[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.051664] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.689662] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.043067] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.916711] random: sshd: uninitialized urandom read (32 bytes read)
[ 47.972572] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[ 53.371278] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 00:47:34 parsed 1 programs
[ 55.422542] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 00:47:36 executed programs: 0
[ 56.778697] IPVS: ftp: loaded support on port[0] = 21
[ 56.920214] ip (4592) used greatest stack depth: 16680 bytes left
[ 57.069164] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.075919] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.083882] device bridge_slave_0 entered promiscuous mode
[ 57.104746] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.111362] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.118453] device bridge_slave_1 entered promiscuous mode
[ 57.136467] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 57.153196] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 57.202847] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 57.222250] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 57.293765] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 57.301476] team0: Port device team_slave_0 added
[ 57.317550] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 57.324999] team0: Port device team_slave_1 added
[ 57.341380] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 57.359814] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 57.378573] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 57.396091] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 57.530606] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.537150] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.544224] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.550636] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.060100] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.112305] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 58.162472] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 58.168874] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 58.176729] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.221686] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.542800] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 58.563934] ==================================================================
[ 58.571528] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 58.577690] Read of size 14848 at addr ffff8801d65196ed by task syz-executor0/4831
[ 58.585741]
[ 58.587360] CPU: 0 PID: 4831 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[ 58.594531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.603883] Call Trace:
[ 58.606735] dump_stack+0x1c9/0x2b4
[ 58.610448] ? dump_stack_print_info.cold.2+0x52/0x52
[ 58.615638] ? printk+0xa7/0xcf
[ 58.618919] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 58.623679] ? pdu_read+0x90/0xd0
[ 58.627129] print_address_description+0x6c/0x20b
[ 58.631979] ? pdu_read+0x90/0xd0
[ 58.635434] kasan_report.cold.7+0x242/0x2fe
[ 58.639850] check_memory_region+0x13e/0x1b0
[ 58.644253] memcpy+0x23/0x50
[ 58.647353] pdu_read+0x90/0xd0
[ 58.650632] p9pdu_readf+0x579/0x2170
[ 58.654620] ? p9pdu_writef+0xe0/0xe0
[ 58.658413] ? __fget+0x414/0x670
[ 58.661880] ? rcu_is_watching+0x61/0x150
[ 58.666024] ? expand_files.part.8+0x9c0/0x9c0
[ 58.670609] ? finish_wait+0x430/0x430
[ 58.674512] ? rcu_read_lock_sched_held+0x108/0x120
[ 58.679550] ? p9_fd_show_options+0x1c0/0x1c0
[ 58.684055] p9_client_create+0xde0/0x16c9
[ 58.688300] ? p9_client_read+0xc60/0xc60
[ 58.692468] ? find_held_lock+0x36/0x1c0
[ 58.696530] ? __lockdep_init_map+0x105/0x590
[ 58.701036] ? kasan_check_write+0x14/0x20
[ 58.705268] ? __init_rwsem+0x1cc/0x2a0
[ 58.709434] ? do_raw_write_unlock.cold.8+0x49/0x49
[ 58.714456] ? rcu_read_lock_sched_held+0x108/0x120
[ 58.719482] ? __kmalloc_track_caller+0x5f5/0x760
[ 58.724336] ? save_stack+0xa9/0xd0
[ 58.727960] ? save_stack+0x43/0xd0
[ 58.731578] ? kasan_kmalloc+0xc4/0xe0
[ 58.735629] ? memcpy+0x45/0x50
[ 58.738913] v9fs_session_init+0x21a/0x1a80
[ 58.743233] ? find_held_lock+0x36/0x1c0
[ 58.747306] ? v9fs_show_options+0x7e0/0x7e0
[ 58.751810] ? kasan_check_read+0x11/0x20
[ 58.755955] ? rcu_is_watching+0x8c/0x150
[ 58.760093] ? rcu_pm_notify+0xc0/0xc0
[ 58.764017] ? rcu_pm_notify+0xc0/0xc0
[ 58.767934] ? v9fs_mount+0x61/0x900
[ 58.771670] ? rcu_read_lock_sched_held+0x108/0x120
[ 58.776693] ? kmem_cache_alloc_trace+0x616/0x780
[ 58.781528] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 58.787063] v9fs_mount+0x7c/0x900
[ 58.790606] mount_fs+0xae/0x328
[ 58.793982] vfs_kern_mount.part.34+0xdc/0x4e0
[ 58.798563] ? may_umount+0xb0/0xb0
[ 58.802181] ? _raw_read_unlock+0x22/0x30
[ 58.806321] ? __get_fs_type+0x97/0xc0
[ 58.810211] do_mount+0x581/0x30e0
[ 58.813750] ? copy_mount_string+0x40/0x40
[ 58.818014] ? copy_mount_options+0x5f/0x380
[ 58.822439] ? rcu_read_lock_sched_held+0x108/0x120
[ 58.827464] ? kmem_cache_alloc_trace+0x616/0x780
[ 58.832304] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 58.837837] ? _copy_from_user+0xdf/0x150
[ 58.841986] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.847544] ? copy_mount_options+0x285/0x380
[ 58.852058] __ia32_compat_sys_mount+0x5d5/0x860
[ 58.856950] do_fast_syscall_32+0x34d/0xfb2
[ 58.861315] ? do_int80_syscall_32+0x890/0x890
[ 58.865895] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 58.870656] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.876196] ? syscall_return_slowpath+0x31d/0x5e0
[ 58.881144] ? sysret32_from_system_call+0x5/0x46
[ 58.886019] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.890878] entry_SYSENTER_compat+0x70/0x7f
[ 58.895308] RIP: 0023:0xf7fdccb9
[ 58.898657] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 58.918378] RSP: 002b:000000000845e90c EFLAGS: 00000202 ORIG_RAX: 0000000000000015
[ 58.926172] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[ 58.933461] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[ 58.940720] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 58.947981] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 58.955252] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 58.962534]
[ 58.964152] Allocated by task 4831:
[ 58.967784] save_stack+0x43/0xd0
[ 58.971227] kasan_kmalloc+0xc4/0xe0
[ 58.974926] __kmalloc+0x14e/0x760
[ 58.978456] p9_fcall_alloc+0x1e/0x90
[ 58.982249] p9_client_prepare_req.part.8+0x754/0xcd0
[ 58.987437] p9_client_rpc+0x1bd/0x1400
[ 58.991403] p9_client_create+0xd09/0x16c9
[ 58.995632] v9fs_session_init+0x21a/0x1a80
[ 58.999950] v9fs_mount+0x7c/0x900
[ 59.003477] mount_fs+0xae/0x328
[ 59.006851] vfs_kern_mount.part.34+0xdc/0x4e0
[ 59.011423] do_mount+0x581/0x30e0
[ 59.014966] __ia32_compat_sys_mount+0x5d5/0x860
[ 59.019730] do_fast_syscall_32+0x34d/0xfb2
[ 59.024056] entry_SYSENTER_compat+0x70/0x7f
[ 59.028443]
[ 59.030067] Freed by task 0:
[ 59.033064] (stack is not available)
[ 59.036761]
[ 59.038377] The buggy address belongs to the object at ffff8801d65196c0
[ 59.038377]  which belongs to the cache kmalloc-16384 of size 16384
[ 59.051397] The buggy address is located 45 bytes inside of
[ 59.051397]  16384-byte region [ffff8801d65196c0, ffff8801d651d6c0)
[ 59.063534] The buggy address belongs to the page:
[ 59.068718] page:ffffea0007594600 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 59.078685] flags: 0x2fffc0000008100(slab|head)
[ 59.083344] raw: 02fffc0000008100 ffffea00074a0c08 ffffea00074b6608 ffff8801da802200
[ 59.091226] raw: 0000000000000000 ffff8801d65196c0 0000000100000001 0000000000000000
[ 59.099087] page dumped because: kasan: bad access detected
[ 59.104786]
[ 59.106392] Memory state around the buggy address:
[ 59.111311]  ffff8801d651b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.118666]  ffff8801d651b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.126274] >ffff8801d651b680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 59.133616]                                                        ^
[ 59.140108]  ffff8801d651b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.147753]  ffff8801d651b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.155119] ==================================================================
[ 59.162462] Disabling lock debugging due to kernel taint
[ 59.168130] Kernel panic - not syncing: panic_on_warn set ...
[ 59.168130]
[ 59.175511] CPU: 0 PID: 4831 Comm: syz-executor0 Tainted: G B 4.18.0-rc3+ #40
[ 59.184248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.193600] Call Trace:
[ 59.196201] dump_stack+0x1c9/0x2b4
[ 59.199813] ? dump_stack_print_info.cold.2+0x52/0x52
[ 59.204999] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 59.209756] panic+0x238/0x4e7
[ 59.212934] ? add_taint.cold.5+0x16/0x16
[ 59.217073] ? do_raw_spin_unlock+0xa7/0x2f0
[ 59.221471] ? pdu_read+0x90/0xd0
[ 59.224922] kasan_end_report+0x47/0x4f
[ 59.228885] kasan_report.cold.7+0x76/0x2fe
[ 59.233201] check_memory_region+0x13e/0x1b0
[ 59.237608] memcpy+0x23/0x50
[ 59.240709] pdu_read+0x90/0xd0
[ 59.243974] p9pdu_readf+0x579/0x2170
[ 59.247769] ? p9pdu_writef+0xe0/0xe0
[ 59.251554] ? __fget+0x414/0x670
[ 59.255005] ? rcu_is_watching+0x61/0x150
[ 59.259166] ? expand_files.part.8+0x9c0/0x9c0
[ 59.263959] ? finish_wait+0x430/0x430
[ 59.267872] ? rcu_read_lock_sched_held+0x108/0x120
[ 59.272898] ? p9_fd_show_options+0x1c0/0x1c0
[ 59.277983] p9_client_create+0xde0/0x16c9
[ 59.282303] ? p9_client_read+0xc60/0xc60
[ 59.286464] ? find_held_lock+0x36/0x1c0
[ 59.290536] ? __lockdep_init_map+0x105/0x590
[ 59.295053] ? kasan_check_write+0x14/0x20
[ 59.299284] ? __init_rwsem+0x1cc/0x2a0
[ 59.303258] ? do_raw_write_unlock.cold.8+0x49/0x49
[ 59.308274] ? rcu_read_lock_sched_held+0x108/0x120
[ 59.313294] ? __kmalloc_track_caller+0x5f5/0x760
[ 59.318147] ? save_stack+0xa9/0xd0
[ 59.321780] ? save_stack+0x43/0xd0
[ 59.325410] ? kasan_kmalloc+0xc4/0xe0
[ 59.329297] ? memcpy+0x45/0x50
[ 59.332592] v9fs_session_init+0x21a/0x1a80
[ 59.336917] ? find_held_lock+0x36/0x1c0
[ 59.341074] ? v9fs_show_options+0x7e0/0x7e0
[ 59.345474] ? kasan_check_read+0x11/0x20
[ 59.349614] ? rcu_is_watching+0x8c/0x150
[ 59.353765] ? rcu_pm_notify+0xc0/0xc0
[ 59.357664] ? rcu_pm_notify+0xc0/0xc0
[ 59.361543] ? v9fs_mount+0x61/0x900
[ 59.365247] ? rcu_read_lock_sched_held+0x108/0x120
[ 59.370264] ? kmem_cache_alloc_trace+0x616/0x780
[ 59.375113] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 59.380664] v9fs_mount+0x7c/0x900
[ 59.384215] mount_fs+0xae/0x328
[ 59.387571] vfs_kern_mount.part.34+0xdc/0x4e0
[ 59.392149] ? may_umount+0xb0/0xb0
[ 59.395781] ? _raw_read_unlock+0x22/0x30
[ 59.399915] ? __get_fs_type+0x97/0xc0
[ 59.403803] do_mount+0x581/0x30e0
[ 59.407330] ? copy_mount_string+0x40/0x40
[ 59.411569] ? copy_mount_options+0x5f/0x380
[ 59.415979] ? rcu_read_lock_sched_held+0x108/0x120
[ 59.420992] ? kmem_cache_alloc_trace+0x616/0x780
[ 59.425837] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 59.431365] ? _copy_from_user+0xdf/0x150
[ 59.435504] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.441046] ? copy_mount_options+0x285/0x380
[ 59.445533] __ia32_compat_sys_mount+0x5d5/0x860
[ 59.450295] do_fast_syscall_32+0x34d/0xfb2
[ 59.454622] ? do_int80_syscall_32+0x890/0x890
[ 59.459204] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 59.463958] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.469495] ? syscall_return_slowpath+0x31d/0x5e0
[ 59.474418] ? sysret32_from_system_call+0x5/0x46
[ 59.479266] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.484110] entry_SYSENTER_compat+0x70/0x7f
[ 59.488512] RIP: 0023:0xf7fdccb9
[ 59.491864] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 59.511108] RSP: 002b:000000000845e90c EFLAGS: 00000202 ORIG_RAX: 0000000000000015
[ 59.518819] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[ 59.526076] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[ 59.533344] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 59.540622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 59.547887] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 59.555652] Dumping ftrace buffer:
[ 59.559180] (ftrace buffer empty)
[ 59.562893] Kernel Offset: disabled
[ 59.566507] Rebooting in 86400 seconds..