[....] Starting OpenBSD Secure Shell server: sshd
[ 19.752286] random: sshd: uninitialized urandom read (32 bytes read)
[ ok .
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.772682] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.198582] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.006423] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.148169] sshd (4487) used greatest stack depth: 16712 bytes left
[ 24.167482] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
[ 29.687075] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.785176] ==================================================================
[ 29.792677] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0
[ 29.799714] Write of size 4 at addr ffff8801cf2797f0 by task syz-executor979/4497
[ 29.807317]
[ 29.808933] CPU: 1 PID: 4497 Comm: syz-executor979 Not tainted 4.17.0-rc4+ #39
[ 29.816275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.825712] Call Trace:
[ 29.828297]  dump_stack+0x1b9/0x294
[ 29.831910]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.837089]  ? printk+0x9e/0xba
[ 29.840355]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.845120]  ? kasan_check_write+0x14/0x20
[ 29.849340]  print_address_description+0x6c/0x20b
[ 29.854171]  ? process_preds+0x191f/0x19d0
[ 29.858409]  kasan_report.cold.7+0x242/0x2fe
[ 29.862817]  __asan_report_store4_noabort+0x17/0x20
[ 29.867817]  process_preds+0x191f/0x19d0
[ 29.871877]  ? parse_pred+0x28e0/0x28e0
[ 29.875850]  ? create_filter_start.constprop.12+0x55/0x2b0
[ 29.881462]  create_filter+0x155/0x270
[ 29.885336]  ? process_preds+0x19d0/0x19d0
[ 29.889557]  ftrace_profile_set_filter+0x130/0x2e0
[ 29.894488]  ? ftrace_profile_free_filter+0x70/0x70
[ 29.899490]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.905013]  ? memdup_user+0x6b/0xa0
[ 29.908715]  perf_event_set_filter+0x248/0x1230
[ 29.913374]  ? mutex_trylock+0x2a0/0x2a0
[ 29.917434]  ? perf_pmu_unregister+0x530/0x530
[ 29.922037]  ? __thp_get_unmapped_area+0x180/0x180
[ 29.926962]  ? graph_lock+0x170/0x170
[ 29.930746]  ? lock_downgrade+0x8e0/0x8e0
[ 29.934882]  ? kasan_check_read+0x11/0x20
[ 29.939012]  ? rcu_is_watching+0x85/0x140
[ 29.943145]  ? __lock_is_held+0xb5/0x140
[ 29.947192]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 29.952370]  _perf_ioctl+0x84c/0x15e0
[ 29.956157]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[ 29.961347]  ? lock_downgrade+0x8e0/0x8e0
[ 29.965481]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.971015]  ? kasan_check_read+0x11/0x20
[ 29.975149]  ? rcu_is_watching+0x85/0x140
[ 29.979281]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 29.984457]  ? mutex_lock_nested+0x16/0x20
[ 29.988673]  ? mutex_lock_nested+0x16/0x20
[ 29.992896]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[ 29.998083]  ? perf_event_read_event+0x430/0x430
[ 30.002829]  ? find_held_lock+0x36/0x1c0
[ 30.006880]  perf_ioctl+0x59/0x80
[ 30.010320]  ? _perf_ioctl+0x15e0/0x15e0
[ 30.014364]  do_vfs_ioctl+0x1cf/0x16a0
[ 30.018250]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 30.023806]  ? ioctl_preallocate+0x2e0/0x2e0
[ 30.028205]  ? fget_raw+0x20/0x20
[ 30.031657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.037179]  ? __do_page_fault+0x441/0xe40
[ 30.041399]  ? mm_fault_error+0x380/0x380
[ 30.045530]  ? security_file_ioctl+0x94/0xc0
[ 30.049923]  ksys_ioctl+0xa9/0xd0
[ 30.053362]  __x64_sys_ioctl+0x73/0xb0
[ 30.057236]  do_syscall_64+0x1b1/0x800
[ 30.061109]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.066025]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.070944]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.076478]  ? retint_user+0x18/0x18
[ 30.080188]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.085722]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.090921] RIP: 0033:0x43fdb9
[ 30.094104] RSP: 002b:00007ffd08fe8c48 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 30.101824] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[ 30.109099] RDX: 0000000020000200 RSI: 0000000040082406 RDI: 0000000000000003
[ 30.116373] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 30.123631] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[ 30.131004] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[ 30.138270]
[ 30.139881] Allocated by task 1:
[ 30.143238]  save_stack+0x43/0xd0
[ 30.146688]  kasan_kmalloc+0xc4/0xe0
[ 30.150392]  __kmalloc+0x14e/0x760
[ 30.153927]  kobject_get_path+0xc2/0x1a0
[ 30.158013]  kobject_uevent_env+0x234/0xea0
[ 30.162361]  kobject_uevent+0x1f/0x30
[ 30.166156]  net_rx_queue_update_kobjects+0x493/0x610
[ 30.171351]  netdev_register_kobject+0x276/0x380
[ 30.176101]  register_netdevice+0x997/0x11c0
[ 30.180497]  bond_create+0xf5/0x157
[ 30.184105]  bonding_init+0x1666/0x16ff
[ 30.188065]  do_one_initcall+0x127/0x913
[ 30.192119]  kernel_init_freeable+0x49b/0x58e
[ 30.196595]  kernel_init+0x11/0x1b3
[ 30.200207]  ret_from_fork+0x3a/0x50
[ 30.203897]
[ 30.205505] Freed by task 1:
[ 30.208508]  save_stack+0x43/0xd0
[ 30.211944]  __kasan_slab_free+0x11a/0x170
[ 30.216163]  kasan_slab_free+0xe/0x10
[ 30.219960]  kfree+0xd9/0x260
[ 30.223147]  kobject_uevent_env+0x275/0xea0
[ 30.227454]  kobject_uevent+0x1f/0x30
[ 30.231244]  net_rx_queue_update_kobjects+0x493/0x610
[ 30.236428]  netdev_register_kobject+0x276/0x380
[ 30.241175]  register_netdevice+0x997/0x11c0
[ 30.245586]  bond_create+0xf5/0x157
[ 30.249206]  bonding_init+0x1666/0x16ff
[ 30.253169]  do_one_initcall+0x127/0x913
[ 30.257216]  kernel_init_freeable+0x49b/0x58e
[ 30.261695]  kernel_init+0x11/0x1b3
[ 30.265315]  ret_from_fork+0x3a/0x50
[ 30.269007]
[ 30.270622] The buggy address belongs to the object at ffff8801cf279780
[ 30.270622]  which belongs to the cache kmalloc-64 of size 64
[ 30.283096] The buggy address is located 48 bytes to the right of
[ 30.283096]  64-byte region [ffff8801cf279780, ffff8801cf2797c0)
[ 30.295321] The buggy address belongs to the page:
[ 30.300252] page:ffffea00073c9e40 count:1 mapcount:0 mapping:ffff8801cf279000 index:0xffff8801cf279f80
[ 30.309681] flags: 0x2fffc0000000100(slab)
[ 30.313908] raw: 02fffc0000000100 ffff8801cf279000 ffff8801cf279f80 0000000100000019
[ 30.321780] raw: ffffea00073b3ca0 ffffea00073de120 ffff8801da800340 0000000000000000
[ 30.329666] page dumped because: kasan: bad access detected
[ 30.335374]
[ 30.336988] Memory state around the buggy address:
[ 30.341928]  ffff8801cf279680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.349281]  ffff8801cf279700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.357414] >ffff8801cf279780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.364784]                                                              ^
[ 30.371790]  ffff8801cf279800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 30.379134]  ffff8801cf279880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 30.386477] ==================================================================
[ 30.393816] Disabling lock debugging due to kernel taint
[ 30.399385] Kernel panic - not syncing: panic_on_warn set ...
[ 30.399385]
[ 30.407265] CPU: 1 PID: 4497 Comm: syz-executor979 Tainted: G    B     4.17.0-rc4+ #39
[ 30.416081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.425415] Call Trace:
[ 30.427989]  dump_stack+0x1b9/0x294
[ 30.431610]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.436803]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.441543]  ? process_preds+0x1880/0x19d0
[ 30.445761]  panic+0x22f/0x4de
[ 30.448934]  ? add_taint.cold.5+0x16/0x16
[ 30.453084]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.457485]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 30.462321]  ? process_preds+0x191f/0x19d0
[ 30.466541]  kasan_end_report+0x47/0x4f
[ 30.470500]  kasan_report.cold.7+0x76/0x2fe
[ 30.474833]  __asan_report_store4_noabort+0x17/0x20
[ 30.479854]  process_preds+0x191f/0x19d0
[ 30.483916]  ? parse_pred+0x28e0/0x28e0
[ 30.488739]  ? create_filter_start.constprop.12+0x55/0x2b0
[ 30.494360]  create_filter+0x155/0x270
[ 30.498244]  ? process_preds+0x19d0/0x19d0
[ 30.502467]  ftrace_profile_set_filter+0x130/0x2e0
[ 30.507384]  ? ftrace_profile_free_filter+0x70/0x70
[ 30.512658]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.518189]  ? memdup_user+0x6b/0xa0
[ 30.522149]  perf_event_set_filter+0x248/0x1230
[ 30.526804]  ? mutex_trylock+0x2a0/0x2a0
[ 30.531381]  ? perf_pmu_unregister+0x530/0x530
[ 30.535948]  ? __thp_get_unmapped_area+0x180/0x180
[ 30.540879]  ? graph_lock+0x170/0x170
[ 30.544666]  ? lock_downgrade+0x8e0/0x8e0
[ 30.548801]  ? kasan_check_read+0x11/0x20
[ 30.552942]  ? rcu_is_watching+0x85/0x140
[ 30.557073]  ? __lock_is_held+0xb5/0x140
[ 30.561218]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 30.566580]  _perf_ioctl+0x84c/0x15e0
[ 30.570453]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[ 30.575626]  ? lock_downgrade+0x8e0/0x8e0
[ 30.579936]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.585458]  ? kasan_check_read+0x11/0x20
[ 30.589771]  ? rcu_is_watching+0x85/0x140
[ 30.594090]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 30.599351]  ? mutex_lock_nested+0x16/0x20
[ 30.603577]  ? mutex_lock_nested+0x16/0x20
[ 30.607813]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[ 30.612990]  ? perf_event_read_event+0x430/0x430
[ 30.617743]  ? find_held_lock+0x36/0x1c0
[ 30.621791]  perf_ioctl+0x59/0x80
[ 30.625228]  ? _perf_ioctl+0x15e0/0x15e0
[ 30.629279]  do_vfs_ioctl+0x1cf/0x16a0
[ 30.633148]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 30.638668]  ? ioctl_preallocate+0x2e0/0x2e0
[ 30.644019]  ? fget_raw+0x20/0x20
[ 30.647454]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.653007]  ? __do_page_fault+0x441/0xe40
[ 30.657236]  ? mm_fault_error+0x380/0x380
[ 30.661372]  ? security_file_ioctl+0x94/0xc0
[ 30.665769]  ksys_ioctl+0xa9/0xd0
[ 30.669216]  __x64_sys_ioctl+0x73/0xb0
[ 30.673088]  do_syscall_64+0x1b1/0x800
[ 30.677310]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 30.682232]  ? syscall_return_slowpath+0x30f/0x5c0
[ 30.687329]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.692940]  ? retint_user+0x18/0x18
[ 30.696642]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.701471]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.706642] RIP: 0033:0x43fdb9
[ 30.709817] RSP: 002b:00007ffd08fe8c48 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 30.717510] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[ 30.724763] RDX: 0000000020000200 RSI: 0000000040082406 RDI: 0000000000000003
[ 30.732017] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 30.739268] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[ 30.746519] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[ 30.754206] Dumping ftrace buffer:
[ 30.757726]    (ftrace buffer empty)
[ 30.761425] Kernel Offset: disabled
[ 30.765034] Rebooting in 86400 seconds..