[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.738471] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.368901] random: sshd: uninitialized urandom read (32 bytes read) [ 21.746449] random: sshd: uninitialized urandom read (32 bytes read) [ 22.479247] random: sshd: uninitialized urandom read (32 bytes read) [ 22.664289] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.44' (ECDSA) to the list of known hosts. [ 28.195609] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 28.297997] ================================================================== [ 28.305480] BUG: KASAN: use-after-free in tls_sk_proto_close+0x8ab/0x9c0 [ 28.312305] Read of size 1 at addr ffff8801ae40a858 by task syz-executor363/4503 [ 28.319813] [ 28.321428] CPU: 0 PID: 4503 Comm: syz-executor363 Not tainted 4.17.0-rc3+ #34 [ 28.328766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.338101] Call Trace: [ 28.340675] dump_stack+0x1b9/0x294 [ 28.344285] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.349457] ? printk+0x9e/0xba [ 28.352718] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 28.357457] ? kasan_check_write+0x14/0x20 [ 28.361674] print_address_description+0x6c/0x20b [ 28.366500] ? tls_sk_proto_close+0x8ab/0x9c0 [ 28.370974] kasan_report.cold.7+0x242/0x2fe [ 28.375364] __asan_report_load1_noabort+0x14/0x20 [ 28.380274] tls_sk_proto_close+0x8ab/0x9c0 [ 28.384576] ? kasan_check_write+0x14/0x20 [ 28.388796] ? tcp_check_oom+0x520/0x520 [ 28.392839] ? trace_hardirqs_off+0xd/0x10 [ 28.397056] ? tls_write_space+0x340/0x340 [ 28.401276] ? depot_save_stack+0x26b/0x450 [ 28.405579] ? graph_lock+0x170/0x170 [ 28.409365] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.414886] ? ipv6_sock_ac_close+0x34e/0x480 [ 28.419367] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.424887] ? ipv6_sock_mc_close+0x161/0x1c0 [ 28.429368] ? ip_mc_drop_socket+0x20f/0x270 [ 28.433762] inet_release+0x104/0x1f0 [ 28.437546] inet6_release+0x50/0x70 [ 28.441242] sock_release+0x96/0x1b0 [ 28.444944] ? sock_alloc_file+0x4e0/0x4e0 [ 28.449158] sock_close+0x16/0x20 [ 28.452598] __fput+0x34d/0x890 [ 28.455859] ? fput+0x1a0/0x1a0 [ 28.459121] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.463602] ____fput+0x15/0x20 [ 28.466868] task_work_run+0x1e4/0x290 [ 28.470739] ? task_work_cancel+0x240/0x240 [ 28.475048] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.480567] ? switch_task_namespaces+0xa2/0xd0 [ 28.485217] do_exit+0x1aee/0x2730 [ 28.488745] ? plist_add+0x770/0x770 [ 28.492443] ? mm_update_next_owner+0x980/0x980 [ 28.497093] ? print_usage_bug+0xc0/0xc0 [ 28.501132] ? graph_lock+0x170/0x170 [ 28.504910] ? do_raw_spin_unlock+0x9e/0x2e0 [ 28.509300] ? rcu_note_context_switch+0x710/0x710 [ 28.514209] ? lock_acquire+0x1dc/0x520 [ 28.518168] ? __might_sleep+0x95/0x190 [ 28.522128] ? __lock_acquire+0x7f5/0x5140 [ 28.526359] ? debug_check_no_locks_freed+0x310/0x310 [ 28.531529] ? do_raw_spin_unlock+0x9e/0x2e0 [ 28.535916] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 28.540478] ? kasan_check_write+0x14/0x20 [ 28.544693] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 28.549861] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.555378] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 28.560462] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.565978] ? futex_wait+0x5c1/0x9f0 [ 28.569763] ? futex_wait_setup+0x400/0x400 [ 28.574073] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 28.579244] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.584761] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 28.589843] ? futex_wake+0x2f6/0x750 [ 28.593622] ? graph_lock+0x170/0x170 [ 28.597405] ? memset+0x31/0x40 [ 28.600666] ? find_held_lock+0x36/0x1c0 [ 28.604711] ? lock_downgrade+0x8e0/0x8e0 [ 28.608840] do_group_exit+0x16f/0x430 [ 28.612719] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 28.617281] ? __ia32_sys_exit+0x50/0x50 [ 28.621321] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.625797] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.630795] get_signal+0x886/0x1960 [ 28.634494] ? ptrace_notify+0x130/0x130 [ 28.638543] ? lock_downgrade+0x8e0/0x8e0 [ 28.642672] ? lock_downgrade+0x8e0/0x8e0 [ 28.646803] ? kasan_check_read+0x11/0x20 [ 28.650934] ? do_raw_spin_unlock+0x9e/0x2e0 [ 28.655324] ? __local_bh_enable_ip+0x161/0x230 [ 28.659978] do_signal+0x98/0x2040 [ 28.663501] ? trace_hardirqs_on+0xd/0x10 [ 28.667640] ? __local_bh_enable_ip+0x161/0x230 [ 28.672292] ? _raw_spin_unlock_bh+0x30/0x40 [ 28.676681] ? release_sock+0x1e2/0x2b0 [ 28.680647] ? setup_sigcontext+0x7d0/0x7d0 [ 28.684949] ? __release_sock+0x3a0/0x3a0 [ 28.689083] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.694611] ? _copy_from_user+0xdf/0x150 [ 28.698740] ? sk_stream_wait_memory+0x1260/0x1260 [ 28.703650] ? tls_setsockopt+0xb2/0x780 [ 28.707699] ? exit_to_usermode_loop+0x87/0x310 [ 28.712350] exit_to_usermode_loop+0x28a/0x310 [ 28.716913] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 28.721736] ? do_syscall_64+0x92/0x800 [ 28.725694] do_syscall_64+0x6ac/0x800 [ 28.729563] ? syscall_return_slowpath+0x5c0/0x5c0 [ 28.734474] ? syscall_return_slowpath+0x30f/0x5c0 [ 28.739387] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.744734] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.749560] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.754729] RIP: 0033:0x4457b9 [ 28.757897] RSP: 002b:00007fdf4d766da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 28.765585] RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004457b9 [ 28.772844] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c [ 28.780101] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 28.787353] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac38 [ 28.794602] R13: 3692738801137283 R14: 6bf92c39443c4c1d R15: 0000000000000006 [ 28.801856] [ 28.803461] Allocated by task 4498: [ 28.807071] save_stack+0x43/0xd0 [ 28.810505] kasan_kmalloc+0xc4/0xe0 [ 28.814199] kmem_cache_alloc_trace+0x152/0x780 [ 28.818848] tls_init+0x1f9/0xb00 [ 28.822287] tcp_set_ulp+0x1bc/0x520 [ 28.825982] do_tcp_setsockopt.isra.39+0x44a/0x2600 [ 28.830979] tcp_setsockopt+0xc1/0xe0 [ 28.834761] sock_common_setsockopt+0x9a/0xe0 [ 28.839247] __sys_setsockopt+0x1bd/0x390 [ 28.843374] __x64_sys_setsockopt+0xbe/0x150 [ 28.847761] do_syscall_64+0x1b1/0x800 [ 28.851631] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.856792] [ 28.858396] Freed by task 4503: [ 28.861656] save_stack+0x43/0xd0 [ 28.865088] __kasan_slab_free+0x11a/0x170 [ 28.869300] kasan_slab_free+0xe/0x10 [ 28.873094] kfree+0xd9/0x260 [ 28.876181] tls_sw_free_resources+0x2a3/0x360 [ 28.880743] tls_sk_proto_close+0x67c/0x9c0 [ 28.885046] inet_release+0x104/0x1f0 [ 28.888835] inet6_release+0x50/0x70 [ 28.892530] sock_release+0x96/0x1b0 [ 28.896228] sock_close+0x16/0x20 [ 28.899660] __fput+0x34d/0x890 [ 28.902918] ____fput+0x15/0x20 [ 28.906177] task_work_run+0x1e4/0x290 [ 28.910045] do_exit+0x1aee/0x2730 [ 28.913565] do_group_exit+0x16f/0x430 [ 28.917432] get_signal+0x886/0x1960 [ 28.921140] do_signal+0x98/0x2040 [ 28.924657] exit_to_usermode_loop+0x28a/0x310 [ 28.929218] do_syscall_64+0x6ac/0x800 [ 28.933085] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.938246] [ 28.939857] The buggy address belongs to the object at ffff8801ae40a800 [ 28.939857] which belongs to the cache kmalloc-256 of size 256 [ 28.952494] The buggy address is located 88 bytes inside of [ 28.952494] 256-byte region [ffff8801ae40a800, ffff8801ae40a900) [ 28.964260] The buggy address belongs to the page: [ 28.969171] page:ffffea0006b90280 count:1 mapcount:0 mapping:ffff8801ae40a080 index:0x0 [ 28.977296] flags: 0x2fffc0000000100(slab) [ 28.981514] raw: 02fffc0000000100 ffff8801ae40a080 0000000000000000 000000010000000c [ 28.989380] raw: ffffea0006bea9e0 ffffea0006bc94a0 ffff8801da8007c0 0000000000000000 [ 28.997238] page dumped because: kasan: bad access detected [ 29.002924] [ 29.004526] Memory state around the buggy address: [ 29.009450] ffff8801ae40a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.016806] ffff8801ae40a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.024151] >ffff8801ae40a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.031486] ^ [ 29.037697] ffff8801ae40a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.045040] ffff8801ae40a900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 29.052375] ================================================================== [ 29.059708] Disabling lock debugging due to kernel taint [ 29.065401] Kernel panic - not syncing: panic_on_warn set ... [ 29.065401] [ 29.072778] CPU: 0 PID: 4503 Comm: syz-executor363 Tainted: G B 4.17.0-rc3+ #34 [ 29.081517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.090848] Call Trace: [ 29.093420] dump_stack+0x1b9/0x294 [ 29.097036] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.102209] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.106947] ? tls_sk_proto_close+0x7f0/0x9c0 [ 29.111422] panic+0x22f/0x4de [ 29.114595] ? add_taint.cold.5+0x16/0x16 [ 29.118724] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.123125] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.127515] ? tls_sk_proto_close+0x8ab/0x9c0 [ 29.131991] kasan_end_report+0x47/0x4f [ 29.135947] kasan_report.cold.7+0x76/0x2fe [ 29.140252] __asan_report_load1_noabort+0x14/0x20 [ 29.145164] tls_sk_proto_close+0x8ab/0x9c0 [ 29.149463] ? kasan_check_write+0x14/0x20 [ 29.153678] ? tcp_check_oom+0x520/0x520 [ 29.157718] ? trace_hardirqs_off+0xd/0x10 [ 29.161932] ? tls_write_space+0x340/0x340 [ 29.166153] ? depot_save_stack+0x26b/0x450 [ 29.170455] ? graph_lock+0x170/0x170 [ 29.174240] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.179755] ? ipv6_sock_ac_close+0x34e/0x480 [ 29.184230] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.189742] ? ipv6_sock_mc_close+0x161/0x1c0 [ 29.194214] ? ip_mc_drop_socket+0x20f/0x270 [ 29.198609] inet_release+0x104/0x1f0 [ 29.202388] inet6_release+0x50/0x70 [ 29.206090] sock_release+0x96/0x1b0 [ 29.209793] ? sock_alloc_file+0x4e0/0x4e0 [ 29.214007] sock_close+0x16/0x20 [ 29.217447] __fput+0x34d/0x890 [ 29.220706] ? fput+0x1a0/0x1a0 [ 29.223965] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.228439] ____fput+0x15/0x20 [ 29.231695] task_work_run+0x1e4/0x290 [ 29.235559] ? task_work_cancel+0x240/0x240 [ 29.239860] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.245385] ? switch_task_namespaces+0xa2/0xd0 [ 29.250042] do_exit+0x1aee/0x2730 [ 29.253563] ? plist_add+0x770/0x770 [ 29.257257] ? mm_update_next_owner+0x980/0x980 [ 29.261913] ? print_usage_bug+0xc0/0xc0 [ 29.265952] ? graph_lock+0x170/0x170 [ 29.269733] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.274130] ? rcu_note_context_switch+0x710/0x710 [ 29.279041] ? lock_acquire+0x1dc/0x520 [ 29.283003] ? __might_sleep+0x95/0x190 [ 29.286964] ? __lock_acquire+0x7f5/0x5140 [ 29.291188] ? debug_check_no_locks_freed+0x310/0x310 [ 29.296358] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.300742] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 29.305303] ? kasan_check_write+0x14/0x20 [ 29.309517] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 29.314688] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.320218] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 29.325301] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.330815] ? futex_wait+0x5c1/0x9f0 [ 29.334594] ? futex_wait_setup+0x400/0x400 [ 29.338908] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 29.344101] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.349623] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 29.354703] ? futex_wake+0x2f6/0x750 [ 29.358481] ? graph_lock+0x170/0x170 [ 29.362260] ? memset+0x31/0x40 [ 29.365517] ? find_held_lock+0x36/0x1c0 [ 29.369566] ? lock_downgrade+0x8e0/0x8e0 [ 29.373694] do_group_exit+0x16f/0x430 [ 29.377561] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 29.382120] ? __ia32_sys_exit+0x50/0x50 [ 29.386161] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.390638] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.395634] get_signal+0x886/0x1960 [ 29.399328] ? ptrace_notify+0x130/0x130 [ 29.403371] ? lock_downgrade+0x8e0/0x8e0 [ 29.407495] ? lock_downgrade+0x8e0/0x8e0 [ 29.411624] ? kasan_check_read+0x11/0x20 [ 29.415750] ? do_raw_spin_unlock+0x9e/0x2e0 [ 29.420139] ? __local_bh_enable_ip+0x161/0x230 [ 29.424789] do_signal+0x98/0x2040 [ 29.428308] ? trace_hardirqs_on+0xd/0x10 [ 29.432436] ? __local_bh_enable_ip+0x161/0x230 [ 29.437087] ? _raw_spin_unlock_bh+0x30/0x40 [ 29.441476] ? release_sock+0x1e2/0x2b0 [ 29.445431] ? setup_sigcontext+0x7d0/0x7d0 [ 29.449730] ? __release_sock+0x3a0/0x3a0 [ 29.453857] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.459388] ? _copy_from_user+0xdf/0x150 [ 29.463515] ? sk_stream_wait_memory+0x1260/0x1260 [ 29.468422] ? tls_setsockopt+0xb2/0x780 [ 29.472466] ? exit_to_usermode_loop+0x87/0x310 [ 29.477122] exit_to_usermode_loop+0x28a/0x310 [ 29.481684] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 29.486504] ? do_syscall_64+0x92/0x800 [ 29.490458] do_syscall_64+0x6ac/0x800 [ 29.494325] ? syscall_return_slowpath+0x5c0/0x5c0 [ 29.499231] ? syscall_return_slowpath+0x30f/0x5c0 [ 29.504143] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 29.509490] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.514315] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.519481] RIP: 0033:0x4457b9 [ 29.522648] RSP: 002b:00007fdf4d766da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 29.530332] RAX: fffffffffffffe00 RBX: 00000000006dac3c RCX: 00000000004457b9 [ 29.537580] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dac3c [ 29.544828] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 29.552079] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac38 [ 29.559328] R13: 3692738801137283 R14: 6bf92c39443c4c1d R15: 0000000000000006 [ 29.567072] Dumping ftrace buffer: [ 29.570590] (ftrace buffer empty) [ 29.574276] Kernel Offset: disabled [ 29.577884] Rebooting in 86400 seconds..