[   15.386608] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.682599] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[   22.026297] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[   22.796862] random: sshd: uninitialized urandom read (32 bytes read, 92 bits of entropy available)
[   38.446363] random: sshd: uninitialized urandom read (32 bytes read, 100 bits of entropy available)
Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
[   43.806141] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
executing program
[   43.897453] ==================================================================
[   43.904824] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[   43.911452] Read of size 8 at addr ffff8801d090ad38 by task syzkaller553759/3321
[   43.918944] 
[   43.920536] CPU: 0 PID: 3321 Comm: syzkaller553759 Not tainted 4.4.111-gf851888 #23
[   43.928288] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.937602]  0000000000000000 4e6d726403523ae9 ffff8801cd63f8d0 ffffffff81d0507d
[   43.945545]  ffffea0007424280 ffff8801d090ad38 0000000000000000 ffff8801d090ad38
[   43.953493]  0000000000000000 ffff8801cd63f908 ffffffff814fd433 ffff8801d090ad38
[   43.961430] Call Trace:
[   43.963990]  [] dump_stack+0xc1/0x124
[   43.969328]  [] print_address_description+0x73/0x260
[   43.975956]  [] kasan_report+0x285/0x370
[   43.981542]  [] ? __lock_acquire+0x387e/0x4b50
[   43.987648]  [] __asan_report_load8_noabort+0x14/0x20
[   43.994360]  [] __lock_acquire+0x387e/0x4b50
[   44.000292]  [] ? __lock_acquire+0xb5f/0x4b50
[   44.006312]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   44.013287]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   44.020259]  [] ? mark_held_locks+0xaf/0x100
[   44.026192]  [] lock_acquire+0x15e/0x460
[   44.031777]  [] ? remove_wait_queue+0x14/0x40
[   44.037797]  [] _raw_spin_lock_irqsave+0x4e/0x70
[   44.044076]  [] ? remove_wait_queue+0x14/0x40
[   44.050101]  [] remove_wait_queue+0x14/0x40
[   44.055948]  [] ep_unregister_pollwait.isra.6+0xa8/0x220
[   44.062920]  [] ? ep_unregister_pollwait.isra.6+0x114/0x220
[   44.070154]  [] ? ep_free+0x1c0/0x1c0
[   44.075478]  [] ep_free+0x93/0x1c0
[   44.080542]  [] ? ep_free+0x1c0/0x1c0
[   44.086394]  [] ep_eventpoll_release+0x44/0x60
[   44.092502]  [] __fput+0x233/0x6d0
[   44.097565]  [] ____fput+0x15/0x20
[   44.102633]  [] task_work_run+0x104/0x180
[   44.108308]  [] do_exit+0x871/0x2a20
[   44.113548]  [] ? release_task+0x1240/0x1240
[   44.119748]  [] ? SyS_epoll_create+0x190/0x190
[   44.125859]  [] do_group_exit+0x108/0x320
[   44.131533]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[   44.137985]  [] SyS_exit_group+0x1d/0x20
[   44.143573]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   44.150466] 
[   44.152073] Allocated by task 3321:
[   44.155663]  [] save_stack_trace+0x26/0x50
[   44.161538]  [] save_stack+0x43/0xd0
[   44.166895]  [] kasan_kmalloc+0xad/0xe0
[   44.172506]  [] kmem_cache_alloc_trace+0x100/0x2b0
[   44.179074]  [] binder_get_thread+0x181/0x7a0
[   44.185209]  [] binder_poll+0x4a/0x210
[   44.190730]  [] SyS_epoll_ctl+0x10b1/0x2050
[   44.196688]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   44.203340] 
[   44.204930] Freed by task 3321:
[   44.208171]  [] save_stack_trace+0x26/0x50
[   44.214040]  [] save_stack+0x43/0xd0
[   44.219393]  [] kasan_slab_free+0x72/0xc0
[   44.225175]  [] kfree+0xfc/0x300
[   44.230178]  [] binder_thread_dec_tmpref+0x1c1/0x250
[   44.236916]  [] binder_thread_release+0x27d/0x540
[   44.243395]  [] binder_ioctl+0xb94/0x12e0
[   44.249179]  [] do_vfs_ioctl+0x7aa/0xee0
[   44.254874]  [] SyS_ioctl+0x8f/0xc0
[   44.260137]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[   44.266790] 
[   44.268381] The buggy address belongs to the object at ffff8801d090ac80
[   44.268381]  which belongs to the cache kmalloc-512 of size 512
[   44.281004] The buggy address is located 184 bytes inside of
[   44.281004]  512-byte region [ffff8801d090ac80, ffff8801d090ae80)
[   44.292838] The buggy address belongs to the page:
[   45.627354] ------------[ cut here ]------------
[   45.632114] kernel BUG at fs/jbd2/commit.c:437!
[   45.636745] invalid opcode: 0000 [#1] 
[   45.639252] PANIC: double fault, error_code: 0x0
[   45.639259] CPU: 0 PID: 3321 Comm: syzkaller553759 Not tainted 4.4.111-gf851888 #23
[   45.639261] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.639263] task: ffff8801d0e0af80 task.stack: ffff8801cd638000
[   45.639265] RIP: 0010:[]  [] dump_page_badflags+0x1a/0x250
[   45.639276] RSP: 0018:ffff880100000000  EFLAGS: 00010086
[   45.639279] RAX: ffff8801d0e0af80 RBX: ffffea0007424280 RCX: ffffffff8148f980
[   45.639281] RDX: 0000000000000000 RSI: ffffffff838a83a0 RDI: ffffea0007424280
[   45.639283] RBP: ffff880100000030 R08: 0000000000000001 R09: 0000000000000000
[   45.639285] R10: 0000000000000002 R11: fffffbfff0ad781e R12: 0000000000000000
[   45.639287] R13: ffffffff838a83a0 R14: 0000000000000000 R15: 0000000000000000
[   45.639290] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   45.639292] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.639294] CR2: ffff8800fffffff8 CR3: 000000000420c000 CR4: 0000000000160670
[   45.639299] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   45.639301] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   45.639302] Stack:
[   45.639302] 
[   45.639303] Call Trace:
[   45.639305] Code: e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 61 06 ed ff 48 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 
[   45.639365] Kernel panic - not syncing: Machine halted.
[   45.792814] PREEMPT SMP KASAN
[   45.796518] Dumping ftrace buffer:
[   45.800021]    (ftrace buffer empty)
[   45.803694] Modules linked in:
[   45.806960] CPU: 1 PID: 1613 Comm: jbd2/sda1-8 Not tainted 4.4.111-gf851888 #23
[   45.814365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.823683] task: ffff8801d44b8000 task.stack: ffff8801d47f8000
[   45.829698] RIP: 0010:[]  [] jbd2_journal_commit_transaction+0x3a86/0x6520
[   45.839915] RSP: 0018:ffff8801d47ff850  EFLAGS: 00010293
[   45.845330] RAX: ffff8801d44b8000 RBX: 0000000000000000 RCX: ffffffff8181e6e6
[   45.852561] RDX: 0000000000000000 RSI: ffff8801cd06000c RDI: ffff8801d47db330
[   45.859792] RBP: ffff8801d47ffcf0 R08: 0000000000000001 R09: ffffffff850f0bb0
[   45.867025] R10: 0000000000000001 R11: 00000000ffffea00 R12: ffff8801d47db8bc
[   45.874259] R13: 000000000000011a R14: ffff8801d47db328 R15: ffff8801d47db300
[   45.881493] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   45.889684] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.895552] CR2: 000000000247c0e8 CR3: 00000001d40f8000 CR4: 0000000000160670
[   45.903572] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   45.910805] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   45.918038] Stack:
[   45.920151]  0000000041b58ab3 ffffffff83fa9e68 ffffffff811fbe40 ffffffff81236f8f
[   45.928088]  0000000000000000 ffff8801da272d20 ffff8801d44b8000 ffff8801d44b8898
[   45.936923]  0000000000000002 ffff8801d44b8000 0000000000000000 0000000000000000
[   45.944864] Call Trace:
[   45.947418]  [] ? update_sd_lb_stats+0x30a0/0x30a0
[   45.953873]  [] ? __lock_acquire+0xb5f/0x4b50
[   45.959900]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   45.966880]  [] ? journal_submit_commit_record.isra.15+0xb90/0xb90
[   45.976026]  [] ? debug_object_deactivate+0xf2/0x3c0
[   45.982651]  [] ? debug_object_deactivate+0x26d/0x3c0
[   45.989365]  [] ? _raw_spin_unlock_irqrestore+0x45/0x70
[   45.996250]  [] ? debug_object_deactivate+0x26d/0x3c0
[   46.002962]  [] ? __lock_is_held+0xa1/0xf0
[   46.008720]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   46.015608]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   46.022407]  [] ? _raw_spin_unlock_irqrestore+0x45/0x70
[   46.029296]  [] ? try_to_del_timer_sync+0x11a/0x180
[   46.035838]  [] ? detach_if_pending.part.28+0x590/0x590
[   46.042724]  [] ? del_timer_sync+0x11c/0x140
[   46.048654]  [] ? del_timer_sync+0x104/0x140
[   46.054588]  [] kjournald2+0x251/0x900
[   46.059999]  [] ? finish_task_switch+0x1e7/0x4e0
[   46.066278]  [] ? commit_timeout+0x20/0x20
[   46.072041]  [] ? prepare_to_wait_event+0x420/0x420
[   46.078581]  [] ? __kthread_parkme+0x164/0x230
[   46.084686]  [] kthread+0x268/0x300
[   46.089836]  [] ? commit_timeout+0x20/0x20
[   46.095594]  [] ? kthread_create_on_node+0x400/0x400
[   46.102221]  [] ? kthread_create_on_node+0x400/0x400
[   46.108847]  [] ret_from_fork+0x3f/0x70
[   46.114345]  [] ? kthread_create_on_node+0x400/0x400
[   46.120968] Code: 84 90 ed ff ff 48 8b bc 24 f0 00 00 00 e8 c3 f3 cd ff e9 7e ed ff ff e8 a9 17 b4 ff e8 7e 49 7e ff e9 c9 d1 ff ff e8 9a 17 b4 ff <0f> 0b e8 93 17 b4 ff 48 8b 0d 0c 52 02 02 65 8b 05 1d 7a 7f 7e 
[   46.147494] RIP  [] jbd2_journal_commit_transaction+0x3a86/0x6520
[   46.155365]  RSP 
[   46.158986] Dumping ftrace buffer:
[   46.162515]    (ftrace buffer empty)
[   46.166190] Kernel Offset: disabled
[   46.169778] Rebooting in 86400 seconds..