[....] Starting OpenBSD Secure Shell server: sshd[   21.347161] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.930208] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   25.354388] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[   26.441480] random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available)
[   26.600200] random: sshd: uninitialized urandom read (32 bytes read, 126 bits of entropy available)
[   26.717413] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
[   32.795529] binder: 3766:3767 ERROR: BC_REGISTER_LOOPER called without request
[   32.818077] binder: release 3766:3767 transaction 3 out, still active
[   32.825502] binder: release 3766:3767 transaction 2 in, still active
[   32.832042] binder: undelivered TRANSACTION_COMPLETE
[   32.837367] binder: 3766:3767 IncRefs 0 refcount change on invalid ref 3 ret -22
[   32.844968] binder: 3766:3767 BC_INCREFS_DONE u0000000000000000 node 1 cookie mismatch 0000000000000004 != 0000000000000000
[   32.856297] binder: 3766:3767 BC_FREE_BUFFER u0000000000000000 no match
[   32.863295] binder: 3766:3767 got transaction to invalid handle
[   32.869347] binder: 3766:3767 transaction failed 29201/-22, size 0-0 line 3011
[   32.879308] binder: undelivered TRANSACTION_ERROR: 29201
[   32.887439] binder: release 3766:3768 transaction 4 in, still active
[   32.892156] binder: 3769:3770 ERROR: BC_REGISTER_LOOPER called without request
[   32.901446] binder: send failed reply for transaction 4 to 3766:3768
[   32.908088] ==================================================================
[   32.913361] binder: release 3769:3770 transaction 8 out, still active
[   32.913366] binder: release 3769:3770 transaction 7 in, still active
[   32.913369] binder: undelivered TRANSACTION_COMPLETE
[   32.913458] binder: 3769:3770 IncRefs 0 refcount change on invalid ref 3 ret -22
[   32.913469] binder: 3769:3770 BC_INCREFS_DONE u0000000000000000 node 6 cookie mismatch 0000000000000004 != 0000000000000000
[   32.913476] binder: 3769:3770 BC_FREE_BUFFER u0000000000000000 no match
[   32.913481] binder: 3769:3770 got transaction to invalid handle
[   32.913487] binder: 3769:3770 transaction failed 29201/-22, size 0-0 line 3011
[   32.972456] BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0
[   32.979111] Read of size 8 at addr ffff8801d4fa5310 by task kworker/u4:3/404
[   32.986283] 
[   32.988340] CPU: 1 PID: 404 Comm: kworker/u4:3 Not tainted 4.4.125-g38f41ec #63
[   32.995767] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.005115] Workqueue: binder binder_deferred_func
[   33.010147]  0000000000000000 7476bc1b901d62ac ffff8800bb11fa58 ffffffff81d067bd
[   33.018163]  ffffea000753e940 ffff8801d4fa5310 0000000000000000 ffff8801d4fa5310
[   33.026173]  ffffed0016b348f9 ffff8800bb11fa90 ffffffff814fea83 ffff8801d4fa5310
[   33.034183] Call Trace:
[   33.036762]  [<ffffffff81d067bd>] dump_stack+0xc1/0x124
[   33.042109]  [<ffffffff814fea83>] print_address_description+0x73/0x260
[   33.048767]  [<ffffffff814fef95>] kasan_report+0x285/0x370
[   33.054375]  [<ffffffff81d66b16>] ? __list_del_entry+0x196/0x1d0
[   33.060506]  [<ffffffff814ff0f4>] __asan_report_load8_noabort+0x14/0x20
[   33.067245]  [<ffffffff81d66b16>] __list_del_entry+0x196/0x1d0
[   33.073208]  [<ffffffff82c7c34e>] binder_release_work+0x6e/0x260
[   33.079338]  [<ffffffff82c7bfee>] ? binder_send_failed_reply+0x1ce/0x380
[   33.086169]  [<ffffffff82c7c965>] binder_thread_release+0x425/0x600
[   33.092563]  [<ffffffff82c815d8>] binder_deferred_func+0x438/0xd10
[   33.098870]  [<ffffffff81230631>] ? __lock_is_held+0xa1/0xf0
[   33.104655]  [<ffffffff811800f7>] process_one_work+0x7d7/0x16e0
[   33.110694]  [<ffffffff81180017>] ? process_one_work+0x6f7/0x16e0
[   33.116929]  [<ffffffff8117f920>] ? pwq_dec_nr_in_flight+0x280/0x280
[   33.123410]  [<ffffffff81181288>] ? worker_thread+0x288/0xfc0
[   33.129280]  [<ffffffff811810d9>] worker_thread+0xd9/0xfc0
[   33.134888]  [<ffffffff81003058>] ? ___preempt_schedule+0x12/0x14
[   33.141110]  [<ffffffff81190b48>] kthread+0x268/0x300
[   33.146289]  [<ffffffff81181000>] ? process_one_work+0x16e0/0x16e0
[   33.152597]  [<ffffffff811908e0>] ? kthread_create_on_node+0x400/0x400
[   33.159251]  [<ffffffff811908e0>] ? kthread_create_on_node+0x400/0x400
[   33.165907]  [<ffffffff83779d95>] ret_from_fork+0x55/0x80
[   33.171436]  [<ffffffff811908e0>] ? kthread_create_on_node+0x400/0x400
[   33.178085] 
[   33.179696] Allocated by task 3768:
[   33.183309]  [<ffffffff81035d76>] save_stack_trace+0x26/0x50
[   33.189215]  [<ffffffff814fdaf3>] save_stack+0x43/0xd0
[   33.194598]  [<ffffffff814fddbd>] kasan_kmalloc+0xad/0xe0
[   33.200237]  [<ffffffff814f9d40>] kmem_cache_alloc_trace+0x100/0x2b0
[   33.206834]  [<ffffffff82c8c72c>] binder_transaction+0x103c/0x7290
[   33.213270]  [<ffffffff82c9319f>] binder_thread_write+0x81f/0x33e0
[   33.219699]  [<ffffffff82c95f2f>] binder_ioctl_write_read.isra.55+0x1cf/0xbc0
[   33.227087]  [<ffffffff82c97570>] binder_ioctl+0xc50/0x12e0
[   33.232907]  [<ffffffff8155a71a>] do_vfs_ioctl+0x7aa/0xee0
[   33.238640]  [<ffffffff8155aedf>] SyS_ioctl+0x8f/0xc0
[   33.243944]  [<ffffffff83779965>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   33.250638] 
[   33.252253] Freed by task 404:
[   33.255424]  [<ffffffff81035d76>] save_stack_trace+0x26/0x50
[   33.261340]  [<ffffffff814fdaf3>] save_stack+0x43/0xd0
[   33.266761]  [<ffffffff814fe412>] kasan_slab_free+0x72/0xc0
[   33.272586]  [<ffffffff814faeac>] kfree+0xfc/0x300
[   33.277627]  [<ffffffff82c71aca>] binder_free_transaction+0x6a/0x90
[   33.284227]  [<ffffffff82c7bfe9>] binder_send_failed_reply+0x1c9/0x380
[   33.291057]  [<ffffffff82c7c953>] binder_thread_release+0x413/0x600
[   33.297573]  [<ffffffff82c815d8>] binder_deferred_func+0x438/0xd10
[   33.303998]  [<ffffffff811800f7>] process_one_work+0x7d7/0x16e0
[   33.310166]  [<ffffffff811810d9>] worker_thread+0xd9/0xfc0
[   33.315898]  [<ffffffff81190b48>] kthread+0x268/0x300
[   33.321195]  [<ffffffff83779d95>] ret_from_fork+0x55/0x80
[   33.326840] 
[   33.328448] The buggy address belongs to the object at ffff8801d4fa5300
[   33.328448]  which belongs to the cache kmalloc-192 of size 192
[   33.341088] The buggy address is located 16 bytes inside of
[   33.341088]  192-byte region [ffff8801d4fa5300, ffff8801d4fa53c0)
[   33.352858] The buggy address belongs to the page:
[   33.379656] kasan: CONFIG_KASAN_INLINE enabled
[   33.384109] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   33.397063] Dumping ftrace buffer:
[   33.400594]    (ftrace buffer empty)
[   33.404297] Modules linked in:
[   33.407626] CPU: 0 PID: 3763 Comm: syzkaller363232 Not tainted 4.4.125-g38f41ec #63
[   33.415410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.424774] task: ffff8800adbc9800 task.stack: ffff8801d0f90000
[   33.430838] RIP: 0010:[<ffffffff81d24038>]  [<ffffffff81d24038>] timerqueue_add+0xb8/0x2a0
[   33.439415] RSP: 0018:ffff8801db207d70  EFLAGS: 00010806
[   33.444977] RAX: ffffed003b64338b RBX: ffff8801db219c40 RCX: ffffffff81d2401c
[   33.452252] RDX: 1d1a89b13fffffe7 RSI: ffff8801db219c40 RDI: e8d44d89ffffff39
[   33.459531] RBP: ffff8801db207db0 R08: ffffffff8580ef08 R09: 0000000000000001
[   33.466809] R10: 0000000000000000 R11: 1ffff1003b640f62 R12: dffffc0000000000
[   33.474093] R13: e8d44d89ffffff21 R14: 0000000768061480 R15: ffffffff81491309
[   33.481377] FS:  000000000199e880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   33.489720] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   33.495613] CR2: 00000000006e0194 CR3: 00000001c812e000 CR4: 0000000000160670
[   33.502910] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   33.510270] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   33.517544] Stack:
[   33.519704]  ffff8801db219c58 ffff8801db219710 ffffed003b64338b ffff8801db219700
[   33.527831]  ffff8801db219c40 ffff8801db219640 0000000000000001 0000000000000000
[   33.535926]  ffff8801db207de8 ffffffff812ac208 ffff8801db219c40 0000000000000001
[   33.544018] Call Trace:
[   33.546612]  <IRQ> 
[   33.548681]  [<ffffffff812ac208>] enqueue_hrtimer+0x168/0x450
[   33.554946]  [<ffffffff812ae2d2>] __hrtimer_run_queues+0x732/0xfe0
[   33.561285]  [<ffffffff812adba0>] ? hrtimer_fixup_init+0x70/0x70
[   33.567442]  [<ffffffff812b0311>] ? hrtimer_interrupt+0x131/0x440
[   33.573693]  [<ffffffff812b0386>] hrtimer_interrupt+0x1a6/0x440
[   33.579776]  [<ffffffff810b0e5a>] local_apic_timer_interrupt+0x6a/0xb0
[   33.586457]  [<ffffffff8377c576>] smp_apic_timer_interrupt+0x76/0xa0
[   33.593237]  [<ffffffff8377b4d0>] apic_timer_interrupt+0xa0/0xb0
[   33.599388]  <EOI> 
[   33.601464]  [<ffffffff812e3dfe>] ? smp_call_function_single+0x13e/0x3b0
[   33.608623]  [<ffffffff812e3e05>] ? smp_call_function_single+0x145/0x3b0
[   33.615472]  [<ffffffff810ec5e0>] ? do_flush_tlb_all+0x30/0x30
[   33.621458]  [<ffffffff812e3cc0>] ? generic_exec_single+0x330/0x330
[   33.627885]  [<ffffffff810ec5e0>] ? do_flush_tlb_all+0x30/0x30
[   33.633876]  [<ffffffff81d4adfe>] ? find_next_bit+0x3e/0x50
[   33.639618]  [<ffffffff81d062d2>] ? cpumask_next_and+0x92/0xc0
[   33.645608]  [<ffffffff812e491d>] smp_call_function_many+0x47d/0x720
[   33.652124]  [<ffffffff81230631>] ? __lock_is_held+0xa1/0xf0
[   33.657969]  [<ffffffff810ec5e0>] ? do_flush_tlb_all+0x30/0x30
[   33.663956]  [<ffffffff810eda3e>] native_flush_tlb_others+0xfe/0x710
[   33.670464]  [<ffffffff81d4ad80>] ? _find_next_bit.part.0+0xe0/0x120
[   33.676975]  [<ffffffff810ed940>] ? switch_mm+0x70/0x70
[   33.682356]  [<ffffffff81d065e8>] ? cpumask_any_but+0x88/0xc0
[   33.688261]  [<ffffffff810ee153>] flush_tlb_mm_range+0x103/0x560
[   33.694424]  [<ffffffff8112a836>] copy_process+0x5266/0x6120
[   33.700239]  [<ffffffff811255d0>] ? __cleanup_sighand+0x50/0x50
[   33.706309]  [<ffffffff815828aa>] ? mntput_no_expire+0xca/0x680
[   33.712380]  [<ffffffff82ded950>] ? sock_release+0x1e0/0x1e0
[   33.718191]  [<ffffffff815828d6>] ? mntput_no_expire+0xf6/0x680
[   33.724259]  [<ffffffff815827e0>] ? mnt_get_count+0x190/0x190
[   33.730157]  [<ffffffff8156898d>] ? dput.part.19+0x16d/0x760
[   33.735974]  [<ffffffff8156884a>] ? dput.part.19+0x2a/0x760
[   33.741708]  [<ffffffff8112bb11>] _do_fork+0x151/0xe00
[   33.747001]  [<ffffffff8112b9c0>] ? fork_idle+0x270/0x270
[   33.752557]  [<ffffffff8118bd8a>] ? task_work_run+0x14a/0x180
[   33.758453]  [<ffffffff83779b22>] ? int_ret_from_sys_call+0x52/0xa3
[   33.764876]  [<ffffffff8112c897>] SyS_clone+0x37/0x50
[   33.770094]  [<ffffffff83779965>] entry_SYSCALL_64_fastpath+0x22/0x9e
[   33.776672] Code: 
[   33.778646] ------------[ cut here ]------------
[   33.783749] WARNING: CPU: 0 PID: -2125917439 at include/linux/uaccess.h:15 __probe_kernel_read+0x1b9/0x200()
[   33.793721] Kernel panic - not syncing: panic_on_warn set ...
[   33.793721] 
[   34.931559] Shutting down cpus with NMI
[   34.936724] Dumping ftrace buffer:
[   34.940262]    (ftrace buffer empty)
[   34.943970] Kernel Offset: disabled
[   34.947581] Rebooting in 86400 seconds..