[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 17.107334] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.888250] random: sshd: uninitialized urandom read (32 bytes read) [ 22.322696] random: sshd: uninitialized urandom read (32 bytes read) [ 23.013795] random: sshd: uninitialized urandom read (32 bytes read) [ 23.167901] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts. [ 28.991871] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 29.084187] IPVS: ftp: loaded support on port[0] = 21 [ 29.111577] ================================================================== [ 29.119009] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100 [ 29.125753] Read of size 8 at addr ffff8801d740c710 by task syz-executor607/4493 [ 29.133277] [ 29.134899] CPU: 1 PID: 4493 Comm: syz-executor607 Not tainted 4.18.0-rc3-next-20180706+ #1 [ 29.143382] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.152743] Call Trace: [ 29.155330] dump_stack+0x1c9/0x2b4 [ 29.158953] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.164130] ? printk+0xa7/0xcf [ 29.167414] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 29.172174] ? find_first_bit+0xf7/0x100 [ 29.176237] print_address_description+0x6c/0x20b [ 29.181083] ? find_first_bit+0xf7/0x100 [ 29.185142] kasan_report.cold.7+0x242/0x30d [ 29.189545] __asan_report_load8_noabort+0x14/0x20 [ 29.194482] find_first_bit+0xf7/0x100 [ 29.198371] shrink_slab+0x5d0/0xdb0 [ 29.202106] ? shrink_node_memcg+0xc91/0x18f0 [ 29.206641] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 29.212421] ? shrink_active_list+0x1830/0x1830 [ 29.217102] shrink_node+0x429/0x16a0 [ 29.220926] ? shrink_node_memcg+0x18f0/0x18f0 [ 29.225522] ? kvm_clock_read+0x25/0x30 [ 29.229502] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 29.234530] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 29.239035] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 29.244043] do_try_to_free_pages+0x3e7/0x1290 [ 29.248626] ? shrink_node+0x16a0/0x16a0 [ 29.252692] ? lock_release+0xa30/0xa30 [ 29.256664] ? check_same_owner+0x340/0x340 [ 29.260990] ? lock_downgrade+0x8f0/0x8f0 [ 29.265153] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.270701] ? _parse_integer+0x13b/0x190 [ 29.274859] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.280418] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 29.286058] ? pointer_string+0x1b0/0x1b0 [ 29.290228] ? __mutex_lock+0x6c4/0x1680 [ 29.294320] ? try_to_free_pages+0xb80/0xb80 [ 29.298759] ? memparse+0x171/0x1d0 [ 29.302420] ? get_options+0x380/0x380 [ 29.306331] ? kasan_kmalloc+0xc4/0xe0 [ 29.310239] ? __kmalloc+0x14e/0x760 [ 29.313970] ? kernfs_fop_write+0x33d/0x480 [ 29.318303] ? __vfs_write+0x117/0x9f0 [ 29.322200] ? __kernel_write+0x10c/0x370 [ 29.326362] ? write_pipe_buf+0x181/0x240 [ 29.330550] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 29.336105] ? page_counter_memparse+0xb5/0x1e0 [ 29.340786] ? page_counter_set_low+0x180/0x180 [ 29.345487] ? cgroup_control+0x180/0x180 [ 29.349637] memory_high_write+0x283/0x310 [ 29.353969] ? mem_cgroup_css_released+0x140/0x140 [ 29.358917] ? lock_downgrade+0x8f0/0x8f0 [ 29.363076] ? lock_release+0xa30/0xa30 [ 29.367072] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 29.372292] cgroup_file_write+0x31f/0x840 [ 29.376551] ? mem_cgroup_css_released+0x140/0x140 [ 29.381493] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 29.386417] ? __kmalloc+0x315/0x760 [ 29.390119] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.395645] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 29.400582] kernfs_fop_write+0x2ba/0x480 [ 29.404746] __vfs_write+0x117/0x9f0 [ 29.408465] ? kernfs_fop_open+0x1020/0x1020 [ 29.412875] ? kernel_read+0x120/0x120 [ 29.416764] ? default_file_splice_read+0x864/0xb10 [ 29.421774] ? splice_direct_to_actor+0x6fc/0x8f0 [ 29.426603] ? do_splice_direct+0x2d4/0x420 [ 29.430914] ? do_sendfile+0x62a/0xe20 [ 29.434785] ? __x64_sys_sendfile64+0x15d/0x250 [ 29.439466] ? iter_file_splice_write+0x1010/0x1010 [ 29.444473] ? check_same_owner+0x340/0x340 [ 29.448776] ? rcu_note_context_switch+0x730/0x730 [ 29.453708] __kernel_write+0x10c/0x370 [ 29.457693] write_pipe_buf+0x181/0x240 [ 29.461670] ? do_splice_direct+0x420/0x420 [ 29.465991] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.471536] ? splice_from_pipe_next.part.9+0x296/0x340 [ 29.476890] ? __ia32_sys_membarrier+0x150/0x150 [ 29.481649] __splice_from_pipe+0x38e/0x7c0 [ 29.485989] ? do_splice_direct+0x420/0x420 [ 29.490334] splice_from_pipe+0x1ea/0x340 [ 29.494509] ? do_splice_direct+0x420/0x420 [ 29.498844] ? splice_shrink_spd+0xd0/0xd0 [ 29.503090] ? security_file_permission+0x1c2/0x230 [ 29.508097] default_file_splice_write+0x3c/0x90 [ 29.512850] ? generic_splice_sendpage+0x50/0x50 [ 29.517591] direct_splice_actor+0x128/0x190 [ 29.521984] splice_direct_to_actor+0x318/0x8f0 [ 29.526658] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.532221] ? pipe_to_sendpage+0x400/0x400 [ 29.536530] ? do_splice_to+0x190/0x190 [ 29.540504] ? security_file_permission+0x1c2/0x230 [ 29.545514] ? rw_verify_area+0x118/0x360 [ 29.549666] do_splice_direct+0x2d4/0x420 [ 29.553798] ? splice_direct_to_actor+0x8f0/0x8f0 [ 29.558649] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.564173] ? __sb_start_write+0x17f/0x300 [ 29.568476] do_sendfile+0x62a/0xe20 [ 29.572172] ? do_compat_pwritev64+0x1c0/0x1c0 [ 29.576954] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 29.582490] ? _copy_from_user+0xdf/0x150 [ 29.586625] __x64_sys_sendfile64+0x15d/0x250 [ 29.591110] ? __ia32_sys_sendfile+0x2a0/0x2a0 [ 29.595675] do_syscall_64+0x1b9/0x820 [ 29.599544] ? syscall_return_slowpath+0x5e0/0x5e0 [ 29.604451] ? syscall_return_slowpath+0x31d/0x5e0 [ 29.609368] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 29.614366] ? prepare_exit_to_usermode+0x291/0x3b0 [ 29.619368] ? perf_trace_sys_enter+0xb10/0xb10 [ 29.624025] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.628866] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.634038] RIP: 0033:0x4419e9 [ 29.637204] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 29.656329] RSP: 002b:00007ffdab463e68 EFLAGS: 00000217 ORIG_RAX: 0000000000000028 [ 29.664022] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419e9 [ 29.671276] RDX: 0000000020000040 RSI: 0000000000000004 RDI: 0000000000000004 [ 29.678529] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 29.685782] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000000000 [ 29.693034] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 29.700297] [ 29.701912] Allocated by task 4492: [ 29.705530] save_stack+0x43/0xd0 [ 29.708963] kasan_kmalloc+0xc4/0xe0 [ 29.712653] __kmalloc_node+0x47/0x70 [ 29.716437] kvmalloc_node+0x65/0xf0 [ 29.720128] mem_cgroup_css_online+0x169/0x3c0 [ 29.724707] online_css+0x10c/0x350 [ 29.728312] cgroup_apply_control_enable+0x777/0xe90 [ 29.733395] cgroup_mkdir+0x88a/0x1170 [ 29.737270] kernfs_iop_mkdir+0x159/0x1e0 [ 29.741421] vfs_mkdir+0x42e/0x6b0 [ 29.744946] do_mkdirat+0x27b/0x310 [ 29.748555] __x64_sys_mkdir+0x5c/0x80 [ 29.752431] do_syscall_64+0x1b9/0x820 [ 29.756302] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.761465] [ 29.763068] Freed by task 2861: [ 29.766330] save_stack+0x43/0xd0 [ 29.769765] __kasan_slab_free+0x11a/0x170 [ 29.773983] kasan_slab_free+0xe/0x10 [ 29.777763] kfree+0xd9/0x260 [ 29.780850] single_release+0x8f/0xb0 [ 29.784631] __fput+0x35d/0x930 [ 29.787889] ____fput+0x15/0x20 [ 29.791149] task_work_run+0x1ec/0x2a0 [ 29.795032] exit_to_usermode_loop+0x313/0x370 [ 29.799607] do_syscall_64+0x6be/0x820 [ 29.803481] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.808643] [ 29.810247] The buggy address belongs to the object at ffff8801d740c700 [ 29.810247] which belongs to the cache kmalloc-32 of size 32 [ 29.822712] The buggy address is located 16 bytes inside of [ 29.822712] 32-byte region [ffff8801d740c700, ffff8801d740c720) [ 29.834584] The buggy address belongs to the page: [ 29.839510] page:ffffea00075d0300 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d740cfc1 [ 29.848931] flags: 0x2fffc0000000100(slab) [ 29.853145] raw: 02fffc0000000100 ffffea0006da1608 ffffea00075d3bc8 ffff8801da8001c0 [ 29.861004] raw: ffff8801d740cfc1 ffff8801d740c000 0000000100000027 0000000000000000 [ 29.868855] page dumped because: kasan: bad access detected [ 29.874535] [ 29.876136] Memory state around the buggy address: [ 29.881049] ffff8801d740c600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 29.888388] ffff8801d740c680: fb fb fb fb fc fc fc fc 00 07 fc fc fc fc fc fc [ 29.895726] >ffff8801d740c700: 00 00 05 fc fc fc fc fc fb fb fb fb fc fc fc fc [ 29.903061] ^ [ 29.906936] ffff8801d740c780: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 29.914275] ffff8801d740c800: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 29.921607] ================================================================== [ 29.929193] Kernel panic - not syncing: panic_on_warn set ... [ 29.929193] [ 29.936557] CPU: 1 PID: 4493 Comm: syz-executor607 Tainted: G B 4.18.0-rc3-next-20180706+ #1 [ 29.946413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.955751] Call Trace: [ 29.958322] dump_stack+0x1c9/0x2b4 [ 29.961930] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.967102] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.971843] panic+0x238/0x4e7 [ 29.975015] ? add_taint.cold.5+0x16/0x16 [ 29.979144] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.983527] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.987917] ? find_first_bit+0xf7/0x100 [ 29.991957] kasan_end_report+0x47/0x4f [ 29.995909] kasan_report.cold.7+0x76/0x30d [ 30.000215] __asan_report_load8_noabort+0x14/0x20 [ 30.005120] find_first_bit+0xf7/0x100 [ 30.008986] shrink_slab+0x5d0/0xdb0 [ 30.012675] ? shrink_node_memcg+0xc91/0x18f0 [ 30.017153] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 30.022762] ? shrink_active_list+0x1830/0x1830 [ 30.027418] shrink_node+0x429/0x16a0 [ 30.031205] ? shrink_node_memcg+0x18f0/0x18f0 [ 30.035768] ? kvm_clock_read+0x25/0x30 [ 30.039721] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 30.044720] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 30.049204] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 30.054219] do_try_to_free_pages+0x3e7/0x1290 [ 30.058803] ? shrink_node+0x16a0/0x16a0 [ 30.062862] ? lock_release+0xa30/0xa30 [ 30.066814] ? check_same_owner+0x340/0x340 [ 30.071112] ? lock_downgrade+0x8f0/0x8f0 [ 30.075244] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.080766] ? _parse_integer+0x13b/0x190 [ 30.084896] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.090422] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 30.095592] ? pointer_string+0x1b0/0x1b0 [ 30.099717] ? __mutex_lock+0x6c4/0x1680 [ 30.103758] ? try_to_free_pages+0xb80/0xb80 [ 30.108147] ? memparse+0x171/0x1d0 [ 30.111750] ? get_options+0x380/0x380 [ 30.115622] ? kasan_kmalloc+0xc4/0xe0 [ 30.119509] ? __kmalloc+0x14e/0x760 [ 30.123214] ? kernfs_fop_write+0x33d/0x480 [ 30.127513] ? __vfs_write+0x117/0x9f0 [ 30.131377] ? __kernel_write+0x10c/0x370 [ 30.135505] ? write_pipe_buf+0x181/0x240 [ 30.139634] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.145152] ? page_counter_memparse+0xb5/0x1e0 [ 30.149796] ? page_counter_set_low+0x180/0x180 [ 30.154442] ? cgroup_control+0x180/0x180 [ 30.158569] memory_high_write+0x283/0x310 [ 30.162790] ? mem_cgroup_css_released+0x140/0x140 [ 30.167711] ? lock_downgrade+0x8f0/0x8f0 [ 30.171838] ? lock_release+0xa30/0xa30 [ 30.175791] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 30.180962] cgroup_file_write+0x31f/0x840 [ 30.185298] ? mem_cgroup_css_released+0x140/0x140 [ 30.190206] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 30.195123] ? __kmalloc+0x315/0x760 [ 30.198819] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.204334] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 30.209279] kernfs_fop_write+0x2ba/0x480 [ 30.213406] __vfs_write+0x117/0x9f0 [ 30.217093] ? kernfs_fop_open+0x1020/0x1020 [ 30.222063] ? kernel_read+0x120/0x120 [ 30.225929] ? default_file_splice_read+0x864/0xb10 [ 30.230924] ? splice_direct_to_actor+0x6fc/0x8f0 [ 30.235742] ? do_splice_direct+0x2d4/0x420 [ 30.240042] ? do_sendfile+0x62a/0xe20 [ 30.243905] ? __x64_sys_sendfile64+0x15d/0x250 [ 30.248550] ? iter_file_splice_write+0x1010/0x1010 [ 30.253543] ? check_same_owner+0x340/0x340 [ 30.257845] ? rcu_note_context_switch+0x730/0x730 [ 30.262766] __kernel_write+0x10c/0x370 [ 30.266722] write_pipe_buf+0x181/0x240 [ 30.270675] ? do_splice_direct+0x420/0x420 [ 30.274977] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.280499] ? splice_from_pipe_next.part.9+0x296/0x340 [ 30.285839] ? __ia32_sys_membarrier+0x150/0x150 [ 30.290580] __splice_from_pipe+0x38e/0x7c0 [ 30.294880] ? do_splice_direct+0x420/0x420 [ 30.299180] splice_from_pipe+0x1ea/0x340 [ 30.303317] ? do_splice_direct+0x420/0x420 [ 30.307623] ? splice_shrink_spd+0xd0/0xd0 [ 30.311931] ? security_file_permission+0x1c2/0x230 [ 30.316925] default_file_splice_write+0x3c/0x90 [ 30.321658] ? generic_splice_sendpage+0x50/0x50 [ 30.326401] direct_splice_actor+0x128/0x190 [ 30.330826] splice_direct_to_actor+0x318/0x8f0 [ 30.335488] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.341008] ? pipe_to_sendpage+0x400/0x400 [ 30.345313] ? do_splice_to+0x190/0x190 [ 30.349266] ? security_file_permission+0x1c2/0x230 [ 30.354261] ? rw_verify_area+0x118/0x360 [ 30.358394] do_splice_direct+0x2d4/0x420 [ 30.362521] ? splice_direct_to_actor+0x8f0/0x8f0 [ 30.367340] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 30.372865] ? __sb_start_write+0x17f/0x300 [ 30.377166] do_sendfile+0x62a/0xe20 [ 30.380867] ? do_compat_pwritev64+0x1c0/0x1c0 [ 30.385428] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.390950] ? _copy_from_user+0xdf/0x150 [ 30.395078] __x64_sys_sendfile64+0x15d/0x250 [ 30.399552] ? __ia32_sys_sendfile+0x2a0/0x2a0 [ 30.404129] do_syscall_64+0x1b9/0x820 [ 30.408005] ? syscall_return_slowpath+0x5e0/0x5e0 [ 30.412932] ? syscall_return_slowpath+0x31d/0x5e0 [ 30.417845] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 30.422840] ? prepare_exit_to_usermode+0x291/0x3b0 [ 30.427841] ? perf_trace_sys_enter+0xb10/0xb10 [ 30.432844] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.437670] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.442856] RIP: 0033:0x4419e9 [ 30.446023] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 30.465399] RSP: 002b:00007ffdab463e68 EFLAGS: 00000217 ORIG_RAX: 0000000000000028 [ 30.473090] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419e9 [ 30.480346] RDX: 0000000020000040 RSI: 0000000000000004 RDI: 0000000000000004 [ 30.487601] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 30.494846] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000000000 [ 30.502178] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 30.509896] Dumping ftrace buffer: [ 30.513413] (ftrace buffer empty) [ 30.517103] Kernel Offset: disabled [ 30.520726] Rebooting in 86400 seconds..