[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 30.944367] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.035815] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.359772] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.015547] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 45.634650] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
[ 51.193010] random: sshd: uninitialized urandom read (32 bytes read)
[ 51.309071] kauditd_printk_skb: 11 callbacks suppressed
[ 51.309080] audit: type=1400 audit(1578418623.091:36): avc: denied { map } for pid=7100 comm="syz-executor575" path="/root/syz-executor575941067" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 51.550850] IPVS: ftp: loaded support on port[0] = 21
[ 52.329514] chnl_net:caif_netlink_parms(): no params data found
[ 52.362721] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.369301] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.376551] device bridge_slave_0 entered promiscuous mode
[ 52.383382] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.389918] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.396946] device bridge_slave_1 entered promiscuous mode
[ 52.410599] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.419211] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.434914] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 52.442254] team0: Port device team_slave_0 added
[ 52.447660] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 52.454810] team0: Port device team_slave_1 added
[ 52.460729] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 52.468099] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 52.551767] device hsr_slave_0 entered promiscuous mode
[ 52.600355] device hsr_slave_1 entered promiscuous mode
[ 52.670624] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 52.677661] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 52.715225] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.721647] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.728365] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.734735] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.762488] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 52.768556] 8021q: adding VLAN 0 to HW filter on device bond0
[ 52.776711] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 52.785376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.803202] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.810558] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.819279] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 52.825459] 8021q: adding VLAN 0 to HW filter on device team0
[ 52.833741] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 52.841337] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.847651] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.856181] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 52.863864] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.870228] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.883796] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 52.891303] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 52.899886] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 52.912522] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 52.922334] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 52.933083] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 52.939351] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 52.947218] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 52.954800] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 52.967367] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 52.974530] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 52.981929] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 52.992539] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.045673] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 53.056114] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 53.086141] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 53.093693] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 53.100167] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 53.108433] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 53.116285] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 53.123322] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
executing program
[ 53.131927] device veth0_vlan entered promiscuous mode
[ 53.140638] device veth1_vlan entered promiscuous mode
[ 53.146294] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 53.155478] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 53.200598] ==================================================================
[ 53.208049] BUG: KASAN: use-after-free in macvlan_broadcast+0x4b9/0x5c0
[ 53.214780] Read of size 4 at addr ffff88808cf17541 by task syz-executor575/7101
[ 53.222334]
[ 53.223943] CPU: 1 PID: 7101 Comm: syz-executor575 Not tainted 4.14.162-syzkaller #0
[ 53.231799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.241130] Call Trace:
[ 53.243698]  dump_stack+0x142/0x197
[ 53.247305]  ? macvlan_broadcast+0x4b9/0x5c0
[ 53.251692]  print_address_description.cold+0x7c/0x1dc
[ 53.256946]  ? macvlan_broadcast+0x4b9/0x5c0
[ 53.261340]  kasan_report.cold+0xa9/0x2af
[ 53.265492]  __asan_report_load_n_noabort+0xf/0x20
[ 53.270406]  macvlan_broadcast+0x4b9/0x5c0
[ 53.274625]  ? validate_xmit_skb+0x650/0x9d0
[ 53.279053]  macvlan_start_xmit+0x56b/0x72d
[ 53.283404]  packet_direct_xmit+0x431/0x640
[ 53.287724]  packet_sendmsg+0x1dd4/0x5a60
[ 53.291862]  ? avc_has_perm_noaudit+0x420/0x420
[ 53.296565]  ? trace_hardirqs_on+0x10/0x10
[ 53.300831]  ? packet_notifier+0x760/0x760
[ 53.305052]  ? release_sock+0x14a/0x1b0
[ 53.309015]  ? security_socket_sendmsg+0x89/0xb0
[ 53.313751]  ? packet_notifier+0x760/0x760
[ 53.317965]  sock_sendmsg+0xce/0x110
[ 53.321661]  SYSC_sendto+0x206/0x310
[ 53.325355]  ? SYSC_connect+0x2d0/0x2d0
[ 53.329327]  ? move_addr_to_kernel.part.0+0x100/0x100
[ 53.334509]  ? ioctl_preallocate+0x1c0/0x1c0
[ 53.338954]  ? security_file_ioctl+0x7d/0xb0
[ 53.343354]  ? security_file_ioctl+0x89/0xb0
[ 53.347747]  SyS_sendto+0x40/0x50
[ 53.351181]  ? SyS_getpeername+0x30/0x30
[ 53.355228]  do_syscall_64+0x1e8/0x640
[ 53.359093]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.363920]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.369087] RIP: 0033:0x442329
[ 53.372265] RSP: 002b:00007fff4e3d11e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 53.379953] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442329
[ 53.387205] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 53.394468] RBP: 00007fff4e3d1210 R08: 0000000000000000 R09: 0000000000000000
[ 53.401733] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 53.408992] R13: 00000000004038c0 R14: 0000000000000000 R15: 0000000000000000
[ 53.416258]
[ 53.417869] Allocated by task 6450:
[ 53.421480]  save_stack_trace+0x16/0x20
[ 53.425430]  save_stack+0x45/0xd0
[ 53.428873]  kasan_kmalloc+0xce/0xf0
[ 53.432575]  kasan_slab_alloc+0xf/0x20
[ 53.436442]  kmem_cache_alloc+0x12e/0x780
[ 53.440568]  getname_flags+0xcb/0x580
[ 53.444359]  user_path_at_empty+0x2f/0x50
[ 53.448488]  vfs_statx+0xcd/0x160
[ 53.451919]  SYSC_newstat+0x95/0x100
[ 53.455613]  SyS_newstat+0x1e/0x30
[ 53.459145]  do_syscall_64+0x1e8/0x640
[ 53.463011]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.468173]
[ 53.469793] Freed by task 6450:
[ 53.473050]  save_stack_trace+0x16/0x20
[ 53.477016]  save_stack+0x45/0xd0
[ 53.480465]  kasan_slab_free+0x75/0xc0
[ 53.484341]  kmem_cache_free+0x83/0x2b0
[ 53.488298]  putname+0xdb/0x120
[ 53.491604]  filename_lookup+0x23a/0x380
[ 53.495701]  user_path_at_empty+0x43/0x50
[ 53.499887]  vfs_statx+0xcd/0x160
[ 53.503321]  SYSC_newstat+0x95/0x100
[ 53.507021]  SyS_newstat+0x1e/0x30
[ 53.510586]  do_syscall_64+0x1e8/0x640
[ 53.514452]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.519618]
[ 53.521223] The buggy address belongs to the object at ffff88808cf16a40
[ 53.521223]  which belongs to the cache names_cache of size 4096
[ 53.533985] The buggy address is located 2817 bytes inside of
[ 53.533985]  4096-byte region [ffff88808cf16a40, ffff88808cf17a40)
[ 53.546012] The buggy address belongs to the page:
[ 53.550922] page:ffffea000233c580 count:1 mapcount:0 mapping:ffff88808cf16a40 index:0x0 compound_mapcount: 0
[ 53.560872] flags: 0xfffe0000008100(slab|head)
[ 53.565491] raw: 00fffe0000008100 ffff88808cf16a40 0000000000000000 0000000100000001
[ 53.573350] raw: ffffea0001ff6520 ffffea00020af8a0 ffff8880aa9e9cc0 0000000000000000
[ 53.581203] page dumped because: kasan: bad access detected
[ 53.586888]
[ 53.588491] Memory state around the buggy address:
[ 53.593396]  ffff88808cf17400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.600743]  ffff88808cf17480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.608080] >ffff88808cf17500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.615412]                                            ^
[ 53.620857]  ffff88808cf17580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.628191]  ffff88808cf17600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.635541] ==================================================================
[ 53.642899] Disabling lock debugging due to kernel taint
[ 53.648390] Kernel panic - not syncing: panic_on_warn set ...
[ 53.648390]
[ 53.650630] protocol 88fb is buggy, dev hsr_slave_0
[ 53.655774] CPU: 1 PID: 7101 Comm: syz-executor575 Tainted: G B 4.14.162-syzkaller #0
[ 53.660833] protocol 88fb is buggy, dev hsr_slave_1
[ 53.669867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.684203] Call Trace:
[ 53.686769]  dump_stack+0x142/0x197
[ 53.690380]  ? macvlan_broadcast+0x4b9/0x5c0
[ 53.694771]  panic+0x1f9/0x42d
[ 53.697940]  ? add_taint.cold+0x16/0x16
[ 53.701893]  kasan_end_report+0x47/0x4f
[ 53.705847]  kasan_report.cold+0x130/0x2af
[ 53.710074]  __asan_report_load_n_noabort+0xf/0x20
[ 53.714993]  macvlan_broadcast+0x4b9/0x5c0
[ 53.719205]  ? validate_xmit_skb+0x650/0x9d0
[ 53.723590]  macvlan_start_xmit+0x56b/0x72d
[ 53.727893]  packet_direct_xmit+0x431/0x640
[ 53.732190]  packet_sendmsg+0x1dd4/0x5a60
[ 53.736330]  ? avc_has_perm_noaudit+0x420/0x420
[ 53.741019]  ? trace_hardirqs_on+0x10/0x10
[ 53.745238]  ? packet_notifier+0x760/0x760
[ 53.749450]  ? release_sock+0x14a/0x1b0
[ 53.753408]  ? security_socket_sendmsg+0x89/0xb0
[ 53.758156]  ? packet_notifier+0x760/0x760
[ 53.762377]  sock_sendmsg+0xce/0x110
[ 53.766121]  SYSC_sendto+0x206/0x310
[ 53.769811]  ? SYSC_connect+0x2d0/0x2d0
[ 53.773768]  ? move_addr_to_kernel.part.0+0x100/0x100
[ 53.778948]  ? ioctl_preallocate+0x1c0/0x1c0
[ 53.783337]  ? security_file_ioctl+0x7d/0xb0
[ 53.787723]  ? security_file_ioctl+0x89/0xb0
[ 53.792109]  SyS_sendto+0x40/0x50
[ 53.795540]  ? SyS_getpeername+0x30/0x30
[ 53.799581]  do_syscall_64+0x1e8/0x640
[ 53.803444]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.808265]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.813430] RIP: 0033:0x442329
[ 53.816599] RSP: 002b:00007fff4e3d11e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 53.824283] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442329
[ 53.831529] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 53.838790] RBP: 00007fff4e3d1210 R08: 0000000000000000 R09: 0000000000000000
[ 53.846051] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 53.853309] R13: 00000000004038c0 R14: 0000000000000000 R15: 0000000000000000
[ 53.861939] Kernel Offset: disabled
[ 53.865563] Rebooting in 86400 seconds..