[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 14.391303] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.353230] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.665252] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.428871] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.926500] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[ 43.319741] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 43.401135] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 43.655033] ==================================================================
[ 43.662642] BUG: KASAN: stack-out-of-bounds in __handle_mm_fault+0x3aa3/0x4460
[ 43.667556] ------------[ cut here ]------------
[ 43.669979] Read of size 8 at addr ffff8801bc61c010 by task syz-executor300/4452
[ 43.669986]
[ 43.674748] do_IRQ(): syz-executor300 has overflown the kernel stack (cur:ffff8801be608000,sp:ffff8801ba769dd8,irq stk top-bottom:ffff8801daf00080-ffff8801daf08000,exception stk top-bottom:fffffe0000038080-fffffe0000042000,ip:lock_release+0x4f5/0xa30)
[ 43.682250] CPU: 0 PID: 4452 Comm: syz-executor300 Not tainted 4.18.0-rc3+ #58
[ 43.683869] WARNING: CPU: 1 PID: 4519 at arch/x86/kernel/irq_64.c:63 handle_irq+0x1fb/0x2e7
[ 43.706200] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.713536] Kernel panic - not syncing: panic_on_warn set ...
[ 43.713536]
[ 43.721994] Call Trace:
[ 43.741233] dump_stack+0x1c9/0x2b4
[ 43.744882] ? dump_stack_print_info.cold.2+0x52/0x52
[ 43.750050] ? printk+0xa7/0xcf
[ 43.753305] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 43.758041] ? __handle_mm_fault+0x3aa3/0x4460
[ 43.762604] print_address_description+0x6c/0x20b
[ 43.767424] ? __handle_mm_fault+0x3aa3/0x4460
[ 43.771984] kasan_report.cold.7+0x242/0x2fe
[ 43.776371] __asan_report_load8_noabort+0x14/0x20
[ 43.781277] __handle_mm_fault+0x3aa3/0x4460
[ 43.785682] ? vmf_insert_mixed_mkwrite+0xa0/0xa0
[ 43.790502] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 43.795065] ? kasan_check_write+0x14/0x20
[ 43.799275] ? do_raw_spin_lock+0xc1/0x200
[ 43.803489] ? lock_acquire+0x1e4/0x540
[ 43.807448] ? handle_mm_fault+0x417/0xc80
[ 43.811663] ? lock_downgrade+0x8f0/0x8f0
[ 43.815787] ? lock_release+0xa30/0xa30
[ 43.819741] ? lock_release+0xa30/0xa30
[ 43.823699] ? do_raw_spin_lock+0xc1/0x200
[ 43.827913] ? mem_cgroup_from_task+0xcb/0x1f0
[ 43.832476] ? percpu_ref_tryget_live+0x310/0x310
[ 43.837303] handle_mm_fault+0x53e/0xc80
[ 43.841342] ? __handle_mm_fault+0x4460/0x4460
[ 43.845901] ? find_vma+0x34/0x190
[ 43.849421] __do_page_fault+0x620/0xe50
[ 43.853462] ? clock_was_set_work+0x30/0x30
[ 43.857764] ? mm_fault_error+0x380/0x380
[ 43.861886] ? __x64_sys_nanosleep+0x1f8/0x280
[ 43.866445] ? hrtimer_nanosleep+0x620/0x620
[ 43.870836] do_page_fault+0xf6/0x8c0
[ 43.874611] ? vmalloc_sync_all+0x30/0x30
[ 43.878738] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 43.884252] ? do_syscall_64+0x497/0x820
[ 43.888292] ? syscall_return_slowpath+0x5e0/0x5e0
[ 43.893199] ? syscall_return_slowpath+0x31d/0x5e0
[ 43.898106] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 43.903098] ? prepare_exit_to_usermode+0x291/0x3b0
[ 43.908093] ? page_fault+0x8/0x30
[ 43.911611] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.916438] ? page_fault+0x8/0x30
[ 43.919957] page_fault+0x1e/0x30
[ 43.923389] RIP: 0033:0x4762d0
[ 43.926558] Code: Bad RIP value.
[ 43.929912] RSP: 002b:00007ffe1c597258 EFLAGS: 00010246
[ 43.935252] RAX: 0000000000000000 RBX: 0000000000000030 RCX: 00000000004762d0
[ 43.942501] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffe1c597260
[ 43.949746] RBP: 0000000000000030 R08: 0000000000000001 R09: 0000000000f4b940
[ 43.956991] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
[ 43.964248] R13: 000000000000aa6a R14: 0000000000000000 R15: 0000000000000000
[ 43.971496]
[ 43.971511] CPU: 1 PID: 4519 Comm: syz-executor300 Not tainted 4.18.0-rc3+ #58
[ 43.973101] The buggy address belongs to the page:
[ 43.980456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.985360] page:ffffea0006f18700 count:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 43.994680] Call Trace:
[ 44.002800]
[ 44.005361] flags: 0x2fffc0000000000()
[ 44.007500] dump_stack+0x1c9/0x2b4
[ 44.011355] raw: 02fffc0000000000 dead000000000100 0000000000000000 0000000000000000
[ 44.014968] ? dump_stack_print_info.cold.2+0x52/0x52
[ 44.022823] raw: 0000000000000000 ffff8801cd6259a0 00000001ffffffff 0000000000000000
[ 44.027991] panic+0x238/0x4e7
[ 44.035838] page dumped because: kasan: bad access detected
[ 44.039019] ? add_taint.cold.5+0x16/0x16
[ 44.044700]
[ 44.048830] ? __warn.cold.8+0x148/0x1ba
[ 44.050426] Memory state around the buggy address:
[ 44.054467] ? __warn.cold.8+0x117/0x1ba
[ 44.059361] ffff8801bc61bf00: f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
[ 44.063430] ? handle_irq+0x1fb/0x2e7
[ 44.070760] ffff8801bc61bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 44.074540] __warn.cold.8+0x163/0x1ba
[ 44.081883] >ffff8801bc61c000: 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
[ 44.085769] ? handle_irq+0x1fb/0x2e7
[ 44.093092] ^
[ 44.093100] ffff8801bc61c080: f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2
[ 44.096882] report_bug+0x252/0x2d0
[ 44.100740] ffff8801bc61c100: f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00
[ 44.108083] do_error_trap+0x1fc/0x4d0
[ 44.111682] ==================================================================
[ 44.119024] ? rcu_idle_enter+0x480/0x480
[ 44.122938] kasan: CONFIG_KASAN_INLINE enabled
[ 44.130217] ? math_error+0x3e0/0x3e0
[ 44.130229] ? vprintk_default+0x28/0x30
[ 44.134354] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 44.138918] ? printk+0xa7/0xcf
[ 44.138931] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.142721] general protection fault: 0000 [#1] SMP KASAN
[ 44.146769] do_invalid_op+0x1b/0x20
[ 44.154107] CPU: 0 PID: 4452 Comm: syz-executor300 Tainted: G B 4.18.0-rc3+ #58
[ 44.157361] invalid_op+0x14/0x20
[ 44.162171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.167688] RIP: 0010:handle_irq+0x1fb/0x2e7
[ 44.171377] RIP: 0010:pmd_trans_migrating+0x13f/0x250
[ 44.180084] Code: 00 [ 44.183550] Code: [ 44.192879] 00 ff [ 44.197279] ff [ 44.202447] b6 [ 44.204838] 48 b8 [ 44.207072] 80 00 [ 44.209202] 00 [ 44.211069] 00 00 [ 44.212935] 00 00 [ 44.215082] 48 [ 44.217203] 00 00 [ 44.219079] c7 [ 44.221197] ea ff [ 44.223327] c7 [ 44.225186] ff 4c [ 44.227313] 80 bc [ 44.229175] 21 f3 [ 44.231310] e4 87 [ 44.233182] 48 c1 [ 44.235308] 41 54 [ 44.237435] eb 06 [ 44.239572] 41 [ 44.241688] 48 01 [ 44.243814] 55 65 [ 44.245947] c3 48 [ 44.248070] 48 8b [ 44.249933] b8 00 [ 44.252054] 04 25 [ 44.254183] 00 [ 44.256300] 40 ee [ 44.258426] 00 00 [ 44.260549] 01 00 [ 44.262675] 00 fc [ 44.264544] 48 [ 44.266661] ff df [ 44.268789] 05 [ 44.270905] 48 8d [ 44.273033] 68 06 [ 44.274903] 7b [ 44.277034] 00 [ 44.278902] 08 [ 44.281020] 00 48 [ 44.283143] 48 89 [ 44.285016] 89 c6 [ 44.286884] fa [ 44.288742] e8 85 [ 44.290870] 48 c1 [ 44.293093] b3 [ 44.295221] ea 03 [ 44.297103] 1c [ 44.299222] <80> 3c [ 44.301354] 00 <0f> [ 44.303218] 02 00 [ 44.305345] 0b [ 44.307200] 0f 85 [ 44.309497] 48 83 [ 44.311807] e1 00 [ 44.313934] c4 [ 44.315794] 00 00 [ 44.317918] 18 e9 [ 44.320042] 4d 8d [ 44.322168] 3f ff [ 44.324031] 75 c0 [ 44.326156] ff ff [ 44.328280] 4c 8b [ 44.330409] 48 [ 44.332529] 7b 08 [ 44.334665] 89 75 [ 44.337145] 48 [ 44.339277] e0 [ 44.341153] b8 [ 44.343272] e8 41 [ 44.345408] 00 00 [ 44.347283] ba 8f [ 44.351013] 00 48
[ 44.353143] RSP: 0000:ffff8801ad4b7538 EFLAGS: 00010202
[ 44.355278] 8b
[ 44.357407] RAX: dffffc0000000000 RBX: 000029fffe228000 RCX: ffffffff81bb92f6
[ 44.357416] RDX: 0000053fffc45001 RSI: ffffffff81bb9316 RDI: 000029fffe228008
[ 44.359531] RSP: 0018:ffff8801daf07f58 EFLAGS: 00010082
[ 44.364880] RBP: ffff8801ad4b7600 R08: ffff8801ad556040 R09: ffffed0039ac4b34
[ 44.364889] R10: ffffed0039ac4b34 R11: ffff8801cd6259a3 R12: 1ffff10035a96ea7
[ 44.366746] RAX: 0000000000000000 RBX: ffff8801ce23e900 RCX: 0000000000000000
[ 44.366755] RDX: 0000000000010000 RSI: ffffffff81631851 RDI: 0000000000000001
[ 44.374002] R13: ffff8801ad4b75d8 R14: ffffffff88beff90 R15: 0000000000000000
[ 44.381250] RBP: ffff8801daf07fb0 R08: ffff8801d8d4c780 R09: ffffed003b5e3ec2
[ 44.386588] FS: 0000000000f4b940(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
[ 44.393843] R10: ffffed003b5e3ec2 R11: ffff8801daf1f617 R12: fffffe0000042000
[ 44.401086] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 44.401095] CR2: 00000000004762a6 CR3: 00000001c69b0000 CR4: 00000000001406f0
[ 44.408346] R13: fffffe0000038080 R14: 0000000000000026 R15: 0000000000000000
[ 44.415599] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 44.422861] ? vprintk_func+0x81/0xe7
[ 44.430096] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 44.438315] ? handle_irq+0x1fb/0x2e7
[ 44.445558] Call Trace:
[ 44.451439] ? lock_release+0x4f5/0xa30
[ 44.458692] ? __x32_compat_sys_move_pages+0x240/0x240
[ 44.465937] ? rcu_irq_enter+0xd8/0x110
[ 44.473188] ? netconsole_netdev_event+0x280/0x280
[ 44.476971] do_IRQ+0x78/0x190
[ 44.484218] ? kasan_check_write+0x14/0x20
[ 44.487990] common_interrupt+0xf/0xf
[ 44.490552] ? do_raw_spin_lock+0xc1/0x200
[ 44.494505]
[ 44.499760] do_huge_pmd_numa_page+0x3d3/0x1c30
[ 44.530805] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.536323] ? irq_work_claim+0xac/0xd0
[ 44.540277] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 44.545795] ? follow_trans_huge_pmd+0x10f0/0x10f0
[ 44.550703] ? do_raw_spin_lock+0xc1/0x200
[ 44.554928] ? vprintk_emit+0x3f2/0xdf0
[ 44.558879] ? wake_up_klogd+0x110/0x110
[ 44.562923] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 44.567919] ? print_hex_dump+0x140/0x1c0
[ 44.572051] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 44.576787] ? retint_kernel+0x10/0x10
[ 44.580653] ? __handle_mm_fault+0x3aa3/0x4460
[ 44.585214] ? do_raw_spin_unlock+0xa7/0x2f0
[ 44.589611] ? _raw_spin_unlock_irqrestore+0xa1/0xc0
[ 44.594688] ? pmd_val+0x88/0x100
[ 44.598119] ? add_mm_counter_fast+0xd0/0xd0
[ 44.602504] ? kasan_report.cold.7+0x76/0x2fe
[ 44.606977] __handle_mm_fault+0x1b82/0x4460
[ 44.611374] ? vmf_insert_mixed_mkwrite+0xa0/0xa0
[ 44.616195] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 44.620764] ? kasan_check_write+0x14/0x20
[ 44.624976] ? do_raw_spin_lock+0xc1/0x200
[ 44.629191] ? lock_acquire+0x1e4/0x540
[ 44.633145] ? handle_mm_fault+0x417/0xc80
[ 44.637446] ? lock_downgrade+0x8f0/0x8f0
[ 44.641572] ? lock_release+0xa30/0xa30
[ 44.645526] ? lock_release+0xa30/0xa30
[ 44.649477] ? do_raw_spin_lock+0xc1/0x200
[ 44.653688] ? mem_cgroup_from_task+0xcb/0x1f0
[ 44.658246] ? percpu_ref_tryget_live+0x310/0x310
[ 44.663068] handle_mm_fault+0x53e/0xc80
[ 44.667109] ? __handle_mm_fault+0x4460/0x4460
[ 44.671666] ? find_vma+0x34/0x190
[ 44.675185] __do_page_fault+0x620/0xe50
[ 44.679223] ? clock_was_set_work+0x30/0x30
[ 44.683524] ? mm_fault_error+0x380/0x380
[ 44.687996] ? __x64_sys_nanosleep+0x1f8/0x280
[ 44.692555] ? hrtimer_nanosleep+0x620/0x620
[ 44.696941] do_page_fault+0xf6/0x8c0
[ 44.700721] ? vmalloc_sync_all+0x30/0x30
[ 44.704847] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 44.710361] ? do_syscall_64+0x497/0x820
[ 44.714404] ? syscall_return_slowpath+0x5e0/0x5e0
[ 44.719320] ? syscall_return_slowpath+0x31d/0x5e0
[ 44.724228] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 44.729228] ? prepare_exit_to_usermode+0x291/0x3b0
[ 44.734222] ? page_fault+0x8/0x30
[ 44.737742] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.742561] ? page_fault+0x8/0x30
[ 44.746095] page_fault+0x1e/0x30
[ 44.749524] RIP: 0033:0x4762d0
[ 44.752696] Code: Bad RIP value.
[ 44.756051] RSP: 002b:00007ffe1c597258 EFLAGS: 00010246
[ 44.761392] RAX: 0000000000000000 RBX: 0000000000000030 RCX: 00000000004762d0
[ 44.768650] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffe1c597260
[ 44.775896] RBP: 0000000000000030 R08: 0000000000000001 R09: 0000000000f4b940
[ 44.783141] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a
[ 44.790411] R13: 000000000000aa6a R14: 0000000000000000 R15: 0000000000000000
[ 44.797660] Modules linked in:
[ 44.800832] Dumping ftrace buffer:
[ 44.804344] (ftrace buffer empty)
[ 44.808390] Dumping ftrace buffer:
[ 44.811933] (ftrace buffer empty)
[ 44.815619] Kernel Offset: disabled
[ 44.819242] Rebooting in 86400 seconds..