[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   25.378041] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   29.912026] random: sshd: uninitialized urandom read (32 bytes read)
[   30.394487] random: sshd: uninitialized urandom read (32 bytes read)
[   30.925803] random: sshd: uninitialized urandom read (32 bytes read)
[   97.100289] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
[  102.733256] random: sshd: uninitialized urandom read (32 bytes read)
2018/08/30 18:51:16 parsed 1 programs
[  104.070768] random: cc1: uninitialized urandom read (8 bytes read)
2018/08/30 18:51:18 executed programs: 0
[  105.745706] IPVS: ftp: loaded support on port[0] = 21
[  105.963267] bridge0: port 1(bridge_slave_0) entered blocking state
[  105.969742] bridge0: port 1(bridge_slave_0) entered disabled state
[  105.977219] device bridge_slave_0 entered promiscuous mode
[  105.994711] bridge0: port 2(bridge_slave_1) entered blocking state
[  106.001099] bridge0: port 2(bridge_slave_1) entered disabled state
[  106.008407] device bridge_slave_1 entered promiscuous mode
[  106.024836] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  106.041536] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  106.087475] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  106.106511] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  106.174695] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  106.182868] team0: Port device team_slave_0 added
[  106.198380] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  106.205577] team0: Port device team_slave_1 added
[  106.221826] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  106.240846] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  106.259136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  106.277234] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  106.408134] bridge0: port 2(bridge_slave_1) entered blocking state
[  106.414722] bridge0: port 2(bridge_slave_1) entered forwarding state
[  106.421811] bridge0: port 1(bridge_slave_0) entered blocking state
[  106.428200] bridge0: port 1(bridge_slave_0) entered forwarding state
[  106.876983] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  106.883100] 8021q: adding VLAN 0 to HW filter on device bond0
[  106.927978] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  106.937410] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  106.983413] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  106.989590] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  106.996857] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  107.036776] 8021q: adding VLAN 0 to HW filter on device team0
[  107.352660] ==================================================================
[  107.360120] BUG: KASAN: use-after-free in sock_i_ino+0x94/0xa0
[  107.366081] Read of size 8 at addr ffff8801ba5e40b0 by task syz-executor0/5008
[  107.373419]
[  107.375033] CPU: 0 PID: 5008 Comm: syz-executor0 Not tainted 4.19.0-rc1+ #77
[  107.382202] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  107.391638] Call Trace:
[  107.394215]  dump_stack+0x1c9/0x2b4
[  107.397838]  ? dump_stack_print_info.cold.2+0x52/0x52
[  107.403021]  ? printk+0xa7/0xcf
[  107.406333]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  107.411133]  ? sock_i_ino+0x94/0xa0
[  107.414761]  print_address_description+0x6c/0x20b
[  107.419591]  ? sock_i_ino+0x94/0xa0
[  107.423210]  kasan_report.cold.7+0x242/0x30d
[  107.427621]  __asan_report_load8_noabort+0x14/0x20
[  107.432558]  sock_i_ino+0x94/0xa0
[  107.436074]  tipc_sk_fill_sock_diag+0x3be/0xdb0
[  107.440735]  ? tipc_diag_dump+0x30/0x30
[  107.444703]  ? tipc_getname+0x7f0/0x7f0
[  107.448670]  ? print_usage_bug+0xc0/0xc0
[  107.452717]  ? graph_lock+0x170/0x170
[  107.456500]  ? __lock_sock+0x203/0x360
[  107.460375]  ? find_held_lock+0x36/0x1c0
[  107.464531]  ? mark_held_locks+0xc9/0x160
[  107.468848]  ? __local_bh_enable_ip+0x161/0x230
[  107.473510]  ? __local_bh_enable_ip+0x161/0x230
[  107.478163]  ? lockdep_hardirqs_on+0x421/0x5c0
[  107.482774]  ? trace_hardirqs_on+0xbd/0x2c0
[  107.487090]  ? lock_release+0x9f0/0x9f0
[  107.491057]  ? lock_sock_nested+0xe7/0x120
[  107.495281]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  107.500282]  ? skb_put+0x17b/0x1e0
[  107.503816]  ? memset+0x31/0x40
[  107.507083]  ? __nlmsg_put+0x14c/0x1b0
[  107.510962]  __tipc_add_sock_diag+0x22f/0x360
[  107.515457]  tipc_nl_sk_walk+0x122/0x1d0
[  107.519525]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  107.524891]  tipc_diag_dump+0x24/0x30
[  107.528680]  netlink_dump+0x519/0xd50
[  107.532479]  ? netlink_broadcast+0x50/0x50
[  107.536707]  __netlink_dump_start+0x4f1/0x6f0
[  107.541190]  ? kasan_check_read+0x11/0x20
[  107.545324]  ? tipc_data_ready+0x3f0/0x3f0
[  107.549550]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  107.554644]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  107.559390]  ? tipc_data_ready+0x3f0/0x3f0
[  107.563614]  ? tipc_unregister_sysctl+0x20/0x20
[  107.568267]  ? tipc_ioctl+0x3b0/0x3b0
[  107.572054]  ? netlink_deliver_tap+0x356/0xfb0
[  107.576634]  sock_diag_rcv_msg+0x31d/0x410
[  107.580863]  netlink_rcv_skb+0x172/0x440
[  107.584918]  ? sock_diag_bind+0x80/0x80
[  107.588880]  ? netlink_ack+0xbe0/0xbe0
[  107.592750]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  107.597492]  sock_diag_rcv+0x2a/0x40
[  107.601212]  netlink_unicast+0x5a0/0x760
[  107.605264]  ? netlink_attachskb+0x9a0/0x9a0
[  107.609665]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  107.615193]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  107.620203]  netlink_sendmsg+0xa18/0xfc0
[  107.624346]  ? netlink_unicast+0x760/0x760
[  107.628620]  ? aa_sock_msg_perm.isra.13+0xba/0x160
[  107.633608]  ? apparmor_socket_sendmsg+0x29/0x30
[  107.638357]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  107.643884]  ? security_socket_sendmsg+0x94/0xc0
[  107.648631]  ? netlink_unicast+0x760/0x760
[  107.652899]  sock_sendmsg+0xd5/0x120
[  107.656609]  ___sys_sendmsg+0x7fd/0x930
[  107.660635]  ? __switch_to_asm+0x40/0x70
[  107.664686]  ? __switch_to_asm+0x40/0x70
[  107.668733]  ? copy_msghdr_from_user+0x580/0x580
[  107.673488]  ? __sched_text_start+0x8/0x8
[  107.677639]  ? __fget_light+0x2f7/0x440
[  107.681613]  ? __local_bh_enable_ip+0x161/0x230
[  107.686271]  ? fget_raw+0x20/0x20
[  107.689715]  ? __release_sock+0x3a0/0x3a0
[  107.693853]  ? tipc_nametbl_build_group+0x279/0x360
[  107.698864]  ? tipc_setsockopt+0x726/0xd70
[  107.703091]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  107.708611]  ? sockfd_lookup_light+0xc5/0x160
[  107.713109]  __sys_sendmsg+0x11d/0x290
[  107.716986]  ? __ia32_sys_shutdown+0x80/0x80
[  107.721386]  ? fput+0x130/0x1a0
[  107.724668]  ? __x64_sys_futex+0x47f/0x6a0
[  107.728895]  ? do_syscall_64+0x9a/0x820
[  107.732861]  ? do_syscall_64+0x9a/0x820
[  107.736869]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[  107.742008]  __x64_sys_sendmsg+0x78/0xb0
[  107.746066]  do_syscall_64+0x1b9/0x820
[  107.749947]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  107.755409]  ? syscall_return_slowpath+0x5e0/0x5e0
[  107.760329]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  107.765163]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[  107.770237]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  107.775248]  ? prepare_exit_to_usermode+0x291/0x3b0
[  107.780253]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  107.785083]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  107.790258] RIP: 0033:0x457089
[  107.793438] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  107.812333] RSP: 002b:00007fa11f7e0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  107.820028] RAX: ffffffffffffffda RBX: 00007fa11f7e16d4 RCX: 0000000000457089
[  107.827283] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  107.834576] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  107.841898] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  107.849159] R13: 00000000004d4570 R14: 00000000004c8d49 R15: 0000000000000000
[  107.856422]
[  107.858079] Allocated by task 5008:
[  107.861693]  save_stack+0x43/0xd0
[  107.865128]  kasan_kmalloc+0xc4/0xe0
[  107.868823]  kasan_slab_alloc+0x12/0x20
[  107.872787]  kmem_cache_alloc+0x12e/0x710
[  107.876928]  sock_alloc_inode+0x1d/0x260
[  107.880974]  alloc_inode+0x63/0x190
[  107.884588]  new_inode_pseudo+0x71/0x1a0
[  107.888634]  sock_alloc+0x41/0x270
[  107.892167]  __sock_create+0x175/0x940
[  107.896044]  __sys_socket+0x106/0x260
[  107.899834]  __x64_sys_socket+0x73/0xb0
[  107.903794]  do_syscall_64+0x1b9/0x820
[  107.907671]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  107.912842]
[  107.914452] Freed by task 5007:
[  107.917766]  save_stack+0x43/0xd0
[  107.921212]  __kasan_slab_free+0x11a/0x170
[  107.925438]  kasan_slab_free+0xe/0x10
[  107.929235]  kmem_cache_free+0x86/0x280
[  107.933195]  sock_destroy_inode+0x51/0x60
[  107.937486]  destroy_inode+0x159/0x200
[  107.941360]  evict+0x5d5/0x990
[  107.944539]  iput+0x5fa/0xa00
[  107.947638]  dentry_unlink_inode+0x461/0x5e0
[  107.952030]  __dentry_kill+0x44c/0x7a0
[  107.955898]  dentry_kill+0xc9/0x5a0
[  107.959511]  dput.part.26+0x66b/0x7a0
[  107.963302]  dput+0x15/0x20
[  107.966217]  __fput+0x4d4/0xa40
[  107.969479]  ____fput+0x15/0x20
[  107.972741]  task_work_run+0x1e8/0x2a0
[  107.976612]  exit_to_usermode_loop+0x318/0x380
[  107.981175]  do_syscall_64+0x6be/0x820
[  107.985050]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  107.990220]
[  107.991838] The buggy address belongs to the object at ffff8801ba5e4040
[  107.991838]  which belongs to the cache sock_inode_cache(17:syz0) of size 984
[  108.005740] The buggy address is located 112 bytes inside of
[  108.005740]  984-byte region [ffff8801ba5e4040, ffff8801ba5e4418)
[  108.017606] The buggy address belongs to the page:
[  108.022524] page:ffffea0006e97900 count:1 mapcount:0 mapping:ffff8801d09a3780 index:0xffff8801ba5e4ffd
[  108.031952] flags: 0x2fffc0000000100(slab)
[  108.036177] raw: 02fffc0000000100 ffffea0006e93e08 ffffea0006e97988 ffff8801d09a3780
[  108.044131] raw: ffff8801ba5e4ffd ffff8801ba5e4040 0000000100000003 ffff8801b1d94a40
[  108.051989] page dumped because: kasan: bad access detected
[  108.057711] page->mem_cgroup:ffff8801b1d94a40
[  108.062193]
[  108.063848] Memory state around the buggy address:
[  108.068811]  ffff8801ba5e3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  108.076168]  ffff8801ba5e4000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  108.083527] >ffff8801ba5e4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  108.090870]                                     ^
[  108.095782]  ffff8801ba5e4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  108.103127]  ffff8801ba5e4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  108.110568] ==================================================================
[  108.117984] Disabling lock debugging due to kernel taint
[  108.123492] Kernel panic - not syncing: panic_on_warn set ...
[  108.123492]
[  108.130848] CPU: 0 PID: 5008 Comm: syz-executor0 Tainted: G    B             4.19.0-rc1+ #77
[  108.139406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  108.148742] Call Trace:
[  108.151321]  dump_stack+0x1c9/0x2b4
[  108.154976]  ? dump_stack_print_info.cold.2+0x52/0x52
[  108.160228]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  108.164971]  panic+0x238/0x4e7
[  108.168151]  ? add_taint.cold.5+0x16/0x16
[  108.172281]  ? trace_hardirqs_on+0xb4/0x2c0
[  108.176584]  ? trace_hardirqs_on+0x9a/0x2c0
[  108.180889]  ? sock_i_ino+0x94/0xa0
[  108.185562]  kasan_end_report+0x47/0x4f
[  108.189524]  kasan_report.cold.7+0x76/0x30d
[  108.193830]  __asan_report_load8_noabort+0x14/0x20
[  108.198754]  sock_i_ino+0x94/0xa0
[  108.202207]  tipc_sk_fill_sock_diag+0x3be/0xdb0
[  108.206862]  ? tipc_diag_dump+0x30/0x30
[  108.210829]  ? tipc_getname+0x7f0/0x7f0
[  108.214801]  ? print_usage_bug+0xc0/0xc0
[  108.218844]  ? graph_lock+0x170/0x170
[  108.222636]  ? __lock_sock+0x203/0x360
[  108.226521]  ? find_held_lock+0x36/0x1c0
[  108.230583]  ? mark_held_locks+0xc9/0x160
[  108.234722]  ? __local_bh_enable_ip+0x161/0x230
[  108.239374]  ? __local_bh_enable_ip+0x161/0x230
[  108.244027]  ? lockdep_hardirqs_on+0x421/0x5c0
[  108.248595]  ? trace_hardirqs_on+0xbd/0x2c0
[  108.252913]  ? lock_release+0x9f0/0x9f0
[  108.256884]  ? lock_sock_nested+0xe7/0x120
[  108.261107]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  108.266108]  ? skb_put+0x17b/0x1e0
[  108.269642]  ? memset+0x31/0x40
[  108.272915]  ? __nlmsg_put+0x14c/0x1b0
[  108.276788]  __tipc_add_sock_diag+0x22f/0x360
[  108.281272]  tipc_nl_sk_walk+0x122/0x1d0
[  108.285320]  ? tipc_sock_diag_handler_dump+0x3d0/0x3d0
[  108.290582]  tipc_diag_dump+0x24/0x30
[  108.294368]  netlink_dump+0x519/0xd50
[  108.298152]  ? netlink_broadcast+0x50/0x50
[  108.302374]  __netlink_dump_start+0x4f1/0x6f0
[  108.306873]  ? kasan_check_read+0x11/0x20
[  108.311007]  ? tipc_data_ready+0x3f0/0x3f0
[  108.315234]  tipc_sock_diag_handler_dump+0x28e/0x3d0
[  108.320319]  ? __tipc_diag_gen_cookie+0xc0/0xc0
[  108.324971]  ? tipc_data_ready+0x3f0/0x3f0
[  108.329221]  ? tipc_unregister_sysctl+0x20/0x20
[  108.333985]  ? tipc_ioctl+0x3b0/0x3b0
[  108.337773]  ? netlink_deliver_tap+0x356/0xfb0
[  108.342342]  sock_diag_rcv_msg+0x31d/0x410
[  108.346562]  netlink_rcv_skb+0x172/0x440
[  108.350608]  ? sock_diag_bind+0x80/0x80
[  108.354578]  ? netlink_ack+0xbe0/0xbe0
[  108.358448]  ? rcu_cleanup_dead_rnp+0x200/0x200
[  108.363117]  sock_diag_rcv+0x2a/0x40
[  108.366815]  netlink_unicast+0x5a0/0x760
[  108.370862]  ? netlink_attachskb+0x9a0/0x9a0
[  108.375257]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  108.380797]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  108.385800]  netlink_sendmsg+0xa18/0xfc0
[  108.389846]  ? netlink_unicast+0x760/0x760
[  108.394083]  ? aa_sock_msg_perm.isra.13+0xba/0x160
[  108.399001]  ? apparmor_socket_sendmsg+0x29/0x30
[  108.403752]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  108.409274]  ? security_socket_sendmsg+0x94/0xc0
[  108.414013]  ? netlink_unicast+0x760/0x760
[  108.418234]  sock_sendmsg+0xd5/0x120
[  108.421958]  ___sys_sendmsg+0x7fd/0x930
[  108.425921]  ? __switch_to_asm+0x40/0x70
[  108.429968]  ? __switch_to_asm+0x40/0x70
[  108.434019]  ? copy_msghdr_from_user+0x580/0x580
[  108.438761]  ? __sched_text_start+0x8/0x8
[  108.442897]  ? __fget_light+0x2f7/0x440
[  108.446856]  ? __local_bh_enable_ip+0x161/0x230
[  108.451510]  ? fget_raw+0x20/0x20
[  108.454949]  ? __release_sock+0x3a0/0x3a0
[  108.459081]  ? tipc_nametbl_build_group+0x279/0x360
[  108.464093]  ? tipc_setsockopt+0x726/0xd70
[  108.468331]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  108.473855]  ? sockfd_lookup_light+0xc5/0x160
[  108.478337]  __sys_sendmsg+0x11d/0x290
[  108.482230]  ? __ia32_sys_shutdown+0x80/0x80
[  108.486628]  ? fput+0x130/0x1a0
[  108.489907]  ? __x64_sys_futex+0x47f/0x6a0
[  108.494129]  ? do_syscall_64+0x9a/0x820
[  108.498104]  ? do_syscall_64+0x9a/0x820
[  108.502065]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[  108.507154]  __x64_sys_sendmsg+0x78/0xb0
[  108.511201]  do_syscall_64+0x1b9/0x820
[  108.515076]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  108.520431]  ? syscall_return_slowpath+0x5e0/0x5e0
[  108.525370]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  108.530196]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[  108.535196]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  108.540205]  ? prepare_exit_to_usermode+0x291/0x3b0
[  108.545221]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  108.550054]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  108.555226] RIP: 0033:0x457089
[  108.558411] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  108.577671] RSP: 002b:00007fa11f7e0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  108.585362] RAX: ffffffffffffffda RBX: 00007fa11f7e16d4 RCX: 0000000000457089
[  108.592620] RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000006
[  108.599884] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
[  108.607135] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[  108.614386] R13: 00000000004d4570 R14: 00000000004c8d49 R15: 0000000000000000
[  108.621989] Dumping ftrace buffer:
[  108.625529]    (ftrace buffer empty)
[  108.629220] Kernel Offset: disabled
[  108.632831] Rebooting in 86400 seconds..