[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 16.229324] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[ 16.842927] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.063815] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.126886] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.248787] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
[ 23.724076] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/08 03:25:01 parsed 1 programs
2018/05/08 03:25:01 executed programs: 0
[ 24.187743] IPVS: Creating netns size=2536 id=1
[ 29.633095] INFO: trying to register non-static key.
[ 29.638221] the code is fine but needs lockdep annotation.
[ 29.643817] turning off the locking correctness validator.
[ 29.649415] CPU: 0 PID: 3836 Comm: syz-executor0 Not tainted 4.9.98-ga03d0bb #21
[ 29.657093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.666423]  ffff8801d8c4f750 ffffffff81eb0e89 0000000000000000 ffffffff85b2d700
[ 29.674417]  ffff8801d977c9a0 ffffffff855823e0 0000000000000000 ffff8801d8c4f7d0
[ 29.682396]  ffffffff81230b40 000000000000377a ffff8801c62c38e0 ffff8801c62c38b8
[ 29.690402] Call Trace:
[ 29.692964]  [] dump_stack+0xc1/0x128
[ 29.698316]  [] register_lock_class+0x1460/0x1470
[ 29.704955]  [] __lock_acquire+0x169/0x4070
[ 29.710983]  [] ? lock_is_held+0x140/0x140
[ 29.716756]  [] ? check_preemption_disabled+0x3b/0x170
[ 29.723666]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 29.730664]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 29.736957]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 29.743781]  [] ? _raw_spin_unlock_irq+0x38/0x50
[ 29.750085]  [] ? finish_task_switch+0x1ed/0x640
[ 29.756464]  [] ? finish_task_switch+0x1c1/0x640
[ 29.762758]  [] ? __schedule+0x61f/0x1bd0
[ 29.768536]  [] lock_acquire+0x130/0x3e0
[ 29.774142]  [] ? tun_do_read.part.42+0x74d/0x1250
[ 29.780623]  [] _raw_spin_lock+0x36/0x50
[ 29.786844]  [] ? tun_do_read.part.42+0x74d/0x1250
[ 29.793316]  [] tun_do_read.part.42+0x74d/0x1250
[ 29.799622]  [] ? tun_cleanup_tx_array.part.39+0x1f0/0x1f0
[ 29.806788]  [] ? get_futex_key+0x1090/0x1090
[ 29.813381]  [] ? mutex_unlock+0x9/0x10
[ 29.818900]  [] ? check_preemption_disabled+0x3b/0x170
[ 29.825728]  [] ? wake_up_q+0xe0/0xe0
[ 29.831070]  [] tun_chr_read_iter+0x161/0x1f0
[ 29.837105]  [] __vfs_read+0x3dd/0x570
[ 29.842530]  [] ? do_iter_readv_writev+0x4b0/0x4b0
[ 29.848995]  [] ? __fsnotify_update_child_dentry_flags.part.1+0x300/0x300
[ 29.857608]  [] ? fsnotify+0x1100/0x1100
[ 29.863208]  [] ? avc_policy_seqno+0x9/0x20
[ 29.869065]  [] ? selinux_file_permission+0x82/0x470
[ 29.875727]  [] ? rw_verify_area+0xe5/0x2b0
[ 29.881602]  [] vfs_read+0x120/0x380
[ 29.887026]  [] SyS_pread64+0x145/0x170
[ 29.892621]  [] ? SyS_write+0x1c0/0x1c0
[ 29.898217]  [] ? fput+0xd2/0x140
[ 29.903206]  [] sys32_pread+0x39/0x50
[ 29.908718]  [] ? sys32_waitpid+0x30/0x30
[ 29.914508]  [] do_fast_syscall_32+0x2f7/0x870
[ 29.920631]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.927367]  [] entry_SYSENTER_compat+0x90/0xa2
2018/05/08 03:25:07 executed programs: 6
2018/05/08 03:25:12 executed programs: 12
[ 37.181885] ==================================================================
[ 37.189278] BUG: KASAN: use-after-free in tun_do_read.part.42+0x1033/0x1250
[ 37.196375] Read of size 8 at addr ffff8801b5840000 by task syz-executor0/3880
[ 37.204010]
[ 37.205626] CPU: 1 PID: 3880 Comm: syz-executor0 Not tainted 4.9.98-ga03d0bb #21
[ 37.213450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.222780]  ffff8801ca677990 ffffffff81eb0e89 ffffea0006d61000 ffff8801b5840000
[ 37.230805]  0000000000000000 ffff8801b5840000 1ffff10036bc82d9 ffff8801ca6779c8
[ 37.238787]  ffffffff815652cb ffff8801b5840000 0000000000000008 0000000000000000
[ 37.246774] Call Trace:
[ 37.249343]  [] dump_stack+0xc1/0x128
[ 37.254680]  [] print_address_description+0x6c/0x234
[ 37.261320]  [] kasan_report.cold.6+0x242/0x2fe
[ 37.267540]  [] ? tun_do_read.part.42+0x1033/0x1250
[ 37.274104]  [] __asan_report_load8_noabort+0x14/0x20
[ 37.280837]  [] tun_do_read.part.42+0x1033/0x1250
[ 37.287219]  [] ? tun_cleanup_tx_array.part.39+0x1f0/0x1f0
[ 37.294381]  [] ? get_futex_key+0x1090/0x1090
[ 37.300416]  [] ? ___sys_sendmsg+0x2a0/0x840
[ 37.306368]  [] ? wake_up_q+0xe0/0xe0
[ 37.311709]  [] tun_chr_read_iter+0x161/0x1f0
[ 37.317746]  [] __vfs_read+0x3dd/0x570
[ 37.323175]  [] ? do_iter_readv_writev+0x4b0/0x4b0
[ 37.329658]  [] ? __fsnotify_update_child_dentry_flags.part.1+0x300/0x300
[ 37.338124]  [] ? fsnotify+0x1100/0x1100
[ 37.343726]  [] ? avc_policy_seqno+0x9/0x20
[ 37.349585]  [] ? selinux_file_permission+0x82/0x470
[ 37.356227]  [] ? rw_verify_area+0xe5/0x2b0
[ 37.362088]  [] vfs_read+0x120/0x380
[ 37.367340]  [] SyS_pread64+0x145/0x170
[ 37.372853]  [] ? SyS_write+0x1c0/0x1c0
[ 37.378718]  [] ? move_addr_to_kernel+0x50/0x50
[ 37.385105]  [] ? finish_task_switch+0x1c1/0x640
[ 37.391397]  [] sys32_pread+0x39/0x50
[ 37.396734]  [] ? sys32_waitpid+0x30/0x30
[ 37.402425]  [] do_fast_syscall_32+0x2f7/0x870
[ 37.408542]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.415196]  [] entry_SYSENTER_compat+0x90/0xa2
[ 37.421398]
[ 37.423017] Allocated by task 3872:
[ 37.426879]  save_stack_trace+0x16/0x20
[ 37.430825]  save_stack+0x43/0xd0
[ 37.434251]  kasan_kmalloc+0xc7/0xe0
[ 37.437938]  __kmalloc+0x11d/0x300
[ 37.441462]  tun_attach+0x63c/0xa70
[ 37.445061]  __tun_chr_ioctl+0x2663/0x3450
[ 37.449268]  tun_chr_compat_ioctl+0x29/0x30
[ 37.453577]  compat_SyS_ioctl+0x126/0x1fe0
[ 37.457808]  do_fast_syscall_32+0x2f7/0x870
[ 37.462102]  entry_SYSENTER_compat+0x90/0xa2
[ 37.466477]
[ 37.468078] Freed by task 3881:
[ 37.471344]  save_stack_trace+0x16/0x20
[ 37.475302]  save_stack+0x43/0xd0
[ 37.478738]  kasan_slab_free+0x72/0xc0
[ 37.482605]  kfree+0xfb/0x310
[ 37.485687]  tun_cleanup_tx_array.part.39+0x16f/0x1f0
[ 37.490864]  tun_detach_all+0x394/0x7e0
[ 37.494818]  tun_net_uninit+0x15/0x20
[ 37.498597]  rollback_registered_many+0x684/0x920
[ 37.503415]  unregister_netdevice_many.part.106+0x1b/0x110
[ 37.509035]  unregister_netdevice_many+0x39/0x50
[ 37.513765]  rtnl_delete_link+0xdc/0x130
[ 37.517896]  rtnl_dellink+0x1e7/0x670
[ 37.521668]  rtnetlink_rcv_msg+0x49c/0x650
[ 37.525894]  netlink_rcv_skb+0x145/0x370
[ 37.529929]  rtnetlink_rcv+0x2a/0x40
[ 37.533617]  netlink_unicast+0x4d8/0x6f0
[ 37.537650]  netlink_sendmsg+0x78b/0xc10
[ 37.541682]  sock_sendmsg+0xcc/0x110
[ 37.545369]  ___sys_sendmsg+0x6fc/0x840
[ 37.549316]  __sys_sendmsg+0xd9/0x190
[ 37.553092]  compat_SyS_sendmsg+0x2a/0x40
[ 37.557215]  do_fast_syscall_32+0x2f7/0x870
[ 37.561513]  entry_SYSENTER_compat+0x90/0xa2
[ 37.565892]
[ 37.567505] The buggy address belongs to the object at ffff8801b5840000
[ 37.567505]  which belongs to the cache kmalloc-4096 of size 4096
[ 37.580310] The buggy address is located 0 bytes inside of
[ 37.580310]  4096-byte region [ffff8801b5840000, ffff8801b5841000)
[ 37.592081] The buggy address belongs to the page:
[ 37.597003] page:ffffea0006d61000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 37.607197] flags: 0x8000000000004080(slab|head)
[ 37.611936] page dumped because: kasan: bad access detected
[ 37.617615]
[ 37.619221] Memory state around the buggy address:
[ 37.624122]  ffff8801b583ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.631456]  ffff8801b583ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.638790] >ffff8801b5840000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.646124]                    ^
[ 37.649466]  ffff8801b5840080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.656813]  ffff8801b5840100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.664154] ==================================================================
[ 37.671607] Kernel panic - not syncing: panic_on_warn set ...
[ 37.671607]
[ 37.678953] CPU: 1 PID: 3880 Comm: syz-executor0 Tainted: G B 4.9.98-ga03d0bb #21
[ 37.687676] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.697019]  ffff8801ca6778f0 ffffffff81eb0e89 ffffffff843c4fe5 00000000ffffffff
[ 37.705014]  0000000000000000 0000000000000001 1ffff10036bc82d9 ffff8801ca6779b0
[ 37.713006]  ffffffff8141f835 0000000041b58ab3 ffffffff843b86e8 ffffffff8141f676
[ 37.720997] Call Trace:
[ 37.723570]  [] dump_stack+0xc1/0x128
[ 37.728908]  [] panic+0x1bf/0x3bc
[ 37.733901]  [] ? add_taint.cold.6+0x16/0x16
[ 37.739848]  [] kasan_end_report+0x47/0x4f
[ 37.745619]  [] kasan_report.cold.6+0x76/0x2fe
[ 37.751741]  [] ? tun_do_read.part.42+0x1033/0x1250
[ 37.758299]  [] __asan_report_load8_noabort+0x14/0x20
[ 37.765033]  [] tun_do_read.part.42+0x1033/0x1250
[ 37.771433]  [] ? tun_cleanup_tx_array.part.39+0x1f0/0x1f0
[ 37.778605]  [] ? get_futex_key+0x1090/0x1090
[ 37.784644]  [] ? ___sys_sendmsg+0x2a0/0x840
[ 37.790594]  [] ? wake_up_q+0xe0/0xe0
[ 37.795943]  [] tun_chr_read_iter+0x161/0x1f0
[ 37.801987]  [] __vfs_read+0x3dd/0x570
[ 37.807849]  [] ? do_iter_readv_writev+0x4b0/0x4b0
[ 37.814841]  [] ? __fsnotify_update_child_dentry_flags.part.1+0x300/0x300
[ 37.823306]  [] ? fsnotify+0x1100/0x1100
[ 37.829665]  [] ? avc_policy_seqno+0x9/0x20
[ 37.835526]  [] ? selinux_file_permission+0x82/0x470
[ 37.842180]  [] ? rw_verify_area+0xe5/0x2b0
[ 37.848044]  [] vfs_read+0x120/0x380
[ 37.853380]  [] SyS_pread64+0x145/0x170
[ 37.858889]  [] ? SyS_write+0x1c0/0x1c0
[ 37.864403]  [] ? move_addr_to_kernel+0x50/0x50
[ 37.870887]  [] ? finish_task_switch+0x1c1/0x640
[ 37.878408]  [] sys32_pread+0x39/0x50
[ 37.883758]  [] ? sys32_waitpid+0x30/0x30
[ 37.889452]  [] do_fast_syscall_32+0x2f7/0x870
[ 37.895573]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.902228]  [] entry_SYSENTER_compat+0x90/0xa2
[ 37.909013] Dumping ftrace buffer:
[ 37.912531]    (ftrace buffer empty)
[ 37.916213] Kernel Offset: disabled
[ 37.919813] Rebooting in 86400 seconds..