[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.428215] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   23.534564] random: sshd: uninitialized urandom read (32 bytes read)
[   23.909905] random: sshd: uninitialized urandom read (32 bytes read)
[   24.767571] random: sshd: uninitialized urandom read (32 bytes read)
[   38.115783] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
[   43.546743] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 00:25:11 parsed 1 programs
[   45.506624] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 00:25:13 executed programs: 0
[   46.780367] IPVS: ftp: loaded support on port[0] = 21
[   46.979928] bridge0: port 1(bridge_slave_0) entered blocking state
[   46.986438] bridge0: port 1(bridge_slave_0) entered disabled state
[   46.993957] device bridge_slave_0 entered promiscuous mode
[   47.010282] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.016705] bridge0: port 2(bridge_slave_1) entered disabled state
[   47.023874] device bridge_slave_1 entered promiscuous mode
[   47.039502] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   47.055469] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   47.097584] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   47.116387] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   47.180555] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   47.188145] team0: Port device team_slave_0 added
[   47.203524] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   47.210685] team0: Port device team_slave_1 added
[   47.226632] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   47.244322] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   47.261513] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   47.279651] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   47.401305] bridge0: port 2(bridge_slave_1) entered blocking state
[   47.407886] bridge0: port 2(bridge_slave_1) entered forwarding state
[   47.414909] bridge0: port 1(bridge_slave_0) entered blocking state
[   47.421315] bridge0: port 1(bridge_slave_0) entered forwarding state
[   47.850498] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   47.858049] 8021q: adding VLAN 0 to HW filter on device bond0
[   47.900993] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   47.946484] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   47.954883] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   47.994706] 8021q: adding VLAN 0 to HW filter on device team0
[   48.253323] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   48.590889] ==================================================================
[   48.598482] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   48.604631] Read of size 65411 at addr ffff8801cf5ba4ed by task syz-executor0/4854
[   48.612345] 
[   48.613967] CPU: 0 PID: 4854 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[   48.621137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.630480] Call Trace:
[   48.633067]  dump_stack+0x1c9/0x2b4
[   48.636696]  ? dump_stack_print_info.cold.2+0x52/0x52
[   48.641881]  ? printk+0xa7/0xcf
[   48.645151]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   48.649911]  ? pdu_read+0x90/0xd0
[   48.653364]  print_address_description+0x6c/0x20b
[   48.658199]  ? pdu_read+0x90/0xd0
[   48.661653]  kasan_report.cold.7+0x242/0x2fe
[   48.666078]  check_memory_region+0x13e/0x1b0
[   48.670477]  memcpy+0x23/0x50
[   48.673573]  pdu_read+0x90/0xd0
[   48.676850]  p9pdu_readf+0x579/0x2170
[   48.680656]  ? p9pdu_writef+0xe0/0xe0
[   48.684460]  ? __fget+0x414/0x670
[   48.687905]  ? rcu_is_watching+0x61/0x150
[   48.692062]  ? expand_files.part.8+0x9c0/0x9c0
[   48.696639]  ? rcu_read_lock_sched_held+0x108/0x120
[   48.701665]  ? p9_fd_show_options+0x1c0/0x1c0
[   48.706155]  p9_client_create+0xde0/0x16c9
[   48.710385]  ? p9_client_read+0xc60/0xc60
[   48.714545]  ? find_held_lock+0x36/0x1c0
[   48.718603]  ? __lockdep_init_map+0x105/0x590
[   48.723098]  ? kasan_check_write+0x14/0x20
[   48.727328]  ? __init_rwsem+0x1cc/0x2a0
[   48.731304]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   48.736315]  ? rcu_read_lock_sched_held+0x108/0x120
[   48.741327]  ? __kmalloc_track_caller+0x5f5/0x760
[   48.746171]  ? save_stack+0xa9/0xd0
[   48.749808]  ? save_stack+0x43/0xd0
[   48.753435]  ? kasan_kmalloc+0xc4/0xe0
[   48.757331]  ? memcpy+0x45/0x50
[   48.760616]  v9fs_session_init+0x21a/0x1a80
[   48.764933]  ? find_held_lock+0x36/0x1c0
[   48.768998]  ? v9fs_show_options+0x7e0/0x7e0
[   48.773417]  ? kasan_check_read+0x11/0x20
[   48.777556]  ? rcu_is_watching+0x8c/0x150
[   48.781689]  ? rcu_pm_notify+0xc0/0xc0
[   48.785561]  ? rcu_pm_notify+0xc0/0xc0
[   48.789438]  ? v9fs_mount+0x61/0x900
[   48.793138]  ? rcu_read_lock_sched_held+0x108/0x120
[   48.798143]  ? kmem_cache_alloc_trace+0x616/0x780
[   48.802984]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   48.808522]  v9fs_mount+0x7c/0x900
[   48.812063]  mount_fs+0xae/0x328
[   48.815423]  vfs_kern_mount.part.34+0xdc/0x4e0
[   48.820008]  ? may_umount+0xb0/0xb0
[   48.823633]  ? _raw_read_unlock+0x22/0x30
[   48.827784]  ? __get_fs_type+0x97/0xc0
[   48.831679]  do_mount+0x581/0x30e0
[   48.835222]  ? do_raw_spin_unlock+0xa7/0x2f0
[   48.839633]  ? copy_mount_string+0x40/0x40
[   48.843869]  ? retint_kernel+0x10/0x10
[   48.847749]  ? copy_mount_options+0x1e3/0x380
[   48.852254]  ? __sanitizer_cov_trace_pc+0x14/0x50
[   48.857100]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.862643]  ? copy_mount_options+0x285/0x380
[   48.867144]  __ia32_compat_sys_mount+0x5d5/0x860
[   48.871898]  do_fast_syscall_32+0x34d/0xfb2
[   48.876230]  ? do_int80_syscall_32+0x890/0x890
[   48.880893]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   48.885652]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   48.891189]  ? syscall_return_slowpath+0x31d/0x5e0
[   48.896112]  ? sysret32_from_system_call+0x5/0x46
[   48.901150]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   48.906076]  entry_SYSENTER_compat+0x70/0x7f
[   48.910472] RIP: 0023:0xf7f22cb9
[   48.913826] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   48.933055] RSP: 002b:00000000ffe69c8c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   48.940759] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   48.948043] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   48.955312] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   48.962587] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   48.969849] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   48.977114] 
[   48.978738] Allocated by task 4854:
[   48.982361]  save_stack+0x43/0xd0
[   48.985835]  kasan_kmalloc+0xc4/0xe0
[   48.989535]  __kmalloc+0x14e/0x760
[   48.993082]  p9_fcall_alloc+0x1e/0x90
[   48.996986]  p9_client_prepare_req.part.8+0x754/0xcd0
[   49.002167]  p9_client_rpc+0x1bd/0x1400
[   49.006131]  p9_client_create+0xd09/0x16c9
[   49.010356]  v9fs_session_init+0x21a/0x1a80
[   49.014663]  v9fs_mount+0x7c/0x900
[   49.018194]  mount_fs+0xae/0x328
[   49.021549]  vfs_kern_mount.part.34+0xdc/0x4e0
[   49.026127]  do_mount+0x581/0x30e0
[   49.029654]  __ia32_compat_sys_mount+0x5d5/0x860
[   49.034408]  do_fast_syscall_32+0x34d/0xfb2
[   49.038720]  entry_SYSENTER_compat+0x70/0x7f
[   49.043106] 
[   49.044731] Freed by task 0:
[   49.047737] (stack is not available)
[   49.051435] 
[   49.053050] The buggy address belongs to the object at ffff8801cf5ba4c0
[   49.053050]  which belongs to the cache kmalloc-16384 of size 16384
[   49.066068] The buggy address is located 45 bytes inside of
[   49.066068]  16384-byte region [ffff8801cf5ba4c0, ffff8801cf5be4c0)
[   49.078035] The buggy address belongs to the page:
[   49.082959] page:ffffea00073d6e00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   49.093616] flags: 0x2fffc0000008100(slab|head)
[   49.098278] raw: 02fffc0000008100 ffffea0006aa1008 ffff8801da801c48 ffff8801da802200
[   49.106156] raw: 0000000000000000 ffff8801cf5ba4c0 0000000100000001 0000000000000000
[   49.114045] page dumped because: kasan: bad access detected
[   49.119756] 
[   49.121367] Memory state around the buggy address:
[   49.126290]  ffff8801cf5bc380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.133653]  ffff8801cf5bc400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.141004] >ffff8801cf5bc480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   49.148363]                                                        ^
[   49.154854]  ffff8801cf5bc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.162299]  ffff8801cf5bc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.169652] ==================================================================
[   49.177002] Disabling lock debugging due to kernel taint
[   49.183034] Kernel panic - not syncing: panic_on_warn set ...
[   49.183034] 
[   49.190415] CPU: 0 PID: 4854 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[   49.198982] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.208339] Call Trace:
[   49.210920]  dump_stack+0x1c9/0x2b4
[   49.214534]  ? dump_stack_print_info.cold.2+0x52/0x52
[   49.219725]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   49.224468]  panic+0x238/0x4e7
[   49.227653]  ? add_taint.cold.5+0x16/0x16
[   49.231797]  ? do_raw_spin_unlock+0xa7/0x2f0
[   49.236201]  ? pdu_read+0x90/0xd0
[   49.239638]  kasan_end_report+0x47/0x4f
[   49.243598]  kasan_report.cold.7+0x76/0x2fe
[   49.247920]  check_memory_region+0x13e/0x1b0
[   49.252316]  memcpy+0x23/0x50
[   49.255409]  pdu_read+0x90/0xd0
[   49.258672]  p9pdu_readf+0x579/0x2170
[   49.262474]  ? p9pdu_writef+0xe0/0xe0
[   49.266255]  ? __fget+0x414/0x670
[   49.269700]  ? rcu_is_watching+0x61/0x150
[   49.273839]  ? expand_files.part.8+0x9c0/0x9c0
[   49.278408]  ? rcu_read_lock_sched_held+0x108/0x120
[   49.283428]  ? p9_fd_show_options+0x1c0/0x1c0
[   49.287925]  p9_client_create+0xde0/0x16c9
[   49.292150]  ? p9_client_read+0xc60/0xc60
[   49.296302]  ? find_held_lock+0x36/0x1c0
[   49.300355]  ? __lockdep_init_map+0x105/0x590
[   49.304849]  ? kasan_check_write+0x14/0x20
[   49.309079]  ? __init_rwsem+0x1cc/0x2a0
[   49.313057]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   49.318071]  ? rcu_read_lock_sched_held+0x108/0x120
[   49.323080]  ? __kmalloc_track_caller+0x5f5/0x760
[   49.327910]  ? save_stack+0xa9/0xd0
[   49.331521]  ? save_stack+0x43/0xd0
[   49.335141]  ? kasan_kmalloc+0xc4/0xe0
[   49.339039]  ? memcpy+0x45/0x50
[   49.342315]  v9fs_session_init+0x21a/0x1a80
[   49.346626]  ? find_held_lock+0x36/0x1c0
[   49.350684]  ? v9fs_show_options+0x7e0/0x7e0
[   49.355083]  ? kasan_check_read+0x11/0x20
[   49.359212]  ? rcu_is_watching+0x8c/0x150
[   49.363352]  ? rcu_pm_notify+0xc0/0xc0
[   49.367225]  ? rcu_pm_notify+0xc0/0xc0
[   49.371106]  ? v9fs_mount+0x61/0x900
[   49.374838]  ? rcu_read_lock_sched_held+0x108/0x120
[   49.379852]  ? kmem_cache_alloc_trace+0x616/0x780
[   49.384689]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   49.390234]  v9fs_mount+0x7c/0x900
[   49.393774]  mount_fs+0xae/0x328
[   49.397138]  vfs_kern_mount.part.34+0xdc/0x4e0
[   49.401713]  ? may_umount+0xb0/0xb0
[   49.405342]  ? _raw_read_unlock+0x22/0x30
[   49.409476]  ? __get_fs_type+0x97/0xc0
[   49.413363]  do_mount+0x581/0x30e0
[   49.416891]  ? do_raw_spin_unlock+0xa7/0x2f0
[   49.421289]  ? copy_mount_string+0x40/0x40
[   49.425525]  ? retint_kernel+0x10/0x10
[   49.429400]  ? copy_mount_options+0x1e3/0x380
[   49.433893]  ? __sanitizer_cov_trace_pc+0x14/0x50
[   49.438736]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.444275]  ? copy_mount_options+0x285/0x380
[   49.448757]  __ia32_compat_sys_mount+0x5d5/0x860
[   49.453502]  do_fast_syscall_32+0x34d/0xfb2
[   49.457830]  ? do_int80_syscall_32+0x890/0x890
[   49.462399]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   49.467154]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.472700]  ? syscall_return_slowpath+0x31d/0x5e0
[   49.477617]  ? sysret32_from_system_call+0x5/0x46
[   49.482446]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.487294]  entry_SYSENTER_compat+0x70/0x7f
[   49.491688] RIP: 0023:0xf7f22cb9
[   49.495031] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   49.514178] RSP: 002b:00000000ffe69c8c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   49.521886] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   49.529151] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   49.536412] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   49.543666] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   49.550923] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   49.558775] Dumping ftrace buffer:
[   49.562326]    (ftrace buffer empty)
[   49.566027] Kernel Offset: disabled
[   49.569635] Rebooting in 86400 seconds..