[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   21.879723] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.698814] random: sshd: uninitialized urandom read (32 bytes read)
[   23.917276] random: sshd: uninitialized urandom read (32 bytes read)
[   24.420362] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
[   30.131839] urandom_read: 1 callbacks suppressed
[   30.131844] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.231066] vhci_hcd: invalid port number 132
[   30.235732] ==================================================================
[   30.243193] BUG: KASAN: use-after-free in vhci_hub_control+0x1b88/0x1bf0
[   30.250019] Read of size 4 at addr ffff8801ce635ebc by task syz-executor268/4643
[   30.257523]
[   30.259137] CPU: 1 PID: 4643 Comm: syz-executor268 Not tainted 4.19.0-rc1+ #217
[   30.266569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.275896] Call Trace:
[   30.278470]  dump_stack+0x1c9/0x2b4
[   30.282082]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.287271]  ? printk+0xa7/0xcf
[   30.290530]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.295269]  ? vhci_hub_control+0x1b88/0x1bf0
[   30.299743]  print_address_description+0x6c/0x20b
[   30.304561]  ? vhci_hub_control+0x1b88/0x1bf0
[   30.309034]  kasan_report.cold.7+0x242/0x30d
[   30.313431]  __asan_report_load4_noabort+0x14/0x20
[   30.318383]  vhci_hub_control+0x1b88/0x1bf0
[   30.322690]  ? vhci_hcd_probe+0x240/0x240
[   30.326832]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.331829]  ? __kmalloc+0x594/0x720
[   30.335530]  ? kasan_check_write+0x14/0x20
[   30.339745]  ? do_raw_spin_lock+0xc1/0x200
[   30.343958]  ? usb_hcd_submit_urb+0x70e/0x2160
[   30.348540]  usb_hcd_submit_urb+0x184a/0x2160
[   30.353014]  ? vhci_hcd_probe+0x240/0x240
[   30.357150]  ? usb_create_hcd+0x40/0x40
[   30.361115]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.366467]  ? __x64_sys_ioctl+0x73/0xb0
[   30.370505]  ? do_syscall_64+0x1b9/0x820
[   30.374542]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.379914]  ? find_held_lock+0x36/0x1c0
[   30.383956]  ? __lockdep_init_map+0x105/0x590
[   30.388429]  ? __lockdep_init_map+0x105/0x590
[   30.392906]  usb_submit_urb+0x895/0x14d0
[   30.396945]  ? rcu_is_watching+0x8c/0x150
[   30.401072]  usb_start_wait_urb+0x140/0x360
[   30.405373]  ? sg_clean+0x240/0x240
[   30.408986]  usb_control_msg+0x332/0x4e0
[   30.413040]  ? usb_start_wait_urb+0x360/0x360
[   30.417512]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.423078]  proc_control+0x99b/0xef0
[   30.426909]  ? proc_bulk+0xaa0/0xaa0
[   30.430602]  ? lock_downgrade+0x8f0/0x8f0
[   30.434735]  usbdev_do_ioctl+0x1eb4/0x3b30
[   30.438950]  ? processcompl_compat+0x680/0x680
[   30.443510]  ? mntput_no_expire+0x1ea/0xc10
[   30.447810]  ? __lock_acquire+0x7fc/0x5020
[   30.452023]  ? graph_lock+0x170/0x170
[   30.455801]  ? dput.part.26+0x276/0x7a0
[   30.459766]  ? find_held_lock+0x36/0x1c0
[   30.463829]  ? lock_downgrade+0x8f0/0x8f0
[   30.467958]  ? kasan_check_read+0x11/0x20
[   30.472082]  ? rcu_is_watching+0x8c/0x150
[   30.476216]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   30.480864]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   30.485529]  ? is_bpf_text_address+0xd7/0x170
[   30.490011]  ? kernel_text_address+0x79/0xf0
[   30.494398]  ? __kernel_text_address+0xd/0x40
[   30.498872]  ? unwind_get_return_address+0x61/0xa0
[   30.503779]  ? __save_stack_trace+0x8d/0xf0
[   30.508102]  ? save_stack+0xa9/0xd0
[   30.511718]  ? save_stack+0x43/0xd0
[   30.515324]  ? __kasan_slab_free+0x11a/0x170
[   30.519718]  ? kasan_slab_free+0xe/0x10
[   30.523671]  ? kmem_cache_free+0x86/0x280
[   30.527795]  ? putname+0xf2/0x130
[   30.531314]  ? do_sys_open+0x569/0x720
[   30.535191]  ? __x64_sys_open+0x7e/0xc0
[   30.539156]  ? do_syscall_64+0x1b9/0x820
[   30.543209]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.548554]  ? trace_hardirqs_off+0xb8/0x2b0
[   30.552939]  ? kasan_check_read+0x11/0x20
[   30.557065]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.561447]  ? trace_hardirqs_on+0x2c0/0x2c0
[   30.565830]  ? kasan_check_write+0x14/0x20
[   30.570039]  ? trace_hardirqs_off+0xb8/0x2b0
[   30.574431]  usbdev_ioctl+0x25/0x30
[   30.578034]  ? usbdev_compat_ioctl+0x30/0x30
[   30.582418]  do_vfs_ioctl+0x1de/0x1720
[   30.586282]  ? kasan_check_read+0x11/0x20
[   30.590407]  ? rcu_is_watching+0x8c/0x150
[   30.594530]  ? trace_hardirqs_on+0xbd/0x2c0
[   30.598830]  ? ioctl_preallocate+0x300/0x300
[   30.603221]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.608736]  ? __fget_light+0x2f7/0x440
[   30.612699]  ? putname+0xf2/0x130
[   30.616152]  ? fget_raw+0x20/0x20
[   30.619590]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.624583]  ? kmem_cache_free+0x246/0x280
[   30.628813]  ? do_syscall_64+0x9a/0x820
[   30.632783]  ? do_syscall_64+0x9a/0x820
[   30.636753]  ? lockdep_hardirqs_on+0x421/0x5c0
[   30.641310]  ? security_file_ioctl+0x94/0xc0
[   30.645714]  ksys_ioctl+0xa9/0xd0
[   30.649172]  __x64_sys_ioctl+0x73/0xb0
[   30.653046]  do_syscall_64+0x1b9/0x820
[   30.656936]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   30.662276]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.667198]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.672028]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   30.677037]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   30.682032]  ? prepare_exit_to_usermode+0x291/0x3b0
[   30.687026]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.691845]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.697022] RIP: 0033:0x443d89
[   30.700205] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   30.719103] RSP: 002b:00007ffe827be308 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   30.726828] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443d89
[   30.734072] RDX: 0000000020000100 RSI: 00000000c0185500 RDI: 0000000000000003
[   30.741314] RBP: 00000000006ce018 R08: 0000000000000000 R09: 00000000004002e0
[   30.748564] R10: 000000000000000f R11: 0000000000000213 R12: 0000000000401a90
[   30.755807] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   30.763058]
[   30.764673] The buggy address belongs to the page:
[   30.769578] page:ffffea0007398d40 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   30.777695] flags: 0x2fffc0000000000()
[   30.781560] raw: 02fffc0000000000 0000000000000000 ffffffff07390101 0000000000000000
[   30.789417] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   30.797268] page dumped because: kasan: bad access detected
[   30.802947]
[   30.804548] Memory state around the buggy address:
[   30.809451]  ffff8801ce635d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.816794]  ffff8801ce635e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.824145] >ffff8801ce635e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.831506]                                         ^
[   30.836669]  ffff8801ce635f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.844002]  ffff8801ce635f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.851340] ==================================================================
[   30.858672] Disabling lock debugging due to kernel taint
[   30.864106] Kernel panic - not syncing: panic_on_warn set ...
[   30.864106]
[   30.871454] CPU: 1 PID: 4643 Comm: syz-executor268 Tainted: G    B             4.19.0-rc1+ #217
[   30.880273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.889610] Call Trace:
[   30.892188]  dump_stack+0x1c9/0x2b4
[   30.895805]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.900966]  ? lock_downgrade+0x8f0/0x8f0
[   30.905085]  panic+0x238/0x4e7
[   30.908262]  ? add_taint.cold.5+0x16/0x16
[   30.912384]  ? add_taint.cold.5+0x5/0x16
[   30.916419]  ? trace_hardirqs_off+0xaf/0x2b0
[   30.920811]  ? trace_hardirqs_off+0x77/0x2b0
[   30.925198]  ? vhci_hub_control+0x1b88/0x1bf0
[   30.929681]  kasan_end_report+0x47/0x4f
[   30.933628]  kasan_report.cold.7+0x76/0x30d
[   30.937929]  __asan_report_load4_noabort+0x14/0x20
[   30.942837]  vhci_hub_control+0x1b88/0x1bf0
[   30.947143]  ? vhci_hcd_probe+0x240/0x240
[   30.951282]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.956271]  ? __kmalloc+0x594/0x720
[   30.959957]  ? kasan_check_write+0x14/0x20
[   30.964163]  ? do_raw_spin_lock+0xc1/0x200
[   30.968371]  ? usb_hcd_submit_urb+0x70e/0x2160
[   30.972927]  usb_hcd_submit_urb+0x184a/0x2160
[   30.977397]  ? vhci_hcd_probe+0x240/0x240
[   30.981569]  ? usb_create_hcd+0x40/0x40
[   30.985535]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.990874]  ? __x64_sys_ioctl+0x73/0xb0
[   30.994923]  ? do_syscall_64+0x1b9/0x820
[   30.998957]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.004296]  ? find_held_lock+0x36/0x1c0
[   31.008339]  ? __lockdep_init_map+0x105/0x590
[   31.012822]  ? __lockdep_init_map+0x105/0x590
[   31.017294]  usb_submit_urb+0x895/0x14d0
[   31.021338]  ? rcu_is_watching+0x8c/0x150
[   31.025465]  usb_start_wait_urb+0x140/0x360
[   31.029764]  ? sg_clean+0x240/0x240
[   31.033392]  usb_control_msg+0x332/0x4e0
[   31.037452]  ? usb_start_wait_urb+0x360/0x360
[   31.041929]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.047445]  proc_control+0x99b/0xef0
[   31.051242]  ? proc_bulk+0xaa0/0xaa0
[   31.054944]  ? lock_downgrade+0x8f0/0x8f0
[   31.059071]  usbdev_do_ioctl+0x1eb4/0x3b30
[   31.063282]  ? processcompl_compat+0x680/0x680
[   31.067837]  ? mntput_no_expire+0x1ea/0xc10
[   31.072151]  ? __lock_acquire+0x7fc/0x5020
[   31.076381]  ? graph_lock+0x170/0x170
[   31.080168]  ? dput.part.26+0x276/0x7a0
[   31.084126]  ? find_held_lock+0x36/0x1c0
[   31.088180]  ? lock_downgrade+0x8f0/0x8f0
[   31.092302]  ? kasan_check_read+0x11/0x20
[   31.096424]  ? rcu_is_watching+0x8c/0x150
[   31.100545]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   31.105186]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   31.109829]  ? is_bpf_text_address+0xd7/0x170
[   31.114307]  ? kernel_text_address+0x79/0xf0
[   31.118704]  ? __kernel_text_address+0xd/0x40
[   31.123189]  ? unwind_get_return_address+0x61/0xa0
[   31.128104]  ? __save_stack_trace+0x8d/0xf0
[   31.132414]  ? save_stack+0xa9/0xd0
[   31.136016]  ? save_stack+0x43/0xd0
[   31.139631]  ? __kasan_slab_free+0x11a/0x170
[   31.144024]  ? kasan_slab_free+0xe/0x10
[   31.147968]  ? kmem_cache_free+0x86/0x280
[   31.152104]  ? putname+0xf2/0x130
[   31.155541]  ? do_sys_open+0x569/0x720
[   31.159469]  ? __x64_sys_open+0x7e/0xc0
[   31.163421]  ? do_syscall_64+0x1b9/0x820
[   31.167470]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.172808]  ? trace_hardirqs_off+0xb8/0x2b0
[   31.177195]  ? kasan_check_read+0x11/0x20
[   31.181322]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.185714]  ? trace_hardirqs_on+0x2c0/0x2c0
[   31.190104]  ? kasan_check_write+0x14/0x20
[   31.194325]  ? trace_hardirqs_off+0xb8/0x2b0
[   31.198722]  usbdev_ioctl+0x25/0x30
[   31.202336]  ? usbdev_compat_ioctl+0x30/0x30
[   31.206723]  do_vfs_ioctl+0x1de/0x1720
[   31.210601]  ? kasan_check_read+0x11/0x20
[   31.214744]  ? rcu_is_watching+0x8c/0x150
[   31.218870]  ? trace_hardirqs_on+0xbd/0x2c0
[   31.223174]  ? ioctl_preallocate+0x300/0x300
[   31.227567]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.233084]  ? __fget_light+0x2f7/0x440
[   31.237053]  ? putname+0xf2/0x130
[   31.240480]  ? fget_raw+0x20/0x20
[   31.243924]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.248914]  ? kmem_cache_free+0x246/0x280
[   31.253143]  ? do_syscall_64+0x9a/0x820
[   31.257130]  ? do_syscall_64+0x9a/0x820
[   31.261102]  ? lockdep_hardirqs_on+0x421/0x5c0
[   31.265680]  ? security_file_ioctl+0x94/0xc0
[   31.270068]  ksys_ioctl+0xa9/0xd0
[   31.273502]  __x64_sys_ioctl+0x73/0xb0
[   31.277370]  do_syscall_64+0x1b9/0x820
[   31.281241]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   31.286582]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.291523]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.296351]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   31.301351]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   31.306352]  ? prepare_exit_to_usermode+0x291/0x3b0
[   31.311353]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.316171]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.321355] RIP: 0033:0x443d89
[   31.324527] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.343401] RSP: 002b:00007ffe827be308 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   31.351084] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443d89
[   31.358341] RDX: 0000000020000100 RSI: 00000000c0185500 RDI: 0000000000000003
[   31.365584] RBP: 00000000006ce018 R08: 0000000000000000 R09: 00000000004002e0
[   31.372825] R10: 000000000000000f R11: 0000000000000213 R12: 0000000000401a90
[   31.380075] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   31.387665] Dumping ftrace buffer:
[   31.391190]    (ftrace buffer empty)
[   31.394875] Kernel Offset: disabled
[   31.398478] Rebooting in 86400 seconds..