[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.246008] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.841991] random: sshd: uninitialized urandom read (32 bytes read)
[   22.178773] random: sshd: uninitialized urandom read (32 bytes read)
[   23.012807] random: sshd: uninitialized urandom read (32 bytes read)
[   23.164837] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
[   28.710858] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/21 05:55:33 parsed 1 programs
[   30.268173] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/21 05:55:35 executed programs: 0
[   31.104380] IPVS: ftp: loaded support on port[0] = 21
[   31.286817] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.293269] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.300626] device bridge_slave_0 entered promiscuous mode
[   31.315509] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.321854] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.328824] device bridge_slave_1 entered promiscuous mode
[   31.342961] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.357859] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   31.396490] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   31.413535] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   31.472679] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   31.480709] team0: Port device team_slave_0 added
[   31.495044] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   31.502530] team0: Port device team_slave_1 added
[   31.516902] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   31.533944] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   31.551127] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   31.567842] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   31.680345] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.686791] bridge0: port 2(bridge_slave_1) entered forwarding state
[   31.693718] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.700084] bridge0: port 1(bridge_slave_0) entered forwarding state
[   32.086871] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   32.092974] 8021q: adding VLAN 0 to HW filter on device bond0
[   32.132939] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   32.173067] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   32.180952] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.216677] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   32.222780] 8021q: adding VLAN 0 to HW filter on device team0
[   32.233298] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   32.475251] ==================================================================
[   32.482703] BUG: KASAN: use-after-free in skb_dequeue+0x16a/0x180
[   32.488915] Read of size 8 at addr ffff8801ae30e5c0 by task syz-executor0/4801
[   32.496249] 
[   32.497858] CPU: 0 PID: 4801 Comm: syz-executor0 Not tainted 4.18.0-rc1+ #14
[   32.505022] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.514355] Call Trace:
[   32.516925]  dump_stack+0x1c9/0x2b4
[   32.520533]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.525701]  ? printk+0xa7/0xcf
[   32.528963]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.533703]  ? skb_dequeue+0x16a/0x180
[   32.537570]  print_address_description+0x6c/0x20b
[   32.542401]  ? skb_dequeue+0x16a/0x180
[   32.546267]  kasan_report.cold.7+0x242/0x2fe
[   32.550656]  __asan_report_load8_noabort+0x14/0x20
[   32.555564]  skb_dequeue+0x16a/0x180
[   32.559269]  skb_queue_purge+0x26/0x40
[   32.563140]  packet_set_ring+0x675/0x1da0
[   32.567453]  ? prb_dispatch_next_block+0x1b0/0x1b0
[   32.572367]  ? lock_acquire+0x1e4/0x540
[   32.576406]  ? packet_release+0x5d9/0xd90
[   32.580536]  ? mark_held_locks+0xc9/0x160
[   32.584666]  ? __local_bh_enable_ip+0x161/0x230
[   32.589317]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.594321]  ? lock_sock_nested+0x9f/0x120
[   32.598537]  ? trace_hardirqs_on+0xd/0x10
[   32.602665]  ? __local_bh_enable_ip+0x161/0x230
[   32.607314]  packet_release+0x630/0xd90
[   32.611273]  ? lock_acquire+0x1e4/0x540
[   32.615227]  ? packet_set_ring+0x1da0/0x1da0
[   32.619619]  ? check_same_owner+0x340/0x340
[   32.623919]  ? depot_save_stack+0x291/0x470
[   32.628235]  ? rcu_note_context_switch+0x730/0x730
[   32.633149]  ? down_write+0x8f/0x130
[   32.636850]  ? __sock_release+0x8b/0x260
[   32.640891]  ? down_read+0x1d0/0x1d0
[   32.644585]  ? fsnotify+0x14e0/0x14e0
[   32.648367]  __sock_release+0xd7/0x260
[   32.652245]  ? __sock_release+0x260/0x260
[   32.656372]  sock_close+0x19/0x20
[   32.659805]  __fput+0x35b/0x8b0
[   32.663074]  ? fput+0x1a0/0x1a0
[   32.666337]  ? _raw_spin_unlock_irq+0x27/0x70
[   32.670815]  ____fput+0x15/0x20
[   32.674079]  task_work_run+0x1ec/0x2a0
[   32.677951]  ? task_work_cancel+0x250/0x250
[   32.682254]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.687782]  ? switch_task_namespaces+0xa2/0xd0
[   32.692434]  do_exit+0x1b08/0x2750
[   32.695956]  ? mm_update_next_owner+0x9a0/0x9a0
[   32.700603]  ? graph_lock+0x170/0x170
[   32.704388]  ? do_futex+0x249/0x27d0
[   32.708097]  ? exit_robust_list+0x290/0x290
[   32.712409]  ? lock_downgrade+0x8f0/0x8f0
[   32.716540]  ? kasan_check_read+0x11/0x20
[   32.720667]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   32.725065]  ? tun_chr_close+0x180/0x180
[   32.729111]  ? compat_sock_ioctl+0x1c5/0x1f90
[   32.733598]  ? tun_chr_write_iter+0x110/0x154
[   32.738080]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.743599]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.749128]  ? fsnotify+0xbb4/0x14e0
[   32.752836]  ? expand_files.part.8+0x9c0/0x9c0
[   32.757400]  ? _copy_from_user+0xdf/0x150
[   32.761529]  ? fsnotify_first_mark+0x350/0x350
[   32.766096]  ? __fsnotify_parent+0xcc/0x420
[   32.770401]  ? fsnotify+0x14e0/0x14e0
[   32.774190]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[   32.779114]  do_group_exit+0x177/0x440
[   32.782980]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   32.788675]  ? __ia32_sys_exit+0x50/0x50
[   32.792723]  ? sock_unregister+0x160/0x160
[   32.796950]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.802468]  ? do_fast_syscall_32+0x150/0xfb2
[   32.806946]  __ia32_sys_exit_group+0x3e/0x50
[   32.811337]  do_fast_syscall_32+0x34d/0xfb2
[   32.815642]  ? do_int80_syscall_32+0x890/0x890
[   32.820206]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.824952]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.830479]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.835400]  ? sysret32_from_system_call+0x5/0x46
[   32.840229]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.845054]  entry_SYSENTER_compat+0x70/0x7f
[   32.849441] RIP: 0023:0xf7f55cb9
[   32.852778] Code: Bad RIP value.
[   32.856132] RSP: 002b:00000000ffd47b9c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
[   32.863820] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
[   32.871070] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   32.878320] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   32.885579] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   32.892825] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   32.900080] 
[   32.901691] Allocated by task 4801:
[   32.905300]  save_stack+0x43/0xd0
[   32.908732]  kasan_kmalloc+0xc4/0xe0
[   32.912423]  kasan_slab_alloc+0x12/0x20
[   32.916376]  kmem_cache_alloc+0x12e/0x760
[   32.920506]  skb_clone+0x1f5/0x500
[   32.924031]  tpacket_rcv+0x28f7/0x3200
[   32.927918]  __netif_receive_skb_core+0x1bfb/0x3680
[   32.932914]  __netif_receive_skb+0x2c/0x1e0
[   32.937219]  netif_receive_skb_internal+0x12e/0x7d0
[   32.942213]  netif_receive_skb+0xbf/0x420
[   32.946349]  tun_rx_batched.isra.55+0x4ba/0x8c0
[   32.950998]  tun_get_user+0x2af1/0x42f0
[   32.954962]  tun_chr_write_iter+0xb9/0x154
[   32.959180]  __vfs_write+0x6c6/0x9f0
[   32.962881]  vfs_write+0x1f8/0x560
[   32.966401]  ksys_write+0x101/0x260
[   32.970008]  __ia32_sys_write+0x71/0xb0
[   32.973984]  do_fast_syscall_32+0x34d/0xfb2
[   32.978287]  entry_SYSENTER_compat+0x70/0x7f
[   32.982679] 
[   32.984284] Freed by task 4801:
[   32.987543]  save_stack+0x43/0xd0
[   32.990975]  __kasan_slab_free+0x11a/0x170
[   32.995190]  kasan_slab_free+0xe/0x10
[   32.998971]  kmem_cache_free+0x86/0x2d0
[   33.002924]  kfree_skbmem+0x154/0x230
[   33.006703]  kfree_skb+0x1a5/0x580
[   33.010225]  tpacket_rcv+0x189e/0x3200
[   33.014098]  __netif_receive_skb_core+0x1bfb/0x3680
[   33.019097]  __netif_receive_skb+0x2c/0x1e0
[   33.023399]  netif_receive_skb_internal+0x12e/0x7d0
[   33.028395]  netif_receive_skb+0xbf/0x420
[   33.032526]  tun_rx_batched.isra.55+0x4ba/0x8c0
[   33.037173]  tun_get_user+0x2af1/0x42f0
[   33.041137]  tun_chr_write_iter+0xb9/0x154
[   33.045350]  __vfs_write+0x6c6/0x9f0
[   33.049042]  vfs_write+0x1f8/0x560
[   33.052567]  ksys_write+0x101/0x260
[   33.056184]  __ia32_sys_write+0x71/0xb0
[   33.060146]  do_fast_syscall_32+0x34d/0xfb2
[   33.064451]  entry_SYSENTER_compat+0x70/0x7f
[   33.068831] 
[   33.070440] The buggy address belongs to the object at ffff8801ae30e5c0
[   33.070440]  which belongs to the cache skbuff_head_cache of size 232
[   33.083615] The buggy address is located 0 bytes inside of
[   33.083615]  232-byte region [ffff8801ae30e5c0, ffff8801ae30e6a8)
[   33.095301] The buggy address belongs to the page:
[   33.100212] page:ffffea0006b8c380 count:1 mapcount:0 mapping:ffff8801d9458840 index:0x0
[   33.108371] flags: 0x2fffc0000000100(slab)
[   33.112590] raw: 02fffc0000000100 ffffea0007597048 ffffea00073ada48 ffff8801d9458840
[   33.120545] raw: 0000000000000000 ffff8801ae30e0c0 000000010000000c 0000000000000000
[   33.128403] page dumped because: kasan: bad access detected
[   33.134098] 
[   33.135789] Memory state around the buggy address:
[   33.140699]  ffff8801ae30e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.148046]  ffff8801ae30e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[   33.155384] >ffff8801ae30e580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.162732]                                            ^
[   33.168169]  ffff8801ae30e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.175532]  ffff8801ae30e680: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   33.182877] ==================================================================
[   33.190217] Disabling lock debugging due to kernel taint
[   33.195641] Kernel panic - not syncing: panic_on_warn set ...
[   33.195641] 
[   33.202984] CPU: 0 PID: 4801 Comm: syz-executor0 Tainted: G    B             4.18.0-rc1+ #14
[   33.211537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.220869] Call Trace:
[   33.223447]  dump_stack+0x1c9/0x2b4
[   33.227055]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.232232]  ? lock_downgrade+0x8f0/0x8f0
[   33.236357]  panic+0x238/0x4e7
[   33.239525]  ? add_taint.cold.5+0x16/0x16
[   33.243652]  ? add_taint.cold.5+0x5/0x16
[   33.247701]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.252097]  ? skb_dequeue+0x16a/0x180
[   33.255969]  kasan_end_report+0x47/0x4f
[   33.259921]  kasan_report.cold.7+0x76/0x2fe
[   33.264221]  __asan_report_load8_noabort+0x14/0x20
[   33.269127]  skb_dequeue+0x16a/0x180
[   33.272828]  skb_queue_purge+0x26/0x40
[   33.276701]  packet_set_ring+0x675/0x1da0
[   33.280830]  ? prb_dispatch_next_block+0x1b0/0x1b0
[   33.285742]  ? lock_acquire+0x1e4/0x540
[   33.289694]  ? packet_release+0x5d9/0xd90
[   33.293821]  ? mark_held_locks+0xc9/0x160
[   33.297947]  ? __local_bh_enable_ip+0x161/0x230
[   33.302595]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.307589]  ? lock_sock_nested+0x9f/0x120
[   33.311802]  ? trace_hardirqs_on+0xd/0x10
[   33.315929]  ? __local_bh_enable_ip+0x161/0x230
[   33.320579]  packet_release+0x630/0xd90
[   33.324534]  ? lock_acquire+0x1e4/0x540
[   33.328486]  ? packet_set_ring+0x1da0/0x1da0
[   33.332879]  ? check_same_owner+0x340/0x340
[   33.337189]  ? depot_save_stack+0x291/0x470
[   33.341502]  ? rcu_note_context_switch+0x730/0x730
[   33.346430]  ? down_write+0x8f/0x130
[   33.350130]  ? __sock_release+0x8b/0x260
[   33.354180]  ? down_read+0x1d0/0x1d0
[   33.357872]  ? fsnotify+0x14e0/0x14e0
[   33.361662]  __sock_release+0xd7/0x260
[   33.365528]  ? __sock_release+0x260/0x260
[   33.369672]  sock_close+0x19/0x20
[   33.373106]  __fput+0x35b/0x8b0
[   33.376376]  ? fput+0x1a0/0x1a0
[   33.379634]  ? _raw_spin_unlock_irq+0x27/0x70
[   33.384107]  ____fput+0x15/0x20
[   33.387365]  task_work_run+0x1ec/0x2a0
[   33.391234]  ? task_work_cancel+0x250/0x250
[   33.395537]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.401062]  ? switch_task_namespaces+0xa2/0xd0
[   33.405717]  do_exit+0x1b08/0x2750
[   33.409237]  ? mm_update_next_owner+0x9a0/0x9a0
[   33.413884]  ? graph_lock+0x170/0x170
[   33.417667]  ? do_futex+0x249/0x27d0
[   33.421360]  ? exit_robust_list+0x290/0x290
[   33.425662]  ? lock_downgrade+0x8f0/0x8f0
[   33.429790]  ? kasan_check_read+0x11/0x20
[   33.433921]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   33.438312]  ? tun_chr_close+0x180/0x180
[   33.442359]  ? compat_sock_ioctl+0x1c5/0x1f90
[   33.446835]  ? tun_chr_write_iter+0x110/0x154
[   33.451317]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.456841]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.462356]  ? fsnotify+0xbb4/0x14e0
[   33.466048]  ? expand_files.part.8+0x9c0/0x9c0
[   33.470610]  ? _copy_from_user+0xdf/0x150
[   33.474737]  ? fsnotify_first_mark+0x350/0x350
[   33.479295]  ? __fsnotify_parent+0xcc/0x420
[   33.483591]  ? fsnotify+0x14e0/0x14e0
[   33.487373]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[   33.492279]  do_group_exit+0x177/0x440
[   33.496141]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   33.501825]  ? __ia32_sys_exit+0x50/0x50
[   33.505861]  ? sock_unregister+0x160/0x160
[   33.510077]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.515593]  ? do_fast_syscall_32+0x150/0xfb2
[   33.520069]  __ia32_sys_exit_group+0x3e/0x50
[   33.524456]  do_fast_syscall_32+0x34d/0xfb2
[   33.528764]  ? do_int80_syscall_32+0x890/0x890
[   33.533322]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.538060]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.543573]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.548480]  ? sysret32_from_system_call+0x5/0x46
[   33.553303]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.558123]  entry_SYSENTER_compat+0x70/0x7f
[   33.562507] RIP: 0023:0xf7f55cb9
[   33.565842] Code: Bad RIP value.
[   33.569203] RSP: 002b:00000000ffd47b9c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc
[   33.576896] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000
[   33.584149] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   33.591396] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   33.598643] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   33.605888] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.613632] Dumping ftrace buffer:
[   33.617151]    (ftrace buffer empty)
[   33.620839] Kernel Offset: disabled
[   33.624443] Rebooting in 86400 seconds..
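The report above is a stock KASAN use-after-free report. The Python below is an added triage helper for this page, not syzkaller code or anything from the kernel tree: it parses that report format (timestamp prefix, BUG line, access line, the Call Trace with its "?" frames, the "Allocated by"/"Freed by" stacks, and the object/cache lines) from a constructed, abridged copy of the log above, and pulls out what a triager reads first. The SAMPLE_LOG text, the regexes and the INFRA list of allocator/sanitizer prefixes to skip are the example's own choices.

```python
"""KASAN report triage helper: an added example for this page, not kernel or syzkaller code.
It parses the report format in the console log above and pulls out what a triager checks first:
access kind and size, offset into the slab object, and the first non-plumbing frame of each stack."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the report from the log above, timestamps kept.
SAMPLE_LOG = """\
[   32.482703] BUG: KASAN: use-after-free in skb_dequeue+0x16a/0x180
[   32.488915] Read of size 8 at addr ffff8801ae30e5c0 by task syz-executor0/4801
[   32.514355] Call Trace:
[   32.516925]  dump_stack+0x1c9/0x2b4
[   32.533703]  ? skb_dequeue+0x16a/0x180
[   32.555564]  skb_dequeue+0x16a/0x180
[   32.559269]  skb_queue_purge+0x26/0x40
[   32.563140]  packet_set_ring+0x675/0x1da0
[   32.607314]  packet_release+0x630/0xd90
[   32.849441] RIP: 0023:0xf7f55cb9
[   32.901691] Allocated by task 4801:
[   32.905300]  save_stack+0x43/0xd0
[   32.920506]  kmem_cache_alloc+0x12e/0x760
[   32.924031]  skb_clone+0x1f5/0x500
[   32.927918]  tpacket_rcv+0x28f7/0x3200
[   32.984284] Freed by task 4801:
[   32.987543]  save_stack+0x43/0xd0
[   32.998971]  kmem_cache_free+0x86/0x2d0
[   33.002924]  kfree_skbmem+0x154/0x230
[   33.010225]  tpacket_rcv+0x189e/0x3200
[   33.070440] The buggy address belongs to the object at ffff8801ae30e5c0
[   33.070440]  which belongs to the cache skbuff_head_cache of size 232
[   33.182877] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")  # the "[   32.482703] " console prefix
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)$")
TASK_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):$")
FRAME_RE = re.compile(r"^(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"^The buggy address belongs to the object at (?P<addr>[0-9a-f]+)$")
CACHE_RE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)$")
# Allocator and sanitizer plumbing that tops every stack; skipped when assigning blame (our choice).
INFRA = ("save_stack", "kasan_", "__kasan_", "__asan_", "kmem_cache_", "dump_stack")


@dataclass
class KasanReport:
    kind: str
    func: str
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    object_addr: Optional[int] = None
    cache: Optional[str] = None
    cache_size: Optional[int] = None
    pids: dict = field(default_factory=dict)  # "alloc"/"free" -> pid of that task
    stacks: dict = field(default_factory=lambda: {"trace": [], "alloc": [], "free": []})


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    """Parse the first KASAN report in a console log; None if the log has none."""
    report, section = None, None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if report is None:
            if m := BUG_RE.match(line):
                report = KasanReport(kind=m["kind"], func=m["func"])
            continue
        if line.startswith("===="):
            break  # closing rule ends the report
        if section and (m := FRAME_RE.match(line)):
            if not (section == "trace" and m["stale"]):  # '?' = stale stack slot, not a real caller
                report.stacks[section].append(m["sym"])
            continue
        section = None  # any non-frame line closes the current stack
        if line == "Call Trace:":
            section = "trace"
        elif m := TASK_RE.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            report.pids[section] = int(m["pid"])
        elif m := ACCESS_RE.match(line):
            report.op, report.size, report.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            report.task, report.pid = m["task"], int(m["pid"])
        elif m := OBJECT_RE.match(line):
            report.object_addr = int(m["addr"], 16)
        elif m := CACHE_RE.match(line):
            report.cache, report.cache_size = m["cache"], int(m["size"])
    return report


def blame(stack: List[str]) -> Optional[str]:
    """First frame that is not allocator/KASAN plumbing: the code a reviewer opens first."""
    return next((s for s in stack if not s.startswith(INFRA)), None)


def triage(r: KasanReport) -> dict:
    offset = None if r.object_addr is None else r.addr - r.object_addr
    return {
        "access": f"{r.op} of {r.size} bytes at offset {offset} of a {r.cache} object ({r.cache_size} bytes)",
        "accessed_in": blame(r.stacks["trace"]),
        "allocated_in": blame(r.stacks["alloc"]),
        "freed_in": blame(r.stacks["free"]),
        "same_task": r.pid == r.pids.get("alloc") == r.pids.get("free"),  # use, alloc and free all in one task?
    }
```

Run on the sample, triage() reports the read of 8 bytes at offset 0 of a 232-byte skbuff_head_cache object, accessed in skb_dequeue, allocated in skb_clone, freed in kfree_skbmem, with allocation, free and use all in task 4801, which is exactly what the full report above says once the "?" frames and the sanitizer frames are set aside.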