[ 16.346480] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.321327] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 19.726373] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 20.659952] random: sshd: uninitialized urandom read (32 bytes read, 110 bits of entropy available)
[ 20.824922] random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
Warning: Permanently added '10.128.15.207' (ECDSA) to the list of known hosts.
[ 26.225765] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available)
executing program
[ 26.330386] ==================================================================
[ 26.337781] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 26.344769] Read of size 8 at addr ffff8801d0987140 by task syzkaller972061/3315
[ 26.352268]
[ 26.353871] CPU: 1 PID: 3315 Comm: syzkaller972061 Not tainted 4.4.113-ge70c132 #34
[ 26.361632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.370967]  0000000000000000 a821a694a5719786 ffff8801cd2af9f0 ffffffff81d0278d
[ 26.378941]  ffffea00074261c0 ffff8801d0987140 0000000000000000 ffff8801d0987140
[ 26.386901]  ffff8801d0c84438 ffff8801cd2afa28 ffffffff814fd053 ffff8801d0987140
[ 26.394866] Call Trace:
[ 26.397427]  [] dump_stack+0xc1/0x124
[ 26.402769]  [] print_address_description+0x73/0x260
[ 26.409407]  [] kasan_report+0x285/0x370
[ 26.415003]  [] ? sg_remove_request+0xf9/0x110
[ 26.421116]  [] __asan_report_load8_noabort+0x14/0x20
[ 26.427838]  [] sg_remove_request+0xf9/0x110
[ 26.433778]  [] sg_finish_rem_req+0x295/0x340
[ 26.439807]  [] sg_read+0xa1b/0x1490
[ 26.445064]  [] ? __check_object_size+0x154/0x35b
[ 26.451439]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 26.458075]  [] ? fsnotify+0xee0/0xee0
[ 26.463495]  [] ? avc_policy_seqno+0x9/0x20
[ 26.469361]  [] do_loop_readv_writev+0x141/0x1e0
[ 26.475651]  [] ? security_file_permission+0x89/0x1e0
[ 26.482379]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 26.489015]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 26.496414]  [] do_readv_writev+0x5dd/0x6e0
[ 26.502270]  [] ? vfs_write+0x530/0x530
[ 26.507785]  [] ? _raw_spin_unlock+0x2c/0x50
[ 26.513728]  [] ? do_huge_pmd_anonymous_page+0x3dd/0xa10
[ 26.520711]  [] ? handle_mm_fault+0x3f2/0x3190
[ 26.526827]  [] vfs_readv+0x78/0xb0
[ 26.532004]  [] SyS_readv+0xd9/0x240
[ 26.537257]  [] ? rw_copy_check_uvector+0x2b0/0x2b0
[ 26.543822]  [] ? trace_hardirqs_on_thunk+0x17/0x19
[ 26.550370]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 26.556921]
[ 26.558525] Allocated by task 0:
[ 26.561865] (stack is not available)
[ 26.565557]
[ 26.567207] Freed by task 0:
[ 26.567208] (stack is not available)
[ 26.567210]
[ 26.567215] The buggy address belongs to the object at ffff8801d0987100
[ 26.567215]  which belongs to the cache fasync_cache of size 96
[ 26.567220] The buggy address is located 64 bytes inside of
[ 26.567220]  96-byte region [ffff8801d0987100, ffff8801d0987160)
[ 26.567222] The buggy address belongs to the page:
[ 26.613937] BUG: unable to handle kernel paging request at fffffffdedd2b780
[ 26.621325] IP: [] cpuacct_charge+0x155/0x390
[ 26.627530] PGD 420f067 PUD 0
[ 26.630982] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 26.636027] Dumping ftrace buffer:
[ 26.639559]    (ftrace buffer empty)
[ 26.643269] Modules linked in:
[ 26.646594] CPU: 0 PID: 3168 Comm: rsyslogd Not tainted 4.4.113-ge70c132 #34
[ 26.653773] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.663125] task: ffff8800b6608000 task.stack: ffff8801d3620000
[ 26.669298] RIP: 0010:[]  [] cpuacct_charge+0x155/0x390
[ 26.677936] RSP: 0018:ffff8801d36279c8  EFLAGS: 00010046
[ 26.683377] RAX: 1ffffffff0854fff RBX: 0000000000018528 RCX: ffffffff847eb500
[ 26.690646] RDX: fffffbffbdba56f0 RSI: fffffffdedd2b780 RDI: ffffffff842a7ff8
[ 26.697917] RBP: ffff8801d3627a10 R08: 0000000000000001 R09: 0000000000000001
[ 26.705187] R10: 0000000000000000 R11: 1ffff1003a6c4f04 R12: ffffffff842a7f20
[ 26.712452] R13: dffffc0000000000 R14: 0000000002cc2d61 R15: ffffffffcd2a8050
[ 26.719718] FS:  00007f3cf68d6700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 26.727946] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 26.733826] CR2: fffffffdedd2b780 CR3: 00000001cfb50000 CR4: 0000000000160670
[ 26.741099] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 26.748372] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 26.755635] Stack:
[ 26.757777]  ffffffff8122a430 ffff8801d36279f8 0000000000000046 0000000000000003
[ 26.765852]  ffff8801d1e79820 ffffffff83844340 0000000002cc2d61 ffff8801d1e79870
[ 26.773909]  ffff8801d1e797c0 ffff8801d3627a60 ffffffff811dbea7 ffff8801db31f4c0
[ 26.781961] Call Trace:
[ 26.784546]  [] ? cpuacct_charge+0x60/0x390
[ 26.790429]  [] update_curr+0x2c7/0x6c0
[ 26.795971]  [] enqueue_task_fair+0x313/0x2940
[ 26.802120]  [] activate_task+0x148/0x270
[ 26.807839]  [] ttwu_do_activate.constprop.131+0xbf/0x1e0
[ 26.814944]  [] try_to_wake_up+0x68d/0xf60
[ 26.820750]  [] ? do_futex+0x11e0/0x15d0
[ 26.826379]  [] wake_up_q+0xbe/0x130
[ 26.831656]  [] do_futex+0xe83/0x15d0
[ 26.837028]  [] ? exit_robust_list+0x240/0x240
[ 26.843183]  [] ? proc_reg_write+0x170/0x170
[ 26.849163]  [] ? __vfs_read+0x10b/0x440
[ 26.854787]  [] ? fsnotify+0xee0/0xee0
[ 26.860243]  [] ? __mutex_unlock_slowpath+0x208/0x3b0
[ 26.867006]  [] SyS_futex+0x208/0x2c0
[ 26.872377]  [] ? vfs_read+0x16a/0x3a0
[ 26.877851]  [] ? do_futex+0x15d0/0x15d0
[ 26.883474]  [] ? SyS_read+0x13d/0x1b0
[ 26.888947]  [] ? do_sendfile+0xd30/0xd30
[ 26.894665]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 26.901160]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 26.907729] Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 9e 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 0a 02 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 cf 01 00
[ 26.935394] RIP  [] cpuacct_charge+0x155/0x390
[ 26.941680]  RSP
[ 26.945301] CR2: fffffffdedd2b780
[ 26.948760] ---[ end trace d6675582bfecc880 ]---
[ 26.953511] Kernel panic - not syncing: Fatal exception
[ 28.089187] Shutting down cpus with NMI
[ 28.094246] Dumping ftrace buffer:
[ 28.097766]    (ftrace buffer empty)
[ 28.101443] Kernel Offset: disabled
[ 28.105037] Rebooting in 86400 seconds..