[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 18.405814] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.239330] random: sshd: uninitialized urandom read (32 bytes read) [ 20.538473] random: sshd: uninitialized urandom read (32 bytes read) [ 21.310162] random: sshd: uninitialized urandom read (32 bytes read) [ 21.472909] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts. [ 26.994190] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 27.091616] ================================================================== [ 27.099113] BUG: KASAN: slab-out-of-bounds in process_preds+0x191f/0x19d0 [ 27.106038] Write of size 4 at addr ffff8801cf936070 by task syz-executor199/4488 [ 27.113650] [ 27.115269] CPU: 0 PID: 4488 Comm: syz-executor199 Not tainted 4.17.0-rc7+ #75 [ 27.122614] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.131956] Call Trace: [ 27.134537] dump_stack+0x1b9/0x294 [ 27.138169] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.143345] ? printk+0x9e/0xba [ 27.146611] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 27.151357] ? kasan_check_write+0x14/0x20 [ 27.155580] print_address_description+0x6c/0x20b [ 27.160412] ? process_preds+0x191f/0x19d0 [ 27.164635] kasan_report.cold.7+0x242/0x2fe [ 27.169039] __asan_report_store4_noabort+0x17/0x20 [ 27.174055] process_preds+0x191f/0x19d0 [ 27.178143] ? parse_pred+0x28e0/0x28e0 [ 27.182121] ? create_filter_start.constprop.12+0x55/0x2b0 [ 27.187741] create_filter+0x155/0x270 [ 27.191623] ? process_preds+0x19d0/0x19d0 [ 27.195858] ftrace_profile_set_filter+0x130/0x2e0 [ 27.200777] ? ftrace_profile_free_filter+0x70/0x70 [ 27.205785] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 27.211309] ? memdup_user+0x6b/0xa0 [ 27.215017] perf_event_set_filter+0x248/0x1230 [ 27.219715] ? perf_tp_event+0xc30/0xc30 [ 27.223767] ? kasan_check_write+0x14/0x20 [ 27.227993] ? mutex_trylock+0x2a0/0x2a0 [ 27.232045] ? perf_pmu_unregister+0x530/0x530 [ 27.236645] ? perf_trace_lock_acquire+0x4f1/0x980 [ 27.241586] ? perf_trace_lock+0x900/0x900 [ 27.245816] ? graph_lock+0x170/0x170 [ 27.249606] ? lock_downgrade+0x8e0/0x8e0 [ 27.253753] ? kasan_check_read+0x11/0x20 [ 27.257890] ? rcu_is_watching+0x85/0x140 [ 27.262044] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 27.267242] _perf_ioctl+0x84c/0x15e0 [ 27.271031] ? __do_sys_perf_event_open+0x2fa0/0x2fa0 [ 27.276213] ? lock_downgrade+0x8e0/0x8e0 [ 27.280356] ? kasan_check_read+0x11/0x20 [ 27.284491] ? rcu_is_watching+0x85/0x140 [ 27.288637] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 27.293818] ? mark_held_locks+0xc9/0x160 [ 27.297964] ? mutex_lock_nested+0x16/0x20 [ 27.302189] ? mutex_lock_nested+0x16/0x20 [ 27.306416] ? perf_event_ctx_lock_nested+0x40d/0x4e0 [ 27.311601] ? perf_event_read_event+0x430/0x430 [ 27.316347] ? __do_sys_perf_event_open+0x7b4/0x2fa0 [ 27.321449] perf_ioctl+0x59/0x80 [ 27.324891] ? _perf_ioctl+0x15e0/0x15e0 [ 27.328945] do_vfs_ioctl+0x1cf/0x16a0 [ 27.332827] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 27.338359] ? ioctl_preallocate+0x2e0/0x2e0 [ 27.342768] ? fget_raw+0x20/0x20 [ 27.346218] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.351754] ? __do_page_fault+0x441/0xe40 [ 27.355990] ? security_file_ioctl+0x94/0xc0 [ 27.360392] ksys_ioctl+0xa9/0xd0 [ 27.363837] __x64_sys_ioctl+0x73/0xb0 [ 27.367715] do_syscall_64+0x1b1/0x800 [ 27.371590] ? syscall_return_slowpath+0x5c0/0x5c0 [ 27.376507] ? syscall_return_slowpath+0x30f/0x5c0 [ 27.381429] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 27.386786] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.391623] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.396799] RIP: 0033:0x43fdb9 [ 27.399972] RSP: 002b:00007ffcf0ee9bd8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 27.409057] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 27.416313] RDX: 0000000020000280 RSI: 0000000040082406 RDI: 0000000000000003 [ 27.423576] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 27.430830] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 27.438096] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 27.445370] [ 27.446983] Allocated by task 1: [ 27.450346] save_stack+0x43/0xd0 [ 27.453793] kasan_kmalloc+0xc4/0xe0 [ 27.457491] kmem_cache_alloc_trace+0x152/0x780 [ 27.462154] virtscsi_target_alloc+0xcc/0x1d0 [ 27.466636] scsi_alloc_target+0x952/0xbe0 [ 27.470855] __scsi_scan_target+0x193/0xfe0 [ 27.475161] scsi_scan_channel.part.7+0x11f/0x190 [ 27.479988] scsi_scan_host_selected+0x2b9/0x3d0 [ 27.484727] do_scsi_scan_host+0x1ee/0x260 [ 27.488951] scsi_scan_host+0x4a2/0x590 [ 27.492914] virtscsi_probe+0xbe5/0xf04 [ 27.496888] virtio_dev_probe+0x592/0x942 [ 27.501104] driver_probe_device+0x69b/0x960 [ 27.505500] __driver_attach+0x1b2/0x1f0 [ 27.509547] bus_for_each_dev+0x151/0x1d0 [ 27.513697] driver_attach+0x3d/0x50 [ 27.517400] bus_add_driver+0x4b2/0x600 [ 27.521358] driver_register+0x1bf/0x320 [ 27.525404] register_virtio_driver+0x79/0xd0 [ 27.529889] init+0xa3/0x114 [ 27.532899] do_one_initcall+0x127/0x913 [ 27.536951] kernel_init_freeable+0x49b/0x58e [ 27.541438] kernel_init+0x11/0x1b3 [ 27.545062] ret_from_fork+0x3a/0x50 [ 27.548755] [ 27.550365] Freed by task 1: [ 27.553376] save_stack+0x43/0xd0 [ 27.556814] __kasan_slab_free+0x11a/0x170 [ 27.561035] kasan_slab_free+0xe/0x10 [ 27.564820] kfree+0xd9/0x260 [ 27.567915] virtscsi_target_destroy+0x37/0x50 [ 27.572484] scsi_target_destroy+0x1fa/0x560 [ 27.576877] scsi_target_reap+0xf8/0x140 [ 27.580924] __scsi_scan_target+0x221/0xfe0 [ 27.585233] scsi_scan_channel.part.7+0x11f/0x190 [ 27.590070] scsi_scan_host_selected+0x2b9/0x3d0 [ 27.594819] do_scsi_scan_host+0x1ee/0x260 [ 27.599040] scsi_scan_host+0x4a2/0x590 [ 27.602998] virtscsi_probe+0xbe5/0xf04 [ 27.606958] virtio_dev_probe+0x592/0x942 [ 27.611094] driver_probe_device+0x69b/0x960 [ 27.615487] __driver_attach+0x1b2/0x1f0 [ 27.619534] bus_for_each_dev+0x151/0x1d0 [ 27.623670] driver_attach+0x3d/0x50 [ 27.627369] bus_add_driver+0x4b2/0x600 [ 27.631329] driver_register+0x1bf/0x320 [ 27.635377] register_virtio_driver+0x79/0xd0 [ 27.639864] init+0xa3/0x114 [ 27.642871] do_one_initcall+0x127/0x913 [ 27.646922] kernel_init_freeable+0x49b/0x58e [ 27.651404] kernel_init+0x11/0x1b3 [ 27.655021] ret_from_fork+0x3a/0x50 [ 27.658714] [ 27.660327] The buggy address belongs to the object at ffff8801cf936000 [ 27.660327] which belongs to the cache kmalloc-64 of size 64 [ 27.672799] The buggy address is located 48 bytes to the right of [ 27.672799] 64-byte region [ffff8801cf936000, ffff8801cf936040) [ 27.685009] The buggy address belongs to the page: [ 27.689932] page:ffffea00073e4d80 count:1 mapcount:0 mapping:ffff8801cf936000 index:0x0 [ 27.698072] flags: 0x2fffc0000000100(slab) [ 27.702307] raw: 02fffc0000000100 ffff8801cf936000 0000000000000000 0000000100000020 [ 27.710173] raw: ffffea00073c8820 ffffea00073e9da0 ffff8801da800340 0000000000000000 [ 27.718040] page dumped because: kasan: bad access detected [ 27.723742] [ 27.725351] Memory state around the buggy address: [ 27.730278] ffff8801cf935f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.737623] ffff8801cf935f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.744977] >ffff8801cf936000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.752330] ^ [ 27.759342] ffff8801cf936080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 27.766691] ffff8801cf936100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 27.774043] ================================================================== [ 27.781396] Disabling lock debugging due to kernel taint [ 27.787056] Kernel panic - not syncing: panic_on_warn set ... [ 27.787056] [ 27.794439] CPU: 0 PID: 4488 Comm: syz-executor199 Tainted: G B 4.17.0-rc7+ #75 [ 27.803188] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.812531] Call Trace: [ 27.815119] dump_stack+0x1b9/0x294 [ 27.818738] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.823919] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 27.828669] ? process_preds+0x1850/0x19d0 [ 27.832891] panic+0x22f/0x4de [ 27.836073] ? add_taint.cold.5+0x16/0x16 [ 27.840218] ? do_raw_spin_unlock+0x9e/0x2e0 [ 27.844611] ? do_raw_spin_unlock+0x9e/0x2e0 [ 27.849011] ? process_preds+0x191f/0x19d0 [ 27.853240] kasan_end_report+0x47/0x4f [ 27.857199] kasan_report.cold.7+0x76/0x2fe [ 27.861508] __asan_report_store4_noabort+0x17/0x20 [ 27.866509] process_preds+0x191f/0x19d0 [ 27.870563] ? parse_pred+0x28e0/0x28e0 [ 27.874536] ? create_filter_start.constprop.12+0x55/0x2b0 [ 27.880161] create_filter+0x155/0x270 [ 27.884050] ? process_preds+0x19d0/0x19d0 [ 27.888278] ftrace_profile_set_filter+0x130/0x2e0 [ 27.893194] ? ftrace_profile_free_filter+0x70/0x70 [ 27.898213] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 27.903741] ? memdup_user+0x6b/0xa0 [ 27.907453] perf_event_set_filter+0x248/0x1230 [ 27.912122] ? perf_tp_event+0xc30/0xc30 [ 27.916175] ? kasan_check_write+0x14/0x20 [ 27.920398] ? mutex_trylock+0x2a0/0x2a0 [ 27.924448] ? perf_pmu_unregister+0x530/0x530 [ 27.929029] ? perf_trace_lock_acquire+0x4f1/0x980 [ 27.933954] ? perf_trace_lock+0x900/0x900 [ 27.938177] ? graph_lock+0x170/0x170 [ 27.941964] ? lock_downgrade+0x8e0/0x8e0 [ 27.946103] ? kasan_check_read+0x11/0x20 [ 27.950237] ? rcu_is_watching+0x85/0x140 [ 27.954377] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 27.959576] _perf_ioctl+0x84c/0x15e0 [ 27.963369] ? __do_sys_perf_event_open+0x2fa0/0x2fa0 [ 27.968549] ? lock_downgrade+0x8e0/0x8e0 [ 27.972689] ? kasan_check_read+0x11/0x20 [ 27.976824] ? rcu_is_watching+0x85/0x140 [ 27.980958] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 27.986134] ? mark_held_locks+0xc9/0x160 [ 27.990273] ? mutex_lock_nested+0x16/0x20 [ 27.994493] ? mutex_lock_nested+0x16/0x20 [ 27.998716] ? perf_event_ctx_lock_nested+0x40d/0x4e0 [ 28.003897] ? perf_event_read_event+0x430/0x430 [ 28.008667] ? __do_sys_perf_event_open+0x7b4/0x2fa0 [ 28.013767] perf_ioctl+0x59/0x80 [ 28.017211] ? _perf_ioctl+0x15e0/0x15e0 [ 28.021262] do_vfs_ioctl+0x1cf/0x16a0 [ 28.025140] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.030668] ? ioctl_preallocate+0x2e0/0x2e0 [ 28.035068] ? fget_raw+0x20/0x20 [ 28.038516] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.044057] ? __do_page_fault+0x441/0xe40 [ 28.048300] ? security_file_ioctl+0x94/0xc0 [ 28.052704] ksys_ioctl+0xa9/0xd0 [ 28.056149] __x64_sys_ioctl+0x73/0xb0 [ 28.060037] do_syscall_64+0x1b1/0x800 [ 28.063924] ? syscall_return_slowpath+0x5c0/0x5c0 [ 28.068840] ? syscall_return_slowpath+0x30f/0x5c0 [ 28.073764] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe [ 28.079130] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.083976] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.089152] RIP: 0033:0x43fdb9 [ 28.092325] RSP: 002b:00007ffcf0ee9bd8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 [ 28.100031] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9 [ 28.107292] RDX: 0000000020000280 RSI: 0000000040082406 RDI: 0000000000000003 [ 28.114547] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 28.121802] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0 [ 28.129068] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000 [ 28.136882] Dumping ftrace buffer: [ 28.140422] (ftrace buffer empty) [ 28.144115] Kernel Offset: disabled [ 28.147732] Rebooting in 86400 seconds..