[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.970076] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 24.540030] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.826107] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.373383] random: sshd: uninitialized urandom read (32 bytes read)
[ 79.812729] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[ 85.369279] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/19 00:37:02 parsed 1 programs
[ 86.532959] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/19 00:37:03 executed programs: 0
[ 87.725313] IPVS: ftp: loaded support on port[0] = 21
[ 87.931029] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.937505] bridge0: port 1(bridge_slave_0) entered disabled state
[ 87.945266] device bridge_slave_0 entered promiscuous mode
[ 87.962111] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.968475] bridge0: port 2(bridge_slave_1) entered disabled state
[ 87.975723] device bridge_slave_1 entered promiscuous mode
[ 87.993195] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 88.009857] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 88.054202] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 88.073172] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 88.138242] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 88.145498] team0: Port device team_slave_0 added
[ 88.160965] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 88.168150] team0: Port device team_slave_1 added
[ 88.183774] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 88.200418] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 88.215914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 88.231662] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 88.350529] bridge0: port 2(bridge_slave_1) entered blocking state
[ 88.357070] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 88.364007] bridge0: port 1(bridge_slave_0) entered blocking state
[ 88.370372] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 88.793156] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 88.799635] 8021q: adding VLAN 0 to HW filter on device bond0
[ 88.843366] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 88.875317] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 88.893507] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 88.899643] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 88.907566] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 88.944622] 8021q: adding VLAN 0 to HW filter on device team0
[ 92.617030] ==================================================================
[ 92.624564] BUG: KASAN: use-after-free in tipc_group_fill_sock_diag+0x74d/0x84b
[ 92.632012] Read of size 4 at addr ffff8801b6bce364 by task syz-executor0/5574
[ 92.639363]
[ 92.640998] CPU: 1 PID: 5574 Comm: syz-executor0 Not tainted 4.18.0+ #60
[ 92.647831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.657177] Call Trace:
[ 92.659777]  dump_stack+0x1c9/0x2b4
[ 92.663414]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 92.668605]  ? printk+0xa7/0xcf
[ 92.671886]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 92.676652]  ? tipc_group_fill_sock_diag+0x74d/0x84b
[ 92.681768]  print_address_description+0x6c/0x20b
[ 92.686613]  ? tipc_group_fill_sock_diag+0x74d/0x84b
[ 92.691721]  kasan_report.cold.7+0x242/0x2fe
[ 92.696154]  __asan_report_load4_noabort+0x14/0x20
[ 92.701089]  tipc_group_fill_sock_diag+0x74d/0x84b
[ 92.706026]  ? tipc_group_member_evt+0xe30/0xe30
[ 92.710791]  ? skb_put+0x17b/0x1e0
[ 92.714337]  ? memset+0x31/0x40
[ 92.717620]  ? memcpy+0x45/0x50
[ 92.720907]  ? nla_put+0x11a/0x150
[ 92.724467]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 92.729139]  ? tipc_diag_dump+0x30/0x30
[ 92.733120]  ? tipc_getname+0x7f0/0x7f0
[ 92.737101]  ? save_stack+0xa9/0xd0
[ 92.740728]  ? save_stack+0x43/0xd0
[ 92.744357]  ? kasan_kmalloc+0xc4/0xe0
[ 92.748246]  ? __kmalloc_node_track_caller+0x47/0x70
[ 92.753354]  ? graph_lock+0x170/0x170
[ 92.757157]  ? __netlink_dump_start+0x4f1/0x6f0
[ 92.761926]  ? sock_diag_rcv_msg+0x31d/0x410
[ 92.766347]  ? netlink_rcv_skb+0x172/0x440
[ 92.770583]  ? sock_diag_rcv+0x2a/0x40
[ 92.774470]  ? netlink_unicast+0x5a0/0x760
[ 92.778705]  ? netlink_sendmsg+0xa18/0xfc0
[ 92.782947]  ? sock_sendmsg+0xd5/0x120
[ 92.786839]  ? ___sys_sendmsg+0x7fd/0x930
[ 92.790988]  ? __x64_sys_sendmsg+0x78/0xb0
[ 92.795229]  ? do_syscall_64+0x1b9/0x820
[ 92.799291]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.804668]  ? lock_acquire+0x1e4/0x540
[ 92.808651]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 92.812887]  ? tipc_nl_sk_walk+0x311/0xd30
[ 92.817127]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 92.822147]  ? skb_put+0x17b/0x1e0
[ 92.825690]  ? __nlmsg_put+0x14c/0x1b0
[ 92.829585]  __tipc_add_sock_diag+0x22f/0x360
[ 92.834093]  tipc_nl_sk_walk+0x68d/0xd30
[ 92.838169]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 92.843454]  ? __tipc_nl_add_sk+0x400/0x400
[ 92.847784]  ? skb_scrub_packet+0x490/0x490
[ 92.852115]  ? kasan_check_write+0x14/0x20
[ 92.856354]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 92.861294]  ? lock_downgrade+0x8f0/0x8f0
[ 92.865448]  tipc_diag_dump+0x24/0x30
[ 92.869251]  netlink_dump+0x519/0xd50
[ 92.873073]  ? netlink_broadcast+0x50/0x50
[ 92.877316]  __netlink_dump_start+0x4f1/0x6f0
[ 92.881813]  ? kasan_check_read+0x11/0x20
[ 92.885976]  tipc_sock_diag_handler_dump+0x234/0x340
[ 92.891082]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 92.895757]  ? tipc_unregister_sysctl+0x20/0x20
[ 92.900429]  ? netlink_deliver_tap+0x356/0xfb0
[ 92.905025]  sock_diag_rcv_msg+0x31d/0x410
[ 92.909265]  netlink_rcv_skb+0x172/0x440
[ 92.913331]  ? sock_diag_bind+0x80/0x80
[ 92.917307]  ? netlink_ack+0xbe0/0xbe0
[ 92.921197]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 92.925878]  sock_diag_rcv+0x2a/0x40
[ 92.929595]  netlink_unicast+0x5a0/0x760
[ 92.933661]  ? netlink_attachskb+0x9a0/0x9a0
[ 92.938075]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 92.943613]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 92.948634]  netlink_sendmsg+0xa18/0xfc0
[ 92.952703]  ? netlink_unicast+0x760/0x760
[ 92.956952]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 92.962239]  ? security_socket_sendmsg+0x94/0xc0
[ 92.967000]  ? netlink_unicast+0x760/0x760
[ 92.971234]  sock_sendmsg+0xd5/0x120
[ 92.974958]  ___sys_sendmsg+0x7fd/0x930
[ 92.978949]  ? copy_msghdr_from_user+0x580/0x580
[ 92.983710]  ? kasan_check_read+0x11/0x20
[ 92.987861]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 92.992276]  ? __fget_light+0x2f7/0x440
[ 92.996250]  ? __local_bh_enable_ip+0x161/0x230
[ 93.000925]  ? fget_raw+0x20/0x20
[ 93.004394]  ? __release_sock+0x3a0/0x3a0
[ 93.008548]  ? tipc_nametbl_build_group+0x279/0x360
[ 93.013572]  ? tipc_setsockopt+0x726/0xd70
[ 93.017813]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 93.023351]  ? sockfd_lookup_light+0xc5/0x160
[ 93.027849]  __sys_sendmsg+0x11d/0x290
[ 93.031738]  ? __ia32_sys_shutdown+0x80/0x80
[ 93.036153]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 93.041694]  ? fput+0x130/0x1a0
[ 93.044987]  ? __x64_sys_futex+0x47f/0x6a0
[ 93.049243]  __x64_sys_sendmsg+0x78/0xb0
[ 93.053308]  do_syscall_64+0x1b9/0x820
[ 93.057195]  ? finish_task_switch+0x1d3/0x870
[ 93.061696]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 93.066635]  ? syscall_return_slowpath+0x31d/0x5e0
[ 93.071565]  ? __switch_to_asm+0x34/0x70
[ 93.075626]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 93.080998]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 93.085847]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.091036] RIP: 0033:0x457089
[ 93.094233] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 93.113137] RSP: 002b:00007f9676ab4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 93.120846] RAX: ffffffffffffffda RBX: 00007f9676ab56d4 RCX: 0000000000457089
[ 93.128114] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 93.135381] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 93.142648] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 93.149915] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 93.157202]
[ 93.158829] Allocated by task 5574:
[ 93.162458]  save_stack+0x43/0xd0
[ 93.165907]  kasan_kmalloc+0xc4/0xe0
[ 93.169634]  kmem_cache_alloc_trace+0x152/0x780
[ 93.174302]  tipc_group_create+0x155/0xa70
[ 93.178536]  tipc_setsockopt+0x2d1/0xd70
[ 93.182601]  __sys_setsockopt+0x1c5/0x3b0
[ 93.186746]  __x64_sys_setsockopt+0xbe/0x150
[ 93.191162]  do_syscall_64+0x1b9/0x820
[ 93.195048]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.200227]
[ 93.201852] Freed by task 5573:
[ 93.205130]  save_stack+0x43/0xd0
[ 93.208579]  __kasan_slab_free+0x11a/0x170
[ 93.212810]  kasan_slab_free+0xe/0x10
[ 93.216606]  kfree+0xd9/0x260
[ 93.219712]  tipc_group_delete+0x2e5/0x3f0
[ 93.223955]  tipc_sk_leave+0x113/0x220
[ 93.227842]  tipc_release+0x14e/0x12b0
[ 93.231729]  __sock_release+0xd7/0x250
[ 93.235623]  sock_close+0x19/0x20
[ 93.239078]  __fput+0x39b/0x860
[ 93.242358]  ____fput+0x15/0x20
[ 93.245662]  task_work_run+0x1e8/0x2a0
[ 93.249576]  exit_to_usermode_loop+0x318/0x380
[ 93.254187]  do_syscall_64+0x6be/0x820
[ 93.258074]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.263253]
[ 93.264879] The buggy address belongs to the object at ffff8801b6bce300
[ 93.264879]  which belongs to the cache kmalloc-192 of size 192
[ 93.277540] The buggy address is located 100 bytes inside of
[ 93.277540]  192-byte region [ffff8801b6bce300, ffff8801b6bce3c0)
[ 93.289410] The buggy address belongs to the page:
[ 93.294340] page:ffffea0006daf380 count:1 mapcount:0 mapping:ffff8801dac00040 index:0x0
[ 93.302485] flags: 0x2fffc0000000100(slab)
[ 93.306725] raw: 02fffc0000000100 ffffea0006cf5f48 ffffea0006cdec48 ffff8801dac00040
[ 93.314612] raw: 0000000000000000 ffff8801b6bce000 0000000100000010 0000000000000000
[ 93.322487] page dumped because: kasan: bad access detected
[ 93.328190]
[ 93.329813] Memory state around the buggy address:
[ 93.334780]  ffff8801b6bce200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 93.342140]  ffff8801b6bce280: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 93.349494] >ffff8801b6bce300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.356846]                                                        ^
[ 93.363335]  ffff8801b6bce380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 93.370688]  ffff8801b6bce400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.378040] ==================================================================
[ 93.385387] Disabling lock debugging due to kernel taint
[ 93.390884] Kernel panic - not syncing: panic_on_warn set ...
[ 93.390884]
[ 93.398253] CPU: 1 PID: 5574 Comm: syz-executor0 Tainted: G B 4.18.0+ #60
[ 93.406477] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 93.415825] Call Trace:
[ 93.418422]  dump_stack+0x1c9/0x2b4
[ 93.422051]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 93.427242]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 93.432003]  panic+0x238/0x4e7
[ 93.435197]  ? add_taint.cold.5+0x16/0x16
[ 93.439346]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 93.443757]  ? tipc_group_fill_sock_diag+0x74d/0x84b
[ 93.448858]  kasan_end_report+0x47/0x4f
[ 93.452828]  kasan_report.cold.7+0x76/0x2fe
[ 93.457152]  __asan_report_load4_noabort+0x14/0x20
[ 93.462078]  tipc_group_fill_sock_diag+0x74d/0x84b
[ 93.467007]  ? tipc_group_member_evt+0xe30/0xe30
[ 93.471773]  ? skb_put+0x17b/0x1e0
[ 93.475310]  ? memset+0x31/0x40
[ 93.478590]  ? memcpy+0x45/0x50
[ 93.481872]  ? nla_put+0x11a/0x150
[ 93.485415]  tipc_sk_fill_sock_diag+0x9f8/0xdb0
[ 93.490085]  ? tipc_diag_dump+0x30/0x30
[ 93.494062]  ? tipc_getname+0x7f0/0x7f0
[ 93.498040]  ? save_stack+0xa9/0xd0
[ 93.501665]  ? save_stack+0x43/0xd0
[ 93.505292]  ? kasan_kmalloc+0xc4/0xe0
[ 93.509177]  ? __kmalloc_node_track_caller+0x47/0x70
[ 93.514282]  ? graph_lock+0x170/0x170
[ 93.518083]  ? __netlink_dump_start+0x4f1/0x6f0
[ 93.522761]  ? sock_diag_rcv_msg+0x31d/0x410
[ 93.527178]  ? netlink_rcv_skb+0x172/0x440
[ 93.531410]  ? sock_diag_rcv+0x2a/0x40
[ 93.535296]  ? netlink_unicast+0x5a0/0x760
[ 93.539524]  ? netlink_sendmsg+0xa18/0xfc0
[ 93.543760]  ? sock_sendmsg+0xd5/0x120
[ 93.547644]  ? ___sys_sendmsg+0x7fd/0x930
[ 93.551790]  ? __x64_sys_sendmsg+0x78/0xb0
[ 93.556024]  ? do_syscall_64+0x1b9/0x820
[ 93.560083]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.565448]  ? lock_acquire+0x1e4/0x540
[ 93.569421]  ? tipc_nl_sk_walk+0x60a/0xd30
[ 93.573651]  ? tipc_nl_sk_walk+0x311/0xd30
[ 93.577889]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 93.582907]  ? skb_put+0x17b/0x1e0
[ 93.586452]  ? __nlmsg_put+0x14c/0x1b0
[ 93.590342]  __tipc_add_sock_diag+0x22f/0x360
[ 93.594842]  tipc_nl_sk_walk+0x68d/0xd30
[ 93.599391]  ? tipc_sock_diag_handler_dump+0x340/0x340
[ 93.604669]  ? __tipc_nl_add_sk+0x400/0x400
[ 93.608997]  ? skb_scrub_packet+0x490/0x490
[ 93.613322]  ? kasan_check_write+0x14/0x20
[ 93.617556]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 93.622490]  ? lock_downgrade+0x8f0/0x8f0
[ 93.626638]  tipc_diag_dump+0x24/0x30
[ 93.630435]  netlink_dump+0x519/0xd50
[ 93.634246]  ? netlink_broadcast+0x50/0x50
[ 93.638484]  __netlink_dump_start+0x4f1/0x6f0
[ 93.642977]  ? kasan_check_read+0x11/0x20
[ 93.647127]  tipc_sock_diag_handler_dump+0x234/0x340
[ 93.652227]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[ 93.656896]  ? tipc_unregister_sysctl+0x20/0x20
[ 93.661561]  ? netlink_deliver_tap+0x356/0xfb0
[ 93.666147]  sock_diag_rcv_msg+0x31d/0x410
[ 93.670382]  netlink_rcv_skb+0x172/0x440
[ 93.674446]  ? sock_diag_bind+0x80/0x80
[ 93.678415]  ? netlink_ack+0xbe0/0xbe0
[ 93.682299]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 93.686976]  sock_diag_rcv+0x2a/0x40
[ 93.690687]  netlink_unicast+0x5a0/0x760
[ 93.694755]  ? netlink_attachskb+0x9a0/0x9a0
[ 93.699166]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 93.704701]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 93.709719]  netlink_sendmsg+0xa18/0xfc0
[ 93.713785]  ? netlink_unicast+0x760/0x760
[ 93.718022]  ? move_addr_to_kernel.part.18+0x100/0x100
[ 93.723302]  ? security_socket_sendmsg+0x94/0xc0
[ 93.728057]  ? netlink_unicast+0x760/0x760
[ 93.732291]  sock_sendmsg+0xd5/0x120
[ 93.736002]  ___sys_sendmsg+0x7fd/0x930
[ 93.739979]  ? copy_msghdr_from_user+0x580/0x580
[ 93.744733]  ? kasan_check_read+0x11/0x20
[ 93.748884]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 93.753296]  ? __fget_light+0x2f7/0x440
[ 93.757269]  ? __local_bh_enable_ip+0x161/0x230
[ 93.761949]  ? fget_raw+0x20/0x20
[ 93.765405]  ? __release_sock+0x3a0/0x3a0
[ 93.769552]  ? tipc_nametbl_build_group+0x279/0x360
[ 93.774570]  ? tipc_setsockopt+0x726/0xd70
[ 93.778811]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 93.784347]  ? sockfd_lookup_light+0xc5/0x160
[ 93.788838]  __sys_sendmsg+0x11d/0x290
[ 93.792726]  ? __ia32_sys_shutdown+0x80/0x80
[ 93.797142]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 93.802679]  ? fput+0x130/0x1a0
[ 93.805972]  ? __x64_sys_futex+0x47f/0x6a0
[ 93.810214]  __x64_sys_sendmsg+0x78/0xb0
[ 93.814280]  do_syscall_64+0x1b9/0x820
[ 93.818164]  ? finish_task_switch+0x1d3/0x870
[ 93.822657]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 93.827587]  ? syscall_return_slowpath+0x31d/0x5e0
[ 93.832516]  ? __switch_to_asm+0x34/0x70
[ 93.836573]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 93.841949]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 93.846799]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.851987] RIP: 0033:0x457089
[ 93.855184] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 93.874082] RSP: 002b:00007f9676ab4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 93.881789] RAX: ffffffffffffffda RBX: 00007f9676ab56d4 RCX: 0000000000457089
[ 93.889055] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[ 93.896320] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[ 93.903588] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 93.910851] R13: 00000000004d4088 R14: 00000000004c8ab0 R15: 0000000000000000
[ 93.918462] Dumping ftrace buffer:
[ 93.922000]    (ftrace buffer empty)
[ 93.925689] Kernel Offset: disabled
[ 93.929297] Rebooting in 86400 seconds..