[ 15.563706] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.838418] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 22.138410] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 23.001253] random: sshd: uninitialized urandom read (32 bytes read, 106 bits of entropy available)
[ 34.513435] random: sshd: uninitialized urandom read (32 bytes read, 114 bits of entropy available)
Warning: Permanently added '10.128.0.11' (ECDSA) to the list of known hosts.
[ 39.886456] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 40.013359] ==================================================================
[ 40.020740] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 40.027807] Read of size 8 at addr ffff8801cd34c340 by task syzkaller684860/3328
[ 40.035305]
[ 40.036902] CPU: 0 PID: 3328 Comm: syzkaller684860 Not tainted 4.4.111-gc2f631b #20
[ 40.044662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.053983] 0000000000000000 bc605937ca7bafe2 ffff8801d07af970 ffffffff81d0513d
[ 40.061947] ffffea000734d300 ffff8801cd34c340 0000000000000000 ffff8801cd34c340
[ 40.069911] ffff8801d079c438 ffff8801d07af9a8 ffffffff814fd433 ffff8801cd34c340
[ 40.077876] Call Trace:
[ 40.080436] [] dump_stack+0xc1/0x124
[ 40.086277] [] print_address_description+0x73/0x260
[ 40.092911] [] kasan_report+0x285/0x370
[ 40.098512] [] ? sg_remove_request+0xf9/0x110
[ 40.104625] [] __asan_report_load8_noabort+0x14/0x20
[ 40.111346] [] sg_remove_request+0xf9/0x110
[ 40.117292] [] sg_finish_rem_req+0x295/0x340
[ 40.123322] [] sg_read+0xa21/0x1490
[ 40.128584] [] ? __kmalloc+0x124/0x320
[ 40.134089] [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 40.140724] [] ? fsnotify+0xee0/0xee0
[ 40.146146] [] ? avc_policy_seqno+0x9/0x20
[ 40.152007] [] do_loop_readv_writev+0x141/0x1e0
[ 40.158296] [] ? security_file_permission+0x89/0x1e0
[ 40.165016] [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 40.171661] [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 40.178294] [] compat_do_readv_writev+0x5df/0x6e0
[ 40.184758] [] ? vfs_writev+0xb0/0xb0
[ 40.190177] [] ? exit_robust_list+0x240/0x240
[ 40.196300] [] ? __fget+0x20b/0x3b0
[ 40.201543] [] ? __fget+0x232/0x3b0
[ 40.206789] [] ? __fget+0x47/0x3b0
[ 40.211947] [] compat_readv+0xd9/0x140
[ 40.217451] [] compat_SyS_readv+0xd8/0x1b0
[ 40.223313] [] ? SyS_pwritev+0x230/0x230
[ 40.228994] [] ? do_fast_syscall_32+0xd7/0x890
[ 40.235191] [] ? SyS_pwritev+0x230/0x230
[ 40.240869] [] do_fast_syscall_32+0x314/0x890
[ 40.246985] [] sysenter_flags_fixed+0xd/0x17
[ 40.253008]
[ 40.254605] Allocated by task 0:
[ 40.257939] (stack is not available)
[ 40.261616]
[ 40.263211] Freed by task 0:
[ 40.266192] (stack is not available)
[ 40.269877]
[ 40.271476] The buggy address belongs to the object at ffff8801cd34c300
[ 40.271476] which belongs to the cache fasync_cache of size 96
[ 40.284104] The buggy address is located 64 bytes inside of
[ 40.284104] 96-byte region [ffff8801cd34c300, ffff8801cd34c360)
[ 40.295772] The buggy address belongs to the page:
[ 40.307842] kasan: CONFIG_KASAN_INLINE enabled
[ 40.312257] kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 40.325091] Dumping ftrace buffer:
[ 40.328599] (ftrace buffer empty)
[ 40.332282] Modules linked in:
[ 40.335561] CPU: 1 PID: 3327 Comm: syzkaller684860 Not tainted 4.4.111-gc2f631b #20
[ 40.343339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.353314] task: ffff8800b5644740 task.stack: ffff8801d0a08000
[ 40.359340] RIP: 0010:[] [] rb_insert_color+0x9f/0xcb0
[ 40.367946] RSP: 0018:ffff8801db307d18 EFLAGS: 00010003
[ 40.373368] RAX: 0a0508a8e82a0be9 RBX: ffffffff838a8360 RCX: ffffffff838a8360
[ 40.380611] RDX: 1ffffffff071506d RSI: ffff8801db319710 RDI: ffff8801db319c40
[ 40.387948] RBP: ffff8801db307d60 R08: ffffffff857d0748 R09: 0000000000000001
[ 40.395188] R10: 0000000000000000 R11: 1ffff1003b660f62 R12: ffff8801d077fdf8
[ 40.403208] R13: 5028454741505f4e R14: ffff8801db319c40 R15: dffffc0000000000
[ 40.410449] FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000f773bb40
[ 40.418653] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 40.424504] CR2: 000000002047cff7 CR3: 00000001d1b48000 CR4: 0000000000160670
[ 40.431760] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 40.439007] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 40.446248] Stack:
[ 40.448367] ffffffff842bcb20 ffff8800b5644fb0 0000000000000001 ffff8801db307d70
[ 40.456327] ffff8801db319c40 dffffc0000000000 0000000000000000 ffff8801db319710
[ 40.464293] ffff8801d077fe00 ffff8801db307db0 ffffffff81d22a07 ffff8801db319c58
[ 40.472254] Call Trace:
[ 40.474802]
[ 40.476838] [] timerqueue_add+0x157/0x2a0
[ 40.482891] [] enqueue_hrtimer+0x168/0x450
[ 40.488744] [] __hrtimer_run_queues+0x732/0xfe0
[ 40.495047] [] ? hrtimer_fixup_init+0x70/0x70
[ 40.501164] [] ? hrtimer_interrupt+0x131/0x440
[ 40.507370] [] hrtimer_interrupt+0x1a6/0x440
[ 40.513402] [] local_apic_timer_interrupt+0x6a/0xb0
[ 40.520051] [] smp_apic_timer_interrupt+0x76/0xa0
[ 40.526514] [] apic_timer_interrupt+0xa0/0xb0
[ 40.532626]
[ 40.534665] [] ? smp_call_function_single+0x13e/0x3b0
[ 40.541758] [] ? smp_call_function_single+0x140/0x3b0
[ 40.548571] [] ? smp_call_function_single+0x13e/0x3b0
[ 40.555381] [] ? do_fast_syscall_32+0x314/0x890
[ 40.562288] [] ? do_flush_tlb_all+0x30/0x30
[ 40.568316] [] ? generic_exec_single+0x330/0x330
[ 40.574699] [] ? do_flush_tlb_all+0x30/0x30
[ 40.580651] [] ? find_next_bit+0x3e/0x50
[ 40.586333] [] ? cpumask_next_and+0x92/0xc0
[ 40.592290] [] smp_call_function_many+0x481/0x710
[ 40.598776] [] ? __lock_is_held+0xa1/0xf0
[ 40.604574] [] ? do_flush_tlb_all+0x30/0x30
[ 40.610521] [] native_flush_tlb_others+0xfe/0x710
[ 40.616985] [] ? _find_next_bit.part.0+0xe0/0x120
[ 40.623456] [] ? switch_mm+0x70/0x70
[ 40.628802] [] ? cpumask_any_but+0x88/0xc0
[ 40.634654] [] flush_tlb_mm_range+0x103/0x560
[ 40.640769] [] tlb_flush_mmu_tlbonly+0x185/0x2f0
[ 40.647143] [] tlb_finish_mmu+0x1b/0xa0
[ 40.652745] [] unmap_region+0x250/0x330
[ 40.658338] [] ? __vma_link_file+0x160/0x160
[ 40.664366] [] ? putname+0xee/0x130
[ 40.669624] [] ? vma_compute_subtree_gap+0x190/0x200
[ 40.676440] [] ? vma_rb_erase+0x60a/0x9f0
[ 40.682293] [] do_munmap+0x70f/0xec0
[ 40.687642] [] mmap_region+0x423/0x1250
[ 40.693235] [] ? exit_robust_list+0x240/0x240
[ 40.699351] [] ? selinux_mmap_addr+0x1f/0xf0
[ 40.705379] [] do_mmap+0x4fd/0x9d0
[ 40.710539] [] vm_mmap_pgoff+0x16e/0x1c0
[ 40.716224] [] ? vma_is_stack_for_task+0xa0/0xa0
[ 40.722598] [] ? compat_SyS_futex+0x1f9/0x2a0
[ 40.728715] [] SyS_mmap_pgoff+0xd0/0x560
[ 40.734393] [] ? vm_stat_account+0x130/0x130
[ 40.740423] [] ? vmacache_update+0xfe/0x130
[ 40.746366] [] ? __do_page_fault+0x380/0xa00
[ 40.752396] [] ? do_fast_syscall_32+0xd7/0x890
[ 40.758608] [] ? vm_stat_account+0x130/0x130
[ 40.764637] [] do_fast_syscall_32+0x314/0x890
[ 40.770775] [] sysenter_flags_fixed+0xd/0x17
[ 40.776815] Code: 48 89 c2 48 c1 ea 03 42 80 3c 3a 00 0f 85 94 09 00 00 4c 8b 6b 08 4d 39 e5 0f 84 b0 01 00 00 4d 85 ed 74 1d 4c 89 e8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 95 09 00 00 41 f6 45 00 01 0f 84 20 03 00
[ 40.803907] RIP [] rb_insert_color+0x9f/0xcb0
[ 40.810243] RSP
[ 40.813849] ---[ end trace 10b782937b787297 ]---
[ 40.819182] Kernel panic - not syncing: Fatal exception in interrupt
[ 41.799604] PANIC: double fault, error_code: 0x0
[ 41.804387] CPU: 0 PID: 3328 Comm: syzkaller684860 Tainted: G D 4.4.111-gc2f631b #20
[ 41.813362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.822685] task: ffff8800b4af5f00 task.stack: ffff8801d07a8000
[ 41.828706] RIP: 0010:[] [] dump_page_badflags+0x8/0x250
[ 41.837459] RSP: 0018:ffff880100000000 EFLAGS: 00010046
[ 41.842881] RAX: ffff8800b4af5f00 RBX: ffffea000734d300 RCX: ffffffff8148f980
[ 41.850118] RDX: 0000000000000000 RSI: ffffffff838a8360 RDI: ffffea000734d300
[ 41.857355] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[ 41.864591] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[ 41.871830] R13: ffffffff838a8360 R14: 0000000000000000 R15: 0000000000000000