[ 16.444538] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 20.582987] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 20.976156] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 21.871936] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
[ 29.814312] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
[ 35.183334] random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available)
executing program
[ 35.284271] ==================================================================
[ 35.291665] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[ 35.298302] Read of size 8 at addr ffff8801d338aab8 by task syzkaller141200/3331
[ 35.305808]
[ 35.307414] CPU: 1 PID: 3331 Comm: syzkaller141200 Not tainted 4.4.112-g52c02cf #23
[ 35.315176] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.324510] 0000000000000000 f43db18087f3a6e8 ffff8800b3c37850 ffffffff81d056fd
[ 35.332484] ffffea00074ce280 ffff8801d338aab8 0000000000000000 ffff8801d338aab8
[ 35.340451] 0000000000000000 ffff8800b3c37888 ffffffff814fd953 ffff8801d338aab8
[ 35.348426] Call Trace:
[ 35.350995] [] dump_stack+0xc1/0x124
[ 35.356334] [] print_address_description+0x73/0x260
[ 35.362970] [] kasan_report+0x285/0x370
[ 35.368569] [] ? __lock_acquire+0x387e/0x4b50
[ 35.374683] [] __asan_report_load8_noabort+0x14/0x20
[ 35.381405] [] __lock_acquire+0x387e/0x4b50
[ 35.387356] [] ? __lock_acquire+0xb5f/0x4b50
[ 35.393402] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.400387] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 35.407197] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.414183] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 35.421168] [] lock_acquire+0x15e/0x460
[ 35.426775] [] ? remove_wait_queue+0x14/0x40
[ 35.432807] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 35.439105] [] ? remove_wait_queue+0x14/0x40
[ 35.445134] [] remove_wait_queue+0x14/0x40
[ 35.450993] [] ep_unregister_pollwait.isra.6+0xa8/0x220
[ 35.457975] [] ? ep_unregister_pollwait.isra.6+0x114/0x220
[ 35.465216] [] ? ep_free+0x1c0/0x1c0
[ 35.470550] [] ep_free+0x93/0x1c0
[ 35.475635] [] ? ep_free+0x1c0/0x1c0
[ 35.480972] [] ep_eventpoll_release+0x44/0x60
[ 35.487087] [] __fput+0x233/0x6d0
[ 35.492160] [] ____fput+0x15/0x20
[ 35.497240] [] task_work_run+0x104/0x180
[ 35.502921] [] do_exit+0x871/0x2a20
[ 35.508171] [] ? handle_mm_fault+0x192d/0x3190
[ 35.514370] [] ? handle_mm_fault+0x3f2/0x3190
[ 35.520484] [] ? release_task+0x1240/0x1240
[ 35.526428] [] do_group_exit+0x108/0x320
[ 35.532107] [] SyS_exit_group+0x1d/0x20
[ 35.537699] [] ? do_group_exit+0x320/0x320
[ 35.543556] [] do_fast_syscall_32+0x314/0x890
[ 35.549673] [] sysenter_flags_fixed+0xd/0x17
[ 35.555699]
[ 35.557296] Allocated by task 3331:
[ 35.560889] [] save_stack_trace+0x26/0x50
[ 35.566777] [] save_stack+0x43/0xd0
[ 35.572143] [] kasan_kmalloc+0xad/0xe0
[ 35.577767] [] kmem_cache_alloc_trace+0x100/0x2b0
[ 35.584347] [] binder_get_thread+0x181/0x7a0
[ 35.590493] [] binder_poll+0x4a/0x210
[ 35.596030] [] SyS_epoll_ctl+0x10b1/0x2050
[ 35.602000] [] do_fast_syscall_32+0x314/0x890
[ 35.608238] [] sysenter_flags_fixed+0xd/0x17
[ 35.614389]
[ 35.615986] Freed by task 3331:
[ 35.619231] [] save_stack_trace+0x26/0x50
[ 35.625117] [] save_stack+0x43/0xd0
[ 35.630482] [] kasan_slab_free+0x72/0xc0
[ 35.636278] [] kfree+0xfc/0x300
[ 35.641295] [] binder_thread_dec_tmpref+0x1c1/0x250
[ 35.648052] [] binder_thread_release+0x27d/0x540
[ 35.654544] [] binder_ioctl+0xb94/0x12e0
[ 35.660346] [] compat_SyS_ioctl+0x28a/0x2540
[ 35.666494] [] do_fast_syscall_32+0x314/0x890
[ 35.672737] [] sysenter_flags_fixed+0xd/0x17
[ 35.678883]
[ 35.680481] The buggy address belongs to the object at ffff8801d338aa00
[ 35.680481] which belongs to the cache kmalloc-512 of size 512
[ 35.693115] The buggy address is located 184 bytes inside of
[ 35.693115] 512-byte region [ffff8801d338aa00, ffff8801d338ac00)
[ 35.704958] The buggy address belongs to the page:
[ 36.706314] kasan: CONFIG_KASAN_INLINE enabled
[ 36.710748] kasan: GPF could be caused by NULL-ptr deref or user memory accessINFO: trying to register non-static key.
[ 36.722013] the code is fine but needs lockdep annotation.
[ 36.727604] turning off the locking correctness validator.
[ 36.733196] CPU: 0 PID: 3320 Comm: getty Not tainted 4.4.112-g52c02cf #23
[ 36.740101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.749424] 0000000000000000 8e8cca36c3e6cdc4 ffff8800b444fa30 ffffffff81d056fd
[ 36.757397] ffffffff85152f20 0000000000000000 ffff8800b4958000 ffff8800b3241aa0
[ 36.765358] 0000000000000000 ffff8800b444fa40 ffffffff8141a053 ffff8800b444fbe8
[ 36.773318] Call Trace:
[ 36.775884] [] dump_stack+0xc1/0x124
[ 36.781219] [] register_lock_class.part.26+0x32/0x36
[ 36.787959] [] __lock_acquire+0x3a49/0x4b50
[ 36.793901] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.800885] [] ? __lock_is_held+0xa1/0xf0
[ 36.806651] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.813635] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.820615] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 36.827610] [] lock_acquire+0x15e/0x460
[ 36.833206] [] ? force_sig_info+0x54/0x300
[ 36.839062] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 36.845351] [] ? force_sig_info+0x54/0x300
[ 36.851203] [] force_sig_info+0x54/0x300
[ 36.856883] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 36.863785] [] force_sig_info_fault.constprop.20+0x158/0x1c0
[ 36.871201] [
[ 3.950644] PTP clock support registered
[ 3.953337] Advanced Linux Sound Architecture Driver Initialized.
[ 3.954960] PCI: Using ACPI for IRQ routing
[ 3.970142] NetLabel: Initializing
[ 3.970745] NetLabel: domain hash size = 128
[ 3.971396] NetLabel: protocols = UNLABELED CIPSOv4
[ 3.972371] NetLabel: unlabeled traffic allowed by default
[ 3.974841] amd_nb: Cannot enumerate AMD northbridges
[ 3.975721] clocksource: Switched to clocksource kvm-clock
[ 4.133934] pnp: PnP ACPI init
[ 4.156999] pnp: PnP ACPI: found 7 devices
[ 4.170295] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[ 4.171885] NET: Registered protocol family 2
[ 4.174368] TCP established hash table entries: 65536 (order: 7, 524288 bytes)
[ 4.176533] TCP bind hash table entries: 65536 (order: 10, 4194304 bytes)
[ 4.183758] TCP: Hash tables configured (established 65536 bind 65536)
[ 4.185520] UDP hash table entries: 4096 (order: 7, 655360 bytes)
[ 4.187273] UDP-Lite hash table entries: 4096 (order: 7, 655360 bytes)
[ 4.190500] NET: Registered protocol family 1
[ 4.191235] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 4.192952] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[ 4.193842] software IO TLB [mem 0xbbffd000-0xbfffd000] (64MB) mapped at [ffff8800bbffd000-ffff8800bfffcfff]
[ 4.195801] RAPL PMU detected, API unit is 2^-32 Joules, 3 fixed counters 10737418240 ms ovfl timer
[ 4.197065] hw unit of domain pp0-core 2^-0 Joules
[ 4.197758] hw unit of domain package 2^-0 Joules
[ 4.198443] hw unit of domain dram 2^-16 Joules
[ 4.203857] Scanning for low memory corruption every 60 seconds
[ 4.212421] audit: initializing netlink subsys (disabled)
[ 4.213452] audit: type=2000 audit(1516361918.197:1): initialized
[ 4.220568] HugeTLB registered 2 MB page size, pre-allocated 0 pages
[ 4.348319] VFS: Disk quotas dquot_6.6.0
[ 4.350036] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 4.371961] fuse init (API version 7.23)
[ 4.375264] 9p: Installing v9fs 9p2000 file system support
[ 4.391716] async_tx: api initialized (async)
[ 4.393487] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
[ 4.394820] io scheduler noop registered
[ 4.395399] io scheduler deadline registered
[ 4.397794] io scheduler cfq registered (default)
[ 4.407301] pci_hotplug: PCI Hot Plug PCI Core version: 0.5
[ 4.410583] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 4.411797] ACPI: Power Button [PWRF]
[ 4.413490] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[ 4.414554] ACPI: Sleep Button [SLPF]
[ 4.437789] ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 11
[ 4.438715] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[ 4.460194] ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 10
[ 4.461237] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[ 4.467723] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 4.490807] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 4.517748] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[ 4.543558] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[ 4.568987] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[ 4.577584] Non-volatile memory driver v1.3
[ 4.579806] Linux agpgart interface v0.103
[ 4.583044] [drm] Initialized drm 1.1.0 20060810
[ 4.680707] brd: module loaded
[ 4.728459] loop: module loaded
[ 4.761858] nbd: registered device at major 43
[ 4.897317] drbd: initialized. Version: 8.4.5 (api:1/proto:86-101)
[ 4.898826] drbd: built-in
[ 4.899497] drbd: registered as block device major 147
[ 4.925958] scsi host0: Virtio SCSI HBA
[ 4.973706] scsi 0:0:1:0: Direct-Access Google PersistentDisk 1 PQ: 0 ANSI: 6
[ 5.186157] tsc: Refined TSC clocksource calibration: 2299.797 MHz
[ 5.187952] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x212675491f4, max_idle_ns: 440795258396 ns
[ 5.613961] st: Version 20101219, fixed bufsize 32768, s/g segs 256
[ 5.616348] osst :I: Tape driver with OnStream support version 0.99.4
[ 5.616348] osst :I: $Id: osst.c,v 1.73 2005/01/01 21:13:34 wriede Exp $
[ 5.624157] sd 0:0:1:0: [sda] 4194304 512-byte logical blocks: (2.15 GB/2.00 GiB)
[ 5.626737] sd 0:0:1:0: [sda] 4096-byte physical blocks
[ 5.627829] sd 0:0:1:0: Attached scsi generic sg0 type 0
[ 5.628120] SCSI Media Changer driver v0.25
[ 5.630735] tun: Universal TUN/TAP device driver, 1.6
[ 5.632134] tun: (C) 1999-2004 Max Krasnyansky
[ 5.634321] sd 0:0:1:0: [sda] Write Protect is off
[ 5.639244] sd 0:0:1:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 5.661035] sda: sda1
[ 5.670072] e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
[ 5.671835] e100: Copyright(c) 1999-2006 Intel Corporation
[ 5.674000] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[ 5.676358] e1000: Copyright (c) 1999-2006 Intel Corporation.
[ 5.678502] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[ 5.680032] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[ 5.682084] sky2: driver version 1.30
[ 5.682300] sd 0:0:1:0: [sda] Attached SCSI disk
[ 5.685522] PPP generic driver version 2.4.2
[ 5.687689] PPP BSD Compression module registered
[ 5.688946] PPP Deflate Compression module registered
[ 5.690362] PPP MPPE Compression module registered
[ 5.691642] NET: Registered protocol family 24
[ 5.693168] usbcore: registered new interface driver asix
[ 5.694832] usbcore: registered new interface driver ax88179_178a
[ 5.696697] usbcore: registered new interface driver cdc_ether
[ 5.698363] usbcore: registered new interface driver net1080
[ 5.700029] usbcore: registered new interface driver cdc_subset
[ 5.701796] usbcore: registered new interface driver zaurus
[ 5.703359] usbcore: registered new interface driver cdc_ncm
[ 5.707345] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.709084] ehci-pci: EHCI PCI platform driver
[ 5.710417] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 5.711982] ohci-pci: OHCI PCI platform driver
[ 5.713407] uhci_hcd: USB Universal Host Controller Interface driver
[ 5.717243] usbcore: registered new interface driver usblp
[ 5.719033] usbcore: registered new interface driver usb-storage
[ 5.721895] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12
[ 5.725304] i8042: Warning: Keylock active
[ 5.728831] serio: i8042 KBD port at 0x60,0x64 irq 1
[ 5.731238] serio: i8042 AUX port at 0x60,0x64 irq 12
[ 5.735164] mousedev: PS/2 mouse device common for all mice
[ 5.740262] usbcore: registered new interface driver xpad
[ 5.741920] usbcore: registered new interface driver usb_acecad
[ 5.743728] usbcore: registered new interface driver aiptek
[ 5.745295] usbcore: registered new interface driver gtco
[ 5.747029] usbcore: registered new interface driver hanwang
[ 5.748583] usbcore: registered new interface driver kbtab
[ 5.752377] rtc_cmos 00:00: RTC can wake from S4
[ 5.755356] rtc_cmos 00:00: rtc core: registered rtc_cmos as rtc0
[ 5.757340] rtc_cmos 00:00: alarms up to one day, 114 bytes nvram
[ 5.760295] iTCO_wdt: Intel TCO WatchDog Timer Driver v1.11
[ 5.764504] softdog: Software Watchdog Timer: 0.08 initialized. soft_noboot=0 soft_margin=60 sec soft_panic=0 (nowayout=0)
[ 5.767625] md: linear personality registered for level -1
[ 5.769088] md: raid0 personality registered for level 0
[ 5.770452] md: raid1 personality registered for level 1
[ 5.771860] md: raid10 personality registered for level 10
[ 5.774160] md: raid6 personality registered for level 6
[ 5.775592] md: raid5 personality registered for level 5
[ 5.776995] md: raid4 personality registered for level 4
[ 5.778413] md: multipath personality registered for level -4
[ 5.779961] md: faulty personality registered for level -5
[ 5.785094] device-mapper: uevent: version 1.0.3
[ 5.789644] device-mapper: ioctl: 4.34.0-ioctl (2015-10-28) initialised: dm-devel@redhat.com
[ 5.803564] device-mapper: multipath: version 1.10.0 loaded
[ 5.805149] device-mapper: multipath round-robin: version 1.0.0 loaded
[ 5.806896] device-mapper: multipath queue-length: version 0.1.0 loaded
[ 5.808643] device-mapper: multipath service-time: version 0.2.0 loaded
[ 5.812233] device-mapper: raid: Loading target version 1.7.0
[ 5.816635] hidraw: raw HID events driver (C) Jiri Kosina
[ 5.847390] usbcore: registered new interface driver usbhid
[ 5.848953] usbhid: USB HID core driver
[ 5.852570] ashmem: initialized
[ 5.905041] oprofile: using timer interrupt.
[ 5.906486] pktgen: Packet Generator for packet performance testing. Version: 2.75
[ 5.919310] GACT probability on
[ 5.920156] Mirror/redirect action on
[ 5.921127] Simple TC action Loaded
[ 5.925002] netem: version 1.3
[ 5.925923] u32 classifier
[ 5.926595] Actions configured
[ 5.927675] Netfilter messages via NETLINK v0.30.
[ 5.929082] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
[ 5.934185] ctnetlink v0.93: registering with nfnetlink.
[ 5.937885] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input2
[ 5.938459] nf_tables: (c) 2007-2009 Patrick McHardy
[ 5.947329] xt_time: kernel timezone is -0000
[ 5.949159] IPVS: Registered protocols (TCP, UDP, AH, ESP)
[ 5.952058] IPVS: Connection hash table configured (size=4096, memory=64Kbytes)
[ 5.954326] IPVS: Creating netns size=2552 id=0
[ 5.955498] IPVS: ipvs loaded.
[ 5.956968] IPVS: [rr] scheduler registered.
[ 5.958118] IPVS: [wrr] scheduler registered.
[ 5.959276] IPVS: [lc] scheduler registered.
[ 5.960417] IPVS: [wlc] scheduler registered.
[ 5.961609] IPVS: [lblc] scheduler registered.
[ 5.962818] IPVS: [lblcr] scheduler registered.
[ 5.964050] IPVS: [dh] scheduler registered.
[ 5.965062] IPVS: [sh] scheduler registered.
[ 5.966228] IPVS: [sed] scheduler registered.
[ 5.967431] IPVS: [nq] scheduler registered.
[ 5.968683] ipip: IPv4 over IPv4 tunneling driver
[ 5.974086] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 5.976879] arp_tables: (C) 2002 David S. Miller
[ 5.978407] Initializing XFRM netlink socket
[ 5.986421] NET: Registered protocol family 10
[ 6.005557] mip6: Mobile IPv6
[ 6.006561] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 6.009597] sit: IPv6 over IPv4 tunneling driver
[ 6.014242] NET: Registered protocol family 17
[ 6.015554] NET: Registered protocol family 15
[ 6.017131] l2tp_core: L2TP core driver, V2.0
[ 6.018255] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 6.019543] 9pnet: Installing 9P2000 support
[ 6.021119] Key type dns_resolver registered
[ 6.027799] microcode: CPU0 sig=0x306f0, pf=0x1, revision=0x1
[ 6.029271] microcode: CPU1 sig=0x306f0, pf=0x1, revision=0x1
[ 6.031467] microcode: Microcode Update Driver: v2.01 , Peter Oruba
[ 6.033961] AVX2 version of gcm_enc/dec engaged.
[ 6.035167] AES CTR mode by8 optimization enabled
[ 6.044174] registered taskstats version 1
[ 6.076372] Btrfs loaded
[ 6.079181] Magic number: 2:144:631
[ 6.080353] console [netcon0] enabled
[ 6.081227] netconsole: network logging started
[ 6.083455] ALSA device list:
[ 6.084185] No soundcards found.
[ 6.086787] md: Waiting for all devices to be available before autodetect
[ 6.087710] md: If you don't use raid, use raid=noautodetect
[ 6.105164] md: Autodetecting RAID arrays.
[ 6.105928] md: Scanned 0 and added 0 devices.
[ 6.106670] md: autorun ...
[ 6.107417] md: ... autorun DONE.
[ 6.137073] EXT4-fs (sda1): couldn't mount as ext3 due to feature incompatibilities
[ 6.141124] EXT4-fs (sda1): INFO: recovery required on readonly filesystem
[ 6.142120] EXT4-fs (sda1): write access will be enabled during recovery