[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 18.382886] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.318846] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.660291] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.500474] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.654244] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[ 30.070978] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/10 08:10:42 parsed 1 programs
[ 31.789904] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/10 08:10:44 executed programs: 0
[ 32.917233] IPVS: ftp: loaded support on port[0] = 21
[ 33.109723] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.116201] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.123634] device bridge_slave_0 entered promiscuous mode
[ 33.139962] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.146365] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.153467] device bridge_slave_1 entered promiscuous mode
[ 33.168635] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 33.183982] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 33.224422] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 33.242734] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 33.303182] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 33.310576] team0: Port device team_slave_0 added
[ 33.330129] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 33.337481] team0: Port device team_slave_1 added
[ 33.352664] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 33.370616] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 33.387641] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 33.405367] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 33.523686] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.530174] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.537166] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.543562] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.951862] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.957968] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.000124] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 34.043836] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 34.052611] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 34.094992] 8021q: adding VLAN 0 to HW filter on device team0
[ 34.340479] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 34.837650] ==================================================================
[ 34.845175] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 34.851304] Read of size 30051 at addr ffff8801d6b4acad by task syz-executor0/4849
[ 34.858995]
[ 34.860611] CPU: 0 PID: 4849 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #42
[ 34.867780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.877119] Call Trace:
[ 34.879695]  dump_stack+0x1c9/0x2b4
[ 34.883304]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.888491]  ? printk+0xa7/0xcf
[ 34.891751]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 34.896489]  ? pdu_read+0x90/0xd0
[ 34.899934]  print_address_description+0x6c/0x20b
[ 34.904759]  ? pdu_read+0x90/0xd0
[ 34.908199]  kasan_report.cold.7+0x242/0x2fe
[ 34.912771]  check_memory_region+0x13e/0x1b0
[ 34.917161]  memcpy+0x23/0x50
[ 34.920254]  pdu_read+0x90/0xd0
[ 34.923522]  p9pdu_readf+0x579/0x2170
[ 34.927307]  ? p9pdu_writef+0xe0/0xe0
[ 34.931087]  ? __fget+0x414/0x670
[ 34.934525]  ? rcu_is_watching+0x61/0x150
[ 34.938653]  ? expand_files.part.8+0x9c0/0x9c0
[ 34.943221]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.948224]  ? p9_fd_show_options+0x1c0/0x1c0
[ 34.952705]  p9_client_create+0xde0/0x16c9
[ 34.956922]  ? p9_client_read+0xc60/0xc60
[ 34.961053]  ? find_held_lock+0x36/0x1c0
[ 34.965118]  ? __lockdep_init_map+0x105/0x590
[ 34.969597]  ? kasan_check_write+0x14/0x20
[ 34.973811]  ? __init_rwsem+0x1cc/0x2a0
[ 34.977765]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 34.982763]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.987849]  ? __kmalloc_track_caller+0x5f5/0x760
[ 34.992678]  ? save_stack+0xa9/0xd0
[ 34.996285]  ? save_stack+0x43/0xd0
[ 34.999888]  ? kasan_kmalloc+0xc4/0xe0
[ 35.003755]  ? memcpy+0x45/0x50
[ 35.007029]  v9fs_session_init+0x21a/0x1a80
[ 35.011344]  ? find_held_lock+0x36/0x1c0
[ 35.015389]  ? v9fs_show_options+0x7e0/0x7e0
[ 35.019807]  ? kasan_check_read+0x11/0x20
[ 35.023942]  ? rcu_is_watching+0x8c/0x150
[ 35.028076]  ? rcu_pm_notify+0xc0/0xc0
[ 35.031943]  ? rcu_pm_notify+0xc0/0xc0
[ 35.035817]  ? v9fs_mount+0x61/0x900
[ 35.039525]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.044532]  ? kmem_cache_alloc_trace+0x616/0x780
[ 35.049359]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 35.054876]  v9fs_mount+0x7c/0x900
[ 35.058402]  mount_fs+0xae/0x328
[ 35.061750]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 35.066312]  ? may_umount+0xb0/0xb0
[ 35.069919]  ? _raw_read_unlock+0x22/0x30
[ 35.074052]  ? __get_fs_type+0x97/0xc0
[ 35.077921]  do_mount+0x581/0x30e0
[ 35.081442]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 35.085834]  ? copy_mount_string+0x40/0x40
[ 35.090057]  ? copy_mount_options+0x5f/0x380
[ 35.094446]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.099443]  ? kmem_cache_alloc_trace+0x616/0x780
[ 35.104271]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.109789]  ? _copy_from_user+0xdf/0x150
[ 35.113924]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.119441]  ? copy_mount_options+0x285/0x380
[ 35.123921]  __ia32_compat_sys_mount+0x5d5/0x860
[ 35.128669]  do_fast_syscall_32+0x34d/0xfb2
[ 35.132973]  ? do_int80_syscall_32+0x890/0x890
[ 35.137535]  ? syscall_slow_exit_work+0x500/0x500
[ 35.142358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.147877]  ? syscall_return_slowpath+0x31d/0x5e0
[ 35.152793]  ? sysret32_from_system_call+0x5/0x46
[ 35.157620]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.162443]  entry_SYSENTER_compat+0x70/0x7f
[ 35.166830] RIP: 0023:0xf7fa6cb9
[ 35.170171] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 35.189341] RSP: 002b:00000000ffb7ae4c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 35.197033] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[ 35.204283] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[ 35.211529] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 35.218775] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 35.226031] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.233290]
[ 35.234893] Allocated by task 4849:
[ 35.238504]  save_stack+0x43/0xd0
[ 35.241936]  kasan_kmalloc+0xc4/0xe0
[ 35.245626]  __kmalloc+0x14e/0x760
[ 35.249155]  p9_fcall_alloc+0x1e/0x90
[ 35.252942]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 35.258108]  p9_client_rpc+0x1bd/0x1400
[ 35.262072]  p9_client_create+0xd09/0x16c9
[ 35.266300]  v9fs_session_init+0x21a/0x1a80
[ 35.270600]  v9fs_mount+0x7c/0x900
[ 35.274118]  mount_fs+0xae/0x328
[ 35.277461]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 35.282027]  do_mount+0x581/0x30e0
[ 35.285561]  __ia32_compat_sys_mount+0x5d5/0x860
[ 35.290295]  do_fast_syscall_32+0x34d/0xfb2
[ 35.294593]  entry_SYSENTER_compat+0x70/0x7f
[ 35.298973]
[ 35.300576] Freed by task 0:
[ 35.303565] (stack is not available)
[ 35.307251]
[ 35.308867] The buggy address belongs to the object at ffff8801d6b4ac80
[ 35.308867]  which belongs to the cache kmalloc-16384 of size 16384
[ 35.321859] The buggy address is located 45 bytes inside of
[ 35.321859]  16384-byte region [ffff8801d6b4ac80, ffff8801d6b4ec80)
[ 35.333806] The buggy address belongs to the page:
[ 35.338728] page:ffffea00075ad200 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 35.348694] flags: 0x2fffc0000008100(slab|head)
[ 35.353460] raw: 02fffc0000008100 ffffea0006ac0008 ffff8801da801c48 ffff8801da802200
[ 35.361327] raw: 0000000000000000 ffff8801d6b4ac80 0000000100000001 0000000000000000
[ 35.369193] page dumped because: kasan: bad access detected
[ 35.374881]
[ 35.376485] Memory state around the buggy address:
[ 35.381394]  ffff8801d6b4cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.388742]  ffff8801d6b4cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.396081] >ffff8801d6b4cc80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.403415]                                ^
[ 35.407802]  ffff8801d6b4cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.415142]  ffff8801d6b4cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.422489] ==================================================================
[ 35.429828] Disabling lock debugging due to kernel taint
[ 35.435685] Kernel panic - not syncing: panic_on_warn set ...
[ 35.435685]
[ 35.443059] CPU: 0 PID: 4849 Comm: syz-executor0 Tainted: G B 4.18.0-rc4+ #42
[ 35.451624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.460961] Call Trace:
[ 35.463542]  dump_stack+0x1c9/0x2b4
[ 35.467164]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.472334]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 35.477069]  panic+0x238/0x4e7
[ 35.480244]  ? add_taint.cold.5+0x16/0x16
[ 35.484373]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 35.488773]  ? pdu_read+0x90/0xd0
[ 35.492215]  kasan_end_report+0x47/0x4f
[ 35.496194]  kasan_report.cold.7+0x76/0x2fe
[ 35.500510]  check_memory_region+0x13e/0x1b0
[ 35.504899]  memcpy+0x23/0x50
[ 35.507985]  pdu_read+0x90/0xd0
[ 35.511250]  p9pdu_readf+0x579/0x2170
[ 35.515040]  ? p9pdu_writef+0xe0/0xe0
[ 35.518840]  ? __fget+0x414/0x670
[ 35.522291]  ? rcu_is_watching+0x61/0x150
[ 35.526423]  ? expand_files.part.8+0x9c0/0x9c0
[ 35.530991]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.535998]  ? p9_fd_show_options+0x1c0/0x1c0
[ 35.540487]  p9_client_create+0xde0/0x16c9
[ 35.544708]  ? p9_client_read+0xc60/0xc60
[ 35.548841]  ? find_held_lock+0x36/0x1c0
[ 35.552888]  ? __lockdep_init_map+0x105/0x590
[ 35.557369]  ? kasan_check_write+0x14/0x20
[ 35.561590]  ? __init_rwsem+0x1cc/0x2a0
[ 35.565555]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 35.570561]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.575560]  ? __kmalloc_track_caller+0x5f5/0x760
[ 35.580382]  ? save_stack+0xa9/0xd0
[ 35.583987]  ? save_stack+0x43/0xd0
[ 35.587595]  ? kasan_kmalloc+0xc4/0xe0
[ 35.591465]  ? memcpy+0x45/0x50
[ 35.594729]  v9fs_session_init+0x21a/0x1a80
[ 35.599039]  ? find_held_lock+0x36/0x1c0
[ 35.603084]  ? v9fs_show_options+0x7e0/0x7e0
[ 35.607483]  ? kasan_check_read+0x11/0x20
[ 35.611632]  ? rcu_is_watching+0x8c/0x150
[ 35.615758]  ? rcu_pm_notify+0xc0/0xc0
[ 35.619630]  ? rcu_pm_notify+0xc0/0xc0
[ 35.623588]  ? v9fs_mount+0x61/0x900
[ 35.627635]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.632647]  ? kmem_cache_alloc_trace+0x616/0x780
[ 35.637488]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 35.643006]  v9fs_mount+0x7c/0x900
[ 35.646537]  mount_fs+0xae/0x328
[ 35.650592]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 35.655163]  ? may_umount+0xb0/0xb0
[ 35.658770]  ? _raw_read_unlock+0x22/0x30
[ 35.662982]  ? __get_fs_type+0x97/0xc0
[ 35.666853]  do_mount+0x581/0x30e0
[ 35.670372]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 35.674762]  ? copy_mount_string+0x40/0x40
[ 35.678979]  ? copy_mount_options+0x5f/0x380
[ 35.683374]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.688371]  ? kmem_cache_alloc_trace+0x616/0x780
[ 35.693194]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 35.698712]  ? _copy_from_user+0xdf/0x150
[ 35.702841]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.708361]  ? copy_mount_options+0x285/0x380
[ 35.712929]  __ia32_compat_sys_mount+0x5d5/0x860
[ 35.717676]  do_fast_syscall_32+0x34d/0xfb2
[ 35.721982]  ? do_int80_syscall_32+0x890/0x890
[ 35.726545]  ? syscall_slow_exit_work+0x500/0x500
[ 35.731370]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.736984]  ? syscall_return_slowpath+0x31d/0x5e0
[ 35.741906]  ? sysret32_from_system_call+0x5/0x46
[ 35.746739]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.751566]  entry_SYSENTER_compat+0x70/0x7f
[ 35.755951] RIP: 0023:0xf7fa6cb9
[ 35.759289] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 35.778414] RSP: 002b:00000000ffb7ae4c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 35.786109] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[ 35.793360] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[ 35.800614] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 35.808125] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 35.815373] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.823087] Dumping ftrace buffer:
[ 35.826621]    (ftrace buffer empty)
[ 35.830315] Kernel Offset: disabled
[ 35.833918] Rebooting in 86400 seconds..