[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.114148] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.413018] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[ 21.604700] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)
[ 22.525350] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
executing program
[ 41.769599] ==================================================================
[ 41.776974] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 41.783958] Read of size 8 at addr ffff8801d1ac7140 by task syzkaller597697/3788
[ 41.791455]
[ 41.793055] CPU: 1 PID: 3788 Comm: syzkaller597697 Not tainted 4.4.120-gd63fdf6 #28
[ 41.800816] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.810145]  0000000000000000 7f53975a22bfaa91 ffff8801c648fab0 ffffffff81d0408d
[ 41.818117]  ffffea000746b1c0 ffff8801d1ac7140 0000000000000000 ffff8801d1ac7140
[ 41.826088]  ffff8801d90e0238 ffff8801c648fae8 ffffffff814fe143 ffff8801d1ac7140
[ 41.834050] Call Trace:
[ 41.836608]  [] dump_stack+0xc1/0x124
[ 41.841948]  [] print_address_description+0x73/0x260
[ 41.848591]  [] kasan_report+0x285/0x370
[ 41.854189]  [] ? sg_remove_request+0xf9/0x110
[ 41.860304]  [] __asan_report_load8_noabort+0x14/0x20
[ 41.867021]  [] sg_remove_request+0xf9/0x110
[ 41.872961]  [] sg_finish_rem_req+0x295/0x340
[ 41.878983]  [] sg_read+0xa1b/0x1490
[ 41.884229]  [] ? new_slab+0x24f/0x3b0
[ 41.889661]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 41.896303]  [] ? __raw_spin_lock_init+0x1c/0x100
[ 41.902674]  [] ? lockdep_init_map+0xeb/0x1690
[ 41.908786]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 41.915419]  [] __vfs_read+0x103/0x440
[ 41.920841]  [] ? vfs_iter_write+0x2d0/0x2d0
[ 41.926783]  [] ? fsnotify+0x5ad/0xee0
[ 41.932202]  [] ? fsnotify+0xee0/0xee0
[ 41.937620]  [] ? fasync_helper+0x7a/0xb0
[ 41.943303]  [] ? avc_policy_seqno+0x9/0x20
[ 41.949159]  [] ? selinux_file_permission+0x348/0x460
[ 41.955885]  [] ? security_file_permission+0x89/0x1e0
[ 41.962608]  [] ? rw_verify_area+0x100/0x2f0
[ 41.968549]  [] vfs_read+0x123/0x3a0
[ 41.973791]  [] SyS_read+0xd9/0x1b0
[ 41.978948]  [] ? do_sendfile+0xd30/0xd30
[ 41.984625]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 41.991088]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 41.997631]
[ 41.999226] Allocated by task 0:
[ 42.002554] (stack is not available)
[ 42.006232]
[ 42.007833] Freed by task 0:
[ 42.010815] (stack is not available)
[ 42.014490]
[ 42.016086] The buggy address belongs to the object at ffff8801d1ac7100
[ 42.016086]  which belongs to the cache fasync_cache of size 96
[ 42.028708] The buggy address is located 64 bytes inside of
[ 42.028708]  96-byte region [ffff8801d1ac7100, ffff8801d1ac7160)
[ 42.040380] The buggy address belongs to the page:
[ 42.183487] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 42.191701] IP: [< (null)>] (null)
[ 42.196974] PGD 0
[ 42.199209] Oops: 0010 [#1] PREEMPT SMP KASAN
[ 42.204152] Dumping ftrace buffer:
[ 42.207659]    (ftrace buffer empty)
[ 42.211336] Modules linked in:
[ 42.214623] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.120-gd63fdf6 #28
[ 42.221602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.230923] task: ffffffff84217840 task.stack: ffffffff84200000
[ 42.236970] RIP: 0010:[<0000000000000000>]  [< (null)>] (null)
[ 42.244672] RSP: 0018:ffff8801db207d18  EFLAGS: 00010206
[ 42.250086] RAX: 0000000000000000 RBX: ffff8801db207d68 RCX: ffffffff812a0eeb
[ 42.257332] RDX: 0000000000000100 RSI: ffffffff842bdb60 RDI: ffff8801c5ec1b10
[ 42.264571] RBP: ffff8801db207df0 R08: 0000000000000001 R09: ffffffff85115770
[ 42.271810] R10: 0000000000000000 R11: 1ffff1003b640f70 R12: 1ffff1003b640fa9
[ 42.279048] R13: ffff8801c5ec1ab0 R14: 0000000000000101 R15: ffffffff838444e0
[ 42.286285] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 42.294478] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 42.300326] CR2: 0000000000000000 CR3: 00000000b3e9e000 CR4: 0000000000160670
[ 42.307567] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 42.314819] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 42.322075] Stack:
[ 42.324193]  ffffffff812a0efb ffffffff812a0e4c 0000000000000000 ffffffff842c35a0
[ 42.332148]  ffff8801c5ec1b10 0000000000000000 0000000041b58ab3 ffffffff83faab59
[ 42.340108]  ffffffff812a0d70 ffffffff84218110 ffff8801db207d68 ffffffff851bf540
[ 42.348066] Call Trace:
[ 42.350615]
[ 42.352649]  [] ? call_timer_fn+0x18b/0x860
[ 42.358785]  [] ? call_timer_fn+0xdc/0x860
[ 42.364549]  [] ? process_timeout+0x20/0x20
[ 42.370405]  [] ? dump_page_badflags+0x191/0x250
[ 42.376693]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 42.382989]  [] ? trace_hardirqs_on_caller+0x266/0x590
[ 42.389796]  [] run_timer_softirq+0x604/0xbb0
[ 42.395822]  [] ? kvm_clock_read+0x23/0x40
[ 42.401587]  [] ? msleep+0xc0/0xc0
[ 42.406660]  [] __do_softirq+0x227/0xa38
[ 42.412253]  [] irq_exit+0x119/0x140
[ 42.417499]  [] smp_apic_timer_interrupt+0x7b/0xa0
[ 42.423965]  [] apic_timer_interrupt+0xa0/0xb0
[ 42.430074]
[ 42.432107]  [] ? native_safe_halt+0x6/0x10
[ 42.438247]  [] default_idle+0x55/0x3c0
[ 42.443751]  [] arch_cpu_idle+0xa/0x10
[ 42.449168]  [] default_idle_call+0x48/0x70
[ 42.455024]  [] cpu_startup_entry+0x5fd/0x8f0
[ 42.461061]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 42.467954]  [] ? call_cpuidle+0xe0/0xe0
[ 42.473547]  [] rest_init+0x189/0x190
[ 42.478878]  [] start_kernel+0x6b9/0x6ee
[ 42.484470]  [] ? thread_stack_cache_init+0xb/0xb
[ 42.490847]  [] ? early_idt_handler_array+0x120/0x120
[ 42.497571]  [] ? early_idt_handler_array+0x120/0x120
[ 42.504291]  [] x86_64_start_reservations+0x2a/0x2c
[ 42.510838]  [] x86_64_start_kernel+0x140/0x163
[ 42.517034] Code:  Bad RIP value.
[ 42.520690] RIP  [< (null)>] (null)
[ 42.526046]  RSP
[ 42.529638] CR2: 0000000000000000
[ 42.533058] ---[ end trace f5661e486833d103 ]---
[ 42.537788] Kernel panic - not syncing: Fatal exception in interrupt
[ 43.473846] PANIC: double fault, error_code: 0x0
[ 43.478618] CPU: 1 PID: 3788 Comm: syzkaller597697 Tainted: G D 4.4.120-gd63fdf6 #28
[ 43.487596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.496917] task: ffff8801d96f4800 task.stack: ffff8801c6488000
[ 43.502941] RIP: 0010:[]  [] dump_page_badflags+0x8/0x250
[ 43.511691] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[ 43.517105] RAX: ffff8801d96f4800 RBX: ffffea000746b1c0 RCX: ffffffff814909b0
[ 43.524347] RDX: 0000000000000000 RSI: ffffffff838a9060 RDI: ffffea000746b1c0
[ 43.531586] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[ 43.538829] R10: 0000000000000002 R11: fffffbfff0ad7e1e R12: 0000000000000000
[ 43.546071] R13: ffffffff838a9060 R14: 0000000000000000 R15: 0000000000000000
[ 43.553315] FS:  0000000001112880(0063) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 43.561516] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 43.567372] CR2: ffff8800fffffff8 CR3: 00000001cbbb8000 CR4: 0000000000160670
[ 43.574612] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 43.581851] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 43.589088] Stack:
[ 43.591204]
[ 43.592802] Call Trace:
[ 43.595364]