[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   23.627702] random: sshd: uninitialized urandom read (32 bytes read)
[   24.639939] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.008290] random: sshd: uninitialized urandom read (32 bytes read)
[   25.564515] random: sshd: uninitialized urandom read (32 bytes read)
[   70.053206] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.30' (ECDSA) to the list of known hosts.
[   75.599286] random: sshd: uninitialized urandom read (32 bytes read)
2018/09/07 01:33:06 parsed 1 programs
[   77.209786] random: cc1: uninitialized urandom read (8 bytes read)
2018/09/07 01:33:09 executed programs: 0
[   78.585842] IPVS: ftp: loaded support on port[0] = 21
[   78.796006] bridge0: port 1(bridge_slave_0) entered blocking state
[   78.802518] bridge0: port 1(bridge_slave_0) entered disabled state
[   78.809769] device bridge_slave_0 entered promiscuous mode
[   78.826991] bridge0: port 2(bridge_slave_1) entered blocking state
[   78.833366] bridge0: port 2(bridge_slave_1) entered disabled state
[   78.840422] device bridge_slave_1 entered promiscuous mode
[   78.858051] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   78.874226] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   78.918765] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   78.937692] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   79.002297] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   79.010266] team0: Port device team_slave_0 added
[   79.025292] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   79.034053] team0: Port device team_slave_1 added
[   79.050506] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   79.067468] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   79.084057] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   79.101002] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   79.225725] bridge0: port 2(bridge_slave_1) entered blocking state
[   79.232294] bridge0: port 2(bridge_slave_1) entered forwarding state
[   79.239076] bridge0: port 1(bridge_slave_0) entered blocking state
[   79.245432] bridge0: port 1(bridge_slave_0) entered forwarding state
[   79.696004] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   79.702106] 8021q: adding VLAN 0 to HW filter on device bond0
[   79.748441] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   79.755711] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   79.802721] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   79.808951] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   79.816047] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   79.856410] 8021q: adding VLAN 0 to HW filter on device team0
[   80.154200] hrtimer: interrupt took 27322 ns
[   82.348603] ==================================================================
[   82.356209] BUG: KASAN: use-after-free in ucma_put_ctx+0x1d/0x60
[   82.362364] Write of size 4 at addr ffff8801d8bcaa98 by task syz-executor0/5505
[   82.369815]
[   82.371452] CPU: 1 PID: 5505 Comm: syz-executor0 Not tainted 4.19.0-rc2+ #128
[   82.378724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   82.388072] Call Trace:
[   82.390673]  dump_stack+0x1c9/0x2b4
[   82.394308]  ? dump_stack_print_info.cold.2+0x52/0x52
[   82.399588]  ? printk+0xa7/0xcf
[   82.402874]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   82.407638]  ? ucma_put_ctx+0x1d/0x60
[   82.411443]  print_address_description+0x6c/0x20b
[   82.416299]  ? ucma_put_ctx+0x1d/0x60
[   82.420111]  kasan_report.cold.7+0x242/0x30d
[   82.424525]  check_memory_region+0x13e/0x1b0
[   82.428945]  kasan_check_write+0x14/0x20
[   82.433016]  ucma_put_ctx+0x1d/0x60
[   82.436650]  ucma_resolve_ip+0x24d/0x2a0
[   82.440717]  ? ucma_query+0xb20/0xb20
[   82.444550]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   82.450090]  ? _copy_from_user+0xdf/0x150
[   82.454242]  ? ucma_query+0xb20/0xb20
[   82.458051]  ucma_write+0x336/0x420
[   82.461687]  ? ucma_close_id+0x60/0x60
[   82.465588]  __vfs_write+0x117/0x9d0
[   82.469311]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   82.474249]  ? ucma_close_id+0x60/0x60
[   82.478143]  ? kernel_read+0x120/0x120
[   82.482038]  ? apparmor_capget+0xfa0/0xfa0
[   82.486280]  ? fsnotify_first_mark+0x350/0x350
[   82.490870]  ? apparmor_file_permission+0x24/0x30
[   82.495719]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   82.501263]  ? security_file_permission+0x1c2/0x230
[   82.506287]  ? rw_verify_area+0x118/0x360
[   82.510442]  vfs_write+0x1fc/0x560
[   82.514000]  ksys_write+0x101/0x260
[   82.517642]  ? __ia32_sys_read+0xb0/0xb0
[   82.521707]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   82.526820]  __ia32_sys_write+0x71/0xb0
[   82.530801]  do_fast_syscall_32+0x34d/0xfb2
[   82.535128]  ? do_int80_syscall_32+0x890/0x890
[   82.539717]  ? entry_SYSENTER_compat+0x68/0x7f
[   82.544303]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[   82.549324]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   82.554170]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   82.559022]  ? trace_hardirqs_on_caller+0x2c0/0x2c0
[   82.564041]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   82.569058]  ? prepare_exit_to_usermode+0x291/0x3b0
[   82.574102]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   82.578963]  entry_SYSENTER_compat+0x70/0x7f
[   82.583374] RIP: 0023:0xf7f54ca9
[   82.586744] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   82.605680] RSP: 002b:00000000f7f2f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[   82.613402] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000240
[   82.620674] RDX: 0000000000000048 RSI: 0000000000000000 RDI: 0000000000000000
[   82.627950] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   82.635219] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   82.642490] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   82.649772]
[   82.651396] Allocated by task 5505:
[   82.655027]  save_stack+0x43/0xd0
[   82.658488]  kasan_kmalloc+0xc4/0xe0
[   82.662202]  kmem_cache_alloc_trace+0x152/0x730
[   82.666872]  ucma_alloc_ctx+0xd5/0x670
[   82.670758]  ucma_create_id+0x276/0x9d0
[   82.674736]  ucma_write+0x336/0x420
[   82.678364]  __vfs_write+0x117/0x9d0
[   82.682076]  vfs_write+0x1fc/0x560
[   82.685617]  ksys_write+0x101/0x260
[   82.689254]  __ia32_sys_write+0x71/0xb0
[   82.693230]  do_fast_syscall_32+0x34d/0xfb2
[   82.697555]  entry_SYSENTER_compat+0x70/0x7f
[   82.701959]
[   82.703584] Freed by task 5501:
[   82.706863]  save_stack+0x43/0xd0
[   82.710316]  __kasan_slab_free+0x11a/0x170
[   82.714549]  kasan_slab_free+0xe/0x10
[   82.718348]  kfree+0xd9/0x210
[   82.721452]  ucma_free_ctx+0x9e2/0xe20
[   82.725339]  ucma_close+0x10d/0x300
[   82.728964]  __fput+0x38a/0xa40
[   82.732242]  ____fput+0x15/0x20
[   82.735519]  task_work_run+0x1e8/0x2a0
[   82.739408]  exit_to_usermode_loop+0x318/0x380
[   82.743993]  do_fast_syscall_32+0xcd5/0xfb2
[   82.748315]  entry_SYSENTER_compat+0x70/0x7f
[   82.752713]
[   82.754341] The buggy address belongs to the object at ffff8801d8bcaa40
[   82.754341]  which belongs to the cache kmalloc-256 of size 256
[   82.766999] The buggy address is located 88 bytes inside of
[   82.766999]  256-byte region [ffff8801d8bcaa40, ffff8801d8bcab40)
[   82.778780] The buggy address belongs to the page:
[   82.784319] page:ffffea000762f280 count:1 mapcount:0 mapping:ffff8801dac007c0 index:0x0
[   82.792463] flags: 0x2fffc0000000100(slab)
[   82.796705] raw: 02fffc0000000100 ffffea0007620308 ffffea0007601188 ffff8801dac007c0
[   82.804602] raw: 0000000000000000 ffff8801d8bca040 000000010000000c 0000000000000000
[   82.812481] page dumped because: kasan: bad access detected
[   82.818185]
[   82.819807] Memory state around the buggy address:
[   82.824755]  ffff8801d8bca980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[   82.832117]  ffff8801d8bcaa00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   82.839482] >ffff8801d8bcaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   82.846835]                          ^
[   82.850987]  ffff8801d8bcab00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   82.858346]  ffff8801d8bcab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   82.865699] ==================================================================
[   82.873050] Disabling lock debugging due to kernel taint
[   82.878734] Kernel panic - not syncing: panic_on_warn set ...
[   82.878734]
[   82.886114] CPU: 1 PID: 5505 Comm: syz-executor0 Tainted: G    B             4.19.0-rc2+ #128
[   82.894768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   82.904104] Call Trace:
[   82.906703]  dump_stack+0x1c9/0x2b4
[   82.910322]  ? dump_stack_print_info.cold.2+0x52/0x52
[   82.915513]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   82.920253]  panic+0x238/0x4e7
[   82.923433]  ? add_taint.cold.5+0x16/0x16
[   82.927567]  ? trace_hardirqs_on+0x9a/0x2c0
[   82.931869]  ? trace_hardirqs_on+0xb4/0x2c0
[   82.936181]  ? trace_hardirqs_on+0xb4/0x2c0
[   82.940496]  ? trace_hardirqs_on+0x9a/0x2c0
[   82.944821]  ? ucma_put_ctx+0x1d/0x60
[   82.948624]  kasan_end_report+0x47/0x4f
[   82.952581]  kasan_report.cold.7+0x76/0x30d
[   82.956888]  check_memory_region+0x13e/0x1b0
[   82.961281]  kasan_check_write+0x14/0x20
[   82.965329]  ucma_put_ctx+0x1d/0x60
[   82.968949]  ucma_resolve_ip+0x24d/0x2a0
[   82.972998]  ? ucma_query+0xb20/0xb20
[   82.976788]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   82.982322]  ? _copy_from_user+0xdf/0x150
[   82.986453]  ? ucma_query+0xb20/0xb20
[   82.990240]  ucma_write+0x336/0x420
[   82.993854]  ? ucma_close_id+0x60/0x60
[   82.997730]  __vfs_write+0x117/0x9d0
[   83.001431]  ? debug_lockdep_rcu_enabled+0x77/0x90
[   83.006346]  ? ucma_close_id+0x60/0x60
[   83.010228]  ? kernel_read+0x120/0x120
[   83.014103]  ? apparmor_capget+0xfa0/0xfa0
[   83.018324]  ? fsnotify_first_mark+0x350/0x350
[   83.022906]  ? apparmor_file_permission+0x24/0x30
[   83.027744]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   83.033266]  ? security_file_permission+0x1c2/0x230
[   83.038268]  ? rw_verify_area+0x118/0x360
[   83.042401]  vfs_write+0x1fc/0x560
[   83.045927]  ksys_write+0x101/0x260
[   83.049546]  ? __ia32_sys_read+0xb0/0xb0
[   83.053591]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   83.058679]  __ia32_sys_write+0x71/0xb0
[   83.062640]  do_fast_syscall_32+0x34d/0xfb2
[   83.066951]  ? do_int80_syscall_32+0x890/0x890
[   83.071522]  ? entry_SYSENTER_compat+0x68/0x7f
[   83.076087]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[   83.081087]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   83.085911]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   83.090750]  ? trace_hardirqs_on_caller+0x2c0/0x2c0
[   83.095776]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   83.100794]  ? prepare_exit_to_usermode+0x291/0x3b0
[   83.105795]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   83.110623]  entry_SYSENTER_compat+0x70/0x7f
[   83.115013] RIP: 0023:0xf7f54ca9
[   83.118368] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   83.137252] RSP: 002b:00000000f7f2f0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000004
[   83.144951] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000240
[   83.152211] RDX: 0000000000000048 RSI: 0000000000000000 RDI: 0000000000000000
[   83.159466] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   83.166738] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   83.173990] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   83.181592] Dumping ftrace buffer:
[   83.185125]    (ftrace buffer empty)
[   83.188814] Kernel Offset: disabled
[   83.192421] Rebooting in 86400 seconds..
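As an added triage aid (my code, not part of syzkaller or the kernel), a parser for the KASAN report format printed above. It pulls the bug class, faulting symbol, access type and size, the accessing/allocating/freeing task PIDs, the slab cache and in-object offset, and the three stacks out of the raw console lines, discards the unreliable `? sym` frames that come from stack scanning, skips the allocator/KASAN plumbing to name the driver frame that owns the object (here ucma_alloc_ctx and ucma_free_ctx), and flags that the free came from a different task than the allocation (5501 vs 5505). SAMPLE is transcribed from a subset of the lines above; the field and function names are my own.

```python
"""Parse a KASAN report from a syzkaller console log into triage fields.  Added
example, not syzkaller or kernel code; SAMPLE is transcribed from the report above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[   82.356209] " prefix
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+0x")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+ by task \S+/(?P<pid>\d+)")
_ALLOC = re.compile(r"Allocated by task (?P<pid>\d+):")
_FREE = re.compile(r"Freed by task (?P<pid>\d+):")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"located (?P<off>\d+) bytes (?:inside of|to the (?:left|right) of)")
_FRAME = re.compile(r"^\s*(?P<stale>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
_INFRA = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    kind: Optional[str] = None          # e.g. "use-after-free"
    symbol: Optional[str] = None        # function that performed the bad access
    access: Optional[str] = None        # "Read" or "Write"
    access_size: Optional[int] = None
    pid: Optional[int] = None           # task that performed the access
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    cache: Optional[str] = None
    object_size: Optional[int] = None
    offset: Optional[int] = None        # distance in bytes between object start and access
    trace: List[str] = field(default_factory=list)
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)

    @staticmethod
    def owner_frame(stack: List[str]) -> Optional[str]:
        """First frame past allocator/KASAN plumbing (_INFRA): the code that owns the object."""
        return next((s for s in stack if not s.startswith(_INFRA)), None)

    def cross_task_free(self) -> bool:
        # A UAF whose free came from another task is a lifetime/race bug, not a local one.
        return (self.kind == "use-after-free" and None not in (self.alloc_pid, self.free_pid)
                and self.alloc_pid != self.free_pid)


def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None   # section: the list currently receiving frames
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        if line.strip() == "Call Trace:":
            section = rep.trace if not rep.trace else None  # the panic repeats it; keep the first
            continue
        if m := _ALLOC.search(line):
            rep.alloc_pid, section = int(m["pid"]), rep.alloc_stack
            continue
        if m := _FREE.search(line):
            rep.free_pid, section = int(m["pid"]), rep.free_stack
            continue
        if (m := _FRAME.match(line)) and section is not None:
            if not m["stale"]:           # "? sym" frames are stack-scan guesses: drop them
                section.append(m["sym"])
            continue
        section = None                   # any other line closes the current stack
        if m := _BUG.search(line):
            rep.kind, rep.symbol = m["kind"], m["sym"]
        elif m := _ACCESS.search(line):
            rep.access, rep.access_size, rep.pid = m["rw"], int(m["size"]), int(m["pid"])
        elif m := _CACHE.search(line):
            rep.cache, rep.object_size = m["cache"], int(m["size"])
        elif m := _OFFSET.search(line):
            rep.offset = int(m["off"])
    return rep


def triage_title(rep: KasanReport) -> str:
    """Bug-tracker style title: fault site, plus who allocated and freed the object."""
    who = f" (from {rep.owner_frame(rep.alloc_stack)}, freed in {rep.owner_frame(rep.free_stack)}"
    who += ", by a different task)" if rep.cross_task_free() else ")"
    return f"KASAN: {rep.kind} {rep.access} in {rep.symbol}" + (who if rep.free_stack else "")


SAMPLE = """\
[   82.356209] BUG: KASAN: use-after-free in ucma_put_ctx+0x1d/0x60
[   82.362364] Write of size 4 at addr ffff8801d8bcaa98 by task syz-executor0/5505
[   82.388072] Call Trace:
[   82.394308]  ? dump_stack_print_info.cold.2+0x52/0x52
[   82.433016]  ucma_put_ctx+0x1d/0x60
[   82.436650]  ucma_resolve_ip+0x24d/0x2a0
[   82.651396] Allocated by task 5505:
[   82.655027]  save_stack+0x43/0xd0
[   82.666872]  ucma_alloc_ctx+0xd5/0x670
[   82.703584] Freed by task 5501:
[   82.710316]  __kasan_slab_free+0x11a/0x170
[   82.721452]  ucma_free_ctx+0x9e2/0xe20
[   82.754341]  which belongs to the cache kmalloc-256 of size 256
[   82.766999] The buggy address is located 88 bytes inside of
[   82.904104] Call Trace:
[   82.920253]  panic+0x238/0x4e7
"""

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(triage_title(r), f"| {r.access} of {r.access_size} bytes at +{r.offset} into {r.cache}")
```

Feed it the whole console log rather than SAMPLE and the result is the same title, because the parser keeps only the first Call Trace (the panic's copy is identical) and ignores everything that is not a report header or a stack frame. The owner-frame heuristic is deliberately crude: it only strips the allocator and KASAN prefixes listed in _INFRA, so for a driver that wraps kmalloc in its own helper the named frame is that helper, which is usually what you want in a bug title anyway.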