[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   18.682945] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.515927] random: sshd: uninitialized urandom read (32 bytes read)
[   23.955452] random: sshd: uninitialized urandom read (32 bytes read)
[   24.847196] random: sshd: uninitialized urandom read (32 bytes read)
[   85.820211] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts.
[   91.253391] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 03:49:41 parsed 1 programs
[   92.796819] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 03:49:43 executed programs: 0
[   93.799969] IPVS: ftp: loaded support on port[0] = 21
[   93.996591] bridge0: port 1(bridge_slave_0) entered blocking state
[   94.003062] bridge0: port 1(bridge_slave_0) entered disabled state
[   94.010465] device bridge_slave_0 entered promiscuous mode
[   94.027893] bridge0: port 2(bridge_slave_1) entered blocking state
[   94.034279] bridge0: port 2(bridge_slave_1) entered disabled state
[   94.041530] device bridge_slave_1 entered promiscuous mode
[   94.057311] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   94.073278] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   94.114555] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   94.132554] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   94.196193] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   94.203662] team0: Port device team_slave_0 added
[   94.218836] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   94.225945] team0: Port device team_slave_1 added
[   94.241077] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   94.258395] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   94.275655] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   94.292736] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   94.413531] bridge0: port 2(bridge_slave_1) entered blocking state
[   94.419991] bridge0: port 2(bridge_slave_1) entered forwarding state
[   94.426952] bridge0: port 1(bridge_slave_0) entered blocking state
[   94.433321] bridge0: port 1(bridge_slave_0) entered forwarding state
[   94.851467] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   94.857587] 8021q: adding VLAN 0 to HW filter on device bond0
[   94.901101] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   94.945087] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   94.953522] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   94.993493] 8021q: adding VLAN 0 to HW filter on device team0
[   95.255684] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   95.774590] ==================================================================
[   95.782158] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   95.788308] Read of size 65415 at addr ffff8801d83e2ced by task syz-executor0/4804
[   95.795994] 
[   95.797612] CPU: 1 PID: 4804 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[   95.804865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   95.814205] Call Trace:
[   95.816780]  dump_stack+0x1c9/0x2b4
[   95.820393]  ? dump_stack_print_info.cold.2+0x52/0x52
[   95.825565]  ? printk+0xa7/0xcf
[   95.828823]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   95.833561]  ? pdu_read+0x90/0xd0
[   95.836998]  print_address_description+0x6c/0x20b
[   95.841828]  ? pdu_read+0x90/0xd0
[   95.845261]  kasan_report.cold.7+0x242/0x2fe
[   95.849655]  check_memory_region+0x13e/0x1b0
[   95.854050]  memcpy+0x23/0x50
[   95.857147]  pdu_read+0x90/0xd0
[   95.860417]  p9pdu_readf+0x579/0x2170
[   95.864215]  ? p9pdu_writef+0xe0/0xe0
[   95.868008]  ? __fget+0x414/0x670
[   95.871469]  ? rcu_is_watching+0x61/0x150
[   95.875607]  ? expand_files.part.8+0x9c0/0x9c0
[   95.882001]  ? rcu_read_lock_sched_held+0x108/0x120
[   95.887032]  ? p9_fd_show_options+0x1c0/0x1c0
[   95.891524]  p9_client_create+0xde0/0x16c9
[   95.895757]  ? p9_client_read+0xc60/0xc60
[   95.899891]  ? find_held_lock+0x36/0x1c0
[   95.903949]  ? __lockdep_init_map+0x105/0x590
[   95.908447]  ? kasan_check_write+0x14/0x20
[   95.912666]  ? __init_rwsem+0x1cc/0x2a0
[   95.916627]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   95.921631]  ? rcu_read_lock_sched_held+0x108/0x120
[   95.926631]  ? __kmalloc_track_caller+0x5f5/0x760
[   95.931466]  ? save_stack+0xa9/0xd0
[   95.935088]  ? save_stack+0x43/0xd0
[   95.938709]  ? kasan_kmalloc+0xc4/0xe0
[   95.942581]  ? memcpy+0x45/0x50
[   95.945848]  v9fs_session_init+0x21a/0x1a80
[   95.950153]  ? find_held_lock+0x36/0x1c0
[   95.954201]  ? v9fs_show_options+0x7e0/0x7e0
[   95.958596]  ? kasan_check_read+0x11/0x20
[   95.962726]  ? rcu_is_watching+0x8c/0x150
[   95.966861]  ? rcu_pm_notify+0xc0/0xc0
[   95.970740]  ? rcu_pm_notify+0xc0/0xc0
[   95.974613]  ? v9fs_mount+0x61/0x900
[   95.978311]  ? rcu_read_lock_sched_held+0x108/0x120
[   95.983311]  ? kmem_cache_alloc_trace+0x616/0x780
[   95.988139]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   95.993658]  v9fs_mount+0x7c/0x900
[   95.997183]  mount_fs+0xae/0x328
[   96.000554]  vfs_kern_mount.part.34+0xdc/0x4e0
[   96.005139]  ? may_umount+0xb0/0xb0
[   96.008749]  ? _raw_read_unlock+0x22/0x30
[   96.012878]  ? __get_fs_type+0x97/0xc0
[   96.016750]  do_mount+0x581/0x30e0
[   96.020288]  ? do_raw_spin_unlock+0xa7/0x2f0
[   96.024682]  ? copy_mount_string+0x40/0x40
[   96.028924]  ? copy_mount_options+0x5f/0x380
[   96.033327]  ? rcu_read_lock_sched_held+0x108/0x120
[   96.038330]  ? kmem_cache_alloc_trace+0x616/0x780
[   96.043161]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   96.048683]  ? _copy_from_user+0xdf/0x150
[   96.052817]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.058336]  ? copy_mount_options+0x285/0x380
[   96.062827]  __ia32_compat_sys_mount+0x5d5/0x860
[   96.067570]  do_fast_syscall_32+0x34d/0xfb2
[   96.071883]  ? do_int80_syscall_32+0x890/0x890
[   96.076448]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   96.081193]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.086720]  ? syscall_return_slowpath+0x31d/0x5e0
[   96.091650]  ? sysret32_from_system_call+0x5/0x46
[   96.096494]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   96.101325]  entry_SYSENTER_compat+0x70/0x7f
[   96.105725] RIP: 0023:0xf7f49cb9
[   96.109072] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   96.128245] RSP: 002b:00000000ff87b38c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   96.135948] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   96.143201] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   96.150470] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   96.157721] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   96.164972] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   96.172231] 
[   96.173837] Allocated by task 4804:
[   96.177465]  save_stack+0x43/0xd0
[   96.180904]  kasan_kmalloc+0xc4/0xe0
[   96.184600]  __kmalloc+0x14e/0x760
[   96.188137]  p9_fcall_alloc+0x1e/0x90
[   96.191926]  p9_client_prepare_req.part.8+0x754/0xcd0
[   96.197100]  p9_client_rpc+0x1bd/0x1400
[   96.201055]  p9_client_create+0xd09/0x16c9
[   96.205272]  v9fs_session_init+0x21a/0x1a80
[   96.209581]  v9fs_mount+0x7c/0x900
[   96.213103]  mount_fs+0xae/0x328
[   96.216448]  vfs_kern_mount.part.34+0xdc/0x4e0
[   96.221029]  do_mount+0x581/0x30e0
[   96.224554]  __ia32_compat_sys_mount+0x5d5/0x860
[   96.229298]  do_fast_syscall_32+0x34d/0xfb2
[   96.233610]  entry_SYSENTER_compat+0x70/0x7f
[   96.238011] 
[   96.239633] Freed by task 0:
[   96.242626] (stack is not available)
[   96.246311] 
[   96.247919] The buggy address belongs to the object at ffff8801d83e2cc0
[   96.247919]  which belongs to the cache kmalloc-16384 of size 16384
[   96.260922] The buggy address is located 45 bytes inside of
[   96.260922]  16384-byte region [ffff8801d83e2cc0, ffff8801d83e6cc0)
[   96.272869] The buggy address belongs to the page:
[   96.277786] page:ffffea000760f800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   96.287737] flags: 0x2fffc0000008100(slab|head)
[   96.292388] raw: 02fffc0000008100 ffffea0007618c08 ffff8801da801c48 ffff8801da802200
[   96.300253] raw: 0000000000000000 ffff8801d83e2cc0 0000000100000001 0000000000000000
[   96.308109] page dumped because: kasan: bad access detected
[   96.313802] 
[   96.315408] Memory state around the buggy address:
[   96.321085]  ffff8801d83e4b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.328429]  ffff8801d83e4c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.335784] >ffff8801d83e4c80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   96.343120]                                                        ^
[   96.349594]  ffff8801d83e4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.356940]  ffff8801d83e4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.364275] ==================================================================
[   96.371611] Disabling lock debugging due to kernel taint
[   96.377601] Kernel panic - not syncing: panic_on_warn set ...
[   96.377601] 
[   96.384976] CPU: 1 PID: 4804 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[   96.393541] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   96.402887] Call Trace:
[   96.405473]  dump_stack+0x1c9/0x2b4
[   96.409081]  ? dump_stack_print_info.cold.2+0x52/0x52
[   96.414255]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   96.419111]  panic+0x238/0x4e7
[   96.422288]  ? add_taint.cold.5+0x16/0x16
[   96.426435]  ? do_raw_spin_unlock+0xa7/0x2f0
[   96.430833]  ? pdu_read+0x90/0xd0
[   96.434265]  kasan_end_report+0x47/0x4f
[   96.438218]  kasan_report.cold.7+0x76/0x2fe
[   96.442519]  check_memory_region+0x13e/0x1b0
[   96.446907]  memcpy+0x23/0x50
[   96.449998]  pdu_read+0x90/0xd0
[   96.453265]  p9pdu_readf+0x579/0x2170
[   96.457047]  ? p9pdu_writef+0xe0/0xe0
[   96.460831]  ? __fget+0x414/0x670
[   96.464288]  ? rcu_is_watching+0x61/0x150
[   96.468427]  ? expand_files.part.8+0x9c0/0x9c0
[   96.472995]  ? rcu_read_lock_sched_held+0x108/0x120
[   96.477999]  ? p9_fd_show_options+0x1c0/0x1c0
[   96.482484]  p9_client_create+0xde0/0x16c9
[   96.486700]  ? p9_client_read+0xc60/0xc60
[   96.490826]  ? find_held_lock+0x36/0x1c0
[   96.494872]  ? __lockdep_init_map+0x105/0x590
[   96.499349]  ? kasan_check_write+0x14/0x20
[   96.503563]  ? __init_rwsem+0x1cc/0x2a0
[   96.507520]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   96.512529]  ? rcu_read_lock_sched_held+0x108/0x120
[   96.517536]  ? __kmalloc_track_caller+0x5f5/0x760
[   96.522365]  ? save_stack+0xa9/0xd0
[   96.525978]  ? save_stack+0x43/0xd0
[   96.529592]  ? kasan_kmalloc+0xc4/0xe0
[   96.533462]  ? memcpy+0x45/0x50
[   96.536723]  v9fs_session_init+0x21a/0x1a80
[   96.541036]  ? find_held_lock+0x36/0x1c0
[   96.545081]  ? v9fs_show_options+0x7e0/0x7e0
[   96.549472]  ? kasan_check_read+0x11/0x20
[   96.553604]  ? rcu_is_watching+0x8c/0x150
[   96.557727]  ? rcu_pm_notify+0xc0/0xc0
[   96.561599]  ? rcu_pm_notify+0xc0/0xc0
[   96.565467]  ? v9fs_mount+0x61/0x900
[   96.569167]  ? rcu_read_lock_sched_held+0x108/0x120
[   96.574257]  ? kmem_cache_alloc_trace+0x616/0x780
[   96.579096]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   96.584615]  v9fs_mount+0x7c/0x900
[   96.588145]  mount_fs+0xae/0x328
[   96.591505]  vfs_kern_mount.part.34+0xdc/0x4e0
[   96.596076]  ? may_umount+0xb0/0xb0
[   96.599684]  ? _raw_read_unlock+0x22/0x30
[   96.603812]  ? __get_fs_type+0x97/0xc0
[   96.607682]  do_mount+0x581/0x30e0
[   96.611203]  ? do_raw_spin_unlock+0xa7/0x2f0
[   96.615592]  ? copy_mount_string+0x40/0x40
[   96.619816]  ? copy_mount_options+0x5f/0x380
[   96.624205]  ? rcu_read_lock_sched_held+0x108/0x120
[   96.629209]  ? kmem_cache_alloc_trace+0x616/0x780
[   96.634042]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   96.639573]  ? _copy_from_user+0xdf/0x150
[   96.643704]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.649218]  ? copy_mount_options+0x285/0x380
[   96.653695]  __ia32_compat_sys_mount+0x5d5/0x860
[   96.658440]  do_fast_syscall_32+0x34d/0xfb2
[   96.662745]  ? do_int80_syscall_32+0x890/0x890
[   96.667316]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   96.672063]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   96.677582]  ? syscall_return_slowpath+0x31d/0x5e0
[   96.682501]  ? sysret32_from_system_call+0x5/0x46
[   96.687341]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   96.692173]  entry_SYSENTER_compat+0x70/0x7f
[   96.696571] RIP: 0023:0xf7f49cb9
[   96.699910] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   96.719046] RSP: 002b:00000000ff87b38c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   96.726744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   96.733995] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   96.741249] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   96.748497] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   96.755746] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   96.763462] Dumping ftrace buffer:
[   96.766980]    (ftrace buffer empty)
[   96.770668] Kernel Offset: disabled
[   96.774273] Rebooting in 86400 seconds..