[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.095545] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.539917] random: sshd: uninitialized urandom read (32 bytes read)
[   21.834502] random: sshd: uninitialized urandom read (32 bytes read)
[   22.688182] random: sshd: uninitialized urandom read (32 bytes read)
[   25.127602] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[   30.645698] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/10 13:27:41 parsed 1 programs
[   32.720434] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/10 13:27:44 executed programs: 0
[   33.863195] IPVS: ftp: loaded support on port[0] = 21
[   34.097833] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.104362] bridge0: port 1(bridge_slave_0) entered disabled state
[   34.112193] device bridge_slave_0 entered promiscuous mode
[   34.129533] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.135965] bridge0: port 2(bridge_slave_1) entered disabled state
[   34.143304] device bridge_slave_1 entered promiscuous mode
[   34.161536] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.178626] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.224071] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   34.243469] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   34.315906] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   34.323655] team0: Port device team_slave_0 added
[   34.339480] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   34.346672] team0: Port device team_slave_1 added
[   34.363703] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   34.382758] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   34.401155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   34.420867] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   34.555340] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.561827] bridge0: port 2(bridge_slave_1) entered forwarding state
[   34.568934] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.575340] bridge0: port 1(bridge_slave_0) entered forwarding state
[   35.044688] 8021q: adding VLAN 0 to HW filter on device bond0
[   35.095436] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   35.142974] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   35.149286] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   35.156911] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   35.199443] 8021q: adding VLAN 0 to HW filter on device team0
[   38.109399] ==================================================================
[   38.118880] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   38.125035] Read of size 60160 at addr ffff8801b3a89cad by task syz-executor0/5107
[   38.132727]
[   38.134343] CPU: 0 PID: 5107 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #42
[   38.141513] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.150868] Call Trace:
[   38.153461]  dump_stack+0x1c9/0x2b4
[   38.157079]  ? dump_stack_print_info.cold.2+0x52/0x52
[   38.162265]  ? printk+0xa7/0xcf
[   38.165534]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   38.170284]  ? pdu_read+0x90/0xd0
[   38.173731]  print_address_description+0x6c/0x20b
[   38.178581]  ? pdu_read+0x90/0xd0
[   38.182035]  kasan_report.cold.7+0x242/0x2fe
[   38.186452]  check_memory_region+0x13e/0x1b0
[   38.190888]  memcpy+0x23/0x50
[   38.193995]  pdu_read+0x90/0xd0
[   38.197265]  p9pdu_readf+0x579/0x2170
[   38.201059]  ? p9pdu_writef+0xe0/0xe0
[   38.204848]  ? __fget+0x414/0x670
[   38.208304]  ? rcu_is_watching+0x61/0x150
[   38.212531]  ? expand_files.part.8+0x9c0/0x9c0
[   38.217106]  ? finish_wait+0x430/0x430
[   38.220992]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.226032]  ? p9_fd_show_options+0x1c0/0x1c0
[   38.230546]  p9_client_create+0xde0/0x16c9
[   38.234775]  ? p9_client_read+0xc60/0xc60
[   38.239000]  ? find_held_lock+0x36/0x1c0
[   38.243079]  ? __lockdep_init_map+0x105/0x590
[   38.247591]  ? kasan_check_write+0x14/0x20
[   38.251823]  ? __init_rwsem+0x1cc/0x2a0
[   38.255798]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   38.260803]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.265821]  ? __kmalloc_track_caller+0x5f5/0x760
[   38.270659]  ? save_stack+0xa9/0xd0
[   38.274283]  ? save_stack+0x43/0xd0
[   38.277896]  ? kasan_kmalloc+0xc4/0xe0
[   38.281771]  ? memcpy+0x45/0x50
[   38.285053]  v9fs_session_init+0x21a/0x1a80
[   38.289370]  ? find_held_lock+0x36/0x1c0
[   38.293456]  ? v9fs_show_options+0x7e0/0x7e0
[   38.297859]  ? kasan_check_read+0x11/0x20
[   38.302000]  ? rcu_is_watching+0x8c/0x150
[   38.306140]  ? rcu_pm_notify+0xc0/0xc0
[   38.310027]  ? rcu_pm_notify+0xc0/0xc0
[   38.313917]  ? v9fs_mount+0x61/0x900
[   38.317631]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.322649]  ? kmem_cache_alloc_trace+0x616/0x780
[   38.327489]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   38.333027]  v9fs_mount+0x7c/0x900
[   38.336570]  mount_fs+0xae/0x328
[   38.339931]  vfs_kern_mount.part.34+0xdc/0x4e0
[   38.344505]  ? may_umount+0xb0/0xb0
[   38.348140]  ? _raw_read_unlock+0x22/0x30
[   38.352295]  ? __get_fs_type+0x97/0xc0
[   38.356176]  do_mount+0x581/0x30e0
[   38.359711]  ? do_raw_spin_unlock+0xa7/0x2f0
[   38.364128]  ? copy_mount_string+0x40/0x40
[   38.368357]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.373365]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.378124]  ? retint_kernel+0x10/0x10
[   38.382017]  ? copy_mount_options+0x1e3/0x380
[   38.386617]  ? copy_mount_options+0x1f0/0x380
[   38.391111]  ? copy_mount_options+0x202/0x380
[   38.395606]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.401161]  ? copy_mount_options+0x285/0x380
[   38.405662]  __ia32_compat_sys_mount+0x5d5/0x860
[   38.410427]  do_fast_syscall_32+0x34d/0xfb2
[   38.414743]  ? do_int80_syscall_32+0x890/0x890
[   38.419326]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.424086]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.429625]  ? syscall_return_slowpath+0x31d/0x5e0
[   38.434557]  ? sysret32_from_system_call+0x5/0x46
[   38.439403]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.444240]  entry_SYSENTER_compat+0x70/0x7f
[   38.448640] RIP: 0023:0xf7f88cb9
[   38.451993] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   38.471191] RSP: 002b:000000000845e90c EFLAGS: 00000202 ORIG_RAX: 0000000000000015
[   38.478907] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[   38.486264] RDX: 0000000020000140 RSI: 0000000000000000 RDI: 00000000200002c0
[   38.493525] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   38.500881] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   38.508228] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   38.515497]
[   38.517113] Allocated by task 5107:
[   38.520748]  save_stack+0x43/0xd0
[   38.524197]  kasan_kmalloc+0xc4/0xe0
[   38.529040]  __kmalloc+0x14e/0x760
[   38.532579]  p9_fcall_alloc+0x1e/0x90
[   38.536367]  p9_client_prepare_req.part.8+0x754/0xcd0
[   38.541557]  p9_client_rpc+0x1bd/0x1400
[   38.545526]  p9_client_create+0xd09/0x16c9
[   38.549756]  v9fs_session_init+0x21a/0x1a80
[   38.554070]  v9fs_mount+0x7c/0x900
[   38.557596]  mount_fs+0xae/0x328
[   38.560946]  vfs_kern_mount.part.34+0xdc/0x4e0
[   38.565527]  do_mount+0x581/0x30e0
[   38.569063]  __ia32_compat_sys_mount+0x5d5/0x860
[   38.574728]  do_fast_syscall_32+0x34d/0xfb2
[   38.579050]  entry_SYSENTER_compat+0x70/0x7f
[   38.583469]
[   38.585079] Freed by task 0:
[   38.588087] (stack is not available)
[   38.591782]
[   38.593410] The buggy address belongs to the object at ffff8801b3a89c80
[   38.593410]  which belongs to the cache kmalloc-16384 of size 16384
[   38.606409] The buggy address is located 45 bytes inside of
[   38.606409]  16384-byte region [ffff8801b3a89c80, ffff8801b3a8dc80)
[   38.618360] The buggy address belongs to the page:
[   38.623286] page:ffffea0006cea200 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   38.633260] flags: 0x2fffc0000008100(slab|head)
[   38.637922] raw: 02fffc0000008100 ffffea0006cea408 ffff8801da801c48 ffff8801da802200
[   38.645796] raw: 0000000000000000 ffff8801b3a89c80 0000000100000001 0000000000000000
[   38.653732] page dumped because: kasan: bad access detected
[   38.659426]
[   38.661044] Memory state around the buggy address:
[   38.665964]  ffff8801b3a8bb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.673486]  ffff8801b3a8bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.680847] >ffff8801b3a8bc80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   38.688205]                                ^
[   38.692604]  ffff8801b3a8bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.699989]  ffff8801b3a8bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.707335] ==================================================================
[   38.714685] Disabling lock debugging due to kernel taint
[   38.720893] Kernel panic - not syncing: panic_on_warn set ...
[   38.720893]
[   38.728452] CPU: 0 PID: 5107 Comm: syz-executor0 Tainted: G    B             4.18.0-rc4+ #42
[   38.737032] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.746378] Call Trace:
[   38.748960]  dump_stack+0x1c9/0x2b4
[   38.752575]  ? dump_stack_print_info.cold.2+0x52/0x52
[   38.757753]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.762636]  panic+0x238/0x4e7
[   38.765829]  ? add_taint.cold.5+0x16/0x16
[   38.769968]  ? do_raw_spin_unlock+0xa7/0x2f0
[   38.774360]  ? pdu_read+0x90/0xd0
[   38.777811]  kasan_end_report+0x47/0x4f
[   38.781774]  kasan_report.cold.7+0x76/0x2fe
[   38.786086]  check_memory_region+0x13e/0x1b0
[   38.790479]  memcpy+0x23/0x50
[   38.793570]  pdu_read+0x90/0xd0
[   38.796832]  p9pdu_readf+0x579/0x2170
[   38.800622]  ? p9pdu_writef+0xe0/0xe0
[   38.804406]  ? __fget+0x414/0x670
[   38.807846]  ? rcu_is_watching+0x61/0x150
[   38.811979]  ? expand_files.part.8+0x9c0/0x9c0
[   38.816549]  ? finish_wait+0x430/0x430
[   38.820422]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.825434]  ? p9_fd_show_options+0x1c0/0x1c0
[   38.829913]  p9_client_create+0xde0/0x16c9
[   38.834135]  ? p9_client_read+0xc60/0xc60
[   38.838266]  ? find_held_lock+0x36/0x1c0
[   38.842316]  ? __lockdep_init_map+0x105/0x590
[   38.846806]  ? kasan_check_write+0x14/0x20
[   38.851039]  ? __init_rwsem+0x1cc/0x2a0
[   38.855012]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   38.860038]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.865052]  ? __kmalloc_track_caller+0x5f5/0x760
[   38.869880]  ? save_stack+0xa9/0xd0
[   38.873496]  ? save_stack+0x43/0xd0
[   38.877117]  ? kasan_kmalloc+0xc4/0xe0
[   38.880996]  ? memcpy+0x45/0x50
[   38.884270]  v9fs_session_init+0x21a/0x1a80
[   38.888602]  ? find_held_lock+0x36/0x1c0
[   38.892656]  ? v9fs_show_options+0x7e0/0x7e0
[   38.897059]  ? kasan_check_read+0x11/0x20
[   38.901224]  ? rcu_is_watching+0x8c/0x150
[   38.905363]  ? rcu_pm_notify+0xc0/0xc0
[   38.909235]  ? rcu_pm_notify+0xc0/0xc0
[   38.913116]  ? v9fs_mount+0x61/0x900
[   38.916823]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.921827]  ? kmem_cache_alloc_trace+0x616/0x780
[   38.926661]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   38.932193]  v9fs_mount+0x7c/0x900
[   38.935729]  mount_fs+0xae/0x328
[   38.939084]  vfs_kern_mount.part.34+0xdc/0x4e0
[   38.943653]  ? may_umount+0xb0/0xb0
[   38.947266]  ? _raw_read_unlock+0x22/0x30
[   38.951426]  ? __get_fs_type+0x97/0xc0
[   38.955561]  do_mount+0x581/0x30e0
[   38.959103]  ? do_raw_spin_unlock+0xa7/0x2f0
[   38.963499]  ? copy_mount_string+0x40/0x40
[   38.967722]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   38.972730]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.977480]  ? retint_kernel+0x10/0x10
[   38.981364]  ? copy_mount_options+0x1e3/0x380
[   38.986059]  ? copy_mount_options+0x1f0/0x380
[   38.990550]  ? copy_mount_options+0x202/0x380
[   38.995044]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.000576]  ? copy_mount_options+0x285/0x380
[   39.005065]  __ia32_compat_sys_mount+0x5d5/0x860
[   39.009823]  do_fast_syscall_32+0x34d/0xfb2
[   39.014157]  ? do_int80_syscall_32+0x890/0x890
[   39.018733]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   39.023497]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.029031]  ? syscall_return_slowpath+0x31d/0x5e0
[   39.033961]  ? sysret32_from_system_call+0x5/0x46
[   39.038800]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   39.043658]  entry_SYSENTER_compat+0x70/0x7f
[   39.048057] RIP: 0023:0xf7f88cb9
[   39.051429] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   39.070587] RSP: 002b:000000000845e90c EFLAGS: 00000202 ORIG_RAX: 0000000000000015
[   39.078285] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[   39.087120] RDX: 0000000020000140 RSI: 0000000000000000 RDI: 00000000200002c0
[   39.095316] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   39.103061] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   39.110362] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   39.118177] Dumping ftrace buffer:
[   39.121705]    (ftrace buffer empty)
[   39.125445] Kernel Offset: disabled
[   39.129075] Rebooting in 86400 seconds..
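What the trace above shows: during mount, p9_client_create sends Tversion and parses the Rversion reply with p9pdu_readf; pdu_read then memcpy's 60160 bytes starting 45 bytes into a 16384-byte fcall buffer allocated by p9_fcall_alloc. The length of that copy is derived from fields the 9p server put on the wire (the size[4] message header and the len[2] prefix of the version string), and the mount path treats that server as trusted even though, with the fd transport, the "server" is whatever file descriptor was handed to mount(2). The check a practitioner wants is that every server-supplied length is bounded by the bytes the client actually owns, not by another server-supplied number. The following added example (not net/9p code; the struct field names size/offset/capacity/sdata are borrowed from the kernel's struct p9_fcall for readability, and both replies are constructed here) parses an Rversion reply and contrasts the unchecked length computation, which reproduces the 60160-byte figure, with a checked read that rejects the reply:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: minimal 9p2000 reply parser. Not the kernel's code. */
struct pdu {
    const uint8_t *sdata;  /* bytes received from the transport */
    size_t capacity;       /* bytes actually present in the buffer (trusted) */
    uint32_t size;         /* total length claimed by the message header (untrusted) */
    size_t offset;         /* read cursor */
};

#define P9_HDRSZ    7      /* size[4] type[1] tag[2] */
#define P9_RVERSION 101

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: the copy length is clamped only by the header's
 * claimed size, so a lying peer drives memcpy past the real buffer.
 * This helper only computes the length; it performs no copy. */
static size_t pdu_read_len_unchecked(const struct pdu *p, size_t want)
{
    size_t avail = p->size - p->offset;   /* trusts p->size */
    return want < avail ? want : avail;
}

/* Hardened: never leave the buffer we own, whatever the header says. */
static int pdu_read_checked(struct pdu *p, void *out, size_t n)
{
    if (p->size > p->capacity)            /* header lies about total length */
        return -1;
    if (n > p->size - p->offset)          /* field does not fit in the message */
        return -1;
    memcpy(out, p->sdata + p->offset, n);
    p->offset += n;
    return 0;
}

struct rversion { uint32_t msize; char version[32]; };

/* Rversion: size[4] Rversion[1] tag[2] msize[4] version[s], s = len[2] data[len].
 * Returns 0 on success, -1 if the reply is malformed or oversized. */
static int parse_rversion(const uint8_t *buf, size_t buflen, struct rversion *out)
{
    struct pdu p = { buf, buflen, 0, 0 };
    uint8_t hdr[P9_HDRSZ], msz[4], lenb[2];
    uint16_t slen;

    if (buflen < P9_HDRSZ) return -1;
    p.size = le32(buf);
    if (p.size < P9_HDRSZ) return -1;
    if (pdu_read_checked(&p, hdr, sizeof hdr)) return -1;   /* rejects size > capacity */
    if (hdr[4] != P9_RVERSION) return -1;
    if (pdu_read_checked(&p, msz, sizeof msz)) return -1;
    out->msize = le32(msz);
    if (pdu_read_checked(&p, lenb, sizeof lenb)) return -1;
    slen = le16(lenb);
    if (slen >= sizeof out->version) return -1;             /* destination bound too */
    if (pdu_read_checked(&p, out->version, slen)) return -1;
    out->version[slen] = '\0';
    return 0;
}

/* Length the unchecked pattern would hand to memcpy for the version string. */
static size_t version_copy_len_unchecked(const uint8_t *buf, size_t buflen)
{
    if (buflen < P9_HDRSZ + 6) return 0;
    struct pdu p = { buf, buflen, le32(buf), P9_HDRSZ + 4 };
    size_t want = le16(buf + p.offset);
    p.offset += 2;
    return pdu_read_len_unchecked(&p, want);
}

/* Constructed well-formed reply: size 19, msize 8192, version "9P2000". */
static const uint8_t good_reply[] = {
    0x13,0x00,0x00,0x00, P9_RVERSION, 0xff,0xff,
    0x00,0x20,0x00,0x00, 0x06,0x00, '9','P','2','0','0','0'
};
/* Constructed hostile reply: only 13 bytes arrived, but the header claims
 * 60205 bytes and the version string claims 60160, mirroring the report. */
static const uint8_t evil_reply[] = {
    0x2d,0xeb,0x00,0x00, P9_RVERSION, 0xff,0xff,
    0x00,0x20,0x00,0x00, 0x00,0xeb
};

static uint32_t good_reply_msize(void)
{ struct rversion r; return parse_rversion(good_reply, sizeof good_reply, &r) ? 0 : r.msize; }
static int good_reply_version_ok(void)
{ struct rversion r; return !parse_rversion(good_reply, sizeof good_reply, &r) && !strcmp(r.version, "9P2000"); }
static int evil_reply_rejected(void)
{ struct rversion r; return parse_rversion(evil_reply, sizeof evil_reply, &r) == -1; }
static size_t evil_reply_unchecked_len(void)
{ return version_copy_len_unchecked(evil_reply, sizeof evil_reply); }

int main(void)
{
    printf("good: msize=%u version_ok=%d\n", good_reply_msize(), good_reply_version_ok());
    printf("evil: rejected=%d unchecked memcpy length would be %zu bytes\n",
           evil_reply_rejected(), evil_reply_unchecked_len());
    return 0;
}
```

The hostile reply is rejected at the first read because its header size exceeds capacity; the unchecked computation shows the same 60160-byte copy the KASAN report records. The same bound belongs wherever a 9p client (or any client of an untrusted server) turns a wire-supplied length into a memcpy, and it must be applied to the buffer's real capacity, which the transport knows, rather than to another field from the same message.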