[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.429461] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.116608] random: sshd: uninitialized urandom read (32 bytes read)
[   24.572130] random: sshd: uninitialized urandom read (32 bytes read)
[   25.408930] random: sshd: uninitialized urandom read (32 bytes read)
[  344.379191] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts.
[  349.873906] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/10 12:38:26 parsed 1 programs
[  351.487584] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/10 12:38:28 executed programs: 0
[  352.603055] IPVS: ftp: loaded support on port[0] = 21
[  352.796452] bridge0: port 1(bridge_slave_0) entered blocking state
[  352.802900] bridge0: port 1(bridge_slave_0) entered disabled state
[  352.810447] device bridge_slave_0 entered promiscuous mode
[  352.826970] bridge0: port 2(bridge_slave_1) entered blocking state
[  352.833404] bridge0: port 2(bridge_slave_1) entered disabled state
[  352.840594] device bridge_slave_1 entered promiscuous mode
[  352.856083] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  352.871821] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  352.911867] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  352.929412] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  352.990815] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  352.998204] team0: Port device team_slave_0 added
[  353.012487] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  353.019595] team0: Port device team_slave_1 added
[  353.034912] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  353.052869] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  353.069930] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  353.087645] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  353.203263] bridge0: port 2(bridge_slave_1) entered blocking state
[  353.209710] bridge0: port 2(bridge_slave_1) entered forwarding state
[  353.216675] bridge0: port 1(bridge_slave_0) entered blocking state
[  353.223230] bridge0: port 1(bridge_slave_0) entered forwarding state
[  353.623987] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  353.630824] 8021q: adding VLAN 0 to HW filter on device bond0
[  353.673649] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  353.715328] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  353.723491] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  353.762691] 8021q: adding VLAN 0 to HW filter on device team0
[  356.741420] ==================================================================
[  356.748996] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[  356.755134] Read of size 61175 at addr ffff8801bb1a1bed by task syz-executor0/5142
[  356.762821] 
[  356.764438] CPU: 0 PID: 5142 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #42
[  356.771602] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  356.780952] Call Trace:
[  356.783566]  dump_stack+0x1c9/0x2b4
[  356.787190]  ? dump_stack_print_info.cold.2+0x52/0x52
[  356.792367]  ? printk+0xa7/0xcf
[  356.795628]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  356.800377]  ? pdu_read+0x90/0xd0
[  356.803812]  print_address_description+0x6c/0x20b
[  356.808634]  ? pdu_read+0x90/0xd0
[  356.812070]  kasan_report.cold.7+0x242/0x2fe
[  356.816464]  check_memory_region+0x13e/0x1b0
[  356.820854]  memcpy+0x23/0x50
[  356.823949]  pdu_read+0x90/0xd0
[  356.827209]  p9pdu_readf+0x579/0x2170
[  356.830995]  ? p9pdu_writef+0xe0/0xe0
[  356.834788]  ? __fget+0x414/0x670
[  356.838225]  ? rcu_is_watching+0x61/0x150
[  356.842355]  ? expand_files.part.8+0x9c0/0x9c0
[  356.846937]  ? finish_wait+0x430/0x430
[  356.850808]  ? rcu_read_lock_sched_held+0x108/0x120
[  356.855813]  ? p9_fd_show_options+0x1c0/0x1c0
[  356.860292]  p9_client_create+0xde0/0x16c9
[  356.864512]  ? p9_client_read+0xc60/0xc60
[  356.868639]  ? find_held_lock+0x36/0x1c0
[  356.872688]  ? __lockdep_init_map+0x105/0x590
[  356.877171]  ? kasan_check_write+0x14/0x20
[  356.881383]  ? __init_rwsem+0x1cc/0x2a0
[  356.885347]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  356.890348]  ? rcu_read_lock_sched_held+0x108/0x120
[  356.895349]  ? __kmalloc_track_caller+0x5f5/0x760
[  356.900173]  ? save_stack+0xa9/0xd0
[  356.903782]  ? save_stack+0x43/0xd0
[  356.907411]  ? kasan_kmalloc+0xc4/0xe0
[  356.911288]  ? memcpy+0x45/0x50
[  356.914556]  v9fs_session_init+0x21a/0x1a80
[  356.918871]  ? find_held_lock+0x36/0x1c0
[  356.922920]  ? v9fs_show_options+0x7e0/0x7e0
[  356.927314]  ? kasan_check_read+0x11/0x20
[  356.931449]  ? rcu_is_watching+0x8c/0x150
[  356.935590]  ? rcu_pm_notify+0xc0/0xc0
[  356.939469]  ? rcu_pm_notify+0xc0/0xc0
[  356.943356]  ? v9fs_mount+0x61/0x900
[  356.947065]  ? rcu_read_lock_sched_held+0x108/0x120
[  356.952075]  ? kmem_cache_alloc_trace+0x616/0x780
[  356.956908]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  356.962448]  v9fs_mount+0x7c/0x900
[  356.965989]  mount_fs+0xae/0x328
[  356.969355]  vfs_kern_mount.part.34+0xdc/0x4e0
[  356.973924]  ? may_umount+0xb0/0xb0
[  356.977604]  ? _raw_read_unlock+0x22/0x30
[  356.981740]  ? __get_fs_type+0x97/0xc0
[  356.985633]  do_mount+0x581/0x30e0
[  356.989157]  ? do_raw_spin_unlock+0xa7/0x2f0
[  356.993563]  ? copy_mount_string+0x40/0x40
[  356.997788]  ? copy_mount_options+0x5f/0x380
[  357.002179]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.007191]  ? kmem_cache_alloc_trace+0x616/0x780
[  357.012029]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  357.017576]  ? _copy_from_user+0xdf/0x150
[  357.021725]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.027263]  ? copy_mount_options+0x285/0x380
[  357.031749]  __ia32_compat_sys_mount+0x5d5/0x860
[  357.036496]  do_fast_syscall_32+0x34d/0xfb2
[  357.040804]  ? do_int80_syscall_32+0x890/0x890
[  357.045377]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  357.050126]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.055644]  ? syscall_return_slowpath+0x31d/0x5e0
[  357.060567]  ? sysret32_from_system_call+0x5/0x46
[  357.065414]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  357.070266]  entry_SYSENTER_compat+0x70/0x7f
[  357.074662] RIP: 0023:0xf7fc7cb9
[  357.078011] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  357.097254] RSP: 002b:00000000fffb7cac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  357.104960] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[  357.112212] RDX: 0000000020000140 RSI: 0000000000000000 RDI: 00000000200002c0
[  357.119476] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  357.126736] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  357.133998] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  357.141280] 
[  357.142910] Allocated by task 5142:
[  357.146533]  save_stack+0x43/0xd0
[  357.149976]  kasan_kmalloc+0xc4/0xe0
[  357.153688]  __kmalloc+0x14e/0x760
[  357.157220]  p9_fcall_alloc+0x1e/0x90
[  357.161007]  p9_client_prepare_req.part.8+0x754/0xcd0
[  357.166207]  p9_client_rpc+0x1bd/0x1400
[  357.170172]  p9_client_create+0xd09/0x16c9
[  357.174399]  v9fs_session_init+0x21a/0x1a80
[  357.178806]  v9fs_mount+0x7c/0x900
[  357.182333]  mount_fs+0xae/0x328
[  357.185693]  vfs_kern_mount.part.34+0xdc/0x4e0
[  357.190357]  do_mount+0x581/0x30e0
[  357.193887]  __ia32_compat_sys_mount+0x5d5/0x860
[  357.198645]  do_fast_syscall_32+0x34d/0xfb2
[  357.202973]  entry_SYSENTER_compat+0x70/0x7f
[  357.207362] 
[  357.208970] Freed by task 0:
[  357.211981] (stack is not available)
[  357.215685] 
[  357.217298] The buggy address belongs to the object at ffff8801bb1a1bc0
[  357.217298]  which belongs to the cache kmalloc-16384 of size 16384
[  357.230322] The buggy address is located 45 bytes inside of
[  357.230322]  16384-byte region [ffff8801bb1a1bc0, ffff8801bb1a5bc0)
[  357.242275] The buggy address belongs to the page:
[  357.247197] page:ffffea0006ec6800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[  357.257156] flags: 0x2fffc0000008100(slab|head)
[  357.261809] raw: 02fffc0000008100 ffffea0006d2fc08 ffff8801da801c48 ffff8801da802200
[  357.269686] raw: 0000000000000000 ffff8801bb1a1bc0 0000000100000001 0000000000000000
[  357.277545] page dumped because: kasan: bad access detected
[  357.283237] 
[  357.284848] Memory state around the buggy address:
[  357.289757]  ffff8801bb1a3a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  357.297108]  ffff8801bb1a3b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  357.304448] >ffff8801bb1a3b80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  357.311813]                                                        ^
[  357.318291]  ffff8801bb1a3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  357.325636]  ffff8801bb1a3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  357.332972] ==================================================================
[  357.340393] Disabling lock debugging due to kernel taint
[  357.345865] Kernel panic - not syncing: panic_on_warn set ...
[  357.345865] 
[  357.353236] CPU: 0 PID: 5142 Comm: syz-executor0 Tainted: G    B             4.18.0-rc4+ #42
[  357.361810] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  357.371241] Call Trace:
[  357.373823]  dump_stack+0x1c9/0x2b4
[  357.377436]  ? dump_stack_print_info.cold.2+0x52/0x52
[  357.382625]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  357.387365]  panic+0x238/0x4e7
[  357.390537]  ? add_taint.cold.5+0x16/0x16
[  357.394674]  ? do_raw_spin_unlock+0xa7/0x2f0
[  357.399063]  ? pdu_read+0x90/0xd0
[  357.402496]  kasan_end_report+0x47/0x4f
[  357.406456]  kasan_report.cold.7+0x76/0x2fe
[  357.410763]  check_memory_region+0x13e/0x1b0
[  357.415160]  memcpy+0x23/0x50
[  357.418262]  pdu_read+0x90/0xd0
[  357.421528]  p9pdu_readf+0x579/0x2170
[  357.425312]  ? p9pdu_writef+0xe0/0xe0
[  357.429093]  ? __fget+0x414/0x670
[  357.432531]  ? rcu_is_watching+0x61/0x150
[  357.436660]  ? expand_files.part.8+0x9c0/0x9c0
[  357.441244]  ? finish_wait+0x430/0x430
[  357.445115]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.450134]  ? p9_fd_show_options+0x1c0/0x1c0
[  357.454620]  p9_client_create+0xde0/0x16c9
[  357.458858]  ? p9_client_read+0xc60/0xc60
[  357.462994]  ? find_held_lock+0x36/0x1c0
[  357.467055]  ? __lockdep_init_map+0x105/0x590
[  357.471535]  ? kasan_check_write+0x14/0x20
[  357.475748]  ? __init_rwsem+0x1cc/0x2a0
[  357.479705]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  357.484703]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.489697]  ? __kmalloc_track_caller+0x5f5/0x760
[  357.494518]  ? save_stack+0xa9/0xd0
[  357.498124]  ? save_stack+0x43/0xd0
[  357.501739]  ? kasan_kmalloc+0xc4/0xe0
[  357.505613]  ? memcpy+0x45/0x50
[  357.508964]  v9fs_session_init+0x21a/0x1a80
[  357.513276]  ? find_held_lock+0x36/0x1c0
[  357.517334]  ? v9fs_show_options+0x7e0/0x7e0
[  357.521723]  ? kasan_check_read+0x11/0x20
[  357.525857]  ? rcu_is_watching+0x8c/0x150
[  357.529984]  ? rcu_pm_notify+0xc0/0xc0
[  357.533940]  ? rcu_pm_notify+0xc0/0xc0
[  357.537817]  ? v9fs_mount+0x61/0x900
[  357.541519]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.546515]  ? kmem_cache_alloc_trace+0x616/0x780
[  357.551349]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  357.556879]  v9fs_mount+0x7c/0x900
[  357.560400]  mount_fs+0xae/0x328
[  357.563746]  vfs_kern_mount.part.34+0xdc/0x4e0
[  357.568313]  ? may_umount+0xb0/0xb0
[  357.571920]  ? _raw_read_unlock+0x22/0x30
[  357.576046]  ? __get_fs_type+0x97/0xc0
[  357.579914]  do_mount+0x581/0x30e0
[  357.583435]  ? do_raw_spin_unlock+0xa7/0x2f0
[  357.587822]  ? copy_mount_string+0x40/0x40
[  357.592070]  ? copy_mount_options+0x5f/0x380
[  357.596461]  ? rcu_read_lock_sched_held+0x108/0x120
[  357.601569]  ? kmem_cache_alloc_trace+0x616/0x780
[  357.606411]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  357.611936]  ? _copy_from_user+0xdf/0x150
[  357.616084]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.621605]  ? copy_mount_options+0x285/0x380
[  357.626800]  __ia32_compat_sys_mount+0x5d5/0x860
[  357.631542]  do_fast_syscall_32+0x34d/0xfb2
[  357.635846]  ? do_int80_syscall_32+0x890/0x890
[  357.640418]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  357.645166]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  357.650688]  ? syscall_return_slowpath+0x31d/0x5e0
[  357.655617]  ? sysret32_from_system_call+0x5/0x46
[  357.660441]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  357.665278]  entry_SYSENTER_compat+0x70/0x7f
[  357.669665] RIP: 0023:0xf7fc7cb9
[  357.673009] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  357.692245] RSP: 002b:00000000fffb7cac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  357.699951] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[  357.707209] RDX: 0000000020000140 RSI: 0000000000000000 RDI: 00000000200002c0
[  357.714461] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  357.721711] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  357.728959] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  357.736713] Dumping ftrace buffer:
[  357.740229]    (ftrace buffer empty)
[  357.743922] Kernel Offset: disabled
[  357.747533] Rebooting in 86400 seconds..