[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   25.468182] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   29.592908] random: sshd: uninitialized urandom read (32 bytes read)
[   29.959381] random: sshd: uninitialized urandom read (32 bytes read)
[   30.617884] random: sshd: uninitialized urandom read (32 bytes read)
[   49.291848] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.57' (ECDSA) to the list of known hosts.
[   54.920861] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/10 05:11:40 parsed 1 programs
[   56.601617] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/10 05:11:42 executed programs: 0
[   57.978247] IPVS: ftp: loaded support on port[0] = 21
[   58.092232] ip (5360) used greatest stack depth: 16808 bytes left
[   58.227989] bridge0: port 1(bridge_slave_0) entered blocking state
[   58.234684] bridge0: port 1(bridge_slave_0) entered disabled state
[   58.242189] device bridge_slave_0 entered promiscuous mode
[   58.260468] bridge0: port 2(bridge_slave_1) entered blocking state
[   58.266958] bridge0: port 2(bridge_slave_1) entered disabled state
[   58.274166] device bridge_slave_1 entered promiscuous mode
[   58.292373] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   58.309689] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   58.359293] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   58.379150] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   58.454372] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   58.461717] team0: Port device team_slave_0 added
[   58.479084] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   58.486573] team0: Port device team_slave_1 added
[   58.503830] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   58.524312] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   58.543795] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   58.563593] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   58.618877] ip (5422) used greatest stack depth: 16600 bytes left
[   58.666475] ip (5430) used greatest stack depth: 16520 bytes left
[   58.709952] bridge0: port 2(bridge_slave_1) entered blocking state
[   58.716562] bridge0: port 2(bridge_slave_1) entered forwarding state
[   58.723518] bridge0: port 1(bridge_slave_0) entered blocking state
[   58.729859] bridge0: port 1(bridge_slave_0) entered forwarding state
[   59.245983] 8021q: adding VLAN 0 to HW filter on device bond0
[   59.299023] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   59.350549] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   59.357070] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   59.365356] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   59.411003] 8021q: adding VLAN 0 to HW filter on device team0
[   59.791362] hrtimer: interrupt took 37351 ns
2018/09/10 05:11:47 executed programs: 52
2018/09/10 05:11:52 executed programs: 133
2018/09/10 05:11:57 executed programs: 225
[   74.349829] ==================================================================
[   74.357410] BUG: KASAN: use-after-free in ucma_put_ctx+0x1d/0x60
[   74.363568] Write of size 4 at addr ffff8801c1eaeed8 by task syz-executor0/7799
[   74.371004] 
[   74.372641] CPU: 0 PID: 7799 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #133
[   74.379911] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.389258] Call Trace:
[   74.391875]  dump_stack+0x1c4/0x2b4
[   74.395522]  ? dump_stack_print_info.cold.2+0x52/0x52
[   74.400718]  ? printk+0xa7/0xcf
[   74.404004]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   74.408760]  print_address_description.cold.8+0x9/0x1ff
[   74.414131]  kasan_report.cold.9+0x242/0x309
[   74.418538]  ? ucma_put_ctx+0x1d/0x60
[   74.422365]  check_memory_region+0x13e/0x1b0
[   74.426782]  kasan_check_write+0x14/0x20
[   74.430845]  ucma_put_ctx+0x1d/0x60
[   74.434496]  ucma_resolve_ip+0x24d/0x2a0
[   74.438567]  ? ucma_query+0xb20/0xb20
[   74.442408]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   74.447966]  ? _copy_from_user+0xdf/0x150
[   74.452121]  ? ucma_query+0xb20/0xb20
[   74.455929]  ucma_write+0x336/0x420
[   74.459563]  ? ucma_close_id+0x60/0x60
[   74.463457]  ? trace_hardirqs_on_caller+0xc0/0x310
[   74.468402]  __vfs_write+0x119/0x9f0
[   74.472120]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   74.477054]  ? ucma_close_id+0x60/0x60
[   74.480942]  ? kernel_read+0x120/0x120
[   74.484834]  ? apparmor_path_rmdir+0x30/0x30
[   74.489252]  ? retint_kernel+0x2d/0x2d
[   74.493149]  ? fsnotify_first_mark+0x350/0x350
[   74.497741]  ? apparmor_file_permission+0x24/0x30
[   74.502585]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   74.508129]  ? security_file_permission+0x1c2/0x230
[   74.513154]  ? rw_verify_area+0x118/0x360
[   74.517311]  vfs_write+0x1fc/0x560
[   74.520875]  ksys_write+0x101/0x260
[   74.524510]  ? __ia32_sys_read+0xb0/0xb0
[   74.528590]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   74.534052]  __ia32_sys_write+0x71/0xb0
[   74.538035]  do_fast_syscall_32+0x34d/0xfb2
[   74.542375]  ? do_int80_syscall_32+0x890/0x890
[   74.546962]  ? entry_SYSENTER_compat+0x68/0x7f
[   74.551550]  ? trace_hardirqs_off_caller+0xbb/0x310
[   74.556572]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   74.561418]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   74.566273]  ? trace_hardirqs_on_caller+0x310/0x310
[   74.571306]  ? prepare_exit_to_usermode+0x291/0x3b0
[   74.576369]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   74.581226]  entry_SYSENTER_compat+0x70/0x7f
[   74.585637] RIP: 0023:0xf7f51ca9
[   74.589008] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   74.607908] RSP: 002b:00000000f7f4d0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[   74.615615] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 0000000020000240
[   74.622883] RDX: 0000000000000048 RSI: 0000000000000000 RDI: 0000000000000000
[   74.630151] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   74.637418] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   74.644684] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   74.651965] 
[   74.653589] Allocated by task 7802:
[   74.657218]  save_stack+0x43/0xd0
[   74.660670]  kasan_kmalloc+0xc7/0xe0
[   74.664384]  kmem_cache_alloc_trace+0x152/0x750
[   74.669055]  ucma_alloc_ctx+0xce/0x690
[   74.672938]  ucma_create_id+0x27d/0x990
[   74.676908]  ucma_write+0x336/0x420
[   74.680544]  __vfs_write+0x119/0x9f0
[   74.684256]  vfs_write+0x1fc/0x560
[   74.687794]  ksys_write+0x101/0x260
[   74.691435]  __ia32_sys_write+0x71/0xb0
[   74.695412]  do_fast_syscall_32+0x34d/0xfb2
[   74.699746]  entry_SYSENTER_compat+0x70/0x7f
[   74.704147] 
[   74.705771] Freed by task 7798:
[   74.709048]  save_stack+0x43/0xd0
[   74.712505]  __kasan_slab_free+0x102/0x150
[   74.716742]  kasan_slab_free+0xe/0x10
[   74.720542]  kfree+0xcf/0x230
[   74.723652]  ucma_free_ctx+0x9e6/0xdb0
[   74.727540]  ucma_close+0x10d/0x300
[   74.731168]  __fput+0x385/0xa30
[   74.734449]  ____fput+0x15/0x20
[   74.737730]  task_work_run+0x1e8/0x2a0
[   74.741620]  exit_to_usermode_loop+0x318/0x380
[   74.746212]  do_fast_syscall_32+0xcd5/0xfb2
[   74.750532]  entry_SYSENTER_compat+0x70/0x7f
[   74.754928] 
[   74.756568] The buggy address belongs to the object at ffff8801c1eaee80
[   74.756568]  which belongs to the cache kmalloc-256 of size 256
[   74.769225] The buggy address is located 88 bytes inside of
[   74.769225]  256-byte region [ffff8801c1eaee80, ffff8801c1eaef80)
[   74.781008] The buggy address belongs to the page:
[   74.785939] page:ffffea000707ab80 count:1 mapcount:0 mapping:ffff8801da8007c0 index:0x0
[   74.794081] flags: 0x2fffc0000000100(slab)
[   74.798318] raw: 02fffc0000000100 ffffea00071e5548 ffff8801da801648 ffff8801da8007c0
[   74.806221] raw: 0000000000000000 ffff8801c1eae0c0 000000010000000c 0000000000000000
[   74.814097] page dumped because: kasan: bad access detected
[   74.819798] 
[   74.821429] Memory state around the buggy address:
[   74.826367]  ffff8801c1eaed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   74.833724]  ffff8801c1eaee00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   74.841093] >ffff8801c1eaee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.848446]                                                     ^
[   74.854677]  ffff8801c1eaef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.862032]  ffff8801c1eaef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.869383] ==================================================================
[   74.876732] Disabling lock debugging due to kernel taint
[   74.883999] Kernel panic - not syncing: panic_on_warn set ...
[   74.883999] 
[   74.891391] CPU: 0 PID: 7799 Comm: syz-executor0 Tainted: G    B             4.19.0-rc2+ #133
[   74.900039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.909388] Call Trace:
[   74.911978]  dump_stack+0x1c4/0x2b4
[   74.915594]  ? dump_stack_print_info.cold.2+0x52/0x52
[   74.920786]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   74.925532]  panic+0x238/0x4e7
[   74.928708]  ? add_taint.cold.5+0x16/0x16
[   74.932842]  ? preempt_schedule+0x4d/0x60
[   74.936978]  ? ___preempt_schedule+0x16/0x18
[   74.941380]  ? trace_hardirqs_on+0xb4/0x310
[   74.945716]  kasan_end_report+0x47/0x4f
[   74.949688]  kasan_report.cold.9+0x76/0x309
[   74.953996]  ? ucma_put_ctx+0x1d/0x60
[   74.957785]  check_memory_region+0x13e/0x1b0
[   74.962183]  kasan_check_write+0x14/0x20
[   74.966227]  ucma_put_ctx+0x1d/0x60
[   74.969842]  ucma_resolve_ip+0x24d/0x2a0
[   74.973931]  ? ucma_query+0xb20/0xb20
[   74.977732]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   74.983276]  ? _copy_from_user+0xdf/0x150
[   74.987417]  ? ucma_query+0xb20/0xb20
[   74.991200]  ucma_write+0x336/0x420
[   74.994813]  ? ucma_close_id+0x60/0x60
[   74.998685]  ? trace_hardirqs_on_caller+0xc0/0x310
[   75.003616]  __vfs_write+0x119/0x9f0
[   75.007348]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   75.012266]  ? ucma_close_id+0x60/0x60
[   75.016138]  ? kernel_read+0x120/0x120
[   75.020011]  ? apparmor_path_rmdir+0x30/0x30
[   75.024407]  ? retint_kernel+0x2d/0x2d
[   75.028280]  ? fsnotify_first_mark+0x350/0x350
[   75.032850]  ? apparmor_file_permission+0x24/0x30
[   75.037681]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   75.043221]  ? security_file_permission+0x1c2/0x230
[   75.048232]  ? rw_verify_area+0x118/0x360
[   75.052367]  vfs_write+0x1fc/0x560
[   75.055893]  ksys_write+0x101/0x260
[   75.059519]  ? __ia32_sys_read+0xb0/0xb0
[   75.063575]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   75.069053]  __ia32_sys_write+0x71/0xb0
[   75.073017]  do_fast_syscall_32+0x34d/0xfb2
[   75.077354]  ? do_int80_syscall_32+0x890/0x890
[   75.081928]  ? entry_SYSENTER_compat+0x68/0x7f
[   75.086494]  ? trace_hardirqs_off_caller+0xbb/0x310
[   75.091506]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   75.096353]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   75.101182]  ? trace_hardirqs_on_caller+0x310/0x310
[   75.106186]  ? prepare_exit_to_usermode+0x291/0x3b0
[   75.111188]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   75.116021]  entry_SYSENTER_compat+0x70/0x7f
[   75.120412] RIP: 0023:0xf7f51ca9
[   75.123764] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   75.142664] RSP: 002b:00000000f7f4d0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[   75.150356] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 0000000020000240
[   75.157611] RDX: 0000000000000048 RSI: 0000000000000000 RDI: 0000000000000000
[   75.164861] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   75.172137] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   75.179403] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   75.186995] Dumping ftrace buffer:
[   75.190529]    (ftrace buffer empty)
[   75.194763] Kernel Offset: disabled
[   75.198382] Rebooting in 86400 seconds..