random: sshd: uninitialized urandom read (32 bytes read, 126 bits of entropy available)
==================================================================
BUG: KASAN: slab-out-of-bounds in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130
Read of size 8 at addr ffff8801d129d140 by task syzkaller607658/3316

CPU: 1 PID: 3316 Comm: syzkaller607658 Not tainted 4.4.111-g1849cd3 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 08b5108fcdfc1d42 ffff8801d0cef970 ffffffff81d0509d
 ffffea000744a740 ffff8801d129d140 0000000000000000 ffff8801d129d140
 ffff8801d0454438 ffff8801d0cef9a8 ffffffff814fd433 ffff8801d129d140
Call Trace:
 [<ffffffff81d0509d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0509d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fd433>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fd945>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fd945>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814fdaa4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff825b9d09>] list_empty include/linux/list.h:189 [inline]
 [<ffffffff825b9d09>] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130
 [<ffffffff825ba285>] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1848
 [<ffffffff825bc0c1>] sg_read+0xa21/0x1490 drivers/scsi/sg.c:538
 [<ffffffff8151cc51>] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680
 [<ffffffff8151f7ef>] compat_do_readv_writev+0x5df/0x6e0 fs/read_write.c:984
 [<ffffffff8151f9c9>] compat_readv+0xd9/0x140 fs/read_write.c:1013
 [<ffffffff81521d58>] C_SYSC_readv fs/read_write.c:1033 [inline]
 [<ffffffff81521d58>] compat_SyS_readv+0xd8/0x1b0 fs/read_write.c:1022
 [<ffffffff81006d84>] do_syscall_32_irqs_on arch/x86/entry/common.c:390 [inline]
 [<ffffffff81006d84>] do_fast_syscall_32+0x314/0x890 arch/x86/entry/common.c:457
 [<ffffffff8377722a>] sysenter_flags_fixed+0xd/0x17

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d129d100
 which belongs to the cache fasync_cache of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff8801d129d100, ffff8801d129d160)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3294 Comm: getty Not tainted 4.4.111-g1849cd3 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800b647af80 task.stack: ffff8800b66f0000
RIP: 0010:[<ffffffff81d681f8>]  [<ffffffff81d681f8>] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline]
RIP: 0010:[<ffffffff81d681f8>]  [<ffffffff81d681f8>] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726
RSP: 0018:ffff8800b66f7b60  EFLAGS: 00010007
RAX: 0000000000000292 RBX: ffff8801d2c47590 RCX: 0000000000000003
RDX: 09ebe8eaa84be9aa RSI: ffff8800b66f7bf0 RDI: ffffffff838a8378
RBP: ffff8800b66f7c58 R08: 1ffffffff071506f R09: ffffffff8512a880
R10: dead000000000200 R11: 1ffff10016cdef32 R12: 0000292965676170
R13: ffff8801d2c474d8 R14: 4f5f4755425f4d56 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d4c0d59110 CR3: 000000000420c000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000079 ffff8800b66f7bf0 0000000000000003 0000000000000292
 1ffff10016cdef7a ffffffff857a3b00 ffff8801d2c48000 ffff8801d2c47590
 dead000000000200 4f5f4755425f4d56 00000000000450c0 fffffbfff0af4760
Call Trace:
 [<ffffffff814f94ec>] slab_free_hook mm/slub.c:1376 [inline]
 [<ffffffff814f94ec>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814f94ec>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814f94ec>] kmem_cache_free+0xbc/0x320 mm/slub.c:2881
 [<ffffffff81c896d2>] put_io_context+0x112/0x150 block/blk-ioc.c:154
 [<ffffffff81c899a4>] put_io_context_active+0x294/0x370 block/blk-ioc.c:196
 [<ffffffff81c89ae6>] exit_io_context+0x66/0x80 block/blk-ioc.c:210
 [<ffffffff81133a00>] do_exit+0x13c0/0x2a20 kernel/exit.c:800
 [<ffffffff81139328>] do_group_exit+0x108/0x320 kernel/exit.c:885
 [<ffffffff8113955d>] SYSC_exit_group kernel/exit.c:896 [inline]
 [<ffffffff8113955d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:894
 [<ffffffff83775899>] entry_SYSCALL_64_fastpath+0x16/0x92
Code: 48 c7 c6 40 ea 75 85 4c 8b 34 0e 4d 85 f6 0f 84 c5 03 00 00 49 ba 00 02 00 00 00 00 ad de 31 c9 48 8d 75 98 4c 89 f2 48 c1 ea 03 <42> 80 3c 3a 00 0f 85 f0 03 00 00 49 8d 7e 18 83 c1 01 49 8b 16 
RIP  [<ffffffff81d681f8>] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline]
RIP  [<ffffffff81d681f8>] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726
 RSP <ffff8800b66f7b60>
---[ end trace b6aeae0e1e6f5764 ]---