[....] Starting OpenBSD Secure Shell server: sshd
[   25.906320] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   30.467061] random: sshd: uninitialized urandom read (32 bytes read)
[   30.970002] random: sshd: uninitialized urandom read (32 bytes read)
[   31.607236] sshd (5546) used greatest stack depth: 16872 bytes left
[   31.629302] random: sshd: uninitialized urandom read (32 bytes read)
[   36.248519] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
[   41.830622] random: sshd: uninitialized urandom read (32 bytes read)
[   41.964449] ==================================================================
[   41.972062] BUG: KASAN: use-after-free in mqueue_get_tree+0x2ac/0x2e0
[   41.978630] Read of size 8 at addr ffff8801d88ce9c8 by task syz-executor123/5567
[   41.986140] 
[   41.987756] CPU: 1 PID: 5567 Comm: syz-executor123 Not tainted 4.19.0-rc3-next-20180912+ #72
[   41.996309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.005754] Call Trace:
[   42.008341]  dump_stack+0x1d3/0x2c4
[   42.011954]  ? dump_stack_print_info.cold.2+0x52/0x52
[   42.017133]  ? printk+0xa7/0xcf
[   42.020400]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   42.025147]  print_address_description.cold.8+0x9/0x1ff
[   42.030494]  kasan_report.cold.9+0x242/0x309
[   42.034893]  ? mqueue_get_tree+0x2ac/0x2e0
[   42.039246]  __asan_report_load8_noabort+0x14/0x20
[   42.044162]  mqueue_get_tree+0x2ac/0x2e0
[   42.048213]  vfs_get_tree+0x1cb/0x5c0
[   42.052000]  mq_create_mount+0xe3/0x190
[   42.055958]  mq_init_ns+0x15a/0x210
[   42.059567]  copy_ipcs+0x3d2/0x580
[   42.063090]  ? ipcns_get+0xe0/0xe0
[   42.066623]  ? do_mount+0x1db0/0x1db0
[   42.070405]  ? kmem_cache_alloc+0x33a/0x730
[   42.074811]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.080341]  ? perf_event_namespaces+0x136/0x400
[   42.085086]  create_new_namespaces+0x376/0x900
[   42.089669]  ? sys_ni_syscall+0x20/0x20
[   42.093635]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.099159]  ? ns_capable_common+0x13f/0x170
[   42.103555]  unshare_nsproxy_namespaces+0xc3/0x1f0
[   42.108476]  ksys_unshare+0x79c/0x10b0
[   42.112363]  ? walk_process_tree+0x440/0x440
[   42.116767]  ? lock_downgrade+0x900/0x900
[   42.120907]  ? kasan_check_read+0x11/0x20
[   42.125056]  ? do_raw_spin_unlock+0xa7/0x2f0
[   42.129449]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   42.134017]  ? kasan_check_write+0x14/0x20
[   42.138236]  ? do_raw_read_unlock+0x3f/0x60
[   42.142545]  ? do_syscall_64+0x9a/0x820
[   42.146501]  ? do_syscall_64+0x9a/0x820
[   42.150460]  ? lockdep_hardirqs_on+0x421/0x5c0
[   42.155028]  ? trace_hardirqs_on+0xbd/0x310
[   42.159334]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.164692]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   42.170132]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[   42.174792]  __x64_sys_unshare+0x31/0x40
[   42.178869]  do_syscall_64+0x1b9/0x820
[   42.182742]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   42.188091]  ? syscall_return_slowpath+0x5e0/0x5e0
[   42.193135]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.197968]  ? trace_hardirqs_on_caller+0x310/0x310
[   42.203004]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   42.208133]  ? prepare_exit_to_usermode+0x291/0x3b0
[   42.213148]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.217982]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.223153] RIP: 0033:0x44e547
[   42.226337] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 3d a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 1d a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   42.245242] RSP: 002b:00007ffc80298538 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[   42.252934] RAX: ffffffffffffffda RBX: 00007ffc80298bc0 RCX: 000000000044e547
[   42.260185] RDX: 0000000000000000 RSI: 00007ffc80298540 RDI: 0000000008000000
[   42.267437] RBP: 585858582e72656c R08: 0000000000000000 R09: 0000000000000018
[   42.274697] R10: 0000000000000000 R11: 0000000000000217 R12: 6c616b7a79732f2e
[   42.281956] R13: 0000000000408a80 R14: 0000000000000000 R15: 0000000000000000
[   42.289219] 
[   42.290826] The buggy address belongs to the page:
[   42.295752] page:ffffea0007623380 count:0 mapcount:0 mapping:0000000000000000 index:0xffff8801d88ced00
[   42.305180] flags: 0x2fffc0000000000()
[   42.309076] raw: 02fffc0000000000 dead000000000100 dead000000000200 0000000000000000
[   42.317074] raw: ffff8801d88ced00 0000000000000000 00000000ffffffff 0000000000000000
[   42.325010] page dumped because: kasan: bad access detected
[   42.330716] 
[   42.332323] Memory state around the buggy address:
[   42.337236]  ffff8801d88ce880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.344577]  ffff8801d88ce900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.351917] >ffff8801d88ce980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.359252]                                               ^
[   42.364940]  ffff8801d88cea00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.372298]  ffff8801d88cea80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   42.379649] ==================================================================
[   42.386998] Disabling lock debugging due to kernel taint
[   42.392643] Kernel panic - not syncing: panic_on_warn set ...
[   42.392643] 
[   42.400000] CPU: 1 PID: 5567 Comm: syz-executor123 Tainted: G    B             4.19.0-rc3-next-20180912+ #72
[   42.409942] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.419278] Call Trace:
[   42.421868]  dump_stack+0x1d3/0x2c4
[   42.425481]  ? dump_stack_print_info.cold.2+0x52/0x52
[   42.430655]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   42.435397]  panic+0x238/0x4e7
[   42.438576]  ? add_taint.cold.5+0x16/0x16
[   42.442711]  ? trace_hardirqs_on+0x9a/0x310
[   42.447011]  ? trace_hardirqs_on+0xb4/0x310
[   42.451431]  ? trace_hardirqs_on+0xb4/0x310
[   42.455737]  kasan_end_report+0x47/0x4f
[   42.459805]  kasan_report.cold.9+0x76/0x309
[   42.464116]  ? mqueue_get_tree+0x2ac/0x2e0
[   42.468337]  __asan_report_load8_noabort+0x14/0x20
[   42.473245]  mqueue_get_tree+0x2ac/0x2e0
[   42.477299]  vfs_get_tree+0x1cb/0x5c0
[   42.481090]  mq_create_mount+0xe3/0x190
[   42.485056]  mq_init_ns+0x15a/0x210
[   42.488663]  copy_ipcs+0x3d2/0x580
[   42.492411]  ? ipcns_get+0xe0/0xe0
[   42.495936]  ? do_mount+0x1db0/0x1db0
[   42.499717]  ? kmem_cache_alloc+0x33a/0x730
[   42.504020]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.509546]  ? perf_event_namespaces+0x136/0x400
[   42.514293]  create_new_namespaces+0x376/0x900
[   42.518858]  ? sys_ni_syscall+0x20/0x20
[   42.522817]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.528342]  ? ns_capable_common+0x13f/0x170
[   42.532737]  unshare_nsproxy_namespaces+0xc3/0x1f0
[   42.537715]  ksys_unshare+0x79c/0x10b0
[   42.541603]  ? walk_process_tree+0x440/0x440
[   42.546003]  ? lock_downgrade+0x900/0x900
[   42.550142]  ? kasan_check_read+0x11/0x20
[   42.554272]  ? do_raw_spin_unlock+0xa7/0x2f0
[   42.558698]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   42.563273]  ? kasan_check_write+0x14/0x20
[   42.567495]  ? do_raw_read_unlock+0x3f/0x60
[   42.571806]  ? do_syscall_64+0x9a/0x820
[   42.575762]  ? do_syscall_64+0x9a/0x820
[   42.579720]  ? lockdep_hardirqs_on+0x421/0x5c0
[   42.584287]  ? trace_hardirqs_on+0xbd/0x310
[   42.588590]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.593933]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   42.599372]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[   42.604026]  __x64_sys_unshare+0x31/0x40
[   42.608067]  do_syscall_64+0x1b9/0x820
[   42.611936]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   42.617294]  ? syscall_return_slowpath+0x5e0/0x5e0
[   42.622797]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.627625]  ? trace_hardirqs_on_caller+0x310/0x310
[   42.632625]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   42.637636]  ? prepare_exit_to_usermode+0x291/0x3b0
[   42.642633]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   42.647465]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.652648] RIP: 0033:0x44e547
[   42.655820] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 3d a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 1d a0 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   42.675169] RSP: 002b:00007ffc80298538 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[   42.682861] RAX: ffffffffffffffda RBX: 00007ffc80298bc0 RCX: 000000000044e547
[   42.690233] RDX: 0000000000000000 RSI: 00007ffc80298540 RDI: 0000000008000000
[   42.697486] RBP: 585858582e72656c R08: 0000000000000000 R09: 0000000000000018
[   42.704737] R10: 0000000000000000 R11: 0000000000000217 R12: 6c616b7a79732f2e
[   42.711988] R13: 0000000000408a80 R14: 0000000000000000 R15: 0000000000000000
[   42.720166] Kernel Offset: disabled
[   42.723788] Rebooting in 86400 seconds..