[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   16.279634] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.177247] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.524703] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   22.310888] random: sshd: uninitialized urandom read (32 bytes read, 96 bits of entropy available)
[   34.819617] random: sshd: uninitialized urandom read (32 bytes read, 108 bits of entropy available)
Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
[   40.208783] random: sshd: uninitialized urandom read (32 bytes read, 114 bits of entropy available)
executing program
[   40.299123] ==================================================================
[   40.306515] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[   40.313497] Read of size 8 at addr ffff8801d1df4140 by task syzkaller382263/3325
[   40.320994] 
[   40.322594] CPU: 0 PID: 3325 Comm: syzkaller382263 Not tainted 4.4.111-g3301b55 #24
[   40.330362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.339683]  0000000000000000 f69e5953fe26df0e ffff8801d1f2fab0 ffffffff81d0509d
[   40.347629]  ffffea0007477d00 ffff8801d1df4140 0000000000000000 ffff8801d1df4140
[   40.355575]  ffff8801d125c438 ffff8801d1f2fae8 ffffffff814fd433 ffff8801d1df4140
[   40.363532] Call Trace:
[   40.366110]  [] dump_stack+0xc1/0x124
[   40.371440]  [] print_address_description+0x73/0x260
[   40.378073]  [] kasan_report+0x285/0x370
[   40.383664]  [] ? sg_remove_request+0xf9/0x110
[   40.389774]  [] __asan_report_load8_noabort+0x14/0x20
[   40.396499]  [] sg_remove_request+0xf9/0x110
[   40.402445]  [] sg_finish_rem_req+0x295/0x340
[   40.408467]  [] sg_read+0xa21/0x1490
[   40.413712]  [] ? new_slab+0x24f/0x3b0
[   40.419129]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[   40.425768]  [] ? __raw_spin_lock_init+0x1c/0x100
[   40.432138]  [] ? lockdep_init_map+0xeb/0x1690
[   40.438251]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[   40.444893]  [] __vfs_read+0x103/0x440
[   40.450316]  [] ? vfs_iter_write+0x2d0/0x2d0
[   40.456262]  [] ? fsnotify+0x5ad/0xee0
[   40.461679]  [] ? fsnotify+0xee0/0xee0
[   40.467097]  [] ? fasync_helper+0x7a/0xb0
[   40.472777]  [] ? avc_policy_seqno+0x9/0x20
[   40.478629]  [] ? selinux_file_permission+0x348/0x460
[   40.485354]  [] ? security_file_permission+0x89/0x1e0
[   40.492079]  [] ? rw_verify_area+0x100/0x2f0
[   40.498016]  [] vfs_read+0x123/0x3a0
[   40.503263]  [] SyS_read+0xd9/0x1b0
[   40.508419]  [] ? do_sendfile+0xd30/0xd30
[   40.514102]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   40.520577]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   40.527126] 
[   40.528720] Allocated by task 0:
[   40.532046] (stack is not available)
[   40.535735] 
[   40.537327] Freed by task 0:
[   40.540305] (stack is not available)
[   40.543980] 
[   40.545573] The buggy address belongs to the object at ffff8801d1df4100
[   40.545573]  which belongs to the cache fasync_cache of size 96
[   40.558197] The buggy address is located 64 bytes inside of
[   40.558197]  96-byte region [ffff8801d1df4100, ffff8801d1df4160)
[   40.569869] The buggy address belongs to the page:
[   40.581159] ------------[ cut here ]------------
[   40.585926] WARNING: CPU: 1 PID: 0 at lib/list_debug.c:59 __list_del_entry+0x14f/0x1d0()
[   40.594119] list_del corruption. prev->next should be ffff8801d1d247c8, but was ffff8801d1d24850
[   40.603094] Kernel panic - not syncing: panic_on_warn set ...
[   40.603094] 
[   40.610423] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.111-g3301b55 #24
[   40.617484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.626889]  0000000000000000 57a78308be5a364d ffff8801db307970 ffffffff81d0509d
[   40.634837]  ffffffff83842f60 ffff8801db307a48 ffffffff839fdaa0 0000000000000009
[   40.642822]  000000000000003b ffff8801db307a38 ffffffff81419a3a 0000000041b58ab3
[   40.650781] Call Trace:
[   40.653328]  [] dump_stack+0xc1/0x124
[   40.659389]  [] panic+0x1aa/0x388
[   40.664376]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[   40.671268]  [] ? warn_slowpath_common+0x10a/0x140
[   40.677733]  [] warn_slowpath_common+0x125/0x140
[   40.684015]  [] ? __list_del_entry+0x14f/0x1d0
[   40.690123]  [] warn_slowpath_fmt+0xc1/0x110
[   40.696064]  [] ? warn_slowpath_common+0x140/0x140
[   40.702519]  [] __list_del_entry+0x14f/0x1d0
[   40.708456]  [] load_balance+0xc2a/0x2c90
[   40.714130]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   40.721107]  [] ? find_busiest_group+0x1310/0x1310
[   40.727564]  [] rebalance_domains+0x5f8/0xb00
[   40.733585]  [] ? rebalance_domains+0xcb/0xb00
[   40.739693]  [] ? pick_next_task_fair+0x2220/0x2220
[   40.746245]  [] ? run_timer_softirq+0x5a7/0xbb0
[   40.752440]  [] ? check_preemption_disabled+0x3b/0x200
[   40.759251]  [] run_rebalance_domains+0x336/0x4e0
[   40.765626]  [] ? check_preemption_disabled+0x3b/0x200
[   40.772433]  [] __do_softirq+0x24d/0xa59
[   40.778023]  [] irq_exit+0x119/0x140
[   40.783266]  [] smp_apic_timer_interrupt+0x7b/0xa0
[   40.789728]  [] apic_timer_interrupt+0xa0/0xb0
[   40.795833]  [] ? native_safe_halt+0x6/0x10
[   40.802410]  [] ? trace_hardirqs_on+0xd/0x10
[   40.808349]  [] default_idle+0x55/0x3c0
[   40.813855]  [] arch_cpu_idle+0xa/0x10
[   40.819269]  [] default_idle_call+0x48/0x70
[   40.825117]  [] cpu_startup_entry+0x605/0x820
[   40.831137]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   40.837941]  [] ? call_cpuidle+0xe0/0xe0
[   40.843532]  [] ? clockevents_register_device+0x122/0x230
[   40.850598]  [] start_secondary+0x304/0x3e0
[   40.856456]  [] ? set_cpu_sibling_map+0x1040/0x1040
[   41.923388] Shutting down cpus with NMI
[   41.928073] Dumping ftrace buffer:
[   41.931860]    (ftrace buffer empty)
[   41.935541] Kernel Offset: disabled
[   41.939279] Rebooting in 86400 seconds..