[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   24.073453] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[   24.775054] random: sshd: uninitialized urandom read (32 bytes read)
[   25.074694] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.670444] random: sshd: uninitialized urandom read (32 bytes read)
[   86.074709] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   91.724166] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/06 04:49:32 parsed 1 programs
[   92.962965] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/06 04:49:34 executed programs: 0
[   94.093037] IPVS: ftp: loaded support on port[0] = 21
[   94.314859] bridge0: port 1(bridge_slave_0) entered blocking state
[   94.321377] bridge0: port 1(bridge_slave_0) entered disabled state
[   94.329033] device bridge_slave_0 entered promiscuous mode
[   94.348226] bridge0: port 2(bridge_slave_1) entered blocking state
[   94.354701] bridge0: port 2(bridge_slave_1) entered disabled state
[   94.361951] device bridge_slave_1 entered promiscuous mode
[   94.379086] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   94.396577] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   94.441444] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   94.460271] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   94.525463] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   94.532849] team0: Port device team_slave_0 added
[   94.547945] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   94.555076] team0: Port device team_slave_1 added
[   94.571213] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   94.587750] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   94.604691] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   94.621469] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   94.748868] bridge0: port 2(bridge_slave_1) entered blocking state
[   94.755396] bridge0: port 2(bridge_slave_1) entered forwarding state
[   94.762261] bridge0: port 1(bridge_slave_0) entered blocking state
[   94.768735] bridge0: port 1(bridge_slave_0) entered forwarding state
[   95.209924] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   95.216197] 8021q: adding VLAN 0 to HW filter on device bond0
[   95.261042] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   95.298689] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   95.312814] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   95.318984] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   95.326265] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   95.364751] 8021q: adding VLAN 0 to HW filter on device team0
[   95.785813] ==================================================================
[   95.793465] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[   95.799432] Read of size 8 at addr ffff8801badf16f0 by task syz-executor0/5013
[   95.806875]
[   95.808495] CPU: 0 PID: 5013 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #85
[   95.815669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   95.825013] Call Trace:
[   95.827603]  dump_stack+0x1c9/0x2b4
[   95.831233]  ? dump_stack_print_info.cold.2+0x52/0x52
[   95.836623]  ? printk+0xa7/0xcf
[   95.839903]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   95.844648]  ? sock_i_ino+0x94/0xa0
[   95.848333]  print_address_description+0x6c/0x20b
[   95.853175]  ? sock_i_ino+0x94/0xa0
[   95.856790]  kasan_report.cold.7+0x242/0x30d
[   95.861191]  __asan_report_load8_noabort+0x14/0x20
[   95.866108]  sock_i_ino+0x94/0xa0
[   95.869547]  tipc_sk_fill_sock_diag+0x3be/0xdb0
[   95.874203]  ? tipc_diag_dump+0x30/0x30
[   95.878177]  ? tipc_getname+0x7f0/0x7f0
[   95.882152]  ? print_usage_bug+0xc0/0xc0
[   95.886194]  ? graph_lock+0x170/0x170
[   95.889975]  ? __lock_sock+0x203/0x360
[   95.893853]  ? find_held_lock+0x36/0x1c0
[   95.897896]  ? mark_held_locks+0xc9/0x160
[   95.902029]  ? __local_bh_enable_ip+0x161/0x230
[   95.906744]  ? __local_bh_enable_ip+0x161/0x230
[   95.911413]  ? lockdep_hardirqs_on+0x421/0x5c0
[   95.916027]  ? trace_hardirqs_on+0xbd/0x2c0
[   95.920464]  ? lock_release+0x9f0/0x9f0
[   95.924429]  ? lock_sock_nested+0xe7/0x120
[   95.928661]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   95.933661]  ? skb_put+0x17b/0x1e0
[   95.937198]  ? memset+0x31/0x40
[   95.940466]  ? __nlmsg_put+0x14c/0x1b0
[   95.944340]  __tipc_add_sock_diag+0x22f/0x360
[   95.948825]  tipc_nl_sk_walk+0x122/0x1d0
[   95.952877]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[   95.958140]  tipc_diag_dump+0x24/0x30
[   95.961922]  netlink_dump+0x519/0xd50
[   95.965706]  ? netlink_broadcast+0x50/0x50
[   95.969924]  __netlink_dump_start+0x4f1/0x6f0
[   95.974472]  ? kasan_check_read+0x11/0x20
[   95.978622]  ? tipc_data_ready+0x3f0/0x3f0
[   95.982852]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[   95.987960]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[   95.992620]  ? tipc_data_ready+0x3f0/0x3f0
[   95.996840]  ? tipc_unregister_sysctl+0x20/0x20
[   96.001494]  ? tipc_ioctl+0x3b0/0x3b0
[   96.005283]  ? netlink_deliver_tap+0x356/0xfb0
[   96.009861]  sock_diag_rcv_msg+0x31d/0x410
[   96.014198]  netlink_rcv_skb+0x172/0x440
[   96.018258]  ? sock_diag_bind+0x80/0x80
[   96.022320]  ? netlink_ack+0xbe0/0xbe0
[   96.026198]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   96.030878]  sock_diag_rcv+0x2a/0x40
[   96.034603]  netlink_unicast+0x5a0/0x760
[   96.038675]  ? netlink_attachskb+0x9a0/0x9a0
[   96.043195]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.048828]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   96.053838]  netlink_sendmsg+0xa18/0xfc0
[   96.057891]  ? netlink_unicast+0x760/0x760
[   96.062116]  ? aa_sock_msg_perm.isra.13+0xba/0x160
[   96.067045]  ? apparmor_socket_sendmsg+0x29/0x30
[   96.071797]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.077418]  ? security_socket_sendmsg+0x94/0xc0
[   96.082175]  ? netlink_unicast+0x760/0x760
[   96.086477]  sock_sendmsg+0xd5/0x120
[   96.090184]  ___sys_sendmsg+0x7fd/0x930
[   96.094151]  ? copy_msghdr_from_user+0x580/0x580
[   96.098907]  ? __sched_text_start+0x8/0x8
[   96.103049]  ? __fget_light+0x2f7/0x440
[   96.107012]  ? __local_bh_enable_ip+0x161/0x230
[   96.111672]  ? fget_raw+0x20/0x20
[   96.115292]  ? __fget_light+0x2f7/0x440
[   96.119255]  ? fget_raw+0x20/0x20
[   96.122708]  ? tipc_nametbl_build_group+0x279/0x360
[   96.127748]  ? tipc_setsockopt+0x726/0xd70
[   96.131975]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   96.137498]  ? sockfd_lookup_light+0xc5/0x160
[   96.141996]  __sys_sendmsg+0x11d/0x290
[   96.145874]  ? __ia32_sys_shutdown+0x80/0x80
[   96.150280]  ? __x64_sys_futex+0x47f/0x6a0
[   96.154512]  ? do_syscall_64+0x9a/0x820
[   96.158486]  ? do_syscall_64+0x9a/0x820
[   96.162493]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   96.167658]  __x64_sys_sendmsg+0x78/0xb0
[   96.171739]  do_syscall_64+0x1b9/0x820
[   96.175668]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   96.181031]  ? syscall_return_slowpath+0x5e0/0x5e0
[   96.185953]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   96.190968]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   96.195987]  ? recalc_sigpending_tsk+0x180/0x180
[   96.200877]  ? kasan_check_write+0x14/0x20
[   96.205172]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   96.210120]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.215298] RIP: 0033:0x457099
[   96.218481] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   96.237380] RSP: 002b:00007fb977cc7c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   96.246351] RAX: ffffffffffffffda RBX: 00007fb977cc86d4 RCX: 0000000000457099
[   96.253609] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[   96.260883] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[   96.268145] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   96.275486] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[   96.282769]
[   96.284403] Allocated by task 5013:
[   96.288027]  save_stack+0x43/0xd0
[   96.291467]  kasan_kmalloc+0xc4/0xe0
[   96.295163]  kasan_slab_alloc+0x12/0x20
[   96.299163]  kmem_cache_alloc+0x12e/0x710
[   96.303314]  sock_alloc_inode+0x1d/0x260
[   96.307392]  alloc_inode+0x63/0x190
[   96.311006]  new_inode_pseudo+0x71/0x1a0
[   96.315069]  sock_alloc+0x41/0x270
[   96.318603]  __sock_create+0x175/0x940
[   96.322481]  __sys_socket+0x106/0x260
[   96.326285]  __x64_sys_socket+0x73/0xb0
[   96.330253]  do_syscall_64+0x1b9/0x820
[   96.334130]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.339297]
[   96.340908] Freed by task 5012:
[   96.344179]  save_stack+0x43/0xd0
[   96.347619]  __kasan_slab_free+0x11a/0x170
[   96.351875]  kasan_slab_free+0xe/0x10
[   96.355679]  kmem_cache_free+0x86/0x280
[   96.359644]  sock_destroy_inode+0x51/0x60
[   96.363777]  destroy_inode+0x159/0x200
[   96.367646]  evict+0x5d5/0x990
[   96.370829]  iput+0x5fa/0xa00
[   96.373941]  dentry_unlink_inode+0x461/0x5e0
[   96.378369]  __dentry_kill+0x44c/0x7a0
[   96.382241]  dentry_kill+0xc9/0x5a0
[   96.385881]  dput.part.26+0x66b/0x7a0
[   96.389665]  dput+0x15/0x20
[   96.392584]  __fput+0x4d4/0xa40
[   96.395848]  ____fput+0x15/0x20
[   96.399120]  task_work_run+0x1e8/0x2a0
[   96.403001]  exit_to_usermode_loop+0x318/0x380
[   96.407590]  do_syscall_64+0x6be/0x820
[   96.411501]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.416690]
[   96.418303] The buggy address belongs to the object at ffff8801badf1680
[   96.418303]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[   96.432163] The buggy address is located 112 bytes inside of
[   96.432163]  984-byte region [ffff8801badf1680, ffff8801badf1a58)
[   96.444039] The buggy address belongs to the page:
[   96.448955] page:ffffea0006eb7c40 count:1 mapcount:0 mapping:ffff8801cbcd96c0 index:0xffff8801badf1ffd
[   96.458384] flags: 0x2fffc0000000100(slab)
[   96.462604] raw: 02fffc0000000100 ffffea0006eb6008 ffffea0006eb09c8 ffff8801cbcd96c0
[   96.470493] raw: ffff8801badf1ffd ffff8801badf1200 0000000100000003 ffff8801d00e0800
[   96.478360] page dumped because: kasan: bad access detected
[   96.484050] page->mem_cgroup:ffff8801d00e0800
[   96.488544]
[   96.490150] Memory state around the buggy address:
[   96.495064]  ffff8801badf1580: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   96.502417]  ffff8801badf1600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.509762] >ffff8801badf1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   96.517108]                                                              ^
[   96.524118]  ffff8801badf1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   96.531484]  ffff8801badf1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   96.538834] ==================================================================
[   96.546174] Disabling lock debugging due to kernel taint
[   96.551700] Kernel panic - not syncing: panic_on_warn set ...
[   96.551700]
[   96.559075] CPU: 0 PID: 5013 Comm: syz-executor0 Tainted: G B 4.19.0-rc2+ #85
[   96.567647] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   96.576996] Call Trace:
[   96.579577]  dump_stack+0x1c9/0x2b4
[   96.583191]  ? dump_stack_print_info.cold.2+0x52/0x52
[   96.588370]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   96.593115]  panic+0x238/0x4e7
[   96.596296]  ? add_taint.cold.5+0x16/0x16
[   96.600449]  ? trace_hardirqs_on+0xb4/0x2c0
[   96.604757]  ? trace_hardirqs_on+0x9a/0x2c0
[   96.609065]  ? sock_i_ino+0x94/0xa0
[   96.612686]  kasan_end_report+0x47/0x4f
[   96.616660]  kasan_report.cold.7+0x76/0x30d
[   96.620979]  __asan_report_load8_noabort+0x14/0x20
[   96.625911]  sock_i_ino+0x94/0xa0
[   96.629356]  tipc_sk_fill_sock_diag+0x3be/0xdb0
[   96.634009]  ? tipc_diag_dump+0x30/0x30
[   96.637985]  ? tipc_getname+0x7f0/0x7f0
[   96.641958]  ? print_usage_bug+0xc0/0xc0
[   96.646003]  ? graph_lock+0x170/0x170
[   96.649789]  ? __lock_sock+0x203/0x360
[   96.653662]  ? find_held_lock+0x36/0x1c0
[   96.657707]  ? mark_held_locks+0xc9/0x160
[   96.661875]  ? __local_bh_enable_ip+0x161/0x230
[   96.666537]  ? __local_bh_enable_ip+0x161/0x230
[   96.671188]  ? lockdep_hardirqs_on+0x421/0x5c0
[   96.675780]  ? trace_hardirqs_on+0xbd/0x2c0
[   96.680117]  ? lock_release+0x9f0/0x9f0
[   96.684107]  ? lock_sock_nested+0xe7/0x120
[   96.688357]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   96.693357]  ? skb_put+0x17b/0x1e0
[   96.696899]  ? memset+0x31/0x40
[   96.700194]  ? __nlmsg_put+0x14c/0x1b0
[   96.704070]  __tipc_add_sock_diag+0x22f/0x360
[   96.708563]  tipc_nl_sk_walk+0x122/0x1d0
[   96.712634]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[   96.717896]  tipc_diag_dump+0x24/0x30
[   96.721681]  netlink_dump+0x519/0xd50
[   96.725468]  ? netlink_broadcast+0x50/0x50
[   96.729697]  __netlink_dump_start+0x4f1/0x6f0
[   96.734180]  ? kasan_check_read+0x11/0x20
[   96.738327]  ? tipc_data_ready+0x3f0/0x3f0
[   96.742547]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[   96.747635]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[   96.752289]  ? tipc_data_ready+0x3f0/0x3f0
[   96.756506]  ? tipc_unregister_sysctl+0x20/0x20
[   96.761177]  ? tipc_ioctl+0x3b0/0x3b0
[   96.764970]  ? netlink_deliver_tap+0x356/0xfb0
[   96.769541]  sock_diag_rcv_msg+0x31d/0x410
[   96.773763]  netlink_rcv_skb+0x172/0x440
[   96.777820]  ? sock_diag_bind+0x80/0x80
[   96.781797]  ? netlink_ack+0xbe0/0xbe0
[   96.785671]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   96.790350]  sock_diag_rcv+0x2a/0x40
[   96.794052]  netlink_unicast+0x5a0/0x760
[   96.798110]  ? netlink_attachskb+0x9a0/0x9a0
[   96.802542]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.808067]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   96.813089]  netlink_sendmsg+0xa18/0xfc0
[   96.817170]  ? netlink_unicast+0x760/0x760
[   96.821394]  ? aa_sock_msg_perm.isra.13+0xba/0x160
[   96.826309]  ? apparmor_socket_sendmsg+0x29/0x30
[   96.831075]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.836637]  ? security_socket_sendmsg+0x94/0xc0
[   96.841374]  ? netlink_unicast+0x760/0x760
[   96.845598]  sock_sendmsg+0xd5/0x120
[   96.849300]  ___sys_sendmsg+0x7fd/0x930
[   96.853267]  ? copy_msghdr_from_user+0x580/0x580
[   96.858012]  ? __sched_text_start+0x8/0x8
[   96.862168]  ? __fget_light+0x2f7/0x440
[   96.866126]  ? __local_bh_enable_ip+0x161/0x230
[   96.870780]  ? fget_raw+0x20/0x20
[   96.874219]  ? __fget_light+0x2f7/0x440
[   96.878199]  ? fget_raw+0x20/0x20
[   96.881648]  ? tipc_nametbl_build_group+0x279/0x360
[   96.886657]  ? tipc_setsockopt+0x726/0xd70
[   96.890879]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   96.896421]  ? sockfd_lookup_light+0xc5/0x160
[   96.900903]  __sys_sendmsg+0x11d/0x290
[   96.904794]  ? __ia32_sys_shutdown+0x80/0x80
[   96.909210]  ? __x64_sys_futex+0x47f/0x6a0
[   96.913443]  ? do_syscall_64+0x9a/0x820
[   96.917403]  ? do_syscall_64+0x9a/0x820
[   96.921364]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   96.926481]  __x64_sys_sendmsg+0x78/0xb0
[   96.930549]  do_syscall_64+0x1b9/0x820
[   96.934422]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   96.939771]  ? syscall_return_slowpath+0x5e0/0x5e0
[   96.944684]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   96.949697]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   96.954700]  ? recalc_sigpending_tsk+0x180/0x180
[   96.959440]  ? kasan_check_write+0x14/0x20
[   96.963675]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   96.968509]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.973728] RIP: 0033:0x457099
[   96.976906] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   96.995792] RSP: 002b:00007fb977cc7c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   97.003502] RAX: ffffffffffffffda RBX: 00007fb977cc86d4 RCX: 0000000000457099
[   97.010839] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[   97.018109] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[   97.025369] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   97.032621] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[   97.040201] Dumping ftrace buffer:
[   97.043727]    (ftrace buffer empty)
[   97.047417] Kernel Offset: disabled
[   97.051027] Rebooting in 86400 seconds..