[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 23.169382] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller [ 24.455754] random: sshd: uninitialized urandom read (32 bytes read) login: [ 24.812857] random: sshd: uninitialized urandom read (32 bytes read) [ 25.379835] random: sshd: uninitialized urandom read (32 bytes read) [ 34.633221] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts. [ 40.283989] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 40.392735] vhci_hcd: invalid port number 108 [ 40.397407] ================================================================== [ 40.404892] BUG: KASAN: use-after-free in vhci_hub_control+0x1b88/0x1bf0 [ 40.411730] Read of size 4 at addr ffff8801ce61f7bc by task syz-executor473/4680 [ 40.419245] [ 40.420866] CPU: 1 PID: 4680 Comm: syz-executor473 Not tainted 4.19.0-rc1+ #217 [ 40.428311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.437651] Call Trace: [ 40.440235] dump_stack+0x1c9/0x2b4 [ 40.443855] ? dump_stack_print_info.cold.2+0x52/0x52 [ 40.449030] ? printk+0xa7/0xcf [ 40.452314] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 40.457088] ? vhci_hub_control+0x1b88/0x1bf0 [ 40.461578] print_address_description+0x6c/0x20b [ 40.466407] ? vhci_hub_control+0x1b88/0x1bf0 [ 40.470889] kasan_report.cold.7+0x242/0x30d [ 40.475285] __asan_report_load4_noabort+0x14/0x20 [ 40.480220] vhci_hub_control+0x1b88/0x1bf0 [ 40.484548] ? vhci_hcd_probe+0x240/0x240 [ 40.488687] ? rcu_read_lock_sched_held+0x108/0x120 [ 40.493701] ? __kmalloc+0x594/0x720 [ 40.497481] ? kasan_check_write+0x14/0x20 [ 40.501709] ? do_raw_spin_lock+0xc1/0x200 [ 40.505944] ? usb_hcd_submit_urb+0x70e/0x2160 [ 40.510548] usb_hcd_submit_urb+0x184a/0x2160 [ 40.515042] ? vhci_hcd_probe+0x240/0x240 [ 40.519204] ? usb_create_hcd+0x40/0x40 [ 40.523221] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.528591] ? __x64_sys_ioctl+0x73/0xb0 [ 40.532644] ? do_syscall_64+0x1b9/0x820 [ 40.536692] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.542051] ? find_held_lock+0x36/0x1c0 [ 40.546116] ? __lockdep_init_map+0x105/0x590 [ 40.550608] ? __lockdep_init_map+0x105/0x590 [ 40.555122] usb_submit_urb+0x895/0x14d0 [ 40.559178] ? rcu_is_watching+0x8c/0x150 [ 40.563362] usb_start_wait_urb+0x140/0x360 [ 40.567677] ? sg_clean+0x240/0x240 [ 40.571297] usb_control_msg+0x332/0x4e0 [ 40.575345] ? usb_start_wait_urb+0x360/0x360 [ 40.579828] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 40.585354] proc_control+0x99b/0xef0 [ 40.589186] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 40.594779] ? proc_bulk+0xaa0/0xaa0 [ 40.598490] usbdev_do_ioctl+0x1eb4/0x3b30 [ 40.602848] ? processcompl_compat+0x680/0x680 [ 40.607424] ? pmd_pfn+0x1c0/0x1c0 [ 40.610956] ? lock_downgrade+0x8f0/0x8f0 [ 40.615092] ? kasan_check_read+0x11/0x20 [ 40.619227] ? do_raw_spin_unlock+0xa7/0x2f0 [ 40.623639] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 40.628222] ? __pte_alloc_kernel+0x2e0/0x2e0 [ 40.632707] ? do_wp_page+0x87d/0x1800 [ 40.636596] ? finish_mkwrite_fault+0x540/0x540 [ 40.641509] ? lock_acquire+0x1e4/0x4f0 [ 40.645509] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 40.650185] ? lock_release+0x9f0/0x9f0 [ 40.654151] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.659691] ? kasan_check_write+0x14/0x20 [ 40.663935] ? do_raw_spin_lock+0xc1/0x200 [ 40.668266] ? __handle_mm_fault+0x945/0x4350 [ 40.672754] ? vmf_insert_mixed_mkwrite+0xa0/0xa0 [ 40.677700] ? graph_lock+0x170/0x170 [ 40.681489] ? graph_lock+0x170/0x170 [ 40.685282] ? find_held_lock+0x36/0x1c0 [ 40.689333] usbdev_ioctl+0x25/0x30 [ 40.692948] ? usbdev_compat_ioctl+0x30/0x30 [ 40.697344] do_vfs_ioctl+0x1de/0x1720 [ 40.701267] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 40.706797] ? ioctl_preallocate+0x300/0x300 [ 40.711210] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.716755] ? __fget_light+0x2f7/0x440 [ 40.720715] ? __handle_mm_fault+0x4350/0x4350 [ 40.725284] ? fget_raw+0x20/0x20 [ 40.728725] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.734245] ? __do_page_fault+0x449/0xe50 [ 40.738470] ? do_syscall_64+0x9a/0x820 [ 40.742434] ? do_syscall_64+0x9a/0x820 [ 40.746402] ? lockdep_hardirqs_on+0x421/0x5c0 [ 40.750988] ? security_file_ioctl+0x94/0xc0 [ 40.755516] ksys_ioctl+0xa9/0xd0 [ 40.758964] __x64_sys_ioctl+0x73/0xb0 [ 40.762863] do_syscall_64+0x1b9/0x820 [ 40.766742] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 40.772092] ? syscall_return_slowpath+0x5e0/0x5e0 [ 40.777005] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.781837] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 40.786842] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 40.791846] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.797371] ? prepare_exit_to_usermode+0x291/0x3b0 [ 40.802376] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.807392] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.812571] RIP: 0033:0x445cf9 [ 40.815749] Code: e8 0c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 40.834681] RSP: 002b:00007fff4cea17d8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 40.842391] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445cf9 [ 40.849687] RDX: 0000000020000000 RSI: 00000000c0185500 RDI: 0000000000000003 [ 40.856950] RBP: 0000000000000000 R08: 0000000000fb6880 R09: 0000000000000001 [ 40.864211] R10: 000000000000000f R11: 0000000000000213 R12: 0000000000403060 [ 40.871470] R13: 00000000004030f0 R14: 0000000000000000 R15: 0000000000000000 [ 40.878838] [ 40.880462] The buggy address belongs to the page: [ 40.885438] page:ffffea00073987c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 40.893576] flags: 0x2fffc0000000000() [ 40.897449] raw: 02fffc0000000000 0000000000000000 ffffffff07390101 0000000000000000 [ 40.905323] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 40.913181] page dumped because: kasan: bad access detected [ 40.918879] [ 40.920497] Memory state around the buggy address: [ 40.925411] ffff8801ce61f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.932754] ffff8801ce61f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.940110] >ffff8801ce61f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.947448] ^ [ 40.952625] ffff8801ce61f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.959971] ffff8801ce61f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 40.967325] ================================================================== [ 40.974676] Disabling lock debugging due to kernel taint [ 40.980199] Kernel panic - not syncing: panic_on_warn set ... [ 40.980199] [ 40.987647] CPU: 1 PID: 4680 Comm: syz-executor473 Tainted: G B 4.19.0-rc1+ #217 [ 40.996467] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.005838] Call Trace: [ 41.008420] dump_stack+0x1c9/0x2b4 [ 41.012045] ? dump_stack_print_info.cold.2+0x52/0x52 [ 41.017220] ? lock_downgrade+0x8f0/0x8f0 [ 41.021349] panic+0x238/0x4e7 [ 41.024528] ? add_taint.cold.5+0x16/0x16 [ 41.028661] ? add_taint.cold.5+0x5/0x16 [ 41.032705] ? trace_hardirqs_off+0xaf/0x2b0 [ 41.037098] ? trace_hardirqs_off+0x77/0x2b0 [ 41.041518] ? vhci_hub_control+0x1b88/0x1bf0 [ 41.046000] kasan_end_report+0x47/0x4f [ 41.049969] kasan_report.cold.7+0x76/0x30d [ 41.054324] __asan_report_load4_noabort+0x14/0x20 [ 41.059247] vhci_hub_control+0x1b88/0x1bf0 [ 41.063564] ? vhci_hcd_probe+0x240/0x240 [ 41.067701] ? rcu_read_lock_sched_held+0x108/0x120 [ 41.072702] ? __kmalloc+0x594/0x720 [ 41.076403] ? kasan_check_write+0x14/0x20 [ 41.080636] ? do_raw_spin_lock+0xc1/0x200 [ 41.084859] ? usb_hcd_submit_urb+0x70e/0x2160 [ 41.089426] usb_hcd_submit_urb+0x184a/0x2160 [ 41.093935] ? vhci_hcd_probe+0x240/0x240 [ 41.098069] ? usb_create_hcd+0x40/0x40 [ 41.102030] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.107379] ? __x64_sys_ioctl+0x73/0xb0 [ 41.111503] ? do_syscall_64+0x1b9/0x820 [ 41.115566] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.120924] ? find_held_lock+0x36/0x1c0 [ 41.125100] ? __lockdep_init_map+0x105/0x590 [ 41.129585] ? __lockdep_init_map+0x105/0x590 [ 41.134071] usb_submit_urb+0x895/0x14d0 [ 41.138219] ? rcu_is_watching+0x8c/0x150 [ 41.142353] usb_start_wait_urb+0x140/0x360 [ 41.146798] ? sg_clean+0x240/0x240 [ 41.150559] usb_control_msg+0x332/0x4e0 [ 41.154607] ? usb_start_wait_urb+0x360/0x360 [ 41.159087] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 41.164619] proc_control+0x99b/0xef0 [ 41.168406] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 41.173928] ? proc_bulk+0xaa0/0xaa0 [ 41.177631] usbdev_do_ioctl+0x1eb4/0x3b30 [ 41.181849] ? processcompl_compat+0x680/0x680 [ 41.186484] ? pmd_pfn+0x1c0/0x1c0 [ 41.190015] ? lock_downgrade+0x8f0/0x8f0 [ 41.194148] ? kasan_check_read+0x11/0x20 [ 41.198286] ? do_raw_spin_unlock+0xa7/0x2f0 [ 41.202684] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 41.207251] ? __pte_alloc_kernel+0x2e0/0x2e0 [ 41.211730] ? do_wp_page+0x87d/0x1800 [ 41.215600] ? finish_mkwrite_fault+0x540/0x540 [ 41.220298] ? lock_acquire+0x1e4/0x4f0 [ 41.224263] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 41.228912] ? lock_release+0x9f0/0x9f0 [ 41.232871] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 41.238489] ? kasan_check_write+0x14/0x20 [ 41.242710] ? do_raw_spin_lock+0xc1/0x200 [ 41.246944] ? __handle_mm_fault+0x945/0x4350 [ 41.251431] ? vmf_insert_mixed_mkwrite+0xa0/0xa0 [ 41.256269] ? graph_lock+0x170/0x170 [ 41.260096] ? graph_lock+0x170/0x170 [ 41.263885] ? find_held_lock+0x36/0x1c0 [ 41.267995] usbdev_ioctl+0x25/0x30 [ 41.271616] ? usbdev_compat_ioctl+0x30/0x30 [ 41.276014] do_vfs_ioctl+0x1de/0x1720 [ 41.279888] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 41.285406] ? ioctl_preallocate+0x300/0x300 [ 41.289882] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.295414] ? __fget_light+0x2f7/0x440 [ 41.299374] ? __handle_mm_fault+0x4350/0x4350 [ 41.303939] ? fget_raw+0x20/0x20 [ 41.307380] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.313040] ? __do_page_fault+0x449/0xe50 [ 41.317442] ? do_syscall_64+0x9a/0x820 [ 41.321406] ? do_syscall_64+0x9a/0x820 [ 41.325361] ? lockdep_hardirqs_on+0x421/0x5c0 [ 41.329940] ? security_file_ioctl+0x94/0xc0 [ 41.334337] ksys_ioctl+0xa9/0xd0 [ 41.337821] __x64_sys_ioctl+0x73/0xb0 [ 41.341698] do_syscall_64+0x1b9/0x820 [ 41.345572] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 41.351023] ? syscall_return_slowpath+0x5e0/0x5e0 [ 41.355950] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.360785] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 41.366405] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 41.371512] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.377047] ? prepare_exit_to_usermode+0x291/0x3b0 [ 41.382050] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.386889] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 41.392112] RIP: 0033:0x445cf9 [ 41.395298] Code: e8 0c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db ce fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 41.414339] RSP: 002b:00007fff4cea17d8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 41.422029] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445cf9 [ 41.429280] RDX: 0000000020000000 RSI: 00000000c0185500 RDI: 0000000000000003 [ 41.436609] RBP: 0000000000000000 R08: 0000000000fb6880 R09: 0000000000000001 [ 41.443870] R10: 000000000000000f R11: 0000000000000213 R12: 0000000000403060 [ 41.451126] R13: 00000000004030f0 R14: 0000000000000000 R15: 0000000000000000 [ 41.458675] Dumping ftrace buffer: [ 41.462202] (ftrace buffer empty) [ 41.465896] Kernel Offset: disabled [ 41.469507] Rebooting in 86400 seconds..