[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.865732] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.532653] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.864167] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.729928] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.888772] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
[ 30.356821] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 30.455681] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 30.482351] ==================================================================
[ 30.489821] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 30.496238] Read of size 27306 at addr ffff8801b32384ad by task syz-executor009/4539
[ 30.504108]
[ 30.505751] CPU: 0 PID: 4539 Comm: syz-executor009 Not tainted 4.18.0-rc4+ #144
[ 30.513186] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.522531] Call Trace:
[ 30.525111]  dump_stack+0x1c9/0x2b4
[ 30.528737]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.533915]  ? printk+0xa7/0xcf
[ 30.537184]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.541928]  ? pdu_read+0x90/0xd0
[ 30.545365]  print_address_description+0x6c/0x20b
[ 30.550195]  ? pdu_read+0x90/0xd0
[ 30.553634]  kasan_report.cold.7+0x242/0x2fe
[ 30.558045]  check_memory_region+0x13e/0x1b0
[ 30.562462]  memcpy+0x23/0x50
[ 30.565568]  pdu_read+0x90/0xd0
[ 30.568838]  p9pdu_readf+0x579/0x2170
[ 30.572628]  ? p9pdu_writef+0xe0/0xe0
[ 30.576416]  ? __fget+0x414/0x670
[ 30.579855]  ? rcu_is_watching+0x61/0x150
[ 30.584009]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.588590]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.593603]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.598928]  p9_client_create+0xde0/0x16c9
[ 30.603160]  ? p9_client_read+0xc60/0xc60
[ 30.607294]  ? find_held_lock+0x36/0x1c0
[ 30.611349]  ? __lockdep_init_map+0x105/0x590
[ 30.615836]  ? kasan_check_write+0x14/0x20
[ 30.620078]  ? __init_rwsem+0x1cc/0x2a0
[ 30.624044]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.629053]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.634057]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.638895]  ? save_stack+0xa9/0xd0
[ 30.642514]  ? save_stack+0x43/0xd0
[ 30.646134]  ? kasan_kmalloc+0xc4/0xe0
[ 30.650008]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.654857]  ? memcpy+0x45/0x50
[ 30.658134]  v9fs_session_init+0x21a/0x1a80
[ 30.662440]  ? find_held_lock+0x36/0x1c0
[ 30.666493]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.670896]  ? kasan_check_read+0x11/0x20
[ 30.675039]  ? rcu_is_watching+0x8c/0x150
[ 30.679171]  ? rcu_pm_notify+0xc0/0xc0
[ 30.683050]  ? v9fs_mount+0x61/0x900
[ 30.686751]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.691765]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.696606]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 30.702139]  v9fs_mount+0x7c/0x900
[ 30.705677]  mount_fs+0xae/0x328
[ 30.709040]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.713606]  ? may_umount+0xb0/0xb0
[ 30.717220]  ? _raw_read_unlock+0x22/0x30
[ 30.721367]  ? __get_fs_type+0x97/0xc0
[ 30.725248]  do_mount+0x581/0x30e0
[ 30.728791]  ? copy_mount_string+0x40/0x40
[ 30.733022]  ? copy_mount_options+0x5f/0x380
[ 30.737421]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.742426]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.747270]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.752800]  ? _copy_from_user+0xdf/0x150
[ 30.756937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.762463]  ? copy_mount_options+0x285/0x380
[ 30.766947]  ksys_mount+0x12d/0x140
[ 30.770569]  __x64_sys_mount+0xbe/0x150
[ 30.774530]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.779545]  do_syscall_64+0x1b9/0x820
[ 30.783423]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.788352]  ? syscall_return_slowpath+0x31d/0x5e0
[ 30.793283]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.798827]  ? retint_user+0x18/0x18
[ 30.802536]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.807376]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.812551] RIP: 0033:0x440959
[ 30.815723] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 30.834998] RSP: 002b:00007ffd5a046ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 30.842708] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 30.849966] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 30.857222] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 30.864913] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000076f5
[ 30.872607] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 30.879869]
[ 30.881480] Allocated by task 4539:
[ 30.885186]  save_stack+0x43/0xd0
[ 30.888626]  kasan_kmalloc+0xc4/0xe0
[ 30.892330]  __kmalloc+0x14e/0x760
[ 30.896063]  p9_fcall_alloc+0x1e/0x90
[ 30.899876]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 30.905066]  p9_client_rpc+0x1bd/0x1400
[ 30.909041]  p9_client_create+0xd09/0x16c9
[ 30.913271]  v9fs_session_init+0x21a/0x1a80
[ 30.917582]  v9fs_mount+0x7c/0x900
[ 30.921105]  mount_fs+0xae/0x328
[ 30.924455]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.929032]  do_mount+0x581/0x30e0
[ 30.932556]  ksys_mount+0x12d/0x140
[ 30.936164]  __x64_sys_mount+0xbe/0x150
[ 30.940128]  do_syscall_64+0x1b9/0x820
[ 30.944006]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.949186]
[ 30.950796] Freed by task 0:
[ 30.953792] (stack is not available)
[ 30.957482]
[ 30.959093] The buggy address belongs to the object at ffff8801b3238480
[ 30.959093]  which belongs to the cache kmalloc-16384 of size 16384
[ 30.972288] The buggy address is located 45 bytes inside of
[ 30.972288]  16384-byte region [ffff8801b3238480, ffff8801b323c480)
[ 30.984326] The buggy address belongs to the page:
[ 30.989460] page:ffffea0006cc8e00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 30.999427] flags: 0x2fffc0000008100(slab|head)
[ 31.004088] raw: 02fffc0000008100 ffffea0007399808 ffff8801da801c48 ffff8801da802200
[ 31.011966] raw: 0000000000000000 ffff8801b3238480 0000000100000001 0000000000000000
[ 31.019835] page dumped because: kasan: bad access detected
[ 31.025532]
[ 31.027157] Memory state around the buggy address:
[ 31.032521]  ffff8801b323a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.039879]  ffff8801b323a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.047229] >ffff8801b323a480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.054681]                                ^
[ 31.059085]  ffff8801b323a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.066431]  ffff8801b323a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.073771] ==================================================================
[ 31.081122] Disabling lock debugging due to kernel taint
[ 31.086693] Kernel panic - not syncing: panic_on_warn set ...
[ 31.086693]
[ 31.094075] CPU: 0 PID: 4539 Comm: syz-executor009 Tainted: G B 4.18.0-rc4+ #144
[ 31.102993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.112340] Call Trace:
[ 31.114919]  dump_stack+0x1c9/0x2b4
[ 31.118530]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.123715]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.128472]  panic+0x238/0x4e7
[ 31.131660]  ? add_taint.cold.5+0x16/0x16
[ 31.135790]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.140191]  ? pdu_read+0x90/0xd0
[ 31.143625]  kasan_end_report+0x47/0x4f
[ 31.147596]  kasan_report.cold.7+0x76/0x2fe
[ 31.151900]  check_memory_region+0x13e/0x1b0
[ 31.156300]  memcpy+0x23/0x50
[ 31.159394]  pdu_read+0x90/0xd0
[ 31.162664]  p9pdu_readf+0x579/0x2170
[ 31.166451]  ? p9pdu_writef+0xe0/0xe0
[ 31.170236]  ? __fget+0x414/0x670
[ 31.173677]  ? rcu_is_watching+0x61/0x150
[ 31.177821]  ? expand_files.part.8+0x9c0/0x9c0
[ 31.182402]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.187417]  ? p9_fd_show_options+0x1c0/0x1c0
[ 31.191905]  p9_client_create+0xde0/0x16c9
[ 31.196145]  ? p9_client_read+0xc60/0xc60
[ 31.200278]  ? find_held_lock+0x36/0x1c0
[ 31.204333]  ? __lockdep_init_map+0x105/0x590
[ 31.208830]  ? kasan_check_write+0x14/0x20
[ 31.213058]  ? __init_rwsem+0x1cc/0x2a0
[ 31.217045]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 31.222059]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.227066]  ? __kmalloc_track_caller+0x5f5/0x760
[ 31.231898]  ? save_stack+0xa9/0xd0
[ 31.235514]  ? save_stack+0x43/0xd0
[ 31.239143]  ? kasan_kmalloc+0xc4/0xe0
[ 31.243027]  ? kmem_cache_alloc_trace+0x152/0x780
[ 31.247864]  ? memcpy+0x45/0x50
[ 31.251135]  v9fs_session_init+0x21a/0x1a80
[ 31.255444]  ? find_held_lock+0x36/0x1c0
[ 31.259503]  ? v9fs_show_options+0x7e0/0x7e0
[ 31.263906]  ? kasan_check_read+0x11/0x20
[ 31.268044]  ? rcu_is_watching+0x8c/0x150
[ 31.272190]  ? rcu_pm_notify+0xc0/0xc0
[ 31.276070]  ? v9fs_mount+0x61/0x900
[ 31.279774]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.284781]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.289616]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 31.295156]  v9fs_mount+0x7c/0x900
[ 31.298719]  mount_fs+0xae/0x328
[ 31.302076]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.306670]  ? may_umount+0xb0/0xb0
[ 31.310293]  ? _raw_read_unlock+0x22/0x30
[ 31.314433]  ? __get_fs_type+0x97/0xc0
[ 31.318313]  do_mount+0x581/0x30e0
[ 31.321979]  ? copy_mount_string+0x40/0x40
[ 31.326225]  ? copy_mount_options+0x5f/0x380
[ 31.330663]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.335676]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.340511]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.346054]  ? _copy_from_user+0xdf/0x150
[ 31.350216]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.355759]  ? copy_mount_options+0x285/0x380
[ 31.360266]  ksys_mount+0x12d/0x140
[ 31.363895]  __x64_sys_mount+0xbe/0x150
[ 31.367854]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.372879]  do_syscall_64+0x1b9/0x820
[ 31.376893]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.381817]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.386745]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.392276]  ? retint_user+0x18/0x18
[ 31.395995]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.400855]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.406042] RIP: 0033:0x440959
[ 31.409317] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.428452] RSP: 002b:00007ffd5a046ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 31.436174] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 31.443468] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 31.450737] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 31.458014] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000076f5
[ 31.465379] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 31.473340] Dumping ftrace buffer:
[ 31.476869]    (ftrace buffer empty)
[ 31.480571] Kernel Offset: disabled
[ 31.484213] Rebooting in 86400 seconds..