[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[ 15.913828] random: sshd: uninitialized urandom read (32 bytes read)
�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[ 16.592988] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.813632] random: sshd: uninitialized urandom read (32 bytes read)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 17.521459] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.658505] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
[ 23.101574] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[ 23.183473] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 23.215948] ==================================================================
[ 23.223439] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 23.229563] Read of size 29264 at addr ffff8801ac5406ed by task syz-executor935/4463
[ 23.237426]
[ 23.239037] CPU: 1 PID: 4463 Comm: syz-executor935 Not tainted 4.18.0-rc3-next-20180709+ #2
[ 23.247500] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.256828] Call Trace:
[ 23.259402] dump_stack+0x1c9/0x2b4
[ 23.263016] ? dump_stack_print_info.cold.2+0x52/0x52
[ 23.268200] ? printk+0xa7/0xcf
[ 23.271463] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 23.276202] ? pdu_read+0x90/0xd0
[ 23.279639] print_address_description+0x6c/0x20b
[ 23.284460] ? pdu_read+0x90/0xd0
[ 23.287903] kasan_report.cold.7+0x242/0x30d
[ 23.292309] check_memory_region+0x13e/0x1b0
[ 23.296702] memcpy+0x23/0x50
[ 23.299787] pdu_read+0x90/0xd0
[ 23.303044] p9pdu_readf+0x579/0x2170
[ 23.306823] ? p9pdu_writef+0xe0/0xe0
[ 23.310604] ? ksys_dup3+0x690/0x690
[ 23.314301] ? do_raw_spin_lock+0xc1/0x200
[ 23.318517] ? kasan_kmalloc+0xc4/0xe0
[ 23.322386] ? kasan_unpoison_shadow+0x35/0x50
[ 23.326952] ? p9_fd_show_options+0x1c0/0x1c0
[ 23.331428] ? __raw_spin_lock_init+0x2d/0x100
[ 23.335993] p9_client_create+0xde0/0x16c9
[ 23.340215] ? p9_client_read+0xc60/0xc60
[ 23.344344] ? kasan_check_read+0x11/0x20
[ 23.348474] ? lock_acquire+0x1e4/0x540
[ 23.352434] ? fs_reclaim_acquire+0x20/0x20
[ 23.356744] ? lock_release+0xa30/0xa30
[ 23.360704] ? __lockdep_init_map+0x105/0x590
[ 23.365198] ? kasan_check_write+0x14/0x20
[ 23.369418] ? __init_rwsem+0x1cc/0x2a0
[ 23.373379] ? do_raw_write_unlock.cold.8+0x49/0x49
[ 23.378376] ? __kmalloc_track_caller+0x311/0x760
[ 23.383206] ? save_stack+0xa9/0xd0
[ 23.386814] ? save_stack+0x43/0xd0
[ 23.390425] ? kasan_kmalloc+0xc4/0xe0
[ 23.394300] ? kmem_cache_alloc_trace+0x152/0x780
[ 23.399153] ? memcpy+0x45/0x50
[ 23.402422] v9fs_session_init+0x21a/0x1a80
[ 23.406735] ? rcu_note_context_switch+0x730/0x730
[ 23.411643] ? do_mount+0x69e/0x1fb0
[ 23.415341] ? lock_acquire+0x1e4/0x540
[ 23.419298] ? v9fs_show_options+0x7e0/0x7e0
[ 23.423692] ? lock_release+0xa30/0xa30
[ 23.427648] ? check_same_owner+0x340/0x340
[ 23.431957] ? kasan_unpoison_shadow+0x35/0x50
[ 23.436527] ? kasan_kmalloc+0xc4/0xe0
[ 23.440394] ? kmem_cache_alloc_trace+0x318/0x780
[ 23.445219] ? kasan_unpoison_shadow+0x35/0x50
[ 23.449791] ? kasan_kmalloc+0xc4/0xe0
[ 23.453678] v9fs_mount+0x7c/0x900
[ 23.457201] ? v9fs_drop_inode+0x150/0x150
[ 23.461423] legacy_get_tree+0x118/0x440
[ 23.465469] vfs_get_tree+0x1cb/0x5c0
[ 23.469260] do_mount+0x6c1/0x1fb0
[ 23.472780] ? kasan_check_write+0x14/0x20
[ 23.476996] ? copy_mount_string+0x40/0x40
[ 23.481216] ? kasan_kmalloc+0xc4/0xe0
[ 23.485084] ? kmem_cache_alloc_trace+0x318/0x780
[ 23.489907] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 23.495425] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 23.500954] ? copy_mount_options+0x285/0x380
[ 23.505443] ksys_mount+0x12d/0x140
[ 23.509052] __x64_sys_mount+0xbe/0x150
[ 23.513012] do_syscall_64+0x1b9/0x820
[ 23.516882] ? syscall_return_slowpath+0x5e0/0x5e0
[ 23.521791] ? syscall_return_slowpath+0x31d/0x5e0
[ 23.526702] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 23.531697] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 23.537218] ? prepare_exit_to_usermode+0x291/0x3b0
[ 23.542213] ? perf_trace_sys_enter+0xb10/0xb10
[ 23.546862] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.551691] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 23.556861] RIP: 0033:0x440959
[ 23.560028] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 23.579175] RSP: 002b:00007ffec11dec08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 23.586864] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 23.594114] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 23.601361] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 23.608608] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000005aaa
[ 23.615858] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 23.623108]
[ 23.624714] Allocated by task 4463:
[ 23.628327] save_stack+0x43/0xd0
[ 23.631761] kasan_kmalloc+0xc4/0xe0
[ 23.635451] __kmalloc+0x14e/0x760
[ 23.638972] p9_fcall_alloc+0x1e/0x90
[ 23.642760] p9_client_prepare_req.part.9+0x754/0xcd0
[ 23.647930] p9_client_rpc+0x1bd/0x1400
[ 23.651886] p9_client_create+0xd09/0x16c9
[ 23.656100] v9fs_session_init+0x21a/0x1a80
[ 23.660398] v9fs_mount+0x7c/0x900
[ 23.663923] legacy_get_tree+0x118/0x440
[ 23.667964] vfs_get_tree+0x1cb/0x5c0
[ 23.671749] do_mount+0x6c1/0x1fb0
[ 23.675267] ksys_mount+0x12d/0x140
[ 23.678874] __x64_sys_mount+0xbe/0x150
[ 23.682835] do_syscall_64+0x1b9/0x820
[ 23.686708] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 23.691869]
[ 23.693471] Freed by task 0:
[ 23.696469] (stack is not available)
[ 23.700157]
[ 23.701771] The buggy address belongs to the object at ffff8801ac5406c0
[ 23.701771] which belongs to the cache kmalloc-16384 of size 16384
[ 23.714754] The buggy address is located 45 bytes inside of
[ 23.714754] 16384-byte region [ffff8801ac5406c0, ffff8801ac5446c0)
[ 23.726699] The buggy address belongs to the page:
[ 23.731611] page:ffffea0006b15000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 23.741566] flags: 0x2fffc0000008100(slab|head)
[ 23.746226] raw: 02fffc0000008100 ffffea0006b17808 ffff8801da801c48 ffff8801da802200
[ 23.754098] raw: 0000000000000000 ffff8801ac5406c0 0000000100000001 0000000000000000
[ 23.762052] page dumped because: kasan: bad access detected
[ 23.767739]
[ 23.769344] Memory state around the buggy address:
[ 23.774254] ffff8801ac542580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.781602] ffff8801ac542600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.788958] >ffff8801ac542680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 23.796299] ^
[ 23.802779] ffff8801ac542700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.810128] ffff8801ac542780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.817477] ==================================================================
[ 23.825009] Kernel panic - not syncing: panic_on_warn set ...
[ 23.825009]
[ 23.832381] CPU: 1 PID: 4463 Comm: syz-executor935 Tainted: G B 4.18.0-rc3-next-20180709+ #2
[ 23.842250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.851596] Call Trace:
[ 23.854180] dump_stack+0x1c9/0x2b4
[ 23.857809] ? dump_stack_print_info.cold.2+0x52/0x52
[ 23.862992] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 23.867760] panic+0x238/0x4e7
[ 23.870947] ? add_taint.cold.5+0x16/0x16
[ 23.875088] ? do_raw_spin_unlock+0xa7/0x2f0
[ 23.879486] ? pdu_read+0x90/0xd0
[ 23.882932] kasan_end_report+0x47/0x4f
[ 23.886896] kasan_report.cold.7+0x76/0x30d
[ 23.891216] check_memory_region+0x13e/0x1b0
[ 23.895633] memcpy+0x23/0x50
[ 23.898737] pdu_read+0x90/0xd0
[ 23.902006] p9pdu_readf+0x579/0x2170
[ 23.905806] ? p9pdu_writef+0xe0/0xe0
[ 23.909606] ? ksys_dup3+0x690/0x690
[ 23.913327] ? do_raw_spin_lock+0xc1/0x200
[ 23.917558] ? kasan_kmalloc+0xc4/0xe0
[ 23.921438] ? kasan_unpoison_shadow+0x35/0x50
[ 23.926014] ? p9_fd_show_options+0x1c0/0x1c0
[ 23.930530] ? __raw_spin_lock_init+0x2d/0x100
[ 23.935104] p9_client_create+0xde0/0x16c9
[ 23.939337] ? p9_client_read+0xc60/0xc60
[ 23.943481] ? kasan_check_read+0x11/0x20
[ 23.947644] ? lock_acquire+0x1e4/0x540
[ 23.951605] ? fs_reclaim_acquire+0x20/0x20
[ 23.955916] ? lock_release+0xa30/0xa30
[ 23.959881] ? __lockdep_init_map+0x105/0x590
[ 23.964374] ? kasan_check_write+0x14/0x20
[ 23.968599] ? __init_rwsem+0x1cc/0x2a0
[ 23.972563] ? do_raw_write_unlock.cold.8+0x49/0x49
[ 23.977567] ? __kmalloc_track_caller+0x311/0x760
[ 23.982393] ? save_stack+0xa9/0xd0
[ 23.986001] ? save_stack+0x43/0xd0
[ 23.989618] ? kasan_kmalloc+0xc4/0xe0
[ 23.993484] ? kmem_cache_alloc_trace+0x152/0x780
[ 23.998308] ? memcpy+0x45/0x50
[ 24.001575] v9fs_session_init+0x21a/0x1a80
[ 24.005892] ? rcu_note_context_switch+0x730/0x730
[ 24.010808] ? do_mount+0x69e/0x1fb0
[ 24.014513] ? lock_acquire+0x1e4/0x540
[ 24.018469] ? v9fs_show_options+0x7e0/0x7e0
[ 24.022870] ? lock_release+0xa30/0xa30
[ 24.026828] ? check_same_owner+0x340/0x340
[ 24.031148] ? kasan_unpoison_shadow+0x35/0x50
[ 24.035713] ? kasan_kmalloc+0xc4/0xe0
[ 24.039594] ? kmem_cache_alloc_trace+0x318/0x780
[ 24.044426] ? kasan_unpoison_shadow+0x35/0x50
[ 24.048989] ? kasan_kmalloc+0xc4/0xe0
[ 24.052862] v9fs_mount+0x7c/0x900
[ 24.056383] ? v9fs_drop_inode+0x150/0x150
[ 24.060599] legacy_get_tree+0x118/0x440
[ 24.064648] vfs_get_tree+0x1cb/0x5c0
[ 24.068430] do_mount+0x6c1/0x1fb0
[ 24.071951] ? kasan_check_write+0x14/0x20
[ 24.076166] ? copy_mount_string+0x40/0x40
[ 24.080403] ? kasan_kmalloc+0xc4/0xe0
[ 24.084290] ? kmem_cache_alloc_trace+0x318/0x780
[ 24.089117] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 24.094645] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 24.100166] ? copy_mount_options+0x285/0x380
[ 24.104652] ksys_mount+0x12d/0x140
[ 24.108262] __x64_sys_mount+0xbe/0x150
[ 24.112221] do_syscall_64+0x1b9/0x820
[ 24.116100] ? syscall_return_slowpath+0x5e0/0x5e0
[ 24.121013] ? syscall_return_slowpath+0x31d/0x5e0
[ 24.125936] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 24.130933] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 24.136453] ? prepare_exit_to_usermode+0x291/0x3b0
[ 24.141458] ? perf_trace_sys_enter+0xb10/0xb10
[ 24.146120] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.150955] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 24.156126] RIP: 0033:0x440959
[ 24.159291] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 24.178417] RSP: 002b:00007ffec11dec08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 24.186136] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 24.193389] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 24.200658] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 24.207908] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000005aaa
[ 24.215159] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 24.222938] Dumping ftrace buffer:
[ 24.226467] (ftrace buffer empty)
[ 24.230154] Kernel Offset: disabled
[ 24.233760] Rebooting in 86400 seconds..