[....] Starting OpenBSD Secure Shell server: sshd
[ 18.241502] random: sshd: uninitialized urandom read (32 bytes read, 31 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.849008] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ 20.203571] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ 21.286837] random: sshd: uninitialized urandom read (32 bytes read, 125 bits of entropy available)
[ 21.434710] random: sshd: uninitialized urandom read (32 bytes read, 128 bits of entropy available)
[ 21.488990] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
2018/04/11 18:11:06 parsed 1 programs
2018/04/11 18:11:06 executed programs: 0
[ 27.300161] IPVS: Creating netns size=2552 id=1
[ 27.362509] binder: 3768:3769 ERROR: BC_REGISTER_LOOPER called without request
[ 28.163282] binder: release 3768:3769 transaction 3 out, still active
[ 28.169917] binder: release 3768:3769 transaction 2 in, still active
[ 28.176392] binder: undelivered TRANSACTION_COMPLETE
[ 28.181792] binder: 3768:3769 IncRefs 0 refcount change on invalid ref 3 ret -22
[ 28.189359] binder: 3768:3769 BC_INCREFS_DONE u0000000000000000 node 1 cookie mismatch 0000000000000004 != 0000000000000000
[ 28.200627] binder: 3768:3769 BC_FREE_BUFFER u0000000000000000 no match
[ 28.207378] binder: 3768:3769 got transaction to invalid handle
[ 28.213439] binder: 3768:3769 transaction failed 29201/-22, size 0-0 line 3011
[ 28.223333] binder: undelivered TRANSACTION_ERROR: 29201
[ 28.228918] binder: release 3768:3770 transaction 5 in, still active
[ 28.240898] binder: send failed reply for transaction 5 to 3768:3770
[ 28.247692] ==================================================================
[ 28.255057] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0
[ 28.261693] Read of size 8 at addr ffff8801d4b8a210 by task kworker/u4:1/19
[ 28.268760]
[ 28.270362] CPU: 1 PID: 19 Comm: kworker/u4:1 Not tainted 4.4.125-g38f41ec #21
[ 28.277688] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.287021] Workqueue: binder binder_deferred_func
[ 28.292038]  0000000000000000 53d1ade78f568b9a ffff8801d949fa58 ffffffff81d067bd
[ 28.300021]  ffffea000752e280 ffff8801d4b8a210 0000000000000000 ffff8801d4b8a210
[ 28.308005]  ffffed00390dda89 ffff8801d949fa90 ffffffff814fea83 ffff8801d4b8a210
[ 28.315976] Call Trace:
[ 28.318574]  [] dump_stack+0xc1/0x124
[ 28.323918]  [] print_address_description+0x73/0x260
[ 28.330577]  [] kasan_report+0x285/0x370
[ 28.336173]  [] ? __list_del_entry+0x196/0x1d0
[ 28.342301]  [] __asan_report_load8_noabort+0x14/0x20
[ 28.349035]  [] __list_del_entry+0x196/0x1d0
[ 28.354981]  [] binder_release_work+0x6e/0x260
[ 28.361098]  [] ? binder_send_failed_reply+0x1ce/0x380
[ 28.367910]  [] binder_thread_release+0x425/0x600
[ 28.374289]  [] binder_deferred_func+0x438/0xd10
[ 28.380579]  [] ? __lock_is_held+0xa1/0xf0
[ 28.386350]  [] process_one_work+0x7d7/0x16e0
[ 28.392386]  [] ? process_one_work+0x6f7/0x16e0
[ 28.398597]  [] ? pwq_dec_nr_in_flight+0x280/0x280
[ 28.405064]  [] ? worker_thread+0x288/0xfc0
[ 28.410917]  [] worker_thread+0xd9/0xfc0
[ 28.416514]  [] kthread+0x268/0x300
[ 28.421673]  [] ? process_one_work+0x16e0/0x16e0
[ 28.427970]  [] ? kthread_create_on_node+0x400/0x400
[ 28.434608]  [] ? kthread_create_on_node+0x400/0x400
[ 28.441246]  [] ret_from_fork+0x55/0x80
[ 28.446767]  [] ? kthread_create_on_node+0x400/0x400
[ 28.453402]
[ 28.455001] Allocated by task 3770:
[ 28.458600]  [] save_stack_trace+0x26/0x50
[ 28.464500]  [] save_stack+0x43/0xd0
[ 28.469912]  [] kasan_kmalloc+0xad/0xe0
[ 28.469922]  [] kmem_cache_alloc_trace+0x100/0x2b0
[ 28.469936]  [] binder_transaction+0x103c/0x7290
[ 28.469944]  [] binder_thread_write+0x81f/0x33e0
[ 28.469951]  [] binder_ioctl_write_read.isra.55+0x1cf/0xbc0
[ 28.469956]  [] binder_ioctl+0xc50/0x12e0
[ 28.469963]  [] compat_SyS_ioctl+0x28a/0x2540
[ 28.469971]  [] do_fast_syscall_32+0x321/0x8a0
[ 28.469979]  [] sysenter_flags_fixed+0xd/0x17
[ 28.469981]
[ 28.469984] Freed by task 19:
[ 28.469993]  [] save_stack_trace+0x26/0x50
[ 28.470000]  [] save_stack+0x43/0xd0
[ 28.470006]  [] kasan_slab_free+0x72/0xc0
[ 28.470012]  [] kfree+0xfc/0x300
[ 28.470019]  [] binder_free_transaction+0x6a/0x90
[ 28.470027]  [] binder_send_failed_reply+0x1c9/0x380
[ 28.470034]  [] binder_thread_release+0x413/0x600
[ 28.470041]  [] binder_deferred_func+0x438/0xd10
[ 28.470049]  [] process_one_work+0x7d7/0x16e0
[ 28.470055]  [] worker_thread+0xd9/0xfc0
[ 28.470062]  [] kthread+0x268/0x300
[ 28.470068]  [] ret_from_fork+0x55/0x80
[ 28.470069]
[ 28.470073] The buggy address belongs to the object at ffff8801d4b8a200
[ 28.470073]  which belongs to the cache kmalloc-192 of size 192
[ 28.470078] The buggy address is located 16 bytes inside of
[ 28.470078]  192-byte region [ffff8801d4b8a200, ffff8801d4b8a2c0)
[ 28.470080] The buggy address belongs to the page:
[ 28.498552] ------------[ cut here ]------------
[ 28.498571] WARNING: CPU: 0 PID: 3772 at lib/debugobjects.c:263 debug_print_object+0x17d/0x220()
[ 28.498580] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: tick_sched_timer+0x0/0x120
[ 28.498708] Kernel panic - not syncing: panic_on_warn set ...
[ 28.498708]
[ 28.498715] CPU: 0 PID: 3772 Comm: init Not tainted 4.4.125-g38f41ec #21
[ 28.498717] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.498725]  0000000000000000 d73f2009153d8a80 ffff8801db207ac8 ffffffff81d067bd
[ 28.498732]  ffffffff83843c60 ffff8801db207ba0 ffffffff839ff4a0 0000000000000009
[ 28.498738]  0000000000000107 ffff8801db207b90 ffffffff8141b46a 0000000041b58ab3
[ 28.498739] Call Trace:
[ 28.498750]  [] dump_stack+0xc1/0x124
[ 28.498759]  [] panic+0x1aa/0x388
[ 28.498765]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 28.498773]  [] ? warn_slowpath_common+0x10a/0x140
[ 28.498778]  [] warn_slowpath_common+0x125/0x140
[ 28.498785]  [] ? debug_print_object+0x17d/0x220
[ 28.498790]  [] warn_slowpath_fmt+0xc1/0x110
[ 28.498796]  [] ? warn_slowpath_common+0x140/0x140
[ 28.498803]  [] ? ktime_add_safe+0xa0/0xa0
[ 28.498808]  [] debug_print_object+0x17d/0x220
[ 28.498814]  [] ? tick_sched_do_timer+0xa0/0xa0
[ 28.498819]  [] debug_object_deactivate+0x25d/0x3c0
[ 28.498825]  [] ? debug_object_activate+0x500/0x500
[ 28.498831]  [] ? __lock_is_held+0xa1/0xf0
[ 28.498838]  [] __hrtimer_run_queues+0x492/0xfe0
[ 28.498843]  [] ? hrtimer_fixup_init+0x70/0x70
[ 28.498849]  [] ? hrtimer_interrupt+0x131/0x440
[ 28.498855]  [] hrtimer_interrupt+0x1a6/0x440
[ 28.498863]  [] local_apic_timer_interrupt+0x6a/0xb0
[ 28.498871]  [] smp_apic_timer_interrupt+0x76/0xa0
[ 28.498877]  [] apic_timer_interrupt+0xa0/0xb0
[ 28.498887]  [] ? console_unlock+0x5a6/0xa00
[ 28.498894]  [] ? uart_set_termios+0x6b0/0x6b0
[ 28.498899]  [] console_device+0x95/0xc0
[ 28.498908]  [] tty_open+0x4e8/0xee0
[ 28.498914]  [] ? tty_init_dev+0x430/0x430
[ 28.498920]  [] ? chrdev_open+0xc7/0x4c0
[ 28.498926]  [] ? tty_init_dev+0x430/0x430
[ 28.498931]  [] chrdev_open+0x22b/0x4c0
[ 28.498937]  [] ? cdev_put.part.0+0x50/0x50
[ 28.498944]  [] do_dentry_open+0x59b/0xba0
[ 28.498949]  [] ? __inode_permission2+0x9b/0x240
[ 28.498955]  [] ? cdev_put.part.0+0x50/0x50
[ 28.498961]  [] vfs_open+0x110/0x210
[ 28.498965]  [] ? may_open+0x1ae/0x280
[ 28.498970]  [] path_openat+0x923/0x3940
[ 28.498976]  [] ? depot_save_stack+0x1c3/0x640
[ 28.498982]  [] ? path_mountpoint+0x830/0x830
[ 28.498987]  [] ? getname_flags+0xcb/0x580
[ 28.498991]  [] ? getname+0x19/0x20
[ 28.498997]  [] ? do_sys_open+0x21f/0x660
[ 28.499002]  [] ? SyS_open+0x2d/0x40
[ 28.499008]  [] ? entry_SYSCALL_64_fastpath+0x22/0x9e
[ 28.499014]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.499019]  [] ? __lock_is_held+0xa1/0xf0
[ 28.499025]  [] do_filp_open+0x197/0x290
[ 28.499030]  [] ? user_path_mountpoint_at+0x40/0x40
[ 28.499036]  [] ? _raw_spin_unlock+0x2c/0x50
[ 28.499042]  [] ? __alloc_fd+0x1e3/0x500
[ 28.499048]  [] do_sys_open+0x369/0x660
[ 28.499054]  [] ? filp_open+0x70/0x70
[ 28.499060]  [] ? proc_clear_tty+0xd9/0x140
[ 28.499065]  [] ? _raw_write_unlock_irq+0x27/0x50
[ 28.499071]  [] SyS_open+0x2d/0x40
[ 28.499077]  [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 29.612430] Shutting down cpus with NMI
[ 29.613006] Dumping ftrace buffer:
[ 29.613110]    (ftrace buffer empty)
[ 29.613112] Kernel Offset: disabled
[ 30.177458] Rebooting in 86400 seconds..
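The KASAN report above is the unit a triager actually works from: the bug kind and faulting function, the access line, the three stacks (use, allocation, free), the slab object the address falls in, and whether the report even finished printing. The following is an added example, not part of the syzkaller log and not syzkaller's or the kernel's code, that extracts those fields from a 4.4-era KASAN report whose frame addresses are printed as `[]`. `SAMPLE` is a constructed excerpt of the log above; `parse_kasan_report`, `triage` and `first_frame` are hypothetical helper names.

```python
# Added example (not from the crash log above, not syzkaller code): pull the
# triage-relevant fields out of a 4.4-era KASAN report whose frame addresses
# have been stripped to "[]". SAMPLE is a constructed excerpt of that log.
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
[ 28.255057] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0
[ 28.261693] Read of size 8 at addr ffff8801d4b8a210 by task kworker/u4:1/19
[ 28.268760]
[ 28.270362] CPU: 1 PID: 19 Comm: kworker/u4:1 Not tainted 4.4.125-g38f41ec #21
[ 28.315976] Call Trace:
[ 28.318574]  [] dump_stack+0xc1/0x124
[ 28.330577]  [] kasan_report+0x285/0x370
[ 28.336173]  [] ? __list_del_entry+0x196/0x1d0
[ 28.342301]  [] __asan_report_load8_noabort+0x14/0x20
[ 28.349035]  [] __list_del_entry+0x196/0x1d0
[ 28.354981]  [] binder_release_work+0x6e/0x260
[ 28.361098]  [] ? binder_send_failed_reply+0x1ce/0x380
[ 28.367910]  [] binder_thread_release+0x425/0x600
[ 28.374289]  [] binder_deferred_func+0x438/0xd10
[ 28.453402]
[ 28.455001] Allocated by task 3770:
[ 28.458600]  [] save_stack_trace+0x26/0x50
[ 28.469912]  [] kasan_kmalloc+0xad/0xe0
[ 28.469922]  [] kmem_cache_alloc_trace+0x100/0x2b0
[ 28.469936]  [] binder_transaction+0x103c/0x7290
[ 28.469981]
[ 28.469984] Freed by task 19:
[ 28.469993]  [] save_stack_trace+0x26/0x50
[ 28.470006]  [] kasan_slab_free+0x72/0xc0
[ 28.470012]  [] kfree+0xfc/0x300
[ 28.470019]  [] binder_free_transaction+0x6a/0x90
[ 28.470027]  [] binder_send_failed_reply+0x1c9/0x380
[ 28.470069]
[ 28.470073] The buggy address belongs to the object at ffff8801d4b8a200
[ 28.470073]  which belongs to the cache kmalloc-192 of size 192
[ 28.470078] The buggy address is located 16 bytes inside of
[ 28.470080] The buggy address belongs to the page:
[ 28.498552] ------------[ cut here ]------------
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # printk timestamp prefix
BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<where>\S+)")
ACCESS = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME = re.compile(r"^\s*\[\]\s+(?P<q>\?\s+)?(?P<sym>\S+)$")  # "?" marks an unreliable frame
SECTION = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
OBJECT = re.compile(r"^The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"^\s*which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
INSIDE = re.compile(r"^The buggy address is located (?P<off>\d+) bytes inside of")

@dataclass
class Frame:
    symbol: str        # function name
    offset: str        # "0x196/0x1d0" part
    unreliable: bool   # printed with "?": stale stack slot, not a confirmed caller

@dataclass
class Report:
    kind: str
    fault: str
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    traces: dict = field(default_factory=lambda: {"use": [], "alloc": [], "free": []})
    pids: dict = field(default_factory=dict)   # "alloc"/"free" -> pid
    object_base: Optional[int] = None
    cache: str = ""
    cache_size: int = 0
    offset_in_object: Optional[int] = None
    complete: bool = False       # reached the "Memory state around" dump
    interrupted_by: str = ""     # line that cut the report short, if any

def parse_kasan_report(text: str) -> Optional[Report]:
    rep, cur = None, None   # cur: the frame list currently being filled
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if rep is None:
            if m := BUG.match(line):
                rep = Report(kind=m["kind"], fault=m["where"])
            continue
        if line.startswith("Memory state around"):
            rep.complete = True
            break
        if "cut here" in line or line.startswith(("BUG:", "Kernel panic")):
            rep.interrupted_by = line.strip()   # another warning/report pre-empted this one
            break
        if cur is not None and (m := FRAME.match(line)):
            sym, _, off = m["sym"].partition("+")
            cur.append(Frame(sym, off, bool(m["q"])))
            continue
        if not line.strip():
            cur = None                          # blank line ends a stack section
            continue
        if m := ACCESS.match(line):
            rep.op, rep.size, rep.addr, rep.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line.startswith("Call Trace:"):
            cur = rep.traces["use"]
        elif m := SECTION.match(line):
            key = "alloc" if m["what"] == "Allocated" else "free"
            rep.pids[key] = int(m["pid"])
            cur = rep.traces[key]
        elif m := OBJECT.match(line):
            rep.object_base = int(m["base"], 16)
        elif m := CACHE.match(line):
            rep.cache, rep.cache_size = m["cache"], int(m["size"])
        elif m := INSIDE.match(line):
            rep.offset_in_object = int(m["off"])
    return rep

def first_frame(frames, prefix: str) -> Optional[Frame]:
    """First reliable frame inside the given subsystem, skipping KASAN/allocator plumbing."""
    return next((f for f in frames if not f.unreliable and f.symbol.startswith(prefix)), None)

def triage(rep: Report, subsystem: str) -> dict:
    use, alloc, free = (first_frame(rep.traces[k], subsystem) for k in ("use", "alloc", "free"))
    use_pid = int(rep.task.rsplit("/", 1)[-1]) if "/" in rep.task else None
    return {
        "summary": f"{rep.kind}: {rep.op} {rep.size} bytes at +{rep.offset_in_object} in {rep.cache}",
        "use_site": use.symbol if use else None,
        "alloc_site": alloc.symbol if alloc else None,
        "free_site": free.symbol if free else None,
        # same task freed the object and then touched it: points at ordering on one
        # code path rather than a cross-task race
        "same_task_free_and_use": use_pid is not None and rep.pids.get("free") == use_pid,
        # sanity check: "located N bytes inside" must agree with addr - object base
        "offset_consistent": rep.object_base is not None
            and rep.addr - rep.object_base == rep.offset_in_object,
        "report_complete": rep.complete and not rep.interrupted_by,
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(parse_kasan_report(SAMPLE), "binder_"))
```

Run against the excerpt, `triage(..., "binder_")` reports the use site as `binder_release_work`, the free site as `binder_free_transaction`, the allocation site as `binder_transaction`, and that the same kworker (PID 19) both freed the object and read it 16 bytes into a `kmalloc-192` slot. It also flags the report as incomplete: the `cut here` of the ODEBUG warning on CPU 0, with `panic_on_warn` set, pre-empted the KASAN output before its memory-state dump, which is why that dump is absent from the log above.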