[....] Starting OpenBSD Secure Shell server: sshd
[   17.193877] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   17.796103] random: sshd: uninitialized urandom read (32 bytes read)
[   18.027711] sshd (4466) used greatest stack depth: 17000 bytes left
[   18.043491] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.859591] random: sshd: uninitialized urandom read (32 bytes read)
[   49.082835] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[   54.579831] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/24 05:18:31 parsed 1 programs
[   56.081873] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/24 05:18:33 executed programs: 0
[   56.982899] IPVS: ftp: loaded support on port[0] = 21
[   57.165126] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.171582] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.178805] device bridge_slave_0 entered promiscuous mode
[   57.194804] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.201179] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.208163] device bridge_slave_1 entered promiscuous mode
[   57.222606] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   57.238210] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   57.276242] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   57.292789] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   57.350515] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   57.357698] team0: Port device team_slave_0 added
[   57.371499] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   57.379075] team0: Port device team_slave_1 added
[   57.392984] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   57.408599] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   57.424371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   57.440308] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   57.545761] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.552198] bridge0: port 2(bridge_slave_1) entered forwarding state
[   57.558996] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.565351] bridge0: port 1(bridge_slave_0) entered forwarding state
[   57.940540] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   57.946648] 8021q: adding VLAN 0 to HW filter on device bond0
[   57.986821] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   58.025621] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   58.032868] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   58.067234] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   58.073333] 8021q: adding VLAN 0 to HW filter on device team0
[   58.112218] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   58.506281] ==================================================================
[   58.513749] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x51e/0x550
[   58.521433] Write of size 8 at addr ffff8801c6b256e8 by task syz-executor0/4790
[   58.528851] 
[   58.530461] CPU: 1 PID: 4790 Comm: syz-executor0 Not tainted 4.18.0-rc1+ #18
[   58.537649] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.546981] Call Trace:
[   58.549553]  dump_stack+0x1c9/0x2b4
[   58.553165]  ? dump_stack_print_info.cold.2+0x52/0x52
[   58.558336]  ? printk+0xa7/0xcf
[   58.561595]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   58.566336]  ? irq_bypass_register_consumer+0x51e/0x550
[   58.571690]  print_address_description+0x6c/0x20b
[   58.576514]  ? irq_bypass_register_consumer+0x51e/0x550
[   58.581860]  kasan_report.cold.7+0x242/0x2fe
[   58.586252]  __asan_report_store8_noabort+0x17/0x20
[   58.591339]  irq_bypass_register_consumer+0x51e/0x550
[   58.596511]  ? __disconnect+0x1b0/0x1b0
[   58.600477]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   58.605475]  kvm_irqfd+0x1511/0x1e80
[   58.609179]  ? refill_pi_state_cache.part.8+0x320/0x320
[   58.614526]  ? kvm_eventfd_init+0x2c0/0x2c0
[   58.618826]  ? futex_wait_setup+0x281/0x410
[   58.623140]  ? lock_downgrade+0x8f0/0x8f0
[   58.627270]  ? lock_release+0xa30/0xa30
[   58.631223]  ? check_same_owner+0x340/0x340
[   58.635533]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   58.641053]  ? _copy_from_user+0xdf/0x150
[   58.645187]  kvm_vm_ioctl+0xf80/0x1d80
[   58.649077]  ? kvm_set_memory_region+0x50/0x50
[   58.653642]  ? lock_downgrade+0x8f0/0x8f0
[   58.657781]  ? do_futex+0x249/0x27d0
[   58.661474]  ? kasan_check_read+0x11/0x20
[   58.665600]  ? do_raw_spin_unlock+0xa7/0x2f0
[   58.669988]  ? graph_lock+0x170/0x170
[   58.673768]  ? compat_start_thread+0x80/0x80
[   58.678154]  ? _raw_spin_unlock_irq+0x27/0x70
[   58.682628]  ? exit_robust_list+0x290/0x290
[   58.686941]  ? find_held_lock+0x36/0x1c0
[   58.690992]  ? lock_downgrade+0x8f0/0x8f0
[   58.695119]  ? kasan_check_read+0x11/0x20
[   58.699242]  ? rcu_is_watching+0x8c/0x150
[   58.703366]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   58.707758]  ? __fget+0x414/0x670
[   58.711212]  ? expand_files.part.8+0x9c0/0x9c0
[   58.715783]  ? trace_hardirqs_off+0xd/0x10
[   58.720001]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   58.725090]  ? kasan_check_read+0x11/0x20
[   58.729223]  ? __fget_light+0x2f7/0x440
[   58.733185]  kvm_vm_compat_ioctl+0x143/0x430
[   58.737574]  ? kvm_vm_ioctl+0x1d80/0x1d80
[   58.741702]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[   58.746624]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   58.752315]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.757842]  ? kvm_vm_ioctl+0x1d80/0x1d80
[   58.761975]  __ia32_compat_sys_ioctl+0x221/0x640
[   58.766716]  do_fast_syscall_32+0x34d/0xfb2
[   58.771030]  ? do_int80_syscall_32+0x890/0x890
[   58.775606]  ? _raw_spin_unlock_irq+0x27/0x70
[   58.780085]  ? finish_task_switch+0x1d3/0x890
[   58.784580]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.790101]  ? syscall_return_slowpath+0x31d/0x5e0
[   58.795012]  ? sysret32_from_system_call+0x5/0x46
[   58.799837]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   58.804666]  entry_SYSENTER_compat+0x70/0x7f
[   58.809053] RIP: 0023:0xf7f72cb9
[   58.812393] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   58.831579] RSP: 002b:00000000f7f6e0ac EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[   58.839280] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000004020ae76
[   58.846541] RDX: 00000000200015c0 RSI: 0000000000000000 RDI: 0000000000000000
[   58.854059] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   58.861320] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   58.868572] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   58.875838] 
[   58.877454] Allocated by task 4790:
[   58.881071]  save_stack+0x43/0xd0
[   58.884516]  kasan_kmalloc+0xc4/0xe0
[   58.888216]  kmem_cache_alloc_trace+0x152/0x780
[   58.892867]  kvm_irqfd+0x18f/0x1e80
[   58.896476]  kvm_vm_ioctl+0xf80/0x1d80
[   58.900352]  kvm_vm_compat_ioctl+0x143/0x430
[   58.904746]  __ia32_compat_sys_ioctl+0x221/0x640
[   58.909481]  do_fast_syscall_32+0x34d/0xfb2
[   58.913787]  entry_SYSENTER_compat+0x70/0x7f
[   58.918169] 
[   58.919777] Freed by task 2132:
[   58.923046]  save_stack+0x43/0xd0
[   58.926484]  __kasan_slab_free+0x11a/0x170
[   58.930714]  kasan_slab_free+0xe/0x10
[   58.934495]  kfree+0xd9/0x260
[   58.937599]  irqfd_shutdown+0x144/0x1c0
[   58.941554]  process_one_work+0xc73/0x1ba0
[   58.945767]  worker_thread+0x189/0x13c0
[   58.949720]  kthread+0x345/0x410
[   58.953069]  ret_from_fork+0x3a/0x50
[   58.956759] 
[   58.958368] The buggy address belongs to the object at ffff8801c6b25580
[   58.958368]  which belongs to the cache kmalloc-512 of size 512
[   58.971017] The buggy address is located 360 bytes inside of
[   58.971017]  512-byte region [ffff8801c6b25580, ffff8801c6b25780)
[   58.982883] The buggy address belongs to the page:
[   58.987794] page:ffffea00071ac940 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   58.995914] flags: 0x2fffc0000000100(slab)
[   59.000133] raw: 02fffc0000000100 ffffea00071a78c8 ffffea0007182b48 ffff8801da800940
[   59.007997] raw: 0000000000000000 ffff8801c6b25080 0000000100000006 0000000000000000
[   59.015869] page dumped because: kasan: bad access detected
[   59.021558] 
[   59.023163] Memory state around the buggy address:
[   59.028083]  ffff8801c6b25580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.035429]  ffff8801c6b25600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.042771] >ffff8801c6b25680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.050110]                                                           ^
[   59.056841]  ffff8801c6b25700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.064179]  ffff8801c6b25780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.071516] ==================================================================
[   59.078853] Disabling lock debugging due to kernel taint
[   59.084718] Kernel panic - not syncing: panic_on_warn set ...
[   59.084718] 
[   59.092089] CPU: 1 PID: 4790 Comm: syz-executor0 Tainted: G    B             4.18.0-rc1+ #18
[   59.100654] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.109985] Call Trace:
[   59.112562]  dump_stack+0x1c9/0x2b4
[   59.116173]  ? dump_stack_print_info.cold.2+0x52/0x52
[   59.121350]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   59.126091]  panic+0x238/0x4e7
[   59.129267]  ? add_taint.cold.5+0x16/0x16
[   59.133398]  ? do_raw_spin_unlock+0xa7/0x2f0
[   59.137790]  ? irq_bypass_register_consumer+0x51e/0x550
[   59.143133]  kasan_end_report+0x47/0x4f
[   59.147088]  kasan_report.cold.7+0x76/0x2fe
[   59.151393]  __asan_report_store8_noabort+0x17/0x20
[   59.156391]  irq_bypass_register_consumer+0x51e/0x550
[   59.161559]  ? __disconnect+0x1b0/0x1b0
[   59.165515]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   59.170511]  kvm_irqfd+0x1511/0x1e80
[   59.174208]  ? refill_pi_state_cache.part.8+0x320/0x320
[   59.179568]  ? kvm_eventfd_init+0x2c0/0x2c0
[   59.183868]  ? futex_wait_setup+0x281/0x410
[   59.188178]  ? lock_downgrade+0x8f0/0x8f0
[   59.192306]  ? lock_release+0xa30/0xa30
[   59.196273]  ? check_same_owner+0x340/0x340
[   59.200584]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   59.206103]  ? _copy_from_user+0xdf/0x150
[   59.210233]  kvm_vm_ioctl+0xf80/0x1d80
[   59.214103]  ? kvm_set_memory_region+0x50/0x50
[   59.218668]  ? lock_downgrade+0x8f0/0x8f0
[   59.222797]  ? do_futex+0x249/0x27d0
[   59.226491]  ? kasan_check_read+0x11/0x20
[   59.230635]  ? do_raw_spin_unlock+0xa7/0x2f0
[   59.235035]  ? graph_lock+0x170/0x170
[   59.238824]  ? compat_start_thread+0x80/0x80
[   59.243216]  ? _raw_spin_unlock_irq+0x27/0x70
[   59.247692]  ? exit_robust_list+0x290/0x290
[   59.252006]  ? find_held_lock+0x36/0x1c0
[   59.256057]  ? lock_downgrade+0x8f0/0x8f0
[   59.260195]  ? kasan_check_read+0x11/0x20
[   59.264323]  ? rcu_is_watching+0x8c/0x150
[   59.268457]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   59.272856]  ? __fget+0x414/0x670
[   59.276288]  ? expand_files.part.8+0x9c0/0x9c0
[   59.280850]  ? trace_hardirqs_off+0xd/0x10
[   59.285067]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   59.290149]  ? kasan_check_read+0x11/0x20
[   59.294280]  ? __fget_light+0x2f7/0x440
[   59.298242]  kvm_vm_compat_ioctl+0x143/0x430
[   59.302633]  ? kvm_vm_ioctl+0x1d80/0x1d80
[   59.306772]  ? __ia32_compat_sys_futex+0x3e6/0x5f0
[   59.311690]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[   59.317386]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.322908]  ? kvm_vm_ioctl+0x1d80/0x1d80
[   59.327045]  __ia32_compat_sys_ioctl+0x221/0x640
[   59.331787]  do_fast_syscall_32+0x34d/0xfb2
[   59.336086]  ? do_int80_syscall_32+0x890/0x890
[   59.340648]  ? _raw_spin_unlock_irq+0x27/0x70
[   59.345122]  ? finish_task_switch+0x1d3/0x890
[   59.349598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.355116]  ? syscall_return_slowpath+0x31d/0x5e0
[   59.360030]  ? sysret32_from_system_call+0x5/0x46
[   59.364860]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   59.369683]  entry_SYSENTER_compat+0x70/0x7f
[   59.374069] RIP: 0023:0xf7f72cb9
[   59.377407] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   59.396534] RSP: 002b:00000000f7f6e0ac EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[   59.404222] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000004020ae76
[   59.411470] RDX: 00000000200015c0 RSI: 0000000000000000 RDI: 0000000000000000
[   59.418716] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   59.425969] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   59.433218] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   59.440968] Dumping ftrace buffer:
[   59.444487]    (ftrace buffer empty)
[   59.448170] Kernel Offset: disabled
[   59.451771] Rebooting in 86400 seconds..
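Reading the report above by hand comes down to four facts. The 8-byte write in irq_bypass_register_consumer+0x51e/0x550 lands 360 bytes into a 512-byte kmalloc-512 object (0xffff8801c6b256e8 - 0xffff8801c6b25580 = 0x168). That object was allocated by the same task (4790) inside kvm_irqfd. It was freed by a different task (2132, a kworker: irqfd_shutdown reached through process_one_work/worker_thread/kthread) before the ioctl path finished using it. So the stacks describe a lifetime race between the KVM_IRQFD ioctl path and the deferred irqfd_shutdown work, not a double use within one code path. The register dump confirms what user space was doing: ORIG_RAX 0x36 is the i386 ioctl syscall (the trace goes through entry_SYSENTER_compat and kvm_vm_compat_ioctl), and RCX 0x4020ae76, the ioctl command on the ia32 ABI, decodes as _IOW(0xAE, 0x76, 32 bytes), which is KVM_IRQFD (KVMIO is 0xAE). The offset 360 is what you would next map onto the irqfd structure layout (for example with pahole on the vmlinux that produced this report) to see which field the stale write hits; the page does not show that layout, so it is not claimed here.

The script below is an added example, not syzkaller or kernel code, that extracts those facts mechanically from a console log so a batch of syzkaller reports can be bucketed by access site, allocator and freer. Its input is constructed from the report above, trimmed to the lines the parser needs; the "?" unwinder-guess frames are dropped, and the list of "plumbing" frames to skip (sanitizer and allocator internals) is my own choice.

```python
# Triage helper for a KASAN slab report: pulls the access site, the alloc/free stacks
# and the object geometry out of a console log. Added example, not syzkaller/kernel code.
import re
from dataclasses import dataclass, field

# Constructed sample: the KASAN section of the log above, cut down to the lines the
# parser needs ("?" frames are unwinder guesses and are dropped).
SAMPLE = """\
[   58.513749] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x51e/0x550
[   58.521433] Write of size 8 at addr ffff8801c6b256e8 by task syz-executor0/4790
[   58.546981] Call Trace:
[   58.549553]  dump_stack+0x1c9/0x2b4
[   58.553165]  ? dump_stack_print_info.cold.2+0x52/0x52
[   58.586252]  __asan_report_store8_noabort+0x17/0x20
[   58.591339]  irq_bypass_register_consumer+0x51e/0x550
[   58.605475]  kvm_irqfd+0x1511/0x1e80
[   58.875838]
[   58.877454] Allocated by task 4790:
[   58.881071]  save_stack+0x43/0xd0
[   58.884516]  kasan_kmalloc+0xc4/0xe0
[   58.892867]  kvm_irqfd+0x18f/0x1e80
[   58.919777] Freed by task 2132:
[   58.923046]  save_stack+0x43/0xd0
[   58.934495]  kfree+0xd9/0x260
[   58.937599]  irqfd_shutdown+0x144/0x1c0
[   58.941554]  process_one_work+0xc73/0x1ba0
[   58.958368] The buggy address belongs to the object at ffff8801c6b25580
[   58.958368]  which belongs to the cache kmalloc-512 of size 512
[   58.971017] The buggy address is located 360 bytes inside of
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_HDR = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
_ACC = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
_STACK = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
_OBJ = re.compile(r"^The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_INSIDE = re.compile(r"^The buggy address is located (?P<off>\d+) bytes inside of")
_FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Sanitizer and allocator plumbing (my own list): never the code that owns the bug.
_PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
             "__asan_", "save_stack", "kfree", "kmem_cache_", "kmalloc", "__kmalloc")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    obj_base: int = 0
    obj_size: int = 0
    cache: str = ""
    reported_offset: int = -1
    access_stack: list = field(default_factory=list)
    alloc_pid: int = -1
    alloc_stack: list = field(default_factory=list)
    free_pid: int = -1
    free_stack: list = field(default_factory=list)

    @property
    def offset(self) -> int:  # byte offset of the bad access inside the slab object
        return self.addr - self.obj_base

    def consistent(self) -> bool:  # recomputed offset agrees with KASAN's own line
        return self.offset == self.reported_offset and 0 <= self.offset < self.obj_size

    def freed_by_other_task(self) -> bool:  # free on a different task: a lifetime race
        return self.kind == "use-after-free" and self.free_pid != self.pid

    def freed_from_workqueue(self) -> bool:
        return "process_one_work" in self.free_stack


def culprit(stack: list) -> str:
    """First frame that is not plumbing: the function that owns the bug."""
    return next((s for s in stack if not s.startswith(_PLUMBING)), "")


def parse_kasan(text: str) -> KasanReport:
    r, stack = KasanReport(), None  # `stack` is the list currently being filled
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if not line:  # a blank line closes the current section
            stack = None
        elif m := _HDR.match(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := _ACC.match(line):
            r.op, r.size, r.addr, r.pid = m["op"], int(m["size"]), int(m["addr"], 16), int(m["pid"])
        elif line == "Call Trace:":
            stack = r.access_stack
        elif m := _STACK.match(line):
            if m["which"] == "Allocated":
                r.alloc_pid, stack = int(m["pid"]), r.alloc_stack
            else:
                r.free_pid, stack = int(m["pid"]), r.free_stack
        elif m := _OBJ.match(line):
            r.obj_base = int(m["base"], 16)
        elif m := _CACHE.match(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := _INSIDE.match(line):
            r.reported_offset = int(m["off"])
        elif stack is not None and (m := _FRAME.match(line)):
            stack.append(m["sym"])
    return r


if __name__ == "__main__":
    print(parse_kasan(SAMPLE))
```

On the sample this yields offset 360 inside kmalloc-512, allocator kvm_irqfd (pid 4790), freer irqfd_shutdown (pid 2132, from a workqueue) and access site irq_bypass_register_consumer, with the free on a different task than the use, which is the cross-task signature worth flagging before reading the rest of the trace. Feed it the full log (timestamps and "?" frames included) and it produces the same result; the blank-line handling exists so that the register dump and page dump that follow a stack in a real report do not leak frames into the wrong section.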