[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 26.758041] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 30.143649] random: sshd: uninitialized urandom read (32 bytes read) [ 30.689883] random: sshd: uninitialized urandom read (32 bytes read) [ 31.469577] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts. [ 37.050568] random: sshd: uninitialized urandom read (32 bytes read) 2018/09/12 07:32:54 fuzzer started [ 38.483121] random: cc1: uninitialized urandom read (8 bytes read) 2018/09/12 07:32:57 dialing manager at 10.128.0.26:42863 2018/09/12 07:32:57 syscalls: 1 2018/09/12 07:32:57 code coverage: enabled 2018/09/12 07:32:57 comparison tracing: enabled 2018/09/12 07:32:57 setuid sandbox: enabled 2018/09/12 07:32:57 namespace sandbox: enabled 2018/09/12 07:32:57 fault injection: enabled 2018/09/12 07:32:57 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/09/12 07:32:57 net packed injection: enabled 2018/09/12 07:32:57 net device setup: enabled [ 41.462553] random: crng init done 07:36:48 executing program 0: shmat(0x0, &(0x7f0000ffd000/0x3000)=nil, 0xfffffffffffffffe) seccomp(0x1, 0x0, &(0x7f0000000100)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x58fe4}]}) openat$fuse(0xffffffffffffff9c, &(0x7f0000000080)='/dev/fuse\x00', 0x2, 0x0) write$FUSE_DIRENT(0xffffffffffffffff, &(0x7f0000000240)={0x10}, 0x10) syz_execute_func(&(0x7f00000001c0)="42805da0690fef69dc0f01ee0dce41ff0fc4a33d062900770f78993d233d23410feefa6b2179660f38302fe5e54175450f2e1ac4010d64ac1e5d31a3b7c44379dfb9d6adbe90dfe2989f7f") dup3(0xffffffffffffff9c, 0xffffffffffffff9c, 0x0) write$FUSE_NOTIFY_RETRIEVE(0xffffffffffffffff, &(0x7f0000000040)={0x30}, 0x30) socketpair$inet_tcp(0x2, 0x1, 0x0, &(0x7f00000000c0)) epoll_ctl$EPOLL_CTL_DEL(0xffffffffffffffff, 0x2, 0xffffffffffffffff) 07:36:48 executing program 1: pipe2(&(0x7f0000001340), 0x0) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffff9c, &(0x7f0000001500)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000001380)}}, 0x20) write$RDMA_USER_CM_CMD_BIND_IP(0xffffffffffffffff, &(0x7f0000001540)={0x2, 0x28, 0xfa00, {0x0, {0xa, 0x0, 0x0, @remote}}}, 0x30) stat(&(0x7f00000001c0)='./file1\x00', &(0x7f00000013c0)) getegid() stat(&(0x7f0000001440)='./file0\x00', &(0x7f0000001480)) setgroups(0x0, &(0x7f0000001500)) listxattr(&(0x7f0000000240)='./file0\x00', &(0x7f0000000280)=""/4096, 0x1000) semget$private(0x0, 0x0, 0x0) semtimedop(0x0, &(0x7f00000000c0), 0x0, &(0x7f0000000200)={0x0, 0x989680}) clock_gettime(0x0, &(0x7f0000003380)) recvmmsg(0xffffffffffffffff, &(0x7f0000003240), 0x0, 0x0, &(0x7f00000033c0)) getsockopt$inet_sctp6_SCTP_CONTEXT(0xffffffffffffff9c, 0x84, 0x11, &(0x7f0000003400), &(0x7f0000003440)=0x8) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(0xffffffffffffffff, 0x84, 0x6d, &(0x7f0000003480), &(0x7f00000044c0)=0xfffffffffffffedd) creat(&(0x7f00000000c0)='./file0\x00', 0x0) getpgrp(0xffffffffffffffff) getpgid(0xffffffffffffffff) kcmp$KCMP_EPOLL_TFD(0x0, 0x0, 0x7, 0xffffffffffffffff, &(0x7f0000000080)) clock_getres(0x0, &(0x7f0000001280)) setsockopt$inet_sctp_SCTP_PARTIAL_DELIVERY_POINT(0xffffffffffffffff, 0x84, 0x13, &(0x7f0000001300), 0x4) getdents64(0xffffffffffffffff, &(0x7f0000000140)=""/87, 0x57) ppoll(&(0x7f0000001580), 0x0, &(0x7f0000001600), &(0x7f0000001640), 0x8) openat$cgroup_subtree(0xffffffffffffffff, &(0x7f00000015c0)='cgroup.subtree_control\x00', 0x2, 0x0) ioctl$BLKREPORTZONE(0xffffffffffffffff, 0xc0101282, &(0x7f00000012c0)) ioctl$PIO_FONT(0xffffffffffffffff, 0x4b61, &(0x7f0000001500)) seccomp(0x1, 0x0, &(0x7f0000000100)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x58fe4}]}) syz_execute_func(&(0x7f0000000040)="428055a0636969ef69dc00d99069203637c3397c2a0f0fcdae300f38211a40a564a741dfe0400f01efe5e57d0fecec1a1a01460f01ee31a3b786e2989f") 07:36:48 executing program 5: keyctl$dh_compute(0x9, &(0x7f0000000100), &(0x7f0000a53ffb)=""/5, 0x332, &(0x7f0000000280)={&(0x7f0000a3dffa)={'crc32c-intel\x00'}}) openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0x0, 0x0) futex(&(0x7f00000006c0), 0x0, 0x0, &(0x7f0000000700), &(0x7f0000000740), 0x0) socket$inet(0x2, 0x0, 0x0) setsockopt$bt_BT_SECURITY(0xffffffffffffffff, 0x112, 0x4, &(0x7f0000000080), 0x2) dup2(0xffffffffffffffff, 0xffffffffffffffff) dup3(0xffffffffffffff9c, 0xffffffffffffff9c, 0x0) getsockopt$inet6_tcp_buf(0xffffffffffffffff, 0x6, 0x0, &(0x7f0000002f00)=""/4096, &(0x7f0000000600)=0x14e6) munlockall() ioctl$FIGETBSZ(0xffffffffffffffff, 0x2, &(0x7f0000000680)) seccomp(0x1, 0x0, &(0x7f0000000300)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x58fe4}]}) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f0000000240)) capget(&(0x7f0000000580), &(0x7f0000000640)) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(0xffffffffffffffff, 0x84, 0x6b, &(0x7f0000000780), 0x0) ioctl$FITRIM(0xffffffffffffffff, 0xc0185879, &(0x7f0000000040)) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, &(0x7f00000000c0)) syz_open_procfs(0x0, &(0x7f00000005c0)='timers\x00') timer_create(0x0, &(0x7f0000000140), &(0x7f0000000180)) clock_gettime(0x0, &(0x7f00000001c0)) recvfrom(0xffffffffffffffff, &(0x7f0000000480)=""/246, 0xf6, 0x0, &(0x7f0000000380)=@llc={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @remote}, 0x80) clock_gettime(0x0, &(0x7f0000000200)) timer_settime(0x0, 0x0, &(0x7f00000002c0), &(0x7f0000000340)) preadv(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0) syz_execute_func(&(0x7f0000000400)="428055a0636969ef69dc00d9c421a05d2f8a20f2420f58410dc3397c2a0f0fcdae300f38211a40a5c07f41dfe0400f01efe5e57d0fecec1a1a01460f01ee45dfde9f") 07:36:48 executing program 2: pipe(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$LOOP_SET_DIRECT_IO(r1, 0x4c08, 0x3fd) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$loop_ctrl(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/loop-control\x00', 0x0, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) ioctl$TIOCGSID(r1, 0x5429, &(0x7f0000000100)=0x0) ioctl$sock_SIOCSPGRP(r0, 0x8902, &(0x7f0000000280)=r2) openat$cgroup_procs(0xffffffffffffffff, &(0x7f0000000180)='cgroup.procs\x00', 0x2, 0x0) unshare(0x40000000) r3 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snapshot\x00', 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, &(0x7f0000000040)={'tunl0\x00', @ifru_names='bridge0\x00'}) ioctl$SNDRV_CTL_IOCTL_HWDEP_INFO(r3, 0x80dc5521, &(0x7f00000001c0)=""/153) setsockopt$packet_fanout(0xffffffffffffffff, 0x107, 0x12, &(0x7f00000000c0)={0x2, 0x0, 0x2000}, 0x4) pipe2(&(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) clock_gettime(0x0, &(0x7f0000000080)) ioctl$KVM_CREATE_DEVICE(r3, 0xc00caee0, &(0x7f0000000300)={0x7, r4, 0x1}) r5 = syz_open_dev$sg(&(0x7f0000000180)='/dev/sg#\x00', 0x0, 0x0) ioctl$BLKTRACESTART(r5, 0x1274, 0x0) ioctl$BLKTRACESETUP(r5, 0x227b, &(0x7f0000000000)={[], 0x0, 0x100, 0x279d}) ioctl$BLKTRACESTOP(r5, 0x1275, 0x0) 07:36:48 executing program 3: r0 = bpf$MAP_CREATE(0x0, &(0x7f0000ed1000)={0x3, 0x4, 0x80000000004, 0x8000000007}, 0x2c) bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0xd, 0xdd, 0x4, 0x6, 0x0, r0}, 0x2c) 07:36:48 executing program 4: r0 = socket$inet6(0xa, 0x1, 0x8010000000000084) io_setup(0x7, &(0x7f00000000c0)=0x0) io_destroy(r1) getsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000040), &(0x7f0000000080)=0x4) io_submit(r1, 0x0, &(0x7f0000000500)) [ 271.776047] IPVS: ftp: loaded support on port[0] = 21 [ 271.807917] IPVS: ftp: loaded support on port[0] = 21 [ 271.814744] IPVS: ftp: loaded support on port[0] = 21 [ 271.830643] kasan: CONFIG_KASAN_INLINE enabled [ 271.835347] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 271.842904] general protection fault: 0000 [#1] PREEMPT SMP KASAN [ 271.849143] CPU: 0 PID: 5636 Comm: syz-executor2 Not tainted 4.19.0-rc3-next-20180912+ #72 [ 271.857542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 271.866905] RIP: 0010:mqueue_get_tree+0xba/0x2e0 [ 271.871663] Code: 4c 8d b3 98 00 00 00 4d 85 ed 0f 84 d1 00 00 00 e8 6b 44 3f fe 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 e3 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b [ 271.890575] RSP: 0018:ffff88016500f928 EFLAGS: 00010207 [ 271.895948] RAX: dffffc0000000000 RBX: ffff8801d9bf2340 RCX: ffffffff8160aca1 [ 271.903213] RDX: 0fb1d875ae54b3e4 RSI: ffffffff833deb15 RDI: 7d8ec3ad72a59f25 [ 271.910480] RBP: ffff88016500f948 R08: fffffbfff13555fd R09: fffffbfff13555fc [ 271.917743] R10: fffffbfff13555fc R11: ffffffff89aaafe3 R12: ffff8801d75160c0 [ 271.925025] R13: 7d8ec3ad72a59f1d R14: ffff8801d9bf23d8 R15: ffff8801d9bf23d8 [ 271.932325] FS: 0000000001232940(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000 [ 271.940547] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 271.946447] CR2: 0000000000482e00 CR3: 00000001657da000 CR4: 00000000001406f0 [ 271.953735] Call Trace: [ 271.956352] vfs_get_tree+0x1cb/0x5c0 [ 271.960167] mq_create_mount+0xe3/0x190 [ 271.964141] mq_init_ns+0x15a/0x210 [ 271.967766] copy_ipcs+0x3d2/0x580 [ 271.971324] ? ipcns_get+0xe0/0xe0 [ 271.974878] ? do_mount+0x1db0/0x1db0 [ 271.978694] ? kmem_cache_alloc+0x33a/0x730 [ 271.983017] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 271.988555] ? perf_event_namespaces+0x136/0x400 [ 271.993321] create_new_namespaces+0x376/0x900 [ 271.997910] ? sys_ni_syscall+0x20/0x20 [ 272.001908] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 272.007443] ? ns_capable_common+0x13f/0x170 [ 272.011857] unshare_nsproxy_namespaces+0xc3/0x1f0 [ 272.016790] ksys_unshare+0x79c/0x10b0 [ 272.020683] ? walk_process_tree+0x440/0x440 [ 272.025102] ? lock_downgrade+0x900/0x900 [ 272.029253] ? kasan_check_read+0x11/0x20 [ 272.033400] ? do_raw_spin_unlock+0xa7/0x2f0 [ 272.037830] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 272.042417] ? kasan_check_write+0x14/0x20 [ 272.046668] ? do_raw_read_unlock+0x3f/0x60 [ 272.050993] ? do_syscall_64+0x9a/0x820 [ 272.054973] ? do_syscall_64+0x9a/0x820 [ 272.058948] ? lockdep_hardirqs_on+0x421/0x5c0 [ 272.063535] ? trace_hardirqs_on+0xbd/0x310 [ 272.067859] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 272.073236] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 272.078734] ? __ia32_sys_prlimit64+0x8c0/0x8c0 [ 272.083413] __x64_sys_unshare+0x31/0x40 [ 272.087473] do_syscall_64+0x1b9/0x820 [ 272.091388] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 272.096790] ? syscall_return_slowpath+0x5e0/0x5e0 [ 272.101718] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 272.106561] ? trace_hardirqs_on_caller+0x310/0x310 [ 272.111578] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 272.116592] ? prepare_exit_to_usermode+0x291/0x3b0 [ 272.121621] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 272.126690] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 272.131877] RIP: 0033:0x459d87 [ 272.135073] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 3d 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 1d 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 272.153971] RSP: 002b:00007fffd5585158 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 [ 272.161700] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459d87 [ 272.168969] RDX: 0000000000000000 RSI: 00007fffd5585160 RDI: 0000000008000000 [ 272.176237] RBP: 0000000000930b28 R08: 0000000000000000 R09: 0000000000000018 [ 272.183501] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010 [ 272.190785] R13: 0000000000412cc0 R14: 0000000000000000 R15: 0000000000000000 [ 272.198065] Modules linked in: [ 272.201333] ---[ end trace 057c5d04c223f56e ]--- [ 272.206116] RIP: 0010:mqueue_get_tree+0xba/0x2e0 [ 272.210909] Code: 4c 8d b3 98 00 00 00 4d 85 ed 0f 84 d1 00 00 00 e8 6b 44 3f fe 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 e3 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b [ 272.229844] RSP: 0018:ffff88016500f928 EFLAGS: 00010207 [ 272.235213] RAX: dffffc0000000000 RBX: ffff8801d9bf2340 RCX: ffffffff8160aca1 [ 272.242507] RDX: 0fb1d875ae54b3e4 RSI: ffffffff833deb15 RDI: 7d8ec3ad72a59f25 [ 272.249806] RBP: ffff88016500f948 R08: fffffbfff13555fd R09: fffffbfff13555fc [ 272.257106] R10: fffffbfff13555fc R11: ffffffff89aaafe3 R12: ffff8801d75160c0 [ 272.264416] R13: 7d8ec3ad72a59f1d R14: ffff8801d9bf23d8 R15: ffff8801d9bf23d8 [ 272.271710] FS: 0000000001232940(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000 [ 272.279968] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 272.285860] CR2: 0000000000482e00 CR3: 00000001657da000 CR4: 00000000001406f0 [ 272.293151] Kernel panic - not syncing: Fatal exception [ 272.299516] Kernel Offset: disabled [ 272.303142] Rebooting in 86400 seconds..