[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   15.642727] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.161205] random: sshd: uninitialized urandom read (32 bytes read)
[   19.440747] random: sshd: uninitialized urandom read (32 bytes read)
[   20.077740] random: sshd: uninitialized urandom read (32 bytes read)
[   20.212097] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.200' (ECDSA) to the list of known hosts.
[   25.851059] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   25.935708] IPVS: ftp: loaded support on port[0] = 21
[   25.961525] ==================================================================
[   25.968926] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100
[   25.975660] Read of size 8 at addr ffff8801d84a7c90 by task syz-executor014/4443
[   25.983176]
[   25.984790] CPU: 1 PID: 4443 Comm: syz-executor014 Not tainted 4.18.0-rc3-next-20180706+ #1
[   25.993431] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.002868] Call Trace:
[   26.005445]  dump_stack+0x1c9/0x2b4
[   26.009064]  ? dump_stack_print_info.cold.2+0x52/0x52
[   26.014243]  ? printk+0xa7/0xcf
[   26.017516]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   26.022261]  ? find_first_bit+0xf7/0x100
[   26.026320]  print_address_description+0x6c/0x20b
[   26.031143]  ? find_first_bit+0xf7/0x100
[   26.035185]  kasan_report.cold.7+0x242/0x30d
[   26.039683]  __asan_report_load8_noabort+0x14/0x20
[   26.044598]  find_first_bit+0xf7/0x100
[   26.048468]  shrink_slab+0x5d0/0xdb0
[   26.052173]  ? shrink_node_memcg+0xc91/0x18f0
[   26.058823]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   26.064436]  ? shrink_active_list+0x1830/0x1830
[   26.069096]  ? save_stack+0xa9/0xd0
[   26.072707]  ? save_stack+0x43/0xd0
[   26.076320]  ? kernfs_fop_open+0xa7f/0x1020
[   26.080633]  ? do_dentry_open+0xa7d/0x11c0
[   26.084856]  ? trace_hardirqs_on+0x10/0x10
[   26.089074]  ? trace_hardirqs_on+0x10/0x10
[   26.093293]  shrink_node+0x429/0x16a0
[   26.097078]  ? shrink_node_memcg+0x18f0/0x18f0
[   26.102000]  ? kvm_clock_read+0x25/0x30
[   26.105967]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   26.110971]  ? ktime_get_raw_ts64+0x4f0/0x4f0
[   26.115467]  ? kernfs_fop_open+0x570/0x1020
[   26.119774]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   26.124786]  do_try_to_free_pages+0x3e7/0x1290
[   26.129443]  ? shrink_node+0x16a0/0x16a0
[   26.133488]  ? lock_release+0xa30/0xa30
[   26.137531]  ? check_same_owner+0x340/0x340
[   26.141833]  ? trace_hardirqs_on+0x10/0x10
[   26.146054]  ? lock_downgrade+0x8f0/0x8f0
[   26.150193]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   26.155776]  ? _parse_integer+0x13b/0x190
[   26.159924]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   26.165445]  try_to_free_mem_cgroup_pages+0x49d/0xc90
[   26.170626]  ? pointer_string+0x1b0/0x1b0
[   26.174767]  ? __mutex_lock+0x6c4/0x1680
[   26.178811]  ? try_to_free_pages+0xb80/0xb80
[   26.183203]  ? memparse+0x171/0x1d0
[   26.186814]  ? get_options+0x380/0x380
[   26.190694]  ? kasan_kmalloc+0xc4/0xe0
[   26.194560]  ? __kmalloc+0x14e/0x760
[   26.198258]  ? kernfs_fop_write+0x33d/0x480
[   26.202559]  ? __vfs_write+0x117/0x9f0
[   26.206425]  ? vfs_write+0x1fc/0x560
[   26.210117]  ? ksys_pwrite64+0x181/0x1b0
[   26.214159]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   26.219680]  ? page_counter_memparse+0xb5/0x1e0
[   26.224329]  ? page_counter_set_low+0x180/0x180
[   26.228975]  ? cgroup_control+0x180/0x180
[   26.233117]  memory_high_write+0x283/0x310
[   26.237356]  ? mem_cgroup_css_released+0x140/0x140
[   26.242279]  ? lock_acquire+0x1e4/0x540
[   26.246238]  ? __might_fault+0x12b/0x1e0
[   26.250284]  cgroup_file_write+0x31f/0x840
[   26.254513]  ? mem_cgroup_css_released+0x140/0x140
[   26.259424]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   26.264343]  ? __might_fault+0x1a3/0x1e0
[   26.268397]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   26.273305]  kernfs_fop_write+0x2ba/0x480
[   26.277444]  __vfs_write+0x117/0x9f0
[   26.281138]  ? kernfs_fop_open+0x1020/0x1020
[   26.285528]  ? kernel_read+0x120/0x120
[   26.289397]  ? lock_release+0xa30/0xa30
[   26.293352]  ? check_same_owner+0x340/0x340
[   26.297652]  ? __fget_light+0x2f7/0x440
[   26.301609]  ? rcu_note_context_switch+0x730/0x730
[   26.306516]  ? fget_raw+0x20/0x20
[   26.309951]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   26.315468]  ? __sb_start_write+0x17f/0x300
[   26.319772]  vfs_write+0x1fc/0x560
[   26.323295]  ksys_pwrite64+0x181/0x1b0
[   26.327175]  ? __ia32_sys_pread64+0xf0/0xf0
[   26.331477]  ? __ia32_sys_read+0xb0/0xb0
[   26.335520]  __x64_sys_pwrite64+0x97/0xf0
[   26.339663]  do_syscall_64+0x1b9/0x820
[   26.343536]  ? syscall_return_slowpath+0x5e0/0x5e0
[   26.348447]  ? syscall_return_slowpath+0x31d/0x5e0
[   26.353706]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   26.358715]  ? prepare_exit_to_usermode+0x291/0x3b0
[   26.363714]  ? perf_trace_sys_enter+0xb10/0xb10
[   26.368362]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   26.373378]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.378560] RIP: 0033:0x4419d9
[   26.381742] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   26.400875] RSP: 002b:00007ffdb8f41e38 EFLAGS: 00000217 ORIG_RAX: 0000000000000012
[   26.408568] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419d9
[   26.415835] RDX: 0000000000000000 RSI: 0000000020002e40 RDI: 0000000000000004
[   26.423087] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006
[   26.430338] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[   26.437589] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000
[   26.444859]
[   26.446466] Allocated by task 4442:
[   26.450083]  save_stack+0x43/0xd0
[   26.453555]  kasan_kmalloc+0xc4/0xe0
[   26.457521]  __kmalloc_node+0x47/0x70
[   26.461312]  kvmalloc_node+0x65/0xf0
[   26.465014]  mem_cgroup_css_online+0x169/0x3c0
[   26.469698]  online_css+0x10c/0x350
[   26.473307]  cgroup_apply_control_enable+0x777/0xe90
[   26.478388]  cgroup_mkdir+0x88a/0x1170
[   26.482255]  kernfs_iop_mkdir+0x159/0x1e0
[   26.486506]  vfs_mkdir+0x42e/0x6b0
[   26.490031]  do_mkdirat+0x27b/0x310
[   26.493643]  __x64_sys_mkdir+0x5c/0x80
[   26.497511]  do_syscall_64+0x1b9/0x820
[   26.501386]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.506550]
[   26.508155] Freed by task 2797:
[   26.511419]  save_stack+0x43/0xd0
[   26.514864]  __kasan_slab_free+0x11a/0x170
[   26.519164]  kasan_slab_free+0xe/0x10
[   26.522963]  kfree+0xd9/0x260
[   26.526612]  single_release+0x8f/0xb0
[   26.530396]  __fput+0x35d/0x930
[   26.533659]  ____fput+0x15/0x20
[   26.536918]  task_work_run+0x1ec/0x2a0
[   26.540786]  exit_to_usermode_loop+0x313/0x370
[   26.545345]  do_syscall_64+0x6be/0x820
[   26.549214]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.554390]
[   26.556003] The buggy address belongs to the object at ffff8801d84a7c80
[   26.556003]  which belongs to the cache kmalloc-32 of size 32
[   26.568575] The buggy address is located 16 bytes inside of
[   26.568575]  32-byte region [ffff8801d84a7c80, ffff8801d84a7ca0)
[   26.580259] The buggy address belongs to the page:
[   26.585181] page:ffffea00076129c0 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d84a7fc1
[   26.594607] flags: 0x2fffc0000000100(slab)
[   26.599267] raw: 02fffc0000000100 ffffea0007217788 ffffea000762cac8 ffff8801da8001c0
[   26.607131] raw: ffff8801d84a7fc1 ffff8801d84a7000 0000000100000030 0000000000000000
[   26.614986] page dumped because: kasan: bad access detected
[   26.620672]
[   26.622276] Memory state around the buggy address:
[   26.627198]  ffff8801d84a7b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   26.634541]  ffff8801d84a7c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   26.641889] >ffff8801d84a7c80: 00 00 05 fc fc fc fc fc 00 07 fc fc fc fc fc fc
[   26.649237]                          ^
[   26.653104]  ffff8801d84a7d00: 00 07 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   26.660441]  ffff8801d84a7d80: 00 00 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[   26.667780] ==================================================================
[   26.675250] Kernel panic - not syncing: panic_on_warn set ...
[   26.675250]
[   26.682611] CPU: 1 PID: 4443 Comm: syz-executor014 Tainted: G    B             4.18.0-rc3-next-20180706+ #1
[   26.692470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.701810] Call Trace:
[   26.704399]  dump_stack+0x1c9/0x2b4
[   26.708016]  ? dump_stack_print_info.cold.2+0x52/0x52
[   26.713198]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.717938]  panic+0x238/0x4e7
[   26.721111]  ? add_taint.cold.5+0x16/0x16
[   26.725238]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.729626]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.734030]  ? find_first_bit+0xf7/0x100
[   26.738250]  kasan_end_report+0x47/0x4f
[   26.742218]  kasan_report.cold.7+0x76/0x30d
[   26.746521]  __asan_report_load8_noabort+0x14/0x20
[   26.751431]  find_first_bit+0xf7/0x100
[   26.755308]  shrink_slab+0x5d0/0xdb0
[   26.759017]  ? shrink_node_memcg+0xc91/0x18f0
[   26.763526]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   26.769140]  ? shrink_active_list+0x1830/0x1830
[   26.773793]  ? save_stack+0xa9/0xd0
[   26.777402]  ? save_stack+0x43/0xd0
[   26.781011]  ? kernfs_fop_open+0xa7f/0x1020
[   26.785338]  ? do_dentry_open+0xa7d/0x11c0
[   26.789562]  ? trace_hardirqs_on+0x10/0x10
[   26.793781]  ? trace_hardirqs_on+0x10/0x10
[   26.798000]  shrink_node+0x429/0x16a0
[   26.801801]  ? shrink_node_memcg+0x18f0/0x18f0
[   26.806451]  ? kvm_clock_read+0x25/0x30
[   26.810414]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   26.815411]  ? ktime_get_raw_ts64+0x4f0/0x4f0
[   26.819887]  ? kernfs_fop_open+0x570/0x1020
[   26.824193]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   26.829199]  do_try_to_free_pages+0x3e7/0x1290
[   26.833764]  ? shrink_node+0x16a0/0x16a0
[   26.837811]  ? lock_release+0xa30/0xa30
[   26.841775]  ? check_same_owner+0x340/0x340
[   26.846087]  ? trace_hardirqs_on+0x10/0x10
[   26.850310]  ? lock_downgrade+0x8f0/0x8f0
[   26.854442]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   26.859961]  ? _parse_integer+0x13b/0x190
[   26.864094]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   26.869614]  try_to_free_mem_cgroup_pages+0x49d/0xc90
[   26.874791]  ? pointer_string+0x1b0/0x1b0
[   26.878928]  ? __mutex_lock+0x6c4/0x1680
[   26.882978]  ? try_to_free_pages+0xb80/0xb80
[   26.887374]  ? memparse+0x171/0x1d0
[   26.890992]  ? get_options+0x380/0x380
[   26.894875]  ? kasan_kmalloc+0xc4/0xe0
[   26.898740]  ? __kmalloc+0x14e/0x760
[   26.902435]  ? kernfs_fop_write+0x33d/0x480
[   26.906776]  ? __vfs_write+0x117/0x9f0
[   26.910686]  ? vfs_write+0x1fc/0x560
[   26.914378]  ? ksys_pwrite64+0x181/0x1b0
[   26.918420]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   26.923947]  ? page_counter_memparse+0xb5/0x1e0
[   26.928597]  ? page_counter_set_low+0x180/0x180
[   26.933249]  ? cgroup_control+0x180/0x180
[   26.937387]  memory_high_write+0x283/0x310
[   26.941606]  ? mem_cgroup_css_released+0x140/0x140
[   26.946516]  ? lock_acquire+0x1e4/0x540
[   26.950479]  ? __might_fault+0x12b/0x1e0
[   26.954546]  cgroup_file_write+0x31f/0x840
[   26.958763]  ? mem_cgroup_css_released+0x140/0x140
[   26.963675]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   26.968603]  ? __might_fault+0x1a3/0x1e0
[   26.972657]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   26.977566]  kernfs_fop_write+0x2ba/0x480
[   26.981696]  __vfs_write+0x117/0x9f0
[   26.985401]  ? kernfs_fop_open+0x1020/0x1020
[   26.989793]  ? kernel_read+0x120/0x120
[   26.993661]  ? lock_release+0xa30/0xa30
[   26.997616]  ? check_same_owner+0x340/0x340
[   27.001919]  ? __fget_light+0x2f7/0x440
[   27.005875]  ? rcu_note_context_switch+0x730/0x730
[   27.010786]  ? fget_raw+0x20/0x20
[   27.014222]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.019741]  ? __sb_start_write+0x17f/0x300
[   27.024051]  vfs_write+0x1fc/0x560
[   27.027575]  ksys_pwrite64+0x181/0x1b0
[   27.031443]  ? __ia32_sys_pread64+0xf0/0xf0
[   27.035742]  ? __ia32_sys_read+0xb0/0xb0
[   27.039799]  __x64_sys_pwrite64+0x97/0xf0
[   27.043926]  do_syscall_64+0x1b9/0x820
[   27.047794]  ? syscall_return_slowpath+0x5e0/0x5e0
[   27.052704]  ? syscall_return_slowpath+0x31d/0x5e0
[   27.057614]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   27.062614]  ? prepare_exit_to_usermode+0x291/0x3b0
[   27.067637]  ? perf_trace_sys_enter+0xb10/0xb10
[   27.072303]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.077149]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.082327] RIP: 0033:0x4419d9
[   27.085494] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   27.104646] RSP: 002b:00007ffdb8f41e38 EFLAGS: 00000217 ORIG_RAX: 0000000000000012
[   27.112337] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419d9
[   27.119680] RDX: 0000000000000000 RSI: 0000000020002e40 RDI: 0000000000000004
[   27.126951] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006
[   27.134223] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
[   27.141481] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000
[   27.149310] Dumping ftrace buffer:
[   27.152842]    (ftrace buffer empty)
[   27.156531] Kernel Offset: disabled
[   27.160141] Rebooting in 86400 seconds..