[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 16.809731] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 18.258761] random: sshd: uninitialized urandom read (32 bytes read) [ 18.589760] random: sshd: uninitialized urandom read (32 bytes read) [ 19.269570] random: sshd: uninitialized urandom read (32 bytes read) [ 19.415255] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts. [ 24.859203] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 24.945450] IPVS: ftp: loaded support on port[0] = 21 [ 24.972153] ================================================================== [ 24.979570] BUG: KASAN: slab-out-of-bounds in find_first_bit+0xf7/0x100 [ 24.986303] Read of size 8 at addr ffff8801d7548d50 by task syz-executor441/4505 [ 24.993834] [ 24.995448] CPU: 1 PID: 4505 Comm: syz-executor441 Not tainted 4.18.0-rc3-next-20180706+ #1 [ 25.003914] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.013346] Call Trace: [ 25.015921] dump_stack+0x1c9/0x2b4 [ 25.019546] ? dump_stack_print_info.cold.2+0x52/0x52 [ 25.024719] ? printk+0xa7/0xcf [ 25.028002] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 25.032764] ? find_first_bit+0xf7/0x100 [ 25.036835] print_address_description+0x6c/0x20b [ 25.041663] ? find_first_bit+0xf7/0x100 [ 25.045705] kasan_report.cold.7+0x242/0x30d [ 25.050095] __asan_report_load8_noabort+0x14/0x20 [ 25.055019] find_first_bit+0xf7/0x100 [ 25.058896] shrink_slab+0x5d0/0xdb0 [ 25.062595] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 25.068115] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 25.073731] ? shrink_active_list+0x1830/0x1830 [ 25.078395] ? save_stack+0xa9/0xd0 [ 25.082016] ? save_stack+0x43/0xd0 [ 25.085630] ? kernfs_fop_open+0xa7f/0x1020 [ 25.089934] ? do_dentry_open+0xa7d/0x11c0 [ 25.094152] ? trace_hardirqs_on+0x10/0x10 [ 25.098373] shrink_node+0x429/0x16a0 [ 25.102172] ? shrink_node_memcg+0x18f0/0x18f0 [ 25.106739] ? kvm_clock_read+0x25/0x30 [ 25.110695] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 25.115695] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 25.120176] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 25.125177] do_try_to_free_pages+0x3e7/0x1290 [ 25.129751] ? shrink_node+0x16a0/0x16a0 [ 25.133795] ? check_same_owner+0x340/0x340 [ 25.138109] ? trace_hardirqs_on+0x10/0x10 [ 25.142330] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.147858] ? _parse_integer+0x13b/0x190 [ 25.151989] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 25.157511] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 25.162685] ? pointer_string+0x1b0/0x1b0 [ 25.166820] ? try_to_free_pages+0xb80/0xb80 [ 25.171220] ? memparse+0x171/0x1d0 [ 25.174839] ? get_options+0x380/0x380 [ 25.178719] ? kasan_kmalloc+0xc4/0xe0 [ 25.182603] ? __kmalloc+0x14e/0x760 [ 25.186309] ? kernfs_fop_write+0x33d/0x480 [ 25.190611] ? __vfs_write+0x117/0x9f0 [ 25.194476] ? vfs_write+0x1fc/0x560 [ 25.198169] ? ksys_write+0x101/0x260 [ 25.201962] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 25.207485] ? page_counter_memparse+0xb5/0x1e0 [ 25.212148] ? page_counter_set_low+0x180/0x180 [ 25.216799] ? cgroup_control+0x180/0x180 [ 25.220949] memory_high_write+0x283/0x310 [ 25.225179] ? mem_cgroup_css_released+0x140/0x140 [ 25.230100] ? lock_acquire+0x1e4/0x540 [ 25.234067] ? __might_fault+0x12b/0x1e0 [ 25.238116] cgroup_file_write+0x31f/0x840 [ 25.242335] ? mem_cgroup_css_released+0x140/0x140 [ 25.247246] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 25.252183] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 25.257103] kernfs_fop_write+0x2ba/0x480 [ 25.261234] __vfs_write+0x117/0x9f0 [ 25.264928] ? kernfs_fop_open+0x1020/0x1020 [ 25.269319] ? kernel_read+0x120/0x120 [ 25.273190] ? lock_release+0xa30/0xa30 [ 25.277143] ? check_same_owner+0x340/0x340 [ 25.281448] ? rcu_note_context_switch+0x730/0x730 [ 25.286363] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.291880] ? __sb_start_write+0x17f/0x300 [ 25.296192] vfs_write+0x1fc/0x560 [ 25.299711] ksys_write+0x101/0x260 [ 25.303319] ? __ia32_sys_read+0xb0/0xb0 [ 25.307364] __x64_sys_write+0x73/0xb0 [ 25.311235] do_syscall_64+0x1b9/0x820 [ 25.315116] ? syscall_return_slowpath+0x5e0/0x5e0 [ 25.320047] ? syscall_return_slowpath+0x31d/0x5e0 [ 25.324971] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 25.329967] ? prepare_exit_to_usermode+0x291/0x3b0 [ 25.334965] ? perf_trace_sys_enter+0xb10/0xb10 [ 25.339626] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.344457] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 25.349627] RIP: 0033:0x4419d9 [ 25.352792] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 25.371929] RSP: 002b:00007ffcd44b9a78 EFLAGS: 00000217 ORIG_RAX: 0000000000000001 [ 25.379630] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419d9 [ 25.386880] RDX: 000000000000006b RSI: 0000000020000740 RDI: 0000000000000004 [ 25.394129] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 25.401387] R10: 0000000000000006 R11: 0000000000000217 R12: 0000000000000000 [ 25.408646] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 25.415908] [ 25.417517] Allocated by task 4504: [ 25.421146] save_stack+0x43/0xd0 [ 25.424582] kasan_kmalloc+0xc4/0xe0 [ 25.428287] __kmalloc_node+0x47/0x70 [ 25.432089] kvmalloc_node+0x65/0xf0 [ 25.435807] mem_cgroup_css_online+0x169/0x3c0 [ 25.440383] online_css+0x10c/0x350 [ 25.443992] cgroup_apply_control_enable+0x777/0xe90 [ 25.449079] cgroup_mkdir+0x88a/0x1170 [ 25.452947] kernfs_iop_mkdir+0x159/0x1e0 [ 25.457074] vfs_mkdir+0x42e/0x6b0 [ 25.460597] do_mkdirat+0x27b/0x310 [ 25.464204] __x64_sys_mkdir+0x5c/0x80 [ 25.468075] do_syscall_64+0x1b9/0x820 [ 25.471944] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 25.477107] [ 25.478711] Freed by task 2873: [ 25.481976] save_stack+0x43/0xd0 [ 25.485415] __kasan_slab_free+0x11a/0x170 [ 25.489642] kasan_slab_free+0xe/0x10 [ 25.493825] kfree+0xd9/0x260 [ 25.496914] single_release+0x8f/0xb0 [ 25.500708] __fput+0x35d/0x930 [ 25.503966] ____fput+0x15/0x20 [ 25.507227] task_work_run+0x1ec/0x2a0 [ 25.511096] exit_to_usermode_loop+0x313/0x370 [ 25.515658] do_syscall_64+0x6be/0x820 [ 25.519525] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 25.524686] [ 25.526294] The buggy address belongs to the object at ffff8801d7548d40 [ 25.526294] which belongs to the cache kmalloc-32 of size 32 [ 25.538760] The buggy address is located 16 bytes inside of [ 25.538760] 32-byte region [ffff8801d7548d40, ffff8801d7548d60) [ 25.550447] The buggy address belongs to the page: [ 25.555358] page:ffffea00075d5200 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d7548fc1 [ 25.564782] flags: 0x2fffc0000000100(slab) [ 25.569031] raw: 02fffc0000000100 ffffea00075d5448 ffffea00075d3b08 ffff8801da8001c0 [ 25.576908] raw: ffff8801d7548fc1 ffff8801d7548000 0000000100000039 0000000000000000 [ 25.584764] page dumped because: kasan: bad access detected [ 25.590449] [ 25.592053] Memory state around the buggy address: [ 25.596978] ffff8801d7548c00: 00 04 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc [ 25.604318] ffff8801d7548c80: 00 05 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc [ 25.611659] >ffff8801d7548d00: 00 07 fc fc fc fc fc fc 00 00 05 fc fc fc fc fc [ 25.618996] ^ [ 25.624958] ffff8801d7548d80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 25.632313] ffff8801d7548e00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 25.639664] ================================================================== [ 25.647098] Kernel panic - not syncing: panic_on_warn set ... [ 25.647098] [ 25.654469] CPU: 1 PID: 4505 Comm: syz-executor441 Tainted: G B 4.18.0-rc3-next-20180706+ #1 [ 25.664330] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.673675] Call Trace: [ 25.676252] dump_stack+0x1c9/0x2b4 [ 25.679861] ? dump_stack_print_info.cold.2+0x52/0x52 [ 25.685037] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 25.689778] panic+0x238/0x4e7 [ 25.692955] ? add_taint.cold.5+0x16/0x16 [ 25.697109] ? do_raw_spin_unlock+0xa7/0x2f0 [ 25.701501] ? find_first_bit+0xf7/0x100 [ 25.705542] kasan_end_report+0x47/0x4f [ 25.709496] kasan_report.cold.7+0x76/0x30d [ 25.713801] __asan_report_load8_noabort+0x14/0x20 [ 25.718712] find_first_bit+0xf7/0x100 [ 25.722596] shrink_slab+0x5d0/0xdb0 [ 25.726296] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 25.731830] ? unregister_memcg_shrinker.isra.39+0x50/0x50 [ 25.737449] ? shrink_active_list+0x1830/0x1830 [ 25.742100] ? save_stack+0xa9/0xd0 [ 25.745709] ? save_stack+0x43/0xd0 [ 25.749321] ? kernfs_fop_open+0xa7f/0x1020 [ 25.753627] ? do_dentry_open+0xa7d/0x11c0 [ 25.757844] ? trace_hardirqs_on+0x10/0x10 [ 25.762064] shrink_node+0x429/0x16a0 [ 25.765856] ? shrink_node_memcg+0x18f0/0x18f0 [ 25.770429] ? kvm_clock_read+0x25/0x30 [ 25.774385] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 25.779395] ? ktime_get_raw_ts64+0x4f0/0x4f0 [ 25.783875] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 25.788873] do_try_to_free_pages+0x3e7/0x1290 [ 25.793453] ? shrink_node+0x16a0/0x16a0 [ 25.797516] ? check_same_owner+0x340/0x340 [ 25.801819] ? trace_hardirqs_on+0x10/0x10 [ 25.806043] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.811570] ? _parse_integer+0x13b/0x190 [ 25.815699] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 25.821221] try_to_free_mem_cgroup_pages+0x49d/0xc90 [ 25.826405] ? pointer_string+0x1b0/0x1b0 [ 25.830554] ? try_to_free_pages+0xb80/0xb80 [ 25.834948] ? memparse+0x171/0x1d0 [ 25.838558] ? get_options+0x380/0x380 [ 25.842428] ? kasan_kmalloc+0xc4/0xe0 [ 25.846297] ? __kmalloc+0x14e/0x760 [ 25.849989] ? kernfs_fop_write+0x33d/0x480 [ 25.854293] ? __vfs_write+0x117/0x9f0 [ 25.858169] ? vfs_write+0x1fc/0x560 [ 25.861860] ? ksys_write+0x101/0x260 [ 25.865646] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 25.871168] ? page_counter_memparse+0xb5/0x1e0 [ 25.875818] ? page_counter_set_low+0x180/0x180 [ 25.880470] ? cgroup_control+0x180/0x180 [ 25.884603] memory_high_write+0x283/0x310 [ 25.888818] ? mem_cgroup_css_released+0x140/0x140 [ 25.893741] ? lock_acquire+0x1e4/0x540 [ 25.897695] ? __might_fault+0x12b/0x1e0 [ 25.901740] cgroup_file_write+0x31f/0x840 [ 25.905967] ? mem_cgroup_css_released+0x140/0x140 [ 25.910877] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 25.915794] ? cgroup_migrate_add_task+0xcd0/0xcd0 [ 25.920705] kernfs_fop_write+0x2ba/0x480 [ 25.924835] __vfs_write+0x117/0x9f0 [ 25.928530] ? kernfs_fop_open+0x1020/0x1020 [ 25.932919] ? kernel_read+0x120/0x120 [ 25.936793] ? lock_release+0xa30/0xa30 [ 25.940748] ? check_same_owner+0x340/0x340 [ 25.945059] ? rcu_note_context_switch+0x730/0x730 [ 25.949972] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.955493] ? __sb_start_write+0x17f/0x300 [ 25.959794] vfs_write+0x1fc/0x560 [ 25.963323] ksys_write+0x101/0x260 [ 25.966933] ? __ia32_sys_read+0xb0/0xb0 [ 25.970987] __x64_sys_write+0x73/0xb0 [ 25.974861] do_syscall_64+0x1b9/0x820 [ 25.978743] ? syscall_return_slowpath+0x5e0/0x5e0 [ 25.983662] ? syscall_return_slowpath+0x31d/0x5e0 [ 25.988578] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 25.993594] ? prepare_exit_to_usermode+0x291/0x3b0 [ 25.998595] ? perf_trace_sys_enter+0xb10/0xb10 [ 26.003245] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.008088] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.013258] RIP: 0033:0x4419d9 [ 26.016425] Code: e8 ec b5 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 26.035547] RSP: 002b:00007ffcd44b9a78 EFLAGS: 00000217 ORIG_RAX: 0000000000000001 [ 26.043235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419d9 [ 26.050497] RDX: 000000000000006b RSI: 0000000020000740 RDI: 0000000000000004 [ 26.057755] RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006 [ 26.065008] R10: 0000000000000006 R11: 0000000000000217 R12: 0000000000000000 [ 26.072274] R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000 [ 26.080013] Dumping ftrace buffer: [ 26.083541] (ftrace buffer empty) [ 26.087229] Kernel Offset: disabled [ 26.090836] Rebooting in 86400 seconds..