[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 15.719107] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.090850] random: sshd: uninitialized urandom read (32 bytes read) [ 19.381787] random: sshd: uninitialized urandom read (32 bytes read) [ 20.067144] random: sshd: uninitialized urandom read (32 bytes read) [ 20.202067] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts. [ 25.612887] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 25.702358] FAULT_INJECTION: forcing a failure. [ 25.702358] name failslab, interval 1, probability 0, space 0, times 1 [ 25.713638] CPU: 1 PID: 4450 Comm: syz-executor920 Not tainted 4.18.0-rc3+ #111 [ 25.721068] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.730402] Call Trace: [ 25.733581] dump_stack+0x1c9/0x2b4 [ 25.737206] ? dump_stack_print_info.cold.2+0x52/0x52 [ 25.742393] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.747916] ? __do_page_fault+0x449/0xe50 [ 25.752154] should_fail.cold.4+0xa/0x1a [ 25.756198] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 25.761285] ? tcp_push+0x8c0/0x8c0 [ 25.764898] ? do_page_fault+0xf6/0x8c0 [ 25.768856] ? vmalloc_sync_all+0x30/0x30 [ 25.772985] ? sk_busy_loop_end+0x1c0/0x1c0 [ 25.777292] ? trace_hardirqs_on+0x10/0x10 [ 25.781511] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 25.787047] ? alloc_pages_current+0x114/0x210 [ 25.791627] ? lock_acquire+0x1e4/0x540 [ 25.795590] ? fs_reclaim_acquire+0x20/0x20 [ 25.799898] ? lock_downgrade+0x8f0/0x8f0 [ 25.804038] ? lock_acquire+0x1e4/0x540 [ 25.808021] ? check_same_owner+0x340/0x340 [ 25.812350] ? check_same_owner+0x340/0x340 [ 25.816682] ? rcu_note_context_switch+0x730/0x730 [ 25.821611] __should_failslab+0x124/0x180 [ 25.825831] should_failslab+0x9/0x14 [ 25.829611] __kmalloc+0x2c8/0x760 [ 25.833145] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 25.838154] ? _copy_from_iter+0x39d/0x1090 [ 25.842472] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 25.847478] ? tls_push_record+0x10d/0x1400 [ 25.851781] ? __check_object_size+0x9d/0x5f2 [ 25.856271] tls_push_record+0x10d/0x1400 [ 25.860407] ? _copy_from_iter_nocache+0x1050/0x1050 [ 25.865506] ? __local_bh_enable_ip+0x161/0x230 [ 25.870170] tls_sw_sendmsg+0x9e6/0x12c0 [ 25.874509] ? lock_release+0xa30/0xa30 [ 25.879385] ? tls_sw_push_pending_record+0x30/0x30 [ 25.884401] ? lock_downgrade+0x8f0/0x8f0 [ 25.888539] ? __sanitizer_cov_trace_pc+0x47/0x50 [ 25.893377] ? lock_release+0xa30/0xa30 [ 25.897351] ? __check_object_size+0x9d/0x5f2 [ 25.901843] inet_sendmsg+0x1a1/0x690 [ 25.905624] ? ipip_gro_receive+0x100/0x100 [ 25.909945] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 25.915469] ? security_socket_sendmsg+0x94/0xc0 [ 25.920221] ? ipip_gro_receive+0x100/0x100 [ 25.924528] sock_sendmsg+0xd5/0x120 [ 25.928236] __sys_sendto+0x3d7/0x670 [ 25.932016] ? __ia32_sys_getpeername+0xb0/0xb0 [ 25.936691] ? vfs_write+0x2ee/0x560 [ 25.940391] ? lock_downgrade+0x8f0/0x8f0 [ 25.944519] ? lock_release+0xa30/0xa30 [ 25.948475] ? fsnotify_first_mark+0x350/0x350 [ 25.953038] ? __fsnotify_parent+0xcc/0x420 [ 25.957429] ? fsnotify+0x14e0/0x14e0 [ 25.961247] ? __sb_end_write+0xac/0xe0 [ 25.965242] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.970798] ? ksys_write+0x1ae/0x260 [ 25.974620] ? __ia32_sys_read+0xb0/0xb0 [ 25.978708] ? syscall_slow_exit_work+0x500/0x500 [ 25.983586] __x64_sys_sendto+0xe1/0x1a0 [ 25.987672] do_syscall_64+0x1b9/0x820 [ 25.991583] ? syscall_slow_exit_work+0x500/0x500 [ 25.996444] ? syscall_return_slowpath+0x5e0/0x5e0 [ 26.001373] ? syscall_return_slowpath+0x31d/0x5e0 [ 26.006311] ? prepare_exit_to_usermode+0x291/0x3b0 [ 26.011344] ? perf_trace_sys_enter+0xb10/0xb10 [ 26.016000] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.020839] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.026012] RIP: 0033:0x440699 [ 26.029181] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 26.048305] RSP: 002b:00007fff70ff81f8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c [ 26.056000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440699 [ 26.063251] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000004 [ 26.070501] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c [ 26.077763] R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000005 [ 26.085015] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 26.093641] ================================================================== [ 26.101035] BUG: KASAN: use-after-free in tls_push_record+0x1091/0x1400 [ 26.107777] Write of size 1 at addr ffff8801cb078000 by task syz-executor920/4450 [ 26.115372] [ 26.116985] CPU: 0 PID: 4450 Comm: syz-executor920 Not tainted 4.18.0-rc3+ #111 [ 26.124405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.133741] Call Trace: [ 26.136310] dump_stack+0x1c9/0x2b4 [ 26.139926] ? dump_stack_print_info.cold.2+0x52/0x52 [ 26.145108] ? printk+0xa7/0xcf [ 26.148382] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 26.153116] ? tls_push_record+0x1091/0x1400 [ 26.157505] print_address_description+0x6c/0x20b [ 26.162485] ? tls_push_record+0x1091/0x1400 [ 26.166882] kasan_report.cold.7+0x242/0x2fe [ 26.171359] __asan_report_store1_noabort+0x17/0x20 [ 26.176363] tls_push_record+0x1091/0x1400 [ 26.180578] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 26.185576] ? lock_sock_nested+0x9f/0x120 [ 26.189969] tls_sw_push_pending_record+0x22/0x30 [ 26.194797] tls_sk_proto_close+0x74c/0xae0 [ 26.199114] ? lock_acquire+0x1e4/0x540 [ 26.203077] ? tcp_check_oom+0x530/0x530 [ 26.207125] ? lock_downgrade+0x8f0/0x8f0 [ 26.211251] ? tls_write_space+0x360/0x360 [ 26.215479] ? kasan_check_read+0x11/0x20 [ 26.219632] ? rcu_note_context_switch+0x730/0x730 [ 26.224544] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.230061] ? ipv6_sock_ac_close+0x356/0x490 [ 26.234554] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 26.240159] ? ipv6_sock_mc_close+0x162/0x1d0 [ 26.244633] ? ip_mc_drop_socket+0x20f/0x270 [ 26.249035] ? down_write+0x8f/0x130 [ 26.252741] inet_release+0x104/0x1f0 [ 26.256522] inet6_release+0x50/0x70 [ 26.260221] __sock_release+0xd7/0x260 [ 26.264106] ? __sock_release+0x260/0x260 [ 26.268249] sock_close+0x19/0x20 [ 26.271699] __fput+0x355/0x8b0 [ 26.274974] ? fput+0x1a0/0x1a0 [ 26.278247] ? check_same_owner+0x340/0x340 [ 26.282549] ? kasan_check_write+0x14/0x20 [ 26.286767] ? do_raw_spin_lock+0xc1/0x200 [ 26.290984] ____fput+0x15/0x20 [ 26.294244] task_work_run+0x1ec/0x2a0 [ 26.298114] ? task_work_cancel+0x250/0x250 [ 26.302430] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.307948] ? switch_task_namespaces+0xa2/0xd0 [ 26.312604] do_exit+0x1b08/0x2750 [ 26.316149] ? mm_update_next_owner+0x9a0/0x9a0 [ 26.320805] ? finish_task_switch+0x1d3/0x890 [ 26.325283] ? lock_downgrade+0x8f0/0x8f0 [ 26.329413] ? finish_task_switch+0x18a/0x890 [ 26.333916] ? kasan_check_read+0x11/0x20 [ 26.338063] ? do_raw_spin_unlock+0xa7/0x2f0 [ 26.342454] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 26.347042] ? compat_start_thread+0x80/0x80 [ 26.351449] ? kasan_check_write+0x14/0x20 [ 26.355662] ? finish_task_switch+0x2ca/0x890 [ 26.360140] ? preempt_notifier_register+0x200/0x200 [ 26.365314] ? lock_downgrade+0x8f0/0x8f0 [ 26.369450] ? lock_repin_lock+0x430/0x430 [ 26.373673] ? kasan_check_write+0x14/0x20 [ 26.377893] ? __sched_text_start+0x8/0x8 [ 26.382024] ? security_socket_sendmsg+0x94/0xc0 [ 26.386758] ? ipip_gro_receive+0x100/0x100 [ 26.391070] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.396588] ? sock_sendmsg+0x5a/0x120 [ 26.400453] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.405981] ? __sys_sendto+0x475/0x670 [ 26.409935] ? __ia32_sys_getpeername+0xb0/0xb0 [ 26.414583] ? vfs_write+0x2ee/0x560 [ 26.418275] ? lock_downgrade+0x8f0/0x8f0 [ 26.422404] ? lock_release+0xa30/0xa30 [ 26.426367] ? schedule+0xfb/0x450 [ 26.429886] ? fsnotify+0x14e0/0x14e0 [ 26.433668] ? __schedule+0x1ed0/0x1ed0 [ 26.437636] ? __sb_end_write+0xac/0xe0 [ 26.441688] do_group_exit+0x177/0x440 [ 26.445555] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.451078] ? __ia32_sys_exit+0x50/0x50 [ 26.455130] ? syscall_slow_exit_work+0x500/0x500 [ 26.459961] __x64_sys_exit_group+0x3e/0x50 [ 26.464263] do_syscall_64+0x1b9/0x820 [ 26.468131] ? syscall_slow_exit_work+0x500/0x500 [ 26.473304] ? syscall_return_slowpath+0x5e0/0x5e0 [ 26.478218] ? syscall_return_slowpath+0x31d/0x5e0 [ 26.483143] ? prepare_exit_to_usermode+0x291/0x3b0 [ 26.488139] ? perf_trace_sys_enter+0xb10/0xb10 [ 26.492789] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.497617] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.502785] RIP: 0033:0x43f358 [ 26.505952] Code: Bad RIP value. [ 26.509306] RSP: 002b:00007fff70ff8238 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 26.517002] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f358 [ 26.524250] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 26.531508] RBP: 00000000004bf448 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 26.538759] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 26.546020] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 26.553281] [ 26.554882] The buggy address belongs to the page: [ 26.559797] page:ffffea00072c1e00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0 [ 26.568178] flags: 0x2fffc0000000000() [ 26.572062] raw: 02fffc0000000000 ffffea0006d50808 ffffea00072c2008 0000000000000000 [ 26.579929] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 [ 26.587784] page dumped because: kasan: bad access detected [ 26.593466] [ 26.595077] Memory state around the buggy address: [ 26.599985] ffff8801cb077f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.607332] ffff8801cb077f80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 26.614669] >ffff8801cb078000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.622000] ^ [ 26.625352] ffff8801cb078080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.632698] ffff8801cb078100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.640041] ================================================================== [ 26.647576] Kernel panic - not syncing: panic_on_warn set ... [ 26.647576] [ 26.654928] CPU: 0 PID: 4450 Comm: syz-executor920 Tainted: G B 4.18.0-rc3+ #111 [ 26.663742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.673263] Call Trace: [ 26.675832] dump_stack+0x1c9/0x2b4 [ 26.679450] ? dump_stack_print_info.cold.2+0x52/0x52 [ 26.684621] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 26.689356] panic+0x238/0x4e7 [ 26.692528] ? add_taint.cold.5+0x16/0x16 [ 26.696656] ? do_raw_spin_unlock+0xa7/0x2f0 [ 26.701045] ? tls_push_record+0x1091/0x1400 [ 26.705433] kasan_end_report+0x47/0x4f [ 26.709386] kasan_report.cold.7+0x76/0x2fe [ 26.713684] __asan_report_store1_noabort+0x17/0x20 [ 26.718678] tls_push_record+0x1091/0x1400 [ 26.722891] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 26.727463] ? lock_sock_nested+0x9f/0x120 [ 26.731682] tls_sw_push_pending_record+0x22/0x30 [ 26.736506] tls_sk_proto_close+0x74c/0xae0 [ 26.740815] ? lock_acquire+0x1e4/0x540 [ 26.744774] ? tcp_check_oom+0x530/0x530 [ 26.748814] ? lock_downgrade+0x8f0/0x8f0 [ 26.753051] ? tls_write_space+0x360/0x360 [ 26.757265] ? kasan_check_read+0x11/0x20 [ 26.761743] ? rcu_note_context_switch+0x730/0x730 [ 26.766655] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.772173] ? ipv6_sock_ac_close+0x356/0x490 [ 26.776657] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 26.782178] ? ipv6_sock_mc_close+0x162/0x1d0 [ 26.786652] ? ip_mc_drop_socket+0x20f/0x270 [ 26.791129] ? down_write+0x8f/0x130 [ 26.794822] inet_release+0x104/0x1f0 [ 26.798620] inet6_release+0x50/0x70 [ 26.802311] __sock_release+0xd7/0x260 [ 26.806177] ? __sock_release+0x260/0x260 [ 26.810299] sock_close+0x19/0x20 [ 26.813732] __fput+0x355/0x8b0 [ 26.816989] ? fput+0x1a0/0x1a0 [ 26.820246] ? check_same_owner+0x340/0x340 [ 26.824546] ? kasan_check_write+0x14/0x20 [ 26.828760] ? do_raw_spin_lock+0xc1/0x200 [ 26.832974] ____fput+0x15/0x20 [ 26.836246] task_work_run+0x1ec/0x2a0 [ 26.840114] ? task_work_cancel+0x250/0x250 [ 26.844414] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 26.849929] ? switch_task_namespaces+0xa2/0xd0 [ 26.854577] do_exit+0x1b08/0x2750 [ 26.858100] ? mm_update_next_owner+0x9a0/0x9a0 [ 26.862750] ? finish_task_switch+0x1d3/0x890 [ 26.867234] ? lock_downgrade+0x8f0/0x8f0 [ 26.871370] ? finish_task_switch+0x18a/0x890 [ 26.875845] ? kasan_check_read+0x11/0x20 [ 26.879973] ? do_raw_spin_unlock+0xa7/0x2f0 [ 26.884364] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 26.888936] ? compat_start_thread+0x80/0x80 [ 26.893330] ? kasan_check_write+0x14/0x20 [ 26.897543] ? finish_task_switch+0x2ca/0x890 [ 26.902033] ? preempt_notifier_register+0x200/0x200 [ 26.907120] ? lock_downgrade+0x8f0/0x8f0 [ 26.911265] ? lock_repin_lock+0x430/0x430 [ 26.915496] ? kasan_check_write+0x14/0x20 [ 26.919716] ? __sched_text_start+0x8/0x8 [ 26.923857] ? security_socket_sendmsg+0x94/0xc0 [ 26.928594] ? ipip_gro_receive+0x100/0x100 [ 26.932908] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.938599] ? sock_sendmsg+0x5a/0x120 [ 26.942752] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.948621] ? __sys_sendto+0x475/0x670 [ 26.952587] ? __ia32_sys_getpeername+0xb0/0xb0 [ 26.957236] ? vfs_write+0x2ee/0x560 [ 26.960930] ? lock_downgrade+0x8f0/0x8f0 [ 26.965060] ? lock_release+0xa30/0xa30 [ 26.969020] ? schedule+0xfb/0x450 [ 26.972538] ? fsnotify+0x14e0/0x14e0 [ 26.976319] ? __schedule+0x1ed0/0x1ed0 [ 26.980289] ? __sb_end_write+0xac/0xe0 [ 26.984522] do_group_exit+0x177/0x440 [ 26.988397] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.994197] ? __ia32_sys_exit+0x50/0x50 [ 26.998241] ? syscall_slow_exit_work+0x500/0x500 [ 27.003077] __x64_sys_exit_group+0x3e/0x50 [ 27.007381] do_syscall_64+0x1b9/0x820 [ 27.011254] ? syscall_slow_exit_work+0x500/0x500 [ 27.016261] ? syscall_return_slowpath+0x5e0/0x5e0 [ 27.021171] ? syscall_return_slowpath+0x31d/0x5e0 [ 27.026089] ? prepare_exit_to_usermode+0x291/0x3b0 [ 27.031088] ? perf_trace_sys_enter+0xb10/0xb10 [ 27.035745] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 27.040570] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 27.045750] RIP: 0033:0x43f358 [ 27.048924] Code: Bad RIP value. [ 27.052277] RSP: 002b:00007fff70ff8238 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 27.059964] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f358 [ 27.067229] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 27.074563] RBP: 00000000004bf448 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 27.081983] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 27.089236] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 27.096931] Dumping ftrace buffer: [ 27.100447] (ftrace buffer empty) [ 27.104145] Kernel Offset: disabled [ 27.107751] Rebooting in 86400 seconds..