[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.531731] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.301566] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.524465] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.478356] random: sshd: uninitialized urandom read (32 bytes read)
[ 47.710165] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[ 53.574405] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[ 53.678775] ==================================================================
[ 53.686299] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 53.692440] Read of size 16842 at addr ffff8801b3e5072d by task syz-executor195/4544
[ 53.700303]
[ 53.701927] CPU: 0 PID: 4544 Comm: syz-executor195 Not tainted 4.18.0-rc4+ #138
[ 53.709359] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.718702] Call Trace:
[ 53.721290]  dump_stack+0x1c9/0x2b4
[ 53.724917]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.730128]  ? printk+0xa7/0xcf
[ 53.733409]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 53.738163]  ? pdu_read+0x90/0xd0
[ 53.741610]  print_address_description+0x6c/0x20b
[ 53.746450]  ? pdu_read+0x90/0xd0
[ 53.749912]  kasan_report.cold.7+0x242/0x2fe
[ 53.754338]  check_memory_region+0x13e/0x1b0
[ 53.758744]  memcpy+0x23/0x50
[ 53.761846]  pdu_read+0x90/0xd0
[ 53.765140]  p9pdu_readf+0x579/0x2170
[ 53.768947]  ? p9pdu_writef+0xe0/0xe0
[ 53.772751]  ? __fget+0x414/0x670
[ 53.776213]  ? rcu_is_watching+0x61/0x150
[ 53.780368]  ? expand_files.part.8+0x9c0/0x9c0
[ 53.784983]  ? rcu_read_lock_sched_held+0x108/0x120
[ 53.790057]  ? p9_fd_show_options+0x1c0/0x1c0
[ 53.794567]  p9_client_create+0xde0/0x16c9
[ 53.798820]  ? p9_client_read+0xc60/0xc60
[ 53.802985]  ? find_held_lock+0x36/0x1c0
[ 53.807064]  ? __lockdep_init_map+0x105/0x590
[ 53.811582]  ? kasan_check_write+0x14/0x20
[ 53.815837]  ? __init_rwsem+0x1cc/0x2a0
[ 53.819818]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 53.824874]  ? rcu_read_lock_sched_held+0x108/0x120
[ 53.829900]  ? __kmalloc_track_caller+0x5f5/0x760
[ 53.834744]  ? save_stack+0xa9/0xd0
[ 53.838385]  ? save_stack+0x43/0xd0
[ 53.842015]  ? kasan_kmalloc+0xc4/0xe0
[ 53.845901]  ? kmem_cache_alloc_trace+0x152/0x780
[ 53.850746]  ? memcpy+0x45/0x50
[ 53.854026]  v9fs_session_init+0x21a/0x1a80
[ 53.858359]  ? find_held_lock+0x36/0x1c0
[ 53.862432]  ? v9fs_show_options+0x7e0/0x7e0
[ 53.866869]  ? kasan_check_read+0x11/0x20
[ 53.871030]  ? rcu_is_watching+0x8c/0x150
[ 53.875176]  ? rcu_pm_notify+0xc0/0xc0
[ 53.879066]  ? v9fs_mount+0x61/0x900
[ 53.882780]  ? rcu_read_lock_sched_held+0x108/0x120
[ 53.887810]  ? kmem_cache_alloc_trace+0x616/0x780
[ 53.892655]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 53.898193]  v9fs_mount+0x7c/0x900
[ 53.901755]  mount_fs+0xae/0x328
[ 53.905124]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 53.909708]  ? may_umount+0xb0/0xb0
[ 53.913344]  ? _raw_read_unlock+0x22/0x30
[ 53.917516]  ? __get_fs_type+0x97/0xc0
[ 53.921406]  do_mount+0x581/0x30e0
[ 53.924944]  ? copy_mount_string+0x40/0x40
[ 53.929206]  ? copy_mount_options+0x5f/0x380
[ 53.933620]  ? rcu_read_lock_sched_held+0x108/0x120
[ 53.938638]  ? kmem_cache_alloc_trace+0x616/0x780
[ 53.943479]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.949614]  ? _copy_from_user+0xdf/0x150
[ 53.953771]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.959314]  ? copy_mount_options+0x285/0x380
[ 53.963812]  ksys_mount+0x12d/0x140
[ 53.967437]  __x64_sys_mount+0xbe/0x150
[ 53.971410]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 53.976446]  do_syscall_64+0x1b9/0x820
[ 53.980331]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 53.985272]  ? syscall_return_slowpath+0x31d/0x5e0
[ 53.990206]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 53.995577]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.000435]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.005621] RIP: 0033:0x440109
[ 54.008899] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.028132] RSP: 002b:00007ffd30a92a88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 54.035831] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440109
[ 54.043093] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[ 54.050372] RBP: 0030656c69662f2e R08: 0000000020000380 R09: 00000000004002c8
[ 54.057640] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[ 54.064908] R13: 0000000000401a20 R14: 0000000000000000 R15: 0000000000000000
[ 54.072198]
[ 54.073821] Allocated by task 4544:
[ 54.077451]  save_stack+0x43/0xd0
[ 54.080898]  kasan_kmalloc+0xc4/0xe0
[ 54.084625]  __kmalloc+0x14e/0x760
[ 54.088167]  p9_fcall_alloc+0x1e/0x90
[ 54.091991]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 54.097198]  p9_client_rpc+0x1bd/0x1400
[ 54.101171]  p9_client_create+0xd09/0x16c9
[ 54.105507]  v9fs_session_init+0x21a/0x1a80
[ 54.109822]  v9fs_mount+0x7c/0x900
[ 54.113363]  mount_fs+0xae/0x328
[ 54.116739]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 54.121313]  do_mount+0x581/0x30e0
[ 54.124857]  ksys_mount+0x12d/0x140
[ 54.128480]  __x64_sys_mount+0xbe/0x150
[ 54.132454]  do_syscall_64+0x1b9/0x820
[ 54.136366]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.141542]
[ 54.143159] Freed by task 0:
[ 54.146164] (stack is not available)
[ 54.149859]
[ 54.151524] The buggy address belongs to the object at ffff8801b3e50700
[ 54.151524]  which belongs to the cache kmalloc-16384 of size 16384
[ 54.165291] The buggy address is located 45 bytes inside of
[ 54.165291]  16384-byte region [ffff8801b3e50700, ffff8801b3e54700)
[ 54.177257] The buggy address belongs to the page:
[ 54.182190] page:ffffea0006cf9400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 54.192174] flags: 0x2fffc0000008100(slab|head)
[ 54.196852] raw: 02fffc0000008100 ffffea0006cf6208 ffff8801da801c48 ffff8801da802200
[ 54.204753] raw: 0000000000000000 ffff8801b3e50700 0000000100000001 0000000000000000
[ 54.212634] page dumped because: kasan: bad access detected
[ 54.218359]
[ 54.219975] Memory state around the buggy address:
[ 54.224908]  ffff8801b3e52600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.232274]  ffff8801b3e52680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 54.239671] >ffff8801b3e52700: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.247042]                                ^
[ 54.251458]  ffff8801b3e52780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.258808]  ffff8801b3e52800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.266167] ==================================================================
[ 54.273518] Disabling lock debugging due to kernel taint
[ 54.279284] Kernel panic - not syncing: panic_on_warn set ...
[ 54.279284]
[ 54.286673] CPU: 0 PID: 4544 Comm: syz-executor195 Tainted: G B 4.18.0-rc4+ #138
[ 54.295498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.304845] Call Trace:
[ 54.307435]  dump_stack+0x1c9/0x2b4
[ 54.311053]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 54.316242]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 54.321021]  panic+0x238/0x4e7
[ 54.324211]  ? add_taint.cold.5+0x16/0x16
[ 54.328357]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 54.332759]  ? pdu_read+0x90/0xd0
[ 54.336211]  kasan_end_report+0x47/0x4f
[ 54.340195]  kasan_report.cold.7+0x76/0x2fe
[ 54.344521]  check_memory_region+0x13e/0x1b0
[ 54.348925]  memcpy+0x23/0x50
[ 54.352030]  pdu_read+0x90/0xd0
[ 54.355309]  p9pdu_readf+0x579/0x2170
[ 54.359130]  ? p9pdu_writef+0xe0/0xe0
[ 54.362925]  ? __fget+0x414/0x670
[ 54.366373]  ? rcu_is_watching+0x61/0x150
[ 54.370515]  ? expand_files.part.8+0x9c0/0x9c0
[ 54.375093]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.380111]  ? p9_fd_show_options+0x1c0/0x1c0
[ 54.384598]  p9_client_create+0xde0/0x16c9
[ 54.388832]  ? p9_client_read+0xc60/0xc60
[ 54.392975]  ? find_held_lock+0x36/0x1c0
[ 54.397038]  ? __lockdep_init_map+0x105/0x590
[ 54.401534]  ? kasan_check_write+0x14/0x20
[ 54.405760]  ? __init_rwsem+0x1cc/0x2a0
[ 54.409726]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 54.414760]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.419773]  ? __kmalloc_track_caller+0x5f5/0x760
[ 54.424629]  ? save_stack+0xa9/0xd0
[ 54.428250]  ? save_stack+0x43/0xd0
[ 54.431873]  ? kasan_kmalloc+0xc4/0xe0
[ 54.435755]  ? kmem_cache_alloc_trace+0x152/0x780
[ 54.440594]  ? memcpy+0x45/0x50
[ 54.443886]  v9fs_session_init+0x21a/0x1a80
[ 54.448206]  ? find_held_lock+0x36/0x1c0
[ 54.452262]  ? v9fs_show_options+0x7e0/0x7e0
[ 54.456661]  ? kasan_check_read+0x11/0x20
[ 54.460797]  ? rcu_is_watching+0x8c/0x150
[ 54.464936]  ? rcu_pm_notify+0xc0/0xc0
[ 54.468821]  ? v9fs_mount+0x61/0x900
[ 54.472537]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.477558]  ? kmem_cache_alloc_trace+0x616/0x780
[ 54.482410]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 54.487972]  v9fs_mount+0x7c/0x900
[ 54.491531]  mount_fs+0xae/0x328
[ 54.494916]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 54.499505]  ? may_umount+0xb0/0xb0
[ 54.503132]  ? _raw_read_unlock+0x22/0x30
[ 54.507387]  ? __get_fs_type+0x97/0xc0
[ 54.511273]  do_mount+0x581/0x30e0
[ 54.514808]  ? copy_mount_string+0x40/0x40
[ 54.519039]  ? copy_mount_options+0x5f/0x380
[ 54.523443]  ? rcu_read_lock_sched_held+0x108/0x120
[ 54.528459]  ? kmem_cache_alloc_trace+0x616/0x780
[ 54.533302]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 54.538858]  ? _copy_from_user+0xdf/0x150
[ 54.543007]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.548547]  ? copy_mount_options+0x285/0x380
[ 54.553058]  ksys_mount+0x12d/0x140
[ 54.556688]  __x64_sys_mount+0xbe/0x150
[ 54.560665]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 54.565676]  do_syscall_64+0x1b9/0x820
[ 54.569552]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 54.574479]  ? syscall_return_slowpath+0x31d/0x5e0
[ 54.579407]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 54.584764]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.589612]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.594802] RIP: 0033:0x440109
[ 54.597975] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 54.617156] RSP: 002b:00007ffd30a92a88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 54.624858] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440109
[ 54.632118] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[ 54.639469] RBP: 0030656c69662f2e R08: 0000000020000380 R09: 00000000004002c8
[ 54.646990] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[ 54.654347] R13: 0000000000401a20 R14: 0000000000000000 R15: 0000000000000000
[ 54.662047] Dumping ftrace buffer:
[ 54.665594]    (ftrace buffer empty)
[ 54.669289] Kernel Offset: disabled
[ 54.672901] Rebooting in 86400 seconds..