[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   25.311532] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[   26.481660] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.786561] random: sshd: uninitialized urandom read (32 bytes read)
[   27.393997] random: sshd: uninitialized urandom read (32 bytes read)
[  172.868159] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.51' (ECDSA) to the list of known hosts.
[  178.445820] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/08 07:00:02 parsed 1 programs
[  179.494294] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/08 07:00:04 executed programs: 0
[  180.572594] IPVS: ftp: loaded support on port[0] = 21
[  180.810446] bridge0: port 1(bridge_slave_0) entered blocking state
[  180.817238] bridge0: port 1(bridge_slave_0) entered disabled state
[  180.824915] device bridge_slave_0 entered promiscuous mode
[  180.842556] bridge0: port 2(bridge_slave_1) entered blocking state
[  180.849076] bridge0: port 2(bridge_slave_1) entered disabled state
[  180.856268] device bridge_slave_1 entered promiscuous mode
[  180.874357] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  180.892497] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  180.941323] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  180.961180] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  181.033342] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  181.041375] team0: Port device team_slave_0 added
[  181.058445] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  181.065581] team0: Port device team_slave_1 added
[  181.082150] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  181.102291] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  181.121259] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  181.141169] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  181.241543] ip (5436) used greatest stack depth: 15992 bytes left
[  181.286566] bridge0: port 2(bridge_slave_1) entered blocking state
[  181.293314] bridge0: port 2(bridge_slave_1) entered forwarding state
[  181.300129] bridge0: port 1(bridge_slave_0) entered blocking state
[  181.306482] bridge0: port 1(bridge_slave_0) entered forwarding state
[  181.806385] 8021q: adding VLAN 0 to HW filter on device bond0
[  181.856103] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  181.908007] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  181.914998] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  181.923694] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  181.967418] 8021q: adding VLAN 0 to HW filter on device team0
[  182.276619] ==================================================================
[  182.284417] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[  182.290519] Read of size 8 at addr ffff8801c3fa35b0 by task syz-executor0/5607
[  182.297872]
[  182.299498] CPU: 1 PID: 5607 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #208
[  182.306781] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  182.316367] Call Trace:
[  182.318957]  dump_stack+0x1c4/0x2b4
[  182.322583]  ? dump_stack_print_info.cold.2+0x52/0x52
[  182.327938]  ? printk+0xa7/0xcf
[  182.331223]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  182.335981]  print_address_description.cold.8+0x9/0x1ff
[  182.341343]  kasan_report.cold.9+0x242/0x309
[  182.345977]  ? sock_i_ino+0x94/0xa0
[  182.349609]  __asan_report_load8_noabort+0x14/0x20
[  182.354533]  sock_i_ino+0x94/0xa0
[  182.357985]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  182.362816]  ? tipc_diag_dump+0x30/0x30
[  182.366800]  ? tipc_getname+0x7f0/0x7f0
[  182.370881]  ? graph_lock+0x170/0x170
[  182.374686]  ? __lock_sock+0x203/0x350
[  182.378576]  ? find_held_lock+0x36/0x1c0
[  182.382634]  ? mark_held_locks+0xc7/0x130
[  182.386796]  ? __local_bh_enable_ip+0x160/0x260
[  182.391460]  ? __local_bh_enable_ip+0x160/0x260
[  182.396123]  ? lockdep_hardirqs_on+0x421/0x5c0
[  182.400831]  ? trace_hardirqs_on+0xbd/0x310
[  182.405153]  ? lock_release+0x970/0x970
[  182.409127]  ? lock_sock_nested+0xe2/0x120
[  182.413361]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  182.418372]  ? skb_put+0x17b/0x1e0
[  182.421908]  ? memset+0x31/0x40
[  182.425192]  ? __nlmsg_put+0x14c/0x1b0
[  182.429078]  __tipc_add_sock_diag+0x233/0x360
[  182.433575]  tipc_nl_sk_walk+0x122/0x1d0
[  182.437631]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  182.442903]  tipc_diag_dump+0x24/0x30
[  182.446699]  netlink_dump+0x519/0xd50
[  182.450497]  ? netlink_broadcast+0x50/0x50
[  182.454734]  __netlink_dump_start+0x4f1/0x6f0
[  182.459380]  ? tipc_data_ready+0x3e0/0x3e0
[  182.463618]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  182.468854]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  182.473520]  ? tipc_data_ready+0x3e0/0x3e0
[  182.477772]  ? tipc_unregister_sysctl+0x20/0x20
[  182.482435]  ? tipc_ioctl+0x3a0/0x3a0
[  182.486230]  ? netlink_deliver_tap+0x355/0xf80
[  182.490899]  sock_diag_rcv_msg+0x31d/0x410
[  182.495131]  netlink_rcv_skb+0x172/0x440
[  182.499191]  ? sock_diag_bind+0x80/0x80
[  182.503166]  ? netlink_ack+0xb80/0xb80
[  182.507055]  sock_diag_rcv+0x2a/0x40
[  182.510786]  netlink_unicast+0x5a5/0x760
[  182.514844]  ? netlink_attachskb+0x9a0/0x9a0
[  182.519377]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.524911]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  182.529928]  netlink_sendmsg+0xa18/0xfc0
[  182.533997]  ? netlink_unicast+0x760/0x760
[  182.538230]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  182.543290]  ? apparmor_socket_sendmsg+0x29/0x30
[  182.548042]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.553578]  ? security_socket_sendmsg+0x94/0xc0
[  182.558327]  ? netlink_unicast+0x760/0x760
[  182.562699]  sock_sendmsg+0xd5/0x120
[  182.566411]  ___sys_sendmsg+0x7fd/0x930
[  182.570503]  ? __local_bh_enable_ip+0x160/0x260
[  182.575171]  ? copy_msghdr_from_user+0x580/0x580
[  182.579922]  ? kasan_check_write+0x14/0x20
[  182.584155]  ? _raw_spin_unlock_bh+0x30/0x40
[  182.588559]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  182.594006]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.599537]  ? release_sock+0x1ec/0x2c0
[  182.603508]  ? __fget_light+0x2e9/0x430
[  182.607474]  ? fget_raw+0x20/0x20
[  182.610921]  ? __release_sock+0x3a0/0x3a0
[  182.615064]  ? tipc_nametbl_build_group+0x273/0x360
[  182.620088]  ? tipc_setsockopt+0x726/0xd70
[  182.624318]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  182.629847]  ? sockfd_lookup_light+0xc5/0x160
[  182.634340]  __sys_sendmsg+0x11d/0x280
[  182.638220]  ? __ia32_sys_shutdown+0x80/0x80
[  182.642619]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  182.648148]  ? fput+0x130/0x1a0
[  182.651429]  ? __x64_sys_futex+0x47f/0x6a0
[  182.655662]  ? do_syscall_64+0x9a/0x820
[  182.659635]  ? do_syscall_64+0x9a/0x820
[  182.663613]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  182.669065]  __x64_sys_sendmsg+0x78/0xb0
[  182.673129]  do_syscall_64+0x1b9/0x820
[  182.677014]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  182.682374]  ? syscall_return_slowpath+0x5e0/0x5e0
[  182.687298]  ? trace_hardirqs_off+0x300/0x300
[  182.691793]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  182.696817]  ? recalc_sigpending_tsk+0x180/0x180
[  182.701569]  ? kasan_check_write+0x14/0x20
[  182.705815]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  182.710655]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  182.715841] RIP: 0033:0x457099
[  182.719032] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  182.737933] RSP: 002b:00007f76ed841c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  182.745636] RAX: ffffffffffffffda RBX: 00007f76ed8426d4 RCX: 0000000000457099
[  182.752899] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  182.760161] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  182.767547] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  182.774816] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[  182.782090]
[  182.783713] Allocated by task 5607:
[  182.787468]  save_stack+0x43/0xd0
[  182.790917]  kasan_kmalloc+0xc7/0xe0
[  182.794624]  kasan_slab_alloc+0x12/0x20
[  182.798598]  kmem_cache_alloc+0x12e/0x730
[  182.802767]  sock_alloc_inode+0x1d/0x260
[  182.806827]  alloc_inode+0x63/0x190
[  182.810450]  new_inode_pseudo+0x71/0x1a0
[  182.814503]  sock_alloc+0x41/0x270
[  182.818038]  __sock_create+0x175/0x930
[  182.822086]  __sys_socket+0x106/0x260
[  182.825884]  __x64_sys_socket+0x73/0xb0
[  182.830125]  do_syscall_64+0x1b9/0x820
[  182.834027]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  182.839362]
[  182.840989] Freed by task 5606:
[  182.844264]  save_stack+0x43/0xd0
[  182.847712]  __kasan_slab_free+0x102/0x150
[  182.851942]  kasan_slab_free+0xe/0x10
[  182.855763]  kmem_cache_free+0x83/0x290
[  182.859735]  sock_destroy_inode+0x51/0x60
[  182.863900]  destroy_inode+0x159/0x200
[  182.867789]  evict+0x5e0/0x980
[  182.870984]  iput+0x679/0xa90
[  182.874088]  dentry_unlink_inode+0x461/0x5e0
[  182.878490]  __dentry_kill+0x44c/0x7a0
[  182.882369]  dentry_kill+0xc9/0x5a0
[  182.885989]  dput.part.26+0x660/0x790
[  182.889794]  dput+0x15/0x20
[  182.892730]  __fput+0x4cf/0xa30
[  182.896111]  ____fput+0x15/0x20
[  182.899391]  task_work_run+0x1e8/0x2a0
[  182.903276]  exit_to_usermode_loop+0x318/0x380
[  182.907852]  do_syscall_64+0x6be/0x820
[  182.911734]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  182.917012]
[  182.918642] The buggy address belongs to the object at ffff8801c3fa3540
[  182.918642]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[  182.932517] The buggy address is located 112 bytes inside of
[  182.932517]  984-byte region [ffff8801c3fa3540, ffff8801c3fa3918)
[  182.944382] The buggy address belongs to the page:
[  182.949305] page:ffffea00070fe8c0 count:1 mapcount:0 mapping:ffff8801d264ae00 index:0xffff8801c3fa3ffd
[  182.958764] flags: 0x2fffc0000000100(slab)
[  182.963189] raw: 02fffc0000000100 ffffea00070ff388 ffffea00070ff888 ffff8801d264ae00
[  182.971187] raw: ffff8801c3fa3ffd ffff8801c3fa30c0 0000000100000003 ffff8801ce908dc0
[  182.979059] page dumped because: kasan: bad access detected
[  182.984898] page->mem_cgroup:ffff8801ce908dc0
[  182.989518]
[  182.991141] Memory state around the buggy address:
[  182.996224]  ffff8801c3fa3480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[  183.003578]  ffff8801c3fa3500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  183.011285] >ffff8801c3fa3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  183.018635]                                      ^
[  183.023816]  ffff8801c3fa3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  183.031304]  ffff8801c3fa3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  183.038655] ==================================================================
[  183.046011] Disabling lock debugging due to kernel taint
[  183.051522] Kernel panic - not syncing: panic_on_warn set ...
[  183.051522]
[  183.058909] CPU: 1 PID: 5607 Comm: syz-executor0 Tainted: G    B 4.19.0-rc2+ #208
[  183.067573] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  183.077129] Call Trace:
[  183.079736]  dump_stack+0x1c4/0x2b4
[  183.083388]  ? dump_stack_print_info.cold.2+0x52/0x52
[  183.088575]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.093330]  panic+0x238/0x4e7
[  183.096629]  ? add_taint.cold.5+0x16/0x16
[  183.100814]  ? trace_hardirqs_on+0x9a/0x310
[  183.105131]  ? trace_hardirqs_on+0xb4/0x310
[  183.109450]  ? trace_hardirqs_on+0xb4/0x310
[  183.113798]  kasan_end_report+0x47/0x4f
[  183.117886]  kasan_report.cold.9+0x76/0x309
[  183.122207]  ? sock_i_ino+0x94/0xa0
[  183.125833]  __asan_report_load8_noabort+0x14/0x20
[  183.130797]  sock_i_ino+0x94/0xa0
[  183.134273]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  183.138941]  ? tipc_diag_dump+0x30/0x30
[  183.143039]  ? tipc_getname+0x7f0/0x7f0
[  183.147016]  ? graph_lock+0x170/0x170
[  183.150814]  ? __lock_sock+0x203/0x350
[  183.154704]  ? find_held_lock+0x36/0x1c0
[  183.158783]  ? mark_held_locks+0xc7/0x130
[  183.162932]  ? __local_bh_enable_ip+0x160/0x260
[  183.167788]  ? __local_bh_enable_ip+0x160/0x260
[  183.172461]  ? lockdep_hardirqs_on+0x421/0x5c0
[  183.177320]  ? trace_hardirqs_on+0xbd/0x310
[  183.181651]  ? lock_release+0x970/0x970
[  183.185776]  ? lock_sock_nested+0xe2/0x120
[  183.190023]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  183.195049]  ? skb_put+0x17b/0x1e0
[  183.198726]  ? memset+0x31/0x40
[  183.202033]  ? __nlmsg_put+0x14c/0x1b0
[  183.206055]  __tipc_add_sock_diag+0x233/0x360
[  183.210554]  tipc_nl_sk_walk+0x122/0x1d0
[  183.214700]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  183.220429]  tipc_diag_dump+0x24/0x30
[  183.224230]  netlink_dump+0x519/0xd50
[  183.228282]  ? netlink_broadcast+0x50/0x50
[  183.232659]  __netlink_dump_start+0x4f1/0x6f0
[  183.237155]  ? tipc_data_ready+0x3e0/0x3e0
[  183.241388]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  183.246608]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  183.251277]  ? tipc_data_ready+0x3e0/0x3e0
[  183.255707]  ? tipc_unregister_sysctl+0x20/0x20
[  183.260375]  ? tipc_ioctl+0x3a0/0x3a0
[  183.264179]  ? netlink_deliver_tap+0x355/0xf80
[  183.268784]  sock_diag_rcv_msg+0x31d/0x410
[  183.273024]  netlink_rcv_skb+0x172/0x440
[  183.277082]  ? sock_diag_bind+0x80/0x80
[  183.281056]  ? netlink_ack+0xb80/0xb80
[  183.284949]  sock_diag_rcv+0x2a/0x40
[  183.288790]  netlink_unicast+0x5a5/0x760
[  183.292997]  ? netlink_attachskb+0x9a0/0x9a0
[  183.297406]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.303073]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  183.308092]  netlink_sendmsg+0xa18/0xfc0
[  183.312154]  ? netlink_unicast+0x760/0x760
[  183.316502]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  183.321523]  ? apparmor_socket_sendmsg+0x29/0x30
[  183.326279]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.331815]  ? security_socket_sendmsg+0x94/0xc0
[  183.336908]  ? netlink_unicast+0x760/0x760
[  183.341143]  sock_sendmsg+0xd5/0x120
[  183.344856]  ___sys_sendmsg+0x7fd/0x930
[  183.348830]  ? __local_bh_enable_ip+0x160/0x260
[  183.353498]  ? copy_msghdr_from_user+0x580/0x580
[  183.358260]  ? kasan_check_write+0x14/0x20
[  183.362496]  ? _raw_spin_unlock_bh+0x30/0x40
[  183.366904]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  183.372358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.377899]  ? release_sock+0x1ec/0x2c0
[  183.381877]  ? __fget_light+0x2e9/0x430
[  183.385849]  ? fget_raw+0x20/0x20
[  183.389299]  ? __release_sock+0x3a0/0x3a0
[  183.393454]  ? tipc_nametbl_build_group+0x273/0x360
[  183.398485]  ? tipc_setsockopt+0x726/0xd70
[  183.402722]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.408282]  ? sockfd_lookup_light+0xc5/0x160
[  183.412846]  __sys_sendmsg+0x11d/0x280
[  183.416735]  ? __ia32_sys_shutdown+0x80/0x80
[  183.421172]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  183.426703]  ? fput+0x130/0x1a0
[  183.429993]  ? __x64_sys_futex+0x47f/0x6a0
[  183.434258]  ? do_syscall_64+0x9a/0x820
[  183.438239]  ? do_syscall_64+0x9a/0x820
[  183.442229]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  183.447682]  __x64_sys_sendmsg+0x78/0xb0
[  183.451766]  do_syscall_64+0x1b9/0x820
[  183.455660]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  183.461033]  ? syscall_return_slowpath+0x5e0/0x5e0
[  183.465969]  ? trace_hardirqs_off+0x300/0x300
[  183.470473]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  183.475488]  ? recalc_sigpending_tsk+0x180/0x180
[  183.480244]  ? kasan_check_write+0x14/0x20
[  183.484534]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.489384]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  183.494567] RIP: 0033:0x457099
[  183.497780] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  183.516677] RSP: 002b:00007f76ed841c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  183.524382] RAX: ffffffffffffffda RBX: 00007f76ed8426d4 RCX: 0000000000457099
[  183.531652] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  183.538919] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  183.546237] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  183.553524] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[  183.561270] Dumping ftrace buffer:
[  183.564871]    (ftrace buffer empty)
[  183.569211] Kernel Offset: disabled
[  183.572850] Rebooting in 86400 seconds..