[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   26.671823] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[   27.842712] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.342241] random: sshd: uninitialized urandom read (32 bytes read)
[   28.942935] random: sshd: uninitialized urandom read (32 bytes read)
[   86.937427] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.223' (ECDSA) to the list of known hosts.
[   92.484280] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/13 23:01:39 parsed 1 programs
[   93.660410] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/13 23:01:40 executed programs: 0
[   94.679794] IPVS: ftp: loaded support on port[0] = 21
[   94.948713] bridge0: port 1(bridge_slave_0) entered blocking state
[   94.955628] bridge0: port 1(bridge_slave_0) entered disabled state
[   94.962967] device bridge_slave_0 entered promiscuous mode
[   94.982527] bridge0: port 2(bridge_slave_1) entered blocking state
[   94.988921] bridge0: port 2(bridge_slave_1) entered disabled state
[   94.996806] device bridge_slave_1 entered promiscuous mode
[   95.015465] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   95.034487] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   95.086411] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   95.108708] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   95.189699] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   95.197161] team0: Port device team_slave_0 added
[   95.214562] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   95.221890] team0: Port device team_slave_1 added
[   95.239639] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   95.262169] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   95.282627] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   95.303473] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   95.451907] bridge0: port 2(bridge_slave_1) entered blocking state
[   95.458366] bridge0: port 2(bridge_slave_1) entered forwarding state
[   95.465459] bridge0: port 1(bridge_slave_0) entered blocking state
[   95.471856] bridge0: port 1(bridge_slave_0) entered forwarding state
[   96.012613] 8021q: adding VLAN 0 to HW filter on device bond0
[   96.065893] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   96.120773] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   96.126936] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   96.135889] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   96.186328] 8021q: adding VLAN 0 to HW filter on device team0
[   96.619759] ==================================================================
[   96.627332] BUG: KASAN: use-after-free in __dev_map_entry_free+0x2ab/0x300
[   96.634369] Read of size 8 at addr ffff8801c4e313c8 by task ksoftirqd/0/9
[   96.641300]
[   96.642922] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.19.0-rc3+ #11
[   96.649703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   96.659066] Call Trace:
[   96.661658]  dump_stack+0x1c4/0x2b4
[   96.665292]  ? dump_stack_print_info.cold.2+0x52/0x52
[   96.670491]  ? printk+0xa7/0xcf
[   96.673771]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   96.678532]  print_address_description.cold.8+0x9/0x1ff
[   96.683952]  kasan_report.cold.9+0x242/0x309
[   96.688352]  ? __dev_map_entry_free+0x2ab/0x300
[   96.693014]  __asan_report_load8_noabort+0x14/0x20
[   96.698035]  __dev_map_entry_free+0x2ab/0x300
[   96.702527]  ? dev_map_delete_elem+0x120/0x120
[   96.707104]  rcu_process_callbacks+0xf23/0x2670
[   96.711780]  ? __rcu_read_unlock+0x2f0/0x2f0
[   96.716193]  ? lock_is_held_type+0x210/0x210
[   96.720600]  ? graph_lock+0x170/0x170
[   96.724517]  ? graph_lock+0x170/0x170
[   96.728313]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.733855]  ? check_preemption_disabled+0x48/0x200
[   96.738868]  ? check_preemption_disabled+0x48/0x200
[   96.743889]  ? finish_task_switch+0x1f5/0x900
[   96.748380]  ? _raw_spin_unlock_irq+0x27/0x80
[   96.752877]  ? _raw_spin_unlock_irq+0x27/0x80
[   96.757373]  ? lockdep_hardirqs_on+0x421/0x5c0
[   96.761949]  ? trace_hardirqs_on+0xbd/0x310
[   96.766263]  ? kasan_check_read+0x11/0x20
[   96.770402]  ? finish_task_switch+0x1f5/0x900
[   96.774896]  ? compat_start_thread+0x80/0x80
[   96.779315]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.784866]  ? _raw_spin_unlock_irq+0x60/0x80
[   96.789378]  ? finish_task_switch+0x1f5/0x900
[   96.793881]  ? finish_task_switch+0x1b5/0x900
[   96.798372]  ? __switch_to_asm+0x34/0x70
[   96.802429]  ? preempt_notifier_register+0x200/0x200
[   96.807525]  ? __switch_to_asm+0x34/0x70
[   96.811588]  ? __switch_to_asm+0x34/0x70
[   96.815638]  ? __switch_to_asm+0x40/0x70
[   96.819687]  ? __switch_to_asm+0x34/0x70
[   96.823735]  ? __switch_to_asm+0x40/0x70
[   96.827779]  ? __switch_to_asm+0x34/0x70
[   96.831828]  ? __switch_to_asm+0x40/0x70
[   96.835876]  ? __switch_to_asm+0x34/0x70
[   96.839923]  ? __switch_to_asm+0x40/0x70
[   96.843976]  ? pvclock_read_flags+0x160/0x160
[   96.848459]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.853986]  ? check_preemption_disabled+0x48/0x200
[   96.858997]  ? check_preemption_disabled+0x48/0x200
[   96.864077]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[   96.869614]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[   96.875015]  ? rcu_pm_notify+0xc0/0xc0
[   96.878903]  __do_softirq+0x30b/0xad8
[   96.882704]  ? __irqentry_text_end+0x1f9618/0x1f9618
[   96.887804]  ? schedule+0x108/0x460
[   96.891430]  ? __schedule+0x1ed0/0x1ed0
[   96.895403]  ? trace_hardirqs_off+0xb8/0x310
[   96.899808]  ? ___might_sleep+0x1ed/0x300
[   96.903947]  ? smpboot_thread_fn+0x68b/0xa00
[   96.908403]  ? trace_hardirqs_on+0x310/0x310
[   96.912822]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   96.918364]  ? check_preemption_disabled+0x48/0x200
[   96.923376]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.928904]  ? takeover_tasklets+0xa90/0xa90
[   96.933305]  run_ksoftirqd+0x94/0x100
[   96.937095]  smpboot_thread_fn+0x68b/0xa00
[   96.941319]  ? sort_range+0x30/0x30
[   96.944955]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   96.950193]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   96.955730]  ? __kthread_parkme+0xfb/0x1a0
[   96.959959]  kthread+0x35a/0x420
[   96.963321]  ? sort_range+0x30/0x30
[   96.966946]  ? kthread_bind+0x40/0x40
[   96.970743]  ret_from_fork+0x3a/0x50
[   96.974572]
[   96.976258] Allocated by task 5647:
[   96.979885]  save_stack+0x43/0xd0
[   96.983325]  kasan_kmalloc+0xc7/0xe0
[   96.987096]  kmem_cache_alloc_trace+0x152/0x750
[   96.991772]  dev_map_alloc+0x210/0x810
[   96.995651]  map_create+0x3bd/0x10f0
[   96.999400]  __x64_sys_bpf+0x303/0x510
[   97.003283]  do_syscall_64+0x1b9/0x820
[   97.007177]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.012352]
[   97.013967] Freed by task 5636:
[   97.017236]  save_stack+0x43/0xd0
[   97.020680]  __kasan_slab_free+0x102/0x150
[   97.025009]  kasan_slab_free+0xe/0x10
[   97.028802]  kfree+0xcf/0x230
[   97.031903]  dev_map_free+0x514/0x690
[   97.035697]  bpf_map_free_deferred+0xba/0xf0
[   97.040109]  process_one_work+0xc90/0x1b90
[   97.044482]  worker_thread+0x17f/0x1390
[   97.048463]  kthread+0x35a/0x420
[   97.051833]  ret_from_fork+0x3a/0x50
[   97.055532]
[   97.057153] The buggy address belongs to the object at ffff8801c4e312c0
[   97.057153]  which belongs to the cache kmalloc-512 of size 512
[   97.069806] The buggy address is located 264 bytes inside of
[   97.069806]  512-byte region [ffff8801c4e312c0, ffff8801c4e314c0)
[   97.081688] The buggy address belongs to the page:
[   97.086628] page:ffffea0007138c40 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   97.094776] flags: 0x2fffc0000000100(slab)
[   97.099011] raw: 02fffc0000000100 ffffea000704c3c8 ffffea000704c408 ffff8801da800940
[   97.107014] raw: 0000000000000000 ffff8801c4e31040 0000000100000006 0000000000000000
[   97.114905] page dumped because: kasan: bad access detected
[   97.120612]
[   97.122230] Memory state around the buggy address:
[   97.127158]  ffff8801c4e31280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   97.134521]  ffff8801c4e31300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.141886] >ffff8801c4e31380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.149265]                                               ^
[   97.155074]  ffff8801c4e31400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.162506]  ffff8801c4e31480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   97.169880] ==================================================================
[   97.177248] Disabling lock debugging due to kernel taint
[   97.182946] Kernel panic - not syncing: panic_on_warn set ...
[   97.182946]
[   97.186394] kobject: 'loop0' (000000003494ed4d): kobject_uevent_env
[   97.190461] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G    B             4.19.0-rc3+ #11
[   97.190468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   97.190472] Call Trace:
[   97.190492]  dump_stack+0x1c4/0x2b4
[   97.190505]  ? dump_stack_print_info.cold.2+0x52/0x52
[   97.190521]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   97.190541]  panic+0x238/0x4e7
[   97.197072] kobject: 'loop0' (000000003494ed4d): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   97.205162]  ? add_taint.cold.5+0x16/0x16
[   97.205179]  ? trace_hardirqs_on+0xb4/0x310
[   97.205195]  kasan_end_report+0x47/0x4f
[   97.205207]  kasan_report.cold.9+0x76/0x309
[   97.205228]  ? __dev_map_entry_free+0x2ab/0x300
[   97.252484] kobject: 'loop0' (000000003494ed4d): kobject_uevent_env
[   97.255833]  __asan_report_load8_noabort+0x14/0x20
[   97.263297] kobject: 'loop0' (000000003494ed4d): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   97.264841]  __dev_map_entry_free+0x2ab/0x300
[   97.290145]  ? dev_map_delete_elem+0x120/0x120
[   97.294744]  rcu_process_callbacks+0xf23/0x2670
[   97.297709] kobject: 'loop0' (000000003494ed4d): kobject_uevent_env
[   97.299542]  ? __rcu_read_unlock+0x2f0/0x2f0
[   97.299559]  ? lock_is_held_type+0x210/0x210
[   97.299574]  ? graph_lock+0x170/0x170
[   97.299592]  ? graph_lock+0x170/0x170
[   97.309866] kobject: 'loop0' (000000003494ed4d): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   97.310670]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   97.337846]  ? check_preemption_disabled+0x48/0x200
[   97.341925] kobject: 'loop0' (000000003494ed4d): kobject_uevent_env
[   97.342880]  ? check_preemption_disabled+0x48/0x200
[   97.352716] kobject: 'loop0' (000000003494ed4d): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   97.354304]  ? finish_task_switch+0x1f5/0x900
[   97.368243]  ? _raw_spin_unlock_irq+0x27/0x80
[   97.372758]  ? _raw_spin_unlock_irq+0x27/0x80
[   97.377268]  ? lockdep_hardirqs_on+0x421/0x5c0
[   97.381869]  ? trace_hardirqs_on+0xbd/0x310
[   97.386212]  ? kasan_check_read+0x11/0x20
[   97.390380]  ? finish_task_switch+0x1f5/0x900
[   97.394892]  ? compat_start_thread+0x80/0x80
[   97.399323]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   97.399714] kobject: 'loop0' (000000003494ed4d): kobject_uevent_env
[   97.404881]  ? _raw_spin_unlock_irq+0x60/0x80
[   97.404910]  ? finish_task_switch+0x1f5/0x900
[   97.419953] kobject: 'loop0' (000000003494ed4d): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   97.420323]  ? finish_task_switch+0x1b5/0x900
[   97.420344]  ? __switch_to_asm+0x34/0x70
[   97.438368]  ? preempt_notifier_register+0x200/0x200
[   97.443484]  ? __switch_to_asm+0x34/0x70
[   97.447565]  ? __switch_to_asm+0x34/0x70
[   97.451645]  ? __switch_to_asm+0x40/0x70
[   97.455725]  ? __switch_to_asm+0x34/0x70
[   97.459799]  ? __switch_to_asm+0x40/0x70
[   97.463878]  ? __switch_to_asm+0x34/0x70
[   97.467972]  ? __switch_to_asm+0x40/0x70
[   97.472051]  ? __switch_to_asm+0x34/0x70
[   97.475540] kobject: 'loop0' (000000003494ed4d): kobject_uevent_env
[   97.476122]  ? __switch_to_asm+0x40/0x70
[   97.486614]  ? pvclock_read_flags+0x160/0x160
[   97.488052] kobject: 'loop0' (000000003494ed4d): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   97.491139]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   97.491155]  ? check_preemption_disabled+0x48/0x200
[   97.491166]  ? check_preemption_disabled+0x48/0x200
[   97.491191]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[   97.491206]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[   97.491225]  ? rcu_pm_notify+0xc0/0xc0
[   97.502613] cgroup: fork rejected by pids controller in
[   97.506224]  __do_softirq+0x30b/0xad8
[   97.506245]  ? __irqentry_text_end+0x1f9618/0x1f9618
[   97.512316] /syz0
[   97.516271]  ? schedule+0x108/0x460
[   97.536379]  ? __schedule+0x1ed0/0x1ed0
[   97.536401]  ? trace_hardirqs_off+0xb8/0x310
[   97.548531] kobject: 'loop0' (000000003494ed4d): kobject_uevent_env
[   97.550997]  ? ___might_sleep+0x1ed/0x300
[   97.551010]  ? smpboot_thread_fn+0x68b/0xa00
[   97.551024]  ? trace_hardirqs_on+0x310/0x310
[   97.551045]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   97.555188] kobject: 'loop0' (000000003494ed4d): fill_kobj_path: path = '/devices/virtual/block/loop0'
[   97.559420]  ? check_preemption_disabled+0x48/0x200
[   97.559434]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   97.559450]  ? takeover_tasklets+0xa90/0xa90
[   97.559472]  run_ksoftirqd+0x94/0x100
[   97.612413]  smpboot_thread_fn+0x68b/0xa00
[   97.616636]  ? sort_range+0x30/0x30
[   97.620251]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   97.625350]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   97.630875]  ? __kthread_parkme+0xfb/0x1a0
[   97.635096]  kthread+0x35a/0x420
[   97.638447]  ? sort_range+0x30/0x30
[   97.642072]  ? kthread_bind+0x40/0x40
[   97.645874]  ret_from_fork+0x3a/0x50
[   97.650520] Kernel Offset: disabled
[   97.654155] Rebooting in 86400 seconds..
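Added triage helper for the KASAN report above. This is example code written for this page, not syzkaller's own crash parser and not code from the kernel tree. It parses the report lines (embedded below as a constructed sample, with timestamps as printed, outer stack frames trimmed and the caret line omitted because its alignment did not survive extraction) and cross-checks three things a reviewer reads first: the faulting address against the object the report attributes it to (264 bytes into a 512-byte kmalloc-512 object), the shadow byte for the faulting address against the freed-slab marker and the extent of the freed run against the object bounds, and the first non-allocator frame of the allocation and free stacks (dev_map_alloc via bpf(2) map_create, dev_map_free via the deferred workqueue). The shadow-byte values are the constants from mm/kasan/kasan.h in the v4.19 tree; the PLUMBING prefix list used to skip allocator and KASAN bookkeeping frames is a heuristic of this example, and the ksoftirqd task that hit the bug is recorded alongside the two tasks that allocated and freed the object.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the KASAN report from the console log above, outer frames and caret trimmed.
REPORT = """\
[   96.627332] BUG: KASAN: use-after-free in __dev_map_entry_free+0x2ab/0x300
[   96.634369] Read of size 8 at addr ffff8801c4e313c8 by task ksoftirqd/0/9
[   96.976258] Allocated by task 5647:
[   96.979885]  save_stack+0x43/0xd0
[   96.983325]  kasan_kmalloc+0xc7/0xe0
[   96.987096]  kmem_cache_alloc_trace+0x152/0x750
[   96.991772]  dev_map_alloc+0x210/0x810
[   96.995651]  map_create+0x3bd/0x10f0
[   97.013967] Freed by task 5636:
[   97.017236]  save_stack+0x43/0xd0
[   97.020680]  __kasan_slab_free+0x102/0x150
[   97.028802]  kfree+0xcf/0x230
[   97.031903]  dev_map_free+0x514/0x690
[   97.035697]  bpf_map_free_deferred+0xba/0xf0
[   97.055532]
[   97.057153] The buggy address belongs to the object at ffff8801c4e312c0
[   97.057153]  which belongs to the cache kmalloc-512 of size 512
[   97.127158]  ffff8801c4e31280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   97.134521]  ffff8801c4e31300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.141886] >ffff8801c4e31380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.155074]  ffff8801c4e31400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   97.162506]  ffff8801c4e31480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

# Shadow byte values from mm/kasan/kasan.h (v4.19); one shadow byte covers an 8-byte granule.
SHADOW = {0x00: "addressable", 0xFA: "KASAN_GLOBAL_REDZONE", 0xFB: "KASAN_KMALLOC_FREE",
          0xFC: "KASAN_KMALLOC_REDZONE", 0xFE: "KASAN_PAGE_REDZONE", 0xFF: "KASAN_FREE_PAGE"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (.+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
# Allocator/KASAN bookkeeping frames to skip when naming the owning code (heuristic, this example's).
PLUMBING = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")

@dataclass
class KasanReport:
    bug: str = ""
    size: int = 0
    addr: int = 0
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    tasks: dict = field(default_factory=dict)   # "alloc" / "free" / "access" -> task as printed
    stacks: dict = field(default_factory=dict)  # "alloc" / "free" -> frames as printed
    shadow: dict = field(default_factory=dict)  # 8-byte granule address -> shadow byte

def parse(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:                                  # blank line ends a stack section
            section = None
        elif m := BUG.search(line):
            r.bug = m.group(1)
        elif m := ACCESS.search(line):
            r.size, r.addr, r.tasks["access"] = int(m.group(2)), int(m.group(3), 16), m.group(4)
        elif m := OBJ.search(line):
            r.obj_base = int(m.group(1), 16)
        elif m := CACHE.search(line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := ROW.match(line):                    # one row = 16 shadow bytes = 128 bytes of memory
            for i, b in enumerate(m.group(2).split()):
                r.shadow[int(m.group(1), 16) + 8 * i] = int(b, 16)
        elif line.startswith(("Allocated by task", "Freed by task")):
            section = "alloc" if line[0] == "A" else "free"
            r.tasks[section], r.stacks[section] = line.split()[-1].rstrip(":"), []
        elif section:
            r.stacks[section].append(line)
    return r

def origin(stack):  # symbol of the first frame that is not allocator/KASAN plumbing
    for frame in stack:
        if not frame.startswith(PLUMBING):
            return frame.split("+")[0]

def freed_extent(r: KasanReport, addr: int):  # [lo, hi) of the KASAN_KMALLOC_FREE run around addr
    lo = hi = addr & ~7
    if r.shadow.get(lo) != 0xFB:
        return None
    while r.shadow.get(lo - 8) == 0xFB:
        lo -= 8
    while r.shadow.get(hi) == 0xFB:
        hi += 8
    return lo, hi

def triage(r: KasanReport) -> dict:  # cross-check the report's claims against the shadow dump
    byte, obj_end = r.shadow.get(r.addr & ~7), r.obj_base + r.obj_size
    return {
        "bug": r.bug.split("+")[0],
        "offset_in_object": r.addr - r.obj_base,
        "access_within_object": r.obj_base <= r.addr and r.addr + r.size <= obj_end,
        "shadow": SHADOW.get(byte, "unknown"),
        "freed_run_matches_object": freed_extent(r, r.addr) == (r.obj_base, obj_end),
        "alloc_origin": origin(r.stacks.get("alloc", [])),
        "free_origin": origin(r.stacks.get("free", [])),
        "tasks": r.tasks,
    }
```

`triage(parse(REPORT))` reports the access as 264 bytes into the object, inside its bounds, with shadow byte `KASAN_KMALLOC_FREE`, a contiguous freed run of exactly the 512-byte region the report names, `dev_map_alloc` as the allocating code and `dev_map_free` as the freeing code, with three distinct tasks involved (the bpf(2) caller, the workqueue worker running the deferred map free, and ksoftirqd running the RCU callback). When the freed run does not line up with the object bounds, or the shadow byte is a redzone rather than a freed marker, the report's own classification deserves a second look before filing it as a plain use-after-free.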