[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.429461] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.116608] random: sshd: uninitialized urandom read (32 bytes read)
[   24.572130] random: sshd: uninitialized urandom read (32 bytes read)
[   25.408930] random: sshd: uninitialized urandom read (32 bytes read)
[  344.379191] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts.
[  349.873906] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/10 12:38:26 parsed 1 programs
[  351.487584] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/10 12:38:28 executed programs: 0
[  352.603055] IPVS: ftp: loaded support on port[0] = 21
[  352.796452] bridge0: port 1(bridge_slave_0) entered blocking state
[  352.802900] bridge0: port 1(bridge_slave_0) entered disabled state
[  352.810447] device bridge_slave_0 entered promiscuous mode
[  352.826970] bridge0: port 2(bridge_slave_1) entered blocking state
[  352.833404] bridge0: port 2(bridge_slave_1) entered disabled state
[  352.840594] device bridge_slave_1 entered promiscuous mode
[  352.856083] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  352.871821] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  352.911867] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  352.929412] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  352.990815] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  352.998204] team0: Port device team_slave_0 added
[  353.012487] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  353.019595] team0: Port device team_slave_1 added
[  353.034912] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  353.052869] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  353.069930] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  353.087645] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  353.203263] bridge0: port 2(bridge_slave_1) entered blocking state
[  353.209710] bridge0: port 2(bridge_slave_1) entered forwarding state
[  353.216675] bridge0: port 1(bridge_slave_0) entered blocking state
[  353.223230] bridge0: port 1(bridge_slave_0) entered forwarding state
[  353.623987] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  353.630824] 8021q: adding VLAN 0 to HW filter on device bond0
[  353.673649] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  353.715328] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  353.723491] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  353.762691] 8021q: adding VLAN 0 to HW filter on device team0
[  356.741420] ==================================================================
[  356.748996] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[  356.755134] Read of size 61175 at addr ffff8801bb1a1bed by task syz-executor0/5142
[  356.762821] 
[  356.764438] CPU: 0 PID: 5142 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #42
[  356.771602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  356.780952] Call Trace:
[  356.783566]  dump_stack+0x1c9/0x2b4
[  356.787190]  ? dump_stack_print_info.cold.2+0x52/0x52
[  356.792367]  ? printk+0xa7/0xcf
[  356.795628]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  356.800377]  ? pdu_read+0x90/0xd0
[  356.803812]  print_address_description+0x6c/0x20b
[  356.808634]  ? pdu_read+0x90/0xd0
[  356.812070]  kasan_report.cold.7+0x242/0x2fe
[  356.816464]  check_memory_region+0x13e/0x1b0
[  356.820854]  memcpy+0x23/0x50
[  356.823949]  pdu_read+0x90/0xd0
[  356.827209]  p9pdu_readf+0x579/0x2170
[  356.830995]  ? p9pdu_writef+0xe0/0xe0
[  356.834788]  ? __fget+0x414/0x670
[  356.838225]  ? rcu_is_watching+0x61/0x150
[  356.842355]  ? expand_files.part.8+0x9c0/0x9c0
[  356.846937]  ? finish_wait+0x430/0x430
[  356.850808]  ? rcu_read_lock_sched_held+0x108/0x120
[  356.855813]  ? p9_fd_show_options+0x1c0/0x1c0
[  356.860292]  p9_client_create+0xde0/0x16c9
[  356.864512]  ? p9_client_read+0xc60/0xc60
[  356.868639]  ? find_held_lock+0x36/0x1c0
[  356.872688]  ? __lockdep_init_map+0x105/0x590
[  356.877171]  ? kasan_check_write+0x14/0x20
[  356.881383]  ? __init_rwsem+0x1cc/0x2a0
[  356.885347]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  356.890348]  ? rcu_read_lock_sched_held+0x108/0x120
[  356.895349]  ? __kmalloc_track_caller+0x5f5/0x760
[  356.900173]  ? save_stack+0xa9/0xd0
[  356.903782]  ? save_stack+0x43/0xd0
[  356.907411]  ? kasan_kmalloc+0xc4/0xe0
[  356.911288]  ? memcpy+0x45/0x50
[  356.914556]  v9fs_session_init+0x21a/0x1a80
[  356.918871]  ? find_held_lock+0x36/0x1c0
[  356.922920]  ? v9fs_show_options+0x7e0/0x7e0
[  356.927314]  ? kasan_check_read+0x11/0x20
[  356.931449]  ? rcu_is_watching+0x8c/0x150
[  356.935590]  ? rcu_pm_notify+0xc0/0xc0
[  356.939469]  ? rcu_pm_notify+0xc0/0xc0
[  356.943356]  ? v9fs_mount+0x61/0x900
[  356.947065]  ? rcu_read_lock_sched_held+0x108/0x120
[  356.952075]  ? kmem_cache_alloc_trace+0x616/0x780
[  356.956908]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  356.962448]  v9fs_mount+0x7c/0x900
[  356.965989]  mount_fs+0xae/0x328
[  356.969355]  vfs_kern_mount.part.34+0xdc/0x4e0
[  356.973924]  ? may_umount+0xb0/0xb0
[  356.977604]  ? _raw_read_unlock+0x22/0x30
[  356.981740]  ? __get_fs_type+0x97/0xc0
[  356.985633]  do_mount+0x581/0x30e0
[  356.989157]  ? do_raw_spin_unlock+0xa7/0x2f0
[  356.993563]  ? copy_mount_string+0x40/0x40
[  356.997788]  ? copy_mount_options+0x5f/0x380
[  357.002179]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.007191]  ? kmem_cache_alloc_trace+0x616/0x780
[  357.012029]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  357.017576]  ? _copy_from_user+0xdf/0x150
[  357.021725]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.027263]  ? copy_mount_options+0x285/0x380
[  357.031749]  __ia32_compat_sys_mount+0x5d5/0x860
[  357.036496]  do_fast_syscall_32+0x34d/0xfb2
[  357.040804]  ? do_int80_syscall_32+0x890/0x890
[  357.045377]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  357.050126]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.055644]  ? syscall_return_slowpath+0x31d/0x5e0
[  357.060567]  ? sysret32_from_system_call+0x5/0x46
[  357.065414]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  357.070266]  entry_SYSENTER_compat+0x70/0x7f
[  357.074662] RIP: 0023:0xf7fc7cb9
[  357.078011] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[  357.097254] RSP: 002b:00000000fffb7cac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  357.104960] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[  357.112212] RDX: 0000000020000140 RSI: 0000000000000000 RDI: 00000000200002c0
[  357.119476] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  357.126736] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  357.133998] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  357.141280] 
[  357.142910] Allocated by task 5142:
[  357.146533]  save_stack+0x43/0xd0
[  357.149976]  kasan_kmalloc+0xc4/0xe0
[  357.153688]  __kmalloc+0x14e/0x760
[  357.157220]  p9_fcall_alloc+0x1e/0x90
[  357.161007]  p9_client_prepare_req.part.8+0x754/0xcd0
[  357.166207]  p9_client_rpc+0x1bd/0x1400
[  357.170172]  p9_client_create+0xd09/0x16c9
[  357.174399]  v9fs_session_init+0x21a/0x1a80
[  357.178806]  v9fs_mount+0x7c/0x900
[  357.182333]  mount_fs+0xae/0x328
[  357.185693]  vfs_kern_mount.part.34+0xdc/0x4e0
[  357.190357]  do_mount+0x581/0x30e0
[  357.193887]  __ia32_compat_sys_mount+0x5d5/0x860
[  357.198645]  do_fast_syscall_32+0x34d/0xfb2
[  357.202973]  entry_SYSENTER_compat+0x70/0x7f
[  357.207362] 
[  357.208970] Freed by task 0:
[  357.211981] (stack is not available)
[  357.215685] 
[  357.217298] The buggy address belongs to the object at ffff8801bb1a1bc0
[  357.217298]  which belongs to the cache kmalloc-16384 of size 16384
[  357.230322] The buggy address is located 45 bytes inside of
[  357.230322]  16384-byte region [ffff8801bb1a1bc0, ffff8801bb1a5bc0)
[  357.242275] The buggy address belongs to the page:
[  357.247197] page:ffffea0006ec6800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[  357.257156] flags: 0x2fffc0000008100(slab|head)
[  357.261809] raw: 02fffc0000008100 ffffea0006d2fc08 ffff8801da801c48 ffff8801da802200
[  357.269686] raw: 0000000000000000 ffff8801bb1a1bc0 0000000100000001 0000000000000000
[  357.277545] page dumped because: kasan: bad access detected
[  357.283237] 
[  357.284848] Memory state around the buggy address:
[  357.289757]  ffff8801bb1a3a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  357.297108]  ffff8801bb1a3b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  357.304448] >ffff8801bb1a3b80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  357.311813]                                                        ^
[  357.318291]  ffff8801bb1a3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  357.325636]  ffff8801bb1a3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  357.332972] ==================================================================
[  357.340393] Disabling lock debugging due to kernel taint
[  357.345865] Kernel panic - not syncing: panic_on_warn set ...
[  357.345865] 
[  357.353236] CPU: 0 PID: 5142 Comm: syz-executor0 Tainted: G    B             4.18.0-rc4+ #42
[  357.361810] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  357.371241] Call Trace:
[  357.373823]  dump_stack+0x1c9/0x2b4
[  357.377436]  ? dump_stack_print_info.cold.2+0x52/0x52
[  357.382625]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  357.387365]  panic+0x238/0x4e7
[  357.390537]  ? add_taint.cold.5+0x16/0x16
[  357.394674]  ? do_raw_spin_unlock+0xa7/0x2f0
[  357.399063]  ? pdu_read+0x90/0xd0
[  357.402496]  kasan_end_report+0x47/0x4f
[  357.406456]  kasan_report.cold.7+0x76/0x2fe
[  357.410763]  check_memory_region+0x13e/0x1b0
[  357.415160]  memcpy+0x23/0x50
[  357.418262]  pdu_read+0x90/0xd0
[  357.421528]  p9pdu_readf+0x579/0x2170
[  357.425312]  ? p9pdu_writef+0xe0/0xe0
[  357.429093]  ? __fget+0x414/0x670
[  357.432531]  ? rcu_is_watching+0x61/0x150
[  357.436660]  ? expand_files.part.8+0x9c0/0x9c0
[  357.441244]  ? finish_wait+0x430/0x430
[  357.445115]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.450134]  ? p9_fd_show_options+0x1c0/0x1c0
[  357.454620]  p9_client_create+0xde0/0x16c9
[  357.458858]  ? p9_client_read+0xc60/0xc60
[  357.462994]  ? find_held_lock+0x36/0x1c0
[  357.467055]  ? __lockdep_init_map+0x105/0x590
[  357.471535]  ? kasan_check_write+0x14/0x20
[  357.475748]  ? __init_rwsem+0x1cc/0x2a0
[  357.479705]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  357.484703]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.489697]  ? __kmalloc_track_caller+0x5f5/0x760
[  357.494518]  ? save_stack+0xa9/0xd0
[  357.498124]  ? save_stack+0x43/0xd0
[  357.501739]  ? kasan_kmalloc+0xc4/0xe0
[  357.505613]  ? memcpy+0x45/0x50
[  357.508964]  v9fs_session_init+0x21a/0x1a80
[  357.513276]  ? find_held_lock+0x36/0x1c0
[  357.517334]  ? v9fs_show_options+0x7e0/0x7e0
[  357.521723]  ? kasan_check_read+0x11/0x20
[  357.525857]  ? rcu_is_watching+0x8c/0x150
[  357.529984]  ? rcu_pm_notify+0xc0/0xc0
[  357.533940]  ? rcu_pm_notify+0xc0/0xc0
[  357.537817]  ? v9fs_mount+0x61/0x900
[  357.541519]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.546515]  ? kmem_cache_alloc_trace+0x616/0x780
[  357.551349]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  357.556879]  v9fs_mount+0x7c/0x900
[  357.560400]  mount_fs+0xae/0x328
[  357.563746]  vfs_kern_mount.part.34+0xdc/0x4e0
[  357.568313]  ? may_umount+0xb0/0xb0
[  357.571920]  ? _raw_read_unlock+0x22/0x30
[  357.576046]  ? __get_fs_type+0x97/0xc0
[  357.579914]  do_mount+0x581/0x30e0
[  357.583435]  ? do_raw_spin_unlock+0xa7/0x2f0
[  357.587822]  ? copy_mount_string+0x40/0x40
[  357.592070]  ? copy_mount_options+0x5f/0x380
[  357.596461]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.601569]  ? kmem_cache_alloc_trace+0x616/0x780
[  357.606411]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  357.611936]  ? _copy_from_user+0xdf/0x150
[  357.616084]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.621605]  ? copy_mount_options+0x285/0x380
[  357.626800]  __ia32_compat_sys_mount+0x5d5/0x860
[  357.631542]  do_fast_syscall_32+0x34d/0xfb2
[  357.635846]  ? do_int80_syscall_32+0x890/0x890
[  357.640418]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  357.645166]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.650688]  ? syscall_return_slowpath+0x31d/0x5e0
[  357.655617]  ? sysret32_from_system_call+0x5/0x46
[  357.660441]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  357.665278]  entry_SYSENTER_compat+0x70/0x7f
[  357.669665] RIP: 0023:0xf7fc7cb9
[  357.673009] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[  357.692245] RSP: 002b:00000000fffb7cac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  357.699951] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[  357.707209] RDX: 0000000020000140 RSI: 0000000000000000 RDI: 00000000200002c0
[  357.714461] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  357.721711] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  357.728959] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  357.736713] Dumping ftrace buffer:
[  357.740229]    (ftrace buffer empty)
[  357.743922] Kernel Offset: disabled
[  357.747533] Rebooting in 86400 seconds..