[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.625390] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 25.274312] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.600209] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.440439] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.586759] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
[ 32.068634] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/11 13:31:27 parsed 1 programs
[ 33.774395] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/11 13:31:29 executed programs: 0
[ 34.913502] IPVS: ftp: loaded support on port[0] = 21
[ 35.093622] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.100079] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.107319] device bridge_slave_0 entered promiscuous mode
[ 35.122866] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.129223] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.136460] device bridge_slave_1 entered promiscuous mode
[ 35.150771] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 35.165882] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 35.203630] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 35.220523] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 35.279016] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 35.286419] team0: Port device team_slave_0 added
[ 35.300604] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 35.307659] team0: Port device team_slave_1 added
[ 35.321694] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 35.338667] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 35.354643] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 35.371190] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 35.478739] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.485180] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.492084] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.498442] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.875752] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 35.881988] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.922485] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 35.962267] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 35.969943] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.005834] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.011940] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.041290] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
2018/07/11 13:31:36 executed programs: 2
2018/07/11 13:31:43 executed programs: 4
[ 48.281544] ==================================================================
[ 48.288964] BUG: KASAN: use-after-free in __lock_acquire+0x3829/0x5020
[ 48.295629] Read of size 8 at addr ffff8801caca8b58 by task kworker/0:4/4587
[ 48.302802]
[ 48.304434] CPU: 0 PID: 4587 Comm: kworker/0:4 Not tainted 4.18.0-rc4+ #44
[ 48.311440] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.320783] Workqueue: events p9_poll_workfn
[ 48.325180] Call Trace:
[ 48.327757]  dump_stack+0x1c9/0x2b4
[ 48.331372]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 48.336540]  ? printk+0xa7/0xcf
[ 48.339797]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 48.344533]  ? __lock_acquire+0x3829/0x5020
[ 48.348835]  print_address_description+0x6c/0x20b
[ 48.353660]  ? __lock_acquire+0x3829/0x5020
[ 48.357960]  kasan_report.cold.7+0x242/0x2fe
[ 48.362347]  __asan_report_load8_noabort+0x14/0x20
[ 48.367255]  __lock_acquire+0x3829/0x5020
[ 48.371385]  ? lock_downgrade+0x8f0/0x8f0
[ 48.375520]  ? trace_hardirqs_on+0x10/0x10
[ 48.379734]  ? __free_pages+0x149/0x190
[ 48.383687]  ? free_unref_page+0x9a0/0x9a0
[ 48.387901]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.392896]  ? trace_hardirqs_on+0xd/0x10
[ 48.397032]  ? account_kernel_stack+0x2bd/0x410
[ 48.401690]  ? trace_hardirqs_on+0xd/0x10
[ 48.405817]  ? put_task_stack+0x188/0x2c0
[ 48.409957]  ? kasan_check_write+0x14/0x20
[ 48.414171]  ? finish_task_switch+0x5e7/0x870
[ 48.418644]  ? preempt_notifier_register+0x200/0x200
[ 48.423726]  ? lock_repin_lock+0x430/0x430
[ 48.427941]  ? __schedule+0x884/0x1ed0
[ 48.431806]  ? graph_lock+0x170/0x170
[ 48.435585]  ? __sched_text_start+0x8/0x8
[ 48.439713]  lock_acquire+0x1e4/0x540
[ 48.443496]  ? ep_scan_ready_list+0xb77/0xf50
[ 48.447969]  ? lock_release+0xa30/0xa30
[ 48.451920]  ? check_same_owner+0x340/0x340
[ 48.456224]  ? ep_scan_ready_list+0xb77/0xf50
[ 48.460699]  __mutex_lock+0x176/0x1820
[ 48.464580]  ? ep_scan_ready_list+0xb77/0xf50
[ 48.469066]  ? graph_lock+0x170/0x170
[ 48.472847]  ? trace_hardirqs_off+0xd/0x10
[ 48.477061]  ? ep_scan_ready_list+0xb77/0xf50
[ 48.481545]  ? p9_pollwake+0x16d/0x300
[ 48.485413]  ? mutex_trylock+0x2b0/0x2b0
[ 48.489452]  ? print_usage_bug+0xc0/0xc0
[ 48.493495]  ? lock_downgrade+0x8f0/0x8f0
[ 48.497622]  ? mark_held_locks+0xc9/0x160
[ 48.501748]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 48.506312]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 48.511393]  ? print_usage_bug+0xc0/0xc0
[ 48.515450]  ? trace_hardirqs_on+0xd/0x10
[ 48.519589]  ? ep_call_nested.constprop.19+0x468/0x580
[ 48.524843]  ? retint_kernel+0x10/0x10
[ 48.528711]  ? ep_show_fdinfo+0x360/0x360
[ 48.532845]  ? ep_ptable_queue_proc+0x520/0x520
[ 48.537492]  ? __lock_acquire+0x7fc/0x5020
[ 48.541708]  ? ep_item_poll.isra.14+0x400/0x400
[ 48.546364]  mutex_lock_nested+0x16/0x20
[ 48.550403]  ? mutex_lock_nested+0x16/0x20
[ 48.554627]  ep_scan_ready_list+0xb77/0xf50
[ 48.558930]  ? ep_poll_callback+0x10f0/0x10f0
[ 48.563421]  ? print_usage_bug+0xc0/0xc0
[ 48.567470]  ? print_usage_bug+0xc0/0xc0
[ 48.571510]  ? kasan_check_read+0x11/0x20
[ 48.575636]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 48.580043]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 48.584610]  ? print_usage_bug+0xc0/0xc0
[ 48.588661]  ? print_usage_bug+0xc0/0xc0
[ 48.592705]  ? graph_lock+0x170/0x170
[ 48.596483]  ? mark_held_locks+0xc9/0x160
[ 48.600612]  ? retint_kernel+0x10/0x10
[ 48.604485]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.609479]  ? print_usage_bug+0xc0/0xc0
[ 48.613522]  ep_eventpoll_poll+0x192/0x200
[ 48.617734]  ? mounts_poll+0x1f9/0x290
[ 48.621600]  ? ep_scan_ready_list+0xf50/0xf50
[ 48.626073]  ? mark_held_locks+0xc9/0x160
[ 48.630201]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 48.635281]  ? ep_scan_ready_list+0xf50/0xf50
[ 48.639755]  p9_fd_poll+0x1ce/0x2b0
[ 48.643360]  p9_poll_workfn+0x463/0x6d0
[ 48.647320]  ? p9_read_work+0x1060/0x1060
[ 48.651446]  ? graph_lock+0x170/0x170
[ 48.655225]  ? lock_acquire+0x1e4/0x540
[ 48.659182]  ? process_one_work+0xb9b/0x1ba0
[ 48.663568]  ? kasan_check_read+0x11/0x20
[ 48.667705]  ? __lock_is_held+0xb5/0x140
[ 48.671746]  process_one_work+0xc73/0x1ba0
[ 48.675960]  ? trace_hardirqs_on+0x10/0x10
[ 48.680180]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 48.684834]  ? lock_repin_lock+0x430/0x430
[ 48.689058]  ? __sched_text_start+0x8/0x8
[ 48.693201]  ? lock_downgrade+0x8f0/0x8f0
[ 48.697342]  ? graph_lock+0x170/0x170
[ 48.701135]  ? lock_acquire+0x1e4/0x540
[ 48.705095]  ? worker_thread+0x3dc/0x13c0
[ 48.709222]  ? lock_downgrade+0x8f0/0x8f0
[ 48.713351]  ? lock_release+0xa30/0xa30
[ 48.717306]  ? kasan_check_read+0x11/0x20
[ 48.721433]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 48.725820]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 48.730382]  ? kasan_check_write+0x14/0x20
[ 48.734595]  ? do_raw_spin_lock+0xc1/0x200
[ 48.738819]  worker_thread+0x189/0x13c0
[ 48.742774]  ? process_one_work+0x1ba0/0x1ba0
[ 48.747248]  ? graph_lock+0x170/0x170
[ 48.751035]  ? graph_lock+0x170/0x170
[ 48.754818]  ? find_held_lock+0x36/0x1c0
[ 48.758859]  ? find_held_lock+0x36/0x1c0
[ 48.762900]  ? lock_downgrade+0x8f0/0x8f0
[ 48.767035]  ? kasan_check_read+0x11/0x20
[ 48.771164]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 48.775553]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 48.780631]  ? __kthread_parkme+0x58/0x1b0
[ 48.784844]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 48.789838]  ? trace_hardirqs_on+0xd/0x10
[ 48.793966]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 48.799481]  ? __kthread_parkme+0x106/0x1b0
[ 48.803782]  kthread+0x345/0x410
[ 48.807127]  ? process_one_work+0x1ba0/0x1ba0
[ 48.811598]  ? kthread_bind+0x40/0x40
[ 48.815378]  ret_from_fork+0x3a/0x50
[ 48.819077]
[ 48.820688] Allocated by task 4798:
[ 48.824293]  save_stack+0x43/0xd0
[ 48.827728]  kasan_kmalloc+0xc4/0xe0
[ 48.831419]  kmem_cache_alloc_trace+0x152/0x780
[ 48.836075]  do_epoll_create+0x170/0x5c0
[ 48.840115]  __ia32_sys_epoll_create1+0x31/0x40
[ 48.844761]  do_fast_syscall_32+0x34d/0xfb2
[ 48.849057]  entry_SYSENTER_compat+0x70/0x7f
[ 48.853448]
[ 48.855053] Freed by task 4798:
[ 48.858313]  save_stack+0x43/0xd0
[ 48.861744]  __kasan_slab_free+0x11a/0x170
[ 48.865962]  kasan_slab_free+0xe/0x10
[ 48.869739]  kfree+0xd9/0x260
[ 48.872822]  ep_free+0x273/0x310
[ 48.876168]  ep_eventpoll_release+0x44/0x60
[ 48.880473]  __fput+0x355/0x8b0
[ 48.883740]  ____fput+0x15/0x20
[ 48.886997]  task_work_run+0x1ec/0x2a0
[ 48.890881]  do_exit+0x1b08/0x2750
[ 48.894396]  do_group_exit+0x177/0x440
[ 48.898258]  get_signal+0x88e/0x1970
[ 48.901950]  do_signal+0x9c/0x21c0
[ 48.905479]  exit_to_usermode_loop+0x2e0/0x370
[ 48.910045]  do_fast_syscall_32+0xcd5/0xfb2
[ 48.914366]  entry_SYSENTER_compat+0x70/0x7f
[ 48.918755]
[ 48.920362] The buggy address belongs to the object at ffff8801caca8ac0
[ 48.920362]  which belongs to the cache kmalloc-512 of size 512
[ 48.932996] The buggy address is located 152 bytes inside of
[ 48.932996]  512-byte region [ffff8801caca8ac0, ffff8801caca8cc0)
[ 48.944850] The buggy address belongs to the page:
[ 48.949756] page:ffffea00072b2a00 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 48.957876] flags: 0x2fffc0000000100(slab)
[ 48.962089] raw: 02fffc0000000100 ffffea00072e7b48 ffffea00073d8188 ffff8801da800940
[ 48.969950] raw: 0000000000000000 ffff8801caca80c0 0000000100000006 0000000000000000
[ 48.977802] page dumped because: kasan: bad access detected
[ 48.983486]
[ 48.985097] Memory state around the buggy address:
[ 48.990005]  ffff8801caca8a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 48.997346]  ffff8801caca8a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 49.004683] >ffff8801caca8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.012030]                                       ^
[ 49.018237]  ffff8801caca8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.025581]  ffff8801caca8c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.032916] ==================================================================
[ 49.040255] Disabling lock debugging due to kernel taint
[ 49.045679] Kernel panic - not syncing: panic_on_warn set ...
[ 49.045679]
[ 49.053029] CPU: 0 PID: 4587 Comm: kworker/0:4 Tainted: G B 4.18.0-rc4+ #44
[ 49.061412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.070767] Workqueue: events p9_poll_workfn
[ 49.075160] Call Trace:
[ 49.077737]  dump_stack+0x1c9/0x2b4
[ 49.081342]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 49.086509]  ? lock_downgrade+0x8f0/0x8f0
[ 49.090639]  panic+0x238/0x4e7
[ 49.093810]  ? add_taint.cold.5+0x16/0x16
[ 49.097936]  ? add_taint.cold.5+0x5/0x16
[ 49.101983]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 49.106374]  ? __lock_acquire+0x3829/0x5020
[ 49.110681]  kasan_end_report+0x47/0x4f
[ 49.114630]  kasan_report.cold.7+0x76/0x2fe
[ 49.118930]  __asan_report_load8_noabort+0x14/0x20
[ 49.123836]  __lock_acquire+0x3829/0x5020
[ 49.127961]  ? lock_downgrade+0x8f0/0x8f0
[ 49.132093]  ? trace_hardirqs_on+0x10/0x10
[ 49.136314]  ? __free_pages+0x149/0x190
[ 49.140265]  ? free_unref_page+0x9a0/0x9a0
[ 49.144477]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.149472]  ? trace_hardirqs_on+0xd/0x10
[ 49.153597]  ? account_kernel_stack+0x2bd/0x410
[ 49.158242]  ? trace_hardirqs_on+0xd/0x10
[ 49.162369]  ? put_task_stack+0x188/0x2c0
[ 49.166498]  ? kasan_check_write+0x14/0x20
[ 49.170717]  ? finish_task_switch+0x5e7/0x870
[ 49.175224]  ? preempt_notifier_register+0x200/0x200
[ 49.180311]  ? lock_repin_lock+0x430/0x430
[ 49.184526]  ? __schedule+0x884/0x1ed0
[ 49.188392]  ? graph_lock+0x170/0x170
[ 49.192170]  ? __sched_text_start+0x8/0x8
[ 49.196304]  lock_acquire+0x1e4/0x540
[ 49.200096]  ? ep_scan_ready_list+0xb77/0xf50
[ 49.204570]  ? lock_release+0xa30/0xa30
[ 49.208523]  ? check_same_owner+0x340/0x340
[ 49.212825]  ? ep_scan_ready_list+0xb77/0xf50
[ 49.217297]  __mutex_lock+0x176/0x1820
[ 49.221164]  ? ep_scan_ready_list+0xb77/0xf50
[ 49.225639]  ? graph_lock+0x170/0x170
[ 49.229418]  ? trace_hardirqs_off+0xd/0x10
[ 49.233629]  ? ep_scan_ready_list+0xb77/0xf50
[ 49.238104]  ? p9_pollwake+0x16d/0x300
[ 49.241979]  ? mutex_trylock+0x2b0/0x2b0
[ 49.246029]  ? print_usage_bug+0xc0/0xc0
[ 49.250071]  ? lock_downgrade+0x8f0/0x8f0
[ 49.254202]  ? mark_held_locks+0xc9/0x160
[ 49.258328]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 49.262891]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 49.267971]  ? print_usage_bug+0xc0/0xc0
[ 49.272014]  ? trace_hardirqs_on+0xd/0x10
[ 49.276146]  ? ep_call_nested.constprop.19+0x468/0x580
[ 49.281399]  ? retint_kernel+0x10/0x10
[ 49.285262]  ? ep_show_fdinfo+0x360/0x360
[ 49.289391]  ? ep_ptable_queue_proc+0x520/0x520
[ 49.294043]  ? __lock_acquire+0x7fc/0x5020
[ 49.298257]  ? ep_item_poll.isra.14+0x400/0x400
[ 49.302904]  mutex_lock_nested+0x16/0x20
[ 49.306940]  ? mutex_lock_nested+0x16/0x20
[ 49.311152]  ep_scan_ready_list+0xb77/0xf50
[ 49.315453]  ? ep_poll_callback+0x10f0/0x10f0
[ 49.319926]  ? print_usage_bug+0xc0/0xc0
[ 49.323966]  ? print_usage_bug+0xc0/0xc0
[ 49.328013]  ? kasan_check_read+0x11/0x20
[ 49.332145]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 49.336530]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 49.341090]  ? print_usage_bug+0xc0/0xc0
[ 49.345128]  ? print_usage_bug+0xc0/0xc0
[ 49.349167]  ? graph_lock+0x170/0x170
[ 49.352960]  ? mark_held_locks+0xc9/0x160
[ 49.357090]  ? retint_kernel+0x10/0x10
[ 49.360957]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.365954]  ? print_usage_bug+0xc0/0xc0
[ 49.369996]  ep_eventpoll_poll+0x192/0x200
[ 49.374220]  ? mounts_poll+0x1f9/0x290
[ 49.378087]  ? ep_scan_ready_list+0xf50/0xf50
[ 49.382559]  ? mark_held_locks+0xc9/0x160
[ 49.386688]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 49.391772]  ? ep_scan_ready_list+0xf50/0xf50
[ 49.396256]  p9_fd_poll+0x1ce/0x2b0
[ 49.399861]  p9_poll_workfn+0x463/0x6d0
[ 49.403816]  ? p9_read_work+0x1060/0x1060
[ 49.407940]  ? graph_lock+0x170/0x170
[ 49.411718]  ? lock_acquire+0x1e4/0x540
[ 49.415669]  ? process_one_work+0xb9b/0x1ba0
[ 49.420068]  ? kasan_check_read+0x11/0x20
[ 49.424195]  ? __lock_is_held+0xb5/0x140
[ 49.428236]  process_one_work+0xc73/0x1ba0
[ 49.432455]  ? trace_hardirqs_on+0x10/0x10
[ 49.436668]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 49.441325]  ? lock_repin_lock+0x430/0x430
[ 49.445540]  ? __sched_text_start+0x8/0x8
[ 49.449665]  ? lock_downgrade+0x8f0/0x8f0
[ 49.453790]  ? graph_lock+0x170/0x170
[ 49.457571]  ? lock_acquire+0x1e4/0x540
[ 49.461523]  ? worker_thread+0x3dc/0x13c0
[ 49.465648]  ? lock_downgrade+0x8f0/0x8f0
[ 49.469773]  ? lock_release+0xa30/0xa30
[ 49.473733]  ? kasan_check_read+0x11/0x20
[ 49.477857]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 49.482242]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 49.486802]  ? kasan_check_write+0x14/0x20
[ 49.491021]  ? do_raw_spin_lock+0xc1/0x200
[ 49.495238]  worker_thread+0x189/0x13c0
[ 49.499203]  ? process_one_work+0x1ba0/0x1ba0
[ 49.503679]  ? graph_lock+0x170/0x170
[ 49.507457]  ? graph_lock+0x170/0x170
[ 49.511237]  ? find_held_lock+0x36/0x1c0
[ 49.515276]  ? find_held_lock+0x36/0x1c0
[ 49.519328]  ? lock_downgrade+0x8f0/0x8f0
[ 49.523456]  ? kasan_check_read+0x11/0x20
[ 49.527582]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 49.531970]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 49.537066]  ? __kthread_parkme+0x58/0x1b0
[ 49.541278]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 49.546284]  ? trace_hardirqs_on+0xd/0x10
[ 49.550412]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 49.555925]  ? __kthread_parkme+0x106/0x1b0
[ 49.560225]  kthread+0x345/0x410
[ 49.563571]  ? process_one_work+0x1ba0/0x1ba0
[ 49.568046]  ? kthread_bind+0x40/0x40
[ 49.571838]  ret_from_fork+0x3a/0x50
[ 49.575964] Dumping ftrace buffer:
[ 49.579478]    (ftrace buffer empty)
[ 49.583167] Kernel Offset: disabled
[ 49.586770] Rebooting in 86400 seconds..