[ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd[ 22.407642] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available). Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.718670] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available) [ 26.070115] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available) [ 27.063142] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available) [ 27.242277] random: sshd: uninitialized urandom read (32 bytes read, 121 bits of entropy available) Warning: Permanently added '10.128.15.226' (ECDSA) to the list of known hosts. [ 32.661653] random: sshd: uninitialized urandom read (32 bytes read, 128 bits of entropy available) executing program [ 32.761778] ================================================================== [ 32.769168] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 [ 32.775802] Read of size 8 at addr ffff8800b50b7238 by task syzkaller812774/4054 [ 32.783299] [ 32.784899] CPU: 1 PID: 4054 Comm: syzkaller812774 Not tainted 4.4.114-gfe09418 #3 [ 32.792569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.801890] 0000000000000000 c49227ee52973b9f ffff8801d8aaf8f0 ffffffff81d02e6d [ 32.809849] ffffea0002d42d80 ffff8800b50b7238 0000000000000000 ffff8800b50b7238 [ 32.817812] 0000000000000000 ffff8801d8aaf928 ffffffff814fd6f3 ffff8800b50b7238 [ 32.825778] Call Trace: [ 32.828335] [] dump_stack+0xc1/0x124 [ 32.833664] [] print_address_description+0x73/0x260 [ 32.840296] [] kasan_report+0x285/0x370 [ 32.845887] [] ? __lock_acquire+0x387e/0x4b50 [ 32.851998] [] __asan_report_load8_noabort+0x14/0x20 [ 32.858716] [] __lock_acquire+0x387e/0x4b50 [ 32.864653] [] ? __lock_acquire+0xb5f/0x4b50 [ 32.870679] [] ? 
debug_check_no_locks_freed+0x2c0/0x2c0 [ 32.877657] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 32.884638] [] ? mark_held_locks+0xaf/0x100 [ 32.890574] [] lock_acquire+0x15e/0x460 [ 32.896167] [] ? remove_wait_queue+0x14/0x40 [ 32.902193] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 32.908478] [] ? remove_wait_queue+0x14/0x40 [ 32.914502] [] remove_wait_queue+0x14/0x40 [ 32.920352] [] ep_unregister_pollwait.isra.6+0xa8/0x220 [ 32.927331] [] ? ep_unregister_pollwait.isra.6+0x114/0x220 [ 32.934568] [] ? ep_free+0x1c0/0x1c0 [ 32.939898] [] ep_free+0x93/0x1c0 [ 32.944965] [] ? ep_free+0x1c0/0x1c0 [ 32.950294] [] ep_eventpoll_release+0x44/0x60 [ 32.956408] [] __fput+0x233/0x6d0 [ 32.961476] [] ____fput+0x15/0x20 [ 32.966547] [] task_work_run+0x104/0x180 [ 32.972228] [] do_exit+0x82a/0x2a10 [ 32.977474] [] ? binder_ioctl_write_read.isra.55+0xbc0/0xbc0 [ 32.984889] [] ? release_task+0x1240/0x1240 [ 32.990829] [] ? SyS_epoll_create+0x190/0x190 [ 32.996943] [] do_group_exit+0x108/0x320 [ 33.002623] [] ? 
lockdep_sys_exit_thunk+0x12/0x14 [ 33.009083] [] SyS_exit_group+0x1d/0x20 [ 33.014678] [] entry_SYSCALL_64_fastpath+0x1c/0x98 [ 33.021221] [ 33.022817] Allocated by task 4054: [ 33.026414] [] save_stack_trace+0x26/0x50 [ 33.032299] [] save_stack+0x43/0xd0 [ 33.037671] [] kasan_kmalloc+0xad/0xe0 [ 33.043297] [] kmem_cache_alloc_trace+0x100/0x2b0 [ 33.049874] [] binder_get_thread+0x15d/0x750 [ 33.056027] [] binder_poll+0x4a/0x210 [ 33.061568] [] SyS_epoll_ctl+0x10b1/0x2040 [ 33.067541] [] entry_SYSCALL_64_fastpath+0x1c/0x98 [ 33.074213] [ 33.075809] Freed by task 4054: [ 33.079053] [] save_stack_trace+0x26/0x50 [ 33.084935] [] save_stack+0x43/0xd0 [ 33.090295] [] kasan_slab_free+0x72/0xc0 [ 33.096089] [] kfree+0xfc/0x300 [ 33.101103] [] binder_thread_dec_tmpref+0x1c1/0x250 [ 33.107858] [] binder_thread_release+0x27d/0x540 [ 33.114348] [] binder_ioctl+0xb94/0x12e0 [ 33.120143] [] do_vfs_ioctl+0x7aa/0xee0 [ 33.125850] [] SyS_ioctl+0x8f/0xc0 [ 33.131126] [] entry_SYSCALL_64_fastpath+0x1c/0x98 [ 33.137794] [ 33.139392] The buggy address belongs to the object at ffff8800b50b7180 [ 33.139392] which belongs to the cache kmalloc-512 of size 512 [ 33.152023] The buggy address is located 184 bytes inside of [ 33.152023] 512-byte region [ffff8800b50b7180, ffff8800b50b7380) [ 33.163864] The buggy address belongs to the page: [ 33.172075] ------------[ cut here ]------------ [ 33.176855] WARNING: CPU: 0 PID: 0 at lib/debugobjects.c:263 debug_print_object+0x17d/0x220() [ 33.185515] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: tick_sched_timer+0x0/0x120 [ 33.196195] Kernel panic - not syncing: panic_on_warn set ... 
[ 33.196195] [ 33.203557] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.114-gfe09418 #3 [ 33.210470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 33.219812] 0000000000000000 07696b002fb639b7 ffff8801db207ac8 ffffffff81d02e6d [ 33.227843] ffffffff83843a40 ffff8801db207ba0 ffffffff839fe8a0 0000000000000009 [ 33.235878] 0000000000000107 ffff8801db207b90 ffffffff8141a1da 0000000041b58ab3 [ 33.243901] Call Trace: [ 33.246468] [] dump_stack+0xc1/0x124 [ 33.252572] [] panic+0x1aa/0x388 [ 33.257580] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 33.264509] [] ? warn_slowpath_common+0x10a/0x140 [ 33.271003] [] warn_slowpath_common+0x125/0x140 [ 33.277325] [] ? debug_print_object+0x17d/0x220 [ 33.283647] [] warn_slowpath_fmt+0xc1/0x110 [ 33.289620] [] ? warn_slowpath_common+0x140/0x140 [ 33.296114] [] ? ktime_add_safe+0xa0/0xa0 [ 33.301910] [] debug_print_object+0x17d/0x220 [ 33.308055] [] ? tick_sched_do_timer+0xa0/0xa0 [ 33.314290] [] debug_object_deactivate+0x25d/0x3c0 [ 33.320866] [] ? debug_object_activate+0x500/0x500 [ 33.327444] [] ? __lock_is_held+0xa1/0xf0 [ 33.333248] [] __hrtimer_run_queues+0x492/0xfe0 [ 33.339571] [] ? hrtimer_fixup_init+0x70/0x70 [ 33.345720] [] ? hrtimer_interrupt+0x131/0x440 [ 33.351960] [] hrtimer_interrupt+0x1a6/0x440 [ 33.358017] [] local_apic_timer_interrupt+0x6a/0xb0 [ 33.364688] [] smp_apic_timer_interrupt+0x76/0xa0 [ 33.371206] [] apic_timer_interrupt+0xa0/0xb0 [ 33.377336] [] ? native_safe_halt+0x6/0x10 [ 33.383968] [] default_idle+0x55/0x3c0 [ 33.389495] [] arch_cpu_idle+0xa/0x10 [ 33.394942] [] default_idle_call+0x48/0x70 [ 33.400811] [] cpu_startup_entry+0x5fd/0x8f0 [ 33.406855] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 33.413769] [] ? call_cpuidle+0xe0/0xe0 [ 33.419382] [] rest_init+0x189/0x190 [ 33.424735] [] start_kernel+0x6b9/0x6ee [ 33.430350] [] ? thread_stack_cache_init+0xb/0xb [ 33.436746] [] ? early_idt_handler_array+0x120/0x120 [ 33.443486] [] ? 
early_idt_handler_array+0x120/0x120 [ 33.450221] [] x86_64_start_reservations+0x2a/0x2c [ 33.456788] [] x86_64_start_kernel+0x140/0x163 [ 34.568427] Shutting down cpus with NMI [ 34.572824] Dumping ftrace buffer: [ 34.576652] (ftrace buffer empty) [ 34.580359] Kernel Offset: disabled [ 34.584083] Rebooting in 86400 seconds..