random: sshd: uninitialized urandom read (32 bytes read, 95 bits of entropy available) ================================================================== BUG: KASAN: slab-out-of-bounds in list_empty include/linux/list.h:189 [inline] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130 Read of size 8 at addr ffff8800b5631140 by task syzkaller771773/3322 CPU: 1 PID: 3322 Comm: syzkaller771773 Not tainted 4.4.111-g7902639 #18 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 6e6e9991c49ed7db ffff8800b3c8fa40 ffffffff81d0509d ffffea0002d58c40 ffff8800b5631140 0000000000000000 ffff8800b5631140 ffff8800b4610238 ffff8800b3c8fa78 ffffffff814fd433 ffff8800b5631140 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x73/0x260 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report+0x285/0x370 mm/kasan/report.c:408 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 [] list_empty include/linux/list.h:189 [inline] [] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1848 [] sg_read+0xa21/0x1490 drivers/scsi/sg.c:538 [] __vfs_read+0x103/0x440 fs/read_write.c:432 [] vfs_read+0x123/0x3a0 fs/read_write.c:454 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd9/0x1b0 fs/read_write.c:562 [] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline] [] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457 [] sysenter_flags_fixed+0xd/0x17 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8800b5631100 which belongs to the cache fasync_cache of size 96 The buggy address is located 64 bytes inside of 96-byte region [ffff8800b5631100, ffff8800b5631160) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 489 Comm: khugepaged Not tainted 4.4.111-g7902639 #18 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801d8c217c0 task.stack: ffff8801d93d8000 RIP: 0010:[] [] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline] RIP: 0010:[] [] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726 RSP: 0018:ffff8801d93df7d8 EFLAGS: 00010803 RAX: 0000000000000282 RBX: ffff88021fb37000 RCX: 0000000000000002 RDX: 1d2000dc1b1d0161 RSI: ffff8801d93df868 RDI: ffffffff8148f9a9 RBP: ffff8801d93df8d0 R08: 1ffffffff0291f35 R09: ffffffff850f1140 R10: dead000000000200 R11: 1ffff1003b27bec2 R12: ed04cee8ffffff45 R13: ffff88021fb36000 R14: e90006e0d8e80b0f R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055a91af9d120 CR3: 00000000b554c000 CR4: 0000000000160670 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: 0000000000000000 ffffffff85183600 ffff8801d8c217c0 0000000000000000 1ffff1003b27bf09 ffffffff857630c0 ffff88021fb37000 ffff88021fb37000 ffff8801d93df860 ffffffff8123581f 0000000000004680 fffffbfff0aec618 Call Trace: [] free_pages_prepare+0x4a9/0xb30 mm/page_alloc.c:1049 [] free_hot_cold_page+0x3f/0x3a0 mm/page_alloc.c:2112 [] free_hot_cold_page_list+0x8f/0x3b0 mm/page_alloc.c:2160 [] release_pages+0x1f7/0x4f0 mm/swap.c:970 [] pagevec_lru_move_fn+0x1c5/0x250 mm/swap.c:443 [] __pagevec_lru_add mm/swap.c:1054 [inline] [] __lru_cache_add+0x187/0x240 mm/swap.c:637 [] lru_cache_add+0x44/0x90 mm/swap.c:674 [] putback_lru_page+0xa7/0x110 mm/vmscan.c:749 [] release_pte_page mm/huge_memory.c:2227 [inline] [] __collapse_huge_page_copy mm/huge_memory.c:2354 [inline] [] collapse_huge_page mm/huge_memory.c:2645 [inline] [] khugepaged_scan_pmd mm/huge_memory.c:2754 [inline] [] khugepaged_scan_mm_slot mm/huge_memory.c:2846 [inline] [] khugepaged_do_scan mm/huge_memory.c:2926 [inline] [] khugepaged+0x211f/0x2ac0 mm/huge_memory.c:2961 [] kthread+0x268/0x300 kernel/kthread.c:211 [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:494 Code: 48 c7 c6 40 ea 75 85 4c 8b 34 0e 4d 85 f6 0f 84 c5 03 00 00 49 ba 00 02 00 00 00 00 ad de 31 c9 48 8d 75 98 4c 89 f2 48 c1 ea 03 <42> 80 3c 3a 00 0f 85 f0 03 00 00 49 8d 7e 18 83 c1 01 49 8b 16 RIP [] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline] RIP [] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726 RSP ---[ end trace 13b76b9365b6ffd1 ]---