[ 16.314112] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.471942] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 21.834229] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 22.651718] random: sshd: uninitialized urandom read (32 bytes read, 100 bits of entropy available)
[ 22.820379] random: sshd: uninitialized urandom read (32 bytes read, 105 bits of entropy available)
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
[ 28.292138] random: sshd: uninitialized urandom read (32 bytes read, 113 bits of entropy available)
executing program
[ 28.397024] ==================================================================
[ 28.404409] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110
[ 28.411389] Read of size 8 at addr ffff8801d13cd140 by task syzkaller372133/3314
[ 28.418885] 
[ 28.420481] CPU: 0 PID: 3314 Comm: syzkaller372133 Not tainted 4.4.111-g3301b55 #17
[ 28.428236] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.437554]  0000000000000000 1d91482e275aa639 ffff8801d067fa40 ffffffff81d0509d
[ 28.445507]  ffffea000744f340 ffff8801d13cd140 0000000000000000 ffff8801d13cd140
[ 28.453451]  ffff8801d1374438 ffff8801d067fa78 ffffffff814fd433 ffff8801d13cd140
[ 28.461400] Call Trace:
[ 28.463962]  [] dump_stack+0xc1/0x124
[ 28.469294]  [] print_address_description+0x73/0x260
[ 28.475925]  [] kasan_report+0x285/0x370
[ 28.481526]  [] ? sg_remove_request+0xf9/0x110
[ 28.487635]  [] __asan_report_load8_noabort+0x14/0x20
[ 28.494351]  [] sg_remove_request+0xf9/0x110
[ 28.500286]  [] sg_finish_rem_req+0x295/0x340
[ 28.506322]  [] sg_read+0xa21/0x1490
[ 28.511564]  [] ? sg_fasync+0x8d/0xb0
[ 28.516894]  [] ? compat_SyS_open+0x2a/0x40
[ 28.522750]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 28.529381]  [] ? debug_check_no_obj_freed+0x166/0x9b0
[ 28.536184]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 28.543075]  [] ? sg_proc_seq_show_debug+0xd30/0xd30
[ 28.549706]  [] __vfs_read+0x103/0x440
[ 28.555119]  [] ? vfs_iter_write+0x2d0/0x2d0
[ 28.561053]  [] ? fsnotify+0x5ad/0xee0
[ 28.566466]  [] ? fsnotify+0xee0/0xee0
[ 28.571887]  [] ? compat_SyS_ioctl+0x117/0x2540
[ 28.578090]  [] ? avc_policy_seqno+0x9/0x20
[ 28.583947]  [] ? selinux_file_permission+0x348/0x460
[ 28.590664]  [] ? security_file_permission+0x89/0x1e0
[ 28.597389]  [] ? rw_verify_area+0x100/0x2f0
[ 28.603345]  [] vfs_read+0x123/0x3a0
[ 28.608601]  [] SyS_read+0xd9/0x1b0
[ 28.613755]  [] ? do_sendfile+0xd30/0xd30
[ 28.619444]  [] ? vmacache_update+0xfe/0x130
[ 28.625393]  [] ? do_fast_syscall_32+0xd7/0x890
[ 28.631595]  [] ? do_sendfile+0xd30/0xd30
[ 28.637276]  [] do_fast_syscall_32+0x314/0x890
[ 28.643400]  [] sysenter_flags_fixed+0xd/0x17
[ 28.649424] 
[ 28.651020] Allocated by task 0:
[ 28.654351] (stack is not available)
[ 28.658026] 
[ 28.659618] Freed by task 0:
[ 28.662598] (stack is not available)
[ 28.666272] 
[ 28.667865] The buggy address belongs to the object at ffff8801d13cd100
[ 28.667865]  which belongs to the cache fasync_cache of size 96
[ 28.680487] The buggy address is located 64 bytes inside of
[ 28.680487]  96-byte region [ffff8801d13cd100, ffff8801d13cd160)
[ 28.692153] The buggy address belongs to the page:
[ 28.807329] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 28.814981] BUG: unable to handle kernel paging request at ffff8801cf04e060
[ 28.822334] IP: [] 0xffff8801cf04e060
[ 28.827825] PGD 60e8067 PUD 80000001c00000e3
[ 28.832593] Oops: 0011 [#1] PREEMPT SMP KASAN
[ 28.837578] Dumping ftrace buffer:
[ 28.841100]    (ftrace buffer empty)
[ 28.844793] Modules linked in:
[ 28.848095] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.111-g3301b55 #17
[ 28.855088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.864437] task: ffff8801da3a97c0 task.stack: ffff8801da3b8000
[ 28.870485] RIP: 0010:[] [] 0xffff8801cf04e060
[ 28.878399] RSP: 0018:ffff8801db307340 EFLAGS: 00010246
[ 28.883837] RAX: dffffc0000000000 RBX: 1ffff1003b660e6d RCX: ffffffff82e973af
[ 28.891100] RDX: 1ffff920000d8804 RSI: ffffc900006c4028 RDI: ffff8801d066f500
[ 28.898360] RBP: ffff8801db3073f0 R08: 0000000000000001 R09: 0000000000000000
[ 28.905620] R10: 0000000000000000 R11: 1ffff1003b660e34 R12: ffff8801d066f500
[ 28.912949] R13: 0000000000000000 R14: ffffc900006c4000 R15: ffff8801db3073c8
[ 28.920209] FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
[ 28.928433] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.934311] CR2: ffff8801cf04e060 CR3: 00000001d0896000 CR4: 0000000000160670
[ 28.941573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 28.948830] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 28.956092] Stack:
[ 28.958231]  ffffffff82e973d9 ffffffff82e97288 ffff8801da3a97c0 ffffc900006c4002
[ 28.966265]  0000000100000003 0000000041b58ab3 ffffffff83ffe13e ffffffff82e97190
[ 28.974292]  ffff88021fffd057 ffff88021fffd05b ffff88021fffd04f ffffed0043fffa0b
[ 28.982311] Call Trace:
[ 28.984883] 
[ 28.986948]  [] ? sk_filter_trim_cap+0x249/0x6d0
[ 28.993566]  [] ? sk_filter_trim_cap+0xf8/0x6d0
[ 28.999799]  [] ? bpf_skb_set_tunnel_key+0x2e0/0x2e0
[ 29.006462]  [] sock_queue_rcv_skb+0xa7/0xb70
[ 29.013787]  [] ? strlcpy+0x9a/0x120
[ 29.019065]  [] packet_rcv_spkt+0x3b3/0x4c0
[ 29.024954]  [] ? packet_rcv_fanout+0x620/0x620
[ 29.031183]  [] dev_hard_start_xmit+0x62b/0x1220
[ 29.037502]  [] ? dev_hard_start_xmit+0xa6/0x1220
[ 29.043912]  [] sch_direct_xmit+0x2c1/0x760
[ 29.049808]  [] ? dev_deactivate_queue.constprop.34+0x150/0x150
[ 29.057426]  [] __dev_queue_xmit+0x1368/0x1a70
[ 29.063575]  [] ? __dev_queue_xmit+0x1a6/0x1a70
[ 29.069804]  [] ? netdev_pick_tx+0x310/0x310
[ 29.075770]  [] ? mark_held_locks+0xaf/0x100
[ 29.081739]  [] ? ip_finish_output2+0xa64/0x1060
[ 29.088055]  [] dev_queue_xmit+0x17/0x20
[ 29.093671]  [] ip_finish_output2+0xbe8/0x1060
[ 29.099806]  [] ? ip_finish_output+0x784/0xb00
[ 29.105952]  [] ? dst_output+0x150/0x150
[ 29.111576]  [] ? __lock_is_held+0xa1/0xf0
[ 29.117379]  [] ip_finish_output+0x784/0xb00
[ 29.123343]  [] ip_output+0x1cf/0x4c0
[ 29.128704]  [] ? ip_mc_output+0x980/0x980
[ 29.134498]  [] ? ip_fragment.constprop.49+0x200/0x200
[ 29.141337]  [] ip_local_out+0x95/0x170
[ 29.146874]  [] ip_queue_xmit+0x87b/0x16c0
[ 29.152669]  [] ? ip_queue_xmit+0x3f/0x16c0
[ 29.158553]  [] ? __tcp_v4_send_check+0x1bf/0x350
[ 29.164961]  [] tcp_transmit_skb+0x17a8/0x2ce0
[ 29.171105]  [] ? bictcp_cong_avoid+0xee0/0xee0
[ 29.177334]  [] ? __tcp_select_window+0x520/0x520
[ 29.183738]  [] ? ipip_gro_complete+0x100/0x100
[ 29.189966]  [] ? kvm_clock_read+0x23/0x40
[ 29.195756]  [] ? kvm_clock_get_cycles+0x9/0x10
[ 29.201984]  [] __tcp_retransmit_skb+0x47f/0x17b0
[ 29.208410]  [] tcp_retransmit_skb+0x23/0x2c0
[ 29.214465]  [] tcp_retransmit_timer+0xa60/0x1f10
[ 29.220871]  [] tcp_write_timer_handler+0x21e/0x6d0
[ 29.227463]  [] tcp_write_timer+0xa1/0xd0
[ 29.233181]  [] call_timer_fn+0x18b/0x860
[ 29.238893]  [] ? call_timer_fn+0xdc/0x860
[ 29.244698]  [] ? tcp_write_timer_handler+0x6d0/0x6d0
[ 29.251449]  [] ? process_timeout+0x20/0x20
[ 29.257420]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 29.263734]  [] ? tcp_write_timer_handler+0x6d0/0x6d0
[ 29.270480]  [] ? trace_hardirqs_on_caller+0x266/0x590
[ 29.277310]  [] ? tcp_write_timer_handler+0x6d0/0x6d0
[ 29.284057]  [] run_timer_softirq+0x604/0xbb0
[ 29.290109]  [] ? msleep+0xe0/0xe0
[ 29.295212]  [] __do_softirq+0x24d/0xa59
[ 29.300833]  [] irq_exit+0x119/0x140
[ 29.306109]  [] smp_apic_timer_interrupt+0x7b/0xa0
[ 29.312598]  [] apic_timer_interrupt+0xa0/0xb0
[ 29.318729] 
[ 29.320801]  [] ? native_safe_halt+0x6/0x10
[ 29.326984]  [] ? trace_hardirqs_on+0xd/0x10
[ 29.332954]  [] default_idle+0x55/0x3c0
[ 29.338485]  [] arch_cpu_idle+0xa/0x10
[ 29.343944]  [] default_idle_call+0x48/0x70
[ 29.349826]  [] cpu_startup_entry+0x605/0x820
[ 29.355881]  [] ? call_cpuidle+0xe0/0xe0
[ 29.361495]  [] ? clockevents_register_device+0x122/0x230
[ 29.368587]  [] start_secondary+0x304/0x3e0
[ 29.374558]  [] ? set_cpu_sibling_map+0x1040/0x1040
[ 29.381128] Code: 00 00 00 40 f3 44 07 00 ea ff ff 00 00 00 00 00 00 00 00 a0 83 8a 83 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 04 cf 01 88 ff ff 91 f9 48 81 ff ff ff ff 54 00 00 00 0f
[ 29.408543] RIP [] 0xffff8801cf04e060
[ 29.414106]  RSP 
[ 29.417719] CR2: ffff8801cf04e060
[ 29.421156] ---[ end trace 99185c85790f3ddc ]---
[ 29.425896] Kernel panic - not syncing: Fatal exception in interrupt
[ 30.511676] PANIC: double fault, error_code: 0x0
[ 30.516457] CPU: 0 PID: 3314 Comm: syzkaller372133 Tainted: G D 4.4.111-g3301b55 #17
[ 30.525433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.534756] task: ffff8801d10417c0 task.stack: ffff8801d0678000
[ 30.540785] RIP: 0010:[] [] dump_page_badflags+0x12/0x250