[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 16.470302] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.232781] random: sshd: uninitialized urandom read (32 bytes read) [ 20.547112] random: sshd: uninitialized urandom read (32 bytes read) [ 20.991852] random: sshd: uninitialized urandom read (32 bytes read) [ 23.739166] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts. [ 29.187310] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 29.274857] ================================================================== [ 29.282272] BUG: KASAN: use-after-free in preempt_notifier_register+0x1ec/0x200 [ 29.289707] Write of size 8 at addr ffff8801ac490050 by task syz-executor201/4333 [ 29.297305] [ 29.298919] CPU: 0 PID: 4333 Comm: syz-executor201 Not tainted 4.18.0-rc8-next-20180807+ #33 [ 29.307534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.316887] Call Trace: [ 29.319467] dump_stack+0x1c9/0x2b4 [ 29.323098] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.328378] ? printk+0xa7/0xcf [ 29.331648] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 29.336393] ? preempt_notifier_register+0x1ec/0x200 [ 29.341485] print_address_description+0x6c/0x20b [ 29.346318] ? preempt_notifier_register+0x1ec/0x200 [ 29.351488] kasan_report.cold.7+0x242/0x30d [ 29.355910] __asan_report_store8_noabort+0x17/0x20 [ 29.360919] preempt_notifier_register+0x1ec/0x200 [ 29.365838] ? preempt_notifier_dec+0x20/0x20 [ 29.370421] ? __kasan_slab_free+0x131/0x170 [ 29.374821] vcpu_load+0x27/0x40 [ 29.378176] vmx_free_vcpu+0x194/0x300 [ 29.382055] kvm_arch_destroy_vm+0x365/0x7c0 [ 29.386451] ? kasan_check_read+0x13/0x20 [ 29.390582] ? kvm_arch_sync_events+0x30/0x30 [ 29.395064] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.400585] ? mmu_notifier_unregister+0x474/0x600 [ 29.405500] ? debug_check_no_obj_freed+0x30b/0x595 [ 29.410503] ? __mmu_notifier_register+0x30/0x30 [ 29.415243] ? __free_pages+0x10a/0x190 [ 29.419204] ? free_unref_page+0x9a0/0x9a0 [ 29.423429] kvm_put_kvm+0x73f/0x1060 [ 29.427222] ? kvm_write_guest_cached+0x40/0x40 [ 29.431878] ? lock_acquire+0x1e4/0x540 [ 29.435840] ? kvm_irqfd_release+0xd1/0x120 [ 29.440146] ? lock_downgrade+0x8f0/0x8f0 [ 29.444282] ? kasan_check_write+0x14/0x20 [ 29.448505] ? do_raw_spin_lock+0xc1/0x200 [ 29.452731] ? kvm_irqfd_release+0xdd/0x120 [ 29.457046] ? kvm_put_kvm+0x1060/0x1060 [ 29.461094] kvm_vm_release+0x42/0x50 [ 29.464880] __fput+0x376/0x8a0 [ 29.468150] ? __alloc_file+0x400/0x400 [ 29.472110] ? check_same_owner+0x340/0x340 [ 29.476422] ? kasan_check_write+0x14/0x20 [ 29.480655] ? do_raw_spin_lock+0xc1/0x200 [ 29.484888] ____fput+0x15/0x20 [ 29.488151] task_work_run+0x1e8/0x2a0 [ 29.492027] ? task_work_cancel+0x240/0x240 [ 29.496351] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.501871] ? switch_task_namespaces+0xa2/0xd0 [ 29.506524] do_exit+0x1b25/0x2760 [ 29.510110] ? mm_update_next_owner+0x9a0/0x9a0 [ 29.514771] ? kfree+0x15e/0x260 [ 29.518122] ? kvm_vcpu_ioctl+0x2ba/0x1300 [ 29.522350] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 29.528053] ? is_bpf_text_address+0xd7/0x170 [ 29.532537] ? kernel_text_address+0x79/0xf0 [ 29.537047] ? __kernel_text_address+0xd/0x40 [ 29.541531] ? unwind_get_return_address+0x61/0xa0 [ 29.546451] ? __save_stack_trace+0x8d/0xf0 [ 29.550763] ? save_stack+0xa9/0xd0 [ 29.554373] ? save_stack+0x43/0xd0 [ 29.557983] ? __kasan_slab_free+0x11a/0x170 [ 29.562372] ? kasan_slab_free+0xe/0x10 [ 29.566379] ? putname+0xf2/0x130 [ 29.569831] ? __x64_sys_openat+0x9d/0x100 [ 29.574054] ? do_syscall_64+0x1b9/0x820 [ 29.578168] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.583548] ? kasan_check_read+0x11/0x20 [ 29.587680] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.592128] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 29.596703] ? initcall_blacklisted+0x9a/0x1e0 [ 29.601270] ? do_raw_spin_lock+0xc1/0x200 [ 29.605489] ? trace_hardirqs_off+0xd/0x10 [ 29.609716] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 29.614808] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 29.620510] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.626037] ? do_vfs_ioctl+0x201/0x1720 [ 29.630088] ? ioctl_preallocate+0x300/0x300 [ 29.634485] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.640011] ? __fget_light+0x2f7/0x440 [ 29.643973] ? fget_raw+0x20/0x20 [ 29.647488] ? trace_hardirqs_on+0xd/0x10 [ 29.651631] ? kmem_cache_free+0x22e/0x2d0 [ 29.655905] ? putname+0xf7/0x130 [ 29.659352] do_group_exit+0x177/0x440 [ 29.663221] ? __ia32_sys_exit+0x50/0x50 [ 29.667279] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.672804] ? ksys_ioctl+0x81/0xd0 [ 29.676420] __x64_sys_exit_group+0x3e/0x50 [ 29.680732] do_syscall_64+0x1b9/0x820 [ 29.684602] ? syscall_slow_exit_work+0x500/0x500 [ 29.689493] ? syscall_return_slowpath+0x5e0/0x5e0 [ 29.694413] ? syscall_return_slowpath+0x31d/0x5e0 [ 29.699328] ? prepare_exit_to_usermode+0x291/0x3b0 [ 29.704369] ? perf_trace_sys_enter+0xb10/0xb10 [ 29.709024] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.713856] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.719036] RIP: 0033:0x43ece8 [ 29.722388] Code: Bad RIP value. [ 29.725778] RSP: 002b:00007ffd3f933c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 29.733475] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ece8 [ 29.740733] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 29.747985] RBP: 00000000004be5a8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 29.755296] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 29.762552] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 29.769805] [ 29.771416] Allocated by task 4333: [ 29.775026] save_stack+0x43/0xd0 [ 29.778463] kasan_kmalloc+0xc4/0xe0 [ 29.782229] kasan_slab_alloc+0x12/0x20 [ 29.786196] kmem_cache_alloc+0x12e/0x760 [ 29.790332] vmx_create_vcpu+0xcf/0x28b0 [ 29.794372] kvm_arch_vcpu_create+0xe5/0x220 [ 29.798762] kvm_vm_ioctl+0x488/0x1d80 [ 29.802637] do_vfs_ioctl+0x1de/0x1720 [ 29.806512] ksys_ioctl+0xa9/0xd0 [ 29.810035] __x64_sys_ioctl+0x73/0xb0 [ 29.813906] do_syscall_64+0x1b9/0x820 [ 29.817780] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.822946] [ 29.824559] Freed by task 4333: [ 29.827866] save_stack+0x43/0xd0 [ 29.831310] __kasan_slab_free+0x11a/0x170 [ 29.835531] kasan_slab_free+0xe/0x10 [ 29.839356] kmem_cache_free+0x86/0x2d0 [ 29.843318] vmx_free_vcpu+0x26b/0x300 [ 29.847185] kvm_arch_destroy_vm+0x365/0x7c0 [ 29.851574] kvm_put_kvm+0x73f/0x1060 [ 29.855357] kvm_vm_release+0x42/0x50 [ 29.859144] __fput+0x376/0x8a0 [ 29.862405] ____fput+0x15/0x20 [ 29.865668] task_work_run+0x1e8/0x2a0 [ 29.869544] do_exit+0x1b25/0x2760 [ 29.873068] do_group_exit+0x177/0x440 [ 29.877038] __x64_sys_exit_group+0x3e/0x50 [ 29.881345] do_syscall_64+0x1b9/0x820 [ 29.885219] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.890384] [ 29.891997] The buggy address belongs to the object at ffff8801ac490040 [ 29.891997] which belongs to the cache kvm_vcpu of size 23808 [ 29.904586] The buggy address is located 16 bytes inside of [ 29.904586] 23808-byte region [ffff8801ac490040, ffff8801ac495d40) [ 29.916531] The buggy address belongs to the page: [ 29.921443] page:ffffea0006b12400 count:1 mapcount:0 mapping:ffff8801d5297a80 index:0x0 compound_mapcount: 0 [ 29.931395] flags: 0x2fffc0000008100(slab|head) [ 29.936090] raw: 02fffc0000008100 ffff8801d528f448 ffffea0006b2aa08 ffff8801d5297a80 [ 29.943959] raw: 0000000000000000 ffff8801ac490040 0000000100000001 0000000000000000 [ 29.951818] page dumped because: kasan: bad access detected [ 29.957683] [ 29.959329] Memory state around the buggy address: [ 29.964246] ffff8801ac48ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.971592] ffff8801ac48ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 29.978939] >ffff8801ac490000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 29.986342] ^ [ 29.992298] ffff8801ac490080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.999673] ffff8801ac490100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.007051] ================================================================== [ 30.014485] Kernel panic - not syncing: panic_on_warn set ... [ 30.014485] [ 30.021866] CPU: 0 PID: 4333 Comm: syz-executor201 Tainted: G B 4.18.0-rc8-next-20180807+ #33 [ 30.031824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.041162] Call Trace: [ 30.043739] dump_stack+0x1c9/0x2b4 [ 30.047350] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.053064] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.057856] panic+0x238/0x4e7 [ 30.061037] ? add_taint.cold.5+0x16/0x16 [ 30.065175] ? do_raw_spin_unlock+0xa7/0x2f0 [ 30.069608] ? preempt_notifier_register+0x1ec/0x200 [ 30.074720] kasan_end_report+0x47/0x4f [ 30.078690] kasan_report.cold.7+0x76/0x30d [ 30.083012] __asan_report_store8_noabort+0x17/0x20 [ 30.088011] preempt_notifier_register+0x1ec/0x200 [ 30.092923] ? preempt_notifier_dec+0x20/0x20 [ 30.097410] ? __kasan_slab_free+0x131/0x170 [ 30.101810] vcpu_load+0x27/0x40 [ 30.105165] vmx_free_vcpu+0x194/0x300 [ 30.109038] kvm_arch_destroy_vm+0x365/0x7c0 [ 30.113432] ? kasan_check_read+0x13/0x20 [ 30.117569] ? kvm_arch_sync_events+0x30/0x30 [ 30.122049] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.127568] ? mmu_notifier_unregister+0x474/0x600 [ 30.132526] ? debug_check_no_obj_freed+0x30b/0x595 [ 30.137537] ? __mmu_notifier_register+0x30/0x30 [ 30.142283] ? __free_pages+0x10a/0x190 [ 30.146246] ? free_unref_page+0x9a0/0x9a0 [ 30.150470] kvm_put_kvm+0x73f/0x1060 [ 30.154262] ? kvm_write_guest_cached+0x40/0x40 [ 30.158918] ? lock_acquire+0x1e4/0x540 [ 30.162878] ? kvm_irqfd_release+0xd1/0x120 [ 30.167182] ? lock_downgrade+0x8f0/0x8f0 [ 30.171315] ? kasan_check_write+0x14/0x20 [ 30.175613] ? do_raw_spin_lock+0xc1/0x200 [ 30.179893] ? kvm_irqfd_release+0xdd/0x120 [ 30.184210] ? kvm_put_kvm+0x1060/0x1060 [ 30.188303] kvm_vm_release+0x42/0x50 [ 30.192098] __fput+0x376/0x8a0 [ 30.195369] ? __alloc_file+0x400/0x400 [ 30.199328] ? check_same_owner+0x340/0x340 [ 30.203638] ? kasan_check_write+0x14/0x20 [ 30.207863] ? do_raw_spin_lock+0xc1/0x200 [ 30.212085] ____fput+0x15/0x20 [ 30.215352] task_work_run+0x1e8/0x2a0 [ 30.219229] ? task_work_cancel+0x240/0x240 [ 30.223537] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.229056] ? switch_task_namespaces+0xa2/0xd0 [ 30.233717] do_exit+0x1b25/0x2760 [ 30.237244] ? mm_update_next_owner+0x9a0/0x9a0 [ 30.241897] ? kfree+0x15e/0x260 [ 30.245299] ? kvm_vcpu_ioctl+0x2ba/0x1300 [ 30.249529] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 30.255232] ? is_bpf_text_address+0xd7/0x170 [ 30.259725] ? kernel_text_address+0x79/0xf0 [ 30.264127] ? __kernel_text_address+0xd/0x40 [ 30.268613] ? unwind_get_return_address+0x61/0xa0 [ 30.273536] ? __save_stack_trace+0x8d/0xf0 [ 30.277851] ? save_stack+0xa9/0xd0 [ 30.281463] ? save_stack+0x43/0xd0 [ 30.285117] ? __kasan_slab_free+0x11a/0x170 [ 30.289555] ? kasan_slab_free+0xe/0x10 [ 30.293521] ? putname+0xf2/0x130 [ 30.296970] ? __x64_sys_openat+0x9d/0x100 [ 30.301258] ? do_syscall_64+0x1b9/0x820 [ 30.305327] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.310685] ? kasan_check_read+0x11/0x20 [ 30.314825] ? do_raw_spin_unlock+0xa7/0x2f0 [ 30.319221] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 30.323795] ? initcall_blacklisted+0x9a/0x1e0 [ 30.328361] ? do_raw_spin_lock+0xc1/0x200 [ 30.332588] ? trace_hardirqs_off+0xd/0x10 [ 30.336816] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 30.341906] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 30.347602] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.353135] ? do_vfs_ioctl+0x201/0x1720 [ 30.357182] ? ioctl_preallocate+0x300/0x300 [ 30.361575] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.367095] ? __fget_light+0x2f7/0x440 [ 30.371057] ? fget_raw+0x20/0x20 [ 30.374497] ? trace_hardirqs_on+0xd/0x10 [ 30.378642] ? kmem_cache_free+0x22e/0x2d0 [ 30.382875] ? putname+0xf7/0x130 [ 30.386324] do_group_exit+0x177/0x440 [ 30.390208] ? __ia32_sys_exit+0x50/0x50 [ 30.394262] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.399782] ? ksys_ioctl+0x81/0xd0 [ 30.403395] __x64_sys_exit_group+0x3e/0x50 [ 30.407700] do_syscall_64+0x1b9/0x820 [ 30.411569] ? syscall_slow_exit_work+0x500/0x500 [ 30.416394] ? syscall_return_slowpath+0x5e0/0x5e0 [ 30.421313] ? syscall_return_slowpath+0x31d/0x5e0 [ 30.426231] ? prepare_exit_to_usermode+0x291/0x3b0 [ 30.431237] ? perf_trace_sys_enter+0xb10/0xb10 [ 30.435891] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.440720] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.445895] RIP: 0033:0x43ece8 [ 30.449071] Code: Bad RIP value. [ 30.452414] RSP: 002b:00007ffd3f933c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 30.460116] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ece8 [ 30.467370] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 30.474632] RBP: 00000000004be5a8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 30.481897] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 30.489149] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 30.496735] Dumping ftrace buffer: [ 30.500264] (ftrace buffer empty) [ 30.503953] Kernel Offset: disabled [ 30.507557] Rebooting in 86400 seconds..