[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 16.750171] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 20.812973] random: sshd: uninitialized urandom read (32 bytes read) [ 21.182062] random: sshd: uninitialized urandom read (32 bytes read) [ 21.883336] random: sshd: uninitialized urandom read (32 bytes read) [ 22.043388] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.19' (ECDSA) to the list of known hosts. [ 27.499541] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 27.590534] IPVS: ftp: loaded support on port[0] = 21 [ 27.620048] ================================================================== [ 27.627473] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100 [ 27.634216] Read of size 8 at addr ffff8801d7145990 by task syz-executor004/4460 [ 27.641729] [ 27.643358] CPU: 0 PID: 4460 Comm: syz-executor004 Not tainted 4.18.0-rc3-next-20180706+ #1 [ 27.651845] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.661198] Call Trace: [ 27.663778] dump_stack+0x1c9/0x2b4 [ 27.667396] ? dump_stack_print_info.cold.2+0x52/0x52 [ 27.672573] ? printk+0xa7/0xcf [ 27.675870] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 27.680636] ? find_first_bit+0xf7/0x100 [ 27.684690] print_address_description+0x6c/0x20b [ 27.689530] ? find_first_bit+0xf7/0x100 [ 27.693574] kasan_report.cold.7+0x242/0x30d [ 27.697967] __asan_report_load8_noabort+0x14/0x20 [ 27.702888] find_first_bit+0xf7/0x100 [ 27.706776] shrink_slab+0x5d0/0xdb0 [ 27.710563] ? shrink_node_memcg+0xc91/0x18f0 [ 27.715053] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 27.720675] ? shrink_active_list+0x1830/0x1830 [ 27.725340] shrink_node+0x429/0x16a0 [ 27.729160] ? shrink_node_memcg+0x18f0/0x18f0 [ 27.733742] ? kvm_clock_read+0x25/0x30 [ 27.737699] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 27.742702] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 27.747187] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 27.752193] do_try_to_free_pages+0x3e7/0x1290 [ 27.756782] ? shrink_node+0x16a0/0x16a0 [ 27.760850] ? lock_release+0xa30/0xa30 [ 27.764810] ? check_same_owner+0x340/0x340 [ 27.769120] ? lock_downgrade+0x8f0/0x8f0 [ 27.773354] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.778878] ? _parse_integer+0x13b/0x190 [ 27.783021] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 27.788582] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 27.793763] ? pointer_string+0x1b0/0x1b0 [ 27.797897] ? __mutex_lock+0x6c4/0x1680 [ 27.801948] ? try_to_free_pages+0xb80/0xb80 [ 27.806346] ? memparse+0x171/0x1d0 [ 27.809960] ? get_options+0x380/0x380 [ 27.813837] ? kasan_kmalloc+0xc4/0xe0 [ 27.817708] ? __kmalloc+0x14e/0x760 [ 27.821405] ? kernfs_fop_write+0x33d/0x480 [ 27.825872] ? __vfs_write+0x117/0x9f0 [ 27.829746] ? __kernel_write+0x10c/0x370 [ 27.833896] ? write_pipe_buf+0x181/0x240 [ 27.838031] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 27.843557] ? page_counter_memparse+0xb5/0x1e0 [ 27.848214] ? page_counter_set_low+0x180/0x180 [ 27.852888] ? cgroup_control+0x180/0x180 [ 27.857023] memory_high_write+0x283/0x310 [ 27.861261] ? mem_cgroup_css_released+0x140/0x140 [ 27.866186] ? lock_downgrade+0x8f0/0x8f0 [ 27.870320] ? lock_release+0xa30/0xa30 [ 27.874296] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 27.879474] cgroup_file_write+0x31f/0x840 [ 27.883700] ? mem_cgroup_css_released+0x140/0x140 [ 27.888631] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 27.893549] ? __kmalloc+0x315/0x760 [ 27.897246] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 27.902771] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 27.907694] kernfs_fop_write+0x2ba/0x480 [ 27.911839] __vfs_write+0x117/0x9f0 [ 27.915555] ? kernfs_fop_open+0x1020/0x1020 [ 27.919950] ? kernel_read+0x120/0x120 [ 27.923824] ? default_file_splice_read+0x864/0xb10 [ 27.928837] ? splice_direct_to_actor+0x6fc/0x8f0 [ 27.933665] ? do_splice_direct+0x2d4/0x420 [ 27.937981] ? do_sendfile+0x62a/0xe20 [ 27.941863] ? __x64_sys_sendfile64+0x15d/0x250 [ 27.946517] ? iter_file_splice_write+0x1010/0x1010 [ 27.951519] ? check_same_owner+0x340/0x340 [ 27.955825] ? rcu_note_context_switch+0x730/0x730 [ 27.960744] __kernel_write+0x10c/0x370 [ 27.964894] write_pipe_buf+0x181/0x240 [ 27.968859] ? do_splice_direct+0x420/0x420 [ 27.973168] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 27.978706] ? splice_from_pipe_next.part.9+0x296/0x340 [ 27.984071] ? __ia32_sys_membarrier+0x150/0x150 [ 27.988819] __splice_from_pipe+0x38e/0x7c0 [ 27.993146] ? do_splice_direct+0x420/0x420 [ 27.997458] splice_from_pipe+0x1ea/0x340 [ 28.001598] ? do_splice_direct+0x420/0x420 [ 28.005913] ? splice_shrink_spd+0xd0/0xd0 [ 28.010138] ? security_file_permission+0x1c2/0x230 [ 28.015144] default_file_splice_write+0x3c/0x90 [ 28.019898] ? generic_splice_sendpage+0x50/0x50 [ 28.024663] direct_splice_actor+0x128/0x190 [ 28.029060] splice_direct_to_actor+0x318/0x8f0 [ 28.033731] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.039257] ? pipe_to_sendpage+0x400/0x400 [ 28.043563] ? do_splice_to+0x190/0x190 [ 28.047531] ? security_file_permission+0x1c2/0x230 [ 28.052549] ? rw_verify_area+0x118/0x360 [ 28.056690] do_splice_direct+0x2d4/0x420 [ 28.060850] ? splice_direct_to_actor+0x8f0/0x8f0 [ 28.065684] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.071228] ? __sb_start_write+0x17f/0x300 [ 28.075552] do_sendfile+0x62a/0xe20 [ 28.079270] ? do_compat_pwritev64+0x1c0/0x1c0 [ 28.083847] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.089375] ? _copy_from_user+0xdf/0x150 [ 28.093520] __x64_sys_sendfile64+0x15d/0x250 [ 28.098010] ? __ia32_sys_sendfile+0x2a0/0x2a0 [ 28.102585] do_syscall_64+0x1b9/0x820 [ 28.106461] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.111380] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.116310] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 28.121316] ? prepare_exit_to_usermode+0x291/0x3b0 [ 28.126323] ? perf_trace_sys_enter+0xb10/0xb10 [ 28.131004] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.136129] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.141315] RIP: 0033:0x4419e9 [ 28.144497] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 28.163634] RSP: 002b:00007ffdd9f42058 EFLAGS: 00000217 ORIG_RAX: 0000000000000028 [ 28.171331] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419e9 [ 28.178592] RDX: 0000000020000040 RSI: 0000000000000004 RDI: 0000000000000004 [ 28.185851] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 28.193117] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000000000 [ 28.200376] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 28.207650] [ 28.209284] Allocated by task 4459: [ 28.212935] save_stack+0x43/0xd0 [ 28.216388] kasan_kmalloc+0xc4/0xe0 [ 28.220086] __kmalloc_node+0x47/0x70 [ 28.223876] kvmalloc_node+0x65/0xf0 [ 28.227593] mem_cgroup_css_online+0x169/0x3c0 [ 28.232160] online_css+0x10c/0x350 [ 28.235781] cgroup_apply_control_enable+0x777/0xe90 [ 28.240882] cgroup_mkdir+0x88a/0x1170 [ 28.244751] kernfs_iop_mkdir+0x159/0x1e0 [ 28.248883] vfs_mkdir+0x42e/0x6b0 [ 28.252408] do_mkdirat+0x27b/0x310 [ 28.256028] __x64_sys_mkdir+0x5c/0x80 [ 28.259926] do_syscall_64+0x1b9/0x820 [ 28.263811] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.268988] [ 28.270612] Freed by task 1: [ 28.273627] save_stack+0x43/0xd0 [ 28.277326] __kasan_slab_free+0x11a/0x170 [ 28.281557] kasan_slab_free+0xe/0x10 [ 28.285346] kfree+0xd9/0x260 [ 28.288435] acpi_ex_stop_trace_method+0x1bf/0x1cb [ 28.293366] acpi_ds_terminate_control_method+0x5ab/0x5bc [ 28.298887] acpi_ps_parse_aml+0x4af/0x86a [ 28.303109] acpi_ps_execute_method+0x521/0x597 [ 28.307763] acpi_ns_evaluate+0x717/0x9bc [ 28.311905] acpi_evaluate_object+0x48c/0x8cf [ 28.316387] acpi_evaluate_integer+0x129/0x280 [ 28.320952] acpi_bus_get_status_handle+0x26/0xa0 [ 28.325781] acpi_bus_check_add+0x3b5/0xb60 [ 28.330099] acpi_ns_walk_namespace+0x224/0x400 [ 28.334769] acpi_walk_namespace+0xf2/0x12c [ 28.339079] acpi_bus_scan+0x146/0x170 [ 28.342991] acpi_scan_init+0x403/0x8fe [ 28.346961] acpi_init+0x941/0xa19 [ 28.350493] do_one_initcall+0x127/0x913 [ 28.354560] kernel_init_freeable+0x49b/0x58e [ 28.359058] kernel_init+0x11/0x1b3 [ 28.362673] ret_from_fork+0x3a/0x50 [ 28.366379] [ 28.367993] The buggy address belongs to the object at ffff8801d7145980 [ 28.367993] which belongs to the cache kmalloc-32 of size 32 [ 28.380477] The buggy address is located 16 bytes inside of [ 28.380477] 32-byte region [ffff8801d7145980, ffff8801d71459a0) [ 28.392176] The buggy address belongs to the page: [ 28.397100] page:ffffea00075c5140 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d7145fc1 [ 28.406532] flags: 0x2fffc0000000100(slab) [ 28.410760] raw: 02fffc0000000100 ffffea00075c37c8 ffffea00075c6808 ffff8801da8001c0 [ 28.418642] raw: ffff8801d7145fc1 ffff8801d7145000 000000010000003f 0000000000000000 [ 28.426526] page dumped because: kasan: bad access detected [ 28.432216] [ 28.433820] Memory state around the buggy address: [ 28.438732] ffff8801d7145880: 00 04 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc [ 28.446097] ffff8801d7145900: 00 03 fc fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 28.453445] >ffff8801d7145980: 00 00 05 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 28.460784] ^ [ 28.464668] ffff8801d7145a00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 28.472028] ffff8801d7145a80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 28.479387] ================================================================== [ 28.486855] Kernel panic - not syncing: panic_on_warn set ... [ 28.486855] [ 28.494234] CPU: 0 PID: 4460 Comm: syz-executor004 Tainted: G B 4.18.0-rc3-next-20180706+ #1 [ 28.504107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.513462] Call Trace: [ 28.516049] dump_stack+0x1c9/0x2b4 [ 28.519667] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.524848] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.529604] panic+0x238/0x4e7 [ 28.532784] ? add_taint.cold.5+0x16/0x16 [ 28.536934] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.541343] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.545748] ? find_first_bit+0xf7/0x100 [ 28.549800] kasan_end_report+0x47/0x4f [ 28.553782] kasan_report.cold.7+0x76/0x30d [ 28.558131] __asan_report_load8_noabort+0x14/0x20 [ 28.563074] find_first_bit+0xf7/0x100 [ 28.566961] shrink_slab+0x5d0/0xdb0 [ 28.570663] ? shrink_node_memcg+0xc91/0x18f0 [ 28.575146] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 28.580759] ? shrink_active_list+0x1830/0x1830 [ 28.585440] shrink_node+0x429/0x16a0 [ 28.589267] ? shrink_node_memcg+0x18f0/0x18f0 [ 28.593849] ? kvm_clock_read+0x25/0x30 [ 28.597812] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.602947] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 28.607433] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 28.612443] do_try_to_free_pages+0x3e7/0x1290 [ 28.617045] ? shrink_node+0x16a0/0x16a0 [ 28.621112] ? lock_release+0xa30/0xa30 [ 28.625086] ? check_same_owner+0x340/0x340 [ 28.629394] ? lock_downgrade+0x8f0/0x8f0 [ 28.633532] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.639093] ? _parse_integer+0x13b/0x190 [ 28.643230] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.648770] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 28.653959] ? pointer_string+0x1b0/0x1b0 [ 28.658107] ? __mutex_lock+0x6c4/0x1680 [ 28.662175] ? try_to_free_pages+0xb80/0xb80 [ 28.666574] ? memparse+0x171/0x1d0 [ 28.670186] ? get_options+0x380/0x380 [ 28.674061] ? kasan_kmalloc+0xc4/0xe0 [ 28.677938] ? __kmalloc+0x14e/0x760 [ 28.682413] ? kernfs_fop_write+0x33d/0x480 [ 28.686727] ? __vfs_write+0x117/0x9f0 [ 28.690617] ? __kernel_write+0x10c/0x370 [ 28.694754] ? write_pipe_buf+0x181/0x240 [ 28.698891] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 28.704427] ? page_counter_memparse+0xb5/0x1e0 [ 28.709104] ? page_counter_set_low+0x180/0x180 [ 28.713778] ? cgroup_control+0x180/0x180 [ 28.717917] memory_high_write+0x283/0x310 [ 28.722147] ? mem_cgroup_css_released+0x140/0x140 [ 28.727062] ? lock_downgrade+0x8f0/0x8f0 [ 28.731202] ? lock_release+0xa30/0xa30 [ 28.735166] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 28.740348] cgroup_file_write+0x31f/0x840 [ 28.744574] ? mem_cgroup_css_released+0x140/0x140 [ 28.749498] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 28.754413] ? __kmalloc+0x315/0x760 [ 28.758125] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.763650] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 28.768563] kernfs_fop_write+0x2ba/0x480 [ 28.772698] __vfs_write+0x117/0x9f0 [ 28.776395] ? kernfs_fop_open+0x1020/0x1020 [ 28.780791] ? kernel_read+0x120/0x120 [ 28.784668] ? default_file_splice_read+0x864/0xb10 [ 28.789678] ? splice_direct_to_actor+0x6fc/0x8f0 [ 28.794515] ? do_splice_direct+0x2d4/0x420 [ 28.798846] ? do_sendfile+0x62a/0xe20 [ 28.802722] ? __x64_sys_sendfile64+0x15d/0x250 [ 28.807393] ? iter_file_splice_write+0x1010/0x1010 [ 28.812416] ? check_same_owner+0x340/0x340 [ 28.816725] ? rcu_note_context_switch+0x730/0x730 [ 28.821642] __kernel_write+0x10c/0x370 [ 28.825604] write_pipe_buf+0x181/0x240 [ 28.829578] ? do_splice_direct+0x420/0x420 [ 28.833884] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.839406] ? splice_from_pipe_next.part.9+0x296/0x340 [ 28.844777] ? __ia32_sys_membarrier+0x150/0x150 [ 28.849529] __splice_from_pipe+0x38e/0x7c0 [ 28.853845] ? do_splice_direct+0x420/0x420 [ 28.858160] splice_from_pipe+0x1ea/0x340 [ 28.862298] ? do_splice_direct+0x420/0x420 [ 28.866621] ? splice_shrink_spd+0xd0/0xd0 [ 28.870860] ? security_file_permission+0x1c2/0x230 [ 28.875863] default_file_splice_write+0x3c/0x90 [ 28.880617] ? generic_splice_sendpage+0x50/0x50 [ 28.885371] direct_splice_actor+0x128/0x190 [ 28.890038] splice_direct_to_actor+0x318/0x8f0 [ 28.894699] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.900247] ? pipe_to_sendpage+0x400/0x400 [ 28.904588] ? do_splice_to+0x190/0x190 [ 28.908559] ? security_file_permission+0x1c2/0x230 [ 28.913577] ? rw_verify_area+0x118/0x360 [ 28.917727] do_splice_direct+0x2d4/0x420 [ 28.921878] ? splice_direct_to_actor+0x8f0/0x8f0 [ 28.926750] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.932305] ? __sb_start_write+0x17f/0x300 [ 28.936627] do_sendfile+0x62a/0xe20 [ 28.940338] ? do_compat_pwritev64+0x1c0/0x1c0 [ 28.944919] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 28.950442] ? _copy_from_user+0xdf/0x150 [ 28.954587] __x64_sys_sendfile64+0x15d/0x250 [ 28.959077] ? __ia32_sys_sendfile+0x2a0/0x2a0 [ 28.963648] do_syscall_64+0x1b9/0x820 [ 28.967526] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.972453] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.977367] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 28.982388] ? prepare_exit_to_usermode+0x291/0x3b0 [ 28.987400] ? perf_trace_sys_enter+0xb10/0xb10 [ 28.992065] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.996907] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.002078] RIP: 0033:0x4419e9 [ 29.005248] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 29.024379] RSP: 002b:00007ffdd9f42058 EFLAGS: 00000217 ORIG_RAX: 0000000000000028 [ 29.032081] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419e9 [ 29.039348] RDX: 0000000020000040 RSI: 0000000000000004 RDI: 0000000000000004 [ 29.046614] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 29.053869] R10: 0000000000000001 R11: 0000000000000217 R12: 0000000000000000 [ 29.061139] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 29.068964] Dumping ftrace buffer: [ 29.072501] (ftrace buffer empty) [ 29.076203] Kernel Offset: disabled [ 29.079813] Rebooting in 86400 seconds..