[ 16.968955] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available) [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.878149] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available) [ 20.262951] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available) [ 21.049778] random: sshd: uninitialized urandom read (32 bytes read, 79 bits of entropy available) [ 21.245380] random: sshd: uninitialized urandom read (32 bytes read, 85 bits of entropy available) Warning: Permanently added '10.128.15.224' (ECDSA) to the list of known hosts. [ 26.638642] random: sshd: uninitialized urandom read (32 bytes read, 90 bits of entropy available) executing program [ 26.749054] ================================================================== [ 26.756442] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 [ 26.763075] Read of size 8 at addr ffff8800b46b2338 by task syzkaller583082/3321 [ 26.770571] [ 26.772168] CPU: 0 PID: 3321 Comm: syzkaller583082 Not tainted 4.4.111-g3301b55 #17 [ 26.779926] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.789251] 0000000000000000 f1f87106e841d2d9 ffff8801cfdaf850 ffffffff81d0509d [ 26.797203] ffffea0002d1ac80 ffff8800b46b2338 0000000000000000 ffff8800b46b2338 [ 26.805148] 0000000000000000 ffff8801cfdaf888 ffffffff814fd433 ffff8800b46b2338 [ 26.813098] Call Trace: [ 26.815656] [] dump_stack+0xc1/0x124 [ 26.820997] [] print_address_description+0x73/0x260 [ 26.827649] [] kasan_report+0x285/0x370 [ 26.833240] [] ? __lock_acquire+0x387e/0x4b50 [ 26.839357] [] __asan_report_load8_noabort+0x14/0x20 [ 26.846079] [] __lock_acquire+0x387e/0x4b50 [ 26.852032] [] ? __lock_acquire+0xb5f/0x4b50 [ 26.858053] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 26.865032] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 26.871845] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 26.878832] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 26.885816] [] lock_acquire+0x15e/0x460 [ 26.891405] [] ? remove_wait_queue+0x14/0x40 [ 26.897433] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 26.903724] [] ? remove_wait_queue+0x14/0x40 [ 26.909752] [] remove_wait_queue+0x14/0x40 [ 26.915604] [] ep_unregister_pollwait.isra.6+0xa8/0x220 [ 26.922582] [] ? ep_unregister_pollwait.isra.6+0x114/0x220 [ 26.929819] [] ? ep_free+0x1c0/0x1c0 [ 26.935153] [] ep_free+0x93/0x1c0 [ 26.940307] [] ? ep_free+0x1c0/0x1c0 [ 26.945632] [] ep_eventpoll_release+0x44/0x60 [ 26.951743] [] __fput+0x233/0x6d0 [ 26.956809] [] ____fput+0x15/0x20 [ 26.961885] [] task_work_run+0x104/0x180 [ 26.967561] [] do_exit+0x871/0x2a20 [ 26.972809] [] ? handle_mm_fault+0x192d/0x3190 [ 26.979006] [] ? handle_mm_fault+0x3f2/0x3190 [ 26.985122] [] ? release_task+0x1240/0x1240 [ 26.991059] [] do_group_exit+0x108/0x320 [ 26.996735] [] SyS_exit_group+0x1d/0x20 [ 27.002329] [] ? do_group_exit+0x320/0x320 [ 27.008183] [] do_fast_syscall_32+0x314/0x890 [ 27.014295] [] sysenter_flags_fixed+0xd/0x17 [ 27.020317] [ 27.021921] Allocated by task 3321: [ 27.025513] [] save_stack_trace+0x26/0x50 [ 27.031391] [] save_stack+0x43/0xd0 [ 27.036760] [] kasan_kmalloc+0xad/0xe0 [ 27.042377] [] kmem_cache_alloc_trace+0x100/0x2b0 [ 27.048950] [] binder_get_thread+0x181/0x7a0 [ 27.055084] [] binder_poll+0x4a/0x210 [ 27.060611] [] SyS_epoll_ctl+0x10b1/0x2050 [ 27.066577] [] do_fast_syscall_32+0x314/0x890 [ 27.072805] [] sysenter_flags_fixed+0xd/0x17 [ 27.078943] [ 27.080535] Freed by task 3321: [ 27.083781] [] save_stack_trace+0x26/0x50 [ 27.089655] [] save_stack+0x43/0xd0 [ 27.095009] [] kasan_slab_free+0x72/0xc0 [ 27.100798] [] kfree+0xfc/0x300 [ 27.105897] [] binder_thread_dec_tmpref+0x1c1/0x250 [ 27.112641] [] binder_thread_release+0x27d/0x540 [ 27.119123] [] binder_ioctl+0xb94/0x12e0 [ 27.124913] [] compat_SyS_ioctl+0x28a/0x2540 [ 27.131048] [] do_fast_syscall_32+0x314/0x890 [ 27.137280] [] sysenter_flags_fixed+0xd/0x17 [ 27.143419] [ 27.145013] The buggy address belongs to the object at ffff8800b46b2280 [ 27.145013] which belongs to the cache kmalloc-512 of size 512 [ 27.157640] The buggy address is located 184 bytes inside of [ 27.157640] 512-byte region [ffff8800b46b2280, ffff8800b46b2480) [ 27.169483] The buggy address belongs to the page: [ 27.221939] ------------[ cut here ]------------ [ 27.226717] WARNING: CPU: 1 PID: 1 at kernel/locking/lockdep.c:973 __bfs+0x2c4/0x5d0() [ 27.234746] Kernel panic - not syncing: panic_on_warn set ... [ 27.234746] [ 27.242078] CPU: 1 PID: 1 Comm: init Not tainted 4.4.111-g3301b55 #17 [ 27.248620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.257948] 0000000000000000 4bf8744c62a60176 ffff8801da317358 ffffffff81d0509d [ 27.265908] ffffffff83842f60 ffff8801da317430 ffffffff83854d40 0000000000000009 [ 27.273853] 00000000000003cd ffff8801da317420 ffffffff81419a3a 0000000041b58ab3 [ 27.281799] Call Trace: [ 27.284362] [] dump_stack+0xc1/0x124 [ 27.289707] [] panic+0x1aa/0x388 [ 27.294708] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 27.301614] [] ? pm_qos_get_value.part.4+0xb/0xb [ 27.307988] [] ? is_module_text_address+0x2a/0x50 [ 27.314446] [] ? warn_slowpath_common+0x10a/0x140 [ 27.320900] [] warn_slowpath_common+0x125/0x140 [ 27.327183] [] ? __bfs+0x2c4/0x5d0 [ 27.332336] [] warn_slowpath_null+0x29/0x30 [ 27.338269] [] __bfs+0x2c4/0x5d0 [ 27.343249] [] ? noop_count+0x40/0x40 [ 27.348661] [] check_usage_backwards+0x171/0x300 [ 27.355027] [] ? check_usage_forwards+0x310/0x310 [ 27.361492] [] ? dump_trace+0x14c/0x350 [ 27.367090] [] ? save_stack_trace+0x26/0x50 [ 27.373022] [] mark_lock+0x8b1/0xfd0 [ 27.378351] [] ? check_usage_forwards+0x310/0x310 [ 27.384814] [] __lock_acquire+0x10f0/0x4b50 [ 27.390747] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 27.397730] [] ? put_files_struct+0x20c/0x270 [ 27.403839] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 27.410815] [] ? mark_held_locks+0xaf/0x100 [ 27.416754] [] ? mutex_lock_nested+0x5d4/0x850 [ 27.422949] [] lock_acquire+0x15e/0x460 [ 27.428538] [] ? put_pipe_info+0x23/0xd0 [ 27.434212] [] ? __mutex_unlock_slowpath+0x1a0/0x300 [ 27.440928] [] _raw_spin_lock+0x36/0x50 [ 27.446516] [] ? put_pipe_info+0x23/0xd0 [ 27.452191] [] put_pipe_info+0x23/0xd0 [ 27.457710] [] pipe_release+0x1af/0x250 [ 27.463316] [] ? put_pipe_info+0xd0/0xd0 [ 27.468998] [] __fput+0x233/0x6d0 [ 27.474064] [] ____fput+0x15/0x20 [ 27.479133] [] task_work_run+0x104/0x180 [ 27.484809] [] do_exit+0x871/0x2a20 [ 27.490057] [] ? __lock_is_held+0xa1/0xf0 [ 27.495820] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 27.502623] [] ? kmem_cache_free+0x2a4/0x320 [ 27.508648] [] ? release_task+0x1240/0x1240 [ 27.514596] [] do_group_exit+0x108/0x320 [ 27.520277] [] get_signal+0x565/0x1660 [ 27.525775] [] ? __send_signal+0x452/0x1330 [ 27.531712] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 27.538517] [] do_signal+0x8b/0x1d40 [ 27.543843] [] ? setup_sigcontext+0x780/0x780 [ 27.549964] [] ? __bad_area_nosemaphore+0x3e/0x420 [ 27.556507] [] ? __bad_area_nosemaphore+0x220/0x420 [ 27.563406] [] ? exit_to_usermode_loop+0xec/0x170 [ 27.569860] [] exit_to_usermode_loop+0x122/0x170 [ 27.576228] [] prepare_exit_to_usermode+0xe3/0x100 [ 27.582771] [] retint_user+0x8/0x3c [ 28.647828] Shutting down cpus with NMI [ 28.652603] Dumping ftrace buffer: [ 28.656110] (ftrace buffer empty) [ 28.659785] Kernel Offset: disabled [ 28.663373] Rebooting in 86400 seconds..