[....] Starting OpenBSD Secure Shell server: sshd
[ 19.494620] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.489956] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.790733] sshd (4525) used greatest stack depth: 17032 bytes left
[ 23.810244] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.671979] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.829183] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.203' (ECDSA) to the list of known hosts.
[ 30.326306] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 30.417336] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 30.442889] ==================================================================
[ 30.450330] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 30.456466] Read of size 13088 at addr ffff8801d95d04ad by task syz-executor870/4545
[ 30.464323]
[ 30.465945] CPU: 0 PID: 4545 Comm: syz-executor870 Not tainted 4.18.0-rc3+ #137
[ 30.473377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.482717] Call Trace:
[ 30.485298]  dump_stack+0x1c9/0x2b4
[ 30.488912]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.494094]  ? printk+0xa7/0xcf
[ 30.497356]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.502106]  ? pdu_read+0x90/0xd0
[ 30.505540]  print_address_description+0x6c/0x20b
[ 30.510368]  ? pdu_read+0x90/0xd0
[ 30.513801]  kasan_report.cold.7+0x242/0x2fe
[ 30.518207]  check_memory_region+0x13e/0x1b0
[ 30.522628]  memcpy+0x23/0x50
[ 30.525732]  pdu_read+0x90/0xd0
[ 30.529017]  p9pdu_readf+0x579/0x2170
[ 30.532816]  ? p9pdu_writef+0xe0/0xe0
[ 30.536604]  ? __fget+0x414/0x670
[ 30.540218]  ? rcu_is_watching+0x61/0x150
[ 30.544352]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.548926]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.553938]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.558429]  p9_client_create+0xde0/0x16c9
[ 30.562664]  ? p9_client_read+0xc60/0xc60
[ 30.566796]  ? find_held_lock+0x36/0x1c0
[ 30.570860]  ? __lockdep_init_map+0x105/0x590
[ 30.575365]  ? kasan_check_write+0x14/0x20
[ 30.579587]  ? __init_rwsem+0x1cc/0x2a0
[ 30.583548]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.588553]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.593568]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.598433]  ? save_stack+0xa9/0xd0
[ 30.602052]  ? save_stack+0x43/0xd0
[ 30.605663]  ? kasan_kmalloc+0xc4/0xe0
[ 30.609535]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.614377]  ? memcpy+0x45/0x50
[ 30.617648]  v9fs_session_init+0x21a/0x1a80
[ 30.621979]  ? find_held_lock+0x36/0x1c0
[ 30.626043]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.630444]  ? kasan_check_read+0x11/0x20
[ 30.634581]  ? rcu_is_watching+0x8c/0x150
[ 30.638728]  ? rcu_pm_notify+0xc0/0xc0
[ 30.642624]  ? v9fs_mount+0x61/0x900
[ 30.646330]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.651346]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.656192]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 30.661731]  v9fs_mount+0x7c/0x900
[ 30.665275]  mount_fs+0xae/0x328
[ 30.668852]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.673454]  ? may_umount+0xb0/0xb0
[ 30.677087]  ? _raw_read_unlock+0x22/0x30
[ 30.681235]  ? __get_fs_type+0x97/0xc0
[ 30.685201]  do_mount+0x581/0x30e0
[ 30.688751]  ? copy_mount_string+0x40/0x40
[ 30.692989]  ? copy_mount_options+0x5f/0x380
[ 30.697426]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.702436]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.707557]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.713095]  ? _copy_from_user+0xdf/0x150
[ 30.717236]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.722780]  ? copy_mount_options+0x285/0x380
[ 30.727273]  ksys_mount+0x12d/0x140
[ 30.730895]  __x64_sys_mount+0xbe/0x150
[ 30.734873]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.739887]  do_syscall_64+0x1b9/0x820
[ 30.743768]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.748777]  ? syscall_return_slowpath+0x31d/0x5e0
[ 30.753703]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.759424]  ? retint_user+0x18/0x18
[ 30.763160]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.768018]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.773203] RIP: 0033:0x440959
[ 30.776372] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 30.795995] RSP: 002b:00007ffdcb9c3ad8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 30.803720] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 30.810991] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 30.818253] RBP: 0000000000000000 R08: 0000000020000680 R09: 00000000004002c8
[ 30.825513] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000000076cf
[ 30.832770] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 30.840041]
[ 30.841663] Allocated by task 4545:
[ 30.845292]  save_stack+0x43/0xd0
[ 30.848754]  kasan_kmalloc+0xc4/0xe0
[ 30.852469]  __kmalloc+0x14e/0x760
[ 30.856007]  p9_fcall_alloc+0x1e/0x90
[ 30.859899]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 30.865104]  p9_client_rpc+0x1bd/0x1400
[ 30.869079]  p9_client_create+0xd09/0x16c9
[ 30.873308]  v9fs_session_init+0x21a/0x1a80
[ 30.877619]  v9fs_mount+0x7c/0x900
[ 30.881147]  mount_fs+0xae/0x328
[ 30.884496]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.889084]  do_mount+0x581/0x30e0
[ 30.892639]  ksys_mount+0x12d/0x140
[ 30.896279]  __x64_sys_mount+0xbe/0x150
[ 30.900250]  do_syscall_64+0x1b9/0x820
[ 30.904302]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.909486]
[ 30.911094] Freed by task 0:
[ 30.914100] (stack is not available)
[ 30.917794]
[ 30.919416] The buggy address belongs to the object at ffff8801d95d0480
[ 30.919416]  which belongs to the cache kmalloc-16384 of size 16384
[ 30.932412] The buggy address is located 45 bytes inside of
[ 30.932412]  16384-byte region [ffff8801d95d0480, ffff8801d95d4480)
[ 30.944366] The buggy address belongs to the page:
[ 30.949300] page:ffffea0007657400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 30.959263] flags: 0x2fffc0000008100(slab|head)
[ 30.964029] raw: 02fffc0000008100 ffffea0006b2e808 ffffea0006b2f808 ffff8801da802200
[ 30.971904] raw: 0000000000000000 ffff8801d95d0480 0000000100000001 0000000000000000
[ 30.979776] page dumped because: kasan: bad access detected
[ 30.985473]
[ 30.987095] Memory state around the buggy address:
[ 30.992011]  ffff8801d95d2380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.999362]  ffff8801d95d2400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.006711] >ffff8801d95d2480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.014056]                                ^
[ 31.018450]  ffff8801d95d2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.025803]  ffff8801d95d2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.033149] ==================================================================
[ 31.040490] Disabling lock debugging due to kernel taint
[ 31.046039] Kernel panic - not syncing: panic_on_warn set ...
[ 31.046039]
[ 31.053420] CPU: 0 PID: 4545 Comm: syz-executor870 Tainted: G B 4.18.0-rc3+ #137
[ 31.062262] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.071617] Call Trace:
[ 31.074193]  dump_stack+0x1c9/0x2b4
[ 31.077805]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.082977]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.087717]  panic+0x238/0x4e7
[ 31.090892]  ? add_taint.cold.5+0x16/0x16
[ 31.095032]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.099424]  ? pdu_read+0x90/0xd0
[ 31.102857]  kasan_end_report+0x47/0x4f
[ 31.106814]  kasan_report.cold.7+0x76/0x2fe
[ 31.111118]  check_memory_region+0x13e/0x1b0
[ 31.115518]  memcpy+0x23/0x50
[ 31.118623]  pdu_read+0x90/0xd0
[ 31.121886]  p9pdu_readf+0x579/0x2170
[ 31.125667]  ? p9pdu_writef+0xe0/0xe0
[ 31.129469]  ? __fget+0x414/0x670
[ 31.132911]  ? rcu_is_watching+0x61/0x150
[ 31.137043]  ? expand_files.part.8+0x9c0/0x9c0
[ 31.141614]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.146625]  ? p9_fd_show_options+0x1c0/0x1c0
[ 31.151111]  p9_client_create+0xde0/0x16c9
[ 31.155329]  ? p9_client_read+0xc60/0xc60
[ 31.159460]  ? find_held_lock+0x36/0x1c0
[ 31.163508]  ? __lockdep_init_map+0x105/0x590
[ 31.168004]  ? kasan_check_write+0x14/0x20
[ 31.172228]  ? __init_rwsem+0x1cc/0x2a0
[ 31.176195]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 31.181192]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.186186]  ? __kmalloc_track_caller+0x5f5/0x760
[ 31.191028]  ? save_stack+0xa9/0xd0
[ 31.194646]  ? save_stack+0x43/0xd0
[ 31.198263]  ? kasan_kmalloc+0xc4/0xe0
[ 31.202133]  ? kmem_cache_alloc_trace+0x152/0x780
[ 31.206970]  ? memcpy+0x45/0x50
[ 31.210253]  v9fs_session_init+0x21a/0x1a80
[ 31.214570]  ? find_held_lock+0x36/0x1c0
[ 31.218616]  ? v9fs_show_options+0x7e0/0x7e0
[ 31.223022]  ? kasan_check_read+0x11/0x20
[ 31.227161]  ? rcu_is_watching+0x8c/0x150
[ 31.231292]  ? rcu_pm_notify+0xc0/0xc0
[ 31.235173]  ? v9fs_mount+0x61/0x900
[ 31.238869]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.243879]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.248716]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 31.254262]  v9fs_mount+0x7c/0x900
[ 31.257832]  mount_fs+0xae/0x328
[ 31.261215]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.265785]  ? may_umount+0xb0/0xb0
[ 31.269412]  ? _raw_read_unlock+0x22/0x30
[ 31.273570]  ? __get_fs_type+0x97/0xc0
[ 31.277460]  do_mount+0x581/0x30e0
[ 31.281003]  ? copy_mount_string+0x40/0x40
[ 31.285230]  ? copy_mount_options+0x5f/0x380
[ 31.289630]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.294637]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.299463]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.305070]  ? _copy_from_user+0xdf/0x150
[ 31.309201]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.314720]  ? copy_mount_options+0x285/0x380
[ 31.319199]  ksys_mount+0x12d/0x140
[ 31.322807]  __x64_sys_mount+0xbe/0x150
[ 31.326768]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.331769]  do_syscall_64+0x1b9/0x820
[ 31.335640]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.340550]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.345465]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.350986]  ? retint_user+0x18/0x18
[ 31.354686]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.359528]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.364712] RIP: 0033:0x440959
[ 31.367877] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.387033] RSP: 002b:00007ffdcb9c3ad8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 31.394729] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 31.401980] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 31.409245] RBP: 0000000000000000 R08: 0000000020000680 R09: 00000000004002c8
[ 31.416496] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000000076cf
[ 31.423746] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 31.431512] Dumping ftrace buffer:
[ 31.435034]    (ftrace buffer empty)
[ 31.438725] Kernel Offset: disabled
[ 31.442351] Rebooting in 86400 seconds..