[....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 16.177467] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.990209] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available) [ 22.250693] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available) [ 23.041490] random: sshd: uninitialized urandom read (32 bytes read, 90 bits of entropy available) [ 23.207487] random: sshd: uninitialized urandom read (32 bytes read, 96 bits of entropy available) Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts. [ 28.583443] random: sshd: uninitialized urandom read (32 bytes read, 102 bits of entropy available) executing program [ 28.685066] ================================================================== [ 28.692476] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 [ 28.699112] Read of size 8 at addr ffff8801d129b9b8 by task syzkaller077321/3316 [ 28.708259] [ 28.709867] CPU: 0 PID: 3316 Comm: syzkaller077321 Not tainted 4.4.112-gd96d95d #24 [ 28.717889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.727212] 0000000000000000 0fa0f40821b1e26e ffff8801d0b7f850 ffffffff81d054ed [ 28.735206] ffffea000744a680 ffff8801d129b9b8 0000000000000000 ffff8801d129b9b8 [ 28.743168] 0000000000000000 ffff8801d0b7f888 ffffffff814fd953 ffff8801d129b9b8 [ 28.751127] Call Trace: [ 28.753686] [] dump_stack+0xc1/0x124 [ 28.759019] [] print_address_description+0x73/0x260 [ 28.765651] [] kasan_report+0x285/0x370 [ 28.771251] [] ? __lock_acquire+0x387e/0x4b50 [ 28.777362] [] __asan_report_load8_noabort+0x14/0x20 [ 28.784082] [] __lock_acquire+0x387e/0x4b50 [ 28.790027] [] ? __lock_acquire+0xb5f/0x4b50 [ 28.796051] [] ? 
debug_check_no_locks_freed+0x2c0/0x2c0 [ 28.803037] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 28.809849] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 28.816830] [] ? debug_check_no_locks_freed+0x2c0/0x2c0 [ 28.823811] [] lock_acquire+0x15e/0x460 [ 28.829405] [] ? remove_wait_queue+0x14/0x40 [ 28.835437] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 28.841725] [] ? remove_wait_queue+0x14/0x40 [ 28.847754] [] remove_wait_queue+0x14/0x40 [ 28.853618] [] ep_unregister_pollwait.isra.6+0xa8/0x220 [ 28.860607] [] ? ep_unregister_pollwait.isra.6+0x114/0x220 [ 28.867850] [] ? ep_free+0x1c0/0x1c0 [ 28.873180] [] ep_free+0x93/0x1c0 [ 28.878248] [] ? ep_free+0x1c0/0x1c0 [ 28.883582] [] ep_eventpoll_release+0x44/0x60 [ 28.889693] [] __fput+0x233/0x6d0 [ 28.894767] [] ____fput+0x15/0x20 [ 28.899841] [] task_work_run+0x104/0x180 [ 28.905519] [] do_exit+0x871/0x2a20 [ 28.910775] [] ? handle_mm_fault+0x192d/0x3190 [ 28.916973] [] ? handle_mm_fault+0x3f2/0x3190 [ 28.923084] [] ? release_task+0x1240/0x1240 [ 28.929022] [] do_group_exit+0x108/0x320 [ 28.934702] [] SyS_exit_group+0x1d/0x20 [ 28.940299] [] ? 
do_group_exit+0x320/0x320 [ 28.946152] [] do_fast_syscall_32+0x314/0x890 [ 28.952268] [] sysenter_flags_fixed+0xd/0x17 [ 28.958304] [ 28.959900] Allocated by task 3316: [ 28.964018] [] save_stack_trace+0x26/0x50 [ 28.969906] [] save_stack+0x43/0xd0 [ 28.975267] [] kasan_kmalloc+0xad/0xe0 [ 28.980889] [] kmem_cache_alloc_trace+0x100/0x2b0 [ 28.987464] [] binder_get_thread+0x181/0x7a0 [ 28.993612] [] binder_poll+0x4a/0x210 [ 28.999149] [] SyS_epoll_ctl+0x10b1/0x2050 [ 29.005117] [] do_fast_syscall_32+0x314/0x890 [ 29.011348] [] sysenter_flags_fixed+0xd/0x17 [ 29.017493] [ 29.019092] Freed by task 3316: [ 29.022334] [] save_stack_trace+0x26/0x50 [ 29.028219] [] save_stack+0x43/0xd0 [ 29.033582] [] kasan_slab_free+0x72/0xc0 [ 29.039372] [] kfree+0xfc/0x300 [ 29.044393] [] binder_thread_dec_tmpref+0x1c1/0x250 [ 29.051147] [] binder_thread_release+0x27d/0x540 [ 29.057639] [] binder_ioctl+0xb94/0x12e0 [ 29.063435] [] compat_SyS_ioctl+0x28a/0x2540 [ 29.069579] [] do_fast_syscall_32+0x314/0x890 [ 29.075828] [] sysenter_flags_fixed+0xd/0x17 [ 29.081981] [ 29.083579] The buggy address belongs to the object at ffff8801d129b900 [ 29.083579] which belongs to the cache kmalloc-512 of size 512 [ 29.096214] The buggy address is located 184 bytes inside of [ 29.096214] 512-byte region [ffff8801d129b900, ffff8801d129bb00) [ 29.108061] The buggy address belongs to the page: [ 29.123987] ------------[ cut here ]------------ [ 29.128787] WARNING: CPU: 1 PID: 0 at lib/debugobjects.c:263 debug_print_object+0x17d/0x220() [ 29.137447] ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: 0x8948fff8aa88e883 [ 29.147468] Kernel panic - not syncing: panic_on_warn set ... 
[ 29.147468] [ 29.154830] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.112-gd96d95d #24 [ 29.161832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.171179] 0000000000000000 47fe9db5b98260ce ffff8801db307ac8 ffffffff81d054ed [ 29.179249] ffffffff83843200 ffff8801db307ba0 ffffffff839fe0a0 0000000000000009 [ 29.187290] 0000000000000107 ffff8801db307b90 ffffffff81419dca 0000000041b58ab3 [ 29.195329] Call Trace: [ 29.197898] [] dump_stack+0xc1/0x124 [ 29.204371] [] panic+0x1aa/0x388 [ 29.209389] [] ? percpu_up_read.constprop.45+0xe1/0xe1 [ 29.216320] [] ? warn_slowpath_common+0x10a/0x140 [ 29.222813] [] warn_slowpath_common+0x125/0x140 [ 29.229140] [] ? debug_print_object+0x17d/0x220 [ 29.235461] [] warn_slowpath_fmt+0xc1/0x110 [ 29.241433] [] ? warn_slowpath_common+0x140/0x140 [ 29.247923] [] ? ktime_add_safe+0xa0/0xa0 [ 29.253723] [] debug_print_object+0x17d/0x220 [ 29.259868] [] debug_object_deactivate+0x25d/0x3c0 [ 29.266450] [] ? debug_object_activate+0x500/0x500 [ 29.273035] [] ? dump_page_badflags+0x190/0x250 [ 29.279359] [] ? __lock_is_held+0xa1/0xf0 [ 29.285162] [] ? dump_page_badflags+0x190/0x250 [ 29.292177] [] __hrtimer_run_queues+0x492/0xfe0 [ 29.298500] [] ? hrtimer_fixup_init+0x70/0x70 [ 29.304644] [] ? hrtimer_interrupt+0x131/0x440 [ 29.310879] [] hrtimer_interrupt+0x1a6/0x440 [ 29.316945] [] local_apic_timer_interrupt+0x6a/0xb0 [ 29.323619] [] smp_apic_timer_interrupt+0x76/0xa0 [ 29.330118] [] apic_timer_interrupt+0xa0/0xb0 [ 29.336259] [] ? native_safe_halt+0x6/0x10 [ 29.342903] [] ? trace_hardirqs_on+0xd/0x10 [ 29.348898] [] default_idle+0x55/0x3c0 [ 29.354441] [] arch_cpu_idle+0xa/0x10 [ 29.359895] [] default_idle_call+0x48/0x70 [ 29.365780] [] cpu_startup_entry+0x605/0x820 [ 29.371841] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 29.378684] [] ? call_cpuidle+0xe0/0xe0 [ 29.384315] [] ? clockevents_register_device+0x122/0x230 [ 29.391420] [] start_secondary+0x304/0x3e0 [ 29.397308] [] ? 
set_cpu_sibling_map+0x1040/0x1040 [ 30.517418] Shutting down cpus with NMI [ 30.522389] Dumping ftrace buffer: [ 30.526203] (ftrace buffer empty) [ 30.529885] Kernel Offset: disabled [ 30.533604] Rebooting in 86400 seconds..