[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.156096] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.886889] random: sshd: uninitialized urandom read (32 bytes read)
[   25.192480] random: sshd: uninitialized urandom read (32 bytes read)
[   26.053265] random: sshd: uninitialized urandom read (32 bytes read)
[   26.210283] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.60' (ECDSA) to the list of known hosts.
[   31.745422] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   31.839659] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   31.865010] ==================================================================
[   31.872501] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   31.878635] Read of size 20291 at addr ffff8801b27b046d by task syz-executor738/4538
[   31.886497] 
[   31.888119] CPU: 0 PID: 4538 Comm: syz-executor738 Not tainted 4.18.0-rc4+ #138
[   31.895544] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.904879] Call Trace:
[   31.907460]  dump_stack+0x1c9/0x2b4
[   31.911077]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.916260]  ? printk+0xa7/0xcf
[   31.919521]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.924265]  ? pdu_read+0x90/0xd0
[   31.927701]  print_address_description+0x6c/0x20b
[   31.932525]  ? pdu_read+0x90/0xd0
[   31.935958]  kasan_report.cold.7+0x242/0x2fe
[   31.940349]  check_memory_region+0x13e/0x1b0
[   31.944738]  memcpy+0x23/0x50
[   31.947824]  pdu_read+0x90/0xd0
[   31.951091]  p9pdu_readf+0x579/0x2170
[   31.954892]  ? p9pdu_writef+0xe0/0xe0
[   31.958680]  ? __fget+0x414/0x670
[   31.962117]  ? rcu_is_watching+0x61/0x150
[   31.966246]  ? expand_files.part.8+0x9c0/0x9c0
[   31.970815]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.975845]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.980331]  p9_client_create+0xde0/0x16c9
[   31.984565]  ? p9_client_read+0xc60/0xc60
[   31.988700]  ? find_held_lock+0x36/0x1c0
[   31.992760]  ? __lockdep_init_map+0x105/0x590
[   31.997242]  ? kasan_check_write+0x14/0x20
[   32.001461]  ? __init_rwsem+0x1cc/0x2a0
[   32.005425]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.010424]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.015424]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.020266]  ? save_stack+0xa9/0xd0
[   32.023874]  ? save_stack+0x43/0xd0
[   32.027481]  ? kasan_kmalloc+0xc4/0xe0
[   32.031348]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.036171]  ? memcpy+0x45/0x50
[   32.039439]  v9fs_session_init+0x21a/0x1a80
[   32.043750]  ? find_held_lock+0x36/0x1c0
[   32.048494]  ? v9fs_show_options+0x7e0/0x7e0
[   32.052901]  ? kasan_check_read+0x11/0x20
[   32.057041]  ? rcu_is_watching+0x8c/0x150
[   32.061182]  ? rcu_pm_notify+0xc0/0xc0
[   32.065062]  ? v9fs_mount+0x61/0x900
[   32.068761]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.073765]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.078597]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.084129]  v9fs_mount+0x7c/0x900
[   32.087772]  mount_fs+0xae/0x328
[   32.091128]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.095700]  ? may_umount+0xb0/0xb0
[   32.099309]  ? _raw_read_unlock+0x22/0x30
[   32.103445]  ? __get_fs_type+0x97/0xc0
[   32.107326]  do_mount+0x581/0x30e0
[   32.110870]  ? copy_mount_string+0x40/0x40
[   32.115097]  ? copy_mount_options+0x5f/0x380
[   32.119499]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.124508]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.129344]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.134874]  ? _copy_from_user+0xdf/0x150
[   32.139012]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.144541]  ? copy_mount_options+0x285/0x380
[   32.149040]  ksys_mount+0x12d/0x140
[   32.152653]  __x64_sys_mount+0xbe/0x150
[   32.156610]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.161617]  do_syscall_64+0x1b9/0x820
[   32.165487]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.170398]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.175310]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.180833]  ? retint_user+0x18/0x18
[   32.184543]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.189372]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.194542] RIP: 0033:0x440979
[   32.197720] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   32.216917] RSP: 002b:00007ffe90909ad8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   32.224614] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   32.231869] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.239124] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.246379] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007c5d
[   32.253650] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   32.260933] 
[   32.262551] Allocated by task 4538:
[   32.266179]  save_stack+0x43/0xd0
[   32.269615]  kasan_kmalloc+0xc4/0xe0
[   32.273310]  __kmalloc+0x14e/0x760
[   32.276833]  p9_fcall_alloc+0x1e/0x90
[   32.280627]  p9_client_prepare_req.part.8+0x754/0xcd0
[   32.285795]  p9_client_rpc+0x1bd/0x1400
[   32.290185]  p9_client_create+0xd09/0x16c9
[   32.294401]  v9fs_session_init+0x21a/0x1a80
[   32.298704]  v9fs_mount+0x7c/0x900
[   32.302224]  mount_fs+0xae/0x328
[   32.305569]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.310155]  do_mount+0x581/0x30e0
[   32.313677]  ksys_mount+0x12d/0x140
[   32.317291]  __x64_sys_mount+0xbe/0x150
[   32.321261]  do_syscall_64+0x1b9/0x820
[   32.325137]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.330300] 
[   32.331904] Freed by task 0:
[   32.334896] (stack is not available)
[   32.338597] 
[   32.340204] The buggy address belongs to the object at ffff8801b27b0440
[   32.340204]  which belongs to the cache kmalloc-16384 of size 16384
[   32.353200] The buggy address is located 45 bytes inside of
[   32.353200]  16384-byte region [ffff8801b27b0440, ffff8801b27b4440)
[   32.365150] The buggy address belongs to the page:
[   32.370066] page:ffffea0006c9ec00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   32.380019] flags: 0x2fffc0000008100(slab|head)
[   32.384689] raw: 02fffc0000008100 ffffea0006c82608 ffff8801da801c48 ffff8801da802200
[   32.392555] raw: 0000000000000000 ffff8801b27b0440 0000000100000001 0000000000000000
[   32.400414] page dumped because: kasan: bad access detected
[   32.406100] 
[   32.407706] Memory state around the buggy address:
[   32.412613]  ffff8801b27b2300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.419951]  ffff8801b27b2380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.427289] >ffff8801b27b2400: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   32.434640]                                                        ^
[   32.441109]  ffff8801b27b2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.448446]  ffff8801b27b2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.455806] ==================================================================
[   32.463141] Disabling lock debugging due to kernel taint
[   32.468643] Kernel panic - not syncing: panic_on_warn set ...
[   32.468643] 
[   32.476029] CPU: 0 PID: 4538 Comm: syz-executor738 Tainted: G    B             4.18.0-rc4+ #138
[   32.484859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.494192] Call Trace:
[   32.496768]  dump_stack+0x1c9/0x2b4
[   32.500392]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.505583]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.510332]  panic+0x238/0x4e7
[   32.513507]  ? add_taint.cold.5+0x16/0x16
[   32.517635]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.522035]  ? pdu_read+0x90/0xd0
[   32.525489]  kasan_end_report+0x47/0x4f
[   32.529448]  kasan_report.cold.7+0x76/0x2fe
[   32.533749]  check_memory_region+0x13e/0x1b0
[   32.538143]  memcpy+0x23/0x50
[   32.541233]  pdu_read+0x90/0xd0
[   32.544491]  p9pdu_readf+0x579/0x2170
[   32.548272]  ? p9pdu_writef+0xe0/0xe0
[   32.552052]  ? __fget+0x414/0x670
[   32.555492]  ? rcu_is_watching+0x61/0x150
[   32.559620]  ? expand_files.part.8+0x9c0/0x9c0
[   32.564186]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.569187]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.573671]  p9_client_create+0xde0/0x16c9
[   32.577895]  ? p9_client_read+0xc60/0xc60
[   32.582033]  ? find_held_lock+0x36/0x1c0
[   32.586088]  ? __lockdep_init_map+0x105/0x590
[   32.590576]  ? kasan_check_write+0x14/0x20
[   32.594804]  ? __init_rwsem+0x1cc/0x2a0
[   32.598759]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.603757]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.608765]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.613611]  ? save_stack+0xa9/0xd0
[   32.617224]  ? save_stack+0x43/0xd0
[   32.620828]  ? kasan_kmalloc+0xc4/0xe0
[   32.624691]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.629512]  ? memcpy+0x45/0x50
[   32.632779]  v9fs_session_init+0x21a/0x1a80
[   32.637085]  ? find_held_lock+0x36/0x1c0
[   32.641127]  ? v9fs_show_options+0x7e0/0x7e0
[   32.645516]  ? kasan_check_read+0x11/0x20
[   32.649640]  ? rcu_is_watching+0x8c/0x150
[   32.653782]  ? rcu_pm_notify+0xc0/0xc0
[   32.657651]  ? v9fs_mount+0x61/0x900
[   32.661351]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.666347]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.671170]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.676688]  v9fs_mount+0x7c/0x900
[   32.680211]  mount_fs+0xae/0x328
[   32.683560]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.688122]  ? may_umount+0xb0/0xb0
[   32.691728]  ? _raw_read_unlock+0x22/0x30
[   32.695855]  ? __get_fs_type+0x97/0xc0
[   32.699722]  do_mount+0x581/0x30e0
[   32.703240]  ? copy_mount_string+0x40/0x40
[   32.707456]  ? copy_mount_options+0x5f/0x380
[   32.711843]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.716836]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.721660]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.727177]  ? _copy_from_user+0xdf/0x150
[   32.731305]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.736825]  ? copy_mount_options+0x285/0x380
[   32.741300]  ksys_mount+0x12d/0x140
[   32.744906]  __x64_sys_mount+0xbe/0x150
[   32.748874]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.753873]  do_syscall_64+0x1b9/0x820
[   32.757742]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.762658]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.767579]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.773104]  ? retint_user+0x18/0x18
[   32.776813]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.781643]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.786810] RIP: 0033:0x440979
[   32.789974] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   32.809136] RSP: 002b:00007ffe90909ad8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   32.816833] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   32.824099] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.831353] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.838612] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007c5d
[   32.845862] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   32.853641] Dumping ftrace buffer:
[   32.857161]    (ftrace buffer empty)
[   32.860848] Kernel Offset: disabled
[   32.864454] Rebooting in 86400 seconds..
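Reading the report: the access is a 20291-byte memcpy in pdu_read, reached from p9pdu_readf while p9_client_create is processing the version handshake of a 9P mount (mount(2) with ORIG_RAX 0xa5, called from syz-executor738). The buffer was allocated by p9_fcall_alloc from kmalloc-16384, the faulting address is 45 bytes into that object, and the KASAN shadow shows the allocation's redzone (fc) starting 8224 bytes (0x2020) after the object start, so the usable payload was far smaller than the 16384-byte slot. In the 9P wire format an Rversion reply is size[4] type[1] tag[2] msize[4] version[s], where a string s is len[2] followed by that many bytes; those fixed fields occupy 13 bytes, which is consistent with a length field of 20291 driving a copy that leaves the buffer. Everything the peer put on the wire, including the header size and the string length, is attacker-controlled when the transport is a file descriptor the mounting process supplied.

The following is an added example written for this page; it is not net/9p code and not part of the syzkaller log. It models the pattern in userspace: a reader that bounds a string copy by the message's own size field (the pdu_read style of clamping to min(size - offset, requested)) beside one that first clamps the claimed size to the buffer's real capacity and rejects fields that do not fit. The trusting reader records the overread it would have performed instead of executing it, so the model stays memory-safe. The names (parse_rversion, build_rversion, demo_*), the MODEL_MSIZE of 8192, and the constructed replies are all assumptions of this example; the 20291 figure is taken from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define P9_HDRSZ     7u      /* size[4] type[1] tag[2] */
#define P9_RVERSION  101u    /* message type of an Rversion reply */
#define P9_NOTAG     0xffffu
#define MODEL_MSIZE  8192u   /* receive-buffer capacity assumed by this model */

struct rversion_result {
    int      ok;            /* 1 when the reply parsed cleanly */
    uint32_t msize;         /* msize[4] from the reply */
    uint32_t version_len;   /* len[2] of version[s] exactly as the peer wrote it */
    uint32_t copy_len;      /* bytes memcpy() would move for the version string */
    uint32_t overread;      /* bytes of that copy lying past the buffer (0 if none) */
    char     version[64];   /* version string (truncated to fit the example) */
};

static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Parse an Rversion reply from a buffer of `capacity` bytes.
 * trust_header=1: reads are bounded only by the size[4] the peer wrote.
 * trust_header=0: size[4] is checked against the buffer first, and a field that
 * does not fit inside the checked message is an error, not a truncation. */
static struct rversion_result parse_rversion(const uint8_t *buf, uint32_t capacity, int trust_header)
{
    struct rversion_result r;
    memset(&r, 0, sizeof r);

    uint32_t size = get32(buf);   /* peer-controlled */
    uint32_t off  = P9_HDRSZ;

    if (!trust_header && (size > capacity || size < P9_HDRSZ + 4 + 2))
        return r;                 /* hardened: claimed size must fit what we actually hold */
    if (buf[4] != P9_RVERSION)
        return r;

    r.msize       = get32(buf + off); off += 4;
    r.version_len = get16(buf + off); off += 2;

    /* pdu_read-style clamp: copy min(size - offset, requested). Only as good as `size`. */
    uint32_t left_by_header = size > off ? size - off : 0;
    r.copy_len = r.version_len < left_by_header ? r.version_len : left_by_header;

    if (!trust_header && r.copy_len != r.version_len)
        return r;                 /* hardened: string overshoots the message */

    uint32_t left_in_buf = capacity - off;
    if (r.copy_len > left_in_buf) {
        r.overread = r.copy_len - left_in_buf;   /* what KASAN would flag as out-of-bounds */
        return r;                                /* the model refuses to perform it */
    }

    size_t n = r.copy_len < sizeof r.version - 1 ? r.copy_len : sizeof r.version - 1;
    memcpy(r.version, buf + off, n);
    r.version[n] = '\0';
    r.ok = 1;
    return r;
}

/* Constructed input: write an Rversion reply into a zeroed buffer. claimed_size and
 * version_len are stored exactly as given so malformed replies can be built. */
static void build_rversion(uint8_t *buf, uint32_t capacity, uint32_t claimed_size,
                           uint32_t msize, uint16_t version_len, const char *version)
{
    memset(buf, 0, capacity);
    put32(buf, claimed_size);
    buf[4] = P9_RVERSION;
    put16(buf + 5, P9_NOTAG);
    put32(buf + 7, msize);
    put16(buf + 11, version_len);
    size_t n = strlen(version);
    if (n > capacity - 13) n = capacity - 13;
    memcpy(buf + 13, version, n);
}

/* Well-formed reply from a cooperative server. */
struct rversion_result demo_benign(int trust_header)
{
    static uint8_t buf[MODEL_MSIZE];
    const char *v = "9P2000.L";
    build_rversion(buf, MODEL_MSIZE, P9_HDRSZ + 4 + 2 + (uint32_t)strlen(v), MODEL_MSIZE, (uint16_t)strlen(v), v);
    return parse_rversion(buf, MODEL_MSIZE, trust_header);
}

/* Hostile reply: header and length field both claim a 20291-byte version string
 * (the figure in the report) while the buffer holds MODEL_MSIZE bytes. */
struct rversion_result demo_oversized(int trust_header)
{
    static uint8_t buf[MODEL_MSIZE];
    build_rversion(buf, MODEL_MSIZE, P9_HDRSZ + 4 + 2 + 20291u, MODEL_MSIZE, 20291u, "9P2000.L");
    return parse_rversion(buf, MODEL_MSIZE, trust_header);
}

/* Inconsistent reply: plausible header size, but the string length overshoots it.
 * The size clamp keeps this in bounds, so the trusting reader silently truncates. */
struct rversion_result demo_truncated(int trust_header)
{
    static uint8_t buf[MODEL_MSIZE];
    build_rversion(buf, MODEL_MSIZE, 100u, MODEL_MSIZE, 20291u, "9P2000.L");
    return parse_rversion(buf, MODEL_MSIZE, trust_header);
}

int version_equals(struct rversion_result r, const char *s) { return strcmp(r.version, s) == 0; }

int main(void)
{
    struct { const char *name; struct rversion_result (*fn)(int); } cases[] = {
        { "benign", demo_benign }, { "oversized", demo_oversized }, { "truncated", demo_truncated },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        for (int trust = 1; trust >= 0; trust--) {
            struct rversion_result r = cases[i].fn(trust);
            printf("%-9s %-8s ok=%d msize=%u len=%u copy=%u overread=%u version=\"%s\"\n",
                   cases[i].name, trust ? "trusting" : "hardened",
                   r.ok, r.msize, r.version_len, r.copy_len, r.overread, r.version);
        }
    return 0;
}
```

With the oversized reply the trusting reader computes a 20291-byte copy against 8179 bytes of remaining buffer, an overread of 12112 bytes, which is the shape of the KASAN report above; the hardened reader rejects the message at the header check and never reaches the copy. The truncated case is the one to remember when reviewing this kind of code: a clamp to the message's own size field is only a bounds check if that size was itself validated against the receive buffer when the message arrived, and a silent truncation there hides a peer that is already lying about lengths.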