[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 18.261875] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.930259] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.228431] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.094474] random: sshd: uninitialized urandom read (32 bytes read)
[ 30.729801] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
[ 36.164942] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 36.259885] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 36.282497] ==================================================================
[ 36.289876] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3829/0x5020
[ 36.296869] Read of size 8 at addr ffff8801af419e08 by task syz-executor315/4381
[ 36.304374]
[ 36.305984] CPU: 0 PID: 4381 Comm: syz-executor315 Not tainted 4.18.0-rc6+ #31
[ 36.313315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.322645] Call Trace:
[ 36.325218]  dump_stack+0x1c9/0x2b4
[ 36.328825]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.333992]  ? printk+0xa7/0xcf
[ 36.337248]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 36.341982]  ? __lock_acquire+0x3829/0x5020
[ 36.346285]  print_address_description+0x6c/0x20b
[ 36.351106]  ? __lock_acquire+0x3829/0x5020
[ 36.355402]  kasan_report.cold.7+0x242/0x2fe
[ 36.359786]  __asan_report_load8_noabort+0x14/0x20
[ 36.364692]  __lock_acquire+0x3829/0x5020
[ 36.368816]  ? print_usage_bug+0xc0/0xc0
[ 36.372855]  ? trace_hardirqs_on+0x10/0x10
[ 36.377062]  ? lock_downgrade+0x8f0/0x8f0
[ 36.381187]  ? mark_held_locks+0xc9/0x160
[ 36.385319]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 36.389878]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 36.394960]  ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 36.399965]  ? trace_hardirqs_on+0xd/0x10
[ 36.404089]  ? depot_save_stack+0x291/0x470
[ 36.408390]  ? save_stack+0xa9/0xd0
[ 36.411994]  ? save_stack+0x43/0xd0
[ 36.415599]  ? kasan_kmalloc+0xc4/0xe0
[ 36.419462]  ? __kmalloc_node+0x47/0x70
[ 36.423425]  ? sock_hash_ctx_update_elem.isra.26+0xa86/0x14d0
[ 36.429286]  ? sock_hash_update_elem+0x1e2/0x510
[ 36.434027]  ? map_update_elem+0x72d/0xcb0
[ 36.438238]  ? __x64_sys_bpf+0x32d/0x510
[ 36.442285]  ? do_syscall_64+0x1b9/0x820
[ 36.446325]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.451669]  ? graph_lock+0x170/0x170
[ 36.455449]  ? print_usage_bug+0xc0/0xc0
[ 36.459486]  ? graph_lock+0x170/0x170
[ 36.463265]  lock_acquire+0x1e4/0x540
[ 36.467060]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 36.472922]  ? lock_release+0xa30/0xa30
[ 36.476892]  ? rcu_read_lock_sched_held+0x108/0x120
[ 36.481885]  ? kmem_cache_alloc_node_trace+0x34e/0x770
[ 36.487137]  ? kasan_unpoison_shadow+0x35/0x50
[ 36.491692]  ? kasan_kmalloc+0xc4/0xe0
[ 36.495559]  _raw_spin_lock_bh+0x31/0x40
[ 36.499600]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 36.505460]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 36.511158]  ? smap_data_ready+0x320/0x320
[ 36.515368]  ? print_usage_bug+0xc0/0xc0
[ 36.519404]  ? find_held_lock+0x36/0x1c0
[ 36.523452]  ? lock_acquire+0x1e4/0x540
[ 36.527403]  ? lock_acquire+0x1e4/0x540
[ 36.531354]  ? sock_hash_update_elem+0x130/0x510
[ 36.536098]  ? kasan_check_read+0x11/0x20
[ 36.540227]  ? rcu_is_watching+0x8c/0x150
[ 36.544359]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[ 36.548746]  ? __local_bh_enable_ip+0x161/0x230
[ 36.553391]  sock_hash_update_elem+0x1e2/0x510
[ 36.557950]  ? bpf_sock_hash_update+0x90/0x90
[ 36.562432]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.567945]  ? _copy_from_user+0xdf/0x150
[ 36.572070]  ? bpf_sock_hash_update+0x90/0x90
[ 36.576541]  map_update_elem+0x72d/0xcb0
[ 36.580584]  __x64_sys_bpf+0x32d/0x510
[ 36.584456]  ? bpf_prog_get+0x20/0x20
[ 36.588236]  ? ksys_ioctl+0x81/0xd0
[ 36.591852]  ? do_syscall_64+0x9a/0x820
[ 36.595807]  do_syscall_64+0x1b9/0x820
[ 36.599671]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 36.604580]  ? syscall_return_slowpath+0x31d/0x5e0
[ 36.609488]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 36.614844]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.619673]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.624850] RIP: 0033:0x440449
[ 36.628026] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.647196] RSP: 002b:00007fffc78dae98 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[ 36.654886] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[ 36.662142] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[ 36.669389] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 36.676644] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[ 36.683894] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[ 36.691140]
[ 36.692752] Allocated by task 4381:
[ 36.696357]  save_stack+0x43/0xd0
[ 36.699794]  kasan_kmalloc+0xc4/0xe0
[ 36.703582]  kasan_slab_alloc+0x12/0x20
[ 36.707531]  kmem_cache_alloc+0x12e/0x760
[ 36.711656]  kcm_ioctl+0xd10/0x1930
[ 36.715258]  sock_do_ioctl+0xe4/0x3e0
[ 36.719032]  sock_ioctl+0x30d/0x680
[ 36.722642]  do_vfs_ioctl+0x1de/0x1720
[ 36.726503]  ksys_ioctl+0xa9/0xd0
[ 36.729940]  __x64_sys_ioctl+0x73/0xb0
[ 36.733802]  do_syscall_64+0x1b9/0x820
[ 36.737666]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.742825]
[ 36.744425] Freed by task 0:
[ 36.747411] (stack is not available)
[ 36.751102]
[ 36.752704] The buggy address belongs to the object at ffff8801af419bc0
[ 36.752704]  which belongs to the cache kcm_psock_cache of size 544
[ 36.765683] The buggy address is located 40 bytes to the right of
[ 36.765683]  544-byte region [ffff8801af419bc0, ffff8801af419de0)
[ 36.777964] The buggy address belongs to the page:
[ 36.782872] page:ffffea0006bd0600 count:1 mapcount:0 mapping:ffff8801cdefb7c0 index:0x0 compound_mapcount: 0
[ 36.792814] flags: 0x2fffc0000008100(slab|head)
[ 36.797462] raw: 02fffc0000008100 ffff8801cded6848 ffff8801cded6848 ffff8801cdefb7c0
[ 36.805328] raw: 0000000000000000 ffff8801af418040 000000010000000b 0000000000000000
[ 36.813197] page dumped because: kasan: bad access detected
[ 36.818896]
[ 36.820495] Memory state around the buggy address:
[ 36.825408]  ffff8801af419d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.832743]  ffff8801af419d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 36.840078] >ffff8801af419e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.847408]                    ^
[ 36.851009]  ffff8801af419e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.858342]  ffff8801af419f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.865671] ==================================================================
[ 36.873567] Disabling lock debugging due to kernel taint
[ 36.878989] Kernel panic - not syncing: panic_on_warn set ...
[ 36.878989]
[ 36.886337] CPU: 0 PID: 4381 Comm: syz-executor315 Tainted: G    B 4.18.0-rc6+ #31
[ 36.895058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.904392] Call Trace:
[ 36.906965]  dump_stack+0x1c9/0x2b4
[ 36.910570]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.915737]  ? lock_downgrade+0x8f0/0x8f0
[ 36.919862]  panic+0x238/0x4e7
[ 36.923041]  ? add_taint.cold.5+0x16/0x16
[ 36.927175]  ? add_taint.cold.5+0x5/0x16
[ 36.931220]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.935607]  ? __lock_acquire+0x3829/0x5020
[ 36.939905]  kasan_end_report+0x47/0x4f
[ 36.943855]  kasan_report.cold.7+0x76/0x2fe
[ 36.948155]  __asan_report_load8_noabort+0x14/0x20
[ 36.953059]  __lock_acquire+0x3829/0x5020
[ 36.957188]  ? print_usage_bug+0xc0/0xc0
[ 36.961235]  ? trace_hardirqs_on+0x10/0x10
[ 36.965446]  ? lock_downgrade+0x8f0/0x8f0
[ 36.969573]  ? mark_held_locks+0xc9/0x160
[ 36.973696]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 36.978277]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 36.983360]  ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 36.988351]  ? trace_hardirqs_on+0xd/0x10
[ 36.992478]  ? depot_save_stack+0x291/0x470
[ 36.996777]  ? save_stack+0xa9/0xd0
[ 37.000389]  ? save_stack+0x43/0xd0
[ 37.004008]  ? kasan_kmalloc+0xc4/0xe0
[ 37.007881]  ? __kmalloc_node+0x47/0x70
[ 37.011833]  ? sock_hash_ctx_update_elem.isra.26+0xa86/0x14d0
[ 37.017692]  ? sock_hash_update_elem+0x1e2/0x510
[ 37.022437]  ? map_update_elem+0x72d/0xcb0
[ 37.026651]  ? __x64_sys_bpf+0x32d/0x510
[ 37.030693]  ? do_syscall_64+0x1b9/0x820
[ 37.034736]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.040089]  ? graph_lock+0x170/0x170
[ 37.043874]  ? print_usage_bug+0xc0/0xc0
[ 37.047919]  ? graph_lock+0x170/0x170
[ 37.051699]  lock_acquire+0x1e4/0x540
[ 37.055479]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 37.061360]  ? lock_release+0xa30/0xa30
[ 37.065313]  ? rcu_read_lock_sched_held+0x108/0x120
[ 37.070320]  ? kmem_cache_alloc_node_trace+0x34e/0x770
[ 37.075575]  ? kasan_unpoison_shadow+0x35/0x50
[ 37.080133]  ? kasan_kmalloc+0xc4/0xe0
[ 37.083997]  _raw_spin_lock_bh+0x31/0x40
[ 37.088045]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 37.093915]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[ 37.099602]  ? smap_data_ready+0x320/0x320
[ 37.103815]  ? print_usage_bug+0xc0/0xc0
[ 37.107859]  ? find_held_lock+0x36/0x1c0
[ 37.111897]  ? lock_acquire+0x1e4/0x540
[ 37.115865]  ? lock_acquire+0x1e4/0x540
[ 37.119822]  ? sock_hash_update_elem+0x130/0x510
[ 37.124557]  ? kasan_check_read+0x11/0x20
[ 37.128681]  ? rcu_is_watching+0x8c/0x150
[ 37.132802]  ? rcu_report_qs_rnp+0x7a0/0x7a0
[ 37.137193]  ? __local_bh_enable_ip+0x161/0x230
[ 37.141847]  sock_hash_update_elem+0x1e2/0x510
[ 37.146413]  ? bpf_sock_hash_update+0x90/0x90
[ 37.150889]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 37.156404]  ? _copy_from_user+0xdf/0x150
[ 37.160529]  ? bpf_sock_hash_update+0x90/0x90
[ 37.165013]  map_update_elem+0x72d/0xcb0
[ 37.169056]  __x64_sys_bpf+0x32d/0x510
[ 37.172932]  ? bpf_prog_get+0x20/0x20
[ 37.176716]  ? ksys_ioctl+0x81/0xd0
[ 37.180323]  ? do_syscall_64+0x9a/0x820
[ 37.184289]  do_syscall_64+0x1b9/0x820
[ 37.188159]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 37.193065]  ? syscall_return_slowpath+0x31d/0x5e0
[ 37.197973]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 37.203317]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.208146]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.213312] RIP: 0033:0x440449
[ 37.216474] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.235568] RSP: 002b:00007fffc78dae98 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[ 37.243261] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[ 37.250512] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[ 37.257758] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 37.265002] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[ 37.272245] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[ 37.279902] Dumping ftrace buffer:
[ 37.283418]    (ftrace buffer empty)
[ 37.287105] Kernel Offset: disabled
[ 37.290709] Rebooting in 86400 seconds..