[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 25.238580] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 29.994340] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.369250] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.941617] random: sshd: uninitialized urandom read (32 bytes read)
[ 47.316667] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
[ 53.046698] random: sshd: uninitialized urandom read (32 bytes read)
[ 53.181995] IPVS: ftp: loaded support on port[0] = 21
[ 53.182010] IPVS: ftp: loaded support on port[0] = 21
[ 53.197573] ==================================================================
[ 53.205227] BUG: KASAN: slab-out-of-bounds in mqueue_get_tree+0x2ac/0x2e0
[ 53.212256] Read of size 8 at addr ffff8801d8a67e00 by task syz-executor666/5561
[ 53.219772]
[ 53.221399] CPU: 0 PID: 5561 Comm: syz-executor666 Not tainted 4.19.0-rc3-next-20180912+ #72
[ 53.230086] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.239426] Call Trace:
[ 53.242005]  dump_stack+0x1d3/0x2c4
[ 53.245621]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.250803]  ? printk+0xa7/0xcf
[ 53.254092]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 53.258877]  print_address_description.cold.8+0x9/0x1ff
[ 53.264374]  kasan_report.cold.9+0x242/0x309
[ 53.268783]  ? mqueue_get_tree+0x2ac/0x2e0
[ 53.273102]  __asan_report_load8_noabort+0x14/0x20
[ 53.278042]  mqueue_get_tree+0x2ac/0x2e0
[ 53.282102]  vfs_get_tree+0x1cb/0x5c0
[ 53.286110]  mq_create_mount+0xe3/0x190
[ 53.290072]  mq_init_ns+0x15a/0x210
[ 53.293684]  copy_ipcs+0x3d2/0x580
[ 53.297211]  ? ipcns_get+0xe0/0xe0
[ 53.300814]  ? do_mount+0x1db0/0x1db0
[ 53.304624]  ? kmem_cache_alloc+0x33a/0x730
[ 53.308942]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.314474]  ? perf_event_namespaces+0x136/0x400
[ 53.319223]  create_new_namespaces+0x376/0x900
[ 53.323795]  ? sys_ni_syscall+0x20/0x20
[ 53.327757]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.333281]  ? ns_capable_common+0x13f/0x170
[ 53.337686]  unshare_nsproxy_namespaces+0xc3/0x1f0
[ 53.342608]  ksys_unshare+0x79c/0x10b0
[ 53.346484]  ? walk_process_tree+0x440/0x440
[ 53.350882]  ? lock_downgrade+0x900/0x900
[ 53.355018]  ? kasan_check_read+0x11/0x20
[ 53.359153]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 53.363546]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 53.368117]  ? kasan_check_write+0x14/0x20
[ 53.372337]  ? do_raw_read_unlock+0x3f/0x60
[ 53.376653]  ? do_syscall_64+0x9a/0x820
[ 53.380614]  ? do_syscall_64+0x9a/0x820
[ 53.384635]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 53.389218]  ? trace_hardirqs_on+0xbd/0x310
[ 53.393621]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.398984]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 53.404430]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[ 53.409104]  __x64_sys_unshare+0x31/0x40
[ 53.413154]  do_syscall_64+0x1b9/0x820
[ 53.417117]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 53.422477]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 53.427459]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.432301]  ? trace_hardirqs_on_caller+0x310/0x310
[ 53.437395]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 53.442524]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 53.447539]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.452468]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.457706] RIP: 0033:0x44a757
[ 53.460897] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 0d d5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ed d4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.479789] RSP: 002b:00007ffd4a213b08 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[ 53.487490] RAX: ffffffffffffffda RBX: 00007ffd4a213bb0 RCX: 000000000044a757
[ 53.494751] RDX: 0000000000000000 RSI: 00007ffd4a213b20 RDI: 0000000008000000
[ 53.502016] RBP: 585858582e72656c R08: 0000000000000000 R09: 0000000000000018
[ 53.509485] R10: 0000000000000000 R11: 0000000000000217 R12: 6c616b7a79732f2e
[ 53.516748] R13: 0000000000408160 R14: 0000000000000000 R15: 0000000000000000
[ 53.524043]
[ 53.525659] Allocated by task 5561:
[ 53.529273]  save_stack+0x43/0xd0
[ 53.532716]  kasan_kmalloc+0xc7/0xe0
[ 53.536419]  kmem_cache_alloc_trace+0x152/0x750
[ 53.541072]  copy_ipcs+0x1c6/0x580
[ 53.544605]  create_new_namespaces+0x376/0x900
[ 53.549172]  unshare_nsproxy_namespaces+0xc3/0x1f0
[ 53.554211]  ksys_unshare+0x79c/0x10b0
[ 53.558151]  __x64_sys_unshare+0x31/0x40
[ 53.562202]  do_syscall_64+0x1b9/0x820
[ 53.566081]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.571253]
[ 53.572865] Freed by task 0:
[ 53.575865] (stack is not available)
[ 53.579568]
[ 53.581224] The buggy address belongs to the object at ffff8801d8a67680
[ 53.581224]  which belongs to the cache kmalloc-2048 of size 2048
[ 53.594054] The buggy address is located 1920 bytes inside of
[ 53.594054]  2048-byte region [ffff8801d8a67680, ffff8801d8a67e80)
[ 53.606090] The buggy address belongs to the page:
[ 53.611009] page:ffffea0007629980 count:1 mapcount:0 mapping:ffff8801da800c40 index:0x0 compound_mapcount: 0
[ 53.621079] flags: 0x2fffc0000008100(slab|head)
[ 53.625734] raw: 02fffc0000008100 ffffea0007611888 ffff8801da801948 ffff8801da800c40
[ 53.633603] raw: 0000000000000000 ffff8801d8a66580 0000000100000003 0000000000000000
[ 53.641511] page dumped because: kasan: bad access detected
[ 53.647208]
[ 53.648814] Memory state around the buggy address:
[ 53.653731]  ffff8801d8a67d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 53.661087]  ffff8801d8a67d80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.668431] >ffff8801d8a67e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.675876]                    ^
[ 53.679232]  ffff8801d8a67e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.686573]  ffff8801d8a67f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.693960] ==================================================================
[ 53.701413] Disabling lock debugging due to kernel taint
[ 53.706904] Kernel panic - not syncing: panic_on_warn set ...
[ 53.706904]
[ 53.714255] CPU: 0 PID: 5561 Comm: syz-executor666 Tainted: G    B             4.19.0-rc3-next-20180912+ #72
[ 53.724313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.733659] Call Trace:
[ 53.736239]  dump_stack+0x1d3/0x2c4
[ 53.739860]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.745048]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.749852]  panic+0x238/0x4e7
[ 53.753037]  ? add_taint.cold.5+0x16/0x16
[ 53.757176]  ? trace_hardirqs_on+0x9a/0x310
[ 53.761489]  ? trace_hardirqs_on+0xb4/0x310
[ 53.765800]  ? trace_hardirqs_on+0xb4/0x310
[ 53.770115]  kasan_end_report+0x47/0x4f
[ 53.774077]  kasan_report.cold.9+0x76/0x309
[ 53.778444]  ? mqueue_get_tree+0x2ac/0x2e0
[ 53.782673]  __asan_report_load8_noabort+0x14/0x20
[ 53.787588]  mqueue_get_tree+0x2ac/0x2e0
[ 53.791635]  vfs_get_tree+0x1cb/0x5c0
[ 53.795423]  mq_create_mount+0xe3/0x190
[ 53.799389]  mq_init_ns+0x15a/0x210
[ 53.803009]  copy_ipcs+0x3d2/0x580
[ 53.806532]  ? ipcns_get+0xe0/0xe0
[ 53.810115]  ? do_mount+0x1db0/0x1db0
[ 53.813949]  ? kmem_cache_alloc+0x33a/0x730
[ 53.819995]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.825622]  ? perf_event_namespaces+0x136/0x400
[ 53.830414]  create_new_namespaces+0x376/0x900
[ 53.834990]  ? sys_ni_syscall+0x20/0x20
[ 53.839004]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.844531]  ? ns_capable_common+0x13f/0x170
[ 53.848926]  unshare_nsproxy_namespaces+0xc3/0x1f0
[ 53.853856]  ksys_unshare+0x79c/0x10b0
[ 53.857731]  ? walk_process_tree+0x440/0x440
[ 53.862131]  ? lock_downgrade+0x900/0x900
[ 53.866367]  ? kasan_check_read+0x11/0x20
[ 53.870580]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 53.874983]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 53.879557]  ? kasan_check_write+0x14/0x20
[ 53.883779]  ? do_raw_read_unlock+0x3f/0x60
[ 53.888086]  ? do_syscall_64+0x9a/0x820
[ 53.892049]  ? do_syscall_64+0x9a/0x820
[ 53.896026]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 53.900606]  ? trace_hardirqs_on+0xbd/0x310
[ 53.904920]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.910383]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 53.915898]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[ 53.920571]  __x64_sys_unshare+0x31/0x40
[ 53.924620]  do_syscall_64+0x1b9/0x820
[ 53.928501]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 53.933882]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 53.938800]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.943642]  ? trace_hardirqs_on_caller+0x310/0x310
[ 53.948648]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 53.953662]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 53.958676]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.963521]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.968699] RIP: 0033:0x44a757
[ 53.971878] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 0d d5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ed d4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.990771] RSP: 002b:00007ffd4a213b08 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[ 53.998465] RAX: ffffffffffffffda RBX: 00007ffd4a213bb0 RCX: 000000000044a757
[ 54.005819] RDX: 0000000000000000 RSI: 00007ffd4a213b20 RDI: 0000000008000000
[ 54.013091] RBP: 585858582e72656c R08: 0000000000000000 R09: 0000000000000018
[ 54.020346] R10: 0000000000000000 R11: 0000000000000217 R12: 6c616b7a79732f2e
[ 54.027600] R13: 0000000000408160 R14: 0000000000000000 R15: 0000000000000000
[ 54.035822] Kernel Offset: disabled
[ 54.039468] Rebooting in 86400 seconds..