[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.318886] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.713941] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.017267] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.577661] random: sshd: uninitialized urandom read (32 bytes read)
[ 96.585210] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.
[ 102.144318] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/23 18:18:20 parsed 1 programs
[ 103.901306] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/23 18:18:23 executed programs: 0
[ 105.374935] IPVS: ftp: loaded support on port[0] = 21
[ 105.582854] bridge0: port 1(bridge_slave_0) entered blocking state
[ 105.590139] bridge0: port 1(bridge_slave_0) entered disabled state
[ 105.606877] device bridge_slave_0 entered promiscuous mode
[ 105.623925] bridge0: port 2(bridge_slave_1) entered blocking state
[ 105.630419] bridge0: port 2(bridge_slave_1) entered disabled state
[ 105.637437] device bridge_slave_1 entered promiscuous mode
[ 105.654185] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 105.670600] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 105.713557] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 105.733180] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 105.798473] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 105.805728] team0: Port device team_slave_0 added
[ 105.820680] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 105.827820] team0: Port device team_slave_1 added
[ 105.843417] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 105.861946] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 105.879628] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 105.893323] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 106.013365] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.019866] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 106.026821] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.033183] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 106.474803] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 106.480924] 8021q: adding VLAN 0 to HW filter on device bond0
[ 106.527300] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 106.560069] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 106.582582] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 106.588798] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 106.596011] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 106.639712] 8021q: adding VLAN 0 to HW filter on device team0
[ 106.958992] hrtimer: interrupt took 26757 ns
2018/08/23 18:18:28 executed programs: 76
2018/08/23 18:18:33 executed programs: 184
2018/08/23 18:18:38 executed programs: 294
2018/08/23 18:18:43 executed programs: 403
2018/08/23 18:18:48 executed programs: 513
2018/08/23 18:18:53 executed programs: 620
2018/08/23 18:18:58 executed programs: 732
2018/08/23 18:19:03 executed programs: 841
2018/08/23 18:19:08 executed programs: 948
2018/08/23 18:19:13 executed programs: 1053
2018/08/23 18:19:18 executed programs: 1157
2018/08/23 18:19:23 executed programs: 1267
2018/08/23 18:19:28 executed programs: 1371
2018/08/23 18:19:33 executed programs: 1476
2018/08/23 18:19:38 executed programs: 1580
2018/08/23 18:19:43 executed programs: 1686
[ 189.720020] ==================================================================
[ 189.727621] BUG: KASAN: use-after-free in sctp_transport_get_next+0x11c/0x140
[ 189.734900] Read of size 8 at addr ffff8801d97c84e0 by task syz-executor0/12694
[ 189.742339]
[ 189.743980] CPU: 1 PID: 12694 Comm: syz-executor0 Not tainted 4.18.0+ #107
[ 189.750999] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 189.760362] Call Trace:
[ 189.762968]  dump_stack+0x1c9/0x2b4
[ 189.766610]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 189.771887]  ? printk+0xa7/0xcf
[ 189.775174]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 189.779940]  ? sctp_transport_get_next+0x11c/0x140
[ 189.784878]  print_address_description+0x6c/0x20b
[ 189.789726]  ? sctp_transport_get_next+0x11c/0x140
[ 189.794662]  kasan_report.cold.7+0x242/0x30d
[ 189.799077]  __asan_report_load8_noabort+0x14/0x20
[ 189.804289]  sctp_transport_get_next+0x11c/0x140
[ 189.809053]  sctp_for_each_transport+0x152/0x370
[ 189.813811]  ? sctp_ep_dump+0xaa0/0xaa0
[ 189.817786]  ? sctp_v6_copy_ip_options.cold.17+0x28/0x28
[ 189.823241]  ? sctp_transport_get_next+0x140/0x140
[ 189.828171]  ? sctp_for_each_endpoint+0x130/0x1c0
[ 189.833026]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 189.838051]  ? sctp_for_each_endpoint+0x165/0x1c0
[ 189.842903]  sctp_diag_dump+0x3a7/0x620
[ 189.846890]  ? inet_diag_msg_sctpladdrs_fill+0x360/0x360
[ 189.852346]  ? skb_scrub_packet+0x490/0x490
[ 189.856683]  ? mutex_lock_nested+0x16/0x20
[ 189.860929]  __inet_diag_dump+0xa8/0x140
[ 189.865002]  inet_diag_dump+0x9b/0x110
[ 189.868900]  netlink_dump+0x519/0xd50
[ 189.872709]  ? netlink_broadcast+0x50/0x50
[ 189.876955]  __netlink_dump_start+0x4f1/0x6f0
[ 189.881470]  ? kasan_check_read+0x11/0x20
[ 189.885633]  inet_diag_handler_cmd+0x2ce/0x3f0
[ 189.890221]  ? inet_diag_rcv_msg_compat+0x3f0/0x3f0
[ 189.895244]  ? inet_diag_dump_compat+0x4b0/0x4b0
[ 189.900011]  sock_diag_rcv_msg+0x31d/0x410
[ 189.904261]  netlink_rcv_skb+0x172/0x440
[ 189.908325]  ? sock_diag_bind+0x80/0x80
[ 189.912306]  ? netlink_ack+0xbe0/0xbe0
[ 189.916194]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 189.920875]  sock_diag_rcv+0x2a/0x40
[ 189.924594]  netlink_unicast+0x5a0/0x760
[ 189.928667]  ? netlink_attachskb+0x9a0/0x9a0
[ 189.933086]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 189.938650]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 189.943699]  netlink_sendmsg+0xa18/0xfc0
[ 189.947774]  ? netlink_unicast+0x760/0x760
[ 189.952021]  ? security_socket_sendmsg+0x94/0xc0
[ 189.956781]  ? netlink_unicast+0x760/0x760
[ 189.961023]  sock_sendmsg+0xd5/0x120
[ 189.964742]  sock_write_iter+0x362/0x5c0
[ 189.968806]  ? sock_sendmsg+0x120/0x120
[ 189.972783]  ? rcu_is_watching+0x8c/0x150
[ 189.976946]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 189.981716]  do_iter_readv_writev+0x8b0/0xa80
[ 189.986218]  ? vfs_dedupe_file_range+0x670/0x670
[ 189.990985]  ? rw_verify_area+0x118/0x360
[ 189.995142]  do_iter_write+0x185/0x5f0
[ 189.999035]  ? iov_iter_get_pages+0x1210/0x1210
[ 190.003717]  compat_writev+0x234/0x420
[ 190.007614]  ? do_pwritev+0x280/0x280
[ 190.011415]  ? fget_raw+0x20/0x20
[ 190.014883]  ? get_unused_fd_flags+0x1a0/0x1a0
[ 190.019483]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 190.024260]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 190.029802]  ? __fdget_pos+0xde/0x200
[ 190.033608]  ? __fdget_raw+0x20/0x20
[ 190.037339]  do_compat_writev+0x128/0x260
[ 190.041495]  ? compat_writev+0x420/0x420
[ 190.045563]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 190.050677]  __ia32_compat_sys_writev+0x74/0xb0
[ 190.055354]  do_fast_syscall_32+0x34d/0xfb2
[ 190.059685]  ? do_int80_syscall_32+0x890/0x890
[ 190.064276]  ? entry_SYSENTER_compat+0x68/0x7f
[ 190.068862]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[ 190.073882]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 190.078726]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 190.083569]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 190.088589]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 190.093610]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 190.098635]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 190.103498]  entry_SYSENTER_compat+0x70/0x7f
[ 190.107908] RIP: 0023:0xf7f6aca9
[ 190.111284] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 190.130196] RSP: 002b:00000000f7f660cc EFLAGS: 00000296 ORIG_RAX: 0000000000000092
[ 190.137929] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 0000000020000000
[ 190.145217] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
[ 190.152498] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 190.159776] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 190.167057] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 190.174351]
[ 190.175984] Allocated by task 12694:
[ 190.179706]  save_stack+0x43/0xd0
[ 190.183159]  kasan_kmalloc+0xc4/0xe0
[ 190.186872]  kmem_cache_alloc_trace+0x152/0x730
[ 190.191543]  sctp_association_new+0x127/0x2290
[ 190.196132]  sctp_unpack_cookie+0x7b4/0x1160
[ 190.200545]  sctp_sf_do_5_1D_ce+0x451/0x14c0
[ 190.204952]  sctp_do_sm+0x1c1/0x71e0
[ 190.208676]  sctp_endpoint_bh_rcv+0x465/0x960
[ 190.213168]  sctp_inq_push+0x272/0x340
[ 190.217055]  sctp_rcv+0x2cb2/0x3ab0
[ 190.220681]  sctp6_rcv+0x15/0x30
[ 190.224047]  ip6_input_finish+0x407/0x1a40
[ 190.228279]  ip6_input+0xe9/0x600
[ 190.231736]  ip6_rcv_finish+0x17a/0x330
[ 190.235712]  ipv6_rcv+0x11e/0x650
[ 190.239170]  __netif_receive_skb_one_core+0x14d/0x200
[ 190.244363]  __netif_receive_skb+0x2c/0x1e0
[ 190.248687]  process_backlog+0x219/0x760
[ 190.252750]  net_rx_action+0x799/0x1900
[ 190.256731]  __do_softirq+0x2eb/0xa74
[ 190.260521]
[ 190.262145] Freed by task 12693:
[ 190.265517]  save_stack+0x43/0xd0
[ 190.268976]  __kasan_slab_free+0x11a/0x170
[ 190.273214]  kasan_slab_free+0xe/0x10
[ 190.277026]  kfree+0xd9/0x210
[ 190.280134]  sctp_association_put+0x264/0x350
[ 190.284628]  sctp_association_free+0x6c9/0x972
[ 190.289207]  sctp_do_sm+0x4a5c/0x71e0
[ 190.293016]  sctp_primitive_ABORT+0xa0/0xd0
[ 190.297339]  sctp_close+0x279/0xa80
[ 190.300990]  inet_release+0x104/0x1f0
[ 190.304791]  inet6_release+0x50/0x70
[ 190.308527]  __sock_release+0xd7/0x250
[ 190.312416]  sock_close+0x19/0x20
[ 190.315878]  __fput+0x36e/0x8c0
[ 190.319154]  ____fput+0x15/0x20
[ 190.322434]  task_work_run+0x1e8/0x2a0
[ 190.326364]  exit_to_usermode_loop+0x318/0x380
[ 190.330952]  do_fast_syscall_32+0xcd5/0xfb2
[ 190.335286]  entry_SYSENTER_compat+0x70/0x7f
[ 190.339687]
[ 190.341317] The buggy address belongs to the object at ffff8801d97c84c0
[ 190.341317]  which belongs to the cache kmalloc-4096 of size 4096
[ 190.354167] The buggy address is located 32 bytes inside of
[ 190.354167]  4096-byte region [ffff8801d97c84c0, ffff8801d97c94c0)
[ 190.366054] The buggy address belongs to the page:
[ 190.371007] page:ffffea000765f200 count:1 mapcount:0 mapping:ffff8801dac00dc0 index:0x0 compound_mapcount: 0
[ 190.381003] flags: 0x2fffc0000008100(slab|head)
[ 190.385695] raw: 02fffc0000008100 ffffea0007628888 ffffea0007620608 ffff8801dac00dc0
[ 190.393600] raw: 0000000000000000 ffff8801d97c84c0 0000000100000001 0000000000000000
[ 190.401494] page dumped because: kasan: bad access detected
[ 190.407213]
[ 190.408843] Memory state around the buggy address:
[ 190.413785]  ffff8801d97c8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 190.421161]  ffff8801d97c8400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 190.428547] >ffff8801d97c8480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 190.435918]                                                        ^
[ 190.442436]  ffff8801d97c8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 190.449834]  ffff8801d97c8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 190.457197] ==================================================================
[ 190.464586] Disabling lock debugging due to kernel taint
[ 190.470203] Kernel panic - not syncing: panic_on_warn set ...
[ 190.470203]
[ 190.477585] CPU: 1 PID: 12694 Comm: syz-executor0 Tainted: G B 4.18.0+ #107
[ 190.485994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 190.495362] Call Trace:
[ 190.497982]  dump_stack+0x1c9/0x2b4
[ 190.501637]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 190.506842]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 190.511614]  panic+0x238/0x4e7
[ 190.514813]  ? add_taint.cold.5+0x16/0x16
[ 190.518973]  ? trace_hardirqs_on+0xb4/0x2c0
[ 190.523296]  ? trace_hardirqs_on+0x9a/0x2c0
[ 190.527625]  ? sctp_transport_get_next+0x11c/0x140
[ 190.532554]  kasan_end_report+0x47/0x4f
[ 190.536532]  kasan_report.cold.7+0x76/0x30d
[ 190.540861]  __asan_report_load8_noabort+0x14/0x20
[ 190.545795]  sctp_transport_get_next+0x11c/0x140
[ 190.550555]  sctp_for_each_transport+0x152/0x370
[ 190.555314]  ? sctp_ep_dump+0xaa0/0xaa0
[ 190.559287]  ? sctp_v6_copy_ip_options.cold.17+0x28/0x28
[ 190.564740]  ? sctp_transport_get_next+0x140/0x140
[ 190.569670]  ? sctp_for_each_endpoint+0x130/0x1c0
[ 190.574520]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 190.579536]  ? sctp_for_each_endpoint+0x165/0x1c0
[ 190.584380]  sctp_diag_dump+0x3a7/0x620
[ 190.588358]  ? inet_diag_msg_sctpladdrs_fill+0x360/0x360
[ 190.593816]  ? skb_scrub_packet+0x490/0x490
[ 190.598147]  ? mutex_lock_nested+0x16/0x20
[ 190.602408]  __inet_diag_dump+0xa8/0x140
[ 190.606480]  inet_diag_dump+0x9b/0x110
[ 190.610375]  netlink_dump+0x519/0xd50
[ 190.614179]  ? netlink_broadcast+0x50/0x50
[ 190.618421]  __netlink_dump_start+0x4f1/0x6f0
[ 190.622922]  ? kasan_check_read+0x11/0x20
[ 190.627074]  inet_diag_handler_cmd+0x2ce/0x3f0
[ 190.631658]  ? inet_diag_rcv_msg_compat+0x3f0/0x3f0
[ 190.636675]  ? inet_diag_dump_compat+0x4b0/0x4b0
[ 190.641436]  sock_diag_rcv_msg+0x31d/0x410
[ 190.645689]  netlink_rcv_skb+0x172/0x440
[ 190.649753]  ? sock_diag_bind+0x80/0x80
[ 190.653729]  ? netlink_ack+0xbe0/0xbe0
[ 190.657616]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 190.662293]  sock_diag_rcv+0x2a/0x40
[ 190.666009]  netlink_unicast+0x5a0/0x760
[ 190.670080]  ? netlink_attachskb+0x9a0/0x9a0
[ 190.674495]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 190.680040]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 190.685092]  netlink_sendmsg+0xa18/0xfc0
[ 190.689161]  ? netlink_unicast+0x760/0x760
[ 190.693404]  ? security_socket_sendmsg+0x94/0xc0
[ 190.698161]  ? netlink_unicast+0x760/0x760
[ 190.702396]  sock_sendmsg+0xd5/0x120
[ 190.706113]  sock_write_iter+0x362/0x5c0
[ 190.710176]  ? sock_sendmsg+0x120/0x120
[ 190.714153]  ? rcu_is_watching+0x8c/0x150
[ 190.718312]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 190.723077]  do_iter_readv_writev+0x8b0/0xa80
[ 190.727583]  ? vfs_dedupe_file_range+0x670/0x670
[ 190.732348]  ? rw_verify_area+0x118/0x360
[ 190.736501]  do_iter_write+0x185/0x5f0
[ 190.740393]  ? iov_iter_get_pages+0x1210/0x1210
[ 190.745076]  compat_writev+0x234/0x420
[ 190.748980]  ? do_pwritev+0x280/0x280
[ 190.752786]  ? fget_raw+0x20/0x20
[ 190.756252]  ? get_unused_fd_flags+0x1a0/0x1a0
[ 190.760838]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 190.765602]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 190.771138]  ? __fdget_pos+0xde/0x200
[ 190.774966]  ? __fdget_raw+0x20/0x20
[ 190.778694]  do_compat_writev+0x128/0x260
[ 190.782844]  ? compat_writev+0x420/0x420
[ 190.786907]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 190.792018]  __ia32_compat_sys_writev+0x74/0xb0
[ 190.796696]  do_fast_syscall_32+0x34d/0xfb2
[ 190.801030]  ? do_int80_syscall_32+0x890/0x890
[ 190.805620]  ? entry_SYSENTER_compat+0x68/0x7f
[ 190.810204]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[ 190.815225]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 190.820071]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 190.824914]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 190.829943]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 190.834972]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 190.839997]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 190.844851]  entry_SYSENTER_compat+0x70/0x7f
[ 190.849262] RIP: 0023:0xf7f6aca9
[ 190.852636] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 190.871544] RSP: 002b:00000000f7f660cc EFLAGS: 00000296 ORIG_RAX: 0000000000000092
[ 190.879276] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 0000000020000000
[ 190.886555] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
[ 190.893832] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 190.901113] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 190.908394] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 190.916038] Dumping ftrace buffer:
[ 190.919583]    (ftrace buffer empty)
[ 190.923286] Kernel Offset: disabled
[ 190.926903] Rebooting in 86400 seconds..