[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.338351] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.375501] random: sshd: uninitialized urandom read (32 bytes read) [ 21.735792] random: sshd: uninitialized urandom read (32 bytes read) [ 22.659747] random: sshd: uninitialized urandom read (32 bytes read) [ 22.825242] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.44' (ECDSA) to the list of known hosts. [ 28.256075] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 28.346218] ================================================================== [ 28.353667] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 [ 28.361013] Read of size 4 at addr ffff8801cd537a34 by task syz-executor392/4538 [ 28.368534] [ 28.370151] CPU: 1 PID: 4538 Comm: syz-executor392 Not tainted 4.18.0-rc3+ #137 [ 28.377603] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.386939] Call Trace: [ 28.389529] dump_stack+0x1c9/0x2b4 [ 28.393145] ? dump_stack_print_info.cold.2+0x52/0x52 [ 28.398317] ? printk+0xa7/0xcf [ 28.401580] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 28.406339] ? fscache_alloc_cookie+0x7a9/0x880 [ 28.410995] print_address_description+0x6c/0x20b [ 28.415832] ? fscache_alloc_cookie+0x7a9/0x880 [ 28.420481] kasan_report.cold.7+0x242/0x2fe [ 28.424874] __asan_report_load4_noabort+0x14/0x20 [ 28.429786] fscache_alloc_cookie+0x7a9/0x880 [ 28.434270] ? fscache_cookie_init_once+0x80/0x80 [ 28.439093] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.443834] ? retint_kernel+0x10/0x10 [ 28.447721] __fscache_acquire_cookie+0x230/0xb00 [ 28.452548] ? fscache_cookie_put+0x850/0x850 [ 28.457028] ? p9_client_attach+0x215/0x860 [ 28.461346] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 28.466433] ? debug_check_no_obj_freed+0x30b/0x595 [ 28.471441] ? p9_client_walk+0xab0/0xab0 [ 28.475577] ? trace_hardirqs_off+0xd/0x10 [ 28.479790] ? quarantine_put+0x10d/0x1b0 [ 28.483931] ? kfree+0x111/0x260 [ 28.487290] v9fs_cache_session_get_cookie+0xc4/0x270 [ 28.492464] v9fs_session_init+0x1013/0x1a80 [ 28.496862] ? v9fs_show_options+0x7e0/0x7e0 [ 28.501253] ? kasan_check_read+0x11/0x20 [ 28.505385] ? do_raw_spin_unlock+0xa7/0x2f0 [ 28.509777] ? rcu_is_watching+0x8c/0x150 [ 28.513920] ? rcu_pm_notify+0xc0/0xc0 [ 28.517796] ? v9fs_mount+0x61/0x900 [ 28.521494] ? rcu_read_lock_sched_held+0x108/0x120 [ 28.526497] v9fs_mount+0x7c/0x900 [ 28.530031] mount_fs+0xae/0x328 [ 28.533392] vfs_kern_mount.part.34+0xdc/0x4e0 [ 28.537957] ? may_umount+0xb0/0xb0 [ 28.541568] ? _raw_read_unlock+0x22/0x30 [ 28.545697] ? __get_fs_type+0x97/0xc0 [ 28.549579] do_mount+0x581/0x30e0 [ 28.553109] ? copy_mount_string+0x40/0x40 [ 28.557331] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.562082] ? retint_kernel+0x10/0x10 [ 28.565956] ? copy_mount_options+0x1e3/0x380 [ 28.570432] ? copy_mount_options+0x1f0/0x380 [ 28.574907] ? copy_mount_options+0x1fa/0x380 [ 28.579385] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.584902] ? copy_mount_options+0x285/0x380 [ 28.589394] ksys_mount+0x12d/0x140 [ 28.593006] __x64_sys_mount+0xbe/0x150 [ 28.596982] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.601980] do_syscall_64+0x1b9/0x820 [ 28.605851] ? syscall_return_slowpath+0x5e0/0x5e0 [ 28.610762] ? syscall_return_slowpath+0x31d/0x5e0 [ 28.615675] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 28.621204] ? retint_user+0x18/0x18 [ 28.624914] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.629746] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.634917] RIP: 0033:0x440309 [ 28.638090] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 28.657267] RSP: 002b:00007ffcbd84e258 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 28.664968] RAX: ffffffffffffffda RBX: 6761746568636163 RCX: 0000000000440309 [ 28.672222] RDX: 00000000200002c0 RSI: 0000000020000280 RDI: 0000000000000000 [ 28.679472] RBP: 00000000006ca018 R08: 0000000020000340 R09: 00000000004002c8 [ 28.686726] R10: 0000000000800000 R11: 0000000000000202 R12: 0000000000401b90 [ 28.693988] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000 [ 28.701249] [ 28.702863] Allocated by task 4538: [ 28.706474] save_stack+0x43/0xd0 [ 28.709908] kasan_kmalloc+0xc4/0xe0 [ 28.713620] __kmalloc+0x14e/0x760 [ 28.717145] fscache_alloc_cookie+0x701/0x880 [ 28.721620] __fscache_acquire_cookie+0x230/0xb00 [ 28.726447] v9fs_cache_session_get_cookie+0xc4/0x270 [ 28.731630] v9fs_session_init+0x1013/0x1a80 [ 28.736019] v9fs_mount+0x7c/0x900 [ 28.739541] mount_fs+0xae/0x328 [ 28.742889] vfs_kern_mount.part.34+0xdc/0x4e0 [ 28.747468] do_mount+0x581/0x30e0 [ 28.750990] ksys_mount+0x12d/0x140 [ 28.754598] __x64_sys_mount+0xbe/0x150 [ 28.758555] do_syscall_64+0x1b9/0x820 [ 28.762430] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 28.767596] [ 28.769200] Freed by task 1: [ 28.772204] save_stack+0x43/0xd0 [ 28.775640] __kasan_slab_free+0x11a/0x170 [ 28.779855] kasan_slab_free+0xe/0x10 [ 28.783638] kfree+0xd9/0x260 [ 28.786726] kobject_uevent_env+0x275/0x1110 [ 28.791127] kobject_uevent+0x1f/0x30 [ 28.794921] device_add+0x95d/0x16f0 [ 28.798612] device_create_groups_vargs+0x1ff/0x270 [ 28.803611] device_create+0xdb/0x110 [ 28.807395] sound_insert_unit.constprop.2+0x695/0x870 [ 28.812666] register_sound_special_device+0xf4/0x2e0 [ 28.817838] snd_register_oss_device+0x317/0x4e0 [ 28.822585] register_oss_dsp+0x4b/0x160 [ 28.826626] snd_pcm_oss_register_minor+0x225/0x9a0 [ 28.831621] snd_pcm_dev_register+0x746/0xc50 [ 28.836099] __snd_device_register.part.0+0x65/0xd0 [ 28.841099] snd_device_register_all+0x96/0x110 [ 28.845765] snd_card_register+0x10c/0x6f0 [ 28.849995] snd_dummy_probe+0xe73/0x1270 [ 28.854130] platform_drv_probe+0x96/0x160 [ 28.858349] driver_probe_device+0x6ad/0x970 [ 28.862738] __device_attach_driver+0x25a/0x2d0 [ 28.867401] bus_for_each_drv+0x16b/0x1f0 [ 28.871526] __device_attach+0x2a1/0x430 [ 28.875567] device_initial_probe+0x1a/0x20 [ 28.879870] bus_probe_device+0x1fb/0x2a0 [ 28.883998] device_add+0x965/0x16f0 [ 28.887694] platform_device_add+0x36e/0x6f0 [ 28.892086] platform_device_register_full+0x360/0x4f0 [ 28.897349] alsa_card_dummy_init+0x2a3/0x3d5 [ 28.901827] do_one_initcall+0x127/0x913 [ 28.905870] kernel_init_freeable+0x49b/0x58e [ 28.910348] kernel_init+0x11/0x1b3 [ 28.913957] ret_from_fork+0x3a/0x50 [ 28.917658] [ 28.919269] The buggy address belongs to the object at ffff8801cd537a00 [ 28.919269] which belongs to the cache kmalloc-64 of size 64 [ 28.931743] The buggy address is located 52 bytes inside of [ 28.931743] 64-byte region [ffff8801cd537a00, ffff8801cd537a40) [ 28.943420] The buggy address belongs to the page: [ 28.948348] page:ffffea0007354dc0 count:1 mapcount:0 mapping:ffff8801da800340 index:0x0 [ 28.956469] flags: 0x2fffc0000000100(slab) [ 28.960693] raw: 02fffc0000000100 ffffea0007363748 ffffea0007358748 ffff8801da800340 [ 28.968561] raw: 0000000000000000 ffff8801cd537000 0000000100000020 0000000000000000 [ 28.976417] page dumped because: kasan: bad access detected [ 28.982102] [ 28.983705] Memory state around the buggy address: [ 28.988612] ffff8801cd537900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.995956] ffff8801cd537980: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 29.003295] >ffff8801cd537a00: 00 00 00 00 00 00 07 fc fc fc fc fc fc fc fc fc [ 29.010642] ^ [ 29.015549] ffff8801cd537a80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 29.022897] ffff8801cd537b00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 29.030231] ================================================================== [ 29.037567] Disabling lock debugging due to kernel taint [ 29.043452] Kernel panic - not syncing: panic_on_warn set ... [ 29.043452] [ 29.050826] CPU: 1 PID: 4538 Comm: syz-executor392 Tainted: G B 4.18.0-rc3+ #137 [ 29.059668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.069003] Call Trace: [ 29.071583] dump_stack+0x1c9/0x2b4 [ 29.075202] ? dump_stack_print_info.cold.2+0x52/0x52 [ 29.080374] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.085113] panic+0x238/0x4e7 [ 29.088286] ? add_taint.cold.5+0x16/0x16 [ 29.092414] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.096803] ? fscache_alloc_cookie+0x7a9/0x880 [ 29.101451] kasan_end_report+0x47/0x4f [ 29.105407] kasan_report.cold.7+0x76/0x2fe [ 29.109707] __asan_report_load4_noabort+0x14/0x20 [ 29.114629] fscache_alloc_cookie+0x7a9/0x880 [ 29.119104] ? fscache_cookie_init_once+0x80/0x80 [ 29.123927] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.128665] ? retint_kernel+0x10/0x10 [ 29.132534] __fscache_acquire_cookie+0x230/0xb00 [ 29.137354] ? fscache_cookie_put+0x850/0x850 [ 29.141831] ? p9_client_attach+0x215/0x860 [ 29.146142] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 29.151227] ? debug_check_no_obj_freed+0x30b/0x595 [ 29.156222] ? p9_client_walk+0xab0/0xab0 [ 29.160349] ? trace_hardirqs_off+0xd/0x10 [ 29.164560] ? quarantine_put+0x10d/0x1b0 [ 29.168697] ? kfree+0x111/0x260 [ 29.172047] v9fs_cache_session_get_cookie+0xc4/0x270 [ 29.177214] v9fs_session_init+0x1013/0x1a80 [ 29.181618] ? v9fs_show_options+0x7e0/0x7e0 [ 29.186013] ? kasan_check_read+0x11/0x20 [ 29.190147] ? do_raw_spin_unlock+0xa7/0x2f0 [ 29.194536] ? rcu_is_watching+0x8c/0x150 [ 29.198674] ? rcu_pm_notify+0xc0/0xc0 [ 29.202541] ? v9fs_mount+0x61/0x900 [ 29.206236] ? rcu_read_lock_sched_held+0x108/0x120 [ 29.211232] v9fs_mount+0x7c/0x900 [ 29.214757] mount_fs+0xae/0x328 [ 29.218104] vfs_kern_mount.part.34+0xdc/0x4e0 [ 29.222678] ? may_umount+0xb0/0xb0 [ 29.226287] ? _raw_read_unlock+0x22/0x30 [ 29.230418] ? __get_fs_type+0x97/0xc0 [ 29.234286] do_mount+0x581/0x30e0 [ 29.237810] ? copy_mount_string+0x40/0x40 [ 29.242035] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.246777] ? retint_kernel+0x10/0x10 [ 29.250644] ? copy_mount_options+0x1e3/0x380 [ 29.255120] ? copy_mount_options+0x1f0/0x380 [ 29.259596] ? copy_mount_options+0x1fa/0x380 [ 29.264072] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.269599] ? copy_mount_options+0x285/0x380 [ 29.274077] ksys_mount+0x12d/0x140 [ 29.277685] __x64_sys_mount+0xbe/0x150 [ 29.281639] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.286650] do_syscall_64+0x1b9/0x820 [ 29.290517] ? syscall_return_slowpath+0x5e0/0x5e0 [ 29.295426] ? syscall_return_slowpath+0x31d/0x5e0 [ 29.300335] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 29.305865] ? retint_user+0x18/0x18 [ 29.309558] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.314381] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 29.319551] RIP: 0033:0x440309 [ 29.322719] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 29.341841] RSP: 002b:00007ffcbd84e258 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 29.349533] RAX: ffffffffffffffda RBX: 6761746568636163 RCX: 0000000000440309 [ 29.356784] RDX: 00000000200002c0 RSI: 0000000020000280 RDI: 0000000000000000 [ 29.364037] RBP: 00000000006ca018 R08: 0000000020000340 R09: 00000000004002c8 [ 29.371308] R10: 0000000000800000 R11: 0000000000000202 R12: 0000000000401b90 [ 29.378566] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000 [ 29.386333] Dumping ftrace buffer: [ 29.389853] (ftrace buffer empty) [ 29.393542] Kernel Offset: disabled [ 29.397145] Rebooting in 86400 seconds..