[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 15.088610] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. [ 16.184393] random: sshd: uninitialized urandom read (32 bytes read) Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.506603] random: sshd: uninitialized urandom read (32 bytes read) [ 17.209749] random: sshd: uninitialized urandom read (32 bytes read) [ 17.346177] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.55' (ECDSA) to the list of known hosts. [ 22.769477] random: sshd: uninitialized urandom read (32 bytes read) executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 22.852244] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. [ 22.899973] ================================================================== [ 22.907388] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0 [ 22.913547] Read of size 56496 at addr ffff8801cba109ad by task syz-executor576/4452 [ 22.921451] [ 22.923065] CPU: 0 PID: 4452 Comm: syz-executor576 Not tainted 4.18.0-rc3-next-20180706+ #1 [ 22.931529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 22.940865] Call Trace: [ 22.943438] dump_stack+0x1c9/0x2b4 [ 22.947057] ? dump_stack_print_info.cold.2+0x52/0x52 [ 22.952241] ? printk+0xa7/0xcf [ 22.955500] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 22.960235] ? pdu_read+0x90/0xd0 [ 22.963667] print_address_description+0x6c/0x20b [ 22.968499] ? pdu_read+0x90/0xd0 [ 22.971935] kasan_report.cold.7+0x242/0x30d [ 22.976337] check_memory_region+0x13e/0x1b0 [ 22.980728] memcpy+0x23/0x50 [ 22.983815] pdu_read+0x90/0xd0 [ 22.987076] p9pdu_readf+0x579/0x2170 [ 22.990856] ? p9pdu_writef+0xe0/0xe0 [ 22.994637] ? ksys_dup3+0x690/0x690 [ 22.998419] ? check_same_owner+0x340/0x340 [ 23.002723] ? p9_fd_poll+0x2b0/0x2b0 [ 23.006507] ? kasan_kmalloc+0xc4/0xe0 [ 23.010376] ? kasan_unpoison_shadow+0x35/0x50 [ 23.014942] ? p9_fd_show_options+0x1c0/0x1c0 [ 23.019417] ? __raw_spin_lock_init+0x2d/0x100 [ 23.023982] p9_client_create+0xde0/0x16c9 [ 23.028208] ? p9_client_read+0xc60/0xc60 [ 23.032337] ? kasan_check_read+0x11/0x20 [ 23.036465] ? lock_acquire+0x1e4/0x540 [ 23.040418] ? fs_reclaim_acquire+0x20/0x20 [ 23.044718] ? lock_release+0xa30/0xa30 [ 23.048669] ? __lockdep_init_map+0x105/0x590 [ 23.053147] ? kasan_check_write+0x14/0x20 [ 23.057375] ? __init_rwsem+0x1cc/0x2a0 [ 23.061335] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 23.066348] ? __kmalloc_track_caller+0x311/0x760 [ 23.071171] ? save_stack+0xa9/0xd0 [ 23.074775] ? save_stack+0x43/0xd0 [ 23.078390] ? kasan_kmalloc+0xc4/0xe0 [ 23.082276] ? kmem_cache_alloc_trace+0x152/0x780 [ 23.087097] ? memcpy+0x45/0x50 [ 23.090361] v9fs_session_init+0x21a/0x1a80 [ 23.094671] ? rcu_note_context_switch+0x730/0x730 [ 23.099591] ? do_mount+0x69e/0x1fb0 [ 23.103287] ? lock_acquire+0x1e4/0x540 [ 23.107246] ? v9fs_show_options+0x7e0/0x7e0 [ 23.111647] ? lock_release+0xa30/0xa30 [ 23.115601] ? check_same_owner+0x340/0x340 [ 23.119911] ? kasan_unpoison_shadow+0x35/0x50 [ 23.124475] ? kasan_kmalloc+0xc4/0xe0 [ 23.128342] ? kmem_cache_alloc_trace+0x318/0x780 [ 23.133163] ? kasan_unpoison_shadow+0x35/0x50 [ 23.137723] ? kasan_kmalloc+0xc4/0xe0 [ 23.141593] v9fs_mount+0x7c/0x900 [ 23.145115] ? v9fs_drop_inode+0x150/0x150 [ 23.149340] legacy_get_tree+0x118/0x440 [ 23.153383] vfs_get_tree+0x1cb/0x5c0 [ 23.157164] do_mount+0x6c1/0x1fb0 [ 23.160685] ? kasan_check_write+0x14/0x20 [ 23.164900] ? copy_mount_string+0x40/0x40 [ 23.169116] ? kasan_kmalloc+0xc4/0xe0 [ 23.172988] ? kmem_cache_alloc_trace+0x318/0x780 [ 23.177817] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 23.183339] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 23.188861] ? copy_mount_options+0x285/0x380 [ 23.193336] ksys_mount+0x12d/0x140 [ 23.196946] __x64_sys_mount+0xbe/0x150 [ 23.200911] do_syscall_64+0x1b9/0x820 [ 23.204778] ? syscall_return_slowpath+0x5e0/0x5e0 [ 23.209696] ? syscall_return_slowpath+0x31d/0x5e0 [ 23.214610] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 23.219617] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 23.225146] ? prepare_exit_to_usermode+0x291/0x3b0 [ 23.230142] ? perf_trace_sys_enter+0xb10/0xb10 [ 23.234790] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 23.239613] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 23.244778] RIP: 0033:0x440979 [ 23.247943] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 23.267101] RSP: 002b:00007ffd9829d878 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 23.274791] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979 [ 23.282044] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000 [ 23.289295] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8 [ 23.296546] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000596e [ 23.303794] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000 [ 23.311053] [ 23.312666] Allocated by task 4452: [ 23.316290] save_stack+0x43/0xd0 [ 23.319721] kasan_kmalloc+0xc4/0xe0 [ 23.323412] __kmalloc+0x14e/0x760 [ 23.326931] p9_fcall_alloc+0x1e/0x90 [ 23.330710] p9_client_prepare_req.part.9+0x754/0xcd0 [ 23.335878] p9_client_rpc+0x1bd/0x1400 [ 23.339828] p9_client_create+0xd09/0x16c9 [ 23.344048] v9fs_session_init+0x21a/0x1a80 [ 23.348347] v9fs_mount+0x7c/0x900 [ 23.351873] legacy_get_tree+0x118/0x440 [ 23.355913] vfs_get_tree+0x1cb/0x5c0 [ 23.359690] do_mount+0x6c1/0x1fb0 [ 23.363205] ksys_mount+0x12d/0x140 [ 23.366812] __x64_sys_mount+0xbe/0x150 [ 23.370768] do_syscall_64+0x1b9/0x820 [ 23.374637] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 23.379806] [ 23.381411] Freed by task 0: [ 23.384399] (stack is not available) [ 23.388086] [ 23.390111] The buggy address belongs to the object at ffff8801cba10980 [ 23.390111] which belongs to the cache kmalloc-16384 of size 16384 [ 23.403102] The buggy address is located 45 bytes inside of [ 23.403102] 16384-byte region [ffff8801cba10980, ffff8801cba14980) [ 23.415042] The buggy address belongs to the page: [ 23.419955] page:ffffea00072e8400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0 [ 23.429913] flags: 0x2fffc0000008100(slab|head) [ 23.434567] raw: 02fffc0000008100 ffffea00072c1a08 ffff8801da801c48 ffff8801da802200 [ 23.442429] raw: 0000000000000000 ffff8801cba10980 0000000100000001 0000000000000000 [ 23.450292] page dumped because: kasan: bad access detected [ 23.455974] [ 23.457575] Memory state around the buggy address: [ 23.462483] ffff8801cba12880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.470089] ffff8801cba12900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.477425] >ffff8801cba12980: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc [ 23.484757] ^ [ 23.489143] ffff8801cba12a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.496478] ffff8801cba12a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.503811] ================================================================== [ 23.511274] Kernel panic - not syncing: panic_on_warn set ... [ 23.511274] [ 23.518644] CPU: 0 PID: 4452 Comm: syz-executor576 Tainted: G B 4.18.0-rc3-next-20180706+ #1 [ 23.531279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.540611] Call Trace: [ 23.543182] dump_stack+0x1c9/0x2b4 [ 23.546789] ? dump_stack_print_info.cold.2+0x52/0x52 [ 23.551964] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 23.556700] panic+0x238/0x4e7 [ 23.559879] ? add_taint.cold.5+0x16/0x16 [ 23.564022] ? do_raw_spin_unlock+0xa7/0x2f0 [ 23.568422] ? pdu_read+0x90/0xd0 [ 23.571854] kasan_end_report+0x47/0x4f [ 23.575807] kasan_report.cold.7+0x76/0x30d [ 23.580107] check_memory_region+0x13e/0x1b0 [ 23.584496] memcpy+0x23/0x50 [ 23.587590] pdu_read+0x90/0xd0 [ 23.590851] p9pdu_readf+0x579/0x2170 [ 23.594631] ? p9pdu_writef+0xe0/0xe0 [ 23.598413] ? ksys_dup3+0x690/0x690 [ 23.602108] ? check_same_owner+0x340/0x340 [ 23.606411] ? p9_fd_poll+0x2b0/0x2b0 [ 23.610205] ? kasan_kmalloc+0xc4/0xe0 [ 23.614071] ? kasan_unpoison_shadow+0x35/0x50 [ 23.618648] ? p9_fd_show_options+0x1c0/0x1c0 [ 23.623154] ? __raw_spin_lock_init+0x2d/0x100 [ 23.627731] p9_client_create+0xde0/0x16c9 [ 23.631960] ? p9_client_read+0xc60/0xc60 [ 23.636107] ? kasan_check_read+0x11/0x20 [ 23.640237] ? lock_acquire+0x1e4/0x540 [ 23.644190] ? fs_reclaim_acquire+0x20/0x20 [ 23.648493] ? lock_release+0xa30/0xa30 [ 23.652449] ? __lockdep_init_map+0x105/0x590 [ 23.656927] ? kasan_check_write+0x14/0x20 [ 23.661143] ? __init_rwsem+0x1cc/0x2a0 [ 23.665096] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 23.670094] ? __kmalloc_track_caller+0x311/0x760 [ 23.674916] ? save_stack+0xa9/0xd0 [ 23.678524] ? save_stack+0x43/0xd0 [ 23.682131] ? kasan_kmalloc+0xc4/0xe0 [ 23.685998] ? kmem_cache_alloc_trace+0x152/0x780 [ 23.690825] ? memcpy+0x45/0x50 [ 23.694088] v9fs_session_init+0x21a/0x1a80 [ 23.698392] ? rcu_note_context_switch+0x730/0x730 [ 23.703304] ? do_mount+0x69e/0x1fb0 [ 23.707001] ? lock_acquire+0x1e4/0x540 [ 23.710979] ? v9fs_show_options+0x7e0/0x7e0 [ 23.715374] ? lock_release+0xa30/0xa30 [ 23.719330] ? check_same_owner+0x340/0x340 [ 23.723637] ? kasan_unpoison_shadow+0x35/0x50 [ 23.728211] ? kasan_kmalloc+0xc4/0xe0 [ 23.732092] ? kmem_cache_alloc_trace+0x318/0x780 [ 23.736915] ? kasan_unpoison_shadow+0x35/0x50 [ 23.741478] ? kasan_kmalloc+0xc4/0xe0 [ 23.745701] v9fs_mount+0x7c/0x900 [ 23.749233] ? v9fs_drop_inode+0x150/0x150 [ 23.753450] legacy_get_tree+0x118/0x440 [ 23.757499] vfs_get_tree+0x1cb/0x5c0 [ 23.761289] do_mount+0x6c1/0x1fb0 [ 23.764813] ? kasan_check_write+0x14/0x20 [ 23.769045] ? copy_mount_string+0x40/0x40 [ 23.773272] ? kasan_kmalloc+0xc4/0xe0 [ 23.777162] ? kmem_cache_alloc_trace+0x318/0x780 [ 23.782009] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 23.787548] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 23.793069] ? copy_mount_options+0x285/0x380 [ 23.797545] ksys_mount+0x12d/0x140 [ 23.801170] __x64_sys_mount+0xbe/0x150 [ 23.805127] do_syscall_64+0x1b9/0x820 [ 23.809015] ? syscall_return_slowpath+0x5e0/0x5e0 [ 23.813932] ? syscall_return_slowpath+0x31d/0x5e0 [ 23.818841] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 23.823837] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 23.829366] ? prepare_exit_to_usermode+0x291/0x3b0 [ 23.834362] ? perf_trace_sys_enter+0xb10/0xb10 [ 23.839032] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 23.843869] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 23.849040] RIP: 0033:0x440979 [ 23.852205] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 23.871334] RSP: 002b:00007ffd9829d878 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 23.879029] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979 [ 23.886292] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000 [ 23.893547] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8 [ 23.900796] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000596e [ 23.909184] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000 [ 23.916917] Dumping ftrace buffer: [ 23.920619] (ftrace buffer empty) [ 23.924315] Kernel Offset: disabled [ 23.927923] Rebooting in 86400 seconds..