[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.899186] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 25.440857] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.809604] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.389386] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.915827] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.209' (ECDSA) to the list of known hosts.
[ 35.474828] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/06 04:50:11 parsed 1 programs
[ 36.569064] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/06 04:50:12 executed programs: 0
[ 37.789148] IPVS: ftp: loaded support on port[0] = 21
[ 38.003996] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.010573] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.018276] device bridge_slave_0 entered promiscuous mode
[ 38.035423] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.041801] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.049044] device bridge_slave_1 entered promiscuous mode
[ 38.065972] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 38.082240] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 38.127333] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 38.146782] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 38.213433] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 38.220982] team0: Port device team_slave_0 added
[ 38.236763] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 38.244058] team0: Port device team_slave_1 added
[ 38.259484] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 38.278109] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 38.295321] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 38.314395] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 38.439789] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.446426] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.453357] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.459784] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.906398] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.912534] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.960072] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.992462] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 39.015011] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 39.021159] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 39.029921] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 39.073339] 8021q: adding VLAN 0 to HW filter on device team0
[ 39.361531] ==================================================================
[ 39.369034] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[ 39.375047] Read of size 8 at addr ffff8801bdac85b0 by task syz-executor0/4904
[ 39.382391]
[ 39.384005] CPU: 1 PID: 4904 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #223
[ 39.391256] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.400596] Call Trace:
[ 39.403175]  dump_stack+0x1c9/0x2b4
[ 39.406792]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.412126]  ? printk+0xa7/0xcf
[ 39.415397]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 39.420142]  ? sock_i_ino+0x94/0xa0
[ 39.423764]  print_address_description+0x6c/0x20b
[ 39.428606]  ? sock_i_ino+0x94/0xa0
[ 39.432223]  kasan_report.cold.7+0x242/0x30d
[ 39.436678]  __asan_report_load8_noabort+0x14/0x20
[ 39.441600]  sock_i_ino+0x94/0xa0
[ 39.445046]  tipc_sk_fill_sock_diag+0x3be/0xdb0
[ 39.449700]  ? tipc_diag_dump+0x30/0x30
[ 39.453672]  ? tipc_getname+0x7f0/0x7f0
[ 39.457633]  ? print_usage_bug+0xc0/0xc0
[ 39.461756]  ? graph_lock+0x170/0x170
[ 39.465559]  ? __lock_sock+0x203/0x360
[ 39.469433]  ? find_held_lock+0x36/0x1c0
[ 39.473483]  ? mark_held_locks+0xc9/0x160
[ 39.477619]  ? __local_bh_enable_ip+0x161/0x230
[ 39.482274]  ? __local_bh_enable_ip+0x161/0x230
[ 39.486931]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 39.491500]  ? trace_hardirqs_on+0xbd/0x2c0
[ 39.495807]  ? lock_release+0x9f0/0x9f0
[ 39.499771]  ? lock_sock_nested+0xe7/0x120
[ 39.504011]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 39.509029]  ? skb_put+0x17b/0x1e0
[ 39.512555]  ? memset+0x31/0x40
[ 39.515830]  ? __nlmsg_put+0x14c/0x1b0
[ 39.519707]  __tipc_add_sock_diag+0x22f/0x360
[ 39.524208]  tipc_nl_sk_walk+0x122/0x1d0
[ 39.528255]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 39.533517]  tipc_diag_dump+0x24/0x30
[ 39.537302]  netlink_dump+0x519/0xd50
[ 39.541088]  ? netlink_broadcast+0x50/0x50
[ 39.545361]  __netlink_dump_start+0x4f1/0x6f0
[ 39.549865]  ? kasan_check_read+0x11/0x20
[ 39.554089]  ? tipc_data_ready+0x3f0/0x3f0
[ 39.558322]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 39.563411]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 39.568077]  ? tipc_data_ready+0x3f0/0x3f0
[ 39.572310]  ? tipc_unregister_sysctl+0x20/0x20
[ 39.576964]  ? tipc_ioctl+0x3b0/0x3b0
[ 39.580763]  ? netlink_deliver_tap+0x356/0xfb0
[ 39.585339]  sock_diag_rcv_msg+0x31d/0x410
[ 39.589568]  netlink_rcv_skb+0x172/0x440
[ 39.593623]  ? sock_diag_bind+0x80/0x80
[ 39.597627]  ? netlink_ack+0xbe0/0xbe0
[ 39.601507]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 39.606174]  sock_diag_rcv+0x2a/0x40
[ 39.610069]  netlink_unicast+0x5a0/0x760
[ 39.614128]  ? netlink_attachskb+0x9a0/0x9a0
[ 39.618529]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.624055]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 39.629060]  netlink_sendmsg+0xa18/0xfc0
[ 39.633111]  ? netlink_unicast+0x760/0x760
[ 39.637337]  ? aa_sock_msg_perm.isra.13+0xba/0x160
[ 39.642323]  ? apparmor_socket_sendmsg+0x29/0x30
[ 39.647081]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.652607]  ? security_socket_sendmsg+0x94/0xc0
[ 39.657348]  ? netlink_unicast+0x760/0x760
[ 39.661574]  sock_sendmsg+0xd5/0x120
[ 39.665275]  ___sys_sendmsg+0x7fd/0x930
[ 39.669243]  ? copy_msghdr_from_user+0x580/0x580
[ 39.673989]  ? __sched_text_start+0x8/0x8
[ 39.678125]  ? __fget_light+0x2f7/0x440
[ 39.682096]  ? __local_bh_enable_ip+0x161/0x230
[ 39.686767]  ? fget_raw+0x20/0x20
[ 39.690211]  ? __fget_light+0x2f7/0x440
[ 39.694171]  ? fget_raw+0x20/0x20
[ 39.697620]  ? tipc_nametbl_build_group+0x279/0x360
[ 39.702641]  ? tipc_setsockopt+0x726/0xd70
[ 39.706886]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.712424]  ? sockfd_lookup_light+0xc5/0x160
[ 39.716913]  __sys_sendmsg+0x11d/0x290
[ 39.720787]  ? __ia32_sys_shutdown+0x80/0x80
[ 39.725187]  ? __x64_sys_futex+0x47f/0x6a0
[ 39.729411]  ? do_syscall_64+0x9a/0x820
[ 39.733449]  ? do_syscall_64+0x9a/0x820
[ 39.737421]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 39.742523]  __x64_sys_sendmsg+0x78/0xb0
[ 39.746576]  do_syscall_64+0x1b9/0x820
[ 39.750455]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 39.755812]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 39.760727]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 39.765728]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 39.770729]  ? recalc_sigpending_tsk+0x180/0x180
[ 39.775503]  ? kasan_check_write+0x14/0x20
[ 39.779727]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.784560]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.789734] RIP: 0033:0x457099
[ 39.792923] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 39.811815] RSP: 002b:00007fa6def9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 39.819516] RAX: ffffffffffffffda RBX: 00007fa6def9e6d4 RCX: 0000000000457099
[ 39.826913] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 39.834281] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 39.841538] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 39.848802] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[ 39.856065]
[ 39.857678] Allocated by task 4904:
[ 39.861292]  save_stack+0x43/0xd0
[ 39.864734]  kasan_kmalloc+0xc4/0xe0
[ 39.868433]  kasan_slab_alloc+0x12/0x20
[ 39.872394]  kmem_cache_alloc+0x12e/0x710
[ 39.876612]  sock_alloc_inode+0x1d/0x260
[ 39.880659]  alloc_inode+0x63/0x190
[ 39.884273]  new_inode_pseudo+0x71/0x1a0
[ 39.888316]  sock_alloc+0x41/0x270
[ 39.891838]  __sock_create+0x175/0x940
[ 39.895707]  __sys_socket+0x106/0x260
[ 39.899490]  __x64_sys_socket+0x73/0xb0
[ 39.903545]  do_syscall_64+0x1b9/0x820
[ 39.907415]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.912585]
[ 39.914195] Freed by task 4903:
[ 39.917461]  save_stack+0x43/0xd0
[ 39.920897]  __kasan_slab_free+0x11a/0x170
[ 39.925119]  kasan_slab_free+0xe/0x10
[ 39.928916]  kmem_cache_free+0x86/0x280
[ 39.932875]  sock_destroy_inode+0x51/0x60
[ 39.937013]  destroy_inode+0x159/0x200
[ 39.940880]  evict+0x5d5/0x990
[ 39.944058]  iput+0x5fa/0xa00
[ 39.947149]  dentry_unlink_inode+0x461/0x5e0
[ 39.951538]  __dentry_kill+0x44c/0x7a0
[ 39.955403]  dentry_kill+0xc9/0x5a0
[ 39.959059]  dput.part.26+0x66b/0x7a0
[ 39.962848]  dput+0x15/0x20
[ 39.965762]  __fput+0x4d4/0xa40
[ 39.969023]  ____fput+0x15/0x20
[ 39.972282]  task_work_run+0x1e8/0x2a0
[ 39.976153]  exit_to_usermode_loop+0x318/0x380
[ 39.980713]  do_syscall_64+0x6be/0x820
[ 39.984645]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.989816]
[ 39.991434] The buggy address belongs to the object at ffff8801bdac8540
[ 39.991434]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[ 40.005289] The buggy address is located 112 bytes inside of
[ 40.005289]  984-byte region [ffff8801bdac8540, ffff8801bdac8918)
[ 40.017149] The buggy address belongs to the page:
[ 40.022076] page:ffffea0006f6b200 count:1 mapcount:0 mapping:ffff8801cbcf80c0 index:0xffff8801bdac8ffd
[ 40.031510] flags: 0x2fffc0000000100(slab)
[ 40.035742] raw: 02fffc0000000100 ffffea0006f6b0c8 ffffea0006d0b548 ffff8801cbcf80c0
[ 40.043620] raw: ffff8801bdac8ffd ffff8801bdac80c0 0000000100000003 ffff8801d7546b80
[ 40.051480] page dumped because: kasan: bad access detected
[ 40.057184] page->mem_cgroup:ffff8801d7546b80
[ 40.061659]
[ 40.063275] Memory state around the buggy address:
[ 40.068194]  ffff8801bdac8480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.075553]  ffff8801bdac8500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.082908] >ffff8801bdac8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.090250]                                     ^
[ 40.095164]  ffff8801bdac8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.102507]  ffff8801bdac8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.109868] ==================================================================
[ 40.117208] Disabling lock debugging due to kernel taint
[ 40.122694] Kernel panic - not syncing: panic_on_warn set ...
[ 40.122694]
[ 40.130083] CPU: 1 PID: 4904 Comm: syz-executor0 Tainted: G B 4.19.0-rc2+ #223
[ 40.138746] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.148087] Call Trace:
[ 40.150673]  dump_stack+0x1c9/0x2b4
[ 40.154289]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.159485]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.164227]  panic+0x238/0x4e7
[ 40.167402]  ? add_taint.cold.5+0x16/0x16
[ 40.171820]  ? trace_hardirqs_on+0xb4/0x2c0
[ 40.176125]  ? trace_hardirqs_on+0x9a/0x2c0
[ 40.180433]  ? sock_i_ino+0x94/0xa0
[ 40.184046]  kasan_end_report+0x47/0x4f
[ 40.188003]  kasan_report.cold.7+0x76/0x30d
[ 40.192309]  __asan_report_load8_noabort+0x14/0x20
[ 40.197223]  sock_i_ino+0x94/0xa0
[ 40.200672]  tipc_sk_fill_sock_diag+0x3be/0xdb0
[ 40.205341]  ? tipc_diag_dump+0x30/0x30
[ 40.209303]  ? tipc_getname+0x7f0/0x7f0
[ 40.213269]  ? print_usage_bug+0xc0/0xc0
[ 40.217318]  ? graph_lock+0x170/0x170
[ 40.221105]  ? __lock_sock+0x203/0x360
[ 40.224980]  ? find_held_lock+0x36/0x1c0
[ 40.229025]  ? mark_held_locks+0xc9/0x160
[ 40.233160]  ? __local_bh_enable_ip+0x161/0x230
[ 40.237815]  ? __local_bh_enable_ip+0x161/0x230
[ 40.242467]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 40.247035]  ? trace_hardirqs_on+0xbd/0x2c0
[ 40.251339]  ? lock_release+0x9f0/0x9f0
[ 40.255295]  ? lock_sock_nested+0xe7/0x120
[ 40.259536]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 40.264536]  ? skb_put+0x17b/0x1e0
[ 40.268060]  ? memset+0x31/0x40
[ 40.271325]  ? __nlmsg_put+0x14c/0x1b0
[ 40.275198]  __tipc_add_sock_diag+0x22f/0x360
[ 40.279683]  tipc_nl_sk_walk+0x122/0x1d0
[ 40.283752]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 40.289038]  tipc_diag_dump+0x24/0x30
[ 40.292822]  netlink_dump+0x519/0xd50
[ 40.296607]  ? netlink_broadcast+0x50/0x50
[ 40.300826]  __netlink_dump_start+0x4f1/0x6f0
[ 40.305303]  ? kasan_check_read+0x11/0x20
[ 40.309433]  ? tipc_data_ready+0x3f0/0x3f0
[ 40.313652]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 40.318759]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 40.323416]  ? tipc_data_ready+0x3f0/0x3f0
[ 40.327632]  ? tipc_unregister_sysctl+0x20/0x20
[ 40.332284]  ? tipc_ioctl+0x3b0/0x3b0
[ 40.336083]  ? netlink_deliver_tap+0x356/0xfb0
[ 40.340669]  sock_diag_rcv_msg+0x31d/0x410
[ 40.344928]  netlink_rcv_skb+0x172/0x440
[ 40.348975]  ? sock_diag_bind+0x80/0x80
[ 40.352933]  ? netlink_ack+0xbe0/0xbe0
[ 40.356807]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 40.361483]  sock_diag_rcv+0x2a/0x40
[ 40.365182]  netlink_unicast+0x5a0/0x760
[ 40.369239]  ? netlink_attachskb+0x9a0/0x9a0
[ 40.373634]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.379155]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 40.384157]  netlink_sendmsg+0xa18/0xfc0
[ 40.388207]  ? netlink_unicast+0x760/0x760
[ 40.392448]  ? aa_sock_msg_perm.isra.13+0xba/0x160
[ 40.397362]  ? apparmor_socket_sendmsg+0x29/0x30
[ 40.402104]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.407627]  ? security_socket_sendmsg+0x94/0xc0
[ 40.412370]  ? netlink_unicast+0x760/0x760
[ 40.416591]  sock_sendmsg+0xd5/0x120
[ 40.420289]  ___sys_sendmsg+0x7fd/0x930
[ 40.424250]  ? copy_msghdr_from_user+0x580/0x580
[ 40.428992]  ? __sched_text_start+0x8/0x8
[ 40.433137]  ? __fget_light+0x2f7/0x440
[ 40.437110]  ? __local_bh_enable_ip+0x161/0x230
[ 40.441768]  ? fget_raw+0x20/0x20
[ 40.445206]  ? __fget_light+0x2f7/0x440
[ 40.449164]  ? fget_raw+0x20/0x20
[ 40.452605]  ? tipc_nametbl_build_group+0x279/0x360
[ 40.457620]  ? tipc_setsockopt+0x726/0xd70
[ 40.461858]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.467378]  ? sockfd_lookup_light+0xc5/0x160
[ 40.471861]  __sys_sendmsg+0x11d/0x290
[ 40.475742]  ? __ia32_sys_shutdown+0x80/0x80
[ 40.480145]  ? __x64_sys_futex+0x47f/0x6a0
[ 40.484367]  ? do_syscall_64+0x9a/0x820
[ 40.488333]  ? do_syscall_64+0x9a/0x820
[ 40.492294]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 40.497380]  __x64_sys_sendmsg+0x78/0xb0
[ 40.501445]  do_syscall_64+0x1b9/0x820
[ 40.505317]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.510670]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 40.515583]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 40.520583]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 40.525582]  ? recalc_sigpending_tsk+0x180/0x180
[ 40.530324]  ? kasan_check_write+0x14/0x20
[ 40.534543]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.539371]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.544551] RIP: 0033:0x457099
[ 40.547737] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 40.566630] RSP: 002b:00007fa6def9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 40.574341] RAX: ffffffffffffffda RBX: 00007fa6def9e6d4 RCX: 0000000000457099
[ 40.581592] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 40.588845] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 40.596096] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 40.603347] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[ 40.610992] Dumping ftrace buffer:
[ 40.614520]    (ftrace buffer empty)
[ 40.618210] Kernel Offset: disabled
[ 40.621817] Rebooting in 86400 seconds..