[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.788426] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.
[   21.024834] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
[   21.389738] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.354274] random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
[   30.373867] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
[   35.808891] random: sshd: uninitialized urandom read (32 bytes read, 126 bits of entropy available)
executing program
[   35.902911] ==================================================================
[   35.910281] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   35.917260] Read of size 8 at addr ffff8801c906d140 by task syzkaller107088/3787
[   35.924769] 
[   35.926375] CPU: 0 PID: 3787 Comm: syzkaller107088 Not tainted 4.4.120-gd63fdf6 #28
[   35.934137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.943461]  0000000000000000 426c3d3dc18fc9e6 ffff8801ca057ab0 ffffffff81d0408d
[   35.951440]  ffffea0007241b40 ffff8801c906d140 0000000000000000 ffff8801c906d140
[   35.959405]  ffff8800bb8f2338 ffff8801ca057ae8 ffffffff814fe143 ffff8801c906d140
[   35.967374] Call Trace:
[   35.969933]  [<ffffffff81d0408d>] dump_stack+0xc1/0x124
[   35.975273]  [<ffffffff814fe143>] print_address_description+0x73/0x260
[   35.981906]  [<ffffffff814fe655>] kasan_report+0x285/0x370
[   35.987498]  [<ffffffff825b8439>] ? sg_remove_request+0xf9/0x110
[   35.993613]  [<ffffffff814fe7b4>] __asan_report_load8_noabort+0x14/0x20
[   36.000334]  [<ffffffff825b8439>] sg_remove_request+0xf9/0x110
[   36.006273]  [<ffffffff825b89b5>] sg_finish_rem_req+0x295/0x340
[   36.012300]  [<ffffffff825ba85b>] sg_read+0xa1b/0x1490
[   36.017557]  [<ffffffff825b9e40>] ? sg_proc_seq_show_debug+0xda0/0xda0
[   36.024192]  [<ffffffff814f71df>] ? new_slab+0x2df/0x3b0
[   36.029615]  [<ffffffff825b9e40>] ? sg_proc_seq_show_debug+0xda0/0xda0
[   36.036256]  [<ffffffff8151cf33>] __vfs_read+0x103/0x440
[   36.041960]  [<ffffffff81237410>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   36.048948]  [<ffffffff8151ce30>] ? vfs_iter_write+0x2d0/0x2d0
[   36.054889]  [<ffffffff815e984d>] ? fsnotify+0x5ad/0xee0
[   36.060321]  [<ffffffff815ea180>] ? fsnotify+0xee0/0xee0
[   36.065752]  [<ffffffff8123175b>] ? lockdep_init_map+0xeb/0x1690
[   36.071881]  [<ffffffff81b4d1e9>] ? avc_policy_seqno+0x9/0x20
[   36.077739]  [<ffffffff81b5e8b8>] ? selinux_file_permission+0x348/0x460
[   36.084458]  [<ffffffff81b440e9>] ? security_file_permission+0x89/0x1e0
[   36.091192]  [<ffffffff8151eac0>] ? rw_verify_area+0x100/0x2f0
[   36.097145]  [<ffffffff8151edd3>] vfs_read+0x123/0x3a0
[   36.102389]  [<ffffffff81521719>] SyS_read+0xd9/0x1b0
[   36.107543]  [<ffffffff81521640>] ? do_sendfile+0xd30/0xd30
[   36.113230]  [<ffffffff81003044>] ? lockdep_sys_exit_thunk+0x12/0x14
[   36.119689]  [<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98
[   36.126892] 
[   36.128493] Allocated by task 0:
[   36.131825] (stack is not available)
[   36.135505] 
[   36.137098] Freed by task 0:
[   36.140088] (stack is not available)
[   36.143771] 
[   36.145366] The buggy address belongs to the object at ffff8801c906d100
[   36.145366]  which belongs to the cache fasync_cache of size 96
[   36.157987] The buggy address is located 64 bytes inside of
[   36.157987]  96-byte region [ffff8801c906d100, ffff8801c906d160)
[   36.169660] The buggy address belongs to the page:
[   36.195883] kasan: CONFIG_KASAN_INLINE enabled
[   36.200291] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   36.213123] Dumping ftrace buffer:
[   36.216630]    (ftrace buffer empty)
[   36.220307] Modules linked in:
[   36.223583] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.120-gd63fdf6 #28
[   36.230561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.239883] task: ffff8801d9b49800 task.stack: ffff8801d9b58000
[   36.245904] RIP: 0010:[<ffffffff81d151cf>]  [<ffffffff81d151cf>] rb_insert_color+0x9f/0xcb0
[   36.255006] RSP: 0018:ffff8801db307d18  EFLAGS: 00010003
[   36.260423] RAX: 0a0508a8e82a0be9 RBX: ffffffff838a9060 RCX: ffffffff838a9060
[   36.267661] RDX: 1ffffffff071520d RSI: ffff8801db319710 RDI: ffff8801db319c40
[   36.274900] RBP: ffff8801db307d60 R08: ffffffff857d3748 R09: 0000000000000001
[   36.282135] R10: 0000000000000000 R11: 1ffff1003b660f62 R12: ffff8801c60dfdf8
[   36.289394] R13: 5028454741505f4e R14: ffff8801db319c40 R15: dffffc0000000000
[   36.296634] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   36.304826] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.310677] CR2: 00005617b09ce0d0 CR3: 00000000bb970000 CR4: 0000000000160670
[   36.317918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   36.325156] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   36.332392] Stack:
[   36.334509]  ffffffff842bdb60 ffff8801d9b4a0d0 0000000000000000 ffff8801db307d70
[   36.342471]  ffff8801db319c40 dffffc0000000000 0000000000000000 ffff8801db319710
[   36.350433]  ffff8801c60dfe00 ffff8801db307db0 ffffffff81d21967 ffff8801db319c58
[   36.358405] Call Trace:
[   36.360956]  <IRQ> 
[   36.362991]  [<ffffffff81d21967>] timerqueue_add+0x157/0x2a0
[   36.369056]  [<ffffffff812abc88>] enqueue_hrtimer+0x168/0x450
[   36.374909]  [<ffffffff812add52>] __hrtimer_run_queues+0x732/0xfe0
[   36.381195]  [<ffffffff812ad620>] ? hrtimer_fixup_init+0x70/0x70
[   36.387308]  [<ffffffff812afd91>] ? hrtimer_interrupt+0x131/0x440
[   36.393512]  [<ffffffff812afe06>] hrtimer_interrupt+0x1a6/0x440
[   36.399537]  [<ffffffff810b0dea>] local_apic_timer_interrupt+0x6a/0xb0
[   36.406172]  [<ffffffff837765b6>] smp_apic_timer_interrupt+0x76/0xa0
[   36.412632]  [<ffffffff83775510>] apic_timer_interrupt+0xa0/0xb0
[   36.418740]  <EOI> 
[   36.420773]  [<ffffffff810d0536>] ? native_safe_halt+0x6/0x10
[   36.426913]  [<ffffffff81236ded>] ? trace_hardirqs_on+0xd/0x10
[   36.432854]  [<ffffffff81027e85>] default_idle+0x55/0x3c0
[   36.438357]  [<ffffffff810293fa>] arch_cpu_idle+0xa/0x10
[   36.443775]  [<ffffffff81221468>] default_idle_call+0x48/0x70
[   36.449626]  [<ffffffff81221b6d>] cpu_startup_entry+0x5fd/0x8f0
[   36.455651]  [<ffffffff81221570>] ? call_cpuidle+0xe0/0xe0
[   36.461243]  [<ffffffff812cea22>] ? clockevents_register_device+0x122/0x230
[   36.468312]  [<ffffffff810adc64>] start_secondary+0x304/0x3e0
[   36.474170]  [<ffffffff810ad960>] ? set_cpu_sibling_map+0x1080/0x1080
[   36.480713] Code: 48 89 c2 48 c1 ea 03 42 80 3c 3a 00 0f 85 94 09 00 00 4c 8b 6b 08 4d 39 e5 0f 84 b0 01 00 00 4d 85 ed 74 1d 4c 89 e8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 95 09 00 00 41 f6 45 00 01 0f 84 20 03 00 
[   36.507373] RIP  [<ffffffff81d151cf>] rb_insert_color+0x9f/0xcb0
[   36.513717]  RSP <ffff8801db307d18>
[   36.517314] ---[ end trace 08bb48e76761f309 ]---
[   36.522042] Kernel panic - not syncing: Fatal exception in interrupt
[   37.581835] PANIC: double fault, error_code: 0x0