[....] Starting OpenBSD Secure Shell server: sshd
[   20.031707] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.134739] random: sshd: uninitialized urandom read (32 bytes read)
[   22.416815] sshd (4494) used greatest stack depth: 16360 bytes left
[   22.433491] random: sshd: uninitialized urandom read (32 bytes read)
[   23.186219] random: sshd: uninitialized urandom read (32 bytes read)
[   23.346170] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts.
[   28.838491] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   28.942242] ==================================================================
[   28.949688] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0
[   28.956595] Write of size 4 at addr ffff8801d2142ff0 by task syz-executor906/4510
[   28.964189]
[   28.965805] CPU: 0 PID: 4510 Comm: syz-executor906 Not tainted 4.17.0-rc3+ #1
[   28.973067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.982399] Call Trace:
[   28.984973]  dump_stack+0x1b9/0x294
[   28.988583]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.993786]  ? printk+0x9e/0xba
[   28.997048]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.001789]  ? kasan_check_write+0x14/0x20
[   29.006008]  print_address_description+0x6c/0x20b
[   29.010842]  ? process_preds+0x191f/0x19d0
[   29.015059]  kasan_report.cold.7+0x242/0x2fe
[   29.019449]  __asan_report_store4_noabort+0x17/0x20
[   29.024449]  process_preds+0x191f/0x19d0
[   29.028497]  ? parse_pred+0x28e0/0x28e0
[   29.032455]  ? create_filter_start.constprop.12+0x55/0x2b0
[   29.038074]  create_filter+0x155/0x270
[   29.041950]  ? process_preds+0x19d0/0x19d0
[   29.046172]  ftrace_profile_set_filter+0x130/0x2e0
[   29.051085]  ? ftrace_profile_free_filter+0x70/0x70
[   29.056085]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.061606]  ? memdup_user+0x6b/0xa0
[   29.065304]  perf_event_set_filter+0x248/0x1230
[   29.069960]  ? mutex_trylock+0x2a0/0x2a0
[   29.074004]  ? perf_pmu_unregister+0x530/0x530
[   29.078581]  ? __thp_get_unmapped_area+0x180/0x180
[   29.083502]  ? graph_lock+0x170/0x170
[   29.087294]  ? lock_downgrade+0x8e0/0x8e0
[   29.091427]  ? kasan_check_read+0x11/0x20
[   29.095556]  ? rcu_is_watching+0x85/0x140
[   29.099686]  ? __lock_is_held+0xb5/0x140
[   29.103731]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   29.108906]  _perf_ioctl+0x84c/0x15e0
[   29.112691]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[   29.117868]  ? lock_downgrade+0x8e0/0x8e0
[   29.122002]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.127533]  ? kasan_check_read+0x11/0x20
[   29.131662]  ? rcu_is_watching+0x85/0x140
[   29.135792]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.140966]  ? mutex_lock_nested+0x16/0x20
[   29.145188]  ? mutex_lock_nested+0x16/0x20
[   29.149409]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   29.154582]  ? perf_event_read_event+0x430/0x430
[   29.159319]  ? find_held_lock+0x36/0x1c0
[   29.163366]  perf_ioctl+0x59/0x80
[   29.166807]  ? _perf_ioctl+0x15e0/0x15e0
[   29.170848]  do_vfs_ioctl+0x1cf/0x16a0
[   29.174719]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.180247]  ? ioctl_preallocate+0x2e0/0x2e0
[   29.184640]  ? fget_raw+0x20/0x20
[   29.188077]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.193596]  ? __do_page_fault+0x441/0xe40
[   29.197817]  ? mm_fault_error+0x380/0x380
[   29.201950]  ? security_file_ioctl+0x94/0xc0
[   29.206343]  ksys_ioctl+0xa9/0xd0
[   29.209778]  __x64_sys_ioctl+0x73/0xb0
[   29.213648]  do_syscall_64+0x1b1/0x800
[   29.217531]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.222440]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.227359]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.232887]  ? retint_user+0x18/0x18
[   29.236587]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.241417]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.246589] RIP: 0033:0x43fdb9
[   29.249760] RSP: 002b:00007fff4972e4f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   29.257459] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   29.264746] RDX: 0000000020000200 RSI: 0000000040082406 RDI: 0000000000000003
[   29.271997] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.279256] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   29.286511] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   29.293769]
[   29.295378] Allocated by task 1:
[   29.298754]  save_stack+0x43/0xd0
[   29.302190]  kasan_kmalloc+0xc4/0xe0
[   29.305889]  kasan_slab_alloc+0x12/0x20
[   29.309853]  kmem_cache_alloc+0x12e/0x760
[   29.313985]  __kernfs_new_node+0xe7/0x580
[   29.318129]  kernfs_new_node+0x80/0xf0
[   29.321999]  __kernfs_create_file+0x4d/0x330
[   29.326400]  sysfs_add_file_mode_ns+0x21a/0x560
[   29.331058]  sysfs_create_file_ns+0x8b/0xb0
[   29.335378]  kobject_add_internal+0x4df/0xac0
[   29.339855]  kobject_add+0x13a/0x190
[   29.343550]  irq_sysfs_add+0x3e/0x60
[   29.347246]  __irq_alloc_descs+0x24e/0x3d0
[   29.351475]  irq_domain_alloc_descs+0xa7/0x130
[   29.356045]  __irq_domain_alloc_irqs+0x31c/0x830
[   29.360796]  msi_domain_alloc_irqs+0x292/0xc60
[   29.365365]  native_setup_msi_irqs+0xd9/0x130
[   29.369845]  arch_setup_msi_irqs+0x10/0x20
[   29.374070]  pci_msi_setup_msi_irqs+0x99/0xe0
[   29.378553]  __pci_enable_msix+0x9e9/0x13d0
[   29.382867]  pci_alloc_irq_vectors_affinity+0x176/0x290
[   29.388213]  vp_find_vqs_msix+0x232/0xcd0
[   29.392345]  vp_find_vqs+0x57/0x4b0
[   29.395953]  virtscsi_init+0x380/0xa10
[   29.399839]  virtscsi_probe+0x41e/0xf04
[   29.403797]  virtio_dev_probe+0x592/0x942
[   29.407928]  driver_probe_device+0x69b/0x960
[   29.412318]  __driver_attach+0x1b2/0x1f0
[   29.416369]  bus_for_each_dev+0x151/0x1d0
[   29.420497]  driver_attach+0x3d/0x50
[   29.424191]  bus_add_driver+0x4b2/0x600
[   29.428144]  driver_register+0x1bf/0x320
[   29.432204]  register_virtio_driver+0x79/0xd0
[   29.436681]  init+0xa3/0x114
[   29.439681]  do_one_initcall+0x127/0x913
[   29.443736]  kernel_init_freeable+0x49b/0x58e
[   29.448215]  kernel_init+0x11/0x1b3
[   29.451829]  ret_from_fork+0x3a/0x50
[   29.455518]
[   29.457127] Freed by task 0:
[   29.460119] (stack is not available)
[   29.463813]
[   29.465424] The buggy address belongs to the object at ffff8801d2142ee0
[   29.465424]  which belongs to the cache kernfs_node_cache of size 160
[   29.478593] The buggy address is located 112 bytes to the right of
[   29.478593]  160-byte region [ffff8801d2142ee0, ffff8801d2142f80)
[   29.490968] The buggy address belongs to the page:
[   29.495880] page:ffffea0007485080 count:1 mapcount:0 mapping:ffff8801d2142000 index:0xffff8801d2142fee
[   29.505327] flags: 0x2fffc0000000100(slab)
[   29.509546] raw: 02fffc0000000100 ffff8801d2142000 ffff8801d2142fee 0000000100000012
[   29.517419] raw: ffffea0007485060 ffffea000744e6e0 ffff8801da988640 0000000000000000
[   29.525276] page dumped because: kasan: bad access detected
[   29.530962]
[   29.532563] Memory state around the buggy address:
[   29.537479]  ffff8801d2142e80: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
[   29.544826]  ffff8801d2142f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.552172] >ffff8801d2142f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.559509]                                                              ^
[   29.566504]  ffff8801d2143000: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   29.573844]  ffff8801d2143080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.581195] ==================================================================
[   29.588534] Disabling lock debugging due to kernel taint
[   29.594088] Kernel panic - not syncing: panic_on_warn set ...
[   29.594088]
[   29.601464] CPU: 0 PID: 4510 Comm: syz-executor906 Tainted: G    B            4.17.0-rc3+ #1
[   29.610123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.619457] Call Trace:
[   29.622031]  dump_stack+0x1b9/0x294
[   29.625646]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.630819]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.635553]  ? process_preds+0x1910/0x19d0
[   29.639764]  panic+0x22f/0x4de
[   29.642934]  ? add_taint.cold.5+0x16/0x16
[   29.647064]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.651450]  ? do_raw_spin_unlock+0x9e/0x2e0
[   29.655846]  ? process_preds+0x191f/0x19d0
[   29.660070]  kasan_end_report+0x47/0x4f
[   29.664031]  kasan_report.cold.7+0x76/0x2fe
[   29.668334]  __asan_report_store4_noabort+0x17/0x20
[   29.673329]  process_preds+0x191f/0x19d0
[   29.677372]  ? parse_pred+0x28e0/0x28e0
[   29.681325]  ? create_filter_start.constprop.12+0x55/0x2b0
[   29.686929]  create_filter+0x155/0x270
[   29.690799]  ? process_preds+0x19d0/0x19d0
[   29.695030]  ftrace_profile_set_filter+0x130/0x2e0
[   29.699943]  ? ftrace_profile_free_filter+0x70/0x70
[   29.704945]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.710470]  ? memdup_user+0x6b/0xa0
[   29.714173]  perf_event_set_filter+0x248/0x1230
[   29.718825]  ? mutex_trylock+0x2a0/0x2a0
[   29.722872]  ? perf_pmu_unregister+0x530/0x530
[   29.727453]  ? __thp_get_unmapped_area+0x180/0x180
[   29.732367]  ? graph_lock+0x170/0x170
[   29.736161]  ? lock_downgrade+0x8e0/0x8e0
[   29.740290]  ? kasan_check_read+0x11/0x20
[   29.744422]  ? rcu_is_watching+0x85/0x140
[   29.748550]  ? __lock_is_held+0xb5/0x140
[   29.752610]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   29.757792]  _perf_ioctl+0x84c/0x15e0
[   29.761575]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[   29.766751]  ? lock_downgrade+0x8e0/0x8e0
[   29.770886]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.776410]  ? kasan_check_read+0x11/0x20
[   29.780541]  ? rcu_is_watching+0x85/0x140
[   29.784679]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.789939]  ? mutex_lock_nested+0x16/0x20
[   29.794176]  ? mutex_lock_nested+0x16/0x20
[   29.798394]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   29.803567]  ? perf_event_read_event+0x430/0x430
[   29.808304]  ? find_held_lock+0x36/0x1c0
[   29.812350]  perf_ioctl+0x59/0x80
[   29.815785]  ? _perf_ioctl+0x15e0/0x15e0
[   29.819826]  do_vfs_ioctl+0x1cf/0x16a0
[   29.823695]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.829217]  ? ioctl_preallocate+0x2e0/0x2e0
[   29.833622]  ? fget_raw+0x20/0x20
[   29.837059]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.842579]  ? __do_page_fault+0x441/0xe40
[   29.846796]  ? mm_fault_error+0x380/0x380
[   29.850925]  ? security_file_ioctl+0x94/0xc0
[   29.855315]  ksys_ioctl+0xa9/0xd0
[   29.858750]  __x64_sys_ioctl+0x73/0xb0
[   29.862618]  do_syscall_64+0x1b1/0x800
[   29.866493]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.871402]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.876317]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.881837]  ? retint_user+0x18/0x18
[   29.885532]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.890359]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.895530] RIP: 0033:0x43fdb9
[   29.898700] RSP: 002b:00007fff4972e4f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   29.906403] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   29.913652] RDX: 0000000020000200 RSI: 0000000040082406 RDI: 0000000000000003
[   29.920900] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   29.928149] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   29.935407] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   29.943184] Dumping ftrace buffer:
[   29.946702]    (ftrace buffer empty)
[   29.950388] Kernel Offset: disabled
[   29.954002] Rebooting in 86400 seconds..
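The report above, read the way a triage script would read it. This is an added example; it is not part of the syzkaller log and not syzkaller or kernel code. The sample lines are copied verbatim from the report, the _IOC() bit layout and the ORIG_RAX value 16 = ioctl are the standard x86-64 uapi definitions, and the ioctl name table is assumed to hold only the one entry this report needs (PERF_EVENT_IOC_SET_FILTER, defined as _IOW('$', 6, char *) in include/uapi/linux/perf_event.h). From the report's own numbers it shows that the 4-byte write in process_preds lands 112 bytes past the end of a 160-byte kernfs_node_cache object that sysfs allocated at boot for an IRQ descriptor (the "Allocated by task 1" stack), and that the syscall frame is ioctl(3, PERF_EVENT_IOC_SET_FILTER, 0x20000200), which is consistent with the perf_event_set_filter frame in the call trace.

```python
"""Triage helper for the KASAN slab-out-of-bounds report above.

Added example, not part of the syzkaller log.  It parses the report lines
that matter for triage, works out where the access landed relative to the
slab object, and decodes the syscall-entry registers (ORIG_RAX, RDI, RSI,
RDX) using the x86-64 syscall ABI and the Linux _IOC() ioctl layout from
include/uapi/asm-generic/ioctl.h.
"""
import re

# Sample input: lines copied verbatim from the report above.
REPORT = """\
[   28.949688] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0
[   28.956595] Write of size 4 at addr ffff8801d2142ff0 by task syz-executor906/4510
[   29.249760] RSP: 002b:00007fff4972e4f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   29.264746] RDX: 0000000020000200 RSI: 0000000040082406 RDI: 0000000000000003
[   29.465424] The buggy address belongs to the object at ffff8801d2142ee0
[   29.465424]  which belongs to the cache kernfs_node_cache of size 160
"""

# _IOC(dir, type, nr, size) bit layout: nr[7:0] type[15:8] size[29:16] dir[31:30].
_IOC_NRSHIFT, _IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 0, 8, 16, 30
_IOC_SIZEMASK = (1 << 14) - 1
_IOC_WRITE = 1

def _ioc(direction, typ, nr, size):
    """Python equivalent of the kernel's _IOC() macro."""
    return ((direction << _IOC_DIRSHIFT) | (typ << _IOC_TYPESHIFT)
            | (size << _IOC_SIZESHIFT) | (nr << _IOC_NRSHIFT))

# PERF_EVENT_IOC_SET_FILTER is _IOW('$', 6, char *); sizeof(char *) is 8 on
# x86-64.  Assumption: only the entry this report needs is listed.
KNOWN_IOCTLS = {_ioc(_IOC_WRITE, ord("$"), 6, 8): "PERF_EVENT_IOC_SET_FILTER"}
X86_64_SYSCALLS = {16: "ioctl"}  # ORIG_RAX; again only the entry needed here

def decode_ioctl(request):
    """Split an ioctl request number into its _IOC fields and name it if known."""
    request &= 0xFFFFFFFF  # the register shows the 32-bit request zero-extended
    return {
        "dir": (request >> _IOC_DIRSHIFT) & 0x3,
        "type": chr((request >> _IOC_TYPESHIFT) & 0xFF),
        "nr": (request >> _IOC_NRSHIFT) & 0xFF,
        "size": (request >> _IOC_SIZESHIFT) & _IOC_SIZEMASK,
        "name": KNOWN_IOCTLS.get(request),
    }

def _strip_timestamp(line):
    """Drop the printk '[   29.465424] ' prefix and the indent that follows it."""
    return re.sub(r"^\[\s*[\d.]+\]\s*", "", line)

def parse_kasan(text):
    """Extract access, object geometry and syscall arguments from a KASAN slab report."""
    info = {}
    for line in map(_strip_timestamp, text.splitlines()):
        m = re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+", line)
        if m:
            info["bug"], info["func"] = m.group(1), m.group(2)
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line)
        if m:
            info.update(access=m.group(1).lower(), size=int(m.group(2)),
                        addr=int(m.group(3), 16), task=m.group(4))
        m = re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line)
        if m:
            info["obj"] = int(m.group(1), 16)
        m = re.match(r"which belongs to the cache (\S+) of size (\d+)", line)
        if m:
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
        m = re.search(r"ORIG_RAX: ([0-9a-f]{16})", line)
        if m:
            nr = int(m.group(1), 16)
            info["syscall"] = X86_64_SYSCALLS.get(nr, nr)
        m = re.search(r"RDX: ([0-9a-f]{16}) RSI: ([0-9a-f]{16}) RDI: ([0-9a-f]{16})", line)
        if m:
            # ioctl(fd, request, arg) arrives in RDI, RSI, RDX under the x86-64 ABI.
            info["fd"] = int(m.group(3), 16)
            info["ioctl"] = decode_ioctl(int(m.group(2), 16))
            info["arg"] = int(m.group(1), 16)
    # Positive offset_from_end: the access is that many bytes past the object's
    # end (an overflow into the slab's redzone or a neighbour, as here).
    # in_object is True when the address lies inside [obj, obj + obj_size).
    end = info["obj"] + info["obj_size"]
    info["offset_from_end"] = info["addr"] - end
    info["in_object"] = info["obj"] <= info["addr"] < end
    return info

if __name__ == "__main__":
    for key, value in parse_kasan(REPORT).items():
        print(f"{key:>16}: {value}")
```

The argument at 0x20000200 is the user-space filter string that perf_event_set_filter copies in with memdup_user and that process_preds then walks; its contents are not in this log, so the script stops at the pointer. Reproducing the crash needs the syzkaller program that produced it, which this page does not include.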