[ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd[ 21.298849] random: sshd: uninitialized urandom read (32 bytes read) . Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.041321] random: sshd: uninitialized urandom read (32 bytes read) [ 25.438754] random: sshd: uninitialized urandom read (32 bytes read) [ 26.218436] random: sshd: uninitialized urandom read (32 bytes read) [ 26.380808] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts. [ 31.827777] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.926968] ================================================================== [ 31.934475] BUG: KASAN: use-after-free in nla_strlcpy+0x13d/0x150 [ 31.940698] Read of size 1 at addr ffff8801cf2a04dd by task syz-executor717/4561 [ 31.948305] [ 31.949931] CPU: 1 PID: 4561 Comm: syz-executor717 Not tainted 4.17.0-rc6+ #68 [ 31.957286] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.966630] Call Trace: [ 31.969226] dump_stack+0x1b9/0x294 [ 31.972849] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.978037] ? printk+0x9e/0xba [ 31.981334] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.986081] ? kasan_check_write+0x14/0x20 [ 31.990318] print_address_description+0x6c/0x20b [ 31.995151] ? nla_strlcpy+0x13d/0x150 [ 31.999037] kasan_report.cold.7+0x242/0x2fe [ 32.003459] __asan_report_load1_noabort+0x14/0x20 [ 32.008392] nla_strlcpy+0x13d/0x150 [ 32.012103] nfnl_acct_new+0x574/0xc50 [ 32.015980] ? nfnl_acct_overquota+0x380/0x380 [ 32.020553] ? debug_check_no_locks_freed+0x310/0x310 [ 32.025733] ? graph_lock+0x170/0x170 [ 32.029520] ? print_usage_bug+0xc0/0xc0 [ 32.033585] ? print_usage_bug+0xc0/0xc0 [ 32.037646] ? find_held_lock+0x36/0x1c0 [ 32.041697] ? graph_lock+0x170/0x170 [ 32.045488] ? lock_downgrade+0x8e0/0x8e0 [ 32.049631] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.055161] ? __lock_is_held+0xb5/0x140 [ 32.059221] ? nfnl_acct_overquota+0x380/0x380 [ 32.063803] nfnetlink_rcv_msg+0xdb5/0xff0 [ 32.068056] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 32.073059] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 32.077463] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.081606] ? graph_lock+0x170/0x170 [ 32.085394] ? find_held_lock+0x36/0x1c0 [ 32.089470] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.095018] netlink_rcv_skb+0x172/0x440 [ 32.099082] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.103218] ? netlink_ack+0xbc0/0xbc0 [ 32.107109] ? __netlink_ns_capable+0x100/0x130 [ 32.111766] nfnetlink_rcv+0x1fe/0x1ba0 [ 32.115729] ? kasan_check_read+0x11/0x20 [ 32.119863] ? rcu_is_watching+0x85/0x140 [ 32.124012] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.129204] ? nfnl_err_reset+0x2d0/0x2d0 [ 32.133342] ? netlink_remove_tap+0x610/0x610 [ 32.137843] ? refcount_add_not_zero+0x320/0x320 [ 32.142590] ? kasan_check_read+0x11/0x20 [ 32.146726] ? rcu_is_watching+0x85/0x140 [ 32.150861] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.156049] ? netlink_skb_destructor+0x210/0x210 [ 32.160894] ? kasan_check_write+0x14/0x20 [ 32.165134] netlink_unicast+0x58b/0x740 [ 32.169185] ? netlink_attachskb+0x970/0x970 [ 32.173585] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.179110] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.184117] ? security_netlink_send+0x88/0xb0 [ 32.188689] netlink_sendmsg+0x9f0/0xfa0 [ 32.192739] ? netlink_unicast+0x740/0x740 [ 32.196970] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.202497] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.208042] ? security_socket_sendmsg+0x94/0xc0 [ 32.212791] ? netlink_unicast+0x740/0x740 [ 32.217016] sock_sendmsg+0xd5/0x120 [ 32.220728] sock_write_iter+0x35a/0x5a0 [ 32.224780] ? sock_sendmsg+0x120/0x120 [ 32.228745] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.234277] ? iov_iter_init+0xc9/0x1f0 [ 32.238297] __vfs_write+0x64d/0x960 [ 32.242024] ? 
kernel_read+0x120/0x120 [ 32.245909] ? lock_downgrade+0x8e0/0x8e0 [ 32.250051] ? handle_mm_fault+0x8c0/0xc70 [ 32.254274] ? handle_mm_fault+0x55a/0xc70 [ 32.258498] ? rw_verify_area+0x118/0x360 [ 32.262638] vfs_write+0x1f8/0x560 [ 32.266168] ksys_write+0xf9/0x250 [ 32.269695] ? __ia32_sys_read+0xb0/0xb0 [ 32.273740] ? __ia32_sys_fallocate+0xf0/0xf0 [ 32.278225] __x64_sys_write+0x73/0xb0 [ 32.282112] do_syscall_64+0x1b1/0x800 [ 32.285988] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.290913] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.295836] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.301365] ? retint_user+0x18/0x18 [ 32.305080] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.309921] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.315096] RIP: 0033:0x43fcf9 [ 32.318268] RSP: 002b:00007ffc5c634518 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 32.325966] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 32.333224] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 32.340478] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.347731] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 32.354991] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 32.362293] [ 32.363913] Allocated by task 1: [ 32.367268] save_stack+0x43/0xd0 [ 32.370704] kasan_kmalloc+0xc4/0xe0 [ 32.374400] kasan_slab_alloc+0x12/0x20 [ 32.378355] kmem_cache_alloc+0x12e/0x760 [ 32.382486] mempool_alloc_slab+0x44/0x60 [ 32.386620] mempool_create_node+0x2cf/0x610 [ 32.391020] mempool_create+0x37/0x40 [ 32.394944] bioset_create+0x6b3/0x900 [ 32.398819] blk_alloc_queue_node+0x16e/0xe40 [ 32.403310] blk_mq_init_queue+0x4b/0xb0 [ 32.407359] scsi_mq_alloc_queue+0x45/0x190 [ 32.411665] scsi_alloc_sdev+0xc0e/0x11a0 [ 32.415805] scsi_probe_and_add_lun+0x20aa/0x3260 [ 32.420632] __scsi_scan_target+0x2c0/0xfe0 [ 32.424947] scsi_scan_channel.part.7+0x11f/0x190 [ 32.429772] scsi_scan_host_selected+0x2b9/0x3d0 [ 32.434517] 
do_scsi_scan_host+0x1ee/0x260 [ 32.438740] scsi_scan_host+0x4a2/0x590 [ 32.442703] virtscsi_probe+0xbe5/0xf04 [ 32.446660] virtio_dev_probe+0x592/0x942 [ 32.450793] driver_probe_device+0x69b/0x960 [ 32.455185] __driver_attach+0x1b2/0x1f0 [ 32.459235] bus_for_each_dev+0x151/0x1d0 [ 32.463378] driver_attach+0x3d/0x50 [ 32.467085] bus_add_driver+0x4b2/0x600 [ 32.471058] driver_register+0x1bf/0x320 [ 32.475113] register_virtio_driver+0x79/0xd0 [ 32.479594] init+0xa3/0x114 [ 32.482597] do_one_initcall+0x127/0x913 [ 32.486643] kernel_init_freeable+0x49b/0x58e [ 32.491123] kernel_init+0x11/0x1b3 [ 32.494736] ret_from_fork+0x3a/0x50 [ 32.498427] [ 32.500041] Freed by task 25: [ 32.503137] save_stack+0x43/0xd0 [ 32.506574] __kasan_slab_free+0x11a/0x170 [ 32.510792] kasan_slab_free+0xe/0x10 [ 32.514590] kmem_cache_free+0x86/0x2d0 [ 32.518551] mempool_free_slab+0x1d/0x30 [ 32.522602] mempool_destroy.part.6+0xcc/0x180 [ 32.527180] mempool_destroy+0x1f/0x30 [ 32.531064] bioset_free+0xa9/0x320 [ 32.534686] __blk_release_queue+0x195/0x380 [ 32.539079] process_one_work+0xc1e/0x1b50 [ 32.543297] worker_thread+0x1cc/0x1440 [ 32.547254] kthread+0x345/0x410 [ 32.550614] ret_from_fork+0x3a/0x50 [ 32.554328] [ 32.555943] The buggy address belongs to the object at ffff8801cf2a0200 [ 32.555943] which belongs to the cache biovec-max of size 8192 [ 32.568595] The buggy address is located 733 bytes inside of [ 32.568595] 8192-byte region [ffff8801cf2a0200, ffff8801cf2a2200) [ 32.580541] The buggy address belongs to the page: [ 32.585460] page:ffffea00073ca800 count:1 mapcount:0 mapping:ffff8801cf2a0200 index:0xffff8801cf2a0200 compound_mapcount: 0 [ 32.596723] flags: 0x2fffc0000008100(slab|head) [ 32.601385] raw: 02fffc0000008100 ffff8801cf2a0200 ffff8801cf2a0200 0000000100000000 [ 32.609267] raw: ffff8801d7f33458 ffffea00073d4c20 ffff8801d7f38300 0000000000000000 [ 32.617128] page dumped because: kasan: bad access detected [ 32.622817] [ 32.624424] Memory state around the buggy address: [ 
32.629338] ffff8801cf2a0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.637588] ffff8801cf2a0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.644936] >ffff8801cf2a0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.652276] ^ [ 32.658511] ffff8801cf2a0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.665872] ffff8801cf2a0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.673416] ================================================================== [ 32.680757] Disabling lock debugging due to kernel taint [ 32.686280] Kernel panic - not syncing: panic_on_warn set ... [ 32.686280] [ 32.693690] CPU: 1 PID: 4561 Comm: syz-executor717 Tainted: G B 4.17.0-rc6+ #68 [ 32.702435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.711784] Call Trace: [ 32.714363] dump_stack+0x1b9/0x294 [ 32.717981] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.723160] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.727905] ? nla_strlcpy+0x70/0x150 [ 32.731688] panic+0x22f/0x4de [ 32.734873] ? add_taint.cold.5+0x16/0x16 [ 32.739021] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.743421] ? do_raw_spin_unlock+0x9e/0x2e0 [ 32.747819] ? nla_strlcpy+0x13d/0x150 [ 32.751695] kasan_end_report+0x47/0x4f [ 32.755654] kasan_report.cold.7+0x76/0x2fe [ 32.759966] __asan_report_load1_noabort+0x14/0x20 [ 32.764885] nla_strlcpy+0x13d/0x150 [ 32.768592] nfnl_acct_new+0x574/0xc50 [ 32.772470] ? nfnl_acct_overquota+0x380/0x380 [ 32.777051] ? debug_check_no_locks_freed+0x310/0x310 [ 32.782234] ? graph_lock+0x170/0x170 [ 32.786026] ? print_usage_bug+0xc0/0xc0 [ 32.790097] ? print_usage_bug+0xc0/0xc0 [ 32.794143] ? find_held_lock+0x36/0x1c0 [ 32.798193] ? graph_lock+0x170/0x170 [ 32.801987] ? lock_downgrade+0x8e0/0x8e0 [ 32.806136] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.811674] ? __lock_is_held+0xb5/0x140 [ 32.815738] ? nfnl_acct_overquota+0x380/0x380 [ 32.820323] nfnetlink_rcv_msg+0xdb5/0xff0 [ 32.824550] ? 
__sanitizer_cov_trace_cmp1+0x17/0x20 [ 32.829550] ? nfnetlink_rcv_msg+0x3bc/0xff0 [ 32.833946] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.838077] ? graph_lock+0x170/0x170 [ 32.841862] ? find_held_lock+0x36/0x1c0 [ 32.845916] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.851440] netlink_rcv_skb+0x172/0x440 [ 32.855501] ? nfnetlink_bind+0x3a0/0x3a0 [ 32.859635] ? netlink_ack+0xbc0/0xbc0 [ 32.863515] ? __netlink_ns_capable+0x100/0x130 [ 32.868178] nfnetlink_rcv+0x1fe/0x1ba0 [ 32.872146] ? kasan_check_read+0x11/0x20 [ 32.876294] ? rcu_is_watching+0x85/0x140 [ 32.880428] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.885614] ? nfnl_err_reset+0x2d0/0x2d0 [ 32.889749] ? netlink_remove_tap+0x610/0x610 [ 32.894232] ? refcount_add_not_zero+0x320/0x320 [ 32.898990] ? kasan_check_read+0x11/0x20 [ 32.903133] ? rcu_is_watching+0x85/0x140 [ 32.907265] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 32.912443] ? netlink_skb_destructor+0x210/0x210 [ 32.917279] ? kasan_check_write+0x14/0x20 [ 32.921502] netlink_unicast+0x58b/0x740 [ 32.925562] ? netlink_attachskb+0x970/0x970 [ 32.929955] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.935477] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 32.940482] ? security_netlink_send+0x88/0xb0 [ 32.945052] netlink_sendmsg+0x9f0/0xfa0 [ 32.949098] ? netlink_unicast+0x740/0x740 [ 32.953318] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.958854] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.964383] ? security_socket_sendmsg+0x94/0xc0 [ 32.969134] ? netlink_unicast+0x740/0x740 [ 32.973365] sock_sendmsg+0xd5/0x120 [ 32.977072] sock_write_iter+0x35a/0x5a0 [ 32.981119] ? sock_sendmsg+0x120/0x120 [ 32.985086] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.990620] ? iov_iter_init+0xc9/0x1f0 [ 32.994592] __vfs_write+0x64d/0x960 [ 32.998293] ? kernel_read+0x120/0x120 [ 33.002178] ? lock_downgrade+0x8e0/0x8e0 [ 33.006317] ? handle_mm_fault+0x8c0/0xc70 [ 33.010544] ? handle_mm_fault+0x55a/0xc70 [ 33.014767] ? 
rw_verify_area+0x118/0x360 [ 33.018913] vfs_write+0x1f8/0x560 [ 33.022442] ksys_write+0xf9/0x250 [ 33.025968] ? __ia32_sys_read+0xb0/0xb0 [ 33.030014] ? __ia32_sys_fallocate+0xf0/0xf0 [ 33.034501] __x64_sys_write+0x73/0xb0 [ 33.038376] do_syscall_64+0x1b1/0x800 [ 33.042260] ? syscall_return_slowpath+0x5c0/0x5c0 [ 33.047173] ? syscall_return_slowpath+0x30f/0x5c0 [ 33.052092] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.057614] ? retint_user+0x18/0x18 [ 33.061314] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.066145] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.071319] RIP: 0033:0x43fcf9 [ 33.074508] RSP: 002b:00007ffc5c634518 EFLAGS: 00000213 ORIG_RAX: 0000000000000001 [ 33.082211] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fcf9 [ 33.089465] RDX: 000000000000001f RSI: 0000000020390000 RDI: 0000000000000003 [ 33.096726] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 33.103998] R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401620 [ 33.111284] R13: 00000000004016b0 R14: 0000000000000000 R15: 0000000000000000 [ 33.119109] Dumping ftrace buffer: [ 33.122630] (ftrace buffer empty) [ 33.126321] Kernel Offset: disabled [ 33.129934] Rebooting in 86400 seconds..