[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.675249] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.197143] random: sshd: uninitialized urandom read (32 bytes read)
[   22.628084] random: sshd: uninitialized urandom read (32 bytes read)
[   23.367683] random: sshd: uninitialized urandom read (32 bytes read)
[   35.678133] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[   41.061284] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/26 20:25:40 parsed 1 programs
2018/05/26 20:25:40 executed programs: 0
[   41.545820] IPVS: ftp: loaded support on port[0] = 21
[   41.664477] bridge0: port 1(bridge_slave_0) entered blocking state
[   41.670933] bridge0: port 1(bridge_slave_0) entered disabled state
[   41.678145] device bridge_slave_0 entered promiscuous mode
[   41.694243] bridge0: port 2(bridge_slave_1) entered blocking state
[   41.700610] bridge0: port 2(bridge_slave_1) entered disabled state
[   41.707519] device bridge_slave_1 entered promiscuous mode
[   41.721865] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   41.736730] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   41.775045] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   41.791760] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   41.848722] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   41.855884] team0: Port device team_slave_0 added
[   41.869239] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   41.876308] team0: Port device team_slave_1 added
[   41.890016] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   41.905449] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   41.920705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   41.937528] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   42.043500] bridge0: port 2(bridge_slave_1) entered blocking state
[   42.049933] bridge0: port 2(bridge_slave_1) entered forwarding state
[   42.056720] bridge0: port 1(bridge_slave_0) entered blocking state
[   42.063064] bridge0: port 1(bridge_slave_0) entered forwarding state
[   42.444483] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   42.450587] 8021q: adding VLAN 0 to HW filter on device bond0
[   42.492452] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   42.532347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   42.539643] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   42.573969] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   42.580084] 8021q: adding VLAN 0 to HW filter on device team0
[   42.616226] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   42.819711] ==================================================================
[   42.827148] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150
[   42.833360] Read of size 1 at addr ffff8801d310d05d by task syz-executor0/4737
[   42.840699] 
[   42.842311] CPU: 0 PID: 4737 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #93
[   42.849471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.858802] Call Trace:
[   42.861375]  dump_stack+0x1b9/0x294
[   42.864993]  ? dump_stack_print_info.cold.2+0x52/0x52
[   42.870160]  ? printk+0x9e/0xba
[   42.873429]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   42.878171]  ? kasan_check_write+0x14/0x20
[   42.882385]  print_address_description+0x6c/0x20b
[   42.887214]  ? nla_strlcpy+0x13d/0x150
[   42.891081]  kasan_report.cold.7+0x242/0x2fe
[   42.895471]  __asan_report_load1_noabort+0x14/0x20
[   42.900383]  nla_strlcpy+0x13d/0x150
[   42.904079]  nfnl_acct_new+0x574/0xc50
[   42.907945]  ? nfnl_acct_overquota+0x380/0x380
[   42.912509]  ? debug_check_no_locks_freed+0x310/0x310
[   42.917679]  ? graph_lock+0x170/0x170
[   42.921462]  ? print_usage_bug+0xc0/0xc0
[   42.925508]  ? get_futex_key+0xf83/0x1e90
[   42.929644]  ? find_held_lock+0x36/0x1c0
[   42.933683]  ? graph_lock+0x170/0x170
[   42.937550]  ? lock_downgrade+0x8e0/0x8e0
[   42.941680]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.947197]  ? __lock_is_held+0xb5/0x140
[   42.951241]  ? nfnl_acct_overquota+0x380/0x380
[   42.955800]  nfnetlink_rcv_msg+0xdb5/0xff0
[   42.960014]  ? __lock_is_held+0xb5/0x140
[   42.964060]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   42.969063]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   42.973454]  ? nfnetlink_bind+0x3a0/0x3a0
[   42.977583]  ? graph_lock+0x170/0x170
[   42.981359]  ? find_held_lock+0x36/0x1c0
[   42.985399]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   42.990917]  netlink_rcv_skb+0x172/0x440
[   42.994964]  ? nfnetlink_bind+0x3a0/0x3a0
[   42.999092]  ? netlink_ack+0xbc0/0xbc0
[   43.002959]  ? __netlink_ns_capable+0x100/0x130
[   43.007610]  nfnetlink_rcv+0x1fe/0x1ba0
[   43.011564]  ? kasan_check_read+0x11/0x20
[   43.015694]  ? rcu_is_watching+0x85/0x140
[   43.019822]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.024993]  ? nfnl_err_reset+0x2d0/0x2d0
[   43.029120]  ? netlink_remove_tap+0x610/0x610
[   43.033594]  ? refcount_add_not_zero+0x320/0x320
[   43.038329]  ? kasan_check_read+0x11/0x20
[   43.042455]  ? rcu_is_watching+0x85/0x140
[   43.046585]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.051753]  ? netlink_skb_destructor+0x210/0x210
[   43.056572]  ? kasan_check_write+0x14/0x20
[   43.060785]  netlink_unicast+0x58b/0x740
[   43.064830]  ? netlink_attachskb+0x970/0x970
[   43.069219]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.074741]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   43.079744]  ? security_netlink_send+0x88/0xb0
[   43.084305]  netlink_sendmsg+0x9f0/0xfa0
[   43.088347]  ? netlink_unicast+0x740/0x740
[   43.092560]  ? pud_val+0x80/0xf0
[   43.095908]  ? security_socket_sendmsg+0x94/0xc0
[   43.100641]  ? netlink_unicast+0x740/0x740
[   43.104943]  sock_sendmsg+0xd5/0x120
[   43.108636]  sock_write_iter+0x35a/0x5a0
[   43.112677]  ? sock_sendmsg+0x120/0x120
[   43.116642]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   43.121397]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.126917]  ? iov_iter_init+0xc9/0x1f0
[   43.130877]  __vfs_write+0x64d/0x960
[   43.134578]  ? kernel_read+0x120/0x120
[   43.138457]  ? handle_mm_fault+0x8c0/0xc70
[   43.142678]  ? rw_verify_area+0x118/0x360
[   43.146816]  vfs_write+0x1f8/0x560
[   43.150342]  ksys_write+0xf9/0x250
[   43.153866]  ? __ia32_sys_read+0xb0/0xb0
[   43.157918]  ? mm_fault_error+0x380/0x380
[   43.162056]  __ia32_sys_write+0x71/0xb0
[   43.166033]  do_fast_syscall_32+0x345/0xf9b
[   43.170354]  ? do_int80_syscall_32+0x880/0x880
[   43.174929]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.179674]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.185196]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.190114]  ? sysret32_from_system_call+0x5/0x46
[   43.194950]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.199778]  entry_SYSENTER_compat+0x70/0x7f
[   43.204165] RIP: 0023:0xf7f02cb9
[   43.207507] RSP: 002b:000000000845e91c EFLAGS: 00000202 ORIG_RAX: 0000000000000004
[   43.215200] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   43.222450] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   43.229698] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   43.236949] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[   43.244208] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   43.251468] 
[   43.253074] Allocated by task 4646:
[   43.256683]  save_stack+0x43/0xd0
[   43.260120]  kasan_kmalloc+0xc4/0xe0
[   43.263811]  __kmalloc_node_track_caller+0x47/0x70
[   43.268721]  __kmalloc_reserve.isra.38+0x3a/0xe0
[   43.273455]  __alloc_skb+0x14d/0x780
[   43.277153]  netlink_ack+0x2d7/0xbc0
[   43.280844]  netlink_rcv_skb+0x35d/0x440
[   43.284886]  rtnetlink_rcv+0x1c/0x20
[   43.288581]  netlink_unicast+0x58b/0x740
[   43.292622]  netlink_sendmsg+0x9f0/0xfa0
[   43.296672]  sock_sendmsg+0xd5/0x120
[   43.300371]  __sys_sendto+0x3d7/0x670
[   43.304149]  __x64_sys_sendto+0xe1/0x1a0
[   43.308192]  do_syscall_64+0x1b1/0x800
[   43.312061]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.317221] 
[   43.318826] Freed by task 4646:
[   43.322093]  save_stack+0x43/0xd0
[   43.325528]  __kasan_slab_free+0x11a/0x170
[   43.329745]  kasan_slab_free+0xe/0x10
[   43.333524]  kfree+0xd9/0x260
[   43.336610]  skb_free_head+0x99/0xc0
[   43.340302]  skb_release_data+0x690/0x860
[   43.344429]  skb_release_all+0x4a/0x60
[   43.348297]  consume_skb+0x18b/0x550
[   43.351997]  skb_free_datagram+0x1a/0xf0
[   43.356049]  netlink_recvmsg+0x6fe/0x1450
[   43.360185]  sock_recvmsg+0xd0/0x110
[   43.363886]  ___sys_recvmsg+0x2b6/0x680
[   43.367840]  __sys_recvmsg+0x112/0x260
[   43.371707]  __x64_sys_recvmsg+0x78/0xb0
[   43.375749]  do_syscall_64+0x1b1/0x800
[   43.379618]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.384781] 
[   43.386398] The buggy address belongs to the object at ffff8801d310d000
[   43.386398]  which belongs to the cache kmalloc-512 of size 512
[   43.399038] The buggy address is located 93 bytes inside of
[   43.399038]  512-byte region [ffff8801d310d000, ffff8801d310d200)
[   43.410917] The buggy address belongs to the page:
[   43.415827] page:ffffea00074c4340 count:1 mapcount:0 mapping:ffff8801d310d000 index:0x0
[   43.423959] flags: 0x2fffc0000000100(slab)
[   43.428176] raw: 02fffc0000000100 ffff8801d310d000 0000000000000000 0000000100000006
[   43.436045] raw: ffffea00074d8960 ffffea00074c43a0 ffff8801da800940 0000000000000000
[   43.443901] page dumped because: kasan: bad access detected
[   43.449585] 
[   43.451194] Memory state around the buggy address:
[   43.456112]  ffff8801d310cf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   43.463451]  ffff8801d310cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.470788] >ffff8801d310d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.478135]                                                     ^
[   43.484348]  ffff8801d310d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.491689]  ffff8801d310d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.499030] ==================================================================
[   43.506368] Disabling lock debugging due to kernel taint
[   43.512368] Kernel panic - not syncing: panic_on_warn set ...
[   43.512368] 
[   43.519744] CPU: 0 PID: 4737 Comm: syz-executor0 Tainted: G    B             4.17.0-rc6+ #93
[   43.528303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.537634] Call Trace:
[   43.540225]  dump_stack+0x1b9/0x294
[   43.543837]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.549007]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.553762]  ? nla_strlcpy+0x70/0x150
[   43.557543]  panic+0x22f/0x4de
[   43.560716]  ? add_taint.cold.5+0x16/0x16
[   43.564843]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.569232]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.573626]  ? nla_strlcpy+0x13d/0x150
[   43.577493]  kasan_end_report+0x47/0x4f
[   43.581444]  kasan_report.cold.7+0x76/0x2fe
[   43.585746]  __asan_report_load1_noabort+0x14/0x20
[   43.590651]  nla_strlcpy+0x13d/0x150
[   43.594347]  nfnl_acct_new+0x574/0xc50
[   43.598211]  ? nfnl_acct_overquota+0x380/0x380
[   43.602779]  ? debug_check_no_locks_freed+0x310/0x310
[   43.607947]  ? graph_lock+0x170/0x170
[   43.611726]  ? print_usage_bug+0xc0/0xc0
[   43.615767]  ? get_futex_key+0xf83/0x1e90
[   43.619898]  ? find_held_lock+0x36/0x1c0
[   43.623940]  ? graph_lock+0x170/0x170
[   43.627719]  ? lock_downgrade+0x8e0/0x8e0
[   43.631847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.637362]  ? __lock_is_held+0xb5/0x140
[   43.641421]  ? nfnl_acct_overquota+0x380/0x380
[   43.645980]  nfnetlink_rcv_msg+0xdb5/0xff0
[   43.650196]  ? __lock_is_held+0xb5/0x140
[   43.654242]  ? __sanitizer_cov_trace_cmp1+0x17/0x20
[   43.659244]  ? nfnetlink_rcv_msg+0x3bc/0xff0
[   43.663634]  ? nfnetlink_bind+0x3a0/0x3a0
[   43.667759]  ? graph_lock+0x170/0x170
[   43.671540]  ? find_held_lock+0x36/0x1c0
[   43.675584]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.681102]  netlink_rcv_skb+0x172/0x440
[   43.685148]  ? nfnetlink_bind+0x3a0/0x3a0
[   43.689274]  ? netlink_ack+0xbc0/0xbc0
[   43.693141]  ? __netlink_ns_capable+0x100/0x130
[   43.697787]  nfnetlink_rcv+0x1fe/0x1ba0
[   43.701742]  ? kasan_check_read+0x11/0x20
[   43.705868]  ? rcu_is_watching+0x85/0x140
[   43.709992]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.715164]  ? nfnl_err_reset+0x2d0/0x2d0
[   43.719304]  ? netlink_remove_tap+0x610/0x610
[   43.723782]  ? refcount_add_not_zero+0x320/0x320
[   43.728516]  ? kasan_check_read+0x11/0x20
[   43.732642]  ? rcu_is_watching+0x85/0x140
[   43.736769]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.741939]  ? netlink_skb_destructor+0x210/0x210
[   43.746767]  ? kasan_check_write+0x14/0x20
[   43.750984]  netlink_unicast+0x58b/0x740
[   43.755038]  ? netlink_attachskb+0x970/0x970
[   43.759432]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.764947]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   43.769943]  ? security_netlink_send+0x88/0xb0
[   43.774504]  netlink_sendmsg+0x9f0/0xfa0
[   43.778552]  ? netlink_unicast+0x740/0x740
[   43.782764]  ? pud_val+0x80/0xf0
[   43.786114]  ? security_socket_sendmsg+0x94/0xc0
[   43.790849]  ? netlink_unicast+0x740/0x740
[   43.795063]  sock_sendmsg+0xd5/0x120
[   43.798762]  sock_write_iter+0x35a/0x5a0
[   43.802800]  ? sock_sendmsg+0x120/0x120
[   43.806753]  ? vm_insert_mixed_mkwrite+0x40/0x40
[   43.811492]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.817014]  ? iov_iter_init+0xc9/0x1f0
[   43.820977]  __vfs_write+0x64d/0x960
[   43.824668]  ? kernel_read+0x120/0x120
[   43.828536]  ? handle_mm_fault+0x8c0/0xc70
[   43.832748]  ? rw_verify_area+0x118/0x360
[   43.836875]  vfs_write+0x1f8/0x560
[   43.840395]  ksys_write+0xf9/0x250
[   43.843915]  ? __ia32_sys_read+0xb0/0xb0
[   43.847954]  ? mm_fault_error+0x380/0x380
[   43.852080]  __ia32_sys_write+0x71/0xb0
[   43.856041]  do_fast_syscall_32+0x345/0xf9b
[   43.860349]  ? do_int80_syscall_32+0x880/0x880
[   43.864910]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.869647]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.875165]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.880078]  ? sysret32_from_system_call+0x5/0x46
[   43.884898]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.889720]  entry_SYSENTER_compat+0x70/0x7f
[   43.894105] RIP: 0023:0xf7f02cb9
[   43.897445] RSP: 002b:000000000845e91c EFLAGS: 00000202 ORIG_RAX: 0000000000000004
[   43.905130] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020390000
[   43.912374] RDX: 000000000000001f RSI: 0000000000000000 RDI: 0000000000000000
[   43.919621] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   43.926873] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
[   43.934120] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   43.941830] Dumping ftrace buffer:
[   43.945350]    (ftrace buffer empty)
[   43.949032] Kernel Offset: disabled
[   43.952635] Rebooting in 86400 seconds..