[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 23.159588] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 28.320801] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.698695] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.249744] random: sshd: uninitialized urandom read (32 bytes read)
[ 99.384060] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.62' (ECDSA) to the list of known hosts.
[ 104.894052] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 04:27:26 parsed 1 programs
[ 105.911252] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 04:27:28 executed programs: 0
[ 107.108251] IPVS: ftp: loaded support on port[0] = 21
[ 107.311853] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.318316] bridge0: port 1(bridge_slave_0) entered disabled state
[ 107.325607] device bridge_slave_0 entered promiscuous mode
[ 107.342438] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.348803] bridge0: port 2(bridge_slave_1) entered disabled state
[ 107.355831] device bridge_slave_1 entered promiscuous mode
[ 107.371531] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 107.387645] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 107.429931] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 107.447969] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 107.511323] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 107.518617] team0: Port device team_slave_0 added
[ 107.534445] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 107.541591] team0: Port device team_slave_1 added
[ 107.556878] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 107.569720] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 107.587819] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 107.607066] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 107.723369] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.729923] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.736766] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.743153] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 108.175782] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 108.182155] 8021q: adding VLAN 0 to HW filter on device bond0
[ 108.227008] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 108.260074] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 108.279500] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 108.285744] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 108.293768] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 108.332408] 8021q: adding VLAN 0 to HW filter on device team0
[ 111.542682] ==================================================================
[ 111.550224] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x739/0x84b
[ 111.557680] Read of size 2 at addr ffff8801badf9872 by task syz-executor0/5519
[ 111.565027]
[ 111.566681] CPU: 0 PID: 5519 Comm: syz-executor0 Not tainted 4.18.0+ #189
[ 111.573617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 111.582967] Call Trace:
[ 111.585565]  dump_stack+0x1c9/0x2b4
[ 111.589196]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 111.594388]  ? printk+0xa7/0xcf
[ 111.597670]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 111.602448]  ? tipc_group_fill_sock_diag+0x739/0x84b
[ 111.607566]  print_address_description+0x6c/0x20b
[ 111.612412]  ? tipc_group_fill_sock_diag+0x739/0x84b
[ 111.617515]  kasan_report.cold.7+0x242/0x2fe
[ 111.621929]  __asan_report_load2_noabort+0x14/0x20
[ 111.626857]  tipc_group_fill_sock_diag+0x739/0x84b
[ 111.631803]  ? tipc_group_member_evt+0xe30/0xe30
[ 111.636588]  ? skb_put+0x17b/0x1e0
[ 111.640138]  ? memset+0x31/0x40
[ 111.643425]  ? memcpy+0x45/0x50
[ 111.646706]  ? __nla_put+0x37/0x40
[ 111.650256]  ? nla_put+0x11a/0x150
[ 111.653802]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 111.658475]  ? tipc_diag_dump+0x30/0x30
[ 111.662455]  ? tipc_getname+0x7f0/0x7f0
[ 111.666434]  ? save_stack+0xa9/0xd0
[ 111.670071]  ? graph_lock+0x170/0x170
[ 111.673876]  ? graph_lock+0x170/0x170
[ 111.677689]  ? __netlink_dump_start+0x4f1/0x6f0
[ 111.682374]  ? sock_diag_rcv_msg+0x31d/0x410
[ 111.686783]  ? netlink_rcv_skb+0x172/0x440
[ 111.691038]  ? sock_diag_rcv+0x2a/0x40
[ 111.694924]  ? netlink_unicast+0x5a0/0x760
[ 111.699157]  ? netlink_sendmsg+0xa18/0xfc0
[ 111.703391]  ? sock_sendmsg+0xd5/0x120
[ 111.707286]  ? ___sys_sendmsg+0x7fd/0x930
[ 111.711436]  ? __x64_sys_sendmsg+0x78/0xb0
[ 111.715669]  ? do_syscall_64+0x1b9/0x820
[ 111.719730]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 111.725097]  ? print_usage_bug+0xc0/0xc0
[ 111.729168]  ? find_held_lock+0x36/0x1c0
[ 111.733237]  ? lock_acquire+0x1e4/0x540
[ 111.737220]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 111.741460]  ? lock_downgrade+0x8f0/0x8f0
[ 111.745619]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 111.750636]  ? skb_put+0x17b/0x1e0
[ 111.754183]  ? __nlmsg_put+0x14c/0x1b0
[ 111.758080]  __tipc_add_sock_diag+0x22f/0x360
[ 111.762586]  tipc_nl_sk_walk+0x68d/0xd30
[ 111.766654]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 111.771960]  ? __tipc_nl_add_sk+0x400/0x400
[ 111.776316]  ? skb_scrub_packet+0x490/0x490
[ 111.780650]  ? kasan_check_write+0x14/0x20
[ 111.784894]  ? lock_downgrade+0x8f0/0x8f0
[ 111.789063]  tipc_diag_dump+0x24/0x30
[ 111.792863]  netlink_dump+0x519/0xd50
[ 111.796679]  ? netlink_broadcast+0x50/0x50
[ 111.800925]  __netlink_dump_start+0x4f1/0x6f0
[ 111.805523]  ? kasan_check_read+0x11/0x20
[ 111.809680]  tipc_sock_diag_handler_dump+0x234/0x340
[ 111.814786]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 111.819458]  ? tipc_unregister_sysctl+0x20/0x20
[ 111.824131]  ? netlink_deliver_tap+0x356/0xfb0
[ 111.828729]  sock_diag_rcv_msg+0x31d/0x410
[ 111.832992]  netlink_rcv_skb+0x172/0x440
[ 111.837056]  ? sock_diag_bind+0x80/0x80
[ 111.841035]  ? netlink_ack+0xbe0/0xbe0
[ 111.844921]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 111.849616]  sock_diag_rcv+0x2a/0x40
[ 111.853333]  netlink_unicast+0x5a0/0x760
[ 111.857399]  ? netlink_attachskb+0x9a0/0x9a0
[ 111.861822]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 111.867361]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 111.872384]  netlink_sendmsg+0xa18/0xfc0
[ 111.876452]  ? netlink_unicast+0x760/0x760
[ 111.880690]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 111.885971]  ? security_socket_sendmsg+0x94/0xc0
[ 111.890735]  ? netlink_unicast+0x760/0x760
[ 111.894973]  sock_sendmsg+0xd5/0x120
[ 111.898697]  ___sys_sendmsg+0x7fd/0x930
[ 111.902705]  ? copy_msghdr_from_user+0x580/0x580
[ 111.907464]  ? kasan_check_read+0x11/0x20
[ 111.911612]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 111.916043]  ? __fget_light+0x2f7/0x440
[ 111.920021]  ? __local_bh_enable_ip+0x161/0x230
[ 111.924689]  ? fget_raw+0x20/0x20
[ 111.928152]  ? __release_sock+0x3a0/0x3a0
[ 111.932319]  ? tipc_nametbl_build_group+0x279/0x360
[ 111.937343]  ? tipc_setsockopt+0x726/0xd70
[ 111.941584]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 111.947161]  ? sockfd_lookup_light+0xc5/0x160
[ 111.951662]  __sys_sendmsg+0x11d/0x290
[ 111.955562]  ? __ia32_sys_shutdown+0x80/0x80
[ 111.959973]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 111.965526]  ? fput+0x130/0x1a0
[ 111.968810]  ? __x64_sys_futex+0x47f/0x6a0
[ 111.973061]  __x64_sys_sendmsg+0x78/0xb0
[ 111.977129]  do_syscall_64+0x1b9/0x820
[ 111.981034]  ? finish_task_switch+0x1d3/0x870
[ 111.985536]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 111.990471]  ? syscall_return_slowpath+0x31d/0x5e0
[ 111.995404]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 112.000775]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 112.005626]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.010812] RIP: 0033:0x457089
[ 112.014017] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 112.032916] RSP: 002b:00007fdf26234c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 112.040637] RAX: ffffffffffffffda RBX: 00007fdf262356d4 RCX: 0000000000457089
[ 112.047923] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 112.055188] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 112.062456] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 112.069723] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 112.077008]
[ 112.078643] Allocated by task 5519:
[ 112.082284]  save_stack+0x43/0xd0
[ 112.085750]  kasan_kmalloc+0xc4/0xe0
[ 112.089482]  kmem_cache_alloc_trace+0x152/0x780
[ 112.094156]  tipc_group_create+0x155/0xa70
[ 112.098394]  tipc_setsockopt+0x2d1/0xd70
[ 112.102456]  __sys_setsockopt+0x1c5/0x3b0
[ 112.106605]  __x64_sys_setsockopt+0xbe/0x150
[ 112.111017]  do_syscall_64+0x1b9/0x820
[ 112.114904]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.120084]
[ 112.121711] Freed by task 5518:
[ 112.124996]  save_stack+0x43/0xd0
[ 112.128449]  __kasan_slab_free+0x11a/0x170
[ 112.132682]  kasan_slab_free+0xe/0x10
[ 112.136487]  kfree+0xd9/0x260
[ 112.139593]  tipc_group_delete+0x2e5/0x3f0
[ 112.143828]  tipc_sk_leave+0x113/0x220
[ 112.147712]  tipc_release+0x14e/0x12b0
[ 112.151599]  __sock_release+0xd7/0x250
[ 112.155484]  sock_close+0x19/0x20
[ 112.158937]  __fput+0x39b/0x860
[ 112.162219]  ____fput+0x15/0x20
[ 112.165509]  task_work_run+0x1e8/0x2a0
[ 112.169395]  exit_to_usermode_loop+0x318/0x380
[ 112.173993]  do_syscall_64+0x6be/0x820
[ 112.177878]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.183144]
[ 112.184773] The buggy address belongs to the object at ffff8801badf9800
[ 112.184773]  which belongs to the cache kmalloc-192 of size 192
[ 112.197428] The buggy address is located 114 bytes inside of
[ 112.197428]  192-byte region [ffff8801badf9800, ffff8801badf98c0)
[ 112.209294] The buggy address belongs to the page:
[ 112.214225] page:ffffea0006eb7e40 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[ 112.222373] flags: 0x2fffc0000000100(slab)
[ 112.226623] raw: 02fffc0000000100 ffffea00071187c8 ffffea0006f3df08 ffff8801dac00040
[ 112.234515] raw: 0000000000000000 ffff8801badf9000 0000000100000010 0000000000000000
[ 112.242401] page dumped because: kasan: bad access detected
[ 112.248097]
[ 112.249735] Memory state around the buggy address:
[ 112.254671]  ffff8801badf9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 112.262057]  ffff8801badf9780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 112.269413] >ffff8801badf9800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.276767]                                                              ^
[ 112.283779]  ffff8801badf9880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 112.291137]  ffff8801badf9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.298489] ==================================================================
[ 112.305838] Disabling lock debugging due to kernel taint
[ 112.311325] Kernel panic - not syncing: panic_on_warn set ...
[ 112.311325]
[ 112.318708] CPU: 0 PID: 5519 Comm: syz-executor0 Tainted: G    B             4.18.0+ #189
[ 112.327011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.336822] Call Trace:
[ 112.339418]  dump_stack+0x1c9/0x2b4
[ 112.343050]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 112.348262]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 112.353031]  panic+0x238/0x4e7
[ 112.356230]  ? add_taint.cold.5+0x16/0x16
[ 112.360387]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 112.364806]  ? tipc_group_fill_sock_diag+0x739/0x84b
[ 112.369918]  kasan_end_report+0x47/0x4f
[ 112.373911]  kasan_report.cold.7+0x76/0x2fe
[ 112.378241]  __asan_report_load2_noabort+0x14/0x20
[ 112.383172]  tipc_group_fill_sock_diag+0x739/0x84b
[ 112.388100]  ? tipc_group_member_evt+0xe30/0xe30
[ 112.392858]  ? skb_put+0x17b/0x1e0
[ 112.396391]  ? memset+0x31/0x40
[ 112.399668]  ? memcpy+0x45/0x50
[ 112.402949]  ? __nla_put+0x37/0x40
[ 112.406495]  ? nla_put+0x11a/0x150
[ 112.410061]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 112.414740]  ? tipc_diag_dump+0x30/0x30
[ 112.418710]  ? tipc_getname+0x7f0/0x7f0
[ 112.422673]  ? save_stack+0xa9/0xd0
[ 112.426295]  ? graph_lock+0x170/0x170
[ 112.430100]  ? graph_lock+0x170/0x170
[ 112.433902]  ? __netlink_dump_start+0x4f1/0x6f0
[ 112.438571]  ? sock_diag_rcv_msg+0x31d/0x410
[ 112.443063]  ? netlink_rcv_skb+0x172/0x440
[ 112.447297]  ? sock_diag_rcv+0x2a/0x40
[ 112.451178]  ? netlink_unicast+0x5a0/0x760
[ 112.455403]  ? netlink_sendmsg+0xa18/0xfc0
[ 112.459631]  ? sock_sendmsg+0xd5/0x120
[ 112.463527]  ? ___sys_sendmsg+0x7fd/0x930
[ 112.467671]  ? __x64_sys_sendmsg+0x78/0xb0
[ 112.471905]  ? do_syscall_64+0x1b9/0x820
[ 112.475962]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.481478]  ? print_usage_bug+0xc0/0xc0
[ 112.485552]  ? find_held_lock+0x36/0x1c0
[ 112.489610]  ? lock_acquire+0x1e4/0x540
[ 112.493582]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 112.497835]  ? lock_downgrade+0x8f0/0x8f0
[ 112.501995]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 112.507017]  ? skb_put+0x17b/0x1e0
[ 112.510559]  ? __nlmsg_put+0x14c/0x1b0
[ 112.514450]  __tipc_add_sock_diag+0x22f/0x360
[ 112.518947]  tipc_nl_sk_walk+0x68d/0xd30
[ 112.523027]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 112.528305]  ? __tipc_nl_add_sk+0x400/0x400
[ 112.532673]  ? skb_scrub_packet+0x490/0x490
[ 112.537003]  ? kasan_check_write+0x14/0x20
[ 112.541239]  ? lock_downgrade+0x8f0/0x8f0
[ 112.545417]  tipc_diag_dump+0x24/0x30
[ 112.549223]  netlink_dump+0x519/0xd50
[ 112.553036]  ? netlink_broadcast+0x50/0x50
[ 112.557287]  __netlink_dump_start+0x4f1/0x6f0
[ 112.561780]  ? kasan_check_read+0x11/0x20
[ 112.565940]  tipc_sock_diag_handler_dump+0x234/0x340
[ 112.571141]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 112.575805]  ? tipc_unregister_sysctl+0x20/0x20
[ 112.580498]  ? netlink_deliver_tap+0x356/0xfb0
[ 112.585117]  sock_diag_rcv_msg+0x31d/0x410
[ 112.589349]  netlink_rcv_skb+0x172/0x440
[ 112.593420]  ? sock_diag_bind+0x80/0x80
[ 112.597391]  ? netlink_ack+0xbe0/0xbe0
[ 112.601289]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 112.605959]  sock_diag_rcv+0x2a/0x40
[ 112.609676]  netlink_unicast+0x5a0/0x760
[ 112.613732]  ? netlink_attachskb+0x9a0/0x9a0
[ 112.618142]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 112.623691]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 112.628744]  netlink_sendmsg+0xa18/0xfc0
[ 112.632807]  ? netlink_unicast+0x760/0x760
[ 112.637050]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 112.642342]  ? security_socket_sendmsg+0x94/0xc0
[ 112.647103]  ? netlink_unicast+0x760/0x760
[ 112.651353]  sock_sendmsg+0xd5/0x120
[ 112.655063]  ___sys_sendmsg+0x7fd/0x930
[ 112.659041]  ? copy_msghdr_from_user+0x580/0x580
[ 112.663792]  ? kasan_check_read+0x11/0x20
[ 112.667944]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 112.672359]  ? __fget_light+0x2f7/0x440
[ 112.676335]  ? __local_bh_enable_ip+0x161/0x230
[ 112.681007]  ? fget_raw+0x20/0x20
[ 112.684471]  ? __release_sock+0x3a0/0x3a0
[ 112.688631]  ? tipc_nametbl_build_group+0x279/0x360
[ 112.693649]  ? tipc_setsockopt+0x726/0xd70
[ 112.697885]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 112.703431]  ? sockfd_lookup_light+0xc5/0x160
[ 112.707925]  __sys_sendmsg+0x11d/0x290
[ 112.711808]  ? __ia32_sys_shutdown+0x80/0x80
[ 112.716215]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 112.721757]  ? fput+0x130/0x1a0
[ 112.725039]  ? __x64_sys_futex+0x47f/0x6a0
[ 112.729286]  __x64_sys_sendmsg+0x78/0xb0
[ 112.733350]  do_syscall_64+0x1b9/0x820
[ 112.737236]  ? finish_task_switch+0x1d3/0x870
[ 112.741738]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 112.746699]  ? syscall_return_slowpath+0x31d/0x5e0
[ 112.751631]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 112.757002]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 112.761842]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.767026] RIP: 0033:0x457089
[ 112.770217] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 112.789117] RSP: 002b:00007fdf26234c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 112.796835] RAX: ffffffffffffffda RBX: 00007fdf262356d4 RCX: 0000000000457089
[ 112.804100] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 112.811364] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 112.818628] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 112.825889] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 112.833442] Dumping ftrace buffer:
[ 112.836974]    (ftrace buffer empty)
[ 112.840660] Kernel Offset: disabled
[ 112.844265] Rebooting in 86400 seconds..