[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.684366] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.506938] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.101761] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.993913] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.156648] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[ 31.625947] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 31.725566] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 31.748370] ==================================================================
[ 31.755759] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3829/0x5020
[ 31.762799] Read of size 8 at addr ffff8801ad925e08 by task syz-executor884/4438
[ 31.770317]
[ 31.771931] CPU: 0 PID: 4438 Comm: syz-executor884 Not tainted 4.18.0-rc6+ #167
[ 31.779354] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.788686] Call Trace:
[ 31.791263]  dump_stack+0x1c9/0x2b4
[ 31.794872]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.800044]  ? printk+0xa7/0xcf
[ 31.803306]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.808058]  ? __lock_acquire+0x3829/0x5020
[ 31.812359]  print_address_description+0x6c/0x20b
[ 31.817181]  ? __lock_acquire+0x3829/0x5020
[ 31.821481]  kasan_report.cold.7+0x242/0x2fe
[ 31.825869]  __asan_report_load8_noabort+0x14/0x20
[ 31.830778]  __lock_acquire+0x3829/0x5020
[ 31.834906]  ? print_usage_bug+0xc0/0xc0
[ 31.838951]  ? trace_hardirqs_on+0x10/0x10
[ 31.843181]  ? lock_downgrade+0x8f0/0x8f0
[ 31.847311]  ? mark_held_locks+0xc9/0x160
[ 31.851447]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.856018]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 31.861113]  ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 31.866122]  ? trace_hardirqs_on+0xd/0x10
[ 31.870263]  ? depot_save_stack+0x291/0x470
[ 31.874586]  ? save_stack+0xa9/0xd0
[ 31.878194]  ? save_stack+0x43/0xd0
[ 31.881800]  ? kasan_kmalloc+0xc4/0xe0
[ 31.885667]  ? __kmalloc_node+0x47/0x70
[ 31.889635]  ? sock_hash_ctx_update_elem.isra.26+0xa86/0x14d0
[ 31.895515]  ? sock_hash_update_elem+0x1e2/0x510
[ 31.900254]  ? map_update_elem+0x72d/0xcb0
[ 31.904470]  ? __x64_sys_bpf+0x32d/0x510
[ 31.908510]  ? do_syscall_64+0x1b9/0x820
[ 31.912563]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.917914]  ? graph_lock+0x170/0x170
[ 31.921695]  ? print_usage_bug+0xc0/0xc0
[ 31.925738]  ? graph_lock+0x170/0x170
[ 31.929522]  lock_acquire+0x1e4/0x540
[ 31.933304]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 31.939179]  ? lock_release+0xa30/0xa30
[ 31.943142]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.948148]  ? kmem_cache_alloc_node_trace+0x34e/0x770
[ 31.953408]  ? kasan_unpoison_shadow+0x35/0x50
[ 31.957977]  ? kasan_kmalloc+0xc4/0xe0
[ 31.961846]  _raw_spin_lock_bh+0x31/0x40
[ 31.965889]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 31.971762]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 31.977455]  ? smap_data_ready+0x320/0x320
[ 31.981675]  ? print_usage_bug+0xc0/0xc0
[ 31.985715]  ? find_held_lock+0x36/0x1c0
[ 31.989772]  ? lock_acquire+0x1e4/0x540
[ 31.993732]  ? lock_acquire+0x1e4/0x540
[ 31.997688]  ? sock_hash_update_elem+0x130/0x510
[ 32.002447]  ? kasan_check_read+0x11/0x20
[ 32.006583]  ? rcu_is_watching+0x8c/0x150
[ 32.010714]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[ 32.015102]  ? __local_bh_enable_ip+0x161/0x230
[ 32.019755]  sock_hash_update_elem+0x1e2/0x510
[ 32.024328]  ? bpf_sock_hash_update+0x90/0x90
[ 32.028807]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.034326]  ? _copy_from_user+0xdf/0x150
[ 32.038458]  ? bpf_sock_hash_update+0x90/0x90
[ 32.042934]  map_update_elem+0x72d/0xcb0
[ 32.046976]  __x64_sys_bpf+0x32d/0x510
[ 32.050846]  ? bpf_prog_get+0x20/0x20
[ 32.054626]  ? ksys_ioctl+0x81/0xd0
[ 32.058253]  ? do_syscall_64+0x9a/0x820
[ 32.062225]  do_syscall_64+0x1b9/0x820
[ 32.066094]  ? syscall_slow_exit_work+0x500/0x500
[ 32.070914]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 32.075823]  ? syscall_return_slowpath+0x31d/0x5e0
[ 32.080753]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.086098]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.090924]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.096094] RIP: 0033:0x440449
[ 32.099257] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.118355] RSP: 002b:00007ffd721a7e58 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[ 32.126051] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[ 32.133302] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[ 32.140559] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 32.147809] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[ 32.155061] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[ 32.162319]
[ 32.163927] Allocated by task 4438:
[ 32.167546]  save_stack+0x43/0xd0
[ 32.171110]  kasan_kmalloc+0xc4/0xe0
[ 32.174798]  kasan_slab_alloc+0x12/0x20
[ 32.178753]  kmem_cache_alloc+0x12e/0x760
[ 32.182888]  kcm_ioctl+0xd10/0x1930
[ 32.186506]  sock_do_ioctl+0xe4/0x3e0
[ 32.190315]  sock_ioctl+0x30d/0x680
[ 32.193921]  do_vfs_ioctl+0x1de/0x1720
[ 32.197798]  ksys_ioctl+0xa9/0xd0
[ 32.201232]  __x64_sys_ioctl+0x73/0xb0
[ 32.205101]  do_syscall_64+0x1b9/0x820
[ 32.208966]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.214130]
[ 32.215734] Freed by task 0:
[ 32.218730] (stack is not available)
[ 32.222417]
[ 32.224035] The buggy address belongs to the object at ffff8801ad925bc0
[ 32.224035]  which belongs to the cache kcm_psock_cache of size 544
[ 32.237037] The buggy address is located 40 bytes to the right of
[ 32.237037]  544-byte region [ffff8801ad925bc0, ffff8801ad925de0)
[ 32.249336] The buggy address belongs to the page:
[ 32.254250] page:ffffea0006b64900 count:1 mapcount:0 mapping:ffff8801cde561c0 index:0x0 compound_mapcount: 0
[ 32.264221] flags: 0x2fffc0000008100(slab|head)
[ 32.268874] raw: 02fffc0000008100 ffff8801cdf31448 ffff8801cdf31448 ffff8801cde561c0
[ 32.276745] raw: 0000000000000000 ffff8801ad924040 000000010000000b 0000000000000000
[ 32.284600] page dumped because: kasan: bad access detected
[ 32.290296]
[ 32.291898] Memory state around the buggy address:
[ 32.296820]  ffff8801ad925d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.304158]  ffff8801ad925d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 32.311496] >ffff8801ad925e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.318829]                       ^
[ 32.322431]  ffff8801ad925e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.329766]  ffff8801ad925f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.337103] ==================================================================
[ 32.344442] Disabling lock debugging due to kernel taint
[ 32.349880] Kernel panic - not syncing: panic_on_warn set ...
[ 32.349880]
[ 32.357231] CPU: 0 PID: 4438 Comm: syz-executor884 Tainted: G B 4.18.0-rc6+ #167
[ 32.366046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.375381] Call Trace:
[ 32.377961]  dump_stack+0x1c9/0x2b4
[ 32.381578]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.386751]  ? lock_downgrade+0x8f0/0x8f0
[ 32.390883]  panic+0x238/0x4e7
[ 32.394058]  ? add_taint.cold.5+0x16/0x16
[ 32.398186]  ? add_taint.cold.5+0x5/0x16
[ 32.402235]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.406623]  ? __lock_acquire+0x3829/0x5020
[ 32.410922]  kasan_end_report+0x47/0x4f
[ 32.414885]  kasan_report.cold.7+0x76/0x2fe
[ 32.419188]  __asan_report_load8_noabort+0x14/0x20
[ 32.424111]  __lock_acquire+0x3829/0x5020
[ 32.428243]  ? print_usage_bug+0xc0/0xc0
[ 32.432296]  ? trace_hardirqs_on+0x10/0x10
[ 32.436509]  ? lock_downgrade+0x8f0/0x8f0
[ 32.440640]  ? mark_held_locks+0xc9/0x160
[ 32.444784]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 32.449358]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.454450]  ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 32.459454]  ? trace_hardirqs_on+0xd/0x10
[ 32.463587]  ? depot_save_stack+0x291/0x470
[ 32.467894]  ? save_stack+0xa9/0xd0
[ 32.471511]  ? save_stack+0x43/0xd0
[ 32.475115]  ? kasan_kmalloc+0xc4/0xe0
[ 32.478980]  ? __kmalloc_node+0x47/0x70
[ 32.482935]  ? sock_hash_ctx_update_elem.isra.26+0xa86/0x14d0
[ 32.488799]  ? sock_hash_update_elem+0x1e2/0x510
[ 32.493534]  ? map_update_elem+0x72d/0xcb0
[ 32.497749]  ? __x64_sys_bpf+0x32d/0x510
[ 32.501793]  ? do_syscall_64+0x1b9/0x820
[ 32.505834]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.511180]  ? graph_lock+0x170/0x170
[ 32.514962]  ? print_usage_bug+0xc0/0xc0
[ 32.519006]  ? graph_lock+0x170/0x170
[ 32.522796]  lock_acquire+0x1e4/0x540
[ 32.526591]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 32.532458]  ? lock_release+0xa30/0xa30
[ 32.536415]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.541422]  ? kmem_cache_alloc_node_trace+0x34e/0x770
[ 32.546680]  ? kasan_unpoison_shadow+0x35/0x50
[ 32.551245]  ? kasan_kmalloc+0xc4/0xe0
[ 32.555126]  _raw_spin_lock_bh+0x31/0x40
[ 32.559170]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 32.565047]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 32.570759]  ? smap_data_ready+0x320/0x320
[ 32.574987]  ? print_usage_bug+0xc0/0xc0
[ 32.579036]  ? find_held_lock+0x36/0x1c0
[ 32.583082]  ? lock_acquire+0x1e4/0x540
[ 32.587040]  ? lock_acquire+0x1e4/0x540
[ 32.591008]  ? sock_hash_update_elem+0x130/0x510
[ 32.595762]  ? kasan_check_read+0x11/0x20
[ 32.599888]  ? rcu_is_watching+0x8c/0x150
[ 32.604018]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[ 32.608416]  ? __local_bh_enable_ip+0x161/0x230
[ 32.613067]  sock_hash_update_elem+0x1e2/0x510
[ 32.617633]  ? bpf_sock_hash_update+0x90/0x90
[ 32.622118]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.627641]  ? _copy_from_user+0xdf/0x150
[ 32.631782]  ? bpf_sock_hash_update+0x90/0x90
[ 32.636268]  map_update_elem+0x72d/0xcb0
[ 32.640314]  __x64_sys_bpf+0x32d/0x510
[ 32.644186]  ? bpf_prog_get+0x20/0x20
[ 32.647968]  ? ksys_ioctl+0x81/0xd0
[ 32.651586]  ? do_syscall_64+0x9a/0x820
[ 32.655542]  do_syscall_64+0x1b9/0x820
[ 32.659408]  ? syscall_slow_exit_work+0x500/0x500
[ 32.664236]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 32.669143]  ? syscall_return_slowpath+0x31d/0x5e0
[ 32.674060]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.679411]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.684238]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.689410] RIP: 0033:0x440449
[ 32.692575] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.711674] RSP: 002b:00007ffd721a7e58 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[ 32.719371] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[ 32.726621] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[ 32.733870] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 32.741119] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[ 32.748366] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[ 32.756185] Dumping ftrace buffer:
[ 32.759716]    (ftrace buffer empty)
[ 32.763403] Kernel Offset: disabled
[ 32.767006] Rebooting in 86400 seconds..