[ 29.241934] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 29.822807] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.147088] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 30.668155] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.856015] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.48' (ECDSA) to the list of known hosts.
[ 36.397540] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 36.525592] kauditd_printk_skb: 10 callbacks suppressed
[ 36.525602] audit: type=1400 audit(1569262336.964:36): avc: denied { map } for pid=6856 comm="syz-executor351" path="/root/syz-executor351349758" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 36.568266] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 36.590490] ==================================================================
[ 36.598051] BUG: KASAN: use-after-free in padata_parallel_worker+0x313/0x3b0
[ 36.605235] Write of size 8 at addr ffff888089d697d8 by task kworker/0:2/3150
[ 36.612504]
[ 36.614117] CPU: 0 PID: 3150 Comm: kworker/0:2 Not tainted 4.14.146 #0
[ 36.620760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.630193] Workqueue: pencrypt padata_parallel_worker
[ 36.635452] Call Trace:
[ 36.638033] dump_stack+0x138/0x197
[ 36.641642] ? padata_parallel_worker+0x313/0x3b0
[ 36.646475] print_address_description.cold+0x7c/0x1dc
[ 36.651733] ? padata_parallel_worker+0x313/0x3b0
[ 36.656554] kasan_report.cold+0xa9/0x2af
[ 36.660686] __asan_report_store8_noabort+0x17/0x20
[ 36.665682] padata_parallel_worker+0x313/0x3b0
[ 36.670687] ? check_preemption_disabled+0x3c/0x250
[ 36.675692] ? padata_sysfs_store+0xa0/0xa0
[ 36.680087] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 36.685538] process_one_work+0x863/0x1600
[ 36.690636] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 36.695829] worker_thread+0x5d9/0x1050
[ 36.699802] kthread+0x319/0x430
[ 36.703184] ? process_one_work+0x1600/0x1600
[ 36.707678] ? kthread_create_on_node+0xd0/0xd0
[ 36.712342] ret_from_fork+0x24/0x30
[ 36.716042]
[ 36.717651] Allocated by task 6856:
[ 36.721259] save_stack_trace+0x16/0x20
[ 36.725222] save_stack+0x45/0xd0
[ 36.728665] kasan_kmalloc+0xce/0xf0
[ 36.732369] __kmalloc+0x15d/0x7a0
[ 36.735889] tls_push_record+0x10a/0x1210
[ 36.740018] tls_sw_sendmsg+0x9e8/0x1020
[ 36.745536] inet_sendmsg+0x122/0x500
[ 36.749317] sock_sendmsg+0xce/0x110
[ 36.753189] SYSC_sendto+0x206/0x310
[ 36.756887] SyS_sendto+0x40/0x50
[ 36.760335] do_syscall_64+0x1e8/0x640
[ 36.764210] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.769378]
[ 36.770988] Freed by task 6856:
[ 36.774271] save_stack_trace+0x16/0x20
[ 36.778225] save_stack+0x45/0xd0
[ 36.781750] kasan_slab_free+0x75/0xc0
[ 36.786280] kfree+0xcc/0x270
[ 36.789365] tls_push_record+0xc03/0x1210
[ 36.794110] tls_sw_sendmsg+0x9e8/0x1020
[ 36.798156] inet_sendmsg+0x122/0x500
[ 36.801935] sock_sendmsg+0xce/0x110
[ 36.805699] SYSC_sendto+0x206/0x310
[ 36.809390] SyS_sendto+0x40/0x50
[ 36.813786] do_syscall_64+0x1e8/0x640
[ 36.817655] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.822845]
[ 36.824454] The buggy address belongs to the object at ffff888089d69780
[ 36.824454]  which belongs to the cache kmalloc-256 of size 256
[ 36.837480] The buggy address is located 88 bytes inside of
[ 36.837480]  256-byte region [ffff888089d69780, ffff888089d69880)
[ 36.851009] The buggy address belongs to the page:
[ 36.856883] page:ffffea0002275a40 count:1 mapcount:0 mapping:ffff888089d69000 index:0xffff888089d69dc0
[ 36.866312] flags: 0x1fffc0000000100(slab)
[ 36.870531] raw: 01fffc0000000100 ffff888089d69000 ffff888089d69dc0 0000000100000008
[ 36.878654] raw: ffffea0002212c20 ffffea0002291160 ffff8880aa8007c0 0000000000000000
[ 36.886513] page dumped because: kasan: bad access detected
[ 36.892217]
[ 36.893828] Memory state around the buggy address:
[ 36.898739]  ffff888089d69680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.906089]  ffff888089d69700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 36.913514] >ffff888089d69780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.920867]                                          ^
[ 36.927212]  ffff888089d69800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.934563]  ffff888089d69880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 36.941901] ==================================================================
[ 36.949250] Disabling lock debugging due to kernel taint
[ 36.954737] Kernel panic - not syncing: panic_on_warn set ...
[ 36.954737]
[ 36.962100] CPU: 0 PID: 3150 Comm: kworker/0:2 Tainted: G B 4.14.146 #0
[ 36.969972] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.980414] Workqueue: pencrypt padata_parallel_worker
[ 36.985942] Call Trace:
[ 36.988603] dump_stack+0x138/0x197
[ 36.992227] ? padata_parallel_worker+0x313/0x3b0
[ 36.997047] panic+0x1f2/0x426
[ 37.000217] ? add_taint.cold+0x16/0x16
[ 37.004178] kasan_end_report+0x47/0x4f
[ 37.008142] kasan_report.cold+0x130/0x2af
[ 37.012368] __asan_report_store8_noabort+0x17/0x20
[ 37.017381] padata_parallel_worker+0x313/0x3b0
[ 37.022037] ? check_preemption_disabled+0x3c/0x250
[ 37.027038] ? padata_sysfs_store+0xa0/0xa0
[ 37.031338] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 37.036767] process_one_work+0x863/0x1600
[ 37.040982] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 37.045629] worker_thread+0x5d9/0x1050
[ 37.049590] kthread+0x319/0x430
[ 37.052954] ? process_one_work+0x1600/0x1600
[ 37.057425] ? kthread_create_on_node+0xd0/0xd0
[ 37.062119] ret_from_fork+0x24/0x30
[ 37.067420] Kernel Offset: disabled
[ 37.071045] Rebooting in 86400 seconds..