[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   15.417048] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.634852] random: sshd: uninitialized urandom read (32 bytes read)
[   19.966844] random: sshd: uninitialized urandom read (32 bytes read)
[   20.695570] random: sshd: uninitialized urandom read (32 bytes read)
[   20.836809] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
[   26.288552] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.711078] ==================================================================
[   31.718646] BUG: KASAN: use-after-free in _copy_to_user+0xe9/0x110
[   31.724954] Read of size 924 at addr ffff8801a5fffff2 by task syz-executor554/4464
[   31.732632]
[   31.734242] CPU: 0 PID: 4464 Comm: syz-executor554 Not tainted 4.18.0-rc3+ #48
[   31.741586] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.750928] Call Trace:
[   31.753506]  dump_stack+0x1c9/0x2b4
[   31.757117]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.762292]  ? printk+0xa7/0xcf
[   31.765550]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.770290]  ? _copy_to_user+0xe9/0x110
[   31.774264]  print_address_description+0x6c/0x20b
[   31.779093]  ? _copy_to_user+0xe9/0x110
[   31.783046]  kasan_report.cold.7+0x242/0x2fe
[   31.787437]  check_memory_region+0x13e/0x1b0
[   31.791824]  kasan_check_read+0x11/0x20
[   31.795779]  _copy_to_user+0xe9/0x110
[   31.799560]  bpf_test_finish.isra.7+0xee/0x1f0
[   31.804124]  ? bpf_test_init.isra.8+0x100/0x100
[   31.808776]  ? bpf_test_run+0xc3/0x3b0
[   31.812649]  ? bpf_test_run+0xed/0x3b0
[   31.816521]  ? bpf_test_run+0x2fc/0x3b0
[   31.820500]  bpf_prog_test_run_skb+0x7d7/0xa30
[   31.825076]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   31.829909]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.835442]  ? __bpf_prog_get+0x9b/0x290
[   31.839500]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   31.844332]  bpf_prog_test_run+0x130/0x1a0
[   31.848549]  __x64_sys_bpf+0x3d8/0x510
[   31.852426]  ? bpf_prog_get+0x20/0x20
[   31.856212]  ? do_page_fault+0xf6/0x8c0
[   31.860170]  do_syscall_64+0x1b9/0x820
[   31.864052]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.868962]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.873871]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   31.878869]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.884389]  ? prepare_exit_to_usermode+0x291/0x3b0
[   31.889385]  ? perf_trace_sys_enter+0xb10/0xb10
[   31.894047]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.898873]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.904050] RIP: 0033:0x4408d9
[   31.907232] Code: e8 4c b2 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.926361] RSP: 002b:00007fff9ba401e8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   31.934051] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[   31.941302] RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
[   31.948569] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[   31.956380] R10: 000000000075f880 R11: 0000000000000213 R12: 0000000000401da0
[   31.963632] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[   31.970890]
[   31.972491] The buggy address belongs to the page:
[   31.977410] page:ffffea000697ffc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   31.985531] flags: 0x2fffc0000000000()
[   31.989409] raw: 02fffc0000000000 ffffea000697ffc8 ffffea000697ffc8 0000000000000000
[   31.997273] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   32.005145] page dumped because: kasan: bad access detected
[   32.010828]
[   32.012431] Memory state around the buggy address:
[   32.017341]  ffff8801a5fffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.024679]  ffff8801a5ffff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.032024] >ffff8801a5ffff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.039376]                                                              ^
[   32.046380]  ffff8801a6000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.053717]  ffff8801a6000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.061050] ==================================================================
[   32.068593] Kernel panic - not syncing: panic_on_warn set ...
[   32.068593]
[   32.075968] CPU: 0 PID: 4464 Comm: syz-executor554 Tainted: G    B             4.18.0-rc3+ #48
[   32.084697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.094033] Call Trace:
[   32.096609]  dump_stack+0x1c9/0x2b4
[   32.100220]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.105393]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.110137]  panic+0x238/0x4e7
[   32.113309]  ? add_taint.cold.5+0x16/0x16
[   32.117439]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.121839]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.126246]  ? _copy_to_user+0xe9/0x110
[   32.130206]  kasan_end_report+0x47/0x4f
[   32.134175]  kasan_report.cold.7+0x76/0x2fe
[   32.138491]  check_memory_region+0x13e/0x1b0
[   32.142887]  kasan_check_read+0x11/0x20
[   32.146845]  _copy_to_user+0xe9/0x110
[   32.150633]  bpf_test_finish.isra.7+0xee/0x1f0
[   32.155200]  ? bpf_test_init.isra.8+0x100/0x100
[   32.159849]  ? bpf_test_run+0xc3/0x3b0
[   32.163714]  ? bpf_test_run+0xed/0x3b0
[   32.167583]  ? bpf_test_run+0x2fc/0x3b0
[   32.171541]  bpf_prog_test_run_skb+0x7d7/0xa30
[   32.176107]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   32.180965]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.186485]  ? __bpf_prog_get+0x9b/0x290
[   32.190529]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[   32.195352]  bpf_prog_test_run+0x130/0x1a0
[   32.199569]  __x64_sys_bpf+0x3d8/0x510
[   32.203457]  ? bpf_prog_get+0x20/0x20
[   32.207242]  ? do_page_fault+0xf6/0x8c0
[   32.211199]  do_syscall_64+0x1b9/0x820
[   32.215069]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.219990]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.224919]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   32.229921]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.235443]  ? prepare_exit_to_usermode+0x291/0x3b0
[   32.240443]  ? perf_trace_sys_enter+0xb10/0xb10
[   32.245111]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.249959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.255131] RIP: 0033:0x4408d9
[   32.258296] Code: e8 4c b2 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   32.277421] RSP: 002b:00007fff9ba401e8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   32.285119] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[   32.292369] RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
[   32.299633] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[   32.306893] R10: 000000000075f880 R11: 0000000000000213 R12: 0000000000401da0
[   32.314144] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[   32.321910] Dumping ftrace buffer:
[   32.325444]    (ftrace buffer empty)
[   32.329142] Kernel Offset: disabled
[   32.332750] Rebooting in 86400 seconds..