[ 16.366183] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.686804] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 21.122590] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 21.933407] random: sshd: uninitialized urandom read (32 bytes read, 89 bits of entropy available)
[ 22.100692] random: sshd: uninitialized urandom read (32 bytes read, 93 bits of entropy available)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[ 27.465544] random: sshd: uninitialized urandom read (32 bytes read, 101 bits of entropy available)
executing program
[ 27.566628] ==================================================================
[ 27.574001] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 27.580986] Read of size 8 at addr ffff8801d1949140 by task syzkaller351815/3315
[ 27.588478]
[ 27.590074] CPU: 1 PID: 3315 Comm: syzkaller351815 Not tainted 4.4.111-g3301b55 #17
[ 27.597830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.607149]  0000000000000000 e36d9f82bf298c76 ffff8800b5b7fa40 ffffffff81d0509d
[ 27.615098]  ffffea0007465240 ffff8801d1949140 0000000000000000 ffff8801d1949140
[ 27.623066]  ffff8801d0b08238 ffff8800b5b7fa78 ffffffff814fd433 ffff8801d1949140
[ 27.631029] Call Trace:
[ 27.633585]  [] dump_stack+0xc1/0x124
[ 27.638914]  [] print_address_description+0x73/0x260
[ 27.645544]  [] kasan_report+0x285/0x370
[ 27.651144]  [] ? sg_remove_request+0xf9/0x110
[ 27.657257]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.663974]  [] sg_remove_request+0xf9/0x110
[ 27.669909]  [] sg_finish_rem_req+0x295/0x340
[ 27.675931]  [] sg_read+0xa21/0x1490
[ 27.681173]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 27.687806]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 27.694176]  [] ? lockdep_init_map+0xeb/0x1690
[ 27.700286]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 27.706925]  [] __vfs_read+0x103/0x440
[ 27.712338]  [] ? vfs_iter_write+0x2d0/0x2d0
[ 27.718275]  [] ? fsnotify+0x5ad/0xee0
[ 27.723693]  [] ? fsnotify+0xee0/0xee0
[ 27.729107]  [] ? avc_policy_seqno+0x9/0x20
[ 27.734957]  [] ? selinux_file_permission+0x348/0x460
[ 27.741675]  [] ? security_file_permission+0x89/0x1e0
[ 27.748391]  [] ? rw_verify_area+0x100/0x2f0
[ 27.754326]  [] vfs_read+0x123/0x3a0
[ 27.759564]  [] SyS_read+0xd9/0x1b0
[ 27.764718]  [] ? do_sendfile+0xd30/0xd30
[ 27.770392]  [] ? vmacache_update+0xfe/0x130
[ 27.776327]  [] ? do_fast_syscall_32+0xd7/0x890
[ 27.782520]  [] ? do_sendfile+0xd30/0xd30
[ 27.788192]  [] do_fast_syscall_32+0x314/0x890
[ 27.794301]  [] sysenter_flags_fixed+0xd/0x17
[ 27.800318]
[ 27.801910] Allocated by task 0:
[ 27.805235] (stack is not available)
[ 27.808907]
[ 27.810497] Freed by task 0:
[ 27.813477] (stack is not available)
[ 27.817149]
[ 27.818740] The buggy address belongs to the object at ffff8801d1949100
[ 27.818740]  which belongs to the cache fasync_cache of size 96
[ 27.831357] The buggy address is located 64 bytes inside of
[ 27.831357]  96-byte region [ffff8801d1949100, ffff8801d1949160)
[ 27.843020] The buggy address belongs to the page:
[ 27.852767] page:ffffea0007465240 count:1 mapcount:-2145386463 mapping: (null) index:0x0
[ 27.852775] kasan: CONFIG_KASAN_INLINE enabled
[ 27.852780] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 27.852784] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 27.852789] Dumping ftrace buffer:
[ 27.852792]    (ftrace buffer empty)
[ 27.852795] Modules linked in:
[ 27.852802] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.111-g3301b55 #17
[ 27.852805] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.852808] task: ffffffff84217840 task.stack: ffffffff84200000
[ 27.852821] RIP: 0010:[]  [] rb_insert_color+0x1d0/0xcb0
[ 27.852824] RSP: 0018:ffff8801db207d18  EFLAGS: 00010806
[ 27.852828] RAX: ffff8801db219c40 RBX: ffffea0007465240 RCX: 1000000000000012
[ 27.852832] RDX: dffffc0000000000 RSI: ffff8801db219710 RDI: ffffea0007465250
[ 27.852835] RBP: ffff8801db207d60 R08: ffffffff85807f08 R09: 0000000000000001
[ 27.852845] R10: 0000000000000000 R11: 1ffff1003b640f62 R12: 8000000000000090
[ 27.852848] R13: 8000000000000080 R14: 8000000000000080 R15: ffff8801db219c48
[ 27.852853] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 27.852857] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 27.852860] CR2: 0000558fe20540f0 CR3: 00000000b4108000 CR4: 0000000000160670
[ 27.852866] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 27.852869] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 27.852870] Stack:
[ 27.852877]  ffffffff842bcb20 ffffffff842180b0 0000000000000000 ffff8801db207d70
[ 27.852884]  ffff8801db219c40 dffffc0000000000 0000000000000000 ffff8801db219710
[ 27.852891]  ffff8800b4affe00 ffff8801db207db0 ffffffff81d22967 ffff8801db219c58
[ 27.852892] Call Trace:
[ 27.852903]
[ 27.852904]  [] timerqueue_add+0x157/0x2a0
[ 27.852913]  [] enqueue_hrtimer+0x168/0x450
[ 27.852919]  [] __hrtimer_run_queues+0x732/0xfe0
[ 27.852926]  [] ? hrtimer_fixup_init+0x70/0x70
[ 27.852932]  [] ? hrtimer_interrupt+0x131/0x440
[ 27.852938]  [] hrtimer_interrupt+0x1a6/0x440
[ 27.852947]  [] local_apic_timer_interrupt+0x6a/0xb0
[ 27.852954]  [] smp_apic_timer_interrupt+0x76/0xa0
[ 27.852961]  [] apic_timer_interrupt+0xa0/0xb0
[ 27.852970]
[ 27.852970]  [] ? native_safe_halt+0x6/0x10
[ 27.852976]  [] default_idle+0x55/0x3c0
[ 27.852982]  [] arch_cpu_idle+0xa/0x10
[ 27.852989]  [] default_idle_call+0x48/0x70
[ 27.852995]  [] cpu_startup_entry+0x605/0x820
[ 27.853001]  [] ? call_cpuidle+0xe0/0xe0
[ 27.853008]  [] rest_init+0x189/0x190
[ 27.853015]  [] start_kernel+0x6b9/0x6ee
[ 27.853020]  [] ? thread_stack_cache_init+0xb/0xb
[ 27.853026]  [] ? early_idt_handler_array+0x120/0x120
[ 27.853031]  [] ? early_idt_handler_array+0x120/0x120
[ 27.853037]  [] x86_64_start_reservations+0x2a/0x2c
[ 27.853042]  [] x86_64_start_kernel+0x140/0x163
[ 27.853125] Code: 48 c1 e9 03 80 3c 11 00 0f 85 83 06 00 00 4d 85 ed 48 89 03 74 5b 4d 8d 65 10 48 ba 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 11 00 0f 85 19 07 00 00 49 3b 5d 10 0f 84 eb 04 00 00 49
[ 27.853131] RIP  [] rb_insert_color+0x1d0/0xcb0
[ 27.853133]  RSP
[ 27.853138] ---[ end trace 6c62c427bacbcac1 ]---
[ 27.853141] Kernel panic - not syncing: Fatal exception in interrupt
[ 28.202994] flags: 0xffff8801db219c40(active|reserved|private|private_2|swapcache|mappedtodisk|uncached)
[ 28.213516] page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
[ 28.219562] ------------[ cut here ]------------
[ 28.224297] kernel BUG at include/linux/mm.h:460!
[ 28.229122] invalid opcode: 0000 [#2] PREEMPT SMP KASAN
[ 28.234908] Dumping ftrace buffer:
[ 28.238412]    (ftrace buffer empty)
[ 28.242089] Modules linked in:
[ 28.245367] CPU: 1 PID: 3315 Comm: syzkaller351815 Tainted: G D 4.4.111-g3301b55 #17
[ 28.254341] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.263670] task: ffff8801d0d02f80 task.stack: ffff8800b5b78000
[ 28.269693] RIP: 0010:[]  [] dump_page_badflags+0x191/0x250
[ 28.278622] RSP: 0018:ffff8800b42f4d30  EFLAGS: 00010082
[ 28.284044] RAX: ffff8801d0d02f80 RBX: ffffea0007465240 RCX: ffffffff8148f96c
[ 28.291284] RDX: 0000000000000000 RSI: ffffffff839fd920 RDI: ffff8801d0d037ec
[ 28.298528] RBP: ffff8800b42f4d60 R08: 0000000000000001 R09: 0000000000000000
[ 28.305774] R10: 0000000000000002 R11: fffffbfff0ad7820 R12: 0000000000000000
[ 28.313013] R13: ffffffff838a83a0 R14: 0000000000000000 R15: 0000000000000000
[ 28.320252] FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:000000000a0db840
[ 28.328446] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 28.334307] CR2: 0000000020c7e000 CR3: 00000001d3052000 CR4: 0000000000160670
[ 28.341546] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 28.348784] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 28.356020] Stack:
[ 28.358135]  0000000000000000 ffffea0007465240 0000000000000000 ffffffff838a83a0
[ 28.366096]  0000000000000000 0000000000000000 ffff8800b42f4da0 ffffffff8148f991
[ 28.374049]  0000000000000000 ffffea0007465240 0000000000000000 ffffffff838a83a0
[ 28.382006] Call Trace:
[ 28.384555]
[ 28.386582] Code: 46 e8 14 05 ed ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 00 05 ed ff 31 d2 48 c7 c6 a0 83 8a 83 48 89 df e8 6f fe ff ff <0f> 0b e8 d8 e0 06 00 e9 21 ff ff ff 89 4d d4 e8 cb e0 06 00 8b
[ 28.413390] RIP  [] dump_page_badflags+0x191/0x250
[ 28.419968]  RSP
[ 28.423563] ---[ end trace 6c62c427bacbcac2 ]---
[ 28.967822] Shutting down cpus with NMI
[ 28.972209] Dumping ftrace buffer:
[ 28.975715]    (ftrace buffer empty)
[ 28.979392] Kernel Offset: disabled
[ 28.982984] Rebooting in 86400 seconds..