[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 16.679206] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.513419] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 19.885447] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 20.745362] random: sshd: uninitialized urandom read (32 bytes read, 106 bits of entropy available)
[ 20.917628] random: sshd: uninitialized urandom read (32 bytes read, 110 bits of entropy available)
Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.
[ 26.353368] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
executing program
[ 26.460804] ==================================================================
[ 26.468204] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 26.475189] Read of size 8 at addr ffff8801d3335140 by task syzkaller623262/3310
[ 26.482691]
[ 26.484297] CPU: 1 PID: 3310 Comm: syzkaller623262 Not tainted 4.4.112-gca0ebb4 #29
[ 26.492058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.501386]  0000000000000000 41fc311189bfccda ffff8801d0a97ab0 ffffffff81d056fd
[ 26.509358]  ffffea00074ccd40 ffff8801d3335140 0000000000000000 ffff8801d3335140
[ 26.517327]  ffff8801d187a338 ffff8801d0a97ae8 ffffffff814fd953 ffff8801d3335140
[ 26.525292] Call Trace:
[ 26.527851]  [] dump_stack+0xc1/0x124
[ 26.533186]  [] print_address_description+0x73/0x260
[ 26.539821]  [] kasan_report+0x285/0x370
[ 26.545415]  [] ? sg_remove_request+0xf9/0x110
[ 26.551539]  [] __asan_report_load8_noabort+0x14/0x20
[ 26.558271]  [] sg_remove_request+0xf9/0x110
[ 26.564210]  [] sg_finish_rem_req+0x295/0x340
[ 26.570242]  [] sg_read+0xa21/0x1490
[ 26.575490]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 26.582128]  [] ? new_slab+0x2df/0x3b0
[ 26.587552]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 26.594189]  [] __vfs_read+0x103/0x440
[ 26.599610]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.606597]  [] ? vfs_iter_write+0x2d0/0x2d0
[ 26.612540]  [] ? fsnotify+0x5ad/0xee0
[ 26.617961]  [] ? fsnotify+0xee0/0xee0
[ 26.623383]  [] ? lockdep_init_map+0xeb/0x1690
[ 26.629505]  [] ? avc_policy_seqno+0x9/0x20
[ 26.635360]  [] ? selinux_file_permission+0x348/0x460
[ 26.642083]  [] ? security_file_permission+0x89/0x1e0
[ 26.648805]  [] ? rw_verify_area+0x100/0x2f0
[ 26.654746]  [] vfs_read+0x123/0x3a0
[ 26.659992]  [] SyS_read+0xd9/0x1b0
[ 26.665151]  [] ? do_sendfile+0xd30/0xd30
[ 26.670832]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 26.677294]  [] entry_SYSCALL_64_fastpath+0x16/0x92
[ 26.683839]
[ 26.685439] Allocated by task 0:
[ 26.688769] (stack is not available)
[ 26.692448]
[ 26.694044] Freed by task 0:
[ 26.697029] (stack is not available)
[ 26.700710]
[ 26.702308] The buggy address belongs to the object at ffff8801d3335100
[ 26.702308]  which belongs to the cache fasync_cache of size 96
[ 26.714933] The buggy address is located 64 bytes inside of
[ 26.714933]  96-byte region [ffff8801d3335100, ffff8801d3335160)
[ 26.726600] The buggy address belongs to the page:
[ 26.869303] ------------[ cut here ]------------
[ 26.874135] WARNING: CPU: 0 PID: 3285 at kernel/locking/lockdep.c:3190 __lock_acquire+0x23b3/0x4b50()
[ 26.883487] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
[ 26.888672] Kernel panic - not syncing: panic_on_warn set ...
[ 26.888672]
[ 26.896332] CPU: 0 PID: 3285 Comm: getty Not tainted 4.4.112-gca0ebb4 #29
[ 26.903254] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.912603]  0000000000000000 d67ee22f3f75c18b ffff8800b50873f0 ffffffff81d056fd
[ 26.920674]  ffffffff83843200 ffff8800b50874c8 ffffffff83854fe0 0000000000000009
[ 26.928725]  0000000000000c76 ffff8800b50874b8 ffffffff81419dca 0000000041b58ab3
[ 26.936769] Call Trace:
[ 26.939355]  [] dump_stack+0xc1/0x124
[ 26.944717]  [] panic+0x1aa/0x388
[ 26.949737]  [] ? percpu_up_read.constprop.45+0xe1/0xe1
[ 26.956668]  [] ? warn_slowpath_common+0x10a/0x140
[ 26.963167]  [] warn_slowpath_common+0x125/0x140
[ 26.969488]  [] ? __lock_acquire+0x23b3/0x4b50
[ 26.975644]  [] warn_slowpath_fmt+0xc1/0x110
[ 26.981620]  [] ? warn_slowpath_common+0x140/0x140
[ 26.988125]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.995143]  [] __lock_acquire+0x23b3/0x4b50
[ 27.001129]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 27.008149]  [] ? unmap_single_vma+0x30e/0x12d0
[ 27.014386]  [] lock_acquire+0x15e/0x460
[ 27.020028]  [] ? unlink_file_vma+0x75/0xb0
[ 27.025919]  [] down_write+0x41/0xa0
[ 27.031204]  [] ? unlink_file_vma+0x75/0xb0
[ 27.037101]  [] unlink_file_vma+0x75/0xb0
[ 27.042820]  [] free_pgtables+0xef/0x330
[ 27.048449]  [] exit_mmap+0x1e3/0x3a0
[ 27.053818]  [] ? SyS_remap_file_pages+0x960/0x960
[ 27.060321]  [] ? __might_sleep+0x90/0x1a0
[ 27.066126]  [] mmput+0xf8/0x2d0
[ 27.071069]  [] do_exit+0x75b/0x2a20
[ 27.076357]  [] ? __lock_is_held+0xa1/0xf0
[ 27.082155]  [] ? rcu_read_lock_sched_held+0x103/0x120
[ 27.089003]  [] ? release_task+0x1240/0x1240
[ 27.094980]  [] do_group_exit+0x108/0x320
[ 27.100694]  [] get_signal+0x565/0x1660
[ 27.106239]  [] do_signal+0x8b/0x1d40
[ 27.111611]  [] ? spurious_fault+0x370/0x370
[ 27.117603]  [] ? setup_sigcontext+0x780/0x780
[ 27.123758]  [] ? __lock_is_held+0xa1/0xf0
[ 27.129568]  [] ? __bad_area_nosemaphore+0x220/0x420
[ 27.136239]  [] ? bad_area_access_error+0x53/0x80
[ 27.142656]  [] ? exit_to_usermode_loop+0xec/0x170
[ 27.149284]  [] exit_to_usermode_loop+0x122/0x170
[ 27.155698]  [] prepare_exit_to_usermode+0xe3/0x100
[ 27.162286]  [] retint_user+0x8/0x3c
[ 28.298031] Shutting down cpus with NMI
[ 28.302513] Dumping ftrace buffer:
[ 28.306038]    (ftrace buffer empty)
[ 28.309716] Kernel Offset: disabled
[ 28.313309] Rebooting in 86400 seconds..