[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[   19.836239] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.062083] random: sshd: uninitialized urandom read (32 bytes read)
[   24.435386] random: sshd: uninitialized urandom read (32 bytes read)
[   25.304682] random: sshd: uninitialized urandom read (32 bytes read)
[   26.331184] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
[   31.823360] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 02:06:18 parsed 1 programs
[   33.566768] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 02:06:21 executed programs: 0
[   34.932571] IPVS: ftp: loaded support on port[0] = 21
[   35.139089] bridge0: port 1(bridge_slave_0) entered blocking state
[   35.145615] bridge0: port 1(bridge_slave_0) entered disabled state
[   35.153201] device bridge_slave_0 entered promiscuous mode
[   35.170205] bridge0: port 2(bridge_slave_1) entered blocking state
[   35.176633] bridge0: port 2(bridge_slave_1) entered disabled state
[   35.183910] device bridge_slave_1 entered promiscuous mode
[   35.199991] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   35.217456] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   35.261237] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   35.281708] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   35.347932] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   35.355672] team0: Port device team_slave_0 added
[   35.372475] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   35.379659] team0: Port device team_slave_1 added
[   35.395336] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   35.413487] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   35.431256] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   35.450117] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   35.537578] ip (4657) used greatest stack depth: 16824 bytes left
[   35.578403] bridge0: port 2(bridge_slave_1) entered blocking state
[   35.584897] bridge0: port 2(bridge_slave_1) entered forwarding state
[   35.591966] bridge0: port 1(bridge_slave_0) entered blocking state
[   35.598355] bridge0: port 1(bridge_slave_0) entered forwarding state
[   36.046605] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   36.052745] 8021q: adding VLAN 0 to HW filter on device bond0
[   36.098599] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   36.129414] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   36.150952] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   36.157190] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   36.164912] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   36.204557] 8021q: adding VLAN 0 to HW filter on device team0
[   36.467523] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   37.598898] ==================================================================
[   37.606447] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   37.612572] Read of size 65535 at addr ffff8801d849122d by task syz-executor0/4974
[   37.620276] 
[   37.621889] CPU: 1 PID: 4974 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[   37.629051] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.638383] Call Trace:
[   37.640956]  dump_stack+0x1c9/0x2b4
[   37.644567]  ? dump_stack_print_info.cold.2+0x52/0x52
[   37.649735]  ? printk+0xa7/0xcf
[   37.653011]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   37.657760]  ? pdu_read+0x90/0xd0
[   37.661199]  print_address_description+0x6c/0x20b
[   37.666040]  ? pdu_read+0x90/0xd0
[   37.669484]  kasan_report.cold.7+0x242/0x2fe
[   37.673879]  check_memory_region+0x13e/0x1b0
[   37.678270]  memcpy+0x23/0x50
[   37.681371]  pdu_read+0x90/0xd0
[   37.684639]  p9pdu_readf+0x579/0x2170
[   37.688426]  ? p9pdu_writef+0xe0/0xe0
[   37.692210]  ? __fget+0x414/0x670
[   37.695649]  ? rcu_is_watching+0x61/0x150
[   37.699782]  ? expand_files.part.8+0x9c0/0x9c0
[   37.704353]  ? rcu_read_lock_sched_held+0x108/0x120
[   37.709363]  ? p9_fd_show_options+0x1c0/0x1c0
[   37.713844]  p9_client_create+0xde0/0x16c9
[   37.718071]  ? p9_client_read+0xc60/0xc60
[   37.722201]  ? find_held_lock+0x36/0x1c0
[   37.726254]  ? __lockdep_init_map+0x105/0x590
[   37.730744]  ? kasan_check_write+0x14/0x20
[   37.734962]  ? __init_rwsem+0x1cc/0x2a0
[   37.738922]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   37.743925]  ? rcu_read_lock_sched_held+0x108/0x120
[   37.748939]  ? __kmalloc_track_caller+0x5f5/0x760
[   37.753759]  ? save_stack+0xa9/0xd0
[   37.757365]  ? save_stack+0x43/0xd0
[   37.760969]  ? kasan_kmalloc+0xc4/0xe0
[   37.764837]  ? memcpy+0x45/0x50
[   37.768103]  v9fs_session_init+0x21a/0x1a80
[   37.772407]  ? find_held_lock+0x36/0x1c0
[   37.776457]  ? v9fs_show_options+0x7e0/0x7e0
[   37.780852]  ? kasan_check_read+0x11/0x20
[   37.784980]  ? rcu_is_watching+0x8c/0x150
[   37.789117]  ? rcu_pm_notify+0xc0/0xc0
[   37.792988]  ? rcu_pm_notify+0xc0/0xc0
[   37.796863]  ? v9fs_mount+0x61/0x900
[   37.800557]  ? rcu_read_lock_sched_held+0x108/0x120
[   37.805638]  ? kmem_cache_alloc_trace+0x616/0x780
[   37.810472]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   37.815992]  v9fs_mount+0x7c/0x900
[   37.819518]  mount_fs+0xae/0x328
[   37.822870]  vfs_kern_mount.part.34+0xdc/0x4e0
[   37.827432]  ? may_umount+0xb0/0xb0
[   37.831049]  ? _raw_read_unlock+0x22/0x30
[   37.835273]  ? __get_fs_type+0x97/0xc0
[   37.839144]  do_mount+0x581/0x30e0
[   37.842664]  ? do_raw_spin_unlock+0xa7/0x2f0
[   37.847062]  ? copy_mount_string+0x40/0x40
[   37.851286]  ? retint_kernel+0x10/0x10
[   37.855157]  ? copy_mount_options+0x213/0x380
[   37.859636]  ? __sanitizer_cov_trace_const_cmp4+0x11/0x20
[   37.865153]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.870671]  ? copy_mount_options+0x285/0x380
[   37.875157]  __ia32_compat_sys_mount+0x5d5/0x860
[   37.879898]  do_fast_syscall_32+0x34d/0xfb2
[   37.884203]  ? do_int80_syscall_32+0x890/0x890
[   37.888764]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.893510]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.899036]  ? syscall_return_slowpath+0x31d/0x5e0
[   37.903958]  ? sysret32_from_system_call+0x5/0x46
[   37.908782]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.913622]  entry_SYSENTER_compat+0x70/0x7f
[   37.918013] RIP: 0023:0xf7fa9cb9
[   37.921361] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   37.940535] RSP: 002b:00000000ffed255c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   37.948225] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   37.955477] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   37.962727] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   37.969975] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   37.977256] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   37.984525] 
[   37.986144] Allocated by task 4974:
[   37.989764]  save_stack+0x43/0xd0
[   37.993197]  kasan_kmalloc+0xc4/0xe0
[   37.996889]  __kmalloc+0x14e/0x760
[   38.000415]  p9_fcall_alloc+0x1e/0x90
[   38.004194]  p9_client_prepare_req.part.8+0x754/0xcd0
[   38.009364]  p9_client_rpc+0x1bd/0x1400
[   38.013319]  p9_client_create+0xd09/0x16c9
[   38.017535]  v9fs_session_init+0x21a/0x1a80
[   38.021843]  v9fs_mount+0x7c/0x900
[   38.025383]  mount_fs+0xae/0x328
[   38.028732]  vfs_kern_mount.part.34+0xdc/0x4e0
[   38.033293]  do_mount+0x581/0x30e0
[   38.036813]  __ia32_compat_sys_mount+0x5d5/0x860
[   38.041550]  do_fast_syscall_32+0x34d/0xfb2
[   38.045851]  entry_SYSENTER_compat+0x70/0x7f
[   38.050234] 
[   38.051840] Freed by task 0:
[   38.054833] (stack is not available)
[   38.058518] 
[   38.060127] The buggy address belongs to the object at ffff8801d8491200
[   38.060127]  which belongs to the cache kmalloc-16384 of size 16384
[   38.073112] The buggy address is located 45 bytes inside of
[   38.073112]  16384-byte region [ffff8801d8491200, ffff8801d8495200)
[   38.085053] The buggy address belongs to the page:
[   38.089965] page:ffffea0007612400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   38.099928] flags: 0x2fffc0000008100(slab|head)
[   38.104591] raw: 02fffc0000008100 ffffea000761c008 ffff8801da801c48 ffff8801da802200
[   38.112458] raw: 0000000000000000 ffff8801d8491200 0000000100000001 0000000000000000
[   38.120325] page dumped because: kasan: bad access detected
[   38.126013] 
[   38.127623] Memory state around the buggy address:
[   38.132531]  ffff8801d8493100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.139867]  ffff8801d8493180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   38.147206] >ffff8801d8493200: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   38.154541]                                ^
[   38.158927]  ffff8801d8493280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.166265]  ffff8801d8493300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.173607] ==================================================================
[   38.180948] Disabling lock debugging due to kernel taint
[   38.186989] Kernel panic - not syncing: panic_on_warn set ...
[   38.186989] 
[   38.194362] CPU: 1 PID: 4974 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[   38.202923] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.212263] Call Trace:
[   38.214835]  dump_stack+0x1c9/0x2b4
[   38.218445]  ? dump_stack_print_info.cold.2+0x52/0x52
[   38.223620]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.228364]  panic+0x238/0x4e7
[   38.231547]  ? add_taint.cold.5+0x16/0x16
[   38.235676]  ? do_raw_spin_unlock+0xa7/0x2f0
[   38.240075]  ? pdu_read+0x90/0xd0
[   38.243525]  kasan_end_report+0x47/0x4f
[   38.247514]  kasan_report.cold.7+0x76/0x2fe
[   38.251838]  check_memory_region+0x13e/0x1b0
[   38.256249]  memcpy+0x23/0x50
[   38.259349]  pdu_read+0x90/0xd0
[   38.262625]  p9pdu_readf+0x579/0x2170
[   38.266431]  ? p9pdu_writef+0xe0/0xe0
[   38.270219]  ? __fget+0x414/0x670
[   38.273669]  ? rcu_is_watching+0x61/0x150
[   38.277812]  ? expand_files.part.8+0x9c0/0x9c0
[   38.282391]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.287406]  ? p9_fd_show_options+0x1c0/0x1c0
[   38.291893]  p9_client_create+0xde0/0x16c9
[   38.296112]  ? p9_client_read+0xc60/0xc60
[   38.300256]  ? find_held_lock+0x36/0x1c0
[   38.304314]  ? __lockdep_init_map+0x105/0x590
[   38.308802]  ? kasan_check_write+0x14/0x20
[   38.313037]  ? __init_rwsem+0x1cc/0x2a0
[   38.317006]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   38.322014]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.327028]  ? __kmalloc_track_caller+0x5f5/0x760
[   38.331854]  ? save_stack+0xa9/0xd0
[   38.335468]  ? save_stack+0x43/0xd0
[   38.339076]  ? kasan_kmalloc+0xc4/0xe0
[   38.342948]  ? memcpy+0x45/0x50
[   38.346212]  v9fs_session_init+0x21a/0x1a80
[   38.350517]  ? find_held_lock+0x36/0x1c0
[   38.354564]  ? v9fs_show_options+0x7e0/0x7e0
[   38.358955]  ? kasan_check_read+0x11/0x20
[   38.363083]  ? rcu_is_watching+0x8c/0x150
[   38.367210]  ? rcu_pm_notify+0xc0/0xc0
[   38.371094]  ? rcu_pm_notify+0xc0/0xc0
[   38.374967]  ? v9fs_mount+0x61/0x900
[   38.378672]  ? rcu_read_lock_sched_held+0x108/0x120
[   38.383674]  ? kmem_cache_alloc_trace+0x616/0x780
[   38.388504]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   38.394048]  v9fs_mount+0x7c/0x900
[   38.397583]  mount_fs+0xae/0x328
[   38.400943]  vfs_kern_mount.part.34+0xdc/0x4e0
[   38.405509]  ? may_umount+0xb0/0xb0
[   38.409118]  ? _raw_read_unlock+0x22/0x30
[   38.413253]  ? __get_fs_type+0x97/0xc0
[   38.417125]  do_mount+0x581/0x30e0
[   38.420645]  ? do_raw_spin_unlock+0xa7/0x2f0
[   38.425042]  ? copy_mount_string+0x40/0x40
[   38.429263]  ? retint_kernel+0x10/0x10
[   38.433134]  ? copy_mount_options+0x213/0x380
[   38.437612]  ? __sanitizer_cov_trace_const_cmp4+0x11/0x20
[   38.443131]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.448648]  ? copy_mount_options+0x285/0x380
[   38.453130]  __ia32_compat_sys_mount+0x5d5/0x860
[   38.457872]  do_fast_syscall_32+0x34d/0xfb2
[   38.462176]  ? do_int80_syscall_32+0x890/0x890
[   38.466739]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   38.471481]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.477000]  ? syscall_return_slowpath+0x31d/0x5e0
[   38.481924]  ? sysret32_from_system_call+0x5/0x46
[   38.486750]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.491575]  entry_SYSENTER_compat+0x70/0x7f
[   38.495964] RIP: 0023:0xf7fa9cb9
[   38.499300] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   38.518454] RSP: 002b:00000000ffed255c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   38.526154] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   38.533405] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   38.540661] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   38.547919] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   38.555174] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   38.562952] Dumping ftrace buffer:
[   38.566474]    (ftrace buffer empty)
[   38.570161] Kernel Offset: disabled
[   38.573766] Rebooting in 86400 seconds..