[....] Starting OpenBSD Secure Shell server: sshd
[ 28.565078] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 31.875354] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.125208] kauditd_printk_skb: 9 callbacks suppressed
[ 32.125216] audit: type=1400 audit(1569435731.314:35): avc: denied { map } for pid=6813 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.174153] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.688428] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
[ 38.396213] urandom_read: 1 callbacks suppressed
[ 38.396218] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 38.522773] audit: type=1400 audit(1569435737.714:36): avc: denied { map } for pid=6826 comm="syz-executor020" path="/root/syz-executor020335670" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.559742] FAULT_INJECTION: forcing a failure.
[ 38.559742] name failslab, interval 1, probability 0, space 0, times 1
[ 38.571429] CPU: 1 PID: 6826 Comm: syz-executor020 Not tainted 4.14.146 #0
[ 38.580092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.589633] Call Trace:
[ 38.592230] dump_stack+0x138/0x197
[ 38.595853] should_fail.cold+0x10f/0x159
[ 38.599995] should_failslab+0xdb/0x130
[ 38.604046] __kmalloc+0x2f0/0x7a0
[ 38.607585] ? tls_push_record+0x10a/0x1210
[ 38.611902] tls_push_record+0x10a/0x1210
[ 38.616167] tls_sw_sendpage+0x434/0xb50
[ 38.620433] ? tls_sw_sendmsg+0x1020/0x1020
[ 38.624960] inet_sendpage+0x157/0x580
[ 38.628928] ? tls_sw_sendmsg+0x1020/0x1020
[ 38.633241] kernel_sendpage+0x92/0xf0
[ 38.637117] ? inet_sendmsg+0x500/0x500
[ 38.641121] sock_sendpage+0x8b/0xc0
[ 38.644822] ? kernel_sendpage+0xf0/0xf0
[ 38.648954] pipe_to_sendpage+0x242/0x340
[ 38.653088] ? direct_splice_actor+0x190/0x190
[ 38.657704] ? anon_pipe_buf_release+0x157/0x220
[ 38.662482] __splice_from_pipe+0x348/0x780
[ 38.666846] ? direct_splice_actor+0x190/0x190
[ 38.671421] ? direct_splice_actor+0x190/0x190
[ 38.675992] splice_from_pipe+0xf0/0x150
[ 38.680042] ? splice_shrink_spd+0xb0/0xb0
[ 38.684364] ? security_file_permission+0x89/0x1f0
[ 38.689280] generic_splice_sendpage+0x3c/0x50
[ 38.693848] ? splice_from_pipe+0x150/0x150
[ 38.698185] SyS_splice+0xd92/0x1430
[ 38.701958] ? __sb_end_write+0xc1/0x100
[ 38.706009] ? compat_SyS_vmsplice+0x250/0x250
[ 38.710790] ? do_syscall_64+0x53/0x640
[ 38.714792] ? compat_SyS_vmsplice+0x250/0x250
[ 38.719365] do_syscall_64+0x1e8/0x640
[ 38.723238] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.728092] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.733270] RIP: 0033:0x440679
[ 38.736453] RSP: 002b:00007ffcccb335f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 38.744340] RAX: ffffffffffffffda RBX: 00007ffcccb33610 RCX: 0000000000440679
[ 38.751613] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
[ 38.758903] RBP: 0000000000000005 R08: 0000000100000000 R09: 0000000000000000
[ 38.766160] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f60
[ 38.773420] R13: 0000000000401ff0 R14: 0000000000000000 R15: 0000000000000000
[ 38.930393] ==================================================================
[ 38.938063] BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x260/0x6b0
[ 38.945717] Read of size 4096 at addr ffff88808bacd000 by task syz-executor020/6826
[ 38.953503]
[ 38.955123] CPU: 1 PID: 6826 Comm: syz-executor020 Not tainted 4.14.146 #0
[ 38.962131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.972082] Call Trace:
[ 38.974715] dump_stack+0x138/0x197
[ 38.978331] ? scatterwalk_copychunks+0x260/0x6b0
[ 38.983162] print_address_description.cold+0x7c/0x1dc
[ 38.988432] ? scatterwalk_copychunks+0x260/0x6b0
[ 38.993265] kasan_report.cold+0xa9/0x2af
[ 38.997401] check_memory_region+0x123/0x190
[ 39.001827] memcpy+0x24/0x50
[ 39.004919] scatterwalk_copychunks+0x260/0x6b0
[ 39.009699] scatterwalk_map_and_copy+0x12f/0x1d0
[ 39.014561] ? scatterwalk_copychunks+0x6b0/0x6b0
[ 39.019419] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 39.024858] ? rcu_read_lock_sched_held+0x110/0x130
[ 39.029895] ? __kmalloc+0x376/0x7a0
[ 39.033597] ? gcmaes_encrypt.constprop.0+0x143/0xb90
[ 39.038776] gcmaes_encrypt.constprop.0+0x1d2/0xb90
[ 39.043780] ? __lock_is_held+0xb6/0x140
[ 39.047829] ? check_preemption_disabled+0x3c/0x250
[ 39.052835] generic_gcmaes_encrypt+0xf4/0x130
[ 39.057411] ? helper_rfc4106_encrypt+0x320/0x320
[ 39.062237] ? __kmalloc+0x376/0x7a0
[ 39.065938] gcmaes_wrapper_encrypt+0xef/0x150
[ 39.070507] tls_push_record+0x906/0x1210
[ 39.074644] tls_sw_sendpage+0x434/0xb50
[ 39.078690] ? tls_sw_sendmsg+0x1020/0x1020
[ 39.083001] inet_sendpage+0x157/0x580
[ 39.086876] ? tls_sw_sendmsg+0x1020/0x1020
[ 39.091185] kernel_sendpage+0x92/0xf0
[ 39.095057] ? inet_sendmsg+0x500/0x500
[ 39.099016] sock_sendpage+0x8b/0xc0
[ 39.102732] ? kernel_sendpage+0xf0/0xf0
[ 39.106799] pipe_to_sendpage+0x242/0x340
[ 39.110956] ? direct_splice_actor+0x190/0x190
[ 39.115867] ? anon_pipe_buf_release+0x157/0x220
[ 39.120619] __splice_from_pipe+0x348/0x780
[ 39.125142] ? direct_splice_actor+0x190/0x190
[ 39.129754] ? direct_splice_actor+0x190/0x190
[ 39.134449] splice_from_pipe+0xf0/0x150
[ 39.138510] ? splice_shrink_spd+0xb0/0xb0
[ 39.142738] ? security_file_permission+0x89/0x1f0
[ 39.148072] generic_splice_sendpage+0x3c/0x50
[ 39.152685] ? splice_from_pipe+0x150/0x150
[ 39.157028] SyS_splice+0xd92/0x1430
[ 39.160737] ? __sb_end_write+0xc1/0x100
[ 39.164794] ? compat_SyS_vmsplice+0x250/0x250
[ 39.169367] ? do_syscall_64+0x53/0x640
[ 39.173333] ? compat_SyS_vmsplice+0x250/0x250
[ 39.177901] do_syscall_64+0x1e8/0x640
[ 39.181861] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.186743] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.191921] RIP: 0033:0x440679
[ 39.195098] RSP: 002b:00007ffcccb335f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 39.202793] RAX: ffffffffffffffda RBX: 00007ffcccb33610 RCX: 0000000000440679
[ 39.210139] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
[ 39.217399] RBP: 0000000000000005 R08: 0000000100000000 R09: 0000000000000000
[ 39.224783] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f60
[ 39.232246] R13: 0000000000401ff0 R14: 0000000000000000 R15: 0000000000000000
[ 39.239600]
[ 39.241217] Allocated by task 3568:
[ 39.244831] save_stack_trace+0x16/0x20
[ 39.248888] save_stack+0x45/0xd0
[ 39.252439] kasan_kmalloc+0xce/0xf0
[ 39.256138] kasan_slab_alloc+0xf/0x20
[ 39.260011] kmem_cache_alloc+0x12e/0x780
[ 39.264238] shmem_alloc_inode+0x1c/0x50
[ 39.268283] alloc_inode+0x64/0x180
[ 39.271940] new_inode_pseudo+0x19/0xf0
[ 39.275930] new_inode+0x1f/0x40
[ 39.279280] shmem_get_inode+0x75/0x750
[ 39.283259] shmem_mknod+0x5a/0x1d0
[ 39.286871] shmem_create+0x2b/0x40
[ 39.290576] lookup_open+0x11a6/0x1860
[ 39.294447] path_openat+0xfca/0x3f70
[ 39.298319] do_filp_open+0x18e/0x250
[ 39.302274] do_sys_open+0x2c5/0x430
[ 39.305978] SyS_open+0x2d/0x40
[ 39.309255] do_syscall_64+0x1e8/0x640
[ 39.313388] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.318704]
[ 39.320317] Freed by task 0:
[ 39.323357] (stack is not available)
[ 39.327053]
[ 39.328673] The buggy address belongs to the object at ffff88808bacd000
[ 39.328673]  which belongs to the cache shmem_inode_cache of size 1200
[ 39.341921] The buggy address is located 0 bytes inside of
[ 39.341921]  1200-byte region [ffff88808bacd000, ffff88808bacd4b0)
[ 39.354424] The buggy address belongs to the page:
[ 39.359349] page:ffffea00022eb340 count:1 mapcount:0 mapping:ffff88808bacd000 index:0xffff88808bacdffd
[ 39.368788] flags: 0x1fffc0000000100(slab)
[ 39.373011] raw: 01fffc0000000100 ffff88808bacd000 ffff88808bacdffd 0000000100000003
[ 39.381047] raw: ffffea00022e9120 ffffea00022d6ea0 ffff8880aa9e03c0 0000000000000000
[ 39.388980] page dumped because: kasan: bad access detected
[ 39.394675]
[ 39.396288] Memory state around the buggy address:
[ 39.401202]  ffff88808bacd380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.408761]  ffff88808bacd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.416102] >ffff88808bacd480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 39.423447]                                      ^
[ 39.428368]  ffff88808bacd500: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
[ 39.435805]  ffff88808bacd580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 39.443146] ==================================================================
[ 39.450528] Disabling lock debugging due to kernel taint
[ 39.456556] Kernel panic - not syncing: panic_on_warn set ...
[ 39.456556]
[ 39.463918] CPU: 1 PID: 6826 Comm: syz-executor020 Tainted: G B 4.14.146 #0
[ 39.472132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.481473] Call Trace:
[ 39.484055] dump_stack+0x138/0x197
[ 39.487664] ? scatterwalk_copychunks+0x260/0x6b0
[ 39.492495] panic+0x1f2/0x426
[ 39.496322] ? add_taint.cold+0x16/0x16
[ 39.500284] kasan_end_report+0x47/0x4f
[ 39.504276] kasan_report.cold+0x130/0x2af
[ 39.508621] check_memory_region+0x123/0x190
[ 39.513142] memcpy+0x24/0x50
[ 39.516233] scatterwalk_copychunks+0x260/0x6b0
[ 39.520891] scatterwalk_map_and_copy+0x12f/0x1d0
[ 39.525963] ? scatterwalk_copychunks+0x6b0/0x6b0
[ 39.530790] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 39.536227] ? rcu_read_lock_sched_held+0x110/0x130
[ 39.541230] ? __kmalloc+0x376/0x7a0
[ 39.544992] ? gcmaes_encrypt.constprop.0+0x143/0xb90
[ 39.550210] gcmaes_encrypt.constprop.0+0x1d2/0xb90
[ 39.555214] ? __lock_is_held+0xb6/0x140
[ 39.559260] ? check_preemption_disabled+0x3c/0x250
[ 39.564358] generic_gcmaes_encrypt+0xf4/0x130
[ 39.569057] ? helper_rfc4106_encrypt+0x320/0x320
[ 39.573975] ? __kmalloc+0x376/0x7a0
[ 39.577704] gcmaes_wrapper_encrypt+0xef/0x150
[ 39.582276] tls_push_record+0x906/0x1210
[ 39.586415] tls_sw_sendpage+0x434/0xb50
[ 39.590465] ? tls_sw_sendmsg+0x1020/0x1020
[ 39.594778] inet_sendpage+0x157/0x580
[ 39.598648] ? tls_sw_sendmsg+0x1020/0x1020
[ 39.602955] kernel_sendpage+0x92/0xf0
[ 39.606822] ? inet_sendmsg+0x500/0x500
[ 39.610871] sock_sendpage+0x8b/0xc0
[ 39.614584] ? kernel_sendpage+0xf0/0xf0
[ 39.618631] pipe_to_sendpage+0x242/0x340
[ 39.622785] ? direct_splice_actor+0x190/0x190
[ 39.627350] ? anon_pipe_buf_release+0x157/0x220
[ 39.632095] __splice_from_pipe+0x348/0x780
[ 39.636442] ? direct_splice_actor+0x190/0x190
[ 39.641008] ? direct_splice_actor+0x190/0x190
[ 39.645663] splice_from_pipe+0xf0/0x150
[ 39.649767] ? splice_shrink_spd+0xb0/0xb0
[ 39.654283] ? security_file_permission+0x89/0x1f0
[ 39.659341] generic_splice_sendpage+0x3c/0x50
[ 39.664265] ? splice_from_pipe+0x150/0x150
[ 39.668589] SyS_splice+0xd92/0x1430
[ 39.672297] ? __sb_end_write+0xc1/0x100
[ 39.676347] ? compat_SyS_vmsplice+0x250/0x250
[ 39.680960] ? do_syscall_64+0x53/0x640
[ 39.684943] ? compat_SyS_vmsplice+0x250/0x250
[ 39.689553] do_syscall_64+0x1e8/0x640
[ 39.693429] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.698264] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.703490] RIP: 0033:0x440679
[ 39.706694] RSP: 002b:00007ffcccb335f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 39.714388] RAX: ffffffffffffffda RBX: 00007ffcccb33610 RCX: 0000000000440679
[ 39.721676] RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
[ 39.728932] RBP: 0000000000000005 R08: 0000000100000000 R09: 0000000000000000
[ 39.736190] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f60
[ 39.743520] R13: 0000000000401ff0 R14: 0000000000000000 R15: 0000000000000000
[ 39.752328] Kernel Offset: disabled
[ 39.755954] Rebooting in 86400 seconds..