[   15.222099] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.626827] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   21.988903] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[   22.864220] random: sshd: uninitialized urandom read (32 bytes read, 106 bits of entropy available)
[   23.030856] random: sshd: uninitialized urandom read (32 bytes read, 110 bits of entropy available)
Warning: Permanently added '10.128.15.213' (ECDSA) to the list of known hosts.
[   28.397264] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
executing program
[   28.493711] ==================================================================
[   28.501111] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[   28.507744] Read of size 8 at addr ffff8800b463eab8 by task syzkaller037249/3313
[   28.515243] 
[   28.516845] CPU: 0 PID: 3313 Comm: syzkaller037249 Not tainted 4.4.112-g52c02cf #23
[   28.524602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.533927]  0000000000000000 26face2f2f54bd9b ffff8801d08cf850 ffffffff81d056fd
[   28.541893]  ffffea0002d18f80 ffff8800b463eab8 0000000000000000 ffff8800b463eab8
[   28.549855]  0000000000000000 ffff8801d08cf888 ffffffff814fd953 ffff8800b463eab8
[   28.557818] Call Trace:
[   28.560414]  [<ffffffff81d056fd>] dump_stack+0xc1/0x124
[   28.565749]  [<ffffffff814fd953>] print_address_description+0x73/0x260
[   28.572384]  [<ffffffff814fde65>] kasan_report+0x285/0x370
[   28.577977]  [<ffffffff81239c7e>] ? __lock_acquire+0x387e/0x4b50
[   28.584089]  [<ffffffff814fdfc4>] __asan_report_load8_noabort+0x14/0x20
[   28.590827]  [<ffffffff81239c7e>] __lock_acquire+0x387e/0x4b50
[   28.596768]  [<ffffffff81236f5f>] ? __lock_acquire+0xb5f/0x4b50
[   28.602796]  [<ffffffff81236400>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.609775]  [<ffffffff81235bcb>] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.616581]  [<ffffffff81236400>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.623560]  [<ffffffff81236400>] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.630539]  [<ffffffff8123c7be>] lock_acquire+0x15e/0x460
[   28.636147]  [<ffffffff8121f164>] ? remove_wait_queue+0x14/0x40
[   28.642175]  [<ffffffff83775fce>] _raw_spin_lock_irqsave+0x4e/0x70
[   28.648466]  [<ffffffff8121f164>] ? remove_wait_queue+0x14/0x40
[   28.654494]  [<ffffffff8121f164>] remove_wait_queue+0x14/0x40
[   28.660349]  [<ffffffff815f6d58>] ep_unregister_pollwait.isra.6+0xa8/0x220
[   28.667334]  [<ffffffff815f6dc4>] ? ep_unregister_pollwait.isra.6+0x114/0x220
[   28.674576]  [<ffffffff815f7bb0>] ? ep_free+0x1c0/0x1c0
[   28.679908]  [<ffffffff815f7a83>] ep_free+0x93/0x1c0
[   28.684984]  [<ffffffff815f7bb0>] ? ep_free+0x1c0/0x1c0
[   28.690336]  [<ffffffff815f7bf4>] ep_eventpoll_release+0x44/0x60
[   28.696461]  [<ffffffff81522f93>] __fput+0x233/0x6d0
[   28.701534]  [<ffffffff815234b5>] ____fput+0x15/0x20
[   28.706608]  [<ffffffff8118bb54>] task_work_run+0x104/0x180
[   28.712288]  [<ffffffff81132f21>] do_exit+0x871/0x2a20
[   28.717549]  [<ffffffff814a133d>] ? handle_mm_fault+0x192d/0x3190
[   28.723755]  [<ffffffff8149fe02>] ? handle_mm_fault+0x3f2/0x3190
[   28.729871]  [<ffffffff811326b0>] ? release_task+0x1240/0x1240
[   28.735820]  [<ffffffff81139398>] do_group_exit+0x108/0x320
[   28.741501]  [<ffffffff811395cd>] SyS_exit_group+0x1d/0x20
[   28.747101]  [<ffffffff811395b0>] ? do_group_exit+0x320/0x320
[   28.752965]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.759079]  [<ffffffff83777d6a>] sysenter_flags_fixed+0xd/0x17
[   28.765103] 
[   28.766699] Allocated by task 3313:
[   28.770292]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   28.776177]  [<ffffffff814fc9c3>] save_stack+0x43/0xd0
[   28.781544]  [<ffffffff814fcc8d>] kasan_kmalloc+0xad/0xe0
[   28.787164]  [<ffffffff814f8c00>] kmem_cache_alloc_trace+0x100/0x2b0
[   28.793742]  [<ffffffff82c7f541>] binder_get_thread+0x181/0x7a0
[   28.799886]  [<ffffffff82c7fbaa>] binder_poll+0x4a/0x210
[   28.805593]  [<ffffffff815fabe1>] SyS_epoll_ctl+0x10b1/0x2050
[   28.811564]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.817789]  [<ffffffff83777d6a>] sysenter_flags_fixed+0xd/0x17
[   28.823934] 
[   28.825531] Freed by task 3313:
[   28.828774]  [<ffffffff81035df6>] save_stack_trace+0x26/0x50
[   28.834652]  [<ffffffff814fc9c3>] save_stack+0x43/0xd0
[   28.840011]  [<ffffffff814fd2e2>] kasan_slab_free+0x72/0xc0
[   28.845810]  [<ffffffff814f9d6c>] kfree+0xfc/0x300
[   28.850820]  [<ffffffff82c78a91>] binder_thread_dec_tmpref+0x1c1/0x250
[   28.857572]  [<ffffffff82c795cd>] binder_thread_release+0x27d/0x540
[   28.864062]  [<ffffffff82c94234>] binder_ioctl+0xb94/0x12e0
[   28.869858]  [<ffffffff8161e61a>] compat_SyS_ioctl+0x28a/0x2540
[   28.875998]  [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890
[   28.882224]  [<ffffffff83777d6a>] sysenter_flags_fixed+0xd/0x17
[   28.888366] 
[   28.889962] The buggy address belongs to the object at ffff8800b463ea00
[   28.889962]  which belongs to the cache kmalloc-512 of size 512
[   28.902585] The buggy address is located 184 bytes inside of
[   28.902585]  512-byte region [ffff8800b463ea00, ffff8800b463ec00)
[   28.914437] The buggy address belongs to the page:
[   30.349582] PANIC: double fault, error_code: 0x0
[   30.354364] CPU: 0 PID: 3313 Comm: syzkaller037249 Not tainted 4.4.112-g52c02cf #23
[   30.362124] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.371448] task: ffff8800b458af80 task.stack: ffff8801d08c8000
[   30.377470] RIP: 0010:[<ffffffff8148fd3a>]  [<ffffffff8148fd3a>] dump_page_badflags+0x1a/0x250
[   30.386311] RSP: 0018:ffff880100000000  EFLAGS: 00010086
[   30.391727] RAX: ffff8800b458af80 RBX: ffffea0002d18f80 RCX: ffffffff8148fea0
[   30.398963] RDX: 0000000000000000 RSI: ffffffff838a8620 RDI: ffffea0002d18f80
[   30.406203] RBP: ffff880100000030 R08: 0000000000000001 R09: 0000000000000000
[   30.413441] R10: 0000000000000002 R11: fffffbfff0ad7a1e R12: 0000000000000000
[   30.420680] R13: ffffffff838a8620 R14: 0000000000000000 R15: 0000000000000000
[   30.427920] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   30.436125] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   30.441989] CR2: ffff8800fffffff8 CR3: 000000000420c000 CR4: 0000000000160670
[   30.449239] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.456478] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.463725] Stack:
[   30.465843] 
[   30.467440] Call Trace:
[   30.469991]  <UNK> 
[   30.472030] Code: e2 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 [   30.490187] SELinux:  Invalid class 65201
[   30.490320] ------------[ cut here ]------------
[   30.490323] kernel BUG at security/selinux/avc.c:119!
[   30.490327] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[   30.490336] Dumping ftrace buffer:
[   30.490340]    (ftrace buffer empty)
[   30.490342] Modules linked in:
[   30.490350] CPU: 1 PID: 1 Comm: init Not tainted 4.4.112-g52c02cf #23
[   30.490353] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.490357] task: ffff8801da308000 task.stack: ffff8801da310000
[   30.490361] RIP: 0010:[<ffffffff81b49e5f>]  [<ffffffff81b49e5f>] avc_audit_pre_callback+0x25f/0x2b0
[   30.490379] RSP: 0018:ffff8801da317818  EFLAGS: 00010293
[   30.490382] RAX: ffff8801da308000 RBX: 000000000000feb1 RCX: ffffffff81b49e5f
[   30.490386] RDX: 0000000000000000 RSI: 000000000000000d RDI: ffff8801da317a98
[   30.490389] RBP: ffff8801da317850 R08: ffffed001678c007 R09: ffffed001678c007
[   30.490393] R10: 0000000000000001 R11: ffffed001678c006 R12: ffffffff839c6f40
[   30.490396] R13: 0000000000000010 R14: ffffffff81b49800 R15: ffffffff81b49c00
[   30.490401] FS:  00007fa9709497a0(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[   30.490405] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   30.490408] CR2: 00000000019613e0 CR3: 00000001d41a6000 CR4: 0000000000160670
[   30.490414] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.490417] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   30.490418] Stack:
[   30.490421]  ffff8801d8428f00 0c1f826840f40e65 1ffff1003b462f10 ffff8801da317cc0
[   30.490429]  ffff8801d8428f00 ffffffff81b49800 ffffffff81b49c00 ffff8801da317a48
[   30.490437]  ffffffff81bad8f8 0000000000000000 ffff8801da308868 00000002842bca80
[   30.490444] Call Trace:
[   30.490452]  [<ffffffff81b49800>] ? securityfs_remove+0x260/0x260
[   30.490459]  [<ffffffff81b49c00>] ? avc_audit_post_callback+0x400/0x400
[   30.490469]  [<ffffffff81bad8f8>] common_lsm_audit+0x128/0x1a40
[   30.490476]  [<ffffffff81bad7d0>] ? ipv6_skb_to_auditdata+0xd80/0xd80
[   30.490485]  [<ffffffff837759b5>] ? _raw_spin_unlock_irqrestore+0x45/0x70
[   30.490494]  [<ffffffff81d68544>] ? debug_object_active_state+0x2b4/0x420
[   30.490500]  [<ffffffff81d68290>] ? debug_object_assert_init+0x360/0x360
[   30.490506]  [<ffffffff81d654fb>] ? check_preemption_disabled+0x3b/0x200
[   30.490514]  [<ffffffff8122de9d>] ? trace_hardirqs_off+0xd/0x10
[   30.490522]  [<ffffffff812931a3>] ? __call_rcu.constprop.69+0x223/0x930
[   30.490529]  [<ffffffff81b4b11e>] ? avc_update_node+0x8e/0xa40
[   30.490534]  [<ffffffff837759ca>] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[   30.490541]  [<ffffffff81b4c621>] slow_avc_audit+0x181/0x210
[   30.490547]  [<ffffffff81b4c4a0>] ? avc_get_hash_stats+0x230/0x230
[   30.490555]  [<ffffffff81b4dde6>] ? avc_has_perm+0x296/0x500
[   30.490561]  [<ffffffff81b4df70>] avc_has_perm+0x420/0x500
[   30.490567]  [<ffffffff81b4db50>] ? avc_has_perm_noaudit+0x460/0x460
[   30.490576]  [<ffffffff81550695>] ? filename_lookup+0x245/0x3b0
[   30.490584]  [<ffffffff81b5f84c>] selinux_inode_getattr+0x23c/0x300
[   30.490590]  [<ffffffff81b5f610>] ? selinux_file_open+0x550/0x550
[   30.490596]  [<ffffffff81dade01>] ? strncpy_from_user+0x131/0x2c0
[   30.490603]  [<ffffffff81b4498c>] security_inode_getattr+0xec/0x140
[   30.490611]  [<ffffffff8152b0cc>] vfs_getattr+0x1c/0x50
[   30.490616]  [<ffffffff8152b251>] vfs_fstatat+0xe1/0x170
[   30.490622]  [<ffffffff8152b170>] ? vfs_fstat+0x70/0x70
[   30.490628]  [<ffffffff8152c416>] SYSC_newstat+0x86/0x100
[   30.490634]  [<ffffffff8152c390>] ? cp_new_stat+0x5c0/0x5c0
[   30.490643]  [<ffffffff810dc6e0>] ? __do_page_fault+0x380/0xa00
[   30.490650]  [<ffffffff83776f98>] ? retint_user+0x18/0x3c
[   30.490657]  [<ffffffff81235bcb>] ? trace_hardirqs_on_caller+0x38b/0x590
[   30.490664]  [<ffffffff81003017>] ? trace_hardirqs_on_thunk+0x17/0x19
[   30.490671]  [<ffffffff8152c83d>] SyS_newstat+0x1d/0x30
[   30.490677]  [<ffffffff837763d9>] entry_SYSCALL_64_fastpath+0x16/0x92
[   30.490678] Code: ea 48 c7 c6 c0 70 9c 83 e8 9f 01 7f ff eb ad e8 08 60 81 ff 48 8b 7d c8 48 c7 c6 00 70 9c 83 e8 88 01 7f ff eb ab e8 f1 5f 81 ff <0f> 0b e8 0a 41 9b ff e9 c2 fe ff ff 48 89 df e8 3d 41 9b ff e9 
[   30.490779] RIP  [<ffffffff81b49e5f>] avc_audit_pre_callback+0x25f/0x2b0
[   30.490787]  RSP <ffff8801da317818>
[   30.490794] ---[ end trace 18d293637c993a75 ]---
[   30.490798] Kernel panic - not syncing: Fatal exception

[   30.909975] ec 08 <e8> 11 01 ed ff 48 8d 7b 10 48 b8 00 00 00 00 00 fc ff df 48 89 
[   31.597333] Shutting down cpus with NMI
[   31.601734] Dumping ftrace buffer:
[   31.605263]    (ftrace buffer empty)
[   31.608947] Kernel Offset: disabled
[   31.612542] Rebooting in 86400 seconds..