[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.462868] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.316925] random: sshd: uninitialized urandom read (32 bytes read)
[   20.634526] random: sshd: uninitialized urandom read (32 bytes read)
[   21.441684] random: sshd: uninitialized urandom read (32 bytes read)
[   21.600683] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[   27.116450] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.210524] ==================================================================
[   27.217992] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0
[   27.224914] Write of size 4 at addr ffff8801d3d02ff0 by task syz-executor120/4499
[   27.232508] 
[   27.234120] CPU: 1 PID: 4499 Comm: syz-executor120 Not tainted 4.17.0+ #39
[   27.241108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.250441] Call Trace:
[   27.253015]  dump_stack+0x1b9/0x294
[   27.256635]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.261806]  ? printk+0x9e/0xba
[   27.265077]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.269821]  ? kasan_check_write+0x14/0x20
[   27.274036]  print_address_description+0x6c/0x20b
[   27.278860]  ? process_preds+0x191f/0x19d0
[   27.283093]  kasan_report.cold.7+0x242/0x2fe
[   27.287505]  __asan_report_store4_noabort+0x17/0x20
[   27.292510]  process_preds+0x191f/0x19d0
[   27.296564]  ? parse_pred+0x28e0/0x28e0
[   27.300525]  ? create_filter_start.constprop.14+0x55/0x2b0
[   27.306140]  create_filter+0x155/0x270
[   27.310009]  ? process_preds+0x19d0/0x19d0
[   27.314241]  ftrace_profile_set_filter+0x130/0x2e0
[   27.319152]  ? ftrace_profile_free_filter+0x70/0x70
[   27.324156]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.329688]  ? memdup_user+0x6b/0xa0
[   27.333395]  perf_event_set_filter+0x22e/0x1230
[   27.338055]  ? mutex_trylock+0x2a0/0x2a0
[   27.342109]  ? graph_lock+0x170/0x170
[   27.345897]  ? graph_lock+0x170/0x170
[   27.349687]  ? debug_mutex_init+0x2d/0x60
[   27.353818]  ? perf_pmu_unregister+0x530/0x530
[   27.358383]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.363905]  ? graph_lock+0x170/0x170
[   27.367688]  ? lock_downgrade+0x8e0/0x8e0
[   27.371830]  ? kasan_check_read+0x11/0x20
[   27.375971]  ? rcu_is_watching+0x85/0x140
[   27.380108]  ? __lock_is_held+0xb5/0x140
[   27.384153]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   27.389328]  _perf_ioctl+0x84c/0x15e0
[   27.393110]  ? __do_sys_perf_event_open+0x30c0/0x30c0
[   27.398283]  ? lock_downgrade+0x8e0/0x8e0
[   27.402412]  ? get_unused_fd_flags+0x190/0x190
[   27.406979]  ? kasan_check_read+0x11/0x20
[   27.411124]  ? rcu_is_watching+0x85/0x140
[   27.415255]  ? rcu_report_qs_rnp+0x790/0x790
[   27.419644]  ? mark_held_locks+0xc9/0x160
[   27.423778]  ? mutex_lock_nested+0x16/0x20
[   27.427995]  ? mutex_lock_nested+0x16/0x20
[   27.432213]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   27.437385]  ? perf_event_read_event+0x430/0x430
[   27.442135]  ? __do_sys_perf_event_open+0x7b6/0x30c0
[   27.447221]  perf_ioctl+0x59/0x80
[   27.450656]  ? _perf_ioctl+0x15e0/0x15e0
[   27.454699]  do_vfs_ioctl+0x1cf/0x16f0
[   27.458572]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.464088]  ? ioctl_preallocate+0x2e0/0x2e0
[   27.468478]  ? fget_raw+0x20/0x20
[   27.471914]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.477430]  ? __do_page_fault+0x441/0xe40
[   27.481650]  ? security_file_ioctl+0x94/0xc0
[   27.486040]  ksys_ioctl+0xa9/0xd0
[   27.489486]  __x64_sys_ioctl+0x73/0xb0
[   27.493364]  do_syscall_64+0x1b1/0x800
[   27.497234]  ? syscall_return_slowpath+0x5c0/0x5c0
[   27.502153]  ? syscall_return_slowpath+0x30f/0x5c0
[   27.507067]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   27.512413]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.517249]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.522420] RIP: 0033:0x43fdb9
[   27.525588] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   27.544775] RSP: 002b:00007fffe723e228 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   27.552483] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   27.559732] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   27.566979] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   27.574237] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   27.581485] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   27.588739] 
[   27.590348] Allocated by task 3037:
[   27.593968]  save_stack+0x43/0xd0
[   27.597401]  kasan_kmalloc+0xc4/0xe0
[   27.601092]  kmem_cache_alloc_trace+0x152/0x780
[   27.605741]  alloc_pipe_info+0x16d/0x580
[   27.609780]  create_pipe_files+0xd0/0x940
[   27.613905]  __do_pipe_flags+0x45/0x250
[   27.617857]  do_pipe2+0x95/0x2f0
[   27.621209]  __x64_sys_pipe+0x33/0x40
[   27.624990]  do_syscall_64+0x1b1/0x800
[   27.628858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.634025] 
[   27.635640] Freed by task 3039:
[   27.638901]  save_stack+0x43/0xd0
[   27.642337]  __kasan_slab_free+0x11a/0x170
[   27.646581]  kasan_slab_free+0xe/0x10
[   27.650367]  kfree+0xd9/0x260
[   27.653450]  free_pipe_info+0x253/0x300
[   27.657403]  put_pipe_info+0xd0/0xf0
[   27.661106]  pipe_release+0x1de/0x270
[   27.664889]  __fput+0x353/0x890
[   27.668156]  ____fput+0x15/0x20
[   27.671421]  task_work_run+0x1e4/0x290
[   27.675297]  do_exit+0x1aee/0x2730
[   27.678817]  do_group_exit+0x16f/0x430
[   27.682682]  __x64_sys_exit_group+0x3e/0x50
[   27.686984]  do_syscall_64+0x1b1/0x800
[   27.690852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.696013] 
[   27.697631] The buggy address belongs to the object at ffff8801d3d02cc0
[   27.697631]  which belongs to the cache kmalloc-512 of size 512
[   27.710265] The buggy address is located 304 bytes to the right of
[   27.710265]  512-byte region [ffff8801d3d02cc0, ffff8801d3d02ec0)
[   27.722636] The buggy address belongs to the page:
[   27.727553] page:ffffea00074f4080 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   27.735675] flags: 0x2fffc0000000100(slab)
[   27.739893] raw: 02fffc0000000100 ffffea00074f4048 ffffea00074f4108 ffff8801da800940
[   27.747757] raw: 0000000000000000 ffff8801d3d02040 0000000100000006 0000000000000000
[   27.755613] page dumped because: kasan: bad access detected
[   27.761296] 
[   27.762902] Memory state around the buggy address:
[   27.767812]  ffff8801d3d02e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   27.775149]  ffff8801d3d02f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.782492] >ffff8801d3d02f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.789837]                                                              ^
[   27.796831]  ffff8801d3d03000: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   27.804171]  ffff8801d3d03080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   27.811510] ==================================================================
[   27.818842] Disabling lock debugging due to kernel taint
[   27.824355] Kernel panic - not syncing: panic_on_warn set ...
[   27.824355] 
[   27.831724] CPU: 1 PID: 4499 Comm: syz-executor120 Tainted: G    B             4.17.0+ #39
[   27.840121] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.849456] Call Trace:
[   27.852146]  dump_stack+0x1b9/0x294
[   27.855765]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.860935]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.865669]  ? process_preds+0x1850/0x19d0
[   27.869883]  panic+0x22f/0x4de
[   27.873054]  ? add_taint.cold.5+0x16/0x16
[   27.877182]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.881576]  ? do_raw_spin_unlock+0x9e/0x2e0
[   27.885965]  ? process_preds+0x191f/0x19d0
[   27.890177]  kasan_end_report+0x47/0x4f
[   27.894139]  kasan_report.cold.7+0x76/0x2fe
[   27.898442]  __asan_report_store4_noabort+0x17/0x20
[   27.903435]  process_preds+0x191f/0x19d0
[   27.907479]  ? parse_pred+0x28e0/0x28e0
[   27.911432]  ? create_filter_start.constprop.14+0x55/0x2b0
[   27.917039]  create_filter+0x155/0x270
[   27.920909]  ? process_preds+0x19d0/0x19d0
[   27.925123]  ftrace_profile_set_filter+0x130/0x2e0
[   27.930035]  ? ftrace_profile_free_filter+0x70/0x70
[   27.935037]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.940560]  ? memdup_user+0x6b/0xa0
[   27.944255]  perf_event_set_filter+0x22e/0x1230
[   27.948926]  ? mutex_trylock+0x2a0/0x2a0
[   27.952968]  ? graph_lock+0x170/0x170
[   27.956748]  ? graph_lock+0x170/0x170
[   27.960531]  ? debug_mutex_init+0x2d/0x60
[   27.964663]  ? perf_pmu_unregister+0x530/0x530
[   27.969237]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.974765]  ? graph_lock+0x170/0x170
[   27.978544]  ? lock_downgrade+0x8e0/0x8e0
[   27.982674]  ? kasan_check_read+0x11/0x20
[   27.986803]  ? rcu_is_watching+0x85/0x140
[   27.990931]  ? __lock_is_held+0xb5/0x140
[   27.994972]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   28.000153]  _perf_ioctl+0x84c/0x15e0
[   28.003933]  ? __do_sys_perf_event_open+0x30c0/0x30c0
[   28.009116]  ? lock_downgrade+0x8e0/0x8e0
[   28.013244]  ? get_unused_fd_flags+0x190/0x190
[   28.017813]  ? kasan_check_read+0x11/0x20
[   28.021940]  ? rcu_is_watching+0x85/0x140
[   28.026067]  ? rcu_report_qs_rnp+0x790/0x790
[   28.030456]  ? mark_held_locks+0xc9/0x160
[   28.034586]  ? mutex_lock_nested+0x16/0x20
[   28.038799]  ? mutex_lock_nested+0x16/0x20
[   28.043017]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   28.048192]  ? perf_event_read_event+0x430/0x430
[   28.052927]  ? __do_sys_perf_event_open+0x7b6/0x30c0
[   28.058013]  perf_ioctl+0x59/0x80
[   28.061451]  ? _perf_ioctl+0x15e0/0x15e0
[   28.065492]  do_vfs_ioctl+0x1cf/0x16f0
[   28.069358]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.074880]  ? ioctl_preallocate+0x2e0/0x2e0
[   28.079278]  ? fget_raw+0x20/0x20
[   28.082722]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.088244]  ? __do_page_fault+0x441/0xe40
[   28.092468]  ? security_file_ioctl+0x94/0xc0
[   28.096858]  ksys_ioctl+0xa9/0xd0
[   28.100292]  __x64_sys_ioctl+0x73/0xb0
[   28.104161]  do_syscall_64+0x1b1/0x800
[   28.108040]  ? syscall_return_slowpath+0x5c0/0x5c0
[   28.112955]  ? syscall_return_slowpath+0x30f/0x5c0
[   28.117866]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   28.123213]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.128042]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.133211] RIP: 0033:0x43fdb9
[   28.136375] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   28.155494] RSP: 002b:00007fffe723e228 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   28.163181] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   28.170429] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   28.177677] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   28.184926] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   28.192171] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   28.199860] Dumping ftrace buffer:
[   28.203379]    (ftrace buffer empty)
[   28.207076] Kernel Offset: disabled
[   28.210682] Rebooting in 86400 seconds..