[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   16.094119] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.820769] random: sshd: uninitialized urandom read (32 bytes read)
[   20.014218] random: sshd: uninitialized urandom read (32 bytes read)
[   20.767365] random: sshd: uninitialized urandom read (32 bytes read)
[   53.111227] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.62' (ECDSA) to the list of known hosts.
[   58.711724] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   58.895410] ------------[ cut here ]------------
[   58.900259] refcount_t: underflow; use-after-free.
[   58.905354] WARNING: CPU: 1 PID: 4459 at lib/refcount.c:187 refcount_sub_and_test+0x2e7/0x350
[   58.914006] Kernel panic - not syncing: panic_on_warn set ...
[   58.914006]
[   58.921374] CPU: 1 PID: 4459 Comm: syz-executor912 Not tainted 4.18.0-rc3+ #129
[   58.928830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.938169] Call Trace:
[   58.940749]  dump_stack+0x1c9/0x2b4
executing program
[   58.944375]  ? dump_stack_print_info.cold.2+0x52/0x52
[   58.949554]  panic+0x238/0x4e7
[   58.952744]  ? add_taint.cold.5+0x16/0x16
[   58.956890]  ? __warn.cold.8+0x148/0x1ba
[   58.960946]  ? __warn.cold.8+0x117/0x1ba
[   58.965020]  ? refcount_sub_and_test+0x2e7/0x350
[   58.969764]  __warn.cold.8+0x163/0x1ba
[   58.973664]  ? refcount_sub_and_test+0x2e7/0x350
[   58.978412]  report_bug+0x252/0x2d0
[   58.982406]  do_error_trap+0x1fc/0x4d0
[   58.986287]  ? math_error+0x3e0/0x3e0
[   58.990087]  ? vprintk_default+0x28/0x30
executing program
executing program
[   58.994135]  ? vprintk_func+0x81/0xe7
[   58.997927]  ? printk+0xa7/0xcf
[   59.001194]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   59.006031]  do_invalid_op+0x1b/0x20
[   59.009735]  invalid_op+0x14/0x20
[   59.013372] RIP: 0010:refcount_sub_and_test+0x2e7/0x350
[   59.018909] Code: 89 de e8 ec c0 1c fe 84 db 74 07 31 db e9 46 ff ff ff e8 0c c0 1c fe 48 c7 c7 20 42 1a 88 c6 05 d9 8f 3a 06 01 e8 d9 e2 e7 fd <0f> 0b 31 db e9 25 ff ff ff 48 8b bd 28 ff ff ff 89 85 34 ff ff ff
[   59.038575] RSP: 0018:ffff8801ab45f3b0 EFLAGS: 00010286
executing program
executing program
[   59.043945] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   59.051205] RDX: 0000000000000000 RSI: ffffffff81631851 RDI: ffff8801ab45f088
[   59.058482] RBP: ffff8801ab45f498 R08: ffff8801d95fa240 R09: fffffbfff11f1220
[   59.065743] R10: fffffbfff11f1220 R11: ffffffff88f89103 R12: 00000000ffffffff
[   59.073013] R13: ffff8801ab45f470 R14: 0000000000000001 R15: 0000000000000000
[   59.080298]  ? vprintk_func+0x81/0xe7
[   59.084117]  ? refcount_inc_not_zero+0x2f0/0x2f0
[   59.088879]  ? do_raw_spin_trylock+0x1c0/0x1c0
executing program
[   59.093482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.099031]  ? refcount_inc_not_zero+0x1e5/0x2f0
[   59.103779]  refcount_dec_and_test+0x1a/0x20
[   59.108198]  smap_release_sock+0x76/0x320
[   59.112341]  ? sock_map_alloc+0x410/0x410
[   59.116481]  ? __lockdep_init_map+0x105/0x590
[   59.120973]  __sock_map_ctx_update_elem.isra.20+0x1032/0x1530
[   59.126865]  ? sock_map_delete_elem+0x500/0x500
[   59.131543]  ? save_stack+0xa9/0xd0
[   59.135172]  ? save_stack+0x43/0xd0
[   59.138785]  ? kasan_kmalloc+0xc4/0xe0
executing program
executing program
[   59.144220]  ? kmem_cache_alloc_trace+0x152/0x780
[   59.149062]  ? sock_hash_ctx_update_elem.isra.27+0x19d/0x1690
[   59.154946]  ? sock_hash_update_elem+0x157/0x2f0
[   59.159708]  ? map_update_elem+0x5c4/0xc90
[   59.163958]  ? do_syscall_64+0x1b9/0x820
[   59.168009]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.173380]  ? futex_wait_setup+0x410/0x410
[   59.177707]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   59.182760]  ? lock_acquire+0x1e4/0x540
[   59.186760]  ? is_bpf_text_address+0xae/0x170
[   59.191250]  ? lock_downgrade+0x8f0/0x8f0
executing program
[   59.195402]  ? kasan_unpoison_shadow+0x35/0x50
[   59.199974]  ? kasan_kmalloc+0xc4/0xe0
[   59.203847]  ? kmem_cache_alloc_trace+0x318/0x780
[   59.208700]  ? trace_hardirqs_on+0x10/0x10
[   59.212934]  sock_hash_ctx_update_elem.isra.27+0x7d7/0x1690
[   59.218639]  ? sock_map_free+0x530/0x530
[   59.222693]  ? save_stack+0xa9/0xd0
[   59.226321]  ? __fget+0x414/0x670
[   59.229760]  ? expand_files.part.8+0x9c0/0x9c0
[   59.234341]  ? lock_acquire+0x1e4/0x540
[   59.238314]  ? fs_reclaim_acquire+0x20/0x20
[   59.242623]  ? lock_acquire+0x1e4/0x540
executing program
executing program
[   59.246605]  sock_hash_update_elem+0x157/0x2f0
[   59.252150]  ? bpf_sock_hash_update+0x90/0x90
[   59.256642]  ? lock_release+0xa30/0xa30
[   59.260602]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   59.266596]  ? bpf_sock_hash_update+0x90/0x90
[   59.271621]  map_update_elem+0x5c4/0xc90
[   59.275663]  __x64_sys_bpf+0x32d/0x510
[   59.279528]  ? bpf_prog_get+0x20/0x20
[   59.283331]  do_syscall_64+0x1b9/0x820
[   59.287207]  ? finish_task_switch+0x1d3/0x890
[   59.291701]  ? syscall_return_slowpath+0x5e0/0x5e0
executing program
[   59.296612]  ? syscall_return_slowpath+0x31d/0x5e0
[   59.301520]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   59.306519]  ? prepare_exit_to_usermode+0x291/0x3b0
[   59.311515]  ? perf_trace_sys_enter+0xb10/0xb10
[   59.316172]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   59.321002]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.326184] RIP: 0033:0x445939
[   59.329369] Code: e8 8c be 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   59.348701] RSP: 002b:00007f5104d9adb8 EFLAGS: 00000297 ORIG_RAX: 0000000000000141
[   59.356402] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000445939
[   59.363663] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[   59.371116] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[   59.378379] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000000
[   59.385635] R13: 00007ffeb9ba82ef R14: 00007f5104d9b9c0 R15: 0000000000000005
[   59.393460] Dumping ftrace buffer:
[   59.396986]    (ftrace buffer empty)
[   59.400674] Kernel Offset: disabled
[   59.404283] Rebooting in 86400 seconds..
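Reading the report: the warning came from `refcount_sub_and_test()` at lib/refcount.c:187, reached through `refcount_dec_and_test()` in `smap_release_sock()` while `sock_hash_update_elem()` was servicing a `bpf()` syscall (the user-space frame confirms it: ORIG_RAX 0x141 is 321, `__NR_bpf` on x86-64, and RDI is 2, `BPF_MAP_UPDATE_ELEM`). The machine panicked only because syzkaller boots with `panic_on_warn` set; on a stock kernel this is a WARN, and the object is left alone rather than freed a second time. The block below is an added illustration, not code from the syzkaller report or from the kernel tree: a user-space model of the 4.18-era `refcount_t` arithmetic (`refcount_inc_not_zero()` saturating at UINT_MAX, `refcount_sub_and_test()` refusing to go below zero) run against a hypothetical `struct fake_sock` with a double release, which is the condition the "underflow; use-after-free" message reports. It says nothing about why sockmap dropped an extra reference; it only shows what the check that fired is checking.

```c
/* Added example, not from the report or the kernel: a user-space model of the
 * lib/refcount.c checks (kernel 4.18 semantics) and of a double release that
 * trips the "underflow; use-after-free" warning seen in the trace above. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of refcount_t: the kernel wraps an atomic_t; a plain unsigned here
 * because this model is single-threaded. */
typedef struct { unsigned int refs; } refcount_t;

/* Stand-in for WARN_ONCE(): records that the check fired. */
static int refcount_warned;

static void refcount_warn(const char *msg)
{
    refcount_warned = 1;
    fprintf(stderr, "refcount_t: %s\n", msg);
}

/* Mirrors refcount_inc_not_zero(): fails on 0 (object already dead) and
 * saturates at UINT_MAX instead of wrapping around to 0. */
static bool refcount_inc_not_zero(refcount_t *r)
{
    unsigned int val = r->refs;
    if (val == 0)
        return false;
    if (val == UINT_MAX)
        return true;                 /* saturated: pinned, never freed */
    unsigned int next = val + 1;
    if (next == UINT_MAX)
        refcount_warn("saturated; leaking memory.");
    r->refs = next;
    return true;
}

/* Mirrors refcount_sub_and_test(): returns true when the count hits zero
 * (caller may free). A subtraction that would wrap below zero is refused:
 * it warns, leaves the count unchanged and returns false, so the caller
 * does NOT free an object that was already released. */
static bool refcount_sub_and_test(unsigned int i, refcount_t *r)
{
    unsigned int val = r->refs;
    if (val == UINT_MAX)
        return false;                /* saturated: never frees */
    unsigned int next = val - i;
    if (next > val) {                /* unsigned wrap: went below zero */
        refcount_warn("underflow; use-after-free.");
        return false;
    }
    r->refs = next;
    return next == 0;
}

static bool refcount_dec_and_test(refcount_t *r)
{
    return refcount_sub_and_test(1, r);
}

/* Hypothetical object standing in for the socket whose count
 * smap_release_sock() drops; named for illustration only. */
struct fake_sock {
    refcount_t refcnt;
    int freed;
};

/* Hypothetical release path: drop one reference, free on the last drop. */
static void fake_release(struct fake_sock *s)
{
    if (refcount_dec_and_test(&s->refcnt))
        s->freed = 1;                /* the kernel would kfree() here */
}

/* One owner, released twice. Returns 1 if the model warned, as the kernel
 * did in the trace, and the second release did not "free" again. */
static int double_release_scenario(void)
{
    struct fake_sock s = { .refcnt = { 1 }, .freed = 0 };
    refcount_warned = 0;
    fake_release(&s);                /* 1 -> 0: legitimate last drop */
    fake_release(&s);                /* 0 -> would wrap: warning instead */
    return refcount_warned && s.freed && s.refcnt.refs == 0;
}

/* Balanced take/drop: no warning, freed exactly on the last drop. */
static int balanced_scenario(void)
{
    struct fake_sock s = { .refcnt = { 1 }, .freed = 0 };
    refcount_warned = 0;
    if (!refcount_inc_not_zero(&s.refcnt))
        return 0;
    fake_release(&s);                /* 2 -> 1 */
    if (s.freed)
        return 0;
    fake_release(&s);                /* 1 -> 0: freed */
    return s.freed && !refcount_warned;
}

int main(void)
{
    printf("double release warned: %d\n", double_release_scenario());
    printf("balanced sequence ok: %d\n", balanced_scenario());
    return 0;
}
```

The useful property to take from the model is the one the log relies on: a plain `atomic_dec_and_test()` would have silently wrapped the count to 0xffffffff and let the second release run, whereas `refcount_t` turns the same bug into a loud, non-freeing WARN at the exact call site, which is why the report points straight at `smap_release_sock()` rather than at some later corrupted allocation.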