[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.962841] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.724261] random: sshd: uninitialized urandom read (32 bytes read) [ 24.068888] random: sshd: uninitialized urandom read (32 bytes read) [ 24.810416] random: sshd: uninitialized urandom read (32 bytes read) [ 24.967901] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts. [ 30.792597] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 30.885264] ================================================================== [ 30.892722] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0 [ 30.899637] Write of size 4 at addr ffff8801d31c15f0 by task syz-executor481/4507 [ 30.907239] [ 30.908858] CPU: 1 PID: 4507 Comm: syz-executor481 Not tainted 4.17.0-rc3+ #31 [ 30.916200] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.925540] Call Trace: [ 30.928126] dump_stack+0x1b9/0x294 [ 30.931752] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.936927] ? printk+0x9e/0xba [ 30.940197] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 30.944947] ? kasan_check_write+0x14/0x20 [ 30.949178] print_address_description+0x6c/0x20b [ 30.954009] ? process_preds+0x191f/0x19d0 [ 30.958229] kasan_report.cold.7+0x242/0x2fe [ 30.962639] __asan_report_store4_noabort+0x17/0x20 [ 30.967643] process_preds+0x191f/0x19d0 [ 30.971702] ? parse_pred+0x28e0/0x28e0 [ 30.975662] ? create_filter_start.constprop.12+0x55/0x2b0 [ 30.981282] create_filter+0x155/0x270 [ 30.985167] ? process_preds+0x19d0/0x19d0 [ 30.989398] ftrace_profile_set_filter+0x130/0x2e0 [ 30.994316] ? ftrace_profile_free_filter+0x70/0x70 [ 30.999327] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.004853] ? memdup_user+0x6b/0xa0 [ 31.008575] perf_event_set_filter+0x248/0x1230 [ 31.013230] ? perf_tp_event+0xc30/0xc30 [ 31.017287] ? mutex_trylock+0x2a0/0x2a0 [ 31.021336] ? perf_pmu_unregister+0x530/0x530 [ 31.025910] ? perf_trace_lock_acquire+0x4f1/0x980 [ 31.030834] ? perf_trace_lock+0x900/0x900 [ 31.035055] ? perf_tp_event+0xc30/0xc30 [ 31.039106] ? graph_lock+0x170/0x170 [ 31.042892] ? memset+0x31/0x40 [ 31.046182] ? perf_trace_lock_acquire+0x4f1/0x980 [ 31.051102] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.056284] _perf_ioctl+0x84c/0x15e0 [ 31.060079] ? __do_sys_perf_event_open+0x2fa0/0x2fa0 [ 31.065277] ? lock_downgrade+0x8e0/0x8e0 [ 31.069420] ? kasan_check_read+0x11/0x20 [ 31.073552] ? rcu_is_watching+0x85/0x140 [ 31.077695] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.082885] ? mutex_lock_nested+0x16/0x20 [ 31.087107] ? mutex_lock_nested+0x16/0x20 [ 31.091330] ? perf_event_ctx_lock_nested+0x40d/0x4e0 [ 31.096509] ? perf_event_read_event+0x430/0x430 [ 31.101251] ? find_held_lock+0x36/0x1c0 [ 31.105311] perf_ioctl+0x59/0x80 [ 31.108759] ? _perf_ioctl+0x15e0/0x15e0 [ 31.112815] do_vfs_ioctl+0x1cf/0x16a0 [ 31.116688] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.122222] ? ioctl_preallocate+0x2e0/0x2e0 [ 31.126624] ? fget_raw+0x20/0x20 [ 31.130080] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.135603] ? __do_page_fault+0x441/0xe40 [ 31.139834] ? mm_fault_error+0x380/0x380 [ 31.143978] ? security_file_ioctl+0x94/0xc0 [ 31.148390] ksys_ioctl+0xa9/0xd0 [ 31.151838] __x64_sys_ioctl+0x73/0xb0 [ 31.155719] do_syscall_64+0x1b1/0x800 [ 31.159600] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.164531] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.169463] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.174994] ? retint_user+0x18/0x18 [ 31.178704] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.183543] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.188738] RIP: 0033:0x43fda9 [ 31.191913] RSP: 002b:00007ffca5023f18 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 31.199614] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 31.206877] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 31.214163] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.221475] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016d0 [ 31.228764] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 31.236103] [ 31.237745] Allocated by task 1: [ 31.241132] save_stack+0x43/0xd0 [ 31.244607] kasan_kmalloc+0xc4/0xe0 [ 31.248308] kmem_cache_alloc_trace+0x152/0x780 [ 31.252963] __kthread_create_on_node+0x127/0x4c0 [ 31.257791] kthread_create_on_node+0xa8/0xd0 [ 31.262273] cryptomgr_notify+0x5ac/0xb90 [ 31.266429] notifier_call_chain+0x178/0x380 [ 31.270861] blocking_notifier_call_chain+0x139/0x170 [ 31.276068] crypto_probing_notify+0x26/0x80 [ 31.280493] crypto_wait_for_test+0x42/0xe0 [ 31.284838] crypto_register_alg+0xc0/0xe0 [ 31.289117] crypto_register_rngs+0x157/0x230 [ 31.293629] drbg_init+0x13a/0x17a [ 31.297194] do_one_initcall+0x127/0x913 [ 31.301276] kernel_init_freeable+0x49b/0x58e [ 31.305793] kernel_init+0x11/0x1b3 [ 31.309441] ret_from_fork+0x3a/0x50 [ 31.313166] [ 31.314804] Freed by task 1: [ 31.317833] save_stack+0x43/0xd0 [ 31.321380] __kasan_slab_free+0x11a/0x170 [ 31.325602] kasan_slab_free+0xe/0x10 [ 31.329389] kfree+0xd9/0x260 [ 31.332482] __kthread_create_on_node+0x34a/0x4c0 [ 31.337309] kthread_create_on_node+0xa8/0xd0 [ 31.341790] cryptomgr_notify+0x5ac/0xb90 [ 31.345923] notifier_call_chain+0x178/0x380 [ 31.350319] blocking_notifier_call_chain+0x139/0x170 [ 31.355492] crypto_probing_notify+0x26/0x80 [ 31.359895] crypto_wait_for_test+0x42/0xe0 [ 31.364200] crypto_register_alg+0xc0/0xe0 [ 31.368416] crypto_register_rngs+0x157/0x230 [ 31.372893] drbg_init+0x13a/0x17a [ 31.376416] do_one_initcall+0x127/0x913 [ 31.380468] kernel_init_freeable+0x49b/0x58e [ 31.384952] kernel_init+0x11/0x1b3 [ 31.388572] ret_from_fork+0x3a/0x50 [ 31.392268] [ 31.393890] The buggy address belongs to the object at ffff8801d31c1580 [ 31.393890] which belongs to the cache kmalloc-64 of size 64 [ 31.406369] The buggy address is located 48 bytes to the right of [ 31.406369] 64-byte region [ffff8801d31c1580, ffff8801d31c15c0) [ 31.418589] The buggy address belongs to the page: [ 31.423516] page:ffffea00074c7040 count:1 mapcount:0 mapping:ffff8801d31c1000 index:0xffff8801d31c1400 [ 31.433052] flags: 0x2fffc0000000100(slab) [ 31.437285] raw: 02fffc0000000100 ffff8801d31c1000 ffff8801d31c1400 000000010000001a [ 31.445152] raw: ffffea000749d2a0 ffff8801da801338 ffff8801da800340 0000000000000000 [ 31.453019] page dumped because: kasan: bad access detected [ 31.458711] [ 31.460321] Memory state around the buggy address: [ 31.465236] ffff8801d31c1480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.472581] ffff8801d31c1500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.479932] >ffff8801d31c1580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.487278] ^ [ 31.494280] ffff8801d31c1600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 31.501624] ffff8801d31c1680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 31.508963] ================================================================== [ 31.516311] Disabling lock debugging due to kernel taint [ 31.521879] Kernel panic - not syncing: panic_on_warn set ... [ 31.521879] [ 31.529238] CPU: 1 PID: 4507 Comm: syz-executor481 Tainted: G B 4.17.0-rc3+ #31 [ 31.537970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.547306] Call Trace: [ 31.549883] dump_stack+0x1b9/0x294 [ 31.553498] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.558683] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.563522] ? process_preds+0x1870/0x19d0 [ 31.567746] panic+0x22f/0x4de [ 31.570934] ? add_taint.cold.5+0x16/0x16 [ 31.575069] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.579736] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.584136] ? process_preds+0x191f/0x19d0 [ 31.588363] kasan_end_report+0x47/0x4f [ 31.592334] kasan_report.cold.7+0x76/0x2fe [ 31.596651] __asan_report_store4_noabort+0x17/0x20 [ 31.601657] process_preds+0x191f/0x19d0 [ 31.605720] ? parse_pred+0x28e0/0x28e0 [ 31.609706] ? create_filter_start.constprop.12+0x55/0x2b0 [ 31.615323] create_filter+0x155/0x270 [ 31.619204] ? process_preds+0x19d0/0x19d0 [ 31.623438] ftrace_profile_set_filter+0x130/0x2e0 [ 31.628368] ? ftrace_profile_free_filter+0x70/0x70 [ 31.633375] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.638899] ? memdup_user+0x6b/0xa0 [ 31.642609] perf_event_set_filter+0x248/0x1230 [ 31.647266] ? perf_tp_event+0xc30/0xc30 [ 31.651317] ? mutex_trylock+0x2a0/0x2a0 [ 31.655363] ? perf_pmu_unregister+0x530/0x530 [ 31.659940] ? perf_trace_lock_acquire+0x4f1/0x980 [ 31.664863] ? perf_trace_lock+0x900/0x900 [ 31.669087] ? perf_tp_event+0xc30/0xc30 [ 31.673141] ? graph_lock+0x170/0x170 [ 31.676931] ? memset+0x31/0x40 [ 31.680208] ? perf_trace_lock_acquire+0x4f1/0x980 [ 31.685128] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.690314] _perf_ioctl+0x84c/0x15e0 [ 31.694105] ? __do_sys_perf_event_open+0x2fa0/0x2fa0 [ 31.699289] ? lock_downgrade+0x8e0/0x8e0 [ 31.703433] ? kasan_check_read+0x11/0x20 [ 31.707571] ? rcu_is_watching+0x85/0x140 [ 31.711703] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.716883] ? mutex_lock_nested+0x16/0x20 [ 31.721101] ? mutex_lock_nested+0x16/0x20 [ 31.725330] ? perf_event_ctx_lock_nested+0x40d/0x4e0 [ 31.730511] ? perf_event_read_event+0x430/0x430 [ 31.735255] ? find_held_lock+0x36/0x1c0 [ 31.739311] perf_ioctl+0x59/0x80 [ 31.742753] ? _perf_ioctl+0x15e0/0x15e0 [ 31.746798] do_vfs_ioctl+0x1cf/0x16a0 [ 31.750673] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.756201] ? ioctl_preallocate+0x2e0/0x2e0 [ 31.760610] ? fget_raw+0x20/0x20 [ 31.764090] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.769611] ? __do_page_fault+0x441/0xe40 [ 31.773852] ? mm_fault_error+0x380/0x380 [ 31.777996] ? security_file_ioctl+0x94/0xc0 [ 31.782395] ksys_ioctl+0xa9/0xd0 [ 31.785838] __x64_sys_ioctl+0x73/0xb0 [ 31.789714] do_syscall_64+0x1b1/0x800 [ 31.793590] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.798511] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.803427] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.808949] ? retint_user+0x18/0x18 [ 31.812660] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.817491] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.822677] RIP: 0033:0x43fda9 [ 31.825848] RSP: 002b:00007ffca5023f18 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 31.833539] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9 [ 31.840792] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 31.848043] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.855295] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016d0 [ 31.862564] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000 [ 31.870322] Dumping ftrace buffer: [ 31.873847] (ftrace buffer empty) [ 31.877557] Kernel Offset: disabled [ 31.881208] Rebooting in 86400 seconds..