[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.234205] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   19.363254] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.683498] random: sshd: uninitialized urandom read (32 bytes read)
[   20.491104] random: sshd: uninitialized urandom read (32 bytes read)
[   20.646936] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.28' (ECDSA) to the list of known hosts.
[   26.582912] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   26.681311] FAULT_INJECTION: forcing a failure.
[   26.681311] name failslab, interval 1, probability 0, space 0, times 1
[   26.692601] CPU: 0 PID: 4503 Comm: syz-executor461 Not tainted 4.17.0+ #83
[   26.699589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.708916] Call Trace:
[   26.711486]  dump_stack+0x1b9/0x294
[   26.715096]  ? dump_stack_print_info.cold.2+0x52/0x52
[   26.720270]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   26.725784]  ? __do_page_fault+0x441/0xe40
[   26.729999]  should_fail.cold.4+0xa/0x1a
[   26.734046]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[   26.739126]  ? tcp_push+0x8a0/0x8a0
[   26.742731]  ? graph_lock+0x170/0x170
[   26.746509]  ? graph_lock+0x170/0x170
[   26.750286]  ? graph_lock+0x170/0x170
[   26.754062]  ? vmalloc_sync_all+0x30/0x30
[   26.758187]  ? sk_busy_loop_end+0x1b0/0x1b0
[   26.762487]  ? debug_check_no_locks_freed+0x310/0x310
[   26.767655]  ? find_held_lock+0x36/0x1c0
[   26.771697]  ? __lock_is_held+0xb5/0x140
[   26.775740]  ? check_same_owner+0x320/0x320
[   26.780040]  ? check_same_owner+0x320/0x320
[   26.784341]  ? rcu_note_context_switch+0x710/0x710
[   26.789256]  __should_failslab+0x124/0x180
[   26.793482]  should_failslab+0x9/0x14
[   26.797265]  __kmalloc+0x2c8/0x760
[   26.800783]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   26.805779]  ? _copy_from_iter+0x395/0x1080
[   26.810076]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   26.815074]  ? tls_push_record+0x637/0x13e0
[   26.819377]  tls_push_record+0x637/0x13e0
[   26.823509]  tls_sw_sendmsg+0x9de/0x12b0
[   26.827558]  ? lock_release+0xa10/0xa10
[   26.831521]  ? tls_sw_push_pending_record+0x30/0x30
[   26.836516]  ? lock_downgrade+0x8e0/0x8e0
[   26.840642]  ? __sanitizer_cov_trace_const_cmp4+0x17/0x20
[   26.846157]  ? lock_release+0xa10/0xa10
[   26.850110]  ? __check_object_size+0x95/0x5d9
[   26.854584]  inet_sendmsg+0x19f/0x690
[   26.858363]  ? __might_sleep+0x95/0x190
[   26.862313]  ? ipip_gro_receive+0x100/0x100
[   26.866614]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.872139]  ? security_socket_sendmsg+0x94/0xc0
[   26.876871]  ? ipip_gro_receive+0x100/0x100
[   26.881171]  sock_sendmsg+0xd5/0x120
[   26.884864]  __sys_sendto+0x3d7/0x670
[   26.888645]  ? __ia32_sys_getpeername+0xb0/0xb0
[   26.893295]  ? lock_downgrade+0x8e0/0x8e0
[   26.897432]  ? __lock_is_held+0xb5/0x140
[   26.901477]  ? __sb_end_write+0xac/0xe0
[   26.905434]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   26.910948]  ? ksys_write+0x1a6/0x250
[   26.914729]  ? __ia32_sys_read+0xb0/0xb0
[   26.918769]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   26.923589]  __x64_sys_sendto+0xe1/0x1a0
[   26.927627]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.932620]  do_syscall_64+0x1b1/0x800
[   26.936485]  ? syscall_return_slowpath+0x5c0/0x5c0
[   26.941393]  ? syscall_return_slowpath+0x30f/0x5c0
[   26.946304]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   26.951647]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.956468]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.961634] RIP: 0033:0x4406a9
[   26.964798] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   26.983963] RSP: 002b:00007fff9c59f8c8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   26.991650] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406a9
[   26.998894] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[   27.006140] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c
[   27.013386] R10: 0000000000000040 R11: 0000000000000216 R12: 0000000000000005
[   27.020631] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[   27.029951] ==================================================================
[   27.037448] BUG: KASAN: use-after-free in tls_push_record+0x1023/0x13e0
[   27.044189] Write of size 1 at addr ffff8801aef80000 by task syz-executor461/4503
[   27.051781] 
[   27.053390] CPU: 0 PID: 4503 Comm: syz-executor461 Not tainted 4.17.0+ #83
[   27.060374] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.069703] Call Trace:
[   27.072272]  dump_stack+0x1b9/0x294
[   27.075878]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.081048]  ? printk+0x9e/0xba
[   27.084307]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.089044]  ? kasan_check_write+0x14/0x20
[   27.093260]  print_address_description+0x6c/0x20b
[   27.098079]  ? tls_push_record+0x1023/0x13e0
[   27.102463]  kasan_report.cold.7+0x242/0x2fe
[   27.106850]  __asan_report_store1_noabort+0x17/0x20
[   27.111850]  tls_push_record+0x1023/0x13e0
[   27.116065]  ? __local_bh_enable_ip+0x161/0x230
[   27.120712]  tls_sw_push_pending_record+0x22/0x30
[   27.125531]  tls_push_pending_closed_record+0x10c/0x150
[   27.130871]  ? lock_sock_nested+0xe7/0x120
[   27.135086]  tls_sk_proto_close+0x8f2/0xad0
[   27.139388]  ? tcp_check_oom+0x520/0x520
[   27.143423]  ? kasan_check_read+0x11/0x20
[   27.147550]  ? rcu_is_watching+0x41/0x140
[   27.151676]  ? tls_write_space+0x340/0x340
[   27.155887]  ? kasan_check_read+0x11/0x20
[   27.160017]  ? rcu_is_watching+0x85/0x140
[   27.164150]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.169666]  ? ipv6_sock_ac_close+0x34e/0x480
[   27.174142]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.179654]  ? ipv6_sock_mc_close+0x161/0x1c0
[   27.184126]  ? ip_mc_drop_socket+0x20f/0x270
[   27.188512]  inet_release+0x104/0x1f0
[   27.192291]  inet6_release+0x50/0x70
[   27.195993]  sock_release+0x96/0x1b0
[   27.199691]  ? sock_alloc_file+0x4e0/0x4e0
[   27.203901]  sock_close+0x16/0x20
[   27.207331]  __fput+0x353/0x890
[   27.210588]  ? fput+0x1a0/0x1a0
[   27.213848]  ? check_same_owner+0x320/0x320
[   27.218150]  ? _raw_spin_unlock_irq+0x27/0x70
[   27.222624]  ____fput+0x15/0x20
[   27.225881]  task_work_run+0x1e4/0x290
[   27.229746]  ? task_work_cancel+0x240/0x240
[   27.234046]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.239559]  ? switch_task_namespaces+0xa2/0xd0
[   27.244203]  do_exit+0x1aee/0x2730
[   27.247726]  ? mm_update_next_owner+0x980/0x980
[   27.252374]  ? lock_downgrade+0x8e0/0x8e0
[   27.256499]  ? finish_task_switch+0x182/0x840
[   27.260972]  ? kasan_check_read+0x11/0x20
[   27.265095]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.269481]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   27.274046]  ? compat_start_thread+0x80/0x80
[   27.278436]  ? _raw_spin_unlock_irq+0x27/0x70
[   27.282912]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.287906]  ? kasan_check_write+0x14/0x20
[   27.292117]  ? finish_task_switch+0x28b/0x840
[   27.296599]  ? __schedule+0x809/0x1e30
[   27.300465]  ? __sched_text_start+0x8/0x8
[   27.304590]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.310104]  ? security_socket_sendmsg+0x94/0xc0
[   27.314836]  ? ipip_gro_receive+0x100/0x100
[   27.319134]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.324649]  ? sock_sendmsg+0x5a/0x120
[   27.328514]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.334035]  ? __sys_sendto+0x475/0x670
[   27.337990]  ? __ia32_sys_getpeername+0xb0/0xb0
[   27.342639]  ? lock_downgrade+0x8e0/0x8e0
[   27.346768]  ? schedule+0xef/0x430
[   27.350286]  ? __schedule+0x1e30/0x1e30
[   27.354241]  ? __sb_end_write+0xac/0xe0
[   27.358196]  ? exit_to_usermode_loop+0x87/0x310
[   27.362848]  do_group_exit+0x16f/0x430
[   27.366725]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.372240]  ? __ia32_sys_exit+0x50/0x50
[   27.376277]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   27.381098]  ? do_syscall_64+0x92/0x800
[   27.385049]  __x64_sys_exit_group+0x3e/0x50
[   27.389347]  do_syscall_64+0x1b1/0x800
[   27.393218]  ? syscall_return_slowpath+0x5c0/0x5c0
[   27.398124]  ? syscall_return_slowpath+0x30f/0x5c0
[   27.403039]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   27.408382]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.413208]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.418375] RIP: 0033:0x43f368
[   27.421538] Code: Bad RIP value.
[   27.424894] RSP: 002b:00007fff9c59f908 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   27.432581] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f368
[   27.439828] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   27.447075] RBP: 00000000004bf448 R08: 00000000000000e7 R09: ffffffffffffffd0
[   27.454321] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   27.461568] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   27.468818] 
[   27.470428] The buggy address belongs to the page:
[   27.475333] page:ffffea0006bbe000 count:0 mapcount:-127 mapping:0000000000000000 index:0x0
[   27.483717] flags: 0x2fffc0000000000()
[   27.487590] raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffff80
[   27.495453] raw: ffffea0006ba2820 ffffea0006bbec20 0000000000000003 0000000000000000
[   27.503306] page dumped because: kasan: bad access detected
[   27.508985] 
[   27.510587] Memory state around the buggy address:
[   27.515490]  ffff8801aef7ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.522823]  ffff8801aef7ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.530155] >ffff8801aef80000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.537499]                    ^
[   27.540841]  ffff8801aef80080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.548175]  ffff8801aef80100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   27.555509] ==================================================================
[   27.562841] Disabling lock debugging due to kernel taint
[   27.568456] Kernel panic - not syncing: panic_on_warn set ...
[   27.568456] 
[   27.575826] CPU: 0 PID: 4503 Comm: syz-executor461 Tainted: G    B             4.17.0+ #83
[   27.584212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.593539] Call Trace:
[   27.596104]  dump_stack+0x1b9/0x294
[   27.599708]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.604878]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.609611]  ? tls_push_record+0xfb0/0x13e0
[   27.613909]  panic+0x22f/0x4de
[   27.617078]  ? add_taint.cold.5+0x16/0x16
[   27.621206]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.625601]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.629986]  ? tls_push_record+0x1023/0x13e0
[   27.634372]  kasan_end_report+0x47/0x4f
[   27.638320]  kasan_report.cold.7+0x76/0x2fe
[   27.642621]  __asan_report_store1_noabort+0x17/0x20
[   27.647610]  tls_push_record+0x1023/0x13e0
[   27.651829]  ? __local_bh_enable_ip+0x161/0x230
[   27.656473]  tls_sw_push_pending_record+0x22/0x30
[   27.661291]  tls_push_pending_closed_record+0x10c/0x150
[   27.666632]  ? lock_sock_nested+0xe7/0x120
[   27.670843]  tls_sk_proto_close+0x8f2/0xad0
[   27.675143]  ? tcp_check_oom+0x520/0x520
[   27.679183]  ? kasan_check_read+0x11/0x20
[   27.683311]  ? rcu_is_watching+0x41/0x140
[   27.687435]  ? tls_write_space+0x340/0x340
[   27.691647]  ? kasan_check_read+0x11/0x20
[   27.695772]  ? rcu_is_watching+0x85/0x140
[   27.699897]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.705413]  ? ipv6_sock_ac_close+0x34e/0x480
[   27.709885]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.715397]  ? ipv6_sock_mc_close+0x161/0x1c0
[   27.719869]  ? ip_mc_drop_socket+0x20f/0x270
[   27.724251]  inet_release+0x104/0x1f0
[   27.728033]  inet6_release+0x50/0x70
[   27.731725]  sock_release+0x96/0x1b0
[   27.735417]  ? sock_alloc_file+0x4e0/0x4e0
[   27.739629]  sock_close+0x16/0x20
[   27.743057]  __fput+0x353/0x890
[   27.746311]  ? fput+0x1a0/0x1a0
[   27.749566]  ? check_same_owner+0x320/0x320
[   27.753863]  ? _raw_spin_unlock_irq+0x27/0x70
[   27.758335]  ____fput+0x15/0x20
[   27.761591]  task_work_run+0x1e4/0x290
[   27.765457]  ? task_work_cancel+0x240/0x240
[   27.769753]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.775265]  ? switch_task_namespaces+0xa2/0xd0
[   27.779916]  do_exit+0x1aee/0x2730
[   27.783433]  ? mm_update_next_owner+0x980/0x980
[   27.788081]  ? lock_downgrade+0x8e0/0x8e0
[   27.792203]  ? finish_task_switch+0x182/0x840
[   27.796676]  ? kasan_check_read+0x11/0x20
[   27.800800]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.805184]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   27.809742]  ? compat_start_thread+0x80/0x80
[   27.814126]  ? _raw_spin_unlock_irq+0x27/0x70
[   27.818598]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.823590]  ? kasan_check_write+0x14/0x20
[   27.827799]  ? finish_task_switch+0x28b/0x840
[   27.832274]  ? __schedule+0x809/0x1e30
[   27.836136]  ? __sched_text_start+0x8/0x8
[   27.840262]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.845778]  ? security_socket_sendmsg+0x94/0xc0
[   27.850507]  ? ipip_gro_receive+0x100/0x100
[   27.854804]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.860314]  ? sock_sendmsg+0x5a/0x120
[   27.864181]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.869692]  ? __sys_sendto+0x475/0x670
[   27.873641]  ? __ia32_sys_getpeername+0xb0/0xb0
[   27.878287]  ? lock_downgrade+0x8e0/0x8e0
[   27.882411]  ? schedule+0xef/0x430
[   27.885925]  ? __schedule+0x1e30/0x1e30
[   27.889875]  ? __sb_end_write+0xac/0xe0
[   27.893829]  ? exit_to_usermode_loop+0x87/0x310
[   27.898474]  do_group_exit+0x16f/0x430
[   27.902336]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.907847]  ? __ia32_sys_exit+0x50/0x50
[   27.911885]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   27.916702]  ? do_syscall_64+0x92/0x800
[   27.920653]  __x64_sys_exit_group+0x3e/0x50
[   27.924949]  do_syscall_64+0x1b1/0x800
[   27.928811]  ? syscall_return_slowpath+0x5c0/0x5c0
[   27.933715]  ? syscall_return_slowpath+0x30f/0x5c0
[   27.938622]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   27.943962]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.948781]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.953944] RIP: 0033:0x43f368
[   27.957108] Code: Bad RIP value.
[   27.960456] RSP: 002b:00007fff9c59f908 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   27.968137] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f368
[   27.975384] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   27.982628] RBP: 00000000004bf448 R08: 00000000000000e7 R09: ffffffffffffffd0
[   27.989874] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   27.997117] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   28.004855] Dumping ftrace buffer:
[   28.008367]    (ftrace buffer empty)
[   28.012053] Kernel Offset: disabled
[   28.015653] Rebooting in 86400 seconds..