[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   24.924214] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   25.597058] random: sshd: uninitialized urandom read (32 bytes read)
[   25.935596] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.485954] random: sshd: uninitialized urandom read (32 bytes read)
[  116.643942] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
[  122.454685] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/27 19:37:40 parsed 1 programs
[  124.156073] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/27 19:37:42 executed programs: 0
[  125.207144] IPVS: ftp: loaded support on port[0] = 21
[  125.422792] bridge0: port 1(bridge_slave_0) entered blocking state
[  125.429245] bridge0: port 1(bridge_slave_0) entered disabled state
[  125.436477] device bridge_slave_0 entered promiscuous mode
[  125.453368] bridge0: port 2(bridge_slave_1) entered blocking state
[  125.459837] bridge0: port 2(bridge_slave_1) entered disabled state
[  125.467514] device bridge_slave_1 entered promiscuous mode
[  125.485125] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  125.501741] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  125.546361] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  125.567536] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  125.634981] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  125.642231] team0: Port device team_slave_0 added
[  125.657720] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  125.665266] team0: Port device team_slave_1 added
[  125.680979] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  125.699861] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  125.717882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  125.735974] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  125.864449] bridge0: port 2(bridge_slave_1) entered blocking state
[  125.870893] bridge0: port 2(bridge_slave_1) entered forwarding state
[  125.877913] bridge0: port 1(bridge_slave_0) entered blocking state
[  125.884299] bridge0: port 1(bridge_slave_0) entered forwarding state
[  126.337939] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  126.344070] 8021q: adding VLAN 0 to HW filter on device bond0
[  126.373609] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  126.394999] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  126.440334] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  126.446525] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  126.454317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  126.493447] 8021q: adding VLAN 0 to HW filter on device team0
[  126.856817] 
[  126.858467] =====================================
[  126.863292] WARNING: bad unlock balance detected!
[  126.868169] 4.19.0-rc1+ #114 Not tainted
[  126.872211] -------------------------------------
[  126.877029] syz-executor0/4824 is trying to release lock (&file->mut) at:
[  126.883943] [<ffffffff84c3796b>] ucma_destroy_id+0x2cb/0x550
[  126.889714] but there are no more locks to release!
[  126.894705] 
[  126.894705] other info that might help us debug this:
[  126.901391] 1 lock held by syz-executor0/4824:
[  126.905956]  #0: 000000005eccfa39 (&file->mut){+.+.}, at: ucma_destroy_id+0x26b/0x550
[  126.913920] 
[  126.913920] stack backtrace:
[  126.918396] CPU: 1 PID: 4824 Comm: syz-executor0 Not tainted 4.19.0-rc1+ #114
[  126.925644] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  126.934972] Call Trace:
[  126.937545]  dump_stack+0x1c9/0x2b4
[  126.941152]  ? dump_stack_print_info.cold.2+0x52/0x52
[  126.946380]  ? vprintk_func+0x81/0x117
[  126.950296]  ? ucma_destroy_id+0x2cb/0x550
[  126.954517]  print_unlock_imbalance_bug.cold.49+0xcc/0xd8
[  126.960032]  lock_release+0x76e/0x9f0
[  126.963819]  ? ucma_destroy_id+0x2cb/0x550
[  126.968035]  ? lock_downgrade+0x8f0/0x8f0
[  126.972162]  ? radix_tree_descend+0x2e0/0x2e0
[  126.976640]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  126.982157]  ? node_tag_set+0xc4/0x160
[  126.986043]  __mutex_unlock_slowpath+0x102/0x8c0
[  126.990786]  ? wait_for_completion+0x8d0/0x8d0
[  126.995349]  ? radix_tree_delete_item+0x188/0x350
[  127.000171]  ? radix_tree_lookup+0x30/0x30
[  127.004387]  mutex_unlock+0xd/0x10
[  127.007922]  ucma_destroy_id+0x2cb/0x550
[  127.011969]  ? ucma_close+0x300/0x300
[  127.015754]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  127.021270]  ? _copy_from_user+0xdf/0x150
[  127.025394]  ? ucma_close+0x300/0x300
[  127.029173]  ucma_write+0x336/0x420
[  127.032792]  ? ucma_close_id+0x60/0x60
[  127.036662]  ? kasan_check_read+0x11/0x20
[  127.040790]  ? do_raw_spin_unlock+0xa7/0x2f0
[  127.045178]  __vfs_write+0x117/0x9d0
[  127.048872]  ? __fget_light+0x2f7/0x440
[  127.052822]  ? ucma_close_id+0x60/0x60
[  127.056764]  ? kernel_read+0x120/0x120
[  127.060639]  ? trace_hardirqs_on+0x2c0/0x2c0
[  127.065030]  ? kmem_cache_free+0xa0/0x280
[  127.069174]  ? kasan_check_read+0x11/0x20
[  127.073330]  ? rcu_is_watching+0x8c/0x150
[  127.077454]  ? trace_hardirqs_on+0xbd/0x2c0
[  127.081756]  ? rcu_pm_notify+0xc0/0xc0
[  127.085626]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  127.091160]  ? security_file_permission+0x1c2/0x230
[  127.096159]  ? rw_verify_area+0x118/0x360
[  127.100286]  vfs_write+0x1fc/0x560
[  127.103807]  ksys_write+0x101/0x260
[  127.107414]  ? __ia32_sys_read+0xb0/0xb0
[  127.111457]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[  127.116541]  __ia32_sys_write+0x71/0xb0
[  127.120515]  do_fast_syscall_32+0x34d/0xfb2
[  127.124830]  ? do_int80_syscall_32+0x890/0x890
[  127.129397]  ? entry_SYSENTER_compat+0x68/0x7f
[  127.134022]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[  127.139029]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  127.143854]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[  127.148878]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  127.153881]  ? recalc_sigpending_tsk+0x180/0x180
[  127.158647]  ? kasan_check_write+0x14/0x20
[  127.162870]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  127.167802]  entry_SYSENTER_compat+0x70/0x7f
[  127.172204] RIP: 0023:0xf7fb4ca9
[  127.175556] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  127.194454] RSP: 002b:00000000f7f8f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[  127.202145] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000480
[  127.209409] RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000
[  127.216660] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  127.223910] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  127.231163] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  127.239252] ==================================================================
[  127.246630] BUG: KASAN: use-after-free in ucma_destroy_id+0x524/0x550
[  127.253193] Read of size 8 at addr ffff8801d9722d68 by task syz-executor0/4824
[  127.260529] 
[  127.262144] CPU: 1 PID: 4824 Comm: syz-executor0 Not tainted 4.19.0-rc1+ #114
[  127.269560] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  127.278897] Call Trace:
[  127.281472]  dump_stack+0x1c9/0x2b4
[  127.285080]  ? dump_stack_print_info.cold.2+0x52/0x52
[  127.290251]  ? printk+0xa7/0xcf
[  127.293509]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  127.298246]  ? ucma_destroy_id+0x524/0x550
[  127.302459]  print_address_description+0x6c/0x20b
[  127.307280]  ? ucma_destroy_id+0x524/0x550
[  127.311493]  kasan_report.cold.7+0x242/0x30d
[  127.315883]  __asan_report_load8_noabort+0x14/0x20
[  127.320790]  ucma_destroy_id+0x524/0x550
[  127.324830]  ? ucma_close+0x300/0x300
[  127.328618]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  127.334216]  ? _copy_from_user+0xdf/0x150
[  127.338350]  ? ucma_close+0x300/0x300
[  127.342129]  ucma_write+0x336/0x420
[  127.345735]  ? ucma_close_id+0x60/0x60
[  127.349601]  ? kasan_check_read+0x11/0x20
[  127.353727]  ? do_raw_spin_unlock+0xa7/0x2f0
[  127.358116]  __vfs_write+0x117/0x9d0
[  127.361813]  ? __fget_light+0x2f7/0x440
[  127.365767]  ? ucma_close_id+0x60/0x60
[  127.369635]  ? kernel_read+0x120/0x120
[  127.373503]  ? trace_hardirqs_on+0x2c0/0x2c0
[  127.377906]  ? kmem_cache_free+0xa0/0x280
[  127.382033]  ? kasan_check_read+0x11/0x20
[  127.386160]  ? rcu_is_watching+0x8c/0x150
[  127.390289]  ? trace_hardirqs_on+0xbd/0x2c0
[  127.394588]  ? rcu_pm_notify+0xc0/0xc0
[  127.398466]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  127.404000]  ? security_file_permission+0x1c2/0x230
[  127.408998]  ? rw_verify_area+0x118/0x360
[  127.413127]  vfs_write+0x1fc/0x560
[  127.416657]  ksys_write+0x101/0x260
[  127.420263]  ? __ia32_sys_read+0xb0/0xb0
[  127.424315]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[  127.429399]  __ia32_sys_write+0x71/0xb0
[  127.433354]  do_fast_syscall_32+0x34d/0xfb2
[  127.437657]  ? do_int80_syscall_32+0x890/0x890
[  127.442288]  ? entry_SYSENTER_compat+0x68/0x7f
[  127.446859]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[  127.451852]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  127.456671]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[  127.461668]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  127.466674]  ? recalc_sigpending_tsk+0x180/0x180
[  127.471408]  ? kasan_check_write+0x14/0x20
[  127.475624]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  127.480455]  entry_SYSENTER_compat+0x70/0x7f
[  127.484843] RIP: 0023:0xf7fb4ca9
[  127.488190] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  127.507073] RSP: 002b:00000000f7f8f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[  127.514760] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000480
[  127.522013] RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000
[  127.529258] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  127.536531] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  127.543782] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  127.551034] 
[  127.552638] Allocated by task 4820:
[  127.556245]  save_stack+0x43/0xd0
[  127.559700]  kasan_kmalloc+0xc4/0xe0
[  127.563390]  kmem_cache_alloc_trace+0x152/0x730
[  127.568039]  ucma_alloc_ctx+0xd5/0x670
[  127.571903]  ucma_create_id+0x276/0x9d0
[  127.575853]  ucma_write+0x336/0x420
[  127.579569]  __vfs_write+0x117/0x9d0
[  127.583278]  vfs_write+0x1fc/0x560
[  127.586809]  ksys_write+0x101/0x260
[  127.590414]  __ia32_sys_write+0x71/0xb0
[  127.594366]  do_fast_syscall_32+0x34d/0xfb2
[  127.598666]  entry_SYSENTER_compat+0x70/0x7f
[  127.603044] 
[  127.604646] Freed by task 4819:
[  127.607904]  save_stack+0x43/0xd0
[  127.611342]  __kasan_slab_free+0x11a/0x170
[  127.615556]  kasan_slab_free+0xe/0x10
[  127.619351]  kfree+0xd9/0x210
[  127.622453]  ucma_free_ctx+0x9e2/0xe20
[  127.626319]  ucma_close+0x10d/0x300
[  127.629935]  __fput+0x36e/0x8c0
[  127.633240]  ____fput+0x15/0x20
[  127.636507]  task_work_run+0x1e8/0x2a0
[  127.640375]  exit_to_usermode_loop+0x318/0x380
[  127.644934]  do_fast_syscall_32+0xcd5/0xfb2
[  127.649232]  entry_SYSENTER_compat+0x70/0x7f
[  127.653634] 
[  127.655237] The buggy address belongs to the object at ffff8801d9722d00
[  127.655237]  which belongs to the cache kmalloc-256 of size 256
[  127.667869] The buggy address is located 104 bytes inside of
[  127.667869]  256-byte region [ffff8801d9722d00, ffff8801d9722e00)
[  127.679716] The buggy address belongs to the page:
[  127.684732] page:ffffea000765c880 count:1 mapcount:0 mapping:ffff8801dac007c0 index:0x0
[  127.692862] flags: 0x2fffc0000000100(slab)
[  127.697089] raw: 02fffc0000000100 ffffea000766cd08 ffffea000765bac8 ffff8801dac007c0
[  127.704949] raw: 0000000000000000 ffff8801d9722080 000000010000000c 0000000000000000
[  127.712803] page dumped because: kasan: bad access detected
[  127.718486] 
[  127.720087] Memory state around the buggy address:
[  127.725004]  ffff8801d9722c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  127.732339]  ffff8801d9722c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  127.739684] >ffff8801d9722d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  127.747019]                                                           ^
[  127.753751]  ffff8801d9722d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  127.761090]  ffff8801d9722e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  127.768430] ==================================================================
[  127.775828] Kernel panic - not syncing: panic_on_warn set ...
[  127.775828] 
[  127.783203] CPU: 1 PID: 4824 Comm: syz-executor0 Tainted: G    B             4.19.0-rc1+ #114
[  127.791856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  127.801222] Call Trace:
[  127.803799]  dump_stack+0x1c9/0x2b4
[  127.807411]  ? dump_stack_print_info.cold.2+0x52/0x52
[  127.812586]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  127.817324]  panic+0x238/0x4e7
[  127.820499]  ? add_taint.cold.5+0x16/0x16
[  127.824652]  ? trace_hardirqs_on+0x9a/0x2c0
[  127.828975]  ? trace_hardirqs_on+0xb4/0x2c0
[  127.833322]  ? trace_hardirqs_on+0xb4/0x2c0
[  127.837647]  ? trace_hardirqs_on+0x9a/0x2c0
[  127.841953]  ? ucma_destroy_id+0x524/0x550
[  127.846215]  kasan_end_report+0x47/0x4f
[  127.850210]  kasan_report.cold.7+0x76/0x30d
[  127.854525]  __asan_report_load8_noabort+0x14/0x20
[  127.859457]  ucma_destroy_id+0x524/0x550
[  127.863502]  ? ucma_close+0x300/0x300
[  127.867291]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  127.872813]  ? _copy_from_user+0xdf/0x150
[  127.876955]  ? ucma_close+0x300/0x300
[  127.880758]  ucma_write+0x336/0x420
[  127.884368]  ? ucma_close_id+0x60/0x60
[  127.888250]  ? kasan_check_read+0x11/0x20
[  127.892398]  ? do_raw_spin_unlock+0xa7/0x2f0
[  127.896798]  __vfs_write+0x117/0x9d0
[  127.900509]  ? __fget_light+0x2f7/0x440
[  127.904466]  ? ucma_close_id+0x60/0x60
[  127.908339]  ? kernel_read+0x120/0x120
[  127.912216]  ? trace_hardirqs_on+0x2c0/0x2c0
[  127.916655]  ? kmem_cache_free+0xa0/0x280
[  127.920793]  ? kasan_check_read+0x11/0x20
[  127.924928]  ? rcu_is_watching+0x8c/0x150
[  127.929069]  ? trace_hardirqs_on+0xbd/0x2c0
[  127.933377]  ? rcu_pm_notify+0xc0/0xc0
[  127.937255]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  127.942777]  ? security_file_permission+0x1c2/0x230
[  127.947777]  ? rw_verify_area+0x118/0x360
[  127.951910]  vfs_write+0x1fc/0x560
[  127.955447]  ksys_write+0x101/0x260
[  127.959064]  ? __ia32_sys_read+0xb0/0xb0
[  127.963107]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[  127.968195]  __ia32_sys_write+0x71/0xb0
[  127.972152]  do_fast_syscall_32+0x34d/0xfb2
[  127.976457]  ? do_int80_syscall_32+0x890/0x890
[  127.981078]  ? entry_SYSENTER_compat+0x68/0x7f
[  127.985645]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[  127.990645]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  127.995468]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[  128.000467]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  128.005467]  ? recalc_sigpending_tsk+0x180/0x180
[  128.010205]  ? kasan_check_write+0x14/0x20
[  128.014423]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  128.019250]  entry_SYSENTER_compat+0x70/0x7f
[  128.023647] RIP: 0023:0xf7fb4ca9
[  128.027013] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  128.045897] RSP: 002b:00000000f7f8f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[  128.053587] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000480
[  128.060864] RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000000
[  128.068201] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  128.075453] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  128.082707] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  128.090316] Dumping ftrace buffer:
[  128.093845]    (ftrace buffer empty)
[  128.097534] Kernel Offset: disabled
[  128.101176] Rebooting in 86400 seconds..