[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   17.283925] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.501404] random: sshd: uninitialized urandom read (32 bytes read)
[   24.022853] random: sshd: uninitialized urandom read (32 bytes read)
[   24.768158] random: sshd: uninitialized urandom read (32 bytes read)
[   24.903700] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.199' (ECDSA) to the list of known hosts.
[   30.334607] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.416845] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   30.436214] ==================================================================
[   30.443587] BUG: KASAN: slab-out-of-bounds in do_raw_spin_lock+0x1c0/0x200
[   30.450578] Read of size 4 at addr ffff8801acaffdf4 by task syz-executor060/4326
[   30.458096] 
[   30.459720] CPU: 1 PID: 4326 Comm: syz-executor060 Not tainted 4.18.0-rc6-next-20180725+ #18
[   30.468274] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.477617] Call Trace:
[   30.480191]  dump_stack+0x1c9/0x2b4
[   30.483801]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.488978]  ? printk+0xa7/0xcf
[   30.492236]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.496973]  ? do_raw_spin_lock+0x1c0/0x200
[   30.501276]  print_address_description+0x6c/0x20b
[   30.506106]  ? do_raw_spin_lock+0x1c0/0x200
[   30.510409]  kasan_report.cold.7+0x242/0x30d
[   30.514805]  __asan_report_load4_noabort+0x14/0x20
[   30.519714]  do_raw_spin_lock+0x1c0/0x200
[   30.523846]  _raw_spin_lock_bh+0x39/0x40
[   30.527890]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   30.533756]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   30.539453]  ? smap_data_ready+0x320/0x320
[   30.543673]  ? __fget+0x4d5/0x740
[   30.547129]  ? lock_acquire+0x1e4/0x540
[   30.551087]  ? lock_acquire+0x1e4/0x540
[   30.555044]  ? sock_hash_update_elem+0x130/0x510
[   30.559780]  ? lock_release+0xa30/0xa30
[   30.563742]  ? kasan_check_read+0x11/0x20
[   30.567873]  ? lock_release+0xa30/0xa30
[   30.571827]  ? kasan_check_write+0x14/0x20
[   30.576047]  ? lock_sock_nested+0x9f/0x120
[   30.580261]  ? trace_hardirqs_on+0xd/0x10
[   30.584390]  ? __local_bh_enable_ip+0x161/0x230
[   30.589046]  sock_hash_update_elem+0x1e2/0x510
[   30.593610]  ? bpf_sock_hash_update+0x90/0x90
[   30.598091]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.603608]  ? _copy_from_user+0xdf/0x150
[   30.607751]  ? bpf_sock_hash_update+0x90/0x90
[   30.612228]  map_update_elem+0x72d/0xcb0
[   30.616274]  __x64_sys_bpf+0x32d/0x510
[   30.620142]  ? bpf_prog_get+0x20/0x20
[   30.623925]  ? ksys_ioctl+0x81/0xd0
[   30.627536]  do_syscall_64+0x1b9/0x820
[   30.631407]  ? syscall_slow_exit_work+0x500/0x500
[   30.636230]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.641141]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.646052]  ? prepare_exit_to_usermode+0x291/0x3b0
[   30.651050]  ? perf_trace_sys_enter+0xb10/0xb10
[   30.655701]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.660527]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.665699] RIP: 0033:0x440449
[   30.668875] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   30.687759] RSP: 002b:00007fffde91b6b8 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[   30.695461] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[   30.702720] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[   30.709970] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   30.717220] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[   30.724477] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[   30.731737] 
[   30.733342] Allocated by task 4326:
[   30.736952]  save_stack+0x43/0xd0
[   30.740394]  kasan_kmalloc+0xc4/0xe0
[   30.744087]  kasan_slab_alloc+0x12/0x20
[   30.748044]  kmem_cache_alloc+0x12e/0x760
[   30.752171]  kcm_ioctl+0xd10/0x1930
[   30.755782]  sock_do_ioctl+0xe4/0x3e0
[   30.759560]  sock_ioctl+0x30d/0x680
[   30.763178]  do_vfs_ioctl+0x1de/0x1720
[   30.767044]  ksys_ioctl+0xa9/0xd0
[   30.770475]  __x64_sys_ioctl+0x73/0xb0
[   30.774350]  do_syscall_64+0x1b9/0x820
[   30.778223]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.783388] 
[   30.784994] Freed by task 0:
[   30.787991] (stack is not available)
[   30.791685] 
[   30.793302] The buggy address belongs to the object at ffff8801acaffbc0
[   30.793302]  which belongs to the cache kcm_psock_cache of size 544
[   30.806288] The buggy address is located 20 bytes to the right of
[   30.806288]  544-byte region [ffff8801acaffbc0, ffff8801acaffde0)
[   30.818574] The buggy address belongs to the page:
[   30.823481] page:ffffea0006b2bf80 count:1 mapcount:0 mapping:ffff8801cdf60c80 index:0x0 compound_mapcount: 0
[   30.833430] flags: 0x2fffc0000008100(slab|head)
[   30.838086] raw: 02fffc0000008100 ffff8801cdf5cb48 ffff8801cdf5cb48 ffff8801cdf60c80
[   30.845951] raw: 0000000000000000 ffff8801acafe040 000000010000000b 0000000000000000
[   30.853809] page dumped because: kasan: bad access detected
[   30.859494] 
[   30.861107] Memory state around the buggy address:
[   30.866018]  ffff8801acaffc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.873354]  ffff8801acaffd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.880700] >ffff8801acaffd80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   30.888040]                                                              ^
[   30.895039]  ffff8801acaffe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.902377]  ffff8801acaffe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.909711] ==================================================================
[   30.917105] Kernel panic - not syncing: panic_on_warn set ...
[   30.917105] 
[   30.924464] CPU: 1 PID: 4326 Comm: syz-executor060 Tainted: G    B             4.18.0-rc6-next-20180725+ #18
[   30.934425] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.943766] Call Trace:
[   30.946363]  dump_stack+0x1c9/0x2b4
[   30.949971]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.955143]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.959882]  panic+0x238/0x4e7
[   30.963055]  ? add_taint.cold.5+0x16/0x16
[   30.967188]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.971578]  ? do_raw_spin_lock+0x1c0/0x200
[   30.975881]  kasan_end_report+0x47/0x4f
[   30.979843]  kasan_report.cold.7+0x76/0x30d
[   30.984154]  __asan_report_load4_noabort+0x14/0x20
[   30.989073]  do_raw_spin_lock+0x1c0/0x200
[   30.993207]  _raw_spin_lock_bh+0x39/0x40
[   30.997251]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   31.003116]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   31.008811]  ? smap_data_ready+0x320/0x320
[   31.013028]  ? __fget+0x4d5/0x740
[   31.016467]  ? lock_acquire+0x1e4/0x540
[   31.020422]  ? lock_acquire+0x1e4/0x540
[   31.024379]  ? sock_hash_update_elem+0x130/0x510
[   31.029115]  ? lock_release+0xa30/0xa30
[   31.033071]  ? kasan_check_read+0x11/0x20
[   31.037207]  ? lock_release+0xa30/0xa30
[   31.041162]  ? kasan_check_write+0x14/0x20
[   31.045381]  ? lock_sock_nested+0x9f/0x120
[   31.049608]  ? trace_hardirqs_on+0xd/0x10
[   31.053740]  ? __local_bh_enable_ip+0x161/0x230
[   31.058396]  sock_hash_update_elem+0x1e2/0x510
[   31.062967]  ? bpf_sock_hash_update+0x90/0x90
[   31.067468]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.072994]  ? _copy_from_user+0xdf/0x150
[   31.077127]  ? bpf_sock_hash_update+0x90/0x90
[   31.081602]  map_update_elem+0x72d/0xcb0
[   31.085646]  __x64_sys_bpf+0x32d/0x510
[   31.089517]  ? bpf_prog_get+0x20/0x20
[   31.093307]  ? ksys_ioctl+0x81/0xd0
[   31.096918]  do_syscall_64+0x1b9/0x820
[   31.100788]  ? syscall_slow_exit_work+0x500/0x500
[   31.105613]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.110523]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.115435]  ? prepare_exit_to_usermode+0x291/0x3b0
[   31.120433]  ? perf_trace_sys_enter+0xb10/0xb10
[   31.125090]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.129916]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.135087] RIP: 0033:0x440449
[   31.138263] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.157150] RSP: 002b:00007fffde91b6b8 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[   31.165015] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[   31.172283] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[   31.179626] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   31.186882] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[   31.194135] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[   31.201776] Dumping ftrace buffer:
[   31.205302]    (ftrace buffer empty)
[   31.208992] Kernel Offset: disabled
[   31.212599] Rebooting in 86400 seconds..
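Added triage example; this is not part of the syzkaller log above and not syzkaller's or the kernel's code. It is a small Python parser that reads the lines of this KASAN report, keeps only the reliable call-trace frames (dropping the "? " guesses and the reporting machinery), and recomputes what the report asserts so the numbers can be checked instead of trusted: the 4-byte read at ffff8801acaffdf4 lands 20 bytes past the end of the 544-byte kcm_psock_cache object that kcm_ioctl allocated, the shadow byte covering that address is 0xfc (kmalloc redzone), and the spinlock is taken from sock_hash_ctx_update_elem during a BPF map update. The sample input is constructed from the report's own lines; the noise-frame list, the shadow-value names and the function names are my own choices, not anything the report defines.

```python
"""Parse a KASAN slab-out-of-bounds report and recompute what it claims."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the lines from the log above, timestamps kept.
SAMPLE_REPORT = """\
[   30.443587] BUG: KASAN: slab-out-of-bounds in do_raw_spin_lock+0x1c0/0x200
[   30.450578] Read of size 4 at addr ffff8801acaffdf4 by task syz-executor060/4326
[   30.477617] Call Trace:
[   30.519714]  do_raw_spin_lock+0x1c0/0x200
[   30.527890]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   30.533756]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   30.589046]  sock_hash_update_elem+0x1e2/0x510
[   30.616274]  __x64_sys_bpf+0x32d/0x510
[   30.733342] Allocated by task 4326:
[   30.748044]  kmem_cache_alloc+0x12e/0x760
[   30.752171]  kcm_ioctl+0xd10/0x1930
[   30.793302]  which belongs to the cache kcm_psock_cache of size 544
[   30.806288] The buggy address is located 20 bytes to the right of
[   30.806288]  544-byte region [ffff8801acaffbc0, ffff8801acaffde0)
[   30.880700] >ffff8801acaffd80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
"""
NOISE = ("kasan_", "__asan_report", "dump_stack", "save_stack", "kmem_cache_alloc")
SHADOW = {0x00: "ADDRESSABLE", 0xFA: "GLOBAL_REDZONE", 0xFB: "KMALLOC_FREE",  # mm/kasan/kasan.h
          0xFC: "KMALLOC_REDZONE", 0xFE: "PAGE_REDZONE", 0xFF: "FREE_PAGE"}
TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")                      # dmesg timestamp prefix
FRAME_RE = re.compile(r"^\s*(\?\s+)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SECTIONS = {"Call Trace:": "trace", "Allocated by task": "alloc", "Freed by task": "free"}


@dataclass
class Report:
    bug_type: str = ""
    fault_func: str = ""
    access: str = ""                     # e.g. "Read of size 4"
    addr: int = 0
    cache: str = ""
    object_size: int = 0
    region: tuple = (0, 0)               # [start, end) of the slab object
    claimed: tuple = ("", 0)             # (where, bytes) as the kernel printed it
    shadow_row: int = 0                  # memory address the '>' shadow row starts at
    shadow: List[int] = field(default_factory=list)
    stacks: Dict[str, List[str]] = field(default_factory=dict)

def parse_report(text: str) -> Report:
    r, section = Report(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if section and (m := FRAME_RE.match(line)):
            name = m.group(2).split(".")[0]      # drop gcc suffixes (.isra.26, .cold.7)
            if m.group(1) is None and not name.startswith(NOISE):   # "? " = unreliable
                r.stacks.setdefault(section, []).append(name)
            continue
        section = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            r.bug_type, r.fault_func = m.group(1), m.group(2).split(".")[0]
        elif m := re.match(r"((?:Read|Write) of size \d+) at addr ([0-9a-f]+)", line):
            r.access, r.addr = m.group(1), int(m.group(2), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif m := re.search(r"located (\d+) bytes (inside|to the right|to the left) of", line):
            r.claimed = (m.group(2), int(m.group(1)))
        elif m := re.search(r"-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.region = (int(m.group(1), 16), int(m.group(2), 16))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2}\s*)+)$", line):
            r.shadow_row = int(m.group(1), 16)
            r.shadow = [int(b, 16) for b in m.group(2).split()]
    return r

def shadow_at(r: Report, addr: int) -> Optional[int]:
    idx = (addr - r.shadow_row) // 8                 # one shadow byte per 8-byte granule
    return r.shadow[idx] if 0 <= idx < len(r.shadow) else None

def cross_check(r: Report) -> List[str]:
    """Recompute the kernel's derived statements from the raw numbers it printed."""
    start, end = r.region
    where, off = (("to the right", r.addr - end) if r.addr >= end else
                  ("to the left", start - r.addr) if r.addr < start else
                  ("inside", r.addr - start))
    problems = []
    if (where, off) != r.claimed:
        problems.append(f"address is {off} bytes {where} of the region; report says {r.claimed}")
    if r.bug_type == "slab-out-of-bounds" and shadow_at(r, r.addr) != 0xFC:
        problems.append("shadow byte at the faulting address is not KMALLOC_REDZONE (0xfc)")
    return problems

def triage(text: str) -> Dict[str, object]:
    r = parse_report(text)
    sb = shadow_at(r, r.addr)
    return {
        "bug": f"{r.bug_type} {r.access.lower()} in {r.fault_func}",
        "object": f"{r.cache} ({r.object_size} bytes)",
        "bytes_past_end": r.addr - r.region[1],          # 20 for the report above
        "shadow": SHADOW.get(sb, "n/a" if sb is None else f"{sb:#04x}"),
        "fault_path": r.stacks.get("trace", []),
        "alloc_path": r.stacks.get("alloc", []),
        "inconsistencies": cross_check(r),
    }
```

Call triage(SAMPLE_REPORT) for the summary dict; an empty inconsistencies list means the kernel's "20 bytes to the right of" statement and the redzone shadow agree with the raw addresses it printed. Feed the whole report to parse_report to get the full reliable frame lists; the interesting pairing here is that the fault path is the sockhash update code while the allocation path is kcm_ioctl, which is what points a triager at how a KCM socket's psock ends up under the sockhash lock.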