[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   17.310073] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.603966] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   20.871455] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   21.827503] random: sshd: uninitialized urandom read (32 bytes read, 112 bits of entropy available)
[   37.450568] random: sshd: uninitialized urandom read (32 bytes read, 124 bits of entropy available)
Warning: Permanently added '10.128.15.235' (ECDSA) to the list of known hosts.
[   42.865509] random: nonblocking pool is initialized
executing program
executing program
executing program
[   42.987053] ==================================================================
[   42.994454] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   43.001440] Read of size 8 at addr ffff8801d1a0b1c0 by task syzkaller478028/3333
[   43.008975] 
[   43.010584] CPU: 1 PID: 3333 Comm: syzkaller478028 Not tainted 4.4.111-gc2f631b #20
[   43.018349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.027687]  0000000000000000 6e486de963a4331c ffff8801d0887a40 ffffffff81d0513d
[   43.035662]  ffffea00074682c0 ffff8801d1a0b1c0 0000000000000000 ffff8801d1a0b1c0
[   43.043632]  ffff8800b4314438 ffff8801d0887a78 ffffffff814fd433 ffff8801d1a0b1c0
[   43.051616] Call Trace:
[   43.054179]  [] dump_stack+0xc1/0x124
[   43.059514]  [] print_address_description+0x73/0x260
[   43.066152]  [] kasan_report+0x285/0x370
[   43.071745]  [] ? sg_remove_request+0xf9/0x110
[   43.077862]  [] __asan_report_load8_noabort+0x14/0x20
[   43.084601]  [] sg_remove_request+0xf9/0x110
[   43.090545]  [] sg_finish_rem_req+0x295/0x340
[   43.096587]  [] sg_read+0xa21/0x1490
[   43.101835]  [] ? do_futex+0x3e3/0x1670
[   43.107358]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[   43.114010]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   43.120995]  [] ? vma_set_page_prot+0x10b/0x150
[   43.127199]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[   43.133852]  [] __vfs_read+0x103/0x440
[   43.139286]  [] ? vfs_iter_write+0x2d0/0x2d0
[   43.145229]  [] ? fsnotify+0x5ad/0xee0
[   43.150650]  [] ? fsnotify+0xee0/0xee0
[   43.156087]  [] ? avc_policy_seqno+0x9/0x20
[   43.161941]  [] ? selinux_file_permission+0x348/0x460
[   43.168665]  [] ? security_file_permission+0x89/0x1e0
[   43.175401]  [] ? rw_verify_area+0x100/0x2f0
[   43.181354]  [] vfs_read+0x123/0x3a0
[   43.186602]  [] SyS_read+0xd9/0x1b0
[   43.191789]  [] ? do_sendfile+0xd30/0xd30
[   43.197471]  [] ? do_fast_syscall_32+0xd7/0x890
[   43.203687]  [] ? do_sendfile+0xd30/0xd30
[   43.209366]  [] do_fast_syscall_32+0x314/0x890
[   43.215494]  [] sysenter_flags_fixed+0xd/0x17
[   43.221524] 
[   43.223120] Allocated by task 0:
[   43.226453] (stack is not available)
[   43.230131] 
[   43.231729] Freed by task 0:
[   43.234713] (stack is not available)
[   43.238392] 
[   43.239991] The buggy address belongs to the object at ffff8801d1a0b180
[   43.239991]  which belongs to the cache fasync_cache of size 96
[   43.252623] The buggy address is located 64 bytes inside of
[   43.252623]  96-byte region [ffff8801d1a0b180, ffff8801d1a0b1e0)
[   43.264306] The buggy address belongs to the page:
[   43.279779] kasan: CONFIG_KASAN_INLINE enabled
[   43.280174] page:ffffea00074682c0 count:1 mapcount:-2145386463 mapping: (null) index:0x0
[   43.280177] flags: 0xffff8801db219c40(active|reserved|private|private_2|swapcache|mappedtodisk|uncached)
[   43.280187] page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
[   43.280207] ------------[ cut here ]------------
[   43.280209] kernel BUG at include/linux/mm.h:460!
[   43.280211] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[   43.280217] Dumping ftrace buffer:
[   43.280220]    (ftrace buffer empty)
[   43.280222] Modules linked in:
[   43.280228] CPU: 1 PID: 3333 Comm: syzkaller478028 Not tainted 4.4.111-gc2f631b #20
[   43.280230] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.280232] task: ffff8801d0df2f80 task.stack: ffff8801d0880000
[   43.280234] RIP: 0010:[]  [] dump_page_badflags+0x191/0x250
[   43.280246] RSP: 0018:ffff8801cd800030  EFLAGS: 00010082
[   43.280249] RAX: ffff8801d0df2f80 RBX: ffffea00074682c0 RCX: ffffffff8148f96c
[   43.280251] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801d0df37ec
[   43.280253] RBP: ffff8801cd800060 R08: 0000000000000001 R09: 0000000000000000
[   43.280255] R10: 0000000000000002 R11: fffffbfff0ad8d04 R12: 0000000000000000
[   43.280257] R13: ffffffff838a8360 R14: 0000000000000000 R15: 0000000000000000
[   43.280261] FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000f77bdb40
[   43.280263] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   43.280265] CR2: 000000002039a000 CR3: 00000000b5766000 CR4: 0000000000160670
[   43.280269] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   43.280271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   43.280272] Stack:
[   43.280273]  0000000000000000 ffffea00074682c0 0000000000000000 ffffffff838a8360
[   43.280278]  0000000000000000 0000000000000000 ffff8801cd8000a0 ffffffff8148f991
[   43.280283]  ffff8801d9857620 ffffea00074682c0 0000000000000000 ffffffff838a8360
[   43.280287] Call Trace:
[   43.280289] Code: 46 e8 14 05 ed ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 00 05 ed ff 31 d2 48 c7 c6 60 83 8a 83 48 89 df e8 6f fe ff ff <0f> 0b e8 d8 e0 06 00 e9 21 ff ff ff 89 4d d4 e8 cb e0 06 00 8b
[   43.280348] RIP  [] dump_page_badflags+0x191/0x250
[   43.280354]  RSP 
[   43.280358] ---[ end trace d70b9f2f6d9d896a ]---
[   43.280361] Kernel panic - not syncing: Fatal exception
[   43.521042] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#2] PREEMPT SMP KASAN
[   43.533870] Dumping ftrace buffer:
[   43.537379]    (ftrace buffer empty)
[   43.541059] Modules linked in:
[   43.544337] CPU: 0 PID: 3334 Comm: syzkaller478028 Tainted: G D 4.4.111-gc2f631b #20
[   43.553314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.562639] task: ffff8800b5f7df00 task.stack: ffff8800b42b0000
[   43.568664] RIP: 0010:[]  [] rb_insert_color+0x1d0/0xcb0
[   43.577341] RSP: 0018:ffff8801db207d18  EFLAGS: 00010806
[   43.582760] RAX: ffff8801db219c40 RBX: ffffea00074682c0 RCX: 1000000000000012
[   43.590001] RDX: dffffc0000000000 RSI: ffff8801db219710 RDI: ffffea00074682d0
[   43.597239] RBP: ffff8801db207d60 R08: ffffffff85807f08 R09: 0000000000000001
[   43.604479] R10: 0000000000000000 R11: 1ffff1003b640f62 R12: 8000000000000090
[   43.611716] R13: 8000000000000080 R14: 8000000000000080 R15: ffff8801db219c48
[   43.618957] FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000f779cb40
[   43.627163] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   43.633025] CR2: 00000000f779cdb0 CR3: 00000000b5766000 CR4: 0000000000160670
[   43.640271] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   43.647525] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   43.654763] Stack:
[   43.656880]  ffffffff842bcb20 ffff8800b5f7e770 0000000000000001 ffff8801db207d70
[   43.664861]  ffff8801db219c40 dffffc0000000000 0000000000000000 ffff8801db219710
[   43.672843]  ffff8801d012fe00 ffff8801db207db0 ffffffff81d22a07 ffff8801db219c58
[   43.680830] Call Trace:
[   43.683379]  
[   43.685416]  [] timerqueue_add+0x157/0x2a0
[   43.691473]  [] enqueue_hrtimer+0x168/0x450
[   43.697327]  [] __hrtimer_run_queues+0x732/0xfe0
[   43.703615]  [] ? hrtimer_fixup_init+0x70/0x70
[   43.709740]  [] ? hrtimer_interrupt+0x131/0x440
[   43.715952]  [] hrtimer_interrupt+0x1a6/0x440
[   43.721979]  [] local_apic_timer_interrupt+0x6a/0xb0
[   43.728618]  [] smp_apic_timer_interrupt+0x76/0xa0
[   43.735080]  [] apic_timer_interrupt+0xa0/0xb0
[   43.741192]  
[   43.743232]  [] ? smp_call_function_single+0x13e/0x3b0
[   43.750343]  [] ? __sanitizer_cov_trace_pc+0x26/0x50
[   43.756979]  [] smp_call_function_single+0x13e/0x3b0
[   43.763616]  [] ? do_fast_syscall_32+0x314/0x890
[   43.769907]  [] ? do_flush_tlb_all+0x30/0x30
[   43.775851]  [] ? generic_exec_single+0x330/0x330
[   43.782226]  [] ? do_flush_tlb_all+0x30/0x30
[   43.788167]  [] ? find_next_bit+0x3e/0x50
[   43.793848]  [] ? cpumask_next_and+0x92/0xc0
[   43.799805]  [] smp_call_function_many+0x481/0x710
[   43.806277]  [] ? __lock_is_held+0xa1/0xf0
[   43.812046]  [] ? do_flush_tlb_all+0x30/0x30
[   43.817985]  [] native_flush_tlb_others+0xfe/0x710
[   43.824449]  [] ? _find_next_bit.part.0+0xe0/0x120
[   43.830909]  [] ? switch_mm+0x70/0x70
[   43.836242]  [] ? cpumask_any_but+0x88/0xc0
[   43.842094]  [] flush_tlb_mm_range+0x103/0x560
[   43.848208]  [] tlb_flush_mmu_tlbonly+0x185/0x2f0
[   43.854581]  [] tlb_finish_mmu+0x1b/0xa0
[   43.860172]  [] unmap_region+0x250/0x330
[   43.865764]  [] ? __vma_link_file+0x160/0x160
[   43.871799]  [] ? vma_gap_callbacks_rotate+0x62/0x80
[   43.878446]  [] ? vma_compute_subtree_gap+0x200/0x200
[   43.885168]  [] ? vma_rb_erase+0x60a/0x9f0
[   43.890937]  [] do_munmap+0x70f/0xec0
[   43.896279]  [] mmap_region+0x423/0x1250
[   43.901875]  [] ? selinux_mmap_addr+0x1f/0xf0
[   43.907902]  [] do_mmap+0x4fd/0x9d0
[   43.913062]  [] vm_mmap_pgoff+0x16e/0x1c0
[   43.918753]  [] ? vma_is_stack_for_task+0xa0/0xa0
[   43.925129]  [] SyS_mmap_pgoff+0xd0/0x560
[   43.930809]  [] ? vm_stat_account+0x130/0x130
[   43.936847]  [] ? _raw_spin_unlock_irq+0x27/0x50
[   43.943136]  [] ? do_fast_syscall_32+0xd7/0x890
[   43.949337]  [] ? vm_stat_account+0x130/0x130
[   43.955363]  [] do_fast_syscall_32+0x314/0x890
[   43.961478]  [] sysenter_flags_fixed+0xd/0x17
[   43.967502] Code: 48 c1 e9 03 80 3c 11 00 0f 85 83 06 00 00 4d 85 ed 48 89 03 74 5b 4d 8d 65 10 48 ba 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 11 00 0f 85 19 07 00 00 49 3b 5d 10 0f 84 eb 04 00 00 49
[   43.994131] RIP  [] rb_insert_color+0x1d0/0xcb0
[   44.000821]  RSP 
[   44.004419] ---[ end trace d70b9f2f6d9d896b ]---
[   44.344312] Shutting down cpus with NMI
[   44.348701] Dumping ftrace buffer:
[   44.352235]    (ftrace buffer empty)
[   44.355916] Kernel Offset: disabled
[   44.359512] Rebooting in 86400 seconds..
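The Python script below is an added triage helper, not part of the syzkaller report above and not kernel or syzkaller tooling. Its input is an excerpt of the KASAN section of this report, copied with the `<address>` fields missing exactly as they are on the page. It pulls out what one reads first in such a report: the faulting frame, the access, the syscall and entry path taken from the reliable (non-`?`) frames, the object and slab cache KASAN attributed the address to, a consistency check of the reported offset against the object and region bounds, and whether allocation/free stacks were recorded. The frame filtering, the field names and the `REPORT_MACHINERY` prefix list are choices made for this example; the parser also handles "to the left/right of" placements and Write accesses, which this particular report does not contain.

```python
"""Triage a KASAN console report: pull out the fields a reader looks at first."""
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the report on this page (addresses in the
# [<...>] frame markers were lost in extraction, so the brackets are empty).
REPORT = """\
[   42.987053] ==================================================================
[   42.994454] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   43.001440] Read of size 8 at addr ffff8801d1a0b1c0 by task syzkaller478028/3333
[   43.008975] 
[   43.010584] CPU: 1 PID: 3333 Comm: syzkaller478028 Not tainted 4.4.111-gc2f631b #20
[   43.051616] Call Trace:
[   43.054179]  [] dump_stack+0xc1/0x124
[   43.059514]  [] print_address_description+0x73/0x260
[   43.066152]  [] kasan_report+0x285/0x370
[   43.071745]  [] ? sg_remove_request+0xf9/0x110
[   43.077862]  [] __asan_report_load8_noabort+0x14/0x20
[   43.084601]  [] sg_remove_request+0xf9/0x110
[   43.090545]  [] sg_finish_rem_req+0x295/0x340
[   43.096587]  [] sg_read+0xa21/0x1490
[   43.101835]  [] ? do_futex+0x3e3/0x1670
[   43.133852]  [] __vfs_read+0x103/0x440
[   43.181354]  [] vfs_read+0x123/0x3a0
[   43.186602]  [] SyS_read+0xd9/0x1b0
[   43.209366]  [] do_fast_syscall_32+0x314/0x890
[   43.215494]  [] sysenter_flags_fixed+0xd/0x17
[   43.221524] 
[   43.223120] Allocated by task 0:
[   43.226453] (stack is not available)
[   43.231729] Freed by task 0:
[   43.234713] (stack is not available)
[   43.239991] The buggy address belongs to the object at ffff8801d1a0b180
[   43.239991]  which belongs to the cache fasync_cache of size 96
[   43.252623] The buggy address is located 64 bytes inside of
[   43.252623]  96-byte region [ffff8801d1a0b180, ffff8801d1a0b1e0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>\S+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^\s*\[[^\]]*\]\s*(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
LOCATED = re.compile(r"located (?P<dist>\d+) bytes (?P<where>inside|to the left|to the right) of")
REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
STACK_HDR = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
# Frames from KASAN's own reporting path; they sit above the faulting frame (assumed list).
REPORT_MACHINERY = ("dump_stack", "print_address_description", "kasan_report", "__asan_report", "__kasan_report")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    func_off: int = 0
    rw: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    frames: list = field(default_factory=list)  # (func, offset) of reliable, bug-side frames only
    obj: int = 0
    cache: str = ""
    cache_size: int = 0
    dist: int = 0
    where: str = ""
    region: tuple = (0, 0)
    alloc_stack: bool = False
    free_stack: bool = False


def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    in_trace = False
    pending_stack = None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if pending_stack is not None:  # line after "Allocated/Freed by task N:"
            setattr(r, pending_stack, line.strip() != "(stack is not available)")
            pending_stack = None
            continue
        if in_trace:
            m = FRAME.match(line)
            if m:
                if not m["unreliable"] and not m["func"].startswith(REPORT_MACHINERY):
                    r.frames.append((m["func"], int(m["off"], 16)))
                continue
            in_trace = False  # first non-frame line ends the trace; fall through
        if line.strip() == "Call Trace:":
            in_trace = True
        elif m := BUG.search(line):
            r.kind, r.func, r.func_off = m["kind"], m["func"], int(m["off"], 16)
        elif m := ACCESS.search(line):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.comm, r.pid = m["comm"], int(m["pid"])
        elif m := OBJECT.search(line):
            r.obj = int(m["obj"], 16)
        elif m := CACHE.search(line):
            r.cache, r.cache_size = m["cache"], int(m["size"])
        elif m := LOCATED.search(line):
            r.dist, r.where = int(m["dist"]), m["where"]
        elif m := REGION.search(line):
            r.region = (int(m["start"], 16), int(m["end"], 16))
        elif m := STACK_HDR.match(line.strip()):
            pending_stack = "alloc_stack" if m["which"] == "Allocated" else "free_stack"
    return r


def triage(r: KasanReport) -> dict:
    names = [f for f, _ in r.frames]
    syscall = next((n for n in names if re.match(r"^(__x64_|__ia32_)?(SyS|sys)_", n)), None)
    cut = names.index(syscall) if syscall in names else len(names)  # frames between fault and syscall entry
    end = r.addr + r.size
    return {
        "kind": r.kind,
        "crash_frame": f"{r.func}+0x{r.func_off:x}",
        "access": f"{r.rw.lower()} {r.size} bytes at 0x{r.addr:x}",
        "task": f"{r.comm}/{r.pid}",
        "syscall": re.sub(r"^(__x64_|__ia32_)?(SyS|sys)_", "", syscall) if syscall else None,
        "compat32_entry": any(n.startswith(("do_fast_syscall_32", "do_int80_syscall_32")) for n in names),
        "bug_frames": names[:cut],
        "cache": r.cache,
        "offset_in_object": r.addr - r.obj,
        # KASAN's "N bytes inside of" should equal addr - object start when inside the region
        "offset_consistent": r.where == "inside" and r.addr - r.obj == r.dist,
        "access_within_region": r.region[0] <= r.addr and end <= r.region[1],
        "alloc_free_stacks": r.alloc_stack and r.free_stack,
    }


if __name__ == "__main__":
    for k, v in triage(parse_kasan(REPORT)).items():
        print(f"{k:22} {v}")
```

For this report the helper yields `sg_remove_request+0xf9` reached via `sg_finish_rem_req` and `sg_read` from a 32-bit `read` syscall (`do_fast_syscall_32` entry), an 8-byte read at offset 64 of a 96-byte `fasync_cache` object with no allocation or free stack recorded; the subsequent `VM_BUG_ON_PAGE(PageSlab(page))` and second oops are outside the KASAN block and are not parsed here.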