[ ok ] Starting file context maintaining daemon: restorecond.
[   18.991766] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.880371] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   22.141448] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   23.048784] random: sshd: uninitialized urandom read (32 bytes read, 103 bits of entropy available)
[   23.213279] random: sshd: uninitialized urandom read (32 bytes read, 107 bits of entropy available)
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
[   28.617843] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available)
executing program
[   28.726238] ==================================================================
[   28.733610] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   28.740591] Read of size 8 at addr ffff8800b0ab0140 by task syzkaller699022/3694
[   28.748092] 
[   28.749694] CPU: 1 PID: 3694 Comm: syzkaller699022 Not tainted 4.4.120-gd63fdf6 #28
[   28.757450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.766772]  0000000000000000 1bd33f6702a4e651 ffff8801c9ccf9f0 ffffffff81d0408d
[   28.774749]  ffffea0002c2ac00 ffff8800b0ab0140 0000000000000000 ffff8800b0ab0140
[   28.782703]  ffff8801ca434438 ffff8801c9ccfa28 ffffffff814fe143 ffff8800b0ab0140
[   28.790664] Call Trace:
[   28.793222]  [] dump_stack+0xc1/0x124
[   28.798567]  [] print_address_description+0x73/0x260
[   28.805199]  [] kasan_report+0x285/0x370
[   28.810799]  [] ? sg_remove_request+0xf9/0x110
[   28.816921]  [] __asan_report_load8_noabort+0x14/0x20
[   28.823645]  [] sg_remove_request+0xf9/0x110
[   28.829581]  [] sg_finish_rem_req+0x295/0x340
[   28.835606]  [] sg_read+0xa1b/0x1490
[   28.840849]  [] ? __check_object_size+0x154/0x35b
[   28.847220]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[   28.853852]  [] ? fsnotify+0xee0/0xee0
[   28.859269]  [] ? avc_policy_seqno+0x9/0x20
[   28.865125]  [] do_loop_readv_writev+0x141/0x1e0
[   28.871418]  [] ? security_file_permission+0x89/0x1e0
[   28.878141]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[   28.884784]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[   28.891426]  [] do_readv_writev+0x5dd/0x6e0
[   28.897274]  [] ? vfs_write+0x530/0x530
[   28.902788]  [] ? _raw_spin_unlock+0x2c/0x50
[   28.908727]  [] ? fasync_insert_entry+0x147/0x2e0
[   28.915103]  [] ? fasync_helper+0x7a/0xb0
[   28.920782]  [] ? ioctl_preallocate+0x1f0/0x1f0
[   28.927069]  [] ? do_sys_open+0x259/0x660
[   28.932756]  [] vfs_readv+0x78/0xb0
[   28.937911]  [] SyS_readv+0xd9/0x240
[   28.943154]  [] ? rw_copy_check_uvector+0x2b0/0x2b0
[   28.949699]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   28.956165]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   28.962705] 
[   28.964299] Allocated by task 0:
[   28.967632]  (stack is not available)
[   28.971308] 
[   28.972902] Freed by task 0:
[   28.975882]  (stack is not available)
[   28.979557] 
[   28.981155] The buggy address belongs to the object at ffff8800b0ab0100
[   28.981155]  which belongs to the cache fasync_cache of size 96
[   28.993776] The buggy address is located 64 bytes inside of
[   28.993776]  96-byte region [ffff8800b0ab0100, ffff8800b0ab0160)
[   29.005448] The buggy address belongs to the page:
[   29.198754] BUG: unable to handle kernel paging request at fffffffdd2e2bc00
[   29.206152] IP: [] cpuacct_charge+0x155/0x390
[   29.212339] PGD 420f067 PUD 0 
[   29.215773] Oops: 0000 [#1] PREEMPT SMP KASAN
[   29.220763] Dumping ftrace buffer:
[   29.224284]    (ftrace buffer empty)
[   29.227977] Modules linked in:
[   29.231283] CPU: 0 PID: 3670 Comm: getty Not tainted 4.4.120-gd63fdf6 #28
[   29.238189] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.247532] task: ffff8801cb1eb000 task.stack: ffff8801cb408000
[   29.253573] RIP: 0010:[]  [] cpuacct_charge+0x155/0x390
[   29.262195] RSP: 0018:ffff8801cb40f8e0  EFLAGS: 00010046
[   29.267627] RAX: 1ffffffff0855007 RBX: 0000000000018528 RCX: ffffffff847eb980
[   29.274881] RDX: fffffbffba5c5780 RSI: fffffffdd2e2bc00 RDI: ffffffff842a8038
[   29.282135] RBP: ffff8801cb40f928 R08: 0000000000000001 R09: 0000000000000001
[   29.289389] R10: 0000000000000000 R11: 1ffff10039681ee8 R12: ffffffff842a7f60
[   29.296650] R13: dffffc0000000000 R14: 000000001c85e7f6 R15: ffffffffc9cc8050
[   29.303910] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   29.312130] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.318003] CR2: fffffffdd2e2bc00 CR3: 000000000420c000 CR4: 0000000000160670
[   29.325262] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.332518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.339773] Stack:
[   29.341913]  ffffffff8122b480 ffff8801cb40f910 0000000000000046 0000000000000003
[   29.349971]  ffff8800af659860 ffffffff838444e0 000000001c85e7f6 ffff8800af6598b0
[   29.358011]  ffff8800af659800 ffff8801cb40f978 ffffffff811dcc77 ffff8801db31f4c0
[   29.366056] Call Trace:
[   29.368638]  [] ? cpuacct_charge+0x60/0x390
[   29.374513]  [] update_curr+0x2c7/0x6c0
[   29.380040]  [] enqueue_task_fair+0x313/0x2940
[   29.386173]  [] activate_task+0x148/0x270
[   29.391875]  [] ttwu_do_activate.constprop.131+0xbf/0x1e0
[   29.398965]  [] try_to_wake_up+0x68d/0xf60
[   29.404760]  [] ? __lock_is_held+0xa1/0xf0
[   29.410548]  [] wake_up_state+0x10/0x20
[   29.416075]  [] signal_wake_up_state+0x44/0x70
[   29.422211]  [] complete_signal+0x2ed/0x700
[   29.428086]  [] ? __send_signal+0x53b/0x1330
[   29.434047]  [] __send_signal+0x90f/0x1330
[   29.439838]  [] ? __send_signal+0x452/0x1330
[   29.445803]  [] send_signal+0x4a/0xc0
[   29.451161]  [] do_notify_parent+0x9dc/0xd70
[   29.457121]  [] ? do_notify_parent+0x336/0xd70
[   29.463252]  [] ? send_sigqueue+0x830/0x830
[   29.469126]  [] ? do_exit+0x869/0x2a10
[   29.474582]  [] ? find_first_bit+0x8d/0xd0
[   29.480368]  [] do_exit+0x1f41/0x2a10
[   29.485728]  [] ? release_task+0x1240/0x1240
[   29.491689]  [] ? clock_was_set_work+0x30/0x30
[   29.497819]  [] ? do_nanosleep+0x1ab/0x580
[   29.503608]  [] ? retint_user+0x18/0x3c
[   29.509141]  [] do_group_exit+0x108/0x320
[   29.514839]  [] ? trace_hardirqs_on_thunk+0x17/0x19
[   29.521406]  [] SyS_exit_group+0x1d/0x20
[   29.527019]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   29.533578] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 9e 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 0a 02 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 cf 01 00 
[   29.561055] RIP  [] cpuacct_charge+0x155/0x390
[   29.567324]  RSP 
[   29.570933] CR2: fffffffdd2e2bc00
[   29.574372] ---[ end trace 2b53df936b6381a9 ]---
[   29.579114] Kernel panic - not syncing: Fatal exception
[   30.650563] PANIC: double fault, error_code: 0x0
[   30.655335] CPU: 1 PID: 3694 Comm: syzkaller699022 Tainted: G      D    4.4.120-gd63fdf6 #28
[   30.664313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.673637] task: ffff8800af659800 task.stack: ffff8801c9cc8000
[   30.679662] RIP: 0010:[]  [] dump_page_badflags+0x8/0x250
[   30.688420] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   30.693840] RAX: ffff8800af659800 RBX: ffffea0002c2ac00 RCX: ffffffff814909b0
[   30.701081] RDX: 0000000000000000 RSI: ffffffff838a9060 RDI: ffffea0002c2ac00
[   30.708321] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[   30.715561] R10: 0000000000000002 R11: fffffbfff0ad7e1e R12: 0000000000000000