[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 15.850888] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 17.380410] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.740497] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.439493] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.572737] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
[ 23.971186] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 24.073972] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 24.121342] ==================================================================
[ 24.128751] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 24.134876] Read of size 61430 at addr ffff8801cab38aed by task syz-executor738/4475
[ 24.142741]
[ 24.144350] CPU: 0 PID: 4475 Comm: syz-executor738 Not tainted 4.18.0-rc3-next-20180709+ #2
[ 24.152817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.162165] Call Trace:
[ 24.164760]  dump_stack+0x1c9/0x2b4
[ 24.168372]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 24.173544]  ? printk+0xa7/0xcf
[ 24.176804]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 24.181543]  ? pdu_read+0x90/0xd0
[ 24.184979]  print_address_description+0x6c/0x20b
[ 24.189809]  ? pdu_read+0x90/0xd0
[ 24.193244]  kasan_report.cold.7+0x242/0x30d
[ 24.197643]  check_memory_region+0x13e/0x1b0
[ 24.202037]  memcpy+0x23/0x50
[ 24.205133]  pdu_read+0x90/0xd0
[ 24.208403]  p9pdu_readf+0x579/0x2170
[ 24.212193]  ? p9pdu_writef+0xe0/0xe0
[ 24.215986]  ? ksys_dup3+0x690/0x690
[ 24.219684]  ? do_raw_spin_lock+0xc1/0x200
[ 24.223900]  ? kasan_kmalloc+0xc4/0xe0
[ 24.227775]  ? kasan_unpoison_shadow+0x35/0x50
[ 24.232350]  ? p9_fd_show_options+0x1c0/0x1c0
[ 24.236836]  ? __raw_spin_lock_init+0x2d/0x100
[ 24.241404]  p9_client_create+0xde0/0x16c9
[ 24.245627]  ? p9_client_read+0xc60/0xc60
[ 24.249766]  ? kasan_check_read+0x11/0x20
[ 24.253909]  ? lock_acquire+0x1e4/0x540
[ 24.257865]  ? fs_reclaim_acquire+0x20/0x20
[ 24.262176]  ? lock_release+0xa30/0xa30
[ 24.266142]  ? __lockdep_init_map+0x105/0x590
[ 24.270627]  ? kasan_check_write+0x14/0x20
[ 24.274844]  ? __init_rwsem+0x1cc/0x2a0
[ 24.278808]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 24.283817]  ? __kmalloc_track_caller+0x311/0x760
[ 24.288643]  ? save_stack+0xa9/0xd0
[ 24.292254]  ? save_stack+0x43/0xd0
[ 24.295863]  ? kasan_kmalloc+0xc4/0xe0
[ 24.299743]  ? kmem_cache_alloc_trace+0x152/0x780
[ 24.304566]  ? memcpy+0x45/0x50
[ 24.307939]  v9fs_session_init+0x21a/0x1a80
[ 24.312252]  ? rcu_note_context_switch+0x730/0x730
[ 24.317160]  ? do_mount+0x69e/0x1fb0
[ 24.320864]  ? lock_acquire+0x1e4/0x540
[ 24.324830]  ? v9fs_show_options+0x7e0/0x7e0
[ 24.329229]  ? lock_release+0xa30/0xa30
[ 24.333195]  ? check_same_owner+0x340/0x340
[ 24.337500]  ? kasan_unpoison_shadow+0x35/0x50
[ 24.342064]  ? kasan_kmalloc+0xc4/0xe0
[ 24.345943]  ? kmem_cache_alloc_trace+0x318/0x780
[ 24.350776]  ? kasan_unpoison_shadow+0x35/0x50
[ 24.355340]  ? kasan_kmalloc+0xc4/0xe0
[ 24.359218]  v9fs_mount+0x7c/0x900
[ 24.362753]  ? v9fs_drop_inode+0x150/0x150
[ 24.366978]  legacy_get_tree+0x118/0x440
[ 24.371035]  vfs_get_tree+0x1cb/0x5c0
[ 24.374824]  do_mount+0x6c1/0x1fb0
[ 24.378350]  ? kasan_check_write+0x14/0x20
[ 24.382565]  ? copy_mount_string+0x40/0x40
[ 24.386780]  ? retint_kernel+0x10/0x10
[ 24.390649]  ? copy_mount_options+0x1e3/0x380
[ 24.395139]  ? copy_mount_options+0x1f0/0x380
[ 24.399617]  ? copy_mount_options+0x1f6/0x380
[ 24.404127]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 24.409645]  ? copy_mount_options+0x285/0x380
[ 24.414136]  ksys_mount+0x12d/0x140
[ 24.417751]  __x64_sys_mount+0xbe/0x150
[ 24.421719]  do_syscall_64+0x1b9/0x820
[ 24.425606]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 24.430518]  ? syscall_return_slowpath+0x31d/0x5e0
[ 24.435444]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 24.440458]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 24.445977]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 24.450981]  ? perf_trace_sys_enter+0xb10/0xb10
[ 24.455631]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 24.460470]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 24.465654] RIP: 0033:0x440959
[ 24.468820] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 24.487939] RSP: 002b:00007fff63372e18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 24.495638] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 24.502896] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 24.510154] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 24.517415] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000005e35
[ 24.524664] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 24.531923]
[ 24.533531] Allocated by task 4475:
[ 24.537147]  save_stack+0x43/0xd0
[ 24.540579]  kasan_kmalloc+0xc4/0xe0
[ 24.544273]  __kmalloc+0x14e/0x760
[ 24.547791]  p9_fcall_alloc+0x1e/0x90
[ 24.551572]  p9_client_prepare_req.part.9+0x754/0xcd0
[ 24.556741]  p9_client_rpc+0x1bd/0x1400
[ 24.560699]  p9_client_create+0xd09/0x16c9
[ 24.564936]  v9fs_session_init+0x21a/0x1a80
[ 24.569238]  v9fs_mount+0x7c/0x900
[ 24.572758]  legacy_get_tree+0x118/0x440
[ 24.576800]  vfs_get_tree+0x1cb/0x5c0
[ 24.580584]  do_mount+0x6c1/0x1fb0
[ 24.584125]  ksys_mount+0x12d/0x140
[ 24.587749]  __x64_sys_mount+0xbe/0x150
[ 24.591714]  do_syscall_64+0x1b9/0x820
[ 24.595594]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 24.600756]
[ 24.602362] Freed by task 0:
[ 24.605353] (stack is not available)
[ 24.609053]
[ 24.610665] The buggy address belongs to the object at ffff8801cab38ac0
[ 24.610665]  which belongs to the cache kmalloc-16384 of size 16384
[ 24.623735] The buggy address is located 45 bytes inside of
[ 24.623735]  16384-byte region [ffff8801cab38ac0, ffff8801cab3cac0)
[ 24.635673] The buggy address belongs to the page:
[ 24.640581] page:ffffea00072ace00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 24.650527] flags: 0x2fffc0000008100(slab|head)
[ 24.655185] raw: 02fffc0000008100 ffffea0006b13808 ffff8801da801c48 ffff8801da802200
[ 24.663052] raw: 0000000000000000 ffff8801cab38ac0 0000000100000001 0000000000000000
[ 24.670923] page dumped because: kasan: bad access detected
[ 24.676609]
[ 24.678213] Memory state around the buggy address:
[ 24.683142]  ffff8801cab3a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.690480]  ffff8801cab3aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.697827] >ffff8801cab3aa80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 24.705164]                                                        ^
[ 24.711636]  ffff8801cab3ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.718977]  ffff8801cab3ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.726312] ==================================================================
[ 24.733728] Kernel panic - not syncing: panic_on_warn set ...
[ 24.733728]
[ 24.741092] CPU: 0 PID: 4475 Comm: syz-executor738 Tainted: G    B 4.18.0-rc3-next-20180709+ #2
[ 24.750962] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.760312] Call Trace:
[ 24.762899]  dump_stack+0x1c9/0x2b4
[ 24.766526]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 24.771707]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.776446]  panic+0x238/0x4e7
[ 24.779619]  ? add_taint.cold.5+0x16/0x16
[ 24.783748]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 24.788135]  ? pdu_read+0x90/0xd0
[ 24.791569]  kasan_end_report+0x47/0x4f
[ 24.795535]  kasan_report.cold.7+0x76/0x30d
[ 24.799838]  check_memory_region+0x13e/0x1b0
[ 24.804228]  memcpy+0x23/0x50
[ 24.807315]  pdu_read+0x90/0xd0
[ 24.810575]  p9pdu_readf+0x579/0x2170
[ 24.814357]  ? p9pdu_writef+0xe0/0xe0
[ 24.818148]  ? ksys_dup3+0x690/0x690
[ 24.821843]  ? do_raw_spin_lock+0xc1/0x200
[ 24.826072]  ? kasan_kmalloc+0xc4/0xe0
[ 24.829946]  ? kasan_unpoison_shadow+0x35/0x50
[ 24.834510]  ? p9_fd_show_options+0x1c0/0x1c0
[ 24.838986]  ? __raw_spin_lock_init+0x2d/0x100
[ 24.843563]  p9_client_create+0xde0/0x16c9
[ 24.847780]  ? p9_client_read+0xc60/0xc60
[ 24.851906]  ? kasan_check_read+0x11/0x20
[ 24.856040]  ? lock_acquire+0x1e4/0x540
[ 24.859994]  ? fs_reclaim_acquire+0x20/0x20
[ 24.864303]  ? lock_release+0xa30/0xa30
[ 24.868257]  ? __lockdep_init_map+0x105/0x590
[ 24.872743]  ? kasan_check_write+0x14/0x20
[ 24.876959]  ? __init_rwsem+0x1cc/0x2a0
[ 24.880912]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 24.885920]  ? __kmalloc_track_caller+0x311/0x760
[ 24.890741]  ? save_stack+0xa9/0xd0
[ 24.894348]  ? save_stack+0x43/0xd0
[ 24.897955]  ? kasan_kmalloc+0xc4/0xe0
[ 24.901828]  ? kmem_cache_alloc_trace+0x152/0x780
[ 24.906655]  ? memcpy+0x45/0x50
[ 24.909920]  v9fs_session_init+0x21a/0x1a80
[ 24.914221]  ? rcu_note_context_switch+0x730/0x730
[ 24.919141]  ? do_mount+0x69e/0x1fb0
[ 24.922839]  ? lock_acquire+0x1e4/0x540
[ 24.926807]  ? v9fs_show_options+0x7e0/0x7e0
[ 24.931196]  ? lock_release+0xa30/0xa30
[ 24.935171]  ? check_same_owner+0x340/0x340
[ 24.939487]  ? kasan_unpoison_shadow+0x35/0x50
[ 24.944082]  ? kasan_kmalloc+0xc4/0xe0
[ 24.947954]  ? kmem_cache_alloc_trace+0x318/0x780
[ 24.952778]  ? kasan_unpoison_shadow+0x35/0x50
[ 24.957349]  ? kasan_kmalloc+0xc4/0xe0
[ 24.961221]  v9fs_mount+0x7c/0x900
[ 24.964743]  ? v9fs_drop_inode+0x150/0x150
[ 24.968959]  legacy_get_tree+0x118/0x440
[ 24.973003]  vfs_get_tree+0x1cb/0x5c0
[ 24.976792]  do_mount+0x6c1/0x1fb0
[ 24.980314]  ? kasan_check_write+0x14/0x20
[ 24.984530]  ? copy_mount_string+0x40/0x40
[ 24.988751]  ? retint_kernel+0x10/0x10
[ 24.992631]  ? copy_mount_options+0x1e3/0x380
[ 24.997107]  ? copy_mount_options+0x1f0/0x380
[ 25.001594]  ? copy_mount_options+0x1f6/0x380
[ 25.006077]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 25.011603]  ? copy_mount_options+0x285/0x380
[ 25.016087]  ksys_mount+0x12d/0x140
[ 25.019697]  __x64_sys_mount+0xbe/0x150
[ 25.023653]  do_syscall_64+0x1b9/0x820
[ 25.027526]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 25.032438]  ? syscall_return_slowpath+0x31d/0x5e0
[ 25.037348]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 25.042355]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 25.047874]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 25.052879]  ? perf_trace_sys_enter+0xb10/0xb10
[ 25.057528]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 25.062355]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 25.067523] RIP: 0033:0x440959
[ 25.070688] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 25.089805] RSP: 002b:00007fff63372e18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 25.097492] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 25.104740] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 25.111998] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 25.119256] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000005e35
[ 25.126506] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 25.134293] Dumping ftrace buffer:
[ 25.137817]    (ftrace buffer empty)
[ 25.141514] Kernel Offset: disabled
[ 25.145133] Rebooting in 86400 seconds..