[....] Starting periodic command scheduler: cron[ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 25.619577] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 27.550114] random: sshd: uninitialized urandom read (32 bytes read) [ 27.923822] random: sshd: uninitialized urandom read (32 bytes read) [ 28.548858] random: sshd: uninitialized urandom read (32 bytes read) [ 28.764904] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts. [ 34.505432] random: sshd: uninitialized urandom read (32 bytes read) [ 34.648820] BUG: spinlock bad magic on CPU#0, syz-executor607/5569 [ 34.652863] IPVS: ftp: loaded support on port[0] = 21 [ 34.655218] lock: root_task_group+0xe8/0x320, .magic: 00000000, .owner: /-1, .owner_cpu: 0 [ 34.655231] CPU: 0 PID: 5569 Comm: syz-executor607 Not tainted 4.19.0-rc3-next-20180912+ #72 [ 34.655238] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.655243] Call Trace: [ 34.655257] dump_stack+0x1d3/0x2c4 [ 34.655272] ? dump_stack_print_info.cold.2+0x52/0x52 [ 34.655288] ? lock_release+0x970/0x970 [ 34.655303] spin_dump+0x160/0x169 [ 34.655317] do_raw_spin_lock.cold.3+0x37/0x3c [ 34.655333] _raw_spin_lock+0x35/0x40 [ 34.655346] ? lockref_get+0x15/0x50 [ 34.655357] lockref_get+0x15/0x50 [ 34.655372] mqueue_get_tree+0x101/0x2e0 [ 34.655386] vfs_get_tree+0x1cb/0x5c0 [ 34.655409] mq_create_mount+0xe3/0x190 [ 34.664530] IPVS: ftp: loaded support on port[0] = 21 [ 34.669626] mq_init_ns+0x15a/0x210 [ 34.682103] kobject: 'lo' (00000000aab97c31): kobject_add_internal: parent: 'net', set: 'devices' [ 34.687537] copy_ipcs+0x3d2/0x580 [ 34.687551] ? ipcns_get+0xe0/0xe0 [ 34.687567] ? do_mount+0x1db0/0x1db0 [ 34.687584] ? 
kmem_cache_alloc+0x33a/0x730 [ 34.691445] kobject: 'lo' (00000000aab97c31): kobject_uevent_env [ 34.693862] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.702624] kobject: 'lo' (00000000aab97c31): fill_kobj_path: path = '/devices/virtual/net/lo' [ 34.703001] ? perf_event_namespaces+0x136/0x400 [ 34.706710] kobject: 'queues' (000000002365bd8c): kobject_add_internal: parent: 'lo', set: '' [ 34.711193] create_new_namespaces+0x376/0x900 [ 34.715222] kobject: 'queues' (000000002365bd8c): kobject_uevent_env [ 34.718684] ? sys_ni_syscall+0x20/0x20 [ 34.722203] kobject: 'queues' (000000002365bd8c): kobject_uevent_env: filter function caused the event to drop! [ 34.726343] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.726356] ? ns_capable_common+0x13f/0x170 [ 34.726371] unshare_nsproxy_namespaces+0xc3/0x1f0 [ 34.726388] ksys_unshare+0x79c/0x10b0 [ 34.726406] ? walk_process_tree+0x440/0x440 [ 34.730379] kobject: 'rx-0' (0000000045cbaa93): kobject_add_internal: parent: 'queues', set: 'queues' [ 34.734434] ? lock_downgrade+0x900/0x900 [ 34.734450] ? kasan_check_read+0x11/0x20 [ 34.734462] ? do_raw_spin_unlock+0xa7/0x2f0 [ 34.734473] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 34.734488] ? kasan_check_write+0x14/0x20 [ 34.734505] ? do_raw_read_unlock+0x3f/0x60 [ 34.740002] kobject: 'rx-0' (0000000045cbaa93): kobject_uevent_env [ 34.743355] ? do_syscall_64+0x9a/0x820 [ 34.753443] kobject: 'rx-0' (0000000045cbaa93): fill_kobj_path: path = '/devices/virtual/net/lo/queues/rx-0' [ 34.756633] ? do_syscall_64+0x9a/0x820 [ 34.756650] ? lockdep_hardirqs_on+0x421/0x5c0 [ 34.756667] ? trace_hardirqs_on+0xbd/0x310 [ 34.756686] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 34.764222] IPVS: ftp: loaded support on port[0] = 21 [ 34.768323] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 34.774649] kobject: 'tx-0' (00000000198833ed): kobject_add_internal: parent: 'queues', set: 'queues' [ 34.780010] ? 
__ia32_sys_prlimit64+0x8c0/0x8c0 [ 34.792136] kobject: 'tx-0' (00000000198833ed): kobject_uevent_env [ 34.793504] __x64_sys_unshare+0x31/0x40 [ 34.803397] kobject: 'tx-0' (00000000198833ed): fill_kobj_path: path = '/devices/virtual/net/lo/queues/tx-0' [ 34.807285] do_syscall_64+0x1b9/0x820 [ 34.807301] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 34.807319] ? syscall_return_slowpath+0x5e0/0x5e0 [ 34.983616] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 34.988461] ? trace_hardirqs_on_caller+0x310/0x310 [ 34.993476] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 34.998493] ? prepare_exit_to_usermode+0x291/0x3b0 [ 35.003514] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 35.008369] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.013560] RIP: 0033:0x44a837 [ 35.016757] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 35.035660] RSP: 002b:00007ffc5d7d6b08 EFLAGS: 00000217 ORIG_RAX: 0000000000000110 [ 35.043378] RAX: ffffffffffffffda RBX: 00007ffc5d7d6c70 RCX: 000000000044a837 [ 35.050641] RDX: 0000000000000000 RSI: 00007ffc5d7d6b10 RDI: 0000000008000000 [ 35.057908] RBP: 585858582e72656c R08: 0000000000000000 R09: 0000000000000018 [ 35.065182] R10: 0000000000000000 R11: 0000000000000217 R12: 6c616b7a79732f2e [ 35.072451] R13: 00000000004083d0 R14: 0000000000000000 R15: 0000000000000000 [ 35.079974] ================================================================== [ 35.087363] BUG: KASAN: slab-out-of-bounds in mqueue_get_tree+0x169/0x2e0 [ 35.094294] Write of size 4 at addr ffff8801da80c5f4 by task syz-executor607/5569 [ 35.101908] [ 35.103547] CPU: 0 PID: 5569 Comm: syz-executor607 Not tainted 4.19.0-rc3-next-20180912+ #72 [ 35.112124] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 35.121494] Call Trace: [ 35.124096] dump_stack+0x1d3/0x2c4 [ 35.127745] ? 
dump_stack_print_info.cold.2+0x52/0x52 [ 35.132951] ? printk+0xa7/0xcf [ 35.136243] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 35.141018] print_address_description.cold.8+0x9/0x1ff [ 35.146401] kasan_report.cold.9+0x242/0x309 [ 35.150826] ? mqueue_get_tree+0x169/0x2e0 [ 35.155074] check_memory_region+0x13e/0x1b0 [ 35.159503] kasan_check_write+0x14/0x20 [ 35.163573] mqueue_get_tree+0x169/0x2e0 [ 35.167672] vfs_get_tree+0x1cb/0x5c0 [ 35.171499] mq_create_mount+0xe3/0x190 [ 35.175487] mq_init_ns+0x15a/0x210 [ 35.179138] copy_ipcs+0x3d2/0x580 [ 35.182687] ? ipcns_get+0xe0/0xe0 [ 35.186230] ? do_mount+0x1db0/0x1db0 [ 35.190035] ? kmem_cache_alloc+0x33a/0x730 [ 35.194360] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.199896] ? perf_event_namespaces+0x136/0x400 [ 35.204656] create_new_namespaces+0x376/0x900 [ 35.209249] ? sys_ni_syscall+0x20/0x20 [ 35.213229] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.218763] ? ns_capable_common+0x13f/0x170 [ 35.223179] unshare_nsproxy_namespaces+0xc3/0x1f0 [ 35.228111] ksys_unshare+0x79c/0x10b0 [ 35.231999] ? walk_process_tree+0x440/0x440 [ 35.236411] ? lock_downgrade+0x900/0x900 [ 35.240571] ? kasan_check_read+0x11/0x20 [ 35.244722] ? do_raw_spin_unlock+0xa7/0x2f0 [ 35.249130] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 35.253725] ? kasan_check_write+0x14/0x20 [ 35.257961] ? do_raw_read_unlock+0x3f/0x60 [ 35.262283] ? do_syscall_64+0x9a/0x820 [ 35.266260] ? do_syscall_64+0x9a/0x820 [ 35.270237] ? lockdep_hardirqs_on+0x421/0x5c0 [ 35.274820] ? trace_hardirqs_on+0xbd/0x310 [ 35.279143] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.284515] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 35.289976] ? __ia32_sys_prlimit64+0x8c0/0x8c0 [ 35.294653] __x64_sys_unshare+0x31/0x40 [ 35.298714] do_syscall_64+0x1b9/0x820 [ 35.302610] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 35.307976] ? syscall_return_slowpath+0x5e0/0x5e0 [ 35.312903] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 35.317748] ? trace_hardirqs_on_caller+0x310/0x310 [ 35.322769] ? 
prepare_exit_to_usermode+0x3b0/0x3b0 [ 35.327789] ? prepare_exit_to_usermode+0x291/0x3b0 [ 35.332808] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 35.337658] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.342844] RIP: 0033:0x44a837 [ 35.346035] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 35.364938] RSP: 002b:00007ffc5d7d6b08 EFLAGS: 00000217 ORIG_RAX: 0000000000000110 [ 35.372649] RAX: ffffffffffffffda RBX: 00007ffc5d7d6c70 RCX: 000000000044a837 [ 35.379914] RDX: 0000000000000000 RSI: 00007ffc5d7d6b10 RDI: 0000000008000000 [ 35.387224] RBP: 585858582e72656c R08: 0000000000000000 R09: 0000000000000018 [ 35.394493] R10: 0000000000000000 R11: 0000000000000217 R12: 6c616b7a79732f2e [ 35.401759] R13: 00000000004083d0 R14: 0000000000000000 R15: 0000000000000000 [ 35.409044] [ 35.410668] Allocated by task 0: [ 35.414034] save_stack+0x43/0xd0 [ 35.417484] kasan_kmalloc+0xc7/0xe0 [ 35.421194] kmem_cache_alloc_trace+0x152/0x750 [ 35.425866] alloc_workqueue_attrs+0x63/0x100 [ 35.430366] init_worker_pool+0x4a3/0x620 [ 35.434532] workqueue_init_early+0x25c/0x772 [ 35.439027] start_kernel+0x4b5/0x915 [ 35.442827] x86_64_start_reservations+0x29/0x2b [ 35.447586] x86_64_start_kernel+0x76/0x79 [ 35.451822] secondary_startup_64+0xa4/0xb0 [ 35.456131] [ 35.457758] Freed by task 0: [ 35.460762] (stack is not available) [ 35.464461] [ 35.466088] The buggy address belongs to the object at ffff8801da80c5c0 [ 35.466088] which belongs to the cache kmalloc-32 of size 32 [ 35.478581] The buggy address is located 20 bytes to the right of [ 35.478581] 32-byte region [ffff8801da80c5c0, ffff8801da80c5e0) [ 35.490817] The buggy address belongs to the page: [ 35.495754] page:ffffea00076a0300 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801da80cfc1 [ 35.505205] flags: 0x2fffc0000000100(slab) [ 35.509458] raw: 02fffc0000000100 
ffff8801da801248 ffffea00076a5a48 ffff8801da8001c0 [ 35.517346] raw: ffff8801da80cfc1 ffff8801da80c000 000000010000003f 0000000000000000 [ 35.525220] page dumped because: kasan: bad access detected [ 35.530920] [ 35.532541] Memory state around the buggy address: [ 35.537574] ffff8801da80c480: 00 00 04 fc fc fc fc fc 00 00 04 fc fc fc fc fc [ 35.544937] ffff8801da80c500: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc [ 35.552301] >ffff8801da80c580: 00 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 35.559746] ^ [ 35.566769] ffff8801da80c600: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 35.574139] ffff8801da80c680: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 35.581521] ================================================================== [ 35.588915] Kernel panic - not syncing: panic_on_warn set ... [ 35.588915] [ 35.596291] CPU: 0 PID: 5569 Comm: syz-executor607 Tainted: G B 4.19.0-rc3-next-20180912+ #72 [ 35.606256] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 35.615633] Call Trace: [ 35.619763] dump_stack+0x1d3/0x2c4 [ 35.623391] ? dump_stack_print_info.cold.2+0x52/0x52 [ 35.628597] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 35.633364] panic+0x238/0x4e7 [ 35.636567] ? add_taint.cold.5+0x16/0x16 [ 35.640726] ? trace_hardirqs_on+0xb4/0x310 [ 35.645060] kasan_end_report+0x47/0x4f [ 35.649048] kasan_report.cold.9+0x76/0x309 [ 35.653378] ? mqueue_get_tree+0x169/0x2e0 [ 35.657627] check_memory_region+0x13e/0x1b0 [ 35.662040] kasan_check_write+0x14/0x20 [ 35.666115] mqueue_get_tree+0x169/0x2e0 [ 35.670195] vfs_get_tree+0x1cb/0x5c0 [ 35.674000] mq_create_mount+0xe3/0x190 [ 35.678001] mq_init_ns+0x15a/0x210 [ 35.681656] copy_ipcs+0x3d2/0x580 [ 35.685204] ? ipcns_get+0xe0/0xe0 [ 35.688748] ? do_mount+0x1db0/0x1db0 [ 35.692560] ? kmem_cache_alloc+0x33a/0x730 [ 35.696885] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.702455] ? perf_event_namespaces+0x136/0x400 [ 35.707222] create_new_namespaces+0x376/0x900 [ 35.711818] ? 
sys_ni_syscall+0x20/0x20 [ 35.715801] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.721348] ? ns_capable_common+0x13f/0x170 [ 35.725786] unshare_nsproxy_namespaces+0xc3/0x1f0 [ 35.730725] ksys_unshare+0x79c/0x10b0 [ 35.734622] ? walk_process_tree+0x440/0x440 [ 35.739036] ? lock_downgrade+0x900/0x900 [ 35.743197] ? kasan_check_read+0x11/0x20 [ 35.747345] ? do_raw_spin_unlock+0xa7/0x2f0 [ 35.751761] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 35.756349] ? kasan_check_write+0x14/0x20 [ 35.760583] ? do_raw_read_unlock+0x3f/0x60 [ 35.764977] ? do_syscall_64+0x9a/0x820 [ 35.768954] ? do_syscall_64+0x9a/0x820 [ 35.772934] ? lockdep_hardirqs_on+0x421/0x5c0 [ 35.777523] ? trace_hardirqs_on+0xbd/0x310 [ 35.781850] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.787310] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 35.792765] ? __ia32_sys_prlimit64+0x8c0/0x8c0 [ 35.797450] __x64_sys_unshare+0x31/0x40 [ 35.801523] do_syscall_64+0x1b9/0x820 [ 35.805416] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 35.810795] ? syscall_return_slowpath+0x5e0/0x5e0 [ 35.815733] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 35.820583] ? trace_hardirqs_on_caller+0x310/0x310 [ 35.825609] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 35.830635] ? prepare_exit_to_usermode+0x291/0x3b0 [ 35.835669] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 35.840528] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.845721] RIP: 0033:0x44a837 [ 35.848917] Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 35.867857] RSP: 002b:00007ffc5d7d6b08 EFLAGS: 00000217 ORIG_RAX: 0000000000000110 [ 35.875677] RAX: ffffffffffffffda RBX: 00007ffc5d7d6c70 RCX: 000000000044a837 [ 35.882962] RDX: 0000000000000000 RSI: 00007ffc5d7d6b10 RDI: 0000000008000000 [ 35.890238] RBP: 585858582e72656c R08: 0000000000000000 R09: 0000000000000018 [ 35.897508] R10: 0000000000000000 R11: 0000000000000217 R12: 6c616b7a79732f2e [ 35.904870] R13: 00000000004083d0 R14: 0000000000000000 R15: 0000000000000000 [ 35.913135] Kernel Offset: disabled [ 35.916768] Rebooting in 86400 seconds..