[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   23.445602] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.908879] random: sshd: uninitialized urandom read (32 bytes read)
[   25.269764] random: sshd: uninitialized urandom read (32 bytes read)
[   25.854733] random: sshd: uninitialized urandom read (32 bytes read)
[  105.368030] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
[  110.983988] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/24 16:41:56 parsed 1 programs
[  112.124685] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/24 16:41:58 executed programs: 0
[  113.413579] IPVS: ftp: loaded support on port[0] = 21
[  113.626772] bridge0: port 1(bridge_slave_0) entered blocking state
[  113.633270] bridge0: port 1(bridge_slave_0) entered disabled state
[  113.641031] device bridge_slave_0 entered promiscuous mode
[  113.658736] bridge0: port 2(bridge_slave_1) entered blocking state
[  113.665167] bridge0: port 2(bridge_slave_1) entered disabled state
[  113.672316] device bridge_slave_1 entered promiscuous mode
[  113.689024] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  113.705379] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  113.748461] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  113.766872] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  113.832420] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  113.839766] team0: Port device team_slave_0 added
[  113.855383] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  113.862727] team0: Port device team_slave_1 added
[  113.878987] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  113.896506] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  113.913191] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  113.930036] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  114.053210] bridge0: port 2(bridge_slave_1) entered blocking state
[  114.059652] bridge0: port 2(bridge_slave_1) entered forwarding state
[  114.066434] bridge0: port 1(bridge_slave_0) entered blocking state
[  114.072782] bridge0: port 1(bridge_slave_0) entered forwarding state
[  114.509498] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  114.515730] 8021q: adding VLAN 0 to HW filter on device bond0
[  114.561946] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  114.601943] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  114.610895] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  114.617247] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  114.624075] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  114.669248] 8021q: adding VLAN 0 to HW filter on device team0
[  114.937834] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
2018/08/24 16:42:03 executed programs: 12
2018/08/24 16:42:08 executed programs: 28
[  125.452218] ==================================================================
[  125.459725] BUG: KASAN: use-after-free in tls_push_record+0x10a9/0x1400
[  125.466486] Write of size 1 at addr ffff8801d831bf5c by task syz-executor0/4873
[  125.473925]
[  125.475557] CPU: 0 PID: 4873 Comm: syz-executor0 Not tainted 4.18.0+ #205
[  125.482465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  125.491800] Call Trace:
[  125.494382]  dump_stack+0x1c9/0x2b4
[  125.498001]  ? dump_stack_print_info.cold.2+0x52/0x52
[  125.503195]  ? printk+0xa7/0xcf
[  125.506476]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  125.511238]  ? tls_push_record+0x10a9/0x1400
[  125.515639]  print_address_description+0x6c/0x20b
[  125.520472]  ? tls_push_record+0x10a9/0x1400
[  125.524869]  kasan_report.cold.7+0x242/0x30d
[  125.529270]  __asan_report_store1_noabort+0x17/0x20
[  125.534287]  tls_push_record+0x10a9/0x1400
[  125.538524]  ? do_raw_spin_trylock+0x1c0/0x1c0
[  125.543108]  tls_sw_push_pending_record+0x22/0x30
[  125.547963]  tls_sk_proto_close+0x759/0xb90
[  125.552375]  ? lock_acquire+0x1e4/0x4f0
[  125.556449]  ? tcp_check_oom+0x530/0x530
[  125.560560]  ? tls_write_space+0x360/0x360
[  125.564792]  ? rcu_note_context_switch+0x680/0x680
[  125.569714]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  125.575241]  ? ipv6_sock_ac_close+0x356/0x490
[  125.579728]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  125.585305]  ? ipv6_sock_mc_close+0x162/0x1d0
[  125.589844]  ? ip_mc_drop_socket+0x20f/0x270
[  125.594260]  ? down_write+0x8f/0x130
[  125.597964]  inet_release+0x104/0x1f0
[  125.601752]  inet6_release+0x50/0x70
[  125.605453]  __sock_release+0xd7/0x250
[  125.609432]  ? __sock_release+0x250/0x250
[  125.613571]  sock_close+0x19/0x20
[  125.617016]  __fput+0x36e/0x8c0
[  125.620288]  ? __alloc_file+0x400/0x400
[  125.624254]  ? kasan_check_write+0x14/0x20
[  125.628489]  ? do_raw_spin_lock+0xc1/0x200
[  125.632726]  ____fput+0x15/0x20
[  125.636040]  task_work_run+0x1e8/0x2a0
[  125.639970]  ? task_work_cancel+0x240/0x240
[  125.644290]  ? copy_fd_bitmaps+0x210/0x210
[  125.648527]  ? do_syscall_64+0x9a/0x820
[  125.652500]  exit_to_usermode_loop+0x318/0x380
[  125.657072]  ? syscall_slow_exit_work+0x490/0x490
[  125.661905]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  125.667538]  do_syscall_64+0x6be/0x820
[  125.671477]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  125.676891]  ? syscall_return_slowpath+0x5e0/0x5e0
[  125.681817]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  125.686648]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[  125.691665]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  125.696673]  ? prepare_exit_to_usermode+0x291/0x3b0
[  125.702037]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  125.706891]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  125.712068] RIP: 0033:0x410c41
[  125.715254] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 19 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[  125.734273] RSP: 002b:0000000000a3fdc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  125.741988] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410c41
[  125.749265] RDX: 0000000000000000 RSI: 0000000000730ea0 RDI: 0000000000000004
[  125.756518] RBP: 0000000000000000 R08: 000000000000000e R09: 0000000000000001
[  125.763777] R10: 0000000000a3fcf0 R11: 0000000000000293 R12: 000000000000000b
[  125.771099] R13: 000000000001e881 R14: 0000000000000022 R15: badc0ffeebadface
[  125.778368]
[  125.780030] The buggy address belongs to the page:
[  125.784959] page:ffffea000760c6c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  125.793082] flags: 0x2fffc0000000000()
[  125.796952] raw: 02fffc0000000000 0000000000000000 ffffffff07600101 0000000000000000
[  125.804812] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  125.812672] page dumped because: kasan: bad access detected
[  125.818364]
[  125.819972] Memory state around the buggy address:
[  125.824886]  ffff8801d831be00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  125.832231]  ffff8801d831be80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  125.839576] >ffff8801d831bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  125.846918]                                                     ^
[  125.853135]  ffff8801d831bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  125.860480]  ffff8801d831c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  125.867822] ==================================================================
[  125.875163] Disabling lock debugging due to kernel taint
[  125.880886] Kernel panic - not syncing: panic_on_warn set ...
[  125.880886]
[  125.888271] CPU: 0 PID: 4873 Comm: syz-executor0 Tainted: G    B             4.18.0+ #205
[  125.896577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  125.905909] Call Trace:
[  125.908484]  dump_stack+0x1c9/0x2b4
[  125.912097]  ? dump_stack_print_info.cold.2+0x52/0x52
[  125.917277]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  125.922018]  panic+0x238/0x4e7
[  125.925194]  ? add_taint.cold.5+0x16/0x16
[  125.929329]  ? trace_hardirqs_on+0xb4/0x2c0
[  125.933632]  ? trace_hardirqs_on+0x9a/0x2c0
[  125.937939]  ? tls_push_record+0x10a9/0x1400
[  125.942331]  kasan_end_report+0x47/0x4f
[  125.946289]  kasan_report.cold.7+0x76/0x30d
[  125.950595]  __asan_report_store1_noabort+0x17/0x20
[  125.955594]  tls_push_record+0x10a9/0x1400
[  125.959815]  ? do_raw_spin_trylock+0x1c0/0x1c0
[  125.964442]  tls_sw_push_pending_record+0x22/0x30
[  125.969278]  tls_sk_proto_close+0x759/0xb90
[  125.973583]  ? lock_acquire+0x1e4/0x4f0
[  125.977550]  ? tcp_check_oom+0x530/0x530
[  125.981598]  ? tls_write_space+0x360/0x360
[  125.985819]  ? rcu_note_context_switch+0x680/0x680
[  125.990734]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  125.996310]  ? ipv6_sock_ac_close+0x356/0x490
[  126.000798]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  126.006321]  ? ipv6_sock_mc_close+0x162/0x1d0
[  126.010797]  ? ip_mc_drop_socket+0x20f/0x270
[  126.015188]  ? down_write+0x8f/0x130
[  126.018888]  inet_release+0x104/0x1f0
[  126.022678]  inet6_release+0x50/0x70
[  126.026380]  __sock_release+0xd7/0x250
[  126.030253]  ? __sock_release+0x250/0x250
[  126.034382]  sock_close+0x19/0x20
[  126.037826]  __fput+0x36e/0x8c0
[  126.041138]  ? __alloc_file+0x400/0x400
[  126.045130]  ? kasan_check_write+0x14/0x20
[  126.049362]  ? do_raw_spin_lock+0xc1/0x200
[  126.053689]  ____fput+0x15/0x20
[  126.056957]  task_work_run+0x1e8/0x2a0
[  126.060872]  ? task_work_cancel+0x240/0x240
[  126.065185]  ? copy_fd_bitmaps+0x210/0x210
[  126.069404]  ? do_syscall_64+0x9a/0x820
[  126.073364]  exit_to_usermode_loop+0x318/0x380
[  126.077931]  ? syscall_slow_exit_work+0x490/0x490
[  126.082760]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  126.088287]  do_syscall_64+0x6be/0x820
[  126.092171]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  126.097519]  ? syscall_return_slowpath+0x5e0/0x5e0
[  126.102452]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  126.107278]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[  126.112283]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  126.117290]  ? prepare_exit_to_usermode+0x291/0x3b0
[  126.122299]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  126.127141]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  126.132324] RIP: 0033:0x410c41
[  126.135502] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 19 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[  126.154385] RSP: 002b:0000000000a3fdc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  126.162079] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410c41
[  126.169334] RDX: 0000000000000000 RSI: 0000000000730ea0 RDI: 0000000000000004
[  126.176590] RBP: 0000000000000000 R08: 000000000000000e R09: 0000000000000001
[  126.183841] R10: 0000000000a3fcf0 R11: 0000000000000293 R12: 000000000000000b
[  126.191094] R13: 000000000001e881 R14: 0000000000000022 R15: badc0ffeebadface
[  126.198714] Dumping ftrace buffer:
[  126.202315]    (ftrace buffer empty)
[  126.206011] Kernel Offset: disabled
[  126.209618] Rebooting in 86400 seconds..