[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.641772] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.926046] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.198908] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.101606] random: sshd: uninitialized urandom read (32 bytes read)
[ 66.566175] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
[ 71.954295] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 03:22:44 parsed 1 programs
[ 73.521608] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 03:22:46 executed programs: 0
[ 74.521163] IPVS: ftp: loaded support on port[0] = 21
[ 74.735395] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.741941] bridge0: port 1(bridge_slave_0) entered disabled state
[ 74.749408] device bridge_slave_0 entered promiscuous mode
[ 74.766564] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.773054] bridge0: port 2(bridge_slave_1) entered disabled state
[ 74.780121] device bridge_slave_1 entered promiscuous mode
[ 74.796879] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 74.813231] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 74.858056] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 74.876845] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 74.944687] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 74.953121] team0: Port device team_slave_0 added
[ 74.969175] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 74.976423] team0: Port device team_slave_1 added
[ 74.992238] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 75.009935] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 75.027320] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 75.045517] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 75.174663] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.181186] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.188189] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.194571] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.645976] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 75.652107] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.680734] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 75.700766] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 75.740592] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 75.746791] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 75.754922] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.793304] 8021q: adding VLAN 0 to HW filter on device team0
[ 76.550346] ==================================================================
[ 76.557954] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 76.564103] Read of size 65409 at addr ffff8801ce27b22d by task syz-executor0/4904
[ 76.571786]
[ 76.573413] CPU: 1 PID: 4904 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[ 76.580584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.589920] Call Trace:
[ 76.592505]  dump_stack+0x1c9/0x2b4
[ 76.596120]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 76.601313]  ? printk+0xa7/0xcf
[ 76.604590]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 76.609350]  ? pdu_read+0x90/0xd0
[ 76.612788]  print_address_description+0x6c/0x20b
[ 76.617623]  ? pdu_read+0x90/0xd0
[ 76.621069]  kasan_report.cold.7+0x242/0x2fe
[ 76.625476]  check_memory_region+0x13e/0x1b0
[ 76.629882]  memcpy+0x23/0x50
[ 76.632972]  pdu_read+0x90/0xd0
[ 76.636320]  p9pdu_readf+0x579/0x2170
[ 76.640114]  ? p9pdu_writef+0xe0/0xe0
[ 76.643906]  ? __fget+0x414/0x670
[ 76.647343]  ? rcu_is_watching+0x61/0x150
[ 76.651473]  ? expand_files.part.8+0x9c0/0x9c0
[ 76.656050]  ? rcu_read_lock_sched_held+0x108/0x120
[ 76.661090]  ? p9_fd_show_options+0x1c0/0x1c0
[ 76.665587]  p9_client_create+0xde0/0x16c9
[ 76.669809]  ? p9_client_read+0xc60/0xc60
[ 76.673942]  ? find_held_lock+0x36/0x1c0
[ 76.677993]  ? __lockdep_init_map+0x105/0x590
[ 76.682481]  ? kasan_check_write+0x14/0x20
[ 76.686708]  ? __init_rwsem+0x1cc/0x2a0
[ 76.690689]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 76.695699]  ? rcu_read_lock_sched_held+0x108/0x120
[ 76.700697]  ? __kmalloc_track_caller+0x5f5/0x760
[ 76.705536]  ? save_stack+0xa9/0xd0
[ 76.709158]  ? save_stack+0x43/0xd0
[ 76.712776]  ? kasan_kmalloc+0xc4/0xe0
[ 76.716655]  ? memcpy+0x45/0x50
[ 76.719923]  v9fs_session_init+0x21a/0x1a80
[ 76.724235]  ? find_held_lock+0x36/0x1c0
[ 76.728287]  ? v9fs_show_options+0x7e0/0x7e0
[ 76.732685]  ? kasan_check_read+0x11/0x20
[ 76.736815]  ? rcu_is_watching+0x8c/0x150
[ 76.740941]  ? rcu_pm_notify+0xc0/0xc0
[ 76.744810]  ? rcu_pm_notify+0xc0/0xc0
[ 76.748693]  ? v9fs_mount+0x61/0x900
[ 76.752388]  ? rcu_read_lock_sched_held+0x108/0x120
[ 76.757397]  ? kmem_cache_alloc_trace+0x616/0x780
[ 76.762236]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 76.767767]  v9fs_mount+0x7c/0x900
[ 76.771305]  mount_fs+0xae/0x328
[ 76.774663]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 76.779234]  ? may_umount+0xb0/0xb0
[ 76.782871]  ? _raw_read_unlock+0x22/0x30
[ 76.787025]  ? __get_fs_type+0x97/0xc0
[ 76.790904]  do_mount+0x581/0x30e0
[ 76.794439]  ? copy_mount_string+0x40/0x40
[ 76.798665]  ? retint_kernel+0x10/0x10
[ 76.802542]  ? copy_mount_options+0x213/0x380
[ 76.807027]  ? copy_mount_options+0x1a1/0x380
[ 76.811510]  ? __sanitizer_cov_trace_pc+0x20/0x50
[ 76.816341]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.821866]  ? copy_mount_options+0x285/0x380
[ 76.826364]  __ia32_compat_sys_mount+0x5d5/0x860
[ 76.831125]  do_fast_syscall_32+0x34d/0xfb2
[ 76.835438]  ? do_int80_syscall_32+0x890/0x890
[ 76.840008]  ? syscall_slow_exit_work+0x500/0x500
[ 76.844854]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.850377]  ? syscall_return_slowpath+0x31d/0x5e0
[ 76.855295]  ? sysret32_from_system_call+0x5/0x46
[ 76.860126]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 76.864958]  entry_SYSENTER_compat+0x70/0x7f
[ 76.869366] RIP: 0023:0xf7fa3cb9
[ 76.872712] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 76.891942] RSP: 002b:00000000ffdcfb0c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[ 76.899640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000080
[ 76.906893] RDX: 00000000200000c0 RSI: 0000000000000000 RDI: 0000000020000380
[ 76.914162] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 76.921419] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 76.928684] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 76.935958]
[ 76.937572] Allocated by task 4904:
[ 76.941190]  save_stack+0x43/0xd0
[ 76.944640]  kasan_kmalloc+0xc4/0xe0
[ 76.948349]  __kmalloc+0x14e/0x760
[ 76.951885]  p9_fcall_alloc+0x1e/0x90
[ 76.955672]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 76.960845]  p9_client_rpc+0x1bd/0x1400
[ 76.964804]  p9_client_create+0xd09/0x16c9
[ 76.969029]  v9fs_session_init+0x21a/0x1a80
[ 76.973336]  v9fs_mount+0x7c/0x900
[ 76.976863]  mount_fs+0xae/0x328
[ 76.980213]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 76.984790]  do_mount+0x581/0x30e0
[ 76.988319]  __ia32_compat_sys_mount+0x5d5/0x860
[ 76.993060]  do_fast_syscall_32+0x34d/0xfb2
[ 76.997378]  entry_SYSENTER_compat+0x70/0x7f
[ 77.001778]
[ 77.003389] Freed by task 0:
[ 77.006385] (stack is not available)
[ 77.010089]
[ 77.011717] The buggy address belongs to the object at ffff8801ce27b200
[ 77.011717]  which belongs to the cache kmalloc-16384 of size 16384
[ 77.024704] The buggy address is located 45 bytes inside of
[ 77.024704]  16384-byte region [ffff8801ce27b200, ffff8801ce27f200)
[ 77.036660] The buggy address belongs to the page:
[ 77.041573] page:ffffea0007389e00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 77.051538] flags: 0x2fffc0000008100(slab|head)
[ 77.056195] raw: 02fffc0000008100 ffffea0007370808 ffff8801da801c48 ffff8801da802200
[ 77.064066] raw: 0000000000000000 ffff8801ce27b200 0000000100000001 0000000000000000
[ 77.071938] page dumped because: kasan: bad access detected
[ 77.077639]
[ 77.079248] Memory state around the buggy address:
[ 77.084173]  ffff8801ce27d100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 77.091517]  ffff8801ce27d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 77.098862] >ffff8801ce27d200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.106210]                                ^
[ 77.110602]  ffff8801ce27d280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.117956]  ffff8801ce27d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.125305] ==================================================================
[ 77.132646] Disabling lock debugging due to kernel taint
[ 77.138493] Kernel panic - not syncing: panic_on_warn set ...
[ 77.138493]
[ 77.145875] CPU: 1 PID: 4904 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[ 77.154442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.163794] Call Trace:
[ 77.166372]  dump_stack+0x1c9/0x2b4
[ 77.169983]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 77.175171]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 77.179922]  panic+0x238/0x4e7
[ 77.183099]  ? add_taint.cold.5+0x16/0x16
[ 77.187231]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 77.191635]  ? pdu_read+0x90/0xd0
[ 77.195072]  kasan_end_report+0x47/0x4f
[ 77.199037]  kasan_report.cold.7+0x76/0x2fe
[ 77.203350]  check_memory_region+0x13e/0x1b0
[ 77.207758]  memcpy+0x23/0x50
[ 77.210859]  pdu_read+0x90/0xd0
[ 77.214120]  p9pdu_readf+0x579/0x2170
[ 77.217904]  ? p9pdu_writef+0xe0/0xe0
[ 77.221700]  ? __fget+0x414/0x670
[ 77.225134]  ? rcu_is_watching+0x61/0x150
[ 77.229274]  ? expand_files.part.8+0x9c0/0x9c0
[ 77.233849]  ? rcu_read_lock_sched_held+0x108/0x120
[ 77.238852]  ? p9_fd_show_options+0x1c0/0x1c0
[ 77.243349]  p9_client_create+0xde0/0x16c9
[ 77.247572]  ? p9_client_read+0xc60/0xc60
[ 77.251704]  ? find_held_lock+0x36/0x1c0
[ 77.255753]  ? __lockdep_init_map+0x105/0x590
[ 77.260235]  ? kasan_check_write+0x14/0x20
[ 77.264451]  ? __init_rwsem+0x1cc/0x2a0
[ 77.268414]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 77.273423]  ? rcu_read_lock_sched_held+0x108/0x120
[ 77.278423]  ? __kmalloc_track_caller+0x5f5/0x760
[ 77.283253]  ? save_stack+0xa9/0xd0
[ 77.286884]  ? save_stack+0x43/0xd0
[ 77.290491]  ? kasan_kmalloc+0xc4/0xe0
[ 77.294374]  ? memcpy+0x45/0x50
[ 77.297660]  v9fs_session_init+0x21a/0x1a80
[ 77.301977]  ? find_held_lock+0x36/0x1c0
[ 77.306045]  ? v9fs_show_options+0x7e0/0x7e0
[ 77.310453]  ? kasan_check_read+0x11/0x20
[ 77.314583]  ? rcu_is_watching+0x8c/0x150
[ 77.318711]  ? rcu_pm_notify+0xc0/0xc0
[ 77.322587]  ? rcu_pm_notify+0xc0/0xc0
[ 77.326461]  ? v9fs_mount+0x61/0x900
[ 77.330159]  ? rcu_read_lock_sched_held+0x108/0x120
[ 77.335158]  ? kmem_cache_alloc_trace+0x616/0x780
[ 77.339983]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 77.345513]  v9fs_mount+0x7c/0x900
[ 77.349045]  mount_fs+0xae/0x328
[ 77.352416]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 77.356989]  ? may_umount+0xb0/0xb0
[ 77.360614]  ? _raw_read_unlock+0x22/0x30
[ 77.364742]  ? __get_fs_type+0x97/0xc0
[ 77.368611]  do_mount+0x581/0x30e0
[ 77.372136]  ? copy_mount_string+0x40/0x40
[ 77.376355]  ? retint_kernel+0x10/0x10
[ 77.380227]  ? copy_mount_options+0x213/0x380
[ 77.384701]  ? copy_mount_options+0x1a1/0x380
[ 77.389193]  ? __sanitizer_cov_trace_pc+0x20/0x50
[ 77.394028]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 77.399552]  ? copy_mount_options+0x285/0x380
[ 77.404039]  __ia32_compat_sys_mount+0x5d5/0x860
[ 77.408782]  do_fast_syscall_32+0x34d/0xfb2
[ 77.413090]  ? do_int80_syscall_32+0x890/0x890
[ 77.417674]  ? syscall_slow_exit_work+0x500/0x500
[ 77.422501]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 77.428036]  ? syscall_return_slowpath+0x31d/0x5e0
[ 77.432952]  ? sysret32_from_system_call+0x5/0x46
[ 77.437777]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 77.442625]  entry_SYSENTER_compat+0x70/0x7f
[ 77.447037] RIP: 0023:0xf7fa3cb9
[ 77.450398] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 77.469524] RSP: 002b:00000000ffdcfb0c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[ 77.477225] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000080
[ 77.484499] RDX: 00000000200000c0 RSI: 0000000000000000 RDI: 0000000020000380
[ 77.491767] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 77.499027] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 77.506292] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 77.514110] Dumping ftrace buffer:
[ 77.517635]    (ftrace buffer empty)
[ 77.521335] Kernel Offset: disabled
[ 77.524950] Rebooting in 86400 seconds..
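What the report above says, read as a parser bug: during mount, the 9p client (p9_client_create -> p9pdu_readf -> pdu_read) memcpy'd 65409 bytes starting 45 bytes into a 16384-byte slab object, and the shadow dump marks everything from ffff8801ce27d220 onward as kmalloc redzone, so the usable part of that object is far smaller than the copy. A 65409-byte read that starts near the front of a receive buffer and runs past its end is what happens when a peer-supplied length (the message size in the PDU header, and a string length inside it) is trusted without being bounded by the buffer that holds the message. The following is an added illustration, not kernel code and not the v9fs/9p implementation: every name in it (struct pdu, pdu_set_size_unchecked, pdu_set_size_checked, parse_rversion, parse_wire, PDU_CAPACITY) is hypothetical, and the two wire messages are constructed for the example. It models a 9P-style "size[4] type[1] tag[2] ..." reader, shows the unchecked header handling beside a checked one, and keeps a second guard inside the read routine so a bogus declared size can never drive memcpy outside the allocation.

```c
/* Added illustration (not Linux kernel code): a 9P-style length-prefixed
 * PDU reader in the shape of the crash above.  All names are hypothetical.
 * A received message is copied into a fixed buffer of PDU_CAPACITY bytes;
 * its first four bytes declare the message length.  The unchecked path
 * trusts that length, so a later field read of 65409 bytes (the size in
 * the KASAN report) would walk off the allocation; the checked path bounds
 * the declared length by the buffer capacity before anything is parsed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PDU_CAPACITY 8192          /* assumed buffer size (msize-like) */
#define P9_RVERSION  101           /* 9P message type of an Rversion reply */

enum { PDU_OK = 0, PDU_EBADSIZE = -1, PDU_EOVERRUN = -2, PDU_ESHORT = -3,
       PDU_EBADTYPE = -4, PDU_ENOMEM = -5 };

struct pdu {
    size_t capacity;               /* bytes really allocated at sdata */
    size_t size;                   /* message length declared on the wire */
    size_t offset;                 /* read cursor */
    uint8_t *sdata;
};

struct rversion { uint32_t msize; char *version; };   /* version is malloc'd */

static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Vulnerable pattern: the declared length is taken at face value. */
int pdu_set_size_unchecked(struct pdu *pdu)
{ pdu->size = le32(pdu->sdata); return PDU_OK; }

/* Hardened pattern: a length shorter than the 7-byte header or longer
 * than the buffer can never describe a valid message; drop it. */
int pdu_set_size_checked(struct pdu *pdu)
{
    uint32_t n = le32(pdu->sdata);
    if (n < 7 || n > pdu->capacity)
        return PDU_EBADSIZE;
    pdu->size = n;
    return PDU_OK;
}

/* Copy `size` bytes of the current message into `data`.  Clamping to
 * pdu->size is what a min()-style reader does; the capacity test is the
 * second line of defence this example adds so that a bogus pdu->size
 * cannot drive memcpy past the allocation. */
int pdu_read(struct pdu *pdu, void *data, size_t size)
{
    if (size > pdu->size - pdu->offset)
        return PDU_ESHORT;                  /* field longer than message */
    if (size > pdu->capacity - pdu->offset)
        return PDU_EOVERRUN;                /* message longer than buffer */
    memcpy(data, pdu->sdata + pdu->offset, size);
    pdu->offset += size;
    return PDU_OK;
}

/* Parse "size[4] Rversion tag[2] msize[4] version[s]"; `validate`
 * selects the checked or unchecked handling of the size field. */
int parse_rversion(struct pdu *pdu, int validate, struct rversion *out)
{
    uint8_t hdr[7], buf[4];
    int rc = validate ? pdu_set_size_checked(pdu) : pdu_set_size_unchecked(pdu);
    if (rc) return rc;
    pdu->offset = 0;
    if ((rc = pdu_read(pdu, hdr, sizeof hdr))) return rc;
    if (hdr[4] != P9_RVERSION) return PDU_EBADTYPE;
    if ((rc = pdu_read(pdu, buf, 4))) return rc;
    out->msize = le32(buf);
    if ((rc = pdu_read(pdu, buf, 2))) return rc;
    size_t slen = le16(buf);
    /* Destination is sized to the claimed length, as a kmalloc(len + 1)
     * would be, so only the source-side checks in pdu_read stand between
     * a hostile length and an out-of-bounds read of the receive buffer. */
    char *s = malloc(slen + 1);
    if (!s) return PDU_ENOMEM;
    if ((rc = pdu_read(pdu, s, slen))) { free(s); return rc; }
    s[slen] = '\0';
    out->version = s;
    return PDU_OK;
}

/* Copy received wire bytes into a fresh PDU_CAPACITY buffer, as a
 * transport would, parse them, and release the buffer. */
int parse_wire(const uint8_t *wire, size_t n, int validate, struct rversion *out)
{
    struct pdu pdu = { PDU_CAPACITY, 0, 0, calloc(PDU_CAPACITY, 1) };
    if (!pdu.sdata) return PDU_ENOMEM;
    memcpy(pdu.sdata, wire, n > PDU_CAPACITY ? PDU_CAPACITY : n);
    int rc = parse_rversion(&pdu, validate, out);
    free(pdu.sdata);
    return rc;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_rversion[] = {
    0x15,0x00,0x00,0x00,            /* size = 21 */
    P9_RVERSION, 0xff,0xff,         /* type, tag = NOTAG */
    0x00,0x20,0x00,0x00,            /* msize = 8192 */
    0x08,0x00, '9','P','2','0','0','0','.','L' };   /* version[s] */
static const uint8_t evil_rversion[] = {
    0xff,0xff,0x00,0x00,            /* size = 65535: larger than the buffer */
    P9_RVERSION, 0xff,0xff,
    0x00,0x20,0x00,0x00,
    0x81,0xff, 'X','X','X','X' };   /* version length = 65409, 4 bytes present */

int main(void)
{
    struct rversion rv = { 0, NULL };
    int rc = parse_wire(good_rversion, sizeof good_rversion, 1, &rv);
    printf("good, checked:   rc=%d msize=%u version=%s\n", rc, rv.msize,
           rc == PDU_OK ? rv.version : "(none)");
    if (rc == PDU_OK) free(rv.version);
    printf("evil, unchecked: rc=%d (PDU_EOVERRUN, caught inside pdu_read)\n",
           parse_wire(evil_rversion, sizeof evil_rversion, 0, &rv));
    printf("evil, checked:   rc=%d (PDU_EBADSIZE, rejected at the header)\n",
           parse_wire(evil_rversion, sizeof evil_rversion, 1, &rv));
    return 0;
}
```

With the hostile message, the string body starts at offset 13 of the buffer and claims 65409 bytes; the unchecked path accepts the 65535-byte header size, so the clamp against pdu->size passes and only the capacity guard in pdu_read stops the copy. The checked path never gets that far, because a declared size larger than the buffer is rejected before any field is parsed. Both checks belong in a real reader: the header check is the fix, the read-side check is what turns a missed case into an error return instead of a KASAN report.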