[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 18.610885] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 19.753100] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.917899] random: sshd: uninitialized urandom read (32 bytes read) [ 20.868988] random: sshd: uninitialized urandom read (32 bytes read) [ 38.072939] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts. [ 43.584545] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 43.687699] FAULT_INJECTION: forcing a failure. [ 43.687699] name failslab, interval 1, probability 0, space 0, times 1 [ 43.699117] CPU: 0 PID: 4355 Comm: syz-executor504 Not tainted 4.18.0-rc7+ #172 [ 43.706554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.715887] Call Trace: [ 43.718485] dump_stack+0x1c9/0x2b4 [ 43.722101] ? dump_stack_print_info.cold.2+0x52/0x52 [ 43.727277] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.732798] ? __do_page_fault+0x449/0xe50 [ 43.737042] should_fail.cold.4+0xa/0x1a [ 43.741090] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 43.746178] ? graph_lock+0x170/0x170 [ 43.749966] ? graph_lock+0x170/0x170 [ 43.753750] ? graph_lock+0x170/0x170 [ 43.757532] ? vmalloc_sync_all+0x30/0x30 [ 43.761682] ? sk_busy_loop_end+0x1c0/0x1c0 [ 43.765985] ? trace_hardirqs_on+0x10/0x10 [ 43.770204] ? find_held_lock+0x36/0x1c0 [ 43.774248] ? __lock_is_held+0xb5/0x140 [ 43.778300] ? check_same_owner+0x340/0x340 [ 43.782619] ? check_same_owner+0x340/0x340 [ 43.786926] ? rcu_note_context_switch+0x730/0x730 [ 43.791845] __should_failslab+0x124/0x180 [ 43.796068] should_failslab+0x9/0x14 [ 43.799876] __kmalloc+0x2c8/0x760 [ 43.803413] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 43.808417] ? _copy_from_iter+0x39d/0x1090 [ 43.812720] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 43.817719] ? tls_push_record+0x10d/0x1400 [ 43.822040] ? __check_object_size+0x9d/0x5f2 [ 43.826519] tls_push_record+0x10d/0x1400 [ 43.830653] ? _copy_from_iter_nocache+0x1050/0x1050 [ 43.835741] ? __local_bh_enable_ip+0x161/0x230 [ 43.840406] tls_sw_sendmsg+0x9e2/0x12c0 [ 43.844453] ? lock_release+0xa30/0xa30 [ 43.848417] ? tls_sw_push_pending_record+0x30/0x30 [ 43.853414] ? lock_downgrade+0x8f0/0x8f0 [ 43.857544] ? __sanitizer_cov_trace_const_cmp1+0x17/0x20 [ 43.863066] ? lock_release+0xa30/0xa30 [ 43.867038] ? __check_object_size+0x9d/0x5f2 [ 43.871534] inet_sendmsg+0x1a1/0x690 [ 43.875323] ? ipip_gro_receive+0x100/0x100 [ 43.879630] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 43.885151] ? security_socket_sendmsg+0x94/0xc0 [ 43.889888] ? ipip_gro_receive+0x100/0x100 [ 43.894194] sock_sendmsg+0xd5/0x120 [ 43.897891] __sys_sendto+0x3d7/0x670 [ 43.901678] ? __ia32_sys_getpeername+0xb0/0xb0 [ 43.906331] ? lock_downgrade+0x8f0/0x8f0 [ 43.910481] ? __lock_is_held+0xb5/0x140 [ 43.914547] ? __sb_end_write+0xac/0xe0 [ 43.918511] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.924028] ? ksys_write+0x1ae/0x260 [ 43.927831] ? __ia32_sys_read+0xb0/0xb0 [ 43.931888] ? syscall_slow_exit_work+0x500/0x500 [ 43.936748] __x64_sys_sendto+0xe1/0x1a0 [ 43.940804] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.945827] do_syscall_64+0x1b9/0x820 [ 43.949700] ? syscall_return_slowpath+0x5e0/0x5e0 [ 43.954615] ? syscall_return_slowpath+0x31d/0x5e0 [ 43.959541] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 43.964905] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.969734] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 43.974907] RIP: 0033:0x440599 [ 43.978076] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 43.997260] RSP: 002b:00007fffb6d070f8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c [ 44.004954] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440599 [ 44.012207] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003 [ 44.019457] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c [ 44.026715] R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000004 [ 44.033966] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 44.042662] ================================================================== [ 44.050110] BUG: KASAN: use-after-free in tls_push_record+0x1091/0x1400 [ 44.056857] Write of size 1 at addr ffff8801b4108000 by task syz-executor504/4355 [ 44.064465] [ 44.066080] CPU: 0 PID: 4355 Comm: syz-executor504 Not tainted 4.18.0-rc7+ #172 [ 44.073514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.082856] Call Trace: [ 44.085431] dump_stack+0x1c9/0x2b4 [ 44.089042] ? dump_stack_print_info.cold.2+0x52/0x52 [ 44.094218] ? printk+0xa7/0xcf [ 44.097486] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 44.102228] ? tls_push_record+0x1091/0x1400 [ 44.106620] print_address_description+0x6c/0x20b [ 44.111459] ? tls_push_record+0x1091/0x1400 [ 44.115853] kasan_report.cold.7+0x242/0x2fe [ 44.120251] __asan_report_store1_noabort+0x17/0x20 [ 44.125258] tls_push_record+0x1091/0x1400 [ 44.129483] ? lock_sock_nested+0x9f/0x120 [ 44.133705] tls_sw_push_pending_record+0x22/0x30 [ 44.138543] tls_sk_proto_close+0x74c/0xae0 [ 44.142854] ? lock_acquire+0x1e4/0x540 [ 44.146809] ? tcp_check_oom+0x530/0x530 [ 44.150863] ? tls_write_space+0x360/0x360 [ 44.155084] ? kasan_check_read+0x11/0x20 [ 44.159210] ? rcu_note_context_switch+0x730/0x730 [ 44.164124] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.169655] ? ipv6_sock_ac_close+0x356/0x490 [ 44.174144] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 44.179661] ? ipv6_sock_mc_close+0x162/0x1d0 [ 44.184140] ? ip_mc_drop_socket+0x20f/0x270 [ 44.188527] ? down_write+0x8f/0x130 [ 44.192221] inet_release+0x104/0x1f0 [ 44.196003] inet6_release+0x50/0x70 [ 44.199702] __sock_release+0xd7/0x260 [ 44.203574] ? __sock_release+0x260/0x260 [ 44.207705] sock_close+0x19/0x20 [ 44.211154] __fput+0x355/0x8b0 [ 44.214418] ? fput+0x1a0/0x1a0 [ 44.217678] ? check_same_owner+0x340/0x340 [ 44.221981] ? _raw_spin_unlock_irq+0x27/0x70 [ 44.226461] ____fput+0x15/0x20 [ 44.229724] task_work_run+0x1ec/0x2a0 [ 44.233595] ? task_work_cancel+0x250/0x250 [ 44.237903] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 44.243422] ? switch_task_namespaces+0xa2/0xd0 [ 44.248085] do_exit+0x1b08/0x2750 [ 44.251623] ? mm_update_next_owner+0x9a0/0x9a0 [ 44.256276] ? lock_downgrade+0x8f0/0x8f0 [ 44.260420] ? finish_task_switch+0x18a/0x870 [ 44.264903] ? kasan_check_read+0x11/0x20 [ 44.269046] ? do_raw_spin_unlock+0xa7/0x2f0 [ 44.273442] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 44.278008] ? compat_start_thread+0x80/0x80 [ 44.282399] ? _raw_spin_unlock_irq+0x27/0x70 [ 44.286879] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.291878] ? kasan_check_write+0x14/0x20 [ 44.296099] ? finish_task_switch+0x2ca/0x870 [ 44.300577] ? preempt_notifier_register+0x200/0x200 [ 44.305664] ? lock_repin_lock+0x430/0x430 [ 44.309901] ? __sched_text_start+0x8/0x8 [ 44.314033] ? security_socket_sendmsg+0x94/0xc0 [ 44.318771] ? ipip_gro_receive+0x100/0x100 [ 44.323077] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.328597] ? sock_sendmsg+0x5a/0x120 [ 44.332469] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.337990] ? __sys_sendto+0x475/0x670 [ 44.341948] ? __ia32_sys_getpeername+0xb0/0xb0 [ 44.346600] ? lock_downgrade+0x8f0/0x8f0 [ 44.350745] ? schedule+0xfb/0x450 [ 44.354271] ? __schedule+0x1ec0/0x1ec0 [ 44.358231] ? __sb_end_write+0xac/0xe0 [ 44.362207] do_group_exit+0x177/0x440 [ 44.366080] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.371611] ? __ia32_sys_exit+0x50/0x50 [ 44.375659] ? syscall_slow_exit_work+0x500/0x500 [ 44.380484] ? do_syscall_64+0x9a/0x820 [ 44.384441] __x64_sys_exit_group+0x3e/0x50 [ 44.388744] do_syscall_64+0x1b9/0x820 [ 44.392630] ? syscall_return_slowpath+0x5e0/0x5e0 [ 44.397556] ? syscall_return_slowpath+0x31d/0x5e0 [ 44.402484] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 44.407857] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.412688] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 44.417871] RIP: 0033:0x43f258 [ 44.421038] Code: Bad RIP value. [ 44.424394] RSP: 002b:00007fffb6d07118 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 44.432084] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f258 [ 44.439332] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 44.446582] RBP: 00000000004befc8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 44.453839] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 44.461609] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 44.468865] [ 44.470468] The buggy address belongs to the page: [ 44.475910] page:ffffea0006d04200 count:0 mapcount:-128 mapping:0000000000000000 index:0x0 [ 44.484303] flags: 0x2fffc0000000000() [ 44.488176] raw: 02fffc0000000000 ffffea0006d19808 ffff88021fffac18 0000000000000000 [ 44.496037] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 [ 44.503894] page dumped because: kasan: bad access detected [ 44.509591] [ 44.511195] Memory state around the buggy address: [ 44.516115] ffff8801b4107f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.523455] ffff8801b4107f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.530805] >ffff8801b4108000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.538152] ^ [ 44.541508] ffff8801b4108080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.548863] ffff8801b4108100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.556198] ================================================================== [ 44.563542] Disabling lock debugging due to kernel taint [ 44.569093] Kernel panic - not syncing: panic_on_warn set ... [ 44.569093] [ 44.576448] CPU: 0 PID: 4355 Comm: syz-executor504 Tainted: G B 4.18.0-rc7+ #172 [ 44.585259] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.594600] Call Trace: [ 44.597172] dump_stack+0x1c9/0x2b4 [ 44.600780] ? dump_stack_print_info.cold.2+0x52/0x52 [ 44.605966] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 44.610713] panic+0x238/0x4e7 [ 44.613887] ? add_taint.cold.5+0x16/0x16 [ 44.618019] ? do_raw_spin_unlock+0xa7/0x2f0 [ 44.622422] ? tls_push_record+0x1091/0x1400 [ 44.626824] kasan_end_report+0x47/0x4f [ 44.630794] kasan_report.cold.7+0x76/0x2fe [ 44.635117] __asan_report_store1_noabort+0x17/0x20 [ 44.640116] tls_push_record+0x1091/0x1400 [ 44.644331] ? lock_sock_nested+0x9f/0x120 [ 44.648548] tls_sw_push_pending_record+0x22/0x30 [ 44.653396] tls_sk_proto_close+0x74c/0xae0 [ 44.657697] ? lock_acquire+0x1e4/0x540 [ 44.661649] ? tcp_check_oom+0x530/0x530 [ 44.665688] ? tls_write_space+0x360/0x360 [ 44.669915] ? kasan_check_read+0x11/0x20 [ 44.674043] ? rcu_note_context_switch+0x730/0x730 [ 44.678967] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.684490] ? ipv6_sock_ac_close+0x356/0x490 [ 44.688971] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 44.694489] ? ipv6_sock_mc_close+0x162/0x1d0 [ 44.698966] ? ip_mc_drop_socket+0x20f/0x270 [ 44.703355] ? down_write+0x8f/0x130 [ 44.707050] inet_release+0x104/0x1f0 [ 44.710845] inet6_release+0x50/0x70 [ 44.714549] __sock_release+0xd7/0x260 [ 44.718776] ? __sock_release+0x260/0x260 [ 44.722925] sock_close+0x19/0x20 [ 44.726361] __fput+0x355/0x8b0 [ 44.729641] ? fput+0x1a0/0x1a0 [ 44.732902] ? check_same_owner+0x340/0x340 [ 44.737203] ? _raw_spin_unlock_irq+0x27/0x70 [ 44.741678] ____fput+0x15/0x20 [ 44.744942] task_work_run+0x1ec/0x2a0 [ 44.748814] ? task_work_cancel+0x250/0x250 [ 44.753133] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 44.758649] ? switch_task_namespaces+0xa2/0xd0 [ 44.763300] do_exit+0x1b08/0x2750 [ 44.766832] ? mm_update_next_owner+0x9a0/0x9a0 [ 44.771493] ? lock_downgrade+0x8f0/0x8f0 [ 44.775626] ? finish_task_switch+0x18a/0x870 [ 44.780104] ? kasan_check_read+0x11/0x20 [ 44.784243] ? do_raw_spin_unlock+0xa7/0x2f0 [ 44.788633] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 44.793196] ? compat_start_thread+0x80/0x80 [ 44.797585] ? _raw_spin_unlock_irq+0x27/0x70 [ 44.802061] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.807060] ? kasan_check_write+0x14/0x20 [ 44.811273] ? finish_task_switch+0x2ca/0x870 [ 44.815748] ? preempt_notifier_register+0x200/0x200 [ 44.820831] ? lock_repin_lock+0x430/0x430 [ 44.825054] ? __sched_text_start+0x8/0x8 [ 44.829180] ? security_socket_sendmsg+0x94/0xc0 [ 44.833916] ? ipip_gro_receive+0x100/0x100 [ 44.838227] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.843831] ? sock_sendmsg+0x5a/0x120 [ 44.847709] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.853239] ? __sys_sendto+0x475/0x670 [ 44.857193] ? __ia32_sys_getpeername+0xb0/0xb0 [ 44.861842] ? lock_downgrade+0x8f0/0x8f0 [ 44.865984] ? schedule+0xfb/0x450 [ 44.869506] ? __schedule+0x1ec0/0x1ec0 [ 44.873464] ? __sb_end_write+0xac/0xe0 [ 44.877421] do_group_exit+0x177/0x440 [ 44.881290] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.886807] ? __ia32_sys_exit+0x50/0x50 [ 44.890851] ? syscall_slow_exit_work+0x500/0x500 [ 44.895683] ? do_syscall_64+0x9a/0x820 [ 44.899637] __x64_sys_exit_group+0x3e/0x50 [ 44.903941] do_syscall_64+0x1b9/0x820 [ 44.907810] ? syscall_return_slowpath+0x5e0/0x5e0 [ 44.912721] ? syscall_return_slowpath+0x31d/0x5e0 [ 44.917632] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 44.922975] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.927815] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 44.932996] RIP: 0033:0x43f258 [ 44.936163] Code: Bad RIP value. [ 44.939516] RSP: 002b:00007fffb6d07118 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 44.947200] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f258 [ 44.954449] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 44.961695] RBP: 00000000004befc8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 44.968949] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 44.976211] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 44.983810] Dumping ftrace buffer: [ 44.987332] (ftrace buffer empty) [ 44.991022] Kernel Offset: disabled [ 44.994629] Rebooting in 86400 seconds..