirqs_on+0xbd/0x310
[ 89.095331]  ? lock_release+0x970/0x970
[ 89.099291]  ? lock_sock_nested+0xe2/0x120
[ 89.103613]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 89.108626]  ? skb_put+0x17b/0x1e0
[ 89.112153]  ? memset+0x31/0x40
[ 89.115492]  ? __nlmsg_put+0x14c/0x1b0
[ 89.119392]  __tipc_add_sock_diag+0x233/0x360
[ 89.123888]  tipc_nl_sk_walk+0x122/0x1d0
[ 89.127941]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 89.133206]  tipc_diag_dump+0x24/0x30
[ 89.136997]  netlink_dump+0x519/0xd50
[ 89.140800]  ? netlink_broadcast+0x50/0x50
[ 89.145033]  __netlink_dump_start+0x4f1/0x6f0
[ 89.149523]  ? tipc_data_ready+0x3e0/0x3e0
[ 89.153748]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 89.158852]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 89.163576]  ? tipc_data_ready+0x3e0/0x3e0
[ 89.167805]  ? tipc_unregister_sysctl+0x20/0x20
[ 89.172459]  ? tipc_ioctl+0x3a0/0x3a0
[ 89.176255]  ? netlink_deliver_tap+0x355/0xf80
[ 89.180836]  sock_diag_rcv_msg+0x31d/0x410
[ 89.185191]  netlink_rcv_skb+0x172/0x440
[ 89.189250]  ? sock_diag_bind+0x80/0x80
[ 89.193218]  ? netlink_ack+0xb80/0xb80
[ 89.197161]  sock_diag_rcv+0x2a/0x40
[ 89.200916]  netlink_unicast+0x5a5/0x760
[ 89.204972]  ? netlink_attachskb+0x9a0/0x9a0
[ 89.209370]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 89.214900]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 89.219923]  netlink_sendmsg+0xa18/0xfc0
[ 89.223981]  ? move_addr_to_kernel.part.18+0xc6/0x100
[ 89.229191]  ? netlink_unicast+0x760/0x760
[ 89.233422]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[ 89.238347]  ? apparmor_socket_sendmsg+0x29/0x30
[ 89.243169]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 89.248700]  ? security_socket_sendmsg+0x94/0xc0
[ 89.253523]  ? netlink_unicast+0x760/0x760
[ 89.257758]  sock_sendmsg+0xd5/0x120
[ 89.261473]  ___sys_sendmsg+0x7fd/0x930
[ 89.265527]  ? __local_bh_enable_ip+0x160/0x260
[ 89.270315]  ? copy_msghdr_from_user+0x580/0x580
[ 89.275075]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 89.280533]  ? release_sock+0x1ec/0x2c0
[ 89.284504]  ? __fget_light+0x2e9/0x430
[ 89.288476]  ? fget_raw+0x20/0x20
[ 89.291921]  ? __release_sock+0x3a0/0x3a0
[ 89.296058]  ? tipc_nametbl_build_group+0x273/0x360
[ 89.301074]  ? tipc_setsockopt+0x726/0xd70
[ 89.305315]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 89.310839]  ? sockfd_lookup_light+0xc5/0x160
[ 89.315322]  __sys_sendmsg+0x11d/0x280
[ 89.319217]  ? __ia32_sys_shutdown+0x80/0x80
[ 89.323622]  ? do_fast_syscall_32+0x150/0xfb2
[ 89.328104]  ? do_fast_syscall_32+0x150/0xfb2
[ 89.332592]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 89.338054]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 89.342804]  do_fast_syscall_32+0x34d/0xfb2
[ 89.347114]  ? do_int80_syscall_32+0x890/0x890
[ 89.351688]  ? entry_SYSENTER_compat+0x68/0x7f
[ 89.356257]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 89.361262]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 89.366095]  ? trace_hardirqs_on_caller+0x310/0x310
[ 89.371102]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 89.376112]  ? recalc_sigpending_tsk+0x180/0x180
[ 89.380855]  ? kasan_check_write+0x14/0x20
[ 89.385079]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 89.389919]  entry_SYSENTER_compat+0x70/0x7f
[ 89.394314] RIP: 0023:0xf7f88ca9
[ 89.397669] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 89.416560] RSP: 002b:00000000f7f840cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[ 89.424256] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[ 89.431542] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 89.438798] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 89.446053] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 89.453305] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 89.460565]
[ 89.462191] Allocated by task 5616:
[ 89.465806]  save_stack+0x43/0xd0
[ 89.469243]  kasan_kmalloc+0xc7/0xe0
[ 89.472940]  kasan_slab_alloc+0x12/0x20
[ 89.476899]  kmem_cache_alloc+0x12e/0x730
[ 89.481045]  sock_alloc_inode+0x1d/0x260
[ 89.485102]  alloc_inode+0x63/0x190
[ 89.488712]  new_inode_pseudo+0x71/0x1a0
[ 89.492758]  sock_alloc+0x41/0x270
[ 89.496281]  __sock_create+0x175/0x930
[ 89.500155]  __sys_socket+0x106/0x260
[ 89.503940]  __ia32_sys_socket+0x73/0xb0
[ 89.507988]  do_fast_syscall_32+0x34d/0xfb2
[ 89.512309]  entry_SYSENTER_compat+0x70/0x7f
[ 89.516706]
[ 89.518329] Freed by task 5615:
[ 89.521723]  save_stack+0x43/0xd0
[ 89.525167]  __kasan_slab_free+0x102/0x150
[ 89.529396]  kasan_slab_free+0xe/0x10
[ 89.533185]  kmem_cache_free+0x83/0x290
[ 89.537162]  sock_destroy_inode+0x51/0x60
[ 89.541295]  destroy_inode+0x159/0x200
[ 89.545173]  evict+0x5e0/0x980
[ 89.548350]  iput+0x679/0xa90
[ 89.551456]  dentry_unlink_inode+0x461/0x5e0
[ 89.555865]  __dentry_kill+0x44c/0x7a0
[ 89.559758]  dentry_kill+0xc9/0x5a0
[ 89.563370]  dput.part.26+0x660/0x790
[ 89.567164]  dput+0x15/0x20
[ 89.570082]  __fput+0x4cf/0xa30
[ 89.573344]  ____fput+0x15/0x20
[ 89.576612]  task_work_run+0x1e8/0x2a0
[ 89.580502]  exit_to_usermode_loop+0x318/0x380
[ 89.585090]  do_fast_syscall_32+0xcd5/0xfb2
[ 89.589411]  entry_SYSENTER_compat+0x70/0x7f
[ 89.593808]
[ 89.595437] The buggy address belongs to the object at ffff8801c439e9c0
[ 89.595437]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[ 89.609293] The buggy address is located 112 bytes inside of
[ 89.609293]  984-byte region [ffff8801c439e9c0, ffff8801c439ed98)
[ 89.621149] The buggy address belongs to the page:
[ 89.626063] page:ffffea000710e780 count:1 mapcount:0 mapping:ffff8801d36ca840 index:0xffff8801c439effd
[ 89.635494] flags: 0x2fffc0000000100(slab)
[ 89.639724] raw: 02fffc0000000100 ffffea000710e548 ffffea000710e688 ffff8801d36ca840
[ 89.647593] raw: ffff8801c439effd ffff8801c439e0c0 0000000100000003 ffff8801b8ce4680
[ 89.655453] page dumped because: kasan: bad access detected
[ 89.661143] page->mem_cgroup:ffff8801b8ce4680
[ 89.665618]
[ 89.667226] Memory state around the buggy address:
[ 89.672146]  ffff8801c439e900: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 89.679488]  ffff8801c439e980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 89.686851] >ffff8801c439ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.694204]                                      ^
[ 89.699134]  ffff8801c439ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.706502]  ffff8801c439eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.713849] ==================================================================
[ 89.721197] Disabling lock debugging due to kernel taint
[ 89.726741] Kernel panic - not syncing: panic_on_warn set ...
[ 89.726741]
[ 89.734118] CPU: 1 PID: 5616 Comm: syz-executor0 Tainted: G B 4.19.0-rc3+ #134
[ 89.742779] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 89.752127] Call Trace:
[ 89.754701]  dump_stack+0x1c4/0x2b4
[ 89.758314]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 89.763490]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 89.768236]  panic+0x238/0x4e7
[ 89.771410]  ? add_taint.cold.5+0x16/0x16
[ 89.775543]  ? trace_hardirqs_on+0x9a/0x310
[ 89.779859]  ? trace_hardirqs_on+0xb4/0x310
[ 89.784162]  ? trace_hardirqs_on+0xb4/0x310
[ 89.788485]  kasan_end_report+0x47/0x4f
[ 89.792467]  kasan_report.cold.9+0x76/0x309
[ 89.796772]  ? sock_i_ino+0x94/0xa0
[ 89.800386]  __asan_report_load8_noabort+0x14/0x20
[ 89.805300]  sock_i_ino+0x94/0xa0
[ 89.808742]  tipc_sk_fill_sock_diag+0x39c/0xd90
[ 89.813394]  ? tipc_diag_dump+0x30/0x30
[ 89.817356]  ? tipc_getname+0x7f0/0x7f0
[ 89.821318]  ? graph_lock+0x170/0x170
[ 89.825107]  ? __lock_sock+0x203/0x350
[ 89.828983]  ? find_held_lock+0x36/0x1c0
[ 89.833035]  ? mark_held_locks+0xc7/0x130
[ 89.837171]  ? __local_bh_enable_ip+0x160/0x260
[ 89.841823]  ? __local_bh_enable_ip+0x160/0x260
[ 89.846476]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 89.851045]  ? trace_hardirqs_on+0xbd/0x310
[ 89.855349]  ? lock_release+0x970/0x970
[ 89.859308]  ? lock_sock_nested+0xe2/0x120
[ 89.863545]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 89.868543]  ? skb_put+0x17b/0x1e0
[ 89.872065]  ? memset+0x31/0x40
[ 89.875334]  ? __nlmsg_put+0x14c/0x1b0
[ 89.879208]  __tipc_add_sock_diag+0x233/0x360
[ 89.883689]  tipc_nl_sk_walk+0x122/0x1d0
[ 89.887736]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 89.892999]  tipc_diag_dump+0x24/0x30
[ 89.896805]  netlink_dump+0x519/0xd50
[ 89.900592]  ? netlink_broadcast+0x50/0x50
[ 89.904817]  __netlink_dump_start+0x4f1/0x6f0
[ 89.909296]  ? tipc_data_ready+0x3e0/0x3e0
[ 89.913523]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 89.918613]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 89.923265]  ? tipc_data_ready+0x3e0/0x3e0
[ 89.927483]  ? tipc_unregister_sysctl+0x20/0x20
[ 89.932137]  ? tipc_ioctl+0x3a0/0x3a0
[ 89.935922]  ? netlink_deliver_tap+0x355/0xf80
[ 89.940492]  sock_diag_rcv_msg+0x31d/0x410
[ 89.944723]  netlink_rcv_skb+0x172/0x440
[ 89.948769]  ? sock_diag_bind+0x80/0x80
[ 89.952728]  ? netlink_ack+0xb80/0xb80
[ 89.956604]  sock_diag_rcv+0x2a/0x40
[ 89.960302]  netlink_unicast+0x5a5/0x760
[ 89.964354]  ? netlink_attachskb+0x9a0/0x9a0
[ 89.968751]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 89.974274]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 89.979278]  netlink_sendmsg+0xa18/0xfc0
[ 89.983325]  ? move_addr_to_kernel.part.18+0xc6/0x100
[ 89.988500]  ? netlink_unicast+0x760/0x760
[ 89.992725]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[ 89.997640]  ? apparmor_socket_sendmsg+0x29/0x30
[ 90.002384]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 90.007905]  ? security_socket_sendmsg+0x94/0xc0
[ 90.012666]  ? netlink_unicast+0x760/0x760
[ 90.016886]  sock_sendmsg+0xd5/0x120
[ 90.020587]  ___sys_sendmsg+0x7fd/0x930
[ 90.024549]  ? __local_bh_enable_ip+0x160/0x260
[ 90.029214]  ? copy_msghdr_from_user+0x580/0x580
[ 90.033960]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 90.039402]  ? release_sock+0x1ec/0x2c0
[ 90.043393]  ? __fget_light+0x2e9/0x430
[ 90.047365]  ? fget_raw+0x20/0x20
[ 90.050817]  ? __release_sock+0x3a0/0x3a0
[ 90.054972]  ? tipc_nametbl_build_group+0x273/0x360
[ 90.059980]  ? tipc_setsockopt+0x726/0xd70
[ 90.064208]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 90.069732]  ? sockfd_lookup_light+0xc5/0x160
[ 90.074218]  __sys_sendmsg+0x11d/0x280
[ 90.078094]  ? __ia32_sys_shutdown+0x80/0x80
[ 90.082491]  ? do_fast_syscall_32+0x150/0xfb2
[ 90.086983]  ? do_fast_syscall_32+0x150/0xfb2
[ 90.091480]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 90.096932]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 90.101686]  do_fast_syscall_32+0x34d/0xfb2
[ 90.105995]  ? do_int80_syscall_32+0x890/0x890
[ 90.110567]  ? entry_SYSENTER_compat+0x68/0x7f
[ 90.115138]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 90.120145]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 90.124979]  ? trace_hardirqs_on_caller+0x310/0x310
[ 90.130005]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 90.135033]  ? recalc_sigpending_tsk+0x180/0x180
[ 90.139803]  ? kasan_check_write+0x14/0x20
[ 90.144044]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 90.148891]  entry_SYSENTER_compat+0x70/0x7f
[ 90.153322] RIP: 0023:0xf7f88ca9
[ 90.156677] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 90.175567] RSP: 002b:00000000f7f840cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[ 90.183264] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[ 90.190525] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 90.197799] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 90.205064] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 90.212328] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 90.219896] Dumping ftrace buffer:
[ 90.223421]    (ftrace buffer empty)
[ 90.227722] Kernel Offset: disabled
[ 90.231351] Rebooting in 86400 seconds..