[   16.849360] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.928716] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   20.160122] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.024604] random: sshd: uninitialized urandom read (32 bytes read, 104 bits of entropy available)
[   21.205410] random: sshd: uninitialized urandom read (32 bytes read, 107 bits of entropy available)
Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
[   26.629801] random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
executing program
[   26.726432] ==================================================================
[   26.733832] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[   26.740466] Read of size 8 at addr ffff8801d2ef6838 by task syzkaller134813/3319
[   26.747970] 
[   26.749565] CPU: 0 PID: 3319 Comm: syzkaller134813 Not tainted 4.4.111-g7902639 #18
[   26.757332] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.766651]  0000000000000000 1bdd999f595b3ebb ffff8801d0c5f850 ffffffff81d0509d
[   26.774613]  ffffea00074bbd80 ffff8801d2ef6838 0000000000000000 ffff8801d2ef6838
[   26.782564]  0000000000000000 ffff8801d0c5f888 ffffffff814fd433 ffff8801d2ef6838
[   26.790522] Call Trace:
[   26.793079]  [<ffffffff81d0509d>] dump_stack+0xc1/0x124
[   26.798409]  [<ffffffff814fd433>] print_address_description+0x73/0x260
[   26.805039]  [<ffffffff814fd945>] kasan_report+0x285/0x370
[   26.810635]  [<ffffffff81239cae>] ? __lock_acquire+0x387e/0x4b50
[   26.816744]  [<ffffffff814fdaa4>] __asan_report_load8_noabort+0x14/0x20
[   26.823468]  [<ffffffff81239cae>] __lock_acquire+0x387e/0x4b50
[   26.829402]  [<ffffffff81236f8f>] ? __lock_acquire+0xb5f/0x4b50
[   26.835432]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.842411]  [<ffffffff81235bfb>] ? trace_hardirqs_on_caller+0x38b/0x590
[   26.849216]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.856196]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.863175]  [<ffffffff8123c7ee>] lock_acquire+0x15e/0x460
[   26.868769]  [<ffffffff8121f194>] ? remove_wait_queue+0x14/0x40
[   26.874793]  [<ffffffff8377546e>] _raw_spin_lock_irqsave+0x4e/0x70
[   26.881089]  [<ffffffff8121f194>] ? remove_wait_queue+0x14/0x40
[   26.887201]  [<ffffffff8121f194>] remove_wait_queue+0x14/0x40
[   26.893054]  [<ffffffff815f6838>] ep_unregister_pollwait.isra.6+0xa8/0x220
[   26.900041]  [<ffffffff815f68a4>] ? ep_unregister_pollwait.isra.6+0x114/0x220
[   26.907279]  [<ffffffff815f7690>] ? ep_free+0x1c0/0x1c0
[   26.912606]  [<ffffffff815f7563>] ep_free+0x93/0x1c0
[   26.917682]  [<ffffffff815f7690>] ? ep_free+0x1c0/0x1c0
[   26.923011]  [<ffffffff815f76d4>] ep_eventpoll_release+0x44/0x60
[   26.929121]  [<ffffffff81522a73>] __fput+0x233/0x6d0
[   26.934194]  [<ffffffff81522f95>] ____fput+0x15/0x20
[   26.939264]  [<ffffffff8118bae4>] task_work_run+0x104/0x180
[   26.944940]  [<ffffffff81132eb1>] do_exit+0x871/0x2a20
[   26.950181]  [<ffffffff814a0e1d>] ? handle_mm_fault+0x192d/0x3190
[   26.956379]  [<ffffffff8149f8e2>] ? handle_mm_fault+0x3f2/0x3190
[   26.962496]  [<ffffffff81132640>] ? release_task+0x1240/0x1240
[   26.968434]  [<ffffffff81139328>] do_group_exit+0x108/0x320
[   26.974110]  [<ffffffff8113955d>] SyS_exit_group+0x1d/0x20
[   26.979698]  [<ffffffff81139540>] ? do_group_exit+0x320/0x320
[   26.985549]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   26.991661]  [<ffffffff8377722a>] sysenter_flags_fixed+0xd/0x17
[   26.997686] 
[   26.999285] Allocated by task 3319:
[   27.002873]  [<ffffffff81035d26>] save_stack_trace+0x26/0x50
[   27.008751]  [<ffffffff814fc4a3>] save_stack+0x43/0xd0
[   27.014107]  [<ffffffff814fc76d>] kasan_kmalloc+0xad/0xe0
[   27.019752]  [<ffffffff814f86e0>] kmem_cache_alloc_trace+0x100/0x2b0
[   27.026344]  [<ffffffff82c7ec51>] binder_get_thread+0x181/0x7a0
[   27.032483]  [<ffffffff82c7f2ba>] binder_poll+0x4a/0x210
[   27.038024]  [<ffffffff815fa6c1>] SyS_epoll_ctl+0x10b1/0x2050
[   27.043993]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   27.050215]  [<ffffffff8377722a>] sysenter_flags_fixed+0xd/0x17
[   27.056353] 
[   27.057946] Freed by task 3319:
[   27.061186]  [<ffffffff81035d26>] save_stack_trace+0x26/0x50
[   27.067073]  [<ffffffff814fc4a3>] save_stack+0x43/0xd0
[   27.072430]  [<ffffffff814fcdc2>] kasan_slab_free+0x72/0xc0
[   27.078230]  [<ffffffff814f984c>] kfree+0xfc/0x300
[   27.079765]  [<ffffffff82c781a1>] binder_thread_dec_tmpref+0x1c1/0x250
[   27.079780]  [<ffffffff82c78cdd>] binder_thread_release+0x27d/0x540
[   27.079787]  [<ffffffff82c93944>] binder_ioctl+0xb94/0x12e0
[   27.079796]  [<ffffffff8161e0ba>] compat_SyS_ioctl+0x28a/0x2540
[   27.079804]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   27.079811]  [<ffffffff8377722a>] sysenter_flags_fixed+0xd/0x17
[   27.079813] 
[   27.079818] The buggy address belongs to the object at ffff8801d2ef6780
[   27.079818]  which belongs to the cache kmalloc-512 of size 512
[   27.079823] The buggy address is located 184 bytes inside of
[   27.079823]  512-byte region [ffff8801d2ef6780, ffff8801d2ef6980)
[   27.079824] The buggy address belongs to the page:
[   27.084116] kasan: CONFIG_KASAN_INLINE enabled
[   27.084124] kasan: GPF could be caused by NULL-ptr deref or user memory access
[   27.084128] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[   27.084133] Dumping ftrace buffer:
[   27.084136]    (ftrace buffer empty)
[   27.084139] Modules linked in:
[   27.084146] CPU: 1 PID: 3297 Comm: getty Not tainted 4.4.111-g7902639 #18
[   27.084149] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.084153] task: ffff8801d209af80 task.stack: ffff8801d1898000
[   27.084166] RIP: 0010:[<ffffffff81d14e4e>]  [<ffffffff81d14e4e>] __rb_erase_color+0x17e/0x1460
[   27.084169] RSP: 0000:ffff8801d189f738  EFLAGS: 00010203
[   27.084173] RAX: 5028454741505f4e RBX: dffffc0000000000 RCX: ffff8801d896d388
[   27.084177] RDX: ffffffff8148af00 RSI: 0a0508a8e82a0be9 RDI: ffffffff838a8368
[   27.084180] RBP: ffff8801d189f788 R08: ffff8801d2017cf8 R09: ffffffff85142900
[   27.084184] R10: 0000000000000001 R11: 1ffff1003a313ed0 R12: ffff8801d2017cf0
[   27.084187] R13: ffffffff838a8360 R14: ffffed003b12da71 R15: 2862616c53656761
[   27.084192] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   27.084196] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   27.084199] CR2: 0000000000000000 CR3: 00000001d3324000 CR4: 0000000000160670
[   27.084207] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   27.084210] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   27.084212] Stack:
[   27.084226]  dffffc0000000000 ffff8801d209b7e8 ffff8801d2017cf8 ffff8801d896d388
[   27.084233]  ffffffff8148af00 ffff8801d3acea08 dffffc0000000000 000000000000001f
[   27.084240]  ffff8801d2017cf0 ffff8801d2017cf0 ffff8801d189f800 ffffffff8148c14a
[   27.084242] Call Trace:
[   27.084251]  [<ffffffff8148af00>] ? vmacache_find+0x290/0x290
[   27.084258]  [<ffffffff8148c14a>] vma_interval_tree_remove+0x88a/0xde0
[   27.084265]  [<ffffffff814a8155>] __remove_shared_vm_struct+0xb5/0xe0
[   27.084272]  [<ffffffff814aa1c3>] unlink_file_vma+0x83/0xb0
[   27.084278]  [<ffffffff81497e06>] free_pgtables+0x226/0x330
[   27.084283]  [<ffffffff814b3753>] exit_mmap+0x1e3/0x3a0
[   27.084289]  [<ffffffff814b3570>] ? SyS_remap_file_pages+0x960/0x960
[   27.084298]  [<ffffffff811a4e90>] ? __might_sleep+0x90/0x1a0
[   27.084304]  [<ffffffff81123428>] mmput+0xf8/0x2d0
[   27.084310]  [<ffffffff81132d9b>] do_exit+0x75b/0x2a20
[   27.084316]  [<ffffffff8122f161>] ? __lock_is_held+0xa1/0xf0
[   27.084323]  [<ffffffff81285103>] ? rcu_read_lock_sched_held+0x103/0x120
[   27.084329]  [<ffffffff81132640>] ? release_task+0x1240/0x1240
[   27.084336]  [<ffffffff81139328>] do_group_exit+0x108/0x320
[   27.084343]  [<ffffffff8115c825>] get_signal+0x565/0x1660
[   27.084352]  [<ffffffff8100e7fb>] do_signal+0x8b/0x1d40
[   27.084359]  [<ffffffff810d9fa0>] ? spurious_fault+0x370/0x370
[   27.084365]  [<ffffffff8100e770>] ? setup_sigcontext+0x780/0x780
[   27.084371]  [<ffffffff8122f161>] ? __lock_is_held+0xa1/0xf0
[   27.084377]  [<ffffffff810dbd60>] ? __bad_area_nosemaphore+0x220/0x420
[   27.084382]  [<ffffffff810dbff3>] ? bad_area+0x53/0x80
[   27.084388]  [<ffffffff810035cc>] ? exit_to_usermode_loop+0xec/0x170
[   27.084394]  [<ffffffff81003602>] exit_to_usermode_loop+0x122/0x170
[   27.084400]  [<ffffffff81006373>] prepare_exit_to_usermode+0xe3/0x100
[   27.084407]  [<ffffffff83776448>] retint_user+0x8/0x3c
[   27.084493] Code: 89 fd 4d 8b 7f 10 49 8d 7d 08 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 c1 0b 00 00 49 8b 45 08 48 85 c0 74 1a 48 89 c6 48 c1 ee 03 <80> 3c 1e 00 0f 85 7a 0b 00 00 f6 00 01 0f 84 1a 03 00 00 4d 85 
[   27.084501] RIP  [<ffffffff81d14e4e>] __rb_erase_color+0x17e/0x1460
[   27.084503]  RSP <ffff8801d189f738>
[   27.084509] ---[ end trace c4fb81db1ed73439 ]---
[   27.084513] Kernel panic - not syncing: Fatal exception
[   28.210367] Shutting down cpus with NMI
[   28.211277] Dumping ftrace buffer:
[   28.211280]    (ftrace buffer empty)
[   28.211283] Kernel Offset: disabled
[   28.644686] Rebooting in 86400 seconds..