[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.807148] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   21.000762] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.269905] random: sshd: uninitialized urandom read (32 bytes read)
[   21.787536] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.55' (ECDSA) to the list of known hosts.
[   27.403642] urandom_read: 1 callbacks suppressed
[   27.403648] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.511623] FAULT_INJECTION: forcing a failure.
[   27.511623] name failslab, interval 1, probability 0, space 0, times 1
[   27.523001] CPU: 1 PID: 4411 Comm: syz-executor116 Not tainted 4.18.0-rc7+ #177
[   27.530456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.539795] Call Trace:
[   27.542394]  dump_stack+0x1c9/0x2b4
[   27.546031]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.551228]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.556753]  ? __do_page_fault+0x449/0xe50
[   27.560982]  should_fail.cold.4+0xa/0x1a
[   27.565054]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[   27.570173]  ? graph_lock+0x170/0x170
[   27.573962]  ? graph_lock+0x170/0x170
[   27.578011]  ? graph_lock+0x170/0x170
[   27.581812]  ? vmalloc_sync_all+0x30/0x30
[   27.585945]  ? sk_busy_loop_end+0x1c0/0x1c0
[   27.590255]  ? trace_hardirqs_on+0x10/0x10
[   27.594484]  ? find_held_lock+0x36/0x1c0
[   27.598539]  ? __lock_is_held+0xb5/0x140
[   27.602596]  ? check_same_owner+0x340/0x340
[   27.606903]  ? check_same_owner+0x340/0x340
[   27.611215]  ? rcu_note_context_switch+0x730/0x730
[   27.616137]  __should_failslab+0x124/0x180
[   27.620376]  should_failslab+0x9/0x14
[   27.624167]  __kmalloc+0x2c8/0x760
[   27.627698]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   27.632706]  ? _copy_from_iter+0x39d/0x1090
[   27.637025]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   27.642053]  ? tls_push_record+0x10d/0x1400
[   27.646380]  ? __check_object_size+0x9d/0x5f2
[   27.650866]  tls_push_record+0x10d/0x1400
[   27.655008]  ? _copy_from_iter_nocache+0x1050/0x1050
[   27.660128]  ? __local_bh_enable_ip+0x161/0x230
[   27.664791]  tls_sw_sendmsg+0x9e2/0x12c0
[   27.668843]  ? lock_release+0xa30/0xa30
[   27.672816]  ? tls_sw_push_pending_record+0x30/0x30
[   27.677825]  ? lock_downgrade+0x8f0/0x8f0
[   27.681981]  ? __sanitizer_cov_trace_const_cmp1+0x17/0x20
[   27.687546]  ? lock_release+0xa30/0xa30
[   27.691541]  ? __check_object_size+0x9d/0x5f2
[   27.696046]  inet_sendmsg+0x1a1/0x690
[   27.699856]  ? ipip_gro_receive+0x100/0x100
[   27.704189]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.709730]  ? security_socket_sendmsg+0x94/0xc0
[   27.714488]  ? ipip_gro_receive+0x100/0x100
[   27.718808]  sock_sendmsg+0xd5/0x120
[   27.722512]  __sys_sendto+0x3d7/0x670
[   27.726311]  ? __ia32_sys_getpeername+0xb0/0xb0
[   27.730976]  ? lock_downgrade+0x8f0/0x8f0
[   27.735130]  ? __lock_is_held+0xb5/0x140
[   27.739191]  ? __sb_end_write+0xac/0xe0
[   27.743172]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.748710]  ? ksys_write+0x1ae/0x260
[   27.752504]  ? __ia32_sys_read+0xb0/0xb0
[   27.756561]  ? syscall_slow_exit_work+0x500/0x500
[   27.761398]  __x64_sys_sendto+0xe1/0x1a0
[   27.765466]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.770480]  do_syscall_64+0x1b9/0x820
[   27.774360]  ? syscall_return_slowpath+0x5e0/0x5e0
[   27.779287]  ? syscall_return_slowpath+0x31d/0x5e0
[   27.784210]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   27.789572]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.794413]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.799622] RIP: 0033:0x440539
[   27.802796] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   27.821979] RSP: 002b:00007ffc9731e198 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   27.829696] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440539
[   27.836969] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[   27.844228] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c
[   27.851660] R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000004
[   27.858919] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[   27.868442] ==================================================================
[   27.875908] BUG: KASAN: use-after-free in tls_push_record+0x1091/0x1400
[   27.882644] Write of size 1 at addr ffff8801ac5c8000 by task syz-executor116/4411
[   27.890242] 
[   27.891856] CPU: 0 PID: 4411 Comm: syz-executor116 Not tainted 4.18.0-rc7+ #177
[   27.899279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.908617] Call Trace:
[   27.911193]  dump_stack+0x1c9/0x2b4
[   27.914804]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.919979]  ? printk+0xa7/0xcf
[   27.923244]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.927989]  ? tls_push_record+0x1091/0x1400
[   27.932399]  print_address_description+0x6c/0x20b
[   27.937226]  ? tls_push_record+0x1091/0x1400
[   27.941615]  kasan_report.cold.7+0x242/0x2fe
[   27.946070]  __asan_report_store1_noabort+0x17/0x20
[   27.951084]  tls_push_record+0x1091/0x1400
[   27.955306]  ? lock_sock_nested+0x9f/0x120
[   27.959527]  tls_sw_push_pending_record+0x22/0x30
[   27.964351]  tls_sk_proto_close+0x74c/0xae0
[   27.968657]  ? lock_acquire+0x1e4/0x540
[   27.972613]  ? tcp_check_oom+0x530/0x530
[   27.976657]  ? tls_write_space+0x360/0x360
[   27.980880]  ? kasan_check_read+0x11/0x20
[   27.985018]  ? rcu_note_context_switch+0x730/0x730
[   27.989954]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.995476]  ? ipv6_sock_ac_close+0x356/0x490
[   27.999963]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.005485]  ? ipv6_sock_mc_close+0x162/0x1d0
[   28.009970]  ? ip_mc_drop_socket+0x20f/0x270
[   28.014362]  ? down_write+0x8f/0x130
[   28.018065]  inet_release+0x104/0x1f0
[   28.021858]  inet6_release+0x50/0x70
[   28.025556]  __sock_release+0xd7/0x260
[   28.029430]  ? __sock_release+0x260/0x260
[   28.033573]  sock_close+0x19/0x20
[   28.037014]  __fput+0x355/0x8b0
[   28.040304]  ? fput+0x1a0/0x1a0
[   28.043566]  ? check_same_owner+0x340/0x340
[   28.047869]  ? _raw_spin_unlock_irq+0x27/0x70
[   28.052350]  ____fput+0x15/0x20
[   28.055625]  task_work_run+0x1ec/0x2a0
[   28.059508]  ? task_work_cancel+0x250/0x250
[   28.063824]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.069352]  ? switch_task_namespaces+0xa2/0xd0
[   28.074028]  do_exit+0x1b08/0x2750
[   28.077579]  ? mm_update_next_owner+0x9a0/0x9a0
[   28.082235]  ? lock_downgrade+0x8f0/0x8f0
[   28.086376]  ? finish_task_switch+0x18a/0x870
[   28.090861]  ? kasan_check_read+0x11/0x20
[   28.094993]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.099416]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   28.103987]  ? compat_start_thread+0x80/0x80
[   28.108386]  ? _raw_spin_unlock_irq+0x27/0x70
[   28.112870]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.118217]  ? trace_hardirqs_on+0xd/0x10
[   28.122352]  ? _raw_spin_unlock_irq+0x27/0x70
[   28.126834]  ? finish_task_switch+0x1d3/0x870
[   28.131314]  ? finish_task_switch+0x18a/0x870
[   28.135804]  ? preempt_notifier_register+0x200/0x200
[   28.140903]  ? lock_repin_lock+0x430/0x430
[   28.145137]  ? __sched_text_start+0x8/0x8
[   28.149290]  ? security_socket_sendmsg+0x94/0xc0
[   28.154061]  ? ipip_gro_receive+0x100/0x100
[   28.158376]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.163903]  ? sock_sendmsg+0x5a/0x120
[   28.167780]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.173309]  ? __sys_sendto+0x475/0x670
[   28.177270]  ? __ia32_sys_getpeername+0xb0/0xb0
[   28.181932]  ? lock_downgrade+0x8f0/0x8f0
[   28.186077]  ? schedule+0xfb/0x450
[   28.189606]  ? __schedule+0x1ec0/0x1ec0
[   28.193569]  ? __sb_end_write+0xac/0xe0
[   28.197533]  do_group_exit+0x177/0x440
[   28.201410]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.206935]  ? __ia32_sys_exit+0x50/0x50
[   28.210982]  ? syscall_slow_exit_work+0x500/0x500
[   28.215819]  ? do_syscall_64+0x9a/0x820
[   28.219779]  __x64_sys_exit_group+0x3e/0x50
[   28.224088]  do_syscall_64+0x1b9/0x820
[   28.227959]  ? syscall_return_slowpath+0x5e0/0x5e0
[   28.232875]  ? syscall_return_slowpath+0x31d/0x5e0
[   28.237801]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   28.243154]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.247983]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.253159] RIP: 0033:0x43f1f8
[   28.256325] Code: Bad RIP value.
[   28.259688] RSP: 002b:00007ffc9731e1b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   28.267395] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f1f8
[   28.274651] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   28.281905] RBP: 00000000004bef68 R08: 00000000000000e7 R09: ffffffffffffffd0
[   28.289208] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   28.296464] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   28.303724] 
[   28.305358] The buggy address belongs to the page:
[   28.310277] page:ffffea0006b17200 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[   28.318662] flags: 0x2fffc0000000000()
[   28.322532] raw: 02fffc0000000000 ffffea0006b11808 ffffea0006fdd008 0000000000000000
[   28.330418] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[   28.338278] page dumped because: kasan: bad access detected
[   28.343964] 
[   28.345570] Memory state around the buggy address:
[   28.350491]  ffff8801ac5c7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.357834]  ffff8801ac5c7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.365176] >ffff8801ac5c8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.372515]                    ^
[   28.375862]  ffff8801ac5c8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.383209]  ffff8801ac5c8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.390547] ==================================================================
[   28.397883] Disabling lock debugging due to kernel taint
[   28.403569] Kernel panic - not syncing: panic_on_warn set ...
[   28.403569] 
[   28.410952] CPU: 0 PID: 4411 Comm: syz-executor116 Tainted: G    B             4.18.0-rc7+ #177
[   28.419779] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.429130] Call Trace:
[   28.431706]  dump_stack+0x1c9/0x2b4
[   28.435315]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.440489]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.445243]  panic+0x238/0x4e7
[   28.448420]  ? add_taint.cold.5+0x16/0x16
[   28.452552]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.456943]  ? tls_push_record+0x1091/0x1400
[   28.461332]  kasan_end_report+0x47/0x4f
[   28.465288]  kasan_report.cold.7+0x76/0x2fe
[   28.469596]  __asan_report_store1_noabort+0x17/0x20
[   28.474609]  tls_push_record+0x1091/0x1400
[   28.478827]  ? lock_sock_nested+0x9f/0x120
[   28.483053]  tls_sw_push_pending_record+0x22/0x30
[   28.487972]  tls_sk_proto_close+0x74c/0xae0
[   28.492275]  ? lock_acquire+0x1e4/0x540
[   28.496230]  ? tcp_check_oom+0x530/0x530
[   28.500271]  ? tls_write_space+0x360/0x360
[   28.504488]  ? kasan_check_read+0x11/0x20
[   28.508623]  ? rcu_note_context_switch+0x730/0x730
[   28.513540]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.519077]  ? ipv6_sock_ac_close+0x356/0x490
[   28.523560]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.529084]  ? ipv6_sock_mc_close+0x162/0x1d0
[   28.533578]  ? ip_mc_drop_socket+0x20f/0x270
[   28.537981]  ? down_write+0x8f/0x130
[   28.541682]  inet_release+0x104/0x1f0
[   28.545464]  inet6_release+0x50/0x70
[   28.549158]  __sock_release+0xd7/0x260
[   28.553039]  ? __sock_release+0x260/0x260
[   28.557183]  sock_close+0x19/0x20
[   28.560619]  __fput+0x355/0x8b0
[   28.563879]  ? fput+0x1a0/0x1a0
[   28.567146]  ? check_same_owner+0x340/0x340
[   28.571461]  ? _raw_spin_unlock_irq+0x27/0x70
[   28.575944]  ____fput+0x15/0x20
[   28.579207]  task_work_run+0x1ec/0x2a0
[   28.583079]  ? task_work_cancel+0x250/0x250
[   28.587383]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.592921]  ? switch_task_namespaces+0xa2/0xd0
[   28.597574]  do_exit+0x1b08/0x2750
[   28.601111]  ? mm_update_next_owner+0x9a0/0x9a0
[   28.605765]  ? lock_downgrade+0x8f0/0x8f0
[   28.609894]  ? finish_task_switch+0x18a/0x870
[   28.614467]  ? kasan_check_read+0x11/0x20
[   28.618600]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.622995]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   28.627567]  ? compat_start_thread+0x80/0x80
[   28.631968]  ? _raw_spin_unlock_irq+0x27/0x70
[   28.636456]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.641466]  ? trace_hardirqs_on+0xd/0x10
[   28.645595]  ? _raw_spin_unlock_irq+0x27/0x70
[   28.650082]  ? finish_task_switch+0x1d3/0x870
[   28.654558]  ? finish_task_switch+0x18a/0x870
[   28.659043]  ? preempt_notifier_register+0x200/0x200
[   28.664131]  ? lock_repin_lock+0x430/0x430
[   28.668352]  ? __sched_text_start+0x8/0x8
[   28.672486]  ? security_socket_sendmsg+0x94/0xc0
[   28.677222]  ? ipip_gro_receive+0x100/0x100
[   28.681536]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.687061]  ? sock_sendmsg+0x5a/0x120
[   28.690940]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.696480]  ? __sys_sendto+0x475/0x670
[   28.700439]  ? __ia32_sys_getpeername+0xb0/0xb0
[   28.705092]  ? lock_downgrade+0x8f0/0x8f0
[   28.709224]  ? schedule+0xfb/0x450
[   28.712748]  ? __schedule+0x1ec0/0x1ec0
[   28.716709]  ? __sb_end_write+0xac/0xe0
[   28.720669]  do_group_exit+0x177/0x440
[   28.724539]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.730075]  ? __ia32_sys_exit+0x50/0x50
[   28.734143]  ? syscall_slow_exit_work+0x500/0x500
[   28.738968]  ? do_syscall_64+0x9a/0x820
[   28.742926]  __x64_sys_exit_group+0x3e/0x50
[   28.747228]  do_syscall_64+0x1b9/0x820
[   28.751101]  ? syscall_return_slowpath+0x5e0/0x5e0
[   28.756030]  ? syscall_return_slowpath+0x31d/0x5e0
[   28.760954]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   28.766302]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.771127]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.776307] RIP: 0033:0x43f1f8
[   28.779473] Code: Bad RIP value.
[   28.782826] RSP: 002b:00007ffc9731e1b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   28.790516] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f1f8
[   28.797767] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   28.805054] RBP: 00000000004bef68 R08: 00000000000000e7 R09: ffffffffffffffd0
[   28.812308] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   28.819556] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   28.827201] Dumping ftrace buffer:
[   28.830724]    (ftrace buffer empty)
[   28.834410] Kernel Offset: disabled
[   28.838026] Rebooting in 86400 seconds..