[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   16.479648] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.375174] random: sshd: uninitialized urandom read (32 bytes read)
[   22.666909] random: sshd: uninitialized urandom read (32 bytes read)
[   23.427368] random: sshd: uninitialized urandom read (32 bytes read)
[   27.843343] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
[   33.352308] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.448370] IPVS: ftp: loaded support on port[0] = 21
[   33.480245] ==================================================================
[   33.487677] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100
[   33.494441] Read of size 8 at addr ffff8801d7faa950 by task syz-executor776/4463
[   33.501967] 
[   33.503614] CPU: 0 PID: 4463 Comm: syz-executor776 Not tainted 4.18.0-rc3-next-20180706+ #1
[   33.512108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.521467] Call Trace:
[   33.524076]  dump_stack+0x1c9/0x2b4
[   33.527714]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.532922]  ? printk+0xa7/0xcf
[   33.536256]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.541046]  ? find_first_bit+0xf7/0x100
[   33.545113]  print_address_description+0x6c/0x20b
[   33.549962]  ? find_first_bit+0xf7/0x100
[   33.554039]  kasan_report.cold.7+0x242/0x30d
[   33.558463]  __asan_report_load8_noabort+0x14/0x20
[   33.563394]  find_first_bit+0xf7/0x100
[   33.567303]  shrink_slab+0x5d0/0xdb0
[   33.571134]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.576683]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   33.582331]  ? shrink_active_list+0x1830/0x1830
[   33.587015]  ? page_add_new_anon_rmap+0x870/0x870
[   33.591873]  ? save_stack+0xa9/0xd0
[   33.595520]  ? save_stack+0x43/0xd0
[   33.599145]  ? kernfs_fop_open+0xa7f/0x1020
[   33.603467]  ? do_dentry_open+0xa7d/0x11c0
[   33.607713]  ? trace_hardirqs_on+0x10/0x10
[   33.611992]  shrink_node+0x429/0x16a0
[   33.615807]  ? shrink_node_memcg+0x18f0/0x18f0
[   33.620392]  ? kvm_clock_read+0x25/0x30
[   33.624381]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.629406]  ? ktime_get_raw_ts64+0x4f0/0x4f0
[   33.633913]  ? xa_set_tag+0x40/0x40
[   33.637553]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   33.642575]  do_try_to_free_pages+0x3e7/0x1290
[   33.647349]  ? shrink_node+0x16a0/0x16a0
[   33.651414]  ? check_same_owner+0x340/0x340
[   33.655743]  ? trace_hardirqs_on+0x10/0x10
[   33.660011]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.665559]  ? _parse_integer+0x13b/0x190
[   33.669719]  try_to_free_mem_cgroup_pages+0x49d/0xc90
[   33.674918]  ? pointer_string+0x1b0/0x1b0
[   33.679071]  ? try_to_free_pages+0xb80/0xb80
[   33.683483]  ? memparse+0x171/0x1d0
[   33.687136]  ? get_options+0x380/0x380
[   33.691111]  ? kasan_kmalloc+0xc4/0xe0
[   33.695027]  ? __kmalloc+0x14e/0x760
[   33.698755]  ? kernfs_fop_write+0x33d/0x480
[   33.703082]  ? __vfs_write+0x117/0x9f0
[   33.706976]  ? vfs_write+0x1fc/0x560
[   33.710683]  ? ksys_write+0x101/0x260
[   33.714480]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.720029]  ? page_counter_memparse+0xb5/0x1e0
[   33.724706]  ? page_counter_set_low+0x180/0x180
[   33.729378]  ? cgroup_control+0x180/0x180
[   33.733532]  memory_high_write+0x283/0x310
[   33.737778]  ? mem_cgroup_css_released+0x140/0x140
[   33.742716]  ? lock_acquire+0x1e4/0x540
[   33.746704]  ? __might_fault+0x12b/0x1e0
[   33.750772]  cgroup_file_write+0x31f/0x840
[   33.755027]  ? mem_cgroup_css_released+0x140/0x140
[   33.759973]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   33.764923]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   33.769859]  kernfs_fop_write+0x2ba/0x480
[   33.774046]  __vfs_write+0x117/0x9f0
[   33.777775]  ? kernfs_fop_open+0x1020/0x1020
[   33.782177]  ? kernel_read+0x120/0x120
[   33.786065]  ? lock_release+0xa30/0xa30
[   33.790041]  ? check_same_owner+0x340/0x340
[   33.794359]  ? rcu_note_context_switch+0x730/0x730
[   33.799295]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.804837]  ? __sb_start_write+0x17f/0x300
[   33.809164]  vfs_write+0x1fc/0x560
[   33.812714]  ksys_write+0x101/0x260
[   33.816361]  ? __ia32_sys_read+0xb0/0xb0
[   33.820419]  __x64_sys_write+0x73/0xb0
[   33.824310]  do_syscall_64+0x1b9/0x820
[   33.828194]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.833131]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.838071]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   33.843119]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.848676]  ? prepare_exit_to_usermode+0x291/0x3b0
[   33.853708]  ? perf_trace_sys_enter+0xb10/0xb10
[   33.858383]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.863248]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.868435] RIP: 0033:0x441a29
[   33.871611] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   33.890771] RSP: 002b:00007ffee7180808 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[   33.898486] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441a29
[   33.905761] RDX: 0000000000000104 RSI: 0000000020000080 RDI: 0000000000000004
[   33.913286] RBP: 0000000000000000 R08: 0000000000000012 R09: 0000000000000006
[   33.920737] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[   33.928005] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000
[   33.935287] 
[   33.936922] Allocated by task 4462:
[   33.940553]  save_stack+0x43/0xd0
[   33.944014]  kasan_kmalloc+0xc4/0xe0
[   33.947725]  __kmalloc_node+0x47/0x70
[   33.951530]  kvmalloc_node+0x65/0xf0
[   33.955246]  mem_cgroup_css_online+0x169/0x3c0
[   33.959823]  online_css+0x10c/0x350
[   33.963453]  cgroup_apply_control_enable+0x777/0xe90
[   33.968566]  cgroup_mkdir+0x88a/0x1170
[   33.972487]  kernfs_iop_mkdir+0x159/0x1e0
[   33.976638]  vfs_mkdir+0x42e/0x6b0
[   33.980193]  do_mkdirat+0x27b/0x310
[   33.983854]  __x64_sys_mkdir+0x5c/0x80
[   33.987754]  do_syscall_64+0x1b9/0x820
[   33.991658]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.996847] 
[   33.998558] Freed by task 2810:
[   34.001836]  save_stack+0x43/0xd0
[   34.005285]  __kasan_slab_free+0x11a/0x170
[   34.009521]  kasan_slab_free+0xe/0x10
[   34.013320]  kfree+0xd9/0x260
[   34.016409]  single_release+0x8f/0xb0
[   34.020213]  __fput+0x35d/0x930
[   34.023486]  ____fput+0x15/0x20
[   34.026779]  task_work_run+0x1ec/0x2a0
[   34.030659]  exit_to_usermode_loop+0x313/0x370
[   34.035231]  do_syscall_64+0x6be/0x820
[   34.039113]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.044297] 
[   34.045926] The buggy address belongs to the object at ffff8801d7faa940
[   34.045926]  which belongs to the cache kmalloc-32 of size 32
[   34.058522] The buggy address is located 16 bytes inside of
[   34.058522]  32-byte region [ffff8801d7faa940, ffff8801d7faa960)
[   34.070230] The buggy address belongs to the page:
[   34.075171] page:ffffea00075fea80 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d7faafc1
[   34.084635] flags: 0x2fffc0000000100(slab)
[   34.088870] raw: 02fffc0000000100 ffffea00075f5948 ffffea00075f98c8 ffff8801da8001c0
[   34.096751] raw: ffff8801d7faafc1 ffff8801d7faa000 0000000100000024 0000000000000000
[   34.104617] page dumped because: kasan: bad access detected
[   34.110331] 
[   34.111951] Memory state around the buggy address:
[   34.116877]  ffff8801d7faa800: 00 00 01 fc fc fc fc fc 00 05 fc fc fc fc fc fc
[   34.124239]  ffff8801d7faa880: 00 03 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[   34.131609] >ffff8801d7faa900: 00 03 fc fc fc fc fc fc 00 00 05 fc fc fc fc fc
[   34.139073]                                                  ^
[   34.145055]  ffff8801d7faa980: fb fb fb fb fc fc fc fc 00 03 fc fc fc fc fc fc
[   34.152423]  ffff8801d7faaa00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   34.159774] ==================================================================
[   34.167687] Kernel panic - not syncing: panic_on_warn set ...
[   34.167687] 
[   34.175076] CPU: 0 PID: 4463 Comm: syz-executor776 Tainted: G    B             4.18.0-rc3-next-20180706+ #1
[   34.184957] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.194314] Call Trace:
[   34.196924]  dump_stack+0x1c9/0x2b4
[   34.200552]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.205764]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.210548]  panic+0x238/0x4e7
[   34.213740]  ? add_taint.cold.5+0x16/0x16
[   34.217907]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.222347]  ? find_first_bit+0xf7/0x100
[   34.226430]  kasan_end_report+0x47/0x4f
[   34.230427]  kasan_report.cold.7+0x76/0x30d
[   34.234768]  __asan_report_load8_noabort+0x14/0x20
[   34.239714]  find_first_bit+0xf7/0x100
[   34.243614]  shrink_slab+0x5d0/0xdb0
[   34.247352]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.252928]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   34.258581]  ? shrink_active_list+0x1830/0x1830
[   34.263252]  ? page_add_new_anon_rmap+0x870/0x870
[   34.268105]  ? save_stack+0xa9/0xd0
[   34.271757]  ? save_stack+0x43/0xd0
[   34.275385]  ? kernfs_fop_open+0xa7f/0x1020
[   34.279709]  ? do_dentry_open+0xa7d/0x11c0
[   34.283945]  ? trace_hardirqs_on+0x10/0x10
[   34.288191]  shrink_node+0x429/0x16a0
[   34.292026]  ? shrink_node_memcg+0x18f0/0x18f0
[   34.296632]  ? kvm_clock_read+0x25/0x30
[   34.300708]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.305739]  ? ktime_get_raw_ts64+0x4f0/0x4f0
[   34.310231]  ? xa_set_tag+0x40/0x40
[   34.313872]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   34.318894]  do_try_to_free_pages+0x3e7/0x1290
[   34.323492]  ? shrink_node+0x16a0/0x16a0
[   34.327562]  ? check_same_owner+0x340/0x340
[   34.331898]  ? trace_hardirqs_on+0x10/0x10
[   34.336146]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.341685]  ? _parse_integer+0x13b/0x190
[   34.345835]  try_to_free_mem_cgroup_pages+0x49d/0xc90
[   34.351045]  ? pointer_string+0x1b0/0x1b0
[   34.355200]  ? try_to_free_pages+0xb80/0xb80
[   34.359616]  ? memparse+0x171/0x1d0
[   34.363243]  ? get_options+0x380/0x380
[   34.367137]  ? kasan_kmalloc+0xc4/0xe0
[   34.371024]  ? __kmalloc+0x14e/0x760
[   34.374733]  ? kernfs_fop_write+0x33d/0x480
[   34.379053]  ? __vfs_write+0x117/0x9f0
[   34.382953]  ? vfs_write+0x1fc/0x560
[   34.386659]  ? ksys_write+0x101/0x260
[   34.390456]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.395996]  ? page_counter_memparse+0xb5/0x1e0
[   34.400697]  ? page_counter_set_low+0x180/0x180
[   34.405365]  ? cgroup_control+0x180/0x180
[   34.409529]  memory_high_write+0x283/0x310
[   34.413771]  ? mem_cgroup_css_released+0x140/0x140
[   34.418719]  ? lock_acquire+0x1e4/0x540
[   34.422710]  ? __might_fault+0x12b/0x1e0
[   34.426879]  cgroup_file_write+0x31f/0x840
[   34.431128]  ? mem_cgroup_css_released+0x140/0x140
[   34.436075]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   34.441046]  ? cgroup_migrate_add_task+0xcd0/0xcd0
[   34.446127]  kernfs_fop_write+0x2ba/0x480
[   34.450297]  __vfs_write+0x117/0x9f0
[   34.454030]  ? kernfs_fop_open+0x1020/0x1020
[   34.458453]  ? kernel_read+0x120/0x120
[   34.462353]  ? lock_release+0xa30/0xa30
[   34.466347]  ? check_same_owner+0x340/0x340
[   34.470701]  ? rcu_note_context_switch+0x730/0x730
[   34.475669]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.481245]  ? __sb_start_write+0x17f/0x300
[   34.485583]  vfs_write+0x1fc/0x560
[   34.489127]  ksys_write+0x101/0x260
[   34.492744]  ? __ia32_sys_read+0xb0/0xb0
[   34.496811]  __x64_sys_write+0x73/0xb0
[   34.501128]  do_syscall_64+0x1b9/0x820
[   34.505007]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.510211]  ? syscall_return_slowpath+0x31d/0x5e0
[   34.515141]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   34.520161]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.525703]  ? prepare_exit_to_usermode+0x291/0x3b0
[   34.530724]  ? perf_trace_sys_enter+0xb10/0xb10
[   34.535392]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.540246]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.545431] RIP: 0033:0x441a29
[   34.548608] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   34.567764] RSP: 002b:00007ffee7180808 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[   34.575477] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441a29
[   34.582748] RDX: 0000000000000104 RSI: 0000000020000080 RDI: 0000000000000004
[   34.590037] RBP: 0000000000000000 R08: 0000000000000012 R09: 0000000000000006
[   34.597321] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[   34.604581] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000
[   34.612394] Dumping ftrace buffer:
[   34.616042]    (ftrace buffer empty)
[   34.619758] Kernel Offset: disabled
[   34.623378] Rebooting in 86400 seconds..