[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.497704] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.805641] random: sshd: uninitialized urandom read (32 bytes read)
[   23.116604] random: sshd: uninitialized urandom read (32 bytes read)
[   23.989557] random: sshd: uninitialized urandom read (32 bytes read)
[   24.153593] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   29.620182] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   29.713466] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   29.739513] ==================================================================
[   29.746990] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   29.753131] Read of size 41608 at addr ffff8801b31c04ad by task syz-executor005/4577
[   29.760989] 
[   29.762608] CPU: 0 PID: 4577 Comm: syz-executor005 Not tainted 4.18.0-rc4+ #138
[   29.770047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.779391] Call Trace:
[   29.781977]  dump_stack+0x1c9/0x2b4
[   29.785602]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.790798]  ? printk+0xa7/0xcf
[   29.794072]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.798825]  ? pdu_read+0x90/0xd0
[   29.802274]  print_address_description+0x6c/0x20b
[   29.807099]  ? pdu_read+0x90/0xd0
[   29.810541]  kasan_report.cold.7+0x242/0x2fe
[   29.814934]  check_memory_region+0x13e/0x1b0
[   29.819339]  memcpy+0x23/0x50
[   29.822434]  pdu_read+0x90/0xd0
[   29.825700]  p9pdu_readf+0x579/0x2170
[   29.829490]  ? p9pdu_writef+0xe0/0xe0
[   29.833274]  ? __fget+0x414/0x670
[   29.836717]  ? rcu_is_watching+0x61/0x150
[   29.840850]  ? expand_files.part.8+0x9c0/0x9c0
[   29.845431]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.850439]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.854924]  p9_client_create+0xde0/0x16c9
[   29.859158]  ? p9_client_read+0xc60/0xc60
[   29.863294]  ? find_held_lock+0x36/0x1c0
[   29.867352]  ? __lockdep_init_map+0x105/0x590
[   29.871840]  ? kasan_check_write+0x14/0x20
[   29.876058]  ? __init_rwsem+0x1cc/0x2a0
[   29.880038]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.885049]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.890055]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.894884]  ? save_stack+0xa9/0xd0
[   29.898509]  ? save_stack+0x43/0xd0
[   29.902128]  ? kasan_kmalloc+0xc4/0xe0
[   29.906000]  ? kmem_cache_alloc_trace+0x152/0x780
[   29.910837]  ? memcpy+0x45/0x50
[   29.914113]  v9fs_session_init+0x21a/0x1a80
[   29.918422]  ? find_held_lock+0x36/0x1c0
[   29.922474]  ? v9fs_show_options+0x7e0/0x7e0
[   29.926879]  ? kasan_check_read+0x11/0x20
[   29.931015]  ? rcu_is_watching+0x8c/0x150
[   29.935157]  ? rcu_pm_notify+0xc0/0xc0
[   29.939045]  ? v9fs_mount+0x61/0x900
[   29.942752]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.947764]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.952605]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.958138]  v9fs_mount+0x7c/0x900
[   29.961677]  mount_fs+0xae/0x328
[   29.965039]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.969608]  ? may_umount+0xb0/0xb0
[   29.973220]  ? _raw_read_unlock+0x22/0x30
[   29.977351]  ? __get_fs_type+0x97/0xc0
[   29.981224]  do_mount+0x581/0x30e0
[   29.984751]  ? copy_mount_string+0x40/0x40
[   29.988983]  ? copy_mount_options+0x5f/0x380
[   29.993382]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.998396]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.003231]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.008767]  ? _copy_from_user+0xdf/0x150
[   30.012929]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.018454]  ? copy_mount_options+0x285/0x380
[   30.022938]  ksys_mount+0x12d/0x140
[   30.026564]  __x64_sys_mount+0xbe/0x150
[   30.030529]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.035547]  do_syscall_64+0x1b9/0x820
[   30.039433]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.044354]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.049299]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.054830]  ? retint_user+0x18/0x18
[   30.058551]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.063401]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.068675] RIP: 0033:0x440959
[   30.071845] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   30.091047] RSP: 002b:00007ffde89125a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.098762] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.106033] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.113288] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.120547] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000740f
[   30.127810] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.135072] 
[   30.136690] Allocated by task 4577:
[   30.140307]  save_stack+0x43/0xd0
[   30.143746]  kasan_kmalloc+0xc4/0xe0
[   30.147457]  __kmalloc+0x14e/0x760
[   30.150998]  p9_fcall_alloc+0x1e/0x90
[   30.154801]  p9_client_prepare_req.part.8+0x754/0xcd0
[   30.159974]  p9_client_rpc+0x1bd/0x1400
[   30.163932]  p9_client_create+0xd09/0x16c9
[   30.168149]  v9fs_session_init+0x21a/0x1a80
[   30.172461]  v9fs_mount+0x7c/0x900
[   30.175992]  mount_fs+0xae/0x328
[   30.179351]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.183921]  do_mount+0x581/0x30e0
[   30.187449]  ksys_mount+0x12d/0x140
[   30.191069]  __x64_sys_mount+0xbe/0x150
[   30.195036]  do_syscall_64+0x1b9/0x820
[   30.198916]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.204089] 
[   30.205708] Freed by task 0:
[   30.208728] (stack is not available)
[   30.212429] 
[   30.214046] The buggy address belongs to the object at ffff8801b31c0480
[   30.214046]  which belongs to the cache kmalloc-16384 of size 16384
[   30.227046] The buggy address is located 45 bytes inside of
[   30.227046]  16384-byte region [ffff8801b31c0480, ffff8801b31c4480)
[   30.239006] The buggy address belongs to the page:
[   30.243936] page:ffffea0006cc7000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   30.253895] flags: 0x2fffc0000008100(slab|head)
[   30.258551] raw: 02fffc0000008100 ffffea0006cb2c08 ffff8801da801c48 ffff8801da802200
[   30.266434] raw: 0000000000000000 ffff8801b31c0480 0000000100000001 0000000000000000
[   30.274308] page dumped because: kasan: bad access detected
[   30.279999] 
[   30.281616] Memory state around the buggy address:
[   30.286537]  ffff8801b31c2380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.293897]  ffff8801b31c2400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.301242] >ffff8801b31c2480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   30.308588]                                ^
[   30.312993]  ffff8801b31c2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.320354]  ffff8801b31c2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.327701] ==================================================================
[   30.335046] Disabling lock debugging due to kernel taint
[   30.340579] Kernel panic - not syncing: panic_on_warn set ...
[   30.340579] 
[   30.347954] CPU: 0 PID: 4577 Comm: syz-executor005 Tainted: G B 4.18.0-rc4+ #138
[   30.356875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.366221] Call Trace:
[   30.368800]  dump_stack+0x1c9/0x2b4
[   30.372423]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.377612]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.382362]  panic+0x238/0x4e7
[   30.385634]  ? add_taint.cold.5+0x16/0x16
[   30.389765]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.394172]  ? pdu_read+0x90/0xd0
[   30.397611]  kasan_end_report+0x47/0x4f
[   30.401576]  kasan_report.cold.7+0x76/0x2fe
[   30.405882]  check_memory_region+0x13e/0x1b0
[   30.410272]  memcpy+0x23/0x50
[   30.413372]  pdu_read+0x90/0xd0
[   30.416645]  p9pdu_readf+0x579/0x2170
[   30.420439]  ? p9pdu_writef+0xe0/0xe0
[   30.424227]  ? __fget+0x414/0x670
[   30.427671]  ? rcu_is_watching+0x61/0x150
[   30.431802]  ? expand_files.part.8+0x9c0/0x9c0
[   30.436374]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.441390]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.445881]  p9_client_create+0xde0/0x16c9
[   30.450113]  ? p9_client_read+0xc60/0xc60
[   30.454247]  ? find_held_lock+0x36/0x1c0
[   30.458295]  ? __lockdep_init_map+0x105/0x590
[   30.462795]  ? kasan_check_write+0x14/0x20
[   30.467019]  ? __init_rwsem+0x1cc/0x2a0
[   30.470978]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.475976]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.480972]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.485795]  ? save_stack+0xa9/0xd0
[   30.489413]  ? save_stack+0x43/0xd0
[   30.493035]  ? kasan_kmalloc+0xc4/0xe0
[   30.496916]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.501742]  ? memcpy+0x45/0x50
[   30.505009]  v9fs_session_init+0x21a/0x1a80
[   30.509335]  ? find_held_lock+0x36/0x1c0
[   30.513394]  ? v9fs_show_options+0x7e0/0x7e0
[   30.517788]  ? kasan_check_read+0x11/0x20
[   30.521918]  ? rcu_is_watching+0x8c/0x150
[   30.526054]  ? rcu_pm_notify+0xc0/0xc0
[   30.529935]  ? v9fs_mount+0x61/0x900
[   30.533634]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.538638]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.543476]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.549000]  v9fs_mount+0x7c/0x900
[   30.552535]  mount_fs+0xae/0x328
[   30.555897]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.560465]  ? may_umount+0xb0/0xb0
[   30.564084]  ? _raw_read_unlock+0x22/0x30
[   30.568232]  ? __get_fs_type+0x97/0xc0
[   30.572116]  do_mount+0x581/0x30e0
[   30.575656]  ? copy_mount_string+0x40/0x40
[   30.579873]  ? copy_mount_options+0x5f/0x380
[   30.584281]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.589287]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.594136]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.599654]  ? _copy_from_user+0xdf/0x150
[   30.603795]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.609316]  ? copy_mount_options+0x285/0x380
[   30.613795]  ksys_mount+0x12d/0x140
[   30.617407]  __x64_sys_mount+0xbe/0x150
[   30.621368]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.626368]  do_syscall_64+0x1b9/0x820
[   30.630254]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.635191]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.640122]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.645675]  ? retint_user+0x18/0x18
[   30.649414]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.654268]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.659445] RIP: 0033:0x440959
[   30.662625] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   30.681779] RSP: 002b:00007ffde89125a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.689481] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.696735] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.703988] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.711260] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000740f
[   30.718530] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.726385] Dumping ftrace buffer:
[   30.729916]    (ftrace buffer empty)
[   30.733614] Kernel Offset: disabled
[   30.737218] Rebooting in 86400 seconds..