[....] Starting OpenBSD Secure Shell server: sshd
[   24.621724] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   28.316172] random: sshd: uninitialized urandom read (32 bytes read)
[   28.654299] random: sshd: uninitialized urandom read (32 bytes read)
[   29.262113] random: sshd: uninitialized urandom read (32 bytes read)
[  160.486251] random: sshd: uninitialized urandom read (32 bytes read)
[  160.631962] sshd (5322) used greatest stack depth: 16440 bytes left
Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
[  166.146126] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/08 11:13:56 parsed 1 programs
[  167.698686] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/08 11:13:58 executed programs: 0
[  168.987368] IPVS: ftp: loaded support on port[0] = 21
[  169.228575] bridge0: port 1(bridge_slave_0) entered blocking state
[  169.235340] bridge0: port 1(bridge_slave_0) entered disabled state
[  169.242599] device bridge_slave_0 entered promiscuous mode
[  169.261967] bridge0: port 2(bridge_slave_1) entered blocking state
[  169.268670] bridge0: port 2(bridge_slave_1) entered disabled state
[  169.275651] device bridge_slave_1 entered promiscuous mode
[  169.293760] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  169.312028] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  169.361818] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  169.381849] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  169.457951] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  169.465238] team0: Port device team_slave_0 added
[  169.482092] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  169.489423] team0: Port device team_slave_1 added
[  169.506885] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  169.526632] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  169.547757] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  169.568338] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  169.716229] bridge0: port 2(bridge_slave_1) entered blocking state
[  169.722952] bridge0: port 2(bridge_slave_1) entered forwarding state
[  169.729913] bridge0: port 1(bridge_slave_0) entered blocking state
[  169.736255] bridge0: port 1(bridge_slave_0) entered forwarding state
[  170.242934] 8021q: adding VLAN 0 to HW filter on device bond0
[  170.294150] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  170.345547] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  170.352048] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  170.359645] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  170.404396] 8021q: adding VLAN 0 to HW filter on device team0
[  170.764880] ==================================================================
[  170.772494] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[  170.778456] Read of size 8 at addr ffff8801c37fe0f0 by task syz-executor0/5598
[  170.785797]
[  170.787421] CPU: 1 PID: 5598 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #130
[  170.794789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  170.804204] Call Trace:
[  170.806877]  dump_stack+0x1c4/0x2b4
[  170.810500]  ? dump_stack_print_info.cold.2+0x52/0x52
[  170.815743]  ? printk+0xa7/0xcf
[  170.819022]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  170.823772]  print_address_description.cold.8+0x9/0x1ff
[  170.829126]  kasan_report.cold.9+0x242/0x309
[  170.833523]  ? sock_i_ino+0x94/0xa0
[  170.837138]  __asan_report_load8_noabort+0x14/0x20
[  170.842061]  sock_i_ino+0x94/0xa0
[  170.845507]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  170.850168]  ? tipc_diag_dump+0x30/0x30
[  170.854143]  ? tipc_getname+0x7f0/0x7f0
[  170.858111]  ? graph_lock+0x170/0x170
[  170.861896]  ? __lock_sock+0x203/0x350
[  170.865775]  ? find_held_lock+0x36/0x1c0
[  170.869831]  ? mark_held_locks+0xc7/0x130
[  170.873969]  ? __local_bh_enable_ip+0x160/0x260
[  170.878622]  ? __local_bh_enable_ip+0x160/0x260
[  170.883273]  ? lockdep_hardirqs_on+0x421/0x5c0
[  170.887846]  ? trace_hardirqs_on+0xbd/0x310
[  170.892151]  ? lock_release+0x970/0x970
[  170.896113]  ? lock_sock_nested+0xe2/0x120
[  170.900333]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  170.905334]  ? skb_put+0x17b/0x1e0
[  170.908928]  ? memset+0x31/0x40
[  170.912204]  ? __nlmsg_put+0x14c/0x1b0
[  170.916081]  __tipc_add_sock_diag+0x233/0x360
[  170.920575]  tipc_nl_sk_walk+0x122/0x1d0
[  170.924624]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  170.929892]  tipc_diag_dump+0x24/0x30
[  170.933759]  netlink_dump+0x519/0xd50
[  170.937574]  ? netlink_broadcast+0x50/0x50
[  170.941814]  __netlink_dump_start+0x4f1/0x6f0
[  170.946460]  ? tipc_data_ready+0x3e0/0x3e0
[  170.950752]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  170.955852]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  170.960519]  ? tipc_data_ready+0x3e0/0x3e0
[  170.964746]  ? tipc_unregister_sysctl+0x20/0x20
[  170.969414]  ? tipc_ioctl+0x3a0/0x3a0
[  170.973202]  ? netlink_deliver_tap+0x355/0xf80
[  170.977774]  sock_diag_rcv_msg+0x31d/0x410
[  170.982005]  netlink_rcv_skb+0x172/0x440
[  170.986060]  ? sock_diag_bind+0x80/0x80
[  170.990025]  ? netlink_ack+0xb80/0xb80
[  170.993901]  sock_diag_rcv+0x2a/0x40
[  170.997601]  netlink_unicast+0x5a5/0x760
[  171.001743]  ? netlink_attachskb+0x9a0/0x9a0
[  171.006153]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  171.011690]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  171.016703]  netlink_sendmsg+0xa18/0xfc0
[  171.020755]  ? move_addr_to_kernel.part.18+0xc6/0x100
[  171.025988]  ? netlink_unicast+0x760/0x760
[  171.030220]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  171.035143]  ? apparmor_socket_sendmsg+0x29/0x30
[  171.039890]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  171.045420]  ? security_socket_sendmsg+0x94/0xc0
[  171.050174]  ? netlink_unicast+0x760/0x760
[  171.054402]  sock_sendmsg+0xd5/0x120
[  171.058107]  ___sys_sendmsg+0x7fd/0x930
[  171.062072]  ? __local_bh_enable_ip+0x160/0x260
[  171.066734]  ? copy_msghdr_from_user+0x580/0x580
[  171.071479]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  171.076920]  ? release_sock+0x1ec/0x2c0
[  171.080888]  ? __fget_light+0x2e9/0x430
[  171.084850]  ? fget_raw+0x20/0x20
[  171.088299]  ? __release_sock+0x3a0/0x3a0
[  171.092442]  ? tipc_nametbl_build_group+0x273/0x360
[  171.097456]  ? tipc_setsockopt+0x726/0xd70
[  171.101684]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  171.107211]  ? sockfd_lookup_light+0xc5/0x160
[  171.111694]  __sys_sendmsg+0x11d/0x280
[  171.115609]  ? __ia32_sys_shutdown+0x80/0x80
[  171.120716]  ? do_fast_syscall_32+0x150/0xfb2
[  171.125207]  ? do_fast_syscall_32+0x150/0xfb2
[  171.129808]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  171.135253]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  171.140008]  do_fast_syscall_32+0x34d/0xfb2
[  171.144324]  ? do_int80_syscall_32+0x890/0x890
[  171.148903]  ? entry_SYSENTER_compat+0x68/0x7f
[  171.153475]  ? trace_hardirqs_off_caller+0xbb/0x310
[  171.158490]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  171.163330]  ? trace_hardirqs_on_caller+0x310/0x310
[  171.168338]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  171.173346]  ? recalc_sigpending_tsk+0x180/0x180
[  171.178094]  ? kasan_check_write+0x14/0x20
[  171.182324]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  171.187163]  entry_SYSENTER_compat+0x70/0x7f
[  171.191564] RIP: 0023:0xf7fb7ca9
[  171.194920] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  171.213829] RSP: 002b:00000000f7fb30cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[  171.221534] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[  171.228845] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  171.236114] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  171.243374] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  171.250631] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  171.257899]
[  171.259511] Allocated by task 5598:
[  171.263189]  save_stack+0x43/0xd0
[  171.266640]  kasan_kmalloc+0xc7/0xe0
[  171.270341]  kasan_slab_alloc+0x12/0x20
[  171.274312]  kmem_cache_alloc+0x12e/0x730
[  171.278446]  sock_alloc_inode+0x1d/0x260
[  171.282545]  alloc_inode+0x63/0x190
[  171.286166]  new_inode_pseudo+0x71/0x1a0
[  171.290222]  sock_alloc+0x41/0x270
[  171.293749]  __sock_create+0x175/0x930
[  171.297653]  __sys_socket+0x106/0x260
[  171.301953]  __ia32_sys_socket+0x73/0xb0
[  171.306006]  do_fast_syscall_32+0x34d/0xfb2
[  171.310316]  entry_SYSENTER_compat+0x70/0x7f
[  171.314703]
[  171.316309] Freed by task 5597:
[  171.319572]  save_stack+0x43/0xd0
[  171.323004]  __kasan_slab_free+0x102/0x150
[  171.327220]  kasan_slab_free+0xe/0x10
[  171.331001]  kmem_cache_free+0x83/0x290
[  171.334955]  sock_destroy_inode+0x51/0x60
[  171.339086]  destroy_inode+0x159/0x200
[  171.342952]  evict+0x5e0/0x980
[  171.346124]  iput+0x679/0xa90
[  171.349305]  dentry_unlink_inode+0x461/0x5e0
[  171.353694]  __dentry_kill+0x44c/0x7a0
[  171.357566]  dentry_kill+0xc9/0x5a0
[  171.361173]  dput.part.26+0x660/0x790
[  171.364955]  dput+0x15/0x20
[  171.367869]  __fput+0x4cf/0xa30
[  171.371126]  ____fput+0x15/0x20
[  171.374390]  task_work_run+0x1e8/0x2a0
[  171.378261]  exit_to_usermode_loop+0x318/0x380
[  171.382834]  do_fast_syscall_32+0xcd5/0xfb2
[  171.387142]  entry_SYSENTER_compat+0x70/0x7f
[  171.391540]
[  171.393152] The buggy address belongs to the object at ffff8801c37fe080
[  171.393152]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[  171.407005] The buggy address is located 112 bytes inside of
[  171.407005]  984-byte region [ffff8801c37fe080, ffff8801c37fe458)
[  171.418856] The buggy address belongs to the page:
[  171.423767] page:ffffea00070dff80 count:1 mapcount:0 mapping:ffff8801cb126800 index:0xffff8801c37feffd
[  171.433193] flags: 0x2fffc0000000100(slab)
[  171.437415] raw: 02fffc0000000100 ffffea00070d2988 ffffea0007690788 ffff8801cb126800
[  171.445282] raw: ffff8801c37feffd ffff8801c37fe080 0000000100000003 ffff8801b9330980
[  171.453141] page dumped because: kasan: bad access detected
[  171.458832] page->mem_cgroup:ffff8801b9330980
[  171.463302]
[  171.464907] Memory state around the buggy address:
[  171.469903]  ffff8801c37fdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  171.477240]  ffff8801c37fe000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  171.484663] >ffff8801c37fe080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  171.491998]                                                              ^
[  171.498992]  ffff8801c37fe100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  171.506330]  ffff8801c37fe180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  171.513668] ==================================================================
[  171.521088] Disabling lock debugging due to kernel taint
[  171.526592] Kernel panic - not syncing: panic_on_warn set ...
[  171.526592]
[  171.533966] CPU: 1 PID: 5598 Comm: syz-executor0 Tainted: G    B             4.19.0-rc2+ #130
[  171.542618] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  171.551951] Call Trace:
[  171.554527]  dump_stack+0x1c4/0x2b4
[  171.558138]  ? dump_stack_print_info.cold.2+0x52/0x52
[  171.563315]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  171.568059]  panic+0x238/0x4e7
[  171.571235]  ? add_taint.cold.5+0x16/0x16
[  171.575366]  ? trace_hardirqs_on+0x9a/0x310
[  171.579681]  ? trace_hardirqs_on+0xb4/0x310
[  171.583998]  ? trace_hardirqs_on+0xb4/0x310
[  171.588307]  kasan_end_report+0x47/0x4f
[  171.592266]  kasan_report.cold.9+0x76/0x309
[  171.596581]  ? sock_i_ino+0x94/0xa0
[  171.600191]  __asan_report_load8_noabort+0x14/0x20
[  171.605147]  sock_i_ino+0x94/0xa0
[  171.608591]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  171.613245]  ? tipc_diag_dump+0x30/0x30
[  171.617204]  ? tipc_getname+0x7f0/0x7f0
[  171.621180]  ? graph_lock+0x170/0x170
[  171.624966]  ? __lock_sock+0x203/0x350
[  171.628840]  ? find_held_lock+0x36/0x1c0
[  171.632885]  ? mark_held_locks+0xc7/0x130
[  171.637017]  ? __local_bh_enable_ip+0x160/0x260
[  171.641666]  ? __local_bh_enable_ip+0x160/0x260
[  171.646318]  ? lockdep_hardirqs_on+0x421/0x5c0
[  171.650885]  ? trace_hardirqs_on+0xbd/0x310
[  171.655189]  ? lock_release+0x970/0x970
[  171.659147]  ? lock_sock_nested+0xe2/0x120
[  171.663364]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  171.668361]  ? skb_put+0x17b/0x1e0
[  171.671891]  ? memset+0x31/0x40
[  171.675177]  ? __nlmsg_put+0x14c/0x1b0
[  171.679062]  __tipc_add_sock_diag+0x233/0x360
[  171.683543]  tipc_nl_sk_walk+0x122/0x1d0
[  171.687594]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  171.692855]  tipc_diag_dump+0x24/0x30
[  171.696638]  netlink_dump+0x519/0xd50
[  171.700424]  ? netlink_broadcast+0x50/0x50
[  171.704644]  __netlink_dump_start+0x4f1/0x6f0
[  171.709127]  ? tipc_data_ready+0x3e0/0x3e0
[  171.713349]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  171.718434]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  171.723086]  ? tipc_data_ready+0x3e0/0x3e0
[  171.727303]  ? tipc_unregister_sysctl+0x20/0x20
[  171.731953]  ? tipc_ioctl+0x3a0/0x3a0
[  171.735738]  ? netlink_deliver_tap+0x355/0xf80
[  171.740311]  sock_diag_rcv_msg+0x31d/0x410
[  171.744533]  netlink_rcv_skb+0x172/0x440
[  171.748577]  ? sock_diag_bind+0x80/0x80
[  171.752535]  ? netlink_ack+0xb80/0xb80
[  171.756407]  sock_diag_rcv+0x2a/0x40
[  171.760106]  netlink_unicast+0x5a5/0x760
[  171.764152]  ? netlink_attachskb+0x9a0/0x9a0
[  171.768548]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  171.774070]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  171.779073]  netlink_sendmsg+0xa18/0xfc0
[  171.783118]  ? move_addr_to_kernel.part.18+0xc6/0x100
[  171.788303]  ? netlink_unicast+0x760/0x760
[  171.792524]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  171.797438]  ? apparmor_socket_sendmsg+0x29/0x30
[  171.802179]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  171.807718]  ? security_socket_sendmsg+0x94/0xc0
[  171.812456]  ? netlink_unicast+0x760/0x760
[  171.816675]  sock_sendmsg+0xd5/0x120
[  171.820373]  ___sys_sendmsg+0x7fd/0x930
[  171.824333]  ? __local_bh_enable_ip+0x160/0x260
[  171.828988]  ? copy_msghdr_from_user+0x580/0x580
[  171.833727]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  171.839177]  ? release_sock+0x1ec/0x2c0
[  171.843139]  ? __fget_light+0x2e9/0x430
[  171.847096]  ? fget_raw+0x20/0x20
[  171.850549]  ? __release_sock+0x3a0/0x3a0
[  171.854683]  ? tipc_nametbl_build_group+0x273/0x360
[  171.859700]  ? tipc_setsockopt+0x726/0xd70
[  171.863924]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  171.869446]  ? sockfd_lookup_light+0xc5/0x160
[  171.873928]  __sys_sendmsg+0x11d/0x280
[  171.877802]  ? __ia32_sys_shutdown+0x80/0x80
[  171.882204]  ? do_fast_syscall_32+0x150/0xfb2
[  171.886688]  ? do_fast_syscall_32+0x150/0xfb2
[  171.891199]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  171.896647]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  171.901389]  do_fast_syscall_32+0x34d/0xfb2
[  171.905696]  ? do_int80_syscall_32+0x890/0x890
[  171.910262]  ? entry_SYSENTER_compat+0x68/0x7f
[  171.914839]  ? trace_hardirqs_off_caller+0xbb/0x310
[  171.919862]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  171.924688]  ? trace_hardirqs_on_caller+0x310/0x310
[  171.937638]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  171.942641]  ? recalc_sigpending_tsk+0x180/0x180
[  171.947384]  ? kasan_check_write+0x14/0x20
[  171.951618]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  171.956466]  entry_SYSENTER_compat+0x70/0x7f
[  171.960867] RIP: 0023:0xf7fb7ca9
[  171.964238] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  171.983125] RSP: 002b:00000000f7fb30cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
[  171.990817] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000040
[  171.998074] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  172.005325] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  172.012601] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  172.019851] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  172.027540] Dumping ftrace buffer:
[  172.031069]    (ftrace buffer empty)
[  172.035369] Kernel Offset: disabled
[  172.038993] Rebooting in 86400 seconds..
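The log above is the raw console output; before opening net/tipc/socket.c a triager normally wants the same facts pulled out mechanically and cross-checked. The Python below is an added example for this page, not part of the syzbot report or of the kernel tree. It parses the KASAN block: strips the console timestamps, extracts the bug class and faulting function, the access size and address, the allocating and freeing tasks with their stacks, the slab cache and object bounds, then verifies that the reported 112-byte offset equals the access address minus the object start and flags that the freeing task (5597) differs from the accessing task (5598), i.e. the inode was torn down on another thread's close path while the diag dump still held the socket. The embedded sample is an excerpt of the report above with some frames dropped for length; the helper names and the list of KASAN-internal frames to skip are my own choices.

```python
# Added triage helper for the KASAN report above; not part of the syzbot report
# or of the kernel tree. Reduces the console log to the facts that decide how a
# use-after-free is triaged, then cross-checks them against each other.
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[  170.772494] " console prefix
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
HEADER = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
REGION = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
INSIDE = re.compile(r"located (\d+) bytes inside of")
# Frames that belong to the reporting machinery, not to the bug itself (my choice).
KASAN_FRAMES = ("dump_stack", "print_address_description", "kasan_report", "__asan_report")

# Excerpt of the console log above (frames trimmed for length; values as printed).
KASAN_REPORT = """\
[  170.772494] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[  170.778456] Read of size 8 at addr ffff8801c37fe0f0 by task syz-executor0/5598
[  170.804204] Call Trace:
[  170.806877]  dump_stack+0x1c4/0x2b4
[  170.829126]  kasan_report.cold.9+0x242/0x309
[  170.833523]  ? sock_i_ino+0x94/0xa0
[  170.837138]  __asan_report_load8_noabort+0x14/0x20
[  170.842061]  sock_i_ino+0x94/0xa0
[  170.845507]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  170.850168]  ? tipc_diag_dump+0x30/0x30
[  170.916081]  __tipc_add_sock_diag+0x233/0x360
[  170.929892]  tipc_diag_dump+0x24/0x30
[  170.977774]  sock_diag_rcv_msg+0x31d/0x410
[  171.187163]  entry_SYSENTER_compat+0x70/0x7f
[  171.191564] RIP: 0023:0xf7fb7ca9
[  171.257899]
[  171.259511] Allocated by task 5598:
[  171.263189]  save_stack+0x43/0xd0
[  171.274312]  kmem_cache_alloc+0x12e/0x730
[  171.278446]  sock_alloc_inode+0x1d/0x260
[  171.297653]  __sock_create+0x175/0x930
[  171.301953]  __ia32_sys_socket+0x73/0xb0
[  171.314703]
[  171.316309] Freed by task 5597:
[  171.319572]  save_stack+0x43/0xd0
[  171.331001]  kmem_cache_free+0x83/0x290
[  171.334955]  sock_destroy_inode+0x51/0x60
[  171.346124]  iput+0x679/0xa90
[  171.367869]  __fput+0x4cf/0xa30
[  171.378261]  task_work_run+0x1e8/0x2a0
[  171.391540]
[  171.393152] The buggy address belongs to the object at ffff8801c37fe080
[  171.393152]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[  171.407005] The buggy address is located 112 bytes inside of
[  171.407005]  984-byte region [ffff8801c37fe080, ffff8801c37fe458)
"""


def _stack(lines, start):
    """Frames after lines[start], up to the first non-frame line.
    '?' frames are stale guesses by the unwinder and are dropped."""
    frames = []
    for line in lines[start + 1:]:
        m = FRAME.match(line)
        if not m:
            break
        if not m.group(1):
            frames.append(m.group(2))
    return frames


def parse_kasan_report(text):
    lines = [TS.sub("", ln) for ln in text.splitlines()]
    rep = {}
    for i, line in enumerate(lines):
        if m := HEADER.search(line):
            rep["bug"], rep["func"] = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["task"], rep["pid"] = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif line.startswith("Call Trace:"):
            rep["trace"] = _stack(lines, i)
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep["alloc_pid"], rep["alloc_stack"] = int(m.group(1)), _stack(lines, i)
        elif m := re.match(r"Freed by task (\d+):", line):
            rep["free_pid"], rep["free_stack"] = int(m.group(1)), _stack(lines, i)
        elif m := CACHE.search(line):
            rep["cache"] = re.sub(r"\(.*\)$", "", m.group(1))  # drop "(17:syz0)" memcg tag
            rep["obj_size"] = int(m.group(2))
        elif m := REGION.search(line):
            rep["obj_start"], rep["obj_end"] = int(m.group(2), 16), int(m.group(3), 16)
        elif m := INSIDE.search(line):
            rep["offset_reported"] = int(m.group(1))
    return rep


def triage(rep):
    """Cross-check the parsed report and name the frames that matter."""
    live = [f for f in rep["trace"] if not f.startswith(KASAN_FRAMES)]
    return {
        # Reported offset must equal addr - object start and land inside the object.
        "offset_consistent": rep["addr"] - rep["obj_start"] == rep["offset_reported"]
        and rep["obj_start"] <= rep["addr"] < rep["obj_end"],
        # A different freeing task means a concurrent teardown raced the use.
        "cross_task_free": rep["alloc_pid"] != rep["free_pid"],
        # Object released on the fd-close path (__fput -> iput -> sock_destroy_inode).
        "freed_via_close": "__fput" in rep["free_stack"],
        "faulting_frame": live[0] if live else None,   # where the stale pointer was read
        "caller": live[1] if len(live) > 1 else None,  # the subsystem code that called it
    }
```

Run `triage(parse_kasan_report(KASAN_REPORT))` on the excerpt and the result names `sock_i_ino` as the faulting frame, `tipc_sk_fill_sock_diag` as its caller, and reports a cross-task free on the close path with a consistent 112-byte offset (0xffff8801c37fe0f0 minus 0xffff8801c37fe080); the same parser applies unchanged to other KASAN slab reports that keep this layout.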