[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 24.924214] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] .
[ 25.597058] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.935596] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.485954] random: sshd: uninitialized urandom read (32 bytes read)
[ 116.643942] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
[ 122.454685] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/27 19:37:40 parsed 1 programs
[ 124.156073] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/27 19:37:42 executed programs: 0
[ 125.207144] IPVS: ftp: loaded support on port[0] = 21
[ 125.422792] bridge0: port 1(bridge_slave_0) entered blocking state
[ 125.429245] bridge0: port 1(bridge_slave_0) entered disabled state
[ 125.436477] device bridge_slave_0 entered promiscuous mode
[ 125.453368] bridge0: port 2(bridge_slave_1) entered blocking state
[ 125.459837] bridge0: port 2(bridge_slave_1) entered disabled state
[ 125.467514] device bridge_slave_1 entered promiscuous mode
[ 125.485125] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 125.501741] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 125.546361] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 125.567536] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 125.634981] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 125.642231] team0: Port device team_slave_0 added
[ 125.657720] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 125.665266] team0: Port device team_slave_1 added
[ 125.680979] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 125.699861] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 125.717882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 125.735974] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 125.864449] bridge0: port 2(bridge_slave_1) entered blocking state
[ 125.870893] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 125.877913] bridge0: port 1(bridge_slave_0) entered blocking state
[ 125.884299] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 126.337939] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 126.344070] 8021q: adding VLAN 0 to HW filter on device bond0
[ 126.373609] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 126.394999] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 126.440334] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 126.446525] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 126.454317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 126.493447] 8021q: adding VLAN 0 to HW filter on device team0
[ 126.856817]
[ 126.858467] =====================================
[ 126.863292] WARNING: bad unlock balance detected!
[ 126.868169] 4.19.0-rc1+ #114 Not tainted
[ 126.872211] -------------------------------------
[ 126.877029] syz-executor0/4824 is trying to release lock (&file->mut) at:
[ 126.883943] [] ucma_destroy_id+0x2cb/0x550
[ 126.889714] but there are no more locks to release!
[ 126.894705]
[ 126.894705] other info that might help us debug this:
[ 126.901391] 1 lock held by syz-executor0/4824:
[ 126.905956]  #0: 000000005eccfa39 (&file->mut){+.+.}, at: ucma_destroy_id+0x26b/0x550
[ 126.913920]
[ 126.913920] stack backtrace:
[ 126.918396] CPU: 1 PID: 4824 Comm: syz-executor0 Not tainted 4.19.0-rc1+ #114
[ 126.925644] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 126.934972] Call Trace:
[ 126.937545]  dump_stack+0x1c9/0x2b4
[ 126.941152]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 126.946380]  ? vprintk_func+0x81/0x117
[ 126.950296]  ? ucma_destroy_id+0x2cb/0x550
[ 126.954517]  print_unlock_imbalance_bug.cold.49+0xcc/0xd8
[ 126.960032]  lock_release+0x76e/0x9f0
[ 126.963819]  ? ucma_destroy_id+0x2cb/0x550
[ 126.968035]  ? lock_downgrade+0x8f0/0x8f0
[ 126.972162]  ? radix_tree_descend+0x2e0/0x2e0
[ 126.976640]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 126.982157]  ? node_tag_set+0xc4/0x160
[ 126.986043]  __mutex_unlock_slowpath+0x102/0x8c0
[ 126.990786]  ? wait_for_completion+0x8d0/0x8d0
[ 126.995349]  ? radix_tree_delete_item+0x188/0x350
[ 127.000171]  ? radix_tree_lookup+0x30/0x30
[ 127.004387]  mutex_unlock+0xd/0x10
[ 127.007922]  ucma_destroy_id+0x2cb/0x550
[ 127.011969]  ? ucma_close+0x300/0x300
[ 127.015754]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 127.021270]  ? _copy_from_user+0xdf/0x150
[ 127.025394]  ? ucma_close+0x300/0x300
[ 127.029173]  ucma_write+0x336/0x420
[ 127.032792]  ? ucma_close_id+0x60/0x60
[ 127.036662]  ? kasan_check_read+0x11/0x20
[ 127.040790]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 127.045178]  __vfs_write+0x117/0x9d0
[ 127.048872]  ? __fget_light+0x2f7/0x440
[ 127.052822]  ? ucma_close_id+0x60/0x60
[ 127.056764]  ? kernel_read+0x120/0x120
[ 127.060639]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 127.065030]  ? kmem_cache_free+0xa0/0x280
[ 127.069174]  ? kasan_check_read+0x11/0x20
[ 127.073330]  ? rcu_is_watching+0x8c/0x150
[ 127.077454]  ? trace_hardirqs_on+0xbd/0x2c0
[ 127.081756]  ? rcu_pm_notify+0xc0/0xc0
[ 127.085626]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 127.091160]  ? security_file_permission+0x1c2/0x230
[ 127.096159]  ? rw_verify_area+0x118/0x360
[ 127.100286]  vfs_write+0x1fc/0x560
[ 127.103807]  ksys_write+0x101/0x260
[ 127.107414]  ? __ia32_sys_read+0xb0/0xb0
[ 127.111457]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 127.116541]  __ia32_sys_write+0x71/0xb0
[ 127.120515]  do_fast_syscall_32+0x34d/0xfb2
[ 127.124830]  ? do_int80_syscall_32+0x890/0x890
[ 127.129397]  ? entry_SYSENTER_compat+0x68/0x7f
[ 127.134022]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[ 127.139029]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 127.143854]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 127.148878]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 127.153881]  ? recalc_sigpending_tsk+0x180/0x180
[ 127.158647]  ? kasan_check_write+0x14/0x20
[ 127.162870]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 127.167802]  entry_SYSENTER_compat+0x70/0x7f
[ 127.172204] RIP: 0023:0xf7fb4ca9
[ 127.175556] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 127.194454] RSP: 002b:00000000f7f8f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[ 127.202145] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000480
[ 127.209409] RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000
[ 127.216660] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 127.223910] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 127.231163] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 127.239252] ==================================================================
[ 127.246630] BUG: KASAN: use-after-free in ucma_destroy_id+0x524/0x550
[ 127.253193] Read of size 8 at addr ffff8801d9722d68 by task syz-executor0/4824
[ 127.260529]
[ 127.262144] CPU: 1 PID: 4824 Comm: syz-executor0 Not tainted 4.19.0-rc1+ #114
[ 127.269560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 127.278897] Call Trace:
[ 127.281472]  dump_stack+0x1c9/0x2b4
[ 127.285080]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 127.290251]  ? printk+0xa7/0xcf
[ 127.293509]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 127.298246]  ? ucma_destroy_id+0x524/0x550
[ 127.302459]  print_address_description+0x6c/0x20b
[ 127.307280]  ? ucma_destroy_id+0x524/0x550
[ 127.311493]  kasan_report.cold.7+0x242/0x30d
[ 127.315883]  __asan_report_load8_noabort+0x14/0x20
[ 127.320790]  ucma_destroy_id+0x524/0x550
[ 127.324830]  ? ucma_close+0x300/0x300
[ 127.328618]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 127.334216]  ? _copy_from_user+0xdf/0x150
[ 127.338350]  ? ucma_close+0x300/0x300
[ 127.342129]  ucma_write+0x336/0x420
[ 127.345735]  ? ucma_close_id+0x60/0x60
[ 127.349601]  ? kasan_check_read+0x11/0x20
[ 127.353727]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 127.358116]  __vfs_write+0x117/0x9d0
[ 127.361813]  ? __fget_light+0x2f7/0x440
[ 127.365767]  ? ucma_close_id+0x60/0x60
[ 127.369635]  ? kernel_read+0x120/0x120
[ 127.373503]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 127.377906]  ? kmem_cache_free+0xa0/0x280
[ 127.382033]  ? kasan_check_read+0x11/0x20
[ 127.386160]  ? rcu_is_watching+0x8c/0x150
[ 127.390289]  ? trace_hardirqs_on+0xbd/0x2c0
[ 127.394588]  ? rcu_pm_notify+0xc0/0xc0
[ 127.398466]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 127.404000]  ? security_file_permission+0x1c2/0x230
[ 127.408998]  ? rw_verify_area+0x118/0x360
[ 127.413127]  vfs_write+0x1fc/0x560
[ 127.416657]  ksys_write+0x101/0x260
[ 127.420263]  ? __ia32_sys_read+0xb0/0xb0
[ 127.424315]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 127.429399]  __ia32_sys_write+0x71/0xb0
[ 127.433354]  do_fast_syscall_32+0x34d/0xfb2
[ 127.437657]  ? do_int80_syscall_32+0x890/0x890
[ 127.442288]  ? entry_SYSENTER_compat+0x68/0x7f
[ 127.446859]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[ 127.451852]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 127.456671]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 127.461668]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 127.466674]  ? recalc_sigpending_tsk+0x180/0x180
[ 127.471408]  ? kasan_check_write+0x14/0x20
[ 127.475624]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 127.480455]  entry_SYSENTER_compat+0x70/0x7f
[ 127.484843] RIP: 0023:0xf7fb4ca9
[ 127.488190] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 127.507073] RSP: 002b:00000000f7f8f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[ 127.514760] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000480
[ 127.522013] RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000
[ 127.529258] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 127.536531] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 127.543782] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 127.551034]
[ 127.552638] Allocated by task 4820:
[ 127.556245]  save_stack+0x43/0xd0
[ 127.559700]  kasan_kmalloc+0xc4/0xe0
[ 127.563390]  kmem_cache_alloc_trace+0x152/0x730
[ 127.568039]  ucma_alloc_ctx+0xd5/0x670
[ 127.571903]  ucma_create_id+0x276/0x9d0
[ 127.575853]  ucma_write+0x336/0x420
[ 127.579569]  __vfs_write+0x117/0x9d0
[ 127.583278]  vfs_write+0x1fc/0x560
[ 127.586809]  ksys_write+0x101/0x260
[ 127.590414]  __ia32_sys_write+0x71/0xb0
[ 127.594366]  do_fast_syscall_32+0x34d/0xfb2
[ 127.598666]  entry_SYSENTER_compat+0x70/0x7f
[ 127.603044]
[ 127.604646] Freed by task 4819:
[ 127.607904]  save_stack+0x43/0xd0
[ 127.611342]  __kasan_slab_free+0x11a/0x170
[ 127.615556]  kasan_slab_free+0xe/0x10
[ 127.619351]  kfree+0xd9/0x210
[ 127.622453]  ucma_free_ctx+0x9e2/0xe20
[ 127.626319]  ucma_close+0x10d/0x300
[ 127.629935]  __fput+0x36e/0x8c0
[ 127.633240]  ____fput+0x15/0x20
[ 127.636507]  task_work_run+0x1e8/0x2a0
[ 127.640375]  exit_to_usermode_loop+0x318/0x380
[ 127.644934]  do_fast_syscall_32+0xcd5/0xfb2
[ 127.649232]  entry_SYSENTER_compat+0x70/0x7f
[ 127.653634]
[ 127.655237] The buggy address belongs to the object at ffff8801d9722d00
[ 127.655237]  which belongs to the cache kmalloc-256 of size 256
[ 127.667869] The buggy address is located 104 bytes inside of
[ 127.667869]  256-byte region [ffff8801d9722d00, ffff8801d9722e00)
[ 127.679716] The buggy address belongs to the page:
[ 127.684732] page:ffffea000765c880 count:1 mapcount:0 mapping:ffff8801dac007c0 index:0x0
[ 127.692862] flags: 0x2fffc0000000100(slab)
[ 127.697089] raw: 02fffc0000000100 ffffea000766cd08 ffffea000765bac8 ffff8801dac007c0
[ 127.704949] raw: 0000000000000000 ffff8801d9722080 000000010000000c 0000000000000000
[ 127.712803] page dumped because: kasan: bad access detected
[ 127.718486]
[ 127.720087] Memory state around the buggy address:
[ 127.725004]  ffff8801d9722c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.732339]  ffff8801d9722c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 127.739684] >ffff8801d9722d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.747019]                                                           ^
[ 127.753751]  ffff8801d9722d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.761090]  ffff8801d9722e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 127.768430] ==================================================================
[ 127.775828] Kernel panic - not syncing: panic_on_warn set ...
[ 127.775828]
[ 127.783203] CPU: 1 PID: 4824 Comm: syz-executor0 Tainted: G B 4.19.0-rc1+ #114
[ 127.791856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 127.801222] Call Trace:
[ 127.803799]  dump_stack+0x1c9/0x2b4
[ 127.807411]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 127.812586]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 127.817324]  panic+0x238/0x4e7
[ 127.820499]  ? add_taint.cold.5+0x16/0x16
[ 127.824652]  ? trace_hardirqs_on+0x9a/0x2c0
[ 127.828975]  ? trace_hardirqs_on+0xb4/0x2c0
[ 127.833322]  ? trace_hardirqs_on+0xb4/0x2c0
[ 127.837647]  ? trace_hardirqs_on+0x9a/0x2c0
[ 127.841953]  ? ucma_destroy_id+0x524/0x550
[ 127.846215]  kasan_end_report+0x47/0x4f
[ 127.850210]  kasan_report.cold.7+0x76/0x30d
[ 127.854525]  __asan_report_load8_noabort+0x14/0x20
[ 127.859457]  ucma_destroy_id+0x524/0x550
[ 127.863502]  ? ucma_close+0x300/0x300
[ 127.867291]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 127.872813]  ? _copy_from_user+0xdf/0x150
[ 127.876955]  ? ucma_close+0x300/0x300
[ 127.880758]  ucma_write+0x336/0x420
[ 127.884368]  ? ucma_close_id+0x60/0x60
[ 127.888250]  ? kasan_check_read+0x11/0x20
[ 127.892398]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 127.896798]  __vfs_write+0x117/0x9d0
[ 127.900509]  ? __fget_light+0x2f7/0x440
[ 127.904466]  ? ucma_close_id+0x60/0x60
[ 127.908339]  ? kernel_read+0x120/0x120
[ 127.912216]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 127.916655]  ? kmem_cache_free+0xa0/0x280
[ 127.920793]  ? kasan_check_read+0x11/0x20
[ 127.924928]  ? rcu_is_watching+0x8c/0x150
[ 127.929069]  ? trace_hardirqs_on+0xbd/0x2c0
[ 127.933377]  ? rcu_pm_notify+0xc0/0xc0
[ 127.937255]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 127.942777]  ? security_file_permission+0x1c2/0x230
[ 127.947777]  ? rw_verify_area+0x118/0x360
[ 127.951910]  vfs_write+0x1fc/0x560
[ 127.955447]  ksys_write+0x101/0x260
[ 127.959064]  ? __ia32_sys_read+0xb0/0xb0
[ 127.963107]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 127.968195]  __ia32_sys_write+0x71/0xb0
[ 127.972152]  do_fast_syscall_32+0x34d/0xfb2
[ 127.976457]  ? do_int80_syscall_32+0x890/0x890
[ 127.981078]  ? entry_SYSENTER_compat+0x68/0x7f
[ 127.985645]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[ 127.990645]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 127.995468]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 128.000467]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 128.005467]  ? recalc_sigpending_tsk+0x180/0x180
[ 128.010205]  ? kasan_check_write+0x14/0x20
[ 128.014423]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 128.019250]  entry_SYSENTER_compat+0x70/0x7f
[ 128.023647] RIP: 0023:0xf7fb4ca9
[ 128.027013] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 128.045897] RSP: 002b:00000000f7f8f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[ 128.053587] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000480
[ 128.060864] RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000
[ 128.068201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 128.075453] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 128.082707] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 128.090316] Dumping ftrace buffer:
[ 128.093845]    (ftrace buffer empty)
[ 128.097534] Kernel Offset: disabled
[ 128.101176] Rebooting in 86400 seconds..