[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   15.826726] random: sshd: uninitialized urandom read (32 bytes read)
[   15.938283] random: sshd: uninitialized urandom read (32 bytes read)
[   16.171079] random: sshd: uninitialized urandom read (32 bytes read)
[   16.838780] random: sshd: uninitialized urandom read (32 bytes read)
[   16.980445] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
syzkaller login: [   23.862558] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   23.950009] IPVS: ftp: loaded support on port[0] = 21
executing program
[   24.315375] syz-executor653 (4460) used greatest stack depth: 17040 bytes left
[   25.866161] ==================================================================
[   25.873569] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100
[   25.880315] Read of size 8 at addr ffff8801d7b12310 by task kswapd0/1530
[   25.887126] 
[   25.888735] CPU: 0 PID: 1530 Comm: kswapd0 Not tainted 4.18.0-rc3-next-20180706+ #1
[   25.896518] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.905880] Call Trace:
[   25.908453]  dump_stack+0x1c9/0x2b4
[   25.912061]  ? dump_stack_print_info.cold.2+0x52/0x52
[   25.917229]  ? printk+0xa7/0xcf
[   25.920485]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   25.925225]  ? find_first_bit+0xf7/0x100
[   25.929268]  print_address_description+0x6c/0x20b
[   25.934089]  ? find_first_bit+0xf7/0x100
[   25.938127]  kasan_report.cold.7+0x242/0x30d
[   25.942514]  __asan_report_load8_noabort+0x14/0x20
[   25.947428]  find_first_bit+0xf7/0x100
[   25.951297]  shrink_slab+0x5d0/0xdb0
[   25.954990]  ? shrink_node_memcg+0xc91/0x18f0
[   25.959482]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   25.965085]  ? shrink_active_list+0x1830/0x1830
[   25.969736]  ? run_rebalance_domains+0x4c0/0x4c0
[   25.974477]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   25.980000]  shrink_node+0x429/0x16a0
[   25.983784]  ? shrink_node_memcg+0x18f0/0x18f0
[   25.988341]  ? zone_watermark_ok_safe+0x14b/0x3d0
[   25.993161]  ? lock_acquire+0x1e4/0x540
[   25.997113]  ? __alloc_pages_direct_compact+0x340/0x340
[   26.002455]  ? lock_release+0xa30/0xa30
[   26.006409]  ? __sched_text_start+0x8/0x8
[   26.010537]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.016058]  ? pgdat_balanced+0x118/0x150
[   26.020191]  balance_pgdat+0x7ca/0x1010
[   26.024146]  ? mem_cgroup_shrink_node+0xb20/0xb20
[   26.028971]  ? check_same_owner+0x340/0x340
[   26.033272]  ? rcu_note_context_switch+0x730/0x730
[   26.038182]  kswapd+0x82e/0x12f0
[   26.041533]  ? balance_pgdat+0x1010/0x1010
[   26.045757]  ? finish_wait+0x430/0x430
[   26.051021]  ? kasan_check_read+0x11/0x20
[   26.055149]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.059549]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   26.064629]  ? __kthread_parkme+0x58/0x1b0
[   26.068844]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.073839]  ? trace_hardirqs_on+0xd/0x10
[   26.077967]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.083484]  ? __kthread_parkme+0x106/0x1b0
[   26.087783]  kthread+0x345/0x410
[   26.091123]  ? balance_pgdat+0x1010/0x1010
[   26.095331]  ? kthread_bind+0x40/0x40
[   26.099106]  ret_from_fork+0x3a/0x50
[   26.102796] 
[   26.104406] Allocated by task 4459:
[   26.108009]  save_stack+0x43/0xd0
[   26.111439]  kasan_kmalloc+0xc4/0xe0
[   26.115132]  __kmalloc_node+0x47/0x70
[   26.119170]  kvmalloc_node+0x65/0xf0
[   26.122861]  mem_cgroup_css_online+0x169/0x3c0
[   26.127431]  online_css+0x10c/0x350
[   26.131040]  cgroup_apply_control_enable+0x777/0xe90
[   26.136119]  cgroup_mkdir+0x88a/0x1170
[   26.139992]  kernfs_iop_mkdir+0x159/0x1e0
[   26.144114]  vfs_mkdir+0x42e/0x6b0
[   26.147629]  do_mkdirat+0x27b/0x310
[   26.151230]  __x64_sys_mkdir+0x5c/0x80
[   26.155094]  do_syscall_64+0x1b9/0x820
[   26.158964]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.164122] 
[   26.165725] Freed by task 2877:
[   26.168981]  save_stack+0x43/0xd0
[   26.172416]  __kasan_slab_free+0x11a/0x170
[   26.176630]  kasan_slab_free+0xe/0x10
[   26.180407]  kfree+0xd9/0x260
[   26.183490]  single_release+0x8f/0xb0
[   26.187267]  __fput+0x35d/0x930
[   26.190518]  ____fput+0x15/0x20
[   26.193777]  task_work_run+0x1ec/0x2a0
[   26.197644]  exit_to_usermode_loop+0x313/0x370
[   26.202204]  do_syscall_64+0x6be/0x820
[   26.206066]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.211225] 
[   26.212826] The buggy address belongs to the object at ffff8801d7b12300
[   26.212826]  which belongs to the cache kmalloc-32 of size 32
[   26.225281] The buggy address is located 16 bytes inside of
[   26.225281]  32-byte region [ffff8801d7b12300, ffff8801d7b12320)
[   26.236951] The buggy address belongs to the page:
[   26.241865] page:ffffea00075ec480 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d7b12fc1
[   26.251283] flags: 0x2fffc0000000100(slab)
[   26.255502] raw: 02fffc0000000100 ffffea00075c9088 ffffea0007336508 ffff8801da8001c0
[   26.263360] raw: ffff8801d7b12fc1 ffff8801d7b12000 000000010000003e 0000000000000000
[   26.271818] page dumped because: kasan: bad access detected
[   26.277496] 
[   26.279097] Memory state around the buggy address:
[   26.284003]  ffff8801d7b12200: 00 01 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
[   26.291344]  ffff8801d7b12280: 00 07 fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
[   26.298678] >ffff8801d7b12300: 00 00 05 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   26.306009]                           ^
[   26.309872]  ffff8801d7b12380: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   26.317210]  ffff8801d7b12400: 00 00 00 fc fc fc fc fc 00 01 fc fc fc fc fc fc
[   26.324546] ==================================================================
[   26.331997] Kernel panic - not syncing: panic_on_warn set ...
[   26.331997] 
[   26.339389] CPU: 0 PID: 1530 Comm: kswapd0 Tainted: G    B 4.18.0-rc3-next-20180706+ #1
[   26.348562] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.357900] Call Trace:
[   26.360473]  dump_stack+0x1c9/0x2b4
[   26.364079]  ? dump_stack_print_info.cold.2+0x52/0x52
[   26.369247]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.373981]  panic+0x238/0x4e7
[   26.377155]  ? add_taint.cold.5+0x16/0x16
[   26.381287]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.385675]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.390064]  ? find_first_bit+0xf7/0x100
[   26.394105]  kasan_end_report+0x47/0x4f
[   26.398058]  kasan_report.cold.7+0x76/0x30d
[   26.402359]  __asan_report_load8_noabort+0x14/0x20
[   26.407273]  find_first_bit+0xf7/0x100
[   26.411156]  shrink_slab+0x5d0/0xdb0
[   26.414850]  ? shrink_node_memcg+0xc91/0x18f0
[   26.419325]  ? unregister_memcg_shrinker.isra.39+0x50/0x50
[   26.424926]  ? shrink_active_list+0x1830/0x1830
[   26.429587]  ? run_rebalance_domains+0x4c0/0x4c0
[   26.434331]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   26.439856]  shrink_node+0x429/0x16a0
[   26.443650]  ? shrink_node_memcg+0x18f0/0x18f0
[   26.448211]  ? zone_watermark_ok_safe+0x14b/0x3d0
[   26.453036]  ? lock_acquire+0x1e4/0x540
[   26.456997]  ? __alloc_pages_direct_compact+0x340/0x340
[   26.462357]  ? lock_release+0xa30/0xa30
[   26.466319]  ? __sched_text_start+0x8/0x8
[   26.470447]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.475962]  ? pgdat_balanced+0x118/0x150
[   26.480089]  balance_pgdat+0x7ca/0x1010
[   26.484047]  ? mem_cgroup_shrink_node+0xb20/0xb20
[   26.488870]  ? check_same_owner+0x340/0x340
[   26.493172]  ? rcu_note_context_switch+0x730/0x730
[   26.498082]  kswapd+0x82e/0x12f0
[   26.501434]  ? balance_pgdat+0x1010/0x1010
[   26.505648]  ? finish_wait+0x430/0x430
[   26.509521]  ? kasan_check_read+0x11/0x20
[   26.513649]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.518042]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   26.523127]  ? __kthread_parkme+0x58/0x1b0
[   26.527345]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   26.532359]  ? trace_hardirqs_on+0xd/0x10
[   26.536487]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.542004]  ? __kthread_parkme+0x106/0x1b0
[   26.546317]  kthread+0x345/0x410
[   26.549669]  ? balance_pgdat+0x1010/0x1010
[   26.553891]  ? kthread_bind+0x40/0x40
[   26.557778]  ret_from_fork+0x3a/0x50
[   26.561932] Dumping ftrace buffer:
[   26.565456]    (ftrace buffer empty)
[   26.570357] Kernel Offset: disabled
[   26.573969] Rebooting in 86400 seconds..
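Added example, not part of the syzkaller log above: a small decoder that reads this report's own header, object and "Memory state" lines and turns the shadow bytes into the numbers a triager wants, namely how many bytes of the kmalloc-32 slot were actually requested and how far the 8-byte read in find_first_bit runs past them. The shadow semantics are the kernel's KASAN encoding (00: all 8 bytes of the granule addressable; 01..07: only the first N bytes; fc: kmalloc redzone; fb: freed object); the regexes, function names and the REPORT excerpt (copied from the log with timestamps dropped) are mine.

```python
import re

# Lines copied from the KASAN report above, timestamps removed, so the
# decoder runs offline against the page's own data.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100
Read of size 8 at addr ffff8801d7b12310 by task kswapd0/1530
The buggy address belongs to the object at ffff8801d7b12300
 which belongs to the cache kmalloc-32 of size 32
Memory state around the buggy address:
 ffff8801d7b12200: 00 01 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
 ffff8801d7b12280: 00 07 fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
>ffff8801d7b12300: 00 00 05 fc fc fc fc fc 00 00 00 fc fc fc fc fc
                         ^
 ffff8801d7b12380: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
 ffff8801d7b12400: 00 00 00 fc fc fc fc fc 00 01 fc fc fc fc fc fc
"""

KASAN_SHADOW_SCALE = 8        # one shadow byte describes 8 bytes of memory
KASAN_KMALLOC_REDZONE = 0xFC  # slab redzone: tail of the slot never handed out
KASAN_KMALLOC_FREE = 0xFB     # object has been kfree()d

HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
ROW_RE = re.compile(r"^[ >](?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")


def parse_report(text):
    """Pull the bug header, the faulting access, the object and the shadow
    rows out of a KASAN report. Shadow bytes are keyed by the address of
    the 8-byte granule they describe."""
    info, shadow = {}, {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            info.update(bug=m["bug"], func=m["func"])
            continue
        m = ACCESS_RE.search(line)
        if m:
            info.update(kind=m["kind"], size=int(m["size"]),
                        addr=int(m["addr"], 16), task=m["task"])
            continue
        m = OBJECT_RE.search(line)
        if m:
            info["obj_base"] = int(m["base"], 16)
            continue
        m = CACHE_RE.search(line)
        if m:
            info.update(cache=m["cache"], cache_size=int(m["size"]))
            continue
        m = ROW_RE.match(line)
        if m:
            row = int(m["addr"], 16)
            for i, b in enumerate(m["bytes"].split()):
                shadow[row + i * KASAN_SHADOW_SCALE] = int(b, 16)
    info["shadow"] = shadow
    return info


def accessible_bytes(shadow_byte):
    """Addressable bytes in the 8-byte granule a shadow byte describes."""
    if shadow_byte == 0x00:
        return KASAN_SHADOW_SCALE
    if 1 <= shadow_byte <= 7:
        return shadow_byte
    return 0  # 0xf* poison values: redzone, freed, page-level poison


def object_live_size(info):
    """Walk the object's shadow from its base up to the first partial or
    poisoned granule. kasan_kmalloc() unpoisons exactly the requested size
    and redzones the rest of the slot, so this recovers the size that was
    asked for, not the cache's 32-byte slot size."""
    total, addr = 0, info["obj_base"]
    end = info["obj_base"] + info["cache_size"]
    while addr < end:
        n = accessible_bytes(info["shadow"][addr])
        total += n
        if n < KASAN_SHADOW_SCALE:
            break
        addr += KASAN_SHADOW_SCALE
    return total


def explain(info):
    """Offset of the access inside the object, the object's requested size,
    and how many bytes of the access fall past that size."""
    off = info["addr"] - info["obj_base"]
    live = object_live_size(info)
    return {"offset": off, "live_size": live,
            "overrun": max(0, off + info["size"] - live)}


if __name__ == "__main__":
    r = parse_report(REPORT)
    print(f"{r['bug']} in {r['func']}: {r['kind'].lower()} of {r['size']} "
          f"bytes at +{r['addr'] - r['obj_base']} in a {r['cache']} object")
    print(explain(r))
```

Run against this report it yields offset 16, a requested size of 21 bytes (shadow 00 00 05) and an overrun of 3 bytes: find_first_bit loads a whole unsigned long at +16, but the allocation made in mem_cgroup_css_online only covers 5 of those 8 bytes. That is the number to carry into the fix (the map has to be sized in whole longs, or the walker bounded by the allocated length), and it is worth noting that the "Freed by task 2877" stack (single_release) describes the slot's previous occupant, not this allocation; for an out-of-bounds read the "Allocated by" stack is the one to follow.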