[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 25.005636] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.435841] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.742064] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.342983] random: sshd: uninitialized urandom read (32 bytes read)
[ 62.859034] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
[ 68.373837] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/06 21:44:30 parsed 1 programs
[ 69.402870] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/06 21:44:31 executed programs: 0
[ 70.459338] IPVS: ftp: loaded support on port[0] = 21
[ 70.680326] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.686781] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.694121] device bridge_slave_0 entered promiscuous mode
[ 70.711671] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.718063] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.724986] device bridge_slave_1 entered promiscuous mode
[ 70.741458] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 70.759142] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 70.804081] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 70.823416] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 70.892470] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 70.899860] team0: Port device team_slave_0 added
[ 70.916228] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 70.923563] team0: Port device team_slave_1 added
[ 70.940544] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 70.957671] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 70.975549] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 70.993132] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 71.122915] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.129388] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 71.136144] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.142512] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 71.601950] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 71.608083] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.633709] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 71.663073] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 71.708481] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 71.714694] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 71.723076] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 71.763656] 8021q: adding VLAN 0 to HW filter on device team0
[ 72.053202] hrtimer: interrupt took 27351 ns
[ 73.314035] ==================================================================
[ 73.321570] BUG: KASAN: use-after-free in ucma_put_ctx+0x1d/0x60
[ 73.327724] Write of size 4 at addr ffff8801d9193858 by task syz-executor0/5348
[ 73.335159]
[ 73.336795] CPU: 1 PID: 5348 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #224
[ 73.344064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.353414] Call Trace:
[ 73.356011]  dump_stack+0x1c9/0x2b4
[ 73.359649]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 73.364840]  ? printk+0xa7/0xcf
[ 73.368131]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 73.372911]  ? ucma_put_ctx+0x1d/0x60
[ 73.376719]  print_address_description+0x6c/0x20b
[ 73.381568]  ? ucma_put_ctx+0x1d/0x60
[ 73.385378]  kasan_report.cold.7+0x242/0x30d
[ 73.389792]  check_memory_region+0x13e/0x1b0
[ 73.394207]  kasan_check_write+0x14/0x20
[ 73.398272]  ucma_put_ctx+0x1d/0x60
[ 73.401904]  ucma_resolve_ip+0x24d/0x2a0
[ 73.405975]  ? ucma_query+0xb20/0xb20
[ 73.409793]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 73.415333]  ? _copy_from_user+0xdf/0x150
[ 73.419489]  ? ucma_query+0xb20/0xb20
[ 73.423298]  ucma_write+0x336/0x420
[ 73.426938]  ? ucma_close_id+0x60/0x60
[ 73.430832]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 73.435426]  __vfs_write+0x117/0x9d0
[ 73.439146]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 73.444612]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 73.449548]  ? ucma_close_id+0x60/0x60
[ 73.453453]  ? kernel_read+0x120/0x120
[ 73.458249]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 73.463015]  ? retint_kernel+0x10/0x10
[ 73.466918]  ? security_file_permission+0xee/0x230
[ 73.471855]  vfs_write+0x1fc/0x560
[ 73.475405]  ksys_write+0x101/0x260
[ 73.479041]  ? __ia32_sys_read+0xb0/0xb0
[ 73.483107]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 73.488225]  __x64_sys_write+0x73/0xb0
[ 73.492128]  do_syscall_64+0x1b9/0x820
[ 73.496017]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 73.501392]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 73.506338]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 73.511194]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 73.516223]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 73.521245]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 73.526282]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 73.531146]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.536338] RIP: 0033:0x457099
[ 73.539538] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 73.558453] RSP: 002b:00007f95c9f42c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 73.569214] RAX: ffffffffffffffda RBX: 00007f95c9f436d4 RCX: 0000000000457099
[ 73.576489] RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
[ 73.583767] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 73.591037] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 73.598310] R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000001
[ 73.605835]
[ 73.607464] Allocated by task 5348:
[ 73.611097]  save_stack+0x43/0xd0
[ 73.614559]  kasan_kmalloc+0xc4/0xe0
[ 73.618310]  kmem_cache_alloc_trace+0x152/0x730
[ 73.622979]  ucma_alloc_ctx+0xd5/0x670
[ 73.626878]  ucma_create_id+0x276/0x9d0
[ 73.630860]  ucma_write+0x336/0x420
[ 73.634495]  __vfs_write+0x117/0x9d0
[ 73.638210]  vfs_write+0x1fc/0x560
[ 73.641771]  ksys_write+0x101/0x260
[ 73.645409]  __x64_sys_write+0x73/0xb0
[ 73.649299]  do_syscall_64+0x1b9/0x820
[ 73.653188]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.658376]
[ 73.660020] Freed by task 5344:
[ 73.663301]  save_stack+0x43/0xd0
[ 73.666759]  __kasan_slab_free+0x11a/0x170
[ 73.670996]  kasan_slab_free+0xe/0x10
[ 73.674796]  kfree+0xd9/0x210
[ 73.677903]  ucma_free_ctx+0x9e2/0xe20
[ 73.681794]  ucma_close+0x10d/0x300
[ 73.685421]  __fput+0x38a/0xa40
[ 73.688700]  ____fput+0x15/0x20
[ 73.691984]  task_work_run+0x1e8/0x2a0
[ 73.695878]  exit_to_usermode_loop+0x318/0x380
[ 73.700464]  do_syscall_64+0x6be/0x820
[ 73.704352]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.710026]
[ 73.711654] The buggy address belongs to the object at ffff8801d9193800
[ 73.711654]  which belongs to the cache kmalloc-256 of size 256
[ 73.724321] The buggy address is located 88 bytes inside of
[ 73.724321]  256-byte region [ffff8801d9193800, ffff8801d9193900)
[ 73.736118] The buggy address belongs to the page:
[ 73.741055] page:ffffea00076464c0 count:1 mapcount:0 mapping:ffff8801dac007c0 index:0x0
[ 73.749209] flags: 0x2fffc0000000100(slab)
[ 73.753458] raw: 02fffc0000000100 ffffea0007658488 ffffea000766a688 ffff8801dac007c0
[ 73.761343] raw: 0000000000000000 ffff8801d9193080 000000010000000c 0000000000000000
[ 73.769217] page dumped because: kasan: bad access detected
[ 73.774921]
[ 73.776540] Memory state around the buggy address:
[ 73.781465]  ffff8801d9193700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 73.788825]  ffff8801d9193780: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.796190] >ffff8801d9193800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.803546]                                                     ^
[ 73.809780]  ffff8801d9193880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.817152]  ffff8801d9193900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 73.824509] ==================================================================
[ 73.831861] Disabling lock debugging due to kernel taint
[ 73.837464] Kernel panic - not syncing: panic_on_warn set ...
[ 73.837464]
[ 73.844847] CPU: 1 PID: 5348 Comm: syz-executor0 Tainted: G B 4.19.0-rc2+ #224
[ 73.853508] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.862844] Call Trace:
[ 73.865417]  dump_stack+0x1c9/0x2b4
[ 73.869031]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 73.874215]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 73.878956]  panic+0x238/0x4e7
[ 73.882133]  ? add_taint.cold.5+0x16/0x16
[ 73.886267]  ? trace_hardirqs_on+0x9a/0x2c0
[ 73.890569]  ? trace_hardirqs_on+0xb4/0x2c0
[ 73.894894]  ? trace_hardirqs_on+0xb4/0x2c0
[ 73.899207]  ? trace_hardirqs_on+0x9a/0x2c0
[ 73.903519]  ? ucma_put_ctx+0x1d/0x60
[ 73.907302]  kasan_end_report+0x47/0x4f
[ 73.911267]  kasan_report.cold.7+0x76/0x30d
[ 73.915571]  check_memory_region+0x13e/0x1b0
[ 73.919968]  kasan_check_write+0x14/0x20
[ 73.924014]  ucma_put_ctx+0x1d/0x60
[ 73.927627]  ucma_resolve_ip+0x24d/0x2a0
[ 73.931673]  ? ucma_query+0xb20/0xb20
[ 73.935460]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 73.940982]  ? _copy_from_user+0xdf/0x150
[ 73.945118]  ? ucma_query+0xb20/0xb20
[ 73.948903]  ucma_write+0x336/0x420
[ 73.952515]  ? ucma_close_id+0x60/0x60
[ 73.956386]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 73.960957]  __vfs_write+0x117/0x9d0
[ 73.964653]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 73.970099]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 73.975018]  ? ucma_close_id+0x60/0x60
[ 73.978891]  ? kernel_read+0x120/0x120
[ 73.982767]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 73.987509]  ? retint_kernel+0x10/0x10
[ 73.991383]  ? security_file_permission+0xee/0x230
[ 73.996304]  vfs_write+0x1fc/0x560
[ 73.999845]  ksys_write+0x101/0x260
[ 74.003458]  ? __ia32_sys_read+0xb0/0xb0
[ 74.007507]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 74.012616]  __x64_sys_write+0x73/0xb0
[ 74.016507]  do_syscall_64+0x1b9/0x820
[ 74.020381]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 74.025728]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 74.030641]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 74.035467]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 74.040473]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 74.045475]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 74.050478]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 74.055307]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.060478] RIP: 0033:0x457099
[ 74.063654] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 74.082539] RSP: 002b:00007f95c9f42c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 74.090232] RAX: ffffffffffffffda RBX: 00007f95c9f436d4 RCX: 0000000000457099
[ 74.097483] RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
[ 74.104749] RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
[ 74.112002] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 74.119253] R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000001
[ 74.126820] Dumping ftrace buffer:
[ 74.130346]    (ftrace buffer empty)
[ 74.134035] Kernel Offset: disabled
[ 74.137643] Rebooting in 86400 seconds..