[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.159559] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.516239] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.866567] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.791462] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.959345] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
[ 31.431237] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 36.767276] ==================================================================
[ 36.775114] BUG: KASAN: use-after-free in _copy_to_user+0xe9/0x110
[ 36.781424] Read of size 924 at addr ffff8801a93ffff2 by task syz-executor973/4558
[ 36.789108]
[ 36.790721] CPU: 0 PID: 4558 Comm: syz-executor973 Not tainted 4.18.0-rc3+ #3
[ 36.797975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.807318] Call Trace:
[ 36.809903]  dump_stack+0x1c9/0x2b4
[ 36.813515]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.818690]  ? printk+0xa7/0xcf
[ 36.821957]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 36.826703]  ? _copy_to_user+0xe9/0x110
[ 36.830670]  print_address_description+0x6c/0x20b
[ 36.835533]  ? _copy_to_user+0xe9/0x110
[ 36.839535]  kasan_report.cold.7+0x242/0x2fe
[ 36.844004]  check_memory_region+0x13e/0x1b0
[ 36.848439]  kasan_check_read+0x11/0x20
[ 36.852408]  _copy_to_user+0xe9/0x110
[ 36.856198]  bpf_test_finish.isra.7+0xee/0x1f0
[ 36.860765]  ? bpf_test_init.isra.8+0x100/0x100
[ 36.865432]  ? write_comp_data+0x22/0x70
[ 36.869479]  ? bpf_test_run+0x2fc/0x3b0
[ 36.873456]  bpf_prog_test_run_skb+0x7d7/0xa30
[ 36.878043]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[ 36.882891]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.888429]  ? __bpf_prog_get+0x9b/0x290
[ 36.892499]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[ 36.897339]  bpf_prog_test_run+0x130/0x1a0
[ 36.901569]  __x64_sys_bpf+0x3d8/0x510
[ 36.905452]  ? bpf_prog_get+0x20/0x20
[ 36.909240]  ? do_syscall_64+0x9a/0x820
[ 36.913197]  do_syscall_64+0x1b9/0x820
[ 36.917068]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 36.921985]  ? syscall_return_slowpath+0x31d/0x5e0
[ 36.926901]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 36.932426]  ? retint_user+0x18/0x18
[ 36.936150]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 36.940996]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.946188] RIP: 0033:0x4408d9
[ 36.949356] Code: e8 4c b2 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 36.968538] RSP: 002b:00007ffd5b0616b8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 36.976234] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[ 36.983490] RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
[ 36.990747] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[ 36.998006] R10: 0000000001aeb880 R11: 0000000000000213 R12: 0000000000401da0
[ 37.005264] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[ 37.012531]
[ 37.014136] The buggy address belongs to the page:
[ 37.019053] page:ffffea0006a4ffc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 37.027181] flags: 0x2fffc0000000000()
[ 37.031051] raw: 02fffc0000000000 ffffea0006a4ffc8 ffffea0006a4ffc8 0000000000000000
[ 37.038916] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 37.046773] page dumped because: kasan: bad access detected
[ 37.052458]
[ 37.054071] Memory state around the buggy address:
[ 37.058994]  ffff8801a93ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.066364]  ffff8801a93fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.073768] >ffff8801a93fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.081137]                                                              ^
[ 37.088163]  ffff8801a9400000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.095536]  ffff8801a9400080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.102899] ==================================================================
[ 37.110275] Disabling lock debugging due to kernel taint
[ 37.115874] Kernel panic - not syncing: panic_on_warn set ...
[ 37.115874]
[ 37.123262] CPU: 0 PID: 4558 Comm: syz-executor973 Tainted: G B 4.18.0-rc3+ #3
[ 37.131929] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.141303] Call Trace:
[ 37.143913]  dump_stack+0x1c9/0x2b4
[ 37.147565]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 37.152784]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 37.157565]  panic+0x238/0x4e7
[ 37.160783]  ? add_taint.cold.5+0x16/0x16
[ 37.164964]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 37.169404]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 37.173845]  ? _copy_to_user+0xe9/0x110
[ 37.177847]  kasan_end_report+0x47/0x4f
[ 37.181857]  kasan_report.cold.7+0x76/0x2fe
[ 37.186240]  check_memory_region+0x13e/0x1b0
[ 37.190680]  kasan_check_read+0x11/0x20
[ 37.194729]  _copy_to_user+0xe9/0x110
[ 37.198571]  bpf_test_finish.isra.7+0xee/0x1f0
[ 37.203179]  ? bpf_test_init.isra.8+0x100/0x100
[ 37.207878]  ? write_comp_data+0x22/0x70
[ 37.211968]  ? bpf_test_run+0x2fc/0x3b0
[ 37.215971]  bpf_prog_test_run_skb+0x7d7/0xa30
[ 37.220589]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[ 37.225468]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.231053]  ? __bpf_prog_get+0x9b/0x290
[ 37.235151]  ? bpf_test_finish.isra.7+0x1f0/0x1f0
[ 37.240014]  bpf_prog_test_run+0x130/0x1a0
[ 37.244290]  __x64_sys_bpf+0x3d8/0x510
[ 37.248198]  ? bpf_prog_get+0x20/0x20
[ 37.252028]  ? do_syscall_64+0x9a/0x820
[ 37.256079]  do_syscall_64+0x1b9/0x820
[ 37.260000]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 37.264965]  ? syscall_return_slowpath+0x31d/0x5e0
[ 37.269930]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.275469]  ? retint_user+0x18/0x18
[ 37.279166]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.284006]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.289192] RIP: 0033:0x4408d9
[ 37.292367] Code: e8 4c b2 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.311484] RSP: 002b:00007ffd5b0616b8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 37.319171] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[ 37.326683] RDX: 0000000000000028 RSI: 0000000020000140 RDI: 000000000000000a
[ 37.333943] RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
[ 37.341201] R10: 0000000001aeb880 R11: 0000000000000213 R12: 0000000000401da0
[ 37.348451] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[ 37.356177] Dumping ftrace buffer:
[ 37.359700]    (ftrace buffer empty)
[ 37.363389] Kernel Offset: disabled
[ 37.366998] Rebooting in 86400 seconds..
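Added example, not part of the syzbot log above and not kernel code: a small C program that decodes the two parts of this report a triager reads first. The register dump identifies the entry point: ORIG_RAX 0x141 is 321, __NR_bpf on x86-64; RDI 0xa is BPF_PROG_TEST_RUN in enum bpf_cmd; RDX 0x28 is 40, the size of the `test` member of union bpf_attr as of v4.18, which the program reconstructs and measures. The shadow rows explain the "use-after-free" verdict: the reported address ffff8801a93ffff2 maps to shadow byte 0xff, KASAN_FREE_PAGE in mm/kasan/kasan.h of that kernel (the page line's count:0 says the same), and only the first 14 bytes of the 924-byte _copy_to_user read lie in that freed page before the next page (shadow 00, addressable) begins, which is why KASAN reports a single bad access rather than 924 of them. The shadow-byte table, the 4 KiB x86-64 page size and the bpf_attr layout are assumptions tied to v4.18; the shadow rows are transcribed from the report.

```c
/*
 * Added example: decode the register dump and the KASAN shadow rows of the
 * syzbot report above. Not part of the log or of the kernel; constants are
 * taken from the x86-64 syscall table, enum bpf_cmd and mm/kasan/kasan.h as
 * of Linux v4.18 (assumption: later kernels renumber some shadow values).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_BPF_X86_64         321u      /* ORIG_RAX 0x141 in the dump */
#define BPF_PROG_TEST_RUN_CMD 10u       /* RDI 0xa, enum bpf_cmd */
#define PAGE_SIZE_X86_64      0x1000ull /* assumption: 4 KiB base pages */

/* The `test` member of union bpf_attr as of v4.18 (__aligned_u64 -> uint64_t). */
struct bpf_attr_test {
    uint32_t prog_fd;
    uint32_t retval;
    uint32_t data_size_in;
    uint32_t data_size_out;
    uint64_t data_in;
    uint64_t data_out;
    uint32_t repeat;
    uint32_t duration;
};

int is_bpf_syscall(uint64_t orig_rax) { return orig_rax == NR_BPF_X86_64; }

const char *bpf_cmd_name(uint64_t rdi)
{
    return rdi == BPF_PROG_TEST_RUN_CMD ? "BPF_PROG_TEST_RUN" : "other bpf(2) command";
}

/* What RDX should hold for this command: the size of the command's attr member. */
size_t bpf_attr_test_size(void) { return sizeof(struct bpf_attr_test); }

/* KASAN shadow byte meanings (mm/kasan/kasan.h, v4.18); negative = not in report. */
const char *kasan_shadow_name(int s)
{
    if (s < 0)  return "not covered by the report";
    if (s == 0) return "addressable";
    if (s < 8)  return "partially addressable";
    switch (s) {
    case 0xff: return "freed page";
    case 0xfe: return "page redzone";
    case 0xfc: return "kmalloc redzone";
    case 0xfb: return "freed kmalloc object";
    case 0xfa: return "global redzone";
    case 0xf1: case 0xf2: case 0xf3: case 0xf4: return "stack redzone";
    case 0xf8: return "out of scope";
    default:   return "unknown";
    }
}

/* One "Memory state" row: 16 shadow bytes, each covering 8 bytes of memory. */
struct shadow_row { uint64_t base; uint8_t shadow[16]; };
#define ROW16(b) { b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b }

/* Transcribed from the report above. */
static const struct shadow_row rows[] = {
    { 0xffff8801a93ffe80ull, ROW16(0xff) },
    { 0xffff8801a93fff00ull, ROW16(0xff) },
    { 0xffff8801a93fff80ull, ROW16(0xff) },
    { 0xffff8801a9400000ull, ROW16(0x00) },
    { 0xffff8801a9400080ull, ROW16(0x00) },
};

/* Shadow byte covering addr, or -1 if the report's rows do not cover it. */
int shadow_value(uint64_t addr)
{
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        if (addr >= rows[i].base && addr - rows[i].base < 16 * 8)
            return rows[i].shadow[(addr - rows[i].base) / 8];
    }
    return -1;
}

/* How many bytes of the access [addr, addr+len) lie before the end of addr's page. */
uint64_t bytes_before_page_end(uint64_t addr, uint64_t len)
{
    uint64_t remaining = PAGE_SIZE_X86_64 - (addr & (PAGE_SIZE_X86_64 - 1));
    return len < remaining ? len : remaining;
}

int main(void)
{
    uint64_t orig_rax = 0x141, rdi = 0xa, rdx = 0x28;   /* from the register dump */
    uint64_t addr = 0xffff8801a93ffff2ull, len = 924;    /* from the BUG line */
    uint64_t in_page = bytes_before_page_end(addr, len);

    printf("syscall %s, cmd %s, attr size %s\n",
           is_bpf_syscall(orig_rax) ? "bpf(2)" : "?", bpf_cmd_name(rdi),
           bpf_attr_test_size() == rdx ? "matches RDX" : "differs from RDX");
    printf("shadow at %#llx: %#x (%s)\n", (unsigned long long)addr,
           shadow_value(addr), kasan_shadow_name(shadow_value(addr)));
    printf("%llu of %llu bytes fall in the freed page; the rest start at %#llx (%s)\n",
           (unsigned long long)in_page, (unsigned long long)len,
           (unsigned long long)(addr + in_page),
           kasan_shadow_name(shadow_value(addr + in_page)));
    return 0;
}
```

The page-boundary arithmetic is the useful part when triaging: a large copy_to_user that starts a few bytes before a page boundary in freed memory looks like a giant overrun in the BUG line, but the shadow rows show where the freed region actually ends.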