[....] Starting OpenBSD Secure Shell server: sshd
[ 25.048344] random: sshd: uninitialized urandom read (32 bytes read)
[ ok .
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 26.754307] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.132740] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.732922] sshd (5322) used greatest stack depth: 16584 bytes left
[ 27.755614] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.034746] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
[ 50.550412] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/10 03:59:14 parsed 1 programs
[ 51.820831] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/10 03:59:16 executed programs: 0
[ 53.127205] IPVS: ftp: loaded support on port[0] = 21
[ 53.372301] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.379622] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.387300] device bridge_slave_0 entered promiscuous mode
[ 53.407736] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.414206] bridge0: port 2(bridge_slave_1) entered disabled state
[ 53.421367] device bridge_slave_1 entered promiscuous mode
[ 53.439739] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 53.458941] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 53.508961] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 53.529263] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 53.605226] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 53.612455] team0: Port device team_slave_0 added
[ 53.629333] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 53.636974] team0: Port device team_slave_1 added
[ 53.654521] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.676937] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.696901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 53.718272] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 53.867404] bridge0: port 2(bridge_slave_1) entered blocking state
[ 53.873821] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.880540] bridge0: port 1(bridge_slave_0) entered blocking state
[ 53.886892] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 54.414886] 8021q: adding VLAN 0 to HW filter on device bond0
[ 54.467190] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.520567] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.527054] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.534276] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.588674] 8021q: adding VLAN 0 to HW filter on device team0
[ 54.969621] hrtimer: interrupt took 24623 ns
2018/09/10 03:59:21 executed programs: 65
[ 62.083139] ==================================================================
[ 62.090641] BUG: KASAN: use-after-free in ucma_put_ctx+0x1d/0x60
[ 62.096787] Write of size 4 at addr ffff8801d2dbb998 by task syz-executor0/6896
[ 62.104210]
[ 62.105827] CPU: 0 PID: 6896 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #230
[ 62.113076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.122414] Call Trace:
[ 62.124991]  dump_stack+0x1c4/0x2b4
[ 62.128605]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 62.133779]  ? printk+0xa7/0xcf
[ 62.137057]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 62.142038]  print_address_description.cold.8+0x9/0x1ff
[ 62.147383]  kasan_report.cold.9+0x242/0x309
[ 62.151799]  ? ucma_put_ctx+0x1d/0x60
[ 62.155585]  check_memory_region+0x13e/0x1b0
[ 62.159977]  kasan_check_write+0x14/0x20
[ 62.164037]  ucma_put_ctx+0x1d/0x60
[ 62.167664]  ucma_resolve_ip+0x24d/0x2a0
[ 62.171707]  ? ucma_query+0xb20/0xb20
[ 62.175501]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 62.181018]  ? _copy_from_user+0xdf/0x150
[ 62.185177]  ? ucma_query+0xb20/0xb20
[ 62.188970]  ucma_write+0x336/0x420
[ 62.192596]  ? ucma_close_id+0x60/0x60
[ 62.196476]  __vfs_write+0x119/0x9f0
[ 62.200186]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 62.205117]  ? ucma_close_id+0x60/0x60
[ 62.209030]  ? kernel_read+0x120/0x120
[ 62.212902]  ? apparmor_path_rmdir+0x30/0x30
[ 62.217307]  ? rtc_dev_fasync+0x60/0x60
[ 62.221267]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.226788]  ? do_vfs_ioctl+0x201/0x1720
[ 62.230833]  ? fsnotify_first_mark+0x350/0x350
[ 62.235415]  ? apparmor_file_permission+0x24/0x30
[ 62.240239]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.245789]  ? security_file_permission+0x1c2/0x230
[ 62.250804]  ? rw_verify_area+0x118/0x360
[ 62.254934]  vfs_write+0x1fc/0x560
[ 62.258462]  ksys_write+0x101/0x260
[ 62.262075]  ? __ia32_sys_read+0xb0/0xb0
[ 62.266118]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 62.271902]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 62.277338]  ? ksys_ioctl+0x81/0xd0
[ 62.280951]  __x64_sys_write+0x73/0xb0
[ 62.284825]  do_syscall_64+0x1b9/0x820
[ 62.288698]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 62.294044]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 62.298956]  ? trace_hardirqs_on_caller+0x310/0x310
[ 62.303969]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 62.308969]  ? recalc_sigpending_tsk+0x180/0x180
[ 62.313737]  ? kasan_check_write+0x14/0x20
[ 62.317958]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 62.322789]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.327960] RIP: 0033:0x457099
[ 62.331133] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.350017] RSP: 002b:00007f792c563c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 62.357725] RAX: ffffffffffffffda RBX: 00007f792c5646d4 RCX: 0000000000457099
[ 62.364977] RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000008
[ 62.372224] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 62.379474] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 62.386724] R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000001
[ 62.393980]
[ 62.395603] Allocated by task 6896:
[ 62.399228]  save_stack+0x43/0xd0
[ 62.402658]  kasan_kmalloc+0xc7/0xe0
[ 62.406354]  kmem_cache_alloc_trace+0x152/0x750
[ 62.411003]  ucma_alloc_ctx+0xce/0x690
[ 62.414868]  ucma_create_id+0x27d/0x990
[ 62.418820]  ucma_write+0x336/0x420
[ 62.422425]  __vfs_write+0x119/0x9f0
[ 62.426120]  vfs_write+0x1fc/0x560
[ 62.429637]  ksys_write+0x101/0x260
[ 62.433242]  __x64_sys_write+0x73/0xb0
[ 62.437142]  do_syscall_64+0x1b9/0x820
[ 62.441025]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.446189]
[ 62.447810] Freed by task 6891:
[ 62.451086]  save_stack+0x43/0xd0
[ 62.454532]  __kasan_slab_free+0x102/0x150
[ 62.458747]  kasan_slab_free+0xe/0x10
[ 62.462531]  kfree+0xcf/0x230
[ 62.465621]  ucma_free_ctx+0x9e6/0xdb0
[ 62.469488]  ucma_close+0x10d/0x300
[ 62.473124]  __fput+0x385/0xa30
[ 62.476380]  ____fput+0x15/0x20
[ 62.479651]  task_work_run+0x1e8/0x2a0
[ 62.483518]  exit_to_usermode_loop+0x318/0x380
[ 62.488096]  do_syscall_64+0x6be/0x820
[ 62.491964]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.497139]
[ 62.498764] The buggy address belongs to the object at ffff8801d2dbb940
[ 62.498764]  which belongs to the cache kmalloc-256 of size 256
[ 62.511430] The buggy address is located 88 bytes inside of
[ 62.511430]  256-byte region [ffff8801d2dbb940, ffff8801d2dbba40)
[ 62.523200] The buggy address belongs to the page:
[ 62.528114] page:ffffea00074b6ec0 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0x0
[ 62.536239] flags: 0x2fffc0000000100(slab)
[ 62.540457] raw: 02fffc0000000100 ffffea00074b6c48 ffffea00074b70c8 ffff8801da8007c0
[ 62.548318] raw: 0000000000000000 ffff8801d2dbb080 000000010000000c 0000000000000000
[ 62.556173] page dumped because: kasan: bad access detected
[ 62.561860]
[ 62.563466] Memory state around the buggy address:
[ 62.568377]  ffff8801d2dbb880: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 62.575749]  ffff8801d2dbb900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 62.583126] >ffff8801d2dbb980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.590479]                             ^
[ 62.594604]  ffff8801d2dbba00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 62.601945]  ffff8801d2dbba80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.609280] ==================================================================
[ 62.616614] Disabling lock debugging due to kernel taint
[ 62.624172] Kernel panic - not syncing: panic_on_warn set ...
[ 62.624172]
[ 62.631557] CPU: 0 PID: 6896 Comm: syz-executor0 Tainted: G B 4.19.0-rc2+ #230
[ 62.640213] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.649548] Call Trace:
[ 62.652122]  dump_stack+0x1c4/0x2b4
[ 62.655731]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 62.660906]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 62.665646]  panic+0x238/0x4e7
[ 62.668823]  ? add_taint.cold.5+0x16/0x16
[ 62.672953]  ? preempt_schedule+0x4d/0x60
[ 62.677083]  ? ___preempt_schedule+0x16/0x18
[ 62.681474]  ? trace_hardirqs_on+0xb4/0x310
[ 62.685782]  kasan_end_report+0x47/0x4f
[ 62.689737]  kasan_report.cold.9+0x76/0x309
[ 62.694040]  ? ucma_put_ctx+0x1d/0x60
[ 62.697838]  check_memory_region+0x13e/0x1b0
[ 62.702241]  kasan_check_write+0x14/0x20
[ 62.706294]  ucma_put_ctx+0x1d/0x60
[ 62.709917]  ucma_resolve_ip+0x24d/0x2a0
[ 62.713973]  ? ucma_query+0xb20/0xb20
[ 62.717759]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 62.723277]  ? _copy_from_user+0xdf/0x150
[ 62.727441]  ? ucma_query+0xb20/0xb20
[ 62.731226]  ucma_write+0x336/0x420
[ 62.734839]  ? ucma_close_id+0x60/0x60
[ 62.738713]  __vfs_write+0x119/0x9f0
[ 62.742423]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 62.747341]  ? ucma_close_id+0x60/0x60
[ 62.751219]  ? kernel_read+0x120/0x120
[ 62.755089]  ? apparmor_path_rmdir+0x30/0x30
[ 62.759482]  ? rtc_dev_fasync+0x60/0x60
[ 62.763454]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.768989]  ? do_vfs_ioctl+0x201/0x1720
[ 62.773037]  ? fsnotify_first_mark+0x350/0x350
[ 62.777602]  ? apparmor_file_permission+0x24/0x30
[ 62.782428]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.787948]  ? security_file_permission+0x1c2/0x230
[ 62.792945]  ? rw_verify_area+0x118/0x360
[ 62.797073]  vfs_write+0x1fc/0x560
[ 62.800600]  ksys_write+0x101/0x260
[ 62.804208]  ? __ia32_sys_read+0xb0/0xb0
[ 62.808253]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 62.813773]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 62.819207]  ? ksys_ioctl+0x81/0xd0
[ 62.822815]  __x64_sys_write+0x73/0xb0
[ 62.826704]  do_syscall_64+0x1b9/0x820
[ 62.830577]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 62.835927]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 62.840849]  ? trace_hardirqs_on_caller+0x310/0x310
[ 62.845853]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 62.850850]  ? recalc_sigpending_tsk+0x180/0x180
[ 62.855589]  ? kasan_check_write+0x14/0x20
[ 62.859808]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 62.864638]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.869806] RIP: 0033:0x457099
[ 62.872983] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.891866] RSP: 002b:00007f792c563c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 62.899553] RAX: ffffffffffffffda RBX: 00007f792c5646d4 RCX: 0000000000457099
[ 62.906804] RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000008
[ 62.914071] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 62.921319] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 62.928566] R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000001
[ 62.935896] Dumping ftrace buffer:
[ 62.939419]    (ftrace buffer empty)
[ 62.943694] Kernel Offset: disabled
[ 62.947314] Rebooting in 86400 seconds..