[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.893976] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.316254] random: sshd: uninitialized urandom read (32 bytes read) [ 24.644301] random: sshd: uninitialized urandom read (32 bytes read) [ 25.348550] random: sshd: uninitialized urandom read (32 bytes read) [ 25.509643] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.19' (ECDSA) to the list of known hosts. [ 30.967957] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.072328] ================================================================== [ 31.079826] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0 [ 31.086800] Write of size 4 at addr ffff8801cecf4970 by task syz-executor308/4537 [ 31.094413] [ 31.096043] CPU: 1 PID: 4537 Comm: syz-executor308 Not tainted 4.17.0-rc2+ #20 [ 31.103385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.112717] Call Trace: [ 31.115309] dump_stack+0x1b9/0x294 [ 31.118925] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.124102] ? printk+0x9e/0xba [ 31.127368] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.132127] ? kasan_check_write+0x14/0x20 [ 31.136355] print_address_description+0x6c/0x20b [ 31.141185] ? process_preds+0x191f/0x19d0 [ 31.145413] kasan_report.cold.7+0x242/0x2fe [ 31.149814] __asan_report_store4_noabort+0x17/0x20 [ 31.154813] process_preds+0x191f/0x19d0 [ 31.158869] ? parse_pred+0x28e0/0x28e0 [ 31.162843] ? create_filter_start.constprop.12+0x55/0x2b0 [ 31.168546] create_filter+0x155/0x270 [ 31.172421] ? process_preds+0x19d0/0x19d0 [ 31.176653] ftrace_profile_set_filter+0x130/0x2e0 [ 31.181572] ? ftrace_profile_free_filter+0x70/0x70 [ 31.186577] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.192101] ? memdup_user+0x6b/0xa0 [ 31.195816] perf_event_set_filter+0x248/0x1230 [ 31.200472] ? mutex_trylock+0x2a0/0x2a0 [ 31.204517] ? perf_pmu_unregister+0x530/0x530 [ 31.209083] ? __thp_get_unmapped_area+0x180/0x180 [ 31.213998] ? perf_trace_lock_acquire+0xe3/0x980 [ 31.218824] ? perf_trace_lock+0x900/0x900 [ 31.223059] ? graph_lock+0x170/0x170 [ 31.226937] ? lock_downgrade+0x8e0/0x8e0 [ 31.231069] ? perf_trace_lock_acquire+0xe3/0x980 [ 31.235894] ? rcu_is_watching+0x85/0x140 [ 31.240027] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.245201] _perf_ioctl+0x84c/0x15e0 [ 31.248985] ? __do_sys_perf_event_open+0x2fa0/0x2fa0 [ 31.254160] ? lock_downgrade+0x8e0/0x8e0 [ 31.258318] ? kasan_check_read+0x11/0x20 [ 31.262448] ? rcu_is_watching+0x85/0x140 [ 31.266593] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.271804] ? mutex_lock_nested+0x16/0x20 [ 31.276048] ? mutex_lock_nested+0x16/0x20 [ 31.280269] ? perf_event_ctx_lock_nested+0x40d/0x4e0 [ 31.285469] ? perf_event_read_event+0x430/0x430 [ 31.290208] ? find_held_lock+0x36/0x1c0 [ 31.294259] perf_ioctl+0x59/0x80 [ 31.297696] ? _perf_ioctl+0x15e0/0x15e0 [ 31.301741] do_vfs_ioctl+0x1cf/0x16a0 [ 31.305614] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.311139] ? ioctl_preallocate+0x2e0/0x2e0 [ 31.315540] ? fget_raw+0x20/0x20 [ 31.319001] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.324530] ? __do_page_fault+0x441/0xe40 [ 31.328759] ? mm_fault_error+0x380/0x380 [ 31.332890] ? security_file_ioctl+0x94/0xc0 [ 31.337286] ksys_ioctl+0xa9/0xd0 [ 31.340726] __x64_sys_ioctl+0x73/0xb0 [ 31.344597] do_syscall_64+0x1b1/0x800 [ 31.348478] ? syscall_return_slowpath+0x5c0/0x5c0 [ 31.353396] ? syscall_return_slowpath+0x30f/0x5c0 [ 31.358313] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.363837] ? retint_user+0x18/0x18 [ 31.367538] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.372368] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.377541] RIP: 0033:0x43fdb9 [ 31.380715] RSP: 002b:00007fff0d13b8f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 31.388425] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 31.395679] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 31.402938] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 31.410196] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 31.417449] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 31.424724] [ 31.426347] Allocated by task 1: [ 31.429724] save_stack+0x43/0xd0 [ 31.433165] kasan_kmalloc+0xc4/0xe0 [ 31.436881] kmem_cache_alloc_trace+0x152/0x780 [ 31.441553] virtscsi_target_alloc+0xcc/0x1d0 [ 31.446029] scsi_alloc_target+0x952/0xbe0 [ 31.450333] __scsi_scan_target+0x193/0xfe0 [ 31.454652] scsi_scan_channel.part.7+0x11f/0x190 [ 31.459478] scsi_scan_host_selected+0x2b9/0x3d0 [ 31.464304] do_scsi_scan_host+0x1ee/0x260 [ 31.468519] scsi_scan_host+0x4a2/0x590 [ 31.472508] virtscsi_probe+0xbe5/0xf04 [ 31.476640] virtio_dev_probe+0x592/0x942 [ 31.480769] driver_probe_device+0x69b/0x960 [ 31.485179] __driver_attach+0x1b2/0x1f0 [ 31.489253] bus_for_each_dev+0x151/0x1d0 [ 31.493388] driver_attach+0x3d/0x50 [ 31.497082] bus_add_driver+0x4b2/0x600 [ 31.501037] driver_register+0x1bf/0x320 [ 31.505083] register_virtio_driver+0x79/0xd0 [ 31.509560] init+0xa3/0x114 [ 31.512562] do_one_initcall+0x127/0x913 [ 31.516605] kernel_init_freeable+0x49b/0x58e [ 31.521079] kernel_init+0x11/0x1b3 [ 31.524688] ret_from_fork+0x3a/0x50 [ 31.528383] [ 31.529998] Freed by task 1: [ 31.533000] save_stack+0x43/0xd0 [ 31.536443] __kasan_slab_free+0x11a/0x170 [ 31.540662] kasan_slab_free+0xe/0x10 [ 31.544447] kfree+0xd9/0x260 [ 31.547538] virtscsi_target_destroy+0x37/0x50 [ 31.552109] scsi_target_destroy+0x1fa/0x560 [ 31.556501] scsi_target_reap+0xf8/0x140 [ 31.560544] __scsi_scan_target+0x221/0xfe0 [ 31.564849] scsi_scan_channel.part.7+0x11f/0x190 [ 31.569676] scsi_scan_host_selected+0x2b9/0x3d0 [ 31.574525] do_scsi_scan_host+0x1ee/0x260 [ 31.578751] scsi_scan_host+0x4a2/0x590 [ 31.582711] virtscsi_probe+0xbe5/0xf04 [ 31.586674] virtio_dev_probe+0x592/0x942 [ 31.590822] driver_probe_device+0x69b/0x960 [ 31.595211] __driver_attach+0x1b2/0x1f0 [ 31.599252] bus_for_each_dev+0x151/0x1d0 [ 31.603391] driver_attach+0x3d/0x50 [ 31.607091] bus_add_driver+0x4b2/0x600 [ 31.611132] driver_register+0x1bf/0x320 [ 31.615176] register_virtio_driver+0x79/0xd0 [ 31.619657] init+0xa3/0x114 [ 31.622670] do_one_initcall+0x127/0x913 [ 31.626722] kernel_init_freeable+0x49b/0x58e [ 31.631213] kernel_init+0x11/0x1b3 [ 31.634828] ret_from_fork+0x3a/0x50 [ 31.638519] [ 31.640147] The buggy address belongs to the object at ffff8801cecf4900 [ 31.640147] which belongs to the cache kmalloc-64 of size 64 [ 31.652616] The buggy address is located 48 bytes to the right of [ 31.652616] 64-byte region [ffff8801cecf4900, ffff8801cecf4940) [ 31.664819] The buggy address belongs to the page: [ 31.669733] page:ffffea00073b3d00 count:1 mapcount:0 mapping:ffff8801cecf4000 index:0x0 [ 31.677859] flags: 0x2fffc0000000100(slab) [ 31.682078] raw: 02fffc0000000100 ffff8801cecf4000 0000000000000000 0000000100000020 [ 31.690115] raw: ffffea0007406a20 ffffea00073a35a0 ffff8801da800340 0000000000000000 [ 31.697973] page dumped because: kasan: bad access detected [ 31.703658] [ 31.705265] Memory state around the buggy address: [ 31.710183] ffff8801cecf4800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.717525] ffff8801cecf4880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.724866] >ffff8801cecf4900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.732213] ^ [ 31.739210] ffff8801cecf4980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 31.746563] ffff8801cecf4a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.753908] ================================================================== [ 31.761247] Disabling lock debugging due to kernel taint [ 31.766813] Kernel panic - not syncing: panic_on_warn set ... [ 31.766813] [ 31.774172] CPU: 1 PID: 4537 Comm: syz-executor308 Tainted: G B 4.17.0-rc2+ #20 [ 31.782899] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.792233] Call Trace: [ 31.794816] dump_stack+0x1b9/0x294 [ 31.798428] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.803610] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.808356] ? process_preds+0x1890/0x19d0 [ 31.812581] panic+0x22f/0x4de [ 31.815758] ? add_taint.cold.5+0x16/0x16 [ 31.819892] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.824416] ? do_raw_spin_unlock+0x9e/0x2e0 [ 31.828812] ? process_preds+0x191f/0x19d0 [ 31.833031] kasan_end_report+0x47/0x4f [ 31.836989] kasan_report.cold.7+0x76/0x2fe [ 31.841294] __asan_report_store4_noabort+0x17/0x20 [ 31.846291] process_preds+0x191f/0x19d0 [ 31.850339] ? parse_pred+0x28e0/0x28e0 [ 31.854301] ? create_filter_start.constprop.12+0x55/0x2b0 [ 31.859914] create_filter+0x155/0x270 [ 31.863788] ? process_preds+0x19d0/0x19d0 [ 31.868009] ftrace_profile_set_filter+0x130/0x2e0 [ 31.872928] ? ftrace_profile_free_filter+0x70/0x70 [ 31.877926] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.883444] ? memdup_user+0x6b/0xa0 [ 31.887152] perf_event_set_filter+0x248/0x1230 [ 31.891805] ? mutex_trylock+0x2a0/0x2a0 [ 31.895843] ? perf_pmu_unregister+0x530/0x530 [ 31.900407] ? __thp_get_unmapped_area+0x180/0x180 [ 31.906012] ? perf_trace_lock_acquire+0xe3/0x980 [ 31.910842] ? perf_trace_lock+0x900/0x900 [ 31.915061] ? graph_lock+0x170/0x170 [ 31.918847] ? lock_downgrade+0x8e0/0x8e0 [ 31.922987] ? perf_trace_lock_acquire+0xe3/0x980 [ 31.927811] ? rcu_is_watching+0x85/0x140 [ 31.931948] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 31.937138] _perf_ioctl+0x84c/0x15e0 [ 31.940919] ? __do_sys_perf_event_open+0x2fa0/0x2fa0 [ 31.946092] ? lock_downgrade+0x8e0/0x8e0 [ 31.950223] ? kasan_check_read+0x11/0x20 [ 31.954353] ? rcu_is_watching+0x85/0x140 [ 31.958484] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 31.963669] ? mutex_lock_nested+0x16/0x20 [ 31.967887] ? mutex_lock_nested+0x16/0x20 [ 31.972106] ? perf_event_ctx_lock_nested+0x40d/0x4e0 [ 31.977291] ? perf_event_read_event+0x430/0x430 [ 31.982028] ? find_held_lock+0x36/0x1c0 [ 31.986075] perf_ioctl+0x59/0x80 [ 31.989512] ? _perf_ioctl+0x15e0/0x15e0 [ 31.993558] do_vfs_ioctl+0x1cf/0x16a0 [ 31.997431] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.002954] ? ioctl_preallocate+0x2e0/0x2e0 [ 32.007354] ? fget_raw+0x20/0x20 [ 32.010795] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.016320] ? __do_page_fault+0x441/0xe40 [ 32.020540] ? mm_fault_error+0x380/0x380 [ 32.024673] ? security_file_ioctl+0x94/0xc0 [ 32.029065] ksys_ioctl+0xa9/0xd0 [ 32.032503] __x64_sys_ioctl+0x73/0xb0 [ 32.036374] do_syscall_64+0x1b1/0x800 [ 32.040245] ? syscall_return_slowpath+0x5c0/0x5c0 [ 32.045158] ? syscall_return_slowpath+0x30f/0x5c0 [ 32.050083] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.055601] ? retint_user+0x18/0x18 [ 32.059298] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.064129] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.069299] RIP: 0033:0x43fdb9 [ 32.072482] RSP: 002b:00007fff0d13b8f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 32.080177] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 32.087448] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 32.094711] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.101960] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 32.109210] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 32.116905] Dumping ftrace buffer: [ 32.120436] (ftrace buffer empty) [ 32.124126] Kernel Offset: disabled [ 32.127739] Rebooting in 86400 seconds..