[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 16.967561] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.090313] random: sshd: uninitialized urandom read (32 bytes read) [ 21.525272] random: sshd: uninitialized urandom read (32 bytes read) [ 22.202731] random: sshd: uninitialized urandom read (32 bytes read) [ 22.373594] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts. [ 27.810805] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 27.907602] IPVS: ftp: loaded support on port[0] = 21 [ 27.935653] ================================================================== [ 27.943077] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100 [ 27.949838] Read of size 8 at addr ffff8801d71a3b90 by task syz-executor028/4471 [ 27.957355] [ 27.958985] CPU: 1 PID: 4471 Comm: syz-executor028 Not tainted 4.18.0-rc3-next-20180706+ #1 [ 27.967462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.976995] Call Trace: [ 27.979595] dump_stack+0x1c9/0x2b4 [ 27.983227] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.988426] ? printk+0xa7/0xcf [ 27.991704] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 27.996462] ? find_first_bit+0xf7/0x100 [ 28.000514] print_address_description+0x6c/0x20b [ 28.005360] ? find_first_bit+0xf7/0x100 [ 28.009412] kasan_report.cold.7+0x242/0x30d [ 28.013830] __asan_report_load8_noabort+0x14/0x20 [ 28.018769] find_first_bit+0xf7/0x100 [ 28.022651] shrink_slab+0x5d0/0xdb0 [ 28.026369] ? shrink_node_memcg+0xc91/0x18f0 [ 28.030877] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 28.036494] ? shrink_active_list+0x1830/0x1830 [ 28.041164] shrink_node+0x429/0x16a0 [ 28.044977] ? shrink_node_memcg+0x18f0/0x18f0 [ 28.049564] ? kvm_clock_read+0x25/0x30 [ 28.053528] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.058535] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 28.063045] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.068081] do_try_to_free_pages+0x3e7/0x1290 [ 28.072668] ? shrink_node+0x16a0/0x16a0 [ 28.076719] ? lock_release+0xa30/0xa30 [ 28.080686] ? check_same_owner+0x340/0x340 [ 28.085018] ? lock_downgrade+0x8f0/0x8f0 [ 28.089174] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.094699] ? _parse_integer+0x13b/0x190 [ 28.098834] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.104368] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 28.109552] ? pointer_string+0x1b0/0x1b0 [ 28.113688] ? __mutex_lock+0x6c4/0x1680 [ 28.117754] ? try_to_free_pages+0xb80/0xb80 [ 28.122168] ? memparse+0x171/0x1d0 [ 28.125821] ? get_options+0x380/0x380 [ 28.129701] ? kasan_kmalloc+0xc4/0xe0 [ 28.133598] ? __kmalloc+0x14e/0x760 [ 28.137300] ? kernfs_fop_write+0x33d/0x480 [ 28.141619] ? __vfs_write+0x117/0x9f0 [ 28.145497] ? __kernel_write+0x10c/0x370 [ 28.149641] ? write_pipe_buf+0x181/0x240 [ 28.153792] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.159345] ? page_counter_memparse+0xb5/0x1e0 [ 28.164018] ? page_counter_set_low+0x180/0x180 [ 28.168706] ? cgroup_control+0x180/0x180 [ 28.172880] memory_high_write+0x283/0x310 [ 28.177121] ? mem_cgroup_css_released+0x140/0x140 [ 28.182048] ? lock_downgrade+0x8f0/0x8f0 [ 28.186190] ? lock_release+0xa30/0xa30 [ 28.190157] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 28.195350] cgroup_file_write+0x31f/0x840 [ 28.199590] ? mem_cgroup_css_released+0x140/0x140 [ 28.204524] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 28.209542] ? __kmalloc+0x315/0x760 [ 28.213252] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.218799] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 28.223721] kernfs_fop_write+0x2ba/0x480 [ 28.227864] __vfs_write+0x117/0x9f0 [ 28.231568] ? kernfs_fop_open+0x1020/0x1020 [ 28.235980] ? kernel_read+0x120/0x120 [ 28.239873] ? default_file_splice_read+0x864/0xb10 [ 28.244977] ? splice_direct_to_actor+0x6fc/0x8f0 [ 28.249807] ? do_splice_direct+0x2d4/0x420 [ 28.254290] ? do_sendfile+0x62a/0xe20 [ 28.258163] ? __x64_sys_sendfile64+0x15d/0x250 [ 28.262822] ? iter_file_splice_write+0x1010/0x1010 [ 28.267837] ? check_same_owner+0x340/0x340 [ 28.272162] ? rcu_note_context_switch+0x730/0x730 [ 28.277101] __kernel_write+0x10c/0x370 [ 28.281088] write_pipe_buf+0x181/0x240 [ 28.285054] ? do_splice_direct+0x420/0x420 [ 28.289388] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.295030] ? splice_from_pipe_next.part.9+0x296/0x340 [ 28.300409] ? __ia32_sys_membarrier+0x150/0x150 [ 28.305187] __splice_from_pipe+0x38e/0x7c0 [ 28.309516] ? do_splice_direct+0x420/0x420 [ 28.313853] splice_from_pipe+0x1ea/0x340 [ 28.318003] ? do_splice_direct+0x420/0x420 [ 28.322324] ? splice_shrink_spd+0xd0/0xd0 [ 28.326580] ? security_file_permission+0x1c2/0x230 [ 28.331604] default_file_splice_write+0x3c/0x90 [ 28.336444] ? generic_splice_sendpage+0x50/0x50 [ 28.341203] direct_splice_actor+0x128/0x190 [ 28.345608] splice_direct_to_actor+0x318/0x8f0 [ 28.350287] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.355824] ? pipe_to_sendpage+0x400/0x400 [ 28.360152] ? do_splice_to+0x190/0x190 [ 28.364307] ? security_file_permission+0x1c2/0x230 [ 28.369317] ? rw_verify_area+0x118/0x360 [ 28.373458] do_splice_direct+0x2d4/0x420 [ 28.378917] ? splice_direct_to_actor+0x8f0/0x8f0 [ 28.383755] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.389293] ? __sb_start_write+0x17f/0x300 [ 28.393615] do_sendfile+0x62a/0xe20 [ 28.397325] ? do_compat_pwritev64+0x1c0/0x1c0 [ 28.401918] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.407463] ? _copy_from_user+0xdf/0x150 [ 28.411609] __x64_sys_sendfile64+0x15d/0x250 [ 28.416114] ? __ia32_sys_sendfile+0x2a0/0x2a0 [ 28.420689] do_syscall_64+0x1b9/0x820 [ 28.424568] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.429491] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.434421] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 28.439452] ? prepare_exit_to_usermode+0x291/0x3b0 [ 28.444463] ? perf_trace_sys_enter+0xb10/0xb10 [ 28.449138] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.454065] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.459374] RIP: 0033:0x4419e9 [ 28.462552] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 28.481732] RSP: 002b:00007ffefc7412c8 EFLAGS: 00000217 ORIG_RAX: 0000000000000028 [ 28.489444] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419e9 [ 28.496713] RDX: 0000000020000040 RSI: 0000000000000004 RDI: 0000000000000004 [ 28.503991] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 28.511777] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000000000 [ 28.519124] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 28.526391] [ 28.528015] Allocated by task 4470: [ 28.531649] save_stack+0x43/0xd0 [ 28.535100] kasan_kmalloc+0xc4/0xe0 [ 28.538800] __kmalloc_node+0x47/0x70 [ 28.542602] kvmalloc_node+0x65/0xf0 [ 28.546318] mem_cgroup_css_online+0x169/0x3c0 [ 28.550888] online_css+0x10c/0x350 [ 28.554507] cgroup_apply_control_enable+0x777/0xe90 [ 28.559611] cgroup_mkdir+0x88a/0x1170 [ 28.563484] kernfs_iop_mkdir+0x159/0x1e0 [ 28.567619] vfs_mkdir+0x42e/0x6b0 [ 28.571145] do_mkdirat+0x27b/0x310 [ 28.574764] __x64_sys_mkdir+0x5c/0x80 [ 28.578648] do_syscall_64+0x1b9/0x820 [ 28.582537] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.587717] [ 28.589332] Freed by task 1: [ 28.592341] save_stack+0x43/0xd0 [ 28.595795] __kasan_slab_free+0x11a/0x170 [ 28.600026] kasan_slab_free+0xe/0x10 [ 28.603839] kfree+0xd9/0x260 [ 28.606932] acpi_ns_get_node_unlocked+0x2b9/0x309 [ 28.611846] acpi_ns_get_node+0x4d/0x6b [ 28.615826] acpi_get_handle+0x15b/0x263 [ 28.619873] acpi_has_method+0x70/0xb0 [ 28.623749] acpi_init_device_object+0xa66/0x1f80 [ 28.628582] acpi_add_single_object+0x1d2/0x1e90 [ 28.633341] acpi_bus_check_add+0x61c/0xb60 [ 28.637650] acpi_ns_walk_namespace+0x224/0x400 [ 28.642315] acpi_walk_namespace+0xf2/0x12c [ 28.646629] acpi_bus_scan+0x146/0x170 [ 28.650501] acpi_scan_init+0x403/0x8fe [ 28.654465] acpi_init+0x941/0xa19 [ 28.658167] do_one_initcall+0x127/0x913 [ 28.662217] kernel_init_freeable+0x49b/0x58e [ 28.666713] kernel_init+0x11/0x1b3 [ 28.670339] ret_from_fork+0x3a/0x50 [ 28.674039] [ 28.675671] The buggy address belongs to the object at ffff8801d71a3b80 [ 28.675671] which belongs to the cache kmalloc-32 of size 32 [ 28.688166] The buggy address is located 16 bytes inside of [ 28.688166] 32-byte region [ffff8801d71a3b80, ffff8801d71a3ba0) [ 28.699874] The buggy address belongs to the page: [ 28.704799] page:ffffea00075c68c0 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d71a3fc1 [ 28.714245] flags: 0x2fffc0000000100(slab) [ 28.718473] raw: 02fffc0000000100 ffffea00075c6548 ffffea00075c69c8 ffff8801da8001c0 [ 28.726367] raw: ffff8801d71a3fc1 ffff8801d71a3000 000000010000003f 0000000000000000 [ 28.734254] page dumped because: kasan: bad access detected [ 28.739958] [ 28.741571] Memory state around the buggy address: [ 28.746490] ffff8801d71a3a80: 00 04 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc [ 28.753839] ffff8801d71a3b00: 00 03 fc fc fc fc fc fc 00 07 fc fc fc fc fc fc [ 28.761192] >ffff8801d71a3b80: 00 00 05 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 28.768555] ^ [ 28.772446] ffff8801d71a3c00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 28.779793] ffff8801d71a3c80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 28.787146] ================================================================== [ 28.794600] Kernel panic - not syncing: panic_on_warn set ... [ 28.794600] [ 28.801991] CPU: 1 PID: 4471 Comm: syz-executor028 Tainted: G B 4.18.0-rc3-next-20180706+ #1 [ 28.811871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.821222] Call Trace: [ 28.823822] dump_stack+0x1c9/0x2b4 [ 28.827462] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.832645] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.837424] panic+0x238/0x4e7 [ 28.840628] ? add_taint.cold.5+0x16/0x16 [ 28.844785] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.849219] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.853641] ? find_first_bit+0xf7/0x100 [ 28.857811] kasan_end_report+0x47/0x4f [ 28.861795] kasan_report.cold.7+0x76/0x30d [ 28.866112] __asan_report_load8_noabort+0x14/0x20 [ 28.871124] find_first_bit+0xf7/0x100 [ 28.875020] shrink_slab+0x5d0/0xdb0 [ 28.878735] ? shrink_node_memcg+0xc91/0x18f0 [ 28.883230] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 28.888850] ? shrink_active_list+0x1830/0x1830 [ 28.893518] shrink_node+0x429/0x16a0 [ 28.897337] ? shrink_node_memcg+0x18f0/0x18f0 [ 28.901912] ? kvm_clock_read+0x25/0x30 [ 28.905880] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.910910] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 28.915514] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.920525] do_try_to_free_pages+0x3e7/0x1290 [ 28.925111] ? shrink_node+0x16a0/0x16a0 [ 28.929278] ? lock_release+0xa30/0xa30 [ 28.933259] ? check_same_owner+0x340/0x340 [ 28.937584] ? lock_downgrade+0x8f0/0x8f0 [ 28.941740] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.947286] ? _parse_integer+0x13b/0x190 [ 28.951428] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.956973] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 28.962185] ? pointer_string+0x1b0/0x1b0 [ 28.966331] ? __mutex_lock+0x6c4/0x1680 [ 28.970399] ? try_to_free_pages+0xb80/0xb80 [ 28.974827] ? memparse+0x171/0x1d0 [ 28.978462] ? get_options+0x380/0x380 [ 28.982368] ? kasan_kmalloc+0xc4/0xe0 [ 28.986255] ? __kmalloc+0x14e/0x760 [ 28.989961] ? kernfs_fop_write+0x33d/0x480 [ 28.994276] ? __vfs_write+0x117/0x9f0 [ 28.998174] ? __kernel_write+0x10c/0x370 [ 29.002333] ? write_pipe_buf+0x181/0x240 [ 29.006491] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.012198] ? page_counter_memparse+0xb5/0x1e0 [ 29.016875] ? page_counter_set_low+0x180/0x180 [ 29.021566] ? cgroup_control+0x180/0x180 [ 29.025717] memory_high_write+0x283/0x310 [ 29.029957] ? mem_cgroup_css_released+0x140/0x140 [ 29.034880] ? lock_downgrade+0x8f0/0x8f0 [ 29.039046] ? lock_release+0xa30/0xa30 [ 29.043051] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 29.048257] cgroup_file_write+0x31f/0x840 [ 29.052491] ? mem_cgroup_css_released+0x140/0x140 [ 29.057413] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 29.062443] ? __kmalloc+0x315/0x760 [ 29.066168] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.071718] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 29.076642] kernfs_fop_write+0x2ba/0x480 [ 29.080823] __vfs_write+0x117/0x9f0 [ 29.084530] ? kernfs_fop_open+0x1020/0x1020 [ 29.088943] ? kernel_read+0x120/0x120 [ 29.092831] ? default_file_splice_read+0x864/0xb10 [ 29.097843] ? splice_direct_to_actor+0x6fc/0x8f0 [ 29.102682] ? do_splice_direct+0x2d4/0x420 [ 29.107009] ? do_sendfile+0x62a/0xe20 [ 29.110898] ? __x64_sys_sendfile64+0x15d/0x250 [ 29.115574] ? iter_file_splice_write+0x1010/0x1010 [ 29.120603] ? check_same_owner+0x340/0x340 [ 29.124924] ? rcu_note_context_switch+0x730/0x730 [ 29.129872] __kernel_write+0x10c/0x370 [ 29.133857] write_pipe_buf+0x181/0x240 [ 29.137837] ? do_splice_direct+0x420/0x420 [ 29.142171] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.147727] ? splice_from_pipe_next.part.9+0x296/0x340 [ 29.153089] ? __ia32_sys_membarrier+0x150/0x150 [ 29.157859] __splice_from_pipe+0x38e/0x7c0 [ 29.162192] ? do_splice_direct+0x420/0x420 [ 29.166526] splice_from_pipe+0x1ea/0x340 [ 29.170702] ? do_splice_direct+0x420/0x420 [ 29.175016] ? splice_shrink_spd+0xd0/0xd0 [ 29.179273] ? security_file_permission+0x1c2/0x230 [ 29.184298] default_file_splice_write+0x3c/0x90 [ 29.189061] ? generic_splice_sendpage+0x50/0x50 [ 29.193820] direct_splice_actor+0x128/0x190 [ 29.198238] splice_direct_to_actor+0x318/0x8f0 [ 29.202922] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.208478] ? pipe_to_sendpage+0x400/0x400 [ 29.212801] ? do_splice_to+0x190/0x190 [ 29.216776] ? security_file_permission+0x1c2/0x230 [ 29.221806] ? rw_verify_area+0x118/0x360 [ 29.225967] do_splice_direct+0x2d4/0x420 [ 29.230121] ? splice_direct_to_actor+0x8f0/0x8f0 [ 29.234979] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.240525] ? __sb_start_write+0x17f/0x300 [ 29.244864] do_sendfile+0x62a/0xe20 [ 29.248590] ? do_compat_pwritev64+0x1c0/0x1c0 [ 29.253175] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.258708] ? _copy_from_user+0xdf/0x150 [ 29.262865] __x64_sys_sendfile64+0x15d/0x250 [ 29.267366] ? __ia32_sys_sendfile+0x2a0/0x2a0 [ 29.271944] do_syscall_64+0x1b9/0x820 [ 29.275827] ? syscall_return_slowpath+0x5e0/0x5e0 [ 29.280771] ? syscall_return_slowpath+0x31d/0x5e0 [ 29.287016] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 29.292075] ? prepare_exit_to_usermode+0x291/0x3b0 [ 29.297114] ? perf_trace_sys_enter+0xb10/0xb10 [ 29.301784] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.306635] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.311824] RIP: 0033:0x4419e9 [ 29.315008] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 29.334181] RSP: 002b:00007ffefc7412c8 EFLAGS: 00000217 ORIG_RAX: 0000000000000028 [ 29.342062] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419e9 [ 29.349338] RDX: 0000000020000040 RSI: 0000000000000004 RDI: 0000000000000004 [ 29.356610] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 29.363890] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000000000 [ 29.371168] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 29.379668] Dumping ftrace buffer: [ 29.383240] (ftrace buffer empty) [ 29.386946] Kernel Offset: disabled [ 29.390574] Rebooting in 86400 seconds..