[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.454543] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.404562] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.746344] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.599879] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.751517] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[ 30.181084] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 02:31:48 parsed 1 programs
[ 31.640681] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 02:31:50 executed programs: 0
[ 32.832121] IPVS: ftp: loaded support on port[0] = 21
[ 33.025680] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.032168] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.039584] device bridge_slave_0 entered promiscuous mode
[ 33.057262] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.063637] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.070844] device bridge_slave_1 entered promiscuous mode
[ 33.086584] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 33.102492] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 33.146898] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 33.164893] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 33.226703] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 33.234102] team0: Port device team_slave_0 added
[ 33.248058] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 33.255241] team0: Port device team_slave_1 added
[ 33.269646] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 33.287311] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 33.305197] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 33.322903] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 33.442458] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.449065] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.456139] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.462511] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.856835] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.862974] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.904685] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.947321] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.955782] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 33.994210] 8021q: adding VLAN 0 to HW filter on device team0
[ 34.585967] ==================================================================
[ 34.593583] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 34.599729] Read of size 26214 at addr ffff8801d8af286d by task syz-executor0/4786
[ 34.607415]
[ 34.609036] CPU: 0 PID: 4786 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[ 34.616215] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.625559] Call Trace:
[ 34.628137]  dump_stack+0x1c9/0x2b4
[ 34.631759]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.636950]  ? printk+0xa7/0xcf
[ 34.640212]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 34.644952]  ? pdu_read+0x90/0xd0
[ 34.648390]  print_address_description+0x6c/0x20b
[ 34.653263]  ? pdu_read+0x90/0xd0
[ 34.656699]  kasan_report.cold.7+0x242/0x2fe
[ 34.661093]  check_memory_region+0x13e/0x1b0
[ 34.665486]  memcpy+0x23/0x50
[ 34.668573]  pdu_read+0x90/0xd0
[ 34.671837]  p9pdu_readf+0x579/0x2170
[ 34.675624]  ? p9pdu_writef+0xe0/0xe0
[ 34.679410]  ? __fget+0x414/0x670
[ 34.682876]  ? rcu_is_watching+0x61/0x150
[ 34.687011]  ? expand_files.part.8+0x9c0/0x9c0
[ 34.691589]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.696611]  ? p9_fd_show_options+0x1c0/0x1c0
[ 34.701094]  p9_client_create+0xde0/0x16c9
[ 34.705315]  ? p9_client_read+0xc60/0xc60
[ 34.709457]  ? find_held_lock+0x36/0x1c0
[ 34.713509]  ? __lockdep_init_map+0x105/0x590
[ 34.717995]  ? kasan_check_write+0x14/0x20
[ 34.722226]  ? __init_rwsem+0x1cc/0x2a0
[ 34.726189]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 34.731201]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.736199]  ? __kmalloc_track_caller+0x5f5/0x760
[ 34.741032]  ? save_stack+0xa9/0xd0
[ 34.744647]  ? save_stack+0x43/0xd0
[ 34.748254]  ? kasan_kmalloc+0xc4/0xe0
[ 34.752134]  ? memcpy+0x45/0x50
[ 34.755401]  v9fs_session_init+0x21a/0x1a80
[ 34.759719]  ? find_held_lock+0x36/0x1c0
[ 34.763766]  ? v9fs_show_options+0x7e0/0x7e0
[ 34.768159]  ? kasan_check_read+0x11/0x20
[ 34.772304]  ? rcu_is_watching+0x8c/0x150
[ 34.776442]  ? rcu_pm_notify+0xc0/0xc0
[ 34.780313]  ? rcu_pm_notify+0xc0/0xc0
[ 34.784185]  ? v9fs_mount+0x61/0x900
[ 34.787885]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.792880]  ? kmem_cache_alloc_trace+0x616/0x780
[ 34.797710]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 34.803234]  v9fs_mount+0x7c/0x900
[ 34.806764]  mount_fs+0xae/0x328
[ 34.810117]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 34.814690]  ? may_umount+0xb0/0xb0
[ 34.818307]  ? _raw_read_unlock+0x22/0x30
[ 34.822448]  ? __get_fs_type+0x97/0xc0
[ 34.826318]  do_mount+0x581/0x30e0
[ 34.829845]  ? copy_mount_string+0x40/0x40
[ 34.834071]  ? copy_mount_options+0x5f/0x380
[ 34.838462]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.843462]  ? kmem_cache_alloc_trace+0x616/0x780
[ 34.848289]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.853811]  ? _copy_from_user+0xdf/0x150
[ 34.857949]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.863467]  ? copy_mount_options+0x285/0x380
[ 34.868307]  __ia32_compat_sys_mount+0x5d5/0x860
[ 34.873060]  do_fast_syscall_32+0x34d/0xfb2
[ 34.877376]  ? do_int80_syscall_32+0x890/0x890
[ 34.881950]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.886691]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.892213]  ? syscall_return_slowpath+0x31d/0x5e0
[ 34.897138]  ? sysret32_from_system_call+0x5/0x46
[ 34.901967]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.906804]  entry_SYSENTER_compat+0x70/0x7f
[ 34.911195] RIP: 0023:0xf7f68cb9
[ 34.914535] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 34.933710] RSP: 002b:00000000fff01b8c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 34.941401] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000080
[ 34.948653] RDX: 00000000200000c0 RSI: 0000000000000000 RDI: 0000000020000380
[ 34.955924] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.963174] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 34.970435] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.977703]
[ 34.979311] Allocated by task 4786:
[ 34.982927]  save_stack+0x43/0xd0
[ 34.986363]  kasan_kmalloc+0xc4/0xe0
[ 34.990064]  __kmalloc+0x14e/0x760
[ 34.993597]  p9_fcall_alloc+0x1e/0x90
[ 34.997382]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 35.002564]  p9_client_rpc+0x1bd/0x1400
[ 35.006531]  p9_client_create+0xd09/0x16c9
[ 35.010762]  v9fs_session_init+0x21a/0x1a80
[ 35.015066]  v9fs_mount+0x7c/0x900
[ 35.018716]  mount_fs+0xae/0x328
[ 35.022066]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 35.026629]  do_mount+0x581/0x30e0
[ 35.030152]  __ia32_compat_sys_mount+0x5d5/0x860
[ 35.034891]  do_fast_syscall_32+0x34d/0xfb2
[ 35.039195]  entry_SYSENTER_compat+0x70/0x7f
[ 35.043591]
[ 35.045196] Freed by task 0:
[ 35.048188] (stack is not available)
[ 35.051874]
[ 35.053485] The buggy address belongs to the object at ffff8801d8af2840
[ 35.053485]  which belongs to the cache kmalloc-16384 of size 16384
[ 35.066471] The buggy address is located 45 bytes inside of
[ 35.066471]  16384-byte region [ffff8801d8af2840, ffff8801d8af6840)
[ 35.078409] The buggy address belongs to the page:
[ 35.083322] page:ffffea000762bc00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 35.093334] flags: 0x2fffc0000008100(slab|head)
[ 35.097989] raw: 02fffc0000008100 ffffea0006c98408 ffff8801da801c48 ffff8801da802200
[ 35.105875] raw: 0000000000000000 ffff8801d8af2840 0000000100000001 0000000000000000
[ 35.113743] page dumped because: kasan: bad access detected
[ 35.119427]
[ 35.121035] Memory state around the buggy address:
[ 35.125960]  ffff8801d8af4700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.133298]  ffff8801d8af4780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.140645] >ffff8801d8af4800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 35.147983]                                                        ^
[ 35.154457]  ffff8801d8af4880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.161800]  ffff8801d8af4900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.169157] ==================================================================
[ 35.176492] Disabling lock debugging due to kernel taint
[ 35.182507] Kernel panic - not syncing: panic_on_warn set ...
[ 35.182507]
[ 35.189887] CPU: 0 PID: 4786 Comm: syz-executor0 Tainted: G B 4.18.0-rc3+ #40
[ 35.198455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.207797] Call Trace:
[ 35.210403]  dump_stack+0x1c9/0x2b4
[ 35.214037]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.219226]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.223967]  panic+0x238/0x4e7
[ 35.227154]  ? add_taint.cold.5+0x16/0x16
[ 35.231293]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 35.235683]  ? pdu_read+0x90/0xd0
[ 35.239119]  kasan_end_report+0x47/0x4f
[ 35.243097]  kasan_report.cold.7+0x76/0x2fe
[ 35.247438]  check_memory_region+0x13e/0x1b0
[ 35.251856]  memcpy+0x23/0x50
[ 35.254948]  pdu_read+0x90/0xd0
[ 35.258209]  p9pdu_readf+0x579/0x2170
[ 35.262004]  ? p9pdu_writef+0xe0/0xe0
[ 35.265795]  ? __fget+0x414/0x670
[ 35.269234]  ? rcu_is_watching+0x61/0x150
[ 35.273361]  ? expand_files.part.8+0x9c0/0x9c0
[ 35.277926]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.282929]  ? p9_fd_show_options+0x1c0/0x1c0
[ 35.287417]  p9_client_create+0xde0/0x16c9
[ 35.291643]  ? p9_client_read+0xc60/0xc60
[ 35.295783]  ? find_held_lock+0x36/0x1c0
[ 35.299832]  ? __lockdep_init_map+0x105/0x590
[ 35.304320]  ? kasan_check_write+0x14/0x20
[ 35.308543]  ? __init_rwsem+0x1cc/0x2a0
[ 35.312500]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 35.317510]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.322539]  ? __kmalloc_track_caller+0x5f5/0x760
[ 35.327360]  ? save_stack+0xa9/0xd0
[ 35.330967]  ? save_stack+0x43/0xd0
[ 35.334573]  ? kasan_kmalloc+0xc4/0xe0
[ 35.338450]  ? memcpy+0x45/0x50
[ 35.341713]  v9fs_session_init+0x21a/0x1a80
[ 35.346036]  ? find_held_lock+0x36/0x1c0
[ 35.350089]  ? v9fs_show_options+0x7e0/0x7e0
[ 35.354487]  ? kasan_check_read+0x11/0x20
[ 35.358617]  ? rcu_is_watching+0x8c/0x150
[ 35.362742]  ? rcu_pm_notify+0xc0/0xc0
[ 35.366610]  ? rcu_pm_notify+0xc0/0xc0
[ 35.370481]  ? v9fs_mount+0x61/0x900
[ 35.374178]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.379194]  ? kmem_cache_alloc_trace+0x616/0x780
[ 35.384034]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 35.389557]  v9fs_mount+0x7c/0x900
[ 35.393080]  mount_fs+0xae/0x328
[ 35.396438]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 35.401018]  ? may_umount+0xb0/0xb0
[ 35.404630]  ? _raw_read_unlock+0x22/0x30
[ 35.408769]  ? __get_fs_type+0x97/0xc0
[ 35.412643]  do_mount+0x581/0x30e0
[ 35.416165]  ? copy_mount_string+0x40/0x40
[ 35.420387]  ? copy_mount_options+0x5f/0x380
[ 35.424809]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.429823]  ? kmem_cache_alloc_trace+0x616/0x780
[ 35.434649]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.440167]  ? _copy_from_user+0xdf/0x150
[ 35.444298]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.449904]  ? copy_mount_options+0x285/0x380
[ 35.454382]  __ia32_compat_sys_mount+0x5d5/0x860
[ 35.459134]  do_fast_syscall_32+0x34d/0xfb2
[ 35.463449]  ? do_int80_syscall_32+0x890/0x890
[ 35.468037]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.472779]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.478307]  ? syscall_return_slowpath+0x31d/0x5e0
[ 35.483222]  ? sysret32_from_system_call+0x5/0x46
[ 35.488049]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.492874]  entry_SYSENTER_compat+0x70/0x7f
[ 35.497274] RIP: 0023:0xf7f68cb9
[ 35.500613] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 35.519741] RSP: 002b:00000000fff01b8c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 35.527432] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000080
[ 35.534682] RDX: 00000000200000c0 RSI: 0000000000000000 RDI: 0000000020000380
[ 35.541930] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 35.549179] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 35.556433] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.564108] Dumping ftrace buffer:
[ 35.567626] (ftrace buffer empty)
[ 35.571313] Kernel Offset: disabled
[ 35.574922] Rebooting in 86400 seconds..