[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.545073] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 22.368318] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.688986] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.430933] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.583096] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[ 29.062913] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/08 22:32:48 parsed 1 programs
2018/05/08 22:32:48 executed programs: 0
[ 29.631391] IPVS: ftp: loaded support on port[0] = 21
[ 29.690468] ==================================================================
[ 29.697958] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0
[ 29.704878] Write of size 4 at addr ffff8801ce48ac70 by task syz-executor0/4543
[ 29.712307]
[ 29.713926] CPU: 1 PID: 4543 Comm: syz-executor0 Not tainted 4.17.0-rc4+ #64
[ 29.721098] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.730457] Call Trace:
[ 29.733046] dump_stack+0x1b9/0x294
[ 29.736667] ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.741851] ? printk+0x9e/0xba
[ 29.745136] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.749996] ? kasan_check_write+0x14/0x20
[ 29.754225] print_address_description+0x6c/0x20b
[ 29.759083] ? process_preds+0x191f/0x19d0
[ 29.763316] kasan_report.cold.7+0x242/0x2fe
[ 29.767717] __asan_report_store4_noabort+0x17/0x20
[ 29.772747] process_preds+0x191f/0x19d0
[ 29.776803] ? parse_pred+0x28e0/0x28e0
[ 29.780786] ? create_filter_start.constprop.12+0x55/0x2b0
[ 29.786401] create_filter+0x155/0x270
[ 29.790289] ? process_preds+0x19d0/0x19d0
[ 29.794516] ftrace_profile_set_filter+0x130/0x2e0
[ 29.799439] ? ftrace_profile_free_filter+0x70/0x70
[ 29.804465] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.809991] ? memdup_user+0x6b/0xa0
[ 29.813695] perf_event_set_filter+0x248/0x1230
[ 29.818353] ? perf_event_ctx_lock_nested+0x286/0x4e0
[ 29.823536] ? perf_pmu_unregister+0x530/0x530
[ 29.828112] ? exit_robust_list+0x290/0x290
[ 29.832425] ? kasan_check_read+0x11/0x20
[ 29.836563] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 29.841132] ? pud_val+0x80/0xf0
[ 29.844493] ? pmd_val+0xf0/0xf0
[ 29.847848] ? kasan_check_write+0x14/0x20
[ 29.852091] ? graph_lock+0x170/0x170
[ 29.855883] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.861427] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.866972] ? __handle_mm_fault+0x93a/0x4310
[ 29.871481] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.876668] _perf_ioctl+0x84c/0x15e0
[ 29.880459] ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[ 29.885640] ? lock_downgrade+0x8e0/0x8e0
[ 29.889870] ? kasan_check_read+0x11/0x20
[ 29.894006] ? rcu_is_watching+0x85/0x140
[ 29.898143] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.903324] ? mutex_lock_nested+0x16/0x20
[ 29.907546] ? mutex_lock_nested+0x16/0x20
[ 29.911774] ? perf_event_ctx_lock_nested+0x40d/0x4e0
[ 29.916962] ? perf_event_read_event+0x430/0x430
[ 29.921709] ? fget_raw+0x20/0x20
[ 29.925158] ? __handle_mm_fault+0x4310/0x4310
[ 29.929738] ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 29.934663] perf_ioctl+0x59/0x80
[ 29.938120] perf_compat_ioctl+0x44/0x90
[ 29.942180] ? perf_ioctl+0x80/0x80
[ 29.945808] __ia32_compat_sys_ioctl+0x221/0x640
[ 29.950557] do_fast_syscall_32+0x345/0xf9b
[ 29.954874] ? do_int80_syscall_32+0x880/0x880
[ 29.959454] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.964207] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.969740] ? syscall_return_slowpath+0x30f/0x5c0
[ 29.974665] ? sysret32_from_system_call+0x5/0x46
[ 29.979506] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.984351] entry_SYSENTER_compat+0x70/0x7f
[ 29.988753] RIP: 0023:0xf7f24cb9
[ 29.992102] RSP: 002b:00000000ff8ec47c EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 29.999800] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000040082406
[ 30.007061] RDX: 0000000020000200 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.014326] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.021585] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 30.028842] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.036109]
[ 30.037741] Allocated by task 1:
[ 30.041119] save_stack+0x43/0xd0
[ 30.044559] kasan_kmalloc+0xc4/0xe0
[ 30.048260] kmem_cache_alloc_trace+0x152/0x780
[ 30.052922] minstrel_alloc+0x51/0x650
[ 30.056800] minstrel_ht_alloc+0x42/0x50
[ 30.060869] ieee80211_init_rate_ctrl_alg+0x1fd/0x4f0
[ 30.066052] ieee80211_register_hw+0x16e9/0x35d0
[ 30.070804] mac80211_hwsim_new_radio+0x1d9b/0x3410
[ 30.075820] init_mac80211_hwsim+0x6ec/0x88f
[ 30.080225] do_one_initcall+0x127/0x913
[ 30.084287] kernel_init_freeable+0x49b/0x58e
[ 30.088776] kernel_init+0x11/0x1b3
[ 30.092394] ret_from_fork+0x3a/0x50
[ 30.096090]
[ 30.097701] Freed by task 0:
[ 30.100710] (stack is not available)
[ 30.104410]
[ 30.106030] The buggy address belongs to the object at ffff8801ce48ac00
[ 30.106030] which belongs to the cache kmalloc-64 of size 64
[ 30.118503] The buggy address is located 48 bytes to the right of
[ 30.118503] 64-byte region [ffff8801ce48ac00, ffff8801ce48ac40)
[ 30.130714] The buggy address belongs to the page:
[ 30.135645] page:ffffea0007392280 count:1 mapcount:0 mapping:ffff8801ce48a000 index:0x0
[ 30.143776] flags: 0x2fffc0000000100(slab)
[ 30.148009] raw: 02fffc0000000100 ffff8801ce48a000 0000000000000000 0000000100000020
[ 30.155883] raw: ffffea00073a9fe0 ffffea000739c3a0 ffff8801da800340 0000000000000000
[ 30.163746] page dumped because: kasan: bad access detected
[ 30.169439]
[ 30.171053] Memory state around the buggy address:
[ 30.175977] ffff8801ce48ab00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.183324] ffff8801ce48ab80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.190668] >ffff8801ce48ac00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 30.198023] ^
[ 30.205045] ffff8801ce48ac80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 30.212397] ffff8801ce48ad00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.219748] ==================================================================
[ 30.227097] Disabling lock debugging due to kernel taint
[ 30.232604] Kernel panic - not syncing: panic_on_warn set ...
[ 30.232604]
[ 30.239981] CPU: 1 PID: 4543 Comm: syz-executor0 Tainted: G B 4.17.0-rc4+ #64
[ 30.248551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.257895] Call Trace:
[ 30.260473] dump_stack+0x1b9/0x294
[ 30.264114] ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.269296] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.274042] ? process_preds+0x1880/0x19d0
[ 30.278269] panic+0x22f/0x4de
[ 30.281444] ? add_taint.cold.5+0x16/0x16
[ 30.285590] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.289987] ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.294386] ? process_preds+0x191f/0x19d0
[ 30.298612] kasan_end_report+0x47/0x4f
[ 30.302566] kasan_report.cold.7+0x76/0x2fe
[ 30.306873] __asan_report_store4_noabort+0x17/0x20
[ 30.311881] process_preds+0x191f/0x19d0
[ 30.315938] ? parse_pred+0x28e0/0x28e0
[ 30.319895] ? create_filter_start.constprop.12+0x55/0x2b0
[ 30.325507] create_filter+0x155/0x270
[ 30.329384] ? process_preds+0x19d0/0x19d0
[ 30.333614] ftrace_profile_set_filter+0x130/0x2e0
[ 30.338546] ? ftrace_profile_free_filter+0x70/0x70
[ 30.343543] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.349064] ? memdup_user+0x6b/0xa0
[ 30.352762] perf_event_set_filter+0x248/0x1230
[ 30.357412] ? perf_event_ctx_lock_nested+0x286/0x4e0
[ 30.362585] ? perf_pmu_unregister+0x530/0x530
[ 30.367152] ? exit_robust_list+0x290/0x290
[ 30.371471] ? kasan_check_read+0x11/0x20
[ 30.375599] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 30.380179] ? pud_val+0x80/0xf0
[ 30.383529] ? pmd_val+0xf0/0xf0
[ 30.386879] ? kasan_check_write+0x14/0x20
[ 30.391102] ? graph_lock+0x170/0x170
[ 30.394887] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.400406] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.405926] ? __handle_mm_fault+0x93a/0x4310
[ 30.410410] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.415586] _perf_ioctl+0x84c/0x15e0
[ 30.419369] ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[ 30.424542] ? lock_downgrade+0x8e0/0x8e0
[ 30.428676] ? kasan_check_read+0x11/0x20
[ 30.432809] ? rcu_is_watching+0x85/0x140
[ 30.436941] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.442126] ? mutex_lock_nested+0x16/0x20
[ 30.446343] ? mutex_lock_nested+0x16/0x20
[ 30.450560] ? perf_event_ctx_lock_nested+0x40d/0x4e0
[ 30.455733] ? perf_event_read_event+0x430/0x430
[ 30.460470] ? fget_raw+0x20/0x20
[ 30.463907] ? __handle_mm_fault+0x4310/0x4310
[ 30.468479] ? __ia32_compat_sys_futex+0x3de/0x5e0
[ 30.473392] perf_ioctl+0x59/0x80
[ 30.476831] perf_compat_ioctl+0x44/0x90
[ 30.480875] ? perf_ioctl+0x80/0x80
[ 30.484489] __ia32_compat_sys_ioctl+0x221/0x640
[ 30.489241] do_fast_syscall_32+0x345/0xf9b
[ 30.493555] ? do_int80_syscall_32+0x880/0x880
[ 30.498132] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.502883] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.508400] ? syscall_return_slowpath+0x30f/0x5c0
[ 30.513311] ? sysret32_from_system_call+0x5/0x46
[ 30.518140] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.522965] entry_SYSENTER_compat+0x70/0x7f
[ 30.527353] RIP: 0023:0xf7f24cb9
[ 30.530702] RSP: 002b:00000000ff8ec47c EFLAGS: 00000282 ORIG_RAX: 0000000000000036
[ 30.538390] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000040082406
[ 30.545641] RDX: 0000000020000200 RSI: 0000000000000000 RDI: 0000000000000000
[ 30.552894] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 30.560145] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[ 30.567395] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 30.575119] Dumping ftrace buffer:
[ 30.578653] (ftrace buffer empty)
[ 30.582349] Kernel Offset: disabled
[ 30.585972] Rebooting in 86400 seconds..