[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.916219] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.429627] random: sshd: uninitialized urandom read (32 bytes read)
[   25.735336] random: sshd: uninitialized urandom read (32 bytes read)
[   26.260605] random: sshd: uninitialized urandom read (32 bytes read)
[   48.415944] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.46' (ECDSA) to the list of known hosts.
[   53.941688] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   54.046924] FAULT_INJECTION: forcing a failure.
[   54.046924] name failslab, interval 1, probability 0, space 0, times 1
[   54.058280] CPU: 0 PID: 4419 Comm: syz-executor732 Not tainted 4.18.0+ #209
[   54.065369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.074706] Call Trace:
[   54.077288]  dump_stack+0x1c9/0x2b4
[   54.080908]  ? dump_stack_print_info.cold.2+0x52/0x52
[   54.086097]  should_fail.cold.4+0xa/0x11
[   54.090150]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[   54.095247]  ? mm_fault_error+0x380/0x380
[   54.099386]  ? graph_lock+0x170/0x170
[   54.103169]  ? graph_lock+0x170/0x170
[   54.106958]  ? graph_lock+0x170/0x170
[   54.110744]  ? lockdep_hardirqs_on+0x421/0x5c0
[   54.115309]  ? find_held_lock+0x36/0x1c0
[   54.119356]  ? __lock_is_held+0xb5/0x140
[   54.123493]  ? check_same_owner+0x340/0x340
[   54.127883]  ? check_same_owner+0x340/0x340
[   54.132198]  ? rcu_note_context_switch+0x680/0x680
[   54.137169]  __should_failslab+0x124/0x180
[   54.141399]  should_failslab+0x9/0x14
[   54.145184]  __kmalloc+0x2b2/0x720
[   54.148715]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   54.153718]  ? _copy_from_iter+0x39d/0x1090
[   54.158024]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   54.163047]  ? tls_push_record+0x10b/0x1400
[   54.167351]  ? __check_object_size+0xa3/0x5d7
[   54.171831]  tls_push_record+0x10b/0x1400
[   54.175974]  ? _copy_from_iter_nocache+0x1050/0x1050
[   54.181105]  ? __local_bh_enable_ip+0x161/0x230
[   54.185772]  tls_sw_sendmsg+0xc34/0x12b0
[   54.189927]  ? decrypt_skb_update+0x6a0/0x6a0
[   54.194419]  ? lock_downgrade+0x8f0/0x8f0
[   54.198554]  ? __sanitizer_cov_trace_const_cmp2+0x7/0x20
[   54.204054]  ? lock_release+0x9f0/0x9f0
[   54.208029]  ? __check_object_size+0xa3/0x5d7
[   54.212514]  inet_sendmsg+0x1a1/0x690
[   54.216303]  ? ipip_gro_receive+0x100/0x100
[   54.220617]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.226143]  ? security_socket_sendmsg+0x94/0xc0
[   54.230885]  ? ipip_gro_receive+0x100/0x100
[   54.235199]  sock_sendmsg+0xd5/0x120
[   54.238906]  __sys_sendto+0x3d7/0x670
[   54.242701]  ? __ia32_sys_getpeername+0xb0/0xb0
[   54.247356]  ? lock_downgrade+0x8f0/0x8f0
[   54.251500]  ? __lock_is_held+0xb5/0x140
[   54.255577]  ? __sb_end_write+0xac/0xe0
[   54.259544]  ? do_syscall_64+0x9a/0x820
[   54.263520]  ? do_syscall_64+0x9a/0x820
[   54.267504]  ? lockdep_hardirqs_on+0x421/0x5c0
[   54.272081]  ? trace_hardirqs_on+0xbd/0x2c0
[   54.276390]  ? __ia32_sys_read+0xb0/0xb0
[   54.280437]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.285787]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   54.290885]  __x64_sys_sendto+0xe1/0x1a0
[   54.294946]  do_syscall_64+0x1b9/0x820
[   54.298826]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   54.304188]  ? syscall_return_slowpath+0x5e0/0x5e0
[   54.309103]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.313930]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   54.318947]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   54.323960]  ? prepare_exit_to_usermode+0x291/0x3b0
[   54.328967]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.333802]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.338981] RIP: 0033:0x440539
[   54.342162] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.361047] RSP: 002b:00007fff0999e8b8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
[   54.368739] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440539
[   54.375990] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[   54.383249] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c
[   54.390504] R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000004
[   54.397760] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[   54.409382] ==================================================================
[   54.416807] BUG: KASAN: use-after-free in tls_push_record+0x10a9/0x1400
[   54.423546] Write of size 1 at addr ffff8801b4df0000 by task syz-executor732/4419
[   54.431142] 
[   54.432757] CPU: 1 PID: 4419 Comm: syz-executor732 Not tainted 4.18.0+ #209
[   54.439867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.449273] Call Trace:
[   54.451859]  dump_stack+0x1c9/0x2b4
[   54.455485]  ? dump_stack_print_info.cold.2+0x52/0x52
[   54.460671]  ? printk+0xa7/0xcf
[   54.463949]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   54.468694]  ? tls_push_record+0x10a9/0x1400
[   54.473090]  print_address_description+0x6c/0x20b
[   54.477919]  ? tls_push_record+0x10a9/0x1400
[   54.482330]  kasan_report.cold.7+0x242/0x30d
[   54.486731]  __asan_report_store1_noabort+0x17/0x20
[   54.491737]  tls_push_record+0x10a9/0x1400
[   54.496003]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   54.500586]  tls_sw_push_pending_record+0x22/0x30
[   54.505419]  tls_sk_proto_close+0x759/0xb90
[   54.509725]  ? lock_acquire+0x1e4/0x4f0
[   54.513751]  ? tcp_check_oom+0x530/0x530
[   54.517804]  ? tls_write_space+0x360/0x360
[   54.522026]  ? rcu_note_context_switch+0x680/0x680
[   54.526950]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.532487]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.538028]  ? ipv6_sock_ac_close+0x356/0x490
[   54.542521]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.548050]  ? ipv6_sock_mc_close+0x162/0x1d0
[   54.552635]  ? ip_mc_drop_socket+0x20f/0x270
[   54.557035]  ? down_write+0x8f/0x130
[   54.560741]  inet_release+0x104/0x1f0
[   54.564535]  inet6_release+0x50/0x70
[   54.568238]  __sock_release+0xd7/0x250
[   54.572290]  ? __sock_release+0x250/0x250
[   54.576430]  sock_close+0x19/0x20
[   54.579881]  __fput+0x36e/0x8c0
[   54.583156]  ? __alloc_file+0x400/0x400
[   54.587121]  ? check_same_owner+0x340/0x340
[   54.591485]  ? kasan_check_write+0x14/0x20
[   54.595728]  ? do_raw_spin_lock+0xc1/0x200
[   54.599967]  ____fput+0x15/0x20
[   54.603238]  task_work_run+0x1e8/0x2a0
[   54.607111]  ? task_work_cancel+0x240/0x240
[   54.611422]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   54.616951]  ? switch_task_namespaces+0xa2/0xd0
[   54.621608]  do_exit+0x1ae4/0x26e0
[   54.625137]  ? mm_update_next_owner+0x9a0/0x9a0
[   54.629800]  ? _raw_spin_unlock_irq+0x27/0x70
[   54.634325]  ? _raw_spin_unlock_irq+0x27/0x70
[   54.638811]  ? lockdep_hardirqs_on+0x421/0x5c0
[   54.643378]  ? trace_hardirqs_on+0xbd/0x2c0
[   54.647686]  ? kasan_check_read+0x11/0x20
[   54.651822]  ? finish_task_switch+0x1d3/0x870
[   54.656303]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   54.661395]  ? compat_start_thread+0x80/0x80
[   54.665812]  ? kasan_check_write+0x14/0x20
[   54.670044]  ? finish_task_switch+0x2ca/0x870
[   54.674531]  ? __switch_to_asm+0x40/0x70
[   54.678582]  ? preempt_notifier_register+0x200/0x200
[   54.683683]  ? __switch_to_asm+0x34/0x70
[   54.687735]  ? __switch_to_asm+0x34/0x70
[   54.691783]  ? __switch_to_asm+0x40/0x70
[   54.695833]  ? __switch_to_asm+0x34/0x70
[   54.699882]  ? __switch_to_asm+0x40/0x70
[   54.703928]  ? __switch_to_asm+0x34/0x70
[   54.707984]  ? __switch_to_asm+0x40/0x70
[   54.712144]  ? __switch_to_asm+0x34/0x70
[   54.716205]  ? __switch_to_asm+0x34/0x70
[   54.720252]  ? __switch_to_asm+0x40/0x70
[   54.724298]  ? __switch_to_asm+0x34/0x70
[   54.728405]  ? __switch_to_asm+0x40/0x70
[   54.732456]  ? __switch_to_asm+0x34/0x70
[   54.736518]  ? __switch_to_asm+0x40/0x70
[   54.740575]  ? __sched_text_start+0x8/0x8
[   54.744714]  ? security_socket_sendmsg+0x94/0xc0
[   54.749461]  ? ipip_gro_receive+0x100/0x100
[   54.753823]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.759351]  ? sock_sendmsg+0x5a/0x120
[   54.763230]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.768757]  ? __sys_sendto+0x475/0x670
[   54.772724]  ? __ia32_sys_getpeername+0xb0/0xb0
[   54.777390]  ? lock_downgrade+0x8f0/0x8f0
[   54.781544]  ? schedule+0xfb/0x450
[   54.785120]  ? __schedule+0x1df0/0x1df0
[   54.789081]  ? exit_to_usermode_loop+0x8c/0x380
[   54.793736]  ? exit_to_usermode_loop+0x8c/0x380
[   54.798395]  ? trace_hardirqs_off+0xb8/0x2b0
[   54.802788]  ? __sb_end_write+0xac/0xe0
[   54.806755]  ? do_syscall_64+0x6be/0x820
[   54.810801]  ? trace_hardirqs_on+0x2c0/0x2c0
[   54.815202]  do_group_exit+0x177/0x440
[   54.819079]  ? trace_hardirqs_on+0xbd/0x2c0
[   54.823388]  ? __ia32_sys_exit+0x50/0x50
[   54.827535]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   54.832669]  __x64_sys_exit_group+0x3e/0x50
[   54.836983]  do_syscall_64+0x1b9/0x820
[   54.840857]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   54.846208]  ? syscall_return_slowpath+0x5e0/0x5e0
[   54.851221]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.856139]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   54.861151]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   54.866156]  ? prepare_exit_to_usermode+0x291/0x3b0
[   54.871160]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.875992]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.881167] RIP: 0033:0x43f1f8
[   54.884347] Code: Bad RIP value.
[   54.887694] RSP: 002b:00007fff0999e8d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   54.895388] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f1f8
[   54.902641] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   54.909945] RBP: 00000000004bef68 R08: 00000000000000e7 R09: ffffffffffffffd0
[   54.917206] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   54.924463] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   54.931733] 
[   54.933341] The buggy address belongs to the page:
[   54.938255] page:ffffea0006d37c00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[   54.946681] flags: 0x2fffc0000000000()
[   54.950561] raw: 02fffc0000000000 ffffea0006b44a08 ffffea0006d55208 0000000000000000
[   54.958428] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[   54.966285] page dumped because: kasan: bad access detected
[   54.971972] 
[   54.973582] Memory state around the buggy address:
[   54.978500]  ffff8801b4deff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   54.985853]  ffff8801b4deff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   54.993196] >ffff8801b4df0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   55.000532]                    ^
[   55.003880]  ffff8801b4df0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   55.011219]  ffff8801b4df0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   55.018560] ==================================================================
[   55.025900] Disabling lock debugging due to kernel taint
[   55.031487] Kernel panic - not syncing: panic_on_warn set ...
[   55.031487] 
[   55.038864] CPU: 1 PID: 4419 Comm: syz-executor732 Tainted: G    B             4.18.0+ #209
[   55.047345] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.056679] Call Trace:
[   55.059258]  dump_stack+0x1c9/0x2b4
[   55.062871]  ? dump_stack_print_info.cold.2+0x52/0x52
[   55.068044]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   55.072790]  panic+0x238/0x4e7
[   55.075969]  ? add_taint.cold.5+0x16/0x16
[   55.080105]  ? trace_hardirqs_on+0x9a/0x2c0
[   55.084408]  ? trace_hardirqs_on+0xb4/0x2c0
[   55.088713]  ? trace_hardirqs_on+0xb4/0x2c0
[   55.093019]  ? trace_hardirqs_on+0x9a/0x2c0
[   55.097335]  ? tls_push_record+0x10a9/0x1400
[   55.101729]  kasan_end_report+0x47/0x4f
[   55.105697]  kasan_report.cold.7+0x76/0x30d
[   55.110018]  __asan_report_store1_noabort+0x17/0x20
[   55.115075]  tls_push_record+0x10a9/0x1400
[   55.119301]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   55.123871]  tls_sw_push_pending_record+0x22/0x30
[   55.128697]  tls_sk_proto_close+0x759/0xb90
[   55.133005]  ? lock_acquire+0x1e4/0x4f0
[   55.136971]  ? tcp_check_oom+0x530/0x530
[   55.141019]  ? tls_write_space+0x360/0x360
[   55.145247]  ? rcu_note_context_switch+0x680/0x680
[   55.150165]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.155686]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.161207]  ? ipv6_sock_ac_close+0x356/0x490
[   55.165686]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   55.171214]  ? ipv6_sock_mc_close+0x162/0x1d0
[   55.175696]  ? ip_mc_drop_socket+0x20f/0x270
[   55.180147]  ? down_write+0x8f/0x130
[   55.183854]  inet_release+0x104/0x1f0
[   55.187639]  inet6_release+0x50/0x70
[   55.191343]  __sock_release+0xd7/0x250
[   55.195217]  ? __sock_release+0x250/0x250
[   55.199346]  sock_close+0x19/0x20
[   55.202783]  __fput+0x36e/0x8c0
[   55.206073]  ? __alloc_file+0x400/0x400
[   55.210037]  ? check_same_owner+0x340/0x340
[   55.214341]  ? kasan_check_write+0x14/0x20
[   55.218559]  ? do_raw_spin_lock+0xc1/0x200
[   55.222848]  ____fput+0x15/0x20
[   55.226118]  task_work_run+0x1e8/0x2a0
[   55.229991]  ? task_work_cancel+0x240/0x240
[   55.234302]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   55.239896]  ? switch_task_namespaces+0xa2/0xd0
[   55.244617]  do_exit+0x1ae4/0x26e0
[   55.248148]  ? mm_update_next_owner+0x9a0/0x9a0
[   55.252805]  ? _raw_spin_unlock_irq+0x27/0x70
[   55.257286]  ? _raw_spin_unlock_irq+0x27/0x70
[   55.261765]  ? lockdep_hardirqs_on+0x421/0x5c0
[   55.266328]  ? trace_hardirqs_on+0xbd/0x2c0
[   55.270637]  ? kasan_check_read+0x11/0x20
[   55.274811]  ? finish_task_switch+0x1d3/0x870
[   55.279294]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   55.284383]  ? compat_start_thread+0x80/0x80
[   55.288783]  ? kasan_check_write+0x14/0x20
[   55.293004]  ? finish_task_switch+0x2ca/0x870
[   55.297496]  ? __switch_to_asm+0x40/0x70
[   55.301546]  ? preempt_notifier_register+0x200/0x200
[   55.306678]  ? __switch_to_asm+0x34/0x70
[   55.310733]  ? __switch_to_asm+0x34/0x70
[   55.314777]  ? __switch_to_asm+0x40/0x70
[   55.318867]  ? __switch_to_asm+0x34/0x70
[   55.322916]  ? __switch_to_asm+0x40/0x70
[   55.326972]  ? __switch_to_asm+0x34/0x70
[   55.331015]  ? __switch_to_asm+0x40/0x70
[   55.335062]  ? __switch_to_asm+0x34/0x70
[   55.339197]  ? __switch_to_asm+0x34/0x70
[   55.343241]  ? __switch_to_asm+0x40/0x70
[   55.347285]  ? __switch_to_asm+0x34/0x70
[   55.351331]  ? __switch_to_asm+0x40/0x70
[   55.355474]  ? __switch_to_asm+0x34/0x70
[   55.359540]  ? __switch_to_asm+0x40/0x70
[   55.363591]  ? __sched_text_start+0x8/0x8
[   55.367724]  ? security_socket_sendmsg+0x94/0xc0
[   55.372469]  ? ipip_gro_receive+0x100/0x100
[   55.377387]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.382908]  ? sock_sendmsg+0x5a/0x120
[   55.386780]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.392299]  ? __sys_sendto+0x475/0x670
[   55.396300]  ? __ia32_sys_getpeername+0xb0/0xb0
[   55.400966]  ? lock_downgrade+0x8f0/0x8f0
[   55.405103]  ? schedule+0xfb/0x450
[   55.408628]  ? __schedule+0x1df0/0x1df0
[   55.412586]  ? exit_to_usermode_loop+0x8c/0x380
[   55.417239]  ? exit_to_usermode_loop+0x8c/0x380
[   55.421893]  ? trace_hardirqs_off+0xb8/0x2b0
[   55.426286]  ? __sb_end_write+0xac/0xe0
[   55.430242]  ? do_syscall_64+0x6be/0x820
[   55.434380]  ? trace_hardirqs_on+0x2c0/0x2c0
[   55.438775]  do_group_exit+0x177/0x440
[   55.442644]  ? trace_hardirqs_on+0xbd/0x2c0
[   55.446957]  ? __ia32_sys_exit+0x50/0x50
[   55.451009]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   55.456099]  __x64_sys_exit_group+0x3e/0x50
[   55.460405]  do_syscall_64+0x1b9/0x820
[   55.464278]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   55.469629]  ? syscall_return_slowpath+0x5e0/0x5e0
[   55.474545]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.479369]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   55.484366]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   55.489369]  ? prepare_exit_to_usermode+0x291/0x3b0
[   55.494374]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   55.499246]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.504426] RIP: 0033:0x43f1f8
[   55.507605] Code: Bad RIP value.
[   55.510957] RSP: 002b:00007fff0999e8d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   55.518661] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f1f8
[   55.526001] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   55.533268] RBP: 00000000004bef68 R08: 00000000000000e7 R09: ffffffffffffffd0
[   55.540522] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   55.547884] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   55.555593] Dumping ftrace buffer:
[   55.559187]    (ftrace buffer empty)
[   55.562883] Kernel Offset: disabled
[   55.566529] Rebooting in 86400 seconds..