[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.434782] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.397204] random: sshd: uninitialized urandom read (32 bytes read)
[   24.845742] random: sshd: uninitialized urandom read (32 bytes read)
[   25.694979] random: sshd: uninitialized urandom read (32 bytes read)
[  100.739436] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.58' (ECDSA) to the list of known hosts.
[  106.169905] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 07:42:00 parsed 1 programs
[  107.804158] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 07:42:03 executed programs: 0
[  109.512613] IPVS: ftp: loaded support on port[0] = 21
[  109.699712] bridge0: port 1(bridge_slave_0) entered blocking state
[  109.706359] bridge0: port 1(bridge_slave_0) entered disabled state
[  109.713840] device bridge_slave_0 entered promiscuous mode
[  109.732044] bridge0: port 2(bridge_slave_1) entered blocking state
[  109.738706] bridge0: port 2(bridge_slave_1) entered disabled state
[  109.745708] device bridge_slave_1 entered promiscuous mode
[  109.761228] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  109.776515] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  109.816251] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  109.834264] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  109.897186] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  109.904472] team0: Port device team_slave_0 added
[  109.919228] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  109.926332] team0: Port device team_slave_1 added
[  109.940534] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  109.956578] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  109.973819] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  109.990198] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  110.103677] bridge0: port 2(bridge_slave_1) entered blocking state
[  110.110168] bridge0: port 2(bridge_slave_1) entered forwarding state
[  110.117030] bridge0: port 1(bridge_slave_0) entered blocking state
[  110.123396] bridge0: port 1(bridge_slave_0) entered forwarding state
[  110.530562] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  110.536719] 8021q: adding VLAN 0 to HW filter on device bond0
[  110.580235] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  110.623217] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  110.630732] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  110.666904] 8021q: adding VLAN 0 to HW filter on device team0
[  110.908879] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[  111.390776] ==================================================================
[  111.398280] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[  111.404406] Read of size 58954 at addr ffff8801d7082fed by task syz-executor0/4893
[  111.412103] 
[  111.413717] CPU: 0 PID: 4893 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[  111.421154] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  111.430485] Call Trace:
[  111.433074]  dump_stack+0x1c9/0x2b4
[  111.436689]  ? dump_stack_print_info.cold.2+0x52/0x52
[  111.441860]  ? printk+0xa7/0xcf
[  111.445117]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  111.449858]  ? pdu_read+0x90/0xd0
[  111.453305]  print_address_description+0x6c/0x20b
[  111.458132]  ? pdu_read+0x90/0xd0
[  111.461564]  kasan_report.cold.7+0x242/0x2fe
[  111.465953]  check_memory_region+0x13e/0x1b0
[  111.470342]  memcpy+0x23/0x50
[  111.473430]  pdu_read+0x90/0xd0
[  111.476691]  p9pdu_readf+0x579/0x2170
[  111.480473]  ? p9pdu_writef+0xe0/0xe0
[  111.484253]  ? __fget+0x414/0x670
[  111.487688]  ? rcu_is_watching+0x61/0x150
[  111.491831]  ? expand_files.part.8+0x9c0/0x9c0
[  111.496406]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.501407]  ? p9_fd_show_options+0x1c0/0x1c0
[  111.505886]  p9_client_create+0xde0/0x16c9
[  111.510115]  ? p9_client_read+0xc60/0xc60
[  111.514249]  ? find_held_lock+0x36/0x1c0
[  111.518383]  ? __lockdep_init_map+0x105/0x590
[  111.522862]  ? kasan_check_write+0x14/0x20
[  111.527085]  ? __init_rwsem+0x1cc/0x2a0
[  111.531044]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  111.536042]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.541037]  ? __kmalloc_track_caller+0x5f5/0x760
[  111.545859]  ? save_stack+0xa9/0xd0
[  111.549462]  ? save_stack+0x43/0xd0
[  111.553096]  ? kasan_kmalloc+0xc4/0xe0
[  111.556963]  ? memcpy+0x45/0x50
[  111.560233]  v9fs_session_init+0x21a/0x1a80
[  111.564536]  ? find_held_lock+0x36/0x1c0
[  111.568580]  ? v9fs_show_options+0x7e0/0x7e0
[  111.572970]  ? kasan_check_read+0x11/0x20
[  111.577098]  ? rcu_is_watching+0x8c/0x150
[  111.581222]  ? rcu_pm_notify+0xc0/0xc0
[  111.585089]  ? rcu_pm_notify+0xc0/0xc0
[  111.588961]  ? v9fs_mount+0x61/0x900
[  111.592650]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.597644]  ? kmem_cache_alloc_trace+0x616/0x780
[  111.602468]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  111.608085]  v9fs_mount+0x7c/0x900
[  111.611621]  mount_fs+0xae/0x328
[  111.614969]  vfs_kern_mount.part.34+0xdc/0x4e0
[  111.619531]  ? may_umount+0xb0/0xb0
[  111.623137]  ? _raw_read_unlock+0x22/0x30
[  111.627260]  ? __get_fs_type+0x97/0xc0
[  111.631128]  do_mount+0x581/0x30e0
[  111.634647]  ? do_raw_spin_unlock+0xa7/0x2f0
[  111.639035]  ? copy_mount_string+0x40/0x40
[  111.643251]  ? copy_mount_options+0x5f/0x380
[  111.647639]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.652981]  ? kmem_cache_alloc_trace+0x616/0x780
[  111.657956]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  111.663491]  ? _copy_from_user+0xdf/0x150
[  111.667670]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  111.673195]  ? copy_mount_options+0x285/0x380
[  111.677693]  __ia32_compat_sys_mount+0x5d5/0x860
[  111.682439]  do_fast_syscall_32+0x34d/0xfb2
[  111.686746]  ? do_int80_syscall_32+0x890/0x890
[  111.691310]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  111.696055]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  111.701575]  ? syscall_return_slowpath+0x31d/0x5e0
[  111.706506]  ? sysret32_from_system_call+0x5/0x46
[  111.711354]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  111.716533]  entry_SYSENTER_compat+0x70/0x7f
[  111.720922] RIP: 0023:0xf7f15cb9
[  111.724263] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[  111.743443] RSP: 002b:00000000ffecc4ac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  111.751138] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[  111.759519] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[  111.766782] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  111.774037] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  111.781289] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  111.788547] 
[  111.790154] Allocated by task 4893:
[  111.793769]  save_stack+0x43/0xd0
[  111.797206]  kasan_kmalloc+0xc4/0xe0
[  111.800902]  __kmalloc+0x14e/0x760
[  111.804424]  p9_fcall_alloc+0x1e/0x90
[  111.808206]  p9_client_prepare_req.part.8+0x754/0xcd0
[  111.813379]  p9_client_rpc+0x1bd/0x1400
[  111.817347]  p9_client_create+0xd09/0x16c9
[  111.821565]  v9fs_session_init+0x21a/0x1a80
[  111.825867]  v9fs_mount+0x7c/0x900
[  111.829389]  mount_fs+0xae/0x328
[  111.832746]  vfs_kern_mount.part.34+0xdc/0x4e0
[  111.837310]  do_mount+0x581/0x30e0
[  111.840833]  __ia32_compat_sys_mount+0x5d5/0x860
[  111.845568]  do_fast_syscall_32+0x34d/0xfb2
[  111.849871]  entry_SYSENTER_compat+0x70/0x7f
[  111.854254] 
[  111.855859] Freed by task 0:
[  111.858858] (stack is not available)
[  111.862559] 
[  111.864170] The buggy address belongs to the object at ffff8801d7082fc0
[  111.864170]  which belongs to the cache kmalloc-16384 of size 16384
[  111.877578] The buggy address is located 45 bytes inside of
[  111.877578]  16384-byte region [ffff8801d7082fc0, ffff8801d7086fc0)
[  111.889521] The buggy address belongs to the page:
[  111.894444] page:ffffea00075c2000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[  111.904405] flags: 0x2fffc0000008100(slab|head)
[  111.909069] raw: 02fffc0000008100 ffffea00075b4208 ffff8801da801c48 ffff8801da802200
[  111.916948] raw: 0000000000000000 ffff8801d7082fc0 0000000100000001 0000000000000000
[  111.924804] page dumped because: kasan: bad access detected
[  111.930489] 
[  111.932093] Memory state around the buggy address:
[  111.937016]  ffff8801d7084e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.944360]  ffff8801d7084f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.951701] >ffff8801d7084f80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  111.959049]                                                        ^
[  111.965531]  ffff8801d7085000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  111.972873]  ffff8801d7085080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  111.980210] ==================================================================
[  111.987554] Disabling lock debugging due to kernel taint
[  111.993475] Kernel panic - not syncing: panic_on_warn set ...
[  111.993475] 
[  112.000855] CPU: 0 PID: 4893 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[  112.009435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  112.018767] Call Trace:
[  112.021345]  dump_stack+0x1c9/0x2b4
[  112.024961]  ? dump_stack_print_info.cold.2+0x52/0x52
[  112.030135]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  112.034877]  panic+0x238/0x4e7
[  112.038054]  ? add_taint.cold.5+0x16/0x16
[  112.042188]  ? do_raw_spin_unlock+0xa7/0x2f0
[  112.046576]  ? pdu_read+0x90/0xd0
[  112.050011]  kasan_end_report+0x47/0x4f
[  112.053975]  kasan_report.cold.7+0x76/0x2fe
[  112.058278]  check_memory_region+0x13e/0x1b0
[  112.062667]  memcpy+0x23/0x50
[  112.065774]  pdu_read+0x90/0xd0
[  112.069036]  p9pdu_readf+0x579/0x2170
[  112.072823]  ? p9pdu_writef+0xe0/0xe0
[  112.076605]  ? __fget+0x414/0x670
[  112.080044]  ? rcu_is_watching+0x61/0x150
[  112.084174]  ? expand_files.part.8+0x9c0/0x9c0
[  112.088738]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.093738]  ? p9_fd_show_options+0x1c0/0x1c0
[  112.098226]  p9_client_create+0xde0/0x16c9
[  112.102446]  ? p9_client_read+0xc60/0xc60
[  112.106576]  ? find_held_lock+0x36/0x1c0
[  112.110627]  ? __lockdep_init_map+0x105/0x590
[  112.115106]  ? kasan_check_write+0x14/0x20
[  112.119322]  ? __init_rwsem+0x1cc/0x2a0
[  112.123284]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  112.128294]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.133289]  ? __kmalloc_track_caller+0x5f5/0x760
[  112.138122]  ? save_stack+0xa9/0xd0
[  112.141730]  ? save_stack+0x43/0xd0
[  112.145336]  ? kasan_kmalloc+0xc4/0xe0
[  112.149203]  ? memcpy+0x45/0x50
[  112.152466]  v9fs_session_init+0x21a/0x1a80
[  112.156779]  ? find_held_lock+0x36/0x1c0
[  112.160824]  ? v9fs_show_options+0x7e0/0x7e0
[  112.165213]  ? kasan_check_read+0x11/0x20
[  112.169365]  ? rcu_is_watching+0x8c/0x150
[  112.173491]  ? rcu_pm_notify+0xc0/0xc0
[  112.177356]  ? rcu_pm_notify+0xc0/0xc0
[  112.181224]  ? v9fs_mount+0x61/0x900
[  112.184918]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.189917]  ? kmem_cache_alloc_trace+0x616/0x780
[  112.194745]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  112.200266]  v9fs_mount+0x7c/0x900
[  112.203791]  mount_fs+0xae/0x328
[  112.207150]  vfs_kern_mount.part.34+0xdc/0x4e0
[  112.211713]  ? may_umount+0xb0/0xb0
[  112.215323]  ? _raw_read_unlock+0x22/0x30
[  112.219451]  ? __get_fs_type+0x97/0xc0
[  112.223330]  do_mount+0x581/0x30e0
[  112.226850]  ? do_raw_spin_unlock+0xa7/0x2f0
[  112.231240]  ? copy_mount_string+0x40/0x40
[  112.235456]  ? copy_mount_options+0x5f/0x380
[  112.239847]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.244843]  ? kmem_cache_alloc_trace+0x616/0x780
[  112.249679]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  112.255200]  ? _copy_from_user+0xdf/0x150
[  112.259329]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  112.264858]  ? copy_mount_options+0x285/0x380
[  112.269338]  __ia32_compat_sys_mount+0x5d5/0x860
[  112.274095]  do_fast_syscall_32+0x34d/0xfb2
[  112.278413]  ? do_int80_syscall_32+0x890/0x890
[  112.282976]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  112.287714]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  112.293234]  ? syscall_return_slowpath+0x31d/0x5e0
[  112.298157]  ? sysret32_from_system_call+0x5/0x46
[  112.303270]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  112.308110]  entry_SYSENTER_compat+0x70/0x7f
[  112.312500] RIP: 0023:0xf7f15cb9
[  112.315843] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[  112.334981] RSP: 002b:00000000ffecc4ac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  112.342692] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[  112.349956] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[  112.357209] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  112.364462] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  112.371712] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  112.379552] Dumping ftrace buffer:
[  112.383079]    (ftrace buffer empty)
[  112.386770] Kernel Offset: disabled
[  112.390387] Rebooting in 86400 seconds..