[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 16.039671] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.239556] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 22.468808] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 23.338594] random: sshd: uninitialized urandom read (32 bytes read, 102 bits of entropy available)
[ 44.412638] random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
[ 49.923258] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available)
executing program
[ 50.018281] ==================================================================
[ 50.025850] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 50.032853] Read of size 8 at addr ffff8800b633a140 by task syzkaller835797/3324
[ 50.040356]
[ 50.041961] CPU: 1 PID: 3324 Comm: syzkaller835797 Not tainted 4.4.111-gc2f631b #20
[ 50.049724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.059136] 0000000000000000 e48a30e942bc739d ffff8801d02c7970 ffffffff81d0513d
[ 50.067111] ffffea0002d8ce80 ffff8800b633a140 0000000000000000 ffff8800b633a140
[ 50.075089] ffff8801d0360238 ffff8801d02c79a8 ffffffff814fd433 ffff8800b633a140
[ 50.083065] Call Trace:
[ 50.085647] [] dump_stack+0xc1/0x124
[ 50.090985] [] print_address_description+0x73/0x260
[ 50.097623] [] kasan_report+0x285/0x370
[ 50.103221] [] ? sg_remove_request+0xf9/0x110
[ 50.109337] [] __asan_report_load8_noabort+0x14/0x20
[ 50.116061] [] sg_remove_request+0xf9/0x110
[ 50.122008] [] sg_finish_rem_req+0x295/0x340
[ 50.128038] [] sg_read+0xa21/0x1490
[ 50.133302] [] ? __kmalloc+0x124/0x320
[ 50.138816] [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 50.145464] [] ? fsnotify+0xee0/0xee0
[ 50.150889] [] ? avc_policy_seqno+0x9/0x20
[ 50.156749] [] do_loop_readv_writev+0x141/0x1e0
[ 50.163050] [] ? security_file_permission+0x89/0x1e0
[ 50.169773] [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 50.176408] [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 50.183044] [] compat_do_readv_writev+0x5df/0x6e0
[ 50.189508] [] ? vfs_writev+0xb0/0xb0
[ 50.194929] [] ? _raw_spin_unlock+0x2c/0x50
[ 50.200873] [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[ 50.207858] [] ? handle_mm_fault+0x3f2/0x3190
[ 50.213976] [] ? putname+0xee/0x130
[ 50.219231] [] ? rcu_read_lock_sched_held+0x103/0x120
[ 50.226055] [] ? kmem_cache_free+0x2a4/0x320
[ 50.232087] [] compat_readv+0xd9/0x140
[ 50.237594] [] compat_SyS_readv+0xd8/0x1b0
[ 50.243448] [] ? SyS_pwritev+0x230/0x230
[ 50.249131] [] ? do_fast_syscall_32+0xd7/0x890
[ 50.255331] [] ? SyS_pwritev+0x230/0x230
[ 50.261015] [] do_fast_syscall_32+0x314/0x890
[ 50.267132] [] sysenter_flags_fixed+0xd/0x17
[ 50.273157]
[ 50.274758] Allocated by task 0:
[ 50.278090] (stack is not available)
[ 50.281771]
[ 50.283370] Freed by task 0:
[ 50.286355] (stack is not available)
[ 50.290044]
[ 50.291642] The buggy address belongs to the object at ffff8800b633a100
[ 50.291642]  which belongs to the cache fasync_cache of size 96
[ 50.304269] The buggy address is located 64 bytes inside of
[ 50.304269]  96-byte region [ffff8800b633a100, ffff8800b633a160)
[ 50.315946] The buggy address belongs to the page:
[ 51.295827] BUG: spinlock bad magic on CPU#0, init/1
[ 51.300960]  lock: 0xffff8801cf04f200, .magic: 00000000, .owner: H/0, .owner_cpu: 0
[ 51.309347] CPU: 0 PID: 1 Comm: init Not tainted 4.4.111-gc2f631b #20
[ 51.315898] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.325395] 0000000000000000 9624ee3e0a73ee50 ffff8801da3176b8 ffffffff81d0513d
[ 51.333370] ffff8801cf04f200 ffff8801cf04f250 ffff8801da308000 ffff8801da317960
[ 51.341343] ffff8801da317990 ffff8801da3176f8 ffffffff81245acd ffff880100000000
[ 51.349310] Call Trace:
[ 51.351877] [] dump_stack+0xc1/0x124
[ 51.357221] [] spin_dump+0x14d/0x280
[ 51.362554] [] do_raw_spin_lock+0x228/0x2c0
[ 51.368498] [] _raw_spin_lock_irqsave+0x56/0x70
[ 51.374791] [] ? remove_wait_queue+0x14/0x40
[ 51.380817] [] remove_wait_queue+0x14/0x40
[ 51.386675] [] poll_freewait+0xd2/0x250
[ 51.392269] [] do_select+0x1003/0x13f0
[ 51.397773] [] ? do_select+0xc5/0x13f0
[ 51.403279] [] ? poll_select_set_timeout+0x110/0x110
[ 51.410002] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.416041] [] ? save_stack+0xa3/0xd0
[ 51.423992] [] ? save_stack_trace+0x26/0x50
[ 51.429950] [] ? set_fd_set.part.0+0x60/0x60
[ 51.435986] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.442014] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 51.448907] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 51.455885] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 51.462869] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.468895] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.474926] [] ? __might_fault+0xe4/0x1d0
[ 51.480696] [] ? check_stack_object+0x68/0x140
[ 51.486897] [] ? __check_object_size+0x154/0x35b
[ 51.493285] [] core_sys_select+0x3d8/0x740
[ 51.499143] [] ? core_sys_select+0xa2/0x740
[ 51.505086] [] ? do_select+0x13f0/0x13f0
[ 51.510774] [] ? kvm_clock_read+0x23/0x40
[ 51.516545] [] ? kvm_clock_get_cycles+0x9/0x10
[ 51.522752] [] ? ktime_get_ts64+0x1ea/0x2d0
[ 51.528698] [] ? poll_select_set_timeout+0xa6/0x110
[ 51.535356] [] ? timespec_add_safe+0x116/0x160
[ 51.541563] [] SyS_select+0x14a/0x1d0
[ 51.546988] [] ? core_sys_select+0x740/0x740
[ 51.553029] [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 51.559497] [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 51.566047] ------------[ cut here ]------------
[ 51.570780] WARNING: CPU: 0 PID: 1 at lib/list_debug.c:59 __list_del_entry+0x14f/0x1d0()
[ 51.578976] list_del corruption. prev->next should be ffff8801da3179b8, but was ffffffff838a8360
[ 51.587883] Kernel panic - not syncing: panic_on_warn set ...
[ 51.587883]
[ 51.595222] CPU: 0 PID: 1 Comm: init Not tainted 4.4.111-gc2f631b #20
[ 51.601771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.611100] 0000000000000000 9624ee3e0a73ee50 ffff8801da317528 ffffffff81d0513d
[ 51.619086] ffffffff83842f60 ffff8801da317600 ffffffff839fd9a0 0000000000000009
[ 51.627059] 000000000000003b ffff8801da3175f0 ffffffff81419a3a 0000000041b58ab3
[ 51.635035] Call Trace:
[ 51.637602] [] dump_stack+0xc1/0x124
[ 51.642940] [] panic+0x1aa/0x388
[ 51.647939] [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 51.654842] [] ? warn_slowpath_common+0x10a/0x140
[ 51.661307] [] warn_slowpath_common+0x125/0x140
[ 51.667612] [] ? __list_del_entry+0x14f/0x1d0
[ 51.673729] [] warn_slowpath_fmt+0xc1/0x110
[ 51.679682] [] ? warn_slowpath_common+0x140/0x140
[ 51.686146] [] ? dump_stack+0x10f/0x124
[ 51.691745] [] ? spin_dump+0x14d/0x280
[ 51.697266] [] __list_del_entry+0x14f/0x1d0
[ 51.703208] [] list_del+0xd/0x70
[ 51.706198] PANIC: double fault, error_code: 0x0
[ 51.706205] CPU: 1 PID: 3324 Comm: syzkaller835797 Not tainted 4.4.111-gc2f631b #20
[ 51.706207] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.706210] task: ffff8801d0cbaf80 task.stack: ffff8801d02c0000
[ 51.706222] RIP: 0010:[] [] dump_page_badflags+0x8/0x250
[ 51.706225] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 51.706227] RAX: ffff8801d0cbaf80 RBX: ffffea0002d8ce80 RCX: ffffffff8148f980
[ 51.706230] RDX: 0000000000000000 RSI: ffffffff838a8360 RDI: ffffea0002d8ce80
[ 51.706232] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[ 51.706234] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[ 51.706236] R13: ffffffff838a8360 R14: 0000000000000000 R15: 0000000000000000
[ 51.706239] FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:0000000009e8b840
[ 51.706241] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 51.706243] CR2: ffff8800fffffff8 CR3: 00000001d1946000 CR4: 0000000000160670
[ 51.706248] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 51.706250] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 51.706252] Stack:
[ 51.706252]
[ 51.706253] Call Trace:
[ 51.706255]
[ 51.706305] Code: 00 e9 83 fd ff ff e8 a8 e2 06 00 e9 50 fd ff ff e8 9e e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 <41> 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 61 06
[ 51.849443] [] remove_wait_queue+0x20/0x40
[ 51.855297] [] poll_freewait+0xd2/0x250
[ 51.860900] [] do_select+0x1003/0x13f0
[ 51.866404] [] ? do_select+0xc5/0x13f0
[ 51.871920] [] ? poll_select_set_timeout+0x110/0x110
[ 51.878641] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.884668] [] ? save_stack+0xa3/0xd0
[ 51.890088] [] ? save_stack_trace+0x26/0x50
[ 51.896027] [] ? set_fd_set.part.0+0x60/0x60
[ 51.902052] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.908079] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 51.914974] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 51.921959] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 51.928939] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.934963] [] ? __lock_acquire+0xb5f/0x4b50
[ 51.941006] [] ? __might_fault+0xe4/0x1d0
[ 51.946787] [] ? check_stack_object+0x68/0x140
[ 51.952986] [] ? __check_object_size+0x154/0x35b
[ 51.959358] [] core_sys_select+0x3d8/0x740
[ 51.965218] [] ? core_sys_select+0xa2/0x740
[ 51.972298] [] ? do_select+0x13f0/0x13f0
[ 51.977989] [] ? kvm_clock_read+0x23/0x40
[ 51.983764] [] ? kvm_clock_get_cycles+0x9/0x10
[ 51.989963] [] ? ktime_get_ts64+0x1ea/0x2d0
[ 51.995911] [] ? poll_select_set_timeout+0xa6/0x110
[ 52.002544] [] ? timespec_add_safe+0x116/0x160
[ 52.008757] [] SyS_select+0x14a/0x1d0
[ 52.014186] [] ? core_sys_select+0x740/0x740
[ 52.020215] [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 52.026677] [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 53.110410] Shutting down cpus with NMI
[ 53.114857] Dumping ftrace buffer:
[ 53.118378] (ftrace buffer empty)
[ 53.122058] Kernel Offset: disabled
[ 53.125667] Rebooting in 86400 seconds..