[....] Starting OpenBSD Secure Shell server: sshd[ 13.141615] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.944043] random: sshd: uninitialized urandom read (32 bytes read) [ 18.289037] audit: type=1400 audit(1571537501.416:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 18.338175] random: sshd: uninitialized urandom read (32 bytes read) [ 18.897936] random: sshd: uninitialized urandom read (32 bytes read) [ 40.526522] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.46' (ECDSA) to the list of known hosts. [ 45.965534] random: sshd: uninitialized urandom read (32 bytes read) 2019/10/20 02:12:09 parsed 1 programs [ 46.063318] audit: type=1400 audit(1571537529.196:7): avc: denied { map } for pid=1800 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 46.143741] audit: type=1400 audit(1571537529.276:8): avc: denied { map } for pid=1800 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1 [ 46.645935] random: cc1: uninitialized urandom read (8 bytes read) 2019/10/20 02:12:10 executed programs: 0 [ 47.839434] audit: type=1400 audit(1571537530.966:9): avc: denied { map } for pid=1800 comm="syz-execprog" path="/root/syzkaller-shm490835014" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1 2019/10/20 02:12:15 executed programs: 98 [ 52.874121] ================================================================== [ 52.881541] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 [ 52.888901] Read of size 8 at addr ffff8881d31bf860 by task syz-executor.4/3013 [ 52.896395] [ 52.898026] CPU: 1 PID: 3013 Comm: syz-executor.4 Not tainted 4.14.150+ #0 [ 52.905206] Call Trace: [ 52.907797] dump_stack+0xca/0x134 [ 52.911335] ? unwind_next_frame+0x169f/0x1810 [ 52.915921] ? unwind_next_frame+0x169f/0x1810 [ 52.920503] print_address_description+0x60/0x226 [ 52.925343] ? unwind_next_frame+0x169f/0x1810 [ 52.930119] ? unwind_next_frame+0x169f/0x1810 [ 52.934703] __kasan_report.cold+0x1a/0x41 [ 52.938938] ? unwind_next_frame+0x169f/0x1810 [ 52.943523] unwind_next_frame+0x169f/0x1810 [ 52.947934] ? retint_kernel+0x2d/0x2d [ 52.951820] ? unwind_get_return_address+0x51/0x90 [ 52.956749] ? deref_stack_reg+0xe0/0xe0 [ 52.960812] ? retint_kernel+0x2d/0x2d [ 52.964788] perf_callchain_kernel+0x3a0/0x540 [ 52.969373] ? arch_perf_update_userpage+0x330/0x330 [ 52.974477] ? perf_callchain+0x147/0x190 [ 52.979646] ? futex_wait_setup+0x132/0x330 [ 52.983981] get_perf_callchain+0x2f5/0x770 [ 52.988340] ? put_callchain_buffers+0x60/0x60 [ 52.992926] ? kvm_clock_read+0x1f/0x30 [ 52.996904] ? kvm_sched_clock_read+0x5/0x10 [ 53.001318] ? sched_clock+0x5/0x10 [ 53.004975] ? sched_clock_cpu+0x31/0x1c0 [ 53.009124] perf_callchain+0x147/0x190 [ 53.013242] perf_prepare_sample+0x6a8/0x1360 [ 53.017745] ? perf_output_sample+0x1700/0x1700 [ 53.022417] ? perf_prepare_sample+0x1360/0x1360 [ 53.027444] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 53.033505] perf_event_output_forward+0xdc/0x220 [ 53.038349] ? perf_prepare_sample+0x1360/0x1360 [ 53.043110] ? __perf_event_overflow+0x1cc/0x340 [ 53.047868] ? check_preemption_disabled+0x35/0x1f0 [ 53.052891] __perf_event_overflow+0x12d/0x340 [ 53.057483] perf_swevent_overflow+0x7a/0xf0 [ 53.062072] perf_swevent_event+0x112/0x270 [ 53.066402] perf_tp_event+0x633/0x7f0 [ 53.070397] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 53.076102] ? perf_trace_run_bpf_submit+0x113/0x170 [ 53.081189] ? trace_hardirqs_on+0x10/0x10 [ 53.085929] ? __lock_acquire+0x5d7/0x4320 [ 53.090160] ? perf_trace_run_bpf_submit+0x113/0x170 [ 53.095257] ? check_preemption_disabled+0x35/0x1f0 [ 53.100263] perf_trace_run_bpf_submit+0x113/0x170 [ 53.105173] perf_trace_lock_acquire+0x341/0x4e0 [ 53.109907] ? HARDIRQ_verbose+0x10/0x10 [ 53.113945] ? retint_kernel+0x2d/0x2d [ 53.117810] ? get_futex_key+0x4c1/0xf90 [ 53.121850] lock_acquire+0x279/0x360 [ 53.125713] ? futex_wait_setup+0x132/0x330 [ 53.130032] _raw_spin_lock+0x2a/0x40 [ 53.134419] ? futex_wait_setup+0x132/0x330 [ 53.138803] futex_wait_setup+0x132/0x330 [ 53.142929] ? futex_wake+0x440/0x440 [ 53.146720] futex_wait+0x1ad/0x570 [ 53.150338] ? futex_wait_setup+0x330/0x330 [ 53.154752] ? wake_up_q+0xea/0x150 [ 53.158362] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 53.163370] ? futex_wake+0x15b/0x440 [ 53.167163] do_futex+0x13f/0x1980 [ 53.170680] ? trace_hardirqs_on+0x10/0x10 [ 53.174908] ? perf_trace_lock_acquire+0x341/0x4e0 [ 53.179857] ? exit_robust_list+0x240/0x240 [ 53.184154] ? HARDIRQ_verbose+0x10/0x10 [ 53.188194] ? __might_fault+0x104/0x1b0 [ 53.192240] ? lock_downgrade+0x630/0x630 [ 53.196371] ? lock_acquire+0x12b/0x360 [ 53.200333] ? __might_fault+0xd4/0x1b0 [ 53.204287] ? __might_fault+0x177/0x1b0 [ 53.208356] ? _copy_to_user+0x82/0xd0 [ 53.212223] SyS_futex+0x1c5/0x2c3 [ 53.215750] ? do_futex+0x1980/0x1980 [ 53.219543] ? SyS_clock_gettime+0x7d/0xe0 [ 53.223758] ? do_clock_gettime+0xd0/0xd0 [ 53.227898] ? do_syscall_64+0x43/0x520 [ 53.231850] ? do_futex+0x1980/0x1980 [ 53.235629] do_syscall_64+0x19b/0x520 [ 53.239500] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 53.244681] RIP: 0033:0x459a59 [ 53.247861] RSP: 002b:00007f9890fe5cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 53.255549] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 0000000000459a59 [ 53.262797] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 53.270047] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 53.277586] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 53.284834] R13: 00007ffea9a9c4af R14: 00007f9890fe69c0 R15: 000000000075bf2c [ 53.292521] [ 53.294127] The buggy address belongs to the page: [ 53.299037] page:ffffea00074c6fc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 53.307171] flags: 0x4000000000000000() [ 53.311124] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 53.319002] raw: 0000000000000000 ffffea00074c6fe0 0000000000000000 0000000000000000 [ 53.326860] page dumped because: kasan: bad access detected [ 53.332547] [ 53.334154] Memory state around the buggy address: [ 53.339072] ffff8881d31bf700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 53.346422] ffff8881d31bf780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 53.353765] >ffff8881d31bf800: 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 [ 53.361103] ^ [ 53.368180] ffff8881d31bf880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 53.375516] ffff8881d31bf900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 53.383892] ================================================================== [ 53.391235] Disabling lock debugging due to kernel taint [ 53.396678] Kernel panic - not syncing: panic_on_warn set ... [ 53.396678] [ 53.404153] CPU: 1 PID: 3013 Comm: syz-executor.4 Tainted: G B 4.14.150+ #0 [ 53.412525] Call Trace: [ 53.415111] dump_stack+0xca/0x134 [ 53.418642] panic+0x1f1/0x3da [ 53.421829] ? add_taint.cold+0x16/0x16 [ 53.425804] ? lock_downgrade+0x630/0x630 [ 53.429971] ? unwind_next_frame+0x169f/0x1810 [ 53.434551] end_report+0x43/0x49 [ 53.437993] ? unwind_next_frame+0x169f/0x1810 [ 53.442565] __kasan_report.cold+0xd/0x41 [ 53.446702] ? unwind_next_frame+0x169f/0x1810 [ 53.451267] unwind_next_frame+0x169f/0x1810 [ 53.455656] ? retint_kernel+0x2d/0x2d [ 53.459546] ? unwind_get_return_address+0x51/0x90 [ 53.464467] ? deref_stack_reg+0xe0/0xe0 [ 53.468508] ? retint_kernel+0x2d/0x2d [ 53.472385] perf_callchain_kernel+0x3a0/0x540 [ 53.476961] ? arch_perf_update_userpage+0x330/0x330 [ 53.482067] ? perf_callchain+0x147/0x190 [ 53.486293] ? futex_wait_setup+0x132/0x330 [ 53.490609] get_perf_callchain+0x2f5/0x770 [ 53.494917] ? put_callchain_buffers+0x60/0x60 [ 53.499499] ? kvm_clock_read+0x1f/0x30 [ 53.503450] ? kvm_sched_clock_read+0x5/0x10 [ 53.507837] ? sched_clock+0x5/0x10 [ 53.511444] ? sched_clock_cpu+0x31/0x1c0 [ 53.515583] perf_callchain+0x147/0x190 [ 53.519535] perf_prepare_sample+0x6a8/0x1360 [ 53.524017] ? perf_output_sample+0x1700/0x1700 [ 53.528676] ? perf_prepare_sample+0x1360/0x1360 [ 53.533412] ? perf_swevent_put_recursion_context+0x1a/0xa0 [ 53.539102] perf_event_output_forward+0xdc/0x220 [ 53.543927] ? perf_prepare_sample+0x1360/0x1360 [ 53.548673] ? __perf_event_overflow+0x1cc/0x340 [ 53.553433] ? check_preemption_disabled+0x35/0x1f0 [ 53.558432] __perf_event_overflow+0x12d/0x340 [ 53.563042] perf_swevent_overflow+0x7a/0xf0 [ 53.567434] perf_swevent_event+0x112/0x270 [ 53.571737] perf_tp_event+0x633/0x7f0 [ 53.575607] ? perf_swevent_put_recursion_context+0xa0/0xa0 [ 53.581302] ? perf_trace_run_bpf_submit+0x113/0x170 [ 53.586385] ? trace_hardirqs_on+0x10/0x10 [ 53.590598] ? __lock_acquire+0x5d7/0x4320 [ 53.594922] ? perf_trace_run_bpf_submit+0x113/0x170 [ 53.600044] ? check_preemption_disabled+0x35/0x1f0 [ 53.605053] perf_trace_run_bpf_submit+0x113/0x170 [ 53.609964] perf_trace_lock_acquire+0x341/0x4e0 [ 53.614698] ? HARDIRQ_verbose+0x10/0x10 [ 53.618738] ? retint_kernel+0x2d/0x2d [ 53.622606] ? get_futex_key+0x4c1/0xf90 [ 53.626735] lock_acquire+0x279/0x360 [ 53.630516] ? futex_wait_setup+0x132/0x330 [ 53.634816] _raw_spin_lock+0x2a/0x40 [ 53.638621] ? futex_wait_setup+0x132/0x330 [ 53.642922] futex_wait_setup+0x132/0x330 [ 53.647048] ? futex_wake+0x440/0x440 [ 53.650829] futex_wait+0x1ad/0x570 [ 53.654438] ? futex_wait_setup+0x330/0x330 [ 53.658842] ? wake_up_q+0xea/0x150 [ 53.662447] ? drop_futex_key_refs.isra.0+0x17/0xb0 [ 53.667442] ? futex_wake+0x15b/0x440 [ 53.671231] do_futex+0x13f/0x1980 [ 53.674750] ? trace_hardirqs_on+0x10/0x10 [ 53.678968] ? perf_trace_lock_acquire+0x341/0x4e0 [ 53.683908] ? exit_robust_list+0x240/0x240 [ 53.688212] ? HARDIRQ_verbose+0x10/0x10 [ 53.692253] ? __might_fault+0x104/0x1b0 [ 53.696293] ? lock_downgrade+0x630/0x630 [ 53.700417] ? lock_acquire+0x12b/0x360 [ 53.704387] ? __might_fault+0xd4/0x1b0 [ 53.708341] ? __might_fault+0x177/0x1b0 [ 53.712402] ? _copy_to_user+0x82/0xd0 [ 53.716289] SyS_futex+0x1c5/0x2c3 [ 53.719812] ? do_futex+0x1980/0x1980 [ 53.723624] ? SyS_clock_gettime+0x7d/0xe0 [ 53.727851] ? do_clock_gettime+0xd0/0xd0 [ 53.732675] ? do_syscall_64+0x43/0x520 [ 53.736628] ? do_futex+0x1980/0x1980 [ 53.740407] do_syscall_64+0x19b/0x520 [ 53.744275] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 53.749443] RIP: 0033:0x459a59 [ 53.752622] RSP: 002b:00007f9890fe5cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 53.760312] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 0000000000459a59 [ 53.767569] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28 [ 53.774857] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 [ 53.782118] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c [ 53.789377] R13: 00007ffea9a9c4af R14: 00007f9890fe69c0 R15: 000000000075bf2c [ 53.797522] Kernel Offset: 0xb000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 53.808356] Rebooting in 86400 seconds..