[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 18.682945] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.515927] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.955452] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.847196] random: sshd: uninitialized urandom read (32 bytes read)
[ 85.820211] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
[ 91.253391] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 03:49:41 parsed 1 programs
[ 92.796819] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 03:49:43 executed programs: 0
[ 93.799969] IPVS: ftp: loaded support on port[0] = 21
[ 93.996591] bridge0: port 1(bridge_slave_0) entered blocking state
[ 94.003062] bridge0: port 1(bridge_slave_0) entered disabled state
[ 94.010465] device bridge_slave_0 entered promiscuous mode
[ 94.027893] bridge0: port 2(bridge_slave_1) entered blocking state
[ 94.034279] bridge0: port 2(bridge_slave_1) entered disabled state
[ 94.041530] device bridge_slave_1 entered promiscuous mode
[ 94.057311] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 94.073278] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 94.114555] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 94.132554] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 94.196193] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 94.203662] team0: Port device team_slave_0 added
[ 94.218836] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 94.225945] team0: Port device team_slave_1 added
[ 94.241077] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 94.258395] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 94.275655] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 94.292736] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 94.413531] bridge0: port 2(bridge_slave_1) entered blocking state
[ 94.419991] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 94.426952] bridge0: port 1(bridge_slave_0) entered blocking state
[ 94.433321] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 94.851467] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 94.857587] 8021q: adding VLAN 0 to HW filter on device bond0
[ 94.901101] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 94.945087] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 94.953522] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 94.993493] 8021q: adding VLAN 0 to HW filter on device team0
[ 95.255684] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 95.774590] ==================================================================
[ 95.782158] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 95.788308] Read of size 65415 at addr ffff8801d83e2ced by task syz-executor0/4804
[ 95.795994]
[ 95.797612] CPU: 1 PID: 4804 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[ 95.804865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 95.814205] Call Trace:
[ 95.816780]  dump_stack+0x1c9/0x2b4
[ 95.820393]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 95.825565]  ? printk+0xa7/0xcf
[ 95.828823]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 95.833561]  ? pdu_read+0x90/0xd0
[ 95.836998]  print_address_description+0x6c/0x20b
[ 95.841828]  ? pdu_read+0x90/0xd0
[ 95.845261]  kasan_report.cold.7+0x242/0x2fe
[ 95.849655]  check_memory_region+0x13e/0x1b0
[ 95.854050]  memcpy+0x23/0x50
[ 95.857147]  pdu_read+0x90/0xd0
[ 95.860417]  p9pdu_readf+0x579/0x2170
[ 95.864215]  ? p9pdu_writef+0xe0/0xe0
[ 95.868008]  ? __fget+0x414/0x670
[ 95.871469]  ? rcu_is_watching+0x61/0x150
[ 95.875607]  ? expand_files.part.8+0x9c0/0x9c0
[ 95.882001]  ? rcu_read_lock_sched_held+0x108/0x120
[ 95.887032]  ? p9_fd_show_options+0x1c0/0x1c0
[ 95.891524]  p9_client_create+0xde0/0x16c9
[ 95.895757]  ? p9_client_read+0xc60/0xc60
[ 95.899891]  ? find_held_lock+0x36/0x1c0
[ 95.903949]  ? __lockdep_init_map+0x105/0x590
[ 95.908447]  ? kasan_check_write+0x14/0x20
[ 95.912666]  ? __init_rwsem+0x1cc/0x2a0
[ 95.916627]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 95.921631]  ? rcu_read_lock_sched_held+0x108/0x120
[ 95.926631]  ? __kmalloc_track_caller+0x5f5/0x760
[ 95.931466]  ? save_stack+0xa9/0xd0
[ 95.935088]  ? save_stack+0x43/0xd0
[ 95.938709]  ? kasan_kmalloc+0xc4/0xe0
[ 95.942581]  ? memcpy+0x45/0x50
[ 95.945848]  v9fs_session_init+0x21a/0x1a80
[ 95.950153]  ? find_held_lock+0x36/0x1c0
[ 95.954201]  ? v9fs_show_options+0x7e0/0x7e0
[ 95.958596]  ? kasan_check_read+0x11/0x20
[ 95.962726]  ? rcu_is_watching+0x8c/0x150
[ 95.966861]  ? rcu_pm_notify+0xc0/0xc0
[ 95.970740]  ? rcu_pm_notify+0xc0/0xc0
[ 95.974613]  ? v9fs_mount+0x61/0x900
[ 95.978311]  ? rcu_read_lock_sched_held+0x108/0x120
[ 95.983311]  ? kmem_cache_alloc_trace+0x616/0x780
[ 95.988139]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 95.993658]  v9fs_mount+0x7c/0x900
[ 95.997183]  mount_fs+0xae/0x328
[ 96.000554]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 96.005139]  ? may_umount+0xb0/0xb0
[ 96.008749]  ? _raw_read_unlock+0x22/0x30
[ 96.012878]  ? __get_fs_type+0x97/0xc0
[ 96.016750]  do_mount+0x581/0x30e0
[ 96.020288]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 96.024682]  ? copy_mount_string+0x40/0x40
[ 96.028924]  ? copy_mount_options+0x5f/0x380
[ 96.033327]  ? rcu_read_lock_sched_held+0x108/0x120
[ 96.038330]  ? kmem_cache_alloc_trace+0x616/0x780
[ 96.043161]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 96.048683]  ? _copy_from_user+0xdf/0x150
[ 96.052817]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 96.058336]  ? copy_mount_options+0x285/0x380
[ 96.062827]  __ia32_compat_sys_mount+0x5d5/0x860
[ 96.067570]  do_fast_syscall_32+0x34d/0xfb2
[ 96.071883]  ? do_int80_syscall_32+0x890/0x890
[ 96.076448]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 96.081193]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 96.086720]  ? syscall_return_slowpath+0x31d/0x5e0
[ 96.091650]  ? sysret32_from_system_call+0x5/0x46
[ 96.096494]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 96.101325]  entry_SYSENTER_compat+0x70/0x7f
[ 96.105725] RIP: 0023:0xf7f49cb9
[ 96.109072] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 96.128245] RSP: 002b:00000000ff87b38c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 96.135948] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[ 96.143201] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[ 96.150470] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 96.157721] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 96.164972] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 96.172231]
[ 96.173837] Allocated by task 4804:
[ 96.177465]  save_stack+0x43/0xd0
[ 96.180904]  kasan_kmalloc+0xc4/0xe0
[ 96.184600]  __kmalloc+0x14e/0x760
[ 96.188137]  p9_fcall_alloc+0x1e/0x90
[ 96.191926]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 96.197100]  p9_client_rpc+0x1bd/0x1400
[ 96.201055]  p9_client_create+0xd09/0x16c9
[ 96.205272]  v9fs_session_init+0x21a/0x1a80
[ 96.209581]  v9fs_mount+0x7c/0x900
[ 96.213103]  mount_fs+0xae/0x328
[ 96.216448]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 96.221029]  do_mount+0x581/0x30e0
[ 96.224554]  __ia32_compat_sys_mount+0x5d5/0x860
[ 96.229298]  do_fast_syscall_32+0x34d/0xfb2
[ 96.233610]  entry_SYSENTER_compat+0x70/0x7f
[ 96.238011]
[ 96.239633] Freed by task 0:
[ 96.242626] (stack is not available)
[ 96.246311]
[ 96.247919] The buggy address belongs to the object at ffff8801d83e2cc0
[ 96.247919]  which belongs to the cache kmalloc-16384 of size 16384
[ 96.260922] The buggy address is located 45 bytes inside of
[ 96.260922]  16384-byte region [ffff8801d83e2cc0, ffff8801d83e6cc0)
[ 96.272869] The buggy address belongs to the page:
[ 96.277786] page:ffffea000760f800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 96.287737] flags: 0x2fffc0000008100(slab|head)
[ 96.292388] raw: 02fffc0000008100 ffffea0007618c08 ffff8801da801c48 ffff8801da802200
[ 96.300253] raw: 0000000000000000 ffff8801d83e2cc0 0000000100000001 0000000000000000
[ 96.308109] page dumped because: kasan: bad access detected
[ 96.313802]
[ 96.315408] Memory state around the buggy address:
[ 96.321085]  ffff8801d83e4b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.328429]  ffff8801d83e4c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.335784] >ffff8801d83e4c80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 96.343120]                                                        ^
[ 96.349594]  ffff8801d83e4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.356940]  ffff8801d83e4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.364275] ==================================================================
[ 96.371611] Disabling lock debugging due to kernel taint
[ 96.377601] Kernel panic - not syncing: panic_on_warn set ...
[ 96.377601]
[ 96.384976] CPU: 1 PID: 4804 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[ 96.393541] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.402887] Call Trace:
[ 96.405473]  dump_stack+0x1c9/0x2b4
[ 96.409081]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 96.414255]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 96.419111]  panic+0x238/0x4e7
[ 96.422288]  ? add_taint.cold.5+0x16/0x16
[ 96.426435]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 96.430833]  ? pdu_read+0x90/0xd0
[ 96.434265]  kasan_end_report+0x47/0x4f
[ 96.438218]  kasan_report.cold.7+0x76/0x2fe
[ 96.442519]  check_memory_region+0x13e/0x1b0
[ 96.446907]  memcpy+0x23/0x50
[ 96.449998]  pdu_read+0x90/0xd0
[ 96.453265]  p9pdu_readf+0x579/0x2170
[ 96.457047]  ? p9pdu_writef+0xe0/0xe0
[ 96.460831]  ? __fget+0x414/0x670
[ 96.464288]  ? rcu_is_watching+0x61/0x150
[ 96.468427]  ? expand_files.part.8+0x9c0/0x9c0
[ 96.472995]  ? rcu_read_lock_sched_held+0x108/0x120
[ 96.477999]  ? p9_fd_show_options+0x1c0/0x1c0
[ 96.482484]  p9_client_create+0xde0/0x16c9
[ 96.486700]  ? p9_client_read+0xc60/0xc60
[ 96.490826]  ? find_held_lock+0x36/0x1c0
[ 96.494872]  ? __lockdep_init_map+0x105/0x590
[ 96.499349]  ? kasan_check_write+0x14/0x20
[ 96.503563]  ? __init_rwsem+0x1cc/0x2a0
[ 96.507520]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 96.512529]  ? rcu_read_lock_sched_held+0x108/0x120
[ 96.517536]  ? __kmalloc_track_caller+0x5f5/0x760
[ 96.522365]  ? save_stack+0xa9/0xd0
[ 96.525978]  ? save_stack+0x43/0xd0
[ 96.529592]  ? kasan_kmalloc+0xc4/0xe0
[ 96.533462]  ? memcpy+0x45/0x50
[ 96.536723]  v9fs_session_init+0x21a/0x1a80
[ 96.541036]  ? find_held_lock+0x36/0x1c0
[ 96.545081]  ? v9fs_show_options+0x7e0/0x7e0
[ 96.549472]  ? kasan_check_read+0x11/0x20
[ 96.553604]  ? rcu_is_watching+0x8c/0x150
[ 96.557727]  ? rcu_pm_notify+0xc0/0xc0
[ 96.561599]  ? rcu_pm_notify+0xc0/0xc0
[ 96.565467]  ? v9fs_mount+0x61/0x900
[ 96.569167]  ? rcu_read_lock_sched_held+0x108/0x120
[ 96.574257]  ? kmem_cache_alloc_trace+0x616/0x780
[ 96.579096]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 96.584615]  v9fs_mount+0x7c/0x900
[ 96.588145]  mount_fs+0xae/0x328
[ 96.591505]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 96.596076]  ? may_umount+0xb0/0xb0
[ 96.599684]  ? _raw_read_unlock+0x22/0x30
[ 96.603812]  ? __get_fs_type+0x97/0xc0
[ 96.607682]  do_mount+0x581/0x30e0
[ 96.611203]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 96.615592]  ? copy_mount_string+0x40/0x40
[ 96.619816]  ? copy_mount_options+0x5f/0x380
[ 96.624205]  ? rcu_read_lock_sched_held+0x108/0x120
[ 96.629209]  ? kmem_cache_alloc_trace+0x616/0x780
[ 96.634042]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 96.639573]  ? _copy_from_user+0xdf/0x150
[ 96.643704]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 96.649218]  ? copy_mount_options+0x285/0x380
[ 96.653695]  __ia32_compat_sys_mount+0x5d5/0x860
[ 96.658440]  do_fast_syscall_32+0x34d/0xfb2
[ 96.662745]  ? do_int80_syscall_32+0x890/0x890
[ 96.667316]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 96.672063]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 96.677582]  ? syscall_return_slowpath+0x31d/0x5e0
[ 96.682501]  ? sysret32_from_system_call+0x5/0x46
[ 96.687341]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 96.692173]  entry_SYSENTER_compat+0x70/0x7f
[ 96.696571] RIP: 0023:0xf7f49cb9
[ 96.699910] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 96.719046] RSP: 002b:00000000ff87b38c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[ 96.726744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[ 96.733995] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[ 96.741249] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 96.748497] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 96.755746] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 96.763462] Dumping ftrace buffer:
[ 96.766980]    (ftrace buffer empty)
[ 96.770668] Kernel Offset: disabled
[ 96.774273] Rebooting in 86400 seconds..