[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 24.970794] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.563070] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.998697] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.617086] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.827031] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
[ 33.410692] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.560434] ==================================================================
[ 33.567882] BUG: KASAN: use-after-free in tls_write_space+0x29d/0x2d0
[ 33.574446] Read of size 8 at addr ffff8801bf880070 by task syz-executor343/5324
[ 33.581956]
[ 33.583569] CPU: 0 PID: 5324 Comm: syz-executor343 Not tainted 4.19.0-rc4+ #227
[ 33.590998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.600340] Call Trace:
[ 33.602918]  dump_stack+0x1c4/0x2b4
[ 33.606529]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.611722]  ? printk+0xa7/0xcf
[ 33.614990]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.619743]  print_address_description.cold.8+0x9/0x1ff
[ 33.625115]  kasan_report.cold.9+0x242/0x309
[ 33.629531]  ? tls_write_space+0x29d/0x2d0
[ 33.633766]  __asan_report_load8_noabort+0x14/0x20
[ 33.638695]  tls_write_space+0x29d/0x2d0
[ 33.642778]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 33.647998]  do_tcp_setsockopt.isra.40+0x1371/0x2770
[ 33.653108]  ? tcp_peek_len+0x2c0/0x2c0
[ 33.657130]  ? _raw_spin_unlock_bh+0x30/0x40
[ 33.661565]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 33.667047]  ? release_sock+0x1ec/0x2c0
[ 33.671048]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 33.675995]  ? aa_sk_perm+0x218/0x8b0
[ 33.679812]  ? fget_raw+0x20/0x20
[ 33.683259]  ? release_sock+0x1ec/0x2c0
[ 33.687229]  ? aa_af_perm+0x5a0/0x5a0
[ 33.691036]  tcp_setsockopt+0xc1/0xe0
[ 33.694836]  tls_setsockopt+0xaa/0x770
[ 33.698722]  sock_common_setsockopt+0x9a/0xe0
[ 33.703220]  __sys_setsockopt+0x1ba/0x3c0
[ 33.707393]  ? kernel_accept+0x310/0x310
[ 33.711476]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 33.716068]  ? trace_hardirqs_on+0xbd/0x310
[ 33.720394]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 33.724880]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.730231]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 33.735671]  __x64_sys_setsockopt+0xbe/0x150
[ 33.740071]  do_syscall_64+0x1b9/0x820
[ 33.743945]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.749299]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 33.754222]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.759059]  ? trace_hardirqs_on_caller+0x310/0x310
[ 33.764088]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 33.769096]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 33.774103]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.778936]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.784123] RIP: 0033:0x440979
[ 33.787306] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 33.806196] RSP: 002b:00007ffdb31c8378 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 33.813891] RAX: ffffffffffffffda RBX: 00007ffdb31c8380 RCX: 0000000000440979
[ 33.821146] RDX: 0000000000000019 RSI: 0000000000000006 RDI: 0000000000000003
[ 33.828400] RBP: 0000000000000000 R08: 0000000000000004 R09: 00000000004009ae
[ 33.835654] R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000402200
[ 33.842910] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[ 33.850170]
[ 33.851809] Allocated by task 3898:
[ 33.855421]  save_stack+0x43/0xd0
[ 33.858857]  kasan_kmalloc+0xc7/0xe0
[ 33.862561]  kasan_slab_alloc+0x12/0x20
[ 33.866519]  kmem_cache_alloc+0x12e/0x730
[ 33.870649]  __anon_vma_prepare+0xc6/0x6c0
[ 33.874888]  __handle_mm_fault+0x40e2/0x53e0
[ 33.879286]  handle_mm_fault+0x54f/0xc70
[ 33.883333]  __do_page_fault+0x67d/0xed0
[ 33.887378]  do_page_fault+0xf2/0x7e0
[ 33.891168]  page_fault+0x1e/0x30
[ 33.894599]
[ 33.896206] Freed by task 3898:
[ 33.899466]  save_stack+0x43/0xd0
[ 33.902901]  __kasan_slab_free+0x102/0x150
[ 33.907115]  kasan_slab_free+0xe/0x10
[ 33.910900]  kmem_cache_free+0x83/0x290
[ 33.914858]  unlink_anon_vmas+0x5f0/0xa60
[ 33.918989]  free_pgtables+0xe6/0x380
[ 33.922789]  exit_mmap+0x2cd/0x590
[ 33.926316]  mmput+0x247/0x610
[ 33.929496]  do_exit+0xe6f/0x2610
[ 33.932938]  do_group_exit+0x177/0x440
[ 33.936813]  __x64_sys_exit_group+0x3e/0x50
[ 33.941117]  do_syscall_64+0x1b9/0x820
[ 33.944992]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.950166]
[ 33.951805] The buggy address belongs to the object at ffff8801bf880070
[ 33.951805]  which belongs to the cache anon_vma_chain of size 80
[ 33.964631] The buggy address is located 0 bytes inside of
[ 33.964631]  80-byte region [ffff8801bf880070, ffff8801bf8800c0)
[ 33.976234] The buggy address belongs to the page:
[ 33.981177] page:ffffea0006fe2000 count:1 mapcount:0 mapping:ffff8801da94c500 index:0x0
[ 33.989317] flags: 0x2fffc0000000100(slab)
[ 33.993557] raw: 02fffc0000000100 ffffea0007080f08 ffffea00075cc1c8 ffff8801da94c500
[ 34.001440] raw: 0000000000000000 ffff8801bf880000 0000000100000024 0000000000000000
[ 34.009306] page dumped because: kasan: bad access detected
[ 34.015081]
[ 34.016687] Memory state around the buggy address:
[ 34.021597]  ffff8801bf87ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.028956]  ffff8801bf87ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.036308] >ffff8801bf880000: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
[ 34.043652]                                                                 ^
[ 34.050656]  ffff8801bf880080: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 34.058010]  ffff8801bf880100: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
[ 34.065367] ==================================================================
[ 34.072727] Disabling lock debugging due to kernel taint
[ 34.078750] Kernel panic - not syncing: panic_on_warn set ...
[ 34.078750]
[ 34.086162] CPU: 0 PID: 5324 Comm: syz-executor343 Tainted: G B 4.19.0-rc4+ #227
[ 34.094982] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.104322] Call Trace:
[ 34.106897]  dump_stack+0x1c4/0x2b4
[ 34.110508]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.115684]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.120426]  panic+0x238/0x4e7
[ 34.123600]  ? add_taint.cold.5+0x16/0x16
[ 34.127730]  ? preempt_schedule+0x4d/0x60
[ 34.131879]  ? ___preempt_schedule+0x16/0x18
[ 34.136271]  ? trace_hardirqs_on+0xb4/0x310
[ 34.140580]  kasan_end_report+0x47/0x4f
[ 34.144549]  kasan_report.cold.9+0x76/0x309
[ 34.148856]  ? tls_write_space+0x29d/0x2d0
[ 34.153074]  __asan_report_load8_noabort+0x14/0x20
[ 34.157983]  tls_write_space+0x29d/0x2d0
[ 34.162026]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.167218]  do_tcp_setsockopt.isra.40+0x1371/0x2770
[ 34.172305]  ? tcp_peek_len+0x2c0/0x2c0
[ 34.176290]  ? _raw_spin_unlock_bh+0x30/0x40
[ 34.180684]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 34.186118]  ? release_sock+0x1ec/0x2c0
[ 34.190079]  ? debug_lockdep_rcu_enabled+0x77/0x90
[ 34.195004]  ? aa_sk_perm+0x218/0x8b0
[ 34.198792]  ? fget_raw+0x20/0x20
[ 34.202228]  ? release_sock+0x1ec/0x2c0
[ 34.206183]  ? aa_af_perm+0x5a0/0x5a0
[ 34.209968]  tcp_setsockopt+0xc1/0xe0
[ 34.213755]  tls_setsockopt+0xaa/0x770
[ 34.217642]  sock_common_setsockopt+0x9a/0xe0
[ 34.222123]  __sys_setsockopt+0x1ba/0x3c0
[ 34.226256]  ? kernel_accept+0x310/0x310
[ 34.230325]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 34.234892]  ? trace_hardirqs_on+0xbd/0x310
[ 34.239195]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 34.243674]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.249033]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 34.254469]  __x64_sys_setsockopt+0xbe/0x150
[ 34.258861]  do_syscall_64+0x1b9/0x820
[ 34.262731]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.268078]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 34.272989]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.277814]  ? trace_hardirqs_on_caller+0x310/0x310
[ 34.282816]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 34.287837]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 34.292855]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.297682]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.302853] RIP: 0033:0x440979
[ 34.306030] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 34.324929] RSP: 002b:00007ffdb31c8378 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 34.332628] RAX: ffffffffffffffda RBX: 00007ffdb31c8380 RCX: 0000000000440979
[ 34.339897] RDX: 0000000000000019 RSI: 0000000000000006 RDI: 0000000000000003
[ 34.347152] RBP: 0000000000000000 R08: 0000000000000004 R09: 00000000004009ae
[ 34.354402] R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000402200
[ 34.361651] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[ 34.369796] Kernel Offset: disabled
[ 34.373418] Rebooting in 86400 seconds..