Starting mcstransd: [ 15.815304] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available) [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.333129] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available) [ 21.538385] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available) [ 22.630966] random: sshd: uninitialized urandom read (32 bytes read, 124 bits of entropy available) [ 25.560747] random: nonblocking pool is initialized Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts. 2018/01/16 21:50:05 fuzzer started 2018/01/16 21:50:05 dialing manager at 10.128.0.26:41189 2018/01/16 21:50:09 kcov=true, comps=false 2018/01/16 21:50:09 executing program 0: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000188000)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r0, &(0x7f00006ec000-0x70)=[], 0x4924924924924f9, 0xc0) 2018/01/16 21:50:09 executing program 7: mmap(&(0x7f0000000000/0x2a000)=nil, 0x2a000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$netlink(0x10, 0x3, 0x0) bind$netlink(r0, &(0x7f0000011000-0xc)={0x10, 0x0, 0xffffffffffffffff, 0x120202}, 0xc) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER(0xffffffffffffff9c, 0x84, 0x7b, &(0x7f0000011000-0x8)={0x0, 0x0}, &(0x7f0000001000-0x4)=0x8) getsockname(r0, &(0x7f0000000000)=@pppol2tpv3in6={0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, 0xffffffffffffffff, 0x0, @loopback={0x0, 0x0}, 0x0}}}, &(0x7f000000b000-0x4)=0x3a) ioctl$sock_FIOGETOWN(r1, 0x400454d4, &(0x7f0000001000-0x4)=0x0) 2018/01/16 21:50:09 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = open(&(0x7f000000d000-0x8)='./file0\x00', 0x80040, 0x0) 
perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fcntl$setlease(r0, 0x400, 0x0) fcntl$setlease(r0, 0x400, 0x0) 2018/01/16 21:50:09 executing program 4: mmap(&(0x7f0000000000/0xb06000)=nil, 0xb06000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sndtimer(&(0x7f0000215000-0xf)='/dev/snd/timer\x00', 0x0, 0x0) ioctl$SNDRV_TIMER_IOCTL_TREAD(r0, 0x40045402, &(0x7f000001e000-0x4)=0x9) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f00006c1000)={{0x100000001, 0x0, 0x0, 0x0, 0x0}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) ioctl$SNDRV_TIMER_IOCTL_PARAMS(r0, 0x40505412, &(0x7f000001d000-0x50)={0x0, 0x1, 0x200, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) ioctl$SNDRV_TIMER_IOCTL_SELECT(r0, 0x40345410, &(0x7f00009f3000-0x34)={{0x0, 0x3, 0x0, 0x0, 0x0}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) 2018/01/16 21:50:09 executing program 5: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x5, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x3, @perf_bp={&(0x7f0000000000)=0x0, 0x1}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x0, &(0x7f0000000000)=0x0, 0x4) 2018/01/16 21:50:09 executing program 6: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket(0x10, 0x803, 0x0) sendto(r0, &(0x7f0000cff000-0x12)="120000003200e79b01ffe8fffc1408000ae9", 0x12, 0x0, 0x0, 0x0) 2018/01/16 21:50:09 executing program 2: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000649000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = epoll_create(0x4000000010011) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000337000-0xc)={0x0, 0x0}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) 2018/01/16 21:50:09 executing program 3: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x0, 0x78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = fcntl$dupfd(r0, 0x406, r0) setsockopt$inet_sctp_SCTP_DELAYED_SACK(r1, 0x84, 0x10, &(0x7f0000001000-0x8)=@assoc_value={0x0, 0x2}, 0x8) [ 32.284172] IPVS: Creating netns size=2552 id=1 [ 32.349628] IPVS: Creating netns size=2552 id=2 [ 32.410574] IPVS: 
Creating netns size=2552 id=3 [ 32.493248] IPVS: Creating netns size=2552 id=4 [ 32.587192] IPVS: Creating netns size=2552 id=5 [ 32.687921] IPVS: Creating netns size=2552 id=6 [ 32.806668] IPVS: Creating netns size=2552 id=7 [ 32.975244] IPVS: Creating netns size=2552 id=8 2018/01/16 21:50:14 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6_tcp(0xa, 0x1, 0x0) ioctl$sock_ifreq(r0, 0x89f0, &(0x7f00004aa000-0x28)={@common='bridge0\x00', @ifru_data=&(0x7f00008e8000-0x20)="1200000000000000000305fffe00eb00ecff0000a10000000449faf4e2007e23"}) 2018/01/16 21:50:14 executing program 1: syz_open_dev$sndseq(&(0x7f000005f000)='/dev/snd/seq\x00', 0x0, 0x0) 2018/01/16 21:50:14 executing program 1: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = socket$inet6_sctp(0xa, 0x5, 0x84) r1 = fcntl$dupfd(r0, 0x0, r0) setsockopt$inet_sctp_SCTP_DELAYED_SACK(r1, 0x84, 0x10, &(0x7f0000001000-0x8)=@assoc_value={0x0, 0x2}, 0x8) 2018/01/16 21:50:14 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sndseq(&(0x7f0000dcc000)='/dev/snd/seq\x00', 0x0, 0x0) read(r0, &(0x7f0000fb6000)=""/28, 0x1c) r1 = getpid() sched_setaffinity(r1, 0x8, &(0x7f000083b000-0x8)=0x5) ioctl$SNDRV_SEQ_IOCTL_CREATE_PORT(r0, 0xc0a85320, &(0x7f0000419000-0xb0)={{0x80, 0x0}, "0a4ceaa05d9a00000000000000039b3fd4cec307e8ef3d13eb790ec9c65abaf90d229db692542e5b78f8b29e0a27800f0000000000000009fb42f376589701a4", 0xa9824f69d1376637, 0x10800a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) ioctl$SNDRV_SEQ_IOCTL_REMOVE_EVENTS(r0, 0x4040534e, &(0x7f00001a0000-0x17)={0x3, @tick=0x0, 0x0, {0x0, 0x0}, 0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000333000-0x4c)={0x0, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_INFO(r0, 0xc08c5335, &(0x7f0000120000)={0x0, 0x0, 0x0, 'queue1\x00', 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000fdc000-0x10)='/dev/sequencer2\x00', 0x0, 0x0) 2018/01/16 21:50:15 executing program 1: r0 = socket$inet6(0xa, 0x100000000000002, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x100000d, 0x32, 0xffffffffffffffff, 0x0) setsockopt$inet6_buf(r0, 0x29, 0x0, &(0x7f0000003000-0x26)="2ee9877d", 0x4) 2018/01/16 21:50:15 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000025c000)={0x2, 0x78, 0x3e3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff7fffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
@perf_bp={&(0x7f0000000000)=0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_open_procfs(0x0, &(0x7f0000e4f000)='ns/user\x00') 2018/01/16 21:50:15 executing program 1: mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_open_dev$sndseq(&(0x7f000005f000)='/dev/snd/seq\x00', 0x0, 0x0) 2018/01/16 21:50:15 executing program 1: mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x3, 0x32, 0xffffffffffffffff, 0x0) openat$ashmem(0xffffffffffffff9c, &(0x7f0000001000-0xc)='/dev/ashmem\x00', 0x0, 0x0) [ 37.924861] tc_dump_action: action bad kind [ 37.943239] tc_dump_action: action bad kind [ 38.118121] ================================================================== [ 38.125681] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 [ 38.132317] Read of size 8 at addr ffff8801d08939b8 by task syz-executor2/5141 [ 38.139643] [ 38.141244] CPU: 1 PID: 5141 Comm: syz-executor2 Not tainted 4.4.111-gc2f631b #27 [ 38.148835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.158166] 0000000000000000 49526ceeb02ffaa4 ffff8801c5e7f580 ffffffff81d0513d [ 38.166129] ffffea0007422480 ffff8801d08939b8 0000000000000000 ffff8801d08939b8 [ 38.174099] 0000000000000000 ffff8801c5e7f5b8 ffffffff814fd433 ffff8801d08939b8 [ 38.182063] Call Trace: [ 38.184631] [] dump_stack+0xc1/0x124 [ 38.189962] [] print_address_description+0x73/0x260 [ 38.196594] [] kasan_report+0x285/0x370 [ 38.202187] [] ? __lock_acquire+0x387e/0x4b50 [ 38.208300] [] __asan_report_load8_noabort+0x14/0x20 [ 38.215022] [] __lock_acquire+0x387e/0x4b50 [ 38.220962] [] ? __lock_acquire+0xb5f/0x4b50 [ 38.226986] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.233966] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 38.240946] [] ? mark_held_locks+0xaf/0x100 [ 38.246884] [] lock_acquire+0x15e/0x460 [ 38.252475] [] ? remove_wait_queue+0x14/0x40 [ 38.258504] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 38.264788] [] ? 
remove_wait_queue+0x14/0x40 [ 38.270814] [] remove_wait_queue+0x14/0x40 [ 38.276666] [] ep_unregister_pollwait.isra.6+0xa8/0x220 [ 38.283651] [] ? ep_unregister_pollwait.isra.6+0x114/0x220 [ 38.290898] [] ? ep_free+0x1c0/0x1c0 [ 38.296227] [] ep_free+0x93/0x1c0 [ 38.301295] [] ? ep_free+0x1c0/0x1c0 [ 38.306625] [] ep_eventpoll_release+0x44/0x60 [ 38.312752] [] __fput+0x233/0x6d0 [ 38.317822] [] ____fput+0x15/0x20 [ 38.322896] [] task_work_run+0x104/0x180 [ 38.328578] [] do_exit+0x871/0x2a20 [ 38.333823] [] ? release_task+0x1240/0x1240 [ 38.339762] [] ? recalc_sigpending+0x76/0xa0 [ 38.345796] [] do_group_exit+0x108/0x320 [ 38.351475] [] get_signal+0x565/0x1660 [ 38.356982] [] ? wp_page_copy.isra.72+0x6c6/0xad0 [ 38.363442] [] do_signal+0x8b/0x1d40 [ 38.368773] [] ? handle_mm_fault+0x3f2/0x3190 [ 38.374891] [] ? setup_sigcontext+0x780/0x780 [ 38.381004] [] ? SyS_epoll_ctl+0x230/0x2050 [ 38.386952] [] ? SyS_futex+0x210/0x2c0 [ 38.392463] [] ? exit_to_usermode_loop+0xec/0x170 [ 38.398923] [] exit_to_usermode_loop+0x122/0x170 [ 38.405293] [] syscall_return_slowpath+0x1b5/0x1f0 [ 38.411838] [] int_ret_from_sys_call+0x25/0xa3 [ 38.418038] [ 38.419635] Allocated by task 5140: [ 38.423225] [] save_stack_trace+0x26/0x50 [ 38.429109] [] save_stack+0x43/0xd0 [ 38.434467] [] kasan_kmalloc+0xad/0xe0 [ 38.440085] [] kmem_cache_alloc_trace+0x100/0x2b0 [ 38.446662] [] binder_get_thread+0x181/0x7a0 [ 38.452807] [] binder_poll+0x4a/0x210 [ 38.458353] [] SyS_epoll_ctl+0x10b1/0x2050 [ 38.464323] [] entry_SYSCALL_64_fastpath+0x16/0x92 [ 38.470987] [ 38.472582] Freed by task 5140: [ 38.475824] [] save_stack_trace+0x26/0x50 [ 38.481703] [] save_stack+0x43/0xd0 [ 38.487063] [] kasan_slab_free+0x72/0xc0 [ 38.492858] [] kfree+0xfc/0x300 [ 38.497868] [] binder_thread_dec_tmpref+0x1c1/0x250 [ 38.504617] [] binder_thread_release+0x27d/0x540 [ 38.511106] [] binder_ioctl+0xb94/0x12e0 [ 38.516902] [] do_vfs_ioctl+0x7aa/0xee0 [ 38.522631] [] SyS_ioctl+0x8f/0xc0 [ 38.527901] [] 
entry_SYSCALL_64_fastpath+0x16/0x92 [ 38.534565] [ 38.536161] The buggy address belongs to the object at ffff8801d0893900 [ 38.536161] which belongs to the cache kmalloc-512 of size 512 [ 38.548785] The buggy address is located 184 bytes inside of [ 38.548785] 512-byte region [ffff8801d0893900, ffff8801d0893b00) [ 38.560625] The buggy address belongs to the page: [ 39.986789] PANIC: double fault, error_code: 0x0 [ 39.991561] CPU: 1 PID: 5141 Comm: syz-executor2 Not tainted 4.4.111-gc2f631b #27 [ 39.999145] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.008469] task: ffff8801cfbe5f00 task.stack: ffff8801c5e78000 [ 40.014490] RIP: 0010:[] [] dump_page_badflags+0x12/0x250 [ 40.023338] RSP: 0018:ffff880100000000 EFLAGS: 00010046 [ 40.028755] RAX: ffff8801cfbe5f00 RBX: ffffea0007422480 RCX: ffffffff8148f980 [ 40.035993] RDX: 0000000000000000 RSI: ffffffff838a8360 RDI: ffffea0007422480 [ 40.043231] RBP: ffff880100000020 R08: 0000000000000001 R09: 0000000000000000 [ 40.050469] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000 [ 40.057710] R13: ffffffff838a8360 R14: 0000000000000000 R15: 0000000000000000 [ 40.064949] FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 [ 40.073143] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 40.078993] CR2: ffff8800fffffff8 CR3: 000000000420c000 CR4: 0000000000160670 [ 40.086233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 40.093473] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 40.100708] Stack: [ 40.102822] [ 40.104417] Call Trace: [ 40.106967] [ 40.108993] Code: 00 e9 50 fd ff ff e8 9e e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 <53> 48 89 fb 48 83 ec 08 e8 61 06 ed ff 48 8d 7b 10 48 b8 00 00 [ 40.135817] Kernel panic - not syncing: Machine halted. 
[ 40.141145] CPU: 1 PID: 5141 Comm: syz-executor2 Not tainted 4.4.111-gc2f631b #27 [ 40.148732] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.158053] 0000000000000000 49526ceeb02ffaa4 ffff8801db30ce38 ffffffff81d0513d [ 40.166009] ffffffff838367c0 ffff8801db30cf10 ffffffff83808040 ffff880100000000 [ 40.173967] 0000000000000000 ffff8801db30cf00 ffffffff81419a3a 0000000041b58ab3 [ 40.181929] Call Trace: [ 40.184478] <#DF> [] dump_stack+0xc1/0x124 [ 40.190543] [] panic+0x1aa/0x388 [ 40.195526] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 40.202422] [] ? vprintk_emit+0x242/0x850 [ 40.208185] [] ? dump_page_badflags+0x27/0x250 [ 40.214381] [] ? vprintk_emit+0x242/0x850 [ 40.220149] [] df_debug+0x2d/0x30 [ 40.225219] [] do_double_fault+0x10b/0x210 [ 40.231070] [] double_fault+0x2d/0x40 [ 40.236490] [] ? dump_page_badflags+0x180/0x250 [ 40.242773] [] ? dump_page_badflags+0x12/0x250 [ 40.248967] <> [ 40.252358] Dumping ftrace buffer: [ 40.256162] (ftrace buffer empty) [ 40.259839] Kernel Offset: disabled [ 40.263434] Rebooting in 86400 seconds..