[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.958441] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   24.073926] random: sshd: uninitialized urandom read (32 bytes read)
[   24.531423] random: sshd: uninitialized urandom read (32 bytes read)
[   25.355774] random: sshd: uninitialized urandom read (32 bytes read)
[   25.504857] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
[   30.904599] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 01:14:30 parsed 1 programs
[   32.604548] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 01:14:33 executed programs: 0
[   33.804568] IPVS: ftp: loaded support on port[0] = 21
[   33.996882] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.003381] bridge0: port 1(bridge_slave_0) entered disabled state
[   34.010752] device bridge_slave_0 entered promiscuous mode
[   34.026978] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.033361] bridge0: port 2(bridge_slave_1) entered disabled state
[   34.040542] device bridge_slave_1 entered promiscuous mode
[   34.055856] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   34.071053] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   34.110364] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   34.128087] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   34.187214] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   34.194597] team0: Port device team_slave_0 added
[   34.208548] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   34.215700] team0: Port device team_slave_1 added
[   34.231089] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   34.247433] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   34.263388] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   34.280412] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   34.391945] bridge0: port 2(bridge_slave_1) entered blocking state
[   34.398392] bridge0: port 2(bridge_slave_1) entered forwarding state
[   34.405339] bridge0: port 1(bridge_slave_0) entered blocking state
[   34.411806] bridge0: port 1(bridge_slave_0) entered forwarding state
[   34.802456] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   34.808569] 8021q: adding VLAN 0 to HW filter on device bond0
[   34.849351] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.890677] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.898772] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   34.937287] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   34.943421] 8021q: adding VLAN 0 to HW filter on device team0
[   34.949775] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   35.190421] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   35.632761] ==================================================================
[   35.640298] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   35.646434] Read of size 62190 at addr ffff8801a9922a6d by task syz-executor0/4851
[   35.654125] 
[   35.655735] CPU: 1 PID: 4851 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[   35.662897] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.672240] Call Trace:
[   35.674812]  dump_stack+0x1c9/0x2b4
[   35.678421]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.683605]  ? printk+0xa7/0xcf
[   35.686873]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   35.691616]  ? pdu_read+0x90/0xd0
[   35.695051]  print_address_description+0x6c/0x20b
[   35.699873]  ? pdu_read+0x90/0xd0
[   35.703307]  kasan_report.cold.7+0x242/0x2fe
[   35.707710]  check_memory_region+0x13e/0x1b0
[   35.712099]  memcpy+0x23/0x50
[   35.715185]  pdu_read+0x90/0xd0
[   35.718446]  p9pdu_readf+0x579/0x2170
[   35.722230]  ? p9pdu_writef+0xe0/0xe0
[   35.726015]  ? __fget+0x414/0x670
[   35.729457]  ? rcu_is_watching+0x61/0x150
[   35.733585]  ? expand_files.part.8+0x9c0/0x9c0
[   35.738156]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.743162]  ? p9_fd_show_options+0x1c0/0x1c0
[   35.747640]  p9_client_create+0xde0/0x16c9
[   35.751857]  ? p9_client_read+0xc60/0xc60
[   35.755983]  ? find_held_lock+0x36/0x1c0
[   35.760042]  ? __lockdep_init_map+0x105/0x590
[   35.764533]  ? kasan_check_write+0x14/0x20
[   35.768747]  ? __init_rwsem+0x1cc/0x2a0
[   35.772701]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   35.777698]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.782694]  ? __kmalloc_track_caller+0x5f5/0x760
[   35.787516]  ? save_stack+0xa9/0xd0
[   35.791124]  ? save_stack+0x43/0xd0
[   35.794740]  ? kasan_kmalloc+0xc4/0xe0
[   35.798610]  ? memcpy+0x45/0x50
[   35.801875]  v9fs_session_init+0x21a/0x1a80
[   35.806189]  ? find_held_lock+0x36/0x1c0
[   35.810246]  ? v9fs_show_options+0x7e0/0x7e0
[   35.814638]  ? kasan_check_read+0x11/0x20
[   35.818764]  ? rcu_is_watching+0x8c/0x150
[   35.822905]  ? rcu_pm_notify+0xc0/0xc0
[   35.826774]  ? rcu_pm_notify+0xc0/0xc0
[   35.830645]  ? v9fs_mount+0x61/0x900
[   35.834338]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.839338]  ? kmem_cache_alloc_trace+0x616/0x780
[   35.844164]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   35.849684]  v9fs_mount+0x7c/0x900
[   35.853208]  mount_fs+0xae/0x328
[   35.856558]  vfs_kern_mount.part.34+0xdc/0x4e0
[   35.861120]  ? may_umount+0xb0/0xb0
[   35.864729]  ? _raw_read_unlock+0x22/0x30
[   35.868857]  ? __get_fs_type+0x97/0xc0
[   35.872728]  do_mount+0x581/0x30e0
[   35.876250]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.880642]  ? copy_mount_string+0x40/0x40
[   35.884857]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   35.889874]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.894615]  ? retint_kernel+0x10/0x10
[   35.898502]  ? copy_mount_options+0x1e3/0x380
[   35.902990]  ? copy_mount_options+0x1f0/0x380
[   35.907477]  ? copy_mount_options+0x1fa/0x380
[   35.911960]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.917488]  ? copy_mount_options+0x285/0x380
[   35.921978]  __ia32_compat_sys_mount+0x5d5/0x860
[   35.926727]  do_fast_syscall_32+0x34d/0xfb2
[   35.931038]  ? do_int80_syscall_32+0x890/0x890
[   35.935602]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.940339]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.945854]  ? syscall_return_slowpath+0x31d/0x5e0
[   35.950765]  ? sysret32_from_system_call+0x5/0x46
[   35.955594]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.960430]  entry_SYSENTER_compat+0x70/0x7f
[   35.964826] RIP: 0023:0xf7fbacb9
[   35.968166] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   35.987347] RSP: 002b:00000000ffd9bcdc EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[   35.995040] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   36.002299] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   36.009548] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   36.016807] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   36.024056] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   36.031319] 
[   36.032935] Allocated by task 4851:
[   36.036554]  save_stack+0x43/0xd0
[   36.039993]  kasan_kmalloc+0xc4/0xe0
[   36.043689]  __kmalloc+0x14e/0x760
[   36.047215]  p9_fcall_alloc+0x1e/0x90
[   36.050994]  p9_client_prepare_req.part.8+0x754/0xcd0
[   36.056165]  p9_client_rpc+0x1bd/0x1400
[   36.060133]  p9_client_create+0xd09/0x16c9
[   36.064346]  v9fs_session_init+0x21a/0x1a80
[   36.068651]  v9fs_mount+0x7c/0x900
[   36.072171]  mount_fs+0xae/0x328
[   36.075527]  vfs_kern_mount.part.34+0xdc/0x4e0
[   36.080091]  do_mount+0x581/0x30e0
[   36.084145]  __ia32_compat_sys_mount+0x5d5/0x860
[   36.088883]  do_fast_syscall_32+0x34d/0xfb2
[   36.093187]  entry_SYSENTER_compat+0x70/0x7f
[   36.097573] 
[   36.099176] Freed by task 0:
[   36.102168] (stack is not available)
[   36.105863] 
[   36.107472] The buggy address belongs to the object at ffff8801a9922a40
[   36.107472]  which belongs to the cache kmalloc-16384 of size 16384
[   36.120454] The buggy address is located 45 bytes inside of
[   36.120454]  16384-byte region [ffff8801a9922a40, ffff8801a9926a40)
[   36.132391] The buggy address belongs to the page:
[   36.137300] page:ffffea0006a64800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   36.147257] flags: 0x2fffc0000008100(slab|head)
[   36.151917] raw: 02fffc0000008100 ffffea00073e6608 ffff8801da801c48 ffff8801da802200
[   36.159779] raw: 0000000000000000 ffff8801a9922a40 0000000100000001 0000000000000000
[   36.167634] page dumped because: kasan: bad access detected
[   36.173316] 
[   36.174919] Memory state around the buggy address:
[   36.179828]  ffff8801a9924900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.187165]  ffff8801a9924980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.194502] >ffff8801a9924a00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   36.201837]                                                        ^
[   36.208318]  ffff8801a9924a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.215654]  ffff8801a9924b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.223075] ==================================================================
[   36.230410] Disabling lock debugging due to kernel taint
[   36.236888] Kernel panic - not syncing: panic_on_warn set ...
[   36.236888] 
[   36.244266] CPU: 1 PID: 4851 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[   36.252826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.262161] Call Trace:
[   36.264735]  dump_stack+0x1c9/0x2b4
[   36.268347]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.273515]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.278253]  panic+0x238/0x4e7
[   36.281426]  ? add_taint.cold.5+0x16/0x16
[   36.285558]  ? do_raw_spin_unlock+0xa7/0x2f0
[   36.289947]  ? pdu_read+0x90/0xd0
[   36.293381]  kasan_end_report+0x47/0x4f
[   36.297334]  kasan_report.cold.7+0x76/0x2fe
[   36.301636]  check_memory_region+0x13e/0x1b0
[   36.306030]  memcpy+0x23/0x50
[   36.309117]  pdu_read+0x90/0xd0
[   36.312374]  p9pdu_readf+0x579/0x2170
[   36.316165]  ? p9pdu_writef+0xe0/0xe0
[   36.319956]  ? __fget+0x414/0x670
[   36.323387]  ? rcu_is_watching+0x61/0x150
[   36.327526]  ? expand_files.part.8+0x9c0/0x9c0
[   36.332109]  ? rcu_read_lock_sched_held+0x108/0x120
[   36.337109]  ? p9_fd_show_options+0x1c0/0x1c0
[   36.341597]  p9_client_create+0xde0/0x16c9
[   36.345812]  ? p9_client_read+0xc60/0xc60
[   36.349940]  ? find_held_lock+0x36/0x1c0
[   36.353998]  ? __lockdep_init_map+0x105/0x590
[   36.358483]  ? kasan_check_write+0x14/0x20
[   36.362696]  ? __init_rwsem+0x1cc/0x2a0
[   36.366650]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   36.371648]  ? rcu_read_lock_sched_held+0x108/0x120
[   36.376643]  ? __kmalloc_track_caller+0x5f5/0x760
[   36.381467]  ? save_stack+0xa9/0xd0
[   36.385074]  ? save_stack+0x43/0xd0
[   36.388680]  ? kasan_kmalloc+0xc4/0xe0
[   36.392548]  ? memcpy+0x45/0x50
[   36.395810]  v9fs_session_init+0x21a/0x1a80
[   36.400125]  ? find_held_lock+0x36/0x1c0
[   36.404167]  ? v9fs_show_options+0x7e0/0x7e0
[   36.408562]  ? kasan_check_read+0x11/0x20
[   36.412690]  ? rcu_is_watching+0x8c/0x150
[   36.416814]  ? rcu_pm_notify+0xc0/0xc0
[   36.420681]  ? rcu_pm_notify+0xc0/0xc0
[   36.424550]  ? v9fs_mount+0x61/0x900
[   36.428243]  ? rcu_read_lock_sched_held+0x108/0x120
[   36.433236]  ? kmem_cache_alloc_trace+0x616/0x780
[   36.438070]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   36.443589]  v9fs_mount+0x7c/0x900
[   36.447112]  mount_fs+0xae/0x328
[   36.450459]  vfs_kern_mount.part.34+0xdc/0x4e0
[   36.455027]  ? may_umount+0xb0/0xb0
[   36.458635]  ? _raw_read_unlock+0x22/0x30
[   36.462759]  ? __get_fs_type+0x97/0xc0
[   36.466626]  do_mount+0x581/0x30e0
[   36.470166]  ? do_raw_spin_unlock+0xa7/0x2f0
[   36.474557]  ? copy_mount_string+0x40/0x40
[   36.478770]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   36.483780]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.488517]  ? retint_kernel+0x10/0x10
[   36.492389]  ? copy_mount_options+0x1e3/0x380
[   36.496861]  ? copy_mount_options+0x1f0/0x380
[   36.501334]  ? copy_mount_options+0x1fa/0x380
[   36.505818]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.511353]  ? copy_mount_options+0x285/0x380
[   36.515851]  __ia32_compat_sys_mount+0x5d5/0x860
[   36.520591]  do_fast_syscall_32+0x34d/0xfb2
[   36.524893]  ? do_int80_syscall_32+0x890/0x890
[   36.529453]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   36.534192]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.539708]  ? syscall_return_slowpath+0x31d/0x5e0
[   36.544627]  ? sysret32_from_system_call+0x5/0x46
[   36.549450]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.554273]  entry_SYSENTER_compat+0x70/0x7f
[   36.558669] RIP: 0023:0xf7fbacb9
[   36.562013] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   36.581150] RSP: 002b:00000000ffd9bcdc EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[   36.588839] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   36.596099] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   36.603349] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   36.610596] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   36.617843] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   36.625583] Dumping ftrace buffer:
[   36.629105]    (ftrace buffer empty)
[   36.632790] Kernel Offset: disabled
[   36.636393] Rebooting in 86400 seconds..
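What the report pins down is the arithmetic: pdu_read asked memcpy for 62190 bytes starting 45 bytes into a 16384-byte kmalloc object allocated by p9_fcall_alloc, so the copy ran roughly 46 KiB past the end of the allocation. The length came out of the message being parsed in p9pdu_readf, which is data the 9p client reads from the transport, not something the allocating code controls. The C below is an added illustration, not net/9p's code and not the fix that was applied: it models a PDU reader whose bounds check trusts only the length field versus one that also clamps to the allocation, and replays the report's numbers through both. The struct fields, the function names and the constructed 9P-style length-prefixed strings are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Illustrative PDU buffer. Field names are assumptions for this example,
 * not the kernel's struct p9_fcall. */
struct pdu {
    size_t capacity;       /* bytes actually allocated behind sdata (trusted) */
    size_t size;           /* length claimed by the message (untrusted) */
    size_t offset;         /* read cursor */
    const uint8_t *sdata;
};

/* Bounds check that trusts only the message-declared size. A message that
 * claims more than was allocated passes this check, and the memcpy that
 * follows walks off the end of the object: the pattern the report shows. */
static int fits_declared_size(const struct pdu *p, size_t len)
{
    return len <= p->size && p->offset <= p->size - len;
}

/* Hardened check: the copy must also fit inside the allocation. The
 * subtraction form avoids overflowing offset + len on absurd lengths. */
static int fits_allocation(const struct pdu *p, size_t len)
{
    size_t limit = p->size < p->capacity ? p->size : p->capacity;
    return len <= limit && p->offset <= limit - len;
}

static int pdu_read_checked(struct pdu *p, void *dst, size_t len)
{
    if (!fits_allocation(p, len))
        return -1;
    memcpy(dst, p->sdata + p->offset, len);
    p->offset += len;
    return 0;
}

/* Numbers taken from the KASAN report: a 16384-byte object, the cursor 45
 * bytes in, and a request for 62190 bytes. The declared size is constructed
 * so that the length field is internally consistent with the message. */
#define REPORT_CAPACITY 16384u
#define REPORT_OFFSET   45u
#define REPORT_LEN      62190u

/* Returns 1 if a size-only check would have let the 62190-byte copy through. */
int report_passes_declared_size_check(void)
{
    struct pdu p = { REPORT_CAPACITY, REPORT_OFFSET + REPORT_LEN, REPORT_OFFSET, NULL };
    return fits_declared_size(&p, REPORT_LEN);
}

/* Returns 1 if the allocation-aware check rejects the same read. */
int report_rejected_by_allocation_check(void)
{
    struct pdu p = { REPORT_CAPACITY, REPORT_OFFSET + REPORT_LEN, REPORT_OFFSET, NULL };
    return !fits_allocation(&p, REPORT_LEN);
}

/* Parse a 9P-style string: 2-byte little-endian length, then that many
 * bytes. Returns the string length, or -1 when the data does not fit the
 * buffer or the destination. */
int read_prefixed_string(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    struct pdu p = { buflen, buflen, 0, buf };
    uint8_t hdr[2];
    if (pdu_read_checked(&p, hdr, 2) < 0)
        return -1;
    size_t n = hdr[0] | ((size_t)hdr[1] << 8);
    if (n >= outlen || pdu_read_checked(&p, out, n) < 0)
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* Constructed inputs: a well-formed version string and one whose length
 * field promises more bytes than the buffer holds. */
int parse_constructed_version(char *out, size_t outlen)
{
    static const uint8_t msg[] = { 0x08, 0x00, '9', 'P', '2', '0', '0', '0', '.', 'L' };
    return read_prefixed_string(msg, sizeof msg, out, outlen);
}

int parse_constructed_truncated(char *out, size_t outlen)
{
    static const uint8_t msg[] = { 0x08, 0x00, '9', 'P' };
    return read_prefixed_string(msg, sizeof msg, out, outlen);
}

int main(void)
{
    char out[32];
    printf("size-only check accepts report input: %d\n", report_passes_declared_size_check());
    printf("allocation check rejects report input: %d\n", report_rejected_by_allocation_check());
    printf("version string: %d bytes\n", parse_constructed_version(out, sizeof out));
    printf("truncated string: %d\n", parse_constructed_truncated(out, sizeof out));
    return 0;
}
```

The triage point for a report like this is to compare the three numbers KASAN gives (object size, offset inside the object, access size) before reading any code: 45 + 62190 against 16384 already says the length was never checked against the allocation, and the allocation stack shows which buffer (p9_fcall_alloc) that capacity belongs to.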