[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.687944] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 20.696298] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.050207] random: sshd: uninitialized urandom read (32 bytes read) [ 21.875420] random: sshd: uninitialized urandom read (32 bytes read) [ 22.070445] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts. [ 27.641591] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 27.758440] ================================================================== [ 27.765896] BUG: KASAN: slab-out-of-bounds in process_preds+0x3ecf/0x4160 [ 27.772802] Write of size 4 at addr ffff8801cdbcdf70 by task syz-executor235/4508 [ 27.780402] [ 27.782015] CPU: 0 PID: 4508 Comm: syz-executor235 Not tainted 4.17.0+ #105 [ 27.789092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.798424] Call Trace: [ 27.800991] dump_stack+0x1c9/0x2b4 [ 27.804603] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.809773] ? printk+0xa7/0xcf [ 27.813042] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 27.817788] ? process_preds+0x3ecf/0x4160 [ 27.822005] print_address_description+0x6c/0x20b [ 27.826829] ? process_preds+0x3ecf/0x4160 [ 27.831046] kasan_report.cold.7+0x242/0x2fe [ 27.835435] __asan_report_store4_noabort+0x17/0x20 [ 27.840427] process_preds+0x3ecf/0x4160 [ 27.844473] ? filter_parse_regex+0x2b0/0x2b0 [ 27.848951] ? create_filter_start.constprop.14+0xfb/0x2b0 [ 27.854554] ? rcu_read_lock_sched_held+0x108/0x120 [ 27.859551] ? kmem_cache_alloc_trace+0x616/0x780 [ 27.864378] ? create_filter_start.constprop.14+0x55/0x2b0 [ 27.869984] create_filter+0x167/0x280 [ 27.873853] ? process_preds+0x4160/0x4160 [ 27.878070] ftrace_profile_set_filter+0x135/0x2f0 [ 27.882980] ? ftrace_profile_free_filter+0x70/0x70 [ 27.887977] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 27.893492] ? memdup_user+0x6b/0xa0 [ 27.897191] perf_event_set_filter+0x251/0x1260 [ 27.901841] ? mutex_trylock+0x2b0/0x2b0 [ 27.905881] ? __mutex_lock+0x7e8/0x1820 [ 27.909924] ? graph_lock+0x170/0x170 [ 27.913706] ? graph_lock+0x170/0x170 [ 27.917488] ? perf_pmu_unregister+0x540/0x540 [ 27.922064] ? mutex_trylock+0x2b0/0x2b0 [ 27.926106] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.931622] ? smp_call_function_single+0x2d6/0x5c0 [ 27.936621] ? find_held_lock+0x36/0x1c0 [ 27.940662] ? graph_lock+0x170/0x170 [ 27.944440] ? lock_downgrade+0x8f0/0x8f0 [ 27.948572] _perf_ioctl+0x865/0x1600 [ 27.952352] ? __do_sys_perf_event_open+0x30f0/0x30f0 [ 27.957524] ? lock_downgrade+0x8f0/0x8f0 [ 27.961662] ? kasan_check_read+0x11/0x20 [ 27.965789] ? rcu_is_watching+0x8c/0x150 [ 27.969914] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 27.974309] ? mutex_lock_nested+0x16/0x20 [ 27.978518] ? mutex_lock_nested+0x16/0x20 [ 27.982730] ? perf_event_ctx_lock_nested+0x415/0x500 [ 27.987901] ? trace_hardirqs_on_caller+0x371/0x5c0 [ 27.992894] ? perf_event_read_event+0x450/0x450 [ 27.997648] ? fd_install+0x4d/0x60 [ 28.001255] ? __do_sys_perf_event_open+0x7c7/0x30f0 [ 28.006337] perf_ioctl+0x59/0x80 [ 28.009770] ? _perf_ioctl+0x1600/0x1600 [ 28.013810] do_vfs_ioctl+0x1de/0x1720 [ 28.017679] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.023197] ? ioctl_preallocate+0x300/0x300 [ 28.027582] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.033095] ? __fget_light+0x2f7/0x440 [ 28.037050] ? fget_raw+0x20/0x20 [ 28.040492] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.046013] ? __do_page_fault+0x449/0xe50 [ 28.050237] ? mm_fault_error+0x380/0x380 [ 28.054365] ? security_file_ioctl+0x94/0xc0 [ 28.058752] ksys_ioctl+0xa9/0xd0 [ 28.062187] __x64_sys_ioctl+0x73/0xb0 [ 28.066058] do_syscall_64+0x1b9/0x820 [ 28.069924] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.074833] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.079755] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.085108] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.089933] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.095101] RIP: 0033:0x43fdb9 [ 28.098265] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 28.117452] RSP: 002b:00007ffc3e6e5df8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 28.125147] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 28.132397] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 28.139647] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 28.146893] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 28.154142] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 28.161396] [ 28.163005] Allocated by task 19: [ 28.166451] save_stack+0x43/0xd0 [ 28.169882] kasan_kmalloc+0xc4/0xe0 [ 28.173578] kmem_cache_alloc_trace+0x152/0x780 [ 28.178233] __request_module+0x386/0xcdd [ 28.182359] snd_request_card+0x6b/0x80 [ 28.186313] snd_seq_client_use_ptr+0x3aa/0x3f0 [ 28.190960] snd_seq_ioctl_query_next_client+0xd8/0x160 [ 28.196302] snd_seq_kernel_client_ctl+0x15a/0x190 [ 28.201209] snd_seq_oss_midi_lookup_ports+0xf6/0x270 [ 28.206376] async_call_lookup_ports+0x14/0x20 [ 28.210937] process_one_work+0xc73/0x1ba0 [ 28.215150] worker_thread+0x189/0x13c0 [ 28.219098] kthread+0x345/0x410 [ 28.222440] ret_from_fork+0x3a/0x50 [ 28.226136] [ 28.227741] Freed by task 19: [ 28.230825] save_stack+0x43/0xd0 [ 28.234256] __kasan_slab_free+0x11a/0x170 [ 28.238472] kasan_slab_free+0xe/0x10 [ 28.242246] kfree+0xd9/0x260 [ 28.245329] free_modprobe_argv+0x74/0xa0 [ 28.249451] call_usermodehelper_exec+0x27a/0x500 [ 28.254271] __request_module+0x4ba/0xcdd [ 28.258399] snd_request_card+0x6b/0x80 [ 28.262353] snd_seq_client_use_ptr+0x3aa/0x3f0 [ 28.267000] snd_seq_ioctl_query_next_client+0xd8/0x160 [ 28.272345] snd_seq_kernel_client_ctl+0x15a/0x190 [ 28.277249] snd_seq_oss_midi_lookup_ports+0xf6/0x270 [ 28.282415] async_call_lookup_ports+0x14/0x20 [ 28.286976] process_one_work+0xc73/0x1ba0 [ 28.291189] worker_thread+0x189/0x13c0 [ 28.295140] kthread+0x345/0x410 [ 28.298483] ret_from_fork+0x3a/0x50 [ 28.302169] [ 28.303778] The buggy address belongs to the object at ffff8801cdbcdf00 [ 28.303778] which belongs to the cache kmalloc-64 of size 64 [ 28.316238] The buggy address is located 48 bytes to the right of [ 28.316238] 64-byte region [ffff8801cdbcdf00, ffff8801cdbcdf40) [ 28.328441] The buggy address belongs to the page: [ 28.333347] page:ffffea000736f340 count:1 mapcount:0 mapping:ffff8801da800340 index:0x0 [ 28.341463] flags: 0x2fffc0000000100(slab) [ 28.345675] raw: 02fffc0000000100 ffffea000739d308 ffffea0007353e48 ffff8801da800340 [ 28.353533] raw: 0000000000000000 ffff8801cdbcd000 0000000100000020 0000000000000000 [ 28.361385] page dumped because: kasan: bad access detected [ 28.367065] [ 28.368666] Memory state around the buggy address: [ 28.373569] ffff8801cdbcde00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.380903] ffff8801cdbcde80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.388241] >ffff8801cdbcdf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.395577] ^ [ 28.402564] ffff8801cdbcdf80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 28.409899] ffff8801cdbce000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 28.417232] ================================================================== [ 28.424562] Disabling lock debugging due to kernel taint [ 28.430076] Kernel panic - not syncing: panic_on_warn set ... [ 28.430076] [ 28.437437] CPU: 0 PID: 4508 Comm: syz-executor235 Tainted: G B 4.17.0+ #105 [ 28.445910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.455241] Call Trace: [ 28.457812] dump_stack+0x1c9/0x2b4 [ 28.461417] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.466588] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.471336] panic+0x238/0x4e7 [ 28.474508] ? add_taint.cold.5+0x16/0x16 [ 28.478634] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.483027] ? process_preds+0x3ecf/0x4160 [ 28.487241] kasan_end_report+0x47/0x4f [ 28.491195] kasan_report.cold.7+0x76/0x2fe [ 28.495495] __asan_report_store4_noabort+0x17/0x20 [ 28.500486] process_preds+0x3ecf/0x4160 [ 28.504539] ? filter_parse_regex+0x2b0/0x2b0 [ 28.509014] ? create_filter_start.constprop.14+0xfb/0x2b0 [ 28.514623] ? rcu_read_lock_sched_held+0x108/0x120 [ 28.519616] ? kmem_cache_alloc_trace+0x616/0x780 [ 28.524438] ? create_filter_start.constprop.14+0x55/0x2b0 [ 28.530037] create_filter+0x167/0x280 [ 28.533901] ? process_preds+0x4160/0x4160 [ 28.538125] ftrace_profile_set_filter+0x135/0x2f0 [ 28.543032] ? ftrace_profile_free_filter+0x70/0x70 [ 28.548031] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.553547] ? memdup_user+0x6b/0xa0 [ 28.557238] perf_event_set_filter+0x251/0x1260 [ 28.561905] ? mutex_trylock+0x2b0/0x2b0 [ 28.565941] ? __mutex_lock+0x7e8/0x1820 [ 28.569977] ? graph_lock+0x170/0x170 [ 28.573756] ? graph_lock+0x170/0x170 [ 28.577537] ? perf_pmu_unregister+0x540/0x540 [ 28.582100] ? mutex_trylock+0x2b0/0x2b0 [ 28.586138] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.591654] ? smp_call_function_single+0x2d6/0x5c0 [ 28.596648] ? find_held_lock+0x36/0x1c0 [ 28.600685] ? graph_lock+0x170/0x170 [ 28.604466] ? lock_downgrade+0x8f0/0x8f0 [ 28.608595] _perf_ioctl+0x865/0x1600 [ 28.612374] ? __do_sys_perf_event_open+0x30f0/0x30f0 [ 28.617540] ? lock_downgrade+0x8f0/0x8f0 [ 28.621667] ? kasan_check_read+0x11/0x20 [ 28.625791] ? rcu_is_watching+0x8c/0x150 [ 28.629915] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 28.634300] ? mutex_lock_nested+0x16/0x20 [ 28.638513] ? mutex_lock_nested+0x16/0x20 [ 28.642725] ? perf_event_ctx_lock_nested+0x415/0x500 [ 28.647894] ? trace_hardirqs_on_caller+0x371/0x5c0 [ 28.652887] ? perf_event_read_event+0x450/0x450 [ 28.657621] ? fd_install+0x4d/0x60 [ 28.661224] ? __do_sys_perf_event_open+0x7c7/0x30f0 [ 28.666307] perf_ioctl+0x59/0x80 [ 28.669736] ? _perf_ioctl+0x1600/0x1600 [ 28.673775] do_vfs_ioctl+0x1de/0x1720 [ 28.677651] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.683164] ? ioctl_preallocate+0x300/0x300 [ 28.687548] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.693063] ? __fget_light+0x2f7/0x440 [ 28.697021] ? fget_raw+0x20/0x20 [ 28.700455] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.706317] ? __do_page_fault+0x449/0xe50 [ 28.710531] ? mm_fault_error+0x380/0x380 [ 28.714663] ? security_file_ioctl+0x94/0xc0 [ 28.719055] ksys_ioctl+0xa9/0xd0 [ 28.722488] __x64_sys_ioctl+0x73/0xb0 [ 28.726355] do_syscall_64+0x1b9/0x820 [ 28.730218] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.735126] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.740037] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.745381] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.750203] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.755368] RIP: 0033:0x43fdb9 [ 28.758531] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 28.777736] RSP: 002b:00007ffc3e6e5df8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 28.785441] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 28.792688] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 28.799935] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 28.807182] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 28.814433] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 28.822346] Dumping ftrace buffer: [ 28.825873] (ftrace buffer empty) [ 28.829562] Kernel Offset: disabled [ 28.833190] Rebooting in 86400 seconds..