[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 12.639071] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.390258] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.587434] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.152662] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.698785] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
[ 46.323896] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 11:04:47 parsed 1 programs
[ 47.548275] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 11:04:49 executed programs: 0
[ 48.843713] IPVS: Creating netns size=2536 id=1
[ 48.866496] IPVS: Creating netns size=2536 id=2
[ 48.899422] IPVS: Creating netns size=2536 id=3
[ 48.914190] IPVS: Creating netns size=2536 id=4
[ 48.952375] IPVS: Creating netns size=2536 id=5
[ 48.976131] IPVS: Creating netns size=2536 id=6
[ 49.017016] IPVS: Creating netns size=2536 id=7
[ 49.078010] IPVS: Creating netns size=2536 id=8
[ 49.223864] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 49.254564] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 49.507279] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 49.519167] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 49.535303] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 49.546426] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 49.554025] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 49.587937] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 49.602272] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 49.618041] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 49.739580] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 49.763425] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 49.800304] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 49.820291] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 49.828363] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 49.837279] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 49.846160] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 49.854184] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 49.869846] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 49.890759] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 49.899457] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 49.922510] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 49.937289] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 49.952316] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.000455] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.047020] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.057554] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.068626] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 50.086452] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 50.100874] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 50.128461] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 50.152587] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 50.163811] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 50.172407] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 50.181344] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 50.190421] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.204289] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 50.222862] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.230807] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.245026] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.253777] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 50.260704] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.268302] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.276159] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.283567] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 50.309113] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.327015] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 50.339335] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.348360] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.357212] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.366332] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.375376] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 50.384920] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.396192] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.403763] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 50.414359] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.423206] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.433263] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 50.453900] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.466483] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.473976] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 50.492268] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 50.506005] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 50.521157] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.533251] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.546518] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 50.563532] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.578770] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.587264] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.604031] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.620992] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.636007] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 50.647859] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.654913] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.663497] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.686320] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 50.693488] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.702392] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.714505] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 50.733609] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.758149] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 50.765553] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.776287] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.783801] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.811865] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 50.824953] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.837115] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.844646] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 50.871204] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.885040] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.895149] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 50.912979] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.924786] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.937763] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 53.756845] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.781944] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.917515] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 53.929390] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 53.939165] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 53.949689] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 53.958333] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 53.966779] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 53.973690] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.048266] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.092722] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.111891] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.122609] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.140839] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.197966] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.205158] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.215003] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.232920] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.280114] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.298133] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.304924] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.313865] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.400320] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.416655] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.423490] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.439303] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 54.451408] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.460257] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.469422] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 54.588887] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 54.595071] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 54.605713] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/08/19 11:04:55 executed programs: 8
[ 58.906880] ==================================================================
[ 58.914306] BUG: KASAN: use-after-free in cpuacct_charge+0x328/0x360
[ 58.920789] Read of size 8 at addr ffff8801d69087e0 by task syz-executor6/3851
[ 58.928652]
[ 58.930275] CPU: 1 PID: 3851 Comm: syz-executor6 Not tainted 4.9.122-g54068d6 #26
[ 58.937878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.947236] ffff8801d8edfa08 ffffffff81eb8829 ffffea00075a4200 ffff8801d69087e0
[ 58.955305] 0000000000000000 ffff8801d69087e0 0000000000000000 ffff8801d8edfa40
[ 58.963369] ffffffff8156b6be ffff8801d69087e0 0000000000000008 0000000000000000
[ 58.971401] Call Trace:
[ 58.973985] [] dump_stack+0xc1/0x128
[ 58.979340] [] print_address_description+0x6c/0x234
[ 58.985994] [] kasan_report.cold.6+0x242/0x2fe
[ 58.992216] [] ? cpuacct_charge+0x328/0x360
[ 58.998211] [] __asan_report_load8_noabort+0x14/0x20
[ 59.004984] [] cpuacct_charge+0x328/0x360
[ 59.010778] [] ? cpuacct_charge+0x7c/0x360
[ 59.016655] [] update_curr+0x28b/0x680
[ 59.022191] [] dequeue_task_fair+0xe3/0x1000
[ 59.028243] [] ? __lock_is_held+0xa2/0xf0
[ 59.034032] [] deactivate_task+0xfb/0x2e0
[ 59.039819] [] __schedule+0x981/0x1bd0
[ 59.045345] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 59.052259] [] schedule+0x7f/0x1b0
[ 59.057437] [] do_nanosleep+0x1f5/0x4d0
[ 59.063047] [] ? schedule_timeout_idle+0x90/0x90
[ 59.069440] [] ? memset+0x31/0x40
[ 59.074535] [] hrtimer_nanosleep+0x210/0x540
[ 59.080583] [] ? hrtimer_run_queues+0x1c0/0x1c0
[ 59.086886] [] ? enqueue_hrtimer+0x3a0/0x3a0
[ 59.092936] [] ? do_nanosleep+0x197/0x4d0
[ 59.098726] [] SyS_nanosleep+0xcc/0x120
[ 59.104341] [] ? hrtimer_nanosleep+0x540/0x540
[ 59.110562] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 59.117394] [] ? hrtimer_nanosleep+0x540/0x540
[ 59.123612] [] do_syscall_64+0x1a6/0x490
[ 59.129313] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 59.136223]
[ 59.137835] Allocated by task 7105:
[ 59.141448] save_stack_trace+0x16/0x20
[ 59.145412] save_stack+0x43/0xd0
[ 59.148854] kasan_kmalloc+0xc7/0xe0
[ 59.152558] kmem_cache_alloc_trace+0xfd/0x2b0
[ 59.157126] cgroup_migrate_prepare_dst+0x779/0x1810
[ 59.162218] cgroup_apply_control+0x35f/0x650
[ 59.166877] cgroup_subtree_control_write+0x9d2/0xf40
[ 59.172053] cgroup_file_write+0x10d/0x550
[ 59.176307] kernfs_fop_write+0x2ae/0x460
[ 59.180445] __vfs_write+0x115/0x580
[ 59.184144] vfs_write+0x187/0x530
[ 59.187672] SyS_write+0xd9/0x1c0
[ 59.191128] do_syscall_64+0x1a6/0x490
[ 59.195014] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 59.200106]
[ 59.201721] Freed by task 0:
[ 59.204736] save_stack_trace+0x16/0x20
[ 59.208705] save_stack+0x43/0xd0
[ 59.212153] kasan_slab_free+0x72/0xc0
[ 59.216062] kfree+0xfb/0x310
[ 59.219164] rcu_process_callbacks+0x9d5/0x12b0
[ 59.223838] __do_softirq+0x210/0x940
[ 59.227623]
[ 59.229243] The buggy address belongs to the object at ffff8801d6908780
[ 59.229243] which belongs to the cache kmalloc-512 of size 512
[ 59.241902] The buggy address is located 96 bytes inside of
[ 59.241902] 512-byte region [ffff8801d6908780, ffff8801d6908980)
[ 59.253684] The buggy address belongs to the page:
[ 59.258609] page:ffffea00075a4200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 59.268819] flags: 0x8000000000004080(slab|head)
[ 59.273564] page dumped because: kasan: bad access detected
[ 59.279261]
[ 59.280872] Memory state around the buggy address:
[ 59.285792]  ffff8801d6908680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.293143]  ffff8801d6908700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.300496] >ffff8801d6908780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.307849]                                                        ^
[ 59.314338]  ffff8801d6908800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.321863]  ffff8801d6908880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.329211] ==================================================================
[ 59.336562] Disabling lock debugging due to kernel taint
[ 59.342000] Kernel panic - not syncing: panic_on_warn set ...
[ 59.342000]
[ 59.349353] CPU: 1 PID: 3851 Comm: syz-executor6 Tainted: G B 4.9.122-g54068d6 #26
[ 59.358178] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.367542] ffff8801d8edf968 ffffffff81eb8829 ffffffff843c81db 00000000ffffffff
[ 59.375597] 0000000000000000 0000000000000001 0000000000000000 ffff8801d8edfa28
[ 59.383641] ffffffff81423f35 0000000041b58ab3 ffffffff843bb838 ffffffff81423d76
[ 59.391701] Call Trace:
[ 59.394281] [] dump_stack+0xc1/0x128
[ 59.399633] [] panic+0x1bf/0x3bc
[ 59.404637] [] ? add_taint.cold.6+0x16/0x16
[ 59.410598] [] ? kasan_end_report+0x32/0x4f
[ 59.416567] [] kasan_end_report+0x47/0x4f
[ 59.422367] [] kasan_report.cold.6+0x76/0x2fe
[ 59.428516] [] ? cpuacct_charge+0x328/0x360
[ 59.434483] [] __asan_report_load8_noabort+0x14/0x20
[ 59.441246] [] cpuacct_charge+0x328/0x360
[ 59.447035] [] ? cpuacct_charge+0x7c/0x360
[ 59.452913] [] update_curr+0x28b/0x680
[ 59.458435] [] dequeue_task_fair+0xe3/0x1000
[ 59.464492] [] ? __lock_is_held+0xa2/0xf0
[ 59.470293] [] deactivate_task+0xfb/0x2e0
[ 59.476080] [] __schedule+0x981/0x1bd0
[ 59.481604] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 59.488618] [] schedule+0x7f/0x1b0
[ 59.493799] [] do_nanosleep+0x1f5/0x4d0
[ 59.499410] [] ? schedule_timeout_idle+0x90/0x90
[ 59.505803] [] ? memset+0x31/0x40
[ 59.510894] [] hrtimer_nanosleep+0x210/0x540
[ 59.516938] [] ? hrtimer_run_queues+0x1c0/0x1c0
[ 59.523250] [] ? enqueue_hrtimer+0x3a0/0x3a0
[ 59.529300] [] ? do_nanosleep+0x197/0x4d0
[ 59.535086] [] SyS_nanosleep+0xcc/0x120
[ 59.540699] [] ? hrtimer_nanosleep+0x540/0x540
[ 59.546923] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 59.553749] [] ? hrtimer_nanosleep+0x540/0x540
[ 59.559974] [] do_syscall_64+0x1a6/0x490
[ 59.565673] [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 60.724704] Shutting down cpus with NMI
[ 60.728999] Dumping ftrace buffer:
[ 60.732526] (ftrace buffer empty)
[ 60.736300] Kernel Offset: disabled
[ 60.739908] Rebooting in 86400 seconds..