[   15.873698] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.238726] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   21.594035] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[   22.465948] random: sshd: uninitialized urandom read (32 bytes read, 105 bits of entropy available)
[   22.631180] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts.
[   28.029522] random: sshd: uninitialized urandom read (32 bytes read, 115 bits of entropy available)
executing program
[   28.130368] ==================================================================
[   28.137754] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[   28.144390] Read of size 8 at addr ffff8800b4d18fb8 by task syzkaller742144/3306
[   28.151897] 
[   28.153493] CPU: 0 PID: 3306 Comm: syzkaller742144 Not tainted 4.4.111-g1849cd3 #19
[   28.161259] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.170583]  0000000000000000 c2cbea685eb613e3 ffff8801d14b7850 ffffffff81d0509d
[   28.178553]  ffffea0002d34600 ffff8800b4d18fb8 0000000000000000 ffff8800b4d18fb8
[   28.186528]  0000000000000000 ffff8801d14b7888 ffffffff814fd433 ffff8800b4d18fb8
[   28.194493] Call Trace:
[   28.197052]  [<ffffffff81d0509d>] dump_stack+0xc1/0x124
[   28.202385]  [<ffffffff814fd433>] print_address_description+0x73/0x260
[   28.209016]  [<ffffffff814fd945>] kasan_report+0x285/0x370
[   28.214614]  [<ffffffff81239cae>] ? __lock_acquire+0x387e/0x4b50
[   28.220733]  [<ffffffff814fdaa4>] __asan_report_load8_noabort+0x14/0x20
[   28.227462]  [<ffffffff81239cae>] __lock_acquire+0x387e/0x4b50
[   28.233406]  [<ffffffff81236f8f>] ? __lock_acquire+0xb5f/0x4b50
[   28.239434]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.246412]  [<ffffffff81235bfb>] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.253217]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.260197]  [<ffffffff81236430>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.267178]  [<ffffffff8123c7ee>] lock_acquire+0x15e/0x460
[   28.272771]  [<ffffffff8121f194>] ? remove_wait_queue+0x14/0x40
[   28.278795]  [<ffffffff8377546e>] _raw_spin_lock_irqsave+0x4e/0x70
[   28.285079]  [<ffffffff8121f194>] ? remove_wait_queue+0x14/0x40
[   28.291114]  [<ffffffff8121f194>] remove_wait_queue+0x14/0x40
[   28.296967]  [<ffffffff815f6838>] ep_unregister_pollwait.isra.6+0xa8/0x220
[   28.303946]  [<ffffffff815f68a4>] ? ep_unregister_pollwait.isra.6+0x114/0x220
[   28.311186]  [<ffffffff815f7690>] ? ep_free+0x1c0/0x1c0
[   28.316514]  [<ffffffff815f7563>] ep_free+0x93/0x1c0
[   28.321592]  [<ffffffff815f7690>] ? ep_free+0x1c0/0x1c0
[   28.326922]  [<ffffffff815f76d4>] ep_eventpoll_release+0x44/0x60
[   28.333039]  [<ffffffff81522a73>] __fput+0x233/0x6d0
[   28.338107]  [<ffffffff81522f95>] ____fput+0x15/0x20
[   28.343188]  [<ffffffff8118bae4>] task_work_run+0x104/0x180
[   28.348872]  [<ffffffff81132eb1>] do_exit+0x871/0x2a20
[   28.354117]  [<ffffffff814a0e1d>] ? handle_mm_fault+0x192d/0x3190
[   28.360313]  [<ffffffff8149f8e2>] ? handle_mm_fault+0x3f2/0x3190
[   28.366424]  [<ffffffff81132640>] ? release_task+0x1240/0x1240
[   28.372362]  [<ffffffff81139328>] do_group_exit+0x108/0x320
[   28.378041]  [<ffffffff8113955d>] SyS_exit_group+0x1d/0x20
[   28.383631]  [<ffffffff81139540>] ? do_group_exit+0x320/0x320
[   28.389483]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.395614]  [<ffffffff8377722a>] sysenter_flags_fixed+0xd/0x17
[   28.401646] 
[   28.403239] Allocated by task 3306:
[   28.406830]  [<ffffffff81035d26>] save_stack_trace+0x26/0x50
[   28.412708]  [<ffffffff814fc4a3>] save_stack+0x43/0xd0
[   28.418069]  [<ffffffff814fc76d>] kasan_kmalloc+0xad/0xe0
[   28.423685]  [<ffffffff814f86e0>] kmem_cache_alloc_trace+0x100/0x2b0
[   28.430266]  [<ffffffff82c7ec51>] binder_get_thread+0x181/0x7a0
[   28.436410]  [<ffffffff82c7f2ba>] binder_poll+0x4a/0x210
[   28.441941]  [<ffffffff815fa6c1>] SyS_epoll_ctl+0x10b1/0x2050
[   28.447905]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.454138]  [<ffffffff8377722a>] sysenter_flags_fixed+0xd/0x17
[   28.460281] 
[   28.461875] Freed by task 3306:
[   28.465123]  [<ffffffff81035d26>] save_stack_trace+0x26/0x50
[   28.471002]  [<ffffffff814fc4a3>] save_stack+0x43/0xd0
[   28.476370]  [<ffffffff814fcdc2>] kasan_slab_free+0x72/0xc0
[   28.482160]  [<ffffffff814f984c>] kfree+0xfc/0x300
[   28.487168]  [<ffffffff82c781a1>] binder_thread_dec_tmpref+0x1c1/0x250
[   28.493923]  [<ffffffff82c78cdd>] binder_thread_release+0x27d/0x540
[   28.500434]  [<ffffffff82c93944>] binder_ioctl+0xb94/0x12e0
[   28.506226]  [<ffffffff8161e0ba>] compat_SyS_ioctl+0x28a/0x2540
[   28.512367]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.518592]  [<ffffffff8377722a>] sysenter_flags_fixed+0xd/0x17
[   28.524737] 
[   28.526331] The buggy address belongs to the object at ffff8800b4d18f00
[   28.526331]  which belongs to the cache kmalloc-512 of size 512
[   28.538953] The buggy address is located 184 bytes inside of
[   28.538953]  512-byte region [ffff8800b4d18f00, ffff8800b4d19100)
[   28.550792] The buggy address belongs to the page:
[   29.290259] kasan: CONFIG_KASAN_INLINE enabled
[   29.294716] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
[   29.307825] Dumping ftrace buffer:
[   29.311347]    (ftrace buffer empty)
[   29.315052] Modules linked in:
[   29.318368] CPU: 1 PID: 189 Comm: kworker/1:1 Not tainted 4.4.111-g1849cd3 #19
[   29.325719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.335079] Workqueue: events reg_todo
[   29.339092] task: ffff8801d94e0000 task.stack: ffff8801d9498000
[   29.345138] RIP: 0010:[<ffffffff81dae0df>]  [<ffffffff81dae0df>] depot_save_stack+0x15f/0x640
[   29.353943] RSP: 0018:ffff8801d949f608  EFLAGS: 00010293
[   29.359381] RAX: ffff8801d94e0000 RBX: 000000008d2933a5 RCX: ffffffff81dae0df
[   29.366647] RDX: 0000000000000000 RSI: 00000000024000c0 RDI: ffff8801d949f670
[   29.373927] RBP: ffff8801d949f660 R08: ffff8801d949f670 R09: 0000000000000000
[   29.381194] R10: 0000000000000000 R11: 1ffff1003b293efe R12: 3d5952544e554f43
[   29.388462] R13: 00000000000933a5 R14: 0000000000000070 R15: ffff8801d949f6f4
[   29.395727] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   29.404048] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.409925] CR2: 000055a0e8cf1100 CR3: 00000000b549c000 CR4: 0000000000160670
[   29.417190] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.424456] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.431716] Stack:
[   29.433854]  00000000024000c0 ffff8801d949f670 ffff8801d949f688 ffff88010000000e
[   29.441892]  0000000000000000 7ec9044c7e507755 00000000024000c0 ffff8801d1697d60
[   29.449918]  00000000024000c0 ffff8801d1697d60 ffff8801da384640 ffff8801d949f890
[   29.457948] Call Trace:
[   29.460526]  [<ffffffff814fc503>] save_stack+0xa3/0xd0
[   29.465801]  [<ffffffff81035d26>] ? save_stack_trace+0x26/0x50
[   29.471778]  [<ffffffff814fc4a3>] ? save_stack+0x43/0xd0
[   29.477227]  [<ffffffff814fc76d>] ? kasan_kmalloc+0xad/0xe0
[   29.482938]  [<ffffffff814fcd42>] ? kasan_slab_alloc+0x12/0x20
[   29.488912]  [<ffffffff814f840a>] ? kmem_cache_alloc+0xba/0x290
[   29.494969]  [<ffffffff82e08a46>] ? __alloc_skb+0xe6/0x600
[   29.500597]  [<ffffffff81d0e316>] ? kobject_uevent_env+0x576/0xb40
[   29.506919]  [<ffffffff834829e9>] ? call_crda+0x129/0x200
[   29.512486]  [<ffffffff8348759e>] ? reg_process_hint+0x31e/0xbe0
[   29.518634]  [<ffffffff83488ef2>] ? reg_todo+0x182/0x6e0
[   29.524079]  [<ffffffff8117fe37>] ? process_one_work+0x7d7/0x16e0
[   29.530313]  [<ffffffff81180e1f>] ? worker_thread+0xdf/0xfe0
[   29.536109]  [<ffffffff811908e8>] ? kthread+0x268/0x300
[   29.541473]  [<ffffffff83775c9f>] ? ret_from_fork+0x3f/0x70
[   29.547184]  [<ffffffff81d232de>] ? put_dec+0x2e/0xd0
[   29.552371]  [<ffffffff81236f8f>] ? __lock_acquire+0xb5f/0x4b50
[   29.558438]  [<ffffffff81d2a4b0>] ? dentry_name.isra.13+0x720/0x720
[   29.564844]  [<ffffffff8122f161>] ? __lock_is_held+0xa1/0xf0
[   29.570667]  [<ffffffff814fc5f5>] ? kasan_unpoison_shadow+0x35/0x50
[   29.577074]  [<ffffffff814fc76d>] kasan_kmalloc+0xad/0xe0
[   29.582607]  [<ffffffff82e08a46>] ? __alloc_skb+0xe6/0x600
[   29.588229]  [<ffffffff814fcd42>] kasan_slab_alloc+0x12/0x20
[   29.594034]  [<ffffffff814f840a>] kmem_cache_alloc+0xba/0x290
[   29.599918]  [<ffffffff82e08a46>] __alloc_skb+0xe6/0x600
[   29.605364]  [<ffffffff82e08960>] ? netdev_alloc_frag+0xd0/0xd0
[   29.611418]  [<ffffffff82f844a1>] ? netlink_has_listeners+0x211/0x350
[   29.618007]  [<ffffffff81d0e316>] kobject_uevent_env+0x576/0xb40
[   29.624155]  [<ffffffff834829e9>] call_crda+0x129/0x200
[   29.629516]  [<ffffffff834828c0>] ? get_cfg80211_regdom+0x70/0x70
[   29.635747]  [<ffffffff82e81ca9>] ? rtnl_is_locked+0x9/0x20
[   29.641460]  [<ffffffff8346fe0c>] ? cfg80211_rdev_by_wiphy_idx+0xec/0x140
[   29.648385]  [<ffffffff8348759e>] reg_process_hint+0x31e/0xbe0
[   29.655587]  [<ffffffff83488ef2>] reg_todo+0x182/0x6e0
[   29.660864]  [<ffffffff8122f161>] ? __lock_is_held+0xa1/0xf0
[   29.666665]  [<ffffffff8117fe37>] process_one_work+0x7d7/0x16e0
[   29.672723]  [<ffffffff8117fd57>] ? process_one_work+0x6f7/0x16e0
[   29.678956]  [<ffffffff8117f660>] ? pwq_dec_nr_in_flight+0x280/0x280
[   29.685454]  [<ffffffff81180fc4>] ? worker_thread+0x284/0xfe0
[   29.691340]  [<ffffffff81180e1f>] worker_thread+0xdf/0xfe0
[   29.696963]  [<ffffffff8376645d>] ? __schedule+0xa9d/0x1c70
[   29.702674]  [<ffffffff837676c4>] ? preempt_schedule+0x24/0x30
[   29.708642]  [<ffffffff81003058>] ? ___preempt_schedule+0x12/0x14
[   29.714876]  [<ffffffff811908e8>] kthread+0x268/0x300
[   29.720069]  [<ffffffff811d9816>] ? trace_sched_contrib_scale_f.constprop.91+0xd6/0x2f0
[   29.728210]  [<ffffffff81180d40>] ? process_one_work+0x16e0/0x16e0
[   29.734546]  [<ffffffff81190680>] ? kthread_create_on_node+0x400/0x400
[   29.741223]  [<ffffffff81190680>] ? kthread_create_on_node+0x400/0x400
[   29.747893]  [<ffffffff83775c9f>] ret_from_fork+0x3f/0x70
[   29.753438]  [<ffffffff81190680>] ? kthread_create_on_node+0x400/0x400
[   29.760096] Code: 00 00 e8 c5 1d 5b ff 48 63 45 c0 48 c1 e0 03 49 89 c6 eb 12 e8 b3 1d 5b ff 4d 8b 24 24 4d 85 e4 0f 84 f8 00 00 00 e8 a1 1d 5b ff <41> 39 5c 24 08 75 e2 e8 95 1d 5b ff 8b 45 c0 41 3b 44 24 0c 75 
[   29.787350] RIP  [<ffffffff81dae0df>] depot_save_stack+0x15f/0x640
[   29.793785]  RSP <ffff8801d949f608>
[   29.797548] ---[ end trace dc49d65c55c6c29d ]---
[   29.802371] Kernel panic - not syncing: Fatal exception
[   30.165228] PANIC: double fault, error_code: 0x0
[   30.170008] CPU: 0 PID: 3306 Comm: syzkaller742144 Tainted: G      D         4.4.111-g1849cd3 #19
[   30.178987] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.188321] task: ffff8800b486df00 task.stack: ffff8801d14b0000
[   30.194345] RIP: 0010:[<ffffffff8148f81a>]  [<ffffffff8148f81a>] dump_page_badflags+0x1a/0x250
[   30.203188] RSP: 0018:ffff880100000000  EFLAGS: 00010086
[   30.208605] RAX: ffff8800b486df00 RBX: ffffea0002d34600 RCX: ffffffff8148f980
[   30.215846] RDX: 0000000000000000 RSI: ffffffff838a8360 RDI: ffffea0002d34600
[   30.223086] RBP: ffff880100000030 R08: 0000000000000001 R09: 0000000000000000
[   30.230325] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[   30.237565] R13: ffffffff838a8360 R14: 0000000000000000 R15: 0000000000000000
[   30.244807] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   30.253012] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   30.258880] CR2: ffff8800fffffff8 CR3: 000000000420c000 CR4: 0000000000160670
[   30.266122] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.273362] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.280600] Stack:
[   30.282715] 
[   30.284311] Call Trace:
[   30.286865]  <UNK> 
[   30.288893] Code: e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 <e8> 61 06 ed ff 48 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 
[   30.922882] Shutting down cpus with NMI
[   30.927293] Dumping ftrace buffer:
[   30.930806]    (ftrace buffer empty)
[   30.934482] Kernel Offset: disabled
[   30.938082] Rebooting in 86400 seconds..