[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   15.384727] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.389733] random: sshd: uninitialized urandom read (32 bytes read)
[   20.717987] random: sshd: uninitialized urandom read (32 bytes read)
[   21.429363] random: sshd: uninitialized urandom read (32 bytes read)
[   21.563658] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.30' (ECDSA) to the list of known hosts.
[   27.006009] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.103530] IPVS: ftp: loaded support on port[0] = 21
[   27.129689] ==================================================================
[   27.137086] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100
[   27.143930] Read of size 8 at addr ffff8801d7065b90 by task syz-executor003/4455
[   27.151439] 
[   27.153056] CPU: 1 PID: 4455 Comm: syz-executor003 Not tainted 4.18.0-rc3-next-20180706+ #1
[   27.161527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.170859] Call Trace:
[   27.173442]  dump_stack+0x1c9/0x2b4
[   27.177063]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.182232]  ? printk+0xa7/0xcf
[   27.185500]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.190237]  ? find_first_bit+0xf7/0x100
[   27.194276]  print_address_description+0x6c/0x20b
[   27.199111]  ? find_first_bit+0xf7/0x100
[   27.203151]  kasan_report.cold.7+0x242/0x30d
[   27.207539]  __asan_report_load8_noabort+0x14/0x20
[   27.212447]  find_first_bit+0xf7/0x100
[   27.216316]  shrink_slab+0x5d0/0xdb0
[   27.220014]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.225542]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   27.231145]  ? shrink_active_list+0x1830/0x1830
[   27.235796]  ? page_add_new_anon_rmap+0x870/0x870
[   27.240618]  ? save_stack+0xa9/0xd0
[   27.244225]  ? save_stack+0x43/0xd0
[   27.247831]  ? kernfs_fop_open+0xa7f/0x1020
[   27.252148]  ? do_dentry_open+0xa7d/0x11c0
[   27.256361]  ? trace_hardirqs_on+0x10/0x10
[   27.260576]  shrink_node+0x429/0x16a0
[   27.264360]  ? shrink_node_memcg+0x18f0/0x18f0
[   27.268923]  ? kvm_clock_read+0x25/0x30
[   27.272878]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   27.277875]  ? ktime_get_raw_ts64+0x4f0/0x4f0
[   27.282347]  ? xa_set_tag+0x40/0x40
[   27.285973]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   27.290974]  do_try_to_free_pages+0x3e7/0x1290
[   27.295539]  ? shrink_node+0x16a0/0x16a0
[   27.299582]  ? check_same_owner+0x340/0x340
[   27.303882]  ? trace_hardirqs_on+0x10/0x10
[   27.308095]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.313620]  ? _parse_integer+0x13b/0x190
[   27.317750]  try_to_free_mem_cgroup_pages+0x49d/0xc90
[   27.322921]  ? pointer_string+0x1b0/0x1b0
[   27.327053]  ? try_to_free_pages+0xb80/0xb80
[   27.331444]  ? memparse+0x171/0x1d0
[   27.335059]  ? get_options+0x380/0x380
[   27.338928]  ? kasan_kmalloc+0xc4/0xe0
[   27.342795]  ? __kmalloc+0x14e/0x760
[   27.346494]  ? kernfs_fop_write+0x33d/0x480
[   27.350792]  ? __vfs_write+0x117/0x9f0
[   27.354667]  ? vfs_write+0x1fc/0x560
[   27.358379]  ? ksys_write+0x101/0x260
[   27.362162]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.367689]  ? page_counter_memparse+0xb5/0x1e0
[   27.372338]  ? page_counter_set_low+0x180/0x180
[   27.376985]  ? cgroup_control+0x180/0x180
[   27.381114]  memory_high_write+0x283/0x310
[   27.385339]  ? mem_cgroup_css_released+0x140/0x140
[   27.390246]  ? lock_acquire+0x1e4/0x540
[   27.394200]  ? __might_fault+0x12b/0x1e0
[   27.398245]  cgroup_file_write+0x31f/0x840
[   27.402464]  ? mem_cgroup_css_released+0x140/0x140
[   27.407373]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   27.412287]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   27.417194]  kernfs_fop_write+0x2ba/0x480
[   27.421333]  __vfs_write+0x117/0x9f0
[   27.425032]  ? kernfs_fop_open+0x1020/0x1020
[   27.429425]  ? kernel_read+0x120/0x120
[   27.433298]  ? lock_release+0xa30/0xa30
[   27.437251]  ? check_same_owner+0x340/0x340
[   27.441549]  ? rcu_note_context_switch+0x730/0x730
[   27.446463]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.452077]  ? __sb_start_write+0x17f/0x300
[   27.456377]  vfs_write+0x1fc/0x560
[   27.459898]  ksys_write+0x101/0x260
[   27.463512]  ? __ia32_sys_read+0xb0/0xb0
[   27.467554]  __x64_sys_write+0x73/0xb0
[   27.471429]  do_syscall_64+0x1b9/0x820
[   27.475300]  ? syscall_return_slowpath+0x5e0/0x5e0
[   27.480214]  ? syscall_return_slowpath+0x31d/0x5e0
[   27.485124]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   27.490120]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.495637]  ? prepare_exit_to_usermode+0x291/0x3b0
[   27.500631]  ? perf_trace_sys_enter+0xb10/0xb10
[   27.505279]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.510100]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.515269] RIP: 0033:0x441a29
[   27.518430] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   27.537555] RSP: 002b:00007ffe25ba3f48 EFLAGS: 00000206 ORIG_RAX: 0000000000000001
[   27.545242] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441a29
[   27.552502] RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000004
[   27.559761] RBP: 0000000000000000 R08: 0000000000000012 R09: 0000000000000006
[   27.567011] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
[   27.574267] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000
[   27.581524] 
[   27.583132] Allocated by task 4454:
[   27.586741]  save_stack+0x43/0xd0
[   27.590184]  kasan_kmalloc+0xc4/0xe0
[   27.593876]  __kmalloc_node+0x47/0x70
[   27.597656]  kvmalloc_node+0x65/0xf0
[   27.601351]  mem_cgroup_css_online+0x169/0x3c0
[   27.605925]  online_css+0x10c/0x350
[   27.609533]  cgroup_apply_control_enable+0x777/0xe90
[   27.614626]  cgroup_mkdir+0x88a/0x1170
[   27.618497]  kernfs_iop_mkdir+0x159/0x1e0
[   27.622631]  vfs_mkdir+0x42e/0x6b0
[   27.626148]  do_mkdirat+0x27b/0x310
[   27.629763]  __x64_sys_mkdir+0x5c/0x80
[   27.633633]  do_syscall_64+0x1b9/0x820
[   27.637511]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.642681] 
[   27.644287] Freed by task 1:
[   27.647288]  save_stack+0x43/0xd0
[   27.650723]  __kasan_slab_free+0x11a/0x170
[   27.654937]  kasan_slab_free+0xe/0x10
[   27.658717]  kfree+0xd9/0x260
[   27.661800]  acpi_ns_get_node_unlocked+0x2b9/0x309
[   27.666708]  acpi_ns_get_node+0x4d/0x6b
[   27.670658]  acpi_get_handle+0x15b/0x263
[   27.674701]  acpi_has_method+0x70/0xb0
[   27.678577]  acpi_device_setup_files+0x3aa/0x830
[   27.683311]  acpi_device_add+0x8b7/0x1260
[   27.687441]  acpi_add_single_object+0xaa7/0x1e90
[   27.692177]  acpi_bus_check_add+0x61c/0xb60
[   27.696475]  acpi_ns_walk_namespace+0x224/0x400
[   27.701122]  acpi_walk_namespace+0xf2/0x12c
[   27.705420]  acpi_bus_scan+0x146/0x170
[   27.709304]  acpi_scan_init+0x403/0x8fe
[   27.713259]  acpi_init+0x941/0xa19
[   27.716786]  do_one_initcall+0x127/0x913
[   27.720840]  kernel_init_freeable+0x49b/0x58e
[   27.725315]  kernel_init+0x11/0x1b3
[   27.728918]  ret_from_fork+0x3a/0x50
[   27.732603] 
[   27.734220] The buggy address belongs to the object at ffff8801d7065b80
[   27.734220]  which belongs to the cache kmalloc-32 of size 32
[   27.746693] The buggy address is located 16 bytes inside of
[   27.746693]  32-byte region [ffff8801d7065b80, ffff8801d7065ba0)
[   27.758380] The buggy address belongs to the page:
[   27.763305] page:ffffea00075c1940 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d7065fc1
[   27.772728] flags: 0x2fffc0000000100(slab)
[   27.776943] raw: 02fffc0000000100 ffffea00075c1848 ffffea00075c2bc8 ffff8801da8001c0
[   27.784804] raw: ffff8801d7065fc1 ffff8801d7065000 000000010000003f 0000000000000000
[   27.792658] page dumped because: kasan: bad access detected
[   27.798345] 
[   27.799951] Memory state around the buggy address:
[   27.804856]  ffff8801d7065a80: 00 04 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
[   27.812192]  ffff8801d7065b00: 00 03 fc fc fc fc fc fc 00 07 fc fc fc fc fc fc
[   27.819530] >ffff8801d7065b80: 00 00 05 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   27.826863]                          ^
[   27.830742]  ffff8801d7065c00: 00 00 00 fc fc fc fc fc 00 02 fc fc fc fc fc fc
[   27.838080]  ffff8801d7065c80: 00 02 fc fc fc fc fc fc 00 02 fc fc fc fc fc fc
[   27.845411] ==================================================================
[   27.852848] Kernel panic - not syncing: panic_on_warn set ...
[   27.852848] 
[   27.860222] CPU: 1 PID: 4455 Comm: syz-executor003 Tainted: G    B             4.18.0-rc3-next-20180706+ #1
[   27.870079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.879411] Call Trace:
[   27.881987]  dump_stack+0x1c9/0x2b4
[   27.885598]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.890769]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.895507]  panic+0x238/0x4e7
[   27.898681]  ? add_taint.cold.5+0x16/0x16
[   27.902811]  ? do_raw_spin_unlock+0xa7/0x2f0
[   27.907199]  ? find_first_bit+0xf7/0x100
[   27.911239]  kasan_end_report+0x47/0x4f
[   27.915189]  kasan_report.cold.7+0x76/0x30d
[   27.921757]  __asan_report_load8_noabort+0x14/0x20
[   27.926666]  find_first_bit+0xf7/0x100
[   27.930534]  shrink_slab+0x5d0/0xdb0
[   27.934229]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   27.939756]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   27.945360]  ? shrink_active_list+0x1830/0x1830
[   27.950013]  ? page_add_new_anon_rmap+0x870/0x870
[   27.954844]  ? save_stack+0xa9/0xd0
[   27.958448]  ? save_stack+0x43/0xd0
[   27.962060]  ? kernfs_fop_open+0xa7f/0x1020
[   27.966361]  ? do_dentry_open+0xa7d/0x11c0
[   27.970576]  ? trace_hardirqs_on+0x10/0x10
[   27.974802]  shrink_node+0x429/0x16a0
[   27.978591]  ? shrink_node_memcg+0x18f0/0x18f0
[   27.983150]  ? kvm_clock_read+0x25/0x30
[   27.987114]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   27.992111]  ? ktime_get_raw_ts64+0x4f0/0x4f0
[   27.996594]  ? xa_set_tag+0x40/0x40
[   28.000201]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   28.005198]  do_try_to_free_pages+0x3e7/0x1290
[   28.009774]  ? shrink_node+0x16a0/0x16a0
[   28.013816]  ? check_same_owner+0x340/0x340
[   28.018120]  ? trace_hardirqs_on+0x10/0x10
[   28.022343]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.027857]  ? _parse_integer+0x13b/0x190
[   28.031988]  try_to_free_mem_cgroup_pages+0x49d/0xc90
[   28.037160]  ? pointer_string+0x1b0/0x1b0
[   28.041289]  ? try_to_free_pages+0xb80/0xb80
[   28.045680]  ? memparse+0x171/0x1d0
[   28.049286]  ? get_options+0x380/0x380
[   28.053151]  ? kasan_kmalloc+0xc4/0xe0
[   28.057025]  ? __kmalloc+0x14e/0x760
[   28.060723]  ? kernfs_fop_write+0x33d/0x480
[   28.065030]  ? __vfs_write+0x117/0x9f0
[   28.068898]  ? vfs_write+0x1fc/0x560
[   28.072590]  ? ksys_write+0x101/0x260
[   28.076373]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   28.081895]  ? page_counter_memparse+0xb5/0x1e0
[   28.086543]  ? page_counter_set_low+0x180/0x180
[   28.091192]  ? cgroup_control+0x180/0x180
[   28.095332]  memory_high_write+0x283/0x310
[   28.099547]  ? mem_cgroup_css_released+0x140/0x140
[   28.104461]  ? lock_acquire+0x1e4/0x540
[   28.108420]  ? __might_fault+0x12b/0x1e0
[   28.112461]  cgroup_file_write+0x31f/0x840
[   28.116688]  ? mem_cgroup_css_released+0x140/0x140
[   28.121603]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   28.126520]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   28.131430]  kernfs_fop_write+0x2ba/0x480
[   28.135557]  __vfs_write+0x117/0x9f0
[   28.139251]  ? kernfs_fop_open+0x1020/0x1020
[   28.143637]  ? kernel_read+0x120/0x120
[   28.147513]  ? lock_release+0xa30/0xa30
[   28.151467]  ? check_same_owner+0x340/0x340
[   28.155778]  ? rcu_note_context_switch+0x730/0x730
[   28.160691]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.166216]  ? __sb_start_write+0x17f/0x300
[   28.170518]  vfs_write+0x1fc/0x560
[   28.174046]  ksys_write+0x101/0x260
[   28.177657]  ? __ia32_sys_read+0xb0/0xb0
[   28.181700]  __x64_sys_write+0x73/0xb0
[   28.185574]  do_syscall_64+0x1b9/0x820
[   28.189440]  ? syscall_return_slowpath+0x5e0/0x5e0
[   28.194370]  ? syscall_return_slowpath+0x31d/0x5e0
[   28.199293]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   28.204287]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.209803]  ? prepare_exit_to_usermode+0x291/0x3b0
[   28.214801]  ? perf_trace_sys_enter+0xb10/0xb10
[   28.219462]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.224287]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.229456] RIP: 0033:0x441a29
[   28.232619] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   28.251750] RSP: 002b:00007ffe25ba3f48 EFLAGS: 00000206 ORIG_RAX: 0000000000000001
[   28.259446] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441a29
[   28.266696] RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000004
[   28.273954] RBP: 0000000000000000 R08: 0000000000000012 R09: 0000000000000006
[   28.281201] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
[   28.288448] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000
[   28.296947] Dumping ftrace buffer:
[   28.300500]    (ftrace buffer empty)
[   28.304186] Kernel Offset: disabled
[   28.307798] Rebooting in 86400 seconds..