[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[ 26.126473] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 29.073303] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.411968] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.015074] random: sshd: uninitialized urandom read (32 bytes read)
[ 112.639717] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
[ 118.192546] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/10 12:12:28 parsed 1 programs
[ 119.700191] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/10 12:12:30 executed programs: 0
[ 121.019014] IPVS: ftp: loaded support on port[0] = 21
[ 121.278385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 121.285124] bridge0: port 1(bridge_slave_0) entered disabled state
[ 121.292908] device bridge_slave_0 entered promiscuous mode
[ 121.313365] bridge0: port 2(bridge_slave_1) entered blocking state
[ 121.320039] bridge0: port 2(bridge_slave_1) entered disabled state
[ 121.327087] device bridge_slave_1 entered promiscuous mode
[ 121.346007] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 121.365372] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 121.416394] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 121.438341] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 121.514256] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 121.521753] team0: Port device team_slave_0 added
[ 121.540435] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 121.548210] team0: Port device team_slave_1 added
[ 121.565952] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 121.585815] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 121.606312] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 121.628079] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 121.780122] bridge0: port 2(bridge_slave_1) entered blocking state
[ 121.786571] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 121.793559] bridge0: port 1(bridge_slave_0) entered blocking state
[ 121.799986] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 122.314413] 8021q: adding VLAN 0 to HW filter on device bond0
[ 122.368209] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 122.421419] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 122.427858] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 122.435210] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 122.490751] 8021q: adding VLAN 0 to HW filter on device team0
[ 122.848897] ==================================================================
[ 122.856578] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[ 122.862538] Read of size 8 at addr ffff8801b3813970 by task syz-executor0/5655
[ 122.869875]
[ 122.871495] CPU: 0 PID: 5655 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #210
[ 122.878750] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.888099] Call Trace:
[ 122.890685]  dump_stack+0x1c4/0x2b4
[ 122.894310]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 122.899488]  ? printk+0xa7/0xcf
[ 122.902779]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 122.907553]  print_address_description.cold.8+0x9/0x1ff
[ 122.913023]  kasan_report.cold.9+0x242/0x309
[ 122.917423]  ? sock_i_ino+0x94/0xa0
[ 122.921042]  __asan_report_load8_noabort+0x14/0x20
[ 122.925955]  sock_i_ino+0x94/0xa0
[ 122.929400]  tipc_sk_fill_sock_diag+0x39c/0xd90
[ 122.934054]  ? tipc_diag_dump+0x30/0x30
[ 122.938136]  ? tipc_getname+0x7f0/0x7f0
[ 122.942103]  ? graph_lock+0x170/0x170
[ 122.945895]  ? __lock_sock+0x203/0x350
[ 122.949780]  ? find_held_lock+0x36/0x1c0
[ 122.953835]  ? mark_held_locks+0xc7/0x130
[ 122.957978]  ? __local_bh_enable_ip+0x160/0x260
[ 122.962646]  ? __local_bh_enable_ip+0x160/0x260
[ 122.967308]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 122.971882]  ? trace_hardirqs_on+0xbd/0x310
[ 122.976195]  ? lock_release+0x970/0x970
[ 122.980161]  ? lock_sock_nested+0xe2/0x120
[ 122.984384]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 122.989413]  ? skb_put+0x17b/0x1e0
[ 122.992939]  ? memset+0x31/0x40
[ 122.996205]  ? __nlmsg_put+0x14c/0x1b0
[ 123.000083]  __tipc_add_sock_diag+0x233/0x360
[ 123.004569]  tipc_nl_sk_walk+0x122/0x1d0
[ 123.008799]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 123.014067]  tipc_diag_dump+0x24/0x30
[ 123.017965]  netlink_dump+0x519/0xd50
[ 123.021900]  ? netlink_broadcast+0x50/0x50
[ 123.026157]  __netlink_dump_start+0x4f1/0x6f0
[ 123.030642]  ? tipc_data_ready+0x3e0/0x3e0
[ 123.034869]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 123.039976]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 123.044638]  ? tipc_data_ready+0x3e0/0x3e0
[ 123.048864]  ? tipc_unregister_sysctl+0x20/0x20
[ 123.053525]  ? tipc_ioctl+0x3a0/0x3a0
[ 123.057315]  ? netlink_deliver_tap+0x355/0xf80
[ 123.061886]  sock_diag_rcv_msg+0x31d/0x410
[ 123.066106]  netlink_rcv_skb+0x172/0x440
[ 123.070152]  ? sock_diag_bind+0x80/0x80
[ 123.074118]  ? netlink_ack+0xb80/0xb80
[ 123.078042]  sock_diag_rcv+0x2a/0x40
[ 123.081757]  netlink_unicast+0x5a5/0x760
[ 123.085907]  ? netlink_attachskb+0x9a0/0x9a0
[ 123.090626]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 123.096154]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 123.101160]  netlink_sendmsg+0xa18/0xfc0
[ 123.105292]  ? netlink_unicast+0x760/0x760
[ 123.109642]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[ 123.114661]  ? apparmor_socket_sendmsg+0x29/0x30
[ 123.119408]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 123.124933]  ? security_socket_sendmsg+0x94/0xc0
[ 123.129679]  ? netlink_unicast+0x760/0x760
[ 123.133908]  sock_sendmsg+0xd5/0x120
[ 123.137614]  ___sys_sendmsg+0x7fd/0x930
[ 123.141587]  ? __local_bh_enable_ip+0x160/0x260
[ 123.146239]  ? copy_msghdr_from_user+0x580/0x580
[ 123.150988]  ? kasan_check_write+0x14/0x20
[ 123.155228]  ? _raw_spin_unlock_bh+0x30/0x40
[ 123.160242]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 123.165689]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 123.171211]  ? release_sock+0x1ec/0x2c0
[ 123.175190]  ? __fget_light+0x2e9/0x430
[ 123.179152]  ? fget_raw+0x20/0x20
[ 123.182607]  ? __release_sock+0x3a0/0x3a0
[ 123.186747]  ? tipc_nametbl_build_group+0x273/0x360
[ 123.191767]  ? tipc_setsockopt+0x726/0xd70
[ 123.195995]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 123.201517]  ? sockfd_lookup_light+0xc5/0x160
[ 123.206000]  __sys_sendmsg+0x11d/0x280
[ 123.209876]  ? __ia32_sys_shutdown+0x80/0x80
[ 123.214273]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 123.219793]  ? fput+0x130/0x1a0
[ 123.223063]  ? __x64_sys_futex+0x47f/0x6a0
[ 123.227297]  ? do_syscall_64+0x9a/0x820
[ 123.231290]  ? do_syscall_64+0x9a/0x820
[ 123.235252]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 123.240701]  __x64_sys_sendmsg+0x78/0xb0
[ 123.244749]  do_syscall_64+0x1b9/0x820
[ 123.248623]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 123.253974]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 123.258888]  ? trace_hardirqs_off+0x300/0x300
[ 123.263368]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 123.268370]  ? recalc_sigpending_tsk+0x180/0x180
[ 123.273114]  ? kasan_check_write+0x14/0x20
[ 123.277336]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 123.282171]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 123.287343] RIP: 0033:0x457099
[ 123.290520] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 123.309412] RSP: 002b:00007f1451c3ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 123.317104] RAX: ffffffffffffffda RBX: 00007f1451c3f6d4 RCX: 0000000000457099
[ 123.324355] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 123.331604] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 123.338855] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 123.346107] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[ 123.353366]
[ 123.354996] Allocated by task 5655:
[ 123.358608]  save_stack+0x43/0xd0
[ 123.362060]  kasan_kmalloc+0xc7/0xe0
[ 123.365754]  kasan_slab_alloc+0x12/0x20
[ 123.369714]  kmem_cache_alloc+0x12e/0x730
[ 123.373843]  sock_alloc_inode+0x1d/0x260
[ 123.377888]  alloc_inode+0x63/0x190
[ 123.381502]  new_inode_pseudo+0x71/0x1a0
[ 123.385548]  sock_alloc+0x41/0x270
[ 123.389069]  __sock_create+0x175/0x930
[ 123.392993]  __sys_socket+0x106/0x260
[ 123.396776]  __x64_sys_socket+0x73/0xb0
[ 123.400733]  do_syscall_64+0x1b9/0x820
[ 123.404604]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 123.409774]
[ 123.411387] Freed by task 5654:
[ 123.414648]  save_stack+0x43/0xd0
[ 123.418107]  __kasan_slab_free+0x102/0x150
[ 123.422333]  kasan_slab_free+0xe/0x10
[ 123.426115]  kmem_cache_free+0x83/0x290
[ 123.430073]  sock_destroy_inode+0x51/0x60
[ 123.434202]  destroy_inode+0x159/0x200
[ 123.438071]  evict+0x5e0/0x980
[ 123.441244]  iput+0x679/0xa90
[ 123.444342]  dentry_unlink_inode+0x461/0x5e0
[ 123.448732]  __dentry_kill+0x44c/0x7a0
[ 123.452601]  dentry_kill+0xc9/0x5a0
[ 123.456249]  dput.part.26+0x660/0x790
[ 123.460041]  dput+0x15/0x20
[ 123.462955]  __fput+0x4cf/0xa30
[ 123.466222]  ____fput+0x15/0x20
[ 123.469494]  task_work_run+0x1e8/0x2a0
[ 123.473368]  exit_to_usermode_loop+0x318/0x380
[ 123.477935]  do_syscall_64+0x6be/0x820
[ 123.481808]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 123.486971]
[ 123.488583] The buggy address belongs to the object at ffff8801b3813900
[ 123.488583]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[ 123.502439] The buggy address is located 112 bytes inside of
[ 123.502439]  984-byte region [ffff8801b3813900, ffff8801b3813cd8)
[ 123.514326] The buggy address belongs to the page:
[ 123.519243] page:ffffea0006ce04c0 count:1 mapcount:0 mapping:ffff8801cb1c8800 index:0xffff8801b3813ffd
[ 123.528685] flags: 0x2fffc0000000100(slab)
[ 123.532918] raw: 02fffc0000000100 ffffea0006ce0448 ffff8801d76a6548 ffff8801cb1c8800
[ 123.540794] raw: ffff8801b3813ffd ffff8801b3813000 0000000100000003 ffff8801ce6dc240
[ 123.548701] page dumped because: kasan: bad access detected
[ 123.554422] page->mem_cgroup:ffff8801ce6dc240
[ 123.558901]
[ 123.560520] Memory state around the buggy address:
[ 123.565439]  ffff8801b3813800: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 123.572814]  ffff8801b3813880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 123.580168] >ffff8801b3813900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 123.587523]                                                              ^
[ 123.594552]  ffff8801b3813980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 123.601897]  ffff8801b3813a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 123.609235] ==================================================================
[ 123.616579] Disabling lock debugging due to kernel taint
[ 123.622578] Kernel panic - not syncing: panic_on_warn set ...
[ 123.622578]
[ 123.629965] CPU: 0 PID: 5655 Comm: syz-executor0 Tainted: G    B             4.19.0-rc2+ #210
[ 123.638641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 123.647977] Call Trace:
[ 123.650558]  dump_stack+0x1c4/0x2b4
[ 123.654174]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 123.659355]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 123.664097]  panic+0x238/0x4e7
[ 123.667282]  ? add_taint.cold.5+0x16/0x16
[ 123.671419]  ? trace_hardirqs_on+0x9a/0x310
[ 123.675735]  ? trace_hardirqs_on+0xb4/0x310
[ 123.680073]  ? trace_hardirqs_on+0xb4/0x310
[ 123.684385]  kasan_end_report+0x47/0x4f
[ 123.688346]  kasan_report.cold.9+0x76/0x309
[ 123.692659]  ? sock_i_ino+0x94/0xa0
[ 123.696280]  __asan_report_load8_noabort+0x14/0x20
[ 123.701197]  sock_i_ino+0x94/0xa0
[ 123.704637]  tipc_sk_fill_sock_diag+0x39c/0xd90
[ 123.709297]  ? tipc_diag_dump+0x30/0x30
[ 123.713270]  ? tipc_getname+0x7f0/0x7f0
[ 123.717240]  ? graph_lock+0x170/0x170
[ 123.721034]  ? __lock_sock+0x203/0x350
[ 123.724910]  ? find_held_lock+0x36/0x1c0
[ 123.728956]  ? mark_held_locks+0xc7/0x130
[ 123.733093]  ? __local_bh_enable_ip+0x160/0x260
[ 123.737747]  ? __local_bh_enable_ip+0x160/0x260
[ 123.742400]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 123.746968]  ? trace_hardirqs_on+0xbd/0x310
[ 123.751278]  ? lock_release+0x970/0x970
[ 123.755238]  ? lock_sock_nested+0xe2/0x120
[ 123.759475]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 123.764503]  ? skb_put+0x17b/0x1e0
[ 123.768030]  ? memset+0x31/0x40
[ 123.771297]  ? __nlmsg_put+0x14c/0x1b0
[ 123.775174]  __tipc_add_sock_diag+0x233/0x360
[ 123.779672]  tipc_nl_sk_walk+0x122/0x1d0
[ 123.783732]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 123.789019]  tipc_diag_dump+0x24/0x30
[ 123.792808]  netlink_dump+0x519/0xd50
[ 123.796597]  ? netlink_broadcast+0x50/0x50
[ 123.800820]  __netlink_dump_start+0x4f1/0x6f0
[ 123.805301]  ? tipc_data_ready+0x3e0/0x3e0
[ 123.809608]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 123.814694]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 123.819345]  ? tipc_data_ready+0x3e0/0x3e0
[ 123.823566]  ? tipc_unregister_sysctl+0x20/0x20
[ 123.828218]  ? tipc_ioctl+0x3a0/0x3a0
[ 123.832004]  ? netlink_deliver_tap+0x355/0xf80
[ 123.836579]  sock_diag_rcv_msg+0x31d/0x410
[ 123.840896]  netlink_rcv_skb+0x172/0x440
[ 123.844938]  ? sock_diag_bind+0x80/0x80
[ 123.848897]  ? netlink_ack+0xb80/0xb80
[ 123.852768]  sock_diag_rcv+0x2a/0x40
[ 123.856466]  netlink_unicast+0x5a5/0x760
[ 123.860515]  ? netlink_attachskb+0x9a0/0x9a0
[ 123.864941]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 123.870497]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 123.875499]  netlink_sendmsg+0xa18/0xfc0
[ 123.879553]  ? netlink_unicast+0x760/0x760
[ 123.883773]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[ 123.888690]  ? apparmor_socket_sendmsg+0x29/0x30
[ 123.893431]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 123.898953]  ? security_socket_sendmsg+0x94/0xc0
[ 123.903694]  ? netlink_unicast+0x760/0x760
[ 123.907913]  sock_sendmsg+0xd5/0x120
[ 123.911610]  ___sys_sendmsg+0x7fd/0x930
[ 123.915569]  ? __local_bh_enable_ip+0x160/0x260
[ 123.920222]  ? copy_msghdr_from_user+0x580/0x580
[ 123.924962]  ? kasan_check_write+0x14/0x20
[ 123.929183]  ? _raw_spin_unlock_bh+0x30/0x40
[ 123.933583]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 123.939018]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 123.944550]  ? release_sock+0x1ec/0x2c0
[ 123.948510]  ? __fget_light+0x2e9/0x430
[ 123.952480]  ? fget_raw+0x20/0x20
[ 123.955937]  ? __release_sock+0x3a0/0x3a0
[ 123.960075]  ? tipc_nametbl_build_group+0x273/0x360
[ 123.965076]  ? tipc_setsockopt+0x726/0xd70
[ 123.969299]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 123.974833]  ? sockfd_lookup_light+0xc5/0x160
[ 123.979314]  __sys_sendmsg+0x11d/0x280
[ 123.983186]  ? __ia32_sys_shutdown+0x80/0x80
[ 123.987581]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 123.993099]  ? fput+0x130/0x1a0
[ 123.996366]  ? __x64_sys_futex+0x47f/0x6a0
[ 124.000584]  ? do_syscall_64+0x9a/0x820
[ 124.004550]  ? do_syscall_64+0x9a/0x820
[ 124.008510]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 124.013973]  __x64_sys_sendmsg+0x78/0xb0
[ 124.018020]  do_syscall_64+0x1b9/0x820
[ 124.021894]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 124.027273]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 124.032204]  ? trace_hardirqs_off+0x300/0x300
[ 124.036685]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 124.041684]  ? recalc_sigpending_tsk+0x180/0x180
[ 124.046425]  ? kasan_check_write+0x14/0x20
[ 124.050646]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 124.055482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 124.060656] RIP: 0033:0x457099
[ 124.063833] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 124.082736] RSP: 002b:00007f1451c3ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 124.090454] RAX: ffffffffffffffda RBX: 00007f1451c3f6d4 RCX: 0000000000457099
[ 124.097705] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 124.104954] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 124.112206] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 124.119457] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[ 124.127053] Dumping ftrace buffer:
[ 124.130581]    (ftrace buffer empty)
[ 124.134861] Kernel Offset: disabled
[ 124.138480] Rebooting in 86400 seconds..