[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.428215] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.534564] random: sshd: uninitialized urandom read (32 bytes read)
[   23.909905] random: sshd: uninitialized urandom read (32 bytes read)
[   24.767571] random: sshd: uninitialized urandom read (32 bytes read)
[   38.115783] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
[   43.546743] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 00:25:11 parsed 1 programs
[   45.506624] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 00:25:13 executed programs: 0
[   46.780367] IPVS: ftp: loaded support on port[0] = 21
[   46.979928] bridge0: port 1(bridge_slave_0) entered blocking state
[   46.986438] bridge0: port 1(bridge_slave_0) entered disabled state
[   46.993957] device bridge_slave_0 entered promiscuous mode
[   47.010282] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.016705] bridge0: port 2(bridge_slave_1) entered disabled state
[   47.023874] device bridge_slave_1 entered promiscuous mode
[   47.039502] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   47.055469] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   47.097584] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   47.116387] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   47.180555] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   47.188145] team0: Port device team_slave_0 added
[   47.203524] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   47.210685] team0: Port device team_slave_1 added
[   47.226632] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   47.244322] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   47.261513] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   47.279651] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   47.401305] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.407886] bridge0: port 2(bridge_slave_1) entered forwarding state
[   47.414909] bridge0: port 1(bridge_slave_0) entered blocking state
[   47.421315] bridge0: port 1(bridge_slave_0) entered forwarding state
[   47.850498] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   47.858049] 8021q: adding VLAN 0 to HW filter on device bond0
[   47.900993] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.946484] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.954883] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   47.994706] 8021q: adding VLAN 0 to HW filter on device team0
[   48.253323] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   48.590889] ==================================================================
[   48.598482] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   48.604631] Read of size 65411 at addr ffff8801cf5ba4ed by task syz-executor0/4854
[   48.612345] 
[   48.613967] CPU: 0 PID: 4854 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[   48.621137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.630480] Call Trace:
[   48.633067]  dump_stack+0x1c9/0x2b4
[   48.636696]  ? dump_stack_print_info.cold.2+0x52/0x52
[   48.641881]  ? printk+0xa7/0xcf
[   48.645151]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   48.649911]  ? pdu_read+0x90/0xd0
[   48.653364]  print_address_description+0x6c/0x20b
[   48.658199]  ? pdu_read+0x90/0xd0
[   48.661653]  kasan_report.cold.7+0x242/0x2fe
[   48.666078]  check_memory_region+0x13e/0x1b0
[   48.670477]  memcpy+0x23/0x50
[   48.673573]  pdu_read+0x90/0xd0
[   48.676850]  p9pdu_readf+0x579/0x2170
[   48.680656]  ? p9pdu_writef+0xe0/0xe0
[   48.684460]  ? __fget+0x414/0x670
[   48.687905]  ? rcu_is_watching+0x61/0x150
[   48.692062]  ? expand_files.part.8+0x9c0/0x9c0
[   48.696639]  ? rcu_read_lock_sched_held+0x108/0x120
[   48.701665]  ? p9_fd_show_options+0x1c0/0x1c0
[   48.706155]  p9_client_create+0xde0/0x16c9
[   48.710385]  ? p9_client_read+0xc60/0xc60
[   48.714545]  ? find_held_lock+0x36/0x1c0
[   48.718603]  ? __lockdep_init_map+0x105/0x590
[   48.723098]  ? kasan_check_write+0x14/0x20
[   48.727328]  ? __init_rwsem+0x1cc/0x2a0
[   48.731304]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   48.736315]  ? rcu_read_lock_sched_held+0x108/0x120
[   48.741327]  ? __kmalloc_track_caller+0x5f5/0x760
[   48.746171]  ? save_stack+0xa9/0xd0
[   48.749808]  ? save_stack+0x43/0xd0
[   48.753435]  ? kasan_kmalloc+0xc4/0xe0
[   48.757331]  ? memcpy+0x45/0x50
[   48.760616]  v9fs_session_init+0x21a/0x1a80
[   48.764933]  ? find_held_lock+0x36/0x1c0
[   48.768998]  ? v9fs_show_options+0x7e0/0x7e0
[   48.773417]  ? kasan_check_read+0x11/0x20
[   48.777556]  ? rcu_is_watching+0x8c/0x150
[   48.781689]  ? rcu_pm_notify+0xc0/0xc0
[   48.785561]  ? rcu_pm_notify+0xc0/0xc0
[   48.789438]  ? v9fs_mount+0x61/0x900
[   48.793138]  ? rcu_read_lock_sched_held+0x108/0x120
[   48.798143]  ? kmem_cache_alloc_trace+0x616/0x780
[   48.802984]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   48.808522]  v9fs_mount+0x7c/0x900
[   48.812063]  mount_fs+0xae/0x328
[   48.815423]  vfs_kern_mount.part.34+0xdc/0x4e0
[   48.820008]  ? may_umount+0xb0/0xb0
[   48.823633]  ? _raw_read_unlock+0x22/0x30
[   48.827784]  ? __get_fs_type+0x97/0xc0
[   48.831679]  do_mount+0x581/0x30e0
[   48.835222]  ? do_raw_spin_unlock+0xa7/0x2f0
[   48.839633]  ? copy_mount_string+0x40/0x40
[   48.843869]  ? retint_kernel+0x10/0x10
[   48.847749]  ? copy_mount_options+0x1e3/0x380
[   48.852254]  ? __sanitizer_cov_trace_pc+0x14/0x50
[   48.857100]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.862643]  ? copy_mount_options+0x285/0x380
[   48.867144]  __ia32_compat_sys_mount+0x5d5/0x860
[   48.871898]  do_fast_syscall_32+0x34d/0xfb2
[   48.876230]  ? do_int80_syscall_32+0x890/0x890
[   48.880893]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   48.885652]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.891189]  ? syscall_return_slowpath+0x31d/0x5e0
[   48.896112]  ? sysret32_from_system_call+0x5/0x46
[   48.901150]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.906076]  entry_SYSENTER_compat+0x70/0x7f
[   48.910472] RIP: 0023:0xf7f22cb9
[   48.913826] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   48.933055] RSP: 002b:00000000ffe69c8c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   48.940759] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   48.948043] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   48.955312] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   48.962587] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   48.969849] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   48.977114] 
[   48.978738] Allocated by task 4854:
[   48.982361]  save_stack+0x43/0xd0
[   48.985835]  kasan_kmalloc+0xc4/0xe0
[   48.989535]  __kmalloc+0x14e/0x760
[   48.993082]  p9_fcall_alloc+0x1e/0x90
[   48.996986]  p9_client_prepare_req.part.8+0x754/0xcd0
[   49.002167]  p9_client_rpc+0x1bd/0x1400
[   49.006131]  p9_client_create+0xd09/0x16c9
[   49.010356]  v9fs_session_init+0x21a/0x1a80
[   49.014663]  v9fs_mount+0x7c/0x900
[   49.018194]  mount_fs+0xae/0x328
[   49.021549]  vfs_kern_mount.part.34+0xdc/0x4e0
[   49.026127]  do_mount+0x581/0x30e0
[   49.029654]  __ia32_compat_sys_mount+0x5d5/0x860
[   49.034408]  do_fast_syscall_32+0x34d/0xfb2
[   49.038720]  entry_SYSENTER_compat+0x70/0x7f
[   49.043106] 
[   49.044731] Freed by task 0:
[   49.047737] (stack is not available)
[   49.051435] 
[   49.053050] The buggy address belongs to the object at ffff8801cf5ba4c0
[   49.053050]  which belongs to the cache kmalloc-16384 of size 16384
[   49.066068] The buggy address is located 45 bytes inside of
[   49.066068]  16384-byte region [ffff8801cf5ba4c0, ffff8801cf5be4c0)
[   49.078035] The buggy address belongs to the page:
[   49.082959] page:ffffea00073d6e00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   49.093616] flags: 0x2fffc0000008100(slab|head)
[   49.098278] raw: 02fffc0000008100 ffffea0006aa1008 ffff8801da801c48 ffff8801da802200
[   49.106156] raw: 0000000000000000 ffff8801cf5ba4c0 0000000100000001 0000000000000000
[   49.114045] page dumped because: kasan: bad access detected
[   49.119756] 
[   49.121367] Memory state around the buggy address:
[   49.126290]  ffff8801cf5bc380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.133653]  ffff8801cf5bc400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.141004] >ffff8801cf5bc480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   49.148363]                                                        ^
[   49.154854]  ffff8801cf5bc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.162299]  ffff8801cf5bc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.169652] ==================================================================
[   49.177002] Disabling lock debugging due to kernel taint
[   49.183034] Kernel panic - not syncing: panic_on_warn set ...
[   49.183034] 
[   49.190415] CPU: 0 PID: 4854 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[   49.198982] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.208339] Call Trace:
[   49.210920]  dump_stack+0x1c9/0x2b4
[   49.214534]  ? dump_stack_print_info.cold.2+0x52/0x52
[   49.219725]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   49.224468]  panic+0x238/0x4e7
[   49.227653]  ? add_taint.cold.5+0x16/0x16
[   49.231797]  ? do_raw_spin_unlock+0xa7/0x2f0
[   49.236201]  ? pdu_read+0x90/0xd0
[   49.239638]  kasan_end_report+0x47/0x4f
[   49.243598]  kasan_report.cold.7+0x76/0x2fe
[   49.247920]  check_memory_region+0x13e/0x1b0
[   49.252316]  memcpy+0x23/0x50
[   49.255409]  pdu_read+0x90/0xd0
[   49.258672]  p9pdu_readf+0x579/0x2170
[   49.262474]  ? p9pdu_writef+0xe0/0xe0
[   49.266255]  ? __fget+0x414/0x670
[   49.269700]  ? rcu_is_watching+0x61/0x150
[   49.273839]  ? expand_files.part.8+0x9c0/0x9c0
[   49.278408]  ? rcu_read_lock_sched_held+0x108/0x120
[   49.283428]  ? p9_fd_show_options+0x1c0/0x1c0
[   49.287925]  p9_client_create+0xde0/0x16c9
[   49.292150]  ? p9_client_read+0xc60/0xc60
[   49.296302]  ? find_held_lock+0x36/0x1c0
[   49.300355]  ? __lockdep_init_map+0x105/0x590
[   49.304849]  ? kasan_check_write+0x14/0x20
[   49.309079]  ? __init_rwsem+0x1cc/0x2a0
[   49.313057]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   49.318071]  ? rcu_read_lock_sched_held+0x108/0x120
[   49.323080]  ? __kmalloc_track_caller+0x5f5/0x760
[   49.327910]  ? save_stack+0xa9/0xd0
[   49.331521]  ? save_stack+0x43/0xd0
[   49.335141]  ? kasan_kmalloc+0xc4/0xe0
[   49.339039]  ? memcpy+0x45/0x50
[   49.342315]  v9fs_session_init+0x21a/0x1a80
[   49.346626]  ? find_held_lock+0x36/0x1c0
[   49.350684]  ? v9fs_show_options+0x7e0/0x7e0
[   49.355083]  ? kasan_check_read+0x11/0x20
[   49.359212]  ? rcu_is_watching+0x8c/0x150
[   49.363352]  ? rcu_pm_notify+0xc0/0xc0
[   49.367225]  ? rcu_pm_notify+0xc0/0xc0
[   49.371106]  ? v9fs_mount+0x61/0x900
[   49.374838]  ? rcu_read_lock_sched_held+0x108/0x120
[   49.379852]  ? kmem_cache_alloc_trace+0x616/0x780
[   49.384689]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   49.390234]  v9fs_mount+0x7c/0x900
[   49.393774]  mount_fs+0xae/0x328
[   49.397138]  vfs_kern_mount.part.34+0xdc/0x4e0
[   49.401713]  ? may_umount+0xb0/0xb0
[   49.405342]  ? _raw_read_unlock+0x22/0x30
[   49.409476]  ? __get_fs_type+0x97/0xc0
[   49.413363]  do_mount+0x581/0x30e0
[   49.416891]  ? do_raw_spin_unlock+0xa7/0x2f0
[   49.421289]  ? copy_mount_string+0x40/0x40
[   49.425525]  ? retint_kernel+0x10/0x10
[   49.429400]  ? copy_mount_options+0x1e3/0x380
[   49.433893]  ? __sanitizer_cov_trace_pc+0x14/0x50
[   49.438736]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.444275]  ? copy_mount_options+0x285/0x380
[   49.448757]  __ia32_compat_sys_mount+0x5d5/0x860
[   49.453502]  do_fast_syscall_32+0x34d/0xfb2
[   49.457830]  ? do_int80_syscall_32+0x890/0x890
[   49.462399]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   49.467154]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.472700]  ? syscall_return_slowpath+0x31d/0x5e0
[   49.477617]  ? sysret32_from_system_call+0x5/0x46
[   49.482446]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.487294]  entry_SYSENTER_compat+0x70/0x7f
[   49.491688] RIP: 0023:0xf7f22cb9
[   49.495031] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   49.514178] RSP: 002b:00000000ffe69c8c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   49.521886] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   49.529151] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   49.536412] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   49.543666] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   49.550923] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   49.558775] Dumping ftrace buffer:
[   49.562326]    (ftrace buffer empty)
[   49.566027] Kernel Offset: disabled
[   49.569635] Rebooting in 86400 seconds..