[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 22.138924] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 24.725705] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 25.141152] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 25.883939] random: sshd: uninitialized urandom read (32 bytes read, 70 bits of entropy available)
[ 77.816344] random: sshd: uninitialized urandom read (32 bytes read, 91 bits of entropy available)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[ 83.287628] random: sshd: uninitialized urandom read (32 bytes read, 93 bits of entropy available)
2018/08/22 13:52:05 parsed 1 programs
[ 85.189826] random: cc1: uninitialized urandom read (8 bytes read, 95 bits of entropy available)
2018/08/22 13:52:08 executed programs: 0
[ 86.902379] IPVS: Creating netns size=2552 id=1
[ 87.150921] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 87.167245] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 87.253179] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 87.268579] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 87.352317] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 87.368461] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 87.385551] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 87.404527] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 88.148161] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 88.188326] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 91.016207] ==================================================================
[ 91.023610] BUG: KASAN: use-after-free in sockfs_setattr+0x11d/0x140
[ 91.030112] Write of size 4 at addr ffff8801d4ffd104 by task syz-executor0/4764
[ 91.037544]
[ 91.039151] CPU: 1 PID: 4764 Comm: syz-executor0 Not tainted 4.4.151-ge917467 #20
[ 91.046746] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.056077] 0000000000000000 4fec89414e34cd67 ffff8800b5b8fb98 ffffffff81e15eed
[ 91.064080] ffffea000753fe00 ffff8801d4ffd104 0000000000000001 ffff8801d4ffd104
[ 91.072111] 0000000000000000 ffff8800b5b8fbd0 ffffffff8151b390 ffff8801d4ffd104
[ 91.080106] Call Trace:
[ 91.082673] [] dump_stack+0xc1/0x124
[ 91.088020] [] print_address_description+0x6c/0x216
[ 91.094668] [] kasan_report.cold.7+0x175/0x2f7
[ 91.100882] [] ? sockfs_setattr+0x11d/0x140
[ 91.106832] [] __asan_report_store4_noabort+0x17/0x20
[ 91.113652] [] sockfs_setattr+0x11d/0x140
[ 91.119447] [] ? SYSC_recvfrom+0x360/0x360
[ 91.125311] [] notify_change2+0x96a/0xbd0
[ 91.131089] [] ? cap_bprm_set_creds+0x4bf/0x2560
[ 91.137473] [] chown_common+0x484/0x550
[ 91.143079] [] ? chmod_common+0x450/0x450
[ 91.148861] [] ? __mnt_want_write+0x1e3/0x270
[ 91.154989] [] SyS_fchownat+0x115/0x1b0
[ 91.160591] [] ? SyS_chmod+0x130/0x130
[ 91.166110] [] ? do_fast_syscall_32+0xdb/0x8b0
[ 91.172323] [] ? SyS_chmod+0x130/0x130
[ 91.177838] [] do_fast_syscall_32+0x324/0x8b0
[ 91.183966] [] sysenter_flags_fixed+0xd/0x1a
[ 91.190009]
[ 91.191613] Allocated by task 4764:
[ 91.195243] [] save_stack_trace+0x26/0x50
[ 91.201145] [] save_stack+0x43/0xd0
[ 91.206529] [] kasan_kmalloc+0xc7/0xe0
[ 91.212166] [] kasan_slab_alloc+0x12/0x20
[ 91.218062] [] kmem_cache_alloc+0xbe/0x2a0
[ 91.224062] [] sk_prot_alloc+0x69/0x300
[ 91.229787] [] sk_alloc+0x3a/0x3a0
[ 91.235077] [] unix_create1+0x7e/0x4a0
[ 91.240728] [] unix_create+0x15c/0x1c0
[ 91.246369] [] __sock_create+0x2f0/0x5f0
[ 91.252180] [] SyS_socketpair+0x195/0x510
[ 91.258092] [] do_fast_syscall_32+0x324/0x8b0
[ 91.264359] [] sysenter_flags_fixed+0xd/0x1a
[ 91.270516]
[ 91.272121] Freed by task 4763:
[ 91.275381] [] save_stack_trace+0x26/0x50
[ 91.281289] [] save_stack+0x43/0xd0
[ 91.286666] [] kasan_slab_free+0x72/0xc0
[ 91.292517] [] kmem_cache_free+0xbe/0x340
[ 91.298430] [] sk_destruct+0x347/0x4c0
[ 91.304076] [] __sk_free+0x4f/0x220
[ 91.309449] [] sk_free+0x30/0x40
[ 91.314561] [] unix_release_sock+0x5a8/0xa00
[ 91.320716] [] unix_release+0x44/0x90
[ 91.326286] [] sock_release+0x96/0x1c0
[ 91.331925] [] sock_close+0x16/0x20
[ 91.337323] [] __fput+0x235/0x6f0
[ 91.342548] [] ____fput+0x15/0x20
[ 91.347746] [] task_work_run+0x10f/0x190
[ 91.353556] [] exit_to_usermode_loop+0x13d/0x160
[ 91.360069] [] do_fast_syscall_32+0x61e/0x8b0
[ 91.366314] [] sysenter_flags_fixed+0xd/0x1a
[ 91.372465]
[ 91.374068] The buggy address belongs to the object at ffff8801d4ffcd00
[ 91.374068]  which belongs to the cache UNIX of size 1664
[ 91.386177] The buggy address is located 1028 bytes inside of
[ 91.386177]  1664-byte region [ffff8801d4ffcd00, ffff8801d4ffd380)
[ 91.398195] The buggy address belongs to the page:
[ 91.403809] kasan: CONFIG_KASAN_INLINE enabled
[ 91.408224] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 91.415773] ------------[ cut here ]------------
[ 91.420546] WARNING: CPU: 0 PID: 3783 at kernel/sched/core.c:7946 __might_sleep+0x138/0x1a0()
[ 91.429216] do not call blocking ops when !TASK_RUNNING; state=1 set at [] do_wait+0x26e/0xa30
[ 91.439529] Kernel panic - not syncing: panic_on_warn set ...
[ 91.439529]
[ 92.574401] Shutting down cpus with NMI
[ 92.579088] Dumping ftrace buffer:
[ 92.582622] (ftrace buffer empty)
[ 92.586316] Kernel Offset: disabled
[ 92.589934] Rebooting in 86400 seconds..