[ 15.381528] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.495715] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.858212] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 22.685574] random: sshd: uninitialized urandom read (32 bytes read, 95 bits of entropy available)
[ 22.896340] random: sshd: uninitialized urandom read (32 bytes read, 100 bits of entropy available)
Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
[ 28.311690] random: sshd: uninitialized urandom read (32 bytes read, 109 bits of entropy available)
executing program
executing program
[ 28.415952] ==================================================================
[ 28.423352] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 28.430333] Read of size 8 at addr ffff8801d283f240 by task syzkaller130200/3315
[ 28.437831]
[ 28.439432] CPU: 1 PID: 3315 Comm: syzkaller130200 Not tainted 4.4.113-g202e079 #1
[ 28.447105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.456429]  0000000000000000 a62814c7d0b61e57 ffff8801d0627ab0 ffffffff81d0278d
[ 28.464389]  ffffea00074a0fc0 ffff8801d283f240 0000000000000000 ffff8801d283f240
[ 28.472356]  ffff8801d0590238 ffff8801d0627ae8 ffffffff814fd053 ffff8801d283f240
[ 28.480327] Call Trace:
[ 28.482890]  [] dump_stack+0xc1/0x124
[ 28.488229]  [] print_address_description+0x73/0x260
[ 28.494868]  [] kasan_report+0x285/0x370
[ 28.500468]  [] ? sg_remove_request+0xf9/0x110
[ 28.506580]  [] __asan_report_load8_noabort+0x14/0x20
[ 28.513300]  [] sg_remove_request+0xf9/0x110
[ 28.519238]  [] sg_finish_rem_req+0x295/0x340
[ 28.525265]  [] sg_read+0xa1b/0x1490
[ 28.530508]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 28.537142]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 28.544126]  [] ? sg_proc_seq_show_debug+0xda0/0xda0
[ 28.550763]  [] __vfs_read+0x103/0x440
[ 28.556186]  [] ? vfs_iter_write+0x2d0/0x2d0
[ 28.562126]  [] ? fsnotify+0x5ad/0xee0
[ 28.567540]  [] ? fsnotify+0xee0/0xee0
[ 28.572959]  [] ? avc_policy_seqno+0x9/0x20
[ 28.578810]  [] ? selinux_file_permission+0x348/0x460
[ 28.585530]  [] ? security_file_permission+0x89/0x1e0
[ 28.592257]  [] ? rw_verify_area+0x100/0x2f0
[ 28.598195]  [] vfs_read+0x123/0x3a0
[ 28.603438]  [] SyS_read+0xd9/0x1b0
[ 28.608595]  [] ? do_sendfile+0xd30/0xd30
[ 28.614274]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 28.620735]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 28.627278]
[ 28.628876] Allocated by task 0:
[ 28.632207] (stack is not available)
[ 28.635883]
[ 28.637477] Freed by task 0:
[ 28.640466] (stack is not available)
[ 28.644143]
[ 28.645738] The buggy address belongs to the object at ffff8801d283f200
[ 28.645738]  which belongs to the cache fasync_cache of size 96
[ 28.658366] The buggy address is located 64 bytes inside of
[ 28.658366]  96-byte region [ffff8801d283f200, ffff8801d283f260)
[ 28.670033] The buggy address belongs to the page:
[ 29.737077] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c4
[ 29.745357] IP: [] qlist_free_all+0x2e/0xc0
[ 29.751373] PGD 80000001d3f03067 PUD 1d2b4f067 PMD 0
[ 29.756952] Oops: 0000 [#1] PREEMPT SMP KASAN
[ 29.761972] Dumping ftrace buffer:
[ 29.765497]    (ftrace buffer empty)
[ 29.769199] Modules linked in:
[ 29.772532] CPU: 0 PID: 3159 Comm: rsyslogd Not tainted 4.4.113-g202e079 #1
[ 29.779620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.788967] task: ffff8801d31b5f00 task.stack: ffff8800b6f70000
[ 29.795017] RIP: 0010:[]  [] qlist_free_all+0x2e/0xc0
[ 29.803480] RSP: 0018:ffff8800b6f77c50  EFLAGS: 00010246
[ 29.808922] RAX: ffffea00000e2a00 RBX: 0000000000000000 RCX: ffffea00000e2a1f
[ 29.816185] RDX: 0000000000000000 RSI: ffffffff838a8de0 RDI: 0000000000000000
[ 29.823460] RBP: ffff8800b6f77c78 R08: ffff8801d05a9f78 R09: 00000001802e002d
[ 29.830727] R10: ffffea0007416a40 R11: 0000000000000000 R12: ffffffff838a8de0
[ 29.837997] R13: ffff8800b6f77c90 R14: ffffffff814fd8ee R15: 0000000080000000
[ 29.845265] FS:  00007f249c022700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 29.853487] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.859369] CR2: 00000000000000c4 CR3: 00000001d2a2c000 CR4: 0000000000160670
[ 29.866639] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.873904] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.881169] Stack:
[ 29.883307]  0000000000000000 ffff8800b6f77c90 00000000024000c0 ffff8800b081e4d8
[ 29.891360]  ffff8801da263140 ffff8800b6f77cc0 ffffffff814fdd8f ffffffff814fdc92
[ 29.899401]  ffff8800b47fa200 ffff8800b3e0e600 0000000000100408 b369440afd2b99b6
[ 29.907441] Call Trace:
[ 29.910024]  [] quarantine_reduce+0x18f/0x1d0
[ 29.916076]  [] ? quarantine_reduce+0x92/0x1d0
[ 29.922230]  [] kasan_kmalloc+0xca/0xe0
[ 29.927764]  [] ? __split_vma.isra.40+0x171/0x750
[ 29.934168]  [] kasan_slab_alloc+0x12/0x20
[ 29.939966]  [] kmem_cache_alloc+0xba/0x290
[ 29.945851]  [] __split_vma.isra.40+0x171/0x750
[ 29.952083]  [] ? quarantine_put+0xab/0x180
[ 29.957964]  [] split_vma+0x5b/0x80
[ 29.963153]  [] mprotect_fixup+0x4d7/0x600
[ 29.968945]  [] ? vmacache_find+0x57/0x290
[ 29.974740]  [] SyS_mprotect+0x304/0x660
[ 29.980364]  [] ? mprotect_fixup+0x600/0x600
[ 29.986340]  [] ? up_write+0x1a/0x60
[ 29.991621]  [] ? lockdep_sys_exit_thunk+0x12/0x14
[ 29.998116]  [] entry_SYSCALL_64_fastpath+0x1c/0x98
[ 30.004685] Code: e5 41 57 41 56 41 55 41 54 53 48 89 f3 48 8b 37 48 85 f6 0f 84 8e 00 00 00 49 89 fd 49 c7 c6 ee d8 4f 81 41 bf 00 00 00 80 eb 1d <48> 63 87 c4 00 00 00 4c 89 f2 4c 8b 26 48 29 c6 e8 9d d3 ff ff
[ 30.032265] RIP  [] qlist_free_all+0x2e/0xc0
[ 30.038368]  RSP
[ 30.041981] CR2: 00000000000000c4
[ 30.045779] ---[ end trace 61f7749b3d7e7cd8 ]---
[ 30.050538] Kernel panic - not syncing: Fatal exception
[ 30.430099] PANIC: double fault, error_code: 0x0
[ 30.434876] CPU: 1 PID: 3315 Comm: syzkaller130200 Tainted: G      D         4.4.113-g202e079 #1
[ 30.443769] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.453096] task: ffff8800b4e9af80 task.stack: ffff8801d0620000
[ 30.459122] RIP: 0010:[]  [] dump_page_badflags+0x8/0x250
[ 30.467881] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[ 30.473301] RAX: ffff8800b4e9af80 RBX: ffffea00074a0fc0 RCX: ffffffff8148f8d0
[ 30.480542] RDX: 0000000000000000 RSI: ffffffff838a8de0 RDI: ffffea00074a0fc0
[ 30.487796] RBP: ffff880100000010 R08: 0000000000000001 R09: 0000000000000000
[ 30.495040] R10: 0000000000000002 R11: fffffbfff0ad7e26 R12: 0000000000000000
[ 30.502286] R13: ffffffff838a8de0 R14: 0000000000000000 R15: 0000000000000000
[ 30.509537] FS:  00007f6c9213a700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 30.517734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 30.523587] CR2: ffff8800fffffff8 CR3: 00000000b6f3c000 CR4: 0000000000160670
[ 30.530829] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 30.538074] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 30.545322] Stack:
[ 30.547440]
[ 30.549039] Call Trace:
[ 30.551591]
[ 30.553623] Code: 00 e9 83 fd ff ff e8 78 df 06 00 e9 50 fd ff ff e8 6e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 <41> 55 49 89 f5 41 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 b1 04
[ 31.171164] Shutting down cpus with NMI
[ 31.175579] Dumping ftrace buffer:
[ 31.179087]    (ftrace buffer empty)
[ 31.182765] Kernel Offset: disabled
[ 31.186359] Rebooting in 86400 seconds..