[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   24.992260] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   29.059948] random: sshd: uninitialized urandom read (32 bytes read)
[   29.530222] random: sshd: uninitialized urandom read (32 bytes read)
[   30.137709] random: sshd: uninitialized urandom read (32 bytes read)
[  103.729203] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
[  109.267450] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/08 06:40:12 parsed 1 programs
[  110.380973] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/08 06:40:14 executed programs: 0
[  111.619442] IPVS: ftp: loaded support on port[0] = 21
[  111.867418] bridge0: port 1(bridge_slave_0) entered blocking state
[  111.874201] bridge0: port 1(bridge_slave_0) entered disabled state
[  111.881514] device bridge_slave_0 entered promiscuous mode
[  111.900197] bridge0: port 2(bridge_slave_1) entered blocking state
[  111.906715] bridge0: port 2(bridge_slave_1) entered disabled state
[  111.914314] device bridge_slave_1 entered promiscuous mode
[  111.931752] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  111.950230] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  111.999193] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  112.019028] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  112.092729] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  112.100211] team0: Port device team_slave_0 added
[  112.117267] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  112.124319] team0: Port device team_slave_1 added
[  112.140962] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  112.164008] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  112.182623] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  112.201227] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  112.343770] bridge0: port 2(bridge_slave_1) entered blocking state
[  112.350405] bridge0: port 2(bridge_slave_1) entered forwarding state
[  112.357234] bridge0: port 1(bridge_slave_0) entered blocking state
[  112.363569] bridge0: port 1(bridge_slave_0) entered forwarding state
[  112.870431] 8021q: adding VLAN 0 to HW filter on device bond0
[  112.923078] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  112.974846] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  112.981063] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  112.989663] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  113.035076] 8021q: adding VLAN 0 to HW filter on device team0
[  113.349899] ==================================================================
[  113.357383] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[  113.363343] Read of size 8 at addr ffff8801c33a70f0 by task syz-executor0/5603
[  113.370684] 
[  113.372298] CPU: 0 PID: 5603 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #227
[  113.379552] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  113.388884] Call Trace:
[  113.391458]  dump_stack+0x1c4/0x2b4
[  113.395201]  ? dump_stack_print_info.cold.2+0x52/0x52
[  113.400393]  ? printk+0xa7/0xcf
[  113.403670]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  113.408418]  print_address_description.cold.8+0x9/0x1ff
[  113.413985]  kasan_report.cold.9+0x242/0x309
[  113.418408]  ? sock_i_ino+0x94/0xa0
[  113.422028]  __asan_report_load8_noabort+0x14/0x20
[  113.426943]  sock_i_ino+0x94/0xa0
[  113.430392]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  113.435043]  ? tipc_diag_dump+0x30/0x30
[  113.439001]  ? tipc_getname+0x7f0/0x7f0
[  113.442971]  ? graph_lock+0x170/0x170
[  113.446761]  ? __lock_sock+0x203/0x350
[  113.450640]  ? find_held_lock+0x36/0x1c0
[  113.454694]  ? mark_held_locks+0xc7/0x130
[  113.458832]  ? __local_bh_enable_ip+0x160/0x260
[  113.463494]  ? __local_bh_enable_ip+0x160/0x260
[  113.468149]  ? lockdep_hardirqs_on+0x421/0x5c0
[  113.472715]  ? trace_hardirqs_on+0xbd/0x310
[  113.477192]  ? lock_release+0x970/0x970
[  113.481152]  ? lock_sock_nested+0xe2/0x120
[  113.485379]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  113.490393]  ? skb_put+0x17b/0x1e0
[  113.493919]  ? memset+0x31/0x40
[  113.497193]  ? __nlmsg_put+0x14c/0x1b0
[  113.501120]  __tipc_add_sock_diag+0x233/0x360
[  113.505614]  tipc_nl_sk_walk+0x122/0x1d0
[  113.509658]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  113.514920]  tipc_diag_dump+0x24/0x30
[  113.518707]  netlink_dump+0x519/0xd50
[  113.522498]  ? netlink_broadcast+0x50/0x50
[  113.526724]  __netlink_dump_start+0x4f1/0x6f0
[  113.531204]  ? tipc_data_ready+0x3e0/0x3e0
[  113.535498]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  113.540698]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  113.545362]  ? tipc_data_ready+0x3e0/0x3e0
[  113.549606]  ? tipc_unregister_sysctl+0x20/0x20
[  113.554263]  ? tipc_ioctl+0x3a0/0x3a0
[  113.558169]  ? netlink_deliver_tap+0x355/0xf80
[  113.562743]  sock_diag_rcv_msg+0x31d/0x410
[  113.567072]  netlink_rcv_skb+0x172/0x440
[  113.571123]  ? sock_diag_bind+0x80/0x80
[  113.575084]  ? netlink_ack+0xb80/0xb80
[  113.579081]  sock_diag_rcv+0x2a/0x40
[  113.582804]  netlink_unicast+0x5a5/0x760
[  113.586853]  ? netlink_attachskb+0x9a0/0x9a0
[  113.591259]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  113.596847]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  113.602034]  netlink_sendmsg+0xa18/0xfc0
[  113.606139]  ? netlink_unicast+0x760/0x760
[  113.610379]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  113.615299]  ? apparmor_socket_sendmsg+0x29/0x30
[  113.620047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  113.625576]  ? security_socket_sendmsg+0x94/0xc0
[  113.630526]  ? netlink_unicast+0x760/0x760
[  113.634768]  sock_sendmsg+0xd5/0x120
[  113.638471]  ___sys_sendmsg+0x7fd/0x930
[  113.642431]  ? __local_bh_enable_ip+0x160/0x260
[  113.647093]  ? copy_msghdr_from_user+0x580/0x580
[  113.651836]  ? kasan_check_write+0x14/0x20
[  113.656053]  ? _raw_spin_unlock_bh+0x30/0x40
[  113.660456]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  113.666073]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  113.671606]  ? release_sock+0x1ec/0x2c0
[  113.675570]  ? __fget_light+0x2e9/0x430
[  113.679557]  ? fget_raw+0x20/0x20
[  113.683003]  ? __release_sock+0x3a0/0x3a0
[  113.687135]  ? tipc_nametbl_build_group+0x273/0x360
[  113.692147]  ? tipc_setsockopt+0x726/0xd70
[  113.696389]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  113.701916]  ? sockfd_lookup_light+0xc5/0x160
[  113.706405]  __sys_sendmsg+0x11d/0x280
[  113.710281]  ? __ia32_sys_shutdown+0x80/0x80
[  113.714901]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  113.720433]  ? fput+0x130/0x1a0
[  113.723709]  ? __x64_sys_futex+0x47f/0x6a0
[  113.727984]  ? do_syscall_64+0x9a/0x820
[  113.731957]  ? do_syscall_64+0x9a/0x820
[  113.735933]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  113.741391]  __x64_sys_sendmsg+0x78/0xb0
[  113.745448]  do_syscall_64+0x1b9/0x820
[  113.749388]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  113.754751]  ? syscall_return_slowpath+0x5e0/0x5e0
[  113.759668]  ? trace_hardirqs_on_caller+0x310/0x310
[  113.764669]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  113.769674]  ? recalc_sigpending_tsk+0x180/0x180
[  113.774466]  ? kasan_check_write+0x14/0x20
[  113.778697]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  113.783527]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.788705] RIP: 0033:0x457099
[  113.791888] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  113.810778] RSP: 002b:00007f422f5acc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  113.818526] RAX: ffffffffffffffda RBX: 00007f422f5ad6d4 RCX: 0000000000457099
[  113.825965] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  113.833273] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  113.840532] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  113.847786] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[  113.855050] 
[  113.856664] Allocated by task 5603:
[  113.860281]  save_stack+0x43/0xd0
[  113.863719]  kasan_kmalloc+0xc7/0xe0
[  113.867427]  kasan_slab_alloc+0x12/0x20
[  113.871404]  kmem_cache_alloc+0x12e/0x730
[  113.875547]  sock_alloc_inode+0x1d/0x260
[  113.879594]  alloc_inode+0x63/0x190
[  113.883244]  new_inode_pseudo+0x71/0x1a0
[  113.887297]  sock_alloc+0x41/0x270
[  113.890822]  __sock_create+0x175/0x930
[  113.894689]  __sys_socket+0x106/0x260
[  113.898471]  __x64_sys_socket+0x73/0xb0
[  113.902523]  do_syscall_64+0x1b9/0x820
[  113.906410]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.911590] 
[  113.913203] Freed by task 5602:
[  113.916466]  save_stack+0x43/0xd0
[  113.919898]  __kasan_slab_free+0x102/0x150
[  113.924120]  kasan_slab_free+0xe/0x10
[  113.927906]  kmem_cache_free+0x83/0x290
[  113.931870]  sock_destroy_inode+0x51/0x60
[  113.936007]  destroy_inode+0x159/0x200
[  113.939955]  evict+0x5e0/0x980
[  113.943147]  iput+0x679/0xa90
[  113.946242]  dentry_unlink_inode+0x461/0x5e0
[  113.950638]  __dentry_kill+0x44c/0x7a0
[  113.954511]  dentry_kill+0xc9/0x5a0
[  113.958137]  dput.part.26+0x660/0x790
[  113.961967]  dput+0x15/0x20
[  113.964896]  __fput+0x4cf/0xa30
[  113.968173]  ____fput+0x15/0x20
[  113.971468]  task_work_run+0x1e8/0x2a0
[  113.975343]  exit_to_usermode_loop+0x318/0x380
[  113.979965]  do_syscall_64+0x6be/0x820
[  113.983851]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  113.989029] 
[  113.990645] The buggy address belongs to the object at ffff8801c33a7080
[  113.990645]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[  114.004502] The buggy address is located 112 bytes inside of
[  114.004502]  984-byte region [ffff8801c33a7080, ffff8801c33a7458)
[  114.016357] The buggy address belongs to the page:
[  114.021289] page:ffffea00070ce9c0 count:1 mapcount:0 mapping:ffff8801cd0c8800 index:0xffff8801c33a7ffd
[  114.030722] flags: 0x2fffc0000000100(slab)
[  114.034945] raw: 02fffc0000000100 ffffea00070ce948 ffffea0006dcfc08 ffff8801cd0c8800
[  114.042812] raw: ffff8801c33a7ffd ffff8801c33a7080 0000000100000003 ffff8801b8ce2200
[  114.050672] page dumped because: kasan: bad access detected
[  114.056381] page->mem_cgroup:ffff8801b8ce2200
[  114.060877] 
[  114.062488] Memory state around the buggy address:
[  114.067406]  ffff8801c33a6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  114.074762]  ffff8801c33a7000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  114.082104] >ffff8801c33a7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.089444]                                                              ^
[  114.096448]  ffff8801c33a7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.103809]  ffff8801c33a7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  114.111147] ==================================================================
[  114.118485] Disabling lock debugging due to kernel taint
[  114.123970] Kernel panic - not syncing: panic_on_warn set ...
[  114.123970] 
[  114.131346] CPU: 0 PID: 5603 Comm: syz-executor0 Tainted: G B 4.19.0-rc2+ #227
[  114.140010] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  114.149344] Call Trace:
[  114.151926]  dump_stack+0x1c4/0x2b4
[  114.155557]  ? dump_stack_print_info.cold.2+0x52/0x52
[  114.160752]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  114.165498]  panic+0x238/0x4e7
[  114.168675]  ? add_taint.cold.5+0x16/0x16
[  114.172808]  ? trace_hardirqs_on+0x9a/0x310
[  114.177112]  ? trace_hardirqs_on+0xb4/0x310
[  114.181417]  ? trace_hardirqs_on+0xb4/0x310
[  114.185723]  kasan_end_report+0x47/0x4f
[  114.189680]  kasan_report.cold.9+0x76/0x309
[  114.193986]  ? sock_i_ino+0x94/0xa0
[  114.197600]  __asan_report_load8_noabort+0x14/0x20
[  114.202516]  sock_i_ino+0x94/0xa0
[  114.205961]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  114.210632]  ? tipc_diag_dump+0x30/0x30
[  114.214594]  ? tipc_getname+0x7f0/0x7f0
[  114.218559]  ? graph_lock+0x170/0x170
[  114.222354]  ? __lock_sock+0x203/0x350
[  114.226249]  ? find_held_lock+0x36/0x1c0
[  114.230298]  ? mark_held_locks+0xc7/0x130
[  114.234438]  ? __local_bh_enable_ip+0x160/0x260
[  114.239099]  ? __local_bh_enable_ip+0x160/0x260
[  114.243753]  ? lockdep_hardirqs_on+0x421/0x5c0
[  114.248320]  ? trace_hardirqs_on+0xbd/0x310
[  114.252624]  ? lock_release+0x970/0x970
[  114.256586]  ? lock_sock_nested+0xe2/0x120
[  114.260813]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  114.265829]  ? skb_put+0x17b/0x1e0
[  114.269359]  ? memset+0x31/0x40
[  114.272648]  ? __nlmsg_put+0x14c/0x1b0
[  114.276537]  __tipc_add_sock_diag+0x233/0x360
[  114.281042]  tipc_nl_sk_walk+0x122/0x1d0
[  114.285090]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  114.290351]  tipc_diag_dump+0x24/0x30
[  114.294144]  netlink_dump+0x519/0xd50
[  114.297947]  ? netlink_broadcast+0x50/0x50
[  114.302173]  __netlink_dump_start+0x4f1/0x6f0
[  114.306655]  ? tipc_data_ready+0x3e0/0x3e0
[  114.310878]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  114.315967]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  114.320619]  ? tipc_data_ready+0x3e0/0x3e0
[  114.324836]  ? tipc_unregister_sysctl+0x20/0x20
[  114.329486]  ? tipc_ioctl+0x3a0/0x3a0
[  114.333275]  ? netlink_deliver_tap+0x355/0xf80
[  114.337845]  sock_diag_rcv_msg+0x31d/0x410
[  114.342067]  netlink_rcv_skb+0x172/0x440
[  114.346131]  ? sock_diag_bind+0x80/0x80
[  114.350089]  ? netlink_ack+0xb80/0xb80
[  114.353963]  sock_diag_rcv+0x2a/0x40
[  114.357662]  netlink_unicast+0x5a5/0x760
[  114.361709]  ? netlink_attachskb+0x9a0/0x9a0
[  114.366105]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  114.371631]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  114.376637]  netlink_sendmsg+0xa18/0xfc0
[  114.380684]  ? netlink_unicast+0x760/0x760
[  114.384925]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  114.389841]  ? apparmor_socket_sendmsg+0x29/0x30
[  114.394581]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  114.400101]  ? security_socket_sendmsg+0x94/0xc0
[  114.404846]  ? netlink_unicast+0x760/0x760
[  114.409084]  sock_sendmsg+0xd5/0x120
[  114.412783]  ___sys_sendmsg+0x7fd/0x930
[  114.416744]  ? __local_bh_enable_ip+0x160/0x260
[  114.421407]  ? copy_msghdr_from_user+0x580/0x580
[  114.426721]  ? kasan_check_write+0x14/0x20
[  114.430953]  ? _raw_spin_unlock_bh+0x30/0x40
[  114.435348]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  114.440790]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  114.446310]  ? release_sock+0x1ec/0x2c0
[  114.450270]  ? __fget_light+0x2e9/0x430
[  114.454235]  ? fget_raw+0x20/0x20
[  114.457687]  ? __release_sock+0x3a0/0x3a0
[  114.461823]  ? tipc_nametbl_build_group+0x273/0x360
[  114.466826]  ? tipc_setsockopt+0x726/0xd70
[  114.471050]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  114.476571]  ? sockfd_lookup_light+0xc5/0x160
[  114.481050]  __sys_sendmsg+0x11d/0x280
[  114.484923]  ? __ia32_sys_shutdown+0x80/0x80
[  114.489313]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  114.494833]  ? fput+0x130/0x1a0
[  114.498117]  ? __x64_sys_futex+0x47f/0x6a0
[  114.502335]  ? do_syscall_64+0x9a/0x820
[  114.506292]  ? do_syscall_64+0x9a/0x820
[  114.510266]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  114.515717]  __x64_sys_sendmsg+0x78/0xb0
[  114.519776]  do_syscall_64+0x1b9/0x820
[  114.523652]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  114.529000]  ? syscall_return_slowpath+0x5e0/0x5e0
[  114.533916]  ? trace_hardirqs_on_caller+0x310/0x310
[  114.538916]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  114.543917]  ? recalc_sigpending_tsk+0x180/0x180
[  114.548658]  ? kasan_check_write+0x14/0x20
[  114.552883]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  114.557714]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  114.562886] RIP: 0033:0x457099
[  114.566152] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  114.585067] RSP: 002b:00007f422f5acc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  114.592766] RAX: ffffffffffffffda RBX: 00007f422f5ad6d4 RCX: 0000000000457099
[  114.600022] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  114.607273] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  114.614525] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  114.621776] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[  114.629378] Dumping ftrace buffer:
[  114.632916]    (ftrace buffer empty)
[  114.637241] Kernel Offset: disabled
[  114.640868] Rebooting in 86400 seconds..
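Added triage aid, not part of the syzkaller log above and not syzkaller or kernel code: a small parser that pulls out of a KASAN slab report the facts a bug ticket needs. For the report above those facts are readable by hand, but a parser makes the same extraction repeatable over a directory of console logs: the bug kind and faulting function (use-after-free in sock_i_ino), the access (8-byte read by syz-executor0/5603), the first non-instrumentation frame of the access, allocation and free stacks (sock_i_ino called from tipc_sk_fill_sock_diag; sock_alloc_inode in task 5603; sock_destroy_inode via __fput in task 5602), the slab cache (sock_inode_cache, 984 bytes) and the offset of the bad read inside the object (0x70f0 - 0x7080 = 112, which cross-checks the kernel's own "located 112 bytes inside" line). The different PIDs on the alloc and free stacks are the detail that marks this as a race between a sock_diag dump and a close() in another task. The sample input is a constructed excerpt of the report above (lines copied verbatim, thinned out); the NOISE prefix list used to skip sanitizer and allocator frames is a heuristic of this example, not part of KASAN's output format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the report above and thinned out.
SAMPLE_REPORT = """\
[  113.349899] ==================================================================
[  113.357383] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[  113.363343] Read of size 8 at addr ffff8801c33a70f0 by task syz-executor0/5603
[  113.388884] Call Trace:
[  113.413985]  kasan_report.cold.9+0x242/0x309
[  113.418408]  ? sock_i_ino+0x94/0xa0
[  113.426943]  sock_i_ino+0x94/0xa0
[  113.430392]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  113.856664] Allocated by task 5603:
[  113.860281]  save_stack+0x43/0xd0
[  113.871404]  kmem_cache_alloc+0x12e/0x730
[  113.875547]  sock_alloc_inode+0x1d/0x260
[  113.911590]
[  113.913203] Freed by task 5602:
[  113.919898]  __kasan_slab_free+0x102/0x150
[  113.927906]  kmem_cache_free+0x83/0x290
[  113.931870]  sock_destroy_inode+0x51/0x60
[  113.990645] The buggy address belongs to the object at ffff8801c33a7080
[  113.990645]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[  114.111147] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>.+)/(?P<pid>\d+)$")
HDR_RE = re.compile(r"^(?:(?P<which>Allocated|Freed) by task (?P<pid>\d+):|Call Trace:)$")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJ_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
# Sanitizer/allocator plumbing to skip when looking for the frame that matters
# (heuristic of this example, not part of KASAN's output format).
NOISE = ("save_stack", "kasan_", "__kasan_", "__asan_", "kmem_cache_",
         "dump_stack", "print_address_description")

@dataclass
class Stack:
    pid: Optional[int]
    frames: List[str] = field(default_factory=list)  # reliable frames, innermost first

    def culprit(self) -> Optional[str]:
        return next((f for f in self.frames if not f.startswith(NOISE)), None)

    def caller_of(self, sym: str) -> Optional[str]:
        i = self.frames.index(sym) + 1 if sym in self.frames else len(self.frames)
        return self.frames[i] if i < len(self.frames) else None

@dataclass
class KasanReport:
    kind: str
    func: str
    op: str
    size: int
    addr: int
    task: str
    pid: int
    access: Stack
    alloc: Optional[Stack] = None
    free: Optional[Stack] = None
    obj: Optional[int] = None
    cache: Optional[str] = None
    obj_size: Optional[int] = None

    def offset(self) -> Optional[int]:  # byte offset of the access inside the slab object
        return None if self.obj is None else self.addr - self.obj

def parse_kasan_report(text: str) -> KasanReport:
    fields, access, alloc, free, current, rules = {}, Stack(None), None, None, None, 0
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.startswith("=====") and (rules := rules + 1) == 2:
            break                                   # second rule closes the report; panic trace ignored
        if not line:
            current = None                          # blank line ends a stack
        elif (m := BUG_RE.search(line)):
            fields.update(kind=m["kind"], func=m["func"])
        elif (m := ACCESS_RE.search(line)):
            fields.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                          task=m["task"], pid=int(m["pid"]))
            access.pid = fields["pid"]
        elif (m := HDR_RE.match(line)):
            current = access if m["which"] is None else Stack(int(m["pid"]))
            if m["which"] == "Allocated":
                alloc = current
            elif m["which"] == "Freed":
                free = current
        elif current is not None and (m := FRAME_RE.match(line)):
            if not m["unreliable"]:                 # "? sym" frames are stale stack slots
                current.frames.append(m["sym"])
        elif (m := OBJ_RE.search(line)):
            fields["obj"] = int(m["obj"], 16)
        elif (m := CACHE_RE.search(line)):
            fields.update(cache=m["cache"], obj_size=int(m["size"]))
        else:
            current = None                          # CPU line, register dump, rule, etc.
    return KasanReport(access=access, alloc=alloc, free=free, **fields)

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(f"{r.kind}: {r.op} of {r.size} in {r.func} <- {r.access.caller_of(r.func)}; "
          f"alloc {r.alloc.culprit()} (pid {r.alloc.pid}), free {r.free.culprit()} (pid {r.free.pid}); "
          f"{r.cache} +{r.offset()}/{r.obj_size}")
```

Feed the whole console log to parse_kasan_report() and it behaves the same way: the second "====" rule stops the scan, so the repeated stack under "Kernel panic - not syncing" is not merged into the access stack, and the "? " frames (stale slots the unwinder could not verify) are dropped so that culprit() and caller_of() only see frames that were actually on the call path.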