[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 20.124809] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.779217] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.164258] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.056160] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.215663] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
[ 29.798423] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 29.893744] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 29.920894] ==================================================================
[ 29.928375] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 29.934512] Read of size 20347 at addr ffff8801b26a852d by task syz-executor224/4530
[ 29.942413]
[ 29.944037] CPU: 1 PID: 4530 Comm: syz-executor224 Not tainted 4.18.0-rc4+ #142
[ 29.951503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.960846] Call Trace:
[ 29.963433]  dump_stack+0x1c9/0x2b4
[ 29.967056]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.972320]  ? printk+0xa7/0xcf
[ 29.975597]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.980346]  ? pdu_read+0x90/0xd0
[ 29.983786]  print_address_description+0x6c/0x20b
[ 29.988616]  ? pdu_read+0x90/0xd0
[ 29.992053]  kasan_report.cold.7+0x242/0x2fe
[ 29.996451]  check_memory_region+0x13e/0x1b0
[ 30.000867]  memcpy+0x23/0x50
[ 30.003979]  pdu_read+0x90/0xd0
[ 30.007258]  p9pdu_readf+0x579/0x2170
[ 30.011068]  ? p9pdu_writef+0xe0/0xe0
[ 30.014860]  ? __fget+0x414/0x670
[ 30.018303]  ? rcu_is_watching+0x61/0x150
[ 30.022450]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.027042]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.032064]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.036562]  p9_client_create+0xde0/0x16c9
[ 30.040793]  ? p9_client_read+0xc60/0xc60
[ 30.044928]  ? find_held_lock+0x36/0x1c0
[ 30.048982]  ? __lockdep_init_map+0x105/0x590
[ 30.053477]  ? kasan_check_write+0x14/0x20
[ 30.057719]  ? __init_rwsem+0x1cc/0x2a0
[ 30.061679]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.066698]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.071717]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.076570]  ? save_stack+0xa9/0xd0
[ 30.080187]  ? save_stack+0x43/0xd0
[ 30.083799]  ? kasan_kmalloc+0xc4/0xe0
[ 30.087680]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.092510]  ? memcpy+0x45/0x50
[ 30.095783]  v9fs_session_init+0x21a/0x1a80
[ 30.100101]  ? find_held_lock+0x36/0x1c0
[ 30.104170]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.108577]  ? kasan_check_read+0x11/0x20
[ 30.112709]  ? rcu_is_watching+0x8c/0x150
[ 30.116863]  ? rcu_pm_notify+0xc0/0xc0
[ 30.120749]  ? v9fs_mount+0x61/0x900
[ 30.124458]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.129466]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.134316]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 30.139855]  v9fs_mount+0x7c/0x900
[ 30.143387]  mount_fs+0xae/0x328
[ 30.146741]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.151307]  ? may_umount+0xb0/0xb0
[ 30.154919]  ? _raw_read_unlock+0x22/0x30
[ 30.160972]  ? __get_fs_type+0x97/0xc0
[ 30.164860]  do_mount+0x581/0x30e0
[ 30.168389]  ? copy_mount_string+0x40/0x40
[ 30.172715]  ? copy_mount_options+0x5f/0x380
[ 30.177117]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.182181]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.187016]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.192573]  ? _copy_from_user+0xdf/0x150
[ 30.196719]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.202256]  ? copy_mount_options+0x285/0x380
[ 30.206745]  ksys_mount+0x12d/0x140
[ 30.210364]  __x64_sys_mount+0xbe/0x150
[ 30.214330]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.219340]  do_syscall_64+0x1b9/0x820
[ 30.223222]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.228153]  ? syscall_return_slowpath+0x31d/0x5e0
[ 30.233083]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.238617]  ? retint_user+0x18/0x18
[ 30.242335]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.247169]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.252353] RIP: 0033:0x440959
[ 30.255529] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 30.274713] RSP: 002b:00007ffe02e53858 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 30.282410] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 30.289684] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 30.296956] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 30.304218] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000074c3
[ 30.311473] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 30.318732]
[ 30.320342] Allocated by task 4530:
[ 30.323958]  save_stack+0x43/0xd0
[ 30.327401]  kasan_kmalloc+0xc4/0xe0
[ 30.331098]  __kmalloc+0x14e/0x760
[ 30.334624]  p9_fcall_alloc+0x1e/0x90
[ 30.338415]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 30.343586]  p9_client_rpc+0x1bd/0x1400
[ 30.347548]  p9_client_create+0xd09/0x16c9
[ 30.351769]  v9fs_session_init+0x21a/0x1a80
[ 30.356083]  v9fs_mount+0x7c/0x900
[ 30.359616]  mount_fs+0xae/0x328
[ 30.362967]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.367534]  do_mount+0x581/0x30e0
[ 30.371072]  ksys_mount+0x12d/0x140
[ 30.374696]  __x64_sys_mount+0xbe/0x150
[ 30.378653]  do_syscall_64+0x1b9/0x820
[ 30.382533]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.387697]
[ 30.389313] Freed by task 0:
[ 30.392315] (stack is not available)
[ 30.396020]
[ 30.397650] The buggy address belongs to the object at ffff8801b26a8500
[ 30.397650]  which belongs to the cache kmalloc-16384 of size 16384
[ 30.410659] The buggy address is located 45 bytes inside of
[ 30.410659]  16384-byte region [ffff8801b26a8500, ffff8801b26ac500)
[ 30.422606] The buggy address belongs to the page:
[ 30.427556] page:ffffea0006c9aa00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 30.437604] flags: 0x2fffc0000008100(slab|head)
[ 30.442267] raw: 02fffc0000008100 ffffea0006b1d008 ffff8801da801c48 ffff8801da802200
[ 30.450131] raw: 0000000000000000 ffff8801b26a8500 0000000100000001 0000000000000000
[ 30.457997] page dumped because: kasan: bad access detected
[ 30.463690]
[ 30.465298] Memory state around the buggy address:
[ 30.470221]  ffff8801b26aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.477563]  ffff8801b26aa480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.484902] >ffff8801b26aa500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.492249]                                ^
[ 30.496636]  ffff8801b26aa580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.503988]  ffff8801b26aa600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.511333] ==================================================================
[ 30.518679] Disabling lock debugging due to kernel taint
[ 30.524217] Kernel panic - not syncing: panic_on_warn set ...
[ 30.524217]
[ 30.531593] CPU: 1 PID: 4530 Comm: syz-executor224 Tainted: G B 4.18.0-rc4+ #142
[ 30.540422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.549766] Call Trace:
[ 30.552341]  dump_stack+0x1c9/0x2b4
[ 30.555951]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.561133]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.565874]  panic+0x238/0x4e7
[ 30.569049]  ? add_taint.cold.5+0x16/0x16
[ 30.573184]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.577576]  ? pdu_read+0x90/0xd0
[ 30.581025]  kasan_end_report+0x47/0x4f
[ 30.584989]  kasan_report.cold.7+0x76/0x2fe
[ 30.589307]  check_memory_region+0x13e/0x1b0
[ 30.593699]  memcpy+0x23/0x50
[ 30.596876]  pdu_read+0x90/0xd0
[ 30.600146]  p9pdu_readf+0x579/0x2170
[ 30.603937]  ? p9pdu_writef+0xe0/0xe0
[ 30.607734]  ? __fget+0x414/0x670
[ 30.611174]  ? rcu_is_watching+0x61/0x150
[ 30.615309]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.619882]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.624892]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.629376]  p9_client_create+0xde0/0x16c9
[ 30.633598]  ? p9_client_read+0xc60/0xc60
[ 30.637737]  ? find_held_lock+0x36/0x1c0
[ 30.641785]  ? __lockdep_init_map+0x105/0x590
[ 30.646277]  ? kasan_check_write+0x14/0x20
[ 30.650512]  ? __init_rwsem+0x1cc/0x2a0
[ 30.654508]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.659539]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.664547]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.669373]  ? save_stack+0xa9/0xd0
[ 30.672981]  ? save_stack+0x43/0xd0
[ 30.676595]  ? kasan_kmalloc+0xc4/0xe0
[ 30.680467]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.685291]  ? memcpy+0x45/0x50
[ 30.688563]  v9fs_session_init+0x21a/0x1a80
[ 30.692871]  ? find_held_lock+0x36/0x1c0
[ 30.696921]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.701313]  ? kasan_check_read+0x11/0x20
[ 30.705455]  ? rcu_is_watching+0x8c/0x150
[ 30.709594]  ? rcu_pm_notify+0xc0/0xc0
[ 30.713474]  ? v9fs_mount+0x61/0x900
[ 30.717183]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.722193]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.727046]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 30.732606]  v9fs_mount+0x7c/0x900
[ 30.736138]  mount_fs+0xae/0x328
[ 30.739492]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.744061]  ? may_umount+0xb0/0xb0
[ 30.747671]  ? _raw_read_unlock+0x22/0x30
[ 30.751801]  ? __get_fs_type+0x97/0xc0
[ 30.755672]  do_mount+0x581/0x30e0
[ 30.759193]  ? copy_mount_string+0x40/0x40
[ 30.763419]  ? copy_mount_options+0x5f/0x380
[ 30.767812]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.772830]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.777673]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.783198]  ? _copy_from_user+0xdf/0x150
[ 30.787327]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.792848]  ? copy_mount_options+0x285/0x380
[ 30.797332]  ksys_mount+0x12d/0x140
[ 30.800958]  __x64_sys_mount+0xbe/0x150
[ 30.804919]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.809923]  do_syscall_64+0x1b9/0x820
[ 30.813796]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.818712]  ? syscall_return_slowpath+0x31d/0x5e0
[ 30.823632]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.829158]  ? retint_user+0x18/0x18
[ 30.832858]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.837690]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.842878] RIP: 0033:0x440959
[ 30.846062] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 30.865197] RSP: 002b:00007ffe02e53858 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 30.872898] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 30.880167] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 30.887421] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 30.894683] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000074c3
[ 30.902385] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 30.910132] Dumping ftrace buffer:
[ 30.913654]    (ftrace buffer empty)
[ 30.917341] Kernel Offset: disabled
[ 30.920948] Rebooting in 86400 seconds..