[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 25.931961] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.146473] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.612071] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.229021] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.447022] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
[ 33.954359] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/12 13:04:51 parsed 1 programs
[ 35.088761] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/12 13:04:53 executed programs: 0
[ 36.458234] ==================================================================
[ 36.465736] BUG: KASAN: use-after-free in mqueue_get_tree+0x2ac/0x2e0
[ 36.472316] Read of size 8 at addr ffff8801d7cc0688 by task syz-executor4/5584
[ 36.479971]
[ 36.481609] CPU: 0 PID: 5584 Comm: syz-executor4 Not tainted 4.19.0-rc3-next-20180912+ #72
[ 36.490018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.499370] Call Trace:
[ 36.501966]  dump_stack+0x1d3/0x2c4
[ 36.505602]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.510792]  ? printk+0xa7/0xcf
[ 36.514075]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 36.518845]  print_address_description.cold.8+0x9/0x1ff
[ 36.524218]  kasan_report.cold.9+0x242/0x309
[ 36.528629]  ? mqueue_get_tree+0x2ac/0x2e0
[ 36.532871]  __asan_report_load8_noabort+0x14/0x20
[ 36.537805]  mqueue_get_tree+0x2ac/0x2e0
[ 36.541872]  vfs_get_tree+0x1cb/0x5c0
[ 36.545682]  mq_create_mount+0xe3/0x190
[ 36.549666]  mq_init_ns+0x15a/0x210
[ 36.553319]  copy_ipcs+0x3d2/0x580
[ 36.556869]  ? ipcns_get+0xe0/0xe0
[ 36.560422]  ? do_mount+0x1db0/0x1db0
[ 36.564226]  ? kmem_cache_alloc+0x33a/0x730
[ 36.568557]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.574097]  ? perf_event_namespaces+0x136/0x400
[ 36.578865]  create_new_namespaces+0x376/0x900
[ 36.583462]  ? sys_ni_syscall+0x20/0x20
[ 36.587448]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.592992]  ? ns_capable_common+0x13f/0x170
[ 36.597411]  unshare_nsproxy_namespaces+0xc3/0x1f0
[ 36.602350]  ksys_unshare+0x79c/0x10b0
[ 36.606245]  ? walk_process_tree+0x440/0x440
[ 36.610661]  ? lock_downgrade+0x900/0x900
[ 36.614822]  ? kasan_check_read+0x11/0x20
[ 36.618981]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.623396]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 36.627988]  ? kasan_check_write+0x14/0x20
[ 36.632223]  ? do_raw_read_unlock+0x3f/0x60
[ 36.636549]  ? do_syscall_64+0x9a/0x820
[ 36.640525]  ? do_syscall_64+0x9a/0x820
[ 36.644509]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 36.649099]  ? trace_hardirqs_on+0xbd/0x310
[ 36.653428]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.658798]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 36.664252]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[ 36.668949]  __x64_sys_unshare+0x31/0x40
[ 36.673021]  do_syscall_64+0x1b9/0x820
[ 36.676914]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.682306]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 36.687241]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.692095]  ? trace_hardirqs_on_caller+0x310/0x310
[ 36.697122]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 36.702148]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.707005]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.712193] RIP: 0033:0x459d87
[ 36.715396] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 3d 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 1d 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.734309] RSP: 002b:00007ffddc9e7fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
[ 36.742035] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459d87
[ 36.749309] RDX: 0000000000000000 RSI: 00007ffddc9e7fc0 RDI: 0000000008000000
[ 36.756583] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000018
[ 36.763859] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000412c30
[ 36.771125] R13: 0000000000412cc0 R14: 0000000000000000 R15: 0000000000000000
[ 36.778412]
[ 36.780051] Allocated by task 3455:
[ 36.783687]  save_stack+0x43/0xd0
[ 36.787138]  kasan_kmalloc+0xc7/0xe0
[ 36.790851]  kasan_slab_alloc+0x12/0x20
[ 36.794824]  kmem_cache_alloc+0x12e/0x730
[ 36.798978]  getname_flags+0xd0/0x5a0
[ 36.802782]  do_symlinkat+0x8b/0x2d0
[ 36.806500]  __x64_sys_symlink+0x59/0x80
[ 36.810565]  do_syscall_64+0x1b9/0x820
[ 36.814453]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.819634]
[ 36.821260] Freed by task 3455:
[ 36.824544]  save_stack+0x43/0xd0
[ 36.827995]  __kasan_slab_free+0x102/0x150
[ 36.832228]  kasan_slab_free+0xe/0x10
[ 36.836046]  kmem_cache_free+0x83/0x290
[ 36.840022]  putname+0xf2/0x130
[ 36.843300]  do_symlinkat+0x18c/0x2d0
[ 36.847105]  __x64_sys_symlink+0x59/0x80
[ 36.851164]  do_syscall_64+0x1b9/0x820
[ 36.855054]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.860236]
[ 36.861863] The buggy address belongs to the object at ffff8801d7cc0540
[ 36.861863]  which belongs to the cache names_cache of size 4096
[ 36.874613] The buggy address is located 328 bytes inside of
[ 36.874613]  4096-byte region [ffff8801d7cc0540, ffff8801d7cc1540)
[ 36.886572] The buggy address belongs to the page:
[ 36.891507] page:ffffea00075f3000 count:1 mapcount:0 mapping:ffff8801da972d80 index:0x0 compound_mapcount: 0
[ 36.901484] flags: 0x2fffc0000008100(slab|head)
[ 36.906157] raw: 02fffc0000008100 ffffea00075fa788 ffffea00075f0b08 ffff8801da972d80
[ 36.914041] raw: 0000000000000000 ffff8801d7cc0540 0000000100000001 0000000000000000
[ 36.921916] page dumped because: kasan: bad access detected
[ 36.927638]
[ 36.929261] Memory state around the buggy address:
[ 36.934192]  ffff8801d7cc0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.941547]  ffff8801d7cc0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.948907] >ffff8801d7cc0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.956273]                                            ^
[ 36.959896]  ffff8801d7cc0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.967269]  ffff8801d7cc0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.974619] ==================================================================
[ 36.981970] Disabling lock debugging due to kernel taint
[ 36.987641] Kernel panic - not syncing: panic_on_warn set ...
[ 36.987641]
[ 36.995013] CPU: 0 PID: 5584 Comm: syz-executor4 Tainted: G B 4.19.0-rc3-next-20180912+ #72
[ 37.004815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.014159] Call Trace:
[ 37.016751]  dump_stack+0x1d3/0x2c4
[ 37.020382]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 37.025573]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 37.030333]  panic+0x238/0x4e7
[ 37.033530]  ? add_taint.cold.5+0x16/0x16
[ 37.037685]  ? trace_hardirqs_on+0x9a/0x310
[ 37.042005]  ? trace_hardirqs_on+0xb4/0x310
[ 37.046330]  ? trace_hardirqs_on+0xb4/0x310
[ 37.050681]  kasan_end_report+0x47/0x4f
[ 37.054658]  kasan_report.cold.9+0x76/0x309
[ 37.058980]  ? mqueue_get_tree+0x2ac/0x2e0
[ 37.063223]  __asan_report_load8_noabort+0x14/0x20
[ 37.068154]  mqueue_get_tree+0x2ac/0x2e0
[ 37.072215]  vfs_get_tree+0x1cb/0x5c0
[ 37.076020]  mq_create_mount+0xe3/0x190
[ 37.079997]  mq_init_ns+0x15a/0x210
[ 37.083622]  copy_ipcs+0x3d2/0x580
[ 37.087163]  ? ipcns_get+0xe0/0xe0
[ 37.090706]  ? do_mount+0x1db0/0x1db0
[ 37.094505]  ? kmem_cache_alloc+0x33a/0x730
[ 37.098829]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.104363]  ? perf_event_namespaces+0x136/0x400
[ 37.109122]  create_new_namespaces+0x376/0x900
[ 37.113711]  ? sys_ni_syscall+0x20/0x20
[ 37.117689]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.123227]  ? ns_capable_common+0x13f/0x170
[ 37.127639]  unshare_nsproxy_namespaces+0xc3/0x1f0
[ 37.132574]  ksys_unshare+0x79c/0x10b0
[ 37.136466]  ? walk_process_tree+0x440/0x440
[ 37.140877]  ? lock_downgrade+0x900/0x900
[ 37.145027]  ? kasan_check_read+0x11/0x20
[ 37.149175]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 37.153582]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 37.158170]  ? kasan_check_write+0x14/0x20
[ 37.162403]  ? do_raw_read_unlock+0x3f/0x60
[ 37.166730]  ? do_syscall_64+0x9a/0x820
[ 37.170704]  ? do_syscall_64+0x9a/0x820
[ 37.174681]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 37.179269]  ? trace_hardirqs_on+0xbd/0x310
[ 37.183595]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.188965]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 37.194417]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[ 37.199114]  __x64_sys_unshare+0x31/0x40
[ 37.203354]  do_syscall_64+0x1b9/0x820
[ 37.207243]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 37.212612]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 37.217542]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.222389]  ? trace_hardirqs_on_caller+0x310/0x310
[ 37.227852]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 37.232873]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.237723]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.242913] RIP: 0033:0x459d87
[ 37.246124] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 3d 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 1d 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.265024] RSP: 002b:00007ffddc9e7fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
[ 37.272732] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459d87
[ 37.280000] RDX: 0000000000000000 RSI: 00007ffddc9e7fc0 RDI: 0000000008000000
[ 37.287271] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000018
[ 37.294540] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000412c30
[ 37.301806] R13: 0000000000412cc0 R14: 0000000000000000 R15: 0000000000000000
[ 37.310114] Kernel Offset: disabled
[ 37.313743] Rebooting in 86400 seconds..