[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 17.627908] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[ 17.786591] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.077880] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.833890] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.915890] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
[ 27.270799] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/19 12:46:42 parsed 1 programs
2018/05/19 12:46:42 executed programs: 0
[ 27.800497] IPVS: ftp: loaded support on port[0] = 21
[ 27.929215] bridge0: port 1(bridge_slave_0) entered blocking state
[ 27.935670] bridge0: port 1(bridge_slave_0) entered disabled state
[ 27.943060] device bridge_slave_0 entered promiscuous mode
[ 27.959890] bridge0: port 2(bridge_slave_1) entered blocking state
[ 27.966271] bridge0: port 2(bridge_slave_1) entered disabled state
[ 27.973525] device bridge_slave_1 entered promiscuous mode
[ 27.989944] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 28.005937] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 28.048318] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 28.066360] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 28.132143] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 28.139935] team0: Port device team_slave_0 added
[ 28.155626] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 28.162730] team0: Port device team_slave_1 added
[ 28.178279] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 28.195425] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 28.212526] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 28.230520] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 28.346959] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.353428] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.360398] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.366760] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.782406] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 28.788560] 8021q: adding VLAN 0 to HW filter on device bond0
[ 28.832374] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 28.874940] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.882719] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 28.927602] 8021q: adding VLAN 0 to HW filter on device team0
[ 29.292669] ==================================================================
[ 29.300219] BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x4b1/0x530
[ 29.307908] Read of size 8 at addr ffff8801cd647df8 by task syz-executor0/4733
[ 29.315241]
[ 29.316852] CPU: 1 PID: 4733 Comm: syz-executor0 Not tainted 4.17.0-rc5+ #83
[ 29.324020] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.333358] Call Trace:
[ 29.335933]  dump_stack+0x1b9/0x294
[ 29.339539]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.344708]  ? printk+0x9e/0xba
[ 29.347966]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.352703]  ? kasan_check_write+0x14/0x20
[ 29.356921]  print_address_description+0x6c/0x20b
[ 29.361743]  ? irq_bypass_register_consumer+0x4b1/0x530
[ 29.367089]  kasan_report.cold.7+0x242/0x2fe
[ 29.371645]  __asan_report_load8_noabort+0x14/0x20
[ 29.376567]  irq_bypass_register_consumer+0x4b1/0x530
[ 29.381737]  ? __disconnect+0x1b0/0x1b0
[ 29.385690]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 29.390687]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 29.396211]  kvm_irqfd+0x1599/0x1ec0
[ 29.399909]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.405448]  ? futex_wait_queue_me+0x550/0x820
[ 29.410029]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 29.414333]  ? print_usage_bug+0xc0/0xc0
[ 29.418376]  ? futex_wait_setup+0x279/0x400
[ 29.422677]  ? debug_check_no_locks_freed+0x310/0x310
[ 29.427861]  ? lock_downgrade+0x8e0/0x8e0
[ 29.431994]  ? lock_release+0xa10/0xa10
[ 29.435951]  ? check_same_owner+0x320/0x320
[ 29.440267]  ? __might_sleep+0x95/0x190
[ 29.444228]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.449743]  ? _copy_from_user+0xdf/0x150
[ 29.453873]  kvm_vm_ioctl+0xf84/0x1d90
[ 29.457743]  ? kvm_set_memory_region+0x50/0x50
[ 29.462305]  ? lock_downgrade+0x8e0/0x8e0
[ 29.466431]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.471598]  ? do_futex+0x249/0x27d0
[ 29.475293]  ? kasan_check_read+0x11/0x20
[ 29.479426]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.483813]  ? graph_lock+0x170/0x170
[ 29.487594]  ? compat_start_thread+0x80/0x80
[ 29.491978]  ? _raw_spin_unlock_irq+0x27/0x70
[ 29.496453]  ? exit_robust_list+0x290/0x290
[ 29.500751]  ? _raw_spin_unlock_irq+0x27/0x70
[ 29.505224]  ? find_held_lock+0x36/0x1c0
[ 29.509266]  ? lock_downgrade+0x8e0/0x8e0
[ 29.513394]  ? kasan_check_read+0x11/0x20
[ 29.517521]  ? rcu_is_watching+0x85/0x140
[ 29.521648]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.526829]  ? __fget+0x40c/0x650
[ 29.530261]  ? check_memory_region+0x151/0x1b0
[ 29.534823]  ? expand_files.part.8+0x9a0/0x9a0
[ 29.539381]  ? trace_hardirqs_off+0xd/0x10
[ 29.543603]  ? debug_check_no_obj_freed+0x2ff/0x584
[ 29.548598]  ? kasan_check_read+0x11/0x20
[ 29.552727]  ? __fget_light+0x2ef/0x430
[ 29.556683]  kvm_vm_compat_ioctl+0x13b/0x420
[ 29.561069]  ? kvm_vm_ioctl+0x1d90/0x1d90
[ 29.565195]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 29.570107]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[ 29.575799]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.580974]  ? kvm_vm_ioctl+0x1d90/0x1d90
[ 29.585104]  __ia32_compat_sys_ioctl+0x221/0x640
[ 29.589842]  do_fast_syscall_32+0x345/0xf9b
[ 29.594142]  ? do_int80_syscall_32+0x880/0x880
[ 29.598703]  ? _raw_spin_unlock_irq+0x27/0x70
[ 29.603178]  ? finish_task_switch+0x1ca/0x840
[ 29.607662]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.613179]  ? syscall_return_slowpath+0x30f/0x5c0
[ 29.618089]  ? sysret32_from_system_call+0x5/0x46
[ 29.622914]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.627746]  entry_SYSENTER_compat+0x70/0x7f
[ 29.632138] RIP: 0023:0xf7f17cb9
[ 29.635484] RSP: 002b:00000000f7f130ac EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 29.643170] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 000000004020ae76
[ 29.650423] RDX: 0000000020000180 RSI: 0000000000000000 RDI: 0000000000000000
[ 29.657670] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 29.664925] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 29.672174] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 29.679427]
[ 29.681034] Allocated by task 4733:
[ 29.684659]  save_stack+0x43/0xd0
[ 29.688090]  kasan_kmalloc+0xc4/0xe0
[ 29.691782]  kmem_cache_alloc_trace+0x152/0x780
[ 29.696427]  kvm_irqfd+0x187/0x1ec0
[ 29.700036]  kvm_vm_ioctl+0xf84/0x1d90
[ 29.703903]  kvm_vm_compat_ioctl+0x13b/0x420
[ 29.708302]  __ia32_compat_sys_ioctl+0x221/0x640
[ 29.713046]  do_fast_syscall_32+0x345/0xf9b
[ 29.717355]  entry_SYSENTER_compat+0x70/0x7f
[ 29.721738]
[ 29.723355] Freed by task 4513:
[ 29.726616]  save_stack+0x43/0xd0
[ 29.730051]  __kasan_slab_free+0x11a/0x170
[ 29.734264]  kasan_slab_free+0xe/0x10
[ 29.738049]  kfree+0xd9/0x260
[ 29.741141]  irqfd_shutdown+0x13a/0x1a0
[ 29.745103]  process_one_work+0xc1e/0x1b50
[ 29.749331]  worker_thread+0x1cc/0x1440
[ 29.753300]  kthread+0x345/0x410
[ 29.756659]  ret_from_fork+0x3a/0x50
[ 29.760347]
[ 29.761957] The buggy address belongs to the object at ffff8801cd647c80
[ 29.761957]  which belongs to the cache kmalloc-512 of size 512
[ 29.774592] The buggy address is located 376 bytes inside of
[ 29.774592]  512-byte region [ffff8801cd647c80, ffff8801cd647e80)
[ 29.786442] The buggy address belongs to the page:
[ 29.791348] page:ffffea00073591c0 count:1 mapcount:0 mapping:ffff8801cd647000 index:0x0
[ 29.799472] flags: 0x2fffc0000000100(slab)
[ 29.803707] raw: 02fffc0000000100 ffff8801cd647000 0000000000000000 0000000100000006
[ 29.811581] raw: ffffea0007355aa0 ffffea000731b2e0 ffff8801da800940 0000000000000000
[ 29.819443] page dumped because: kasan: bad access detected
[ 29.825137]
[ 29.826740] Memory state around the buggy address:
[ 29.831649]  ffff8801cd647c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.838985]  ffff8801cd647d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.846322] >ffff8801cd647d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.853657]                                                                 ^
[ 29.860910]  ffff8801cd647e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.868247]  ffff8801cd647e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.875591] ==================================================================
[ 29.882925] Disabling lock debugging due to kernel taint
[ 29.888936] Kernel panic - not syncing: panic_on_warn set ...
[ 29.888936]
[ 29.896321] CPU: 1 PID: 4733 Comm: syz-executor0 Tainted: G B 4.17.0-rc5+ #83
[ 29.904887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.914223] Call Trace:
[ 29.916794]  dump_stack+0x1b9/0x294
[ 29.920408]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.925580]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.930331]  ? irq_bypass_register_consumer+0x450/0x530
[ 29.935693]  panic+0x22f/0x4de
[ 29.938876]  ? add_taint.cold.5+0x16/0x16
[ 29.943018]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.947407]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 29.951796]  ? irq_bypass_register_consumer+0x4b1/0x530
[ 29.957141]  kasan_end_report+0x47/0x4f
[ 29.961104]  kasan_report.cold.7+0x76/0x2fe
[ 29.965415]  __asan_report_load8_noabort+0x14/0x20
[ 29.970340]  irq_bypass_register_consumer+0x4b1/0x530
[ 29.975534]  ? __disconnect+0x1b0/0x1b0
[ 29.979488]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 29.984485]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 29.990002]  kvm_irqfd+0x1599/0x1ec0
[ 29.993702]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.999219]  ? futex_wait_queue_me+0x550/0x820
[ 30.003788]  ? kvm_eventfd_init+0x2a0/0x2a0
[ 30.008089]  ? print_usage_bug+0xc0/0xc0
[ 30.012132]  ? futex_wait_setup+0x279/0x400
[ 30.016432]  ? debug_check_no_locks_freed+0x310/0x310
[ 30.021604]  ? lock_downgrade+0x8e0/0x8e0
[ 30.025746]  ? lock_release+0xa10/0xa10
[ 30.029704]  ? check_same_owner+0x320/0x320
[ 30.034010]  ? __might_sleep+0x95/0x190
[ 30.037973]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.043488]  ? _copy_from_user+0xdf/0x150
[ 30.047618]  kvm_vm_ioctl+0xf84/0x1d90
[ 30.051495]  ? kvm_set_memory_region+0x50/0x50
[ 30.056066]  ? lock_downgrade+0x8e0/0x8e0
[ 30.060216]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.065392]  ? do_futex+0x249/0x27d0
[ 30.069084]  ? kasan_check_read+0x11/0x20
[ 30.073215]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.077599]  ? graph_lock+0x170/0x170
[ 30.081377]  ? compat_start_thread+0x80/0x80
[ 30.085766]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.090253]  ? exit_robust_list+0x290/0x290
[ 30.094551]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.099035]  ? find_held_lock+0x36/0x1c0
[ 30.103081]  ? lock_downgrade+0x8e0/0x8e0
[ 30.107217]  ? kasan_check_read+0x11/0x20
[ 30.111344]  ? rcu_is_watching+0x85/0x140
[ 30.115476]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.120654]  ? __fget+0x40c/0x650
[ 30.124091]  ? check_memory_region+0x151/0x1b0
[ 30.128656]  ? expand_files.part.8+0x9a0/0x9a0
[ 30.133221]  ? trace_hardirqs_off+0xd/0x10
[ 30.137446]  ? debug_check_no_obj_freed+0x2ff/0x584
[ 30.142447]  ? kasan_check_read+0x11/0x20
[ 30.146575]  ? __fget_light+0x2ef/0x430
[ 30.150530]  kvm_vm_compat_ioctl+0x13b/0x420
[ 30.154916]  ? kvm_vm_ioctl+0x1d90/0x1d90
[ 30.159049]  ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 30.163958]  ? __x32_compat_sys_get_robust_list+0x430/0x430
[ 30.169651]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.174819]  ? kvm_vm_ioctl+0x1d90/0x1d90
[ 30.178948]  __ia32_compat_sys_ioctl+0x221/0x640
[ 30.183685]  do_fast_syscall_32+0x345/0xf9b
[ 30.187984]  ? do_int80_syscall_32+0x880/0x880
[ 30.192543]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.197021]  ? finish_task_switch+0x1ca/0x840
[ 30.201499]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.207018]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.211930]  ? sysret32_from_system_call+0x5/0x46
[ 30.216760]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.221582]  entry_SYSENTER_compat+0x70/0x7f
[ 30.225965] RIP: 0023:0xf7f17cb9
[ 30.229317] RSP: 002b:00000000f7f130ac EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 30.237003] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 000000004020ae76
[ 30.244260] RDX: 0000000020000180 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.251506] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.258755] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 30.266000] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.273784] Dumping ftrace buffer:
[ 30.277320]    (ftrace buffer empty)
[ 30.281010] Kernel Offset: disabled
[ 30.284615] Rebooting in 86400 seconds..