[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.434782] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.397204] random: sshd: uninitialized urandom read (32 bytes read)
[   24.845742] random: sshd: uninitialized urandom read (32 bytes read)
[   25.694979] random: sshd: uninitialized urandom read (32 bytes read)
[  100.739436] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.58' (ECDSA) to the list of known hosts.
[  106.169905] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 07:42:00 parsed 1 programs
[  107.804158] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 07:42:03 executed programs: 0
[  109.512613] IPVS: ftp: loaded support on port[0] = 21
[  109.699712] bridge0: port 1(bridge_slave_0) entered blocking state
[  109.706359] bridge0: port 1(bridge_slave_0) entered disabled state
[  109.713840] device bridge_slave_0 entered promiscuous mode
[  109.732044] bridge0: port 2(bridge_slave_1) entered blocking state
[  109.738706] bridge0: port 2(bridge_slave_1) entered disabled state
[  109.745708] device bridge_slave_1 entered promiscuous mode
[  109.761228] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  109.776515] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  109.816251] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  109.834264] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  109.897186] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  109.904472] team0: Port device team_slave_0 added
[  109.919228] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  109.926332] team0: Port device team_slave_1 added
[  109.940534] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  109.956578] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  109.973819] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  109.990198] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  110.103677] bridge0: port 2(bridge_slave_1) entered blocking state
[  110.110168] bridge0: port 2(bridge_slave_1) entered forwarding state
[  110.117030] bridge0: port 1(bridge_slave_0) entered blocking state
[  110.123396] bridge0: port 1(bridge_slave_0) entered forwarding state
[  110.530562] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  110.536719] 8021q: adding VLAN 0 to HW filter on device bond0
[  110.580235] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  110.623217] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  110.630732] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  110.666904] 8021q: adding VLAN 0 to HW filter on device team0
[  110.908879] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[  111.390776] ==================================================================
[  111.398280] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[  111.404406] Read of size 58954 at addr ffff8801d7082fed by task syz-executor0/4893
[  111.412103] 
[  111.413717] CPU: 0 PID: 4893 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[  111.421154] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  111.430485] Call Trace:
[  111.433074]  dump_stack+0x1c9/0x2b4
[  111.436689]  ? dump_stack_print_info.cold.2+0x52/0x52
[  111.441860]  ? printk+0xa7/0xcf
[  111.445117]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  111.449858]  ? pdu_read+0x90/0xd0
[  111.453305]  print_address_description+0x6c/0x20b
[  111.458132]  ? pdu_read+0x90/0xd0
[  111.461564]  kasan_report.cold.7+0x242/0x2fe
[  111.465953]  check_memory_region+0x13e/0x1b0
[  111.470342]  memcpy+0x23/0x50
[  111.473430]  pdu_read+0x90/0xd0
[  111.476691]  p9pdu_readf+0x579/0x2170
[  111.480473]  ? p9pdu_writef+0xe0/0xe0
[  111.484253]  ? __fget+0x414/0x670
[  111.487688]  ? rcu_is_watching+0x61/0x150
[  111.491831]  ? expand_files.part.8+0x9c0/0x9c0
[  111.496406]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.501407]  ? p9_fd_show_options+0x1c0/0x1c0
[  111.505886]  p9_client_create+0xde0/0x16c9
[  111.510115]  ? p9_client_read+0xc60/0xc60
[  111.514249]  ? find_held_lock+0x36/0x1c0
[  111.518383]  ? __lockdep_init_map+0x105/0x590
[  111.522862]  ? kasan_check_write+0x14/0x20
[  111.527085]  ? __init_rwsem+0x1cc/0x2a0
[  111.531044]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  111.536042]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.541037]  ? __kmalloc_track_caller+0x5f5/0x760
[  111.545859]  ? save_stack+0xa9/0xd0
[  111.549462]  ? save_stack+0x43/0xd0
[  111.553096]  ? kasan_kmalloc+0xc4/0xe0
[  111.556963]  ? memcpy+0x45/0x50
[  111.560233]  v9fs_session_init+0x21a/0x1a80
[  111.564536]  ? find_held_lock+0x36/0x1c0
[  111.568580]  ? v9fs_show_options+0x7e0/0x7e0
[  111.572970]  ? kasan_check_read+0x11/0x20
[  111.577098]  ? rcu_is_watching+0x8c/0x150
[  111.581222]  ? rcu_pm_notify+0xc0/0xc0
[  111.585089]  ? rcu_pm_notify+0xc0/0xc0
[  111.588961]  ? v9fs_mount+0x61/0x900
[  111.592650]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.597644]  ? kmem_cache_alloc_trace+0x616/0x780
[  111.602468]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  111.608085]  v9fs_mount+0x7c/0x900
[  111.611621]  mount_fs+0xae/0x328
[  111.614969]  vfs_kern_mount.part.34+0xdc/0x4e0
[  111.619531]  ? may_umount+0xb0/0xb0
[  111.623137]  ? _raw_read_unlock+0x22/0x30
[  111.627260]  ? __get_fs_type+0x97/0xc0
[  111.631128]  do_mount+0x581/0x30e0
[  111.634647]  ? do_raw_spin_unlock+0xa7/0x2f0
[  111.639035]  ? copy_mount_string+0x40/0x40
[  111.643251]  ? copy_mount_options+0x5f/0x380
[  111.647639]  ? rcu_read_lock_sched_held+0x108/0x120
[  111.652981]  ? kmem_cache_alloc_trace+0x616/0x780
[  111.657956]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  111.663491]  ? _copy_from_user+0xdf/0x150
[  111.667670]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  111.673195]  ? copy_mount_options+0x285/0x380
[  111.677693]  __ia32_compat_sys_mount+0x5d5/0x860
[  111.682439]  do_fast_syscall_32+0x34d/0xfb2
[  111.686746]  ? do_int80_syscall_32+0x890/0x890
[  111.691310]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  111.696055]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  111.701575]  ? syscall_return_slowpath+0x31d/0x5e0
[  111.706506]  ? sysret32_from_system_call+0x5/0x46
[  111.711354]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  111.716533]  entry_SYSENTER_compat+0x70/0x7f
[  111.720922] RIP: 0023:0xf7f15cb9
[  111.724263] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  111.743443] RSP: 002b:00000000ffecc4ac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  111.751138] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[  111.759519] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[  111.766782] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  111.774037] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  111.781289] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  111.788547] 
[  111.790154] Allocated by task 4893:
[  111.793769]  save_stack+0x43/0xd0
[  111.797206]  kasan_kmalloc+0xc4/0xe0
[  111.800902]  __kmalloc+0x14e/0x760
[  111.804424]  p9_fcall_alloc+0x1e/0x90
[  111.808206]  p9_client_prepare_req.part.8+0x754/0xcd0
[  111.813379]  p9_client_rpc+0x1bd/0x1400
[  111.817347]  p9_client_create+0xd09/0x16c9
[  111.821565]  v9fs_session_init+0x21a/0x1a80
[  111.825867]  v9fs_mount+0x7c/0x900
[  111.829389]  mount_fs+0xae/0x328
[  111.832746]  vfs_kern_mount.part.34+0xdc/0x4e0
[  111.837310]  do_mount+0x581/0x30e0
[  111.840833]  __ia32_compat_sys_mount+0x5d5/0x860
[  111.845568]  do_fast_syscall_32+0x34d/0xfb2
[  111.849871]  entry_SYSENTER_compat+0x70/0x7f
[  111.854254] 
[  111.855859] Freed by task 0:
[  111.858858] (stack is not available)
[  111.862559] 
[  111.864170] The buggy address belongs to the object at ffff8801d7082fc0
[  111.864170]  which belongs to the cache kmalloc-16384 of size 16384
[  111.877578] The buggy address is located 45 bytes inside of
[  111.877578]  16384-byte region [ffff8801d7082fc0, ffff8801d7086fc0)
[  111.889521] The buggy address belongs to the page:
[  111.894444] page:ffffea00075c2000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[  111.904405] flags: 0x2fffc0000008100(slab|head)
[  111.909069] raw: 02fffc0000008100 ffffea00075b4208 ffff8801da801c48 ffff8801da802200
[  111.916948] raw: 0000000000000000 ffff8801d7082fc0 0000000100000001 0000000000000000
[  111.924804] page dumped because: kasan: bad access detected
[  111.930489] 
[  111.932093] Memory state around the buggy address:
[  111.937016]  ffff8801d7084e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.944360]  ffff8801d7084f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.951701] >ffff8801d7084f80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[  111.959049]                                                        ^
[  111.965531]  ffff8801d7085000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  111.972873]  ffff8801d7085080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  111.980210] ==================================================================
[  111.987554] Disabling lock debugging due to kernel taint
[  111.993475] Kernel panic - not syncing: panic_on_warn set ...
[  111.993475] 
[  112.000855] CPU: 0 PID: 4893 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[  112.009435] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  112.018767] Call Trace:
[  112.021345]  dump_stack+0x1c9/0x2b4
[  112.024961]  ? dump_stack_print_info.cold.2+0x52/0x52
[  112.030135]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  112.034877]  panic+0x238/0x4e7
[  112.038054]  ? add_taint.cold.5+0x16/0x16
[  112.042188]  ? do_raw_spin_unlock+0xa7/0x2f0
[  112.046576]  ? pdu_read+0x90/0xd0
[  112.050011]  kasan_end_report+0x47/0x4f
[  112.053975]  kasan_report.cold.7+0x76/0x2fe
[  112.058278]  check_memory_region+0x13e/0x1b0
[  112.062667]  memcpy+0x23/0x50
[  112.065774]  pdu_read+0x90/0xd0
[  112.069036]  p9pdu_readf+0x579/0x2170
[  112.072823]  ? p9pdu_writef+0xe0/0xe0
[  112.076605]  ? __fget+0x414/0x670
[  112.080044]  ? rcu_is_watching+0x61/0x150
[  112.084174]  ? expand_files.part.8+0x9c0/0x9c0
[  112.088738]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.093738]  ? p9_fd_show_options+0x1c0/0x1c0
[  112.098226]  p9_client_create+0xde0/0x16c9
[  112.102446]  ? p9_client_read+0xc60/0xc60
[  112.106576]  ? find_held_lock+0x36/0x1c0
[  112.110627]  ? __lockdep_init_map+0x105/0x590
[  112.115106]  ? kasan_check_write+0x14/0x20
[  112.119322]  ? __init_rwsem+0x1cc/0x2a0
[  112.123284]  ? do_raw_write_unlock.cold.8+0x49/0x49
[  112.128294]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.133289]  ? __kmalloc_track_caller+0x5f5/0x760
[  112.138122]  ? save_stack+0xa9/0xd0
[  112.141730]  ? save_stack+0x43/0xd0
[  112.145336]  ? kasan_kmalloc+0xc4/0xe0
[  112.149203]  ? memcpy+0x45/0x50
[  112.152466]  v9fs_session_init+0x21a/0x1a80
[  112.156779]  ? find_held_lock+0x36/0x1c0
[  112.160824]  ? v9fs_show_options+0x7e0/0x7e0
[  112.165213]  ? kasan_check_read+0x11/0x20
[  112.169365]  ? rcu_is_watching+0x8c/0x150
[  112.173491]  ? rcu_pm_notify+0xc0/0xc0
[  112.177356]  ? rcu_pm_notify+0xc0/0xc0
[  112.181224]  ? v9fs_mount+0x61/0x900
[  112.184918]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.189917]  ? kmem_cache_alloc_trace+0x616/0x780
[  112.194745]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[  112.200266]  v9fs_mount+0x7c/0x900
[  112.203791]  mount_fs+0xae/0x328
[  112.207150]  vfs_kern_mount.part.34+0xdc/0x4e0
[  112.211713]  ? may_umount+0xb0/0xb0
[  112.215323]  ? _raw_read_unlock+0x22/0x30
[  112.219451]  ? __get_fs_type+0x97/0xc0
[  112.223330]  do_mount+0x581/0x30e0
[  112.226850]  ? do_raw_spin_unlock+0xa7/0x2f0
[  112.231240]  ? copy_mount_string+0x40/0x40
[  112.235456]  ? copy_mount_options+0x5f/0x380
[  112.239847]  ? rcu_read_lock_sched_held+0x108/0x120
[  112.244843]  ? kmem_cache_alloc_trace+0x616/0x780
[  112.249679]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  112.255200]  ? _copy_from_user+0xdf/0x150
[  112.259329]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  112.264858]  ? copy_mount_options+0x285/0x380
[  112.269338]  __ia32_compat_sys_mount+0x5d5/0x860
[  112.274095]  do_fast_syscall_32+0x34d/0xfb2
[  112.278413]  ? do_int80_syscall_32+0x890/0x890
[  112.282976]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  112.287714]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  112.293234]  ? syscall_return_slowpath+0x31d/0x5e0
[  112.298157]  ? sysret32_from_system_call+0x5/0x46
[  112.303270]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  112.308110]  entry_SYSENTER_compat+0x70/0x7f
[  112.312500] RIP: 0023:0xf7f15cb9
[  112.315843] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  112.334981] RSP: 002b:00000000ffecc4ac EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[  112.342692] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[  112.349956] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[  112.357209] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  112.364462] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  112.371712] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  112.379552] Dumping ftrace buffer:
[  112.383079]    (ftrace buffer empty)
[  112.386770] Kernel Offset: disabled
[  112.390387] Rebooting in 86400 seconds..
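Reading the report: the faulting memcpy() is reached from pdu_read() via p9pdu_readf() while p9_client_create() decodes the reply to its version request during a 9p mount, entered through the 32-bit compat mount syscall. The access is a 58954-byte read starting 45 bytes into a kmalloc-16384 object that p9_fcall_alloc() allocated, and the shadow rows put the first redzone byte at ffff8801d7084fe0, 8224 bytes into that object. That is consistent with a 32-byte struct p9_fcall followed by an 8192-byte payload buffer (the default msize), with the read starting 13 bytes into the payload: the 7-byte header plus the 4-byte msize and 2-byte string-length fields of an Rversion. Both the 58954 and the 13 are therefore lengths the peer wrote into the reply, and the peer is whatever sits at the other end of the fd transport, here the fuzzer itself. pdu_read() in this kernel clamps the copy only to pdu->size - pdu->offset, and pdu->size is itself taken from the reply header, so the clamp never consults the allocation. The 32-byte and 8192-byte split is inferred from the numbers above, not stated in the log.

The C below is an added illustration written for this page, not code from net/9p: it models the receive buffer with the same size/offset/capacity fields, forges an Rversion carrying the report's numbers, shows the count that a read clamped only to pdu->size - pdu->offset hands to memcpy(), and decodes the same reply with the header size validated against the allocation before any field is read. All names in it (struct pdu, unchecked_copy_len, parse_header_checked, parse_rversion, build_rversion) are hypothetical, and the replies are constructed test data.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define P9_HDRSZ    7        /* size[4] type[1] tag[2] */
#define P9_RVERSION 101      /* reply type to Tversion */
#define P9_NOTAG    0xffffu  /* the version exchange uses NOTAG */
#define ALLOC_SIZE  16384    /* models the kmalloc-16384 object in the report */

/* Hypothetical stand-in for the kernel's struct p9_fcall: size is whatever the
 * peer wrote in the header, capacity is what was actually allocated. */
struct pdu {
    uint32_t size, offset, capacity;
    uint8_t  sdata[ALLOC_SIZE];
};

static uint32_t le32(const uint8_t *b) { return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24; }
static uint16_t le16(const uint8_t *b) { return (uint16_t)(b[0] | b[1] << 8); }
static void put32(uint8_t *b, uint32_t v) { b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); b[2] = (uint8_t)(v >> 16); b[3] = (uint8_t)(v >> 24); }
static void put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); }

/* Count that a pdu_read() clamping only to pdu->size - pdu->offset hands to
 * memcpy(). pdu->size came from the peer, so the clamp never consults the
 * allocation; with the report's numbers it yields 58954. */
size_t unchecked_copy_len(const struct pdu *p, size_t want)
{
    size_t avail = p->size - p->offset;
    return want < avail ? want : avail;
}

/* Hardened header parse: the claimed size must cover the header and fit the
 * allocation before any payload field is decoded. */
int parse_header_checked(struct pdu *p, uint8_t *type, uint16_t *tag)
{
    uint32_t size = p->capacity >= P9_HDRSZ ? le32(p->sdata) : 0;
    if (size < P9_HDRSZ || size > p->capacity)
        return -1;
    p->size = size;
    p->offset = P9_HDRSZ;
    *type = p->sdata[4];
    *tag = le16(p->sdata + 5);
    return 0;
}

/* Bounds-checked read: fails rather than truncating or overrunning. Safe
 * because parse_header_checked() established size <= capacity. */
int pdu_read_checked(struct pdu *p, void *dst, size_t n)
{
    if (n > p->size - p->offset)
        return -1;
    memcpy(dst, p->sdata + p->offset, n);
    p->offset += (uint32_t)n;
    return 0;
}

/* Decode Rversion (msize[4] version[s]). Returns 0 on success, -1 bad header,
 * -2 wrong type/tag, -3 a field runs past the PDU, -4 string does not fit out. */
int parse_rversion(struct pdu *p, uint32_t *msize, char *out, size_t outlen)
{
    uint8_t type, b4[4], b2[2];
    uint16_t tag, len;
    if (parse_header_checked(p, &type, &tag) < 0)
        return -1;
    if (type != P9_RVERSION || tag != P9_NOTAG)
        return -2;
    if (pdu_read_checked(p, b4, 4) < 0 || pdu_read_checked(p, b2, 2) < 0)
        return -3;
    *msize = le32(b4);
    len = le16(b2);
    if (len > p->size - p->offset)   /* inner length vs. validated PDU size */
        return -3;
    if ((size_t)len + 1 > outlen)
        return -4;
    pdu_read_checked(p, out, len);
    out[len] = '\0';
    return 0;
}

/* Constructed test data: hdr_size and str_len are written verbatim so a lying
 * header can be forged; p->size is set as a non-validating receiver would. */
void build_rversion(struct pdu *p, uint32_t hdr_size, uint32_t msize, uint16_t str_len, const char *ver)
{
    size_t n = strlen(ver);
    memset(p, 0, sizeof *p);
    p->capacity = ALLOC_SIZE;
    p->size = hdr_size;
    put32(p->sdata, hdr_size);
    p->sdata[4] = P9_RVERSION;
    put16(p->sdata + 5, P9_NOTAG);
    put32(p->sdata + 7, msize);
    put16(p->sdata + 11, str_len);
    memcpy(p->sdata + 13, ver, n > ALLOC_SIZE - 13 ? ALLOC_SIZE - 13 : n);
}

int main(void)
{
    struct pdu p; uint32_t msize; char ver[64];
    /* forged reply with the report's numbers: 13 bytes of fields, then a string claimed to be 58954 bytes */
    build_rversion(&p, 13 + 58954, 8192, 58954, "9P2000.L");
    p.offset = 13;
    printf("unchecked memcpy length %zu, buffer has %u bytes left\n",
           unchecked_copy_len(&p, 58954), p.capacity - p.offset);
    printf("checked parse of forged reply: %d\n", parse_rversion(&p, &msize, ver, sizeof ver));
    build_rversion(&p, 13 + 8, 8192, 8, "9P2000.L");
    printf("valid reply: %d msize=%u version=%s\n", parse_rversion(&p, &msize, ver, sizeof ver), msize, ver);
    return 0;
}
```

The size check belongs where the header is accepted from the transport, before the tagged request's buffer is handed to the decoder; the per-field check inside parse_rversion() additionally rejects replies whose header size is honest but whose inner string length is not, which the header check alone would pass.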