[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.629317] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.033677] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[   22.201981] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[   23.715766] random: sshd: uninitialized urandom read (32 bytes read, 108 bits of entropy available)
[   44.494964] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[   50.037350] random: sshd: uninitialized urandom read (32 bytes read, 122 bits of entropy available)
2018/06/30 10:54:50 parsed 1 programs
[   51.567806] random: cc1: uninitialized urandom read (8 bytes read, 124 bits of entropy available)
2018/06/30 10:54:53 executed programs: 0
[   53.106152] random: nonblocking pool is initialized
[   53.160970] IPVS: Creating netns size=2552 id=1
[   53.411059] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   53.426096] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   53.507312] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   53.522767] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   53.605753] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   53.621024] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   53.636457] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   53.652969] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   54.412636] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   54.452475] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   54.744214] ==================================================================
[   54.751637] BUG: KASAN: use-after-free in inet_shutdown+0x2e9/0x370
[   54.758026] Read of size 4 at addr ffff8801c7724440 by task syz-executor0/4224
[   54.765508]
[   54.767140] CPU: 0 PID: 4224 Comm: syz-executor0 Not tainted 4.4.138-gcf21a9a #62
[   54.774746] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.784072]  0000000000000000 42f239834f51da51 ffff8801d6e4fb58 ffffffff81e0ed0d
[   54.792074]  ffffea00071dc900 ffff8801c7724440 0000000000000000 ffff8801c7724440
[   54.800068]  ffff8801d98f5458 ffff8801d6e4fb90 ffffffff81515a16 ffff8801c7724440
[   54.808055] Call Trace:
[   54.810624]  [] dump_stack+0xc1/0x124
[   54.815965]  [] print_address_description+0x6c/0x216
[   54.822702]  [] kasan_report.cold.7+0x175/0x2f7
[   54.828914]  [] ? inet_shutdown+0x2e9/0x370
[   54.834774]  [] __asan_report_load4_noabort+0x14/0x20
[   54.841504]  [] inet_shutdown+0x2e9/0x370
[   54.847206]  [] ? pppol2tp_seq_show+0xc30/0xc30
[   54.853410]  [] pppol2tp_session_close+0xa0/0xe0
[   54.859702]  [] l2tp_tunnel_closeall+0x205/0x350
[   54.865997]  [] ? udp_v6_flush_pending_frames+0xe0/0xe0
[   54.873858]  [] ? sock_release+0x1c0/0x1c0
[   54.879637]  [] l2tp_udp_encap_destroy+0x8b/0xf0
[   54.886104]  [] ? l2tp_tunnel_destruct+0x590/0x590
[   54.892577]  [] udpv6_destroy_sock+0xb1/0xd0
[   54.898525]  [] sk_common_release+0x6d/0x300
[   54.904469]  [] udp_lib_close+0x15/0x20
[   54.909989]  [] inet_release+0xff/0x1d0
[   54.915504]  [] inet6_release+0x50/0x70
[   54.921035]  [] sock_release+0x96/0x1c0
[   54.927329]  [] sock_close+0x16/0x20
[   54.932581]  [] __fput+0x235/0x6f0
[   54.937657]  [] ____fput+0x15/0x20
[   54.942748]  [] task_work_run+0x10f/0x190
[   54.948609]  [] exit_to_usermode_loop+0x13d/0x160
[   54.954984]  [] do_fast_syscall_32+0x620/0x8b0
[   54.961102]  [] sysenter_flags_fixed+0xd/0x17
[   54.967139]
[   54.968746] Allocated by task 4224:
[   54.972342]  [] save_stack_trace+0x26/0x50
[   54.978235]  [] save_stack+0x43/0xd0
[   54.984043]  [] kasan_kmalloc+0xc7/0xe0
[   54.989687]  [] kasan_slab_alloc+0x12/0x20
[   54.995576]  [] kmem_cache_alloc+0xbe/0x2a0
[   55.001547]  [] sock_alloc_inode+0x1d/0x260
[   55.007520]  [] alloc_inode+0x63/0x180
[   55.013061]  [] new_inode_pseudo+0x17/0xe0
[   55.018973]  [] sock_alloc+0x41/0x280
[   55.024439]  [] __sock_create+0x8d/0x5f0
[   55.030160]  [] SyS_socket+0xf0/0x1b0
[   55.035627]  [] do_fast_syscall_32+0x326/0x8b0
[   55.041863]  [] sysenter_flags_fixed+0xd/0x17
[   55.048019]
[   55.049630] Freed by task 4226:
[   55.052889]  [] save_stack_trace+0x26/0x50
[   55.058787]  [] save_stack+0x43/0xd0
[   55.064159]  [] kasan_slab_free+0x72/0xc0
[   55.069970]  [] kmem_cache_free+0xbe/0x340
[   55.075870]  [] sock_destroy_inode+0x56/0x70
[   55.083159]  [] destroy_inode+0xc2/0x120
[   55.088896]  [] evict+0x322/0x4f0
[   55.094000]  [] iput+0x391/0x980
[   55.099028]  [] __dentry_kill+0x492/0x5f0
[   55.104826]  [] dput.part.26+0x587/0x760
[   55.110552]  [] dput+0x1f/0x30
[   55.115401]  [] __fput+0x401/0x6f0
[   55.120601]  [] ____fput+0x15/0x20
[   55.125817]  [] task_work_run+0x10f/0x190
[   55.131621]  [] exit_to_usermode_loop+0x13d/0x160
[   55.138117]  [] do_fast_syscall_32+0x620/0x8b0
[   55.144350]  [] sysenter_flags_fixed+0xd/0x17
[   55.150501]
[   55.152108] The buggy address belongs to the object at ffff8801c7724440
[   55.152108]  which belongs to the cache sock_inode_cache of size 936
[   55.165170] The buggy address is located 0 bytes inside of
[   55.165170]  936-byte region [ffff8801c7724440, ffff8801c77247e8)
[   55.176842] The buggy address belongs to the page:
[   55.258884] kasan: CONFIG_KASAN_INLINE enabled
[   55.263347] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[   55.276196] Dumping ftrace buffer:
[   55.279708]    (ftrace buffer empty)
[   55.283390] Modules linked in:
[   55.286672] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.138-gcf21a9a #62
[   55.293652] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.302977] task: ffff8801d9a41800 task.stack: ffff8801d9a50000
[   55.309003] RIP: 0010:[]  [] timerqueue_add+0xb8/0x2b0
[   55.317498] RSP: 0018:ffff8801db307d30  EFLAGS: 00010007
[   55.322917] RAX: ffffed003b66338b RBX: ffff8801db319c40 RCX: 0000000000000000
[   55.330157] RDX: 000000001083e1e8 RSI: ffffffff81e2c65c RDI: 00000000841f0f46
[   55.337412] RBP: ffff8801db307d70 R08: 0000000000000096 R09: 0000000000000001
[   55.344655] R10: 0000000000000000 R11: ffff8801d9a41800 R12: dffffc0000000000
[   55.351897] R13: 00000000841f0f2e R14: 0000000c8cb0bb00 R15: ffffffff8148cf87
[   55.359142] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   55.367339] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   55.373196] CR2: 00007f13f8436000 CR3: 00000000ad9a5000 CR4: 00000000001606f0
[   55.380441] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   55.387686] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   55.394928] Stack:
[   55.397046]  ffff8801db319c58 ffff8801db319710 ffffed003b66338b ffff8801db319700
[   55.405041]  ffff8801db319c40 ffff8801db319640 0000000000000001 0000000000000000
[   55.413026]  ffff8801db307da8 ffffffff8129b35f ffff8801db319c40 0000000000000001
[   55.421025] Call Trace:
[   55.423597]
[   55.425640]  [] enqueue_hrtimer+0x15f/0x440
[   55.431788]  [] __hrtimer_run_queues+0x6b2/0x1000
[   55.438188]  [] ? retrigger_next_event+0x1c0/0x1c0
[   55.444809]  [] ? kvm_clock_read+0x23/0x40
[   55.450621]  [] ? kvm_clock_get_cycles+0x9/0x10
[   55.456863]  [] ? hrtimer_interrupt+0x12d/0x430
[   55.463107]  [] hrtimer_interrupt+0x1b1/0x430
[   55.469171]  [] local_apic_timer_interrupt+0x74/0xa0
[   55.475844]  [] smp_apic_timer_interrupt+0x7c/0xa0
[   55.482356]  [] apic_timer_interrupt+0xa0/0xb0
[   55.488501]
[   55.490577]  [] ? native_safe_halt+0x6/0x10
[   55.496782]  [] default_idle+0x55/0x3c0
[   55.502334]  [] arch_cpu_idle+0x10/0x20
[   55.507885]  [] default_idle_call+0x57/0x70
[   55.513787]  [] cpu_startup_entry+0x6af/0x780
[   55.519859]  [] ? call_cpuidle+0xe0/0xe0
[   55.525496]  [] start_secondary+0x324/0x400
[   55.531397]  [] ? set_cpu_sibling_map+0x1180/0x1180
[   55.537974] Code: 00 00 4d 8b 2f 4d 85 ed 74 3d e8 54 4e 52 ff 48 8b 45 d0 80 38 00 0f 85 96 01 00 00 49 8d 7d 18 4c 8b 73 18 48 89 fa 48 c1 ea 03 <42> 80 3c 22 00 0f 85 8a 01 00 00 4d 3b 75 18 7c a3 e8 22 4e 52
[   55.565731] RIP  [] timerqueue_add+0xb8/0x2b0
[   55.571934]  RSP
[   55.575558] ---[ end trace f35182ce9c183740 ]---
[   55.580309] Kernel panic - not syncing: Fatal exception in interrupt
[   56.710347] Shutting down cpus with NMI
[   56.714946] Dumping ftrace buffer:
[   56.718478]    (ftrace buffer empty)
[   56.722160] Kernel Offset: disabled
[   56.725759] Rebooting in 86400 seconds..