[ 11.076451] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.967684] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.110680] audit: type=1400 audit(1567968530.496:6): avc: denied { map } for pid=1758 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 18.160963] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.664552] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.136' (ECDSA) to the list of known hosts.
[ 24.299934] urandom_read: 1 callbacks suppressed
[ 24.299940] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.403558] audit: type=1400 audit(1567968536.786:7): avc: denied { map } for pid=1776 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/09/08 18:48:56 parsed 1 programs
[ 24.485846] audit: type=1400 audit(1567968536.866:8): avc: denied { map } for pid=1776 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=5044 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 25.021538] random: cc1: uninitialized urandom read (8 bytes read)
2019/09/08 18:48:58 executed programs: 0
[ 26.036019] audit: type=1400 audit(1567968538.416:9): avc: denied { map } for pid=1776 comm="syz-execprog" path="/root/syzkaller-shm584774965" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2019/09/08 18:49:03 executed programs: 86
[ 32.241668] ==================================================================
[ 32.249095] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810
[ 32.256460] Read of size 8 at addr ffff8881c432f860 by task syz-executor.0/3172
[ 32.263885]
[ 32.265496] CPU: 0 PID: 3172 Comm: syz-executor.0 Not tainted 4.14.142+ #0
[ 32.272500] Call Trace:
[ 32.275076]  dump_stack+0xca/0x134
[ 32.278609]  ? unwind_next_frame+0x169f/0x1810
[ 32.283174]  ? unwind_next_frame+0x169f/0x1810
[ 32.287740]  print_address_description+0x60/0x226
[ 32.292576]  ? unwind_next_frame+0x169f/0x1810
[ 32.297138]  ? unwind_next_frame+0x169f/0x1810
[ 32.301708]  __kasan_report.cold+0x1a/0x41
[ 32.305921]  ? unwind_next_frame+0x169f/0x1810
[ 32.310483]  unwind_next_frame+0x169f/0x1810
[ 32.314871]  ? retint_kernel+0x2d/0x2d
[ 32.318735]  ? perf_callchain_user+0x4a7/0xf80
[ 32.323297]  ? deref_stack_reg+0xe0/0xe0
[ 32.327337]  ? perf_callchain_user+0x2d1/0xf80
[ 32.331929]  ? retint_kernel+0x2d/0x2d
[ 32.335819]  perf_callchain_kernel+0x3a0/0x540
[ 32.340396]  ? perf_callchain_kernel+0x540/0x540
[ 32.345131]  ? arch_perf_update_userpage+0x330/0x330
[ 32.350232]  ? perf_callchain+0x147/0x190
[ 32.354361]  ? futex_wait_setup+0x132/0x330
[ 32.358664]  get_perf_callchain+0x2f5/0x770
[ 32.362982]  ? put_callchain_buffers+0x60/0x60
[ 32.367542]  ? perf_callchain+0x150/0x190
[ 32.371720]  perf_callchain+0x147/0x190
[ 32.375703]  perf_prepare_sample+0x6a8/0x1360
[ 32.380190]  ? perf_output_sample+0x1700/0x1700
[ 32.384844]  ? perf_prepare_sample+0x1360/0x1360
[ 32.389582]  ? perf_swevent_put_recursion_context+0x1a/0xa0
[ 32.395277]  perf_event_output_forward+0xdc/0x220
[ 32.400121]  ? perf_prepare_sample+0x1360/0x1360
[ 32.404872]  ? __perf_event_overflow+0x1cc/0x340
[ 32.409619]  ? check_preemption_disabled+0x35/0x1f0
[ 32.414631]  __perf_event_overflow+0x12d/0x340
[ 32.419194]  perf_swevent_overflow+0x7a/0xf0
[ 32.423608]  perf_swevent_event+0x112/0x270
[ 32.427909]  perf_tp_event+0x633/0x7f0
[ 32.431779]  ? perf_swevent_put_recursion_context+0xa0/0xa0
[ 32.437480]  ? trace_hardirqs_on+0x10/0x10
[ 32.441695]  ? __lock_acquire+0x5d7/0x4320
[ 32.445916]  ? perf_trace_run_bpf_submit+0x113/0x170
[ 32.451000]  ? check_preemption_disabled+0x35/0x1f0
[ 32.455998]  perf_trace_run_bpf_submit+0x113/0x170
[ 32.460908]  perf_trace_lock_acquire+0x341/0x4e0
[ 32.465648]  ? HARDIRQ_verbose+0x10/0x10
[ 32.469687]  ? retint_kernel+0x2d/0x2d
[ 32.473555]  ? get_futex_key+0x4c1/0xf90
[ 32.477610]  lock_acquire+0x279/0x360
[ 32.481407]  ? futex_wait_setup+0x132/0x330
[ 32.485709]  _raw_spin_lock+0x2a/0x40
[ 32.489492]  ? futex_wait_setup+0x132/0x330
[ 32.493792]  futex_wait_setup+0x132/0x330
[ 32.497926]  ? get_futex_key+0xf90/0xf90
[ 32.501968]  futex_wait+0x1ad/0x570
[ 32.505575]  ? futex_wait_setup+0x330/0x330
[ 32.509882]  ? wake_up_q+0xea/0x150
[ 32.513489]  ? drop_futex_key_refs.isra.0+0x17/0xb0
[ 32.518497]  ? futex_wake+0x15b/0x440
[ 32.522286]  do_futex+0x13f/0x1980
[ 32.525808]  ? trace_hardirqs_on+0x10/0x10
[ 32.530025]  ? perf_trace_lock_acquire+0x341/0x4e0
[ 32.534937]  ? exit_robust_list+0x240/0x240
[ 32.539238]  ? HARDIRQ_verbose+0x10/0x10
[ 32.543282]  ? __might_fault+0x104/0x1b0
[ 32.547323]  ? lock_downgrade+0x5d0/0x5d0
[ 32.551450]  ? lock_acquire+0x12b/0x360
[ 32.555407]  ? __might_fault+0xd4/0x1b0
[ 32.559361]  ? __might_fault+0x177/0x1b0
[ 32.563410]  ? _copy_to_user+0x82/0xd0
[ 32.567284]  SyS_futex+0x1c5/0x2c3
[ 32.570807]  ? do_futex+0x1980/0x1980
[ 32.574587]  ? SyS_clock_gettime+0x7d/0xe0
[ 32.579843]  ? do_clock_gettime+0xd0/0xd0
[ 32.583987]  ? do_syscall_64+0x43/0x520
[ 32.587959]  ? do_futex+0x1980/0x1980
[ 32.591741]  do_syscall_64+0x19b/0x520
[ 32.595613]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.600786] RIP: 0033:0x4598e9
[ 32.603956] RSP: 002b:00007f2a671cccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 32.611645] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 00000000004598e9
[ 32.618896] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28
[ 32.626159] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 32.633429] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c
[ 32.640686] R13: 00007fff456b383f R14: 00007f2a671cd9c0 R15: 000000000075bf2c
[ 32.647950]
[ 32.649557] The buggy address belongs to the page:
[ 32.654469] page:ffffea000710cbc0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 32.662589] flags: 0x4000000000000000()
[ 32.666546] raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 32.674424] raw: 0000000000000000 ffffea000710cbe0 0000000000000000 0000000000000000
[ 32.682297] page dumped because: kasan: bad access detected
[ 32.687985]
[ 32.689591] Memory state around the buggy address:
[ 32.694529]  ffff8881c432f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.701869]  ffff8881c432f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.709236] >ffff8881c432f800: 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00
[ 32.716574]                                                        ^
[ 32.723047]  ffff8881c432f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.730384]  ffff8881c432f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.737719] ==================================================================
[ 32.745053] Disabling lock debugging due to kernel taint
[ 32.750480] Kernel panic - not syncing: panic_on_warn set ...
[ 32.750480]
[ 32.757822] CPU: 0 PID: 3172 Comm: syz-executor.0 Tainted: G    B     4.14.142+ #0
[ 32.766047] Call Trace:
[ 32.768627]  dump_stack+0xca/0x134
[ 32.772163]  panic+0x1ea/0x3d3
[ 32.775349]  ? add_taint.cold+0x16/0x16
[ 32.779311]  ? lock_downgrade+0x5d0/0x5d0
[ 32.783442]  ? unwind_next_frame+0x169f/0x1810
[ 32.788027]  end_report+0x43/0x49
[ 32.791460]  ? unwind_next_frame+0x169f/0x1810
[ 32.796021]  __kasan_report.cold+0xd/0x41
[ 32.800149]  ? unwind_next_frame+0x169f/0x1810
[ 32.804710]  unwind_next_frame+0x169f/0x1810
[ 32.809098]  ? retint_kernel+0x2d/0x2d
[ 32.812982]  ? perf_callchain_user+0x4a7/0xf80
[ 32.818080]  ? deref_stack_reg+0xe0/0xe0
[ 32.822142]  ? perf_callchain_user+0x2d1/0xf80
[ 32.826702]  ? retint_kernel+0x2d/0x2d
[ 32.830577]  perf_callchain_kernel+0x3a0/0x540
[ 32.835159]  ? perf_callchain_kernel+0x540/0x540
[ 32.839893]  ? arch_perf_update_userpage+0x330/0x330
[ 32.844975]  ? perf_callchain+0x147/0x190
[ 32.849120]  ? futex_wait_setup+0x132/0x330
[ 32.853455]  get_perf_callchain+0x2f5/0x770
[ 32.857762]  ? put_callchain_buffers+0x60/0x60
[ 32.862327]  ? perf_callchain+0x150/0x190
[ 32.866483]  perf_callchain+0x147/0x190
[ 32.870453]  perf_prepare_sample+0x6a8/0x1360
[ 32.875031]  ? perf_output_sample+0x1700/0x1700
[ 32.880211]  ? perf_prepare_sample+0x1360/0x1360
[ 32.884962]  ? perf_swevent_put_recursion_context+0x1a/0xa0
[ 32.890743]  perf_event_output_forward+0xdc/0x220
[ 32.895571]  ? perf_prepare_sample+0x1360/0x1360
[ 32.900314]  ? __perf_event_overflow+0x1cc/0x340
[ 32.905055]  ? check_preemption_disabled+0x35/0x1f0
[ 32.910067]  __perf_event_overflow+0x12d/0x340
[ 32.914647]  perf_swevent_overflow+0x7a/0xf0
[ 32.919035]  perf_swevent_event+0x112/0x270
[ 32.923338]  perf_tp_event+0x633/0x7f0
[ 32.927212]  ? perf_swevent_put_recursion_context+0xa0/0xa0
[ 32.932955]  ? trace_hardirqs_on+0x10/0x10
[ 32.937207]  ? __lock_acquire+0x5d7/0x4320
[ 32.941443]  ? perf_trace_run_bpf_submit+0x113/0x170
[ 32.946533]  ? check_preemption_disabled+0x35/0x1f0
[ 32.951530]  perf_trace_run_bpf_submit+0x113/0x170
[ 32.956444]  perf_trace_lock_acquire+0x341/0x4e0
[ 32.961198]  ? HARDIRQ_verbose+0x10/0x10
[ 32.965248]  ? retint_kernel+0x2d/0x2d
[ 32.969118]  ? get_futex_key+0x4c1/0xf90
[ 32.973178]  lock_acquire+0x279/0x360
[ 32.976960]  ? futex_wait_setup+0x132/0x330
[ 32.981263]  _raw_spin_lock+0x2a/0x40
[ 32.985045]  ? futex_wait_setup+0x132/0x330
[ 32.989349]  futex_wait_setup+0x132/0x330
[ 32.993491]  ? get_futex_key+0xf90/0xf90
[ 32.997637]  futex_wait+0x1ad/0x570
[ 33.001246]  ? futex_wait_setup+0x330/0x330
[ 33.005546]  ? wake_up_q+0xea/0x150
[ 33.009154]  ? drop_futex_key_refs.isra.0+0x17/0xb0
[ 33.014148]  ? futex_wake+0x15b/0x440
[ 33.017933]  do_futex+0x13f/0x1980
[ 33.021490]  ? trace_hardirqs_on+0x10/0x10
[ 33.025706]  ? perf_trace_lock_acquire+0x341/0x4e0
[ 33.030717]  ? exit_robust_list+0x240/0x240
[ 33.035016]  ? HARDIRQ_verbose+0x10/0x10
[ 33.039061]  ? __might_fault+0x104/0x1b0
[ 33.043102]  ? lock_downgrade+0x5d0/0x5d0
[ 33.047240]  ? lock_acquire+0x12b/0x360
[ 33.051194]  ? __might_fault+0xd4/0x1b0
[ 33.055147]  ? __might_fault+0x177/0x1b0
[ 33.059191]  ? _copy_to_user+0x82/0xd0
[ 33.063063]  SyS_futex+0x1c5/0x2c3
[ 33.066587]  ? do_futex+0x1980/0x1980
[ 33.070371]  ? SyS_clock_gettime+0x7d/0xe0
[ 33.074598]  ? do_clock_gettime+0xd0/0xd0
[ 33.078750]  ? do_syscall_64+0x43/0x520
[ 33.082735]  ? do_futex+0x1980/0x1980
[ 33.086540]  do_syscall_64+0x19b/0x520
[ 33.090434]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 33.095625] RIP: 0033:0x4598e9
[ 33.098806] RSP: 002b:00007f2a671cccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 33.106496] RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 00000000004598e9
[ 33.113759] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bf28
[ 33.121006] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 33.128262] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bf2c
[ 33.135523] R13: 00007fff456b383f R14: 00007f2a671cd9c0 R15: 000000000075bf2c
[ 33.143545] Kernel Offset: 0xb200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 33.154410] Rebooting in 86400 seconds..