[....] Starting OpenBSD Secure Shell server: sshd[ 18.271318] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]
[ 19.018990] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.282743] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.132311] sshd (4453) used greatest stack depth: 17048 bytes left
[ 20.149337] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.304397] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.199' (ECDSA) to the list of known hosts.
[ 25.727282] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 25.821802] ==================================================================
[ 25.829291] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880
[ 25.836660] Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466
[ 25.844289]
[ 25.845917] CPU: 1 PID: 4466 Comm: syz-executor907 Not tainted 4.18.0-rc3+ #40
[ 25.853517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.862851] Call Trace:
[ 25.865430] dump_stack+0x1c9/0x2b4
[ 25.869054] ? dump_stack_print_info.cold.2+0x52/0x52
[ 25.874240] ? printk+0xa7/0xcf
[ 25.877507] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 25.882257] ? fscache_alloc_cookie+0x7a9/0x880
[ 25.886920] print_address_description+0x6c/0x20b
[ 25.891754] ? fscache_alloc_cookie+0x7a9/0x880
[ 25.896418] kasan_report.cold.7+0x242/0x2fe
[ 25.900816] __asan_report_load4_noabort+0x14/0x20
[ 25.905731] fscache_alloc_cookie+0x7a9/0x880
[ 25.910216] ? fscache_cookie_init_once+0x80/0x80
[ 25.915045] ? lock_downgrade+0x8f0/0x8f0
[ 25.919178] ? radix_tree_delete_item+0x188/0x310
[ 25.924026] ? kasan_check_read+0x11/0x20
[ 25.928158] ? do_raw_spin_unlock+0xa7/0x2f0
[ 25.932558] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 25.937171] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 25.942292] __fscache_acquire_cookie+0x230/0xb00
[ 25.947147] ? fscache_cookie_put+0x850/0x850
[ 25.951652] ? p9_client_attach+0x215/0x860
[ 25.955980] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 25.961084] ? debug_check_no_obj_freed+0x30b/0x595
[ 25.966096] ? p9_client_walk+0xab0/0xab0
[ 25.970252] ? trace_hardirqs_off+0xd/0x10
[ 25.974479] ? quarantine_put+0x10d/0x1b0
[ 25.978613] ? kfree+0x111/0x260
[ 25.981982] v9fs_cache_session_get_cookie+0xc4/0x270
[ 25.987162] v9fs_session_init+0x1013/0x1a80
[ 25.991559] ? v9fs_show_options+0x7e0/0x7e0
[ 25.995958] ? kasan_check_read+0x11/0x20
[ 26.000098] ? do_raw_spin_unlock+0xa7/0x2f0
[ 26.004505] ? kasan_check_read+0x11/0x20
[ 26.008656] ? rcu_is_watching+0x8c/0x150
[ 26.012798] ? rcu_pm_notify+0xc0/0xc0
[ 26.016676] ? v9fs_mount+0x61/0x900
[ 26.020380] ? rcu_read_lock_sched_held+0x108/0x120
[ 26.025397] ? kmem_cache_alloc_trace+0x616/0x780
[ 26.030253] v9fs_mount+0x7c/0x900
[ 26.033785] mount_fs+0xae/0x328
[ 26.037141] vfs_kern_mount.part.34+0xdc/0x4e0
[ 26.041719] ? may_umount+0xb0/0xb0
[ 26.045351] ? _raw_read_unlock+0x22/0x30
[ 26.049482] ? __get_fs_type+0x97/0xc0
[ 26.053449] do_mount+0x581/0x30e0
[ 26.056989] ? copy_mount_string+0x40/0x40
[ 26.061221] ? copy_mount_options+0x5f/0x380
[ 26.065619] ? rcu_read_lock_sched_held+0x108/0x120
[ 26.070639] ? kmem_cache_alloc_trace+0x616/0x780
[ 26.075481] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 26.081012] ? _copy_from_user+0xdf/0x150
[ 26.085160] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 26.090695] ? copy_mount_options+0x285/0x380
[ 26.095188] __ia32_compat_sys_mount+0x5d5/0x860
[ 26.099943] do_fast_syscall_32+0x34d/0xfb2
[ 26.104262] ? do_int80_syscall_32+0x890/0x890
[ 26.108850] ? do_syscall_64+0x497/0x820
[ 26.112904] ? syscall_slow_exit_work+0x500/0x500
[ 26.117757] ? syscall_return_slowpath+0x5e0/0x5e0
[ 26.122690] ? syscall_return_slowpath+0x31d/0x5e0
[ 26.127624] ? sysret32_from_system_call+0x5/0x46
[ 26.132468] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.137300] entry_SYSENTER_compat+0x70/0x7f
[ 26.141693] RIP: 0023:0xf7f17cb9
[ 26.145038] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 26.164263] RSP: 002b:00000000ffafd7dc EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 26.171982] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000280
[ 26.179257] RDX: 00000000200002c0 RSI: 0000000000800000 RDI: 0000000020000340
[ 26.186515] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 26.193783] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 26.201045] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 26.208318]
[ 26.209930] Allocated by task 4466:
[ 26.213554] save_stack+0x43/0xd0
[ 26.217012] kasan_kmalloc+0xc4/0xe0
[ 26.220715] __kmalloc+0x14e/0x760
[ 26.224244] fscache_alloc_cookie+0x701/0x880
[ 26.228723] __fscache_acquire_cookie+0x230/0xb00
[ 26.233582] v9fs_cache_session_get_cookie+0xc4/0x270
[ 26.238759] v9fs_session_init+0x1013/0x1a80
[ 26.243152] v9fs_mount+0x7c/0x900
[ 26.246680] mount_fs+0xae/0x328
[ 26.250051] vfs_kern_mount.part.34+0xdc/0x4e0
[ 26.254621] do_mount+0x581/0x30e0
[ 26.258160] __ia32_compat_sys_mount+0x5d5/0x860
[ 26.262906] do_fast_syscall_32+0x34d/0xfb2
[ 26.267223] entry_SYSENTER_compat+0x70/0x7f
[ 26.271625]
[ 26.273237] Freed by task 1:
[ 26.276244] save_stack+0x43/0xd0
[ 26.279682] __kasan_slab_free+0x11a/0x170
[ 26.283913] kasan_slab_free+0xe/0x10
[ 26.287711] kfree+0xd9/0x260
[ 26.290804] __kthread_create_on_node+0x34a/0x4c0
[ 26.295637] kthread_create_on_node+0xb1/0xe0
[ 26.300127] cryptomgr_notify+0x5ac/0xb90
[ 26.304272] notifier_call_chain+0x180/0x390
[ 26.308673] blocking_notifier_call_chain+0x147/0x190
[ 26.313860] crypto_probing_notify+0x26/0x80
[ 26.318273] crypto_wait_for_test+0x42/0xe0
[ 26.322595] crypto_register_alg+0xc0/0xe0
[ 26.326826] crypto_register_shash+0x35/0x50
[ 26.331222] crypto_register_shashes+0x5d/0xe0
[ 26.335802] sha512_ssse3_mod_init+0xc4/0x282
[ 26.340288] do_one_initcall+0x127/0x913
[ 26.344334] kernel_init_freeable+0x49b/0x58e
[ 26.348819] kernel_init+0x11/0x1b3
[ 26.352433] ret_from_fork+0x3a/0x50
[ 26.356137]
[ 26.357764] The buggy address belongs to the object at ffff8801d3cc8b80
[ 26.357764] which belongs to the cache kmalloc-64 of size 64
[ 26.370239] The buggy address is located 52 bytes inside of
[ 26.370239] 64-byte region [ffff8801d3cc8b80, ffff8801d3cc8bc0)
[ 26.381946] The buggy address belongs to the page:
[ 26.386873] page:ffffea00074f3200 count:1 mapcount:0 mapping:ffff8801da800340 index:0x0
[ 26.395006] flags: 0x2fffc0000000100(slab)
[ 26.399249] raw: 02fffc0000000100 ffffea000750d208 ffffea00074b1f08 ffff8801da800340
[ 26.407119] raw: 0000000000000000 ffff8801d3cc8000 0000000100000020 0000000000000000
[ 26.414999] page dumped because: kasan: bad access detected
[ 26.420695]
[ 26.422306] Memory state around the buggy address:
[ 26.427221] ffff8801d3cc8a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.434564] ffff8801d3cc8b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.441907] >ffff8801d3cc8b80: 00 00 00 00 00 00 07 fc fc fc fc fc fc fc fc fc
[ 26.449248]                                      ^
[ 26.454162] ffff8801d3cc8c00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 26.461505] ffff8801d3cc8c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 26.468852] ==================================================================
[ 26.476191] Disabling lock debugging due to kernel taint
[ 26.482049] Kernel panic - not syncing: panic_on_warn set ...
[ 26.482049]
[ 26.489435] CPU: 1 PID: 4466 Comm: syz-executor907 Tainted: G B 4.18.0-rc3+ #40
[ 26.498177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.507521] Call Trace:
[ 26.510098] dump_stack+0x1c9/0x2b4
[ 26.513711] ? dump_stack_print_info.cold.2+0x52/0x52
[ 26.518883] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.523628] panic+0x238/0x4e7
[ 26.526804] ? add_taint.cold.5+0x16/0x16
[ 26.530938] ? do_raw_spin_unlock+0xa7/0x2f0
[ 26.535340] ? fscache_alloc_cookie+0x7a9/0x880
[ 26.539991] kasan_end_report+0x47/0x4f
[ 26.543959] kasan_report.cold.7+0x76/0x2fe
[ 26.548270] __asan_report_load4_noabort+0x14/0x20
[ 26.553191] fscache_alloc_cookie+0x7a9/0x880
[ 26.557670] ? fscache_cookie_init_once+0x80/0x80
[ 26.562500] ? lock_downgrade+0x8f0/0x8f0
[ 26.566651] ? radix_tree_delete_item+0x188/0x310
[ 26.571477] ? kasan_check_read+0x11/0x20
[ 26.575608] ? do_raw_spin_unlock+0xa7/0x2f0
[ 26.579997] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 26.584564] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 26.589649] __fscache_acquire_cookie+0x230/0xb00
[ 26.594472] ? fscache_cookie_put+0x850/0x850
[ 26.598952] ? p9_client_attach+0x215/0x860
[ 26.603257] ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 26.608345] ? debug_check_no_obj_freed+0x30b/0x595
[ 26.613343] ? p9_client_walk+0xab0/0xab0
[ 26.617476] ? trace_hardirqs_off+0xd/0x10
[ 26.621693] ? quarantine_put+0x10d/0x1b0
[ 26.625824] ? kfree+0x111/0x260
[ 26.629176] v9fs_cache_session_get_cookie+0xc4/0x270
[ 26.634358] v9fs_session_init+0x1013/0x1a80
[ 26.638757] ? v9fs_show_options+0x7e0/0x7e0
[ 26.643157] ? kasan_check_read+0x11/0x20
[ 26.647293] ? do_raw_spin_unlock+0xa7/0x2f0
[ 26.651687] ? kasan_check_read+0x11/0x20
[ 26.655816] ? rcu_is_watching+0x8c/0x150
[ 26.659942] ? rcu_pm_notify+0xc0/0xc0
[ 26.663812] ? v9fs_mount+0x61/0x900
[ 26.667506] ? rcu_read_lock_sched_held+0x108/0x120
[ 26.672504] ? kmem_cache_alloc_trace+0x616/0x780
[ 26.677329] v9fs_mount+0x7c/0x900
[ 26.680856] mount_fs+0xae/0x328
[ 26.684204] vfs_kern_mount.part.34+0xdc/0x4e0
[ 26.688768] ? may_umount+0xb0/0xb0
[ 26.692378] ? _raw_read_unlock+0x22/0x30
[ 26.696505] ? __get_fs_type+0x97/0xc0
[ 26.700389] do_mount+0x581/0x30e0
[ 26.703935] ? copy_mount_string+0x40/0x40
[ 26.708188] ? copy_mount_options+0x5f/0x380
[ 26.712579] ? rcu_read_lock_sched_held+0x108/0x120
[ 26.717585] ? kmem_cache_alloc_trace+0x616/0x780
[ 26.722419] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 26.727937] ? _copy_from_user+0xdf/0x150
[ 26.732068] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 26.737585] ? copy_mount_options+0x285/0x380
[ 26.742071] __ia32_compat_sys_mount+0x5d5/0x860
[ 26.746812] do_fast_syscall_32+0x34d/0xfb2
[ 26.751116] ? do_int80_syscall_32+0x890/0x890
[ 26.755676] ? do_syscall_64+0x497/0x820
[ 26.759716] ? syscall_slow_exit_work+0x500/0x500
[ 26.764537] ? syscall_return_slowpath+0x5e0/0x5e0
[ 26.769448] ? syscall_return_slowpath+0x31d/0x5e0
[ 26.774375] ? sysret32_from_system_call+0x5/0x46
[ 26.779221] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.784061] entry_SYSENTER_compat+0x70/0x7f
[ 26.788451] RIP: 0023:0xf7f17cb9
[ 26.791800] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 26.810934] RSP: 002b:00000000ffafd7dc EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 26.818633] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000280
[ 26.825891] RDX: 00000000200002c0 RSI: 0000000000800000 RDI: 0000000020000340
[ 26.833152] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 26.840413] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 26.847670] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 26.855422] Dumping ftrace buffer:
[ 26.858941] (ftrace buffer empty)
[ 26.862637] Kernel Offset: disabled
[ 26.866245] Rebooting in 86400 seconds..