[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.382886] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.318846] random: sshd: uninitialized urandom read (32 bytes read)
[   23.660291] random: sshd: uninitialized urandom read (32 bytes read)
[   24.500474] random: sshd: uninitialized urandom read (32 bytes read)
[   24.654244] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.
[   30.070978] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/10 08:10:42 parsed 1 programs
[   31.789904] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/10 08:10:44 executed programs: 0
[   32.917233] IPVS: ftp: loaded support on port[0] = 21
[   33.109723] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.116201] bridge0: port 1(bridge_slave_0) entered disabled state
[   33.123634] device bridge_slave_0 entered promiscuous mode
[   33.139962] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.146365] bridge0: port 2(bridge_slave_1) entered disabled state
[   33.153467] device bridge_slave_1 entered promiscuous mode
[   33.168635] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   33.183982] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   33.224422] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   33.242734] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   33.303182] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   33.310576] team0: Port device team_slave_0 added
[   33.330129] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   33.337481] team0: Port device team_slave_1 added
[   33.352664] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   33.370616] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   33.387641] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   33.405367] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   33.523686] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.530174] bridge0: port 2(bridge_slave_1) entered forwarding state
[   33.537166] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.543562] bridge0: port 1(bridge_slave_0) entered forwarding state
[   33.951862] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   33.957968] 8021q: adding VLAN 0 to HW filter on device bond0
[   34.000124] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.043836] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.052611] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   34.094992] 8021q: adding VLAN 0 to HW filter on device team0
[   34.340479] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   34.837650] ==================================================================
[   34.845175] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   34.851304] Read of size 30051 at addr ffff8801d6b4acad by task syz-executor0/4849
[   34.858995] 
[   34.860611] CPU: 0 PID: 4849 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #42
[   34.867780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.877119] Call Trace:
[   34.879695]  dump_stack+0x1c9/0x2b4
[   34.883304]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.888491]  ? printk+0xa7/0xcf
[   34.891751]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.896489]  ? pdu_read+0x90/0xd0
[   34.899934]  print_address_description+0x6c/0x20b
[   34.904759]  ? pdu_read+0x90/0xd0
[   34.908199]  kasan_report.cold.7+0x242/0x2fe
[   34.912771]  check_memory_region+0x13e/0x1b0
[   34.917161]  memcpy+0x23/0x50
[   34.920254]  pdu_read+0x90/0xd0
[   34.923522]  p9pdu_readf+0x579/0x2170
[   34.927307]  ? p9pdu_writef+0xe0/0xe0
[   34.931087]  ? __fget+0x414/0x670
[   34.934525]  ? rcu_is_watching+0x61/0x150
[   34.938653]  ? expand_files.part.8+0x9c0/0x9c0
[   34.943221]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.948224]  ? p9_fd_show_options+0x1c0/0x1c0
[   34.952705]  p9_client_create+0xde0/0x16c9
[   34.956922]  ? p9_client_read+0xc60/0xc60
[   34.961053]  ? find_held_lock+0x36/0x1c0
[   34.965118]  ? __lockdep_init_map+0x105/0x590
[   34.969597]  ? kasan_check_write+0x14/0x20
[   34.973811]  ? __init_rwsem+0x1cc/0x2a0
[   34.977765]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   34.982763]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.987849]  ? __kmalloc_track_caller+0x5f5/0x760
[   34.992678]  ? save_stack+0xa9/0xd0
[   34.996285]  ? save_stack+0x43/0xd0
[   34.999888]  ? kasan_kmalloc+0xc4/0xe0
[   35.003755]  ? memcpy+0x45/0x50
[   35.007029]  v9fs_session_init+0x21a/0x1a80
[   35.011344]  ? find_held_lock+0x36/0x1c0
[   35.015389]  ? v9fs_show_options+0x7e0/0x7e0
[   35.019807]  ? kasan_check_read+0x11/0x20
[   35.023942]  ? rcu_is_watching+0x8c/0x150
[   35.028076]  ? rcu_pm_notify+0xc0/0xc0
[   35.031943]  ? rcu_pm_notify+0xc0/0xc0
[   35.035817]  ? v9fs_mount+0x61/0x900
[   35.039525]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.044532]  ? kmem_cache_alloc_trace+0x616/0x780
[   35.049359]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   35.054876]  v9fs_mount+0x7c/0x900
[   35.058402]  mount_fs+0xae/0x328
[   35.061750]  vfs_kern_mount.part.34+0xdc/0x4e0
[   35.066312]  ? may_umount+0xb0/0xb0
[   35.069919]  ? _raw_read_unlock+0x22/0x30
[   35.074052]  ? __get_fs_type+0x97/0xc0
[   35.077921]  do_mount+0x581/0x30e0
[   35.081442]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.085834]  ? copy_mount_string+0x40/0x40
[   35.090057]  ? copy_mount_options+0x5f/0x380
[   35.094446]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.099443]  ? kmem_cache_alloc_trace+0x616/0x780
[   35.104271]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.109789]  ? _copy_from_user+0xdf/0x150
[   35.113924]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.119441]  ? copy_mount_options+0x285/0x380
[   35.123921]  __ia32_compat_sys_mount+0x5d5/0x860
[   35.128669]  do_fast_syscall_32+0x34d/0xfb2
[   35.132973]  ? do_int80_syscall_32+0x890/0x890
[   35.137535]  ? syscall_slow_exit_work+0x500/0x500
[   35.142358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.147877]  ? syscall_return_slowpath+0x31d/0x5e0
[   35.152793]  ? sysret32_from_system_call+0x5/0x46
[   35.157620]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.162443]  entry_SYSENTER_compat+0x70/0x7f
[   35.166830] RIP: 0023:0xf7fa6cb9
[   35.170171] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   35.189341] RSP: 002b:00000000ffb7ae4c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   35.197033] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   35.204283] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   35.211529] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   35.218775] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   35.226031] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.233290] 
[   35.234893] Allocated by task 4849:
[   35.238504]  save_stack+0x43/0xd0
[   35.241936]  kasan_kmalloc+0xc4/0xe0
[   35.245626]  __kmalloc+0x14e/0x760
[   35.249155]  p9_fcall_alloc+0x1e/0x90
[   35.252942]  p9_client_prepare_req.part.8+0x754/0xcd0
[   35.258108]  p9_client_rpc+0x1bd/0x1400
[   35.262072]  p9_client_create+0xd09/0x16c9
[   35.266300]  v9fs_session_init+0x21a/0x1a80
[   35.270600]  v9fs_mount+0x7c/0x900
[   35.274118]  mount_fs+0xae/0x328
[   35.277461]  vfs_kern_mount.part.34+0xdc/0x4e0
[   35.282027]  do_mount+0x581/0x30e0
[   35.285561]  __ia32_compat_sys_mount+0x5d5/0x860
[   35.290295]  do_fast_syscall_32+0x34d/0xfb2
[   35.294593]  entry_SYSENTER_compat+0x70/0x7f
[   35.298973] 
[   35.300576] Freed by task 0:
[   35.303565] (stack is not available)
[   35.307251] 
[   35.308867] The buggy address belongs to the object at ffff8801d6b4ac80
[   35.308867]  which belongs to the cache kmalloc-16384 of size 16384
[   35.321859] The buggy address is located 45 bytes inside of
[   35.321859]  16384-byte region [ffff8801d6b4ac80, ffff8801d6b4ec80)
[   35.333806] The buggy address belongs to the page:
[   35.338728] page:ffffea00075ad200 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   35.348694] flags: 0x2fffc0000008100(slab|head)
[   35.353460] raw: 02fffc0000008100 ffffea0006ac0008 ffff8801da801c48 ffff8801da802200
[   35.361327] raw: 0000000000000000 ffff8801d6b4ac80 0000000100000001 0000000000000000
[   35.369193] page dumped because: kasan: bad access detected
[   35.374881] 
[   35.376485] Memory state around the buggy address:
[   35.381394]  ffff8801d6b4cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.388742]  ffff8801d6b4cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.396081] >ffff8801d6b4cc80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   35.403415]                                ^
[   35.407802]  ffff8801d6b4cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.415142]  ffff8801d6b4cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.422489] ==================================================================
[   35.429828] Disabling lock debugging due to kernel taint
[   35.435685] Kernel panic - not syncing: panic_on_warn set ...
[   35.435685] 
[   35.443059] CPU: 0 PID: 4849 Comm: syz-executor0 Tainted: G    B             4.18.0-rc4+ #42
[   35.451624] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.460961] Call Trace:
[   35.463542]  dump_stack+0x1c9/0x2b4
[   35.467164]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.472334]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.477069]  panic+0x238/0x4e7
[   35.480244]  ? add_taint.cold.5+0x16/0x16
[   35.484373]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.488773]  ? pdu_read+0x90/0xd0
[   35.492215]  kasan_end_report+0x47/0x4f
[   35.496194]  kasan_report.cold.7+0x76/0x2fe
[   35.500510]  check_memory_region+0x13e/0x1b0
[   35.504899]  memcpy+0x23/0x50
[   35.507985]  pdu_read+0x90/0xd0
[   35.511250]  p9pdu_readf+0x579/0x2170
[   35.515040]  ? p9pdu_writef+0xe0/0xe0
[   35.518840]  ? __fget+0x414/0x670
[   35.522291]  ? rcu_is_watching+0x61/0x150
[   35.526423]  ? expand_files.part.8+0x9c0/0x9c0
[   35.530991]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.535998]  ? p9_fd_show_options+0x1c0/0x1c0
[   35.540487]  p9_client_create+0xde0/0x16c9
[   35.544708]  ? p9_client_read+0xc60/0xc60
[   35.548841]  ? find_held_lock+0x36/0x1c0
[   35.552888]  ? __lockdep_init_map+0x105/0x590
[   35.557369]  ? kasan_check_write+0x14/0x20
[   35.561590]  ? __init_rwsem+0x1cc/0x2a0
[   35.565555]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   35.570561]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.575560]  ? __kmalloc_track_caller+0x5f5/0x760
[   35.580382]  ? save_stack+0xa9/0xd0
[   35.583987]  ? save_stack+0x43/0xd0
[   35.587595]  ? kasan_kmalloc+0xc4/0xe0
[   35.591465]  ? memcpy+0x45/0x50
[   35.594729]  v9fs_session_init+0x21a/0x1a80
[   35.599039]  ? find_held_lock+0x36/0x1c0
[   35.603084]  ? v9fs_show_options+0x7e0/0x7e0
[   35.607483]  ? kasan_check_read+0x11/0x20
[   35.611632]  ? rcu_is_watching+0x8c/0x150
[   35.615758]  ? rcu_pm_notify+0xc0/0xc0
[   35.619630]  ? rcu_pm_notify+0xc0/0xc0
[   35.623588]  ? v9fs_mount+0x61/0x900
[   35.627635]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.632647]  ? kmem_cache_alloc_trace+0x616/0x780
[   35.637488]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   35.643006]  v9fs_mount+0x7c/0x900
[   35.646537]  mount_fs+0xae/0x328
[   35.650592]  vfs_kern_mount.part.34+0xdc/0x4e0
[   35.655163]  ? may_umount+0xb0/0xb0
[   35.658770]  ? _raw_read_unlock+0x22/0x30
[   35.662982]  ? __get_fs_type+0x97/0xc0
[   35.666853]  do_mount+0x581/0x30e0
[   35.670372]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.674762]  ? copy_mount_string+0x40/0x40
[   35.678979]  ? copy_mount_options+0x5f/0x380
[   35.683374]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.688371]  ? kmem_cache_alloc_trace+0x616/0x780
[   35.693194]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.698712]  ? _copy_from_user+0xdf/0x150
[   35.702841]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.708361]  ? copy_mount_options+0x285/0x380
[   35.712929]  __ia32_compat_sys_mount+0x5d5/0x860
[   35.717676]  do_fast_syscall_32+0x34d/0xfb2
[   35.721982]  ? do_int80_syscall_32+0x890/0x890
[   35.726545]  ? syscall_slow_exit_work+0x500/0x500
[   35.731370]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.736984]  ? syscall_return_slowpath+0x31d/0x5e0
[   35.741906]  ? sysret32_from_system_call+0x5/0x46
[   35.746739]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.751566]  entry_SYSENTER_compat+0x70/0x7f
[   35.755951] RIP: 0023:0xf7fa6cb9
[   35.759289] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   35.778414] RSP: 002b:00000000ffb7ae4c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   35.786109] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   35.793360] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   35.800614] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   35.808125] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   35.815373] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.823087] Dumping ftrace buffer:
[   35.826621]    (ftrace buffer empty)
[   35.830315] Kernel Offset: disabled
[   35.833918] Rebooting in 86400 seconds..