[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.353181] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.640407] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.924153] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.671250] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.821174] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts.
[ 30.199973] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/21 07:43:34 parsed 1 programs
2018/05/21 07:43:34 executed programs: 0
[ 30.704933] IPVS: ftp: loaded support on port[0] = 21
[ 30.825353] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.831783] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.839105] device bridge_slave_0 entered promiscuous mode
[ 30.855793] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.862178] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.869284] device bridge_slave_1 entered promiscuous mode
[ 30.884095] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 30.900084] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 30.939411] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.956598] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 31.015656] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 31.022865] team0: Port device team_slave_0 added
[ 31.036796] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 31.043938] team0: Port device team_slave_1 added
[ 31.059520] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 31.075619] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 31.092125] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 31.109008] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 31.186124] ip (4633) used greatest stack depth: 16120 bytes left
[ 31.221378] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.227799] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 31.234701] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.241079] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 31.633460] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 31.639563] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.681199] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 31.722985] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.731078] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 31.767807] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 31.773917] 8021q: adding VLAN 0 to HW filter on device team0
[ 31.780706] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 32.099962] ==================================================================
[ 32.107469] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe7/0xf3
[ 32.114472] Read of size 8 at addr ffff8801d69b2ce0 by task syz-executor0/4836
[ 32.121815]
[ 32.123426] CPU: 0 PID: 4836 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #86
[ 32.130595] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.139932] Call Trace:
[ 32.142505] dump_stack+0x1b9/0x294
[ 32.146116] ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.151284] ? printk+0x9e/0xba
[ 32.154546] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 32.159288] ? kasan_check_write+0x14/0x20
[ 32.163506] print_address_description+0x6c/0x20b
[ 32.168328] ? __list_del_entry_valid+0xe7/0xf3
[ 32.172978] kasan_report.cold.7+0x242/0x2fe
[ 32.177369] __asan_report_load8_noabort+0x14/0x20
[ 32.182276] __list_del_entry_valid+0xe7/0xf3
[ 32.186757] cma_cancel_operation+0x457/0xe90
[ 32.191244] ? finish_task_switch+0x28b/0x840
[ 32.195735] ? find_held_lock+0x36/0x1c0
[ 32.199776] ? rdma_destroy_id+0xe50/0xe50
[ 32.203993] ? lock_downgrade+0x8e0/0x8e0
[ 32.208130] ? kasan_check_read+0x11/0x20
[ 32.212278] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.216680] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.221246] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.226336] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.231343] rdma_destroy_id+0xff/0xe50
[ 32.235301] ? cma_release_dev+0x370/0x370
[ 32.239520] ? radix_tree_delete_item+0x14d/0x2d0
[ 32.244341] ? rcu_is_watching+0x85/0x140
[ 32.248468] ? radix_tree_lookup+0x30/0x30
[ 32.252689] ucma_close+0x100/0x300
[ 32.256296] ? ucma_free_ctx+0xdf0/0xdf0
[ 32.260336] __fput+0x34d/0x890
[ 32.263595] ? fput+0x1a0/0x1a0
[ 32.266859] ? check_same_owner+0x320/0x320
[ 32.271160] ? _raw_spin_unlock_irq+0x27/0x70
[ 32.275639] ____fput+0x15/0x20
[ 32.278898] task_work_run+0x1e4/0x290
[ 32.282775] ? task_work_cancel+0x240/0x240
[ 32.287088] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.292621] ? switch_task_namespaces+0xa2/0xd0
[ 32.297274] do_exit+0x1aee/0x2730
[ 32.300796] ? mm_update_next_owner+0x980/0x980
[ 32.305452] ? print_usage_bug+0xc0/0xc0
[ 32.309494] ? graph_lock+0x170/0x170
[ 32.313275] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.317664] ? rcu_note_context_switch+0x710/0x710
[ 32.322577] ? lock_acquire+0x1dc/0x520
[ 32.326534] ? __might_sleep+0x95/0x190
[ 32.330489] ? __lock_acquire+0x7f5/0x5140
[ 32.334705] ? lock_downgrade+0x8e0/0x8e0
[ 32.338840] ? debug_check_no_locks_freed+0x310/0x310
[ 32.344016] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.348413] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.352985] ? kasan_check_write+0x14/0x20
[ 32.357207] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 32.362380] ? drop_futex_key_refs.isra.13+0x6d/0xe0
[ 32.367462] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.372978] ? futex_wait+0x5c1/0x9f0
[ 32.376761] ? futex_wait_setup+0x400/0x400
[ 32.381069] ? graph_lock+0x170/0x170
[ 32.384864] ? memset+0x31/0x40
[ 32.388126] ? find_held_lock+0x36/0x1c0
[ 32.392175] ? lock_downgrade+0x8e0/0x8e0
[ 32.396308] do_group_exit+0x16f/0x430
[ 32.400178] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.404743] ? __ia32_sys_exit+0x50/0x50
[ 32.408795] ? _raw_spin_unlock_irq+0x27/0x70
[ 32.413272] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.418274] get_signal+0x886/0x1960
[ 32.421980] ? ptrace_notify+0x130/0x130
[ 32.426036] ? __schedule+0x809/0x1e30
[ 32.429905] ? _copy_from_user+0xdf/0x150
[ 32.434048] ? __sched_text_start+0x8/0x8
[ 32.438179] ? ucma_close_id+0x60/0x60
[ 32.442061] ? expand_files.part.8+0x9a0/0x9a0
[ 32.446627] do_signal+0x98/0x2040
[ 32.450148] ? __vfs_write+0x113/0x960
[ 32.454021] ? __fget_light+0x2ef/0x430
[ 32.457983] ? ucma_close_id+0x60/0x60
[ 32.461853] ? kernel_read+0x120/0x120
[ 32.465725] ? setup_sigcontext+0x7d0/0x7d0
[ 32.470039] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.475555] ? fsnotify+0x415/0xfc0
[ 32.479177] ? schedule+0xef/0x430
[ 32.482713] ? fsnotify+0xfc0/0xfc0
[ 32.486322] ? __schedule+0x1e30/0x1e30
[ 32.490282] ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 32.495191] ? exit_to_usermode_loop+0x87/0x310
[ 32.499846] exit_to_usermode_loop+0x28a/0x310
[ 32.504408] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.509233] ? __ia32_compat_sys_vmsplice+0x226/0x270
[ 32.514403] ? do_fast_syscall_32+0x148/0xf9b
[ 32.518881] do_fast_syscall_32+0xcc3/0xf9b
[ 32.523183] ? do_int80_syscall_32+0x880/0x880
[ 32.527750] ? kasan_check_write+0x14/0x20
[ 32.531966] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.537483] ? syscall_return_slowpath+0x30f/0x5c0
[ 32.542393] ? sysret32_from_system_call+0x5/0x46
[ 32.547217] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.552053] entry_SYSENTER_compat+0x70/0x7f
[ 32.556443] RIP: 0023:0xf7f26cb9
[ 32.559784] RSP: 002b:00000000f7f0110c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[ 32.567471] RAX: fffffffffffffe00 RBX: 000000000814af94 RCX: 0000000000000000
[ 32.574727] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 32.581977] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 32.589228] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 32.596484] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 32.603754]
[ 32.605360] Allocated by task 4833:
[ 32.609704] save_stack+0x43/0xd0
[ 32.613136] kasan_kmalloc+0xc4/0xe0
[ 32.616828] kmem_cache_alloc_trace+0x152/0x780
[ 32.621477] __rdma_create_id+0xd7/0x710
[ 32.625517] ucma_create_id+0x385/0x9b0
[ 32.629480] ucma_write+0x328/0x410
[ 32.633093] __vfs_write+0x10b/0x960
[ 32.636783] vfs_write+0x1f8/0x560
[ 32.640300] ksys_write+0xf9/0x250
[ 32.643825] __ia32_sys_write+0x71/0xb0
[ 32.647777] do_fast_syscall_32+0x345/0xf9b
[ 32.652081] entry_SYSENTER_compat+0x70/0x7f
[ 32.656463]
[ 32.658067] Freed by task 4836:
[ 32.661324] save_stack+0x43/0xd0
[ 32.664760] __kasan_slab_free+0x11a/0x170
[ 32.668974] kasan_slab_free+0xe/0x10
[ 32.672766] kfree+0xd9/0x260
[ 32.675853] rdma_destroy_id+0x8c5/0xe50
[ 32.679893] ucma_close+0x100/0x300
[ 32.683496] __fput+0x34d/0x890
[ 32.686756] ____fput+0x15/0x20
[ 32.690022] task_work_run+0x1e4/0x290
[ 32.693895] do_exit+0x1aee/0x2730
[ 32.697413] do_group_exit+0x16f/0x430
[ 32.701278] get_signal+0x886/0x1960
[ 32.704970] do_signal+0x98/0x2040
[ 32.708488] exit_to_usermode_loop+0x28a/0x310
[ 32.713048] do_fast_syscall_32+0xcc3/0xf9b
[ 32.717350] entry_SYSENTER_compat+0x70/0x7f
[ 32.721729]
[ 32.723336] The buggy address belongs to the object at ffff8801d69b2b00
[ 32.723336]  which belongs to the cache kmalloc-2048 of size 2048
[ 32.736155] The buggy address is located 480 bytes inside of
[ 32.736155]  2048-byte region [ffff8801d69b2b00, ffff8801d69b3300)
[ 32.748114] The buggy address belongs to the page:
[ 32.753037] page:ffffea00075a6c80 count:1 mapcount:0 mapping:ffff8801d69b2280 index:0x0 compound_mapcount: 0
[ 32.762987] flags: 0x2fffc0000008100(slab|head)
[ 32.767639] raw: 02fffc0000008100 ffff8801d69b2280 0000000000000000 0000000100000003
[ 32.775499] raw: ffffea0006abd220 ffffea000765e7a0 ffff8801da800c40 0000000000000000
[ 32.783352] page dumped because: kasan: bad access detected
[ 32.789042]
[ 32.790646] Memory state around the buggy address:
[ 32.795551]  ffff8801d69b2b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.802893]  ffff8801d69b2c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.810493] >ffff8801d69b2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.817829]                                                        ^
[ 32.824300]  ffff8801d69b2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.831639]  ffff8801d69b2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.838974] ==================================================================
[ 32.846313] Disabling lock debugging due to kernel taint
[ 32.853796] Kernel panic - not syncing: panic_on_warn set ...
[ 32.853796]
[ 32.861172] CPU: 0 PID: 4836 Comm: syz-executor0 Tainted: G B 4.17.0-rc6+ #86
[ 32.869742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.879073] Call Trace:
[ 32.881643] dump_stack+0x1b9/0x294
[ 32.885251] ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.890427] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.895169] ? __list_del_entry_valid+0xe0/0xf3
[ 32.899821] panic+0x22f/0x4de
[ 32.902991] ? add_taint.cold.5+0x16/0x16
[ 32.907123] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.911511] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.915906] ? __list_del_entry_valid+0xe7/0xf3
[ 32.920567] kasan_end_report+0x47/0x4f
[ 32.924527] kasan_report.cold.7+0x76/0x2fe
[ 32.928835] __asan_report_load8_noabort+0x14/0x20
[ 32.933745] __list_del_entry_valid+0xe7/0xf3
[ 32.938222] cma_cancel_operation+0x457/0xe90
[ 32.942698] ? finish_task_switch+0x28b/0x840
[ 32.947171] ? find_held_lock+0x36/0x1c0
[ 32.951212] ? rdma_destroy_id+0xe50/0xe50
[ 32.955426] ? lock_downgrade+0x8e0/0x8e0
[ 32.959555] ? kasan_check_read+0x11/0x20
[ 32.963687] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.968073] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.972635] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.977717] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.982711] rdma_destroy_id+0xff/0xe50
[ 32.986667] ? cma_release_dev+0x370/0x370
[ 32.990881] ? radix_tree_delete_item+0x14d/0x2d0
[ 32.995702] ? rcu_is_watching+0x85/0x140
[ 32.999829] ? radix_tree_lookup+0x30/0x30
[ 33.004047] ucma_close+0x100/0x300
[ 33.007654] ? ucma_free_ctx+0xdf0/0xdf0
[ 33.011696] __fput+0x34d/0x890
[ 33.014952] ? fput+0x1a0/0x1a0
[ 33.018213] ? check_same_owner+0x320/0x320
[ 33.022514] ? _raw_spin_unlock_irq+0x27/0x70
[ 33.026986] ____fput+0x15/0x20
[ 33.030253] task_work_run+0x1e4/0x290
[ 33.034122] ? task_work_cancel+0x240/0x240
[ 33.038423] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.043940] ? switch_task_namespaces+0xa2/0xd0
[ 33.048596] do_exit+0x1aee/0x2730
[ 33.052137] ? mm_update_next_owner+0x980/0x980
[ 33.056786] ? print_usage_bug+0xc0/0xc0
[ 33.060829] ? graph_lock+0x170/0x170
[ 33.064606] ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.068992] ? rcu_note_context_switch+0x710/0x710
[ 33.073902] ? lock_acquire+0x1dc/0x520
[ 33.077853] ? __might_sleep+0x95/0x190
[ 33.081809] ? __lock_acquire+0x7f5/0x5140
[ 33.086030] ? lock_downgrade+0x8e0/0x8e0
[ 33.090159] ? debug_check_no_locks_freed+0x310/0x310
[ 33.095334] ? do_raw_spin_unlock+0x9e/0x2e0
[ 33.099721] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 33.104283] ? kasan_check_write+0x14/0x20
[ 33.108497] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 33.113667] ? drop_futex_key_refs.isra.13+0x6d/0xe0
[ 33.118746] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.124269] ? futex_wait+0x5c1/0x9f0
[ 33.128056] ? futex_wait_setup+0x400/0x400
[ 33.132360] ? graph_lock+0x170/0x170
[ 33.136143] ? memset+0x31/0x40
[ 33.139400] ? find_held_lock+0x36/0x1c0
[ 33.143441] ? lock_downgrade+0x8e0/0x8e0
[ 33.147566] do_group_exit+0x16f/0x430
[ 33.151430] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 33.155989] ? __ia32_sys_exit+0x50/0x50
[ 33.160035] ? _raw_spin_unlock_irq+0x27/0x70
[ 33.164506] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.169499] get_signal+0x886/0x1960
[ 33.173191] ? ptrace_notify+0x130/0x130
[ 33.177232] ? __schedule+0x809/0x1e30
[ 33.181098] ? _copy_from_user+0xdf/0x150
[ 33.185243] ? __sched_text_start+0x8/0x8
[ 33.189417] ? ucma_close_id+0x60/0x60
[ 33.193298] ? expand_files.part.8+0x9a0/0x9a0
[ 33.197861] do_signal+0x98/0x2040
[ 33.201377] ? __vfs_write+0x113/0x960
[ 33.205240] ? __fget_light+0x2ef/0x430
[ 33.209192] ? ucma_close_id+0x60/0x60
[ 33.213054] ? kernel_read+0x120/0x120
[ 33.216919] ? setup_sigcontext+0x7d0/0x7d0
[ 33.221217] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.226732] ? fsnotify+0x415/0xfc0
[ 33.230336] ? schedule+0xef/0x430
[ 33.233850] ? fsnotify+0xfc0/0xfc0
[ 33.237454] ? __schedule+0x1e30/0x1e30
[ 33.241410] ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 33.246317] ? exit_to_usermode_loop+0x87/0x310
[ 33.250968] exit_to_usermode_loop+0x28a/0x310
[ 33.255530] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 33.260352] ? __ia32_compat_sys_vmsplice+0x226/0x270
[ 33.265521] ? do_fast_syscall_32+0x148/0xf9b
[ 33.269996] do_fast_syscall_32+0xcc3/0xf9b
[ 33.274300] ? do_int80_syscall_32+0x880/0x880
[ 33.278860] ? kasan_check_write+0x14/0x20
[ 33.283076] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.288590] ? syscall_return_slowpath+0x30f/0x5c0
[ 33.293498] ? sysret32_from_system_call+0x5/0x46
[ 33.298320] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.303141] entry_SYSENTER_compat+0x70/0x7f
[ 33.307526] RIP: 0023:0xf7f26cb9
[ 33.310866] RSP: 002b:00000000f7f0110c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
[ 33.318560] RAX: fffffffffffffe00 RBX: 000000000814af94 RCX: 0000000000000000
[ 33.325806] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 33.333053] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 33.340300] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[ 33.347546] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 33.354836] Dumping ftrace buffer:
[ 33.358348] (ftrace buffer empty)
[ 33.362031] Kernel Offset: disabled
[ 33.365639] Rebooting in 86400 seconds..