[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 25.070397] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 28.133461] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.494103] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.141579] random: sshd: uninitialized urandom read (32 bytes read)
[ 107.197111] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[ 112.771211] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/12 13:11:11 parsed 1 programs
[ 113.997658] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/12 13:11:13 executed programs: 0
[ 115.786272] IPVS: ftp: loaded support on port[0] = 21
[ 115.902146] ip (5372) used greatest stack depth: 16104 bytes left
[ 116.029759] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.036675] bridge0: port 1(bridge_slave_0) entered disabled state
[ 116.044001] device bridge_slave_0 entered promiscuous mode
[ 116.061945] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.068406] bridge0: port 2(bridge_slave_1) entered disabled state
[ 116.075502] device bridge_slave_1 entered promiscuous mode
[ 116.093507] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 116.111170] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 116.159871] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 116.179641] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 116.254147] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 116.261660] team0: Port device team_slave_0 added
[ 116.278684] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 116.286219] team0: Port device team_slave_1 added
[ 116.303432] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 116.324079] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 116.343151] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 116.362940] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 116.506623] bridge0: port 2(bridge_slave_1) entered blocking state
[ 116.513366] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 116.520190] bridge0: port 1(bridge_slave_0) entered blocking state
[ 116.526983] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 117.038778] 8021q: adding VLAN 0 to HW filter on device bond0
[ 117.088910] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 117.140735] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 117.147223] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 117.155533] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 117.199793] 8021q: adding VLAN 0 to HW filter on device team0
[ 117.774256] ==================================================================
[ 117.783151] BUG: KASAN: use-after-free in __dev_map_entry_free+0x2ab/0x300
[ 117.790529] Read of size 8 at addr ffff8801ceb788c8 by task ksoftirqd/1/18
[ 117.797542]
[ 117.799170] CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc2+ #95
[ 117.806156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 117.815666] Call Trace:
[ 117.818258]  dump_stack+0x1c4/0x2b4
[ 117.821892]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 117.827933]  ? printk+0xa7/0xcf
[ 117.831218]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 117.835978]  print_address_description.cold.8+0x9/0x1ff
[ 117.841694]  kasan_report.cold.9+0x242/0x309
[ 117.846254]  ? __dev_map_entry_free+0x2ab/0x300
[ 117.851063]  __asan_report_load8_noabort+0x14/0x20
[ 117.856162]  __dev_map_entry_free+0x2ab/0x300
[ 117.860660]  ? dev_map_delete_elem+0x120/0x120
[ 117.865246]  rcu_process_callbacks+0xf23/0x2670
[ 117.870044]  ? __rcu_read_unlock+0x2f0/0x2f0
[ 117.874460]  ? lock_is_held_type+0x210/0x210
[ 117.878874]  ? pick_next_task_fair+0x98e/0x17c0
[ 117.883552]  ? finish_task_switch+0x1f5/0x900
[ 117.888047]  ? _raw_spin_unlock_irq+0x27/0x80
[ 117.892998]  ? _raw_spin_unlock_irq+0x27/0x80
[ 117.897696]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 117.902310]  ? trace_hardirqs_on+0xbd/0x310
[ 117.906781]  ? kasan_check_read+0x11/0x20
[ 117.911061]  ? finish_task_switch+0x1f5/0x900
[ 117.915558]  ? compat_start_thread+0x80/0x80
[ 117.920402]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.926498]  ? kasan_check_write+0x14/0x20
[ 117.931148]  ? finish_task_switch+0x2f5/0x900
[ 117.935952]  ? __switch_to_asm+0x40/0x70
[ 117.940020]  ? preempt_notifier_register+0x200/0x200
[ 117.945254]  ? __switch_to_asm+0x34/0x70
[ 117.949322]  ? __switch_to_asm+0x34/0x70
[ 117.953816]  ? __switch_to_asm+0x40/0x70
[ 117.958339]  ? __switch_to_asm+0x34/0x70
[ 117.962398]  ? __switch_to_asm+0x40/0x70
[ 117.966796]  ? __switch_to_asm+0x34/0x70
[ 117.971637]  ? __switch_to_asm+0x40/0x70
[ 117.975856]  ? __switch_to_asm+0x34/0x70
[ 117.980522]  ? pvclock_read_flags+0x160/0x160
[ 117.985530]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 117.991075]  ? check_preemption_disabled+0x48/0x200
[ 117.996255]  ? check_preemption_disabled+0x48/0x200
[ 118.001662]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[ 118.007338]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 118.012772]  ? rcu_pm_notify+0xc0/0xc0
[ 118.016668]  __do_softirq+0x30b/0xad8
[ 118.020608]  ? __irqentry_text_end+0x1f9618/0x1f9618
[ 118.025741]  ? schedule+0x108/0x460
[ 118.029375]  ? trace_hardirqs_off+0xb8/0x300
[ 118.033785]  ? ___might_sleep+0x1ed/0x300
[ 118.037929]  ? smpboot_thread_fn+0x68b/0xa00
[ 118.042475]  ? trace_hardirqs_on+0x310/0x310
[ 118.047259]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 118.053115]  ? check_preemption_disabled+0x48/0x200
[ 118.058376]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 118.064244]  ? takeover_tasklets+0xa90/0xa90
[ 118.068658]  run_ksoftirqd+0x94/0x100
[ 118.072643]  smpboot_thread_fn+0x68b/0xa00
[ 118.077040]  ? sort_range+0x30/0x30
[ 118.080815]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 118.086181]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 118.091904]  ? __kthread_parkme+0xfb/0x1a0
[ 118.096270]  kthread+0x35a/0x420
[ 118.099637]  ? sort_range+0x30/0x30
[ 118.103455]  ? kthread_bind+0x40/0x40
[ 118.107258]  ret_from_fork+0x3a/0x50
[ 118.110973]
[ 118.112595] Allocated by task 5692:
[ 118.116242]  save_stack+0x43/0xd0
[ 118.119689]  kasan_kmalloc+0xc7/0xe0
[ 118.123602]  kmem_cache_alloc_trace+0x152/0x750
[ 118.128448]  dev_map_alloc+0x210/0x810
[ 118.132488]  map_create+0x3bd/0x10f0
[ 118.136203]  __x64_sys_bpf+0x303/0x510
[ 118.140109]  do_syscall_64+0x1b9/0x820
[ 118.143998]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 118.149354]
[ 118.151073] Freed by task 14:
[ 118.154286]  save_stack+0x43/0xd0
[ 118.157774]  __kasan_slab_free+0x102/0x150
[ 118.162144]  kasan_slab_free+0xe/0x10
[ 118.165945]  kfree+0xcf/0x230
[ 118.169047]  dev_map_free+0x514/0x690
[ 118.172979]  bpf_map_free_deferred+0xba/0xf0
[ 118.177754]  process_one_work+0xc90/0x1b90
[ 118.182134]  worker_thread+0x17f/0x1390
[ 118.186108]  kthread+0x35a/0x420
[ 118.189473]  ret_from_fork+0x3a/0x50
[ 118.193800]
[ 118.195543] The buggy address belongs to the object at ffff8801ceb787c0
[ 118.195543]  which belongs to the cache kmalloc-512 of size 512
[ 118.209287] The buggy address is located 264 bytes inside of
[ 118.209287]  512-byte region [ffff8801ceb787c0, ffff8801ceb789c0)
[ 118.221669] The buggy address belongs to the page:
[ 118.226741] page:ffffea00073ade00 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 118.235137] flags: 0x2fffc0000000100(slab)
[ 118.239529] raw: 02fffc0000000100 ffffea0007384d88 ffffea0007386188 ffff8801da800940
[ 118.247744] raw: 0000000000000000 ffff8801ceb78040 0000000100000006 0000000000000000
[ 118.256047] page dumped because: kasan: bad access detected
[ 118.261905]
[ 118.263655] Memory state around the buggy address:
[ 118.268954]  ffff8801ceb78780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 118.276464]  ffff8801ceb78800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.283823] >ffff8801ceb78880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.291493]                                               ^
[ 118.297191]  ffff8801ceb78900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 118.305057]  ffff8801ceb78980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 118.312528] ==================================================================
[ 118.320240] Disabling lock debugging due to kernel taint
[ 118.326802] Kernel panic - not syncing: panic_on_warn set ...
[ 118.326802]
[ 118.334443] CPU: 1 PID: 18 Comm: ksoftirqd/1 Tainted: G B 4.19.0-rc2+ #95
[ 118.342838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 118.346487] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.352652] Call Trace:
[ 118.361666]  dump_stack+0x1c4/0x2b4
[ 118.362276] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.365291]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 118.365304]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 118.365314]  panic+0x238/0x4e7
[ 118.365321]  ? add_taint.cold.5+0x16/0x16
[ 118.365338]  ? trace_hardirqs_on+0xb4/0x310
[ 118.387699] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.388885]  kasan_end_report+0x47/0x4f
[ 118.393147] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.397449]  kasan_report.cold.9+0x76/0x309
[ 118.397459]  ? __dev_map_entry_free+0x2ab/0x300
[ 118.397467]  __asan_report_load8_noabort+0x14/0x20
[ 118.397474]  __dev_map_entry_free+0x2ab/0x300
[ 118.397481]  ? dev_map_delete_elem+0x120/0x120
[ 118.397493]  rcu_process_callbacks+0xf23/0x2670
[ 118.397506]  ? __rcu_read_unlock+0x2f0/0x2f0
[ 118.427870] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.432478]  ? lock_is_held_type+0x210/0x210
[ 118.438884] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.441804]  ? pick_next_task_fair+0x98e/0x17c0
[ 118.441822]  ? finish_task_switch+0x1f5/0x900
[ 118.460799] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.461973]  ? _raw_spin_unlock_irq+0x27/0x80
[ 118.473081] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.476082]  ? _raw_spin_unlock_irq+0x27/0x80
[ 118.476091]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 118.476100]  ? trace_hardirqs_on+0xbd/0x310
[ 118.476110]  ? kasan_check_read+0x11/0x20
[ 118.476123]  ? finish_task_switch+0x1f5/0x900
[ 118.500290] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.501525]  ? compat_start_thread+0x80/0x80
[ 118.508659] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.510942]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 118.510958]  ? kasan_check_write+0x14/0x20
[ 118.528641] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.531532]  ? finish_task_switch+0x2f5/0x900
[ 118.537515] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.545821]  ? __switch_to_asm+0x40/0x70
[ 118.545832]  ? preempt_notifier_register+0x200/0x200
[ 118.545838]  ? __switch_to_asm+0x34/0x70
[ 118.545845]  ? __switch_to_asm+0x34/0x70
[ 118.545851]  ? __switch_to_asm+0x40/0x70
[ 118.545862]  ? __switch_to_asm+0x34/0x70
[ 118.564382] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.566970]  ? __switch_to_asm+0x40/0x70
[ 118.577948] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.580460]  ? __switch_to_asm+0x34/0x70
[ 118.580467]  ? __switch_to_asm+0x40/0x70
[ 118.580478]  ? __switch_to_asm+0x34/0x70
[ 118.595509] cgroup: fork rejected by pids controller in
[ 118.598051]  ? pvclock_read_flags+0x160/0x160
[ 118.598066]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 118.602142] /syz0
[ 118.608667]  ? check_preemption_disabled+0x48/0x200
[ 118.622499]  ? check_preemption_disabled+0x48/0x200
[ 118.622521]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[ 118.631191] kobject: 'loop0' (000000004d5d105e): kobject_uevent_env
[ 118.634733]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 118.634748]  ? rcu_pm_notify+0xc0/0xc0
[ 118.634770]  __do_softirq+0x30b/0xad8
[ 118.634790]  ? __irqentry_text_end+0x1f9618/0x1f9618
[ 118.644808] kobject: 'loop0' (000000004d5d105e): fill_kobj_path: path = '/devices/virtual/block/loop0'
[ 118.650310]  ? schedule+0x108/0x460
[ 118.650331]  ? trace_hardirqs_off+0xb8/0x300
[ 118.712475]  ? ___might_sleep+0x1ed/0x300
[ 118.716624]  ? smpboot_thread_fn+0x68b/0xa00
[ 118.721029]  ? trace_hardirqs_on+0x310/0x310
[ 118.725437]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 118.730974]  ? check_preemption_disabled+0x48/0x200
[ 118.736047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 118.741661]  ? takeover_tasklets+0xa90/0xa90
[ 118.746247]  run_ksoftirqd+0x94/0x100
[ 118.750045]  smpboot_thread_fn+0x68b/0xa00
[ 118.754278]  ? sort_range+0x30/0x30
[ 118.757905]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 118.763006]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 118.768543]  ? __kthread_parkme+0xfb/0x1a0
[ 118.772777]  kthread+0x35a/0x420
[ 118.776217]  ? sort_range+0x30/0x30
[ 118.779846]  ? kthread_bind+0x40/0x40
[ 118.783643]  ret_from_fork+0x3a/0x50
[ 118.788551] Kernel Offset: disabled
[ 118.792187] Rebooting in 86400 seconds..