[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 26.125818] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.691500] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.109080] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.715602] random: sshd: uninitialized urandom read (32 bytes read)
[ 98.087240] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts.
[ 103.842645] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/12 13:11:10 parsed 1 programs
[ 105.112038] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/12 13:11:12 executed programs: 0
[ 106.192473] IPVS: ftp: loaded support on port[0] = 21
[ 106.439487] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.446175] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.453466] device bridge_slave_0 entered promiscuous mode
[ 106.471874] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.478361] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.485805] device bridge_slave_1 entered promiscuous mode
[ 106.503646] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 106.521619] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 106.573010] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 106.593188] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 106.667874] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 106.675553] team0: Port device team_slave_0 added
[ 106.693139] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 106.700252] team0: Port device team_slave_1 added
[ 106.717778] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 106.736465] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 106.755872] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 106.774936] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 106.922252] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.928761] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 106.935647] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.942087] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.456671] 8021q: adding VLAN 0 to HW filter on device bond0
[ 107.508476] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 107.561065] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 107.567181] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 107.574677] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 107.618138] 8021q: adding VLAN 0 to HW filter on device team0
[ 107.999651] ==================================================================
[ 108.007136] BUG: KASAN: use-after-free in __dev_map_entry_free+0x2ab/0x300
[ 108.014244] Read of size 8 at addr ffff8801cf56e888 by task ksoftirqd/1/18
[ 108.021240]
[ 108.022868] CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc2+ #212
[ 108.029843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 108.039228] Call Trace:
[ 108.039253]  dump_stack+0x1c4/0x2b4
[ 108.039264]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 108.039274]  ? printk+0xa7/0xcf
[ 108.039283]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 108.039305]  print_address_description.cold.8+0x9/0x1ff
[ 108.039316]  kasan_report.cold.9+0x242/0x309
[ 108.045606]  ? __dev_map_entry_free+0x2ab/0x300
[ 108.073218]  __asan_report_load8_noabort+0x14/0x20
[ 108.078166]  __dev_map_entry_free+0x2ab/0x300
[ 108.082768]  ? dev_map_delete_elem+0x120/0x120
[ 108.087354]  rcu_process_callbacks+0xf23/0x2670
[ 108.092040]  ? __rcu_read_unlock+0x2f0/0x2f0
[ 108.096448]  ? lock_is_held_type+0x210/0x210
[ 108.100875]  ? graph_lock+0x170/0x170
[ 108.104669]  ? pick_next_task_fair+0x98e/0x17c0
[ 108.109373]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.115023]  ? check_preemption_disabled+0x48/0x200
[ 108.120028]  ? check_preemption_disabled+0x48/0x200
[ 108.125040]  ? finish_task_switch+0x1f5/0x900
[ 108.129538]  ? _raw_spin_unlock_irq+0x27/0x80
[ 108.129548]  ? _raw_spin_unlock_irq+0x27/0x80
[ 108.129558]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 108.129569]  ? trace_hardirqs_on+0xbd/0x310
[ 108.129580]  ? kasan_check_read+0x11/0x20
[ 108.129602]  ? finish_task_switch+0x1f5/0x900
[ 108.137194] cgroup: fork rejected by pids controller in
[ 108.138574]  ? compat_start_thread+0x80/0x80
[ 108.138589]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.149127] /syz0
[ 108.151693]  ? kasan_check_write+0x14/0x20
[ 108.151708]  ? finish_task_switch+0x2f5/0x900
[ 108.151719]  ? __switch_to_asm+0x40/0x70
[ 108.161730]  ? preempt_notifier_register+0x200/0x200
[ 108.161741]  ? __switch_to_asm+0x34/0x70
[ 108.161749]  ? __switch_to_asm+0x34/0x70
[ 108.161756]  ? __switch_to_asm+0x40/0x70
[ 108.161763]  ? __switch_to_asm+0x34/0x70
[ 108.161769]  ? __switch_to_asm+0x40/0x70
[ 108.161776]  ? __switch_to_asm+0x34/0x70
[ 108.161783]  ? __switch_to_asm+0x40/0x70
[ 108.161790]  ? __switch_to_asm+0x34/0x70
[ 108.161803]  ? pvclock_read_flags+0x160/0x160
[ 108.161816]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.161826]  ? check_preemption_disabled+0x48/0x200
[ 108.161833]  ? check_preemption_disabled+0x48/0x200
[ 108.161848]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[ 108.161856]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 108.161865]  ? rcu_pm_notify+0xc0/0xc0
[ 108.161882]  __do_softirq+0x30b/0xad8
[ 108.161897]  ? __irqentry_text_end+0x1f9618/0x1f9618
[ 108.161909]  ? schedule+0x108/0x460
[ 108.161924]  ? trace_hardirqs_off+0xb8/0x300
[ 108.161932]  ? ___might_sleep+0x1ed/0x300
[ 108.161939]  ? smpboot_thread_fn+0x68b/0xa00
[ 108.161947]  ? trace_hardirqs_on+0x310/0x310
[ 108.161955]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 108.161963]  ? check_preemption_disabled+0x48/0x200
[ 108.161970]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.161981]  ? takeover_tasklets+0xa90/0xa90
[ 108.161999]  run_ksoftirqd+0x94/0x100
[ 108.162008]  smpboot_thread_fn+0x68b/0xa00
[ 108.162020]  ? sort_range+0x30/0x30
[ 108.321092]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 108.326250]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 108.331792]  ? __kthread_parkme+0xfb/0x1a0
[ 108.336029]  kthread+0x35a/0x420
[ 108.339388]  ? sort_range+0x30/0x30
[ 108.343012]  ? kthread_bind+0x40/0x40
[ 108.346811]  ret_from_fork+0x3a/0x50
[ 108.350626]
[ 108.352348] Allocated by task 5620:
[ 108.355965]  save_stack+0x43/0xd0
[ 108.359426]  kasan_kmalloc+0xc7/0xe0
[ 108.363127]  kmem_cache_alloc_trace+0x152/0x750
[ 108.367830]  dev_map_alloc+0x210/0x810
[ 108.371708]  map_create+0x3bd/0x10f0
[ 108.375406]  __x64_sys_bpf+0x303/0x510
[ 108.379280]  do_syscall_64+0x1b9/0x820
[ 108.383154]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 108.388329]
[ 108.389948] Freed by task 5:
[ 108.392965]  save_stack+0x43/0xd0
[ 108.396418]  __kasan_slab_free+0x102/0x150
[ 108.400644]  kasan_slab_free+0xe/0x10
[ 108.404436]  kfree+0xcf/0x230
[ 108.407536]  dev_map_free+0x514/0x690
[ 108.411353]  bpf_map_free_deferred+0xba/0xf0
[ 108.415761]  process_one_work+0xc90/0x1b90
[ 108.419983]  worker_thread+0x17f/0x1390
[ 108.423959]  kthread+0x35a/0x420
[ 108.427325]  ret_from_fork+0x3a/0x50
[ 108.431058]
[ 108.432679] The buggy address belongs to the object at ffff8801cf56e780
[ 108.432679]  which belongs to the cache kmalloc-512 of size 512
[ 108.445364] The buggy address is located 264 bytes inside of
[ 108.445364]  512-byte region [ffff8801cf56e780, ffff8801cf56e980)
[ 108.457231] The buggy address belongs to the page:
[ 108.462148] page:ffffea00073d5b80 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 108.470279] flags: 0x2fffc0000000100(slab)
[ 108.474527] raw: 02fffc0000000100 ffffea00073d8308 ffffea00074f8288 ffff8801da800940
[ 108.482397] raw: 0000000000000000 ffff8801cf56e000 0000000100000006 0000000000000000
[ 108.490372] page dumped because: kasan: bad access detected
[ 108.496089]
[ 108.497697] Memory state around the buggy address:
[ 108.502615]  ffff8801cf56e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.510008]  ffff8801cf56e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.517488] >ffff8801cf56e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.524840]                       ^
[ 108.528465]  ffff8801cf56e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 108.535820]  ffff8801cf56e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 108.543173] ==================================================================
[ 108.550522] Disabling lock debugging due to kernel taint
[ 108.556088] Kernel panic - not syncing: panic_on_warn set ...
[ 108.556088]
[ 108.563466] CPU: 1 PID: 18 Comm: ksoftirqd/1 Tainted: G    B             4.19.0-rc2+ #212
[ 108.571770] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 108.581108] Call Trace:
[ 108.583686]  dump_stack+0x1c4/0x2b4
[ 108.587297]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 108.592471]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 108.597218]  panic+0x238/0x4e7
[ 108.600397]  ? add_taint.cold.5+0x16/0x16
[ 108.604597]  ? trace_hardirqs_on+0xb4/0x310
[ 108.608911]  kasan_end_report+0x47/0x4f
[ 108.612877]  kasan_report.cold.9+0x76/0x309
[ 108.617188]  ? __dev_map_entry_free+0x2ab/0x300
[ 108.621852]  __asan_report_load8_noabort+0x14/0x20
[ 108.626774]  __dev_map_entry_free+0x2ab/0x300
[ 108.631254]  ? dev_map_delete_elem+0x120/0x120
[ 108.635899]  rcu_process_callbacks+0xf23/0x2670
[ 108.640784]  ? __rcu_read_unlock+0x2f0/0x2f0
[ 108.645181]  ? lock_is_held_type+0x210/0x210
[ 108.649579]  ? graph_lock+0x170/0x170
[ 108.653433]  ? pick_next_task_fair+0x98e/0x17c0
[ 108.658102]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.663657]  ? check_preemption_disabled+0x48/0x200
[ 108.668660]  ? check_preemption_disabled+0x48/0x200
[ 108.673665]  ? finish_task_switch+0x1f5/0x900
[ 108.678157]  ? _raw_spin_unlock_irq+0x27/0x80
[ 108.682638]  ? _raw_spin_unlock_irq+0x27/0x80
[ 108.687118]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 108.691686]  ? trace_hardirqs_on+0xbd/0x310
[ 108.695997]  ? kasan_check_read+0x11/0x20
[ 108.700134]  ? finish_task_switch+0x1f5/0x900
[ 108.704611]  ? compat_start_thread+0x80/0x80
[ 108.709021]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.714563]  ? kasan_check_write+0x14/0x20
[ 108.718785]  ? finish_task_switch+0x2f5/0x900
[ 108.723265]  ? __switch_to_asm+0x40/0x70
[ 108.727308]  ? preempt_notifier_register+0x200/0x200
[ 108.732394]  ? __switch_to_asm+0x34/0x70
[ 108.736437]  ? __switch_to_asm+0x34/0x70
[ 108.740500]  ? __switch_to_asm+0x40/0x70
[ 108.744569]  ? __switch_to_asm+0x34/0x70
[ 108.748613]  ? __switch_to_asm+0x40/0x70
[ 108.752656]  ? __switch_to_asm+0x34/0x70
[ 108.756698]  ? __switch_to_asm+0x40/0x70
[ 108.760742]  ? __switch_to_asm+0x34/0x70
[ 108.764790]  ? pvclock_read_flags+0x160/0x160
[ 108.769268]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.774788]  ? check_preemption_disabled+0x48/0x200
[ 108.779801]  ? check_preemption_disabled+0x48/0x200
[ 108.784822]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[ 108.790348]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 108.795628]  ? rcu_pm_notify+0xc0/0xc0
[ 108.799505]  __do_softirq+0x30b/0xad8
[ 108.803317]  ? __irqentry_text_end+0x1f9618/0x1f9618
[ 108.808406]  ? schedule+0x108/0x460
[ 108.812024]  ? trace_hardirqs_off+0xb8/0x300
[ 108.816417]  ? ___might_sleep+0x1ed/0x300
[ 108.820550]  ? smpboot_thread_fn+0x68b/0xa00
[ 108.824947]  ? trace_hardirqs_on+0x310/0x310
[ 108.829339]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 108.834861]  ? check_preemption_disabled+0x48/0x200
[ 108.839866]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.845388]  ? takeover_tasklets+0xa90/0xa90
[ 108.849782]  run_ksoftirqd+0x94/0x100
[ 108.853565]  smpboot_thread_fn+0x68b/0xa00
[ 108.857794]  ? sort_range+0x30/0x30
[ 108.861409]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 108.866496]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 108.872026]  ? __kthread_parkme+0xfb/0x1a0
[ 108.876267]  kthread+0x35a/0x420
[ 108.879636]  ? sort_range+0x30/0x30
[ 108.883245]  ? kthread_bind+0x40/0x40
[ 108.887392]  ret_from_fork+0x3a/0x50
[ 108.891953] Kernel Offset: disabled
[ 108.895579] Rebooting in 86400 seconds..