[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   30.944367] random: sshd: uninitialized urandom read (32 bytes read)
[   31.035815] random: sshd: uninitialized urandom read (32 bytes read)
[   31.359772] random: sshd: uninitialized urandom read (32 bytes read)
[   32.015547] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   45.634650] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
[   51.193010] random: sshd: uninitialized urandom read (32 bytes read)
[   51.309071] kauditd_printk_skb: 11 callbacks suppressed
[   51.309080] audit: type=1400 audit(1578418623.091:36): avc:  denied  { map } for  pid=7100 comm="syz-executor575" path="/root/syz-executor575941067" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   51.550850] IPVS: ftp: loaded support on port[0] = 21
[   52.329514] chnl_net:caif_netlink_parms(): no params data found
[   52.362721] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.369301] bridge0: port 1(bridge_slave_0) entered disabled state
[   52.376551] device bridge_slave_0 entered promiscuous mode
[   52.383382] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.389918] bridge0: port 2(bridge_slave_1) entered disabled state
[   52.396946] device bridge_slave_1 entered promiscuous mode
[   52.410599] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   52.419211] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   52.434914] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   52.442254] team0: Port device team_slave_0 added
[   52.447660] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   52.454810] team0: Port device team_slave_1 added
[   52.460729] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   52.468099] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   52.551767] device hsr_slave_0 entered promiscuous mode
[   52.600355] device hsr_slave_1 entered promiscuous mode
[   52.670624] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   52.677661] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   52.715225] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.721647] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.728365] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.734735] bridge0: port 1(bridge_slave_0) entered forwarding state
[   52.762488] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   52.768556] 8021q: adding VLAN 0 to HW filter on device bond0
[   52.776711] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   52.785376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   52.803202] bridge0: port 1(bridge_slave_0) entered disabled state
[   52.810558] bridge0: port 2(bridge_slave_1) entered disabled state
[   52.819279] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   52.825459] 8021q: adding VLAN 0 to HW filter on device team0
[   52.833741] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   52.841337] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.847651] bridge0: port 1(bridge_slave_0) entered forwarding state
[   52.856181] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   52.863864] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.870228] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.883796] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   52.891303] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   52.899886] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   52.912522] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   52.922334] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   52.933083] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   52.939351] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   52.947218] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   52.954800] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   52.967367] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   52.974530] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   52.981929] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   52.992539] 8021q: adding VLAN 0 to HW filter on device batadv0
[   53.045673] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   53.056114] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   53.086141] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   53.093693] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   53.100167] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   53.108433] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   53.116285] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   53.123322] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
executing program
[   53.131927] device veth0_vlan entered promiscuous mode
[   53.140638] device veth1_vlan entered promiscuous mode
[   53.146294] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   53.155478] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   53.200598] ==================================================================
[   53.208049] BUG: KASAN: use-after-free in macvlan_broadcast+0x4b9/0x5c0
[   53.214780] Read of size 4 at addr ffff88808cf17541 by task syz-executor575/7101
[   53.222334] 
[   53.223943] CPU: 1 PID: 7101 Comm: syz-executor575 Not tainted 4.14.162-syzkaller #0
[   53.231799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.241130] Call Trace:
[   53.243698]  dump_stack+0x142/0x197
[   53.247305]  ? macvlan_broadcast+0x4b9/0x5c0
[   53.251692]  print_address_description.cold+0x7c/0x1dc
[   53.256946]  ? macvlan_broadcast+0x4b9/0x5c0
[   53.261340]  kasan_report.cold+0xa9/0x2af
[   53.265492]  __asan_report_load_n_noabort+0xf/0x20
[   53.270406]  macvlan_broadcast+0x4b9/0x5c0
[   53.274625]  ? validate_xmit_skb+0x650/0x9d0
[   53.279053]  macvlan_start_xmit+0x56b/0x72d
[   53.283404]  packet_direct_xmit+0x431/0x640
[   53.287724]  packet_sendmsg+0x1dd4/0x5a60
[   53.291862]  ? avc_has_perm_noaudit+0x420/0x420
[   53.296565]  ? trace_hardirqs_on+0x10/0x10
[   53.300831]  ? packet_notifier+0x760/0x760
[   53.305052]  ? release_sock+0x14a/0x1b0
[   53.309015]  ? security_socket_sendmsg+0x89/0xb0
[   53.313751]  ? packet_notifier+0x760/0x760
[   53.317965]  sock_sendmsg+0xce/0x110
[   53.321661]  SYSC_sendto+0x206/0x310
[   53.325355]  ? SYSC_connect+0x2d0/0x2d0
[   53.329327]  ? move_addr_to_kernel.part.0+0x100/0x100
[   53.334509]  ? ioctl_preallocate+0x1c0/0x1c0
[   53.338954]  ? security_file_ioctl+0x7d/0xb0
[   53.343354]  ? security_file_ioctl+0x89/0xb0
[   53.347747]  SyS_sendto+0x40/0x50
[   53.351181]  ? SyS_getpeername+0x30/0x30
[   53.355228]  do_syscall_64+0x1e8/0x640
[   53.359093]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.363920]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   53.369087] RIP: 0033:0x442329
[   53.372265] RSP: 002b:00007fff4e3d11e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   53.379953] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442329
[   53.387205] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[   53.394468] RBP: 00007fff4e3d1210 R08: 0000000000000000 R09: 0000000000000000
[   53.401733] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   53.408992] R13: 00000000004038c0 R14: 0000000000000000 R15: 0000000000000000
[   53.416258] 
[   53.417869] Allocated by task 6450:
[   53.421480]  save_stack_trace+0x16/0x20
[   53.425430]  save_stack+0x45/0xd0
[   53.428873]  kasan_kmalloc+0xce/0xf0
[   53.432575]  kasan_slab_alloc+0xf/0x20
[   53.436442]  kmem_cache_alloc+0x12e/0x780
[   53.440568]  getname_flags+0xcb/0x580
[   53.444359]  user_path_at_empty+0x2f/0x50
[   53.448488]  vfs_statx+0xcd/0x160
[   53.451919]  SYSC_newstat+0x95/0x100
[   53.455613]  SyS_newstat+0x1e/0x30
[   53.459145]  do_syscall_64+0x1e8/0x640
[   53.463011]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   53.468173] 
[   53.469793] Freed by task 6450:
[   53.473050]  save_stack_trace+0x16/0x20
[   53.477016]  save_stack+0x45/0xd0
[   53.480465]  kasan_slab_free+0x75/0xc0
[   53.484341]  kmem_cache_free+0x83/0x2b0
[   53.488298]  putname+0xdb/0x120
[   53.491604]  filename_lookup+0x23a/0x380
[   53.495701]  user_path_at_empty+0x43/0x50
[   53.499887]  vfs_statx+0xcd/0x160
[   53.503321]  SYSC_newstat+0x95/0x100
[   53.507021]  SyS_newstat+0x1e/0x30
[   53.510586]  do_syscall_64+0x1e8/0x640
[   53.514452]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   53.519618] 
[   53.521223] The buggy address belongs to the object at ffff88808cf16a40
[   53.521223]  which belongs to the cache names_cache of size 4096
[   53.533985] The buggy address is located 2817 bytes inside of
[   53.533985]  4096-byte region [ffff88808cf16a40, ffff88808cf17a40)
[   53.546012] The buggy address belongs to the page:
[   53.550922] page:ffffea000233c580 count:1 mapcount:0 mapping:ffff88808cf16a40 index:0x0 compound_mapcount: 0
[   53.560872] flags: 0xfffe0000008100(slab|head)
[   53.565491] raw: 00fffe0000008100 ffff88808cf16a40 0000000000000000 0000000100000001
[   53.573350] raw: ffffea0001ff6520 ffffea00020af8a0 ffff8880aa9e9cc0 0000000000000000
[   53.581203] page dumped because: kasan: bad access detected
[   53.586888] 
[   53.588491] Memory state around the buggy address:
[   53.593396]  ffff88808cf17400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.600743]  ffff88808cf17480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.608080] >ffff88808cf17500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.615412]                                            ^
[   53.620857]  ffff88808cf17580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.628191]  ffff88808cf17600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.635541] ==================================================================
[   53.642899] Disabling lock debugging due to kernel taint
[   53.648390] Kernel panic - not syncing: panic_on_warn set ...
[   53.648390] 
[   53.650630] protocol 88fb is buggy, dev hsr_slave_0
[   53.655774] CPU: 1 PID: 7101 Comm: syz-executor575 Tainted: G    B           4.14.162-syzkaller #0
[   53.660833] protocol 88fb is buggy, dev hsr_slave_1
[   53.669867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.684203] Call Trace:
[   53.686769]  dump_stack+0x142/0x197
[   53.690380]  ? macvlan_broadcast+0x4b9/0x5c0
[   53.694771]  panic+0x1f9/0x42d
[   53.697940]  ? add_taint.cold+0x16/0x16
[   53.701893]  kasan_end_report+0x47/0x4f
[   53.705847]  kasan_report.cold+0x130/0x2af
[   53.710074]  __asan_report_load_n_noabort+0xf/0x20
[   53.714993]  macvlan_broadcast+0x4b9/0x5c0
[   53.719205]  ? validate_xmit_skb+0x650/0x9d0
[   53.723590]  macvlan_start_xmit+0x56b/0x72d
[   53.727893]  packet_direct_xmit+0x431/0x640
[   53.732190]  packet_sendmsg+0x1dd4/0x5a60
[   53.736330]  ? avc_has_perm_noaudit+0x420/0x420
[   53.741019]  ? trace_hardirqs_on+0x10/0x10
[   53.745238]  ? packet_notifier+0x760/0x760
[   53.749450]  ? release_sock+0x14a/0x1b0
[   53.753408]  ? security_socket_sendmsg+0x89/0xb0
[   53.758156]  ? packet_notifier+0x760/0x760
[   53.762377]  sock_sendmsg+0xce/0x110
[   53.766121]  SYSC_sendto+0x206/0x310
[   53.769811]  ? SYSC_connect+0x2d0/0x2d0
[   53.773768]  ? move_addr_to_kernel.part.0+0x100/0x100
[   53.778948]  ? ioctl_preallocate+0x1c0/0x1c0
[   53.783337]  ? security_file_ioctl+0x7d/0xb0
[   53.787723]  ? security_file_ioctl+0x89/0xb0
[   53.792109]  SyS_sendto+0x40/0x50
[   53.795540]  ? SyS_getpeername+0x30/0x30
[   53.799581]  do_syscall_64+0x1e8/0x640
[   53.803444]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.808265]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   53.813430] RIP: 0033:0x442329
[   53.816599] RSP: 002b:00007fff4e3d11e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   53.824283] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442329
[   53.831529] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[   53.838790] RBP: 00007fff4e3d1210 R08: 0000000000000000 R09: 0000000000000000
[   53.846051] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   53.853309] R13: 00000000004038c0 R14: 0000000000000000 R15: 0000000000000000
[   53.861939] Kernel Offset: disabled
[   53.865563] Rebooting in 86400 seconds..