[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 16.790456] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.616678] random: sshd: uninitialized urandom read (32 bytes read) [ 18.871605] random: sshd: uninitialized urandom read (32 bytes read) [ 19.577842] random: sshd: uninitialized urandom read (32 bytes read) [ 25.980911] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.25' (ECDSA) to the list of known hosts. [ 31.629632] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.723362] FAULT_INJECTION: forcing a failure. [ 31.723362] name failslab, interval 1, probability 0, space 0, times 1 [ 31.734631] CPU: 1 PID: 4473 Comm: syz-executor500 Not tainted 4.18.0-rc3-next-20180706+ #1 [ 31.743108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.753341] Call Trace: [ 31.755976] dump_stack+0x1c9/0x2b4 [ 31.759616] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.764795] should_fail.cold.4+0xa/0x11 [ 31.768841] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 31.773944] ? mm_fault_error+0x380/0x380 [ 31.778087] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.783705] ? tcp_push+0x8c0/0x8c0 [ 31.787317] ? do_page_fault+0xf6/0x8c0 [ 31.791278] ? vmalloc_sync_all+0x30/0x30 [ 31.795412] ? sk_busy_loop_end+0x1c0/0x1c0 [ 31.799715] ? trace_hardirqs_on+0x10/0x10 [ 31.803936] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 31.809457] ? alloc_pages_current+0x114/0x210 [ 31.814018] ? lock_acquire+0x1e4/0x540 [ 31.817985] ? fs_reclaim_acquire+0x20/0x20 [ 31.822293] ? lock_downgrade+0x8f0/0x8f0 [ 31.826429] ? lock_acquire+0x1e4/0x540 [ 31.830390] ? check_same_owner+0x340/0x340 [ 31.834691] ? check_same_owner+0x340/0x340 [ 31.839007] ? rcu_note_context_switch+0x730/0x730 [ 31.843922] __should_failslab+0x124/0x180 [ 31.848156] should_failslab+0x9/0x14 [ 31.851948] __kmalloc+0x2c8/0x760 [ 31.855471] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 31.860487] ? _copy_from_iter+0x39d/0x1090 [ 31.864806] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 31.869813] ? tls_push_record+0x10d/0x1400 [ 31.874128] ? __check_object_size+0x9d/0x5f2 [ 31.878614] tls_push_record+0x10d/0x1400 [ 31.882748] ? _copy_from_iter_nocache+0x1050/0x1050 [ 31.887852] ? __local_bh_enable_ip+0x161/0x230 [ 31.892508] tls_sw_sendmsg+0x9e6/0x12c0 [ 31.896550] ? lock_release+0xa30/0xa30 [ 31.900508] ? tls_sw_push_pending_record+0x30/0x30 [ 31.905504] ? lock_downgrade+0x8f0/0x8f0 [ 31.909633] ? __sanitizer_cov_trace_cmp8+0x7/0x20 [ 31.914572] ? lock_release+0xa30/0xa30 [ 31.918559] ? __check_object_size+0x9d/0x5f2 [ 31.923042] inet_sendmsg+0x1a1/0x690 [ 31.926824] ? ipip_gro_receive+0x100/0x100 [ 31.931134] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.936813] ? security_socket_sendmsg+0x94/0xc0 [ 31.941559] ? ipip_gro_receive+0x100/0x100 [ 31.945867] sock_sendmsg+0xd5/0x120 [ 31.949566] __sys_sendto+0x3d7/0x670 [ 31.953350] ? __ia32_sys_getpeername+0xb0/0xb0 [ 31.958009] ? vfs_write+0x2f3/0x560 [ 31.961707] ? lock_downgrade+0x8f0/0x8f0 [ 31.965840] ? lock_release+0xa30/0xa30 [ 31.970062] ? fsnotify_first_mark+0x350/0x350 [ 31.974622] ? __fsnotify_parent+0xcc/0x420 [ 31.978924] ? fsnotify+0x14e0/0x14e0 [ 31.982717] ? __sb_end_write+0xac/0xe0 [ 31.986677] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.992196] ? ksys_write+0x1ae/0x260 [ 31.995989] ? __ia32_sys_read+0xb0/0xb0 [ 32.000043] ? syscall_slow_exit_work+0x500/0x500 [ 32.004907] __x64_sys_sendto+0xe1/0x1a0 [ 32.008953] do_syscall_64+0x1b9/0x820 [ 32.012822] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.017733] ? syscall_return_slowpath+0x31d/0x5e0 [ 32.022645] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 32.027794] ? prepare_exit_to_usermode+0x291/0x3b0 [ 32.032798] ? perf_trace_sys_enter+0xb10/0xb10 [ 32.037465] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.042300] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.047475] RIP: 0033:0x440669 [ 32.050654] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 32.069778] RSP: 002b:00007ffd05d37378 EFLAGS: 00000216 ORIG_RAX: 000000000000002c [ 32.077472] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440669 [ 32.084736] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000004 [ 32.092083] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c [ 32.099344] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000005 [ 32.106595] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 32.114866] ================================================================== [ 32.122261] BUG: KASAN: use-after-free in tls_push_record+0x1091/0x1400 [ 32.129085] Write of size 1 at addr ffff8801b8140000 by task syz-executor500/4473 [ 32.136679] [ 32.138292] CPU: 1 PID: 4473 Comm: syz-executor500 Not tainted 4.18.0-rc3-next-20180706+ #1 [ 32.146768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.156109] Call Trace: [ 32.158705] dump_stack+0x1c9/0x2b4 [ 32.162329] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.167601] ? printk+0xa7/0xcf [ 32.170884] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.175642] ? tls_push_record+0x1091/0x1400 [ 32.180061] print_address_description+0x6c/0x20b [ 32.184914] ? tls_push_record+0x1091/0x1400 [ 32.189339] kasan_report.cold.7+0x242/0x30d [ 32.193761] __asan_report_store1_noabort+0x17/0x20 [ 32.198790] tls_push_record+0x1091/0x1400 [ 32.203039] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.207632] ? lock_sock_nested+0x9f/0x120 [ 32.211868] tls_sw_push_pending_record+0x22/0x30 [ 32.216704] tls_sk_proto_close+0x74c/0xae0 [ 32.221010] ? lock_acquire+0x1e4/0x540 [ 32.225235] ? tcp_check_oom+0x530/0x530 [ 32.229288] ? lock_downgrade+0x8f0/0x8f0 [ 32.233550] ? tls_write_space+0x360/0x360 [ 32.237772] ? kasan_check_read+0x11/0x20 [ 32.241905] ? rcu_note_context_switch+0x730/0x730 [ 32.246821] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.252343] ? ipv6_sock_ac_close+0x356/0x490 [ 32.256824] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.262343] ? ipv6_sock_mc_close+0x162/0x1d0 [ 32.266821] ? ip_mc_drop_socket+0x20f/0x270 [ 32.271211] ? down_write+0x8f/0x130 [ 32.274919] inet_release+0x104/0x1f0 [ 32.278703] inet6_release+0x50/0x70 [ 32.282403] __sock_release+0xd7/0x260 [ 32.286276] ? __sock_release+0x260/0x260 [ 32.290490] sock_close+0x19/0x20 [ 32.293927] __fput+0x35d/0x930 [ 32.297186] ? fput+0x1a0/0x1a0 [ 32.300450] ? check_same_owner+0x340/0x340 [ 32.304753] ? kasan_check_write+0x14/0x20 [ 32.308969] ? do_raw_spin_lock+0xc1/0x200 [ 32.313193] ____fput+0x15/0x20 [ 32.316469] task_work_run+0x1ec/0x2a0 [ 32.320341] ? task_work_cancel+0x250/0x250 [ 32.324648] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.330165] ? switch_task_namespaces+0xa2/0xd0 [ 32.334814] do_exit+0x1b08/0x2750 [ 32.338336] ? mm_update_next_owner+0x9a0/0x9a0 [ 32.342988] ? finish_task_switch+0x1d3/0x870 [ 32.347467] ? lock_downgrade+0x8f0/0x8f0 [ 32.351606] ? finish_task_switch+0x18a/0x870 [ 32.356086] ? kasan_check_read+0x11/0x20 [ 32.360219] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.364636] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.369250] ? compat_start_thread+0x80/0x80 [ 32.373682] ? kasan_check_write+0x14/0x20 [ 32.377941] ? finish_task_switch+0x2ca/0x870 [ 32.382453] ? preempt_notifier_register+0x200/0x200 [ 32.387564] ? lock_downgrade+0x8f0/0x8f0 [ 32.391693] ? lock_repin_lock+0x430/0x430 [ 32.395921] ? kasan_check_write+0x14/0x20 [ 32.400161] ? __sched_text_start+0x8/0x8 [ 32.404298] ? security_socket_sendmsg+0x94/0xc0 [ 32.409036] ? ipip_gro_receive+0x100/0x100 [ 32.413342] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.418866] ? sock_sendmsg+0x5a/0x120 [ 32.422734] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.428252] ? __sys_sendto+0x475/0x670 [ 32.432221] ? __ia32_sys_getpeername+0xb0/0xb0 [ 32.436871] ? vfs_write+0x2f3/0x560 [ 32.440566] ? lock_downgrade+0x8f0/0x8f0 [ 32.444696] ? lock_release+0xa30/0xa30 [ 32.448653] ? schedule+0xfb/0x450 [ 32.452172] ? fsnotify+0x14e0/0x14e0 [ 32.455956] ? __schedule+0x1ed0/0x1ed0 [ 32.459912] ? __sb_end_write+0xac/0xe0 [ 32.463885] do_group_exit+0x177/0x440 [ 32.467756] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.473274] ? __ia32_sys_exit+0x50/0x50 [ 32.477330] ? syscall_slow_exit_work+0x500/0x500 [ 32.482153] __x64_sys_exit_group+0x3e/0x50 [ 32.486455] do_syscall_64+0x1b9/0x820 [ 32.490325] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.495240] ? syscall_return_slowpath+0x31d/0x5e0 [ 32.500158] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 32.505162] ? prepare_exit_to_usermode+0x291/0x3b0 [ 32.510163] ? perf_trace_sys_enter+0xb10/0xb10 [ 32.514815] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.519645] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.524817] RIP: 0033:0x43f328 [ 32.527985] Code: Bad RIP value. [ 32.531352] RSP: 002b:00007ffd05d373b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 32.539046] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f328 [ 32.546296] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 32.553545] RBP: 00000000004bf408 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 32.560794] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 32.568045] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 32.575298] [ 32.576904] The buggy address belongs to the page: [ 32.581815] page:ffffea0006e05000 count:0 mapcount:-128 mapping:0000000000000000 index:0x0 [ 32.590198] flags: 0x2fffc0000000000() [ 32.594072] raw: 02fffc0000000000 ffffea0006ac5608 ffff88021fffac18 0000000000000000 [ 32.601936] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 [ 32.609800] page dumped because: kasan: bad access detected [ 32.615486] [ 32.617094] Memory state around the buggy address: [ 32.622002] ffff8801b813ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.629341] ffff8801b813ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.636680] >ffff8801b8140000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.644028] ^ [ 32.647374] ffff8801b8140080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.654712] ffff8801b8140100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.662046] ================================================================== [ 32.669596] Kernel panic - not syncing: panic_on_warn set ... [ 32.669596] [ 32.676958] CPU: 1 PID: 4473 Comm: syz-executor500 Tainted: G B 4.18.0-rc3-next-20180706+ #1 [ 32.687023] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.696365] Call Trace: [ 32.698946] dump_stack+0x1c9/0x2b4 [ 32.702560] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.707740] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.712482] panic+0x238/0x4e7 [ 32.715655] ? add_taint.cold.5+0x16/0x16 [ 32.719787] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.724177] ? tls_push_record+0x1091/0x1400 [ 32.728589] kasan_end_report+0x47/0x4f [ 32.732544] kasan_report.cold.7+0x76/0x30d [ 32.736858] __asan_report_store1_noabort+0x17/0x20 [ 32.741884] tls_push_record+0x1091/0x1400 [ 32.746111] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.750689] ? lock_sock_nested+0x9f/0x120 [ 32.754921] tls_sw_push_pending_record+0x22/0x30 [ 32.759743] tls_sk_proto_close+0x74c/0xae0 [ 32.764048] ? lock_acquire+0x1e4/0x540 [ 32.768003] ? tcp_check_oom+0x530/0x530 [ 32.772044] ? lock_downgrade+0x8f0/0x8f0 [ 32.776174] ? tls_write_space+0x360/0x360 [ 32.780400] ? kasan_check_read+0x11/0x20 [ 32.784527] ? rcu_note_context_switch+0x730/0x730 [ 32.789437] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.794955] ? ipv6_sock_ac_close+0x356/0x490 [ 32.799430] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.804961] ? ipv6_sock_mc_close+0x162/0x1d0 [ 32.809438] ? ip_mc_drop_socket+0x20f/0x270 [ 32.813920] ? down_write+0x8f/0x130 [ 32.817616] inet_release+0x104/0x1f0 [ 32.821407] inet6_release+0x50/0x70 [ 32.825104] __sock_release+0xd7/0x260 [ 32.828976] ? __sock_release+0x260/0x260 [ 32.833116] sock_close+0x19/0x20 [ 32.836562] __fput+0x35d/0x930 [ 32.839831] ? fput+0x1a0/0x1a0 [ 32.843095] ? check_same_owner+0x340/0x340 [ 32.847403] ? kasan_check_write+0x14/0x20 [ 32.851621] ? do_raw_spin_lock+0xc1/0x200 [ 32.855947] ____fput+0x15/0x20 [ 32.859417] task_work_run+0x1ec/0x2a0 [ 32.863332] ? task_work_cancel+0x250/0x250 [ 32.867664] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.873198] ? switch_task_namespaces+0xa2/0xd0 [ 32.877877] do_exit+0x1b08/0x2750 [ 32.881410] ? mm_update_next_owner+0x9a0/0x9a0 [ 32.886075] ? finish_task_switch+0x1d3/0x870 [ 32.890560] ? lock_downgrade+0x8f0/0x8f0 [ 32.894698] ? finish_task_switch+0x18a/0x870 [ 32.899192] ? kasan_check_read+0x11/0x20 [ 32.903323] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.907727] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.912309] ? compat_start_thread+0x80/0x80 [ 32.916709] ? kasan_check_write+0x14/0x20 [ 32.920927] ? finish_task_switch+0x2ca/0x870 [ 32.925415] ? preempt_notifier_register+0x200/0x200 [ 32.930515] ? lock_downgrade+0x8f0/0x8f0 [ 32.934665] ? lock_repin_lock+0x430/0x430 [ 32.938892] ? kasan_check_write+0x14/0x20 [ 32.943117] ? __sched_text_start+0x8/0x8 [ 32.947248] ? security_socket_sendmsg+0x94/0xc0 [ 32.951984] ? ipip_gro_receive+0x100/0x100 [ 32.956307] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.961838] ? sock_sendmsg+0x5a/0x120 [ 32.965705] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.971221] ? __sys_sendto+0x475/0x670 [ 32.975186] ? __ia32_sys_getpeername+0xb0/0xb0 [ 32.979836] ? vfs_write+0x2f3/0x560 [ 32.983543] ? lock_downgrade+0x8f0/0x8f0 [ 32.987690] ? lock_release+0xa30/0xa30 [ 32.991660] ? schedule+0xfb/0x450 [ 32.996668] ? fsnotify+0x14e0/0x14e0 [ 33.000454] ? __schedule+0x1ed0/0x1ed0 [ 33.004426] ? __sb_end_write+0xac/0xe0 [ 33.008396] do_group_exit+0x177/0x440 [ 33.012271] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.017792] ? __ia32_sys_exit+0x50/0x50 [ 33.021837] ? syscall_slow_exit_work+0x500/0x500 [ 33.026675] __x64_sys_exit_group+0x3e/0x50 [ 33.030978] do_syscall_64+0x1b9/0x820 [ 33.034858] ? syscall_return_slowpath+0x5e0/0x5e0 [ 33.039777] ? syscall_return_slowpath+0x31d/0x5e0 [ 33.044688] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 33.049685] ? prepare_exit_to_usermode+0x291/0x3b0 [ 33.054682] ? perf_trace_sys_enter+0xb10/0xb10 [ 33.059346] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.064171] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.069339] RIP: 0033:0x43f328 [ 33.072505] Code: Bad RIP value. [ 33.075862] RSP: 002b:00007ffd05d373b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 33.083561] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f328 [ 33.090875] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 33.098123] RBP: 00000000004bf408 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 33.105382] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 [ 33.112639] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 33.120362] Dumping ftrace buffer: [ 33.123881] (ftrace buffer empty) [ 33.127576] Kernel Offset: disabled [ 33.131182] Rebooting in 86400 seconds..