[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.449369] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   23.991548] random: sshd: uninitialized urandom read (32 bytes read)
[   24.234879] random: sshd: uninitialized urandom read (32 bytes read)
[   25.075768] random: sshd: uninitialized urandom read (32 bytes read)
[   25.235250] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   30.692910] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   30.790687] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   30.828514] ==================================================================
[   30.836070] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   30.842213] Read of size 15519 at addr ffff8801c68d066d by task syz-executor155/4572
[   30.850086]
[   30.851705] CPU: 0 PID: 4572 Comm: syz-executor155 Not tainted 4.18.0-rc4+ #138
[   30.859144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.868483] Call Trace:
[   30.871078]  dump_stack+0x1c9/0x2b4
[   30.874709]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.879903]  ? printk+0xa7/0xcf
[   30.883211]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.887976]  ? pdu_read+0x90/0xd0
[   30.891425]  print_address_description+0x6c/0x20b
[   30.896260]  ? pdu_read+0x90/0xd0
[   30.899698]  kasan_report.cold.7+0x242/0x2fe
[   30.904096]  check_memory_region+0x13e/0x1b0
[   30.908492]  memcpy+0x23/0x50
[   30.911591]  pdu_read+0x90/0xd0
[   30.914869]  p9pdu_readf+0x579/0x2170
[   30.918660]  ? p9pdu_writef+0xe0/0xe0
[   30.922446]  ? __fget+0x414/0x670
[   30.925890]  ? rcu_is_watching+0x61/0x150
[   30.930031]  ? expand_files.part.8+0x9c0/0x9c0
[   30.934630]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.939657]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.944145]  p9_client_create+0xde0/0x16c9
[   30.948373]  ? p9_client_read+0xc60/0xc60
[   30.952522]  ? find_held_lock+0x36/0x1c0
[   30.956587]  ? __lockdep_init_map+0x105/0x590
[   30.961078]  ? kasan_check_write+0x14/0x20
[   30.965300]  ? __init_rwsem+0x1cc/0x2a0
[   30.969263]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.974267]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.979268]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.984095]  ? save_stack+0xa9/0xd0
[   30.987706]  ? save_stack+0x43/0xd0
[   30.991313]  ? kasan_kmalloc+0xc4/0xe0
[   30.995182]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.000021]  ? memcpy+0x45/0x50
[   31.003303]  v9fs_session_init+0x21a/0x1a80
[   31.007620]  ? find_held_lock+0x36/0x1c0
[   31.011671]  ? v9fs_show_options+0x7e0/0x7e0
[   31.016073]  ? kasan_check_read+0x11/0x20
[   31.020207]  ? rcu_is_watching+0x8c/0x150
[   31.024341]  ? rcu_pm_notify+0xc0/0xc0
[   31.028217]  ? v9fs_mount+0x61/0x900
[   31.031928]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.036950]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.041788]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.047314]  v9fs_mount+0x7c/0x900
[   31.050939]  mount_fs+0xae/0x328
[   31.054296]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.058863]  ? may_umount+0xb0/0xb0
[   31.062499]  ? _raw_read_unlock+0x22/0x30
[   31.066636]  ? __get_fs_type+0x97/0xc0
[   31.070523]  do_mount+0x581/0x30e0
[   31.074071]  ? copy_mount_string+0x40/0x40
[   31.078299]  ? copy_mount_options+0x5f/0x380
[   31.082696]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.087699]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.092549]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.098090]  ? _copy_from_user+0xdf/0x150
[   31.102250]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.107782]  ? copy_mount_options+0x285/0x380
[   31.112288]  ksys_mount+0x12d/0x140
[   31.115917]  __x64_sys_mount+0xbe/0x150
[   31.119890]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.124898]  do_syscall_64+0x1b9/0x820
[   31.128785]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.133704]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.138627]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.144157]  ? retint_user+0x18/0x18
[   31.147860]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.155733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.160911] RIP: 0033:0x440979
[   31.164080] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.183270] RSP: 002b:00007ffeb932e288 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   31.190969] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   31.198226] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.205495] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   31.212752] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007864
[   31.220013] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   31.227301]
[   31.228920] Allocated by task 4572:
[   31.232539]  save_stack+0x43/0xd0
[   31.235977]  kasan_kmalloc+0xc4/0xe0
[   31.239697]  __kmalloc+0x14e/0x760
[   31.243229]  p9_fcall_alloc+0x1e/0x90
[   31.247019]  p9_client_prepare_req.part.8+0x754/0xcd0
[   31.252203]  p9_client_rpc+0x1bd/0x1400
[   31.256160]  p9_client_create+0xd09/0x16c9
[   31.260383]  v9fs_session_init+0x21a/0x1a80
[   31.264687]  v9fs_mount+0x7c/0x900
[   31.268220]  mount_fs+0xae/0x328
[   31.271592]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.276158]  do_mount+0x581/0x30e0
[   31.279679]  ksys_mount+0x12d/0x140
[   31.283301]  __x64_sys_mount+0xbe/0x150
[   31.287262]  do_syscall_64+0x1b9/0x820
[   31.291139]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.296309]
[   31.297926] Freed by task 0:
[   31.300924] (stack is not available)
[   31.304626]
[   31.306258] The buggy address belongs to the object at ffff8801c68d0640
[   31.306258]  which belongs to the cache kmalloc-16384 of size 16384
[   31.319261] The buggy address is located 45 bytes inside of
[   31.319261]  16384-byte region [ffff8801c68d0640, ffff8801c68d4640)
[   31.331208] The buggy address belongs to the page:
[   31.336139] page:ffffea00071a3400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   31.346104] flags: 0x2fffc0000008100(slab|head)
[   31.350771] raw: 02fffc0000008100 ffffea0006c05a08 ffffea00074f5e08 ffff8801da802200
[   31.358642] raw: 0000000000000000 ffff8801c68d0640 0000000100000001 0000000000000000
[   31.366503] page dumped because: kasan: bad access detected
[   31.372207]
[   31.373823] Memory state around the buggy address:
[   31.378752]  ffff8801c68d2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.386116]  ffff8801c68d2580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.393475] >ffff8801c68d2600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   31.400815]                                                        ^
[   31.407293]  ffff8801c68d2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.414639]  ffff8801c68d2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.421990] ==================================================================
[   31.429336] Disabling lock debugging due to kernel taint
[   31.434893] Kernel panic - not syncing: panic_on_warn set ...
[   31.434893]
[   31.442274] CPU: 0 PID: 4572 Comm: syz-executor155 Tainted: G    B             4.18.0-rc4+ #138
[   31.451128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.460479] Call Trace:
[   31.463068]  dump_stack+0x1c9/0x2b4
[   31.466682]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.471863]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.476610]  panic+0x238/0x4e7
[   31.479793]  ? add_taint.cold.5+0x16/0x16
[   31.483931]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.488339]  ? pdu_read+0x90/0xd0
[   31.491796]  kasan_end_report+0x47/0x4f
[   31.495752]  kasan_report.cold.7+0x76/0x2fe
[   31.500065]  check_memory_region+0x13e/0x1b0
[   31.504460]  memcpy+0x23/0x50
[   31.507641]  pdu_read+0x90/0xd0
[   31.510905]  p9pdu_readf+0x579/0x2170
[   31.514696]  ? p9pdu_writef+0xe0/0xe0
[   31.518492]  ? __fget+0x414/0x670
[   31.521929]  ? rcu_is_watching+0x61/0x150
[   31.526060]  ? expand_files.part.8+0x9c0/0x9c0
[   31.530640]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.535653]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.540145]  p9_client_create+0xde0/0x16c9
[   31.544378]  ? p9_client_read+0xc60/0xc60
[   31.548537]  ? find_held_lock+0x36/0x1c0
[   31.552600]  ? __lockdep_init_map+0x105/0x590
[   31.557085]  ? kasan_check_write+0x14/0x20
[   31.561301]  ? __init_rwsem+0x1cc/0x2a0
[   31.565260]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   31.570260]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.575271]  ? __kmalloc_track_caller+0x5f5/0x760
[   31.580103]  ? save_stack+0xa9/0xd0
[   31.583715]  ? save_stack+0x43/0xd0
[   31.587340]  ? kasan_kmalloc+0xc4/0xe0
[   31.591212]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.596043]  ? memcpy+0x45/0x50
[   31.599310]  v9fs_session_init+0x21a/0x1a80
[   31.603617]  ? find_held_lock+0x36/0x1c0
[   31.607676]  ? v9fs_show_options+0x7e0/0x7e0
[   31.612080]  ? kasan_check_read+0x11/0x20
[   31.616214]  ? rcu_is_watching+0x8c/0x150
[   31.620346]  ? rcu_pm_notify+0xc0/0xc0
[   31.624227]  ? v9fs_mount+0x61/0x900
[   31.627926]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.632938]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.637775]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.643301]  v9fs_mount+0x7c/0x900
[   31.646852]  mount_fs+0xae/0x328
[   31.650208]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.654773]  ? may_umount+0xb0/0xb0
[   31.658383]  ? _raw_read_unlock+0x22/0x30
[   31.662515]  ? __get_fs_type+0x97/0xc0
[   31.666388]  do_mount+0x581/0x30e0
[   31.669913]  ? copy_mount_string+0x40/0x40
[   31.674134]  ? copy_mount_options+0x5f/0x380
[   31.678528]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.683545]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.688375]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.693914]  ? _copy_from_user+0xdf/0x150
[   31.698051]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.703574]  ? copy_mount_options+0x285/0x380
[   31.708056]  ksys_mount+0x12d/0x140
[   31.711674]  __x64_sys_mount+0xbe/0x150
[   31.715635]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.720640]  do_syscall_64+0x1b9/0x820
[   31.724525]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.729444]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.734372]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.739898]  ? retint_user+0x18/0x18
[   31.743596]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.748426]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.753612] RIP: 0033:0x440979
[   31.756799] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.775934] RSP: 002b:00007ffeb932e288 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   31.783646] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   31.790924] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.798187] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   31.805453] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007864
[   31.812722] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   31.820484] Dumping ftrace buffer:
[   31.824035]    (ftrace buffer empty)
[   31.827723] Kernel Offset: disabled
[   31.831343] Rebooting in 86400 seconds..