[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 23.000995] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 27.870517] random: sshd: uninitialized urandom read (32 bytes read) [ 28.145553] random: sshd: uninitialized urandom read (32 bytes read) [ 28.722224] random: sshd: uninitialized urandom read (32 bytes read) [ 33.894897] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts. [ 39.538650] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 39.639344] vhci_hcd: invalid port number 132 [ 39.644137] ================================================================== [ 39.651573] BUG: KASAN: slab-out-of-bounds in vhci_hub_control+0x1b88/0x1bf0 [ 39.658751] Read of size 4 at addr ffff8801ce615ebc by task syz-executor741/4647 [ 39.666264] [ 39.667884] CPU: 1 PID: 4647 Comm: syz-executor741 Not tainted 4.19.0-rc1+ #217 [ 39.675311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.684676] Call Trace: [ 39.687290] dump_stack+0x1c9/0x2b4 [ 39.690917] ? dump_stack_print_info.cold.2+0x52/0x52 [ 39.696102] ? printk+0xa7/0xcf [ 39.699373] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 39.704122] ? vhci_hub_control+0x1b88/0x1bf0 [ 39.708625] print_address_description+0x6c/0x20b [ 39.713470] ? vhci_hub_control+0x1b88/0x1bf0 [ 39.717966] kasan_report.cold.7+0x242/0x30d [ 39.722370] __asan_report_load4_noabort+0x14/0x20 [ 39.727295] vhci_hub_control+0x1b88/0x1bf0 [ 39.731609] ? vhci_hcd_probe+0x240/0x240 [ 39.735751] ? rcu_read_lock_sched_held+0x108/0x120 [ 39.740776] ? __kmalloc+0x594/0x720 [ 39.744480] ? kasan_check_write+0x14/0x20 [ 39.748702] ? do_raw_spin_lock+0xc1/0x200 [ 39.752923] ? usb_hcd_submit_urb+0x70e/0x2160 [ 39.757494] usb_hcd_submit_urb+0x184a/0x2160 [ 39.761980] ? vhci_hcd_probe+0x240/0x240 [ 39.766117] ? usb_create_hcd+0x40/0x40 [ 39.770079] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.775436] ? __x64_sys_ioctl+0x73/0xb0 [ 39.779486] ? do_syscall_64+0x1b9/0x820 [ 39.783538] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.788888] ? find_held_lock+0x36/0x1c0 [ 39.792939] ? __lockdep_init_map+0x105/0x590 [ 39.797419] ? __lockdep_init_map+0x105/0x590 [ 39.801909] usb_submit_urb+0x895/0x14d0 [ 39.805959] ? rcu_is_watching+0x8c/0x150 [ 39.810099] usb_start_wait_urb+0x140/0x360 [ 39.814426] ? sg_clean+0x240/0x240 [ 39.818056] usb_control_msg+0x332/0x4e0 [ 39.822102] ? usb_start_wait_urb+0x360/0x360 [ 39.826585] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 39.832115] proc_control+0x99b/0xef0 [ 39.835903] ? proc_bulk+0xaa0/0xaa0 [ 39.839608] usbdev_do_ioctl+0x1eb4/0x3b30 [ 39.843835] ? processcompl_compat+0x680/0x680 [ 39.848404] ? mark_held_locks+0x160/0x160 [ 39.852632] ? mark_held_locks+0x160/0x160 [ 39.856857] ? graph_lock+0x170/0x170 [ 39.860653] ? pick_next_task_fair+0x999/0x16e0 [ 39.865456] ? find_held_lock+0x36/0x1c0 [ 39.869619] ? _raw_spin_unlock_irq+0x27/0x70 [ 39.874106] ? _raw_spin_unlock_irq+0x27/0x70 [ 39.878638] ? graph_lock+0x170/0x170 [ 39.882504] ? trace_hardirqs_on+0xbd/0x2c0 [ 39.886820] ? kasan_check_read+0x11/0x20 [ 39.890960] ? finish_task_switch+0x1d3/0x870 [ 39.895444] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 39.900538] ? compat_start_thread+0x80/0x80 [ 39.904936] ? find_held_lock+0x36/0x1c0 [ 39.908989] ? lock_downgrade+0x8f0/0x8f0 [ 39.913124] ? __switch_to_asm+0x40/0x70 [ 39.917177] ? kasan_check_read+0x11/0x20 [ 39.921313] ? rcu_is_watching+0x8c/0x150 [ 39.925450] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 39.930125] ? __fget+0x4d5/0x740 [ 39.933575] ? ksys_dup3+0x690/0x690 [ 39.937276] ? trace_hardirqs_on+0x2c0/0x2c0 [ 39.941682] ? kasan_check_write+0x14/0x20 [ 39.945950] ? trace_hardirqs_off+0xb8/0x2b0 [ 39.950359] usbdev_ioctl+0x25/0x30 [ 39.953979] ? usbdev_compat_ioctl+0x30/0x30 [ 39.958380] do_vfs_ioctl+0x1de/0x1720 [ 39.962262] ? ioctl_preallocate+0x300/0x300 [ 39.966660] ? __fget_light+0x2f7/0x440 [ 39.970630] ? __schedule+0x1df0/0x1df0 [ 39.974593] ? fget_raw+0x20/0x20 [ 39.978079] ? trace_hardirqs_off+0xb8/0x2b0 [ 39.982482] ? do_syscall_64+0x6be/0x820 [ 39.986684] ? trace_hardirqs_on+0x2c0/0x2c0 [ 39.991087] ? __x64_sys_futex+0x47f/0x6a0 [ 39.995323] ? do_syscall_64+0x9a/0x820 [ 39.999332] ? do_syscall_64+0x9a/0x820 [ 40.003301] ? lockdep_hardirqs_on+0x421/0x5c0 [ 40.007882] ? security_file_ioctl+0x94/0xc0 [ 40.012284] ksys_ioctl+0xa9/0xd0 [ 40.015730] __x64_sys_ioctl+0x73/0xb0 [ 40.019614] do_syscall_64+0x1b9/0x820 [ 40.023601] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 40.028996] ? syscall_return_slowpath+0x5e0/0x5e0 [ 40.033919] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.038798] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 40.043902] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 40.048993] ? prepare_exit_to_usermode+0x291/0x3b0 [ 40.054009] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.058846] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.064025] RIP: 0033:0x449329 [ 40.067223] Code: e8 ac b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 40.086881] RSP: 002b:00007f8653ff9da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 40.094587] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000449329 [ 40.101844] RDX: 0000000020000100 RSI: 00000000c0185500 RDI: 0000000000000003 [ 40.109103] RBP: 00000000006dac20 R08: 00000000006dac2c R09: 0000000000000000 [ 40.116358] R10: 00007f8653ffa700 R11: 0000000000000246 R12: 00000000006dac2c [ 40.123615] R13: 2330302f6273752f R14: 7375622f7665642f R15: 00000000006dad2c [ 40.130880] [ 40.132497] Allocated by task 1: [ 40.135856] save_stack+0x43/0xd0 [ 40.139297] kasan_kmalloc+0xc4/0xe0 [ 40.142998] kmem_cache_alloc_trace+0x152/0x730 [ 40.147655] usb_set_configuration+0x10e9/0x19f0 [ 40.152405] generic_probe+0xb6/0x110 [ 40.156204] usb_probe_device+0xaf/0x110 [ 40.160255] really_probe+0x5be/0x850 [ 40.164045] driver_probe_device+0x108/0x210 [ 40.168448] __device_attach_driver+0x25a/0x2d0 [ 40.173105] bus_for_each_drv+0x16b/0x1f0 [ 40.177240] __device_attach+0x2a1/0x430 [ 40.181289] device_initial_probe+0x1a/0x20 [ 40.185602] bus_probe_device+0x1fb/0x2a0 [ 40.189738] device_add+0x93e/0x17b0 [ 40.193512] usb_new_device+0x8ac/0x12b0 [ 40.197564] usb_add_hcd+0xb1f/0x1910 [ 40.201357] vhci_hcd_probe+0xfb/0x240 [ 40.205337] platform_drv_probe+0x96/0x160 [ 40.209555] really_probe+0x5be/0x850 [ 40.213338] driver_probe_device+0x108/0x210 [ 40.217728] __device_attach_driver+0x25a/0x2d0 [ 40.222376] bus_for_each_drv+0x16b/0x1f0 [ 40.226587] __device_attach+0x2a1/0x430 [ 40.230637] device_initial_probe+0x1a/0x20 [ 40.234943] bus_probe_device+0x1fb/0x2a0 [ 40.239075] device_add+0x93e/0x17b0 [ 40.242770] platform_device_add+0x36e/0x6f0 [ 40.247166] vhci_hcd_init+0x386/0x4e0 [ 40.251041] do_one_initcall+0x127/0x838 [ 40.255089] kernel_init_freeable+0x4bb/0x5ae [ 40.259570] kernel_init+0x11/0x1b3 [ 40.263189] ret_from_fork+0x3a/0x50 [ 40.266882] [ 40.268489] Freed by task 0: [ 40.271483] (stack is not available) [ 40.275171] [ 40.276788] The buggy address belongs to the object at ffff8801ce615300 [ 40.276788] which belongs to the cache kmalloc-2048 of size 2048 [ 40.289605] The buggy address is located 956 bytes to the right of [ 40.289605] 2048-byte region [ffff8801ce615300, ffff8801ce615b00) [ 40.302074] The buggy address belongs to the page: [ 40.307102] page:ffffea0007398500 count:1 mapcount:0 mapping:ffff8801dac00c40 index:0x0 compound_mapcount: 0 [ 40.317057] flags: 0x2fffc0000008100(slab|head) [ 40.321712] raw: 02fffc0000008100 ffffea0007397988 ffffea0007398788 ffff8801dac00c40 [ 40.329659] raw: 0000000000000000 ffff8801ce614200 0000000100000003 0000000000000000 [ 40.337539] page dumped because: kasan: bad access detected [ 40.343231] [ 40.344840] Memory state around the buggy address: [ 40.349755] ffff8801ce615d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 40.357102] ffff8801ce615e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 40.364489] >ffff8801ce615e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 40.371842] ^ [ 40.377029] ffff8801ce615f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 40.384375] ffff8801ce615f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 40.391718] ================================================================== [ 40.399156] Disabling lock debugging due to kernel taint [ 40.404631] Kernel panic - not syncing: panic_on_warn set ... [ 40.404631] [ 40.411988] CPU: 1 PID: 4647 Comm: syz-executor741 Tainted: G B 4.19.0-rc1+ #217 [ 40.420813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.430151] Call Trace: [ 40.432730] dump_stack+0x1c9/0x2b4 [ 40.436346] ? dump_stack_print_info.cold.2+0x52/0x52 [ 40.441527] ? lock_downgrade+0x8f0/0x8f0 [ 40.445663] panic+0x238/0x4e7 [ 40.448845] ? add_taint.cold.5+0x16/0x16 [ 40.452993] ? add_taint.cold.5+0x5/0x16 [ 40.457041] ? trace_hardirqs_off+0xaf/0x2b0 [ 40.461434] ? trace_hardirqs_off+0x77/0x2b0 [ 40.465905] ? vhci_hub_control+0x1b88/0x1bf0 [ 40.470395] kasan_end_report+0x47/0x4f [ 40.474427] kasan_report.cold.7+0x76/0x30d [ 40.478746] __asan_report_load4_noabort+0x14/0x20 [ 40.483661] vhci_hub_control+0x1b88/0x1bf0 [ 40.487972] ? vhci_hcd_probe+0x240/0x240 [ 40.492113] ? rcu_read_lock_sched_held+0x108/0x120 [ 40.497117] ? __kmalloc+0x594/0x720 [ 40.500814] ? kasan_check_write+0x14/0x20 [ 40.505038] ? do_raw_spin_lock+0xc1/0x200 [ 40.509340] ? usb_hcd_submit_urb+0x70e/0x2160 [ 40.513922] usb_hcd_submit_urb+0x184a/0x2160 [ 40.518411] ? vhci_hcd_probe+0x240/0x240 [ 40.522544] ? usb_create_hcd+0x40/0x40 [ 40.526507] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.531862] ? __x64_sys_ioctl+0x73/0xb0 [ 40.535914] ? do_syscall_64+0x1b9/0x820 [ 40.539957] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.545306] ? find_held_lock+0x36/0x1c0 [ 40.549350] ? __lockdep_init_map+0x105/0x590 [ 40.553875] ? __lockdep_init_map+0x105/0x590 [ 40.558361] usb_submit_urb+0x895/0x14d0 [ 40.562410] ? rcu_is_watching+0x8c/0x150 [ 40.566548] usb_start_wait_urb+0x140/0x360 [ 40.570851] ? sg_clean+0x240/0x240 [ 40.574466] usb_control_msg+0x332/0x4e0 [ 40.578509] ? usb_start_wait_urb+0x360/0x360 [ 40.582992] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 40.588521] proc_control+0x99b/0xef0 [ 40.592313] ? proc_bulk+0xaa0/0xaa0 [ 40.596024] usbdev_do_ioctl+0x1eb4/0x3b30 [ 40.600246] ? processcompl_compat+0x680/0x680 [ 40.604819] ? mark_held_locks+0x160/0x160 [ 40.609038] ? mark_held_locks+0x160/0x160 [ 40.613254] ? graph_lock+0x170/0x170 [ 40.617043] ? pick_next_task_fair+0x999/0x16e0 [ 40.621695] ? find_held_lock+0x36/0x1c0 [ 40.625743] ? _raw_spin_unlock_irq+0x27/0x70 [ 40.630219] ? _raw_spin_unlock_irq+0x27/0x70 [ 40.634701] ? graph_lock+0x170/0x170 [ 40.638488] ? trace_hardirqs_on+0xbd/0x2c0 [ 40.642793] ? kasan_check_read+0x11/0x20 [ 40.646923] ? finish_task_switch+0x1d3/0x870 [ 40.651519] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 40.656606] ? compat_start_thread+0x80/0x80 [ 40.661001] ? find_held_lock+0x36/0x1c0 [ 40.665044] ? lock_downgrade+0x8f0/0x8f0 [ 40.669228] ? __switch_to_asm+0x40/0x70 [ 40.673283] ? kasan_check_read+0x11/0x20 [ 40.677530] ? rcu_is_watching+0x8c/0x150 [ 40.681682] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 40.686346] ? __fget+0x4d5/0x740 [ 40.689785] ? ksys_dup3+0x690/0x690 [ 40.693479] ? trace_hardirqs_on+0x2c0/0x2c0 [ 40.697887] ? kasan_check_write+0x14/0x20 [ 40.702108] ? trace_hardirqs_off+0xb8/0x2b0 [ 40.706506] usbdev_ioctl+0x25/0x30 [ 40.710116] ? usbdev_compat_ioctl+0x30/0x30 [ 40.714508] do_vfs_ioctl+0x1de/0x1720 [ 40.718432] ? ioctl_preallocate+0x300/0x300 [ 40.722828] ? __fget_light+0x2f7/0x440 [ 40.726785] ? __schedule+0x1df0/0x1df0 [ 40.730801] ? fget_raw+0x20/0x20 [ 40.734245] ? trace_hardirqs_off+0xb8/0x2b0 [ 40.738721] ? do_syscall_64+0x6be/0x820 [ 40.742869] ? trace_hardirqs_on+0x2c0/0x2c0 [ 40.747261] ? __x64_sys_futex+0x47f/0x6a0 [ 40.751475] ? do_syscall_64+0x9a/0x820 [ 40.755430] ? do_syscall_64+0x9a/0x820 [ 40.759395] ? lockdep_hardirqs_on+0x421/0x5c0 [ 40.764022] ? security_file_ioctl+0x94/0xc0 [ 40.768435] ksys_ioctl+0xa9/0xd0 [ 40.771959] __x64_sys_ioctl+0x73/0xb0 [ 40.775838] do_syscall_64+0x1b9/0x820 [ 40.779711] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 40.785112] ? syscall_return_slowpath+0x5e0/0x5e0 [ 40.790112] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.794943] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 40.799944] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 40.804945] ? prepare_exit_to_usermode+0x291/0x3b0 [ 40.809948] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.814788] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.819966] RIP: 0033:0x449329 [ 40.823143] Code: e8 ac b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 40.842043] RSP: 002b:00007f8653ff9da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 40.849746] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000449329 [ 40.857012] RDX: 0000000020000100 RSI: 00000000c0185500 RDI: 0000000000000003 [ 40.864289] RBP: 00000000006dac20 R08: 00000000006dac2c R09: 0000000000000000 [ 40.871553] R10: 00007f8653ffa700 R11: 0000000000000246 R12: 00000000006dac2c [ 40.878808] R13: 2330302f6273752f R14: 7375622f7665642f R15: 00000000006dad2c [ 40.886346] Dumping ftrace buffer: [ 40.889869] (ftrace buffer empty) [ 40.893559] Kernel Offset: disabled [ 40.897205] Rebooting in 86400 seconds..