[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.985729] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.704478] random: sshd: uninitialized urandom read (32 bytes read) [ 25.023324] random: sshd: uninitialized urandom read (32 bytes read) [ 25.867905] random: sshd: uninitialized urandom read (32 bytes read) [ 26.027168] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts. [ 31.602471] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.701511] ================================================================== [ 31.709046] BUG: KASAN: slab-out-of-bounds in process_preds+0x3ecf/0x4160 [ 31.715960] Write of size 4 at addr ffff8801cf890ff0 by task syz-executor831/4570 [ 31.723557] [ 31.725181] CPU: 1 PID: 4570 Comm: syz-executor831 Not tainted 4.17.0+ #105 [ 31.732274] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.741609] Call Trace: [ 31.744208] dump_stack+0x1c9/0x2b4 [ 31.747825] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.753044] ? printk+0xa7/0xcf [ 31.756335] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.761083] ? process_preds+0x3ecf/0x4160 [ 31.765304] print_address_description+0x6c/0x20b [ 31.770134] ? process_preds+0x3ecf/0x4160 [ 31.774360] kasan_report.cold.7+0x242/0x2fe [ 31.778761] __asan_report_store4_noabort+0x17/0x20 [ 31.783760] process_preds+0x3ecf/0x4160 [ 31.787812] ? filter_parse_regex+0x2b0/0x2b0 [ 31.792308] ? create_filter_start.constprop.14+0xfb/0x2b0 [ 31.797933] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.802956] ? kmem_cache_alloc_trace+0x616/0x780 [ 31.807794] ? create_filter_start.constprop.14+0x55/0x2b0 [ 31.813400] create_filter+0x167/0x280 [ 31.817279] ? process_preds+0x4160/0x4160 [ 31.821606] ftrace_profile_set_filter+0x135/0x2f0 [ 31.826515] ? ftrace_profile_free_filter+0x70/0x70 [ 31.831520] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.837053] ? memdup_user+0x6b/0xa0 [ 31.840753] perf_event_set_filter+0x251/0x1260 [ 31.845414] ? mutex_trylock+0x2b0/0x2b0 [ 31.849462] ? __mutex_lock+0x7e8/0x1820 [ 31.853513] ? graph_lock+0x170/0x170 [ 31.857292] ? graph_lock+0x170/0x170 [ 31.861073] ? perf_pmu_unregister+0x540/0x540 [ 31.865639] ? mutex_trylock+0x2b0/0x2b0 [ 31.869703] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.875231] ? smp_call_function_single+0x2d6/0x5c0 [ 31.880254] ? find_held_lock+0x36/0x1c0 [ 31.884300] ? graph_lock+0x170/0x170 [ 31.889658] ? lock_downgrade+0x8f0/0x8f0 [ 31.893804] _perf_ioctl+0x865/0x1600 [ 31.897606] ? __do_sys_perf_event_open+0x30f0/0x30f0 [ 31.902792] ? lock_downgrade+0x8f0/0x8f0 [ 31.906929] ? kasan_check_read+0x11/0x20 [ 31.911061] ? rcu_is_watching+0x8c/0x150 [ 31.915198] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 31.919594] ? mutex_lock_nested+0x16/0x20 [ 31.923813] ? mutex_lock_nested+0x16/0x20 [ 31.928051] ? perf_event_ctx_lock_nested+0x415/0x500 [ 31.933266] ? trace_hardirqs_on_caller+0x371/0x5c0 [ 31.938275] ? perf_event_read_event+0x450/0x450 [ 31.943013] ? fd_install+0x4d/0x60 [ 31.946633] ? __do_sys_perf_event_open+0x7c7/0x30f0 [ 31.951722] perf_ioctl+0x59/0x80 [ 31.955161] ? _perf_ioctl+0x1600/0x1600 [ 31.959206] do_vfs_ioctl+0x1de/0x1720 [ 31.963080] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.968600] ? ioctl_preallocate+0x300/0x300 [ 31.972991] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.978508] ? __fget_light+0x2f7/0x440 [ 31.982464] ? fget_raw+0x20/0x20 [ 31.985902] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.991421] ? __do_page_fault+0x449/0xe50 [ 31.995649] ? mm_fault_error+0x380/0x380 [ 31.999782] ? security_file_ioctl+0x94/0xc0 [ 32.004173] ksys_ioctl+0xa9/0xd0 [ 32.007609] __x64_sys_ioctl+0x73/0xb0 [ 32.011477] do_syscall_64+0x1b9/0x820 [ 32.015346] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.020263] ? syscall_return_slowpath+0x31d/0x5e0 [ 32.025180] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.030536] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.035373] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.040543] RIP: 0033:0x43fdb9 [ 32.043708] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 32.063402] RSP: 002b:00007ffe5d86d708 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 32.071096] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 32.078351] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 32.085602] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.092851] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 32.100104] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 32.107360] [ 32.108968] Allocated by task 4553: [ 32.112581] save_stack+0x43/0xd0 [ 32.116019] kasan_kmalloc+0xc4/0xe0 [ 32.119721] kasan_slab_alloc+0x12/0x20 [ 32.123688] kmem_cache_alloc+0x12e/0x760 [ 32.127817] __split_vma+0x122/0x810 [ 32.131521] split_vma+0xa3/0xe0 [ 32.134876] mprotect_fixup+0x568/0x700 [ 32.138828] do_mprotect_pkey+0x5d2/0xa60 [ 32.142955] __x64_sys_mprotect+0x78/0xb0 [ 32.147520] do_syscall_64+0x1b9/0x820 [ 32.151389] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.156550] [ 32.158159] Freed by task 4553: [ 32.161425] save_stack+0x43/0xd0 [ 32.164859] __kasan_slab_free+0x11a/0x170 [ 32.169071] kasan_slab_free+0xe/0x10 [ 32.172850] kmem_cache_free+0x86/0x2d0 [ 32.176807] remove_vma+0x164/0x1b0 [ 32.180415] exit_mmap+0x365/0x5b0 [ 32.183936] mmput+0x265/0x620 [ 32.187118] do_exit+0xea9/0x2750 [ 32.190552] do_group_exit+0x177/0x440 [ 32.194415] __x64_sys_exit_group+0x3e/0x50 [ 32.198718] do_syscall_64+0x1b9/0x820 [ 32.202600] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.207764] [ 32.209371] The buggy address belongs to the object at ffff8801cf890eb0 [ 32.209371] which belongs to the cache vm_area_struct of size 200 [ 32.222271] The buggy address is located 120 bytes to the right of [ 32.222271] 200-byte region [ffff8801cf890eb0, ffff8801cf890f78) [ 32.234644] The buggy address belongs to the page: [ 32.239554] page:ffffea00073e2400 count:1 mapcount:0 mapping:ffff8801da97b840 index:0x0 [ 32.247678] flags: 0x2fffc0000000100(slab) [ 32.251897] raw: 02fffc0000000100 ffffea0006a47108 ffffea00074058c8 ffff8801da97b840 [ 32.259758] raw: 0000000000000000 ffff8801cf890040 000000010000000f 0000000000000000 [ 32.267614] page dumped because: kasan: bad access detected [ 32.273300] [ 32.274907] Memory state around the buggy address: [ 32.279816] ffff8801cf890e80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb [ 32.287155] ffff8801cf890f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc [ 32.294499] >ffff8801cf890f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.301836] ^ [ 32.308845] ffff8801cf891000: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 32.316181] ffff8801cf891080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 32.323524] ================================================================== [ 32.331119] Disabling lock debugging due to kernel taint [ 32.336703] Kernel panic - not syncing: panic_on_warn set ... [ 32.336703] [ 32.344082] CPU: 1 PID: 4570 Comm: syz-executor831 Tainted: G B 4.17.0+ #105 [ 32.352561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.361896] Call Trace: [ 32.364472] dump_stack+0x1c9/0x2b4 [ 32.368087] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.373256] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.377996] panic+0x238/0x4e7 [ 32.381172] ? add_taint.cold.5+0x16/0x16 [ 32.385299] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.389688] ? process_preds+0x3ecf/0x4160 [ 32.393904] kasan_end_report+0x47/0x4f [ 32.397944] kasan_report.cold.7+0x76/0x2fe [ 32.402263] __asan_report_store4_noabort+0x17/0x20 [ 32.407263] process_preds+0x3ecf/0x4160 [ 32.411310] ? filter_parse_regex+0x2b0/0x2b0 [ 32.415814] ? create_filter_start.constprop.14+0xfb/0x2b0 [ 32.421427] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.426423] ? kmem_cache_alloc_trace+0x616/0x780 [ 32.431250] ? create_filter_start.constprop.14+0x55/0x2b0 [ 32.436852] create_filter+0x167/0x280 [ 32.440719] ? process_preds+0x4160/0x4160 [ 32.444945] ftrace_profile_set_filter+0x135/0x2f0 [ 32.449860] ? ftrace_profile_free_filter+0x70/0x70 [ 32.454858] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.460376] ? memdup_user+0x6b/0xa0 [ 32.464070] perf_event_set_filter+0x251/0x1260 [ 32.468731] ? mutex_trylock+0x2b0/0x2b0 [ 32.472769] ? __mutex_lock+0x7e8/0x1820 [ 32.476811] ? graph_lock+0x170/0x170 [ 32.480589] ? graph_lock+0x170/0x170 [ 32.484368] ? perf_pmu_unregister+0x540/0x540 [ 32.488932] ? mutex_trylock+0x2b0/0x2b0 [ 32.492973] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.498490] ? smp_call_function_single+0x2d6/0x5c0 [ 32.503496] ? find_held_lock+0x36/0x1c0 [ 32.507547] ? graph_lock+0x170/0x170 [ 32.511332] ? lock_downgrade+0x8f0/0x8f0 [ 32.515462] _perf_ioctl+0x865/0x1600 [ 32.519243] ? __do_sys_perf_event_open+0x30f0/0x30f0 [ 32.524416] ? lock_downgrade+0x8f0/0x8f0 [ 32.528545] ? kasan_check_read+0x11/0x20 [ 32.532672] ? rcu_is_watching+0x8c/0x150 [ 32.536807] ? rcu_report_qs_rnp+0x7a0/0x7a0 [ 32.541210] ? mutex_lock_nested+0x16/0x20 [ 32.545423] ? mutex_lock_nested+0x16/0x20 [ 32.549646] ? perf_event_ctx_lock_nested+0x415/0x500 [ 32.554825] ? trace_hardirqs_on_caller+0x371/0x5c0 [ 32.559826] ? perf_event_read_event+0x450/0x450 [ 32.564562] ? fd_install+0x4d/0x60 [ 32.568169] ? __do_sys_perf_event_open+0x7c7/0x30f0 [ 32.573251] perf_ioctl+0x59/0x80 [ 32.576683] ? _perf_ioctl+0x1600/0x1600 [ 32.580723] do_vfs_ioctl+0x1de/0x1720 [ 32.584596] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.590112] ? ioctl_preallocate+0x300/0x300 [ 32.594496] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.600027] ? __fget_light+0x2f7/0x440 [ 32.603987] ? fget_raw+0x20/0x20 [ 32.607430] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.612953] ? __do_page_fault+0x449/0xe50 [ 32.617164] ? mm_fault_error+0x380/0x380 [ 32.621294] ? security_file_ioctl+0x94/0xc0 [ 32.625681] ksys_ioctl+0xa9/0xd0 [ 32.629118] __x64_sys_ioctl+0x73/0xb0 [ 32.632990] do_syscall_64+0x1b9/0x820 [ 32.636859] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.641769] ? syscall_return_slowpath+0x31d/0x5e0 [ 32.646683] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 32.652031] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.656855] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.662029] RIP: 0033:0x43fdb9 [ 32.665200] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 [ 32.684315] RSP: 002b:00007ffe5d86d708 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 32.692017] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 32.699279] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003 [ 32.706537] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 32.713793] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 32.721047] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 32.728812] Dumping ftrace buffer: [ 32.732330] (ftrace buffer empty) [ 32.736020] Kernel Offset: disabled [ 32.739630] Rebooting in 86400 seconds..