[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.496668] random: sshd: uninitialized urandom read (32 bytes read)
[   21.644152] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.876941] random: sshd: uninitialized urandom read (32 bytes read)
[   22.725493] random: sshd: uninitialized urandom read (32 bytes read)
[   22.886300] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
[   28.431395] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/11 04:01:42 parsed 1 programs
[   30.284210] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/11 04:01:44 executed programs: 0
[   31.651226] IPVS: ftp: loaded support on port[0] = 21
[   31.871783] bridge0: port 1(bridge_slave_0) entered blocking state
[   31.878497] bridge0: port 1(bridge_slave_0) entered disabled state
[   31.886441] device bridge_slave_0 entered promiscuous mode
[   31.904447] bridge0: port 2(bridge_slave_1) entered blocking state
[   31.911086] bridge0: port 2(bridge_slave_1) entered disabled state
[   31.918265] device bridge_slave_1 entered promiscuous mode
[   31.936132] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   31.953205] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   32.003831] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   32.023262] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   32.095171] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   32.102872] team0: Port device team_slave_0 added
[   32.120109] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   32.127602] team0: Port device team_slave_1 added
[   32.143738] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   32.162858] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   32.181106] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   32.199817] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   32.332127] bridge0: port 2(bridge_slave_1) entered blocking state
[   32.338614] bridge0: port 2(bridge_slave_1) entered forwarding state
[   32.345717] bridge0: port 1(bridge_slave_0) entered blocking state
[   32.352091] bridge0: port 1(bridge_slave_0) entered forwarding state
[   32.853563] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   32.859911] 8021q: adding VLAN 0 to HW filter on device bond0
[   32.867767] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   32.918058] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   32.964859] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   32.971150] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   32.978476] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   33.023406] 8021q: adding VLAN 0 to HW filter on device team0
[   33.315855] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   33.712408] ==================================================================
[   33.720062] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   33.726221] Read of size 26214 at addr ffff8801cf05256d by task syz-executor0/4837
[   33.733926]
[   33.735542] CPU: 0 PID: 4837 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #43
[   33.742718] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.752061] Call Trace:
[   33.754641]  dump_stack+0x1c9/0x2b4
[   33.758259]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.763434]  ? printk+0xa7/0xcf
[   33.766707]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.771459]  ? pdu_read+0x90/0xd0
[   33.774895]  print_address_description+0x6c/0x20b
[   33.779725]  ? pdu_read+0x90/0xd0
[   33.783159]  kasan_report.cold.7+0x242/0x2fe
[   33.787554]  check_memory_region+0x13e/0x1b0
[   33.791950]  memcpy+0x23/0x50
[   33.795173]  pdu_read+0x90/0xd0
[   33.798516]  p9pdu_readf+0x579/0x2170
[   33.802370]  ? p9pdu_writef+0xe0/0xe0
[   33.806199]  ? __fget+0x414/0x670
[   33.809671]  ? rcu_is_watching+0x61/0x150
[   33.813843]  ? expand_files.part.8+0x9c0/0x9c0
[   33.818424]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.823434]  ? p9_fd_show_options+0x1c0/0x1c0
[   33.828100]  p9_client_create+0xde0/0x16c9
[   33.832326]  ? p9_client_read+0xc60/0xc60
[   33.836467]  ? find_held_lock+0x36/0x1c0
[   33.840537]  ? __lockdep_init_map+0x105/0x590
[   33.845119]  ? kasan_check_write+0x14/0x20
[   33.849358]  ? __init_rwsem+0x1cc/0x2a0
[   33.853359]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   33.858405]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.863452]  ? __kmalloc_track_caller+0x5f5/0x760
[   33.868327]  ? save_stack+0xa9/0xd0
[   33.872135]  ? save_stack+0x43/0xd0
[   33.875874]  ? kasan_kmalloc+0xc4/0xe0
[   33.879796]  ? memcpy+0x45/0x50
[   33.883103]  v9fs_session_init+0x21a/0x1a80
[   33.887889]  ? find_held_lock+0x36/0x1c0
[   33.891998]  ? v9fs_show_options+0x7e0/0x7e0
[   33.896469]  ? kasan_check_read+0x11/0x20
[   33.900645]  ? rcu_is_watching+0x8c/0x150
[   33.904835]  ? rcu_pm_notify+0xc0/0xc0
[   33.908753]  ? rcu_pm_notify+0xc0/0xc0
[   33.912645]  ? v9fs_mount+0x61/0x900
[   33.916357]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.921395]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.926294]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.931897]  v9fs_mount+0x7c/0x900
[   33.935468]  mount_fs+0xae/0x328
[   33.938864]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.943563]  ? may_umount+0xb0/0xb0
[   33.947223]  ? _raw_read_unlock+0x22/0x30
[   33.951359]  ? __get_fs_type+0x97/0xc0
[   33.955236]  do_mount+0x581/0x30e0
[   33.958765]  ? copy_mount_string+0x40/0x40
[   33.962997]  ? copy_mount_options+0x5f/0x380
[   33.967438]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.972638]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.977684]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.983341]  ? _copy_from_user+0xdf/0x150
[   33.987503]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.993076]  ? copy_mount_options+0x285/0x380
[   33.997608]  __ia32_compat_sys_mount+0x5d5/0x860
[   34.002661]  do_fast_syscall_32+0x34d/0xfb2
[   34.007038]  ? do_int80_syscall_32+0x890/0x890
[   34.011661]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.016447]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.021987]  ? syscall_return_slowpath+0x31d/0x5e0
[   34.026931]  ? sysret32_from_system_call+0x5/0x46
[   34.031768]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.036621]  entry_SYSENTER_compat+0x70/0x7f
[   34.041050] RIP: 0023:0xf7f5dcb9
[   34.044412] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   34.063627] RSP: 002b:00000000ff967cbc EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   34.071350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   34.078673] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   34.085964] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.093253] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   34.100541] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.107938]
[   34.109597] Allocated by task 4837:
[   34.113431]  save_stack+0x43/0xd0
[   34.116920]  kasan_kmalloc+0xc4/0xe0
[   34.120663]  __kmalloc+0x14e/0x760
[   34.124196]  p9_fcall_alloc+0x1e/0x90
[   34.128050]  p9_client_prepare_req.part.8+0x754/0xcd0
[   34.133281]  p9_client_rpc+0x1bd/0x1400
[   34.137245]  p9_client_create+0xd09/0x16c9
[   34.141471]  v9fs_session_init+0x21a/0x1a80
[   34.145782]  v9fs_mount+0x7c/0x900
[   34.149309]  mount_fs+0xae/0x328
[   34.152659]  vfs_kern_mount.part.34+0xdc/0x4e0
[   34.157228]  do_mount+0x581/0x30e0
[   34.160763]  __ia32_compat_sys_mount+0x5d5/0x860
[   34.165526]  do_fast_syscall_32+0x34d/0xfb2
[   34.169877]  entry_SYSENTER_compat+0x70/0x7f
[   34.174294]
[   34.175914] Freed by task 0:
[   34.178937] (stack is not available)
[   34.182773]
[   34.184405] The buggy address belongs to the object at ffff8801cf052540
[   34.184405]  which belongs to the cache kmalloc-16384 of size 16384
[   34.197506] The buggy address is located 45 bytes inside of
[   34.197506]  16384-byte region [ffff8801cf052540, ffff8801cf056540)
[   34.209572] The buggy address belongs to the page:
[   34.214511] page:ffffea00073c1400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   34.224931] flags: 0x2fffc0000008100(slab|head)
[   34.229644] raw: 02fffc0000008100 ffffea0006a53408 ffff8801da801c48 ffff8801da802200
[   34.237548] raw: 0000000000000000 ffff8801cf052540 0000000100000001 0000000000000000
[   34.245432] page dumped because: kasan: bad access detected
[   34.251140]
[   34.252763] Memory state around the buggy address:
[   34.257799]  ffff8801cf054400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.265164]  ffff8801cf054480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.272524] >ffff8801cf054500: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   34.280074]                                                        ^
[   34.286634]  ffff8801cf054580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.294033]  ffff8801cf054600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.301513] ==================================================================
[   34.308988] Disabling lock debugging due to kernel taint
[   34.315009] Kernel panic - not syncing: panic_on_warn set ...
[   34.315009]
[   34.322418] CPU: 0 PID: 4837 Comm: syz-executor0 Tainted: G    B             4.18.0-rc4+ #43
[   34.331007] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.340370] Call Trace:
[   34.343037]  dump_stack+0x1c9/0x2b4
[   34.346785]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.352011]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.356796]  panic+0x238/0x4e7
[   34.360035]  ? add_taint.cold.5+0x16/0x16
[   34.364222]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.368634]  ? pdu_read+0x90/0xd0
[   34.372088]  kasan_end_report+0x47/0x4f
[   34.376109]  kasan_report.cold.7+0x76/0x2fe
[   34.380460]  check_memory_region+0x13e/0x1b0
[   34.384891]  memcpy+0x23/0x50
[   34.388049]  pdu_read+0x90/0xd0
[   34.391363]  p9pdu_readf+0x579/0x2170
[   34.395295]  ? p9pdu_writef+0xe0/0xe0
[   34.399105]  ? __fget+0x414/0x670
[   34.402571]  ? rcu_is_watching+0x61/0x150
[   34.406737]  ? expand_files.part.8+0x9c0/0x9c0
[   34.411494]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.416507]  ? p9_fd_show_options+0x1c0/0x1c0
[   34.421049]  p9_client_create+0xde0/0x16c9
[   34.425459]  ? p9_client_read+0xc60/0xc60
[   34.429602]  ? find_held_lock+0x36/0x1c0
[   34.433682]  ? __lockdep_init_map+0x105/0x590
[   34.438190]  ? kasan_check_write+0x14/0x20
[   34.443055]  ? __init_rwsem+0x1cc/0x2a0
[   34.447066]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   34.452281]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.457301]  ? __kmalloc_track_caller+0x5f5/0x760
[   34.462154]  ? save_stack+0xa9/0xd0
[   34.465798]  ? save_stack+0x43/0xd0
[   34.469425]  ? kasan_kmalloc+0xc4/0xe0
[   34.473321]  ? memcpy+0x45/0x50
[   34.476611]  v9fs_session_init+0x21a/0x1a80
[   34.480978]  ? find_held_lock+0x36/0x1c0
[   34.485072]  ? v9fs_show_options+0x7e0/0x7e0
[   34.489501]  ? kasan_check_read+0x11/0x20
[   34.493647]  ? rcu_is_watching+0x8c/0x150
[   34.497807]  ? rcu_pm_notify+0xc0/0xc0
[   34.501796]  ? rcu_pm_notify+0xc0/0xc0
[   34.505716]  ? v9fs_mount+0x61/0x900
[   34.509781]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.515332]  ? kmem_cache_alloc_trace+0x616/0x780
[   34.520197]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   34.525745]  v9fs_mount+0x7c/0x900
[   34.529282]  mount_fs+0xae/0x328
[   34.532661]  vfs_kern_mount.part.34+0xdc/0x4e0
[   34.537262]  ? may_umount+0xb0/0xb0
[   34.540900]  ? _raw_read_unlock+0x22/0x30
[   34.545220]  ? __get_fs_type+0x97/0xc0
[   34.549127]  do_mount+0x581/0x30e0
[   34.552693]  ? copy_mount_string+0x40/0x40
[   34.556986]  ? copy_mount_options+0x5f/0x380
[   34.561434]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.566495]  ? kmem_cache_alloc_trace+0x616/0x780
[   34.571647]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.577224]  ? _copy_from_user+0xdf/0x150
[   34.581501]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.587231]  ? copy_mount_options+0x285/0x380
[   34.592033]  __ia32_compat_sys_mount+0x5d5/0x860
[   34.597030]  do_fast_syscall_32+0x34d/0xfb2
[   34.601417]  ? do_int80_syscall_32+0x890/0x890
[   34.606138]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.612020]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.617801]  ? syscall_return_slowpath+0x31d/0x5e0
[   34.622739]  ? sysret32_from_system_call+0x5/0x46
[   34.627575]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.632423]  entry_SYSENTER_compat+0x70/0x7f
[   34.636820] RIP: 0023:0xf7f5dcb9
[   34.640181] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   34.659777] RSP: 002b:00000000ff967cbc EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   34.667499] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   34.674779] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   34.682838] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.690115] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   34.697420] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.705452] Dumping ftrace buffer:
[   34.709009]    (ftrace buffer empty)
[   34.712990] Kernel Offset: disabled
[   34.716624] Rebooting in 86400 seconds..