[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   14.166908] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   18.736081] random: sshd: uninitialized urandom read (32 bytes read)
[   19.001832] random: sshd: uninitialized urandom read (32 bytes read)
[   19.721534] random: sshd: uninitialized urandom read (32 bytes read)
[   29.339725] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   34.736009] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   34.827244] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   34.846512] ==================================================================
[   34.853887] BUG: KASAN: slab-out-of-bounds in do_raw_spin_lock+0x1c0/0x200
[   34.860885] Read of size 4 at addr ffff8801ad719df4 by task syz-executor197/4286
[   34.868399]
[   34.870011] CPU: 0 PID: 4286 Comm: syz-executor197 Not tainted 4.18.0-rc6+ #140
[   34.877433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.886770] Call Trace:
[   34.889369]  dump_stack+0x1c9/0x2b4
[   34.892979]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.898161]  ? printk+0xa7/0xcf
[   34.901431]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.906165]  ? do_raw_spin_lock+0x1c0/0x200
[   34.910467]  print_address_description+0x6c/0x20b
[   34.915286]  ? do_raw_spin_lock+0x1c0/0x200
[   34.919598]  kasan_report.cold.7+0x242/0x2fe
[   34.923997]  __asan_report_load4_noabort+0x14/0x20
[   34.928903]  do_raw_spin_lock+0x1c0/0x200
[   34.933031]  _raw_spin_lock_bh+0x39/0x40
[   34.937072]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   34.942933]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   34.948640]  ? smap_data_ready+0x320/0x320
[   34.952865]  ? remove_wait_queue+0x360/0x360
[   34.957253]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.961642]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.966215]  ? lock_acquire+0x1e4/0x540
[   34.970264]  ? lock_acquire+0x1e4/0x540
[   34.974215]  ? sock_hash_update_elem+0x130/0x510
[   34.978949]  ? lock_release+0xa30/0xa30
[   34.982909]  ? kasan_check_read+0x11/0x20
[   34.987034]  ? lock_release+0xa30/0xa30
[   34.990995]  ? finish_wait+0x430/0x430
[   34.994861]  ? kasan_check_write+0x14/0x20
[   34.999078]  ? lock_sock_nested+0x9f/0x120
[   35.003289]  ? trace_hardirqs_on+0xd/0x10
[   35.007417]  ? __local_bh_enable_ip+0x161/0x230
[   35.012087]  sock_hash_update_elem+0x1e2/0x510
[   35.016650]  ? bpf_sock_hash_update+0x90/0x90
[   35.021143]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.026658]  ? _copy_from_user+0xdf/0x150
[   35.030785]  ? bpf_sock_hash_update+0x90/0x90
[   35.035257]  map_update_elem+0x72d/0xcb0
[   35.039299]  __x64_sys_bpf+0x32d/0x510
[   35.043165]  ? bpf_prog_get+0x20/0x20
[   35.046946]  ? ksys_ioctl+0x81/0xd0
[   35.050563]  do_syscall_64+0x1b9/0x820
[   35.054428]  ? syscall_return_slowpath+0x5e0/0x5e0
[   35.059338]  ? syscall_return_slowpath+0x31d/0x5e0
[   35.064247]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   35.069251]  ? prepare_exit_to_usermode+0x291/0x3b0
[   35.074246]  ? perf_trace_sys_enter+0xb10/0xb10
[   35.078893]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.083716]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.088893] RIP: 0033:0x440449
[   35.092056] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   35.111169] RSP: 002b:00007fff74d8a318 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[   35.118853] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[   35.126111] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[   35.133367] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   35.140622] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[   35.147867] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[   35.155130]
[   35.157079] Allocated by task 4286:
[   35.160698]  save_stack+0x43/0xd0
[   35.164128]  kasan_kmalloc+0xc4/0xe0
[   35.167833]  kasan_slab_alloc+0x12/0x20
[   35.171795]  kmem_cache_alloc+0x12e/0x760
[   35.175924]  kcm_ioctl+0xd10/0x1930
[   35.179531]  sock_do_ioctl+0xe4/0x3e0
[   35.183308]  sock_ioctl+0x30d/0x680
[   35.186910]  do_vfs_ioctl+0x1de/0x1720
[   35.190772]  ksys_ioctl+0xa9/0xd0
[   35.194211]  __x64_sys_ioctl+0x73/0xb0
[   35.198075]  do_syscall_64+0x1b9/0x820
[   35.201941]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.207103]
[   35.208713] Freed by task 0:
[   35.211704] (stack is not available)
[   35.215389]
[   35.216998] The buggy address belongs to the object at ffff8801ad719bc0
[   35.216998]  which belongs to the cache kcm_psock_cache of size 544
[   35.229977] The buggy address is located 20 bytes to the right of
[   35.229977]  544-byte region [ffff8801ad719bc0, ffff8801ad719de0)
[   35.242258] The buggy address belongs to the page:
[   35.247163] page:ffffea0006b5c600 count:1 mapcount:0 mapping:ffff8801cde371c0 index:0x0 compound_mapcount: 0
[   35.257118] flags: 0x2fffc0000008100(slab|head)
[   35.261767] raw: 02fffc0000008100 ffff8801cd8bad48 ffff8801cd8bad48 ffff8801cde371c0
[   35.269636] raw: 0000000000000000 ffff8801ad718040 000000010000000b 0000000000000000
[   35.277492] page dumped because: kasan: bad access detected
[   35.283173]
[   35.284774] Memory state around the buggy address:
[   35.289685]  ffff8801ad719c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.297018]  ffff8801ad719d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.304360] >ffff8801ad719d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   35.311692]                                                              ^
[   35.318678]  ffff8801ad719e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.326012]  ffff8801ad719e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.333344] ==================================================================
[   35.340722] Kernel panic - not syncing: panic_on_warn set ...
[   35.340722]
[   35.348068] CPU: 0 PID: 4286 Comm: syz-executor197 Tainted: G    B             4.18.0-rc6+ #140
[   35.356890] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.366221] Call Trace:
[   35.368801]  dump_stack+0x1c9/0x2b4
[   35.372405]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.377586]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.382323]  panic+0x238/0x4e7
[   35.385495]  ? add_taint.cold.5+0x16/0x16
[   35.389718]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.394103]  ? do_raw_spin_lock+0x1c0/0x200
[   35.398405]  kasan_end_report+0x47/0x4f
[   35.402359]  kasan_report.cold.7+0x76/0x2fe
[   35.406662]  __asan_report_load4_noabort+0x14/0x20
[   35.411576]  do_raw_spin_lock+0x1c0/0x200
[   35.415704]  _raw_spin_lock_bh+0x39/0x40
[   35.419744]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   35.425609]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   35.431310]  ? smap_data_ready+0x320/0x320
[   35.435522]  ? remove_wait_queue+0x360/0x360
[   35.439908]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.444305]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   35.448870]  ? lock_acquire+0x1e4/0x540
[   35.452850]  ? lock_acquire+0x1e4/0x540
[   35.456817]  ? sock_hash_update_elem+0x130/0x510
[   35.461554]  ? lock_release+0xa30/0xa30
[   35.465516]  ? kasan_check_read+0x11/0x20
[   35.469662]  ? lock_release+0xa30/0xa30
[   35.473617]  ? finish_wait+0x430/0x430
[   35.477487]  ? kasan_check_write+0x14/0x20
[   35.481708]  ? lock_sock_nested+0x9f/0x120
[   35.485937]  ? trace_hardirqs_on+0xd/0x10
[   35.490066]  ? __local_bh_enable_ip+0x161/0x230
[   35.494719]  sock_hash_update_elem+0x1e2/0x510
[   35.499283]  ? bpf_sock_hash_update+0x90/0x90
[   35.503763]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.509291]  ? _copy_from_user+0xdf/0x150
[   35.513418]  ? bpf_sock_hash_update+0x90/0x90
[   35.517890]  map_update_elem+0x72d/0xcb0
[   35.521930]  __x64_sys_bpf+0x32d/0x510
[   35.525805]  ? bpf_prog_get+0x20/0x20
[   35.529594]  ? ksys_ioctl+0x81/0xd0
[   35.533215]  do_syscall_64+0x1b9/0x820
[   35.537088]  ? syscall_return_slowpath+0x5e0/0x5e0
[   35.542008]  ? syscall_return_slowpath+0x31d/0x5e0
[   35.546920]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   35.551922]  ? prepare_exit_to_usermode+0x291/0x3b0
[   35.556921]  ? perf_trace_sys_enter+0xb10/0xb10
[   35.561681]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.566513]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.571686] RIP: 0033:0x440449
[   35.574863] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   35.593984] RSP: 002b:00007fff74d8a318 EFLAGS: 00000203 ORIG_RAX: 0000000000000141
[   35.601681] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440449
[   35.608938] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[   35.616185] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   35.623433] R10: 00000000004002c8 R11: 0000000000000203 R12: 0000000000401cd0
[   35.630680] R13: 0000000000401d60 R14: 0000000000000000 R15: 0000000000000000
[   35.638353] Dumping ftrace buffer:
[   35.641877]    (ftrace buffer empty)
[   35.645576] Kernel Offset: disabled
[   35.649196] Rebooting in 86400 seconds..
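What the report above establishes, before any source is opened: task 4286 took a 4-byte read at 0xffff8801ad719df4, which is 20 bytes past the end of a 544-byte object from kcm_psock_cache that the same task allocated inside kcm_ioctl (the memory-state dump agrees: the object's tail granules are 00, the accessed granule is fc, a slab redzone). The read is the lock word do_raw_spin_lock examines for _raw_spin_lock_bh inside sock_hash_ctx_update_elem, reached from bpf(2): ORIG_RAX 0x141 is __NR_bpf on x86-64 and RDI 2 is BPF_MAP_UPDATE_ELEM. So the BPF sockhash update path is taking a spinlock located beyond an object that the KCM subsystem allocated; why a sockhash update ends up inside a KCM psock is not something the report states, and that is the question a triager takes to the code. The parser below automates that first pass. It is an added example, not syzkaller's or the kernel's code; the sample input is a constructed subset of this report's lines, and KasanReport, parse_kasan_report, first_frame_outside, check_consistency, INSTRUMENTATION and LOCK_PRIMS are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a subset of the report's decisive lines, timestamps kept
# so the parser sees realistic console input. It is not the full report.
SAMPLE_REPORT = """\
[   34.853887] BUG: KASAN: slab-out-of-bounds in do_raw_spin_lock+0x1c0/0x200
[   34.860885] Read of size 4 at addr ffff8801ad719df4 by task syz-executor197/4286
[   34.886770] Call Trace:
[   34.919598]  kasan_report.cold.7+0x242/0x2fe
[   34.923997]  __asan_report_load4_noabort+0x14/0x20
[   34.928903]  do_raw_spin_lock+0x1c0/0x200
[   34.933031]  _raw_spin_lock_bh+0x39/0x40
[   34.937072]  ? sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   34.942933]  sock_hash_ctx_update_elem.isra.26+0xbef/0x14d0
[   35.157079] Allocated by task 4286:
[   35.160698]  save_stack+0x43/0xd0
[   35.171795]  kmem_cache_alloc+0x12e/0x760
[   35.175924]  kcm_ioctl+0xd10/0x1930
[   35.208713] Freed by task 0:
[   35.211704] (stack is not available)
[   35.216998]  which belongs to the cache kcm_psock_cache of size 544
[   35.229977] The buggy address is located 20 bytes to the right of
[   35.229977]  544-byte region [ffff8801ad719bc0, ffff8801ad719de0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # console timestamp prefix
FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
STACK_HDR = re.compile(r"^(Call Trace|Allocated by task \d+|Freed by task \d+):$")
FIELDS = {
    "bug": re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x"),
    "access": re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)"),
    "cache": re.compile(r"belongs to the cache (\S+) of size (\d+)"),
    "offset": re.compile(r"located (\d+) bytes (?:to the )?(left|right|inside) of"),
    "region": re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)"),
}
# Frames owned by the sanitizer/allocator, and by the lock primitives, are not the suspect.
INSTRUMENTATION = ("save_stack", "kasan_", "__asan_", "kmem_cache_alloc", "kmalloc", "__kmalloc")
LOCK_PRIMS = ("do_raw_spin", "_raw_spin")


@dataclass
class KasanReport:
    bug_type: str = ""; fault_func: str = ""; access: str = ""; size: int = 0; addr: int = 0
    task: str = ""; pid: int = 0; cache: str = ""; cache_size: int = 0
    region: Tuple[int, int] = (0, 0); offset_bytes: int = 0; side: str = ""
    call_trace: List[str] = field(default_factory=list)
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)


def parse_kasan_report(text: str) -> KasanReport:
    """Parse one KASAN report (console timestamps allowed) into a KasanReport."""
    g, stacks, current = {}, {}, None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if current is not None:                        # inside a stack dump
            if line.startswith("? "):                  # unreliable frame, ignore it
                continue
            m = FRAME.match(line)
            if m:
                current.append(m.group(1))
                continue
            current = None                             # blank/non-frame line ends the dump
        m = STACK_HDR.match(line)
        if m:
            key = m.group(1).split()[0]                # Call / Allocated / Freed
            current = [] if key in stacks else stacks.setdefault(key, [])  # keep first trace
            continue
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and name not in g:                    # first occurrence wins
                g[name] = m.groups()
    grp = lambda n, i, conv=str: conv(g[n][i]) if n in g else conv()
    hx = lambda s="0": int(s, 16)
    return KasanReport(
        bug_type=grp("bug", 0), fault_func=grp("bug", 1), access=grp("access", 0),
        size=grp("access", 1, int), addr=grp("access", 2, hx), task=grp("access", 3),
        pid=grp("access", 4, int), cache=grp("cache", 0), cache_size=grp("cache", 1, int),
        region=(grp("region", 1, hx), grp("region", 2, hx)),
        offset_bytes=grp("offset", 0, int), side=grp("offset", 1),
        call_trace=stacks.get("Call", []), alloc_stack=stacks.get("Allocated", []),
        free_stack=stacks.get("Freed", []))


def first_frame_outside(frames, skip=INSTRUMENTATION):
    """First frame whose name does not start with one of `skip` (None if there is none)."""
    return next((f for f in frames if not f.startswith(skip)), None)


def check_consistency(rep: KasanReport) -> List[str]:
    """Cross-check the numbers KASAN printed against each other; [] means they agree."""
    start, end = rep.region
    expected = {"right": end + rep.offset_bytes, "left": start - rep.offset_bytes,
                "inside": start + rep.offset_bytes}.get(rep.side)
    problems = []
    if end - start != rep.cache_size:
        problems.append(f"region length {end - start} != cache size {rep.cache_size}")
    if expected != rep.addr:
        problems.append(f"{rep.offset_bytes} bytes {rep.side} of region is not {rep.addr:#x}")
    return problems
```

Run against the constructed sample, parse_kasan_report yields the allocation site kcm_ioctl (first_frame_outside over alloc_stack), the faulting function do_raw_spin_lock, and, once the lock primitives are skipped as well, the caller sock_hash_ctx_update_elem.isra.26; check_consistency confirms that 0xffff8801ad719de0 + 20 is the reported address and that the region length equals the cache's object size. "? " frames are dropped on purpose: they are stale stack slots, not a reliable call chain, and blaming one of them is a common triage mistake.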