[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.161539] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.207521] random: sshd: uninitialized urandom read (32 bytes read)
[   26.633380] random: sshd: uninitialized urandom read (32 bytes read)
[   27.140750] random: sshd: uninitialized urandom read (32 bytes read)
[   27.314513] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts.
[   33.105228] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.212318] FAULT_INJECTION: forcing a failure.
[   33.212318] name failslab, interval 1, probability 0, space 0, times 1
[   33.223780] CPU: 0 PID: 4445 Comm: syz-executor439 Not tainted 4.18.0-rc8+ #181
[   33.231219] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.240564] Call Trace:
[   33.243153]  dump_stack+0x1c9/0x2b4
[   33.246773]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.251954]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.257565]  ? __do_page_fault+0x449/0xe50
[   33.261794]  should_fail.cold.4+0xa/0x1a
[   33.265845]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[   33.270957]  ? graph_lock+0x170/0x170
[   33.274755]  ? graph_lock+0x170/0x170
[   33.278545]  ? graph_lock+0x170/0x170
[   33.282333]  ? vmalloc_sync_all+0x30/0x30
[   33.286467]  ? sk_busy_loop_end+0x1c0/0x1c0
[   33.290775]  ? trace_hardirqs_on+0x10/0x10
[   33.294998]  ? find_held_lock+0x36/0x1c0
[   33.299064]  ? __lock_is_held+0xb5/0x140
[   33.303122]  ? check_same_owner+0x340/0x340
[   33.307428]  ? check_same_owner+0x340/0x340
[   33.311737]  ? rcu_note_context_switch+0x730/0x730
[   33.316661]  __should_failslab+0x124/0x180
[   33.320888]  should_failslab+0x9/0x14
[   33.324676]  __kmalloc+0x2c8/0x760
[   33.328219]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   33.333225]  ? _copy_from_iter+0x39d/0x1090
[   33.337557]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   33.342560]  ? tls_push_record+0x10d/0x1400
[   33.346888]  ? __check_object_size+0x9d/0x5f2
[   33.351392]  tls_push_record+0x10d/0x1400
[   33.355552]  ? _copy_from_iter_nocache+0x1050/0x1050
[   33.360643]  ? __local_bh_enable_ip+0x161/0x230
[   33.365304]  tls_sw_sendmsg+0x9e2/0x12c0
[   33.369353]  ? lock_release+0xa30/0xa30
[   33.373321]  ? tls_sw_push_pending_record+0x30/0x30
[   33.378324]  ? lock_downgrade+0x8f0/0x8f0
[   33.382485]  ? __sanitizer_cov_trace_cmp8+0x17/0x20
[   33.387508]  ? lock_release+0xa30/0xa30
[   33.391492]  ? __check_object_size+0x9d/0x5f2
[   33.395976]  inet_sendmsg+0x1a1/0x690
[   33.399766]  ? ipip_gro_receive+0x100/0x100
[   33.404082]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.409606]  ? security_socket_sendmsg+0x94/0xc0
[   33.414346]  ? ipip_gro_receive+0x100/0x100
[   33.419025]  sock_sendmsg+0xd5/0x120
[   33.422741]  __sys_sendto+0x3d7/0x670
[   33.426530]  ? __ia32_sys_getpeername+0xb0/0xb0
[   33.431188]  ? lock_downgrade+0x8f0/0x8f0
[   33.435326]  ? __lock_is_held+0xb5/0x140
[   33.439383]  ? __sb_end_write+0xac/0xe0
[   33.443349]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.448895]  ? ksys_write+0x1ae/0x260
[   33.452684]  ? __ia32_sys_read+0xb0/0xb0
[   33.456739]  ? syscall_slow_exit_work+0x500/0x500
[   33.461572]  __x64_sys_sendto+0xe1/0x1a0
[   33.465621]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.470626]  do_syscall_64+0x1b9/0x820
[   33.474501]  ? syscall_slow_exit_work+0x500/0x500
[   33.479331]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.484248]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.489167]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.494518]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.499351]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.504526] RIP: 0033:0x440539
[   33.507696] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   33.526878] RSP: 002b:00007fffce967348 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   33.534572] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440539
[   33.541826] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[   33.549086] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c
[   33.556345] R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000004
[   33.563598] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[   33.572563] ==================================================================
[   33.580071] BUG: KASAN: use-after-free in tls_push_record+0x1091/0x1400
[   33.586813] Write of size 1 at addr ffff8801acf20000 by task syz-executor439/4445
[   33.594411] 
[   33.596038] CPU: 0 PID: 4445 Comm: syz-executor439 Not tainted 4.18.0-rc8+ #181
[   33.603475] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.612814] Call Trace:
[   33.615398]  dump_stack+0x1c9/0x2b4
[   33.619023]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.624233]  ? printk+0xa7/0xcf
[   33.627500]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.632279]  ? tls_push_record+0x1091/0x1400
[   33.636677]  print_address_description+0x6c/0x20b
[   33.641617]  ? tls_push_record+0x1091/0x1400
[   33.646016]  kasan_report.cold.7+0x242/0x2fe
[   33.650446]  __asan_report_store1_noabort+0x17/0x20
[   33.655446]  tls_push_record+0x1091/0x1400
[   33.659674]  ? lock_sock_nested+0x9f/0x120
[   33.663913]  tls_sw_push_pending_record+0x22/0x30
[   33.668742]  tls_sk_proto_close+0x74c/0xae0
[   33.673059]  ? lock_acquire+0x1e4/0x540
[   33.677054]  ? tcp_check_oom+0x530/0x530
[   33.681112]  ? tls_write_space+0x360/0x360
[   33.685336]  ? kasan_check_read+0x11/0x20
[   33.689471]  ? rcu_note_context_switch+0x730/0x730
[   33.694388]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.699926]  ? ipv6_sock_ac_close+0x356/0x490
[   33.704435]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.710007]  ? ipv6_sock_mc_close+0x162/0x1d0
[   33.714504]  ? ip_mc_drop_socket+0x20f/0x270
[   33.718921]  ? down_write+0x8f/0x130
[   33.722624]  inet_release+0x104/0x1f0
[   33.726414]  inet6_release+0x50/0x70
[   33.730116]  __sock_release+0xd7/0x260
[   33.733992]  ? __sock_release+0x260/0x260
[   33.738130]  sock_close+0x19/0x20
[   33.741569]  __fput+0x355/0x8b0
[   33.744839]  ? fput+0x1a0/0x1a0
[   33.748110]  ? check_same_owner+0x340/0x340
[   33.752419]  ? _raw_spin_unlock_irq+0x27/0x70
[   33.756903]  ____fput+0x15/0x20
[   33.760172]  task_work_run+0x1ec/0x2a0
[   33.764057]  ? task_work_cancel+0x250/0x250
[   33.768382]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.773923]  ? switch_task_namespaces+0xa2/0xd0
[   33.778582]  do_exit+0x1b08/0x2750
[   33.782111]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.787115]  ? mm_update_next_owner+0x9a0/0x9a0
[   33.791774]  ? release_sock+0x1ec/0x2c0
[   33.795735]  ? __release_sock+0x3a0/0x3a0
[   33.799875]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.805401]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.810924]  ? tls_sw_sendmsg+0xa9d/0x12c0
[   33.815147]  ? lock_release+0xa30/0xa30
[   33.819119]  ? tls_sw_push_pending_record+0x30/0x30
[   33.824124]  ? lock_downgrade+0x8f0/0x8f0
[   33.828260]  ? __sanitizer_cov_trace_cmp8+0x17/0x20
[   33.833263]  ? lock_release+0xa30/0xa30
[   33.837229]  ? __check_object_size+0x9d/0x5f2
[   33.841719]  ? inet_sendmsg+0x1a8/0x690
[   33.845680]  ? ipip_gro_receive+0x100/0x100
[   33.849998]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.855536]  ? security_socket_sendmsg+0x94/0xc0
[   33.860282]  ? ipip_gro_receive+0x100/0x100
[   33.864603]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.870127]  ? sock_sendmsg+0x5a/0x120
[   33.874011]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.879558]  ? __sys_sendto+0x475/0x670
[   33.883545]  ? __ia32_sys_getpeername+0xb0/0xb0
[   33.888208]  ? lock_downgrade+0x8f0/0x8f0
[   33.892349]  ? __lock_is_held+0xb5/0x140
[   33.896430]  ? __sb_end_write+0xac/0xe0
[   33.900399]  do_group_exit+0x177/0x440
[   33.904276]  ? __ia32_sys_exit+0x50/0x50
[   33.908327]  ? syscall_slow_exit_work+0x500/0x500
[   33.913159]  ? do_syscall_64+0x9a/0x820
[   33.917122]  __x64_sys_exit_group+0x3e/0x50
[   33.921461]  do_syscall_64+0x1b9/0x820
[   33.925362]  ? syscall_slow_exit_work+0x500/0x500
[   33.930189]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.935107]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.940039]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.945405]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.950237]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.955413] RIP: 0033:0x43f1f8
[   33.958584] Code: Bad RIP value.
[   33.961944] RSP: 002b:00007fffce967368 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   33.969640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f1f8
[   33.976900] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   33.984166] RBP: 00000000004bef68 R08: 00000000000000e7 R09: ffffffffffffffd0
[   33.991428] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   33.998691] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   34.005965] 
[   34.007581] The buggy address belongs to the page:
[   34.012501] page:ffffea0006b3c800 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[   34.020902] flags: 0x2fffc0000000000()
[   34.024789] raw: 02fffc0000000000 ffffea000729be08 ffff88021fffac18 0000000000000000
[   34.032686] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[   34.040573] page dumped because: kasan: bad access detected
[   34.046273] 
[   34.047889] Memory state around the buggy address:
[   34.052808]  ffff8801acf1ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.060160]  ffff8801acf1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.067519] >ffff8801acf20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.074875]                    ^
[   34.078234]  ffff8801acf20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.085591]  ffff8801acf20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   34.092947] ==================================================================
[   34.100291] Disabling lock debugging due to kernel taint
[   34.106018] Kernel panic - not syncing: panic_on_warn set ...
[   34.106018] 
[   34.113409] CPU: 0 PID: 4445 Comm: syz-executor439 Tainted: G    B             4.18.0-rc8+ #181
[   34.122238] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.131580] Call Trace:
[   34.134165]  dump_stack+0x1c9/0x2b4
[   34.137796]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.142989]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.147755]  panic+0x238/0x4e7
[   34.150953]  ? add_taint.cold.5+0x16/0x16
[   34.155102]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.159499]  ? tls_push_record+0x1091/0x1400
[   34.163890]  kasan_end_report+0x47/0x4f
[   34.167849]  kasan_report.cold.7+0x76/0x2fe
[   34.172158]  __asan_report_store1_noabort+0x17/0x20
[   34.177158]  tls_push_record+0x1091/0x1400
[   34.181378]  ? lock_sock_nested+0x9f/0x120
[   34.185596]  tls_sw_push_pending_record+0x22/0x30
[   34.190442]  tls_sk_proto_close+0x74c/0xae0
[   34.194751]  ? lock_acquire+0x1e4/0x540
[   34.198712]  ? tcp_check_oom+0x530/0x530
[   34.202758]  ? tls_write_space+0x360/0x360
[   34.207001]  ? kasan_check_read+0x11/0x20
[   34.211147]  ? rcu_note_context_switch+0x730/0x730
[   34.216064]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.221608]  ? ipv6_sock_ac_close+0x356/0x490
[   34.226094]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.231615]  ? ipv6_sock_mc_close+0x162/0x1d0
[   34.236095]  ? ip_mc_drop_socket+0x20f/0x270
[   34.240490]  ? down_write+0x8f/0x130
[   34.244189]  inet_release+0x104/0x1f0
[   34.247978]  inet6_release+0x50/0x70
[   34.251689]  __sock_release+0xd7/0x260
[   34.255565]  ? __sock_release+0x260/0x260
[   34.259697]  sock_close+0x19/0x20
[   34.263144]  __fput+0x355/0x8b0
[   34.266408]  ? fput+0x1a0/0x1a0
[   34.269674]  ? check_same_owner+0x340/0x340
[   34.273979]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.278484]  ____fput+0x15/0x20
[   34.281773]  task_work_run+0x1ec/0x2a0
[   34.285647]  ? task_work_cancel+0x250/0x250
[   34.289956]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.295479]  ? switch_task_namespaces+0xa2/0xd0
[   34.300132]  do_exit+0x1b08/0x2750
[   34.303660]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.308663]  ? mm_update_next_owner+0x9a0/0x9a0
[   34.313317]  ? release_sock+0x1ec/0x2c0
[   34.317273]  ? __release_sock+0x3a0/0x3a0
[   34.321408]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.326946]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.332470]  ? tls_sw_sendmsg+0xa9d/0x12c0
[   34.336694]  ? lock_release+0xa30/0xa30
[   34.340665]  ? tls_sw_push_pending_record+0x30/0x30
[   34.345682]  ? lock_downgrade+0x8f0/0x8f0
[   34.349837]  ? __sanitizer_cov_trace_cmp8+0x17/0x20
[   34.354859]  ? lock_release+0xa30/0xa30
[   34.358823]  ? __check_object_size+0x9d/0x5f2
[   34.363310]  ? inet_sendmsg+0x1a8/0x690
[   34.367268]  ? ipip_gro_receive+0x100/0x100
[   34.371575]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.377098]  ? security_socket_sendmsg+0x94/0xc0
[   34.381838]  ? ipip_gro_receive+0x100/0x100
[   34.386146]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.391668]  ? sock_sendmsg+0x5a/0x120
[   34.395541]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.401066]  ? __sys_sendto+0x475/0x670
[   34.405040]  ? __ia32_sys_getpeername+0xb0/0xb0
[   34.409728]  ? lock_downgrade+0x8f0/0x8f0
[   34.413866]  ? __lock_is_held+0xb5/0x140
[   34.417920]  ? __sb_end_write+0xac/0xe0
[   34.421882]  do_group_exit+0x177/0x440
[   34.425779]  ? __ia32_sys_exit+0x50/0x50
[   34.429828]  ? syscall_slow_exit_work+0x500/0x500
[   34.434655]  ? do_syscall_64+0x9a/0x820
[   34.438629]  __x64_sys_exit_group+0x3e/0x50
[   34.442937]  do_syscall_64+0x1b9/0x820
[   34.446808]  ? syscall_slow_exit_work+0x500/0x500
[   34.451635]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.456562]  ? syscall_return_slowpath+0x31d/0x5e0
[   34.461480]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   34.466834]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.471665]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.476837] RIP: 0033:0x43f1f8
[   34.480005] Code: Bad RIP value.
[   34.483406] RSP: 002b:00007fffce967368 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   34.491099] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f1f8
[   34.498350] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   34.505602] RBP: 00000000004bef68 R08: 00000000000000e7 R09: ffffffffffffffd0
[   34.512853] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   34.520103] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   34.527669] Dumping ftrace buffer:
[   34.531213]    (ftrace buffer empty)
[   34.534923] Kernel Offset: disabled
[   34.538535] Rebooting in 86400 seconds..