[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 18.957715] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 20.193008] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.418268] random: sshd: uninitialized urandom read (32 bytes read) [ 21.165726] random: sshd: uninitialized urandom read (32 bytes read) [ 26.602802] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts. [ 32.060248] random: sshd: uninitialized urandom read (32 bytes read) executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 32.198846] ================================================================== [ 32.206337] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe7/0xf3 [ 32.213346] Read of size 8 at addr ffff8801aca794e0 by task syz-executor589/4566 [ 32.220865] [ 32.222484] CPU: 0 PID: 4566 Comm: syz-executor589 Not tainted 4.17.0-rc6+ #61 [ 32.229820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.239153] Call Trace: [ 32.241732] dump_stack+0x1b9/0x294 [ 32.245343] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.250517] ? printk+0x9e/0xba [ 32.253779] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.258519] ? kasan_check_write+0x14/0x20 [ 32.262736] print_address_description+0x6c/0x20b [ 32.267559] ? __list_del_entry_valid+0xe7/0xf3 [ 32.272210] kasan_report.cold.7+0x242/0x2fe [ 32.276602] __asan_report_load8_noabort+0x14/0x20 [ 32.281510] __list_del_entry_valid+0xe7/0xf3 [ 32.285988] cma_cancel_operation+0x457/0xe90 [ 32.290464] ? finish_task_switch+0x28b/0x840 [ 32.294940] ? find_held_lock+0x36/0x1c0 [ 32.298981] ? rdma_destroy_id+0xe50/0xe50 [ 32.303197] ? lock_downgrade+0x8e0/0x8e0 [ 32.307328] ? kasan_check_read+0x11/0x20 [ 32.311460] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.315847] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 32.320410] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 32.325495] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.330505] rdma_destroy_id+0xff/0xe50 [ 32.334462] ? cma_release_dev+0x370/0x370 [ 32.338683] ? radix_tree_delete_item+0x14d/0x2d0 [ 32.343510] ? rcu_is_watching+0x85/0x140 [ 32.347638] ? radix_tree_lookup+0x30/0x30 [ 32.351865] ucma_close+0x100/0x300 [ 32.355476] ? ucma_free_ctx+0xdf0/0xdf0 [ 32.359522] __fput+0x34d/0x890 [ 32.362784] ? fput+0x1a0/0x1a0 [ 32.366044] ? check_same_owner+0x320/0x320 [ 32.370343] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.374823] ____fput+0x15/0x20 [ 32.378084] task_work_run+0x1e4/0x290 [ 32.381952] ? task_work_cancel+0x240/0x240 [ 32.386256] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.391773] ? switch_task_namespaces+0xa2/0xd0 [ 32.396423] do_exit+0x1aee/0x2730 [ 32.399946] ? plist_add+0x770/0x770 [ 32.403649] ? mm_update_next_owner+0x980/0x980 [ 32.408300] ? print_usage_bug+0xc0/0xc0 [ 32.412341] ? graph_lock+0x170/0x170 [ 32.416121] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.420518] ? rcu_note_context_switch+0x710/0x710 [ 32.425427] ? lock_acquire+0x1dc/0x520 [ 32.429384] ? __might_sleep+0x95/0x190 [ 32.433340] ? __lock_acquire+0x7f5/0x5140 [ 32.437559] ? debug_check_no_locks_freed+0x310/0x310 [ 32.442731] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.447121] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 32.451689] ? kasan_check_write+0x14/0x20 [ 32.455906] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 32.461078] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.466600] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 32.471685] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.477203] ? futex_wait+0x5c1/0x9f0 [ 32.480994] ? futex_wait_setup+0x400/0x400 [ 32.485298] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 32.490469] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.495985] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 32.501066] ? futex_wake+0x2f6/0x750 [ 32.504847] ? graph_lock+0x170/0x170 [ 32.508632] ? memset+0x31/0x40 [ 32.511893] ? find_held_lock+0x36/0x1c0 [ 32.515937] ? lock_downgrade+0x8e0/0x8e0 [ 32.520069] do_group_exit+0x16f/0x430 [ 32.523937] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 32.528498] ? __ia32_sys_exit+0x50/0x50 [ 32.532539] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.537015] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.542013] get_signal+0x886/0x1960 [ 32.545709] ? ptrace_notify+0x130/0x130 [ 32.549752] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.555272] ? _copy_from_user+0xdf/0x150 [ 32.559413] ? ucma_notify+0x200/0x200 [ 32.563285] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.568800] ? ucma_write+0x128/0x410 [ 32.572584] ? ucma_close_id+0x60/0x60 [ 32.576457] do_signal+0x98/0x2040 [ 32.579980] ? __vfs_write+0x113/0x960 [ 32.583848] ? __fget_light+0x2ef/0x430 [ 32.587802] ? ucma_close_id+0x60/0x60 [ 32.591667] ? kernel_read+0x120/0x120 [ 32.595534] ? setup_sigcontext+0x7d0/0x7d0 [ 32.599836] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.605352] ? fsnotify+0x415/0xfc0 [ 32.608959] ? fsnotify+0xfc0/0xfc0 [ 32.612567] ? fsnotify_first_mark+0x330/0x330 [ 32.617140] ? exit_to_usermode_loop+0x87/0x310 [ 32.621794] exit_to_usermode_loop+0x28a/0x310 [ 32.626359] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 32.631181] ? do_syscall_64+0x92/0x800 [ 32.635137] do_syscall_64+0x6ac/0x800 [ 32.639003] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.643912] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.649405] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.654753] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.659580] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.664748] RIP: 0033:0x445dc9 [ 32.667918] RSP: 002b:00007fc7a40a9da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 32.675606] RAX: fffffffffffffe00 RBX: 00000000006dbc3c RCX: 0000000000445dc9 [ 32.682852] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dbc3c [ 32.690103] RBP: 00000000006dbc38 R08: 0000000000000000 R09: 0000000000000000 [ 32.697352] R10: 0000000000000000 R11: 0000000000000246 R12: 006d635f616d6472 [ 32.704603] R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0000000000000005 [ 32.711854] [ 32.713464] Allocated by task 4563: [ 32.717082] save_stack+0x43/0xd0 [ 32.720513] kasan_kmalloc+0xc4/0xe0 [ 32.724204] kmem_cache_alloc_trace+0x152/0x780 [ 32.728853] __rdma_create_id+0xd7/0x710 [ 32.732892] ucma_create_id+0x385/0x9b0 [ 32.736845] ucma_write+0x328/0x410 [ 32.740452] __vfs_write+0x10b/0x960 [ 32.744143] vfs_write+0x1f8/0x560 [ 32.747660] ksys_write+0xf9/0x250 [ 32.751176] __x64_sys_write+0x73/0xb0 [ 32.755046] do_syscall_64+0x1b1/0x800 [ 32.758916] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.764078] [ 32.765685] Freed by task 4566: [ 32.768945] save_stack+0x43/0xd0 [ 32.772378] __kasan_slab_free+0x11a/0x170 [ 32.776591] kasan_slab_free+0xe/0x10 [ 32.780378] kfree+0xd9/0x260 [ 32.783466] rdma_destroy_id+0x8c5/0xe50 [ 32.787508] ucma_close+0x100/0x300 [ 32.791117] __fput+0x34d/0x890 [ 32.794375] ____fput+0x15/0x20 [ 32.797634] task_work_run+0x1e4/0x290 [ 32.801503] do_exit+0x1aee/0x2730 [ 32.805020] do_group_exit+0x16f/0x430 [ 32.808887] get_signal+0x886/0x1960 [ 32.812584] do_signal+0x98/0x2040 [ 32.816108] exit_to_usermode_loop+0x28a/0x310 [ 32.820670] do_syscall_64+0x6ac/0x800 [ 32.824540] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.829704] [ 32.831312] The buggy address belongs to the object at ffff8801aca79300 [ 32.831312] which belongs to the cache kmalloc-2048 of size 2048 [ 32.844121] The buggy address is located 480 bytes inside of [ 32.844121] 2048-byte region [ffff8801aca79300, ffff8801aca79b00) [ 32.856067] The buggy address belongs to the page: [ 32.860988] page:ffffea0006b29e00 count:1 mapcount:0 mapping:ffff8801aca78200 index:0x0 compound_mapcount: 0 [ 32.870938] flags: 0x2fffc0000008100(slab|head) [ 32.875603] raw: 02fffc0000008100 ffff8801aca78200 0000000000000000 0000000100000003 [ 32.883467] raw: ffffea0006b29220 ffff8801da801948 ffff8801da800c40 0000000000000000 [ 32.891326] page dumped because: kasan: bad access detected [ 32.897011] [ 32.898614] Memory state around the buggy address: [ 32.903520] ffff8801aca79380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.910856] ffff8801aca79400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.918193] >ffff8801aca79480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.925527] ^ [ 32.931995] ffff8801aca79500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.939332] ffff8801aca79580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.946752] ================================================================== [ 32.954096] Disabling lock debugging due to kernel taint [ 32.959661] Kernel panic - not syncing: panic_on_warn set ... [ 32.959661] [ 32.967013] CPU: 0 PID: 4566 Comm: syz-executor589 Tainted: G B 4.17.0-rc6+ #61 [ 32.975738] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.985070] Call Trace: [ 32.987642] dump_stack+0x1b9/0x294 [ 32.991250] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.996422] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 33.001161] ? __list_del_entry_valid+0xe0/0xf3 [ 33.005813] panic+0x22f/0x4de [ 33.008981] ? add_taint.cold.5+0x16/0x16 [ 33.013121] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.017511] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.021898] ? __list_del_entry_valid+0xe7/0xf3 [ 33.026551] kasan_end_report+0x47/0x4f [ 33.030506] kasan_report.cold.7+0x76/0x2fe [ 33.034816] __asan_report_load8_noabort+0x14/0x20 [ 33.039737] __list_del_entry_valid+0xe7/0xf3 [ 33.044213] cma_cancel_operation+0x457/0xe90 [ 33.048688] ? finish_task_switch+0x28b/0x840 [ 33.053164] ? find_held_lock+0x36/0x1c0 [ 33.057202] ? rdma_destroy_id+0xe50/0xe50 [ 33.061413] ? lock_downgrade+0x8e0/0x8e0 [ 33.065547] ? kasan_check_read+0x11/0x20 [ 33.069691] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.074077] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 33.078642] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 33.083725] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.088725] rdma_destroy_id+0xff/0xe50 [ 33.092680] ? cma_release_dev+0x370/0x370 [ 33.096895] ? radix_tree_delete_item+0x14d/0x2d0 [ 33.101716] ? rcu_is_watching+0x85/0x140 [ 33.105843] ? radix_tree_lookup+0x30/0x30 [ 33.110058] ucma_close+0x100/0x300 [ 33.113664] ? ucma_free_ctx+0xdf0/0xdf0 [ 33.117704] __fput+0x34d/0x890 [ 33.120960] ? fput+0x1a0/0x1a0 [ 33.124220] ? check_same_owner+0x320/0x320 [ 33.128516] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.132987] ____fput+0x15/0x20 [ 33.136244] task_work_run+0x1e4/0x290 [ 33.140109] ? task_work_cancel+0x240/0x240 [ 33.144411] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.149929] ? switch_task_namespaces+0xa2/0xd0 [ 33.154581] do_exit+0x1aee/0x2730 [ 33.158101] ? plist_add+0x770/0x770 [ 33.161800] ? mm_update_next_owner+0x980/0x980 [ 33.166445] ? print_usage_bug+0xc0/0xc0 [ 33.170484] ? graph_lock+0x170/0x170 [ 33.174261] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.178658] ? rcu_note_context_switch+0x710/0x710 [ 33.183566] ? lock_acquire+0x1dc/0x520 [ 33.187517] ? __might_sleep+0x95/0x190 [ 33.191469] ? __lock_acquire+0x7f5/0x5140 [ 33.195685] ? debug_check_no_locks_freed+0x310/0x310 [ 33.200851] ? do_raw_spin_unlock+0x9e/0x2e0 [ 33.205236] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 33.209808] ? kasan_check_write+0x14/0x20 [ 33.214034] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 33.219200] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.224717] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 33.229798] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.235313] ? futex_wait+0x5c1/0x9f0 [ 33.239104] ? futex_wait_setup+0x400/0x400 [ 33.243406] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 33.248576] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 33.254093] ? drop_futex_key_refs.isra.13+0x6d/0xe0 [ 33.259183] ? futex_wake+0x2f6/0x750 [ 33.262961] ? graph_lock+0x170/0x170 [ 33.266748] ? memset+0x31/0x40 [ 33.270008] ? find_held_lock+0x36/0x1c0 [ 33.274048] ? lock_downgrade+0x8e0/0x8e0 [ 33.278189] do_group_exit+0x16f/0x430 [ 33.282055] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 33.286613] ? __ia32_sys_exit+0x50/0x50 [ 33.290652] ? _raw_spin_unlock_irq+0x27/0x70 [ 33.295123] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.300120] get_signal+0x886/0x1960 [ 33.303813] ? ptrace_notify+0x130/0x130 [ 33.307857] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.313372] ? _copy_from_user+0xdf/0x150 [ 33.317501] ? ucma_notify+0x200/0x200 [ 33.321367] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.326891] ? ucma_write+0x128/0x410 [ 33.330670] ? ucma_close_id+0x60/0x60 [ 33.334538] do_signal+0x98/0x2040 [ 33.338059] ? __vfs_write+0x113/0x960 [ 33.341925] ? __fget_light+0x2ef/0x430 [ 33.345875] ? ucma_close_id+0x60/0x60 [ 33.349739] ? kernel_read+0x120/0x120 [ 33.353604] ? setup_sigcontext+0x7d0/0x7d0 [ 33.357916] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.363430] ? fsnotify+0x415/0xfc0 [ 33.367034] ? fsnotify+0xfc0/0xfc0 [ 33.370640] ? fsnotify_first_mark+0x330/0x330 [ 33.375205] ? exit_to_usermode_loop+0x87/0x310 [ 33.379852] exit_to_usermode_loop+0x28a/0x310 [ 33.384416] ? syscall_slow_exit_work+0x4f0/0x4f0 [ 33.389235] ? do_syscall_64+0x92/0x800 [ 33.393188] do_syscall_64+0x6ac/0x800 [ 33.397065] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.401971] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.406881] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 33.412222] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.417041] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.422207] RIP: 0033:0x445dc9 [ 33.425372] RSP: 002b:00007fc7a40a9da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 33.433057] RAX: fffffffffffffe00 RBX: 00000000006dbc3c RCX: 0000000000445dc9 [ 33.440306] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dbc3c [ 33.447552] RBP: 00000000006dbc38 R08: 0000000000000000 R09: 0000000000000000 [ 33.454802] R10: 0000000000000000 R11: 0000000000000246 R12: 006d635f616d6472 [ 33.462047] R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 0000000000000005 [ 33.469724] Dumping ftrace buffer: [ 33.473239] (ftrace buffer empty) [ 33.476942] Kernel Offset: disabled [ 33.480547] Rebooting in 86400 seconds..