[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   22.395878] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.564130] random: sshd: uninitialized urandom read (32 bytes read)
[   26.818298] random: sshd: uninitialized urandom read (32 bytes read)
[   27.349655] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
[   33.445929] urandom_read: 1 callbacks suppressed
[   33.445936] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.549353] vhci_hcd: invalid port number 108
[   33.554071] ==================================================================
[   33.561526] BUG: KASAN: use-after-free in vhci_hub_control+0x1b88/0x1bf0
[   33.568358] Read of size 4 at addr ffff8801ce64f7bc by task syz-executor957/4637
[   33.575888] 
[   33.577515] CPU: 1 PID: 4637 Comm: syz-executor957 Not tainted 4.19.0-rc1-next-20180831+ #53
[   33.586087] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.595455] Call Trace:
[   33.598074]  dump_stack+0x1c9/0x2b4
[   33.601715]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.606918]  ? printk+0xa7/0xcf
[   33.610208]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.614977]  ? vhci_hub_control+0x1b88/0x1bf0
[   33.619486]  print_address_description+0x6c/0x20b
[   33.624336]  ? vhci_hub_control+0x1b88/0x1bf0
[   33.628878]  kasan_report.cold.7+0x242/0x30d
[   33.633303]  __asan_report_load4_noabort+0x14/0x20
[   33.638240]  vhci_hub_control+0x1b88/0x1bf0
[   33.642577]  ? vhci_hcd_probe+0x240/0x240
[   33.646751]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.651776]  ? __kmalloc+0x594/0x720
[   33.655497]  ? kasan_check_write+0x14/0x20
[   33.659732]  ? do_raw_spin_lock+0xc1/0x200
[   33.663974]  ? usb_hcd_submit_urb+0x70e/0x2160
[   33.668563]  usb_hcd_submit_urb+0x184a/0x2160
[   33.673068]  ? vhci_hcd_probe+0x240/0x240
[   33.677225]  ? usb_create_hcd+0x40/0x40
[   33.681202]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.686570]  ? __x64_sys_ioctl+0x73/0xb0
[   33.690636]  ? do_syscall_64+0x1b9/0x820
[   33.694704]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.700077]  ? find_held_lock+0x36/0x1c0
[   33.704145]  ? __lockdep_init_map+0x105/0x590
[   33.708640]  ? __lockdep_init_map+0x105/0x590
[   33.713146]  usb_submit_urb+0x895/0x14d0
[   33.717208]  ? rcu_is_watching+0x8c/0x150
[   33.721368]  usb_start_wait_urb+0x140/0x360
[   33.725692]  ? sg_clean+0x240/0x240
[   33.729338]  usb_control_msg+0x332/0x4e0
[   33.733404]  ? usb_start_wait_urb+0x360/0x360
[   33.737904]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.743455]  proc_control+0x99b/0xef0
[   33.747263]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.752804]  ? get_futex_value_locked+0xcb/0xf0
[   33.757480]  ? proc_bulk+0xaa0/0xaa0
[   33.761208]  usbdev_do_ioctl+0x1eb4/0x3b30
[   33.765451]  ? processcompl_compat+0x680/0x680
[   33.770036]  ? futex_wait+0x5d2/0xa20
[   33.773857]  ? mark_held_locks+0x160/0x160
[   33.778114]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   33.783316]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[   33.788426]  ? futex_wake+0x304/0x760
[   33.792270]  ? lock_downgrade+0x8f0/0x8f0
[   33.796424]  ? graph_lock+0x170/0x170
[   33.800225]  ? do_futex+0x249/0x27d0
[   33.803941]  ? rcu_is_watching+0x8c/0x150
[   33.808090]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   33.812762]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   33.817435]  ? find_held_lock+0x36/0x1c0
[   33.821509]  ? lock_downgrade+0x8f0/0x8f0
[   33.825662]  ? kasan_check_read+0x11/0x20
[   33.829814]  ? rcu_is_watching+0x8c/0x150
[   33.833982]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   33.838665]  ? __fget+0x4d5/0x740
[   33.842136]  ? ksys_dup3+0x690/0x690
[   33.845851]  ? trace_hardirqs_on+0x2c0/0x2c0
[   33.850267]  ? kasan_check_write+0x14/0x20
[   33.854508]  ? trace_hardirqs_off+0xb8/0x2b0
[   33.858921]  usbdev_ioctl+0x25/0x30
[   33.862556]  ? usbdev_compat_ioctl+0x30/0x30
[   33.866968]  do_vfs_ioctl+0x1de/0x1720
[   33.870855]  ? kasan_check_read+0x11/0x20
[   33.875005]  ? rcu_is_watching+0x8c/0x150
[   33.879154]  ? trace_hardirqs_on+0xbd/0x2c0
[   33.883483]  ? ioctl_preallocate+0x300/0x300
[   33.887894]  ? __fget_light+0x2f7/0x440
[   33.891865]  ? putname+0xf2/0x130
[   33.895324]  ? fget_raw+0x20/0x20
[   33.898784]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.903811]  ? __x64_sys_futex+0x47f/0x6a0
[   33.908059]  ? do_syscall_64+0x9a/0x820
[   33.912041]  ? do_syscall_64+0x9a/0x820
[   33.916031]  ? lockdep_hardirqs_on+0x421/0x5c0
[   33.920629]  ? security_file_ioctl+0x94/0xc0
[   33.925046]  ksys_ioctl+0xa9/0xd0
[   33.928518]  __x64_sys_ioctl+0x73/0xb0
[   33.932440]  do_syscall_64+0x1b9/0x820
[   33.936334]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   33.941704]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.946636]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.951488]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   33.956515]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   33.961541]  ? prepare_exit_to_usermode+0x291/0x3b0
[   33.966567]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.971429]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.977092] RIP: 0033:0x4499b9
[   33.980289] Code: e8 ac b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   33.999197] RSP: 002b:00007ff86c825da8 EFLAGS: 00000293 ORIG_RAX: 0000000000000010
[   34.006920] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 00000000004499b9
[   34.014209] RDX: 0000000020000000 RSI: 00000000c0185500 RDI: 0000000000000003
[   34.021483] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[   34.028753] R10: 00000000006dbc4c R11: 0000000000000293 R12: 00000000006dbc4c
[   34.036021] R13: 73755f6567617375 R14: 2e74636361757063 R15: 00000000006dbd4c
[   34.043306] 
[   34.044946] Allocated by task 3674:
[   34.048578]  save_stack+0x43/0xd0
[   34.052044]  kasan_kmalloc+0xc4/0xe0
[   34.055777]  kasan_slab_alloc+0x12/0x20
[   34.059754]  kmem_cache_alloc+0x12e/0x710
[   34.063900]  getname_flags+0xd0/0x5a0
[   34.067699]  user_path_at_empty+0x2d/0x50
[   34.071849]  do_faccessat+0x252/0x7e0
[   34.075650]  __x64_sys_access+0x59/0x80
[   34.079628]  do_syscall_64+0x1b9/0x820
[   34.083523]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.088707] 
[   34.090347] Freed by task 3674:
[   34.093626]  save_stack+0x43/0xd0
[   34.097084]  __kasan_slab_free+0x11a/0x170
[   34.101325]  kasan_slab_free+0xe/0x10
[   34.105124]  kmem_cache_free+0x86/0x280
[   34.109094]  putname+0xf2/0x130
[   34.112371]  filename_lookup+0x397/0x510
[   34.116433]  user_path_at_empty+0x40/0x50
[   34.120580]  do_faccessat+0x252/0x7e0
[   34.124385]  __x64_sys_access+0x59/0x80
[   34.128361]  do_syscall_64+0x1b9/0x820
[   34.132247]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.137426] 
[   34.139060] The buggy address belongs to the object at ffff8801ce64ed00
[   34.139060]  which belongs to the cache names_cache of size 4096
[   34.151810] The buggy address is located 2748 bytes inside of
[   34.151810]  4096-byte region [ffff8801ce64ed00, ffff8801ce64fd00)
[   34.163945] The buggy address belongs to the page:
[   34.168883] page:ffffea0007399380 count:1 mapcount:0 mapping:ffff8801dad6fd80 index:0x0 compound_mapcount: 0
[   34.178862] flags: 0x2fffc0000008100(slab|head)
[   34.183542] raw: 02fffc0000008100 ffffea000740f588 ffffea0006d35608 ffff8801dad6fd80
[   34.191431] raw: 0000000000000000 ffff8801ce64ed00 0000000100000001 0000000000000000
[   34.199307] page dumped because: kasan: bad access detected
[   34.205013] 
[   34.206633] Memory state around the buggy address:
[   34.211559]  ffff8801ce64f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.218931]  ffff8801ce64f700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.226294] >ffff8801ce64f780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.233651]                                         ^
[   34.238843]  ffff8801ce64f800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.246207]  ffff8801ce64f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.253563] ==================================================================
[   34.260922] Disabling lock debugging due to kernel taint
[   34.266364] Kernel panic - not syncing: panic_on_warn set ...
[   34.266364] 
[   34.273733] CPU: 1 PID: 4637 Comm: syz-executor957 Tainted: G    B             4.19.0-rc1-next-20180831+ #53
[   34.283698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.293058] Call Trace:
[   34.295654]  dump_stack+0x1c9/0x2b4
[   34.299287]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.304472]  ? lock_downgrade+0x8f0/0x8f0
[   34.308620]  panic+0x238/0x4e7
[   34.311808]  ? add_taint.cold.5+0x16/0x16
[   34.315951]  ? add_taint.cold.5+0x5/0x16
[   34.320009]  ? trace_hardirqs_off+0xaf/0x2b0
[   34.324417]  ? trace_hardirqs_off+0x77/0x2b0
[   34.328832]  ? vhci_hub_control+0x1b88/0x1bf0
[   34.333335]  kasan_end_report+0x47/0x4f
[   34.337321]  kasan_report.cold.7+0x76/0x30d
[   34.341655]  __asan_report_load4_noabort+0x14/0x20
[   34.346591]  vhci_hub_control+0x1b88/0x1bf0
[   34.350917]  ? vhci_hcd_probe+0x240/0x240
[   34.355094]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.360113]  ? __kmalloc+0x594/0x720
[   34.363826]  ? kasan_check_write+0x14/0x20
[   34.368072]  ? do_raw_spin_lock+0xc1/0x200
[   34.372307]  ? usb_hcd_submit_urb+0x70e/0x2160
[   34.376894]  usb_hcd_submit_urb+0x184a/0x2160
[   34.381388]  ? vhci_hcd_probe+0x240/0x240
[   34.385538]  ? usb_create_hcd+0x40/0x40
[   34.389511]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.394872]  ? __x64_sys_ioctl+0x73/0xb0
[   34.398931]  ? do_syscall_64+0x1b9/0x820
[   34.402991]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.408352]  ? find_held_lock+0x36/0x1c0
[   34.412411]  ? __lockdep_init_map+0x105/0x590
[   34.416906]  ? __lockdep_init_map+0x105/0x590
[   34.421405]  usb_submit_urb+0x895/0x14d0
[   34.425464]  ? rcu_is_watching+0x8c/0x150
[   34.429622]  usb_start_wait_urb+0x140/0x360
[   34.433945]  ? sg_clean+0x240/0x240
[   34.437577]  usb_control_msg+0x332/0x4e0
[   34.441645]  ? usb_start_wait_urb+0x360/0x360
[   34.446158]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   34.451699]  proc_control+0x99b/0xef0
[   34.455502]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.461036]  ? get_futex_value_locked+0xcb/0xf0
[   34.465715]  ? proc_bulk+0xaa0/0xaa0
[   34.469436]  usbdev_do_ioctl+0x1eb4/0x3b30
[   34.473678]  ? processcompl_compat+0x680/0x680
[   34.478257]  ? futex_wait+0x5d2/0xa20
[   34.482071]  ? mark_held_locks+0x160/0x160
[   34.486311]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.491504]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[   34.496613]  ? futex_wake+0x304/0x760
[   34.500428]  ? lock_downgrade+0x8f0/0x8f0
[   34.504574]  ? graph_lock+0x170/0x170
[   34.508380]  ? do_futex+0x249/0x27d0
[   34.512092]  ? rcu_is_watching+0x8c/0x150
[   34.516236]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   34.520901]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   34.525571]  ? find_held_lock+0x36/0x1c0
[   34.529640]  ? lock_downgrade+0x8f0/0x8f0
[   34.533908]  ? kasan_check_read+0x11/0x20
[   34.538062]  ? rcu_is_watching+0x8c/0x150
[   34.542209]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   34.546880]  ? __fget+0x4d5/0x740
[   34.550336]  ? ksys_dup3+0x690/0x690
[   34.554044]  ? trace_hardirqs_on+0x2c0/0x2c0
[   34.558462]  ? kasan_check_write+0x14/0x20
[   34.562695]  ? trace_hardirqs_off+0xb8/0x2b0
[   34.567119]  usbdev_ioctl+0x25/0x30
[   34.570749]  ? usbdev_compat_ioctl+0x30/0x30
[   34.575157]  do_vfs_ioctl+0x1de/0x1720
[   34.579059]  ? kasan_check_read+0x11/0x20
[   34.583207]  ? rcu_is_watching+0x8c/0x150
[   34.587351]  ? trace_hardirqs_on+0xbd/0x2c0
[   34.591674]  ? ioctl_preallocate+0x300/0x300
[   34.596091]  ? __fget_light+0x2f7/0x440
[   34.600071]  ? putname+0xf2/0x130
[   34.603525]  ? fget_raw+0x20/0x20
[   34.606979]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.611994]  ? __x64_sys_futex+0x47f/0x6a0
[   34.616226]  ? do_syscall_64+0x9a/0x820
[   34.620199]  ? do_syscall_64+0x9a/0x820
[   34.624171]  ? lockdep_hardirqs_on+0x421/0x5c0
[   34.628755]  ? security_file_ioctl+0x94/0xc0
[   34.633163]  ksys_ioctl+0xa9/0xd0
[   34.636626]  __x64_sys_ioctl+0x73/0xb0
[   34.640529]  do_syscall_64+0x1b9/0x820
[   34.644420]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   34.649787]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.654717]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.659558]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   34.664576]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   34.669604]  ? prepare_exit_to_usermode+0x291/0x3b0
[   34.674642]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.679490]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.684678] RIP: 0033:0x4499b9
[   34.687871] Code: e8 ac b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   34.706776] RSP: 002b:00007ff86c825da8 EFLAGS: 00000293 ORIG_RAX: 0000000000000010
[   34.714494] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 00000000004499b9
[   34.721794] RDX: 0000000020000000 RSI: 00000000c0185500 RDI: 0000000000000003
[   34.729072] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[   34.736344] R10: 00000000006dbc4c R11: 0000000000000293 R12: 00000000006dbc4c
[   34.743618] R13: 73755f6567617375 R14: 2e74636361757063 R15: 00000000006dbd4c
[   34.751266] Dumping ftrace buffer:
[   34.754794]    (ftrace buffer empty)
[   34.758498] Kernel Offset: disabled
[   34.762108] Rebooting in 86400 seconds..