[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.796617] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   20.054693] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.098926] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available)
[   21.293560] random: sshd: uninitialized urandom read (32 bytes read, 127 bits of entropy available)
[   21.406940] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
[   26.831476] ==================================================================
[   26.838895] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   26.838901] Read of size 8 at addr ffff8801d178b2c0 by task syzkaller382858/3313
[   26.838902] 
[   26.838909] CPU: 1 PID: 3313 Comm: syzkaller382858 Not tainted 4.4.113-ge70c132 #34
[   26.838912] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.838924]  0000000000000000 ec482e645b647ad9 ffff8800b4677ab0 ffffffff81d0278d
[   26.838932]  ffffea000745e2c0 ffff8801d178b2c0 0000000000000000 ffff8801d178b2c0
[   26.838940]  ffff8801cfcc8238 ffff8800b4677ae8 ffffffff814fd053 ffff8801d178b2c0
[   26.838941] Call Trace:
[   26.838950]  [] dump_stack+0xc1/0x124
[   26.838957]  [] print_address_description+0x73/0x260
[   26.838962]  [] kasan_report+0x285/0x370
[   26.838969]  [] ? sg_remove_request+0xf9/0x110
[   26.838975]  [] __asan_report_load8_noabort+0x14/0x20
[   26.838981]  [] sg_remove_request+0xf9/0x110
[   26.838987]  [] sg_finish_rem_req+0x295/0x340
[   26.838993]  [] sg_read+0xa1b/0x1490
[   26.839000]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[   26.839008]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   26.839014]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[   26.839022]  [] __vfs_read+0x103/0x440
[   26.839029]  [] ? vfs_iter_write+0x2d0/0x2d0
[   26.839035]  [] ? fsnotify+0x5ad/0xee0
[   26.839040]  [] ? fsnotify+0xee0/0xee0
[   26.839049]  [] ? avc_policy_seqno+0x9/0x20
[   26.839055]  [] ? selinux_file_permission+0x348/0x460
[   26.839062]  [] ? security_file_permission+0x89/0x1e0
[   26.839068]  [] ? rw_verify_area+0x100/0x2f0
[   26.839075]  [] vfs_read+0x123/0x3a0
[   26.839080]  [] SyS_read+0xd9/0x1b0
[   26.839085]  [] ? do_sendfile+0xd30/0xd30
[   26.839092]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   26.839100]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   26.839102] 
[   26.839105] Allocated by task 0:
[   26.839106] (stack is not available)
[   26.839107] 
[   26.839109] Freed by task 0:
[   26.839110] (stack is not available)
[   26.839111] 
[   26.839116] The buggy address belongs to the object at ffff8801d178b280
[   26.839116]  which belongs to the cache fasync_cache of size 96
[   26.839121] The buggy address is located 64 bytes inside of
[   26.839121]  96-byte region [ffff8801d178b280, ffff8801d178b2e0)
[   26.839127] The buggy address belongs to the page:
[   26.853741] BUG: unable to handle kernel NULL pointer dereference at (null)
[   26.853745] IP: [< (null)>] (null)
[   26.853753] PGD 80000001d04d9067 PUD 1d0628067 PMD 0
[   26.853760] Oops: 0010 [#1] PREEMPT SMP KASAN
[   26.853765] Dumping ftrace buffer:
[   26.853769]    (ftrace buffer empty)
[   26.853772] Modules linked in:
[   26.853779] CPU: 0 PID: 3309 Comm: syzkaller382858 Not tainted 4.4.113-ge70c132 #34
[   26.853782] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.853786] task: ffff8800b52bdf00 task.stack: ffff8801d1058000
[   26.853791] RIP: 0010:[<0000000000000000>]  [< (null)>] (null)
[   26.853794] RSP: 0018:ffff8801d105fbc8  EFLAGS: 00010046
[   26.853797] RAX: ffff8800b45c7a20 RBX: 0000000000000000 RCX: 0000000000000041
[   26.853801] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8800b45c7a20
[   26.853804] RBP: ffff8801d105fc10 R08: 0000000000000041 R09: ffffffff85111510
[   26.853807] R10: 0000000000000001 R11: 1ffff1003a20bf4a R12: ffff8801d2f5eab8
[   26.853813] R13: dffffc0000000000 R14: ffffffff838a8dc8 R15: 0000000000000041
[   26.853818] FS:  00000000018c2880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   26.853822] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.853825] CR2: 0000000000000000 CR3: 00000001d0a60000 CR4: 0000000000160670
[   26.853831] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   26.853834] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   26.853836] Stack:
[   26.853843]  ffffffff8121e6e4 0000000000000041 0000000100000001 0000000100000001
[   26.853849]  ffff8801d2f5ea80 0000000000000001 0000000000000041 0000000000000001
[   26.853856]  0000000000000292 ffff8801d105fc48 ffffffff8121f110 ffff8801d2f5ea00
[   26.853857] Call Trace:
[   26.853871]  [] ? __wake_up_common+0xb4/0x150
[   26.853878]  [] __wake_up_sync_key+0x40/0x60
[   26.853886]  [] pipe_write+0x662/0xd80
[   26.853893]  [] __vfs_write+0x33c/0x450
[   26.853900]  [] ? __vfs_read+0x440/0x440
[   26.853909]  [] ? selinux_file_permission+0x348/0x460
[   26.853915]  [] ? rw_verify_area+0x100/0x2f0
[   26.853921]  [] vfs_write+0x18a/0x530
[   26.853926]  [] SyS_write+0xd9/0x1b0
[   26.853932]  [] ? SyS_read+0x1b0/0x1b0
[   26.853938]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   26.853946]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[   26.853954] Code:  Bad RIP value.
[   26.853958] RIP  [< (null)>] (null)
[   26.853960]  RSP
[   26.853961] CR2: 0000000000000000
[   26.853968] ---[ end trace 683064a2a4c1d9b1 ]---
[   26.853972] Kernel panic - not syncing: Fatal exception
[   27.988721] Shutting down cpus with NMI
[   27.989338] Dumping ftrace buffer:
[   27.989341]    (ftrace buffer empty)
[   27.989344] Kernel Offset: disabled
[   28.504856] Rebooting in 86400 seconds..
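Triage of a console log like the one above usually starts by cutting it into its individual "BUG:" reports, deriving a crash title for the first one, finding the frame that actually performed the bad access, and checking the KASAN address arithmetic. The script below is an added example written for this page; it is not part of the log, of syzkaller, or of the kernel. Its regexes target only the dmesg and KASAN line formats visible above, the list of "reporting machinery" frames to skip, the syzkaller-style title format and the sample lines (a constructed subset copied from the report above) are assumptions made for the example.

```python
"""Triage helper for KASAN reports in a syzkaller console log (added example).

Assumptions (not from the page): the regexes below target the dmesg/KASAN
line formats visible in the log above; anything else is skipped, not guessed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Frames emitted by the KASAN reporting machinery itself (assumed list); the
# first reliable frame after these is the function that did the bad access.
REPORT_MACHINERY = ("dump_stack", "print_address_description", "kasan_report",
                    "__asan_report_", "__asan_load", "__asan_store")

TS = r"^\[\s*\d+\.\d+\]\s*"                       # dmesg "[   26.838895] " prefix
BUG_RE = re.compile(TS + r"BUG: ")
KASAN_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
OBJ_RE = re.compile(TS + r"The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
# Stack frame: "[<addr>] sym+0x..", or "[] sym+0x.." once addresses are stripped;
# a leading "? " marks a frame found by stack scanning (unreliable).
FRAME_RE = re.compile(TS + r"\[[^\]]*\]\s*(?P<unreliable>\? )?(?P<sym>\w+)\+0x")

# Constructed sample: a subset of the lines from the report above.
SAMPLE_LOG = """\
[   26.838895] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   26.838901] Read of size 8 at addr ffff8801d178b2c0 by task syzkaller382858/3313
[   26.838909] CPU: 1 PID: 3313 Comm: syzkaller382858 Not tainted 4.4.113-ge70c132 #34
[   26.838941] Call Trace:
[   26.838950]  [] dump_stack+0xc1/0x124
[   26.838957]  [] print_address_description+0x73/0x260
[   26.838962]  [] kasan_report+0x285/0x370
[   26.838969]  [] ? sg_remove_request+0xf9/0x110
[   26.838975]  [] __asan_report_load8_noabort+0x14/0x20
[   26.838981]  [] sg_remove_request+0xf9/0x110
[   26.838987]  [] sg_finish_rem_req+0x295/0x340
[   26.838993]  [] sg_read+0xa1b/0x1490
[   26.839022]  [] __vfs_read+0x103/0x440
[   26.839080]  [] SyS_read+0xd9/0x1b0
[   26.839116] The buggy address belongs to the object at ffff8801d178b280
[   26.839116]  which belongs to the cache fasync_cache of size 96
[   26.839121] The buggy address is located 64 bytes inside of
[   26.839121]  96-byte region [ffff8801d178b280, ffff8801d178b2e0)
[   26.853741] BUG: unable to handle kernel NULL pointer dereference at (null)
[   26.853871]  [] ? __wake_up_common+0xb4/0x150
[   26.853886]  [] pipe_write+0x662/0xd80
"""


@dataclass
class KasanReport:
    kind: str
    func: str
    op: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    cache: str = ""
    obj_base: Optional[int] = None
    obj_size: Optional[int] = None
    frames: List[str] = field(default_factory=list)   # reliable frames only

    @property
    def title(self) -> str:
        """syzkaller-style crash title (assumed format), e.g. 'KASAN: slab-out-of-bounds Read in sg_remove_request'."""
        return f"KASAN: {self.kind} {self.op} in {self.func}"

    @property
    def culprit(self) -> str:
        """First reliable frame that is not part of the KASAN reporting machinery."""
        for sym in self.frames:
            if not sym.startswith(REPORT_MACHINERY):
                return sym
        return self.func

    def offset_in_object(self) -> Optional[int]:
        return None if self.obj_base is None else self.addr - self.obj_base

    def access_within_object(self) -> Optional[bool]:
        """Whether [addr, addr+size) lies inside [obj_base, obj_base+obj_size)."""
        if self.obj_base is None or self.obj_size is None:
            return None
        return self.obj_base <= self.addr and self.addr + self.size <= self.obj_base + self.obj_size


def split_reports(log: str) -> List[List[str]]:
    """Cut the log into chunks, one per 'BUG:' line; text before the first BUG is dropped."""
    chunks: List[List[str]] = []
    for line in log.splitlines():
        if BUG_RE.match(line):
            chunks.append([])
        if chunks:
            chunks[-1].append(line)
    return chunks


def parse_kasan(lines: List[str]) -> Optional[KasanReport]:
    """Parse one BUG chunk; returns None for non-KASAN reports (e.g. the NULL-deref oops)."""
    m = KASAN_RE.match(lines[0])
    if not m:
        return None
    rep = KasanReport(kind=m["kind"], func=m["func"])
    for line in lines[1:]:
        if (m := ACCESS_RE.match(line)):
            rep.op, rep.size = m["op"], int(m["size"])
            rep.addr, rep.comm, rep.pid = int(m["addr"], 16), m["comm"], int(m["pid"])
        elif (m := OBJ_RE.match(line)):
            rep.obj_base = int(m["base"], 16)
        elif (m := CACHE_RE.match(line)):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif (m := FRAME_RE.match(line)) and not m["unreliable"]:
            rep.frames.append(m["sym"])
    return rep


def triage(log: str) -> List[KasanReport]:
    """All KASAN reports in the log, in order; other BUG chunks are split off but not parsed."""
    return [r for r in (parse_kasan(c) for c in split_reports(log)) if r is not None]


if __name__ == "__main__":
    for rep in triage(SAMPLE_LOG):
        print(rep.title, "| culprit:", rep.culprit, "| offset:", rep.offset_in_object(),
              "| within object:", rep.access_within_object())
```

For the log above this yields the title "KASAN: slab-out-of-bounds Read in sg_remove_request", culprit sg_remove_request (the "? sg_remove_request" frame is skipped as unreliable), an offset of 64 bytes and an access that, by plain arithmetic, lies inside the 96-byte fasync_cache object. KASAN picks the bug class from the shadow byte the access hit, while the "located N bytes inside of" line is only arithmetic against the cache's object size, so the two can disagree as they do here; that is why the parser reports both rather than trusting the region line, and why the culprit frame is the starting point. The second chunk, the NULL pointer dereference under pipe_write, is split off and counted but left unparsed; it follows the first report on the same boot and is triaged separately.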