[ 16.570762] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.888237] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 20.126108] random: sshd: uninitialized urandom read (32 bytes read, 38 bits of entropy available)
[ 20.856194] random: sshd: uninitialized urandom read (32 bytes read, 86 bits of entropy available)
[ 21.116574] random: sshd: uninitialized urandom read (32 bytes read, 92 bits of entropy available)
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
[ 26.479215] random: sshd: uninitialized urandom read (32 bytes read, 98 bits of entropy available)
executing program
[ 26.579215] ==================================================================
[ 26.586600] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[ 26.593232] Read of size 8 at addr ffff8800b45a79b8 by task syzkaller313966/3324
[ 26.600727]
[ 26.602324] CPU: 0 PID: 3324 Comm: syzkaller313966 Not tainted 4.4.111-g7902639 #18
[ 26.610080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.619412]  0000000000000000 1325eac2e8036e02 ffff8800b4e5f850 ffffffff81d0509d
[ 26.627367]  ffffea0002d16980 ffff8800b45a79b8 0000000000000000 ffff8800b45a79b8
[ 26.635328]  0000000000000000 ffff8800b4e5f888 ffffffff814fd433 ffff8800b45a79b8
[ 26.643273] Call Trace:
[ 26.645826] [] dump_stack+0xc1/0x124
[ 26.651155] [] print_address_description+0x73/0x260
[ 26.657785] [] kasan_report+0x285/0x370
[ 26.663391] [] ? __lock_acquire+0x387e/0x4b50
[ 26.669513] [] __asan_report_load8_noabort+0x14/0x20
[ 26.676232] [] __lock_acquire+0x387e/0x4b50
[ 26.682166] [] ? __lock_acquire+0xb5f/0x4b50
[ 26.688188] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.695170] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.701973] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.708950] [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 26.715924] [] lock_acquire+0x15e/0x460
[ 26.721513] [] ? remove_wait_queue+0x14/0x40
[ 26.727535] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 26.733816] [] ? remove_wait_queue+0x14/0x40
[ 26.739838] [] remove_wait_queue+0x14/0x40
[ 26.745689] [] ep_unregister_pollwait.isra.6+0xa8/0x220
[ 26.752668] [] ? ep_unregister_pollwait.isra.6+0x114/0x220
[ 26.759914] [] ? ep_free+0x1c0/0x1c0
[ 26.765243] [] ep_free+0x93/0x1c0
[ 26.770311] [] ? ep_free+0x1c0/0x1c0
[ 26.775637] [] ep_eventpoll_release+0x44/0x60
[ 26.781756] [] __fput+0x233/0x6d0
[ 26.786846] [] ____fput+0x15/0x20
[ 26.791936] [] task_work_run+0x104/0x180
[ 26.797645] [] do_exit+0x871/0x2a20
[ 26.797653] [] ? handle_mm_fault+0x192d/0x3190
[ 26.797659] [] ? handle_mm_fault+0x3f2/0x3190
[ 26.797665] [] ? release_task+0x1240/0x1240
[ 26.797671] [] do_group_exit+0x108/0x320
[ 26.797676] [] SyS_exit_group+0x1d/0x20
[ 26.797681] [] ? do_group_exit+0x320/0x320
[ 26.797688] [] do_fast_syscall_32+0x314/0x890
[ 26.797696] [] sysenter_flags_fixed+0xd/0x17
[ 26.797698]
[ 26.797702] Allocated by task 3324:
[ 26.797712] [] save_stack_trace+0x26/0x50
[ 26.797721] [] save_stack+0x43/0xd0
[ 26.797728] [] kasan_kmalloc+0xad/0xe0
[ 26.797736] [] kmem_cache_alloc_trace+0x100/0x2b0
[ 26.797747] [] binder_get_thread+0x181/0x7a0
[ 26.797753] [] binder_poll+0x4a/0x210
[ 26.797763] [] SyS_epoll_ctl+0x10b1/0x2050
[ 26.797769] [] do_fast_syscall_32+0x314/0x890
[ 26.797780] [] sysenter_flags_fixed+0xd/0x17
[ 26.797782]
[ 26.797784] Freed by task 3324:
[ 26.797793] [] save_stack_trace+0x26/0x50
[ 26.797798] [] save_stack+0x43/0xd0
[ 26.797803] [] kasan_slab_free+0x72/0xc0
[ 26.797809] [] kfree+0xfc/0x300
[ 26.797816] [] binder_thread_dec_tmpref+0x1c1/0x250
[ 26.797822] [] binder_thread_release+0x27d/0x540
[ 26.797829] [] binder_ioctl+0xb94/0x12e0
[ 26.797838] [] compat_SyS_ioctl+0x28a/0x2540
[ 26.797844] [] do_fast_syscall_32+0x314/0x890
[ 26.797850] [] sysenter_flags_fixed+0xd/0x17
[ 26.797851]
[ 26.797856] The buggy address belongs to the object at ffff8800b45a7900
[ 26.797856]  which belongs to the cache kmalloc-512 of size 512
[ 26.797861] The buggy address is located 184 bytes inside of
[ 26.797861]  512-byte region [ffff8800b45a7900, ffff8800b45a7b00)
[ 26.797862] The buggy address belongs to the page:
[ 27.005251] kasan: CONFIG_KASAN_INLINE enabled
[ 27.005564] page:ffffea0002d16980 count:-30719 mapcount:-739378039 mapping:ffff8800b456b600 index:0xffff8801d2768700
[ 27.005567] flags: 0xffff8801d3edf700(owner_priv_1|arch_1|reserved|private_2|writeback|head|swapcache|mappedtodisk|swapbacked|unevictable|uncached|compound_lock)
[ 27.005590] page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
[ 27.005607] ------------[ cut here ]------------
[ 27.005610] kernel BUG at include/linux/mm.h:460!
[ 27.005614] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 27.005622] Dumping ftrace buffer:
[ 27.005625]    (ftrace buffer empty)
[ 27.005627] Modules linked in:
[ 27.005635] CPU: 0 PID: 3324 Comm: syzkaller313966 Not tainted 4.4.111-g7902639 #18
[ 27.005638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.005642] task: ffff8801d1fd97c0 task.stack: ffff8800b4e58000
[ 27.005645] RIP: 0010:[]  [] dump_page_badflags+0x191/0x250
[ 27.005661] RSP: 0018:ffff88009b000040  EFLAGS: 00010082
[ 27.005665] RAX: ffff8801d1fd97c0 RBX: ffffea0002d16980 RCX: ffffffff8148f96c
[ 27.005669] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801d1fda02c
[ 27.005672] RBP: ffff88009b000070 R08: 0000000000000001 R09: 0000000000000000
[ 27.005675] R10: 0000000000000002 R11: fffffbfff0ad8dc9 R12: 0000000000000000
[ 27.005678] R13: ffffffff838a8360 R14: 0000000000000000 R15: 0000000000000000
[ 27.005684] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 27.005687] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 27.005691] CR2: 00000000080a27c0 CR3: 000000000420c000 CR4: 0000000000160670
[ 27.005696] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 27.005700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 27.005701] Stack:
[ 27.005703]  0000000000000000 ffffea0002d16980 0000000000000000 ffffffff838a8360
[ 27.005711]  0000000000000000 0000000000000000 ffff88009b0000b0 ffffffff8148f991
[ 27.005718]  0000000000000000 ffffea0002d16980 0000000000000000 ffffffff838a8360
[ 27.005725] Call Trace:
[ 27.005728] Code: 46 e8 14 05 ed ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 00 05 ed ff 31 d2 48 c7 c6 60 83 8a 83 48 89 df e8 6f fe ff ff <0f> 0b e8 d8 e0 06 00 e9 21 ff ff ff 89 4d d4 e8 cb e0 06 00 8b
[ 27.005828] RIP  [] dump_page_badflags+0x191/0x250
[ 27.005837]  RSP
[ 27.005842] ---[ end trace a013dcb7f1579663 ]---
[ 27.005845] Kernel panic - not syncing: Fatal exception
[ 27.010009] Dumping ftrace buffer:
[ 27.010011]    (ftrace buffer empty)
[ 27.010013] Kernel Offset: disabled
[ 27.264186] Rebooting in 86400 seconds..
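Reading the three stacks together is the whole triage of this report: the kmalloc-512 object was allocated in binder_get_thread when epoll_ctl polled a binder file descriptor (binder_poll), it was freed through binder_ioctl -> binder_thread_release -> binder_thread_dec_tmpref, and it was read again 184 bytes in when exit_group tore down the epoll instance and remove_wait_queue took the spinlock of a wait queue that still pointed into the freed object. The kernel BUG at include/linux/mm.h:460 that follows fires inside dump_page_badflags while KASAN is printing the page behind the object, so it is fallout of the report path; the use-after-free is the finding to act on. The script below is an added example, not part of the syzkaller report and not syzkaller's own tooling: it parses a KASAN report into the use, allocation and free stacks, drops the "?" frames KASAN marks as unreliable, checks that the "N bytes inside" claim agrees with the printed addresses, and names the first non-plumbing frame and the entry syscall of each stack. The REPORT fixture is an excerpt of the report above with some frames trimmed; the empty `[]` brackets are how the page shows the stripped symbol addresses, and the regex accepts both that and `[<addr>]`. The PLUMBING prefix list is my own heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed fixture: an excerpt of the report above. Timestamps and the "?"
# frames that KASAN marks as unreliable are kept so the parser must cope.
REPORT = """\
[ 26.586600] BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50
[ 26.593232] Read of size 8 at addr ffff8800b45a79b8 by task syzkaller313966/3324
[ 26.645826] [] dump_stack+0xc1/0x124
[ 26.663391] [] ? __lock_acquire+0x387e/0x4b50
[ 26.676232] [] __lock_acquire+0x387e/0x4b50
[ 26.727535] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 26.739838] [] remove_wait_queue+0x14/0x40
[ 26.745689] [] ep_unregister_pollwait.isra.6+0xa8/0x220
[ 26.765243] [] ep_free+0x93/0x1c0
[ 26.797676] [] SyS_exit_group+0x1d/0x20
[ 26.797698]
[ 26.797702] Allocated by task 3324:
[ 26.797728] [] kasan_kmalloc+0xad/0xe0
[ 26.797747] [] binder_get_thread+0x181/0x7a0
[ 26.797753] [] binder_poll+0x4a/0x210
[ 26.797763] [] SyS_epoll_ctl+0x10b1/0x2050
[ 26.797784] Freed by task 3324:
[ 26.797809] [] kfree+0xfc/0x300
[ 26.797816] [] binder_thread_dec_tmpref+0x1c1/0x250
[ 26.797822] [] binder_thread_release+0x27d/0x540
[ 26.797838] [] compat_SyS_ioctl+0x28a/0x2540
[ 26.797856] The buggy address belongs to the object at ffff8800b45a7900
[ 26.797856]  which belongs to the cache kmalloc-512 of size 512
[ 26.797861] The buggy address is located 184 bytes inside of
[ 26.797861]  512-byte region [ffff8800b45a7900, ffff8800b45a7b00)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")        # "[ 26.586600] " console timestamp
FRAME = re.compile(r"^\[[^\]]*\]\s*(?P<unsure>\? )?(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
HEADER = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/\d+")
OBJ_AT = re.compile(r"object at ([0-9a-f]+)")
CACHE = re.compile(r"cache (\S+) of size (\d+)")
INSIDE = re.compile(r"located (\d+) bytes inside")
REGION = re.compile(r"region \[([0-9a-f]+), ([0-9a-f]+)\)")
# Heuristic (mine): frames owned by KASAN, the stack saver or the allocator.
PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__asan_",
            "save_stack", "kmem_cache_", "kfree", "__kmalloc", "kmalloc")

@dataclass
class Report:
    kind: str = ""
    fn: str = ""
    rw: str = ""
    size: int = 0
    addr: int = 0
    base: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = -1
    region: tuple = (0, 0)
    use: list = field(default_factory=list)
    alloc: list = field(default_factory=list)
    free: list = field(default_factory=list)

def parse(text: str) -> Report:
    """Split a KASAN report into its header, the three stacks and the object facts."""
    r, stack = Report(), None          # stack: list receiving the next reliable frame
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := HEADER.search(line):
            r.kind, r.fn, stack = m[1], m[2], r.use
        elif m := ACCESS.search(line):
            r.rw, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif line.startswith("Allocated by task"):
            stack = r.alloc
        elif line.startswith("Freed by task"):
            stack = r.free
        elif (m := FRAME.match(line)) and stack is not None and not m["unsure"]:
            stack.append(m["fn"])        # "? frame" entries are stale stack slots
        elif m := OBJ_AT.search(line):
            r.base = int(m[1], 16)
        elif m := CACHE.search(line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := INSIDE.search(line):
            r.offset = int(m[1])
        elif m := REGION.search(line):
            r.region = (int(m[1], 16), int(m[2], 16))
    return r

def first_real_frame(frames):
    """First frame that is not KASAN/allocator plumbing: where the work happened."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def entry_syscall(frames):
    """The syscall handler that led to this stack, so the trigger can be sequenced."""
    return next((f for f in frames if f.startswith(("SyS_", "compat_SyS_"))), None)

def offset_consistent(r: Report) -> bool:
    """KASAN's 'N bytes inside' claim must agree with addr - base and the region."""
    lo, hi = r.region
    return r.base == lo and hi - lo == r.obj_size and lo <= r.addr < hi and r.addr - r.base == r.offset

if __name__ == "__main__":
    rep = parse(REPORT)
    print(rep.kind, rep.rw, rep.size, rep.cache, "+%d" % rep.offset, offset_consistent(rep))
    for name, frames in (("alloc", rep.alloc), ("free", rep.free), ("use", rep.use)):
        print(f"{name:>5}: {first_real_frame(frames)} via {entry_syscall(frames)}")
```

Run against the full console log the same parser works unchanged, since everything before "BUG: KASAN:" and after the region line fails every pattern; the offset check is worth keeping because a report whose numbers disagree usually means the log was truncated or interleaved with another CPU's output.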