[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   23.748014] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.750674] random: sshd: uninitialized urandom read (32 bytes read)
[   28.154032] random: sshd: uninitialized urandom read (32 bytes read)
[   28.694520] random: sshd: uninitialized urandom read (32 bytes read)
[   28.870000] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
[   34.591203] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   34.689517] vhci_hcd: invalid port number 132
[   34.694239] ==================================================================
[   34.701792] BUG: KASAN: slab-out-of-bounds in vhci_hub_control+0x1b88/0x1bf0
[   34.708968] Read of size 4 at addr ffff8801ce679ebc by task syz-executor050/4632
[   34.716479] 
[   34.718107] CPU: 1 PID: 4632 Comm: syz-executor050 Not tainted 4.19.0-rc1-next-20180831+ #53
[   34.726661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.735995] Call Trace:
[   34.738577]  dump_stack+0x1c9/0x2b4
[   34.742191]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.747480]  ? printk+0xa7/0xcf
[   34.750887]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.755641]  ? vhci_hub_control+0x1b88/0x1bf0
[   34.760126]  print_address_description+0x6c/0x20b
[   34.764955]  ? vhci_hub_control+0x1b88/0x1bf0
[   34.769436]  kasan_report.cold.7+0x242/0x30d
[   34.773834]  __asan_report_load4_noabort+0x14/0x20
[   34.778755]  vhci_hub_control+0x1b88/0x1bf0
[   34.783066]  ? vhci_hcd_probe+0x240/0x240
[   34.787224]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.792431]  ? __kmalloc+0x594/0x720
[   34.796141]  ? kasan_check_write+0x14/0x20
[   34.800375]  ? do_raw_spin_lock+0xc1/0x200
[   34.804597]  ? usb_hcd_submit_urb+0x70e/0x2160
[   34.809187]  usb_hcd_submit_urb+0x184a/0x2160
[   34.813683]  ? vhci_hcd_probe+0x240/0x240
[   34.817821]  ? usb_create_hcd+0x40/0x40
[   34.821782]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.827133]  ? __x64_sys_ioctl+0x73/0xb0
[   34.831189]  ? do_syscall_64+0x1b9/0x820
[   34.835338]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.840695]  ? find_held_lock+0x36/0x1c0
[   34.844743]  ? __lockdep_init_map+0x105/0x590
[   34.849241]  ? __lockdep_init_map+0x105/0x590
[   34.853747]  usb_submit_urb+0x895/0x14d0
[   34.857799]  ? rcu_is_watching+0x8c/0x150
[   34.861946]  usb_start_wait_urb+0x140/0x360
[   34.866325]  ? sg_clean+0x240/0x240
[   34.869953]  usb_control_msg+0x332/0x4e0
[   34.874003]  ? usb_start_wait_urb+0x360/0x360
[   34.878488]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   34.884137]  proc_control+0x99b/0xef0
[   34.887929]  ? proc_bulk+0xaa0/0xaa0
[   34.891635]  ? lock_downgrade+0x8f0/0x8f0
[   34.895777]  usbdev_do_ioctl+0x1eb4/0x3b30
[   34.900012]  ? processcompl_compat+0x680/0x680
[   34.904583]  ? mntput_no_expire+0x1ea/0xc10
[   34.908895]  ? __lock_acquire+0x7fc/0x5020
[   34.913120]  ? graph_lock+0x170/0x170
[   34.916960]  ? dput.part.26+0x276/0x7a0
[   34.920929]  ? find_held_lock+0x36/0x1c0
[   34.924984]  ? lock_downgrade+0x8f0/0x8f0
[   34.929223]  ? kasan_check_read+0x11/0x20
[   34.933368]  ? rcu_is_watching+0x8c/0x150
[   34.937505]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   34.942166]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   34.946897]  ? is_bpf_text_address+0xd7/0x170
[   34.951521]  ? kernel_text_address+0x79/0xf0
[   34.955921]  ? __kernel_text_address+0xd/0x40
[   34.960410]  ? unwind_get_return_address+0x61/0xa0
[   34.965342]  ? __save_stack_trace+0x8d/0xf0
[   34.969668]  ? save_stack+0xa9/0xd0
[   34.973400]  ? save_stack+0x43/0xd0
[   34.977017]  ? __kasan_slab_free+0x11a/0x170
[   34.981659]  ? kasan_slab_free+0xe/0x10
[   34.985621]  ? kmem_cache_free+0x86/0x280
[   34.989755]  ? putname+0xf2/0x130
[   34.993212]  ? do_sys_open+0x569/0x720
[   34.997104]  ? __x64_sys_open+0x7e/0xc0
[   35.001068]  ? do_syscall_64+0x1b9/0x820
[   35.005132]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.010720]  ? trace_hardirqs_off+0xb8/0x2b0
[   35.015257]  ? kasan_check_read+0x11/0x20
[   35.019614]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.024011]  ? trace_hardirqs_on+0x2c0/0x2c0
[   35.028407]  ? kasan_check_write+0x14/0x20
[   35.032640]  ? trace_hardirqs_off+0xb8/0x2b0
[   35.037036]  usbdev_ioctl+0x25/0x30
[   35.040718]  ? usbdev_compat_ioctl+0x30/0x30
[   35.045120]  do_vfs_ioctl+0x1de/0x1720
[   35.048988]  ? kasan_check_read+0x11/0x20
[   35.053121]  ? rcu_is_watching+0x8c/0x150
[   35.057250]  ? trace_hardirqs_on+0xbd/0x2c0
[   35.061557]  ? ioctl_preallocate+0x300/0x300
[   35.065958]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.071480]  ? __fget_light+0x2f7/0x440
[   35.075433]  ? putname+0xf2/0x130
[   35.078900]  ? fget_raw+0x20/0x20
[   35.082457]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.087458]  ? kmem_cache_free+0x246/0x280
[   35.091681]  ? do_syscall_64+0x9a/0x820
[   35.096199]  ? do_syscall_64+0x9a/0x820
[   35.100160]  ? lockdep_hardirqs_on+0x421/0x5c0
[   35.104778]  ? security_file_ioctl+0x94/0xc0
[   35.109182]  ksys_ioctl+0xa9/0xd0
[   35.112622]  __x64_sys_ioctl+0x73/0xb0
[   35.116603]  do_syscall_64+0x1b9/0x820
[   35.120485]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   35.125834]  ? syscall_return_slowpath+0x5e0/0x5e0
[   35.130747]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.135634]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   35.140643]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   35.145644]  ? prepare_exit_to_usermode+0x291/0x3b0
[   35.150648]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.155514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.160690] RIP: 0033:0x443d89
[   35.163877] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   35.182774] RSP: 002b:00007ffda7ae4d48 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   35.190510] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443d89
[   35.197786] RDX: 0000000020000100 RSI: 00000000c0185500 RDI: 0000000000000003
[   35.205050] RBP: 00000000006ce018 R08: 0000000000000000 R09: 00000000004002e0
[   35.212314] R10: 000000000000000f R11: 0000000000000213 R12: 0000000000401a90
[   35.219566] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   35.226911] 
[   35.228523] Allocated by task 1:
[   35.231877]  save_stack+0x43/0xd0
[   35.235313]  kasan_kmalloc+0xc4/0xe0
[   35.239011]  kmem_cache_alloc_trace+0x152/0x730
[   35.243667]  usb_create_ep_devs+0x51/0x290
[   35.247881]  create_intf_ep_devs+0x154/0x220
[   35.252350]  usb_set_configuration+0xf00/0x19f0
[   35.257013]  generic_probe+0xb6/0x110
[   35.260795]  usb_probe_device+0xaf/0x110
[   35.264836]  really_probe+0x5be/0x850
[   35.268616]  driver_probe_device+0x108/0x210
[   35.273005]  __device_attach_driver+0x25a/0x2d0
[   35.277658]  bus_for_each_drv+0x16b/0x1f0
[   35.281786]  __device_attach+0x2a1/0x430
[   35.285825]  device_initial_probe+0x1a/0x20
[   35.290267]  bus_probe_device+0x1fb/0x2a0
[   35.294404]  device_add+0x93e/0x17b0
[   35.298099]  usb_new_device+0x8ac/0x12b0
[   35.302143]  usb_add_hcd+0xb1f/0x1910
[   35.305929]  vhci_hcd_probe+0xfb/0x240
[   35.309797]  platform_drv_probe+0x96/0x160
[   35.314014]  really_probe+0x5be/0x850
[   35.317804]  driver_probe_device+0x108/0x210
[   35.322200]  __device_attach_driver+0x25a/0x2d0
[   35.326861]  bus_for_each_drv+0x16b/0x1f0
[   35.330987]  __device_attach+0x2a1/0x430
[   35.335048]  device_initial_probe+0x1a/0x20
[   35.339365]  bus_probe_device+0x1fb/0x2a0
[   35.343498]  device_add+0x93e/0x17b0
[   35.347192]  platform_device_add+0x36e/0x6f0
[   35.351588]  vhci_hcd_init+0x386/0x4e0
[   35.355462]  do_one_initcall+0x127/0x838
[   35.359505]  kernel_init_freeable+0x4bb/0x5ae
[   35.363981]  kernel_init+0x11/0x1b3
[   35.367589]  ret_from_fork+0x3a/0x50
[   35.371275] 
[   35.372881] Freed by task 0:
[   35.375872] (stack is not available)
[   35.379558] 
[   35.381167] The buggy address belongs to the object at ffff8801ce6793c0
[   35.381167]  which belongs to the cache kmalloc-2048 of size 2048
[   35.394046] The buggy address is located 764 bytes to the right of
[   35.394046]  2048-byte region [ffff8801ce6793c0, ffff8801ce679bc0)
[   35.406659] The buggy address belongs to the page:
[   35.411582] page:ffffea0007399e00 count:1 mapcount:0 mapping:ffff8801dac00c40 index:0x0 compound_mapcount: 0
[   35.421530] flags: 0x2fffc0000008100(slab|head)
[   35.426182] raw: 02fffc0000008100 ffffea000739a308 ffffea000739aa88 ffff8801dac00c40
[   35.434128] raw: 0000000000000000 ffff8801ce6782c0 0000000100000003 0000000000000000
[   35.441990] page dumped because: kasan: bad access detected
[   35.447676] 
[   35.449278] Memory state around the buggy address:
[   35.454187]  ffff8801ce679d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.461526]  ffff8801ce679e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.468864] >ffff8801ce679e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.476201]                                         ^
[   35.481369]  ffff8801ce679f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.488704]  ffff8801ce679f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.496043] ==================================================================
[   35.503383] Disabling lock debugging due to kernel taint
[   35.508814] Kernel panic - not syncing: panic_on_warn set ...
[   35.508814] 
[   35.516159] CPU: 1 PID: 4632 Comm: syz-executor050 Tainted: G    B             4.19.0-rc1-next-20180831+ #53
[   35.526097] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.535432] Call Trace:
[   35.538006]  dump_stack+0x1c9/0x2b4
[   35.541613]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.546785]  ? lock_downgrade+0x8f0/0x8f0
[   35.550925]  panic+0x238/0x4e7
[   35.554097]  ? add_taint.cold.5+0x16/0x16
[   35.558222]  ? add_taint.cold.5+0x5/0x16
[   35.562260]  ? trace_hardirqs_off+0xaf/0x2b0
[   35.566643]  ? trace_hardirqs_off+0x77/0x2b0
[   35.571032]  ? vhci_hub_control+0x1b88/0x1bf0
[   35.575504]  kasan_end_report+0x47/0x4f
[   35.579460]  kasan_report.cold.7+0x76/0x30d
[   35.583760]  __asan_report_load4_noabort+0x14/0x20
[   35.588668]  vhci_hub_control+0x1b88/0x1bf0
[   35.592966]  ? vhci_hcd_probe+0x240/0x240
[   35.597102]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.602123]  ? __kmalloc+0x594/0x720
[   35.605817]  ? kasan_check_write+0x14/0x20
[   35.610029]  ? do_raw_spin_lock+0xc1/0x200
[   35.614243]  ? usb_hcd_submit_urb+0x70e/0x2160
[   35.618883]  usb_hcd_submit_urb+0x184a/0x2160
[   35.623371]  ? vhci_hcd_probe+0x240/0x240
[   35.627502]  ? usb_create_hcd+0x40/0x40
[   35.631458]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.636810]  ? __x64_sys_ioctl+0x73/0xb0
[   35.640851]  ? do_syscall_64+0x1b9/0x820
[   35.644890]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.650230]  ? find_held_lock+0x36/0x1c0
[   35.654268]  ? __lockdep_init_map+0x105/0x590
[   35.658742]  ? __lockdep_init_map+0x105/0x590
[   35.663265]  usb_submit_urb+0x895/0x14d0
[   35.667305]  ? rcu_is_watching+0x8c/0x150
[   35.671433]  usb_start_wait_urb+0x140/0x360
[   35.675735]  ? sg_clean+0x240/0x240
[   35.679345]  usb_control_msg+0x332/0x4e0
[   35.683406]  ? usb_start_wait_urb+0x360/0x360
[   35.687936]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   35.693462]  proc_control+0x99b/0xef0
[   35.697245]  ? proc_bulk+0xaa0/0xaa0
[   35.700963]  ? lock_downgrade+0x8f0/0x8f0
[   35.705098]  usbdev_do_ioctl+0x1eb4/0x3b30
[   35.709313]  ? processcompl_compat+0x680/0x680
[   35.713880]  ? mntput_no_expire+0x1ea/0xc10
[   35.718186]  ? __lock_acquire+0x7fc/0x5020
[   35.722397]  ? graph_lock+0x170/0x170
[   35.726190]  ? dput.part.26+0x276/0x7a0
[   35.730146]  ? find_held_lock+0x36/0x1c0
[   35.734188]  ? lock_downgrade+0x8f0/0x8f0
[   35.738315]  ? kasan_check_read+0x11/0x20
[   35.742461]  ? rcu_is_watching+0x8c/0x150
[   35.746585]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   35.751232]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   35.755884]  ? is_bpf_text_address+0xd7/0x170
[   35.760360]  ? kernel_text_address+0x79/0xf0
[   35.764746]  ? __kernel_text_address+0xd/0x40
[   35.769221]  ? unwind_get_return_address+0x61/0xa0
[   35.774148]  ? __save_stack_trace+0x8d/0xf0
[   35.778452]  ? save_stack+0xa9/0xd0
[   35.782056]  ? save_stack+0x43/0xd0
[   35.785665]  ? __kasan_slab_free+0x11a/0x170
[   35.790058]  ? kasan_slab_free+0xe/0x10
[   35.794029]  ? kmem_cache_free+0x86/0x280
[   35.798199]  ? putname+0xf2/0x130
[   35.801630]  ? do_sys_open+0x569/0x720
[   35.805497]  ? __x64_sys_open+0x7e/0xc0
[   35.809449]  ? do_syscall_64+0x1b9/0x820
[   35.813489]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.818834]  ? trace_hardirqs_off+0xb8/0x2b0
[   35.823221]  ? kasan_check_read+0x11/0x20
[   35.827458]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.831848]  ? trace_hardirqs_on+0x2c0/0x2c0
[   35.836237]  ? kasan_check_write+0x14/0x20
[   35.840453]  ? trace_hardirqs_off+0xb8/0x2b0
[   35.844841]  usbdev_ioctl+0x25/0x30
[   35.848450]  ? usbdev_compat_ioctl+0x30/0x30
[   35.852836]  do_vfs_ioctl+0x1de/0x1720
[   35.856701]  ? kasan_check_read+0x11/0x20
[   35.860827]  ? rcu_is_watching+0x8c/0x150
[   35.864950]  ? trace_hardirqs_on+0xbd/0x2c0
[   35.869254]  ? ioctl_preallocate+0x300/0x300
[   35.873643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.879160]  ? __fget_light+0x2f7/0x440
[   35.883111]  ? putname+0xf2/0x130
[   35.886542]  ? fget_raw+0x20/0x20
[   35.890069]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.895091]  ? kmem_cache_free+0x246/0x280
[   35.899311]  ? do_syscall_64+0x9a/0x820
[   35.903674]  ? do_syscall_64+0x9a/0x820
[   35.907627]  ? lockdep_hardirqs_on+0x421/0x5c0
[   35.912190]  ? security_file_ioctl+0x94/0xc0
[   35.916576]  ksys_ioctl+0xa9/0xd0
[   35.920015]  __x64_sys_ioctl+0x73/0xb0
[   35.923888]  do_syscall_64+0x1b9/0x820
[   35.927758]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   35.933103]  ? syscall_return_slowpath+0x5e0/0x5e0
[   35.938017]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.942913]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   35.947926]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   35.952920]  ? prepare_exit_to_usermode+0x291/0x3b0
[   35.957915]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.962979]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.968151] RIP: 0033:0x443d89
[   35.971324] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   35.990323] RSP: 002b:00007ffda7ae4d48 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   35.998009] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443d89
[   36.005258] RDX: 0000000020000100 RSI: 00000000c0185500 RDI: 0000000000000003
[   36.012514] RBP: 00000000006ce018 R08: 0000000000000000 R09: 00000000004002e0
[   36.019767] R10: 000000000000000f R11: 0000000000000213 R12: 0000000000401a90
[   36.027019] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   36.034641] Dumping ftrace buffer:
[   36.038160]    (ftrace buffer empty)
[   36.041845] Kernel Offset: disabled
[   36.045455] Rebooting in 86400 seconds..