[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.076936] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.696933] random: sshd: uninitialized urandom read (32 bytes read)
[   21.022361] random: sshd: uninitialized urandom read (32 bytes read)
[   21.770442] random: sshd: uninitialized urandom read (32 bytes read)
[   38.019841] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
[   43.448861] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   43.540154] ==================================================================
[   43.547606] BUG: KASAN: slab-out-of-bounds in process_preds+0x1958/0x19b0
[   43.554525] Write of size 4 at addr ffff8801cd9d34f0 by task syz-executor894/4375
[   43.562134] 
[   43.563755] CPU: 0 PID: 4375 Comm: syz-executor894 Not tainted 4.17.0-rc2+ #21
[   43.571102] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.580451] Call Trace:
[   43.583041]  dump_stack+0x1b9/0x294
[   43.586664]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.591849]  ? printk+0x9e/0xba
[   43.595122]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   43.599871]  ? kasan_check_write+0x14/0x20
[   43.604103]  print_address_description+0x6c/0x20b
[   43.608937]  ? process_preds+0x1958/0x19b0
[   43.613164]  kasan_report.cold.7+0x242/0x2fe
[   43.617571]  __asan_report_store4_noabort+0x17/0x20
[   43.622573]  process_preds+0x1958/0x19b0
[   43.626629]  ? create_filter_start.constprop.12+0xfb/0x2b0
[   43.632258]  ? parse_pred+0x28e0/0x28e0
[   43.636232]  ? create_filter_start.constprop.12+0x55/0x2b0
[   43.641852]  create_filter+0x155/0x270
[   43.645734]  ? process_preds+0x19b0/0x19b0
[   43.649976]  ftrace_profile_set_filter+0x130/0x2e0
[   43.654900]  ? ftrace_profile_free_filter+0x70/0x70
[   43.659908]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.665436]  ? memdup_user+0x6b/0xa0
[   43.669151]  perf_event_set_filter+0x248/0x1230
[   43.673811]  ? perf_tp_event+0xc30/0xc30
[   43.677870]  ? mutex_trylock+0x2a0/0x2a0
[   43.681924]  ? perf_pmu_unregister+0x530/0x530
[   43.686503]  ? perf_trace_lock_acquire+0x4f1/0x980
[   43.691436]  ? perf_trace_lock+0x900/0x900
[   43.695662]  ? perf_tp_event+0xc30/0xc30
[   43.699716]  ? graph_lock+0x170/0x170
[   43.703504]  ? memset+0x31/0x40
[   43.706790]  ? perf_trace_lock_acquire+0x4f1/0x980
[   43.711710]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   43.716895]  _perf_ioctl+0x84c/0x15e0
[   43.720689]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[   43.725881]  ? lock_downgrade+0x8e0/0x8e0
[   43.730026]  ? kasan_check_read+0x11/0x20
[   43.734173]  ? rcu_is_watching+0x85/0x140
[   43.738311]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   43.743504]  ? mutex_lock_nested+0x16/0x20
[   43.747728]  ? mutex_lock_nested+0x16/0x20
[   43.751952]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   43.757140]  ? perf_event_read_event+0x430/0x430
[   43.761886]  ? find_held_lock+0x36/0x1c0
[   43.765957]  perf_ioctl+0x59/0x80
[   43.769402]  ? _perf_ioctl+0x15e0/0x15e0
[   43.773459]  do_vfs_ioctl+0x1cf/0x16a0
[   43.777338]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   43.782872]  ? ioctl_preallocate+0x2e0/0x2e0
[   43.787275]  ? fget_raw+0x20/0x20
[   43.790729]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.796255]  ? __do_page_fault+0x441/0xe40
[   43.800490]  ? mm_fault_error+0x380/0x380
[   43.804630]  ? security_file_ioctl+0x94/0xc0
[   43.809034]  ksys_ioctl+0xa9/0xd0
[   43.812488]  __x64_sys_ioctl+0x73/0xb0
[   43.816375]  do_syscall_64+0x1b1/0x800
[   43.820252]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   43.825087]  ? syscall_return_slowpath+0x5c0/0x5c0
[   43.830008]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.834931]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.840460]  ? retint_user+0x18/0x18
[   43.844173]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.849015]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.854193] RIP: 0033:0x43fdb9
[   43.857372] RSP: 002b:00007ffe3c7ea938 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   43.865075] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   43.872340] RDX: 0000000020000000 RSI: 0000000040082406 RDI: 0000000000000003
[   43.879603] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   43.886864] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   43.894121] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   43.901406] 
[   43.903022] Allocated by task 1:
[   43.906381]  save_stack+0x43/0xd0
[   43.909823]  kasan_kmalloc+0xc4/0xe0
[   43.913527]  __kmalloc_node+0x47/0x70
[   43.917322]  kvmalloc_node+0x6b/0x100
[   43.921112]  allocate_hook_entries_size+0x44/0x90
[   43.925941]  __nf_register_net_hook+0x8bc/0xc60
[   43.930596]  nf_register_net_hook+0x62/0x100
[   43.934991]  nf_register_net_hooks+0x68/0xe0
[   43.939389]  ip6t_register_table+0x2c7/0x3b0
[   43.943786]  ip6table_mangle_table_init.part.1+0x49/0x70
[   43.949226]  ip6table_mangle_init+0xc0/0xf6
[   43.953539]  do_one_initcall+0x127/0x913
[   43.957589]  kernel_init_freeable+0x49b/0x58e
[   43.962077]  kernel_init+0x11/0x1b3
[   43.965692]  ret_from_fork+0x3a/0x50
[   43.969394] 
[   43.971011] Freed by task 1:
[   43.974020]  save_stack+0x43/0xd0
[   43.977464]  __kasan_slab_free+0x11a/0x170
[   43.981686]  kasan_slab_free+0xe/0x10
[   43.985477]  kfree+0xd9/0x260
[   43.988578]  kvfree+0x61/0x70
[   43.991673]  __nf_hook_entries_free+0x31/0x40
[   43.996157]  rcu_process_callbacks+0x941/0x15f0
[   44.000815]  __do_softirq+0x2e0/0xaf5
[   44.004600] 
[   44.006217] The buggy address belongs to the object at ffff8801cd9d3480
[   44.006217]  which belongs to the cache kmalloc-64 of size 64
[   44.018689] The buggy address is located 48 bytes to the right of
[   44.018689]  64-byte region [ffff8801cd9d3480, ffff8801cd9d34c0)
[   44.030894] The buggy address belongs to the page:
[   44.035810] page:ffffea00073674c0 count:1 mapcount:0 mapping:ffff8801cd9d3000 index:0x0
[   44.043944] flags: 0x2fffc0000000100(slab)
[   44.048171] raw: 02fffc0000000100 ffff8801cd9d3000 0000000000000000 0000000100000020
[   44.056039] raw: ffffea00073758a0 ffffea000736e520 ffff8801da800340 0000000000000000
[   44.063902] page dumped because: kasan: bad access detected
[   44.069595] 
[   44.071209] Memory state around the buggy address:
[   44.076123]  ffff8801cd9d3380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   44.083466]  ffff8801cd9d3400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   44.090811] >ffff8801cd9d3480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   44.098155]                                                              ^
[   44.105154]  ffff8801cd9d3500: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   44.112498]  ffff8801cd9d3580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   44.119838] ==================================================================
[   44.127181] Disabling lock debugging due to kernel taint
[   44.132812] Kernel panic - not syncing: panic_on_warn set ...
[   44.132812] 
[   44.140166] CPU: 0 PID: 4375 Comm: syz-executor894 Tainted: G    B             4.17.0-rc2+ #21
[   44.150981] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.160324] Call Trace:
[   44.162908]  dump_stack+0x1b9/0x294
[   44.166529]  ? dump_stack_print_info.cold.2+0x52/0x52
[   44.171710]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   44.176461]  ? process_preds+0x1910/0x19b0
[   44.180684]  panic+0x22f/0x4de
[   44.183864]  ? add_taint.cold.5+0x16/0x16
[   44.188007]  ? do_raw_spin_unlock+0x9e/0x2e0
[   44.192404]  ? do_raw_spin_unlock+0x9e/0x2e0
[   44.196805]  ? process_preds+0x1958/0x19b0
[   44.201029]  kasan_end_report+0x47/0x4f
[   44.204987]  kasan_report.cold.7+0x76/0x2fe
[   44.209302]  __asan_report_store4_noabort+0x17/0x20
[   44.214304]  process_preds+0x1958/0x19b0
[   44.218354]  ? create_filter_start.constprop.12+0xfb/0x2b0
[   44.223979]  ? parse_pred+0x28e0/0x28e0
[   44.227950]  ? create_filter_start.constprop.12+0x55/0x2b0
[   44.233563]  create_filter+0x155/0x270
[   44.237443]  ? process_preds+0x19b0/0x19b0
[   44.241679]  ftrace_profile_set_filter+0x130/0x2e0
[   44.246598]  ? ftrace_profile_free_filter+0x70/0x70
[   44.251604]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   44.257128]  ? memdup_user+0x6b/0xa0
[   44.260835]  perf_event_set_filter+0x248/0x1230
[   44.265491]  ? perf_tp_event+0xc30/0xc30
[   44.269545]  ? mutex_trylock+0x2a0/0x2a0
[   44.273596]  ? perf_pmu_unregister+0x530/0x530
[   44.278170]  ? perf_trace_lock_acquire+0x4f1/0x980
[   44.283098]  ? perf_trace_lock+0x900/0x900
[   44.287319]  ? perf_tp_event+0xc30/0xc30
[   44.291373]  ? graph_lock+0x170/0x170
[   44.295163]  ? memset+0x31/0x40
[   44.298447]  ? perf_trace_lock_acquire+0x4f1/0x980
[   44.303362]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   44.308542]  _perf_ioctl+0x84c/0x15e0
[   44.312334]  ? __do_sys_perf_event_open+0x2fa0/0x2fa0
[   44.317832]  ? lock_downgrade+0x8e0/0x8e0
[   44.321978]  ? kasan_check_read+0x11/0x20
[   44.326288]  ? rcu_is_watching+0x85/0x140
[   44.330426]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   44.335611]  ? mutex_lock_nested+0x16/0x20
[   44.339832]  ? mutex_lock_nested+0x16/0x20
[   44.344057]  ? perf_event_ctx_lock_nested+0x40d/0x4e0
[   44.349239]  ? perf_event_read_event+0x430/0x430
[   44.353982]  ? find_held_lock+0x36/0x1c0
[   44.358046]  perf_ioctl+0x59/0x80
[   44.361485]  ? _perf_ioctl+0x15e0/0x15e0
[   44.365531]  do_vfs_ioctl+0x1cf/0x16a0
[   44.369417]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   44.374946]  ? ioctl_preallocate+0x2e0/0x2e0
[   44.379340]  ? fget_raw+0x20/0x20
[   44.382789]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.388311]  ? __do_page_fault+0x441/0xe40
[   44.392541]  ? mm_fault_error+0x380/0x380
[   44.396678]  ? security_file_ioctl+0x94/0xc0
[   44.401076]  ksys_ioctl+0xa9/0xd0
[   44.404533]  __x64_sys_ioctl+0x73/0xb0
[   44.408419]  do_syscall_64+0x1b1/0x800
[   44.412294]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   44.417132]  ? syscall_return_slowpath+0x5c0/0x5c0
[   44.422052]  ? syscall_return_slowpath+0x30f/0x5c0
[   44.426973]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.432496]  ? retint_user+0x18/0x18
[   44.436205]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.441043]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   44.446229] RIP: 0033:0x43fdb9
[   44.449406] RSP: 002b:00007ffe3c7ea938 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[   44.457104] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[   44.464367] RDX: 0000000020000000 RSI: 0000000040082406 RDI: 0000000000000003
[   44.471626] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   44.478891] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[   44.486146] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[   44.493853] Dumping ftrace buffer:
[   44.497376]    (ftrace buffer empty)
[   44.501076] Kernel Offset: disabled
[   44.504701] Rebooting in 86400 seconds..
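Added triage example (not part of the syzkaller report above, and not syzkaller's own tooling): a small Python script that pulls the facts a responder needs out of a KASAN report like this one, recomputes the out-of-bounds distance from the addresses the report prints, classifies the shadow byte covering the faulting address, and decodes the raw ioctl request number from the register dump. The sample input is a constructed excerpt of the report above (values copied as-is). The only assumed name is the ioctl table entry: PERF_EVENT_IOC_SET_FILTER is _IOW('$', 6, char *) in include/uapi/linux/perf_event.h, which on x86-64 encodes to 0x40082406, the RSI value in the dump, and matches the perf_event_set_filter frame in the call trace.

```python
"""KASAN report triage helper (added example, not from the report above).
Parses bug type, access, object bounds and shadow state, and decodes the
ioctl request held in RSI at the time of the syscall."""
import re

# Constructed sample: lines copied from the report above, one entry per line.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in process_preds+0x1958/0x19b0
Write of size 4 at addr ffff8801cd9d34f0 by task syz-executor894/4375
RDX: 0000000020000000 RSI: 0000000040082406 RDI: 0000000000000003
The buggy address belongs to the object at ffff8801cd9d3480
 which belongs to the cache kmalloc-64 of size 64
Memory state around the buggy address:
 ffff8801cd9d3400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8801cd9d3480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801cd9d3500: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
"""

# Generic KASAN shadow encoding: one shadow byte per 8-byte granule.
SHADOW_MEANING = {
    0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
    0xfc: "slab redzone", 0xf1: "stack left redzone",
    0xf2: "stack mid redzone", 0xf3: "stack right redzone",
}


def shadow_meaning(b):
    if 1 <= b <= 7:
        return "partially addressable (first %d bytes)" % b
    return SHADOW_MEANING.get(b, "unknown 0x%02x" % b)


def parse_shadow(text):
    """Map every 8-byte granule in the 'Memory state' dump to its shadow byte."""
    granules = {}
    pat = r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})"
    for m in re.finditer(pat, text, re.M):
        row = int(m.group(1), 16)          # each row covers 16 granules = 128 bytes
        for i, tok in enumerate(m.group(2).split()):
            granules[row + 8 * i] = int(tok, 16)
    return granules


def parse_report(text):
    """Extract the bug header, the nearest object and the shadow byte at the fault."""
    m = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", text)
    bug, func = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    access, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) "
                  r"of size (\d+)", text)
    base, cache, objsize = int(m.group(1), 16), m.group(2), int(m.group(3))
    end = base + objsize
    if addr >= end:                        # past the end of the nearest object
        side, dist = "right", addr - end
    elif addr < base:                      # before its start
        side, dist = "left", base - addr
    else:                                  # inside (e.g. use-after-free)
        side, dist = "inside", addr - base
    shadow = parse_shadow(text).get(addr & ~7)
    return dict(bug=bug, func=func, access=access, size=size, addr=addr,
                base=base, cache=cache, objsize=objsize, side=side,
                distance=dist, shadow=shadow, shadow_meaning=shadow_meaning(shadow))


# Assumed name table, limited to the request the call trace confirms.
KNOWN_IOCTLS = {("$", 6, 8, "WRITE"): "PERF_EVENT_IOC_SET_FILTER"}


def decode_ioctl(req):
    """Split a Linux _IOC() request number into dir/type/nr/size (asm-generic layout)."""
    dirs = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}
    nr, typ = req & 0xff, chr((req >> 8) & 0xff)
    size, direction = (req >> 16) & 0x3fff, dirs[(req >> 30) & 0x3]
    return dict(dir=direction, type=typ, nr=nr, size=size,
                name=KNOWN_IOCTLS.get((typ, nr, size, direction), "unknown"))


def ioctl_from_regs(text):
    """x86-64 syscall ABI: rdi = fd, rsi = request, rdx = argument pointer."""
    m = re.search(r"RSI: ([0-9a-f]{16})", text)
    return decode_ioctl(int(m.group(1), 16))


def summarize(text):
    r, io = parse_report(text), ioctl_from_regs(text)
    return ("%s: %s of %d bytes in %s() at 0x%x, %d bytes to the %s of a %d-byte %s "
            "object at 0x%x; shadow 0x%02x (%s); syscall ioctl(.., %s, ..)"
            % (r["bug"], r["access"], r["size"], r["func"], r["addr"], r["distance"],
               r["side"], r["objsize"], r["cache"], r["base"], r["shadow"],
               r["shadow_meaning"], io["name"]))


if __name__ == "__main__":
    print(summarize(REPORT))
```

Run against the report above, the script confirms the 48-byte distance KASAN states, and adds two facts worth having before reading the stacks. First, the shadow byte at ffff8801cd9d34f0 is fc, a slab redzone: the 4-byte store from process_preds landed in the padding between kmalloc-64 slots, and the object KASAN attributes it to (ffff8801cd9d3480, shadow fb) is a freed netfilter hook-entries buffer allocated and RCU-freed by task 1 during ip6table_mangle init. Those "Allocated by"/"Freed by" stacks are therefore stale history of the nearest neighbour, not the buffer the tracing code was indexing. Second, RSI decodes to PERF_EVENT_IOC_SET_FILTER on fd 3 with the filter string at 0x20000000 (syzkaller's mapped data area), so the write is driven by a user-controlled filter expression passed through ftrace_profile_set_filter, create_filter and process_preds. The report does not include that filter string, so the script can say where the store landed but not which input produced it.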