[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 19.237204] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 25.324601] random: sshd: uninitialized urandom read (32 bytes read) [ 25.674881] random: sshd: uninitialized urandom read (32 bytes read) [ 26.511253] random: sshd: uninitialized urandom read (32 bytes read) [ 26.667461] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts. [ 32.108813] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 32.201486] ================================================================== [ 32.208959] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 [ 32.216314] Read of size 4 at addr ffff8801cfa7eaa4 by task syz-executor765/4534 [ 32.223829] [ 32.225449] CPU: 1 PID: 4534 Comm: syz-executor765 Not tainted 4.18.0-rc4+ #138 [ 32.232889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.242223] Call Trace: [ 32.244802] dump_stack+0x1c9/0x2b4 [ 32.248415] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.253597] ? printk+0xa7/0xcf [ 32.256863] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.261606] ? fscache_alloc_cookie+0x7a9/0x880 [ 32.266259] print_address_description+0x6c/0x20b [ 32.271082] ? fscache_alloc_cookie+0x7a9/0x880 [ 32.275733] kasan_report.cold.7+0x242/0x2fe [ 32.280124] __asan_report_load4_noabort+0x14/0x20 [ 32.285044] fscache_alloc_cookie+0x7a9/0x880 [ 32.289548] ? fscache_cookie_init_once+0x80/0x80 [ 32.294384] ? lock_downgrade+0x8f0/0x8f0 [ 32.298519] ? radix_tree_delete_item+0x188/0x310 [ 32.303366] ? kasan_check_read+0x11/0x20 [ 32.307499] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.311890] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.316457] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 32.321568] __fscache_acquire_cookie+0x230/0xb00 [ 32.326514] ? fscache_cookie_put+0x850/0x850 [ 32.331005] ? p9_client_attach+0x215/0x860 [ 32.335309] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 32.340405] ? debug_check_no_obj_freed+0x30b/0x595 [ 32.345405] ? p9_client_walk+0xab0/0xab0 [ 32.349542] ? trace_hardirqs_off+0xd/0x10 [ 32.353765] ? quarantine_put+0x10d/0x1b0 [ 32.357911] ? kfree+0x111/0x260 [ 32.361265] v9fs_cache_session_get_cookie+0xc4/0x270 [ 32.366446] v9fs_session_init+0x1013/0x1a80 [ 32.370848] ? v9fs_show_options+0x7e0/0x7e0 [ 32.375242] ? rcu_is_watching+0x8c/0x150 [ 32.379371] ? rcu_pm_notify+0xc0/0xc0 [ 32.383242] ? v9fs_mount+0x61/0x900 [ 32.386936] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.391946] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 32.397486] v9fs_mount+0x7c/0x900 [ 32.401024] mount_fs+0xae/0x328 [ 32.404381] vfs_kern_mount.part.34+0xdc/0x4e0 [ 32.408943] ? may_umount+0xb0/0xb0 [ 32.412553] ? _raw_read_unlock+0x22/0x30 [ 32.416680] ? __get_fs_type+0x97/0xc0 [ 32.420553] do_mount+0x581/0x30e0 [ 32.424080] ? copy_mount_string+0x40/0x40 [ 32.428303] ? copy_mount_options+0x5f/0x380 [ 32.432700] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.437719] ? kmem_cache_alloc_trace+0x616/0x780 [ 32.442548] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 32.448077] ? _copy_from_user+0xdf/0x150 [ 32.452221] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.457750] ? copy_mount_options+0x285/0x380 [ 32.462237] ksys_mount+0x12d/0x140 [ 32.465847] __x64_sys_mount+0xbe/0x150 [ 32.469809] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 32.474819] do_syscall_64+0x1b9/0x820 [ 32.478686] ? syscall_slow_exit_work+0x500/0x500 [ 32.483511] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.488421] ? syscall_return_slowpath+0x31d/0x5e0 [ 32.493333] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.498851] ? retint_user+0x18/0x18 [ 32.502548] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.507380] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.512555] RIP: 0033:0x440169 [ 32.515724] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 32.535089] RSP: 002b:00007fffcc8f19b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 32.542786] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440169 [ 32.550041] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000 [ 32.557298] RBP: 00000000006ca018 R08: 0000000020000080 R09: 00000000004002c8 [ 32.564555] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000004019f0 [ 32.571814] R13: 0000000000401a80 R14: 0000000000000000 R15: 0000000000000000 [ 32.579088] [ 32.580697] Allocated by task 4534: [ 32.584320] save_stack+0x43/0xd0 [ 32.587755] kasan_kmalloc+0xc4/0xe0 [ 32.591454] __kmalloc+0x14e/0x760 [ 32.594975] fscache_alloc_cookie+0x701/0x880 [ 32.599451] __fscache_acquire_cookie+0x230/0xb00 [ 32.604273] v9fs_cache_session_get_cookie+0xc4/0x270 [ 32.609452] v9fs_session_init+0x1013/0x1a80 [ 32.613848] v9fs_mount+0x7c/0x900 [ 32.618589] mount_fs+0xae/0x328 [ 32.621940] vfs_kern_mount.part.34+0xdc/0x4e0 [ 32.626519] do_mount+0x581/0x30e0 [ 32.630038] ksys_mount+0x12d/0x140 [ 32.633649] __x64_sys_mount+0xbe/0x150 [ 32.637605] do_syscall_64+0x1b9/0x820 [ 32.641476] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.646641] [ 32.648245] Freed by task 1: [ 32.651252] save_stack+0x43/0xd0 [ 32.654701] __kasan_slab_free+0x11a/0x170 [ 32.658912] kasan_slab_free+0xe/0x10 [ 32.662693] kfree+0xd9/0x260 [ 32.665783] virtscsi_target_destroy+0x37/0x50 [ 32.670346] scsi_target_destroy+0x202/0x570 [ 32.674734] scsi_target_reap+0xf8/0x140 [ 32.678780] __scsi_scan_target+0x21b/0xfe0 [ 32.683078] scsi_scan_channel.part.7+0x11f/0x190 [ 32.687898] scsi_scan_host_selected+0x2b9/0x3d0 [ 32.692632] do_scsi_scan_host+0x1ee/0x260 [ 32.696845] scsi_scan_host+0x4b6/0x5a0 [ 32.700804] virtscsi_probe+0xc00/0xf24 [ 32.704762] virtio_dev_probe+0x592/0x942 [ 32.708899] driver_probe_device+0x6ad/0x970 [ 32.713295] __driver_attach+0x28b/0x2f0 [ 32.717336] bus_for_each_dev+0x15d/0x1f0 [ 32.721464] driver_attach+0x3d/0x50 [ 32.725165] bus_add_driver+0x4b2/0x600 [ 32.729117] driver_register+0x1c8/0x320 [ 32.733159] register_virtio_driver+0x79/0xd0 [ 32.737639] init+0xa3/0x114 [ 32.740640] do_one_initcall+0x127/0x913 [ 32.744688] kernel_init_freeable+0x49b/0x58e [ 32.749169] kernel_init+0x11/0x1b3 [ 32.752782] ret_from_fork+0x3a/0x50 [ 32.756469] [ 32.758081] The buggy address belongs to the object at ffff8801cfa7ea80 [ 32.758081] which belongs to the cache kmalloc-64 of size 64 [ 32.770550] The buggy address is located 36 bytes inside of [ 32.770550] 64-byte region [ffff8801cfa7ea80, ffff8801cfa7eac0) [ 32.782230] The buggy address belongs to the page: [ 32.787156] page:ffffea00073e9f80 count:1 mapcount:0 mapping:ffff8801da800340 index:0xffff8801cfa7ed80 [ 32.796587] flags: 0x2fffc0000000100(slab) [ 32.800810] raw: 02fffc0000000100 ffff8801da801338 ffffea00074b2148 ffff8801da800340 [ 32.808674] raw: ffff8801cfa7ed80 ffff8801cfa7e000 000000010000001b 0000000000000000 [ 32.816531] page dumped because: kasan: bad access detected [ 32.822224] [ 32.823829] Memory state around the buggy address: [ 32.828744] ffff8801cfa7e980: 00 00 00 00 06 fc fc fc fc fc fc fc fc fc fc fc [ 32.836085] ffff8801cfa7ea00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.843425] >ffff8801cfa7ea80: 00 00 00 00 05 fc fc fc fc fc fc fc fc fc fc fc [ 32.850759] ^ [ 32.855150] ffff8801cfa7eb00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.862498] ffff8801cfa7eb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.869832] ================================================================== [ 32.877165] Disabling lock debugging due to kernel taint [ 32.882720] Kernel panic - not syncing: panic_on_warn set ... [ 32.882720] [ 32.890100] CPU: 1 PID: 4534 Comm: syz-executor765 Tainted: G B 4.18.0-rc4+ #138 [ 32.898927] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.908264] Call Trace: [ 32.910849] dump_stack+0x1c9/0x2b4 [ 32.914472] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.919652] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 32.924389] panic+0x238/0x4e7 [ 32.927559] ? add_taint.cold.5+0x16/0x16 [ 32.931686] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.936087] ? fscache_alloc_cookie+0x7a9/0x880 [ 32.940733] kasan_end_report+0x47/0x4f [ 32.944690] kasan_report.cold.7+0x76/0x2fe [ 32.949001] __asan_report_load4_noabort+0x14/0x20 [ 32.953915] fscache_alloc_cookie+0x7a9/0x880 [ 32.958402] ? fscache_cookie_init_once+0x80/0x80 [ 32.964020] ? lock_downgrade+0x8f0/0x8f0 [ 32.968156] ? radix_tree_delete_item+0x188/0x310 [ 32.972990] ? kasan_check_read+0x11/0x20 [ 32.977123] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.981530] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.986114] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 32.991197] __fscache_acquire_cookie+0x230/0xb00 [ 32.996030] ? fscache_cookie_put+0x850/0x850 [ 33.000518] ? p9_client_attach+0x215/0x860 [ 33.004820] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 33.009904] ? debug_check_no_obj_freed+0x30b/0x595 [ 33.014902] ? p9_client_walk+0xab0/0xab0 [ 33.019037] ? trace_hardirqs_off+0xd/0x10 [ 33.023256] ? quarantine_put+0x10d/0x1b0 [ 33.027400] ? kfree+0x111/0x260 [ 33.030755] v9fs_cache_session_get_cookie+0xc4/0x270 [ 33.035938] v9fs_session_init+0x1013/0x1a80 [ 33.040340] ? v9fs_show_options+0x7e0/0x7e0 [ 33.044731] ? rcu_is_watching+0x8c/0x150 [ 33.048857] ? rcu_pm_notify+0xc0/0xc0 [ 33.052724] ? v9fs_mount+0x61/0x900 [ 33.056414] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.061411] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 33.066927] v9fs_mount+0x7c/0x900 [ 33.070457] mount_fs+0xae/0x328 [ 33.073803] vfs_kern_mount.part.34+0xdc/0x4e0 [ 33.078364] ? may_umount+0xb0/0xb0 [ 33.081971] ? _raw_read_unlock+0x22/0x30 [ 33.086101] ? __get_fs_type+0x97/0xc0 [ 33.089971] do_mount+0x581/0x30e0 [ 33.093492] ? copy_mount_string+0x40/0x40 [ 33.097719] ? copy_mount_options+0x5f/0x380 [ 33.102119] ? rcu_read_lock_sched_held+0x108/0x120 [ 33.107122] ? kmem_cache_alloc_trace+0x616/0x780 [ 33.111947] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 33.117470] ? _copy_from_user+0xdf/0x150 [ 33.121606] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.127136] ? copy_mount_options+0x285/0x380 [ 33.131638] ksys_mount+0x12d/0x140 [ 33.135250] __x64_sys_mount+0xbe/0x150 [ 33.139295] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 33.144305] do_syscall_64+0x1b9/0x820 [ 33.148179] ? syscall_slow_exit_work+0x500/0x500 [ 33.153046] ? syscall_return_slowpath+0x5e0/0x5e0 [ 33.157954] ? syscall_return_slowpath+0x31d/0x5e0 [ 33.162890] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 33.168409] ? retint_user+0x18/0x18 [ 33.172111] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 33.176943] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 33.182113] RIP: 0033:0x440169 [ 33.185276] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 33.204494] RSP: 002b:00007fffcc8f19b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 33.212182] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440169 [ 33.219428] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000 [ 33.226678] RBP: 00000000006ca018 R08: 0000000020000080 R09: 00000000004002c8 [ 33.233928] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000004019f0 [ 33.241193] R13: 0000000000401a80 R14: 0000000000000000 R15: 0000000000000000 [ 33.248941] Dumping ftrace buffer: [ 33.252467] (ftrace buffer empty) [ 33.256160] Kernel Offset: disabled [ 33.259794] Rebooting in 86400 seconds..