[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.293783] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.796303] random: sshd: uninitialized urandom read (32 bytes read)
[   23.165344] random: sshd: uninitialized urandom read (32 bytes read)
[   23.882423] random: sshd: uninitialized urandom read (32 bytes read)
[   24.049466] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
[   29.560078] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.656153] ==================================================================
[   29.663601] BUG: KASAN: slab-out-of-bounds in process_preds+0x1958/0x19b0
[   29.670511] Write of size 4 at addr ffff8801d311bdf0 by task syz-executor656/4538
[   29.678195] 
[   29.679810] CPU: 1 PID: 4538 Comm: syz-executor656 Not tainted 4.17.0-rc2+ #22
[   29.687150] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.696486] Call Trace:
[   29.699063]  dump_stack+0x1b9/0x294
[   29.702678]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.707938]  ? printk+0x9e/0xba
[   29.711204]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.715972]  ? kasan_check_write+0x14/0x20
[   29.720193]  print_address_description+0x6c/0x20b
[   29.725025]  ? process_preds+0x1958/0x19b0
[   29.729251]  kasan_report.cold.7+0x242/0x2fe
[   29.733650]  __asan_report_store4_noabort+0x17/0x20
[   29.738652]  process_preds+0x1958/0x19b0
[   29.742712]  ? create_filter_start.constprop.12+0xfb/0x2b0
[   29.748330]  ? parse_pred+0x28e0/0x28e0
[   29.752295]  ? create_filter_start.constprop.12+0x55/0x2b0
[   29.758173]  create_filter+0x155/0x270
[   29.762053]  ? process_preds+0x19b0/0x19b0
[   29.766284]  ftrace_profile_set_filter+0x130/0x2e0
[   29.771203]  ? ftrace_profile_free_filter+0x70/0x70
[   29.776206]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.781729]  ? memdup_user+0x6b/0xa0
[   29.785433]  perf_event_set_filter+0x248/0x1230
[   29.790094]  ? perf_tp_event+0xc30/0xc30
[   29.794171]  ? mutex_trylock+0x2a0/0x2a0
[   29.798251]  ? perf_pmu_unregister+0x530/0x530
[   29.803011]  ? perf_trace_lock_acquire+0x4f1/0x980
[   29.807935]  ? perf_trace_lock+0x900/0x900
[   29.812156]  ? perf_tp_event+0xc30/0xc30
[   29.816204]  ? graph_lock+0x170/0x170
[   29.819989]  ? memset+0x31/0x40
[   29.823262]  ? perf_trace_lock_acquire+0x4f1/0x980
[   29.828175]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   29.833360]  _perf_ioctl+0x84c/0x15e0
[   29.837148]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[   29.842327]  ? lock_downgrade+0x8e0/0x8e0
[   29.846465]  ? kasan_check_read+0x11/0x20
[   29.850600]  ? rcu_is_watching+0x85/0x140
[   29.854736]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   29.859921]  ? mutex_lock_nested+0x16/0x20
[   29.864142]  ? mutex_lock_nested+0x16/0x20
[   29.868371]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   29.873549]  ? perf_event_read_event+0x430/0x430
[   29.878303]  ? find_held_lock+0x36/0x1c0
[   29.882372]  perf_ioctl+0x59/0x80
[   29.885815]  ? _perf_ioctl+0x15e0/0x15e0
[   29.889859]  do_vfs_ioctl+0x1cf/0x16a0
[   29.893730]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.899252]  ? ioctl_preallocate+0x2e0/0x2e0
[   29.903652]  ? fget_raw+0x20/0x20
[   29.907098]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.912624]  ? __do_page_fault+0x441/0xe40
[   29.916864]  ? mm_fault_error+0x380/0x380
[   29.921001]  ? security_file_ioctl+0x94/0xc0
[   29.925395]  ksys_ioctl+0xa9/0xd0
[   29.928835]  __x64_sys_ioctl+0x73/0xb0
[   29.932712]  do_syscall_64+0x1b1/0x800
[   29.936591]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   29.941430]  ? syscall_return_slowpath+0x5c0/0x5c0
[   29.946360]  ? syscall_return_slowpath+0x30f/0x5c0
[   29.951289]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.956811]  ? retint_user+0x18/0x18
[   29.960524]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.965358]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.970626] RIP: 0033:0x43fda9
[   29.973798] RSP: 002b:00007ffdf8aca458 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   29.981506] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9
[   29.988762] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   29.996018] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   30.003270] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016d0
[   30.010529] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000
[   30.017794] 
[   30.019405] Allocated by task 1:
[   30.022768]  save_stack+0x43/0xd0
[   30.026203]  kasan_kmalloc+0xc4/0xe0
[   30.029898]  kmem_cache_alloc_trace+0x152/0x780
[   30.034550]  __kthread_create_on_node+0x127/0x4c0
[   30.039379]  kthread_create_on_node+0xa8/0xd0
[   30.043858]  cryptomgr_notify+0x5ac/0xb90
[   30.047991]  notifier_call_chain+0x178/0x380
[   30.052382]  blocking_notifier_call_chain+0x139/0x170
[   30.057556]  crypto_probing_notify+0x26/0x80
[   30.061949]  crypto_wait_for_test+0x42/0xe0
[   30.066252]  crypto_register_alg+0xc0/0xe0
[   30.070476]  crypto_register_shash+0x35/0x50
[   30.074869]  crc32_mod_init+0x15/0x17
[   30.078656]  do_one_initcall+0x127/0x913
[   30.082706]  kernel_init_freeable+0x49b/0x58e
[   30.087186]  kernel_init+0x11/0x1b3
[   30.090798]  ret_from_fork+0x3a/0x50
[   30.094489] 
[   30.096099] Freed by task 1:
[   30.099101]  save_stack+0x43/0xd0
[   30.102538]  __kasan_slab_free+0x11a/0x170
[   30.106929]  kasan_slab_free+0xe/0x10
[   30.110713]  kfree+0xd9/0x260
[   30.113889]  __kthread_create_on_node+0x34a/0x4c0
[   30.118715]  kthread_create_on_node+0xa8/0xd0
[   30.123194]  cryptomgr_notify+0x5ac/0xb90
[   30.127325]  notifier_call_chain+0x178/0x380
[   30.131719]  blocking_notifier_call_chain+0x139/0x170
[   30.136905]  crypto_probing_notify+0x26/0x80
[   30.141300]  crypto_wait_for_test+0x42/0xe0
[   30.145605]  crypto_register_alg+0xc0/0xe0
[   30.149831]  crypto_register_shash+0x35/0x50
[   30.154221]  crc32_mod_init+0x15/0x17
[   30.158005]  do_one_initcall+0x127/0x913
[   30.162050]  kernel_init_freeable+0x49b/0x58e
[   30.166544]  kernel_init+0x11/0x1b3
[   30.170166]  ret_from_fork+0x3a/0x50
[   30.173860] 
[   30.175472] The buggy address belongs to the object at ffff8801d311bd80
[   30.175472]  which belongs to the cache kmalloc-64 of size 64
[   30.187938] The buggy address is located 48 bytes to the right of
[   30.187938]  64-byte region [ffff8801d311bd80, ffff8801d311bdc0)
[   30.200145] The buggy address belongs to the page:
[   30.205057] page:ffffea00074c46c0 count:1 mapcount:0 mapping:ffff8801d311b000 index:0x0
[   30.213191] flags: 0x2fffc0000000100(slab)
[   30.217410] raw: 02fffc0000000100 ffff8801d311b000 0000000000000000 0000000100000020
[   30.225366] raw: ffffea00074a5520 ffff8801da801348 ffff8801da800340 0000000000000000
[   30.233748] page dumped because: kasan: bad access detected
[   30.239446] 
[   30.241056] Memory state around the buggy address:
[   30.245967]  ffff8801d311bc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.253308]  ffff8801d311bd00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.260658] >ffff8801d311bd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.267995]                                                              ^
[   30.274994]  ffff8801d311be00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   30.282510]  ffff8801d311be80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   30.289849] ==================================================================
[   30.297191] Disabling lock debugging due to kernel taint
[   30.302760] Kernel panic - not syncing: panic_on_warn set ...
[   30.302760] 
[   30.310124] CPU: 1 PID: 4538 Comm: syz-executor656 Tainted: G    B             4.17.0-rc2+ #22
[   30.318855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.328193] Call Trace:
[   30.330771]  dump_stack+0x1b9/0x294
[   30.334386]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.339561]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.344305]  ? process_preds+0x1910/0x19b0
[   30.348521]  panic+0x22f/0x4de
[   30.351699]  ? add_taint.cold.5+0x16/0x16
[   30.355837]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.363102]  ? do_raw_spin_unlock+0x9e/0x2e0
[   30.367502]  ? process_preds+0x1958/0x19b0
[   30.371736]  kasan_end_report+0x47/0x4f
[   30.375717]  kasan_report.cold.7+0x76/0x2fe
[   30.380031]  __asan_report_store4_noabort+0x17/0x20
[   30.385033]  process_preds+0x1958/0x19b0
[   30.389093]  ? create_filter_start.constprop.12+0xfb/0x2b0
[   30.394710]  ? parse_pred+0x28e0/0x28e0
[   30.398685]  ? create_filter_start.constprop.12+0x55/0x2b0
[   30.404318]  create_filter+0x155/0x270
[   30.408452]  ? process_preds+0x19b0/0x19b0
[   30.412688]  ftrace_profile_set_filter+0x130/0x2e0
[   30.417613]  ? ftrace_profile_free_filter+0x70/0x70
[   30.422627]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.428148]  ? memdup_user+0x6b/0xa0
[   30.431851]  perf_event_set_filter+0x248/0x1230
[   30.436505]  ? perf_tp_event+0xc30/0xc30
[   30.440560]  ? mutex_trylock+0x2a0/0x2a0
[   30.444792]  ? perf_pmu_unregister+0x530/0x530
[   30.449366]  ? perf_trace_lock_acquire+0x4f1/0x980
[   30.454281]  ? perf_trace_lock+0x900/0x900
[   30.458501]  ? perf_tp_event+0xc30/0xc30
[   30.462548]  ? graph_lock+0x170/0x170
[   30.466337]  ? memset+0x31/0x40
[   30.469609]  ? perf_trace_lock_acquire+0x4f1/0x980
[   30.474525]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.479702]  _perf_ioctl+0x84c/0x15e0
[   30.483490]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[   30.488666]  ? lock_downgrade+0x8e0/0x8e0
[   30.492802]  ? kasan_check_read+0x11/0x20
[   30.496929]  ? rcu_is_watching+0x85/0x140
[   30.501059]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   30.506240]  ? mutex_lock_nested+0x16/0x20
[   30.510467]  ? mutex_lock_nested+0x16/0x20
[   30.514691]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   30.519878]  ? perf_event_read_event+0x430/0x430
[   30.524621]  ? find_held_lock+0x36/0x1c0
[   30.528673]  perf_ioctl+0x59/0x80
[   30.532110]  ? _perf_ioctl+0x15e0/0x15e0
[   30.536160]  do_vfs_ioctl+0x1cf/0x16a0
[   30.540040]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.545563]  ? ioctl_preallocate+0x2e0/0x2e0
[   30.549956]  ? fget_raw+0x20/0x20
[   30.553485]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.559011]  ? __do_page_fault+0x441/0xe40
[   30.563231]  ? mm_fault_error+0x380/0x380
[   30.567375]  ? security_file_ioctl+0x94/0xc0
[   30.571771]  ksys_ioctl+0xa9/0xd0
[   30.575210]  __x64_sys_ioctl+0x73/0xb0
[   30.579625]  do_syscall_64+0x1b1/0x800
[   30.583493]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   30.589105]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.594020]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.598945]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.604471]  ? retint_user+0x18/0x18
[   30.608170]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.612999]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.618172] RIP: 0033:0x43fda9
[   30.621342] RSP: 002b:00007ffdf8aca458 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   30.629042] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9
[   30.636295] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[   30.643554] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   30.650805] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016d0
[   30.658063] R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000
[   30.665758] Dumping ftrace buffer:
[   30.669297]    (ftrace buffer empty)
[   30.672991] Kernel Offset: disabled
[   30.676609] Rebooting in 86400 seconds..