[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 24.669992] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 28.759509] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.125987] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.824680] random: sshd: uninitialized urandom read (32 bytes read)
[ 192.781182] random: sshd: uninitialized urandom read (32 bytes read)
[ 192.928719] sshd (5332) used greatest stack depth: 15976 bytes left
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[ 198.387240] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/11 23:35:43 parsed 1 programs
[ 199.460714] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/11 23:35:45 executed programs: 0
[ 200.697866] IPVS: ftp: loaded support on port[0] = 21
[ 200.950004] bridge0: port 1(bridge_slave_0) entered blocking state
[ 200.957627] bridge0: port 1(bridge_slave_0) entered disabled state
[ 200.965765] device bridge_slave_0 entered promiscuous mode
[ 200.985355] bridge0: port 2(bridge_slave_1) entered blocking state
[ 200.991903] bridge0: port 2(bridge_slave_1) entered disabled state
[ 200.999274] device bridge_slave_1 entered promiscuous mode
[ 201.017684] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 201.036807] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 201.089088] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 201.109903] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 201.188268] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 201.195884] team0: Port device team_slave_0 added
[ 201.212745] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 201.220269] team0: Port device team_slave_1 added
[ 201.238443] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 201.258978] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 201.279856] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 201.301548] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 201.450660] bridge0: port 2(bridge_slave_1) entered blocking state
[ 201.457518] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 201.464563] bridge0: port 1(bridge_slave_0) entered blocking state
[ 201.471050] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 202.006177] 8021q: adding VLAN 0 to HW filter on device bond0
[ 202.062196] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 202.115474] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 202.121766] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 202.130340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 202.182102] 8021q: adding VLAN 0 to HW filter on device team0
[ 202.516526] netlink: 'syz-executor0': attribute type 14 has an invalid length.
[ 202.534963] netlink: 'syz-executor0': attribute type 14 has an invalid length.
[ 202.543520]
[ 202.545157] ======================================================
[ 202.551458] WARNING: possible circular locking dependency detected
[ 202.557896] 4.19.0-rc3+ #231 Not tainted
[ 202.561958] ------------------------------------------------------
[ 202.568358] syz-executor0/5608 is trying to acquire lock:
[ 202.573972] 000000001fa13696 ((wq_completion)bond_dev->name){+.+.}, at: flush_workqueue+0x2db/0x1e10
[ 202.583361]
[ 202.583361] but task is already holding lock:
[ 202.589447] 00000000b52b7859 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40e/0xc20
[ 202.597410]
[ 202.597410] which lock already depends on the new lock.
[ 202.597410]
[ 202.605829]
[ 202.605829] the existing dependency chain (in reverse order) is:
[ 202.613539]
[ 202.613539] -> #2 (rtnl_mutex){+.+.}:
[ 202.619100]        __mutex_lock+0x166/0x1710
[ 202.623510]        mutex_lock_nested+0x16/0x20
[ 202.628179]        rtnl_lock+0x17/0x20
[ 202.632948]        bond_netdev_notify_work+0x44/0xd0
[ 202.638053]        process_one_work+0xc90/0x1b90
[ 202.642807]        worker_thread+0x17f/0x1390
[ 202.647444]        kthread+0x35a/0x420
[ 202.651326]        ret_from_fork+0x3a/0x50
[ 202.655817]
[ 202.655817] -> #1 ((work_completion)(&(&nnw->work)->work)){+.+.}:
[ 202.663637]        process_one_work+0xc0a/0x1b90
[ 202.668429]        worker_thread+0x17f/0x1390
[ 202.673016]        kthread+0x35a/0x420
[ 202.676905]        ret_from_fork+0x3a/0x50
[ 202.681126]
[ 202.681126] -> #0 ((wq_completion)bond_dev->name){+.+.}:
[ 202.688067]        lock_acquire+0x1ed/0x520
[ 202.693024]        flush_workqueue+0x30a/0x1e10
[ 202.697780]        drain_workqueue+0x2a9/0x640
[ 202.702385]        destroy_workqueue+0xc6/0x9c0
[ 202.707093]        __alloc_workqueue_key+0xed8/0x1170
[ 202.712337]        bond_init+0x274/0x970
[ 202.716799]        register_netdevice+0x332/0x10f0
[ 202.721744]        bond_newlink+0x49/0xa0
[ 202.725888]        rtnl_newlink+0xec6/0x1d40
[ 202.730342]        rtnetlink_rcv_msg+0x46a/0xc20
[ 202.735182]        netlink_rcv_skb+0x172/0x440
[ 202.739813]        rtnetlink_rcv+0x1c/0x20
[ 202.744168]        netlink_unicast+0x5a5/0x760
[ 202.748795]        netlink_sendmsg+0xa18/0xfc0
[ 202.753389]        sock_sendmsg+0xd5/0x120
[ 202.757723]        ___sys_sendmsg+0x7fd/0x930
[ 202.762211]        __sys_sendmsg+0x11d/0x280
[ 202.766714]        __x64_sys_sendmsg+0x78/0xb0
[ 202.771384]        do_syscall_64+0x1b9/0x820
[ 202.775803]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 202.781503]
[ 202.781503] other info that might help us debug this:
[ 202.781503]
[ 202.789639] Chain exists of:
[ 202.789639]   (wq_completion)bond_dev->name --> (work_completion)(&(&nnw->work)->work) --> rtnl_mutex
[ 202.789639]
[ 202.803396]  Possible unsafe locking scenario:
[ 202.803396]
[ 202.809479]        CPU0                    CPU1
[ 202.814131]        ----                    ----
[ 202.818784]   lock(rtnl_mutex);
[ 202.822158]                                lock((work_completion)(&(&nnw->work)->work));
[ 202.830483]                                lock(rtnl_mutex);
[ 202.836270]   lock((wq_completion)bond_dev->name);
[ 202.841387]
[ 202.841387]  *** DEADLOCK ***
[ 202.841387]
[ 202.847578] 1 lock held by syz-executor0/5608:
[ 202.852143]  #0: 00000000b52b7859 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x40e/0xc20
[ 202.861205]
[ 202.861205] stack backtrace:
[ 202.865697] CPU: 1 PID: 5608 Comm: syz-executor0 Not tainted 4.19.0-rc3+ #231
[ 202.872957] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 202.882300] Call Trace:
[ 202.884893] dump_stack+0x1c4/0x2b4
[ 202.888520] ? dump_stack_print_info.cold.2+0x52/0x52
[ 202.893724] ? vprintk_func+0x85/0x181
[ 202.897647] print_circular_bug.isra.33.cold.54+0x1bd/0x27d
[ 202.903763] ? save_trace+0xe0/0x290
[ 202.907486] __lock_acquire+0x33e4/0x4ec0
[ 202.911633] ? mark_held_locks+0x130/0x130
[ 202.915870] ? graph_lock+0x170/0x170
[ 202.919679] ? __lock_is_held+0xb5/0x140
[ 202.923741] ? __lock_is_held+0xb5/0x140
[ 202.927804] ? select_task_rq_fair+0x34f0/0x34f0
[ 202.932561] ? graph_lock+0x170/0x170
[ 202.936360] ? print_usage_bug+0xc0/0xc0
[ 202.940429] ? pick_next_task_fair+0x98e/0x17c0
[ 202.945116] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 202.950650] ? check_preemption_disabled+0x48/0x200
[ 202.955739] lock_acquire+0x1ed/0x520
[ 202.959539] ? flush_workqueue+0x2db/0x1e10
[ 202.963865] ? lock_release+0x970/0x970
[ 202.967838] ? lockdep_init_map+0x9/0x10
[ 202.971907] ? __init_waitqueue_head+0x9e/0x150
[ 202.976578] ? init_wait_entry+0x1c0/0x1c0
[ 202.981689] flush_workqueue+0x30a/0x1e10
[ 202.986002] ? flush_workqueue+0x2db/0x1e10
[ 202.990321] ? lock_acquire+0x1ed/0x520
[ 202.994593] ? drain_workqueue+0xa9/0x640
[ 202.998739] ? lock_release+0x970/0x970
[ 203.002816] ? preempt_notifier_register+0x200/0x200
[ 203.007918] ? __switch_to_asm+0x34/0x70
[ 203.011982] ? __switch_to_asm+0x34/0x70
[ 203.016143] ? __switch_to_asm+0x40/0x70
[ 203.020199] ? flush_rcu_work+0x90/0x90
[ 203.024279] ? graph_lock+0x170/0x170
[ 203.028171] ? __mutex_lock+0x872/0x1710
[ 203.032308] ? __schedule+0x874/0x1ed0
[ 203.036241] ? drain_workqueue+0xa9/0x640
[ 203.040393] ? find_held_lock+0x36/0x1c0
[ 203.044458] ? drain_workqueue+0x13f/0x640
[ 203.048703] ? lock_downgrade+0x900/0x900
[ 203.052861] ? graph_lock+0x170/0x170
[ 203.056772] ? find_held_lock+0x36/0x1c0
[ 203.061495] ? kasan_check_write+0x14/0x20
[ 203.065730] ? __mutex_unlock_slowpath+0x197/0x8c0
[ 203.070652] ? wait_for_completion+0x8a0/0x8a0
[ 203.075343] ? do_raw_spin_unlock+0xa7/0x2f0
[ 203.079776] drain_workqueue+0x2a9/0x640
[ 203.083852] ? drain_workqueue+0x2a9/0x640
[ 203.088185] ? flush_workqueue+0x1e10/0x1e10
[ 203.092751] ? save_stack+0xa9/0xd0
[ 203.096610] ? save_stack+0x43/0xd0
[ 203.100268] ? __kasan_slab_free+0x102/0x150
[ 203.105018] ? kasan_slab_free+0xe/0x10
[ 203.109039] ? kfree+0xcf/0x230
[ 203.112325] ? print_usage_bug+0xc0/0xc0
[ 203.116380] ? register_netdevice+0x332/0x10f0
[ 203.120956] ? bond_newlink+0x49/0xa0
[ 203.124748] ? rtnl_newlink+0xec6/0x1d40
[ 203.128800] ? rtnetlink_rcv_msg+0x46a/0xc20
[ 203.133289] ? netlink_rcv_skb+0x172/0x440
[ 203.137543] ? rtnetlink_rcv+0x1c/0x20
[ 203.141424] ? netlink_unicast+0x5a5/0x760
[ 203.145664] ? netlink_sendmsg+0xa18/0xfc0
[ 203.149893] ? sock_sendmsg+0xd5/0x120
[ 203.153787] destroy_workqueue+0xc6/0x9c0
[ 203.157947] ? kasan_check_write+0x14/0x20
[ 203.162174] ? wq_watchdog_timer_fn+0x810/0x810
[ 203.166839] ? mark_held_locks+0xc7/0x130
[ 203.171029] ? kfree+0x107/0x230
[ 203.174402] ? kfree+0x107/0x230
[ 203.177759] ? lockdep_hardirqs_on+0x421/0x5c0
[ 203.182336] ? trace_hardirqs_on+0xbd/0x310
[ 203.186651] ? init_rescuer.part.25+0x155/0x190
[ 203.191312] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 203.196802] ? __kasan_slab_free+0x119/0x150
[ 203.201207] ? init_rescuer.part.25+0x155/0x190
[ 203.205912] __alloc_workqueue_key+0xed8/0x1170
[ 203.210577] ? workqueue_sysfs_register+0x3f0/0x3f0
[ 203.215584] ? put_dec+0xf0/0xf0
[ 203.218940] ? format_decode+0x1b2/0xaf0
[ 203.223023] ? set_precision+0xe0/0xe0
[ 203.226905] ? simple_strtoll+0xa0/0xa0
[ 203.230900] ? graph_lock+0x170/0x170
[ 203.234705] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 203.240663] ? find_held_lock+0x36/0x1c0
[ 203.244718] ? lock_downgrade+0x900/0x900
[ 203.248875] ? check_preemption_disabled+0x48/0x200
[ 203.253891] ? rcu_read_unlock_special.part.39+0x11f0/0x11f0
[ 203.259680] ? kasan_check_read+0x11/0x20
[ 203.263822] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 203.269114] ? rcu_bh_qs+0xc0/0xc0
[ 203.272652] bond_init+0x274/0x970
[ 203.276187] ? __dev_get_by_name+0x170/0x170
[ 203.280584] ? bond_set_rx_mode+0x560/0x560
[ 203.284925] ? rtnl_is_locked+0xb5/0xf0
[ 203.288898] ? bond_set_rx_mode+0x560/0x560
[ 203.293238] register_netdevice+0x332/0x10f0
[ 203.297672] ? netdev_change_features+0x110/0x110
[ 203.302516] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 203.308046] ? ns_capable_common+0x13f/0x170
[ 203.312458] bond_newlink+0x49/0xa0
[ 203.316087] ? bond_changelink+0x2370/0x2370
[ 203.320495] rtnl_newlink+0xec6/0x1d40
[ 203.324378] ? rtnl_link_unregister+0x390/0x390
[ 203.329061] ? __switch_to_asm+0x34/0x70
[ 203.333125] ? print_usage_bug+0xc0/0xc0
[ 203.337201] ? __switch_to_asm+0x40/0x70
[ 203.341257] ? __switch_to_asm+0x34/0x70
[ 203.345317] ? __switch_to_asm+0x34/0x70
[ 203.349390] ? print_usage_bug+0xc0/0xc0
[ 203.353463] ? __schedule+0x874/0x1ed0
[ 203.357354] ? print_usage_bug+0xc0/0xc0
[ 203.361408] ? __lock_acquire+0x7ec/0x4ec0
[ 203.365702] ? lock_acquire+0x1ed/0x520
[ 203.369666] ? rtnetlink_rcv_msg+0x40e/0xc20
[ 203.374065] ? lock_release+0x970/0x970
[ 203.378062] ? arch_local_save_flags+0x40/0x40
[ 203.382649] ? mutex_trylock+0x2b0/0x2b0
[ 203.386700] ? __lock_acquire+0x7ec/0x4ec0
[ 203.390936] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 203.396476] ? refcount_sub_and_test_checked+0x203/0x310
[ 203.402049] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 203.407796] ? rtnl_get_link+0x170/0x370
[ 203.411866] ? rtnl_dump_all+0x600/0x600
[ 203.415932] ? kasan_check_read+0x11/0x20
[ 203.420201] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 203.425670] ? ns_capable_common+0x13f/0x170
[ 203.430109] ? rtnl_link_unregister+0x390/0x390
[ 203.434800] rtnetlink_rcv_msg+0x46a/0xc20
[ 203.439049] ? rtnetlink_put_metrics+0x690/0x690
[ 203.443816] netlink_rcv_skb+0x172/0x440
[ 203.447880] ? rtnetlink_put_metrics+0x690/0x690
[ 203.452636] ? netlink_ack+0xb80/0xb80
[ 203.456547] rtnetlink_rcv+0x1c/0x20
[ 203.460301] netlink_unicast+0x5a5/0x760
[ 203.464384] ? netlink_attachskb+0x9a0/0x9a0
[ 203.468788] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 203.474355] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 203.479379] netlink_sendmsg+0xa18/0xfc0
[ 203.483462] ? netlink_unicast+0x760/0x760
[ 203.487694] ? aa_sock_msg_perm.isra.12+0xba/0x160
[ 203.492651] ? apparmor_socket_sendmsg+0x29/0x30
[ 203.497430] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 203.503144] ? security_socket_sendmsg+0x94/0xc0
[ 203.507899] ? netlink_unicast+0x760/0x760
[ 203.512132] sock_sendmsg+0xd5/0x120
[ 203.515841] ___sys_sendmsg+0x7fd/0x930
[ 203.519813] ? copy_msghdr_from_user+0x580/0x580
[ 203.524683] ? __fd_install+0x2b5/0x8f0
[ 203.528653] ? check_preemption_disabled+0x48/0x200
[ 203.533674] ? __fget_light+0x2e9/0x430
[ 203.537647] ? fget_raw+0x20/0x20
[ 203.541096] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 203.546649] ? __fd_install+0x2f9/0x8f0
[ 203.550651] ? get_unused_fd_flags+0x1a0/0x1a0
[ 203.555241] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 203.560789] ? sockfd_lookup_light+0xc5/0x160
[ 203.565303] __sys_sendmsg+0x11d/0x280
[ 203.569222] ? __ia32_sys_shutdown+0x80/0x80
[ 203.573632] ? __x64_sys_futex+0x47f/0x6a0
[ 203.577887] ? do_syscall_64+0x9a/0x820
[ 203.581873] ? do_syscall_64+0x9a/0x820
[ 203.585849] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 203.591508] ? trace_hardirqs_off+0xb8/0x310
[ 203.595935] __x64_sys_sendmsg+0x78/0xb0
[ 203.600025] do_syscall_64+0x1b9/0x820
[ 203.603924] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 203.609308] ? syscall_return_slowpath+0x5e0/0x5e0
[ 203.614260] ? trace_hardirqs_on_caller+0x310/0x310
[ 203.619270] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 203.624281] ? recalc_sigpending_tsk+0x180/0x180
[ 203.629049] ? kasan_check_write+0x14/0x20
[ 203.633278] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 203.638116] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 203.643331] RIP: 0033:0x4572d9
[ 203.646518] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 203.665407] RSP: 002b:00007f96fefffc78 EFLAGS: 00000246 ORIG_RAX: 00