random: sshd: uninitialized urandom read (32 bytes read, 123 bits of entropy available)
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 kernel/locking/lockdep.c:3092
Read of size 8 at addr ffff8801d338aab8 by task syzkaller141200/3331

CPU: 1 PID: 3331 Comm: syzkaller141200 Not tainted 4.4.112-g52c02cf #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 f43db18087f3a6e8 ffff8800b3c37850 ffffffff81d056fd
 ffffea00074ce280 ffff8801d338aab8 0000000000000000 ffff8801d338aab8
 0000000000000000 ffff8800b3c37888 ffffffff814fd953 ffff8801d338aab8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] __lock_acquire+0x387e/0x4b50 kernel/locking/lockdep.c:3092
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline]
 [] _raw_spin_lock_irqsave+0x4e/0x70 kernel/locking/spinlock.c:159
 [] remove_wait_queue+0x14/0x40 kernel/sched/wait.c:49
 [] ep_remove_wait_queue fs/eventpoll.c:530 [inline]
 [] ep_unregister_pollwait.isra.6+0xa8/0x220 fs/eventpoll.c:548
 [] ep_free+0x93/0x1c0 fs/eventpoll.c:765
 [] ep_eventpoll_release+0x44/0x60 fs/eventpoll.c:797
 [] __fput+0x233/0x6d0 fs/file_table.c:208
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x104/0x180 kernel/task_work.c:115
 [] exit_task_work include/linux/task_work.h:21 [inline]
 [] do_exit+0x871/0x2a20 kernel/exit.c:755
 [] do_group_exit+0x108/0x320 kernel/exit.c:885
 [] SYSC_exit_group kernel/exit.c:896 [inline]
 [] SyS_exit_group+0x1d/0x20 kernel/exit.c:894
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline]
 [] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457
 [] sysenter_flags_fixed+0xd/0x17

Allocated by task 3331:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [] kmem_cache_alloc_trace+0x100/0x2b0 mm/slub.c:2642
 [] kmalloc include/linux/slab.h:476 [inline]
 [] kzalloc include/linux/slab.h:620 [inline]
 [] binder_get_thread+0x181/0x7a0 drivers/android/binder.c:4452
 [] binder_poll+0x4a/0x210 drivers/android/binder.c:4555
 [] ep_item_poll fs/eventpoll.c:806 [inline]
 [] ep_insert fs/eventpoll.c:1319 [inline]
 [] SYSC_epoll_ctl fs/eventpoll.c:1934 [inline]
 [] SyS_epoll_ctl+0x10b1/0x2050 fs/eventpoll.c:1833
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline]
 [] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457
 [] sysenter_flags_fixed+0xd/0x17

Freed by task 3331:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kfree+0xfc/0x300 mm/slub.c:3749
 [] binder_free_thread drivers/android/binder.c:4480 [inline]
 [] binder_thread_dec_tmpref+0x1c1/0x250 drivers/android/binder.c:2036
 [] binder_thread_release+0x27d/0x540 drivers/android/binder.c:4544
 [] binder_ioctl+0xb94/0x12e0 drivers/android/binder.c:4760
 [] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline]
 [] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457
 [] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the object at ffff8801d338aa00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 184 bytes inside of
 512-byte region [ffff8801d338aa00, ffff8801d338ac00)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 3320 Comm: getty Not tainted 4.4.112-g52c02cf #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 8e8cca36c3e6cdc4 ffff8800b444fa30 ffffffff81d056fd
 ffffffff85152f20 0000000000000000 ffff8800b4958000 ffff8800b3241aa0
 0000000000000000 ffff8800b444fa40 ffffffff8141a053 ffff8800b444fbe8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] register_lock_class.part.26+0x32/0x36 kernel/locking/lockdep.c:762
 [] register_lock_class kernel/locking/lockdep.c:767 [inline]
 [] __lock_acquire+0x3a49/0x4b50 kernel/locking/lockdep.c:3101
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline]
 [] _raw_spin_lock_irqsave+0x4e/0x70 kernel/locking/spinlock.c:159
 [] force_sig_info+0x54/0x300 kernel/signal.c:1176
 [] force_sig_info_fault.constprop.20+0x158/0x1c0 arch/x86/mm/fault.c:187
 [
PTP clock support registered
Advanced Linux Sound Architecture Driver Initialized.
PCI: Using ACPI for IRQ routing
NetLabel: Initializing
NetLabel: domain hash size = 128
NetLabel: protocols = UNLABELED CIPSOv4
NetLabel: unlabeled traffic allowed by default
amd_nb: Cannot enumerate AMD northbridges
clocksource: Switched to clocksource kvm-clock
pnp: PnP ACPI init
pnp: PnP ACPI: found 7 devices
clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
NET: Registered protocol family 2
TCP established hash table entries: 65536 (order: 7, 524288 bytes)
TCP bind hash table entries: 65536 (order: 10, 4194304 bytes)
TCP: Hash tables configured (established 65536 bind 65536)
UDP hash table entries: 4096 (order: 7, 655360 bytes)
UDP-Lite hash table entries: 4096 (order: 7, 655360 bytes)
NET: Registered protocol family 1
pci 0000:00:00.0: Limiting direct PCI/PCI transfers
PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
software IO TLB [mem 0xbbffd000-0xbfffd000] (64MB) mapped at [ffff8800bbffd000-ffff8800bfffcfff]
RAPL PMU detected, API unit is 2^-32 Joules, 3 fixed counters 10737418240 ms ovfl timer
hw unit of domain pp0-core 2^-0 Joules
hw unit of domain package 2^-0 Joules
hw unit of domain dram 2^-16 Joules
Scanning for low memory corruption every 60 seconds
audit: initializing netlink subsys (disabled)
audit: type=2000 audit(1516361918.197:1): initialized
HugeTLB registered 2 MB page size, pre-allocated 0 pages
VFS: Disk quotas dquot_6.6.0
VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
fuse init (API version 7.23)
9p: Installing v9fs 9p2000 file system support
async_tx: api initialized (async)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: Sleep Button [SLPF]
ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 11
virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 10
virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
[drm] Initialized drm 1.1.0 20060810
brd: module loaded
loop: module loaded
nbd: registered device at major 43
drbd: initialized. Version: 8.4.5 (api:1/proto:86-101)
drbd: built-in
drbd: registered as block device major 147
scsi host0: Virtio SCSI HBA
scsi 0:0:1:0: Direct-Access     Google   PersistentDisk   1    PQ: 0 ANSI: 6
tsc: Refined TSC clocksource calibration: 2299.797 MHz
clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x212675491f4, max_idle_ns: 440795258396 ns
st: Version 20101219, fixed bufsize 32768, s/g segs 256
osst :I: Tape driver with OnStream support version 0.99.4
osst :I: $Id: osst.c,v 1.73 2005/01/01 21:13:34 wriede Exp $
sd 0:0:1:0: [sda] 4194304 512-byte logical blocks: (2.15 GB/2.00 GiB)
sd 0:0:1:0: [sda] 4096-byte physical blocks
sd 0:0:1:0: Attached scsi generic sg0 type 0
SCSI Media Changer driver v0.25
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky
sd 0:0:1:0: [sda] Write Protect is off
sd 0:0:1:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
 sda: sda1
e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
e100: Copyright(c) 1999-2006 Intel Corporation
e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
e1000: Copyright (c) 1999-2006 Intel Corporation.
e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
sky2: driver version 1.30
sd 0:0:1:0: [sda] Attached SCSI disk
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP Deflate Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
usbcore: registered new interface driver asix
usbcore: registered new interface driver ax88179_178a
usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver net1080
usbcore: registered new interface driver cdc_subset
usbcore: registered new interface driver zaurus
usbcore: registered new interface driver cdc_ncm
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-pci: EHCI PCI platform driver
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
ohci-pci: OHCI PCI platform driver
uhci_hcd: USB Universal Host Controller Interface driver
usbcore: registered new interface driver usblp
usbcore: registered new interface driver usb-storage
i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12
i8042: Warning: Keylock active
serio: i8042 KBD port at 0x60,0x64 irq 1
serio: i8042 AUX port at 0x60,0x64 irq 12
mousedev: PS/2 mouse device common for all mice
usbcore: registered new interface driver xpad
usbcore: registered new interface driver usb_acecad
usbcore: registered new interface driver aiptek
usbcore: registered new interface driver gtco
usbcore: registered new interface driver hanwang
usbcore: registered new interface driver kbtab
rtc_cmos 00:00: RTC can wake from S4
rtc_cmos 00:00: rtc core: registered rtc_cmos as rtc0
rtc_cmos 00:00: alarms up to one day, 114 bytes nvram
iTCO_wdt: Intel TCO WatchDog Timer Driver v1.11
softdog: Software Watchdog Timer: 0.08 initialized. soft_noboot=0 soft_margin=60 sec soft_panic=0 (nowayout=0)
md: linear personality registered for level -1
md: raid0 personality registered for level 0
md: raid1 personality registered for level 1
md: raid10 personality registered for level 10
md: raid6 personality registered for level 6
md: raid5 personality registered for level 5
md: raid4 personality registered for level 4
md: multipath personality registered for level -4
md: faulty personality registered for level -5
device-mapper: uevent: version 1.0.3
device-mapper: ioctl: 4.34.0-ioctl (2015-10-28) initialised: dm-devel@redhat.com
device-mapper: multipath: version 1.10.0 loaded
device-mapper: multipath round-robin: version 1.0.0 loaded
device-mapper: multipath queue-length: version 0.1.0 loaded
device-mapper: multipath service-time: version 0.2.0 loaded
device-mapper: raid: Loading target version 1.7.0
hidraw: raw HID events driver (C) Jiri Kosina
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
ashmem: initialized
oprofile: using timer interrupt.
pktgen: Packet Generator for packet performance testing. Version: 2.75
GACT probability on
Mirror/redirect action on
Simple TC action Loaded
netem: version 1.3
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
ctnetlink v0.93: registering with nfnetlink.
input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input2
nf_tables: (c) 2007-2009 Patrick McHardy
xt_time: kernel timezone is -0000
IPVS: Registered protocols (TCP, UDP, AH, ESP)
IPVS: Connection hash table configured (size=4096, memory=64Kbytes)
IPVS: Creating netns size=2552 id=0
IPVS: ipvs loaded.
IPVS: [rr] scheduler registered.
IPVS: [wrr] scheduler registered.
IPVS: [lc] scheduler registered.
IPVS: [wlc] scheduler registered.
IPVS: [lblc] scheduler registered.
IPVS: [lblcr] scheduler registered.
IPVS: [dh] scheduler registered.
IPVS: [sh] scheduler registered.
IPVS: [sed] scheduler registered.
IPVS: [nq] scheduler registered.
ipip: IPv4 over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
arp_tables: (C) 2002 David S. Miller
Initializing XFRM netlink socket
NET: Registered protocol family 10
mip6: Mobile IPv6
ip6_tables: (C) 2000-2006 Netfilter Core Team
sit: IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
l2tp_core: L2TP core driver, V2.0
l2tp_ppp: PPPoL2TP kernel driver, V2.0
9pnet: Installing 9P2000 support
Key type dns_resolver registered
microcode: CPU0 sig=0x306f0, pf=0x1, revision=0x1
microcode: CPU1 sig=0x306f0, pf=0x1, revision=0x1
microcode: Microcode Update Driver: v2.01 , Peter Oruba
AVX2 version of gcm_enc/dec engaged.
AES CTR mode by8 optimization enabled
registered taskstats version 1
Btrfs loaded
Magic number: 2:144:631
console [netcon0] enabled
netconsole: network logging started
ALSA device list:
  No soundcards found.
md: Waiting for all devices to be available before autodetect
md: If you don't use raid, use raid=noautodetect
md: Autodetecting RAID arrays.
md: Scanned 0 and added 0 devices.
md: autorun ...
md: ... autorun DONE.
EXT4-fs (sda1): couldn't mount as ext3 due to feature incompatibilities
EXT4-fs (sda1): INFO: recovery required on readonly filesystem
EXT4-fs (sda1): write access will be enabled during recovery