[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.542305] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   19.784717] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
[   19.970338] random: sshd: uninitialized urandom read (32 bytes read, 35 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.975770] random: sshd: uninitialized urandom read (32 bytes read, 88 bits of entropy available)
Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts.
[   26.760204] random: sshd: uninitialized urandom read (32 bytes read, 95 bits of entropy available)
2018/08/19 21:50:40 fuzzer started
[   27.742324] random: cc1: uninitialized urandom read (8 bytes read, 95 bits of entropy available)
2018/08/19 21:50:42 dialing manager at 10.128.0.26:36929
2018/08/19 21:50:43 syscalls: 1
2018/08/19 21:50:43 code coverage: enabled
2018/08/19 21:50:43 comparison tracing: CONFIG_KCOV_ENABLE_COMPARISONS is not enabled
2018/08/19 21:50:43 setuid sandbox: enabled
2018/08/19 21:50:43 namespace sandbox: enabled
2018/08/19 21:50:43 fault injection: CONFIG_FAULT_INJECTION is not enabled
2018/08/19 21:50:43 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2018/08/19 21:50:43 net packed injection: enabled
2018/08/19 21:50:43 net device setup: enabled
[   30.310136] random: nonblocking pool is initialized
21:51:15 executing program 0:

21:51:15 executing program 1:
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup\x00', 0x200002, 0x0)
r1 = openat$cgroup_int(r0, &(0x7f0000000240)="696f2e6d617800e3c6a1bc1694706052fb71636dab87f6b67931756f4718d4c82a523684fbfb553c6430fbc7b94142e83351f1daed56ac269c9286207493b4a58dbdb53c1a90a355b97bba99df289a25ef0e4f35cdbfe70a13c32b283c02837c5330ed0f393ac8b5a0220078e91fe9d917882519e39d9d7c502cb52b84aa1c5a64b1666adec7f0d844af01018e958358b9f54ab00b0f43d38e9de11e3a217ca325d2404d1bf3fef194ff6c7e18ed", 0x2, 0x0)
r2 = openat$cgroup_ro(r0, &(0x7f0000000300)='io.stat\x00', 0x0, 0x0)
sendfile(r1, r2, 0x0, 0x4)

21:51:15 executing program 7:
perf_event_open(&(0x7f0000000180)={0x2, 0x70, 0x3e5}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = epoll_create1(0x0)
r1 = epoll_create1(0x0)
fcntl$lock(r1, 0x7, &(0x7f0000000000)={0x1})
unshare(0x400)
fcntl$lock(r0, 0x5, &(0x7f0000000180)={0x0, 0x2, 0x27ad})

21:51:15 executing program 4:
openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0)
ioctl$fiemap(0xffffffffffffffff, 0xc020660b, &(0x7f0000000100)=ANY=[])
r0 = socket$unix(0x1, 0x1, 0x0)
r1 = dup2(r0, r0)
write$P9_RLOCK(r1, &(0x7f0000000340)={0x8}, 0x8)

21:51:15 executing program 5:
openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0)
getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000080)={@multicast2, @dev}, &(0x7f00000000c0)=0xc)
r0 = socket$unix(0x1, 0x1, 0x0)
readv(r0, &(0x7f0000002940)=[{&(0x7f00000004c0)=""/200, 0xc8}], 0x1)

21:51:15 executing program 6:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000a8eff8)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
setsockopt$sock_int(r0, 0x1, 0x2000000000007, &(0x7f0000000200), 0x4)
sendmmsg$unix(r0, &(0x7f00000bd000), 0x80, 0x0)
r1 = memfd_create(&(0x7f0000000080)='dev ', 0x3)
write(r1, &(0x7f0000000040)="16", 0x1)
sendfile(r0, r1, &(0x7f0000000000), 0xffff)
fcntl$addseals(r1, 0x409, 0xa)
ioctl$FS_IOC_RESVSP(r1, 0x40305828, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x3})
r2 = gettid()
timer_create(0x0, &(0x7f0000044000)={0x0, 0x12}, &(0x7f0000000040))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x9}}, &(0x7f0000040000))
tkill(r2, 0x1000000000013)
write$tun(r1, &(0x7f0000000240)={@val, @val, @mpls={[], @llc={@llc={0x0, 0x0, '"'}}}}, 0x11)

21:51:15 executing program 2:
r0 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_inet_SIOCSIFBRDADDR(0xffffffffffffffff, 0x891a, &(0x7f0000000000)={'syzkaller1\x00', {0x2, 0x0, @dev}})
r1 = fcntl$dupfd(r0, 0x0, r0)
setsockopt$inet_tcp_TCP_ULP(r1, 0x6, 0x1f, &(0x7f0000000200)='tls\x00', 0x199)

21:51:15 executing program 3:
openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0)
getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000080)={@multicast2, @dev}, &(0x7f00000000c0)=0xc)
r0 = socket$unix(0x1, 0x1, 0x0)
r1 = dup2(r0, r0)
write$P9_ROPEN(r1, &(0x7f0000000240)={0x18}, 0x18)

[   62.111684] IPVS: Creating netns size=2552 id=1
[   62.216247] IPVS: Creating netns size=2552 id=2
[   62.276726] IPVS: Creating netns size=2552 id=3
[   62.379732] IPVS: Creating netns size=2552 id=4
[   62.513012] IPVS: Creating netns size=2552 id=5
[   62.681288] IPVS: Creating netns size=2552 id=6
[   62.894616] IPVS: Creating netns size=2552 id=7
[   63.186138] IPVS: Creating netns size=2552 id=8
[   63.221411] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   63.315839] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   63.402178] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   63.518131] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   63.855962] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   63.937383] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   63.984520] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   63.993316] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   64.012946] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   64.125664] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   64.375792] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   64.448197] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   64.459624] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   64.524576] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   64.541498] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   64.554059] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   64.617851] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   64.666159] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   64.705193] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   64.713421] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   64.726565] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   64.797075] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   64.959112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   64.968620] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   64.983951] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   65.062547] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   65.073387] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   65.087285] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   65.173858] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   65.233691] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   65.259066] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   65.278046] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   65.385344] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   65.399963] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   65.421043] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   65.437325] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   65.491357] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   65.569357] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   65.610654] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   65.699662] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   65.744912] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   65.754690] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   65.787153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   65.841018] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   65.863939] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   65.888528] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   65.919636] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   65.931828] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[   65.978671] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   65.988802] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   66.012463] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   66.044400] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[   66.115026] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   66.122794] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   66.286348] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   66.378644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   66.462647] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   66.488337] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[   66.542863] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   66.565921] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[   66.614681] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   66.666675] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   66.711673] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   66.783613] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   70.088165] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   70.198773] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   70.455975] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   70.565891] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   70.596415] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   70.780323] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   70.873240] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   70.902494] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   70.936025] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   71.127463] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   71.140779] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   71.218608] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   71.257091] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   71.443946] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   71.502825] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   71.704035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
21:51:26 executing program 1:

21:51:26 executing program 1:
mount(&(0x7f0000000400)='./file0\x00', &(0x7f0000903000)='./file0\x00', &(0x7f00000003c0)='bdev\x00', 0x0, &(0x7f0000444000))
mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x0)
mprotect(&(0x7f0000562000/0x2000)=nil, 0x2000, 0x1)

[   72.813847] BUG: unable to handle kernel paging request at ffffeafffd410020
[   72.821267] IP: [<ffffffff8150e8f8>] __split_huge_page_pmd+0x2c8/0x820
[   72.828095] PGD 0 
[   72.830367] Oops: 0000 [#1] PREEMPT SMP KASAN
[   72.835395] Dumping ftrace buffer:
[   72.838924]    (ftrace buffer empty)
[   72.842621] Modules linked in:
[   72.845942] CPU: 1 PID: 5801 Comm: syz-executor1 Not tainted 4.4.150-g5541782 #19
[   72.853555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.862899] task: ffff8801bea8b000 task.stack: ffff8800a55a8000
[   72.868966] RIP: 0010:[<ffffffff8150e8f8>]  [<ffffffff8150e8f8>] __split_huge_page_pmd+0x2c8/0x820
[   72.878223] RSP: 0018:ffff8800a55af980  EFLAGS: 00010246
[   72.883665] RAX: 1ffffd5fffa82004 RBX: ffffeafffd410020 RCX: ffffc9000106e000
[   72.890926] RDX: 00000000000000ce RSI: ffffffff8150e8c0 RDI: 00003fff504001a0
[   72.898189] RBP: ffff8800a55afa88 R08: ffffffff8533b500 R09: 0000000000000000
[   72.905456] R10: 0000000000000001 R11: ffff8801bea8b000 R12: ffffeafffd410000
[   72.912747] R13: dffffc0000000000 R14: ffff8801cba7b810 R15: ffff8801cba7b810
[   72.920026] FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:00000000f577db40
[   72.928538] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   72.934412] CR2: ffffeafffd410020 CR3: 00000001d404b000 CR4: 00000000001606f0
[   72.941681] Stack:
[   72.943816]  ffffffff814b30fb ffffffff814b6f67 ffff8801bea8b920 fffffbfff0882602
[   72.951861]  ffff8801bea8b8d0 ffff8801bea8b8d8 ffff8801bea8b928 ffff8801d94a9370
21:51:26 executing program 0:
exit(0x0)
r0 = socket$unix(0x1, 0x1, 0x0)
recvmmsg(r0, &(0x7f0000002140)=[{{&(0x7f0000000240)=@pppol2tpv3={0x18, 0x1, {0x0, <r1=>0xffffffffffffffff, {0x2, 0x0, @multicast1}}}, 0x80, &(0x7f0000000340), 0x0, &(0x7f0000000380)}}], 0x1, 0x0, 0x0)
r2 = dup2(r0, r1)
ioctl$FIONREAD(r2, 0x541b, &(0x7f00000001c0))

[   72.959925]  1ffff10014ab5f40 ffff88024ba7b000 0000000000000000 0000000020600000
[   72.967979] Call Trace:
[   72.970573]  [<ffffffff814b30fb>] ? split_vma+0x5b/0x80
[   72.975927]  [<ffffffff814b6f67>] ? mprotect_fixup+0x6a7/0x8d0
[   72.981895]  [<ffffffff81231fe0>] ? debug_check_no_locks_freed+0x210/0x210
[   72.988902]  [<ffffffff8150e630>] ? __khugepaged_exit+0x300/0x300
[   72.995138]  [<ffffffff8148ba37>] ? vmacache_find+0x57/0x290
[   73.000934]  [<ffffffff815104aa>] split_huge_page_pmd_mm+0x7a/0x90
[   73.007252]  [<ffffffff81510691>] split_huge_page_address+0x1d1/0x220
[   73.013825]  [<ffffffff815108c6>] vma_adjust_trans_huge+0x1e6/0x2c0
[   73.020223]  [<ffffffff814ab4b0>] vma_adjust+0xd50/0x13d0
[   73.025757]  [<ffffffff81228ada>] ? up_write+0x1a/0x60
[   73.031032]  [<ffffffff814be6c1>] ? anon_vma_clone+0x321/0x4b0
[   73.037009]  [<ffffffff814abf92>] __split_vma.isra.40+0x462/0x750
[   73.043238]  [<ffffffff814b30fb>] split_vma+0x5b/0x80
[   73.048423]  [<ffffffff814b6f67>] mprotect_fixup+0x6a7/0x8d0
[   73.054215]  [<ffffffff814b68c0>] ? change_protection+0xfc0/0xfc0
[   73.060441]  [<ffffffff8127a477>] ? debug_lockdep_rcu_enabled+0x77/0x90
[   73.067188]  [<ffffffff81c69013>] ? file_map_prot_check+0x193/0x310
[   73.073603]  [<ffffffff81c76f37>] ? selinux_file_mprotect+0xf7/0x550
[   73.080114]  [<ffffffff8148ba37>] ? vmacache_find+0x57/0x290
[   73.085910]  [<ffffffff81c5362f>] ? security_file_mprotect+0x8f/0xc0
[   73.092400]  [<ffffffff814b7483>] SyS_mprotect+0x2f3/0x640
[   73.098032]  [<ffffffff814b7190>] ? mprotect_fixup+0x8d0/0x8d0
[   73.104010]  [<ffffffff81006b4b>] ? do_fast_syscall_32+0xdb/0x8b0
[   73.110238]  [<ffffffff814b7190>] ? mprotect_fixup+0x8d0/0x8d0
[   73.116205]  [<ffffffff81006d94>] do_fast_syscall_32+0x324/0x8b0
[   73.122347]  [<ffffffff838cca03>] sysenter_flags_fixed+0xd/0x1a
[   73.128402] Code: 48 c1 eb 06 48 01 d8 48 8d 58 20 48 89 85 68 ff ff ff 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 fd 04 00 00 4c 8b a5 68 ff ff ff <4d> 8b 74 24 20 41 f6 c6 01 0f 85 b1 03 00 00 e8 d4 5b e4 ff 49 
[   73.156296] RIP  [<ffffffff8150e8f8>] __split_huge_page_pmd+0x2c8/0x820
[   73.163191]  RSP <ffff8800a55af980>
[   73.166806] CR2: ffffeafffd410020
[   73.170257] ---[ end trace 36a178060f0a7f8f ]---
[   73.175020] Kernel panic - not syncing: Fatal exception
[   73.180721] Dumping ftrace buffer:
[   73.184262]    (ftrace buffer empty)
[   73.187947] Kernel Offset: disabled
[   73.191545] Rebooting in 86400 seconds..