[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 14.598269] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 19.075303] random: sshd: uninitialized urandom read (32 bytes read) [ 19.268440] random: sshd: uninitialized urandom read (32 bytes read) [ 19.949893] random: sshd: uninitialized urandom read (32 bytes read) [ 20.079206] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.22' (ECDSA) to the list of known hosts. [ 25.496327] random: sshd: uninitialized urandom read (32 bytes read) executing program executing program executing program executing program executing program [ 25.573939] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. [ 25.602657] ================================================================== [ 25.610022] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0 [ 25.616146] Read of size 15518 at addr ffff8801cbba072d by task syz-executor899/4460 [ 25.623997] [ 25.625615] CPU: 0 PID: 4460 Comm: syz-executor899 Not tainted 4.18.0-rc3-next-20180709+ #2 [ 25.634079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 25.643409] Call Trace: [ 25.645976] dump_stack+0x1c9/0x2b4 [ 25.649583] ? dump_stack_print_info.cold.2+0x52/0x52 [ 25.654752] ? printk+0xa7/0xcf [ 25.658010] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 25.662749] ? pdu_read+0x90/0xd0 [ 25.666180] print_address_description+0x6c/0x20b [ 25.670998] ? pdu_read+0x90/0xd0 [ 25.674434] kasan_report.cold.7+0x242/0x30d [ 25.678822] check_memory_region+0x13e/0x1b0 [ 25.683219] memcpy+0x23/0x50 [ 25.686300] pdu_read+0x90/0xd0 [ 25.689557] p9pdu_readf+0x579/0x2170 [ 25.693335] ? p9pdu_writef+0xe0/0xe0 [ 25.697116] ? ksys_dup3+0x690/0x690 [ 25.700809] ? check_same_owner+0x340/0x340 [ 25.705109] ? p9_fd_poll+0x2b0/0x2b0 [ 25.708889] ? kasan_kmalloc+0xc4/0xe0 [ 25.712755] ? kasan_unpoison_shadow+0x35/0x50 [ 25.717314] ? p9_fd_show_options+0x1c0/0x1c0 [ 25.721787] ? __raw_spin_lock_init+0x2d/0x100 [ 25.726347] p9_client_create+0xde0/0x16c9 [ 25.730561] ? p9_client_read+0xc60/0xc60 [ 25.734688] ? kasan_check_read+0x11/0x20 [ 25.738814] ? lock_acquire+0x1e4/0x540 [ 25.742777] ? fs_reclaim_acquire+0x20/0x20 [ 25.747079] ? lock_release+0xa30/0xa30 [ 25.751036] ? __lockdep_init_map+0x105/0x590 [ 25.755513] ? kasan_check_write+0x14/0x20 [ 25.759726] ? __init_rwsem+0x1cc/0x2a0 [ 25.763677] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 25.768673] ? __kmalloc_track_caller+0x311/0x760 [ 25.773492] ? save_stack+0xa9/0xd0 [ 25.777099] ? save_stack+0x43/0xd0 [ 25.780702] ? kasan_kmalloc+0xc4/0xe0 [ 25.784574] ? kmem_cache_alloc_trace+0x152/0x780 [ 25.789400] ? memcpy+0x45/0x50 [ 25.792660] v9fs_session_init+0x21a/0x1a80 [ 25.796959] ? rcu_note_context_switch+0x730/0x730 [ 25.801864] ? do_mount+0x69e/0x1fb0 [ 25.805556] ? lock_acquire+0x1e4/0x540 [ 25.809508] ? lock_downgrade+0x8f0/0x8f0 [ 25.813645] ? v9fs_show_options+0x7e0/0x7e0 [ 25.818268] ? kasan_check_read+0x11/0x20 [ 25.822399] ? do_raw_spin_unlock+0xa7/0x2f0 [ 25.826784] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 25.831344] ? kasan_check_write+0x14/0x20 [ 25.835554] ? do_raw_spin_lock+0xc1/0x200 [ 25.839778] ? kasan_unpoison_shadow+0x35/0x50 [ 25.844337] ? kasan_kmalloc+0xc4/0xe0 [ 25.848204] ? kmem_cache_alloc_trace+0x318/0x780 [ 25.853030] ? kasan_unpoison_shadow+0x35/0x50 [ 25.857594] ? kasan_kmalloc+0xc4/0xe0 [ 25.861461] v9fs_mount+0x7c/0x900 [ 25.864979] ? v9fs_drop_inode+0x150/0x150 [ 25.869192] legacy_get_tree+0x118/0x440 [ 25.873231] vfs_get_tree+0x1cb/0x5c0 [ 25.877015] do_mount+0x6c1/0x1fb0 [ 25.880540] ? kasan_check_read+0x11/0x20 [ 25.884666] ? do_raw_spin_unlock+0xa7/0x2f0 [ 25.889054] ? copy_mount_string+0x40/0x40 [ 25.893265] ? kasan_kmalloc+0xc4/0xe0 [ 25.897131] ? kmem_cache_alloc_trace+0x318/0x780 [ 25.901964] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.907479] ? copy_mount_options+0x285/0x380 [ 25.911952] ksys_mount+0x12d/0x140 [ 25.915557] __x64_sys_mount+0xbe/0x150 [ 25.919513] do_syscall_64+0x1b9/0x820 [ 25.923378] ? syscall_return_slowpath+0x5e0/0x5e0 [ 25.928284] ? syscall_return_slowpath+0x31d/0x5e0 [ 25.933198] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 25.938193] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 25.943707] ? prepare_exit_to_usermode+0x291/0x3b0 [ 25.948700] ? perf_trace_sys_enter+0xb10/0xb10 [ 25.953346] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 25.958178] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 25.963350] RIP: 0033:0x440959 [ 25.966513] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 25.985648] RSP: 002b:00007ffc42105348 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 25.993335] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959 [ 26.000582] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000 [ 26.007827] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8 [ 26.015072] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000000063ff [ 26.022317] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000 [ 26.029568] [ 26.031176] Allocated by task 4460: [ 26.034789] save_stack+0x43/0xd0 [ 26.038218] kasan_kmalloc+0xc4/0xe0 [ 26.041906] __kmalloc+0x14e/0x760 [ 26.045424] p9_fcall_alloc+0x1e/0x90 [ 26.049203] p9_client_prepare_req.part.9+0x754/0xcd0 [ 26.054369] p9_client_rpc+0x1bd/0x1400 [ 26.058320] p9_client_create+0xd09/0x16c9 [ 26.062543] v9fs_session_init+0x21a/0x1a80 [ 26.066854] v9fs_mount+0x7c/0x900 [ 26.070370] legacy_get_tree+0x118/0x440 [ 26.074409] vfs_get_tree+0x1cb/0x5c0 [ 26.078186] do_mount+0x6c1/0x1fb0 [ 26.081704] ksys_mount+0x12d/0x140 [ 26.085306] __x64_sys_mount+0xbe/0x150 [ 26.089256] do_syscall_64+0x1b9/0x820 [ 26.093119] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.098277] [ 26.099879] Freed by task 0: [ 26.102869] (stack is not available) [ 26.106555] [ 26.108170] The buggy address belongs to the object at ffff8801cbba0700 [ 26.108170] which belongs to the cache kmalloc-16384 of size 16384 [ 26.121150] The buggy address is located 45 bytes inside of [ 26.121150] 16384-byte region [ffff8801cbba0700, ffff8801cbba4700) [ 26.133082] The buggy address belongs to the page: [ 26.137995] page:ffffea00072ee800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0 [ 26.147945] flags: 0x2fffc0000008100(slab|head) [ 26.152595] raw: 02fffc0000008100 ffffea0007381408 ffffea00072e0a08 ffff8801da802200 [ 26.160455] raw: 0000000000000000 ffff8801cbba0700 0000000100000001 0000000000000000 [ 26.168309] page dumped because: kasan: bad access detected [ 26.173989] [ 26.175594] Memory state around the buggy address: [ 26.180498] ffff8801cbba2600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.187831] ffff8801cbba2680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.195164] >ffff8801cbba2700: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc [ 26.202494] ^ [ 26.206886] ffff8801cbba2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.214218] ffff8801cbba2800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.221555] ================================================================== [ 26.228997] Kernel panic - not syncing: panic_on_warn set ... [ 26.228997] [ 26.236365] CPU: 0 PID: 4460 Comm: syz-executor899 Tainted: G B 4.18.0-rc3-next-20180709+ #2 [ 26.246215] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 26.255548] Call Trace: [ 26.258117] dump_stack+0x1c9/0x2b4 [ 26.261723] ? dump_stack_print_info.cold.2+0x52/0x52 [ 26.266899] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 26.271638] panic+0x238/0x4e7 [ 26.274809] ? add_taint.cold.5+0x16/0x16 [ 26.278938] ? do_raw_spin_unlock+0xa7/0x2f0 [ 26.283322] ? pdu_read+0x90/0xd0 [ 26.286751] kasan_end_report+0x47/0x4f [ 26.290702] kasan_report.cold.7+0x76/0x30d [ 26.295002] check_memory_region+0x13e/0x1b0 [ 26.299395] memcpy+0x23/0x50 [ 26.302478] pdu_read+0x90/0xd0 [ 26.305738] p9pdu_readf+0x579/0x2170 [ 26.309519] ? p9pdu_writef+0xe0/0xe0 [ 26.313302] ? ksys_dup3+0x690/0x690 [ 26.316992] ? check_same_owner+0x340/0x340 [ 26.321292] ? p9_fd_poll+0x2b0/0x2b0 [ 26.325072] ? kasan_kmalloc+0xc4/0xe0 [ 26.328939] ? kasan_unpoison_shadow+0x35/0x50 [ 26.333510] ? p9_fd_show_options+0x1c0/0x1c0 [ 26.337985] ? __raw_spin_lock_init+0x2d/0x100 [ 26.342554] p9_client_create+0xde0/0x16c9 [ 26.346769] ? p9_client_read+0xc60/0xc60 [ 26.350897] ? kasan_check_read+0x11/0x20 [ 26.355030] ? lock_acquire+0x1e4/0x540 [ 26.358983] ? fs_reclaim_acquire+0x20/0x20 [ 26.363285] ? lock_release+0xa30/0xa30 [ 26.367237] ? __lockdep_init_map+0x105/0x590 [ 26.371712] ? kasan_check_write+0x14/0x20 [ 26.375922] ? __init_rwsem+0x1cc/0x2a0 [ 26.379874] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 26.384867] ? __kmalloc_track_caller+0x311/0x760 [ 26.389685] ? save_stack+0xa9/0xd0 [ 26.393290] ? save_stack+0x43/0xd0 [ 26.396892] ? kasan_kmalloc+0xc4/0xe0 [ 26.400756] ? kmem_cache_alloc_trace+0x152/0x780 [ 26.405576] ? memcpy+0x45/0x50 [ 26.408834] v9fs_session_init+0x21a/0x1a80 [ 26.413134] ? rcu_note_context_switch+0x730/0x730 [ 26.418041] ? do_mount+0x69e/0x1fb0 [ 26.421732] ? lock_acquire+0x1e4/0x540 [ 26.425684] ? lock_downgrade+0x8f0/0x8f0 [ 26.429809] ? v9fs_show_options+0x7e0/0x7e0 [ 26.434195] ? kasan_check_read+0x11/0x20 [ 26.438319] ? do_raw_spin_unlock+0xa7/0x2f0 [ 26.442705] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 26.447264] ? kasan_check_write+0x14/0x20 [ 26.451474] ? do_raw_spin_lock+0xc1/0x200 [ 26.455697] ? kasan_unpoison_shadow+0x35/0x50 [ 26.460256] ? kasan_kmalloc+0xc4/0xe0 [ 26.464121] ? kmem_cache_alloc_trace+0x318/0x780 [ 26.468941] ? kasan_unpoison_shadow+0x35/0x50 [ 26.473501] ? kasan_kmalloc+0xc4/0xe0 [ 26.477366] v9fs_mount+0x7c/0x900 [ 26.480884] ? v9fs_drop_inode+0x150/0x150 [ 26.485098] legacy_get_tree+0x118/0x440 [ 26.489137] vfs_get_tree+0x1cb/0x5c0 [ 26.492919] do_mount+0x6c1/0x1fb0 [ 26.496436] ? kasan_check_read+0x11/0x20 [ 26.500571] ? do_raw_spin_unlock+0xa7/0x2f0 [ 26.504964] ? copy_mount_string+0x40/0x40 [ 26.509195] ? kasan_kmalloc+0xc4/0xe0 [ 26.513066] ? kmem_cache_alloc_trace+0x318/0x780 [ 26.517890] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.523403] ? copy_mount_options+0x285/0x380 [ 26.527877] ksys_mount+0x12d/0x140 [ 26.531494] __x64_sys_mount+0xbe/0x150 [ 26.535447] do_syscall_64+0x1b9/0x820 [ 26.539313] ? syscall_return_slowpath+0x5e0/0x5e0 [ 26.544229] ? syscall_return_slowpath+0x31d/0x5e0 [ 26.549135] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 26.554130] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 26.559643] ? prepare_exit_to_usermode+0x291/0x3b0 [ 26.564635] ? perf_trace_sys_enter+0xb10/0xb10 [ 26.569284] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 26.574106] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 26.579273] RIP: 0033:0x440959 [ 26.582439] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 26.601556] RSP: 002b:00007ffc42105348 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 26.609239] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959 [ 26.616488] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000 [ 26.623734] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8 [ 26.630981] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000000063ff [ 26.638240] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000 [ 26.645911] Dumping ftrace buffer: [ 26.649427] (ftrace buffer empty) [ 26.653110] Kernel Offset: disabled [ 26.656712] Rebooting in 86400 seconds..