[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.629298] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.882703] random: sshd: uninitialized urandom read (32 bytes read)
[   25.134198] random: sshd: uninitialized urandom read (32 bytes read)
[   26.008498] random: sshd: uninitialized urandom read (32 bytes read)
[   26.172691] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.20' (ECDSA) to the list of known hosts.
[   31.602349] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.711722] FAULT_INJECTION: forcing a failure.
[   31.711722] name failslab, interval 1, probability 0, space 0, times 1
[   31.723098] CPU: 1 PID: 4571 Comm: syz-executor050 Not tainted 4.17.0+ #91
[   31.730118] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.739458] Call Trace:
[   31.742052]  dump_stack+0x1b9/0x294
[   31.745687]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.750887]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.756415]  ? __do_page_fault+0x441/0xe40
[   31.760645]  should_fail.cold.4+0xa/0x1a
[   31.764739]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[   31.769833]  ? tcp_push+0x8a0/0x8a0
[   31.773450]  ? graph_lock+0x170/0x170
[   31.777243]  ? graph_lock+0x170/0x170
[   31.781062]  ? graph_lock+0x170/0x170
[   31.784869]  ? vmalloc_sync_all+0x30/0x30
[   31.789010]  ? sk_busy_loop_end+0x1b0/0x1b0
[   31.793339]  ? debug_check_no_locks_freed+0x310/0x310
[   31.798518]  ? find_held_lock+0x36/0x1c0
[   31.802573]  ? __lock_is_held+0xb5/0x140
[   31.806644]  ? check_same_owner+0x320/0x320
[   31.810954]  ? check_same_owner+0x320/0x320
[   31.815263]  ? rcu_note_context_switch+0x710/0x710
[   31.820184]  __should_failslab+0x124/0x180
[   31.824406]  should_failslab+0x9/0x14
[   31.828194]  __kmalloc+0x2c8/0x760
[   31.831724]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   31.836730]  ? _copy_from_iter+0x395/0x1080
[   31.841051]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   31.846076]  ? tls_push_record+0x637/0x13e0
[   31.850394]  tls_push_record+0x637/0x13e0
[   31.854553]  tls_sw_sendmsg+0x9de/0x12b0
[   31.858604]  ? lock_release+0xa10/0xa10
[   31.862593]  ? tls_sw_push_pending_record+0x30/0x30
[   31.867601]  ? lock_downgrade+0x8e0/0x8e0
[   31.871736]  ? __sanitizer_cov_trace_cmp8+0x7/0x20
[   31.876655]  ? lock_release+0xa10/0xa10
[   31.880621]  ? __check_object_size+0x95/0x5d9
[   31.885112]  inet_sendmsg+0x19f/0x690
[   31.888903]  ? __might_sleep+0x95/0x190
[   31.892873]  ? ipip_gro_receive+0x100/0x100
[   31.897187]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.902714]  ? security_socket_sendmsg+0x94/0xc0
[   31.907470]  ? ipip_gro_receive+0x100/0x100
[   31.911786]  sock_sendmsg+0xd5/0x120
[   31.915500]  __sys_sendto+0x3d7/0x670
[   31.919300]  ? __ia32_sys_getpeername+0xb0/0xb0
[   31.923958]  ? lock_downgrade+0x8e0/0x8e0
[   31.928099]  ? __lock_is_held+0xb5/0x140
[   31.932156]  ? __sb_end_write+0xac/0xe0
[   31.936124]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.941663]  ? ksys_write+0x1a6/0x250
[   31.945479]  ? __ia32_sys_read+0xb0/0xb0
[   31.949542]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.954385]  __x64_sys_sendto+0xe1/0x1a0
[   31.958454]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.963465]  do_syscall_64+0x1b1/0x800
[   31.967352]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.972272]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.977208]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.982567]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.987422]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.992600] RIP: 0033:0x4406a9
[   31.995773] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   32.014952] RSP: 002b:00007ffd6dfe03c8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
[   32.022649] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406a9
[   32.029908] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003
[   32.037166] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c
[   32.044436] R10: 0000000000000040 R11: 0000000000000216 R12: 0000000000000005
[   32.051694] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[   32.060915] ==================================================================
[   32.068441] BUG: KASAN: use-after-free in tls_push_record+0x1023/0x13e0
[   32.075183] Write of size 1 at addr ffff8801d93d8000 by task syz-executor050/4571
[   32.082784] 
[   32.084403] CPU: 1 PID: 4571 Comm: syz-executor050 Not tainted 4.17.0+ #91
[   32.091410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.100755] Call Trace:
[   32.103340]  dump_stack+0x1b9/0x294
[   32.106967]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.112153]  ? printk+0x9e/0xba
[   32.115424]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.120171]  ? kasan_check_write+0x14/0x20
[   32.124404]  print_address_description+0x6c/0x20b
[   32.129262]  ? tls_push_record+0x1023/0x13e0
[   32.133668]  kasan_report.cold.7+0x242/0x2fe
[   32.138075]  __asan_report_store1_noabort+0x17/0x20
[   32.143085]  tls_push_record+0x1023/0x13e0
[   32.147328]  ? __local_bh_enable_ip+0x161/0x230
[   32.152007]  tls_sw_push_pending_record+0x22/0x30
[   32.156855]  tls_push_pending_closed_record+0x10c/0x150
[   32.162216]  ? lock_sock_nested+0xe7/0x120
[   32.166450]  tls_sk_proto_close+0x8f2/0xad0
[   32.170768]  ? tcp_check_oom+0x520/0x520
[   32.174825]  ? kasan_check_read+0x11/0x20
[   32.178980]  ? rcu_report_qs_rnp+0x761/0x790
[   32.183390]  ? tls_write_space+0x340/0x340
[   32.187620]  ? kasan_check_read+0x11/0x20
[   32.191762]  ? rcu_is_watching+0x85/0x140
[   32.195903]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.201435]  ? ipv6_sock_ac_close+0x34e/0x480
[   32.205923]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.211450]  ? ipv6_sock_mc_close+0x161/0x1c0
[   32.215934]  ? ip_mc_drop_socket+0x20f/0x270
[   32.220332]  inet_release+0x104/0x1f0
[   32.224125]  inet6_release+0x50/0x70
[   32.227835]  sock_release+0x96/0x1b0
[   32.231543]  ? sock_alloc_file+0x4e0/0x4e0
[   32.235766]  sock_close+0x16/0x20
[   32.239205]  __fput+0x353/0x890
[   32.242489]  ? fput+0x1a0/0x1a0
[   32.245755]  ? check_same_owner+0x320/0x320
[   32.250066]  ? _raw_spin_unlock_irq+0x27/0x70
[   32.254565]  ____fput+0x15/0x20
[   32.257840]  task_work_run+0x1e4/0x290
[   32.261731]  ? task_work_cancel+0x240/0x240
[   32.266054]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.271591]  ? switch_task_namespaces+0xa2/0xd0
[   32.276254]  do_exit+0x1aee/0x2730
[   32.279785]  ? mm_update_next_owner+0x980/0x980
[   32.284445]  ? lock_downgrade+0x8e0/0x8e0
[   32.288608]  ? finish_task_switch+0x182/0x840
[   32.293100]  ? kasan_check_read+0x11/0x20
[   32.297239]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.301637]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   32.306227]  ? compat_start_thread+0x80/0x80
[   32.310626]  ? _raw_spin_unlock_irq+0x27/0x70
[   32.315111]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.320131]  ? kasan_check_write+0x14/0x20
[   32.324376]  ? finish_task_switch+0x28b/0x840
[   32.328884]  ? __schedule+0x809/0x1e30
[   32.332773]  ? __sched_text_start+0x8/0x8
[   32.336909]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.342441]  ? security_socket_sendmsg+0x94/0xc0
[   32.347202]  ? ipip_gro_receive+0x100/0x100
[   32.351514]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.357049]  ? sock_sendmsg+0x5a/0x120
[   32.360936]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.366465]  ? __sys_sendto+0x475/0x670
[   32.370429]  ? __ia32_sys_getpeername+0xb0/0xb0
[   32.375091]  ? lock_downgrade+0x8e0/0x8e0
[   32.379229]  ? schedule+0xef/0x430
[   32.382762]  ? __schedule+0x1e30/0x1e30
[   32.386741]  ? __sb_end_write+0xac/0xe0
[   32.390707]  ? exit_to_usermode_loop+0x87/0x310
[   32.395367]  do_group_exit+0x16f/0x430
[   32.400257]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.405789]  ? __ia32_sys_exit+0x50/0x50
[   32.409856]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   32.414689]  ? do_syscall_64+0x92/0x800
[   32.418650]  __x64_sys_exit_group+0x3e/0x50
[   32.422964]  do_syscall_64+0x1b1/0x800
[   32.426845]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.431768]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.436692]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.442066]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.446916]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.452095] RIP: 0033:0x43f368
[   32.455268] Code: Bad RIP value.
[   32.458629] RSP: 002b:00007ffd6dfe0408 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   32.466327] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f368
[   32.473585] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   32.480845] RBP: 00000000004bf448 R08: 00000000000000e7 R09: ffffffffffffffd0
[   32.488108] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   32.495373] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   32.502651] 
[   32.504270] The buggy address belongs to the page:
[   32.509197] page:ffffea000764f600 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[   32.517592] flags: 0x2fffc0000000000()
[   32.521488] raw: 02fffc0000000000 ffffea0006b6c208 ffff88021fffac18 0000000000000000
[   32.529362] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[   32.537231] page dumped because: kasan: bad access detected
[   32.542936] 
[   32.544565] Memory state around the buggy address:
[   32.549497]  ffff8801d93d7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.556877]  ffff8801d93d7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.564233] >ffff8801d93d8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.571587]                    ^
[   32.574970]  ffff8801d93d8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.582333]  ffff8801d93d8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.589688] ==================================================================
[   32.597051] Disabling lock debugging due to kernel taint
[   32.602750] Kernel panic - not syncing: panic_on_warn set ...
[   32.602750] 
[   32.610129] CPU: 1 PID: 4571 Comm: syz-executor050 Tainted: G    B             4.17.0+ #91
[   32.618532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.627888] Call Trace:
[   32.630481]  dump_stack+0x1b9/0x294
[   32.634114]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.639337]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.644094]  ? tls_push_record+0xfb0/0x13e0
[   32.648417]  panic+0x22f/0x4de
[   32.651619]  ? add_taint.cold.5+0x16/0x16
[   32.655781]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.660198]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.664612]  ? tls_push_record+0x1023/0x13e0
[   32.669048]  kasan_end_report+0x47/0x4f
[   32.673035]  kasan_report.cold.7+0x76/0x2fe
[   32.677384]  __asan_report_store1_noabort+0x17/0x20
[   32.682404]  tls_push_record+0x1023/0x13e0
[   32.686648]  ? __local_bh_enable_ip+0x161/0x230
[   32.691321]  tls_sw_push_pending_record+0x22/0x30
[   32.696164]  tls_push_pending_closed_record+0x10c/0x150
[   32.701527]  ? lock_sock_nested+0xe7/0x120
[   32.705759]  tls_sk_proto_close+0x8f2/0xad0
[   32.710094]  ? tcp_check_oom+0x520/0x520
[   32.714157]  ? kasan_check_read+0x11/0x20
[   32.718306]  ? rcu_report_qs_rnp+0x761/0x790
[   32.722713]  ? tls_write_space+0x340/0x340
[   32.726935]  ? kasan_check_read+0x11/0x20
[   32.731088]  ? rcu_is_watching+0x85/0x140
[   32.735228]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.740775]  ? ipv6_sock_ac_close+0x34e/0x480
[   32.745257]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.750781]  ? ipv6_sock_mc_close+0x161/0x1c0
[   32.755267]  ? ip_mc_drop_socket+0x20f/0x270
[   32.759660]  inet_release+0x104/0x1f0
[   32.763446]  inet6_release+0x50/0x70
[   32.767145]  sock_release+0x96/0x1b0
[   32.770842]  ? sock_alloc_file+0x4e0/0x4e0
[   32.775063]  sock_close+0x16/0x20
[   32.778499]  __fput+0x353/0x890
[   32.781774]  ? fput+0x1a0/0x1a0
[   32.785043]  ? check_same_owner+0x320/0x320
[   32.789356]  ? _raw_spin_unlock_irq+0x27/0x70
[   32.793839]  ____fput+0x15/0x20
[   32.797133]  task_work_run+0x1e4/0x290
[   32.801026]  ? task_work_cancel+0x240/0x240
[   32.805338]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.810863]  ? switch_task_namespaces+0xa2/0xd0
[   32.815527]  do_exit+0x1aee/0x2730
[   32.819055]  ? mm_update_next_owner+0x980/0x980
[   32.823711]  ? lock_downgrade+0x8e0/0x8e0
[   32.827845]  ? finish_task_switch+0x182/0x840
[   32.832339]  ? kasan_check_read+0x11/0x20
[   32.836472]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.840865]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   32.845433]  ? compat_start_thread+0x80/0x80
[   32.849831]  ? _raw_spin_unlock_irq+0x27/0x70
[   32.854312]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.859315]  ? kasan_check_write+0x14/0x20
[   32.863549]  ? finish_task_switch+0x28b/0x840
[   32.868054]  ? __schedule+0x809/0x1e30
[   32.871926]  ? __sched_text_start+0x8/0x8
[   32.876071]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.881599]  ? security_socket_sendmsg+0x94/0xc0
[   32.886343]  ? ipip_gro_receive+0x100/0x100
[   32.890653]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.896177]  ? sock_sendmsg+0x5a/0x120
[   32.900056]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.905583]  ? __sys_sendto+0x475/0x670
[   32.909543]  ? __ia32_sys_getpeername+0xb0/0xb0
[   32.914199]  ? lock_downgrade+0x8e0/0x8e0
[   32.918337]  ? schedule+0xef/0x430
[   32.921861]  ? __schedule+0x1e30/0x1e30
[   32.925823]  ? __sb_end_write+0xac/0xe0
[   32.929787]  ? exit_to_usermode_loop+0x87/0x310
[   32.934445]  do_group_exit+0x16f/0x430
[   32.938319]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.943865]  ? __ia32_sys_exit+0x50/0x50
[   32.947937]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   32.952789]  ? do_syscall_64+0x92/0x800
[   32.956761]  __x64_sys_exit_group+0x3e/0x50
[   32.961072]  do_syscall_64+0x1b1/0x800
[   32.964960]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.969886]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.974806]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.980168]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.985018]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.990202] RIP: 0033:0x43f368
[   32.993372] Code: Bad RIP value.
[   32.996732] RSP: 002b:00007ffd6dfe0408 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   33.004426] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f368
[   33.011703] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   33.018961] RBP: 00000000004bf448 R08: 00000000000000e7 R09: ffffffffffffffd0
[   33.026227] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001
[   33.033486] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   33.041267] Dumping ftrace buffer:
[   33.044801]    (ftrace buffer empty)
[   33.048517] Kernel Offset: disabled
[   33.052147] Rebooting in 86400 seconds..