[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.924282] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 25.889335] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.407840] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.261919] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.449504] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
[ 32.913711] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.014280] IPVS: ftp: loaded support on port[0] = 21
[ 33.163844] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.170366] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.177785] device bridge_slave_0 entered promiscuous mode
[ 33.194870] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.201289] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.208594] device bridge_slave_1 entered promiscuous mode
[ 33.224846] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 33.242180] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 33.287887] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 33.307120] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 33.374142] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 33.381867] team0: Port device team_slave_0 added
[ 33.397954] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 33.405349] team0: Port device team_slave_1 added
[ 33.422628] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 33.441616] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 33.460185] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 33.478496] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 33.610849] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.617402] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.624549] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.630978] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 34.098732] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 34.104911] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.144720] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 34.155481] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 34.203362] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 34.209921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 34.217678] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 34.257763] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 34.525784] FAULT_INJECTION: forcing a failure.
[ 34.525784] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[ 34.537869] CPU: 0 PID: 4600 Comm: syz-executor377 Not tainted 4.17.0-rc6+ #61
[ 34.545235] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.554588] Call Trace:
[ 34.557173]  dump_stack+0x1b9/0x294
[ 34.560793]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.565997]  ? print_usage_bug+0xc0/0xc0
[ 34.570080]  should_fail.cold.4+0xa/0x1a
[ 34.574157]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 34.579252]  ? graph_lock+0x170/0x170
[ 34.583051]  ? print_usage_bug+0xc0/0xc0
[ 34.587103]  ? __wake_up_common_lock+0x1c2/0x300
[ 34.591876]  ? __lock_acquire+0x7f5/0x5140
[ 34.596116]  ? __lock_acquire+0x7f5/0x5140
[ 34.600371]  ? __lock_acquire+0x7f5/0x5140
[ 34.604603]  ? print_usage_bug+0xc0/0xc0
[ 34.608678]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.613860]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.619044]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.625096]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.630298]  __alloc_pages_nodemask+0x34e/0xd70
[ 34.634969]  ? __alloc_pages_slowpath+0x2db0/0x2db0
[ 34.639981]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.645169]  ? __lock_acquire+0x7f5/0x5140
[ 34.649421]  ? print_usage_bug+0xc0/0xc0
[ 34.653490]  ? print_usage_bug+0xc0/0xc0
[ 34.657587]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.662808]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 34.668370]  alloc_pages_current+0x10c/0x210
[ 34.672838]  skb_page_frag_refill+0x453/0x6a0
[ 34.677340]  ? graph_lock+0x170/0x170
[ 34.681159]  ? sock_kzfree_s+0x60/0x60
[ 34.685070]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.690273]  ? print_usage_bug+0xc0/0xc0
[ 34.694336]  ? find_held_lock+0x36/0x1c0
[ 34.698398]  sk_page_frag_refill+0x55/0x1f0
[ 34.702712]  sk_alloc_sg+0x1df/0x9b0
[ 34.706417]  ? sk_page_frag_refill+0x1f0/0x1f0
[ 34.711000]  ? __local_bh_enable_ip+0x161/0x230
[ 34.715674]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.720687]  ? lock_sock_nested+0x9f/0x120
[ 34.724940]  ? trace_hardirqs_on+0xd/0x10
[ 34.729077]  ? __local_bh_enable_ip+0x161/0x230
[ 34.733735]  tls_sw_sendmsg+0x575/0x12b0
[ 34.737785]  ? lock_release+0xa10/0xa10
[ 34.741764]  ? check_same_owner+0x320/0x320
[ 34.746088]  ? tls_sw_push_pending_record+0x30/0x30
[ 34.751091]  ? lock_downgrade+0x8e0/0x8e0
[ 34.755239]  ? __sanitizer_cov_trace_cmp2+0x7/0x20
[ 34.760156]  ? lock_release+0xa10/0xa10
[ 34.764120]  ? __check_object_size+0x95/0x5d9
[ 34.768602]  inet_sendmsg+0x19f/0x690
[ 34.772387]  ? __might_sleep+0x95/0x190
[ 34.776354]  ? ipip_gro_receive+0x100/0x100
[ 34.780662]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.786182]  ? security_socket_sendmsg+0x94/0xc0
[ 34.790924]  ? ipip_gro_receive+0x100/0x100
[ 34.795242]  sock_sendmsg+0xd5/0x120
[ 34.798941]  __sys_sendto+0x3d7/0x670
[ 34.802726]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 34.807382]  ? lock_downgrade+0x8e0/0x8e0
[ 34.811516]  ? __lock_is_held+0xb5/0x140
[ 34.815577]  ? __sb_end_write+0xac/0xe0
[ 34.819542]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.825074]  ? ksys_write+0x1a6/0x250
[ 34.828861]  ? __ia32_sys_read+0xb0/0xb0
[ 34.832906]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 34.837734]  __x64_sys_sendto+0xe1/0x1a0
[ 34.841782]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.846889]  do_syscall_64+0x1b1/0x800
[ 34.850770]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 34.855698]  ? syscall_return_slowpath+0x30f/0x5c0
[ 34.860616]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 34.865966]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.870805]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.875980] RIP: 0033:0x4416d9
[ 34.879152] RSP: 002b:00007ffd6ccdd758 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 34.886847] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004416d9
[ 34.894099] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[ 34.901622] RBP: 00007ffd6ccdd780 R08: 0000000020000000 R09: 000000000000001c
[ 34.908878] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000004
[ 34.916143] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[ 37.984572] ==================================================================
[ 37.992087] BUG: KASAN: use-after-free in tls_push_record+0x1023/0x13e0
[ 37.998853] Write of size 1 at addr ffff8801d88d5000 by task syz-executor377/4600
[ 38.006483]
[ 38.008123] CPU: 1 PID: 4600 Comm: syz-executor377 Not tainted 4.17.0-rc6+ #61
[ 38.015470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.024824] Call Trace:
[ 38.027414]  dump_stack+0x1b9/0x294
[ 38.031042]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.036254]  ? printk+0x9e/0xba
[ 38.039567]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 38.044353]  ? kasan_check_write+0x14/0x20
[ 38.048594]  print_address_description+0x6c/0x20b
[ 38.053439]  ? tls_push_record+0x1023/0x13e0
[ 38.057941]  kasan_report.cold.7+0x242/0x2fe
[ 38.062357]  __asan_report_store1_noabort+0x17/0x20
[ 38.067376]  tls_push_record+0x1023/0x13e0
[ 38.071617]  tls_sw_sendmsg+0x9de/0x12b0
[ 38.075682]  ? lock_release+0xa10/0xa10
[ 38.079689]  ? tls_sw_push_pending_record+0x30/0x30
[ 38.084714]  ? lock_downgrade+0x8e0/0x8e0
[ 38.088862]  ? __sanitizer_cov_trace_cmp2+0x7/0x20
[ 38.093791]  ? lock_release+0xa10/0xa10
[ 38.097763]  ? __check_object_size+0x95/0x5d9
[ 38.102257]  inet_sendmsg+0x19f/0x690
[ 38.106056]  ? __might_sleep+0x95/0x190
[ 38.110034]  ? ipip_gro_receive+0x100/0x100
[ 38.114360]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.119891]  ? security_socket_sendmsg+0x94/0xc0
[ 38.124641]  ? ipip_gro_receive+0x100/0x100
[ 38.128954]  sock_sendmsg+0xd5/0x120
[ 38.132683]  __sys_sendto+0x3d7/0x670
[ 38.136476]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 38.141152]  ? lock_downgrade+0x8e0/0x8e0
[ 38.145299]  ? __lock_is_held+0xb5/0x140
[ 38.149363]  ? __sb_end_write+0xac/0xe0
[ 38.153341]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.158873]  ? ksys_write+0x1a6/0x250
[ 38.162677]  ? __ia32_sys_read+0xb0/0xb0
[ 38.166754]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 38.171600]  __x64_sys_sendto+0xe1/0x1a0
[ 38.175654]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 38.180671]  do_syscall_64+0x1b1/0x800
[ 38.184558]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 38.189500]  ? syscall_return_slowpath+0x30f/0x5c0
[ 38.194428]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 38.199792]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.204633]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.209819] RIP: 0033:0x4416d9
[ 38.213012] RSP: 002b:00007ffd6ccdd758 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 38.220723] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004416d9
[ 38.227995] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[ 38.235262] RBP: 00007ffd6ccdd780 R08: 0000000020000000 R09: 000000000000001c
[ 38.242539] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000004
[ 38.249812] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[ 38.257107]
[ 38.258778] The buggy address belongs to the page:
[ 38.263713] page:ffffea0007623540 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 38.271858] flags: 0x2fffc0000000000()
[ 38.275745] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 38.283631] raw: ffffea0007592b60 ffff8801dae2fdd8 0000000000000000 0000000000000000
[ 38.291522] page dumped because: kasan: bad access detected
[ 38.297224]
[ 38.298850] Memory state around the buggy address:
[ 38.303785]  ffff8801d88d4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.311322]  ffff8801d88d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.318691] >ffff8801d88d5000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 38.326062]                    ^
[ 38.329489]  ffff8801d88d5080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 38.336872]  ffff8801d88d5100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 38.344248] ==================================================================
[ 38.351624] Disabling lock debugging due to kernel taint
[ 38.357377] Kernel panic - not syncing: panic_on_warn set ...
[ 38.357377]
[ 38.364775] CPU: 1 PID: 4600 Comm: syz-executor377 Tainted: G B 4.17.0-rc6+ #61
[ 38.373518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.382872] Call Trace:
[ 38.385469]  dump_stack+0x1b9/0x294
[ 38.389087]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.394281]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.399043]  ? tls_push_record+0xf90/0x13e0
[ 38.403368]  panic+0x22f/0x4de
[ 38.406553]  ? add_taint.cold.5+0x16/0x16
[ 38.410692]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 38.415104]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 38.419508]  ? tls_push_record+0x1023/0x13e0
[ 38.423911]  kasan_end_report+0x47/0x4f
[ 38.427874]  kasan_report.cold.7+0x76/0x2fe
[ 38.432185]  __asan_report_store1_noabort+0x17/0x20
[ 38.437194]  tls_push_record+0x1023/0x13e0
[ 38.441442]  tls_sw_sendmsg+0x9de/0x12b0
[ 38.445527]  ? lock_release+0xa10/0xa10
[ 38.449537]  ? tls_sw_push_pending_record+0x30/0x30
[ 38.454573]  ? lock_downgrade+0x8e0/0x8e0
[ 38.458727]  ? __sanitizer_cov_trace_cmp2+0x7/0x20
[ 38.463655]  ? lock_release+0xa10/0xa10
[ 38.467632]  ? __check_object_size+0x95/0x5d9
[ 38.472123]  inet_sendmsg+0x19f/0x690
[ 38.475917]  ? __might_sleep+0x95/0x190
[ 38.479902]  ? ipip_gro_receive+0x100/0x100
[ 38.484226]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.489777]  ? security_socket_sendmsg+0x94/0xc0
[ 38.494530]  ? ipip_gro_receive+0x100/0x100
[ 38.499946]  sock_sendmsg+0xd5/0x120
[ 38.503678]  __sys_sendto+0x3d7/0x670
[ 38.507476]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 38.512150]  ? lock_downgrade+0x8e0/0x8e0
[ 38.516305]  ? __lock_is_held+0xb5/0x140
[ 38.520381]  ? __sb_end_write+0xac/0xe0
[ 38.524349]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.529889]  ? ksys_write+0x1a6/0x250
[ 38.533688]  ? __ia32_sys_read+0xb0/0xb0
[ 38.537750]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 38.542590]  __x64_sys_sendto+0xe1/0x1a0
[ 38.546647]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 38.551663]  do_syscall_64+0x1b1/0x800
[ 38.555563]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 38.560488]  ? syscall_return_slowpath+0x30f/0x5c0
[ 38.565420]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 38.570780]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.575625]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.580815] RIP: 0033:0x4416d9
[ 38.583994] RSP: 002b:00007ffd6ccdd758 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[ 38.591706] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004416d9
[ 38.598972] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[ 38.606248] RBP: 00007ffd6ccdd780 R08: 0000000020000000 R09: 000000000000001c
[ 38.613515] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000004
[ 38.620792] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[ 38.628703] Dumping ftrace buffer:
[ 38.632246]    (ftrace buffer empty)
[ 38.635941] Kernel Offset: disabled
[ 38.639557] Rebooting in 86400 seconds..
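The following triage helper is an added example and is not part of the syzkaller report above or of the kernel's KASAN code. It pulls the fields a triager looks at first out of a console log of this shape: the KASAN header (bug class and faulting function), the access line (read or write, size, address, task and PID), any fault-injection line that preceded the report, the refcount from the struct page dump, and the "Memory state around the buggy address" rows, from which it decodes the shadow byte covering the faulting address. The shadow-byte legend is generic KASAN's for 4.17-era kernels (mm/kasan/kasan.h): 0x00 addressable, 0x01..0x07 partially addressable, 0xff a freed page, 0xfc a slab redzone, 0xfb a freed slab object. The sample input is an excerpt of the report above with its line breaks restored; everything else (the regexes, class and function names) is this example's own.

```python
"""Triage helper for a syzkaller console log carrying a KASAN report (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shadow-byte encodings of generic KASAN in 4.17-era kernels (mm/kasan/kasan.h).
# Values 0..7 mean that many leading bytes of an 8-byte granule are addressable.
SHADOW_LEGEND = {
    0xFF: "freed page (KASAN_FREE_PAGE)", 0xFE: "kmalloc_large redzone (KASAN_PAGE_REDZONE)",
    0xFC: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)", 0xF8: "use-after-scope (KASAN_USE_AFTER_SCOPE)",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}
SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEADER = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FAULT = re.compile(r"^name (\w+), interval \d+, probability")
PAGE = re.compile(r"^page:[0-9a-f]+ count:(\d+) mapcount:(\d+)")
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

# Excerpt of the report above with its line breaks restored (sample input).
SAMPLE_LOG = """\
[ 34.525784] FAULT_INJECTION: forcing a failure.
[ 34.525784] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[ 37.992087] BUG: KASAN: use-after-free in tls_push_record+0x1023/0x13e0
[ 37.998853] Write of size 1 at addr ffff8801d88d5000 by task syz-executor377/4600
[ 38.008123] CPU: 1 PID: 4600 Comm: syz-executor377 Not tainted 4.17.0-rc6+ #61
[ 38.263713] page:ffffea0007623540 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 38.298850] Memory state around the buggy address:
[ 38.303785]  ffff8801d88d4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.311322]  ffff8801d88d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.318691] >ffff8801d88d5000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 38.326062]                    ^
[ 38.329489]  ffff8801d88d5080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""


@dataclass
class KasanReport:
    bug: str = ""
    where: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    injected_failure: Optional[str] = None  # fault-injection name seen before the BUG line
    page_count: Optional[int] = None        # struct page refcount from the page dump
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row base -> 16 shadow bytes

    def shadow_byte(self, addr: Optional[int] = None) -> Optional[int]:
        """Shadow byte covering addr (default: the faulting address), if it was dumped."""
        addr = self.addr if addr is None else addr
        for base, row in self.shadow.items():
            if base <= addr < base + len(row) * SHADOW_SCALE:
                return row[(addr - base) // SHADOW_SCALE]
        return None

    def describe_shadow(self, addr: Optional[int] = None) -> str:
        b = self.shadow_byte(addr)
        if b is None:
            return "shadow not in dump"
        if b < SHADOW_SCALE:
            return "fully addressable" if b == 0 else f"partially addressable ({b} of 8 bytes)"
        return SHADOW_LEGEND.get(b, f"unknown shadow value 0x{b:02x}")


def parse_kasan_report(log: str) -> KasanReport:
    """Pull the triage-relevant fields out of a console log, ignoring everything else."""
    rep = KasanReport()
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if m := HEADER.search(line):
            rep.bug, rep.where = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.addr, rep.task, rep.pid = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif (m := FAULT.match(line)) and rep.injected_failure is None:
            rep.injected_failure = m.group(1)
        elif m := PAGE.match(line):
            rep.page_count = int(m.group(1))
        elif m := SHADOW_ROW.match(line):
            rep.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rep


def summary(rep: KasanReport) -> str:
    """One-line triage summary of the kind pasted into a bug tracker."""
    inj = f" after injected {rep.injected_failure}" if rep.injected_failure else ""
    return (f"{rep.bug}: {rep.access.lower()} of {rep.size} byte(s) at 0x{rep.addr:x} in "
            f"{rep.where} by {rep.task}/{rep.pid}{inj}; shadow: {rep.describe_shadow()}")


if __name__ == "__main__":
    print(summary(parse_kasan_report(SAMPLE_LOG)))
```

Run on the log above it yields a 1-byte write by syz-executor377/4600 in tls_push_record into memory whose shadow byte is 0xff (freed page), corroborated by the struct page dump showing count:0; both agree with the use-after-free class KASAN printed. The fail_page_alloc injection recorded a few seconds earlier, in the same PID's tls_sw_sendmsg path under skb_page_frag_refill, is the first thing to read alongside the bad write, since it is the allocation failure syzkaller forced before the report. Newer kernels print the shadow legend inline at the end of the report; the table here only fills that gap for older logs such as this one.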