[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.096295] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.745834] random: sshd: uninitialized urandom read (32 bytes read)
[   24.966702] random: sshd: uninitialized urandom read (32 bytes read)
[   25.468806] random: sshd: uninitialized urandom read (32 bytes read)
[   27.484543] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
[   33.260028] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   34.341667] ==================================================================
[   34.349256] BUG: KASAN: use-after-free in finish_task_switch+0x544/0x870
[   34.356115] Read of size 8 at addr ffff8801c79482d8 by task syz-executor216/4445
[   34.363655] 
[   34.365302] CPU: 0 PID: 4445 Comm: syz-executor216 Not tainted 4.18.0-rc8-next-20180810+ #36
[   34.373893] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.383267] Call Trace:
[   34.385875]  dump_stack+0x1c9/0x2b4
[   34.389528]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.394747]  ? printk+0xa7/0xcf
[   34.398053]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.402835]  ? finish_task_switch+0x544/0x870
[   34.407354]  print_address_description+0x6c/0x20b
[   34.412643]  ? finish_task_switch+0x544/0x870
[   34.417160]  kasan_report.cold.7+0x242/0x30d
[   34.421594]  __asan_report_load8_noabort+0x14/0x20
[   34.426543]  finish_task_switch+0x544/0x870
[   34.430886]  ? __switch_to_asm+0x34/0x70
[   34.434973]  ? preempt_notifier_register+0x200/0x200
[   34.440092]  ? __switch_to_asm+0x34/0x70
[   34.444170]  ? __switch_to_asm+0x34/0x70
[   34.448250]  ? __switch_to_asm+0x40/0x70
[   34.452331]  ? __switch_to_asm+0x34/0x70
[   34.456411]  ? __switch_to_asm+0x40/0x70
[   34.460514]  ? __switch_to_asm+0x34/0x70
[   34.464588]  ? __switch_to_asm+0x40/0x70
[   34.468791]  ? __switch_to_asm+0x34/0x70
[   34.472871]  ? __switch_to_asm+0x34/0x70
[   34.476947]  ? __switch_to_asm+0x40/0x70
[   34.481023]  ? __switch_to_asm+0x34/0x70
[   34.485174]  ? __switch_to_asm+0x40/0x70
[   34.489252]  ? __switch_to_asm+0x34/0x70
[   34.493334]  ? __switch_to_asm+0x40/0x70
[   34.497421]  __schedule+0x884/0x1ec0
[   34.501182]  ? __sched_text_start+0x8/0x8
[   34.505357]  ? graph_lock+0x170/0x170
[   34.509176]  ? plist_check_list+0xa0/0xa0
[   34.513353]  ? __lock_acquire+0x7fc/0x5020
[   34.517631]  schedule+0xfb/0x450
[   34.521023]  ? lock_downgrade+0x8f0/0x8f0
[   34.525193]  ? __schedule+0x1ec0/0x1ec0
[   34.529189]  ? kasan_check_read+0x11/0x20
[   34.533357]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.537788]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.542391]  ? lock_acquire+0x1e4/0x540
[   34.546397]  futex_wait_queue_me+0x3f9/0x840
[   34.550823]  ? graph_lock+0x170/0x170
[   34.554642]  ? refill_pi_state_cache.part.8+0x320/0x320
[   34.560026]  ? kasan_check_write+0x14/0x20
[   34.564284]  ? do_raw_spin_lock+0xc1/0x200
[   34.568547]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.574110]  ? get_futex_value_locked+0xcb/0xf0
[   34.578807]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.583844]  ? futex_wait_setup+0x281/0x410
[   34.588186]  ? find_held_lock+0x36/0x1c0
[   34.592272]  ? futex_wake+0x760/0x760
[   34.596098]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.601311]  futex_wait+0x45b/0xa20
[   34.604969]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   34.609664]  ? futex_wait_setup+0x410/0x410
[   34.614012]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.619225]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.624850]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[   34.630039]  ? futex_wake+0x304/0x760
[   34.633889]  ? save_stack+0xa9/0xd0
[   34.637539]  ? __kasan_slab_free+0x11a/0x170
[   34.641966]  ? kasan_slab_free+0xe/0x10
[   34.646066]  ? kmem_cache_free+0x86/0x2d0
[   34.650234]  ? putname+0xf2/0x130
[   34.653709]  ? filename_lookup+0x397/0x510
[   34.657976]  do_futex+0x336/0x27d0
[   34.661542]  ? kasan_check_read+0x11/0x20
[   34.665716]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.670155]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.674761]  ? kasan_check_write+0x14/0x20
[   34.679016]  ? do_raw_spin_lock+0xc1/0x200
[   34.683273]  ? exit_robust_list+0x290/0x290
[   34.687622]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   34.692756]  ? debug_check_no_obj_freed+0x30b/0x595
[   34.697801]  ? path_lookupat.isra.45+0x381/0xc00
[   34.702582]  ? kasan_check_read+0x11/0x20
[   34.706761]  ? rcu_is_watching+0x8c/0x150
[   34.710931]  ? rcu_pm_notify+0xc0/0xc0
[   34.714841]  ? putname+0xf2/0x130
[   34.718320]  ? putname+0xf2/0x130
[   34.721797]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.726840]  ? kmem_cache_free+0x25c/0x2d0
[   34.731096]  ? putname+0xf7/0x130
[   34.734574]  ? filename_lookup+0x39c/0x510
[   34.738827]  ? nd_jump_link+0x1d0/0x1d0
[   34.742835]  ? mpi_free.cold.1+0x19/0x19
[   34.746927]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.752502]  ? getname_flags+0x26e/0x5a0
[   34.756581]  ? user_path_at_empty+0x40/0x50
[   34.760924]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.766491]  ? do_linkat+0x3ec/0xaa0
[   34.770278]  __x64_sys_futex+0x472/0x6a0
[   34.774357]  ? do_futex+0x27d0/0x27d0
[   34.778174]  ? filp_open+0x80/0x80
[   34.781745]  ? do_syscall_64+0x9a/0x820
[   34.785747]  do_syscall_64+0x1b9/0x820
[   34.789645]  ? finish_task_switch+0x1d3/0x870
[   34.794153]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.799093]  ? syscall_return_slowpath+0x31d/0x5e0
[   34.804036]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   34.809416]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.814270]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.819466] RIP: 0033:0x4468a9
[   34.822671] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   34.841582] RSP: 002b:00007f34d3e78da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   34.849296] RAX: ffffffffffffffda RBX: 00000000006dbc88 RCX: 00000000004468a9
[   34.856571] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dbc88
[   34.863850] RBP: 00000000006dbc80 R08: 0000000000000000 R09: 0000000000000000
[   34.871124] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc8c
[   34.878401] R13: 0030656c69662f2e R14: 6c75662f7665642f R15: 00000000006dbd6c
[   34.885686] 
[   34.887326] Allocated by task 4439:
[   34.890988]  save_stack+0x43/0xd0
[   34.894451]  kasan_kmalloc+0xc4/0xe0
[   34.898174]  kasan_slab_alloc+0x12/0x20
[   34.902160]  kmem_cache_alloc+0x12e/0x760
[   34.906318]  vmx_create_vcpu+0xcf/0x28b0
[   34.910386]  kvm_arch_vcpu_create+0xe5/0x220
[   34.914811]  kvm_vm_ioctl+0x488/0x1d80
[   34.918709]  do_vfs_ioctl+0x1de/0x1720
[   34.922611]  ksys_ioctl+0xa9/0xd0
[   34.926074]  __x64_sys_ioctl+0x73/0xb0
[   34.929977]  do_syscall_64+0x1b9/0x820
[   34.933876]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.939083] 
[   34.940728] Freed by task 4423:
[   34.944019]  save_stack+0x43/0xd0
[   34.947482]  __kasan_slab_free+0x11a/0x170
[   34.951733]  kasan_slab_free+0xe/0x10
[   34.955542]  kmem_cache_free+0x86/0x2d0
[   34.959528]  vmx_free_vcpu+0x26b/0x300
[   34.963425]  kvm_arch_destroy_vm+0x365/0x7c0
[   34.967850]  kvm_put_kvm+0x73f/0x1060
[   34.971672]  kvm_vcpu_release+0x7b/0xa0
[   34.975655]  __fput+0x376/0x8a0
[   34.978948]  ____fput+0x15/0x20
[   34.982242]  task_work_run+0x1e8/0x2a0
[   34.986144]  exit_to_usermode_loop+0x318/0x380
[   34.990743]  do_syscall_64+0x6be/0x820
[   34.994648]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.999843] 
[   35.001505] The buggy address belongs to the object at ffff8801c79482c0
[   35.001505]  which belongs to the cache kvm_vcpu of size 23808
[   35.014089] The buggy address is located 24 bytes inside of
[   35.014089]  23808-byte region [ffff8801c79482c0, ffff8801c794dfc0)
[   35.026058] The buggy address belongs to the page:
[   35.031000] page:ffffea00071e5200 count:1 mapcount:0 mapping:ffff8801d4c35a80 index:0x0 compound_mapcount: 0
executing program
[   35.040988] flags: 0x2fffc0000008100(slab|head)
[   35.045695] raw: 02fffc0000008100 ffffea000721fe08 ffffea0007364208 ffff8801d4c35a80
[   35.053601] raw: 0000000000000000 ffff8801c79482c0 0000000100000001 0000000000000000
[   35.061504] page dumped because: kasan: bad access detected
[   35.067274] 
[   35.068902] Memory state around the buggy address:
[   35.073846]  ffff8801c7948180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.081219]  ffff8801c7948200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.088587] >ffff8801c7948280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   35.095954]                                                     ^
[   35.102200]  ffff8801c7948300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.109576]  ffff8801c7948380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.116953] ==================================================================
[   35.124319] Disabling lock debugging due to kernel taint
[   35.129908] Kernel panic - not syncing: panic_on_warn set ...
[   35.129908] 
[   35.137306] CPU: 0 PID: 4445 Comm: syz-executor216 Tainted: G    B             4.18.0-rc8-next-20180810+ #36
[   35.147353] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.156831] Call Trace:
[   35.159533]  dump_stack+0x1c9/0x2b4
[   35.163181]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.168392]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.173163]  panic+0x238/0x4e7
[   35.176384]  ? add_taint.cold.5+0x16/0x16
[   35.180560]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.184987]  ? finish_task_switch+0x544/0x870
[   35.189517]  kasan_end_report+0x47/0x4f
[   35.193525]  kasan_report.cold.7+0x76/0x30d
[   35.197984]  __asan_report_load8_noabort+0x14/0x20
[   35.202932]  finish_task_switch+0x544/0x870
[   35.207273]  ? __switch_to_asm+0x34/0x70
[   35.211349]  ? preempt_notifier_register+0x200/0x200
[   35.216491]  ? __switch_to_asm+0x34/0x70
[   35.220573]  ? __switch_to_asm+0x34/0x70
[   35.224657]  ? __switch_to_asm+0x40/0x70
[   35.228740]  ? __switch_to_asm+0x34/0x70
[   35.232820]  ? __switch_to_asm+0x40/0x70
[   35.236897]  ? __switch_to_asm+0x34/0x70
[   35.241059]  ? __switch_to_asm+0x40/0x70
[   35.245132]  ? __switch_to_asm+0x34/0x70
[   35.249207]  ? __switch_to_asm+0x34/0x70
[   35.253286]  ? __switch_to_asm+0x40/0x70
[   35.257365]  ? __switch_to_asm+0x34/0x70
[   35.261444]  ? __switch_to_asm+0x40/0x70
[   35.265546]  ? __switch_to_asm+0x34/0x70
[   35.269632]  ? __switch_to_asm+0x40/0x70
[   35.273728]  __schedule+0x884/0x1ec0
[   35.278028]  ? __sched_text_start+0x8/0x8
[   35.282196]  ? graph_lock+0x170/0x170
[   35.286014]  ? plist_check_list+0xa0/0xa0
[   35.290178]  ? __lock_acquire+0x7fc/0x5020
[   35.294439]  schedule+0xfb/0x450
[   35.297846]  ? lock_downgrade+0x8f0/0x8f0
[   35.302034]  ? __schedule+0x1ec0/0x1ec0
[   35.306029]  ? kasan_check_read+0x11/0x20
[   35.310193]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.314620]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   35.319216]  ? lock_acquire+0x1e4/0x540
[   35.323219]  futex_wait_queue_me+0x3f9/0x840
[   35.327649]  ? graph_lock+0x170/0x170
[   35.331498]  ? refill_pi_state_cache.part.8+0x320/0x320
[   35.336882]  ? kasan_check_write+0x14/0x20
[   35.341135]  ? do_raw_spin_lock+0xc1/0x200
[   35.345394]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.350943]  ? get_futex_value_locked+0xcb/0xf0
[   35.355631]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   35.360672]  ? futex_wait_setup+0x281/0x410
[   35.365011]  ? find_held_lock+0x36/0x1c0
[   35.369089]  ? futex_wake+0x760/0x760
[   35.372908]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   35.378113]  futex_wait+0x45b/0xa20
[   35.381759]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   35.386454]  ? futex_wait_setup+0x410/0x410
[   35.390816]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   35.396020]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.401579]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[   35.406698]  ? futex_wake+0x304/0x760
[   35.410533]  ? save_stack+0xa9/0xd0
[   35.414174]  ? __kasan_slab_free+0x11a/0x170
[   35.418659]  ? kasan_slab_free+0xe/0x10
[   35.422785]  ? kmem_cache_free+0x86/0x2d0
[   35.426941]  ? putname+0xf2/0x130
[   35.430404]  ? filename_lookup+0x397/0x510
[   35.434652]  do_futex+0x336/0x27d0
[   35.438203]  ? kasan_check_read+0x11/0x20
[   35.442362]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.446786]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   35.451382]  ? kasan_check_write+0x14/0x20
[   35.455631]  ? do_raw_spin_lock+0xc1/0x200
[   35.459877]  ? exit_robust_list+0x290/0x290
[   35.464209]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   35.469331]  ? debug_check_no_obj_freed+0x30b/0x595
[   35.474356]  ? path_lookupat.isra.45+0x381/0xc00
[   35.479120]  ? kasan_check_read+0x11/0x20
[   35.483281]  ? rcu_is_watching+0x8c/0x150
[   35.487441]  ? rcu_pm_notify+0xc0/0xc0
[   35.491362]  ? putname+0xf2/0x130
[   35.494829]  ? putname+0xf2/0x130
[   35.498304]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.503334]  ? kmem_cache_free+0x25c/0x2d0
[   35.507583]  ? putname+0xf7/0x130
[   35.511048]  ? filename_lookup+0x39c/0x510
[   35.515290]  ? nd_jump_link+0x1d0/0x1d0
[   35.519283]  ? mpi_free.cold.1+0x19/0x19
[   35.523366]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.528912]  ? getname_flags+0x26e/0x5a0
[   35.532989]  ? user_path_at_empty+0x40/0x50
[   35.537331]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.542888]  ? do_linkat+0x3ec/0xaa0
[   35.546620]  __x64_sys_futex+0x472/0x6a0
[   35.550695]  ? do_futex+0x27d0/0x27d0
[   35.554518]  ? filp_open+0x80/0x80
[   35.558073]  ? do_syscall_64+0x9a/0x820
[   35.562063]  do_syscall_64+0x1b9/0x820
[   35.565964]  ? finish_task_switch+0x1d3/0x870
[   35.570493]  ? syscall_return_slowpath+0x5e0/0x5e0
[   35.575437]  ? syscall_return_slowpath+0x31d/0x5e0
[   35.580488]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   35.585868]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.590732]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.595935] RIP: 0033:0x4468a9
[   35.599289] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   35.618207] RSP: 002b:00007f34d3e78da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   35.625931] RAX: ffffffffffffffda RBX: 00000000006dbc88 RCX: 00000000004468a9
[   35.633260] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000006dbc88
[   35.640541] RBP: 00000000006dbc80 R08: 0000000000000000 R09: 0000000000000000
[   35.647903] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc8c
[   35.655185] R13: 0030656c69662f2e R14: 6c75662f7665642f R15: 00000000006dbd6c
[   35.663125] Dumping ftrace buffer:
[   35.666673]    (ftrace buffer empty)
[   35.670376] Kernel Offset: disabled
[   35.674118] Rebooting in 86400 seconds..