executing program
[ 27.208824] ==================================================================
[ 27.216227] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 27.223214] Read of size 8 at addr ffff8801d25a3140 by task syzkaller844979/3308
[ 27.230735]
[ 27.230744] CPU: 1 PID: 3308 Comm: syzkaller844979 Not tainted 4.4.113-ge70c132 #34
[ 27.230747] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.230760]  0000000000000000 5eecf77f16fc3b54 ffff8801ccdd79f0 ffffffff81d0278d
[ 27.230766]  ffffea00074968c0 ffff8801d25a3140 0000000000000000 ffff8801d25a3140
[ 27.230774]  ffff8800b4a2c438 ffff8801ccdd7a28 ffffffff814fd053 ffff8801d25a3140
[ 27.230775] Call Trace:
[ 27.230787]  [] dump_stack+0xc1/0x124
[ 27.230794]  [] print_address_description+0x73/0x260
[ 27.230799]  [] kasan_report+0x285/0x370
[ 27.230807]  [] ? sg_remove_request+0xf9/0x110
[ 27.230813]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.230819]  [] sg_remove_request+0xf9/0x110
[ 27.230825]  [] sg_finish_rem_req+0x295/0x340
[ 27.230831]  [] sg_read+0xa1b/0x1490
[ 27.230839]  [] ? __check_object_size+0x154/0x35b
[ 27.230846]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 27.230852]  [] ? fsnotify+0xee0/0xee0
[ 27.230860]  [] ? avc_policy_seqno+0x9/0x20
[ 27.230868]  [] do_loop_readv_writev+0x141/0x1e0
[ 27.230874]  [] ? security_file_permission+0x89/0x1e0
[ 27.230881]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 27.230887]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 27.230892]  [] do_readv_writev+0x5dd/0x6e0
[ 27.230898]  [] ? vfs_write+0x530/0x530
[ 27.230906]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.230912]  [] ? lockdep_init_map+0xeb/0x1690
[ 27.230919]  [] ? fasync_insert_entry+0x147/0x2e0
[ 27.230925]  [] ? SyS_fcntl+0x66f/0xc40
[ 27.230931]  [] ? SyS_fcntl+0x6bb/0xc40
[ 27.230936]  [] vfs_readv+0x78/0xb0
[ 27.230941]  [] SyS_readv+0xd9/0x240
[ 27.230947]  [] ? rw_copy_check_uvector+0x2b0/0x2b0
[ 27.230954]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 27.230962]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 27.230964]
[ 27.230967] Allocated by task 0:
[ 27.230968] (stack is not available)
[ 27.230969]
[ 27.230971] Freed by task 0:
[ 27.230972] (stack is not available)
[ 27.230973]
[ 27.230978] The buggy address belongs to the object at ffff8801d25a3100
[ 27.230978]  which belongs to the cache fasync_cache of size 96
[ 27.230983] The buggy address is located 64 bytes inside of
[ 27.230983]  96-byte region [ffff8801d25a3100, ffff8801d25a3160)
[ 27.230984] The buggy address belongs to the page:
[ 27.495982] kasan: CONFIG_KASAN_INLINE enabled
[ 27.500467] kasan: CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr deref or user memory access
[ 27.511050] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 27.518101] Dumping ftrace buffer:
[ 27.521626]    (ftrace buffer empty)
[ 27.525335] Modules linked in:
[ 27.528660] CPU: 0 PID: 3309 Comm: init Not tainted 4.4.113-ge70c132 #34
[ 27.535493] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.544845] task: ffff8800b5082f80 task.stack: ffff8801d0820000
[ 27.550895] RIP: 0010:[]  [] load_new_mm_cr3+0x5b/0xa0
[ 27.559435] RSP: 0018:ffff8801d0827420  EFLAGS: 00010093
[ 27.564884] RAX: ffff8800b5082f80 RBX: 0000780000000000 RCX: ffffffff810f0d8e
[ 27.572154] RDX: 0000000000000000 RSI: ffffffff839fe320 RDI: 0000780000000000
[ 27.579422] RBP: ffff8801d0827428 R08: ffffffff83844340 R09: 0000000000000001
[ 27.586690] R10: ffff8801d37d0274 R11: 0000000000000001 R12: ffff8801d0801e00
[ 27.593954] R13: 0000000000000000 R14: ffff8800b50833c0 R15: 0000000667274e49
[ 27.601225] FS:  00007fa3d859a7a0(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 27.609449] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.615325] CR2: 00007ffc0db10d28 CR3: 00000001d08b2000 CR4: 0000000000160670
[ 27.622593] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 27.629873] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 27.637134] Stack:
[ 27.639275]  ffff8801ccd74a00 ffff8801d0827478 ffffffff810ec97c ffff8801db21f4c0
[ 27.647322]  ffff8800b50835c0 ccd88cfff7ebdbca ffff8801db21f4c0 ffff8801d0801e00
[ 27.655374]  ffff8801ccd74a00 ffff8800b50833c0 0000000667274e49 ffff8801d0827500
[ 27.663417] Call Trace:
[ 27.665998]  [] switch_mm_irqs_off+0x6c/0xc30
[ 27.672054]  [] __schedule+0x9ee/0x1c70
[ 27.677590]  [] ? console_unlock+0x337/0xa00
[ 27.683583]  [] preempt_schedule_common+0x22/0x60
[ 27.689990]  [] preempt_schedule+0x25/0x30
[ 27.695788]  [] ___preempt_schedule+0x12/0x14
[ 27.701862]  [] ? vprintk_emit+0x7b2/0x850
[ 27.707672]  [] ? vprintk_emit+0x7b7/0x850
[ 27.713473]  [] vprintk+0x28/0x30
[ 27.718492]  [] vprintk_default+0x1d/0x30
[ 27.724201]  [] printk+0xb7/0xe2
[ 27.729137]  [] ? pm_qos_get_value.part.4+0xb/0xb
[ 27.735550]  [] ? __lock_acquire+0xb5f/0x4b50
[ 27.741632]  [] ? __lock_acquire+0xb5f/0x4b50
[ 27.747694]  [] ? kasan_die_handler+0x25/0x40
[ 27.753753]  [] kasan_die_handler+0x31/0x40
[ 27.759652]  [] notifier_call_chain+0x95/0x1b0
[ 27.765802]  [] atomic_notifier_call_chain+0x7b/0x140
[ 27.772557]  [] ? __atomic_notifier_call_chain+0x150/0x150
[ 27.779744]  [] notify_die+0xdf/0x160
[ 27.785114]  [] ? atomic_notifier_call_chain+0x140/0x140
[ 27.792124]  [] ? __radix_tree_lookup+0x11d/0x2a0
[ 27.798533]  [] ? search_exception_tables+0x31/0x40
[ 27.805112]  [] do_general_protection+0x2f7/0x390
[ 27.811525]  [] general_protection+0x28/0x30
[ 27.817503]  [] ? __radix_tree_lookup+0x11d/0x2a0
[ 27.823910]  [] ? __radix_tree_lookup+0xfa/0x2a0
[ 27.830229]  [] radix_tree_lookup_slot+0x72/0xc0
[ 27.836545]  [] ? __radix_tree_lookup+0x2a0/0x2a0
[ 27.842953]  [] ? debug_smp_processor_id+0x1c/0x20
[ 27.849446]  [] find_get_entry+0x8e/0x340
[ 27.855154]  [] ? find_get_pages_tag+0x5f0/0x5f0
[ 27.861480]  [] find_lock_entry+0x2b/0x110
[ 27.867282]  [] shmem_getpage_gfp+0x142/0x11b0
[ 27.873432]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.880446]  [] ? shmem_write_end+0x2f0/0x2f0
[ 27.886513]  [] ? debug_check_no_obj_freed+0x166/0x9b0
[ 27.893356]  [] shmem_file_read_iter+0x440/0x850
[ 27.899682]  [] ? shmem_fault+0x650/0x650
[ 27.905395]  [] ? dput.part.19+0x141/0x760
[ 27.911198]  [] ? iov_iter_init+0xaf/0x1d0
[ 27.917002]  [] __vfs_read+0x339/0x440
[ 27.922457]  [] ? vfs_iter_write+0x2d0/0x2d0
[ 27.928433]  [] ? fsnotify+0xee0/0xee0
[ 27.933888]  [] ? avc_policy_seqno+0x9/0x20
[ 27.939776]  [] ? selinux_file_permission+0x348/0x460
[ 27.946535]  [] ? rw_verify_area+0x100/0x2f0
[ 27.952511]  [] vfs_read+0x123/0x3a0
[ 27.957787]  [] SyS_read+0xd9/0x1b0
[ 27.962985]  [] ? do_sendfile+0xd30/0xd30
[ 27.968705]  [] ? __close_fd+0x1b5/0x2b0
[ 27.974333]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 27.980831]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 27.987398] Code: 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1c 8b 05 91 fd 6f 03 85 c0 74 05 e8 18 50 00 00 48 89 df <0f> 22 df 0f 1f 40 00 5b 5d c3 e8 36 19 41 00 eb dd 48 c7 c7 10
[ 28.014872] RIP  [] load_new_mm_cr3+0x5b/0xa0
[ 28.021060]  RSP
[ 28.024677] ---[ end trace 58014a07b45e92d0 ]---
[ 28.029419] Kernel panic - not syncing: Fatal exception
[ 29.078294] PANIC: double fault, error_code: 0x0
[ 29.083089] CPU: 1 PID: 3308 Comm: syzkaller844979 Tainted: G      D 4.4.113-ge70c132 #34
[ 29.092070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.101412] task: ffff8800b5085f00 task.stack: ffff8801ccdd0000
[ 29.107442] RIP: 0010:[]  [] dump_page_badflags+0x8/0x250
[ 29.116213] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[ 29.121634] RAX: ffff8800b5085f00 RBX: ffffea00074968c0 RCX: ffffffff8148f8d0
[ 29.128875] RDX: 0000000000000000 RSI: ffffffff838a8de0 RDI: ffffea00074968c0
[ 29.136117] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[ 29.143361] R10: 0000000000000002 R11: fffffbfff0ad92c6 R12: 0000000000000000
[ 29.150605] R13: ffffffff838a8de0 R14: 0000000000000000 R15: 0000000000000000