[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 22.647958] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 26.911201] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.208671] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.752330] random: sshd: uninitialized urandom read (32 bytes read)
[ 110.291215] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.42' (ECDSA) to the list of known hosts.
[ 115.940422] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 00:18:18 parsed 1 programs
[ 117.169523] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 00:18:20 executed programs: 0
[ 118.402131] IPVS: ftp: loaded support on port[0] = 21
[ 118.601800] bridge0: port 1(bridge_slave_0) entered blocking state
[ 118.608314] bridge0: port 1(bridge_slave_0) entered disabled state
[ 118.615534] device bridge_slave_0 entered promiscuous mode
[ 118.631463] bridge0: port 2(bridge_slave_1) entered blocking state
[ 118.637949] bridge0: port 2(bridge_slave_1) entered disabled state
[ 118.644927] device bridge_slave_1 entered promiscuous mode
[ 118.659928] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 118.676054] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 118.717172] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 118.735092] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 118.798184] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 118.805482] team0: Port device team_slave_0 added
[ 118.820383] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 118.827484] team0: Port device team_slave_1 added
[ 118.842523] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 118.859442] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 118.876841] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 118.894075] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 119.012298] bridge0: port 2(bridge_slave_1) entered blocking state
[ 119.018748] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 119.025590] bridge0: port 1(bridge_slave_0) entered blocking state
[ 119.031956] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 119.458409] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 119.464531] 8021q: adding VLAN 0 to HW filter on device bond0
[ 119.507974] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 119.550759] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 119.558339] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 119.595015] 8021q: adding VLAN 0 to HW filter on device team0
[ 120.079422] ==================================================================
[ 120.086868] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x7b9/0x84b
[ 120.094298] Read of size 4 at addr ffff8801d3ad255c by task syz-executor0/4767
[ 120.101635]
[ 120.103250] CPU: 1 PID: 4767 Comm: syz-executor0 Not tainted 4.18.0+ #196
[ 120.110156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 120.119495] Call Trace:
[ 120.122074]  dump_stack+0x1c9/0x2b4
[ 120.125688]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 120.130861]  ? printk+0xa7/0xcf
[ 120.134125]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 120.139178]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[ 120.144269]  print_address_description+0x6c/0x20b
[ 120.149102]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[ 120.154195]  kasan_report.cold.7+0x242/0x30d
[ 120.158592]  __asan_report_load4_noabort+0x14/0x20
[ 120.163512]  tipc_group_fill_sock_diag+0x7b9/0x84b
[ 120.168426]  ? tipc_group_member_evt+0xe30/0xe30
[ 120.173228]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 120.178235]  ? skb_put+0x17b/0x1e0
[ 120.181773]  ? memset+0x31/0x40
[ 120.185040]  ? memcpy+0x45/0x50
[ 120.188301]  ? __nla_put+0x37/0x40
[ 120.191822]  ? nla_put+0x11a/0x150
[ 120.195348]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 120.200060]  ? tipc_diag_dump+0x30/0x30
[ 120.204026]  ? tipc_getname+0x7f0/0x7f0
[ 120.207983]  ? save_stack+0xa9/0xd0
[ 120.211593]  ? save_stack+0x43/0xd0
[ 120.215207]  ? kasan_kmalloc+0xc4/0xe0
[ 120.219079]  ? __kmalloc_node_track_caller+0x47/0x70
[ 120.224169]  ? graph_lock+0x170/0x170
[ 120.227961]  ? __netlink_dump_start+0x4f1/0x6f0
[ 120.232622]  ? sock_diag_rcv_msg+0x31d/0x410
[ 120.237020]  ? netlink_rcv_skb+0x172/0x440
[ 120.241240]  ? sock_diag_rcv+0x2a/0x40
[ 120.245108]  ? netlink_unicast+0x5a0/0x760
[ 120.249321]  ? netlink_sendmsg+0xa18/0xfc0
[ 120.253618]  ? sock_sendmsg+0xd5/0x120
[ 120.257494]  ? ___sys_sendmsg+0x7fd/0x930
[ 120.261629]  ? __x64_sys_sendmsg+0x78/0xb0
[ 120.265844]  ? do_syscall_64+0x1b9/0x820
[ 120.270058]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 120.275416]  ? lock_acquire+0x1e4/0x540
[ 120.279385]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 120.283631]  ? tipc_nl_sk_walk+0x311/0xd30
[ 120.287876]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 120.292897]  ? skb_put+0x17b/0x1e0
[ 120.296451]  ? __nlmsg_put+0x14c/0x1b0
[ 120.300347]  __tipc_add_sock_diag+0x22f/0x360
[ 120.304846]  tipc_nl_sk_walk+0x68d/0xd30
[ 120.308918]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 120.314194]  ? __tipc_nl_add_sk+0x400/0x400
[ 120.318522]  ? skb_scrub_packet+0x490/0x490
[ 120.322853]  ? kasan_check_write+0x14/0x20
[ 120.327090]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 120.332026]  ? lock_downgrade+0x8f0/0x8f0
[ 120.336179]  tipc_diag_dump+0x24/0x30
[ 120.339982]  netlink_dump+0x519/0xd50
[ 120.343786]  ? netlink_broadcast+0x50/0x50
[ 120.348081]  __netlink_dump_start+0x4f1/0x6f0
[ 120.352613]  ? kasan_check_read+0x11/0x20
[ 120.356757]  tipc_sock_diag_handler_dump+0x234/0x340
[ 120.361842]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 120.366492]  ? tipc_unregister_sysctl+0x20/0x20
[ 120.371153]  ? netlink_deliver_tap+0x356/0xfb0
[ 120.375724]  sock_diag_rcv_msg+0x31d/0x410
[ 120.379952]  netlink_rcv_skb+0x172/0x440
[ 120.384004]  ? sock_diag_bind+0x80/0x80
[ 120.387969]  ? netlink_ack+0xbe0/0xbe0
[ 120.391983]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 120.396688]  sock_diag_rcv+0x2a/0x40
[ 120.400389]  netlink_unicast+0x5a0/0x760
[ 120.404433]  ? netlink_attachskb+0x9a0/0x9a0
[ 120.408826]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 120.414345]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 120.419351]  netlink_sendmsg+0xa18/0xfc0
[ 120.423400]  ? netlink_unicast+0x760/0x760
[ 120.427770]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 120.433043]  ? security_socket_sendmsg+0x94/0xc0
[ 120.437785]  ? netlink_unicast+0x760/0x760
[ 120.442002]  sock_sendmsg+0xd5/0x120
[ 120.445704]  ___sys_sendmsg+0x7fd/0x930
[ 120.449664]  ? copy_msghdr_from_user+0x580/0x580
[ 120.454404]  ? kasan_check_read+0x11/0x20
[ 120.458533]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 120.462927]  ? __fget_light+0x2f7/0x440
[ 120.466881]  ? __local_bh_enable_ip+0x161/0x230
[ 120.471531]  ? fget_raw+0x20/0x20
[ 120.474968]  ? __release_sock+0x3a0/0x3a0
[ 120.479098]  ? tipc_nametbl_build_group+0x279/0x360
[ 120.484099]  ? tipc_setsockopt+0x726/0xd70
[ 120.488331]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 120.493851]  ? sockfd_lookup_light+0xc5/0x160
[ 120.498329]  __sys_sendmsg+0x11d/0x290
[ 120.502200]  ? __ia32_sys_shutdown+0x80/0x80
[ 120.506672]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 120.512201]  ? fput+0x130/0x1a0
[ 120.515463]  ? __x64_sys_futex+0x47f/0x6a0
[ 120.519733]  __x64_sys_sendmsg+0x78/0xb0
[ 120.524226]  do_syscall_64+0x1b9/0x820
[ 120.528098]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 120.533009]  ? syscall_return_slowpath+0x31d/0x5e0
[ 120.537972]  ? __switch_to_asm+0x34/0x70
[ 120.542024]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 120.547373]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 120.552290]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 120.557460] RIP: 0033:0x457089
[ 120.560709] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 120.579613] RSP: 002b:00007f888c3e0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 120.587311] RAX: ffffffffffffffda RBX: 00007f888c3e16d4 RCX: 0000000000457089
[ 120.594563] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 120.601813] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 120.609072] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 120.616328] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 120.623597]
[ 120.625217] Allocated by task 4767:
[ 120.628827]  save_stack+0x43/0xd0
[ 120.632430]  kasan_kmalloc+0xc4/0xe0
[ 120.636132]  kmem_cache_alloc_trace+0x152/0x780
[ 120.640789]  tipc_group_create+0x155/0xa70
[ 120.645014]  tipc_setsockopt+0x2d1/0xd70
[ 120.649058]  __sys_setsockopt+0x1c5/0x3b0
[ 120.653192]  __x64_sys_setsockopt+0xbe/0x150
[ 120.657594]  do_syscall_64+0x1b9/0x820
[ 120.661470]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 120.666635]
[ 120.668250] Freed by task 4766:
[ 120.671519]  save_stack+0x43/0xd0
[ 120.674957]  __kasan_slab_free+0x11a/0x170
[ 120.679172]  kasan_slab_free+0xe/0x10
[ 120.682953]  kfree+0xd9/0x260
[ 120.686145]  tipc_group_delete+0x2e5/0x3f0
[ 120.690372]  tipc_sk_leave+0x113/0x220
[ 120.694243]  tipc_release+0x14e/0x12b0
[ 120.698111]  __sock_release+0xd7/0x250
[ 120.702016]  sock_close+0x19/0x20
[ 120.705463]  __fput+0x39b/0x860
[ 120.708726]  ____fput+0x15/0x20
[ 120.711994]  task_work_run+0x1e8/0x2a0
[ 120.715867]  exit_to_usermode_loop+0x318/0x380
[ 120.720440]  do_syscall_64+0x6be/0x820
[ 120.724313]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 120.729477]
[ 120.731083] The buggy address belongs to the object at ffff8801d3ad2500
[ 120.731083]  which belongs to the cache kmalloc-192 of size 192
[ 120.743726] The buggy address is located 92 bytes inside of
[ 120.743726]  192-byte region [ffff8801d3ad2500, ffff8801d3ad25c0)
[ 120.755494] The buggy address belongs to the page:
[ 120.760407] page:ffffea00074eb480 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[ 120.768535] flags: 0x2fffc0000000100(slab)
[ 120.772753] raw: 02fffc0000000100 ffffea00074bcd08 ffffea00074c8a48 ffff8801dac00040
[ 120.780636] raw: 0000000000000000 ffff8801d3ad2000 0000000100000010 0000000000000000
[ 120.788496] page dumped because: kasan: bad access detected
[ 120.794181]
[ 120.795783] Memory state around the buggy address:
[ 120.800737]  ffff8801d3ad2400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 120.808085]  ffff8801d3ad2480: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 120.815427] >ffff8801d3ad2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 120.822931]                                                     ^
[ 120.829149]  ffff8801d3ad2580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 120.836494]  ffff8801d3ad2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 120.843831] ==================================================================
[ 120.851164] Disabling lock debugging due to kernel taint
[ 120.856658] Kernel panic - not syncing: panic_on_warn set ...
[ 120.856658]
[ 120.864014] CPU: 1 PID: 4767 Comm: syz-executor0 Tainted: G B 4.18.0+ #196
[ 120.872308] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 120.881649] Call Trace:
[ 120.884225]  dump_stack+0x1c9/0x2b4
[ 120.887830]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 120.893001]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 120.897739]  panic+0x238/0x4e7
[ 120.900911]  ? add_taint.cold.5+0x16/0x16
[ 120.905039]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 120.909430]  ? tipc_group_fill_sock_diag+0x7b9/0x84b
[ 120.914514]  kasan_end_report+0x47/0x4f
[ 120.918476]  kasan_report.cold.7+0x76/0x30d
[ 120.922789]  __asan_report_load4_noabort+0x14/0x20
[ 120.927705]  tipc_group_fill_sock_diag+0x7b9/0x84b
[ 120.932619]  ? tipc_group_member_evt+0xe30/0xe30
[ 120.937357]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 120.942357]  ? skb_put+0x17b/0x1e0
[ 120.945878]  ? memset+0x31/0x40
[ 120.949137]  ? memcpy+0x45/0x50
[ 120.952397]  ? __nla_put+0x37/0x40
[ 120.955916]  ? nla_put+0x11a/0x150
[ 120.959440]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 120.964088]  ? tipc_diag_dump+0x30/0x30
[ 120.968051]  ? tipc_getname+0x7f0/0x7f0
[ 120.972009]  ? save_stack+0xa9/0xd0
[ 120.975621]  ? save_stack+0x43/0xd0
[ 120.979226]  ? kasan_kmalloc+0xc4/0xe0
[ 120.983096]  ? __kmalloc_node_track_caller+0x47/0x70
[ 120.988181]  ? graph_lock+0x170/0x170
[ 120.991961]  ? __netlink_dump_start+0x4f1/0x6f0
[ 120.996620]  ? sock_diag_rcv_msg+0x31d/0x410
[ 121.001055]  ? netlink_rcv_skb+0x172/0x440
[ 121.005281]  ? sock_diag_rcv+0x2a/0x40
[ 121.009150]  ? netlink_unicast+0x5a0/0x760
[ 121.013389]  ? netlink_sendmsg+0xa18/0xfc0
[ 121.017600]  ? sock_sendmsg+0xd5/0x120
[ 121.021476]  ? ___sys_sendmsg+0x7fd/0x930
[ 121.025705]  ? __x64_sys_sendmsg+0x78/0xb0
[ 121.029930]  ? do_syscall_64+0x1b9/0x820
[ 121.033972]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 121.039323]  ? lock_acquire+0x1e4/0x540
[ 121.043280]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 121.047493]  ? tipc_nl_sk_walk+0x311/0xd30
[ 121.051711]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 121.056703]  ? skb_put+0x17b/0x1e0
[ 121.060241]  ? __nlmsg_put+0x14c/0x1b0
[ 121.064112]  __tipc_add_sock_diag+0x22f/0x360
[ 121.068665]  tipc_nl_sk_walk+0x68d/0xd30
[ 121.072714]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 121.077976]  ? __tipc_nl_add_sk+0x400/0x400
[ 121.082275]  ? skb_scrub_packet+0x490/0x490
[ 121.086575]  ? kasan_check_write+0x14/0x20
[ 121.090802]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 121.095732]  ? lock_downgrade+0x8f0/0x8f0
[ 121.099881]  tipc_diag_dump+0x24/0x30
[ 121.103681]  netlink_dump+0x519/0xd50
[ 121.107489]  ? netlink_broadcast+0x50/0x50
[ 121.111728]  __netlink_dump_start+0x4f1/0x6f0
[ 121.116221]  ? kasan_check_read+0x11/0x20
[ 121.120399]  tipc_sock_diag_handler_dump+0x234/0x340
[ 121.125499]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 121.130166]  ? tipc_unregister_sysctl+0x20/0x20
[ 121.134834]  ? netlink_deliver_tap+0x356/0xfb0
[ 121.139419]  sock_diag_rcv_msg+0x31d/0x410
[ 121.143656]  netlink_rcv_skb+0x172/0x440
[ 121.147717]  ? sock_diag_bind+0x80/0x80
[ 121.151689]  ? netlink_ack+0xbe0/0xbe0
[ 121.155577]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 121.160257]  sock_diag_rcv+0x2a/0x40
[ 121.163966]  netlink_unicast+0x5a0/0x760
[ 121.168031]  ? netlink_attachskb+0x9a0/0x9a0
[ 121.172439]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 121.177975]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 121.182992]  netlink_sendmsg+0xa18/0xfc0
[ 121.187056]  ? netlink_unicast+0x760/0x760
[ 121.191290]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 121.196572]  ? security_socket_sendmsg+0x94/0xc0
[ 121.201353]  ? netlink_unicast+0x760/0x760
[ 121.205583]  sock_sendmsg+0xd5/0x120
[ 121.209301]  ___sys_sendmsg+0x7fd/0x930
[ 121.213277]  ? copy_msghdr_from_user+0x580/0x580
[ 121.218048]  ? kasan_check_read+0x11/0x20
[ 121.222195]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 121.226613]  ? __fget_light+0x2f7/0x440
[ 121.230590]  ? __local_bh_enable_ip+0x161/0x230
[ 121.235267]  ? fget_raw+0x20/0x20
[ 121.238720]  ? __release_sock+0x3a0/0x3a0
[ 121.242879]  ? tipc_nametbl_build_group+0x279/0x360
[ 121.247900]  ? tipc_setsockopt+0x726/0xd70
[ 121.252143]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 121.257676]  ? sockfd_lookup_light+0xc5/0x160
[ 121.262174]  __sys_sendmsg+0x11d/0x290
[ 121.266058]  ? __ia32_sys_shutdown+0x80/0x80
[ 121.270467]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 121.276005]  ? fput+0x130/0x1a0
[ 121.279286]  ? __x64_sys_futex+0x47f/0x6a0
[ 121.283525]  __x64_sys_sendmsg+0x78/0xb0
[ 121.287585]  do_syscall_64+0x1b9/0x820
[ 121.291652]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 121.296580]  ? syscall_return_slowpath+0x31d/0x5e0
[ 121.301517]  ? __switch_to_asm+0x34/0x70
[ 121.305573]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 121.310942]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 121.315784]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 121.320967] RIP: 0033:0x457089
[ 121.324163] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 121.343057] RSP: 002b:00007f888c3e0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 121.350762] RAX: ffffffffffffffda RBX: 00007f888c3e16d4 RCX: 0000000000457089
[ 121.358029] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 121.365289] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 121.372554] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 121.379817] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 121.387442] Dumping ftrace buffer:
[ 121.390976]    (ftrace buffer empty)
[ 121.394662] Kernel Offset: disabled
[ 121.398271] Rebooting in 86400 seconds..