[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.165202] random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.160262] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 26.512709] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 27.451625] random: sshd: uninitialized urandom read (32 bytes read, 112 bits of entropy available)
[ 27.628673] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
[ 33.053537] random: sshd: uninitialized urandom read (32 bytes read, 126 bits of entropy available)
executing program
[ 33.151005] ==================================================================
[ 33.158411] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 33.165403] Read of size 8 at addr ffff8801c9e06140 by task syzkaller531084/4011
[ 33.172904]
[ 33.174505] CPU: 0 PID: 4011 Comm: syzkaller531084 Not tainted 4.4.114-gfe09418 #3
[ 33.182179] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.191504]  0000000000000000 b3cf1cb40951aabd ffff8801cd34f9f0 ffffffff81d02e6d
[ 33.199474]  ffffea0007278180 ffff8801c9e06140 0000000000000000 ffff8801c9e06140
[ 33.207450]  ffff8800ba90a338 ffff8801cd34fa28 ffffffff814fd6f3 ffff8801c9e06140
[ 33.215427] Call Trace:
[ 33.217988]  [] dump_stack+0xc1/0x124
[ 33.223326]  [] print_address_description+0x73/0x260
[ 33.229963]  [] kasan_report+0x285/0x370
[ 33.235560]  [] ? sg_remove_request+0xf9/0x110
[ 33.241676]  [] __asan_report_load8_noabort+0x14/0x20
[ 33.248402]  [] sg_remove_request+0xf9/0x110
[ 33.254350]  [] sg_finish_rem_req+0x295/0x340
[ 33.260382]  [] sg_read+0xa1b/0x1490
[ 33.265631]  [] ? __check_object_size+0x154/0x35b
[ 33.272012]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 33.278646]  [] ? fsnotify+0xee0/0xee0
[ 33.284075]  [] ? avc_policy_seqno+0x9/0x20
[ 33.289934]  [] do_loop_readv_writev+0x141/0x1e0
[ 33.296227]  [] ? security_file_permission+0x89/0x1e0
[ 33.302952]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 33.309589]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 33.316224]  [] do_readv_writev+0x5dd/0x6e0
[ 33.322076]  [] ? vfs_write+0x530/0x530
[ 33.327586]  [] ? handle_mm_fault+0xbf5/0x3190
[ 33.333715]  [] ? _raw_spin_unlock+0x2c/0x50
[ 33.339664]  [] ? handle_mm_fault+0x3f2/0x3190
[ 33.345782]  [] ? fasync_insert_entry+0x147/0x2e0
[ 33.352157]  [] vfs_readv+0x78/0xb0
[ 33.357317]  [] SyS_readv+0xd9/0x240
[ 33.362562]  [] ? rw_copy_check_uvector+0x2b0/0x2b0
[ 33.369126]  [] ? trace_hardirqs_on_thunk+0x17/0x19
[ 33.375674]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 33.382224]
[ 33.383824] Allocated by task 0:
[ 33.387155] (stack is not available)
[ 33.390833]
[ 33.392429] Freed by task 0:
[ 33.395411] (stack is not available)
[ 33.399093]
[ 33.400693] The buggy address belongs to the object at ffff8801c9e06100
[ 33.400693]  which belongs to the cache fasync_cache of size 96
[ 33.413324] The buggy address is located 64 bytes inside of
[ 33.413324]  96-byte region [ffff8801c9e06100, ffff8801c9e06160)
[ 33.424995] The buggy address belongs to the page:
[ 34.956951] PANIC: double fault, error_code: 0x0
[ 34.961727] CPU: 0 PID: 4011 Comm: syzkaller531084 Not tainted 4.4.114-gfe09418 #3
[ 34.969410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.978735] task: ffff8800baa38000 task.stack: ffff8801cd348000
[ 34.984763] RIP: 0010:[]  [] dump_page_badflags+0x8/0x250
[ 34.993523] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[ 34.998940] RAX: ffff8800baa38000 RBX: ffffea0007278180 RCX: ffffffff8148ff60
[ 35.006180] RDX: 0000000000000000 RSI: ffffffff838a8e60 RDI: ffffea0007278180
[ 35.013427] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[ 35.020671] R10: 0000000000000002 R11: fffffbfff0ad7e2e R12: 0000000000000000
[ 35.027921] R13: ffffffff838a8e60 R14: 0000000000000000 R15: 0000000000000000
[ 35.035164] FS:  00000000020d9880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 35.043360] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.049213] CR2: ffff8800fffffff8 CR3: 00000001d8d18000 CR4: 0000000000160670
[ 35.056454] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 35.063697] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 35.070937] Stack:
[ 35.073058]
[ 35.074655] Call Trace:
[ 35.077208]
[ 35.079236] Code: 00 e9 83 fd ff ff e8 88 df 06 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 <41> 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 91 04
[ 35.106307] Kernel panic - not syncing: Machine halted.
[ 35.111644] CPU: 0 PID: 4011 Comm: syzkaller531084 Not tainted 4.4.114-gfe09418 #3
[ 35.119324] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.128647]  0000000000000000 b3cf1cb40951aabd ffff8801db20ce38 ffffffff81d02e6d
[ 35.136634]  ffffffff838372a0 ffff8801db20cf10 ffffffff83808040 ffff880100000000
[ 35.144618]  0000000000000000 ffff8801db20cf00 ffffffff8141a1da 0000000041b58ab3
[ 35.152606] Call Trace:
[ 35.155158]  <#DF>  [] dump_stack+0xc1/0x124
[ 35.161227]  [] panic+0x1aa/0x388
[ 35.166212]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 35.173111]  [] ? vprintk_emit+0x242/0x850
[ 35.178882]  [] ? dump_page_badflags+0x1d/0x250
[ 35.185082]  [] ? vprintk_emit+0x242/0x850
[ 35.190852]  [] df_debug+0x2d/0x30
[ 35.195925]  [] do_double_fault+0x10b/0x210
[ 35.201784]  [] double_fault+0x2d/0x40
[ 35.207205]  [] ? dump_page_badflags+0x180/0x250
[ 35.213493]  [] ? dump_page_badflags+0x8/0x250
[ 35.219607]  <>
[ 35.223074] Dumping ftrace buffer:
[ 35.226925]    (ftrace buffer empty)
[ 35.230609] Kernel Offset: disabled
[ 35.234217] Rebooting in 86400 seconds..