[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   36.255081] random: sshd: uninitialized urandom read (32 bytes read)
[   36.637374] kauditd_printk_skb: 10 callbacks suppressed
[   36.637382] audit: type=1400 audit(1568053144.121:35): avc:  denied  { map } for  pid=7013 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   36.692209] random: sshd: uninitialized urandom read (32 bytes read)
[   37.233889] random: sshd: uninitialized urandom read (32 bytes read)
[   37.416069] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.48' (ECDSA) to the list of known hosts.
[   42.885383] random: sshd: uninitialized urandom read (32 bytes read)
[   43.004767] audit: type=1400 audit(1568053150.491:36): avc:  denied  { map } for  pid=7025 comm="syz-executor133" path="/root/syz-executor133608442" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   43.042081] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
[   43.065165] ==================================================================
[   43.072732] BUG: KASAN: use-after-free in padata_serial_worker+0x362/0x400
[   43.079743] Write of size 8 at addr ffff8880990aab18 by task kworker/1:1/23
[   43.086825] 
[   43.088444] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.142 #0
[   43.094914] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.104278] Workqueue: pencrypt padata_serial_worker
[   43.109378] Call Trace:
[   43.111953]  dump_stack+0x138/0x197
[   43.115567]  ? padata_serial_worker+0x362/0x400
[   43.120320]  print_address_description.cold+0x7c/0x1dc
[   43.125592]  ? padata_serial_worker+0x362/0x400
[   43.130256]  kasan_report.cold+0xa9/0x2af
[   43.134389]  __asan_report_store8_noabort+0x17/0x20
[   43.139478]  padata_serial_worker+0x362/0x400
[   43.143967]  ? __lock_is_held+0xb6/0x140
[   43.148108]  ? check_preemption_disabled+0x3c/0x250
[   43.153113]  ? padata_parallel_worker+0x3b0/0x3b0
[   43.157941]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   43.163400]  process_one_work+0x863/0x1600
[   43.167626]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   43.172306]  worker_thread+0x5d9/0x1050
[   43.176362]  kthread+0x319/0x430
[   43.179798]  ? process_one_work+0x1600/0x1600
[   43.184276]  ? kthread_create_on_node+0xd0/0xd0
[   43.188938]  ret_from_fork+0x24/0x30
[   43.192637] 
[   43.194249] Allocated by task 7025:
[   43.197861]  save_stack_trace+0x16/0x20
[   43.201840]  save_stack+0x45/0xd0
[   43.205741]  kasan_kmalloc+0xce/0xf0
[   43.209440]  __kmalloc+0x15d/0x7a0
[   43.213030]  tls_push_record+0x10a/0x1210
[   43.217166]  tls_sw_sendmsg+0x9e8/0x1020
[   43.221239]  inet_sendmsg+0x122/0x500
[   43.225023]  sock_sendmsg+0xce/0x110
[   43.228720]  SYSC_sendto+0x206/0x310
[   43.232416]  SyS_sendto+0x40/0x50
[   43.235868]  do_syscall_64+0x1e8/0x640
[   43.240540]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.245722] 
[   43.247333] Freed by task 7025:
[   43.250612]  save_stack_trace+0x16/0x20
[   43.254693]  save_stack+0x45/0xd0
[   43.258130]  kasan_slab_free+0x75/0xc0
[   43.262028]  kfree+0xcc/0x270
[   43.265138]  tls_push_record+0xc03/0x1210
[   43.269273]  tls_sw_sendmsg+0x9e8/0x1020
[   43.273323]  inet_sendmsg+0x122/0x500
[   43.277106]  sock_sendmsg+0xce/0x110
[   43.280811]  SYSC_sendto+0x206/0x310
[   43.284505]  SyS_sendto+0x40/0x50
[   43.287955]  do_syscall_64+0x1e8/0x640
[   43.291831]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   43.297098] 
[   43.298710] The buggy address belongs to the object at ffff8880990aaac0
[   43.298710]  which belongs to the cache kmalloc-256 of size 256
[   43.311349] The buggy address is located 88 bytes inside of
[   43.311349]  256-byte region [ffff8880990aaac0, ffff8880990aabc0)
[   43.323119] The buggy address belongs to the page:
[   43.328034] page:ffffea0002642a80 count:1 mapcount:0 mapping:ffff8880990aa0c0 index:0xffff8880990aad40
[   43.337580] flags: 0x1fffc0000000100(slab)
[   43.341801] raw: 01fffc0000000100 ffff8880990aa0c0 ffff8880990aad40 0000000100000004
[   43.349680] raw: ffffea00026604a0 ffffea0002795020 ffff8880aa8007c0 0000000000000000
[   43.357542] page dumped because: kasan: bad access detected
[   43.363230] 
[   43.364894] Memory state around the buggy address:
[   43.369809]  ffff8880990aaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.377156]  ffff8880990aaa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   43.384498] >ffff8880990aab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.391837]                             ^
[   43.395984]  ffff8880990aab80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   43.403592]  ffff8880990aac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.411038] ==================================================================
[   43.418513] Disabling lock debugging due to kernel taint
[   43.424048] Kernel panic - not syncing: panic_on_warn set ...
[   43.424048] 
[   43.431406] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G    B   4.14.142 #0
[   43.439110] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.448464] Workqueue: pencrypt padata_serial_worker
[   43.453553] Call Trace:
[   43.456134]  dump_stack+0x138/0x197
[   43.459865]  ? padata_serial_worker+0x362/0x400
[   43.464517]  panic+0x1f2/0x426
[   43.467691]  ? add_taint.cold+0x16/0x16
[   43.471661]  kasan_end_report+0x47/0x4f
[   43.475807]  kasan_report.cold+0x130/0x2af
[   43.480028]  __asan_report_store8_noabort+0x17/0x20
[   43.485047]  padata_serial_worker+0x362/0x400
[   43.489544]  ? __lock_is_held+0xb6/0x140
[   43.493593]  ? check_preemption_disabled+0x3c/0x250
[   43.498606]  ? padata_parallel_worker+0x3b0/0x3b0
[   43.503453]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[   43.508974]  process_one_work+0x863/0x1600
[   43.513212]  ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   43.517902]  worker_thread+0x5d9/0x1050
[   43.521862]  kthread+0x319/0x430
[   43.525309]  ? process_one_work+0x1600/0x1600
[   43.529790]  ? kthread_create_on_node+0xd0/0xd0
[   43.534448]  ret_from_fork+0x24/0x30
[   43.540499] Kernel Offset: disabled
[   43.544147] Rebooting in 86400 seconds..