[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 23.358659] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.034488] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.354450] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.915089] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.114312] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[ 32.682778] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/11 07:38:16 parsed 1 programs
[ 34.007336] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/11 07:38:19 executed programs: 0
[ 35.730183] IPVS: ftp: loaded support on port[0] = 21
[ 35.943966] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.950767] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.958341] device bridge_slave_0 entered promiscuous mode
[ 35.974343] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.980992] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.988191] device bridge_slave_1 entered promiscuous mode
[ 36.003672] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 36.019659] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 36.064784] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.083206] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.151060] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.158512] team0: Port device team_slave_0 added
[ 36.173491] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.181384] team0: Port device team_slave_1 added
[ 36.197341] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.215757] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.233671] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 36.252447] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 36.376808] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.383367] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.390180] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.396518] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.848768] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.854860] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.887810] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.904224] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.948812] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 36.954939] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 36.962659] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.004666] 8021q: adding VLAN 0 to HW filter on device team0
[ 37.275473] ==================================================================
[ 37.283016] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[ 37.288970] Read of size 8 at addr ffff8801b6fd75b0 by task syz-executor0/5534
[ 37.296321]
[ 37.297931] CPU: 0 PID: 5534 Comm: syz-executor0 Not tainted 4.19.0-rc3+ #231
[ 37.305180] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.314828] Call Trace:
[ 37.317423]  dump_stack+0x1c4/0x2b4
[ 37.321033]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 37.326203]  ? printk+0xa7/0xcf
[ 37.329463]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 37.334203]  print_address_description.cold.8+0x9/0x1ff
[ 37.339663]  kasan_report.cold.9+0x242/0x309
[ 37.344153]  ? sock_i_ino+0x94/0xa0
[ 37.347774]  __asan_report_load8_noabort+0x14/0x20
[ 37.352800]  sock_i_ino+0x94/0xa0
[ 37.356237]  tipc_sk_fill_sock_diag+0x39c/0xd90
[ 37.360981]  ? tipc_diag_dump+0x30/0x30
[ 37.364936]  ? tipc_getname+0x7f0/0x7f0
[ 37.368894]  ? graph_lock+0x170/0x170
[ 37.372670]  ? __lock_sock+0x203/0x350
[ 37.376612]  ? find_held_lock+0x36/0x1c0
[ 37.380662]  ? mark_held_locks+0xc7/0x130
[ 37.384795]  ? __local_bh_enable_ip+0x160/0x260
[ 37.389543]  ? __local_bh_enable_ip+0x160/0x260
[ 37.394214]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 37.398887]  ? trace_hardirqs_on+0xbd/0x310
[ 37.403260]  ? lock_release+0x970/0x970
[ 37.407219]  ? lock_sock_nested+0xe2/0x120
[ 37.411540]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 37.416571]  ? skb_put+0x17b/0x1e0
[ 37.420103]  ? memset+0x31/0x40
[ 37.423367]  ? __nlmsg_put+0x14c/0x1b0
[ 37.427253]  __tipc_add_sock_diag+0x233/0x360
[ 37.431746]  tipc_nl_sk_walk+0x122/0x1d0
[ 37.435802]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 37.441062]  tipc_diag_dump+0x24/0x30
[ 37.444848]  netlink_dump+0x519/0xd50
[ 37.448632]  ? netlink_broadcast+0x50/0x50
[ 37.452866]  __netlink_dump_start+0x4f1/0x6f0
[ 37.457455]  ? tipc_data_ready+0x3e0/0x3e0
[ 37.461692]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 37.466802]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 37.471453]  ? tipc_data_ready+0x3e0/0x3e0
[ 37.475662]  ? tipc_unregister_sysctl+0x20/0x20
[ 37.480322]  ? tipc_ioctl+0x3a0/0x3a0
[ 37.484137]  ? netlink_deliver_tap+0x355/0xf80
[ 37.488701]  sock_diag_rcv_msg+0x31d/0x410
[ 37.492917]  netlink_rcv_skb+0x172/0x440
[ 37.496961]  ? sock_diag_bind+0x80/0x80
[ 37.501036]  ? netlink_ack+0xb80/0xb80
[ 37.504980]  sock_diag_rcv+0x2a/0x40
[ 37.508689]  netlink_unicast+0x5a5/0x760
[ 37.512734]  ? netlink_attachskb+0x9a0/0x9a0
[ 37.517123]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.522639]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 37.527637]  netlink_sendmsg+0xa18/0xfc0
[ 37.531701]  ? netlink_unicast+0x760/0x760
[ 37.535914]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[ 37.540825]  ? apparmor_socket_sendmsg+0x29/0x30
[ 37.545562]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.551246]  ? security_socket_sendmsg+0x94/0xc0
[ 37.556025]  ? netlink_unicast+0x760/0x760
[ 37.560253]  sock_sendmsg+0xd5/0x120
[ 37.563963]  ___sys_sendmsg+0x7fd/0x930
[ 37.567930]  ? __local_bh_enable_ip+0x160/0x260
[ 37.572635]  ? copy_msghdr_from_user+0x580/0x580
[ 37.577742]  ? kasan_check_write+0x14/0x20
[ 37.581960]  ? _raw_spin_unlock_bh+0x30/0x40
[ 37.586347]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 37.591776]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.597305]  ? release_sock+0x1ec/0x2c0
[ 37.601283]  ? __fget_light+0x2e9/0x430
[ 37.605252]  ? fget_raw+0x20/0x20
[ 37.608718]  ? __release_sock+0x3a0/0x3a0
[ 37.612848]  ? tipc_nametbl_build_group+0x273/0x360
[ 37.617951]  ? tipc_setsockopt+0x726/0xd70
[ 37.622170]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 37.627699]  ? sockfd_lookup_light+0xc5/0x160
[ 37.632178]  __sys_sendmsg+0x11d/0x280
[ 37.636097]  ? __ia32_sys_shutdown+0x80/0x80
[ 37.640482]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 37.646136]  ? fput+0x130/0x1a0
[ 37.649425]  ? __x64_sys_futex+0x47f/0x6a0
[ 37.653656]  ? do_syscall_64+0x9a/0x820
[ 37.657691]  ? do_syscall_64+0x9a/0x820
[ 37.661720]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 37.667161]  __x64_sys_sendmsg+0x78/0xb0
[ 37.671325]  do_syscall_64+0x1b9/0x820
[ 37.675398]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 37.680766]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 37.685677]  ? trace_hardirqs_on_caller+0x310/0x310
[ 37.690677]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 37.695672]  ? recalc_sigpending_tsk+0x180/0x180
[ 37.700436]  ? kasan_check_write+0x14/0x20
[ 37.704655]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.709482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.714649] RIP: 0033:0x4572a9
[ 37.717836] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.736715] RSP: 002b:00007f76bdf00c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 37.744399] RAX: ffffffffffffffda RBX: 00007f76bdf016d4 RCX: 00000000004572a9
[ 37.751662] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 37.758949] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 37.766199] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 37.773458] R13: 00000000004d4e40 R14: 00000000004c9389 R15: 0000000000000000
[ 37.780747]
[ 37.782352] Allocated by task 5534:
[ 37.785967]  save_stack+0x43/0xd0
[ 37.789400]  kasan_kmalloc+0xc7/0xe0
[ 37.793104]  kasan_slab_alloc+0x12/0x20
[ 37.797067]  kmem_cache_alloc+0x12e/0x730
[ 37.801189]  sock_alloc_inode+0x1d/0x260
[ 37.805241]  alloc_inode+0x63/0x190
[ 37.808845]  new_inode_pseudo+0x71/0x1a0
[ 37.812881]  sock_alloc+0x41/0x270
[ 37.816424]  __sock_create+0x175/0x930
[ 37.820291]  __sys_socket+0x106/0x260
[ 37.824078]  __x64_sys_socket+0x73/0xb0
[ 37.828031]  do_syscall_64+0x1b9/0x820
[ 37.831897]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.837110]
[ 37.838716] Freed by task 5533:
[ 37.841968]  save_stack+0x43/0xd0
[ 37.845395]  __kasan_slab_free+0x102/0x150
[ 37.849605]  kasan_slab_free+0xe/0x10
[ 37.853403]  kmem_cache_free+0x83/0x290
[ 37.857367]  sock_destroy_inode+0x51/0x60
[ 37.861507]  destroy_inode+0x159/0x200
[ 37.865399]  evict+0x5e0/0x980
[ 37.868567]  iput+0x679/0xa90
[ 37.871662]  dentry_unlink_inode+0x461/0x5e0
[ 37.876058]  __dentry_kill+0x44c/0x7a0
[ 37.879921]  dentry_kill+0xc9/0x5a0
[ 37.883539]  dput.part.26+0x660/0x790
[ 37.887314]  dput+0x15/0x20
[ 37.890225]  __fput+0x4cf/0xa30
[ 37.893491]  ____fput+0x15/0x20
[ 37.896773]  task_work_run+0x1e8/0x2a0
[ 37.900635]  exit_to_usermode_loop+0x318/0x380
[ 37.905205]  do_syscall_64+0x6be/0x820
[ 37.909069]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.914245]
[ 37.915872] The buggy address belongs to the object at ffff8801b6fd7540
[ 37.915872]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[ 37.929720] The buggy address is located 112 bytes inside of
[ 37.929720]  984-byte region [ffff8801b6fd7540, ffff8801b6fd7918)
[ 37.941580] The buggy address belongs to the page:
[ 37.946497] page:ffffea0006dbf5c0 count:1 mapcount:0 mapping:ffff8801cb026800 index:0xffff8801b6fd7ffd
[ 37.955918] flags: 0x2fffc0000000100(slab)
[ 37.960142] raw: 02fffc0000000100 ffffea0006cd0a08 ffffea0006dbf708 ffff8801cb026800
[ 37.968014] raw: ffff8801b6fd7ffd ffff8801b6fd70c0 0000000100000003 ffff8801d15289c0
[ 37.975870] page dumped because: kasan: bad access detected
[ 37.981554] page->mem_cgroup:ffff8801d15289c0
[ 37.986032]
[ 37.987641] Memory state around the buggy address:
[ 37.992547]  ffff8801b6fd7480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.999906]  ffff8801b6fd7500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 38.007253] >ffff8801b6fd7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.014597]                                      ^
[ 38.019501]  ffff8801b6fd7600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.026849]  ffff8801b6fd7680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.034191] ==================================================================
[ 38.041552] Disabling lock debugging due to kernel taint
[ 38.047025] Kernel panic - not syncing: panic_on_warn set ...
[ 38.047025]
[ 38.054433] CPU: 0 PID: 5534 Comm: syz-executor0 Tainted: G    B             4.19.0-rc3+ #231
[ 38.063084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.072444] Call Trace:
[ 38.075004]  dump_stack+0x1c4/0x2b4
[ 38.078609]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.083778]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.088511]  panic+0x238/0x4e7
[ 38.091706]  ? add_taint.cold.5+0x16/0x16
[ 38.095845]  ? trace_hardirqs_on+0x9a/0x310
[ 38.100155]  ? trace_hardirqs_on+0xb4/0x310
[ 38.104452]  ? trace_hardirqs_on+0xb4/0x310
[ 38.108748]  kasan_end_report+0x47/0x4f
[ 38.112700]  kasan_report.cold.9+0x76/0x309
[ 38.116998]  ? sock_i_ino+0x94/0xa0
[ 38.120603]  __asan_report_load8_noabort+0x14/0x20
[ 38.125528]  sock_i_ino+0x94/0xa0
[ 38.128977]  tipc_sk_fill_sock_diag+0x39c/0xd90
[ 38.133629]  ? tipc_diag_dump+0x30/0x30
[ 38.137585]  ? tipc_getname+0x7f0/0x7f0
[ 38.141560]  ? graph_lock+0x170/0x170
[ 38.145358]  ? __lock_sock+0x203/0x350
[ 38.149228]  ? find_held_lock+0x36/0x1c0
[ 38.153284]  ? mark_held_locks+0xc7/0x130
[ 38.157424]  ? __local_bh_enable_ip+0x160/0x260
[ 38.162094]  ? __local_bh_enable_ip+0x160/0x260
[ 38.166788]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 38.171348]  ? trace_hardirqs_on+0xbd/0x310
[ 38.175669]  ? lock_release+0x970/0x970
[ 38.179646]  ? lock_sock_nested+0xe2/0x120
[ 38.183856]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 38.188888]  ? skb_put+0x17b/0x1e0
[ 38.192449]  ? memset+0x31/0x40
[ 38.195706]  ? __nlmsg_put+0x14c/0x1b0
[ 38.199582]  __tipc_add_sock_diag+0x233/0x360
[ 38.204057]  tipc_nl_sk_walk+0x122/0x1d0
[ 38.208108]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[ 38.213362]  tipc_diag_dump+0x24/0x30
[ 38.217151]  netlink_dump+0x519/0xd50
[ 38.220933]  ? netlink_broadcast+0x50/0x50
[ 38.225186]  __netlink_dump_start+0x4f1/0x6f0
[ 38.229691]  ? tipc_data_ready+0x3e0/0x3e0
[ 38.233905]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[ 38.238992]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 38.243640]  ? tipc_data_ready+0x3e0/0x3e0
[ 38.247861]  ? tipc_unregister_sysctl+0x20/0x20
[ 38.252508]  ? tipc_ioctl+0x3a0/0x3a0
[ 38.256297]  ? netlink_deliver_tap+0x355/0xf80
[ 38.260861]  sock_diag_rcv_msg+0x31d/0x410
[ 38.265078]  netlink_rcv_skb+0x172/0x440
[ 38.269117]  ? sock_diag_bind+0x80/0x80
[ 38.273098]  ? netlink_ack+0xb80/0xb80
[ 38.276979]  sock_diag_rcv+0x2a/0x40
[ 38.280696]  netlink_unicast+0x5a5/0x760
[ 38.284761]  ? netlink_attachskb+0x9a0/0x9a0
[ 38.289162]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.294692]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 38.299705]  netlink_sendmsg+0xa18/0xfc0
[ 38.303749]  ? netlink_unicast+0x760/0x760
[ 38.307965]  ? aa_sock_msg_perm.isra.12+0xba/0x160
[ 38.312882]  ? apparmor_socket_sendmsg+0x29/0x30
[ 38.317627]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.323158]  ? security_socket_sendmsg+0x94/0xc0
[ 38.327904]  ? netlink_unicast+0x760/0x760
[ 38.332118]  sock_sendmsg+0xd5/0x120
[ 38.335815]  ___sys_sendmsg+0x7fd/0x930
[ 38.339772]  ? __local_bh_enable_ip+0x160/0x260
[ 38.344426]  ? copy_msghdr_from_user+0x580/0x580
[ 38.349158]  ? kasan_check_write+0x14/0x20
[ 38.353392]  ? _raw_spin_unlock_bh+0x30/0x40
[ 38.357981]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 38.363420]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.369032]  ? release_sock+0x1ec/0x2c0
[ 38.373001]  ? __fget_light+0x2e9/0x430
[ 38.376978]  ? fget_raw+0x20/0x20
[ 38.380406]  ? __release_sock+0x3a0/0x3a0
[ 38.384530]  ? tipc_nametbl_build_group+0x273/0x360
[ 38.389553]  ? tipc_setsockopt+0x726/0xd70
[ 38.393767]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.399294]  ? sockfd_lookup_light+0xc5/0x160
[ 38.403767]  __sys_sendmsg+0x11d/0x280
[ 38.407634]  ? __ia32_sys_shutdown+0x80/0x80
[ 38.412029]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 38.417548]  ? fput+0x130/0x1a0
[ 38.420806]  ? __x64_sys_futex+0x47f/0x6a0
[ 38.425018]  ? do_syscall_64+0x9a/0x820
[ 38.428973]  ? do_syscall_64+0x9a/0x820
[ 38.432940]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 38.438396]  __x64_sys_sendmsg+0x78/0xb0
[ 38.442439]  do_syscall_64+0x1b9/0x820
[ 38.446315]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 38.451671]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 38.456595]  ? trace_hardirqs_on_caller+0x310/0x310
[ 38.461587]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 38.466578]  ? recalc_sigpending_tsk+0x180/0x180
[ 38.471325]  ? kasan_check_write+0x14/0x20
[ 38.475560]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.480392]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.485568] RIP: 0033:0x4572a9
[ 38.488735] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.507611] RSP: 002b:00007f76bdf00c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 38.515309] RAX: ffffffffffffffda RBX: 00007f76bdf016d4 RCX: 00000000004572a9
[ 38.522598] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 38.529857] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 38.537104] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 38.544351] R13: 00000000004d4e40 R14: 00000000004c9389 R15: 0000000000000000
[ 38.551923] Dumping ftrace buffer:
[ 38.555448]    (ftrace buffer empty)
[ 38.559773] Kernel Offset: disabled
[ 38.563401] Rebooting in 86400 seconds..