[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   24.884792] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.756338] random: sshd: uninitialized urandom read (32 bytes read)
[   29.122039] random: sshd: uninitialized urandom read (32 bytes read)
[   29.710345] random: sshd: uninitialized urandom read (32 bytes read)
[   49.572650] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.234' (ECDSA) to the list of known hosts.
[   55.312796] random: sshd: uninitialized urandom read (32 bytes read)
[   55.448427] ==================================================================
[   55.456001] BUG: KASAN: slab-out-of-bounds in mqueue_get_tree+0x2a2/0x2e0
[   55.462960] Read of size 8 at addr ffff8801d8c569e8 by task syz-executor636/5564
[   55.470500]
[   55.472139] CPU: 1 PID: 5564 Comm: syz-executor636 Not tainted 4.19.0-rc3-next-20180912+ #72
[   55.480835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.490194] Call Trace:
[   55.492798]  dump_stack+0x1d3/0x2c4
[   55.496438]  ? dump_stack_print_info.cold.2+0x52/0x52
[   55.501636]  ? printk+0xa7/0xcf
[   55.504922]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   55.509699]  print_address_description.cold.8+0x9/0x1ff
[   55.515077]  kasan_report.cold.9+0x242/0x309
[   55.519504]  ? mqueue_get_tree+0x2a2/0x2e0
[   55.523752]  __asan_report_load8_noabort+0x14/0x20
[   55.528700]  mqueue_get_tree+0x2a2/0x2e0
[   55.532764]  vfs_get_tree+0x1cb/0x5c0
[   55.536584]  mq_create_mount+0xe3/0x190
[   55.540593]  mq_init_ns+0x15a/0x210
[   55.544228]  copy_ipcs+0x3d2/0x580
[   55.547773]  ? ipcns_get+0xe0/0xe0
[   55.551323]  ? do_mount+0x1db0/0x1db0
[   55.555127]  ? kmem_cache_alloc+0x33a/0x730
[   55.559463]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.565018]  ? perf_event_namespaces+0x136/0x400
[   55.569789]  create_new_namespaces+0x376/0x900
[   55.574389]  ? sys_ni_syscall+0x20/0x20
[   55.578781]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.584328]  ? ns_capable_common+0x13f/0x170
[   55.588754]  unshare_nsproxy_namespaces+0xc3/0x1f0
[   55.593699]  ksys_unshare+0x79c/0x10b0
[   55.597630]  ? walk_process_tree+0x440/0x440
[   55.602049]  ? lock_downgrade+0x900/0x900
[   55.606213]  ? kasan_check_read+0x11/0x20
[   55.610371]  ? do_raw_spin_unlock+0xa7/0x2f0
[   55.614784]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   55.619380]  ? kasan_check_write+0x14/0x20
[   55.623640]  ? do_raw_read_unlock+0x3f/0x60
[   55.627986]  ? do_syscall_64+0x9a/0x820
[   55.631970]  ? do_syscall_64+0x9a/0x820
[   55.635954]  ? lockdep_hardirqs_on+0x421/0x5c0
[   55.640570]  ? trace_hardirqs_on+0xbd/0x310
[   55.644932]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.650305]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   55.655771]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[   55.660454]  __x64_sys_unshare+0x31/0x40
[   55.664536]  do_syscall_64+0x1b9/0x820
[   55.668431]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   55.673826]  ? syscall_return_slowpath+0x5e0/0x5e0
[   55.678763]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.683624]  ? trace_hardirqs_on_caller+0x310/0x310
[   55.688652]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   55.693936]  ? prepare_exit_to_usermode+0x291/0x3b0
[   55.698969]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.703830]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.709023] RIP: 0033:0x44ab57
[   55.712227] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 4d d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 2d d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.731162] RSP: 002b:00007fffe95bfda8 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[   55.738887] RAX: ffffffffffffffda RBX: 00007fffe95bfdd0 RCX: 000000000044ab57
[   55.746165] RDX: 0000000000000000 RSI: 00007fffe95bfdc0 RDI: 0000000008000000
[   55.753437] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000001b1d940
[   55.760713] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000408810
[   55.767987] R13: 00000000004088a0 R14: 0000000000000000 R15: 0000000000000000
[   55.775282]
[   55.776914] Allocated by task 5564:
[   55.780561]  save_stack+0x43/0xd0
[   55.784024]  kasan_kmalloc+0xc7/0xe0
[   55.787743]  kmem_cache_alloc_trace+0x152/0x750
[   55.792434]  copy_ipcs+0x1c6/0x580
[   55.795978]  create_new_namespaces+0x376/0x900
[   55.800561]  unshare_nsproxy_namespaces+0xc3/0x1f0
[   55.805508]  ksys_unshare+0x79c/0x10b0
[   55.809405]  __x64_sys_unshare+0x31/0x40
[   55.813473]  do_syscall_64+0x1b9/0x820
[   55.817377]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.822559]
[   55.824188] Freed by task 0:
[   55.827198] (stack is not available)
[   55.830903]
[   55.832536] The buggy address belongs to the object at ffff8801d8c562c0
[   55.832536]  which belongs to the cache kmalloc-2048 of size 2048
[   55.845395] The buggy address is located 1832 bytes inside of
[   55.845395]  2048-byte region [ffff8801d8c562c0, ffff8801d8c56ac0)
[   55.857454] The buggy address belongs to the page:
[   55.862401] page:ffffea0007631580 count:1 mapcount:0 mapping:ffff8801da800c40 index:0x0 compound_mapcount: 0
[   55.872386] flags: 0x2fffc0000008100(slab|head)
[   55.877070] raw: 02fffc0000008100 ffffea0007632008 ffff8801da801948 ffff8801da800c40
[   55.884960] raw: 0000000000000000 ffff8801d8c562c0 0000000100000003 0000000000000000
[   55.892838] page dumped because: kasan: bad access detected
[   55.898545]
[   55.900214] Memory state around the buggy address:
[   55.905147]  ffff8801d8c56880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   55.912519]  ffff8801d8c56900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   55.920240] >ffff8801d8c56980: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   55.927602]                                                           ^
[   55.934362]  ffff8801d8c56a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.941724]  ffff8801d8c56a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   55.949081] ==================================================================
[   55.956439] Disabling lock debugging due to kernel taint
[   55.962347] Kernel panic - not syncing: panic_on_warn set ...
[   55.962347]
[   55.969731] CPU: 1 PID: 5564 Comm: syz-executor636 Tainted: G    B             4.19.0-rc3-next-20180912+ #72
[   55.979693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.989046] Call Trace:
[   55.991646]  dump_stack+0x1d3/0x2c4
[   55.995280]  ? dump_stack_print_info.cold.2+0x52/0x52
[   56.000475]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   56.005251]  panic+0x238/0x4e7
[   56.008446]  ? add_taint.cold.5+0x16/0x16
[   56.012622]  ? trace_hardirqs_on+0x9a/0x310
[   56.016947]  ? trace_hardirqs_on+0xb4/0x310
[   56.021271]  ? trace_hardirqs_on+0xb4/0x310
[   56.025625]  kasan_end_report+0x47/0x4f
[   56.029607]  kasan_report.cold.9+0x76/0x309
[   56.033932]  ? mqueue_get_tree+0x2a2/0x2e0
[   56.038173]  __asan_report_load8_noabort+0x14/0x20
[   56.043113]  mqueue_get_tree+0x2a2/0x2e0
[   56.047180]  vfs_get_tree+0x1cb/0x5c0
[   56.050985]  mq_create_mount+0xe3/0x190
[   56.054963]  mq_init_ns+0x15a/0x210
[   56.058593]  copy_ipcs+0x3d2/0x580
[   56.062134]  ? ipcns_get+0xe0/0xe0
[   56.065681]  ? do_mount+0x1db0/0x1db0
[   56.069490]  ? kmem_cache_alloc+0x33a/0x730
[   56.073822]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   56.079363]  ? perf_event_namespaces+0x136/0x400
[   56.084124]  create_new_namespaces+0x376/0x900
[   56.088718]  ? sys_ni_syscall+0x20/0x20
[   56.092704]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   56.098246]  ? ns_capable_common+0x13f/0x170
[   56.102660]  unshare_nsproxy_namespaces+0xc3/0x1f0
[   56.107607]  ksys_unshare+0x79c/0x10b0
[   56.111507]  ? walk_process_tree+0x440/0x440
[   56.115924]  ? lock_downgrade+0x900/0x900
[   56.120076]  ? kasan_check_read+0x11/0x20
[   56.124225]  ? do_raw_spin_unlock+0xa7/0x2f0
[   56.128636]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   56.133222]  ? kasan_check_write+0x14/0x20
[   56.137458]  ? do_raw_read_unlock+0x3f/0x60
[   56.141790]  ? do_syscall_64+0x9a/0x820
[   56.145767]  ? do_syscall_64+0x9a/0x820
[   56.149745]  ? lockdep_hardirqs_on+0x421/0x5c0
[   56.154332]  ? trace_hardirqs_on+0xbd/0x310
[   56.158663]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.164033]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   56.169497]  ? __ia32_sys_prlimit64+0x8c0/0x8c0
[   56.174172]  __x64_sys_unshare+0x31/0x40
[   56.178239]  do_syscall_64+0x1b9/0x820
[   56.182142]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   56.187514]  ? syscall_return_slowpath+0x5e0/0x5e0
[   56.192449]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.197306]  ? trace_hardirqs_on_caller+0x310/0x310
[   56.202328]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   56.207347]  ? prepare_exit_to_usermode+0x291/0x3b0
[   56.212370]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.217221]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.222429] RIP: 0033:0x44ab57
[   56.225631] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 4d d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 2d d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   56.244562] RSP: 002b:00007fffe95bfda8 EFLAGS: 00000217 ORIG_RAX: 0000000000000110
[   56.252322] RAX: ffffffffffffffda RBX: 00007fffe95bfdd0 RCX: 000000000044ab57
[   56.259598] RDX: 0000000000000000 RSI: 00007fffe95bfdc0 RDI: 0000000008000000
[   56.266877] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000001b1d940
[   56.274147] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000408810
[   56.281415] R13: 00000000004088a0 R14: 0000000000000000 R15: 0000000000000000
[   56.289609] Kernel Offset: disabled
[   56.293290] Rebooting in 86400 seconds..
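Triage notes, as an added example rather than anything from syzbot or the kernel tree: the program below parses the lines of the report above that matter for classifying the bug (the faulting read, the owning slab object, the marked shadow row and the user-space register dump) and works out where the read landed. Everything it computes comes from the report's own numbers; the only outside facts it relies on are x86-64 Linux ABI and KASAN constants that the page does not state: syscall 0x110 is unshare(2), 0x08000000 is CLONE_NEWIPC, and generic KASAN keeps one shadow byte per 8 bytes of memory with 0x00 meaning fully accessible, 0xfc a kmalloc redzone, 0xfb a freed kmalloc object and 0xfa a freed page. The constant and function names are mine.

```c
/* Added triage helper for the KASAN report above; not syzbot or kernel code.
 * Input strings are lines copied from the report with timestamps removed.
 * Assumed facts not on the page: x86-64 __NR_unshare == 0x110,
 * CLONE_NEWIPC == 0x08000000, and KASAN shadow encoding (8 bytes per shadow
 * byte; 0x00 accessible, 0xfa freed page, 0xfb freed object, 0xfc redzone). */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_UNSHARE_X86_64 0x110u
#define CLONE_NEWIPC_FLAG 0x08000000u
#define KASAN_GRANULE 8u          /* bytes of memory per shadow byte */

static const char *const access_line =
    "Read of size 8 at addr ffff8801d8c569e8 by task syz-executor636/5564";
static const char *const object_line =
    "The buggy address belongs to the object at ffff8801d8c562c0 "
    "which belongs to the cache kmalloc-2048 of size 2048";
static const char *const shadow_row =
    ">ffff8801d8c56980: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc";
static const char *const regs_line =
    "RSP: 002b:00007fffe95bfda8 EFLAGS: 00000217 ORIG_RAX: 0000000000000110";
static const char *const rdi_line =
    "RDX: 0000000000000000 RSI: 00007fffe95bfdc0 RDI: 0000000008000000";

struct kasan_triage {
    uint64_t access_addr, obj_start, redzone_start;
    unsigned access_size, obj_size;
    unsigned offset_in_obj;   /* access_addr - obj_start (report says 1832) */
    unsigned shadow_byte;     /* shadow value covering access_addr */
    unsigned alloc_size;      /* redzone_start - obj_start: the kmalloc'd size */
    long bytes_past_alloc;    /* access_addr - redzone_start; > 0 means OOB */
};

/* Hex value following "KEY: " in a register-dump line, or UINT64_MAX. */
static uint64_t reg_from_line(const char *line, const char *key)
{
    const char *p = strstr(line, key);
    return p ? strtoull(p + strlen(key), NULL, 16) : UINT64_MAX;
}

static const char *syscall_name(uint64_t nr) { return nr == NR_UNSHARE_X86_64 ? "unshare" : "unknown"; }
static const char *clone_flag_name(uint64_t f) { return f == CLONE_NEWIPC_FLAG ? "CLONE_NEWIPC" : "unknown"; }

static const char *shadow_meaning(unsigned b)
{
    switch (b) {
    case 0x00: return "accessible";
    case 0xfa: return "freed page";
    case 0xfb: return "freed kmalloc object";
    case 0xfc: return "kmalloc redzone (out of bounds)";
    default:   return b <= 0x07 ? "partially accessible" : "other poison";
    }
}

/* Returns 0 on success, -1 if a line does not have the expected shape. */
static int parse_kasan_report(struct kasan_triage *t)
{
    uint64_t row_base;
    unsigned shadow[16], i;      /* KASAN prints 16 shadow bytes per row */
    const char *p;

    memset(t, 0, sizeof *t);
    if (sscanf(access_line, "Read of size %u at addr %" SCNx64,
               &t->access_size, &t->access_addr) != 2 ||
        sscanf(object_line, "The buggy address belongs to the object at %" SCNx64
               " which belongs to the cache %*s of size %u",
               &t->obj_start, &t->obj_size) != 2 ||
        sscanf(shadow_row, ">%" SCNx64 ":", &row_base) != 1)
        return -1;
    p = strchr(shadow_row, ':') + 1;
    for (i = 0; i < 16; i++) {
        char *end;
        shadow[i] = (unsigned)strtoul(p, &end, 16);
        if (end == p) return -1;
        p = end;
    }
    if (t->access_addr < row_base || t->access_addr >= row_base + 16 * KASAN_GRANULE)
        return -1;               /* the marked row must cover the address */
    t->offset_in_obj = (unsigned)(t->access_addr - t->obj_start);
    t->shadow_byte = shadow[(t->access_addr - row_base) / KASAN_GRANULE];
    /* kmalloc'd size < slab object size, so the object's tail is redzoned:
     * the first 0xfc byte in the row marks the end of the allocation. */
    for (i = 0; i < 16 && shadow[i] != 0xfc; i++)
        ;
    if (i == 16) return -1;
    t->redzone_start = row_base + (uint64_t)i * KASAN_GRANULE;
    t->alloc_size = (unsigned)(t->redzone_start - t->obj_start);
    t->bytes_past_alloc = (long)(t->access_addr - t->redzone_start);
    return 0;
}

int main(void)
{
    struct kasan_triage t;
    uint64_t nr = reg_from_line(regs_line, "ORIG_RAX: ");
    uint64_t rdi = reg_from_line(rdi_line, "RDI: ");

    if (parse_kasan_report(&t) != 0) { fputs("report did not parse\n", stderr); return 1; }
    printf("syscall %" PRIu64 " (%s) with rdi 0x%" PRIx64 " (%s)\n",
           nr, syscall_name(nr), rdi, clone_flag_name(rdi));
    printf("read of %u bytes at offset %u of a %u-byte slab object; shadow 0x%02x: %s\n",
           t.access_size, t.offset_in_obj, t.obj_size, t.shadow_byte, shadow_meaning(t.shadow_byte));
    printf("allocation is %u bytes; the read starts %ld bytes past its end\n",
           t.alloc_size, t.bytes_past_alloc);
    return 0;
}
```

Run against the report's lines this decodes the trapped syscall as unshare with rdi == CLONE_NEWIPC, which matches the ksys_unshare to copy_ipcs path in both call traces, and places the 8-byte read 1832 bytes into the 2048-byte kmalloc-2048 object, under a 0xfc shadow byte. The derived figures are that the object allocated in copy_ipcs is 1808 bytes (the redzone starts at ffff8801d8c569d0) and the read begins 24 bytes past it, still inside the slab object, which is why KASAN classes this as slab-out-of-bounds rather than a wild access. Two caveats for anyone reproducing: unshare(CLONE_NEWIPC) requires CAP_SYS_ADMIN (the ns_capable_common frame in the trace is that check), though the same path is reachable by an unprivileged process that also requests CLONE_NEWUSER where user namespaces are enabled; and the report's "Freed by task 0: (stack is not available)" does not indicate a free, so this is an OOB read on a live object, not a use-after-free.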