[   16.277993] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   17.946554] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[   18.196817] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   18.971939] random: sshd: uninitialized urandom read (32 bytes read, 81 bits of entropy available)
[   19.162956] random: sshd: uninitialized urandom read (32 bytes read, 89 bits of entropy available)
Warning: Permanently added '10.128.15.218' (ECDSA) to the list of known hosts.
[   24.583135] random: sshd: uninitialized urandom read (32 bytes read, 99 bits of entropy available)
executing program
[   24.677122] ==================================================================
[   24.684529] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   24.691510] Read of size 8 at addr ffff8801d38cd140 by task syzkaller204114/3308
[   24.699007]
[   24.700604] CPU: 1 PID: 3308 Comm: syzkaller204114 Not tainted 4.4.111-g3301b55 #24
[   24.708361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.717680]  0000000000000000 ae0e640a0fb02897 ffff8801d0c8fab0 ffffffff81d0509d
[   24.725625]  ffffea00074e3340 ffff8801d38cd140 0000000000000000 ffff8801d38cd140
[   24.733590]  ffff8800b46e4438 ffff8801d0c8fae8 ffffffff814fd433 ffff8801d38cd140
[   24.741541] Call Trace:
[   24.744098]  [] dump_stack+0xc1/0x124
[   24.749428]  [] print_address_description+0x73/0x260
[   24.756057]  [] kasan_report+0x285/0x370
[   24.761650]  [] ? sg_remove_request+0xf9/0x110
[   24.767759]  [] __asan_report_load8_noabort+0x14/0x20
[   24.774474]  [] sg_remove_request+0xf9/0x110
[   24.780409]  [] sg_finish_rem_req+0x295/0x340
[   24.786431]  [] sg_read+0xa21/0x1490
[   24.791673]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[   24.798313]  [] ? new_slab+0x2df/0x3b0
[   24.803735]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[   24.810375]  [] __vfs_read+0x103/0x440
[   24.815790]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   24.822767]  [] ? vfs_iter_write+0x2d0/0x2d0
[   24.828704]  [] ? fsnotify+0x5ad/0xee0
[   24.834118]  [] ? fsnotify+0xee0/0xee0
[   24.839541]  [] ? lockdep_init_map+0xeb/0x1690
[   24.845654]  [] ? avc_policy_seqno+0x9/0x20
[   24.851503]  [] ? selinux_file_permission+0x348/0x460
[   24.858265]  [] ? security_file_permission+0x89/0x1e0
[   24.864982]  [] ? rw_verify_area+0x100/0x2f0
[   24.870918]  [] vfs_read+0x123/0x3a0
[   24.876157]  [] SyS_read+0xd9/0x1b0
[   24.881309]  [] ? do_sendfile+0xd30/0xd30
[   24.886988]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   24.893447]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   24.899988]
[   24.901582] Allocated by task 0:
[   24.904909] (stack is not available)
[   24.908583]
[   24.910175] Freed by task 0:
[   24.913163] (stack is not available)
[   24.916839]
[   24.918432] The buggy address belongs to the object at ffff8801d38cd100
[   24.918432]  which belongs to the cache fasync_cache of size 96
[   24.931053] The buggy address is located 64 bytes inside of
[   24.931053]  96-byte region [ffff8801d38cd100, ffff8801d38cd160)
[   24.942725] The buggy address belongs to the page:
[   26.425249] PANIC: double fault, error_code: 0x0
[   26.430027] CPU: 1 PID: 3308 Comm:  Not tainted 4.4.111-g3301b55 #24
[   26.436491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.443467] BUG: spinlock bad magic on CPU#0, init/1
[   26.443477]  lock: 0xffff8801ceda8580, .magic: 00000000, .owner: H/0, .owner_cpu: 0
[   26.443483] CPU: 0 PID: 1 Comm: init Not tainted 4.4.111-g3301b55 #24
[   26.443485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.443494]  0000000000000000 97486a22f1aaedb5 ffff8801da3176b8 ffffffff81d0509d
[   26.443501]  ffff8801ceda8580 ffff8801ceda85d0 ffff8801da308000 ffff8801da317960
[   26.443508]  ffff8801da317990 ffff8801da3176f8 ffffffff81245acd ffff880100000000
[   26.443510] Call Trace:
[   26.443525]  [] dump_stack+0xc1/0x124
[   26.443534]  [] spin_dump+0x14d/0x280
[   26.443541]  [] do_raw_spin_lock+0x228/0x2c0
[   26.443549]  [] _raw_spin_lock_irqsave+0x56/0x70
[   26.443557]  [] ? remove_wait_queue+0x14/0x40
[   26.443563]  [] remove_wait_queue+0x14/0x40
[   26.443572]  [] poll_freewait+0xd2/0x250
[   26.443578]  [] do_select+0x1003/0x13f0
[   26.443584]  [] ? do_select+0xc5/0x13f0
[   26.443591]  [] ? poll_select_set_timeout+0x110/0x110
[   26.443597]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443607]  [] ? save_stack+0xa3/0xd0
[   26.443616]  [] ? save_stack_trace+0x26/0x50
[   26.443622]  [] ? set_fd_set.part.0+0x60/0x60
[   26.443627]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443633]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   26.443639]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.443645]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.443650]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443656]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443664]  [] ? __might_fault+0xe4/0x1d0
[   26.443672]  [] ? check_stack_object+0x68/0x140
[   26.443679]  [] ? __check_object_size+0x154/0x35b
[   26.443685]  [] core_sys_select+0x3d8/0x740
[   26.443690]  [] ? core_sys_select+0xa2/0x740
[   26.443696]  [] ? do_select+0x13f0/0x13f0
[   26.443705]  [] ? kvm_clock_read+0x23/0x40
[   26.443711]  [] ? kvm_clock_get_cycles+0x9/0x10
[   26.443718]  [] ? ktime_get_ts64+0x1ea/0x2d0
[   26.443724]  [] ? poll_select_set_timeout+0xa6/0x110
[   26.443730]  [] ? timespec_add_safe+0x116/0x160
[   26.443736]  [] SyS_select+0x14a/0x1d0
[   26.443742]  [] ? core_sys_select+0x740/0x740
[   26.443749]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   26.443755]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   26.443758] ------------[ cut here ]------------
[   26.443767] WARNING: CPU: 0 PID: 1 at lib/list_debug.c:59 __list_del_entry+0x14f/0x1d0()
[   26.443770] list_del corruption. prev->next should be ffff8801da3179b8, but was ffffffff838a83a0
[   26.443773] Kernel panic - not syncing: panic_on_warn set ...
[   26.443773]
[   26.443778] CPU: 0 PID: 1 Comm: init Not tainted 4.4.111-g3301b55 #24
[   26.443781] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.443788]  0000000000000000 97486a22f1aaedb5 ffff8801da317528 ffffffff81d0509d
[   26.443794]  ffffffff83842f60 ffff8801da317600 ffffffff839fdaa0 0000000000000009
[   26.443801]  000000000000003b ffff8801da3175f0 ffffffff81419a3a 0000000041b58ab3
[   26.443802] Call Trace:
[   26.443808]  [] dump_stack+0xc1/0x124
[   26.443815]  [] panic+0x1aa/0x388
[   26.443822]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   26.443830]  [] ? warn_slowpath_common+0x10a/0x140
[   26.443836]  [] warn_slowpath_common+0x125/0x140
[   26.443841]  [] ? __list_del_entry+0x14f/0x1d0
[   26.443846]  [] warn_slowpath_fmt+0xc1/0x110
[   26.443851]  [] ? warn_slowpath_common+0x140/0x140
[   26.443857]  [] ? dump_stack+0x10f/0x124
[   26.443863]  [] ? spin_dump+0x14d/0x280
[   26.443868]  [] __list_del_entry+0x14f/0x1d0
[   26.443873]  [] list_del+0xd/0x70
[   26.443879]  [] remove_wait_queue+0x20/0x40
[   26.443885]  [] poll_freewait+0xd2/0x250
[   26.443890]  [] do_select+0x1003/0x13f0
[   26.443896]  [] ? do_select+0xc5/0x13f0
[   26.443903]  [] ? poll_select_set_timeout+0x110/0x110
[   26.443908]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443914]  [] ? save_stack+0xa3/0xd0
[   26.443920]  [] ? save_stack_trace+0x26/0x50
[   26.443926]  [] ? set_fd_set.part.0+0x60/0x60
[   26.443931]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443937]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   26.443943]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.443949]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.443954]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443960]  [] ? __lock_acquire+0xb5f/0x4b50
[   26.443966]  [] ? __might_fault+0xe4/0x1d0
[   26.443972]  [] ? check_stack_object+0x68/0x140
[   26.443978]  [] ? __check_object_size+0x154/0x35b
[   26.443984]  [] core_sys_select+0x3d8/0x740
[   26.443990]  [] ? core_sys_select+0xa2/0x740
[   26.443995]  [] ? do_select+0x13f0/0x13f0
[   26.444002]  [] ? kvm_clock_read+0x23/0x40
[   26.444008]  [] ? kvm_clock_get_cycles+0x9/0x10
[   26.444013]  [] ? ktime_get_ts64+0x1ea/0x2d0
[   26.444019]  [] ? poll_select_set_timeout+0xa6/0x110
[   26.444025]  [] ? timespec_add_safe+0x116/0x160
[   26.444031]  [] SyS_select+0x14a/0x1d0
[   26.444036]  [] ? core_sys_select+0x740/0x740
[   26.444042]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   26.444048]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   27.034499] task: ffff8801d0c24740 task.stack: (null)
[   27.040526] RIP: 0010:[]  [] dump_page_badflags+0x8/0x250
[   27.049282] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[   27.054701] RAX: ffff8801d0c24740 RBX: ffffea00074e3340 RCX: ffffffff8148f980
[   27.061939] RDX: 0000000000000000 RSI: ffffffff838a83a0 RDI: ffffea00074e3340
[   27.069178] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[   27.076417] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[   27.083667] R13: ffffffff838a83a0 R14: 0000000000000000 R15: 0000000000000000
[   27.090911] FS:  0000000000ce3880(0063) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   27.099109] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   27.104960] CR2: ffff8800fffffff8 CR3: 00000001d0e4c000 CR4: 0000000000160670
[   27.112202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   27.119441] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   27.126678] Stack:
[   27.128795]
[   27.130391] Call Trace:
[   27.132942]
[   27.134970] Code: 00 e9 83 fd ff ff e8 a8 e2 06 00 e9 50 fd ff ff e8 9e e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 <41> 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 61 06
[   27.550241] Shutting down cpus with NMI
[   27.554679] Dumping ftrace buffer:
[   27.558189]    (ftrace buffer empty)
[   27.561864] Kernel Offset: disabled
[   27.565463] Rebooting in 86400 seconds..