[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 12.663088] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 15.423189] random: sshd: uninitialized urandom read (32 bytes read) [ 15.656164] random: sshd: uninitialized urandom read (32 bytes read) [ 16.588951] random: sshd: uninitialized urandom read (32 bytes read) [ 22.725781] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts. [ 28.091593] random: sshd: uninitialized urandom read (32 bytes read) 2018/07/10 06:00:10 parsed 1 programs [ 29.548945] random: cc1: uninitialized urandom read (8 bytes read) 2018/07/10 06:00:12 executed programs: 0 [ 30.820822] IPVS: Creating netns size=2536 id=1 [ 30.852286] IPVS: Creating netns size=2536 id=2 [ 30.875742] IPVS: Creating netns size=2536 id=3 [ 30.891025] IPVS: Creating netns size=2536 id=4 [ 30.918075] IPVS: Creating netns size=2536 id=5 [ 30.958786] IPVS: Creating netns size=2536 id=6 [ 30.981333] IPVS: Creating netns size=2536 id=7 [ 31.007541] IPVS: Creating netns size=2536 id=8 [ 31.141479] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.164038] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.222345] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.252516] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.339506] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.355809] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.365892] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.376011] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.391617] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.401875] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.412977] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.420898] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.434039] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.447472] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.454738] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.470651] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.499778] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.525880] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.538931] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 31.585289] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 31.600842] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.608605] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.616032] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.623818] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.635250] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.643529] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.650768] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.662989] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.670374] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.677702] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.685094] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.693599] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.701973] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.713330] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 31.736164] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.748001] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 31.764806] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 31.778343] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 31.792813] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 31.819816] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 31.835231] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.844969] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.867747] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.881123] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.889166] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.916246] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 31.925036] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.932392] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.942238] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.949572] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.960343] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 31.971098] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 31.980036] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 31.987687] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 31.998719] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 32.008652] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 32.017012] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 32.027235] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 32.035388] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 32.042720] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 32.049626] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 32.058179] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 32.065818] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 32.073335] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 32.084137] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 32.091418] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 32.099026] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 32.106537] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 32.114273] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 32.121644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 32.130546] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 32.144515] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 32.151974] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 32.165681] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 32.179288] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 32.189825] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 34.551384] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 34.717683] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 34.729298] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 34.737032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 34.813782] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 34.839399] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 34.939796] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 34.964465] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 34.971838] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 34.979148] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 34.989127] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 34.998754] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 35.014151] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 35.026482] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 35.047547] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 35.056814] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 35.100177] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 35.111212] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 35.118414] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 35.163638] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 35.170900] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 35.181408] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 35.190162] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 35.205325] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 35.213091] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 35.219839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 35.239753] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 35.253207] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 35.261540] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 35.316925] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 35.331705] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 35.339294] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 2018/07/10 06:00:18 executed programs: 8 [ 37.036535] ================================================================== [ 37.043937] BUG: KASAN: slab-out-of-bounds in p9pdu_readf+0x535/0x1d50 [ 37.050581] Read of size 65411 at addr ffff8801b7fbc02d by task syz-executor2/6838 [ 37.058265] [ 37.059878] CPU: 1 PID: 6838 Comm: syz-executor2 Not tainted 4.9.111-g03c70fe #10 [ 37.067508] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.076844] ffff8801c30ef570 ffffffff81eb2729 ffffea0006dfef00 ffff8801b7fbc02d [ 37.084858] 0000000000000000 ffff8801b7fbe025 fffffffffffffff3 ffff8801c30ef5a8 [ 37.092878] ffffffff81567b59 ffff8801b7fbc02d 000000000000ff83 0000000000000000 [ 37.100883] Call Trace: [ 37.103453] [] dump_stack+0xc1/0x128 [ 37.108796] [] print_address_description+0x6c/0x234 [ 37.115445] [] kasan_report.cold.6+0x242/0x2fe [ 37.121657] [] ? p9pdu_readf+0x535/0x1d50 [ 37.127444] [] check_memory_region+0x14f/0x1b0 [ 37.133667] [] memcpy+0x23/0x50 [ 37.138574] [] p9pdu_readf+0x535/0x1d50 [ 37.144182] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 37.151006] [] ? p9_client_rpc+0x643/0x1140 [ 37.156969] [] ? trace_event_raw_event_9p_client_res+0x270/0x270 [ 37.164741] [] ? add_wait_queue+0x76/0xa0 [ 37.170522] [] ? p9pdu_writef+0xe0/0xe0 [ 37.176146] [] ? iface_stat_update.cold.40+0xf4/0x143 [ 37.182967] [] ? pipe_poll+0x25c/0x2d0 [ 37.188481] [] ? p9_fd_poll+0x246/0x310 [ 37.194084] [] ? lockdep_init_map+0x105/0x4f0 [ 37.200210] [] ? prepare_to_wait_event+0x450/0x450 [ 37.206778] [] ? p9_conn_create+0x3c0/0x4c0 [ 37.212731] [] ? parse_opts.part.1+0x320/0x320 [ 37.218943] [] ? __raw_spin_lock_init+0x2d/0x100 [ 37.225329] [] p9_client_create+0xa3f/0x10a0 [ 37.231368] [] ? p9_client_zc_rpc.constprop.11+0x1020/0x1020 [ 37.238803] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 37.245638] [] ? bdi_register+0xb4/0x570 [ 37.251344] [] ? bdi_init+0x7ae/0xab0 [ 37.256795] [] v9fs_session_init+0x333/0x13a0 [ 37.262927] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 37.269855] [] ? debug_check_no_obj_freed+0x2ec/0x930 [ 37.276677] [] ? v9fs_inode_init_once+0x30/0x30 [ 37.282980] [] ? debug_object_activate+0x4e0/0x4e0 [ 37.289547] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 37.296373] [] ? free_hot_cold_page+0x493/0x840 [ 37.302669] [] ? check_preemption_disabled+0x3b/0x170 [ 37.309493] [] ? kasan_unpoison_shadow+0x35/0x50 [ 37.315884] [] ? kasan_kmalloc+0xc7/0xe0 [ 37.321581] [] ? kmem_cache_alloc_trace+0xfd/0x2b0 [ 37.328139] [] v9fs_mount+0x7d/0x810 [ 37.333486] [] mount_fs+0x28c/0x370 [ 37.338747] [] vfs_kern_mount.part.29+0xd1/0x3d0 [ 37.345136] [] ? ns_capable_common+0x12a/0x150 [ 37.351355] [] do_mount+0x3c9/0x2740 [ 37.356695] [] ? copy_mount_string+0x40/0x40 [ 37.362738] [] ? kasan_unpoison_shadow+0x35/0x50 [ 37.369143] [] ? kasan_kmalloc+0xc7/0xe0 [ 37.374859] [] ? kmem_cache_alloc_trace+0xfd/0x2b0 [ 37.381421] [] ? copy_mount_options+0x5f/0x320 [ 37.387629] [] ? copy_mount_options+0x1e5/0x320 [ 37.394019] [] compat_SyS_mount+0x4fc/0xff0 [ 37.399989] [] ? do_fast_syscall_32+0xcf/0x870 [ 37.406208] [] ? compat_SyS_io_submit+0xf0/0xf0 [ 37.412510] [] do_fast_syscall_32+0x2f7/0x870 [ 37.418629] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.425284] [] entry_SYSENTER_compat+0x90/0xa2 [ 37.431490] [ 37.433096] The buggy address belongs to the page: [ 37.437999] page:ffffea0006dfef00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 37.448176] flags: 0x8000000000004000(head) [ 37.452471] page dumped because: kasan: bad access detected [ 37.458158] [ 37.459759] Memory state around the buggy address: [ 37.464672] ffff8801b7fbdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 37.472025] ffff8801b7fbdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 37.479365] >ffff8801b7fbe000: 00 00 00 00 fe fe fe fe fe fe fe fe fe fe fe fe [ 37.486713] ^ [ 37.491113] ffff8801b7fbe080: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 37.498462] ffff8801b7fbe100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 37.505804] ================================================================== [ 37.513143] Disabling lock debugging due to kernel taint [ 37.520214] Kernel panic - not syncing: panic_on_warn set ... [ 37.520214] [ 37.527584] CPU: 1 PID: 6838 Comm: syz-executor2 Tainted: G B 4.9.111-g03c70fe #10 [ 37.536411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.545762] ffff8801c30ef4d0 ffffffff81eb2729 ffffffff843c71a7 00000000ffffffff [ 37.553786] 0000000000000000 0000000000000001 fffffffffffffff3 ffff8801c30ef590 [ 37.561779] ffffffff814219f5 0000000041b58ab3 ffffffff843ba8c0 ffffffff81421836 [ 37.569794] Call Trace: [ 37.572363] [] dump_stack+0xc1/0x128 [ 37.577717] [] panic+0x1bf/0x3bc [ 37.582720] [] ? add_taint.cold.6+0x16/0x16 [ 37.588675] [] ? ___preempt_schedule+0x16/0x18 [ 37.594902] [] kasan_end_report+0x47/0x4f [ 37.600677] [] kasan_report.cold.6+0x76/0x2fe [ 37.606837] [] ? p9pdu_readf+0x535/0x1d50 [ 37.612613] [] check_memory_region+0x14f/0x1b0 [ 37.618823] [] memcpy+0x23/0x50 [ 37.623741] [] p9pdu_readf+0x535/0x1d50 [ 37.629355] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 37.636183] [] ? p9_client_rpc+0x643/0x1140 [ 37.642150] [] ? trace_event_raw_event_9p_client_res+0x270/0x270 [ 37.649923] [] ? add_wait_queue+0x76/0xa0 [ 37.655741] [] ? p9pdu_writef+0xe0/0xe0 [ 37.661359] [] ? iface_stat_update.cold.40+0xf4/0x143 [ 37.668177] [] ? pipe_poll+0x25c/0x2d0 [ 37.673695] [] ? p9_fd_poll+0x246/0x310 [ 37.679296] [] ? lockdep_init_map+0x105/0x4f0 [ 37.685418] [] ? prepare_to_wait_event+0x450/0x450 [ 37.691976] [] ? p9_conn_create+0x3c0/0x4c0 [ 37.697948] [] ? parse_opts.part.1+0x320/0x320 [ 37.704182] [] ? __raw_spin_lock_init+0x2d/0x100 [ 37.710574] [] p9_client_create+0xa3f/0x10a0 [ 37.716634] [] ? p9_client_zc_rpc.constprop.11+0x1020/0x1020 [ 37.724072] [] ? rcu_read_lock_sched_held+0x103/0x120 [ 37.730904] [] ? bdi_register+0xb4/0x570 [ 37.736613] [] ? bdi_init+0x7ae/0xab0 [ 37.742046] [] v9fs_session_init+0x333/0x13a0 [ 37.748176] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 37.755097] [] ? debug_check_no_obj_freed+0x2ec/0x930 [ 37.761918] [] ? v9fs_inode_init_once+0x30/0x30 [ 37.768223] [] ? debug_object_activate+0x4e0/0x4e0 [ 37.774788] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 37.781620] [] ? free_hot_cold_page+0x493/0x840 [ 37.787921] [] ? check_preemption_disabled+0x3b/0x170 [ 37.794831] [] ? kasan_unpoison_shadow+0x35/0x50 [ 37.801215] [] ? kasan_kmalloc+0xc7/0xe0 [ 37.806910] [] ? kmem_cache_alloc_trace+0xfd/0x2b0 [ 37.813483] [] v9fs_mount+0x7d/0x810 [ 37.818832] [] mount_fs+0x28c/0x370 [ 37.824089] [] vfs_kern_mount.part.29+0xd1/0x3d0 [ 37.830492] [] ? ns_capable_common+0x12a/0x150 [ 37.836711] [] do_mount+0x3c9/0x2740 [ 37.842065] [] ? copy_mount_string+0x40/0x40 [ 37.848379] [] ? kasan_unpoison_shadow+0x35/0x50 [ 37.854784] [] ? kasan_kmalloc+0xc7/0xe0 [ 37.860490] [] ? kmem_cache_alloc_trace+0xfd/0x2b0 [ 37.867072] [] ? copy_mount_options+0x5f/0x320 [ 37.873310] [] ? copy_mount_options+0x1e5/0x320 [ 37.879613] [] compat_SyS_mount+0x4fc/0xff0 [ 37.885572] [] ? do_fast_syscall_32+0xcf/0x870 [ 37.891781] [] ? compat_SyS_io_submit+0xf0/0xf0 [ 37.898077] [] do_fast_syscall_32+0x2f7/0x870 [ 37.904290] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.910942] [] entry_SYSENTER_compat+0x90/0xa2 [ 37.917593] Dumping ftrace buffer: [ 37.921113] (ftrace buffer empty) [ 37.924796] Kernel Offset: disabled [ 37.928412] Rebooting in 86400 seconds..