Warning: Permanently added '10.128.0.174' (ECDSA) to the list of known hosts. [ 43.188041] random: sshd: uninitialized urandom read (32 bytes read) executing program executing program [ 43.302187] audit: type=1400 audit(1567925269.469:36): avc: denied { map } for pid=6976 comm="syz-executor307" path="/root/syz-executor307587025" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 43.331609] ================================================================== [ 43.339089] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0 [ 43.345252] Read of size 52719 at addr ffff888097ff856d by task syz-executor307/6978 [ 43.353128] [ 43.354744] CPU: 0 PID: 6978 Comm: syz-executor307 Not tainted 4.14.142 #0 [ 43.361735] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.371113] Call Trace: [ 43.373698] dump_stack+0x138/0x197 [ 43.377341] ? pdu_read+0x90/0xd0 [ 43.380780] print_address_description.cold+0x7c/0x1dc [ 43.386048] ? pdu_read+0x90/0xd0 [ 43.389486] kasan_report.cold+0xa9/0x2af [ 43.393635] check_memory_region+0x123/0x190 [ 43.398044] memcpy+0x24/0x50 [ 43.401134] pdu_read+0x90/0xd0 [ 43.404396] p9pdu_readf+0x379/0x1780 [ 43.408186] ? p9_conn_create+0x4c0/0x4c0 [ 43.412316] ? pipe_poll+0x261/0x2d0 [ 43.416099] ? p9pdu_writef+0xd0/0xd0 [ 43.419885] ? p9_fd_create+0x245/0x340 [ 43.423842] ? parse_opts.part.0+0x2e0/0x2e0 [ 43.428242] p9_client_create+0xa1f/0x1120 [ 43.432615] ? p9_client_zc_rpc.constprop.0+0x1120/0x1120 [ 43.438161] ? __kmalloc_track_caller+0x372/0x790 [ 43.442996] ? __lockdep_init_map+0x10c/0x570 [ 43.447490] ? lockdep_init_map+0x9/0x10 [ 43.451541] ? __raw_spin_lock_init+0x2d/0x100 [ 43.456119] v9fs_session_init+0x1dc/0x1620 [ 43.460434] ? check_preemption_disabled+0x3c/0x250 [ 43.465444] ? v9fs_show_options+0x730/0x730 [ 43.469846] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 43.475283] ? v9fs_mount+0x5e/0x870 [ 43.478981] ? rcu_read_lock_sched_held+0x110/0x130 [ 43.483989] ? kmem_cache_alloc_trace+0x623/0x790 [ 43.488900] ? free_pages+0x46/0x50 [ 43.492516] v9fs_mount+0x7d/0x870 [ 43.496081] mount_fs+0x97/0x2a1 [ 43.499516] vfs_kern_mount.part.0+0x5e/0x3d0 [ 43.504096] do_mount+0x417/0x27d0 [ 43.507622] ? copy_mount_options+0x5c/0x2f0 [ 43.512018] ? rcu_read_lock_sched_held+0x110/0x130 [ 43.517052] ? copy_mount_string+0x40/0x40 [ 43.521275] ? copy_mount_options+0x1fe/0x2f0 [ 43.525773] SyS_mount+0xab/0x120 [ 43.529214] ? copy_mnt_ns+0x8c0/0x8c0 [ 43.533185] do_syscall_64+0x1e8/0x640 [ 43.537055] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.541885] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.547071] RIP: 0033:0x444f29 [ 43.550241] RSP: 002b:00007ffcd77aeb98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 43.557945] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f29 [ 43.565200] RDX: 00000000200000c0 RSI: 0000000020000480 RDI: 0000000000000000 [ 43.572456] RBP: 000000000000a928 R08: 00000000200001c0 R09: 00000000004002e0 [ 43.579710] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402170 [ 43.586977] R13: 0000000000402200 R14: 0000000000000000 R15: 0000000000000000 [ 43.594251] [ 43.595858] Allocated by task 6978: [ 43.599468] save_stack_trace+0x16/0x20 [ 43.603424] save_stack+0x45/0xd0 [ 43.606856] kasan_kmalloc+0xce/0xf0 [ 43.610650] __kmalloc+0x15d/0x7a0 [ 43.614173] p9_fcall_alloc+0x1d/0x90 [ 43.617967] p9_client_prepare_req.part.0+0x73a/0xa90 [ 43.623144] p9_client_rpc+0x170/0x1180 [ 43.627113] p9_client_create+0x997/0x1120 [ 43.631347] v9fs_session_init+0x1dc/0x1620 [ 43.635657] v9fs_mount+0x7d/0x870 [ 43.639217] mount_fs+0x97/0x2a1 [ 43.642566] vfs_kern_mount.part.0+0x5e/0x3d0 [ 43.647085] do_mount+0x417/0x27d0 [ 43.650619] SyS_mount+0xab/0x120 [ 43.654063] do_syscall_64+0x1e8/0x640 [ 43.657937] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.663144] [ 43.664767] Freed by task 0: [ 43.667763] (stack is not available) [ 43.671454] [ 43.673063] The buggy address belongs to the object at ffff888097ff8540 [ 43.673063] which belongs to the cache kmalloc-16384 of size 16384 [ 43.686177] The buggy address is located 45 bytes inside of [ 43.686177] 16384-byte region [ffff888097ff8540, ffff888097ffc540) [ 43.698167] The buggy address belongs to the page: [ 43.703092] page:ffffea00025ffe00 count:1 mapcount:0 mapping:ffff888097ff8540 index:0x0 compound_mapcount: 0 [ 43.713047] flags: 0x1fffc0000008100(slab|head) [ 43.717700] raw: 01fffc0000008100 ffff888097ff8540 0000000000000000 0000000100000001 [ 43.725565] raw: ffffea0001de8c20 ffff8880aa801c48 ffff8880aa802200 0000000000000000 [ 43.733435] page dumped because: kasan: bad access detected [ 43.739251] [ 43.740872] Memory state around the buggy address: [ 43.745795] ffff888097ffa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.753138] ffff888097ffa480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.760479] >ffff888097ffa500: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 43.767838] ^ [ 43.774588] ffff888097ffa580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.781959] ffff888097ffa600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 43.789298] ================================================================== [ 43.796647] Disabling lock debugging due to kernel taint [ 43.802384] Kernel panic - not syncing: panic_on_warn set ... [ 43.802384] [ 43.809963] CPU: 0 PID: 6978 Comm: syz-executor307 Tainted: G B 4.14.142 #0 [ 43.818183] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.827702] Call Trace: [ 43.830291] dump_stack+0x138/0x197 [ 43.834061] ? pdu_read+0x90/0xd0 [ 43.837504] panic+0x1f2/0x426 [ 43.840698] ? add_taint.cold+0x16/0x16 [ 43.844658] ? ___preempt_schedule+0x16/0x18 [ 43.849062] kasan_end_report+0x47/0x4f [ 43.853017] kasan_report.cold+0x130/0x2af [ 43.857230] check_memory_region+0x123/0x190 [ 43.861629] memcpy+0x24/0x50 [ 43.864821] pdu_read+0x90/0xd0 [ 43.868092] p9pdu_readf+0x379/0x1780 [ 43.871901] ? p9_conn_create+0x4c0/0x4c0 [ 43.876044] ? pipe_poll+0x261/0x2d0 [ 43.879736] ? p9pdu_writef+0xd0/0xd0 [ 43.883524] ? p9_fd_create+0x245/0x340 [ 43.887577] ? parse_opts.part.0+0x2e0/0x2e0 [ 43.891991] p9_client_create+0xa1f/0x1120 [ 43.896304] ? p9_client_zc_rpc.constprop.0+0x1120/0x1120 [ 43.902062] ? __kmalloc_track_caller+0x372/0x790 [ 43.906894] ? __lockdep_init_map+0x10c/0x570 [ 43.911373] ? lockdep_init_map+0x9/0x10 [ 43.915511] ? __raw_spin_lock_init+0x2d/0x100 [ 43.920334] v9fs_session_init+0x1dc/0x1620 [ 43.924642] ? check_preemption_disabled+0x3c/0x250 [ 43.929640] ? v9fs_show_options+0x730/0x730 [ 43.934029] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 43.939470] ? v9fs_mount+0x5e/0x870 [ 43.943163] ? rcu_read_lock_sched_held+0x110/0x130 [ 43.948172] ? kmem_cache_alloc_trace+0x623/0x790 [ 43.952996] ? free_pages+0x46/0x50 [ 43.956618] v9fs_mount+0x7d/0x870 [ 43.960146] mount_fs+0x97/0x2a1 [ 43.963498] vfs_kern_mount.part.0+0x5e/0x3d0 [ 43.967982] do_mount+0x417/0x27d0 [ 43.971925] ? copy_mount_options+0x5c/0x2f0 [ 43.976314] ? rcu_read_lock_sched_held+0x110/0x130 [ 43.981312] ? copy_mount_string+0x40/0x40 [ 43.985547] ? copy_mount_options+0x1fe/0x2f0 [ 43.990029] SyS_mount+0xab/0x120 [ 43.993470] ? copy_mnt_ns+0x8c0/0x8c0 [ 43.997359] do_syscall_64+0x1e8/0x640 [ 44.001226] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.006054] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 44.011225] RIP: 0033:0x444f29 [ 44.014394] RSP: 002b:00007ffcd77aeb98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 44.022090] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444f29 [ 44.029388] RDX: 00000000200000c0 RSI: 0000000020000480 RDI: 0000000000000000 [ 44.036659] RBP: 000000000000a928 R08: 00000000200001c0 R09: 00000000004002e0 [ 44.043920] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402170 [ 44.051175] R13: 0000000000402200 R14: 0000000000000000 R15: 0000000000000000 [ 44.060202] Kernel Offset: disabled [ 44.063834] Rebooting in 86400 seconds..