[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.854260] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.278712] random: sshd: uninitialized urandom read (32 bytes read)
[   22.673699] random: sshd: uninitialized urandom read (32 bytes read)
[   23.410790] random: sshd: uninitialized urandom read (32 bytes read)
[   28.647271] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
[   34.193659] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/14 01:55:15 parsed 1 programs
2018/05/14 01:55:15 executed programs: 0
[   34.710162] IPVS: ftp: loaded support on port[0] = 21
[   34.713426] IPVS: ftp: loaded support on port[0] = 21
[   34.717451] IPVS: ftp: loaded support on port[0] = 21
[   34.753096] IPVS: ftp: loaded support on port[0] = 21
[   34.769456] IPVS: ftp: loaded support on port[0] = 21
[   34.773713] IPVS: ftp: loaded support on port[0] = 21
[   34.820709] IPVS: ftp: loaded support on port[0] = 21
[   34.820783] IPVS: ftp: loaded support on port[0] = 21
[   36.611114] INFO: trying to register non-static key.
[   36.616259] the code is fine but needs lockdep annotation.
[   36.621859] turning off the locking correctness validator.
[   36.627466] CPU: 1 PID: 4604 Comm: syz-executor7 Not tainted 4.17.0-rc4+ #71
[   36.634632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.643965] Call Trace:
[   36.646535]  dump_stack+0x1b9/0x294
[   36.650141]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.655312]  ? vprintk_func+0x81/0xe7
[   36.659091]  register_lock_class+0x1dd2/0x2630
[   36.663649]  ? __lock_acquire+0x7f5/0x5140
[   36.667860]  ? debug_check_no_locks_freed+0x310/0x310
[   36.673030]  ? update_curr+0x1f8/0xbe0
[   36.676895]  ? check_noncircular+0x20/0x20
[   36.681105]  ? debug_check_no_locks_freed+0x310/0x310
[   36.686274]  ? graph_lock+0x170/0x170
[   36.690052]  ? lock_downgrade+0x8e0/0x8e0
[   36.694177]  ? graph_lock+0x170/0x170
[   36.697954]  ? lock_is_held_type+0x210/0x210
[   36.702336]  ? graph_lock+0x170/0x170
[   36.706126]  ? find_held_lock+0x36/0x1c0
[   36.710185]  ? find_held_lock+0x36/0x1c0
[   36.714248]  ? lock_downgrade+0x8e0/0x8e0
[   36.718390]  ? finish_task_switch+0x182/0x840
[   36.722867]  __lock_acquire+0x1a7/0x5140
[   36.726910]  ? kasan_check_read+0x11/0x20
[   36.731043]  ? do_raw_spin_unlock+0x9e/0x2e0
[   36.735434]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   36.740004]  ? compat_start_thread+0x80/0x80
[   36.744400]  ? _raw_spin_unlock_irq+0x27/0x70
[   36.748874]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.753873]  ? debug_check_no_locks_freed+0x310/0x310
[   36.759048]  ? finish_task_switch+0x1ca/0x840
[   36.763523]  ? finish_task_switch+0x182/0x840
[   36.768012]  ? preempt_notifier_register+0x1e0/0x1e0
[   36.773154]  ? lock_repin_lock+0x410/0x410
[   36.777379]  ? __schedule+0x809/0x1e30
[   36.781248]  ? __sched_text_start+0x8/0x8
[   36.785382]  ? graph_lock+0x170/0x170
[   36.789170]  ? find_held_lock+0x36/0x1c0
[   36.793217]  ? find_held_lock+0x36/0x1c0
[   36.797266]  lock_acquire+0x1dc/0x520
[   36.801063]  ? tun_do_read+0x18b1/0x29f0
[   36.805110]  ? lock_downgrade+0x8e0/0x8e0
[   36.809245]  ? lock_release+0xa10/0xa10
[   36.813214]  ? kasan_check_read+0x11/0x20
[   36.817355]  ? do_raw_spin_unlock+0x9e/0x2e0
[   36.821741]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   36.826315]  ? kasan_check_write+0x14/0x20
[   36.830537]  ? do_raw_spin_lock+0xc1/0x200
[   36.834757]  _raw_spin_lock+0x2a/0x40
[   36.838540]  ? tun_do_read+0x18b1/0x29f0
[   36.842594]  tun_do_read+0x18b1/0x29f0
[   36.846472]  ? __enqueue_entity+0x10d/0x1f0
[   36.850774]  ? tun_flow_update+0x10d0/0x10d0
[   36.855162]  ? find_held_lock+0x36/0x1c0
[   36.859204]  ? graph_lock+0x170/0x170
[   36.862985]  ? finish_task_switch+0x182/0x840
[   36.867462]  ? kasan_check_read+0x11/0x20
[   36.872313]  ? do_raw_spin_unlock+0x9e/0x2e0
[   36.876705]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   36.881270]  ? find_held_lock+0x36/0x1c0
[   36.885327]  ? kasan_check_read+0x11/0x20
[   36.889464]  ? rcu_is_watching+0x85/0x140
[   36.893592]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   36.898763]  ? wake_up_q+0x100/0x100
[   36.902460]  tun_chr_read_iter+0xe5/0x1e0
[   36.906589]  __vfs_read+0x696/0xa50
[   36.910203]  ? vfs_copy_file_range+0xb80/0xb80
[   36.914778]  ? fsnotify+0xfc0/0xfc0
[   36.918402]  ? fsnotify_first_mark+0x330/0x330
[   36.922964]  ? __fget_light+0x2ef/0x430
[   36.926915]  ? fget_raw+0x20/0x20
[   36.930346]  ? rw_verify_area+0x118/0x360
[   36.934472]  vfs_read+0x17f/0x3d0
[   36.937906]  ksys_pread64+0x174/0x1a0
[   36.941687]  ? __ia32_sys_write+0xb0/0xb0
[   36.945814]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   36.950641]  __ia32_compat_sys_x86_pread+0xc4/0x130
[   36.955647]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.960658]  do_fast_syscall_32+0x345/0xf9b
[   36.964960]  ? do_int80_syscall_32+0x880/0x880
[   36.969530]  ? _raw_spin_unlock_irq+0x27/0x70
[   36.974013]  ? finish_task_switch+0x1ca/0x840
[   36.978495]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.984027]  ? syscall_return_slowpath+0x30f/0x5c0
[   36.988954]  ? sysret32_from_system_call+0x5/0x46
[   36.993792]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.998634]  entry_SYSENTER_compat+0x70/0x7f
[   37.003030] RIP: 0023:0xf7ff8cb9
[   37.006378] RSP: 002b:00000000f7ff40ac EFLAGS: 00000282 ORIG_RAX: 00000000000000b4
[   37.014071] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   37.021321] RDX: 0000000000000062 RSI: 0000000000000000 RDI: 0000000000000000
[   37.028566] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   37.035815] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   37.043068] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   39.031057] ==================================================================
[   39.038475] BUG: KASAN: use-after-free in tun_do_read+0x25a1/0x29f0
[   39.044891] Read of size 8 at addr ffff8801d64c4040 by task syz-executor4/4686
[   39.052240] 
[   39.053854] CPU: 1 PID: 4686 Comm: syz-executor4 Not tainted 4.17.0-rc4+ #71
[   39.061028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.070458] Call Trace:
[   39.073039]  dump_stack+0x1b9/0x294
[   39.076654]  ? dump_stack_print_info.cold.2+0x52/0x52
[   39.081822]  ? printk+0x9e/0xba
[   39.085084]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.089824]  ? kasan_check_write+0x14/0x20
[   39.094046]  print_address_description+0x6c/0x20b
[   39.098872]  ? tun_do_read+0x25a1/0x29f0
[   39.102919]  kasan_report.cold.7+0x242/0x2fe
[   39.107312]  __asan_report_load8_noabort+0x14/0x20
[   39.112226]  tun_do_read+0x25a1/0x29f0
[   39.116099]  ? futex_wait_setup+0x400/0x400
[   39.120408]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   39.125583]  ? tun_flow_update+0x10d0/0x10d0
[   39.129973]  ? get_futex_key+0x1e90/0x1e90
[   39.134191]  ? __netlink_sendskb+0xd0/0xd0
[   39.138420]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   39.143599]  ? do_futex+0x249/0x27d0
[   39.147302]  ? rtmsg_ifinfo_build_skb+0xc8/0x190
[   39.152046]  ? lock_acquire+0x1dc/0x520
[   39.156027]  ? tun_get+0x202/0x360
[   39.159555]  ? lock_release+0xa10/0xa10
[   39.163509]  ? check_same_owner+0x320/0x320
[   39.167812]  ? __might_sleep+0x95/0x190
[   39.171776]  ? wake_up_q+0x100/0x100
[   39.175490]  tun_chr_read_iter+0xe5/0x1e0
[   39.179628]  __vfs_read+0x696/0xa50
[   39.183233]  ? vfs_copy_file_range+0xb80/0xb80
[   39.187801]  ? fsnotify+0xfc0/0xfc0
[   39.191408]  ? fsnotify_first_mark+0x330/0x330
[   39.195972]  ? __fget_light+0x2ef/0x430
[   39.199929]  ? fget_raw+0x20/0x20
[   39.203363]  ? rw_verify_area+0x118/0x360
[   39.207498]  vfs_read+0x17f/0x3d0
[   39.210941]  ksys_pread64+0x174/0x1a0
[   39.214729]  ? __ia32_sys_write+0xb0/0xb0
[   39.218858]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   39.224374]  ? fput+0x130/0x1a0
[   39.227636]  ? __tun_chr_ioctl+0x4420/0x4420
[   39.232033]  __ia32_compat_sys_x86_pread+0xc4/0x130
[   39.237040]  do_fast_syscall_32+0x345/0xf9b
[   39.241359]  ? do_int80_syscall_32+0x880/0x880
[   39.245929]  ? _raw_spin_unlock_irq+0x27/0x70
[   39.250406]  ? finish_task_switch+0x1ca/0x840
[   39.254880]  ? finish_task_switch+0x182/0x840
[   39.259355]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.264874]  ? syscall_return_slowpath+0x30f/0x5c0
[   39.269792]  ? prepare_exit_to_usermode+0x390/0x390
[   39.274794]  ? prepare_exit_to_usermode+0x285/0x390
[   39.279790]  ? perf_trace_sys_enter+0xaf0/0xaf0
[   39.284438]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.289264]  entry_SYSENTER_compat+0x70/0x7f
[   39.293649] RIP: 0023:0xf7ffacb9
[   39.296988] RSP: 002b:00000000f7ff60ac EFLAGS: 00000282 ORIG_RAX: 00000000000000b4
[   39.304697] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   39.311954] RDX: 0000000000000062 RSI: 0000000000000000 RDI: 0000000000000000
[   39.319202] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   39.326451] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   39.333698] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   39.340947] 
[   39.342552] Allocated by task 4686:
[   39.346169]  save_stack+0x43/0xd0
[   39.349621]  kasan_kmalloc+0xc4/0xe0
[   39.353315]  __kmalloc_node+0x47/0x70
[   39.357102]  kvmalloc_node+0x6b/0x100
[   39.360888]  tun_attach+0xa6a/0x12f0
[   39.364579]  __tun_chr_ioctl+0x235a/0x4420
[   39.368799]  tun_chr_compat_ioctl+0x29/0x30
[   39.373101]  __ia32_compat_sys_ioctl+0x221/0x640
[   39.377842]  do_fast_syscall_32+0x345/0xf9b
[   39.382153]  entry_SYSENTER_compat+0x70/0x7f
[   39.386546] 
[   39.388153] Freed by task 4714:
[   39.391413]  save_stack+0x43/0xd0
[   39.394847]  __kasan_slab_free+0x11a/0x170
[   39.399060]  kasan_slab_free+0xe/0x10
[   39.402843]  kfree+0xd9/0x260
[   39.405936]  kvfree+0x61/0x70
[   39.409031]  tun_cleanup_tx_ring.part.47+0x370/0x590
[   39.414375]  tun_detach_all+0x57d/0xcf0
[   39.418325]  tun_net_uninit+0x15/0x20
[   39.422106]  rollback_registered_many+0xa4c/0xed0
[   39.426927]  unregister_netdevice_many+0xf3/0x4c0
[   39.431745]  rtnl_delete_link+0x111/0x180
[   39.435869]  rtnl_dellink+0x49d/0xb10
[   39.439650]  rtnetlink_rcv_msg+0x466/0xc10
[   39.443867]  netlink_rcv_skb+0x172/0x440
[   39.447921]  rtnetlink_rcv+0x1c/0x20
[   39.451623]  netlink_unicast+0x58b/0x740
[   39.455677]  netlink_sendmsg+0x9f0/0xfa0
[   39.459725]  sock_sendmsg+0xd5/0x120
[   39.463417]  ___sys_sendmsg+0x805/0x940
[   39.467367]  __sys_sendmsg+0x115/0x270
[   39.471233]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[   39.475966]  do_fast_syscall_32+0x345/0xf9b
[   39.480265]  entry_SYSENTER_compat+0x70/0x7f
[   39.484644] 
[   39.486262] The buggy address belongs to the object at ffff8801d64c4040
[   39.486262]  which belongs to the cache kmalloc-4096 of size 4096
[   39.499077] The buggy address is located 0 bytes inside of
[   39.499077]  4096-byte region [ffff8801d64c4040, ffff8801d64c5040)
[   39.510841] The buggy address belongs to the page:
[   39.515748] page:ffffea0007593100 count:1 mapcount:0 mapping:ffff8801d64c4040 index:0x0 compound_mapcount: 0
[   39.525694] flags: 0x2fffc0000008100(slab|head)
[   39.530345] raw: 02fffc0000008100 ffff8801d64c4040 0000000000000000 0000000100000001
[   39.538205] raw: ffffea00074f3c20 ffffea00075930a0 ffff8801da800dc0 0000000000000000
[   39.546061] page dumped because: kasan: bad access detected
[   39.551741] 
[   39.553342] Memory state around the buggy address:
[   39.558264]  ffff8801d64c3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.565609]  ffff8801d64c3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.572957] >ffff8801d64c4000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   39.580301]                                            ^
[   39.585729]  ffff8801d64c4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.593065]  ffff8801d64c4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.600398] ==================================================================
[   39.607863] Kernel panic - not syncing: panic_on_warn set ...
[   39.607863] 
[   39.615224] CPU: 1 PID: 4686 Comm: syz-executor4 Tainted: G    B             4.17.0-rc4+ #71
[   39.623781] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.633116] Call Trace:
[   39.635698]  dump_stack+0x1b9/0x294
[   39.639314]  ? dump_stack_print_info.cold.2+0x52/0x52
[   39.644488]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   39.649227]  ? tun_do_read+0x24b0/0x29f0
[   39.653267]  panic+0x22f/0x4de
[   39.656442]  ? add_taint.cold.5+0x16/0x16
[   39.660573]  ? do_raw_spin_unlock+0x9e/0x2e0
[   39.664966]  ? do_raw_spin_unlock+0x9e/0x2e0
[   39.669361]  ? tun_do_read+0x25a1/0x29f0
[   39.673402]  kasan_end_report+0x47/0x4f
[   39.677355]  kasan_report.cold.7+0x76/0x2fe
[   39.681658]  __asan_report_load8_noabort+0x14/0x20
[   39.686578]  tun_do_read+0x25a1/0x29f0
[   39.690454]  ? futex_wait_setup+0x400/0x400
[   39.694768]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   39.699940]  ? tun_flow_update+0x10d0/0x10d0
[   39.704328]  ? get_futex_key+0x1e90/0x1e90
[   39.708554]  ? __netlink_sendskb+0xd0/0xd0
[   39.712794]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   39.717976]  ? do_futex+0x249/0x27d0
[   39.721682]  ? rtmsg_ifinfo_build_skb+0xc8/0x190
[   39.726437]  ? lock_acquire+0x1dc/0x520
[   39.730397]  ? tun_get+0x202/0x360
[   39.733919]  ? lock_release+0xa10/0xa10
[   39.737878]  ? check_same_owner+0x320/0x320
[   39.742197]  ? __might_sleep+0x95/0x190
[   39.746160]  ? wake_up_q+0x100/0x100
[   39.749864]  tun_chr_read_iter+0xe5/0x1e0
[   39.753999]  __vfs_read+0x696/0xa50
[   39.757616]  ? vfs_copy_file_range+0xb80/0xb80
[   39.762178]  ? fsnotify+0xfc0/0xfc0
[   39.765782]  ? fsnotify_first_mark+0x330/0x330
[   39.770345]  ? __fget_light+0x2ef/0x430
[   39.774301]  ? fget_raw+0x20/0x20
[   39.777747]  ? rw_verify_area+0x118/0x360
[   39.781881]  vfs_read+0x17f/0x3d0
[   39.785318]  ksys_pread64+0x174/0x1a0
[   39.789106]  ? __ia32_sys_write+0xb0/0xb0
[   39.793246]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   39.798767]  ? fput+0x130/0x1a0
[   39.802048]  ? __tun_chr_ioctl+0x4420/0x4420
[   39.806441]  __ia32_compat_sys_x86_pread+0xc4/0x130
[   39.811448]  do_fast_syscall_32+0x345/0xf9b
[   39.815758]  ? do_int80_syscall_32+0x880/0x880
[   39.820324]  ? _raw_spin_unlock_irq+0x27/0x70
[   39.824807]  ? finish_task_switch+0x1ca/0x840
[   39.829285]  ? finish_task_switch+0x182/0x840
[   39.833764]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.839280]  ? syscall_return_slowpath+0x30f/0x5c0
[   39.844191]  ? prepare_exit_to_usermode+0x390/0x390
[   39.849194]  ? prepare_exit_to_usermode+0x285/0x390
[   39.854202]  ? perf_trace_sys_enter+0xaf0/0xaf0
[   39.858851]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.863678]  entry_SYSENTER_compat+0x70/0x7f
[   39.868065] RIP: 0023:0xf7ffacb9
[   39.871407] RSP: 002b:00000000f7ff60ac EFLAGS: 00000282 ORIG_RAX: 00000000000000b4
[   39.879097] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[   39.886354] RDX: 0000000000000062 RSI: 0000000000000000 RDI: 0000000000000000
[   39.893605] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   39.900855] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   39.908102] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   39.915836] Dumping ftrace buffer:
[   39.919358]    (ftrace buffer empty)
[   39.923046] Kernel Offset: disabled
[   39.926649] Rebooting in 86400 seconds..