[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.476527] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   25.629178] random: sshd: uninitialized urandom read (32 bytes read)
[   26.044346] random: sshd: uninitialized urandom read (32 bytes read)
[   26.911293] random: sshd: uninitialized urandom read (32 bytes read)
[   27.075743] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[   32.625188] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.721656] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   32.742812] ==================================================================
[   32.750277] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   32.756410] Read of size 30720 at addr ffff8801d8d0042d by task syz-executor448/4548
[   32.764281]
[   32.765902] CPU: 0 PID: 4548 Comm: syz-executor448 Not tainted 4.18.0-rc3+ #137
[   32.773335] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.782683] Call Trace:
[   32.785276]  dump_stack+0x1c9/0x2b4
[   32.788892]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.794072]  ? printk+0xa7/0xcf
[   32.797336]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.802083]  ? pdu_read+0x90/0xd0
[   32.805523]  print_address_description+0x6c/0x20b
[   32.810381]  ? pdu_read+0x90/0xd0
[   32.813831]  kasan_report.cold.7+0x242/0x2fe
[   32.818236]  check_memory_region+0x13e/0x1b0
[   32.822629]  memcpy+0x23/0x50
[   32.825728]  pdu_read+0x90/0xd0
[   32.828991]  p9pdu_readf+0x579/0x2170
[   32.832781]  ? p9pdu_writef+0xe0/0xe0
[   32.836565]  ? __fget+0x414/0x670
[   32.840004]  ? rcu_is_watching+0x61/0x150
[   32.844142]  ? expand_files.part.8+0x9c0/0x9c0
[   32.848712]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.853730]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.858218]  p9_client_create+0xde0/0x16c9
[   32.862440]  ? p9_client_read+0xc60/0xc60
[   32.866601]  ? find_held_lock+0x36/0x1c0
[   32.870652]  ? __lockdep_init_map+0x105/0x590
[   32.875141]  ? kasan_check_write+0x14/0x20
[   32.879358]  ? __init_rwsem+0x1cc/0x2a0
[   32.883317]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.888319]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.893331]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.898163]  ? save_stack+0xa9/0xd0
[   32.901772]  ? save_stack+0x43/0xd0
[   32.905386]  ? kasan_kmalloc+0xc4/0xe0
[   32.909254]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.914089]  ? memcpy+0x45/0x50
[   32.917358]  v9fs_session_init+0x21a/0x1a80
[   32.921672]  ? find_held_lock+0x36/0x1c0
[   32.925726]  ? v9fs_show_options+0x7e0/0x7e0
[   32.930126]  ? kasan_check_read+0x11/0x20
[   32.934256]  ? rcu_is_watching+0x8c/0x150
[   32.938392]  ? rcu_pm_notify+0xc0/0xc0
[   32.942276]  ? v9fs_mount+0x61/0x900
[   32.945974]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.950976]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.955807]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.961337]  v9fs_mount+0x7c/0x900
[   32.964865]  mount_fs+0xae/0x328
[   32.968218]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.972779]  ? may_umount+0xb0/0xb0
[   32.976391]  ? _raw_read_unlock+0x22/0x30
[   32.980521]  ? __get_fs_type+0x97/0xc0
[   32.984392]  do_mount+0x581/0x30e0
[   32.987928]  ? copy_mount_string+0x40/0x40
[   32.992157]  ? copy_mount_options+0x5f/0x380
[   32.996559]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.001566]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.006411]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.011939]  ? _copy_from_user+0xdf/0x150
[   33.016082]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.021608]  ? copy_mount_options+0x285/0x380
[   33.026091]  ksys_mount+0x12d/0x140
[   33.029705]  __x64_sys_mount+0xbe/0x150
[   33.033676]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.038686]  do_syscall_64+0x1b9/0x820
[   33.042565]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.047480]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.052394]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.057936]  ? retint_user+0x18/0x18
[   33.061663]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.066493]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.071670] RIP: 0033:0x440209
[   33.074847] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   33.094030] RSP: 002b:00007ffd6c3b7c58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   33.101728] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440209
[   33.108979] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   33.116230] RBP: 0030656c69662f2e R08: 0000000020000180 R09: 00000000004002c8
[   33.123480] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   33.130729] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   33.138003]
[   33.139613] Allocated by task 4548:
[   33.143225]  save_stack+0x43/0xd0
[   33.146659]  kasan_kmalloc+0xc4/0xe0
[   33.150354]  __kmalloc+0x14e/0x760
[   33.153895]  p9_fcall_alloc+0x1e/0x90
[   33.157674]  p9_client_prepare_req.part.8+0x754/0xcd0
[   33.162853]  p9_client_rpc+0x1bd/0x1400
[   33.166818]  p9_client_create+0xd09/0x16c9
[   33.171041]  v9fs_session_init+0x21a/0x1a80
[   33.175348]  v9fs_mount+0x7c/0x900
[   33.178870]  mount_fs+0xae/0x328
[   33.182220]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.186788]  do_mount+0x581/0x30e0
[   33.190317]  ksys_mount+0x12d/0x140
[   33.193925]  __x64_sys_mount+0xbe/0x150
[   33.197891]  do_syscall_64+0x1b9/0x820
[   33.201760]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.206930]
[   33.208534] Freed by task 0:
[   33.211527] (stack is not available)
[   33.215219]
[   33.216829] The buggy address belongs to the object at ffff8801d8d00400
[   33.216829]  which belongs to the cache kmalloc-16384 of size 16384
[   33.229826] The buggy address is located 45 bytes inside of
[   33.229826]  16384-byte region [ffff8801d8d00400, ffff8801d8d04400)
[   33.241784] The buggy address belongs to the page:
[   33.246716] page:ffffea0007634000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   33.256689] flags: 0x2fffc0000008100(slab|head)
[   33.261355] raw: 02fffc0000008100 ffffea000764f208 ffff8801da801c48 ffff8801da802200
[   33.269220] raw: 0000000000000000 ffff8801d8d00400 0000000100000001 0000000000000000
[   33.277083] page dumped because: kasan: bad access detected
[   33.282788]
[   33.284401] Memory state around the buggy address:
[   33.289312]  ffff8801d8d02300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.296662]  ffff8801d8d02380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.304436] >ffff8801d8d02400: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   33.311780]                                ^
[   33.316175]  ffff8801d8d02480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.323521]  ffff8801d8d02500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.330862] ==================================================================
[   33.338217] Disabling lock debugging due to kernel taint
[   33.343799] Kernel panic - not syncing: panic_on_warn set ...
[   33.343799]
[   33.351183] CPU: 0 PID: 4548 Comm: syz-executor448 Tainted: G    B             4.18.0-rc3+ #137
[   33.360024] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.369362] Call Trace:
[   33.371939]  dump_stack+0x1c9/0x2b4
[   33.375549]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.380720]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.385461]  panic+0x238/0x4e7
[   33.388640]  ? add_taint.cold.5+0x16/0x16
[   33.392770]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.397174]  ? pdu_read+0x90/0xd0
[   33.400607]  kasan_end_report+0x47/0x4f
[   33.404659]  kasan_report.cold.7+0x76/0x2fe
[   33.408983]  check_memory_region+0x13e/0x1b0
[   33.413387]  memcpy+0x23/0x50
[   33.416504]  pdu_read+0x90/0xd0
[   33.419765]  p9pdu_readf+0x579/0x2170
[   33.423554]  ? p9pdu_writef+0xe0/0xe0
[   33.427379]  ? __fget+0x414/0x670
[   33.430817]  ? rcu_is_watching+0x61/0x150
[   33.434968]  ? expand_files.part.8+0x9c0/0x9c0
[   33.439550]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.444570]  ? p9_fd_show_options+0x1c0/0x1c0
[   33.449058]  p9_client_create+0xde0/0x16c9
[   33.453285]  ? p9_client_read+0xc60/0xc60
[   33.457422]  ? find_held_lock+0x36/0x1c0
[   33.461556]  ? __lockdep_init_map+0x105/0x590
[   33.466038]  ? kasan_check_write+0x14/0x20
[   33.470253]  ? __init_rwsem+0x1cc/0x2a0
[   33.474213]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   33.479217]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.484229]  ? __kmalloc_track_caller+0x5f5/0x760
[   33.489054]  ? save_stack+0xa9/0xd0
[   33.492663]  ? save_stack+0x43/0xd0
[   33.496281]  ? kasan_kmalloc+0xc4/0xe0
[   33.500149]  ? kmem_cache_alloc_trace+0x152/0x780
[   33.505061]  ? memcpy+0x45/0x50
[   33.508338]  v9fs_session_init+0x21a/0x1a80
[   33.512663]  ? find_held_lock+0x36/0x1c0
[   33.516713]  ? v9fs_show_options+0x7e0/0x7e0
[   33.521112]  ? kasan_check_read+0x11/0x20
[   33.525239]  ? rcu_is_watching+0x8c/0x150
[   33.529364]  ? rcu_pm_notify+0xc0/0xc0
[   33.533235]  ? v9fs_mount+0x61/0x900
[   33.536933]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.541941]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.546774]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.552294]  v9fs_mount+0x7c/0x900
[   33.555830]  mount_fs+0xae/0x328
[   33.559177]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.563736]  ? may_umount+0xb0/0xb0
[   33.567346]  ? _raw_read_unlock+0x22/0x30
[   33.571487]  ? __get_fs_type+0x97/0xc0
[   33.575356]  do_mount+0x581/0x30e0
[   33.578875]  ? copy_mount_string+0x40/0x40
[   33.583091]  ? copy_mount_options+0x5f/0x380
[   33.587491]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.592493]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.597331]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.602857]  ? _copy_from_user+0xdf/0x150
[   33.606999]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.612537]  ? copy_mount_options+0x285/0x380
[   33.617102]  ksys_mount+0x12d/0x140
[   33.620712]  __x64_sys_mount+0xbe/0x150
[   33.624667]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.629667]  do_syscall_64+0x1b9/0x820
[   33.633543]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.638463]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.643384]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.648925]  ? retint_user+0x18/0x18
[   33.652627]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.657455]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.662622] RIP: 0033:0x440209
[   33.665787] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   33.684912] RSP: 002b:00007ffd6c3b7c58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   33.692617] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440209
[   33.699871] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   33.707120] RBP: 0030656c69662f2e R08: 0000000020000180 R09: 00000000004002c8
[   33.714373] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   33.721632] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000
[   33.729446] Dumping ftrace buffer:
[   33.732972]    (ftrace buffer empty)
[   33.736660] Kernel Offset: disabled
[   33.740266] Rebooting in 86400 seconds..
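Reading the report: the faulting read is a 30720-byte memcpy starting 45 bytes into a 16384-byte kmalloc object, issued by pdu_read() while p9pdu_readf() unpacks the server's reply during p9_client_create() (the version handshake of a 9p mount). The allocation site is p9_fcall_alloc(), so the object is the reply buffer; the fact that a 30720-byte field read was attempted at all means the parser's only bound was the message length the peer declared in the 9p header, not the size of the buffer actually allocated. The register dump agrees with the frames: RBP holds the ASCII bytes of "./file0" and R12 those of "trans=fd", and p9_fd_show_options appears in the trace, so this is the fd transport, where the "server" is a file descriptor the mounting process itself supplies. Any local user who can reach mount(2) with a 9p source therefore controls every byte of the reply.

The following is an added example written for this page, not code from the kernel or from the report. It is a tiny parser for a 9P2000 Rversion message (size[4] type[1] tag[2] msize[4] version[s], little-endian, s = len[2] + bytes) that shows the two checks such a parser needs: the per-field check against the declared size, which the kernel's pdu_read already had, and a check that the declared size itself fits the allocation, which the numbers above show was missing. The struct and function names are invented for the example; the hostile reply is constructed with the report's numbers (capacity 16384, string length 30720) but places the string at the natural Rversion offset 13 rather than the report's 45, since the page does not say what preceded it.

```c
/* Added example (not kernel code): length checks for a peer-controlled 9P PDU. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P9_HDRSZ    7u
#define P9_RVERSION 101u

struct pdu {                 /* loosely modelled on struct p9_fcall; names are ours */
	uint32_t size;       /* length the peer declared in the header */
	uint32_t offset;     /* parse cursor */
	uint32_t capacity;   /* bytes really allocated behind sdata */
	uint8_t *sdata;
};

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* The crashing pattern: clamp the copy to (size - offset) only.  That is safe
 * solely when size <= capacity.  Instead of performing the memcpy, return how
 * many bytes it would run past the allocation, so the overrun can be shown. */
static size_t overrun_if_size_trusted(const struct pdu *p, size_t want)
{
	size_t avail = p->size - p->offset;
	size_t len = want < avail ? want : avail;
	size_t end = (size_t)p->offset + len;
	return end > p->capacity ? end - p->capacity : 0;
}

/* Hardened read: refuse a header that claims more than was allocated, and a
 * field that runs past the declared message.  0 on success, -1 if malformed. */
static int pdu_read_checked(struct pdu *p, void *dst, size_t want)
{
	if (p->size > p->capacity)        /* peer lied about the message length */
		return -1;
	if (want > p->size - p->offset)   /* field runs past the message */
		return -1;
	memcpy(dst, p->sdata + p->offset, want);
	p->offset += want;
	return 0;
}

/* Parse Rversion into msize and a NUL-terminated version string. */
static int parse_rversion(struct pdu *p, uint32_t *msize, char *ver, size_t vcap)
{
	uint8_t hdr[P9_HDRSZ], b4[4], b2[2];
	uint16_t len;

	p->offset = 0;
	if (p->size < P9_HDRSZ || pdu_read_checked(p, hdr, P9_HDRSZ))
		return -1;
	if (le32(hdr) != p->size || hdr[4] != P9_RVERSION)
		return -1;
	if (pdu_read_checked(p, b4, 4))
		return -1;
	*msize = le32(b4);
	if (pdu_read_checked(p, b2, 2))
		return -1;
	len = le16(b2);
	if (len >= vcap || pdu_read_checked(p, ver, len))
		return -1;
	ver[len] = '\0';
	return 0;
}

/* Build a reply in buf[cap] with a caller-chosen declared size and string length. */
static void build_rversion(uint8_t *buf, size_t cap, uint32_t declared, uint16_t slen, const char *v)
{
	size_t n = strlen(v);
	memset(buf, 0, cap);
	put32(buf, declared);      /* size[4]: whatever the peer claims */
	buf[4] = P9_RVERSION;      /* type[1] */
	put16(buf + 5, 0xffff);    /* tag[2]: NOTAG */
	put32(buf + 7, 16384);     /* msize[4] */
	put16(buf + 11, slen);     /* version len[2]: also peer-controlled */
	memcpy(buf + 13, v, n > cap - 13 ? cap - 13 : n);
}

/* Constructed hostile reply using the report's numbers: 16384-byte buffer,
 * declared size 30765, string length 30720.  The per-field check passes
 * (30720 <= 30765 - 13), so a parser trusting `size` overruns by 14349 bytes. */
#define BUF_CAP 16384u
static size_t demo_hostile_overrun(void)
{
	static uint8_t buf[BUF_CAP];
	struct pdu p = { .size = 30765, .offset = 13, .capacity = BUF_CAP, .sdata = buf };
	build_rversion(buf, BUF_CAP, 30765, 30720, "9P2000");
	return overrun_if_size_trusted(&p, 30720);
}

static int demo_hostile_rejected(void)   /* hardened parser: -1 */
{
	static uint8_t buf[BUF_CAP];
	struct pdu p = { .size = 30765, .offset = 0, .capacity = BUF_CAP, .sdata = buf };
	uint32_t msize; char ver[64];
	build_rversion(buf, BUF_CAP, 30765, 30720, "9P2000");
	return parse_rversion(&p, &msize, ver, sizeof ver);
}

static uint32_t demo_benign(void)        /* well-formed reply: returns msize 16384 */
{
	static uint8_t buf[BUF_CAP];
	struct pdu p = { .size = 19, .offset = 0, .capacity = BUF_CAP, .sdata = buf };
	uint32_t msize; char ver[64];
	build_rversion(buf, BUF_CAP, 19, 6, "9P2000");
	if (parse_rversion(&p, &msize, ver, sizeof ver) || strcmp(ver, "9P2000"))
		return 0;
	return msize;
}

int main(void)
{
	printf("overrun if declared size is trusted: %zu bytes\n", demo_hostile_overrun());
	printf("hardened parser on hostile reply: %d\n", demo_hostile_rejected());
	printf("hardened parser on benign reply: msize %u\n", demo_benign());
	return 0;
}
```

The capacity check belongs where the transport hands the reply to the client, once per message, before any field is unpacked; the per-field check alone cannot help because it measures against a number the peer chose. For the fd transport the same reasoning applies to the header read itself: the length taken from the first seven bytes must be compared with the buffer the request was allocated with, not only with the negotiated msize.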