[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[   19.928589] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.686719] random: sshd: uninitialized urandom read (32 bytes read)
[   24.270464] random: sshd: uninitialized urandom read (32 bytes read)
[   25.127381] random: sshd: uninitialized urandom read (32 bytes read)
[   25.283992] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
[   30.773151] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.869396] ==================================================================
[   30.876849] BUG: KASAN: slab-out-of-bounds in process_preds+0x3ecf/0x4160
[   30.883765] Write of size 4 at addr ffff8801d3c974f0 by task syz-executor154/4562
[   30.891365]
[   30.892977] CPU: 0 PID: 4562 Comm: syz-executor154 Not tainted 4.17.0+ #105
[   30.900066] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.909403] Call Trace:
[   30.911978]  dump_stack+0x1c9/0x2b4
[   30.915596]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.920768]  ? printk+0xa7/0xcf
[   30.924036]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.928788]  ? process_preds+0x3ecf/0x4160
[   30.933003]  print_address_description+0x6c/0x20b
[   30.937824]  ? process_preds+0x3ecf/0x4160
[   30.942040]  kasan_report.cold.7+0x242/0x2fe
[   30.946428]  __asan_report_store4_noabort+0x17/0x20
[   30.951432]  process_preds+0x3ecf/0x4160
[   30.955481]  ? filter_parse_regex+0x2b0/0x2b0
[   30.959966]  ? create_filter_start.constprop.14+0xfb/0x2b0
[   30.965569]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.970563]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.975391]  ? create_filter_start.constprop.14+0x55/0x2b0
[   30.980996]  create_filter+0x167/0x280
[   30.984864]  ? process_preds+0x4160/0x4160
[   30.989089]  ftrace_profile_set_filter+0x135/0x2f0
[   30.993999]  ? ftrace_profile_free_filter+0x70/0x70
[   30.998997]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.004513]  ? memdup_user+0x6b/0xa0
[   31.008217]  perf_event_set_filter+0x251/0x1260
[   31.012881]  ? mutex_trylock+0x2b0/0x2b0
[   31.016925]  ? __mutex_lock+0x7e8/0x1820
[   31.020967]  ? graph_lock+0x170/0x170
[   31.024748]  ? graph_lock+0x170/0x170
[   31.028527]  ? perf_pmu_unregister+0x540/0x540
[   31.033096]  ? mutex_trylock+0x2b0/0x2b0
[   31.037146]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.042661]  ? smp_call_function_single+0x2d6/0x5c0
[   31.047661]  ? find_held_lock+0x36/0x1c0
[   31.051714]  ? graph_lock+0x170/0x170
[   31.055937]  ? lock_downgrade+0x8f0/0x8f0
[   31.060084]  _perf_ioctl+0x865/0x1600
[   31.063870]  ? __do_sys_perf_event_open+0x30f0/0x30f0
[   31.069048]  ? lock_downgrade+0x8f0/0x8f0
[   31.073178]  ? kasan_check_read+0x11/0x20
[   31.077316]  ? rcu_is_watching+0x8c/0x150
[   31.081441]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   31.085832]  ? mutex_lock_nested+0x16/0x20
[   31.090048]  ? mutex_lock_nested+0x16/0x20
[   31.094262]  ? perf_event_ctx_lock_nested+0x415/0x500
[   31.099441]  ? trace_hardirqs_on_caller+0x371/0x5c0
[   31.104437]  ? perf_event_read_event+0x450/0x450
[   31.109174]  ? fd_install+0x4d/0x60
[   31.112791]  ? __do_sys_perf_event_open+0x7c7/0x30f0
[   31.117878]  perf_ioctl+0x59/0x80
[   31.121313]  ? _perf_ioctl+0x1600/0x1600
[   31.125357]  do_vfs_ioctl+0x1de/0x1720
[   31.129228]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.134746]  ? ioctl_preallocate+0x300/0x300
[   31.139133]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.144649]  ? __fget_light+0x2f7/0x440
[   31.148606]  ? fget_raw+0x20/0x20
[   31.152054]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.157578]  ? __do_page_fault+0x449/0xe50
[   31.161796]  ? mm_fault_error+0x380/0x380
[   31.165925]  ? security_file_ioctl+0x94/0xc0
[   31.170313]  ksys_ioctl+0xa9/0xd0
[   31.173756]  __x64_sys_ioctl+0x73/0xb0
[   31.177630]  do_syscall_64+0x1b9/0x820
[   31.181496]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.186411]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.191331]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.196677]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.201503]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.206670] RIP: 0033:0x43fdb9
[   31.209833] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.229000] RSP: 002b:00007ffdcf4b7138 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   31.236687] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   31.243935] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   31.251181] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   31.258438] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   31.265687] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   31.272943]
[   31.274553] Allocated by task 1:
[   31.277913]  save_stack+0x43/0xd0
[   31.281347]  kasan_kmalloc+0xc4/0xe0
[   31.285038]  kmem_cache_alloc_trace+0x152/0x780
[   31.289683]  __kthread_create_on_node+0x127/0x4c0
[   31.294500]  kthread_create_on_node+0xb1/0xe0
[   31.298971]  kswapd_run+0xa4/0x1b0
[   31.302487]  kswapd_init+0x56/0xbd
[   31.306008]  do_one_initcall+0x127/0x913
[   31.310046]  kernel_init_freeable+0x49b/0x58e
[   31.314517]  kernel_init+0x11/0x1b3
[   31.318124]  ret_from_fork+0x3a/0x50
[   31.321807]
[   31.323409] Freed by task 1:
[   31.326405]  save_stack+0x43/0xd0
[   31.329838]  __kasan_slab_free+0x11a/0x170
[   31.334049]  kasan_slab_free+0xe/0x10
[   31.337823]  kfree+0xd9/0x260
[   31.340906]  __kthread_create_on_node+0x34a/0x4c0
[   31.345725]  kthread_create_on_node+0xb1/0xe0
[   31.350211]  kswapd_run+0xa4/0x1b0
[   31.353728]  kswapd_init+0x56/0xbd
[   31.357246]  do_one_initcall+0x127/0x913
[   31.361284]  kernel_init_freeable+0x49b/0x58e
[   31.365756]  kernel_init+0x11/0x1b3
[   31.369361]  ret_from_fork+0x3a/0x50
[   31.373049]
[   31.374658] The buggy address belongs to the object at ffff8801d3c97480
[   31.374658]  which belongs to the cache kmalloc-64 of size 64
[   31.387129] The buggy address is located 48 bytes to the right of
[   31.387129]  64-byte region [ffff8801d3c97480, ffff8801d3c974c0)
[   31.399325] The buggy address belongs to the page:
[   31.404233] page:ffffea00074f25c0 count:1 mapcount:0 mapping:ffff8801da800340 index:0x0
[   31.412354] flags: 0x2fffc0000000100(slab)
[   31.416573] raw: 02fffc0000000100 ffffea00074f4ac8 ffffea00075f7fc8 ffff8801da800340
[   31.424443] raw: 0000000000000000 ffff8801d3c97000 0000000100000020 0000000000000000
[   31.432312] page dumped because: kasan: bad access detected
[   31.437998]
[   31.439603] Memory state around the buggy address:
[   31.444510]  ffff8801d3c97380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.451852]  ffff8801d3c97400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.459200] >ffff8801d3c97480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.466533]                                                              ^
[   31.473522]  ffff8801d3c97500: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   31.480858]  ffff8801d3c97580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   31.488190] ==================================================================
[   31.495522] Disabling lock debugging due to kernel taint
[   31.501038] Kernel panic - not syncing: panic_on_warn set ...
[   31.501038]
[   31.508409] CPU: 0 PID: 4562 Comm: syz-executor154 Tainted: G    B             4.17.0+ #105
[   31.516891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.526217] Call Trace:
[   31.528784]  dump_stack+0x1c9/0x2b4
[   31.532391]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.537564]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.542296]  panic+0x238/0x4e7
[   31.545465]  ? add_taint.cold.5+0x16/0x16
[   31.549591]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.553978]  ? process_preds+0x3ecf/0x4160
[   31.558188]  kasan_end_report+0x47/0x4f
[   31.562138]  kasan_report.cold.7+0x76/0x2fe
[   31.566470]  __asan_report_store4_noabort+0x17/0x20
[   31.571464]  process_preds+0x3ecf/0x4160
[   31.575505]  ? filter_parse_regex+0x2b0/0x2b0
[   31.579990]  ? create_filter_start.constprop.14+0xfb/0x2b0
[   31.585602]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.590595]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.595417]  ? create_filter_start.constprop.14+0x55/0x2b0
[   31.601028]  create_filter+0x167/0x280
[   31.604897]  ? process_preds+0x4160/0x4160
[   31.609111]  ftrace_profile_set_filter+0x135/0x2f0
[   31.614024]  ? ftrace_profile_free_filter+0x70/0x70
[   31.619026]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.624538]  ? memdup_user+0x6b/0xa0
[   31.628352]  perf_event_set_filter+0x251/0x1260
[   31.632996]  ? mutex_trylock+0x2b0/0x2b0
[   31.637036]  ? __mutex_lock+0x7e8/0x1820
[   31.641077]  ? graph_lock+0x170/0x170
[   31.644855]  ? graph_lock+0x170/0x170
[   31.648641]  ? perf_pmu_unregister+0x540/0x540
[   31.653198]  ? mutex_trylock+0x2b0/0x2b0
[   31.657234]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.662747]  ? smp_call_function_single+0x2d6/0x5c0
[   31.667738]  ? find_held_lock+0x36/0x1c0
[   31.671775]  ? graph_lock+0x170/0x170
[   31.675553]  ? lock_downgrade+0x8f0/0x8f0
[   31.679679]  _perf_ioctl+0x865/0x1600
[   31.683458]  ? __do_sys_perf_event_open+0x30f0/0x30f0
[   31.688626]  ? lock_downgrade+0x8f0/0x8f0
[   31.692755]  ? kasan_check_read+0x11/0x20
[   31.696877]  ? rcu_is_watching+0x8c/0x150
[   31.701005]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[   31.705400]  ? mutex_lock_nested+0x16/0x20
[   31.709618]  ? mutex_lock_nested+0x16/0x20
[   31.713828]  ? perf_event_ctx_lock_nested+0x415/0x500
[   31.719006]  ? trace_hardirqs_on_caller+0x371/0x5c0
[   31.724006]  ? perf_event_read_event+0x450/0x450
[   31.728745]  ? fd_install+0x4d/0x60
[   31.732349]  ? __do_sys_perf_event_open+0x7c7/0x30f0
[   31.737435]  perf_ioctl+0x59/0x80
[   31.740867]  ? _perf_ioctl+0x1600/0x1600
[   31.744908]  do_vfs_ioctl+0x1de/0x1720
[   31.748777]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.754291]  ? ioctl_preallocate+0x300/0x300
[   31.758678]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.764193]  ? __fget_light+0x2f7/0x440
[   31.768147]  ? fget_raw+0x20/0x20
[   31.771580]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.777103]  ? __do_page_fault+0x449/0xe50
[   31.781314]  ? mm_fault_error+0x380/0x380
[   31.785443]  ? security_file_ioctl+0x94/0xc0
[   31.789830]  ksys_ioctl+0xa9/0xd0
[   31.793270]  __x64_sys_ioctl+0x73/0xb0
[   31.797135]  do_syscall_64+0x1b9/0x820
[   31.801012]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.805925]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.810834]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.816178]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.820997]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.826166] RIP: 0033:0x43fdb9
[   31.829330] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.848445] RSP: 002b:00007ffdcf4b7138 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   31.856138] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   31.863385] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   31.870631] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   31.877876] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   31.885119] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   31.892814] Dumping ftrace buffer:
[   31.896500]    (ftrace buffer empty)
[   31.900183] Kernel Offset: disabled
[   31.903784] Rebooting in 86400 seconds..