[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   17.761353] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   19.364537] random: sshd: uninitialized urandom read (32 bytes read)
[   19.527352] random: sshd: uninitialized urandom read (32 bytes read)
[   20.255674] random: sshd: uninitialized urandom read (32 bytes read)
[   61.595903] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
[   66.983351] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/29 23:06:26 parsed 1 programs
2018/05/29 23:06:26 executed programs: 0
[   67.480000] IPVS: ftp: loaded support on port[0] = 21
[   67.601194] bridge0: port 1(bridge_slave_0) entered blocking state
[   67.607642] bridge0: port 1(bridge_slave_0) entered disabled state
[   67.614821] device bridge_slave_0 entered promiscuous mode
[   67.629948] bridge0: port 2(bridge_slave_1) entered blocking state
[   67.636326] bridge0: port 2(bridge_slave_1) entered disabled state
[   67.643574] device bridge_slave_1 entered promiscuous mode
[   67.658290] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   67.673497] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   67.713570] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   67.730972] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   67.790531] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   67.797808] team0: Port device team_slave_0 added
[   67.811747] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   67.818812] team0: Port device team_slave_1 added
[   67.833229] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   67.849143] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   67.865599] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   67.883435] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   67.891139] ip (4552) used greatest stack depth: 17032 bytes left
[   67.994529] bridge0: port 2(bridge_slave_1) entered blocking state
[   68.000981] bridge0: port 2(bridge_slave_1) entered forwarding state
[   68.007779] bridge0: port 1(bridge_slave_0) entered blocking state
[   68.014143] bridge0: port 1(bridge_slave_0) entered forwarding state
[   68.396037] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   68.402145] 8021q: adding VLAN 0 to HW filter on device bond0
[   68.441985] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   68.481555] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   68.488789] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   68.523372] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   68.529476] 8021q: adding VLAN 0 to HW filter on device team0
[   68.547395] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   68.783390] ==================================================================
[   68.790851] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   68.797060] Read of size 1 at addr ffff8801ae5fd25d by task syz-executor0/4737
[   68.804392]
[   68.806006] CPU: 1 PID: 4737 Comm: syz-executor0 Not tainted 4.17.0-rc7+ #98
[   68.813176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.822507] Call Trace:
[   68.825076]  dump_stack+0x1b9/0x294
[   68.828684]  ? dump_stack_print_info.cold.2+0x52/0x52
[   68.833858]  ? printk+0x9e/0xba
[   68.837119]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   68.841857]  ? kasan_check_write+0x14/0x20
[   68.846073]  print_address_description+0x6c/0x20b
[   68.850899]  ? nla_strlcpy+0x13d/0x150
[   68.854766]  kasan_report.cold.7+0x242/0x2fe
[   68.859155]  __asan_report_load1_noabort+0x14/0x20
[   68.864060]  nla_strlcpy+0x13d/0x150
[   68.867754]  nfnl_acct_new+0x574/0xc50
[   68.871621]  ? nfnl_acct_overquota+0x380/0x380
[   68.876182]  ? debug_check_no_locks_freed+0x310/0x310
[   68.881351]  ? graph_lock+0x170/0x170
[   68.885129]  ? print_usage_bug+0xc0/0xc0
[   68.889171]  ? print_usage_bug+0xc0/0xc0
[   68.893214]  ? get_futex_key+0xf83/0x1e90
[   68.897343]  ? find_held_lock+0x36/0x1c0
[   68.901706]  ? graph_lock+0x170/0x170
[   68.905495]  ? lock_downgrade+0x8e0/0x8e0
[   68.909625]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.915146]  ? __lock_is_held+0xb5/0x140
[   68.919198]  ? nfnl_acct_overquota+0x380/0x380
[   68.923769]  nfnetlink_rcv_msg+0xdb5/0xff0
[   68.927989]  ? __lock_is_held+0xb5/0x140
[   68.932041]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   68.937049]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   68.941452]  ? nfnetlink_bind+0x3a0/0x3a0
[   68.945582]  ? graph_lock+0x170/0x170
[   68.949364]  ? find_held_lock+0x36/0x1c0
[   68.953417]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   68.958942]  netlink_rcv_skb+0x172/0x440
[   68.962985]  ? nfnetlink_bind+0x3a0/0x3a0
[   68.967116]  ? netlink_ack+0xbc0/0xbc0
[   68.970990]  ? __netlink_ns_capable+0x100/0x130
[   68.975643]  nfnetlink_rcv+0x1fe/0x1ba0
[   68.979603]  ? kasan_check_read+0x11/0x20
[   68.983730]  ? rcu_is_watching+0x85/0x140
[   68.987863]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   68.993039]  ? nfnl_err_reset+0x2d0/0x2d0
[   68.997179]  ? netlink_remove_tap+0x610/0x610
[   69.001658]  ? refcount_add_not_zero+0x320/0x320
[   69.006397]  ? kasan_check_read+0x11/0x20
[   69.010610]  ? rcu_is_watching+0x85/0x140
[   69.014738]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   69.019911]  ? netlink_skb_destructor+0x210/0x210
[   69.024736]  ? kasan_check_write+0x14/0x20
[   69.028954]  netlink_unicast+0x58b/0x740
[   69.032998]  ? netlink_attachskb+0x970/0x970
[   69.037389]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.042918]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   69.047917]  ? security_netlink_send+0x88/0xb0
[   69.052491]  netlink_sendmsg+0x9f0/0xfa0
[   69.056537]  ? netlink_unicast+0x740/0x740
[   69.060765]  ? _raw_spin_unlock_irq+0x27/0x70
[   69.065240]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   69.070240]  ? security_socket_sendmsg+0x94/0xc0
[   69.074976]  ? netlink_unicast+0x740/0x740
[   69.079193]  sock_sendmsg+0xd5/0x120
[   69.082898]  sock_write_iter+0x35a/0x5a0
[   69.086940]  ? sock_sendmsg+0x120/0x120
[   69.090898]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   69.096421]  ? iov_iter_init+0xc9/0x1f0
[   69.100378]  __vfs_write+0x64d/0x960
[   69.104073]  ? kernel_read+0x120/0x120
[   69.107945]  ? handle_mm_fault+0x8c0/0xc70
[   69.112159]  ? rw_verify_area+0x118/0x360
[   69.116286]  vfs_write+0x1f8/0x560
[   69.119805]  ksys_write+0xf9/0x250
[   69.123323]  ? __ia32_sys_read+0xb0/0xb0
[   69.127366]  ? mm_fault_error+0x380/0x380
[   69.131494]  __ia32_sys_write+0x71/0xb0
[   69.135450]  do_fast_syscall_32+0x345/0xf9b
[   69.139753]  ? do_int80_syscall_32+0x880/0x880
[   69.144314]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   69.149135]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.154661]  ? syscall_return_slowpath+0x30f/0x5c0
[   69.159572]  ? sysret32_from_system_call+0x5/0x46
[   69.164397]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   69.169221]  entry_SYSENTER_compat+0x70/0x7f
[   69.173625] RIP: 0023:0xf7fb4cb9
[   69.176967] RSP: 002b:00000000ffcf5d7c EFLAGS: 00000282 ORIG_RAX: 0000000000000004
[   69.184655] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   69.191902] RDX: 000000000000007b RSI: 0000000000000000 RDI: 0000000000000000
[   69.199150] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   69.206397] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   69.213645] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   69.220896]
[   69.222502] Allocated by task 4322:
[   69.226112]  save_stack+0x43/0xd0
[   69.229543]  kasan_kmalloc+0xc4/0xe0
[   69.233233]  kasan_slab_alloc+0x12/0x20
[   69.237208]  kmem_cache_alloc+0x12e/0x760
[   69.241353]  anon_vma_fork+0x2c8/0x950
[   69.245218]  copy_process.part.38+0x2eff/0x6e70
[   69.249877]  _do_fork+0x291/0x12a0
[   69.253396]  __x64_sys_clone+0xbf/0x150
[   69.257349]  do_syscall_64+0x1b1/0x800
[   69.261215]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.266380]
[   69.267983] Freed by task 4324:
[   69.271243]  save_stack+0x43/0xd0
[   69.274675]  __kasan_slab_free+0x11a/0x170
[   69.278888]  kasan_slab_free+0xe/0x10
[   69.282666]  kmem_cache_free+0x86/0x2d0
[   69.286617]  unlink_anon_vmas+0x5e8/0xa40
[   69.290742]  free_pgtables+0x271/0x380
[   69.294605]  exit_mmap+0x2c9/0x5a0
[   69.298121]  mmput+0x251/0x610
[   69.301303]  flush_old_exec+0xb94/0x20e0
[   69.305344]  load_elf_binary+0xa33/0x5610
[   69.309479]  search_binary_handler+0x17d/0x570
[   69.314037]  do_execveat_common.isra.34+0x16ce/0x2590
[   69.319203]  __x64_sys_execve+0x8d/0xb0
[   69.323156]  do_syscall_64+0x1b1/0x800
[   69.327031]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.332193]
[   69.333798] The buggy address belongs to the object at ffff8801ae5fd240
[   69.333798]  which belongs to the cache anon_vma_chain of size 64
[   69.346604] The buggy address is located 29 bytes inside of
[   69.346604]  64-byte region [ffff8801ae5fd240, ffff8801ae5fd280)
[   69.358289] The buggy address belongs to the page:
[   69.363195] page:ffffea0006b97f40 count:1 mapcount:0 mapping:ffff8801ae5fd000 index:0x0
[   69.371316] flags: 0x2fffc0000000100(slab)
[   69.375534] raw: 02fffc0000000100 ffff8801ae5fd000 0000000000000000 000000010000002a
[   69.383396] raw: ffffea000720e5a0 ffffea0006bbe620 ffff8801da94a500 0000000000000000
[   69.391250] page dumped because: kasan: bad access detected
[   69.396932]
[   69.398535] Memory state around the buggy address:
[   69.403441]  ffff8801ae5fd100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   69.410774]  ffff8801ae5fd180: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   69.418108] >ffff8801ae5fd200: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[   69.425439]                                                     ^
[   69.431646]  ffff8801ae5fd280: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   69.438983]  ffff8801ae5fd300: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   69.446316] ==================================================================
[   69.453648] Disabling lock debugging due to kernel taint
[   69.459534] Kernel panic - not syncing: panic_on_warn set ...
[   69.459534]
[   69.466914] CPU: 1 PID: 4737 Comm: syz-executor0 Tainted: G    B            4.17.0-rc7+ #98
[   69.475465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.484793] Call Trace:
[   69.487370]  dump_stack+0x1b9/0x294
[   69.490981]  ? dump_stack_print_info.cold.2+0x52/0x52
[   69.496152]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   69.500889]  ? nla_strlcpy+0x110/0x150
[   69.504766]  panic+0x22f/0x4de
[   69.507937]  ? add_taint.cold.5+0x16/0x16
[   69.512064]  ? do_raw_spin_unlock+0x9e/0x2e0
[   69.516449]  ? do_raw_spin_unlock+0x9e/0x2e0
[   69.520833]  ? nla_strlcpy+0x13d/0x150
[   69.524697]  kasan_end_report+0x47/0x4f
[   69.528647]  kasan_report.cold.7+0x76/0x2fe
[   69.532947]  __asan_report_load1_noabort+0x14/0x20
[   69.537872]  nla_strlcpy+0x13d/0x150
[   69.541593]  nfnl_acct_new+0x574/0xc50
[   69.545471]  ? nfnl_acct_overquota+0x380/0x380
[   69.550045]  ? debug_check_no_locks_freed+0x310/0x310
[   69.555222]  ? graph_lock+0x170/0x170
[   69.559005]  ? print_usage_bug+0xc0/0xc0
[   69.563049]  ? print_usage_bug+0xc0/0xc0
[   69.567106]  ? get_futex_key+0xf83/0x1e90
[   69.571236]  ? find_held_lock+0x36/0x1c0
[   69.575277]  ? graph_lock+0x170/0x170
[   69.579054]  ? lock_downgrade+0x8e0/0x8e0
[   69.583183]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.588698]  ? __lock_is_held+0xb5/0x140
[   69.592741]  ? nfnl_acct_overquota+0x380/0x380
[   69.597310]  nfnetlink_rcv_msg+0xdb5/0xff0
[   69.601534]  ? __lock_is_held+0xb5/0x140
[   69.605577]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   69.610568]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   69.614958]  ? nfnetlink_bind+0x3a0/0x3a0
[   69.619081]  ? graph_lock+0x170/0x170
[   69.622857]  ? find_held_lock+0x36/0x1c0
[   69.626898]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.632429]  netlink_rcv_skb+0x172/0x440
[   69.636468]  ? nfnetlink_bind+0x3a0/0x3a0
[   69.640594]  ? netlink_ack+0xbc0/0xbc0
[   69.644457]  ? __netlink_ns_capable+0x100/0x130
[   69.649103]  nfnetlink_rcv+0x1fe/0x1ba0
[   69.653056]  ? kasan_check_read+0x11/0x20
[   69.657182]  ? rcu_is_watching+0x85/0x140
[   69.661309]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   69.666478]  ? nfnl_err_reset+0x2d0/0x2d0
[   69.670604]  ? netlink_remove_tap+0x610/0x610
[   69.675079]  ? refcount_add_not_zero+0x320/0x320
[   69.679811]  ? kasan_check_read+0x11/0x20
[   69.683934]  ? rcu_is_watching+0x85/0x140
[   69.688060]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   69.693230]  ? netlink_skb_destructor+0x210/0x210
[   69.698054]  ? kasan_check_write+0x14/0x20
[   69.702301]  netlink_unicast+0x58b/0x740
[   69.706361]  ? netlink_attachskb+0x970/0x970
[   69.710768]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.716300]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   69.721302]  ? security_netlink_send+0x88/0xb0
[   69.725864]  netlink_sendmsg+0x9f0/0xfa0
[   69.729905]  ? netlink_unicast+0x740/0x740
[   69.734118]  ? _raw_spin_unlock_irq+0x27/0x70
[   69.738593]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   69.743602]  ? security_socket_sendmsg+0x94/0xc0
[   69.748367]  ? netlink_unicast+0x740/0x740
[   69.752588]  sock_sendmsg+0xd5/0x120
[   69.756287]  sock_write_iter+0x35a/0x5a0
[   69.760331]  ? sock_sendmsg+0x120/0x120
[   69.764295]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   69.769813]  ? iov_iter_init+0xc9/0x1f0
[   69.773765]  __vfs_write+0x64d/0x960
[   69.777462]  ? kernel_read+0x120/0x120
[   69.781335]  ? handle_mm_fault+0x8c0/0xc70
[   69.785549]  ? rw_verify_area+0x118/0x360
[   69.789677]  vfs_write+0x1f8/0x560
[   69.793198]  ksys_write+0xf9/0x250
[   69.796714]  ? __ia32_sys_read+0xb0/0xb0
[   69.800756]  ? mm_fault_error+0x380/0x380
[   69.804880]  __ia32_sys_write+0x71/0xb0
[   69.808835]  do_fast_syscall_32+0x345/0xf9b
[   69.813134]  ? do_int80_syscall_32+0x880/0x880
[   69.817692]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   69.822524]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   69.828046]  ? syscall_return_slowpath+0x30f/0x5c0
[   69.832972]  ? sysret32_from_system_call+0x5/0x46
[   69.837802]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   69.842626]  entry_SYSENTER_compat+0x70/0x7f
[   69.847014] RIP: 0023:0xf7fb4cb9
[   69.850356] RSP: 002b:00000000ffcf5d7c EFLAGS: 00000282 ORIG_RAX: 0000000000000004
[   69.858041] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   69.865732] RDX: 000000000000007b RSI: 0000000000000000 RDI: 0000000000000000
[   69.872980] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   69.880226] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   69.887476] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   69.895205] Dumping ftrace buffer:
[   69.898731]    (ftrace buffer empty)
[   69.902415] Kernel Offset: disabled
[   69.906018] Rebooting in 86400 seconds..