[....] Starting OpenBSD Secure Shell server: sshd
[ 17.859891] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.390135] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.798944] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.562420] sshd (4485) used greatest stack depth: 17080 bytes left
[ 24.579555] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.334683] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts.
[ 39.971124] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 40.068451] device lo entered promiscuous mode
executing program
[ 40.139064] ------------[ cut here ]------------
[ 40.143952] refcount_t: underflow; use-after-free.
[ 40.149079] WARNING: CPU: 0 PID: 4505 at lib/refcount.c:187 refcount_sub_and_test+0x2d3/0x330
[ 40.157726] Kernel panic - not syncing: panic_on_warn set ...
[ 40.157726]
[ 40.165081] CPU: 0 PID: 4505 Comm: syz-executor540 Not tainted 4.17.0+ #39
[ 40.172073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.181417] Call Trace:
[ 40.183997] dump_stack+0x1b9/0x294
[ 40.187609] ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.192784] ? refcount_sub_and_test+0x290/0x330
[ 40.197523] panic+0x22f/0x4de
[ 40.200699] ? add_taint.cold.5+0x16/0x16
[ 40.204832] ? __warn.cold.8+0x148/0x1b3
[ 40.208878] ? __warn.cold.8+0x117/0x1b3
[ 40.212920] ? refcount_sub_and_test+0x2d3/0x330
[ 40.217657] __warn.cold.8+0x163/0x1b3
[ 40.221535] ? refcount_sub_and_test+0x2d3/0x330
[ 40.226287] report_bug+0x252/0x2d0
[ 40.229908] do_error_trap+0x1fc/0x4d0
[ 40.233777] ? do_raw_spin_unlock+0x9e/0x2e0
[ 40.238167] ? math_error+0x3f0/0x3f0
[ 40.241960] ? vprintk_default+0x28/0x30
[ 40.246003] ? vprintk_func+0x81/0xe7
[ 40.249784] ? printk+0x9e/0xba
[ 40.253049] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.257877] do_invalid_op+0x1b/0x20
[ 40.261571] invalid_op+0x14/0x20
[ 40.265003] RIP: 0010:refcount_sub_and_test+0x2d3/0x330
[ 40.270341] Code: 89 de e8 40 7e 21 fe 84 db 74 07 31 db e9 52 ff ff ff e8 60 7d 21 fe 48 c7 c7 20 4b 1a 88 c6 05 78 64 40 06 01 e8 8d 97 ed fd <0f> 0b 31 db e9 31 ff ff ff 48 8b bd 28 ff ff ff 89 85 34 ff ff ff
[ 40.290036] RSP: 0018:ffff8801b18b7800 EFLAGS: 00010282
[ 40.295379] RAX: 0000000000000026 RBX: 0000000000000000 RCX: ffffffff8161907a
[ 40.302627] RDX: 0000000000000000 RSI: ffffffff8161f371 RDI: ffff8801b18b74d8
[ 40.309883] RBP: ffff8801b18b78e8 R08: ffff8801b24923c0 R09: 0000000000000006
[ 40.317133] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffff
[ 40.324381] R13: ffff8801b18b78c0 R14: 0000000000000001 R15: ffff8801b318f040
[ 40.331638] ? console_unlock+0x83a/0x10a0
[ 40.335853] ? vprintk_func+0x81/0xe7
[ 40.339640] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 40.344377] ? graph_lock+0x170/0x170
[ 40.348159] ? debug_check_no_obj_freed+0x2ff/0x584
[ 40.353158] refcount_dec_and_test+0x1a/0x20
[ 40.357551] smap_release_sock+0x6e/0x2f0
[ 40.361680] ? free_htab_elem+0x40/0x40
[ 40.365639] sock_hash_ctx_update_elem.isra.24+0x896/0x1560
[ 40.371333] ? smap_read_sock_strparser+0xcb0/0xcb0
[ 40.376331] ? __fget+0x40c/0x650
[ 40.379768] ? expand_files.part.8+0x9a0/0x9a0
[ 40.384334] ? find_held_lock+0x36/0x1c0
[ 40.388382] ? fget+0x18/0x20
[ 40.391481] sock_hash_update_elem+0x14f/0x2d0
[ 40.396041] ? bpf_sock_hash_update+0x90/0x90
[ 40.400517] ? kasan_check_read+0x11/0x20
[ 40.404647] ? rcu_is_watching+0x85/0x140
[ 40.408776] ? rcu_report_qs_rnp+0x790/0x790
[ 40.413169] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.418687] ? _copy_from_user+0xdf/0x150
[ 40.422822] ? bpf_sock_hash_update+0x90/0x90
[ 40.427298] map_update_elem+0x5c4/0xc90
[ 40.431343] __x64_sys_bpf+0x32d/0x510
[ 40.435211] ? bpf_prog_get+0x20/0x20
[ 40.438996] ? ksys_ioctl+0x81/0xd0
[ 40.442603] ? do_syscall_64+0x92/0x800
[ 40.446562] do_syscall_64+0x1b1/0x800
[ 40.450430] ? syscall_return_slowpath+0x5c0/0x5c0
[ 40.455341] ? syscall_return_slowpath+0x30f/0x5c0
[ 40.460255] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 40.465602] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.470427] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.475596] RIP: 0033:0x445a69
[ 40.478761] Code: e8 3c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 51 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 40.497950] RSP: 002b:00007f90f7ac8db8 EFLAGS: 00000293 ORIG_RAX: 0000000000000141
[ 40.505653] RAX: ffffffffffffffda RBX: 00000000006dac94 RCX: 0000000000445a69
[ 40.512906] RDX: 0000000000000020 RSI: 0000000020000180 RDI: 0000000000000002
[ 40.520155] RBP: 00000000006dac90 R08: 0000000000000000 R09: 0000000000000000
[ 40.527406] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
[ 40.534656] R13: 00007ffc108bd18f R14: 00007f90f7ac99c0 R15: 0000000000000001
[ 40.542455] Dumping ftrace buffer:
[ 40.546089] (ftrace buffer empty)
[ 40.549793] Kernel Offset: disabled
[ 40.553415] Rebooting in 86400 seconds..