[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 17.298368] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.954203] random: sshd: uninitialized urandom read (32 bytes read) [ 22.350667] random: sshd: uninitialized urandom read (32 bytes read) [ 23.058235] random: sshd: uninitialized urandom read (32 bytes read) [ 34.215093] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts. [ 39.603610] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 39.695327] FAULT_INJECTION: forcing a failure. [ 39.695327] name failslab, interval 1, probability 0, space 0, times 1 [ 39.706594] CPU: 0 PID: 4338 Comm: syz-executor925 Not tainted 4.18.0-rc7-next-20180801+ #29 [ 39.715146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.724479] Call Trace: [ 39.727057] dump_stack+0x1c9/0x2b4 [ 39.730666] ? dump_stack_print_info.cold.2+0x52/0x52 [ 39.735844] should_fail.cold.4+0xa/0x11 [ 39.739894] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 39.744979] ? mm_fault_error+0x380/0x380 [ 39.749110] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 39.754626] ? vmalloc_sync_all+0x30/0x30 [ 39.758754] ? sk_busy_loop_end+0x1c0/0x1c0 [ 39.763058] ? trace_hardirqs_on+0x10/0x10 [ 39.767281] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 39.772798] ? alloc_pages_current+0x114/0x210 [ 39.777361] ? lock_acquire+0x1e4/0x540 [ 39.781314] ? fs_reclaim_acquire+0x20/0x20 [ 39.785612] ? lock_downgrade+0x8f0/0x8f0 [ 39.789747] ? lock_acquire+0x1e4/0x540 [ 39.793701] ? check_same_owner+0x340/0x340 [ 39.797999] ? check_same_owner+0x340/0x340 [ 39.802298] ? rcu_note_context_switch+0x730/0x730 [ 39.807208] __should_failslab+0x124/0x180 [ 39.811423] should_failslab+0x9/0x14 [ 39.815201] __kmalloc+0x2c8/0x760 [ 39.818719] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 39.823714] ? _copy_from_iter+0x39d/0x1090 [ 39.828011] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 39.833016] ? tls_push_record+0x10b/0x1400 [ 39.837314] ? __check_object_size+0xa3/0x5d7 [ 39.841787] tls_push_record+0x10b/0x1400 [ 39.845917] ? _copy_from_iter_nocache+0x1050/0x1050 [ 39.850997] ? __local_bh_enable_ip+0x161/0x230 [ 39.855645] tls_sw_sendmsg+0xc34/0x12b0 [ 39.859689] ? tls_sw_push_pending_record+0x30/0x30 [ 39.864683] ? lock_downgrade+0x8f0/0x8f0 [ 39.868821] ? __sanitizer_cov_trace_cmp1+0x17/0x20 [ 39.873817] ? lock_release+0xa30/0xa30 [ 39.877769] ? __check_object_size+0xa3/0x5d7 [ 39.882245] inet_sendmsg+0x1a1/0x690 [ 39.886022] ? ipip_gro_receive+0x100/0x100 [ 39.890322] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 39.895838] ? security_socket_sendmsg+0x94/0xc0 [ 39.900572] ? ipip_gro_receive+0x100/0x100 [ 39.904873] sock_sendmsg+0xd5/0x120 [ 39.908566] __sys_sendto+0x3d7/0x670 [ 39.912346] ? __ia32_sys_getpeername+0xb0/0xb0 [ 39.916991] ? vfs_write+0x2f3/0x560 [ 39.920683] ? lock_downgrade+0x8f0/0x8f0 [ 39.924810] ? lock_release+0xa30/0xa30 [ 39.928762] ? fsnotify_first_mark+0x350/0x350 [ 39.933322] ? __fsnotify_parent+0xcc/0x420 [ 39.937619] ? fsnotify+0x14e0/0x14e0 [ 39.941403] ? __sb_end_write+0xac/0xe0 [ 39.945358] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.950869] ? ksys_write+0x1ae/0x260 [ 39.954647] ? __ia32_sys_read+0xb0/0xb0 [ 39.958688] ? syscall_slow_exit_work+0x500/0x500 [ 39.963509] __x64_sys_sendto+0xe1/0x1a0 [ 39.967549] do_syscall_64+0x1b9/0x820 [ 39.971415] ? syscall_return_slowpath+0x5e0/0x5e0 [ 39.976325] ? syscall_return_slowpath+0x31d/0x5e0 [ 39.981232] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 39.986226] ? prepare_exit_to_usermode+0x291/0x3b0 [ 39.991219] ? perf_trace_sys_enter+0xb10/0xb10 [ 39.995875] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.000698] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.005862] RIP: 0033:0x440599 [ 40.009036] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 40.027912] RSP: 002b:00007ffc641af208 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 40.035596] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440599 [ 40.042844] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003 [ 40.050092] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c [ 40.057338] R10: 0000000000000040 R11: 0000000000000216 R12: 0000000000000004 [ 40.064583] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 40.072983] ================================================================== [ 40.080342] BUG: KASAN: use-after-free in tls_push_record+0x10a9/0x1400 [ 40.087076] Write of size 1 at addr ffff8801abd10000 by task syz-executor925/4338 [ 40.094668] [ 40.096292] CPU: 0 PID: 4338 Comm: syz-executor925 Not tainted 4.18.0-rc7-next-20180801+ #29 [ 40.104841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.114170] Call Trace: [ 40.116741] dump_stack+0x1c9/0x2b4 [ 40.120357] ? dump_stack_print_info.cold.2+0x52/0x52 [ 40.125522] ? printk+0xa7/0xcf [ 40.128782] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 40.133513] ? tls_push_record+0x10a9/0x1400 [ 40.137900] print_address_description+0x6c/0x20b [ 40.142717] ? tls_push_record+0x10a9/0x1400 [ 40.147100] kasan_report.cold.7+0x242/0x30d [ 40.151485] __asan_report_store1_noabort+0x17/0x20 [ 40.156478] tls_push_record+0x10a9/0x1400 [ 40.160688] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 40.165249] ? lock_sock_nested+0x9f/0x120 [ 40.169461] tls_sw_push_pending_record+0x22/0x30 [ 40.174288] tls_sk_proto_close+0x759/0xb90 [ 40.178585] ? lock_acquire+0x1e4/0x540 [ 40.182536] ? tcp_check_oom+0x530/0x530 [ 40.186572] ? tls_write_space+0x360/0x360 [ 40.190807] ? rcu_note_context_switch+0x730/0x730 [ 40.195735] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.201281] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.206801] ? ipv6_sock_ac_close+0x356/0x490 [ 40.211271] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.216782] ? ipv6_sock_mc_close+0x162/0x1d0 [ 40.221253] ? ip_mc_drop_socket+0x20f/0x270 [ 40.225639] ? down_write+0x8f/0x130 [ 40.229328] inet_release+0x104/0x1f0 [ 40.233106] inet6_release+0x50/0x70 [ 40.236798] __sock_release+0xd7/0x250 [ 40.240660] ? __sock_release+0x250/0x250 [ 40.244781] sock_close+0x19/0x20 [ 40.248214] __fput+0x376/0x8a0 [ 40.251475] ? __alloc_file+0x400/0x400 [ 40.255427] ? check_same_owner+0x340/0x340 [ 40.259722] ? kasan_check_write+0x14/0x20 [ 40.263931] ? do_raw_spin_lock+0xc1/0x200 [ 40.268140] ____fput+0x15/0x20 [ 40.271394] task_work_run+0x1e8/0x2a0 [ 40.275255] ? task_work_cancel+0x240/0x240 [ 40.279553] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 40.285065] ? switch_task_namespaces+0xa2/0xd0 [ 40.289719] do_exit+0x1b25/0x2760 [ 40.293245] ? mm_update_next_owner+0x9a0/0x9a0 [ 40.297897] ? finish_task_switch+0x1d3/0x870 [ 40.302378] ? lock_downgrade+0x8f0/0x8f0 [ 40.306512] ? finish_task_switch+0x18a/0x870 [ 40.310999] ? kasan_check_read+0x11/0x20 [ 40.315133] ? do_raw_spin_unlock+0xa7/0x2f0 [ 40.319527] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 40.324098] ? compat_start_thread+0x80/0x80 [ 40.328501] ? kasan_check_write+0x14/0x20 [ 40.332727] ? finish_task_switch+0x2ca/0x870 [ 40.337210] ? __switch_to_asm+0x40/0x70 [ 40.341251] ? preempt_notifier_register+0x200/0x200 [ 40.346334] ? __switch_to_asm+0x34/0x70 [ 40.350374] ? __switch_to_asm+0x34/0x70 [ 40.354411] ? __switch_to_asm+0x40/0x70 [ 40.358453] ? __switch_to_asm+0x34/0x70 [ 40.362502] ? __switch_to_asm+0x40/0x70 [ 40.366551] ? __switch_to_asm+0x34/0x70 [ 40.370602] ? __switch_to_asm+0x40/0x70 [ 40.374656] ? __switch_to_asm+0x34/0x70 [ 40.378709] ? __switch_to_asm+0x34/0x70 [ 40.382760] ? __switch_to_asm+0x40/0x70 [ 40.386810] ? __switch_to_asm+0x34/0x70 [ 40.390856] ? __switch_to_asm+0x40/0x70 [ 40.394895] ? __switch_to_asm+0x34/0x70 [ 40.398933] ? __switch_to_asm+0x40/0x70 [ 40.402982] ? __sched_text_start+0x8/0x8 [ 40.407111] ? security_socket_sendmsg+0x94/0xc0 [ 40.411854] ? ipip_gro_receive+0x100/0x100 [ 40.416163] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.421688] ? sock_sendmsg+0x5a/0x120 [ 40.425570] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.431087] ? __sys_sendto+0x475/0x670 [ 40.435043] ? __ia32_sys_getpeername+0xb0/0xb0 [ 40.439702] ? vfs_write+0x2f3/0x560 [ 40.443406] ? lock_downgrade+0x8f0/0x8f0 [ 40.447539] ? lock_release+0xa30/0xa30 [ 40.451507] ? schedule+0xfb/0x450 [ 40.455034] ? fsnotify+0x14e0/0x14e0 [ 40.458812] ? __schedule+0x1ec0/0x1ec0 [ 40.462769] ? __sb_end_write+0xac/0xe0 [ 40.466724] do_group_exit+0x177/0x440 [ 40.470593] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.476110] ? __ia32_sys_exit+0x50/0x50 [ 40.480155] ? syscall_slow_exit_work+0x500/0x500 [ 40.484980] __x64_sys_exit_group+0x3e/0x50 [ 40.489284] do_syscall_64+0x1b9/0x820 [ 40.493150] ? syscall_return_slowpath+0x5e0/0x5e0 [ 40.498058] ? syscall_return_slowpath+0x31d/0x5e0 [ 40.502967] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 40.507965] ? prepare_exit_to_usermode+0x291/0x3b0 [ 40.512962] ? perf_trace_sys_enter+0xb10/0xb10 [ 40.517615] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.522443] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.527611] RIP: 0033:0x43f258 [ 40.530793] Code: Bad RIP value. [ 40.534143] RSP: 002b:00007ffc641af228 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 40.541830] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f258 [ 40.549076] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 40.556323] RBP: 00000000004befc8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 40.563571] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 40.570825] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 40.578080] [ 40.579685] The buggy address belongs to the page: [ 40.584599] page:ffffea0006af4400 count:0 mapcount:-128 mapping:0000000000000000 index:0x0 [ 40.592986] flags: 0x2fffc0000000000() [ 40.596853] raw: 02fffc0000000000 ffffea0006afc208 ffff88021fffac18 0000000000000000 [ 40.604718] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 [ 40.612584] page dumped because: kasan: bad access detected [ 40.618273] [ 40.619877] Memory state around the buggy address: [ 40.624782] ffff8801abd0ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.632130] ffff8801abd0ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.639485] >ffff8801abd10000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.646843] ^ [ 40.650190] ffff8801abd10080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.657534] ffff8801abd10100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.664908] ================================================================== [ 40.672434] Kernel panic - not syncing: panic_on_warn set ... [ 40.672434] [ 40.679798] CPU: 0 PID: 4338 Comm: syz-executor925 Tainted: G B 4.18.0-rc7-next-20180801+ #29 [ 40.689750] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.699086] Call Trace: [ 40.701667] dump_stack+0x1c9/0x2b4 [ 40.705283] ? dump_stack_print_info.cold.2+0x52/0x52 [ 40.710454] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 40.715198] panic+0x238/0x4e7 [ 40.718372] ? add_taint.cold.5+0x16/0x16 [ 40.722507] ? do_raw_spin_unlock+0xa7/0x2f0 [ 40.726903] ? do_raw_spin_unlock+0xa7/0x2f0 [ 40.731295] ? tls_push_record+0x10a9/0x1400 [ 40.735692] kasan_end_report+0x47/0x4f [ 40.739667] kasan_report.cold.7+0x76/0x30d [ 40.743977] __asan_report_store1_noabort+0x17/0x20 [ 40.748975] tls_push_record+0x10a9/0x1400 [ 40.753189] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 40.757762] ? lock_sock_nested+0x9f/0x120 [ 40.761980] tls_sw_push_pending_record+0x22/0x30 [ 40.766803] tls_sk_proto_close+0x759/0xb90 [ 40.771107] ? lock_acquire+0x1e4/0x540 [ 40.775062] ? tcp_check_oom+0x530/0x530 [ 40.779106] ? tls_write_space+0x360/0x360 [ 40.783323] ? rcu_note_context_switch+0x730/0x730 [ 40.788234] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.793760] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.799285] ? ipv6_sock_ac_close+0x356/0x490 [ 40.803766] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.809291] ? ipv6_sock_mc_close+0x162/0x1d0 [ 40.813771] ? ip_mc_drop_socket+0x20f/0x270 [ 40.818162] ? down_write+0x8f/0x130 [ 40.821859] inet_release+0x104/0x1f0 [ 40.825652] inet6_release+0x50/0x70 [ 40.829351] __sock_release+0xd7/0x250 [ 40.833219] ? __sock_release+0x250/0x250 [ 40.837342] sock_close+0x19/0x20 [ 40.840775] __fput+0x376/0x8a0 [ 40.844038] ? __alloc_file+0x400/0x400 [ 40.847993] ? check_same_owner+0x340/0x340 [ 40.852293] ? kasan_check_write+0x14/0x20 [ 40.856510] ? do_raw_spin_lock+0xc1/0x200 [ 40.860725] ____fput+0x15/0x20 [ 40.863986] task_work_run+0x1e8/0x2a0 [ 40.867858] ? task_work_cancel+0x240/0x240 [ 40.872163] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 40.877683] ? switch_task_namespaces+0xa2/0xd0 [ 40.882338] do_exit+0x1b25/0x2760 [ 40.885858] ? mm_update_next_owner+0x9a0/0x9a0 [ 40.890506] ? finish_task_switch+0x1d3/0x870 [ 40.894984] ? lock_downgrade+0x8f0/0x8f0 [ 40.899109] ? finish_task_switch+0x18a/0x870 [ 40.903590] ? kasan_check_read+0x11/0x20 [ 40.907733] ? do_raw_spin_unlock+0xa7/0x2f0 [ 40.912125] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 40.916687] ? compat_start_thread+0x80/0x80 [ 40.921077] ? kasan_check_write+0x14/0x20 [ 40.925288] ? finish_task_switch+0x2ca/0x870 [ 40.929771] ? __switch_to_asm+0x40/0x70 [ 40.933816] ? preempt_notifier_register+0x200/0x200 [ 40.938901] ? __switch_to_asm+0x34/0x70 [ 40.942943] ? __switch_to_asm+0x34/0x70 [ 40.946980] ? __switch_to_asm+0x40/0x70 [ 40.951018] ? __switch_to_asm+0x34/0x70 [ 40.955057] ? __switch_to_asm+0x40/0x70 [ 40.959095] ? __switch_to_asm+0x34/0x70 [ 40.963135] ? __switch_to_asm+0x40/0x70 [ 40.967176] ? __switch_to_asm+0x34/0x70 [ 40.971214] ? __switch_to_asm+0x34/0x70 [ 40.975255] ? __switch_to_asm+0x40/0x70 [ 40.979292] ? __switch_to_asm+0x34/0x70 [ 40.983332] ? __switch_to_asm+0x40/0x70 [ 40.987370] ? __switch_to_asm+0x34/0x70 [ 40.991408] ? __switch_to_asm+0x40/0x70 [ 40.995459] ? __sched_text_start+0x8/0x8 [ 40.999603] ? security_socket_sendmsg+0x94/0xc0 [ 41.004344] ? ipip_gro_receive+0x100/0x100 [ 41.008645] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.014162] ? sock_sendmsg+0x5a/0x120 [ 41.018031] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.023554] ? __sys_sendto+0x475/0x670 [ 41.027520] ? __ia32_sys_getpeername+0xb0/0xb0 [ 41.032173] ? vfs_write+0x2f3/0x560 [ 41.035867] ? lock_downgrade+0x8f0/0x8f0 [ 41.040000] ? lock_release+0xa30/0xa30 [ 41.043953] ? schedule+0xfb/0x450 [ 41.047479] ? fsnotify+0x14e0/0x14e0 [ 41.051266] ? __schedule+0x1ec0/0x1ec0 [ 41.055225] ? __sb_end_write+0xac/0xe0 [ 41.059181] do_group_exit+0x177/0x440 [ 41.063050] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.068574] ? __ia32_sys_exit+0x50/0x50 [ 41.072640] ? syscall_slow_exit_work+0x500/0x500 [ 41.077475] __x64_sys_exit_group+0x3e/0x50 [ 41.081783] do_syscall_64+0x1b9/0x820 [ 41.085669] ? syscall_return_slowpath+0x5e0/0x5e0 [ 41.090586] ? syscall_return_slowpath+0x31d/0x5e0 [ 41.095509] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 41.100522] ? prepare_exit_to_usermode+0x291/0x3b0 [ 41.105533] ? perf_trace_sys_enter+0xb10/0xb10 [ 41.110190] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.115017] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.120186] RIP: 0033:0x43f258 [ 41.123360] Code: Bad RIP value. [ 41.126702] RSP: 002b:00007ffc641af228 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 41.134389] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f258 [ 41.141641] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 41.148891] RBP: 00000000004befc8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 41.156138] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 41.163387] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 41.171071] Dumping ftrace buffer: [ 41.174591] (ftrace buffer empty) [ 41.178278] Kernel Offset: disabled [ 41.181890] Rebooting in 86400 seconds..