[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 16.400478] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.442056] random: sshd: uninitialized urandom read (32 bytes read) [ 20.754237] random: sshd: uninitialized urandom read (32 bytes read) [ 21.454728] random: sshd: uninitialized urandom read (32 bytes read) [ 21.588832] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.56' (ECDSA) to the list of known hosts. [ 27.192402] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 27.280601] IPVS: ftp: loaded support on port[0] = 21 executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 92.370904] ================================================================== [ 92.378454] BUG: KASAN: use-after-free in __mutex_lock+0x185/0x1680 [ 92.384844] Read of size 8 at addr ffff8801c62d85b8 by task kworker/0:2/2137 [ 92.392014] [ 92.393642] CPU: 0 PID: 2137 Comm: kworker/0:2 Not tainted 4.18.0-rc4-next-20180711+ #4 [ 92.401772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 92.411217] Workqueue: events p9_poll_workfn [ 92.415605] Call Trace: [ 92.418195] dump_stack+0x1c9/0x2b4 [ 92.421891] ? dump_stack_print_info.cold.2+0x52/0x52 [ 92.427076] ? printk+0xa7/0xcf [ 92.430338] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 92.435081] ? __mutex_lock+0x185/0x1680 [ 92.439128] print_address_description+0x6c/0x20b [ 92.443952] ? __mutex_lock+0x185/0x1680 [ 92.448021] kasan_report.cold.7+0x242/0x30d [ 92.452423] ? ep_scan_ready_list+0xb77/0xf50 [ 92.456901] check_memory_region+0x13e/0x1b0 [ 92.461300] kasan_check_read+0x11/0x20 [ 92.465259] __mutex_lock+0x185/0x1680 [ 92.469132] ? ep_scan_ready_list+0xb77/0xf50 [ 92.473613] ? p9_pollwake+0x16d/0x300 [ 92.477481] ? ep_scan_ready_list+0xb77/0xf50 [ 92.481959] ? mutex_trylock+0x2b0/0x2b0 [ 92.486013] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 92.491556] ? lock_acquire+0x1e4/0x540 [ 92.495528] ? ep_call_nested.constprop.19+0x468/0x580 [ 92.500796] ? lock_downgrade+0x8f0/0x8f0 [ 92.504939] ? kasan_check_read+0x11/0x20 [ 92.509081] ? do_raw_spin_unlock+0xa7/0x2f0 [ 92.513476] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 92.518051] ? kasan_check_write+0x14/0x20 [ 92.522283] ? do_raw_spin_lock+0xc1/0x200 [ 92.526503] ? trace_hardirqs_on+0xd/0x10 [ 92.530637] ? ep_call_nested.constprop.19+0x468/0x580 [ 92.535899] ? ep_show_fdinfo+0x360/0x360 [ 92.540037] ? ep_ptable_queue_proc+0x520/0x520 [ 92.544698] ? kasan_check_read+0x11/0x20 [ 92.548830] ? do_raw_spin_unlock+0xa7/0x2f0 [ 92.553222] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 92.557808] ? kasan_check_write+0x14/0x20 [ 92.562031] ? do_raw_spin_lock+0xc1/0x200 [ 92.566255] ? ep_item_poll.isra.14+0x400/0x400 [ 92.570906] mutex_lock_nested+0x16/0x20 [ 92.574952] ? mutex_lock_nested+0x16/0x20 [ 92.579181] ep_scan_ready_list+0xb77/0xf50 [ 92.583488] ? do_raw_spin_unlock+0xa7/0x2f0 [ 92.587889] ? ep_poll_callback+0x10f0/0x10f0 [ 92.592372] ? __queue_work+0x688/0x1410 [ 92.596419] ? lock_downgrade+0x8f0/0x8f0 [ 92.600552] ? workqueue_congested+0x3c0/0x3c0 [ 92.605123] ? kasan_check_read+0x11/0x20 [ 92.609267] ? do_raw_spin_unlock+0xa7/0x2f0 [ 92.613662] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 92.618238] ? kasan_check_write+0x14/0x20 [ 92.622458] ? do_raw_spin_lock+0xc1/0x200 [ 92.626678] ? _raw_spin_unlock+0x22/0x30 [ 92.630810] ? __queue_work+0x68d/0x1410 [ 92.634872] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 92.639617] ? retint_kernel+0x10/0x10 [ 92.643498] ? lock_acquire+0x1e4/0x540 [ 92.647467] ? p9_poll_workfn+0x3ec/0x6d0 [ 92.651697] ep_eventpoll_poll+0x192/0x200 [ 92.655927] ? mounts_poll+0x1f9/0x290 [ 92.659800] ? ep_scan_ready_list+0xf50/0xf50 [ 92.664282] ? kasan_check_write+0x14/0x20 [ 92.668522] ? ep_scan_ready_list+0xf50/0xf50 [ 92.673003] p9_fd_poll+0x1ce/0x2b0 [ 92.676624] p9_poll_workfn+0x463/0x6d0 [ 92.680589] ? p9_read_work+0x1060/0x1060 [ 92.684743] ? lock_acquire+0x1e4/0x540 [ 92.688707] ? process_one_work+0xb9b/0x1ba0 [ 92.693119] ? kasan_check_read+0x11/0x20 [ 92.697261] ? lock_release+0xa30/0xa30 [ 92.701215] ? kasan_check_read+0x11/0x20 [ 92.705345] ? do_raw_spin_unlock+0xa7/0x2f0 [ 92.709748] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 92.714322] ? read_word_at_a_time+0x20/0x20 [ 92.718718] ? compat_start_thread+0x80/0x80 [ 92.723116] process_one_work+0xc73/0x1ba0 [ 92.727339] ? trace_hardirqs_on+0x10/0x10 [ 92.731564] ? pwq_dec_nr_in_flight+0x4a0/0x4a0 [ 92.736226] ? lock_repin_lock+0x430/0x430 [ 92.740455] ? __sched_text_start+0x8/0x8 [ 92.744608] ? lock_downgrade+0x8f0/0x8f0 [ 92.748750] ? lock_acquire+0x1e4/0x540 [ 92.752708] ? __update_idle_core+0x304/0x610 [ 92.757194] ? kasan_check_write+0x14/0x20 [ 92.761415] ? __mutex_unlock_slowpath+0x197/0x8c0 [ 92.766329] ? lock_downgrade+0x8f0/0x8f0 [ 92.770469] ? lock_acquire+0x1e4/0x540 [ 92.774430] ? worker_thread+0x3dc/0x13c0 [ 92.778567] ? lock_downgrade+0x8f0/0x8f0 [ 92.782700] ? lock_release+0xa30/0xa30 [ 92.786671] ? kasan_check_read+0x11/0x20 [ 92.790805] ? do_raw_spin_unlock+0xa7/0x2f0 [ 92.795200] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 92.799780] ? kasan_check_write+0x14/0x20 [ 92.803997] ? do_raw_spin_lock+0xc1/0x200 [ 92.808232] worker_thread+0x189/0x13c0 [ 92.812206] ? process_one_work+0x1ba0/0x1ba0 [ 92.816710] ? finish_task_switch+0x1d3/0x870 [ 92.821191] ? lock_acquire+0x1e4/0x540 [ 92.825152] ? __kthread_parkme+0xd7/0x1b0 [ 92.829381] ? lock_downgrade+0x8f0/0x8f0 [ 92.833612] ? kasan_check_read+0x11/0x20 [ 92.837749] ? do_raw_spin_unlock+0xa7/0x2f0 [ 92.842150] ? kasan_check_write+0x14/0x20 [ 92.846366] ? trace_hardirqs_on+0xd/0x10 [ 92.850516] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 92.856065] ? __kthread_parkme+0x106/0x1b0 [ 92.860370] kthread+0x345/0x410 [ 92.863733] ? process_one_work+0x1ba0/0x1ba0 [ 92.868209] ? kthread_bind+0x40/0x40 [ 92.872006] ret_from_fork+0x3a/0x50 [ 92.875726] [ 92.877355] Allocated by task 4472: [ 92.880969] save_stack+0x43/0xd0 [ 92.884415] kasan_kmalloc+0xc4/0xe0 [ 92.888118] kmem_cache_alloc_trace+0x152/0x780 [ 92.892784] do_epoll_create+0x170/0x5c0 [ 92.896835] __x64_sys_epoll_create1+0x31/0x40 [ 92.901494] do_syscall_64+0x1b9/0x820 [ 92.905369] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 92.910533] [ 92.912151] Freed by task 4472: [ 92.915422] save_stack+0x43/0xd0 [ 92.918869] __kasan_slab_free+0x11a/0x170 [ 92.923087] kasan_slab_free+0xe/0x10 [ 92.926869] kfree+0xd9/0x260 [ 92.929968] ep_free+0x273/0x310 [ 92.933321] ep_eventpoll_release+0x44/0x60 [ 92.937634] __fput+0x35d/0x930 [ 92.940895] ____fput+0x15/0x20 [ 92.944170] task_work_run+0x1ec/0x2a0 [ 92.948049] do_exit+0x1b08/0x2750 [ 92.951570] do_group_exit+0x177/0x440 [ 92.955437] get_signal+0x88e/0x1970 [ 92.959142] do_signal+0x9c/0x21c0 [ 92.962677] exit_to_usermode_loop+0x2e5/0x380 [ 92.967239] do_syscall_64+0x6be/0x820 [ 92.971121] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 92.976289] [ 92.977917] The buggy address belongs to the object at ffff8801c62d8580 [ 92.977917] which belongs to the cache kmalloc-512 of size 512 [ 92.990564] The buggy address is located 56 bytes inside of [ 92.990564] 512-byte region [ffff8801c62d8580, ffff8801c62d8780) [ 93.002421] The buggy address belongs to the page: [ 93.007341] page:ffffea000718b600 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0 [ 93.015480] flags: 0x2fffc0000000100(slab) [ 93.019716] raw: 02fffc0000000100 ffffea0006b54dc8 ffffea000764a188 ffff8801da800940 [ 93.027584] raw: 0000000000000000 ffff8801c62d8080 0000000100000006 0000000000000000 [ 93.035454] page dumped because: kasan: bad access detected [ 93.041153] [ 93.042761] Memory state around the buggy address: [ 93.047677] ffff8801c62d8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 93.055032] ffff8801c62d8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 93.062394] >ffff8801c62d8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb executing program [ 93.069763] ^ [ 93.074938] ffff8801c62d8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 93.082282] ffff8801c62d8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 93.089623] ================================================================== [ 93.097228] Kernel panic - not syncing: panic_on_warn set ... [ 93.097228] [ 93.104613] CPU: 0 PID: 2137 Comm: kworker/0:2 Tainted: G B 4.18.0-rc4-next-20180711+ #4 [ 93.114155] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 93.123532] Workqueue: events p9_poll_workfn [ 93.127923] Call Trace: [ 93.130514] dump_stack+0x1c9/0x2b4 [ 93.134139] ? dump_stack_print_info.cold.2+0x52/0x52 [ 93.139316] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 93.144066] panic+0x238/0x4e7 [ 93.147264] ? add_taint.cold.5+0x16/0x16 [ 93.151402] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.155815] ? __mutex_lock+0x185/0x1680 [ 93.159871] kasan_end_report+0x47/0x4f [ 93.163832] kasan_report.cold.7+0x76/0x30d [ 93.168155] ? ep_scan_ready_list+0xb77/0xf50 [ 93.172728] check_memory_region+0x13e/0x1b0 [ 93.177122] kasan_check_read+0x11/0x20 [ 93.181095] __mutex_lock+0x185/0x1680 [ 93.184988] ? ep_scan_ready_list+0xb77/0xf50 [ 93.189482] ? p9_pollwake+0x16d/0x300 [ 93.193353] ? ep_scan_ready_list+0xb77/0xf50 [ 93.197923] ? mutex_trylock+0x2b0/0x2b0 [ 93.202022] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 93.207566] ? lock_acquire+0x1e4/0x540 [ 93.211540] ? ep_call_nested.constprop.19+0x468/0x580 [ 93.216818] ? lock_downgrade+0x8f0/0x8f0 [ 93.220980] ? kasan_check_read+0x11/0x20 [ 93.225139] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.229540] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 93.234111] ? kasan_check_write+0x14/0x20 [ 93.238343] ? do_raw_spin_lock+0xc1/0x200 [ 93.242563] ? trace_hardirqs_on+0xd/0x10 [ 93.246700] ? ep_call_nested.constprop.19+0x468/0x580 [ 93.251975] ? ep_show_fdinfo+0x360/0x360 [ 93.256113] ? ep_ptable_queue_proc+0x520/0x520 [ 93.260779] ? kasan_check_read+0x11/0x20 [ 93.264926] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.269322] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 93.273895] ? kasan_check_write+0x14/0x20 [ 93.278136] ? do_raw_spin_lock+0xc1/0x200 [ 93.282386] ? ep_item_poll.isra.14+0x400/0x400 [ 93.287091] mutex_lock_nested+0x16/0x20 [ 93.291147] ? mutex_lock_nested+0x16/0x20 [ 93.295376] ep_scan_ready_list+0xb77/0xf50 [ 93.299696] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.304109] ? ep_poll_callback+0x10f0/0x10f0 [ 93.308605] ? __queue_work+0x688/0x1410 [ 93.312659] ? lock_downgrade+0x8f0/0x8f0 [ 93.316795] ? workqueue_congested+0x3c0/0x3c0 [ 93.321366] ? kasan_check_read+0x11/0x20 [ 93.325527] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.329928] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 93.334497] ? kasan_check_write+0x14/0x20 [ 93.338765] ? do_raw_spin_lock+0xc1/0x200 [ 93.343017] ? _raw_spin_unlock+0x22/0x30 [ 93.347171] ? __queue_work+0x68d/0x1410 [ 93.351239] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 93.355982] ? retint_kernel+0x10/0x10 [ 93.359858] ? lock_acquire+0x1e4/0x540 [ 93.363821] ? p9_poll_workfn+0x3ec/0x6d0 [ 93.367975] ep_eventpoll_poll+0x192/0x200 [ 93.372233] ? mounts_poll+0x1f9/0x290 [ 93.376117] ? ep_scan_ready_list+0xf50/0xf50 [ 93.380625] ? kasan_check_write+0x14/0x20 [ 93.384937] ? ep_scan_ready_list+0xf50/0xf50 [ 93.389437] p9_fd_poll+0x1ce/0x2b0 [ 93.393074] p9_poll_workfn+0x463/0x6d0 [ 93.397046] ? p9_read_work+0x1060/0x1060 [ 93.401195] ? lock_acquire+0x1e4/0x540 [ 93.405158] ? process_one_work+0xb9b/0x1ba0 [ 93.409569] ? kasan_check_read+0x11/0x20 [ 93.413716] ? lock_release+0xa30/0xa30 [ 93.417686] ? kasan_check_read+0x11/0x20 [ 93.421836] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.426240] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 93.430827] ? read_word_at_a_time+0x20/0x20 [ 93.435226] ? compat_start_thread+0x80/0x80 [ 93.439644] process_one_work+0xc73/0x1ba0 [ 93.443865] ? trace_hardirqs_on+0x10/0x10 [ 93.448108] ? pwq_dec_nr_in_flight+0x4a0/0x4a0 [ 93.452774] ? lock_repin_lock+0x430/0x430 [ 93.457038] ? __sched_text_start+0x8/0x8 [ 93.461190] ? lock_downgrade+0x8f0/0x8f0 [ 93.465342] ? lock_acquire+0x1e4/0x540 [ 93.469303] ? __update_idle_core+0x304/0x610 [ 93.473795] ? kasan_check_write+0x14/0x20 [ 93.478031] ? __mutex_unlock_slowpath+0x197/0x8c0 [ 93.482949] ? lock_downgrade+0x8f0/0x8f0 [ 93.487099] ? lock_acquire+0x1e4/0x540 [ 93.491071] ? worker_thread+0x3dc/0x13c0 [ 93.495211] ? lock_downgrade+0x8f0/0x8f0 [ 93.499355] ? lock_release+0xa30/0xa30 [ 93.503319] ? kasan_check_read+0x11/0x20 [ 93.507479] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.511876] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 93.516473] ? kasan_check_write+0x14/0x20 [ 93.520802] ? do_raw_spin_lock+0xc1/0x200 [ 93.525049] worker_thread+0x189/0x13c0 [ 93.529021] ? process_one_work+0x1ba0/0x1ba0 [ 93.533529] ? finish_task_switch+0x1d3/0x870 [ 93.538031] ? lock_acquire+0x1e4/0x540 [ 93.542001] ? __kthread_parkme+0xd7/0x1b0 [ 93.546243] ? lock_downgrade+0x8f0/0x8f0 [ 93.550385] ? kasan_check_read+0x11/0x20 [ 93.554544] ? do_raw_spin_unlock+0xa7/0x2f0 [ 93.558954] ? kasan_check_write+0x14/0x20 [ 93.563351] ? trace_hardirqs_on+0xd/0x10 [ 93.567494] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 93.573020] ? __kthread_parkme+0x106/0x1b0 [ 93.577349] kthread+0x345/0x410 [ 93.580712] ? process_one_work+0x1ba0/0x1ba0 [ 93.585190] ? kthread_bind+0x40/0x40 [ 93.588987] ret_from_fork+0x3a/0x50 [ 93.593238] Dumping ftrace buffer: [ 93.596777] (ftrace buffer empty) [ 93.600470] Kernel Offset: disabled [ 93.604088] Rebooting in 86400 seconds..