[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.853644] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.057508] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.361432] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.187878] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.344253] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
[ 28.860450] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 28.959507] IPVS: ftp: loaded support on port[0] = 21
[ 29.148349] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.154791] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.162904] device bridge_slave_0 entered promiscuous mode
[ 29.178552] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.184918] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.192052] device bridge_slave_1 entered promiscuous mode
[ 29.207394] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 29.222678] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 29.262267] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 29.279663] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 29.340064] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 29.347458] team0: Port device team_slave_0 added
[ 29.361981] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 29.369740] team0: Port device team_slave_1 added
[ 29.384384] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 29.401802] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 29.418402] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 29.435349] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 29.548859] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.555316] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.562282] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.568636] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 29.966480] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 29.972603] 8021q: adding VLAN 0 to HW filter on device bond0
[ 30.014085] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 30.055873] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.063644] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 30.105909] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 30.355769] IPVS: ftp: loaded support on port[0] = 21
[ 30.408412] IPVS: ftp: loaded support on port[0] = 21
[ 31.302915] ==================================================================
[ 31.310414] BUG: KASAN: use-after-free in rds_cong_queue_updates+0x255/0x590
[ 31.317587] Read of size 4 at addr ffff8801ab180044 by task syz-executor199/4800
[ 31.325094]
[ 31.326703] CPU: 1 PID: 4800 Comm: syz-executor199 Not tainted 4.17.0+ #84
[ 31.333696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.343037] Call Trace:
[ 31.345615]  dump_stack+0x1b9/0x294
[ 31.349228]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.354400]  ? printk+0x9e/0xba
[ 31.357669]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.362411]  ? kasan_check_write+0x14/0x20
[ 31.366637]  print_address_description+0x6c/0x20b
[ 31.371461]  ? rds_cong_queue_updates+0x255/0x590
[ 31.376290]  kasan_report.cold.7+0x242/0x2fe
[ 31.380680]  check_memory_region+0x13e/0x1b0
[ 31.385068]  kasan_check_read+0x11/0x20
[ 31.389029]  rds_cong_queue_updates+0x255/0x590
[ 31.393688]  ? rds_cong_get_maps+0x140/0x140
[ 31.398081]  ? print_usage_bug+0xc0/0xc0
[ 31.402125]  rds_recv_rcvbuf_delta.part.3+0x211/0x350
[ 31.407297]  rds_clear_recv_queue+0x2f0/0x4c0
[ 31.411774]  ? lock_downgrade+0x8e0/0x8e0
[ 31.415996]  ? rds_recvmsg+0x1b90/0x1b90
[ 31.420146]  ? __local_bh_enable_ip+0x161/0x230
[ 31.424797]  ? rds_release+0x154/0x550
[ 31.428664]  ? trace_hardirqs_on+0xd/0x10
[ 31.432791]  ? __local_bh_enable_ip+0x161/0x230
[ 31.437443]  rds_release+0x15c/0x550
[ 31.441146]  ? rds_getname+0x2f0/0x2f0
[ 31.445025]  ? down_write+0x87/0x120
[ 31.448722]  ? __sock_release+0x8b/0x260
[ 31.452764]  ? down_read+0x1b0/0x1b0
[ 31.456459]  ? fsnotify+0xfc0/0xfc0
[ 31.460076]  __sock_release+0xd7/0x260
[ 31.463946]  ? __sock_release+0x260/0x260
[ 31.468076]  sock_close+0x19/0x20
[ 31.471516]  __fput+0x353/0x890
[ 31.474780]  ? fput+0x1a0/0x1a0
[ 31.478042]  ? check_same_owner+0x320/0x320
[ 31.482355]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.486831]  ____fput+0x15/0x20
[ 31.490106]  task_work_run+0x1e4/0x290
[ 31.493978]  ? task_work_cancel+0x240/0x240
[ 31.498288]  ? switch_task_namespaces+0xbd/0xd0
[ 31.502937]  do_exit+0x1aee/0x2730
[ 31.506466]  ? plist_add+0x770/0x770
[ 31.510160]  ? mm_update_next_owner+0x980/0x980
[ 31.514811]  ? print_usage_bug+0xc0/0xc0
[ 31.518853]  ? graph_lock+0x170/0x170
[ 31.522633]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 31.527042]  ? rcu_note_context_switch+0x710/0x710
[ 31.531952]  ? lock_acquire+0x1dc/0x520
[ 31.535913]  ? __might_sleep+0x95/0x190
[ 31.539872]  ? __lock_acquire+0x7f5/0x5140
[ 31.544097]  ? kasan_check_read+0x11/0x20
[ 31.548222]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 31.552611]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 31.557175]  ? kasan_check_write+0x14/0x20
[ 31.561400]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 31.566569]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.572086]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[ 31.577166]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.582690]  ? futex_wait+0x5c1/0x9f0
[ 31.586474]  ? futex_wait_setup+0x400/0x400
[ 31.590777]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 31.595955]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.601475]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[ 31.606561]  ? graph_lock+0x170/0x170
[ 31.610351]  ? memset+0x31/0x40
[ 31.613611]  ? find_held_lock+0x36/0x1c0
[ 31.617656]  ? lock_downgrade+0x8e0/0x8e0
[ 31.621788]  do_group_exit+0x16f/0x430
[ 31.625657]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 31.630218]  ? __ia32_sys_exit+0x50/0x50
[ 31.634260]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.638735]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.643743]  get_signal+0x886/0x1960
[ 31.647441]  ? ptrace_notify+0x130/0x130
[ 31.651482]  ? find_held_lock+0x36/0x1c0
[ 31.655526]  ? lock_downgrade+0x8e0/0x8e0
[ 31.659656]  ? kasan_check_read+0x11/0x20
[ 31.663784]  ? rcu_is_watching+0x85/0x140
[ 31.667911]  ? __lock_is_held+0xb5/0x140
[ 31.671963]  do_signal+0x9c/0x21c0
[ 31.675485]  ? __fd_install+0x2de/0x880
[ 31.679441]  ? setup_sigcontext+0x7d0/0x7d0
[ 31.683767]  ? get_unused_fd_flags+0x190/0x190
[ 31.688331]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.693845]  ? alloc_file+0x44/0x3e0
[ 31.697550]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.703065]  ? sock_alloc_file+0x2a4/0x4f0
[ 31.707288]  ? exit_to_usermode_loop+0x87/0x360
[ 31.711939]  exit_to_usermode_loop+0x2cf/0x360
[ 31.716502]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 31.721969]  ? ksys_ioctl+0x81/0xd0
[ 31.725584]  ? do_syscall_64+0x92/0x800
[ 31.729540]  do_syscall_64+0x6ac/0x800
[ 31.733406]  ? finish_task_switch+0x1ca/0x840
[ 31.737883]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.742811]  ? syscall_return_slowpath+0x30f/0x5c0
[ 31.747724]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 31.753079]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.757903]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.763072] RIP: 0033:0x44f439
[ 31.766245] Code: e8 ac be 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b ff fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.785418] RSP: 002b:00007fc65567dcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 31.793108] RAX: fffffffffffffe00 RBX: 00000000006edadc RCX: 000000000044f439
[ 31.800354] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006edadc
[ 31.807599] RBP: 00000000006edad8 R08: 0000000000000000 R09: 0000000000000000
[ 31.814846] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 31.822093] R13: 00007fff3df31b1f R14: 00007fc65567e9c0 R15: 0000000000000061
[ 31.829347]
[ 31.830959] Allocated by task 4800:
[ 31.834571]  save_stack+0x43/0xd0
[ 31.838002]  kasan_kmalloc+0xc4/0xe0
[ 31.841701]  kasan_slab_alloc+0x12/0x20
[ 31.845654]  kmem_cache_alloc+0x12e/0x760
[ 31.849794]  copy_net_ns+0x159/0x4c0
[ 31.853487]  create_new_namespaces+0x69d/0x8f0
[ 31.858046]  unshare_nsproxy_namespaces+0xc3/0x1f0
[ 31.862958]  ksys_unshare+0x708/0xf90
[ 31.866755]  __x64_sys_unshare+0x31/0x40
[ 31.870796]  do_syscall_64+0x1b1/0x800
[ 31.874665]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.879828]
[ 31.881438] Freed by task 746:
[ 31.884610]  save_stack+0x43/0xd0
[ 31.888043]  __kasan_slab_free+0x11a/0x170
[ 31.892254]  kasan_slab_free+0xe/0x10
[ 31.896037]  kmem_cache_free+0x86/0x2d0
[ 31.899992]  net_drop_ns.part.14+0x11a/0x130
[ 31.904391]  cleanup_net+0x6a1/0xb20
[ 31.908083]  process_one_work+0xc64/0x1b70
[ 31.912296]  worker_thread+0x181/0x13a0
[ 31.916255]  kthread+0x345/0x410
[ 31.919602]  ret_from_fork+0x3a/0x50
[ 31.923288]
[ 31.924894] The buggy address belongs to the object at ffff8801ab180040
[ 31.924894]  which belongs to the cache net_namespace(17:syz0) of size 8896
[ 31.938572] The buggy address is located 4 bytes inside of
[ 31.938572]  8896-byte region [ffff8801ab180040, ffff8801ab182300)
[ 31.950335] The buggy address belongs to the page:
[ 31.955250] page:ffffea0006ac6000 count:1 mapcount:0 mapping:ffff8801aeaa0080 index:0x0 compound_mapcount: 0
[ 31.965198] flags: 0x2fffc0000008100(slab|head)
[ 31.969848] raw: 02fffc0000008100 ffff8801d3827048 ffff8801d3827048 ffff8801aeaa0080
[ 31.977714] raw: 0000000000000000 ffff8801ab180040 0000000100000001 ffff8801ab7cae40
[ 31.985570] page dumped because: kasan: bad access detected
[ 31.991256] page->mem_cgroup:ffff8801ab7cae40
[ 31.995731]
[ 31.997341] Memory state around the buggy address:
[ 32.002248]  ffff8801ab17ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.009589]  ffff8801ab17ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.016933] >ffff8801ab180000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.024276]                                            ^
[ 32.029701]  ffff8801ab180080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.037037]  ffff8801ab180100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.044375] ==================================================================
[ 32.051711] Disabling lock debugging due to kernel taint
[ 32.057135] Kernel panic - not syncing: panic_on_warn set ...
[ 32.057135]
[ 32.064482] CPU: 1 PID: 4800 Comm: syz-executor199 Tainted: G B 4.17.0+ #84
[ 32.072859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.082197] Call Trace:
[ 32.084767]  dump_stack+0x1b9/0x294
[ 32.088380]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.093548]  ? lock_downgrade+0x8e0/0x8e0
[ 32.097672]  ? vprintk_default+0x28/0x30
[ 32.101712]  ? rds_cong_queue_updates+0x190/0x590
[ 32.106530]  panic+0x22f/0x4de
[ 32.109707]  ? add_taint.cold.5+0x16/0x16
[ 32.113831]  ? add_taint.cold.5+0x5/0x16
[ 32.117877]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.122264]  ? rds_cong_queue_updates+0x255/0x590
[ 32.127089]  kasan_end_report+0x47/0x4f
[ 32.131045]  kasan_report.cold.7+0x76/0x2fe
[ 32.135352]  check_memory_region+0x13e/0x1b0
[ 32.139739]  kasan_check_read+0x11/0x20
[ 32.143692]  rds_cong_queue_updates+0x255/0x590
[ 32.148337]  ? rds_cong_get_maps+0x140/0x140
[ 32.152730]  ? print_usage_bug+0xc0/0xc0
[ 32.156779]  rds_recv_rcvbuf_delta.part.3+0x211/0x350
[ 32.161945]  rds_clear_recv_queue+0x2f0/0x4c0
[ 32.166415]  ? lock_downgrade+0x8e0/0x8e0
[ 32.170548]  ? rds_recvmsg+0x1b90/0x1b90
[ 32.174586]  ? __local_bh_enable_ip+0x161/0x230
[ 32.179231]  ? rds_release+0x154/0x550
[ 32.183094]  ? trace_hardirqs_on+0xd/0x10
[ 32.187216]  ? __local_bh_enable_ip+0x161/0x230
[ 32.191867]  rds_release+0x15c/0x550
[ 32.195560]  ? rds_getname+0x2f0/0x2f0
[ 32.199424]  ? down_write+0x87/0x120
[ 32.203121]  ? __sock_release+0x8b/0x260
[ 32.207158]  ? down_read+0x1b0/0x1b0
[ 32.210850]  ? fsnotify+0xfc0/0xfc0
[ 32.214453]  __sock_release+0xd7/0x260
[ 32.218316]  ? __sock_release+0x260/0x260
[ 32.222439]  sock_close+0x19/0x20
[ 32.225869]  __fput+0x353/0x890
[ 32.229132]  ? fput+0x1a0/0x1a0
[ 32.232388]  ? check_same_owner+0x320/0x320
[ 32.236692]  ? _raw_spin_unlock_irq+0x27/0x70
[ 32.241170]  ____fput+0x15/0x20
[ 32.244429]  task_work_run+0x1e4/0x290
[ 32.248294]  ? task_work_cancel+0x240/0x240
[ 32.252607]  ? switch_task_namespaces+0xbd/0xd0
[ 32.257263]  do_exit+0x1aee/0x2730
[ 32.260781]  ? plist_add+0x770/0x770
[ 32.264471]  ? mm_update_next_owner+0x980/0x980
[ 32.269116]  ? print_usage_bug+0xc0/0xc0
[ 32.273161]  ? graph_lock+0x170/0x170
[ 32.276938]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.281329]  ? rcu_note_context_switch+0x710/0x710
[ 32.286234]  ? lock_acquire+0x1dc/0x520
[ 32.290187]  ? __might_sleep+0x95/0x190
[ 32.294149]  ? __lock_acquire+0x7f5/0x5140
[ 32.298372]  ? kasan_check_read+0x11/0x20
[ 32.302495]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.306886]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.311457]  ? kasan_check_write+0x14/0x20
[ 32.315677]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 32.320844]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.326446]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[ 32.331527]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.337043]  ? futex_wait+0x5c1/0x9f0
[ 32.340837]  ? futex_wait_setup+0x400/0x400
[ 32.345135]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 32.350310]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.355826]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[ 32.360907]  ? graph_lock+0x170/0x170
[ 32.364684]  ? memset+0x31/0x40
[ 32.367943]  ? find_held_lock+0x36/0x1c0
[ 32.371986]  ? lock_downgrade+0x8e0/0x8e0
[ 32.376202]  do_group_exit+0x16f/0x430
[ 32.380065]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 32.384624]  ? __ia32_sys_exit+0x50/0x50
[ 32.388666]  ? _raw_spin_unlock_irq+0x27/0x70
[ 32.393140]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.398142]  get_signal+0x886/0x1960
[ 32.401836]  ? ptrace_notify+0x130/0x130
[ 32.405877]  ? find_held_lock+0x36/0x1c0
[ 32.409918]  ? lock_downgrade+0x8e0/0x8e0
[ 32.414060]  ? kasan_check_read+0x11/0x20
[ 32.418187]  ? rcu_is_watching+0x85/0x140
[ 32.422312]  ? __lock_is_held+0xb5/0x140
[ 32.426360]  do_signal+0x9c/0x21c0
[ 32.429878]  ? __fd_install+0x2de/0x880
[ 32.433839]  ? setup_sigcontext+0x7d0/0x7d0
[ 32.438136]  ? get_unused_fd_flags+0x190/0x190
[ 32.442703]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.448215]  ? alloc_file+0x44/0x3e0
[ 32.451906]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.457430]  ? sock_alloc_file+0x2a4/0x4f0
[ 32.461649]  ? exit_to_usermode_loop+0x87/0x360
[ 32.466296]  exit_to_usermode_loop+0x2cf/0x360
[ 32.470858]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 32.475679]  ? ksys_ioctl+0x81/0xd0
[ 32.479295]  ? do_syscall_64+0x92/0x800
[ 32.483246]  do_syscall_64+0x6ac/0x800
[ 32.487115]  ? finish_task_switch+0x1ca/0x840
[ 32.491592]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.496511]  ? syscall_return_slowpath+0x30f/0x5c0
[ 32.501426]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.506768]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.511590]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.516756] RIP: 0033:0x44f439
[ 32.519918] Code: e8 ac be 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b ff fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.539055] RSP: 002b:00007fc65567dcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 32.546741] RAX: fffffffffffffe00 RBX: 00000000006edadc RCX: 000000000044f439
[ 32.553993] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006edadc
[ 32.561243] RBP: 00000000006edad8 R08: 0000000000000000 R09: 0000000000000000
[ 32.568500] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 32.575753] R13: 00007fff3df31b1f R14: 00007fc65567e9c0 R15: 0000000000000061
[ 32.583498] Dumping ftrace buffer:
[ 32.587019]    (ftrace buffer empty)
[ 32.590710] Kernel Offset: disabled
[ 32.594315] Rebooting in 86400 seconds..