Starting mcstransd: [ 16.697566] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available) [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.414236] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available) [ 21.853976] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available) [ 22.943431] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available) Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts. [ 28.332925] random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available) 2018/01/17 17:22:34 fuzzer started 2018/01/17 17:22:34 dialing manager at 10.128.0.26:33869 [ 29.490465] random: nonblocking pool is initialized 2018/01/17 17:22:38 kcov=true, comps=false 2018/01/17 17:22:38 executing program 1: 2018/01/17 17:22:38 executing program 0: 2018/01/17 17:22:38 executing program 4: 2018/01/17 17:22:38 executing program 7: 2018/01/17 17:22:38 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xe2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) getitimer(0x0, &(0x7f0000012000)={{0x0, 0x0}, {0x0, 0x0}}) 2018/01/17 17:22:38 executing program 3: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x5, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, @perf_bp={&(0x7f0000000000)=0x0, 0x1}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6_dccp(0xa, 0x6, 0x0) getsockopt(r0, 0x2000000000010d, 0x2, &(0x7f0000000000)=""/4, &(0x7f00009d7000-0x4)=0x4) 2018/01/17 17:22:38 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x802, 0x88) sendto$inet6(r0, &(0x7f00004d5000-0x1000)="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", 0x821, 0x0, &(0x7f0000089000)={0xa, 0x3, 0x0, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0xffffffffffffffff, 0xbb}, 0x0}, 0x1c) setsockopt$sock_int(r0, 0x1, 0x7, &(0x7f00005a3000)=0x0, 0x4) sendto$inet6(r0, &(0x7f0000987000-0x2e)="", 0x0, 0x0, &(0x7f0000a43000-0x1c)={0xa, 0x0, 0x0, @ipv4={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0xff, 0xff], @dev={0xac, 0x14, 0x0, 0x10}}, 0x0}, 0x1c) 2018/01/17 17:22:38 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000644000-0xd)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = epoll_create(0x4000000010011) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000337000-0xc)={0x0, 0x0}) perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xe2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) [ 32.783630] IPVS: Creating netns size=2552 id=1 [ 32.861533] IPVS: Creating netns size=2552 id=2 [ 32.913385] IPVS: Creating netns size=2552 id=3 [ 32.978654] IPVS: Creating netns size=2552 id=4 [ 33.068396] IPVS: Creating netns size=2552 id=5 [ 33.179406] 
IPVS: Creating netns size=2552 id=6 [ 33.275075] IPVS: Creating netns size=2552 id=7 [ 33.382820] IPVS: Creating netns size=2552 id=8 [ 38.372235] ================================================================== [ 38.379645] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 [ 38.386330] Read of size 8 at addr ffff8801d0597738 by task syz-executor6/5096 [ 38.393671] [ 38.395290] CPU: 0 PID: 5096 Comm: syz-executor6 Not tainted 4.4.112-g5f6325b #21 [ 38.402895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.412242] 0000000000000000 e7d5c0cc07b39df3 ffff8801cf87f530 ffffffff81d0579d [ 38.420241] ffffea0007416580 ffff8801d0597738 0000000000000000 ffff8801d0597738 [ 38.428219] 0000000000000000 ffff8801cf87f568 ffffffff814fd9f3 ffff8801d0597738 [ 38.436185] Call Trace: [ 38.438744] [] dump_stack+0xc1/0x124 [ 38.444085] [] print_address_description+0x73/0x260 [ 38.450722] [] kasan_report+0x285/0x370 [ 38.456316] [] ? __lock_acquire+0x387e/0x4b50 [ 38.462429] [] __asan_report_load8_noabort+0x14/0x20 [ 38.469153] [] __lock_acquire+0x387e/0x4b50 [ 38.475093] [] ? __lock_acquire+0xb5f/0x4b50 [ 38.481143] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.488135] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.495118] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.502101] [] lock_acquire+0x15e/0x460 [ 38.507696] [] ? remove_wait_queue+0x14/0x40 [ 38.513726] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 38.520014] [] ? remove_wait_queue+0x14/0x40 [ 38.526043] [] remove_wait_queue+0x14/0x40 [ 38.531904] [] ep_unregister_pollwait.isra.6+0xa8/0x220 [ 38.538893] [] ? ep_unregister_pollwait.isra.6+0x114/0x220 [ 38.546144] [] ? ep_free+0x1c0/0x1c0 [ 38.551475] [] ep_free+0x93/0x1c0 [ 38.556547] [] ? ep_free+0x1c0/0x1c0 [ 38.561886] [] ep_eventpoll_release+0x44/0x60 [ 38.568005] [] __fput+0x233/0x6d0 [ 38.573077] [] ____fput+0x15/0x20 [ 38.578153] [] task_work_run+0x104/0x180 [ 38.583841] [] do_exit+0x871/0x2a20 [ 38.589095] [] ? 
release_task+0x1240/0x1240 [ 38.595036] [] ? recalc_sigpending+0x76/0xa0 [ 38.601063] [] do_group_exit+0x108/0x320 [ 38.606746] [] get_signal+0x565/0x1660 [ 38.612255] [] do_signal+0x8b/0x1d40 [ 38.617598] [] ? fput+0x20/0x150 [ 38.622585] [] ? SyS_epoll_ctl+0x230/0x2050 [ 38.628526] [] ? setup_sigcontext+0x780/0x780 [ 38.634647] [] ? compat_SyS_futex+0x1f9/0x2a0 [ 38.640769] [] ? compat_SyS_get_robust_list+0x300/0x300 [ 38.647755] [] ? filp_open+0x70/0x70 [ 38.653088] [] ? exit_to_usermode_loop+0xec/0x170 [ 38.659559] [] exit_to_usermode_loop+0x122/0x170 [ 38.665944] [] do_fast_syscall_32+0x607/0x890 [ 38.672062] [] sysenter_flags_fixed+0xd/0x17 [ 38.678176] [ 38.679777] Allocated by task 5096: [ 38.683372] [] save_stack_trace+0x26/0x50 [ 38.689267] [] save_stack+0x43/0xd0 [ 38.694640] [] kasan_kmalloc+0xad/0xe0 [ 38.700271] [] kmem_cache_alloc_trace+0x100/0x2b0 [ 38.706859] [] binder_get_thread+0x181/0x7a0 [ 38.713012] [] binder_poll+0x4a/0x210 [ 38.718548] [] SyS_epoll_ctl+0x10b1/0x2050 [ 38.724527] [] do_fast_syscall_32+0x314/0x890 [ 38.730778] [] sysenter_flags_fixed+0xd/0x17 [ 38.736941] [ 38.738545] Freed by task 5096: [ 38.741795] [] save_stack_trace+0x26/0x50 [ 38.747692] [] save_stack+0x43/0xd0 [ 38.753058] [] kasan_slab_free+0x72/0xc0 [ 38.758856] [] kfree+0xfc/0x300 [ 38.763916] [] binder_thread_dec_tmpref+0x1c1/0x250 [ 38.770673] [] binder_thread_release+0x27d/0x540 [ 38.777169] [] binder_ioctl+0xb94/0x12e0 [ 38.782970] [] compat_SyS_ioctl+0x28a/0x2540 [ 38.789124] [] do_fast_syscall_32+0x314/0x890 [ 38.795377] [] sysenter_flags_fixed+0xd/0x17 [ 38.801539] [ 38.803139] The buggy address belongs to the object at ffff8801d0597680 [ 38.803139] which belongs to the cache kmalloc-512 of size 512 [ 38.815763] The buggy address is located 184 bytes inside of [ 38.815763] 512-byte region [ffff8801d0597680, ffff8801d0597880) [ 38.827606] The buggy address belongs to the page: [ 38.854695] ------------[ cut here ]------------ [ 38.859488] WARNING: CPU: 1 PID: 0 
at kernel/locking/lockdep.c:973 __bfs+0x2c4/0x5d0() [ 38.867531] Kernel panic - not syncing: panic_on_warn set ... [ 38.867531] [ 38.874891] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.112-g5f6325b #21 [ 38.881901] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.891252] 0000000000000000 32f2e149404d814c ffff8801db3076b8 ffffffff81d0579d [ 38.899314] ffffffff83843200 ffff8801db307790 ffffffff83854fe0 0000000000000009 [ 38.907415] 00000000000003cd ffff8801db307780 ffffffff81419e6a 0000000041b58ab3 [ 38.915478] Call Trace: [ 38.918047] [] dump_stack+0xc1/0x124 [ 38.924166] [] panic+0x1aa/0x388 [ 38.929191] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 38.936121] [] ? pm_qos_get_value.part.4+0xb/0xb [ 38.942531] [] ? warn_slowpath_common+0x10a/0x140 [ 38.949026] [] warn_slowpath_common+0x125/0x140 [ 38.955346] [] ? __bfs+0x2c4/0x5d0 [ 38.960551] [] warn_slowpath_null+0x29/0x30 [ 38.966524] [] __bfs+0x2c4/0x5d0 [ 38.971542] [] ? noop_count+0x40/0x40 [ 38.976997] [] check_usage_forwards+0x174/0x310 [ 38.983321] [] ? print_shortest_lock_dependencies+0x360/0x360 [ 38.990860] [] ? dump_trace+0x14c/0x350 [ 38.996489] [] ? save_stack_trace+0x26/0x50 [ 39.002463] [] mark_lock+0x8b1/0xfd0 [ 39.007829] [] ? print_shortest_lock_dependencies+0x360/0x360 [ 39.015376] [] __lock_acquire+0x9b3/0x4b50 [ 39.021271] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 39.028297] [] lock_acquire+0x15e/0x460 [ 39.033925] [] ? try_to_wake_up+0x2c/0xf60 [ 39.039816] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 39.046137] [] ? try_to_wake_up+0x2c/0xf60 [ 39.052047] [] try_to_wake_up+0x2c/0xf60 [ 39.057764] [] ? __lock_is_held+0xa1/0xf0 [ 39.064725] [] wake_up_process+0x15/0x20 [ 39.070441] [] process_timeout+0x15/0x20 [ 39.076163] [] call_timer_fn+0x18b/0x860 [ 39.081882] [] ? call_timer_fn+0xdc/0x860 [ 39.087685] [] ? init_timer_key+0x360/0x360 [ 39.093661] [] ? process_timeout+0x20/0x20 [ 39.099548] [] ? _raw_spin_unlock_irq+0x27/0x50 [ 39.105867] [] ? 
init_timer_key+0x360/0x360 [ 39.111843] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 39.118686] [] ? init_timer_key+0x360/0x360 [ 39.124659] [] run_timer_softirq+0x604/0xbb0 [ 39.130721] [] ? msleep+0xe0/0xe0 [ 39.135833] [] __do_softirq+0x24d/0xa59 [ 39.141460] [] irq_exit+0x119/0x140 [ 39.146742] [] smp_apic_timer_interrupt+0x7b/0xa0 [ 39.153241] [] apic_timer_interrupt+0xa0/0xb0 [ 39.159378] [] ? native_safe_halt+0x6/0x10 [ 39.166018] [] ? trace_hardirqs_on+0xd/0x10 [ 39.171988] [] default_idle+0x55/0x3c0 [ 39.177530] [] arch_cpu_idle+0xa/0x10 [ 39.182989] [] default_idle_call+0x48/0x70 [ 39.188875] [] cpu_startup_entry+0x605/0x820 [ 39.194934] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 39.201777] [] ? call_cpuidle+0xe0/0xe0 [ 39.207406] [] ? clockevents_register_device+0x122/0x230 [ 39.214505] [] start_secondary+0x304/0x3e0 [ 39.220393] [] ? set_cpu_sibling_map+0x1040/0x1040 [ 40.354375] Shutting down cpus with NMI [ 40.358841] Dumping ftrace buffer: [ 40.362383] (ftrace buffer empty) [ 40.366063] Kernel Offset: disabled [ 40.369667] Rebooting in 86400 seconds..