[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   25.522788] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   30.367210] random: sshd: uninitialized urandom read (32 bytes read)
[   30.823330] random: sshd: uninitialized urandom read (32 bytes read)
[   31.437974] random: sshd: uninitialized urandom read (32 bytes read)
[  171.997141] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
[  177.770266] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/08 12:53:39 parsed 1 programs
[  178.915043] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/08 12:53:40 executed programs: 0
[  180.002340] IPVS: ftp: loaded support on port[0] = 21
[  180.247528] bridge0: port 1(bridge_slave_0) entered blocking state
[  180.254355] bridge0: port 1(bridge_slave_0) entered disabled state
[  180.261668] device bridge_slave_0 entered promiscuous mode
[  180.281153] bridge0: port 2(bridge_slave_1) entered blocking state
[  180.287590] bridge0: port 2(bridge_slave_1) entered disabled state
[  180.294541] device bridge_slave_1 entered promiscuous mode
[  180.312655] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  180.331352] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  180.380748] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  180.400497] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  180.479279] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  180.486717] team0: Port device team_slave_0 added
[  180.504477] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  180.511699] team0: Port device team_slave_1 added
[  180.529525] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  180.549183] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  180.570278] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  180.591684] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  180.737924] bridge0: port 2(bridge_slave_1) entered blocking state
[  180.744495] bridge0: port 2(bridge_slave_1) entered forwarding state
[  180.751337] bridge0: port 1(bridge_slave_0) entered blocking state
[  180.757730] bridge0: port 1(bridge_slave_0) entered forwarding state
[  181.275373] 8021q: adding VLAN 0 to HW filter on device bond0
[  181.327165] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  181.379140] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  181.385313] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  181.393697] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  181.438714] 8021q: adding VLAN 0 to HW filter on device team0
[  181.785270] ==================================================================
[  181.792749] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[  181.798708] Read of size 8 at addr ffff8801c4fc65b0 by task syz-executor0/5641
[  181.806048] 
[  181.807669] CPU: 1 PID: 5641 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #227
[  181.814920] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  181.824304] Call Trace:
[  181.826939]  dump_stack+0x1c4/0x2b4
[  181.830566]  ? dump_stack_print_info.cold.2+0x52/0x52
[  181.835765]  ? printk+0xa7/0xcf
[  181.839033]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  181.843781]  print_address_description.cold.8+0x9/0x1ff
[  181.849132]  kasan_report.cold.9+0x242/0x309
[  181.853529]  ? sock_i_ino+0x94/0xa0
[  181.857151]  __asan_report_load8_noabort+0x14/0x20
[  181.862067]  sock_i_ino+0x94/0xa0
[  181.865509]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  181.870173]  ? tipc_diag_dump+0x30/0x30
[  181.874174]  ? tipc_getname+0x7f0/0x7f0
[  181.878152]  ? graph_lock+0x170/0x170
[  181.881940]  ? __lock_sock+0x203/0x350
[  181.885834]  ? find_held_lock+0x36/0x1c0
[  181.889886]  ? mark_held_locks+0xc7/0x130
[  181.894021]  ? __local_bh_enable_ip+0x160/0x260
[  181.898677]  ? __local_bh_enable_ip+0x160/0x260
[  181.903334]  ? lockdep_hardirqs_on+0x421/0x5c0
[  181.907910]  ? trace_hardirqs_on+0xbd/0x310
[  181.912220]  ? lock_release+0x970/0x970
[  181.916566]  ? lock_sock_nested+0xe2/0x120
[  181.920795]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  181.925794]  ? skb_put+0x17b/0x1e0
[  181.929328]  ? memset+0x31/0x40
[  181.932613]  ? __nlmsg_put+0x14c/0x1b0
[  181.936490]  __tipc_add_sock_diag+0x233/0x360
[  181.940978]  tipc_nl_sk_walk+0x122/0x1d0
[  181.945028]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  181.950303]  tipc_diag_dump+0x24/0x30
[  181.954097]  netlink_dump+0x519/0xd50
[  181.957891]  ? netlink_broadcast+0x50/0x50
[  181.962121]  __netlink_dump_start+0x4f1/0x6f0
[  181.966605]  ? tipc_data_ready+0x3e0/0x3e0
[  181.970832]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  181.975923]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  181.980735]  ? tipc_data_ready+0x3e0/0x3e0
[  181.984958]  ? tipc_unregister_sysctl+0x20/0x20
[  181.989619]  ? tipc_ioctl+0x3a0/0x3a0
[  181.993434]  ? netlink_deliver_tap+0x355/0xf80
[  181.998004]  sock_diag_rcv_msg+0x31d/0x410
[  182.002228]  netlink_rcv_skb+0x172/0x440
[  182.006299]  ? sock_diag_bind+0x80/0x80
[  182.010277]  ? netlink_ack+0xb80/0xb80
[  182.014154]  sock_diag_rcv+0x2a/0x40
[  182.017852]  netlink_unicast+0x5a5/0x760
[  182.021905]  ? netlink_attachskb+0x9a0/0x9a0
[  182.026298]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.031818]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  182.036822]  netlink_sendmsg+0xa18/0xfc0
[  182.040877]  ? netlink_unicast+0x760/0x760
[  182.045097]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  182.050017]  ? apparmor_socket_sendmsg+0x29/0x30
[  182.054758]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.060280]  ? security_socket_sendmsg+0x94/0xc0
[  182.065020]  ? netlink_unicast+0x760/0x760
[  182.069238]  sock_sendmsg+0xd5/0x120
[  182.072937]  ___sys_sendmsg+0x7fd/0x930
[  182.076894]  ? __local_bh_enable_ip+0x160/0x260
[  182.081553]  ? copy_msghdr_from_user+0x580/0x580
[  182.086305]  ? kasan_check_write+0x14/0x20
[  182.090528]  ? _raw_spin_unlock_bh+0x30/0x40
[  182.094923]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  182.100363]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.105884]  ? release_sock+0x1ec/0x2c0
[  182.109845]  ? __fget_light+0x2e9/0x430
[  182.113804]  ? fget_raw+0x20/0x20
[  182.117261]  ? __release_sock+0x3a0/0x3a0
[  182.121421]  ? tipc_nametbl_build_group+0x273/0x360
[  182.126452]  ? tipc_setsockopt+0x726/0xd70
[  182.130776]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  182.136297]  ? sockfd_lookup_light+0xc5/0x160
[  182.140780]  __sys_sendmsg+0x11d/0x280
[  182.144653]  ? __ia32_sys_shutdown+0x80/0x80
[  182.149044]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  182.154582]  ? fput+0x130/0x1a0
[  182.157866]  ? __x64_sys_futex+0x47f/0x6a0
[  182.162086]  ? do_syscall_64+0x9a/0x820
[  182.166042]  ? do_syscall_64+0x9a/0x820
[  182.170007]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  182.175447]  __x64_sys_sendmsg+0x78/0xb0
[  182.179492]  do_syscall_64+0x1b9/0x820
[  182.183377]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  182.188724]  ? syscall_return_slowpath+0x5e0/0x5e0
[  182.193643]  ? trace_hardirqs_on_caller+0x310/0x310
[  182.198643]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  182.203654]  ? recalc_sigpending_tsk+0x180/0x180
[  182.208394]  ? kasan_check_write+0x14/0x20
[  182.212617]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  182.217445]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  182.222615] RIP: 0033:0x457099
[  182.225802] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  182.244690] RSP: 002b:00007f3779eb5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  182.252393] RAX: ffffffffffffffda RBX: 00007f3779eb66d4 RCX: 0000000000457099
[  182.259655] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  182.266918] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  182.274173] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  182.281424] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[  182.288681] 
[  182.290293] Allocated by task 5641:
[  182.293905]  save_stack+0x43/0xd0
[  182.297339]  kasan_kmalloc+0xc7/0xe0
[  182.301047]  kasan_slab_alloc+0x12/0x20
[  182.305007]  kmem_cache_alloc+0x12e/0x730
[  182.309138]  sock_alloc_inode+0x1d/0x260
[  182.313182]  alloc_inode+0x63/0x190
[  182.316791]  new_inode_pseudo+0x71/0x1a0
[  182.320837]  sock_alloc+0x41/0x270
[  182.324363]  __sock_create+0x175/0x930
[  182.328230]  __sys_socket+0x106/0x260
[  182.332013]  __x64_sys_socket+0x73/0xb0
[  182.335982]  do_syscall_64+0x1b9/0x820
[  182.339858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  182.345023] 
[  182.346631] Freed by task 5640:
[  182.349894]  save_stack+0x43/0xd0
[  182.353327]  __kasan_slab_free+0x102/0x150
[  182.357555]  kasan_slab_free+0xe/0x10
[  182.361384]  kmem_cache_free+0x83/0x290
[  182.365339]  sock_destroy_inode+0x51/0x60
[  182.369476]  destroy_inode+0x159/0x200
[  182.373344]  evict+0x5e0/0x980
[  182.376521]  iput+0x679/0xa90
[  182.379611]  dentry_unlink_inode+0x461/0x5e0
[  182.384003]  __dentry_kill+0x44c/0x7a0
[  182.387875]  dentry_kill+0xc9/0x5a0
[  182.391485]  dput.part.26+0x660/0x790
[  182.395271]  dput+0x15/0x20
[  182.398186]  __fput+0x4cf/0xa30
[  182.401449]  ____fput+0x15/0x20
[  182.404713]  task_work_run+0x1e8/0x2a0
[  182.408590]  exit_to_usermode_loop+0x318/0x380
[  182.413157]  do_syscall_64+0x6be/0x820
[  182.417030]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  182.422195] 
[  182.423805] The buggy address belongs to the object at ffff8801c4fc6540
[  182.423805]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[  182.437661] The buggy address is located 112 bytes inside of
[  182.437661]  984-byte region [ffff8801c4fc6540, ffff8801c4fc6918)
[  182.449517] The buggy address belongs to the page:
[  182.454426] page:ffffea000713f180 count:1 mapcount:0 mapping:ffff8801c57e3800 index:0xffff8801c4fc6ffd
[  182.463853] flags: 0x2fffc0000000100(slab)
[  182.468075] raw: 02fffc0000000100 ffffea0006dce3c8 ffffea000713fc88 ffff8801c57e3800
[  182.475943] raw: ffff8801c4fc6ffd ffff8801c4fc60c0 0000000100000003 ffff8801b9246680
[  182.483803] page dumped because: kasan: bad access detected
[  182.489493] page->mem_cgroup:ffff8801b9246680
[  182.493974] 
[  182.495585] Memory state around the buggy address:
[  182.500496]  ffff8801c4fc6480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[  182.507836]  ffff8801c4fc6500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  182.515179] >ffff8801c4fc6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  182.522529]                               ^
[  182.527451]  ffff8801c4fc6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  182.534790]  ffff8801c4fc6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  182.542132] ==================================================================
[  182.549497] Disabling lock debugging due to kernel taint
[  182.555020] Kernel panic - not syncing: panic_on_warn set ...
[  182.555020] 
[  182.562393] CPU: 1 PID: 5641 Comm: syz-executor0 Tainted: G    B             4.19.0-rc2+ #227
[  182.571049] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  182.580388] Call Trace:
[  182.582958]  dump_stack+0x1c4/0x2b4
[  182.586569]  ? dump_stack_print_info.cold.2+0x52/0x52
[  182.591761]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  182.596503]  panic+0x238/0x4e7
[  182.599698]  ? add_taint.cold.5+0x16/0x16
[  182.603836]  ? trace_hardirqs_on+0x9a/0x310
[  182.608147]  ? trace_hardirqs_on+0xb4/0x310
[  182.612480]  ? trace_hardirqs_on+0xb4/0x310
[  182.616806]  kasan_end_report+0x47/0x4f
[  182.620765]  kasan_report.cold.9+0x76/0x309
[  182.625076]  ? sock_i_ino+0x94/0xa0
[  182.628685]  __asan_report_load8_noabort+0x14/0x20
[  182.633600]  sock_i_ino+0x94/0xa0
[  182.637043]  tipc_sk_fill_sock_diag+0x39c/0xd90
[  182.641725]  ? tipc_diag_dump+0x30/0x30
[  182.645687]  ? tipc_getname+0x7f0/0x7f0
[  182.649694]  ? graph_lock+0x170/0x170
[  182.653492]  ? __lock_sock+0x203/0x350
[  182.657373]  ? find_held_lock+0x36/0x1c0
[  182.661443]  ? mark_held_locks+0xc7/0x130
[  182.665599]  ? __local_bh_enable_ip+0x160/0x260
[  182.670257]  ? __local_bh_enable_ip+0x160/0x260
[  182.674925]  ? lockdep_hardirqs_on+0x421/0x5c0
[  182.679500]  ? trace_hardirqs_on+0xbd/0x310
[  182.683803]  ? lock_release+0x970/0x970
[  182.687759]  ? lock_sock_nested+0xe2/0x120
[  182.691975]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  182.696974]  ? skb_put+0x17b/0x1e0
[  182.700506]  ? memset+0x31/0x40
[  182.703768]  ? __nlmsg_put+0x14c/0x1b0
[  182.707640]  __tipc_add_sock_diag+0x233/0x360
[  182.712123]  tipc_nl_sk_walk+0x122/0x1d0
[  182.716166]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  182.721425]  tipc_diag_dump+0x24/0x30
[  182.725208]  netlink_dump+0x519/0xd50
[  182.729002]  ? netlink_broadcast+0x50/0x50
[  182.733222]  __netlink_dump_start+0x4f1/0x6f0
[  182.737704]  ? tipc_data_ready+0x3e0/0x3e0
[  182.741922]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  182.747008]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  182.751660]  ? tipc_data_ready+0x3e0/0x3e0
[  182.755891]  ? tipc_unregister_sysctl+0x20/0x20
[  182.760544]  ? tipc_ioctl+0x3a0/0x3a0
[  182.764341]  ? netlink_deliver_tap+0x355/0xf80
[  182.768929]  sock_diag_rcv_msg+0x31d/0x410
[  182.773163]  netlink_rcv_skb+0x172/0x440
[  182.777220]  ? sock_diag_bind+0x80/0x80
[  182.781179]  ? netlink_ack+0xb80/0xb80
[  182.785054]  sock_diag_rcv+0x2a/0x40
[  182.788751]  netlink_unicast+0x5a5/0x760
[  182.792800]  ? netlink_attachskb+0x9a0/0x9a0
[  182.797196]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.802717]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  182.807720]  netlink_sendmsg+0xa18/0xfc0
[  182.811771]  ? netlink_unicast+0x760/0x760
[  182.815999]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[  182.820930]  ? apparmor_socket_sendmsg+0x29/0x30
[  182.825670]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.831191]  ? security_socket_sendmsg+0x94/0xc0
[  182.835930]  ? netlink_unicast+0x760/0x760
[  182.840152]  sock_sendmsg+0xd5/0x120
[  182.843856]  ___sys_sendmsg+0x7fd/0x930
[  182.847817]  ? __local_bh_enable_ip+0x160/0x260
[  182.852470]  ? copy_msghdr_from_user+0x580/0x580
[  182.857237]  ? kasan_check_write+0x14/0x20
[  182.861463]  ? _raw_spin_unlock_bh+0x30/0x40
[  182.865857]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  182.871296]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  182.876824]  ? release_sock+0x1ec/0x2c0
[  182.880805]  ? __fget_light+0x2e9/0x430
[  182.884774]  ? fget_raw+0x20/0x20
[  182.888245]  ? __release_sock+0x3a0/0x3a0
[  182.892394]  ? tipc_nametbl_build_group+0x273/0x360
[  182.897397]  ? tipc_setsockopt+0x726/0xd70
[  182.901617]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  182.907139]  ? sockfd_lookup_light+0xc5/0x160
[  182.911617]  __sys_sendmsg+0x11d/0x280
[  182.915489]  ? __ia32_sys_shutdown+0x80/0x80
[  182.919883]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  182.925402]  ? fput+0x130/0x1a0
[  182.928671]  ? __x64_sys_futex+0x47f/0x6a0
[  182.932891]  ? do_syscall_64+0x9a/0x820
[  182.936849]  ? do_syscall_64+0x9a/0x820
[  182.940823]  ? __bpf_trace_preemptirq_template+0x30/0x30
[  182.946273]  __x64_sys_sendmsg+0x78/0xb0
[  182.950317]  do_syscall_64+0x1b9/0x820
[  182.954197]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  182.959580]  ? syscall_return_slowpath+0x5e0/0x5e0
[  182.964500]  ? trace_hardirqs_on_caller+0x310/0x310
[  182.969503]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  182.974529]  ? recalc_sigpending_tsk+0x180/0x180
[  182.979283]  ? kasan_check_write+0x14/0x20
[  182.983508]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  182.988338]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  182.993522] RIP: 0033:0x457099
[  182.996698] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  183.015587] RSP: 002b:00007f3779eb5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  183.023278] RAX: ffffffffffffffda RBX: 00007f3779eb66d4 RCX: 0000000000457099
[  183.030526] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  183.037777] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  183.045030] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  183.052311] R13: 00000000004d4bc0 R14: 00000000004c910b R15: 0000000000000000
[  183.059906] Dumping ftrace buffer:
[  183.063432]    (ftrace buffer empty)
[  183.067742] Kernel Offset: disabled
[  183.071366] Rebooting in 86400 seconds..