[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 19.390803] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.848320] random: sshd: uninitialized urandom read (32 bytes read) [ 24.256477] random: sshd: uninitialized urandom read (32 bytes read) [ 24.996228] random: sshd: uninitialized urandom read (32 bytes read) [ 25.151608] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts. [ 30.658272] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 30.757759] ================================================================== [ 30.765196] BUG: KASAN: use-after-free in tls_sk_proto_close+0x8ab/0x9c0 [ 30.772031] Read of size 1 at addr ffff8801b2e640d8 by task syz-executor073/4520 [ 30.779535] [ 30.781150] CPU: 0 PID: 4520 Comm: syz-executor073 Not tainted 4.17.0-rc3+ #34 [ 30.788484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.797811] Call Trace: [ 30.800380] dump_stack+0x1b9/0x294 [ 30.803986] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.809158] ? printk+0x9e/0xba [ 30.812414] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 30.817152] ? kasan_check_write+0x14/0x20 [ 30.821365] print_address_description+0x6c/0x20b [ 30.826191] ? tls_sk_proto_close+0x8ab/0x9c0 [ 30.830663] kasan_report.cold.7+0x242/0x2fe [ 30.835053] __asan_report_load1_noabort+0x14/0x20 [ 30.839959] tls_sk_proto_close+0x8ab/0x9c0 [ 30.844257] ? do_raw_spin_lock+0xc1/0x200 [ 30.848469] ? tcp_check_oom+0x520/0x520 [ 30.852508] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 30.857589] ? tls_write_space+0x340/0x340 [ 30.861799] ? graph_lock+0x170/0x170 [ 30.865579] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.871097] ? locks_remove_file+0x3f7/0x5a0 [ 30.875487] ? 
fcntl_setlk+0x1020/0x1020 [ 30.879528] ? ip_mc_drop_socket+0x20f/0x270 [ 30.883916] inet_release+0x104/0x1f0 [ 30.887699] sock_release+0x96/0x1b0 [ 30.891390] ? sock_alloc_file+0x4e0/0x4e0 [ 30.895599] sock_close+0x16/0x20 [ 30.899036] __fput+0x34d/0x890 [ 30.902294] ? fput+0x1a0/0x1a0 [ 30.905554] ? _raw_spin_unlock_irq+0x27/0x70 [ 30.910036] ____fput+0x15/0x20 [ 30.913297] task_work_run+0x1e4/0x290 [ 30.917165] ? task_work_cancel+0x240/0x240 [ 30.921466] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.926980] ? switch_task_namespaces+0xa2/0xd0 [ 30.931630] do_exit+0x1aee/0x2730 [ 30.935149] ? plist_add+0x770/0x770 [ 30.938842] ? mm_update_next_owner+0x980/0x980 [ 30.943488] ? print_usage_bug+0xc0/0xc0 [ 30.947538] ? graph_lock+0x170/0x170 [ 30.951326] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.955713] ? rcu_note_context_switch+0x710/0x710 [ 30.960621] ? lock_acquire+0x1dc/0x520 [ 30.964574] ? __might_sleep+0x95/0x190 [ 30.968530] ? __lock_acquire+0x7f5/0x5140 [ 30.972747] ? debug_check_no_locks_freed+0x310/0x310 [ 30.977916] ? do_raw_spin_unlock+0x9e/0x2e0 [ 30.982302] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 30.986868] ? kasan_check_write+0x14/0x20 [ 30.991094] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 30.996270] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.001787] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 31.006871] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.012385] ? futex_wait+0x5c1/0x9f0 [ 31.016169] ? futex_wait_setup+0x400/0x400 [ 31.020472] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.025641] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.031161] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 31.036244] ? futex_wake+0x2f6/0x750 [ 31.040032] ? graph_lock+0x170/0x170 [ 31.043819] ? memset+0x31/0x40 [ 31.047081] ? find_held_lock+0x36/0x1c0 [ 31.051129] ? lock_downgrade+0x8e0/0x8e0 [ 31.055259] do_group_exit+0x16f/0x430 [ 31.059127] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 31.063685] ? __ia32_sys_exit+0x50/0x50 [ 31.067722] ? 
_raw_spin_unlock_irq+0x27/0x70 [ 31.072198] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.077195] get_signal+0x886/0x1960 [ 31.080894] ? ptrace_notify+0x130/0x130 [ 31.084938] ? lock_downgrade+0x8e0/0x8e0 [ 31.089065] ? lock_downgrade+0x8e0/0x8e0 [ 31.093195] ? kasan_check_read+0x11/0x20 [ 31.097319] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.101705] ? __local_bh_enable_ip+0x161/0x230 [ 31.106355] do_signal+0x98/0x2040 [ 31.109875] ? trace_hardirqs_on+0xd/0x10 [ 31.114005] ? __local_bh_enable_ip+0x161/0x230 [ 31.118662] ? _raw_spin_unlock_bh+0x30/0x40 [ 31.123056] ? release_sock+0x1e2/0x2b0 [ 31.127019] ? setup_sigcontext+0x7d0/0x7d0 [ 31.131327] ? __release_sock+0x3a0/0x3a0 [ 31.135455] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.140979] ? _copy_from_user+0xdf/0x150 [ 31.145116] ? tls_setsockopt+0xb2/0x780 [ 31.149164] ? exit_to_usermode_loop+0x87/0x310 [ 31.153814] exit_to_usermode_loop+0x28a/0x310 [ 31.158375] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 31.163204] ? do_syscall_64+0x92/0x800 [ 31.167165] do_syscall_64+0x6ac/0x800 [ 31.171037] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.175945] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.180857] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 31.186200] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 31.191033] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.196199] RIP: 0033:0x4456a9 [ 31.199363] RSP: 002b:00007fa76e55adb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 31.207061] RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004456a9 [ 31.214309] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c [ 31.221554] RBP: 00000000006dac38 R08: 0000000000000000 R09: 0000000000000000 [ 31.228801] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 31.236050] R13: 00007ffffbe98f6f R14: 00007fa76e55b9c0 R15: 0000000000000006 [ 31.243304] [ 31.244911] Allocated by task 4515: [ 31.248521] save_stack+0x43/0xd0 [ 31.251953] kasan_kmalloc+0xc4/0xe0 [ 31.255642] kmem_cache_alloc_trace+0x152/0x780 [ 31.260290] tls_init+0x1f9/0xb00 [ 31.263725] tcp_set_ulp+0x1bc/0x520 [ 31.267420] do_tcp_setsockopt.isra.39+0x44a/0x2600 [ 31.272417] tcp_setsockopt+0xc1/0xe0 [ 31.276197] sock_common_setsockopt+0x9a/0xe0 [ 31.280670] __sys_setsockopt+0x1bd/0x390 [ 31.284792] __x64_sys_setsockopt+0xbe/0x150 [ 31.289180] do_syscall_64+0x1b1/0x800 [ 31.293047] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.298207] [ 31.299810] Freed by task 4520: [ 31.303069] save_stack+0x43/0xd0 [ 31.306499] __kasan_slab_free+0x11a/0x170 [ 31.310711] kasan_slab_free+0xe/0x10 [ 31.314488] kfree+0xd9/0x260 [ 31.317572] tls_sw_free_resources+0x2a3/0x360 [ 31.322132] tls_sk_proto_close+0x67c/0x9c0 [ 31.326432] inet_release+0x104/0x1f0 [ 31.330206] sock_release+0x96/0x1b0 [ 31.333892] sock_close+0x16/0x20 [ 31.337320] __fput+0x34d/0x890 [ 31.340572] ____fput+0x15/0x20 [ 31.343830] task_work_run+0x1e4/0x290 [ 31.347690] do_exit+0x1aee/0x2730 [ 31.351204] do_group_exit+0x16f/0x430 [ 31.355070] get_signal+0x886/0x1960 [ 31.358765] do_signal+0x98/0x2040 [ 31.362280] exit_to_usermode_loop+0x28a/0x310 [ 31.366837] do_syscall_64+0x6ac/0x800 [ 31.370699] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.375860] [ 31.377467] The buggy address belongs to the 
object at ffff8801b2e64080 [ 31.377467] which belongs to the cache kmalloc-256 of size 256 [ 31.390098] The buggy address is located 88 bytes inside of [ 31.390098] 256-byte region [ffff8801b2e64080, ffff8801b2e64180) [ 31.401871] The buggy address belongs to the page: [ 31.406780] page:ffffea0006cb9900 count:1 mapcount:0 mapping:ffff8801b2e64080 index:0x0 [ 31.414899] flags: 0x2fffc0000000100(slab) [ 31.419129] raw: 02fffc0000000100 ffff8801b2e64080 0000000000000000 000000010000000c [ 31.426986] raw: ffffea0006beb620 ffff8801da801648 ffff8801da8007c0 0000000000000000 [ 31.434840] page dumped because: kasan: bad access detected [ 31.440522] [ 31.442123] Memory state around the buggy address: [ 31.447027] ffff8801b2e63f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.454362] ffff8801b2e64000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.461696] >ffff8801b2e64080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.469027] ^ [ 31.475232] ffff8801b2e64100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.482567] ffff8801b2e64180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 31.489909] ================================================================== [ 31.497242] Disabling lock debugging due to kernel taint [ 31.502753] Kernel panic - not syncing: panic_on_warn set ... [ 31.502753] [ 31.510101] CPU: 0 PID: 4520 Comm: syz-executor073 Tainted: G B 4.17.0-rc3+ #34 [ 31.518836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.528175] Call Trace: [ 31.530742] dump_stack+0x1b9/0x294 [ 31.534346] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.539514] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.544247] ? tls_sk_proto_close+0x7f0/0x9c0 [ 31.548719] panic+0x22f/0x4de [ 31.551889] ? add_taint.cold.5+0x16/0x16 [ 31.556012] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.560396] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.564779] ? 
tls_sk_proto_close+0x8ab/0x9c0 [ 31.569336] kasan_end_report+0x47/0x4f [ 31.573284] kasan_report.cold.7+0x76/0x2fe [ 31.577583] __asan_report_load1_noabort+0x14/0x20 [ 31.582486] tls_sk_proto_close+0x8ab/0x9c0 [ 31.586783] ? do_raw_spin_lock+0xc1/0x200 [ 31.590991] ? tcp_check_oom+0x520/0x520 [ 31.595026] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 31.600102] ? tls_write_space+0x340/0x340 [ 31.604310] ? graph_lock+0x170/0x170 [ 31.608090] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.613607] ? locks_remove_file+0x3f7/0x5a0 [ 31.617990] ? fcntl_setlk+0x1020/0x1020 [ 31.622033] ? ip_mc_drop_socket+0x20f/0x270 [ 31.626419] inet_release+0x104/0x1f0 [ 31.630199] sock_release+0x96/0x1b0 [ 31.633887] ? sock_alloc_file+0x4e0/0x4e0 [ 31.638094] sock_close+0x16/0x20 [ 31.641524] __fput+0x34d/0x890 [ 31.644780] ? fput+0x1a0/0x1a0 [ 31.648034] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.652508] ____fput+0x15/0x20 [ 31.655762] task_work_run+0x1e4/0x290 [ 31.659624] ? task_work_cancel+0x240/0x240 [ 31.663922] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.669434] ? switch_task_namespaces+0xa2/0xd0 [ 31.674081] do_exit+0x1aee/0x2730 [ 31.677596] ? plist_add+0x770/0x770 [ 31.681285] ? mm_update_next_owner+0x980/0x980 [ 31.685946] ? print_usage_bug+0xc0/0xc0 [ 31.689982] ? graph_lock+0x170/0x170 [ 31.693759] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.698147] ? rcu_note_context_switch+0x710/0x710 [ 31.703053] ? lock_acquire+0x1dc/0x520 [ 31.707021] ? __might_sleep+0x95/0x190 [ 31.710970] ? __lock_acquire+0x7f5/0x5140 [ 31.715182] ? debug_check_no_locks_freed+0x310/0x310 [ 31.720346] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.724733] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 31.729293] ? kasan_check_write+0x14/0x20 [ 31.733505] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.738670] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.744201] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 31.749283] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.754795] ? futex_wait+0x5c1/0x9f0 [ 31.758569] ? 
futex_wait_setup+0x400/0x400 [ 31.762867] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.768033] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.773549] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 31.778625] ? futex_wake+0x2f6/0x750 [ 31.782398] ? graph_lock+0x170/0x170 [ 31.786176] ? memset+0x31/0x40 [ 31.789432] ? find_held_lock+0x36/0x1c0 [ 31.793481] ? lock_downgrade+0x8e0/0x8e0 [ 31.797607] do_group_exit+0x16f/0x430 [ 31.801469] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 31.806025] ? __ia32_sys_exit+0x50/0x50 [ 31.810071] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.814541] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.819534] get_signal+0x886/0x1960 [ 31.823225] ? ptrace_notify+0x130/0x130 [ 31.827262] ? lock_downgrade+0x8e0/0x8e0 [ 31.831386] ? lock_downgrade+0x8e0/0x8e0 [ 31.835510] ? kasan_check_read+0x11/0x20 [ 31.839633] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.844018] ? __local_bh_enable_ip+0x161/0x230 [ 31.848665] do_signal+0x98/0x2040 [ 31.852180] ? trace_hardirqs_on+0xd/0x10 [ 31.856304] ? __local_bh_enable_ip+0x161/0x230 [ 31.860951] ? _raw_spin_unlock_bh+0x30/0x40 [ 31.865335] ? release_sock+0x1e2/0x2b0 [ 31.869283] ? setup_sigcontext+0x7d0/0x7d0 [ 31.873586] ? __release_sock+0x3a0/0x3a0 [ 31.877713] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.883228] ? _copy_from_user+0xdf/0x150 [ 31.887353] ? tls_setsockopt+0xb2/0x780 [ 31.891393] ? exit_to_usermode_loop+0x87/0x310 [ 31.896041] exit_to_usermode_loop+0x28a/0x310 [ 31.900600] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 31.905416] ? do_syscall_64+0x92/0x800 [ 31.909365] do_syscall_64+0x6ac/0x800 [ 31.913229] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.918135] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.923042] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 31.928382] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 31.933199] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.938364] RIP: 0033:0x4456a9 [ 31.941528] RSP: 002b:00007fa76e55adb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 31.949212] RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004456a9 [ 31.956458] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c [ 31.963703] RBP: 00000000006dac38 R08: 0000000000000000 R09: 0000000000000000 [ 31.970948] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 31.978194] R13: 00007ffffbe98f6f R14: 00007fa76e55b9c0 R15: 0000000000000006 [ 31.985852] Dumping ftrace buffer: [ 31.989368] (ftrace buffer empty) [ 31.993058] Kernel Offset: disabled [ 31.996663] Rebooting in 86400 seconds..