[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.462868] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.316925] random: sshd: uninitialized urandom read (32 bytes read)
[   20.634526] random: sshd: uninitialized urandom read (32 bytes read)
[   21.441684] random: sshd: uninitialized urandom read (32 bytes read)
[   21.600683] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[   27.116450] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.210524] ==================================================================
[   27.217992] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0
[   27.224914] Write of size 4 at addr ffff8801d3d02ff0 by task syz-executor120/4499
[   27.232508]
[   27.234120] CPU: 1 PID: 4499 Comm: syz-executor120 Not tainted 4.17.0+ #39
[   27.241108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.250441] Call Trace:
[   27.253015]  dump_stack+0x1b9/0x294
[   27.256635]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.261806]  ? printk+0x9e/0xba
[   27.265077]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.269821]  ? kasan_check_write+0x14/0x20
[   27.274036]  print_address_description+0x6c/0x20b
[   27.278860]  ? process_preds+0x191f/0x19d0
[   27.283093]  kasan_report.cold.7+0x242/0x2fe
[   27.287505]  __asan_report_store4_noabort+0x17/0x20
[   27.292510]  process_preds+0x191f/0x19d0
[   27.296564]  ? parse_pred+0x28e0/0x28e0
[   27.300525]  ? create_filter_start.constprop.14+0x55/0x2b0
[   27.306140]  create_filter+0x155/0x270
[   27.310009]  ? process_preds+0x19d0/0x19d0
[   27.314241]  ftrace_profile_set_filter+0x130/0x2e0
[   27.319152]  ? ftrace_profile_free_filter+0x70/0x70
[   27.324156]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.329688]  ? memdup_user+0x6b/0xa0
[   27.333395]  perf_event_set_filter+0x22e/0x1230
[   27.338055]  ? mutex_trylock+0x2a0/0x2a0
[   27.342109]  ? graph_lock+0x170/0x170
[   27.345897]  ? graph_lock+0x170/0x170
[   27.349687]  ? debug_mutex_init+0x2d/0x60
[   27.353818]  ? perf_pmu_unregister+0x530/0x530
[   27.358383]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.363905]  ? graph_lock+0x170/0x170
[   27.367688]  ? lock_downgrade+0x8e0/0x8e0
[   27.371830]  ? kasan_check_read+0x11/0x20
[   27.375971]  ? rcu_is_watching+0x85/0x140
[   27.380108]  ? __lock_is_held+0xb5/0x140
[   27.384153]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   27.389328]  _perf_ioctl+0x84c/0x15e0
[   27.393110]  ? __do_sys_perf_event_open+0x30c0/0x30c0
[   27.398283]  ? lock_downgrade+0x8e0/0x8e0
[   27.402412]  ? get_unused_fd_flags+0x190/0x190
[   27.406979]  ? kasan_check_read+0x11/0x20
[   27.411124]  ? rcu_is_watching+0x85/0x140
[   27.415255]  ? rcu_report_qs_rnp+0x790/0x790
[   27.419644]  ? mark_held_locks+0xc9/0x160
[   27.423778]  ? mutex_lock_nested+0x16/0x20
[   27.427995]  ? mutex_lock_nested+0x16/0x20
[   27.432213]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   27.437385]  ? perf_event_read_event+0x430/0x430
[   27.442135]  ? __do_sys_perf_event_open+0x7b6/0x30c0
[   27.447221]  perf_ioctl+0x59/0x80
[   27.450656]  ? _perf_ioctl+0x15e0/0x15e0
[   27.454699]  do_vfs_ioctl+0x1cf/0x16f0
[   27.458572]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.464088]  ? ioctl_preallocate+0x2e0/0x2e0
[   27.468478]  ? fget_raw+0x20/0x20
[   27.471914]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.477430]  ? __do_page_fault+0x441/0xe40
[   27.481650]  ? security_file_ioctl+0x94/0xc0
[   27.486040]  ksys_ioctl+0xa9/0xd0
[   27.489486]  __x64_sys_ioctl+0x73/0xb0
[   27.493364]  do_syscall_64+0x1b1/0x800
[   27.497234]  ? syscall_return_slowpath+0x5c0/0x5c0
[   27.502153]  ? syscall_return_slowpath+0x30f/0x5c0
[   27.507067]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   27.512413]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.517249]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.522420] RIP: 0033:0x43fdb9
[   27.525588] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   27.544775] RSP: 002b:00007fffe723e228 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   27.552483] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   27.559732] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   27.566979] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   27.574237] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   27.581485] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   27.588739]
[   27.590348] Allocated by task 3037:
[   27.593968]  save_stack+0x43/0xd0
[   27.597401]  kasan_kmalloc+0xc4/0xe0
[   27.601092]  kmem_cache_alloc_trace+0x152/0x780
[   27.605741]  alloc_pipe_info+0x16d/0x580
[   27.609780]  create_pipe_files+0xd0/0x940
[   27.613905]  __do_pipe_flags+0x45/0x250
[   27.617857]  do_pipe2+0x95/0x2f0
[   27.621209]  __x64_sys_pipe+0x33/0x40
[   27.624990]  do_syscall_64+0x1b1/0x800
[   27.628858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.634025]
[   27.635640] Freed by task 3039:
[   27.638901]  save_stack+0x43/0xd0
[   27.642337]  __kasan_slab_free+0x11a/0x170
[   27.646581]  kasan_slab_free+0xe/0x10
[   27.650367]  kfree+0xd9/0x260
[   27.653450]  free_pipe_info+0x253/0x300
[   27.657403]  put_pipe_info+0xd0/0xf0
[   27.661106]  pipe_release+0x1de/0x270
[   27.664889]  __fput+0x353/0x890
[   27.668156]  ____fput+0x15/0x20
[   27.671421]  task_work_run+0x1e4/0x290
[   27.675297]  do_exit+0x1aee/0x2730
[   27.678817]  do_group_exit+0x16f/0x430
[   27.682682]  __x64_sys_exit_group+0x3e/0x50
[   27.686984]  do_syscall_64+0x1b1/0x800
[   27.690852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.696013]
[   27.697631] The buggy address belongs to the object at ffff8801d3d02cc0
[   27.697631]  which belongs to the cache kmalloc-512 of size 512
[   27.710265] The buggy address is located 304 bytes to the right of
[   27.710265]  512-byte region [ffff8801d3d02cc0, ffff8801d3d02ec0)
[   27.722636] The buggy address belongs to the page:
[   27.727553] page:ffffea00074f4080 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   27.735675] flags: 0x2fffc0000000100(slab)
[   27.739893] raw: 02fffc0000000100 ffffea00074f4048 ffffea00074f4108 ffff8801da800940
[   27.747757] raw: 0000000000000000 ffff8801d3d02040 0000000100000006 0000000000000000
[   27.755613] page dumped because: kasan: bad access detected
[   27.761296]
[   27.762902] Memory state around the buggy address:
[   27.767812]  ffff8801d3d02e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.775149]  ffff8801d3d02f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.782492] >ffff8801d3d02f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.789837]                                                              ^
[   27.796831]  ffff8801d3d03000: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   27.804171]  ffff8801d3d03080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   27.811510] ==================================================================
[   27.818842] Disabling lock debugging due to kernel taint
[   27.824355] Kernel panic - not syncing: panic_on_warn set ...
[   27.824355]
[   27.831724] CPU: 1 PID: 4499 Comm: syz-executor120 Tainted: G    B            4.17.0+ #39
[   27.840121] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.849456] Call Trace:
[   27.852146]  dump_stack+0x1b9/0x294
[   27.855765]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.860935]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.865669]  ? process_preds+0x1850/0x19d0
[   27.869883]  panic+0x22f/0x4de
[   27.873054]  ? add_taint.cold.5+0x16/0x16
[   27.877182]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.881576]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.885965]  ? process_preds+0x191f/0x19d0
[   27.890177]  kasan_end_report+0x47/0x4f
[   27.894139]  kasan_report.cold.7+0x76/0x2fe
[   27.898442]  __asan_report_store4_noabort+0x17/0x20
[   27.903435]  process_preds+0x191f/0x19d0
[   27.907479]  ? parse_pred+0x28e0/0x28e0
[   27.911432]  ? create_filter_start.constprop.14+0x55/0x2b0
[   27.917039]  create_filter+0x155/0x270
[   27.920909]  ? process_preds+0x19d0/0x19d0
[   27.925123]  ftrace_profile_set_filter+0x130/0x2e0
[   27.930035]  ? ftrace_profile_free_filter+0x70/0x70
[   27.935037]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.940560]  ? memdup_user+0x6b/0xa0
[   27.944255]  perf_event_set_filter+0x22e/0x1230
[   27.948926]  ? mutex_trylock+0x2a0/0x2a0
[   27.952968]  ? graph_lock+0x170/0x170
[   27.956748]  ? graph_lock+0x170/0x170
[   27.960531]  ? debug_mutex_init+0x2d/0x60
[   27.964663]  ? perf_pmu_unregister+0x530/0x530
[   27.969237]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.974765]  ? graph_lock+0x170/0x170
[   27.978544]  ? lock_downgrade+0x8e0/0x8e0
[   27.982674]  ? kasan_check_read+0x11/0x20
[   27.986803]  ? rcu_is_watching+0x85/0x140
[   27.990931]  ? __lock_is_held+0xb5/0x140
[   27.994972]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   28.000153]  _perf_ioctl+0x84c/0x15e0
[   28.003933]  ? __do_sys_perf_event_open+0x30c0/0x30c0
[   28.009116]  ? lock_downgrade+0x8e0/0x8e0
[   28.013244]  ? get_unused_fd_flags+0x190/0x190
[   28.017813]  ? kasan_check_read+0x11/0x20
[   28.021940]  ? rcu_is_watching+0x85/0x140
[   28.026067]  ? rcu_report_qs_rnp+0x790/0x790
[   28.030456]  ? mark_held_locks+0xc9/0x160
[   28.034586]  ? mutex_lock_nested+0x16/0x20
[   28.038799]  ? mutex_lock_nested+0x16/0x20
[   28.043017]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   28.048192]  ? perf_event_read_event+0x430/0x430
[   28.052927]  ? __do_sys_perf_event_open+0x7b6/0x30c0
[   28.058013]  perf_ioctl+0x59/0x80
[   28.061451]  ? _perf_ioctl+0x15e0/0x15e0
[   28.065492]  do_vfs_ioctl+0x1cf/0x16f0
[   28.069358]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.074880]  ? ioctl_preallocate+0x2e0/0x2e0
[   28.079278]  ? fget_raw+0x20/0x20
[   28.082722]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.088244]  ? __do_page_fault+0x441/0xe40
[   28.092468]  ? security_file_ioctl+0x94/0xc0
[   28.096858]  ksys_ioctl+0xa9/0xd0
[   28.100292]  __x64_sys_ioctl+0x73/0xb0
[   28.104161]  do_syscall_64+0x1b1/0x800
[   28.108040]  ? syscall_return_slowpath+0x5c0/0x5c0
[   28.112955]  ? syscall_return_slowpath+0x30f/0x5c0
[   28.117866]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   28.123213]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.128042]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.133211] RIP: 0033:0x43fdb9
[   28.136375] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   28.155494] RSP: 002b:00007fffe723e228 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   28.163181] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   28.170429] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   28.177677] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   28.184926] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   28.192171] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   28.199860] Dumping ftrace buffer:
[   28.203379]    (ftrace buffer empty)
[   28.207076] Kernel Offset: disabled
[   28.210682] Rebooting in 86400 seconds..
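Added example, not part of the syzkaller console log above: a small Python parser that turns a KASAN report like this one into the fields a triager looks at first (bug class, access kind and width, the frame to blame, the allocation and free stacks, and where the faulting address sits relative to the slab object KASAN matched it to). The sample text is copied from the report above with dmesg timestamps dropped and the stacks shortened; the helper names, the NOISE prefix list and the syzkaller-style title format are my own choices, not anything from the log.

```python
"""Parse a KASAN report into triage fields (added example; not from the page)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report above, timestamps dropped, stacks shortened.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0
Write of size 4 at addr ffff8801d3d02ff0 by task syz-executor120/4499
Call Trace:
 dump_stack+0x1b9/0x294
 ? dump_stack_print_info.cold.2+0x52/0x52
 print_address_description+0x6c/0x20b
 kasan_report.cold.7+0x242/0x2fe
 __asan_report_store4_noabort+0x17/0x20
 process_preds+0x191f/0x19d0
 create_filter+0x155/0x270
 ftrace_profile_set_filter+0x130/0x2e0
 perf_event_set_filter+0x22e/0x1230
 __x64_sys_ioctl+0x73/0xb0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fdb9

Allocated by task 3037:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xc4/0xe0
 kmem_cache_alloc_trace+0x152/0x780
 alloc_pipe_info+0x16d/0x580

Freed by task 3039:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kfree+0xd9/0x260
 free_pipe_info+0x253/0x300

The buggy address belongs to the object at ffff8801d3d02cc0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 304 bytes to the right of
 512-byte region [ffff8801d3d02cc0, ffff8801d3d02ec0)
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<n>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
REGION_RE = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SECTION_RE = re.compile(r"^(?:Call Trace:|Allocated by task (?P<alloc>\d+):|Freed by task (?P<free>\d+):)$")
FRAME_RE = re.compile(r"^\s+(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames belonging to the sanitizer, the stack printer or the allocator itself, not to the bug.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_",
         "save_stack", "kmem_cache_alloc", "kmem_cache_free", "kmalloc", "__kmalloc", "kfree")

@dataclass
class KasanReport:
    kind: str = ""      # e.g. slab-out-of-bounds, use-after-free
    access: str = ""    # Read or Write
    size: int = 0       # access width in bytes
    addr: int = 0       # faulting address
    comm: str = ""
    pid: int = 0
    cache: str = ""
    obj_start: int = 0
    obj_end: int = 0
    stacks: dict = field(default_factory=dict)  # "trace" / "alloc" / "free" -> [symbol, ...]

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section = "alloc" if m["alloc"] else "free" if m["free"] else "trace"
            r.stacks[section] = []
            continue
        if section and (m := FRAME_RE.match(line)):
            if not m["stale"]:          # "? sym" frames are guesses from stale stack slots
                r.stacks[section].append(m["sym"])
            continue
        section = None                  # any other line closes the current stack dump
        if (m := BUG_RE.search(line)):
            r.kind = m["kind"]
        elif (m := ACCESS_RE.search(line)):
            r.access, r.size, r.addr = m["rw"], int(m["n"]), int(m["addr"], 16)
            r.comm, r.pid = m["comm"], int(m["pid"])
        elif (m := CACHE_RE.search(line)):
            r.cache = m["cache"]
        elif (m := REGION_RE.search(line)):
            r.obj_start, r.obj_end = int(m["start"], 16), int(m["end"], 16)
    return r

def first_real_frame(frames: list) -> str:
    """First frame that is not sanitizer/allocator plumbing: the function to blame."""
    return next((f for f in frames if not f.startswith(NOISE)), "")

def object_distance(r: KasanReport) -> tuple:
    """Where the access landed relative to the object KASAN matched it to."""
    if r.addr < r.obj_start:
        return ("left", r.obj_start - r.addr)
    if r.addr >= r.obj_end:
        return ("right", r.addr - r.obj_end)
    return ("inside", r.addr - r.obj_start)

def title(r: KasanReport) -> str:
    """syzkaller-style crash title, e.g. 'KASAN: slab-out-of-bounds Write in process_preds'."""
    return f"KASAN: {r.kind} {r.access} in {first_real_frame(r.stacks.get('trace', []))}"

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(title(rep), object_distance(rep),
          first_real_frame(rep.stacks["alloc"]), first_real_frame(rep.stacks["free"]))
```

The `object_distance` result is the check worth reading before trusting the allocation and free stacks. Here it reports the write landing 304 bytes past the end of the 512-byte region, exactly as the report says, and the two stacks describe a pipe object allocated by task 3037 and freed during task 3039's exit. They identify the slot KASAN associated with the address, not necessarily the buffer process_preds was indexing, so for an out-of-bounds report like this one they are neighbourhood context, whereas for a use-after-free (address inside the region, shadow bytes `fb`) they would name the object itself.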