[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[   26.124213] random: sshd: uninitialized urandom read (32 bytes read)
[   26.263639] random: sshd: uninitialized urandom read (32 bytes read)
[   26.649439] random: sshd: uninitialized urandom read (32 bytes read)
[   27.274732] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   36.613539] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts.
[   42.248414] random: sshd: uninitialized urandom read (32 bytes read)
[   42.376491] ==================================================================
[   42.384085] BUG: KASAN: slab-out-of-bounds in mqueue_get_tree+0x2ac/0x2e0
[   42.391017] Read of size 8 at addr ffff8801d8bce3e0 by task syz-executor656/5564
[   42.398553]
[   42.400198] CPU: 0 PID: 5564 Comm: syz-executor656 Not tainted 4.19.0-rc3-next-20180912+ #72
[   42.408788] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.418134] Call Trace:
[   42.420734]  dump_stack+0x1d3/0x2c4
[   42.424400]  ? dump_stack_print_info.cold.2+0x52/0x52
[   42.429586]  ? printk+0xa7/0xcf
[   42.432864]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   42.437629]  print_address_description.cold.8+0x9/0x1ff
[   42.442999]  kasan_report.cold.9+0x242/0x309
[   42.447413]  ? mqueue_get_tree+0x2ac/0x2e0
[   42.451657]  __asan_report_load8_noabort+0x14/0x20
[   42.456599]  mqueue_get_tree+0x2ac/0x2e0
[   42.460702]  vfs_get_tree+0x1cb/0x5c0
[   42.464522]  mq_create_mount+0xe3/0x190
[   42.468504]  mq_init_ns+0x15a/0x210
[   42.472136]  copy_ipcs+0x3d2/0x580
[   42.475687]  ? ipcns_get+0xe0/0xe0
[   42.479236]  ? do_mount+0x1db0/0x1db0
[   42.483039]  ? kmem_cache_alloc+0x33a/0x730
[   42.487367]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.492909]  ? perf_event_namespaces+0x136/0x400
[   42.497674]  create_new_namespaces+0x376/0x900
[   42.502266]  ? sys_ni_syscall+0x20/0x20
[   42.506251]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.511788]  ? ns_capable_common+0x13f/0x170
[   42.516232]  unshare_nsproxy_namespaces+0xc3/0x1f0
[   42.521174]  ksys_unshare+0x79c/0x10b0
[   42.525106]  ? walk_process_tree+0x440/0x440
[   42.529516]  ? lock_downgrade+0x900/0x900
[   42.533672]  ? kasan_check_read+0x11/0x20
[   42.537819]  ? do_raw_spin_unlock+0xa7/0x2f0
[   42.542228]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   42.546817]  ? kasan_check_write+0x14/0x20
[   42.551067]  ? do_raw_read_unlock+0x3f/0x60
[   42.555391]  ? do_syscall_64+0x9a/0x820
[   42.559369]  ? do_syscall_64+0x9a/0x820
[   42.563350]  ? lockdep_hardirqs_on+0x421/0x5c0
[   42.567949]  ? trace_hardirqs_on+0xbd/0x310
[   42.572294]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.577664]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   42.583115]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[   42.587826]  __x64_sys_unshare+0x31/0x40
[   42.591894]  do_syscall_64+0x1b9/0x820
[   42.595796]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   42.601168]  ? syscall_return_slowpath+0x5e0/0x5e0
[   42.606099]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.610945]  ? trace_hardirqs_on_caller+0x310/0x310
[   42.615965]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   42.620982]  ? prepare_exit_to_usermode+0x291/0x3b0
[   42.626025]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.630882]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.636073] RIP: 0033:0x4447f7
[   42.639270] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ed df fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 cd df fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   42.658181] RSP: 002b:00007ffe5aa7e2a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[   42.665894] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004447f7
[   42.673174] RDX: 0000000000000000 RSI: 00007ffe5aa7e2b0 RDI: 0000000008000000
[   42.680458] RBP: 00000000006cc018 R08: 0000000000000000 R09: 00000000019a3880
[   42.687722] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402c50
[   42.694991] R13: 0000000000402ce0 R14: 0000000000000000 R15: 0000000000000000
[   42.702277]
[   42.703902] Allocated by task 3455:
[   42.707564]  save_stack+0x43/0xd0
[   42.711035]  kasan_kmalloc+0xc7/0xe0
[   42.714754]  kmem_cache_alloc_trace+0x152/0x750
[   42.719424]  kernfs_iop_get_link+0x6d/0x660
[   42.723748]  vfs_readlink+0x2ac/0x4c0
[   42.727547]  do_readlinkat+0x359/0x410
[   42.731433]  __x64_sys_readlink+0x78/0xb0
[   42.735596]  do_syscall_64+0x1b9/0x820
[   42.739514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.744692]
[   42.746316] Freed by task 3455:
[   42.749596]  save_stack+0x43/0xd0
[   42.753047]  __kasan_slab_free+0x102/0x150
[   42.757296]  kasan_slab_free+0xe/0x10
[   42.761093]  kfree+0xcf/0x230
[   42.764195]  kfree_link+0x15/0x20
[   42.767649]  vfs_readlink+0x207/0x4c0
[   42.771449]  do_readlinkat+0x359/0x410
[   42.775348]  __x64_sys_readlink+0x78/0xb0
[   42.779494]  do_syscall_64+0x1b9/0x820
[   42.783399]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.788578]
[   42.790205] The buggy address belongs to the object at ffff8801d8bce740
[   42.790205]  which belongs to the cache kmalloc-4096 of size 4096
[   42.803039] The buggy address is located 864 bytes to the left of
[   42.803039]  4096-byte region [ffff8801d8bce740, ffff8801d8bcf740)
[   42.815455] The buggy address belongs to the page:
[   42.820393] page:ffffea000762f380 count:1 mapcount:0 mapping:ffff8801da800dc0 index:0x0 compound_mapcount: 0
[   42.830364] flags: 0x2fffc0000008100(slab|head)
[   42.835040] raw: 02fffc0000008100 ffffea0007628988 ffffea0007623008 ffff8801da800dc0
[   42.842924] raw: 0000000000000000 ffff8801d8bce740 0000000100000001 0000000000000000
[   42.850795] page dumped because: kasan: bad access detected
[   42.856497]
[   42.858117] Memory state around the buggy address:
[   42.863045]  ffff8801d8bce280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.870409]  ffff8801d8bce300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.877770] >ffff8801d8bce380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.885127]                                                        ^
[   42.891629]  ffff8801d8bce400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.899000]  ffff8801d8bce480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.906354] ==================================================================
[   42.913706] Disabling lock debugging due to kernel taint
[   42.919426] Kernel panic - not syncing: panic_on_warn set ...
[   42.919426]
[   42.926803] CPU: 0 PID: 5564 Comm: syz-executor656 Tainted: G    B             4.19.0-rc3-next-20180912+ #72
[   42.936762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.946402] Call Trace:
[   42.949000]  dump_stack+0x1d3/0x2c4
[   42.952631]  ? dump_stack_print_info.cold.2+0x52/0x52
[   42.957836]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   42.962624]  panic+0x238/0x4e7
[   42.965829]  ? add_taint.cold.5+0x16/0x16
[   42.969997]  ? trace_hardirqs_on+0x9a/0x310
[   42.974353]  ? trace_hardirqs_on+0xb4/0x310
[   42.978705]  ? trace_hardirqs_on+0xb4/0x310
[   42.983029]  kasan_end_report+0x47/0x4f
[   42.987007]  kasan_report.cold.9+0x76/0x309
[   42.991328]  ? mqueue_get_tree+0x2ac/0x2e0
[   42.995591]  __asan_report_load8_noabort+0x14/0x20
[   43.000562]  mqueue_get_tree+0x2ac/0x2e0
[   43.004652]  vfs_get_tree+0x1cb/0x5c0
[   43.008451]  mq_create_mount+0xe3/0x190
[   43.012423]  mq_init_ns+0x15a/0x210
[   43.016044]  copy_ipcs+0x3d2/0x580
[   43.019584]  ? ipcns_get+0xe0/0xe0
[   43.023126]  ? do_mount+0x1db0/0x1db0
[   43.026930]  ? kmem_cache_alloc+0x33a/0x730
[   43.031303]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.036878]  ? perf_event_namespaces+0x136/0x400
[   43.041683]  create_new_namespaces+0x376/0x900
[   43.046302]  ? sys_ni_syscall+0x20/0x20
[   43.050312]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.055891]  ? ns_capable_common+0x13f/0x170
[   43.060365]  unshare_nsproxy_namespaces+0xc3/0x1f0
[   43.065350]  ksys_unshare+0x79c/0x10b0
[   43.069272]  ? walk_process_tree+0x440/0x440
[   43.073724]  ? lock_downgrade+0x900/0x900
[   43.077902]  ? kasan_check_read+0x11/0x20
[   43.082179]  ? do_raw_spin_unlock+0xa7/0x2f0
[   43.087121]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   43.091800]  ? kasan_check_write+0x14/0x20
[   43.096136]  ? do_raw_read_unlock+0x3f/0x60
[   43.100447]  ? do_syscall_64+0x9a/0x820
[   43.104438]  ? do_syscall_64+0x9a/0x820
[   43.108528]  ? lockdep_hardirqs_on+0x421/0x5c0
[   43.113113]  ? trace_hardirqs_on+0xbd/0x310
[   43.117664]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.123044]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   43.128518]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[   43.133325]  __x64_sys_unshare+0x31/0x40
[   43.137421]  do_syscall_64+0x1b9/0x820
[   43.141487]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   43.146936]  ? syscall_return_slowpath+0x5e0/0x5e0
[   43.151848]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.156814]  ? trace_hardirqs_on_caller+0x310/0x310
[   43.161912]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   43.166910]  ? prepare_exit_to_usermode+0x291/0x3b0
[   43.172003]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.177085]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.182470] RIP: 0033:0x4447f7
[   43.185655] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ed df fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 cd df fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   43.204575] RSP: 002b:00007ffe5aa7e2a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[   43.212321] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004447f7
[   43.219603] RDX: 0000000000000000 RSI: 00007ffe5aa7e2b0 RDI: 0000000008000000
[   43.226883] RBP: 00000000006cc018 R08: 0000000000000000 R09: 00000000019a3880
[   43.234169] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402c50
[   43.241456] R13: 0000000000402ce0 R14: 0000000000000000 R15: 0000000000000000
[   43.249969] Kernel Offset: disabled
[   43.253608] Rebooting in 86400 seconds..