[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.442300] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.191567] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.517156] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.387332] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.546723] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[ 29.995590] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[ 30.085582] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 30.120071] ==================================================================
[ 30.127548] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 30.133677] Read of size 20409 at addr ffff8801c42e066d by task syz-executor236/4557
[ 30.141534]
[ 30.143163] CPU: 0 PID: 4557 Comm: syz-executor236 Not tainted 4.18.0-rc4+ #140
[ 30.150596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.160586] Call Trace:
[ 30.163174]  dump_stack+0x1c9/0x2b4
[ 30.166797]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.171971]  ? printk+0xa7/0xcf
[ 30.175235]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.179998]  ? pdu_read+0x90/0xd0
[ 30.183448]  print_address_description+0x6c/0x20b
[ 30.188460]  ? pdu_read+0x90/0xd0
[ 30.191908]  kasan_report.cold.7+0x242/0x2fe
[ 30.196304]  check_memory_region+0x13e/0x1b0
[ 30.200833]  memcpy+0x23/0x50
[ 30.203943]  pdu_read+0x90/0xd0
[ 30.207218]  p9pdu_readf+0x579/0x2170
[ 30.211005]  ? p9pdu_writef+0xe0/0xe0
[ 30.215019]  ? __fget+0x414/0x670
[ 30.218545]  ? rcu_is_watching+0x61/0x150
[ 30.222692]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.227273]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.232292]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.236785]  p9_client_create+0xde0/0x16c9
[ 30.241218]  ? p9_client_read+0xc60/0xc60
[ 30.245361]  ? find_held_lock+0x36/0x1c0
[ 30.249416]  ? __lockdep_init_map+0x105/0x590
[ 30.253899]  ? kasan_check_write+0x14/0x20
[ 30.258115]  ? __init_rwsem+0x1cc/0x2a0
[ 30.262083]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.267097]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.272107]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.276961]  ? save_stack+0xa9/0xd0
[ 30.280576]  ? save_stack+0x43/0xd0
[ 30.284182]  ? kasan_kmalloc+0xc4/0xe0
[ 30.288064]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.292980]  ? memcpy+0x45/0x50
[ 30.296249]  v9fs_session_init+0x21a/0x1a80
[ 30.300555]  ? find_held_lock+0x36/0x1c0
[ 30.304601]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.308997]  ? kasan_check_read+0x11/0x20
[ 30.313127]  ? rcu_is_watching+0x8c/0x150
[ 30.317257]  ? rcu_pm_notify+0xc0/0xc0
[ 30.321139]  ? v9fs_mount+0x61/0x900
[ 30.324850]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.329852]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.334679]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 30.340211]  v9fs_mount+0x7c/0x900
[ 30.343737]  mount_fs+0xae/0x328
[ 30.347102]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.351669]  ? may_umount+0xb0/0xb0
[ 30.355282]  ? _raw_read_unlock+0x22/0x30
[ 30.359421]  ? __get_fs_type+0x97/0xc0
[ 30.363294]  do_mount+0x581/0x30e0
[ 30.366829]  ? copy_mount_string+0x40/0x40
[ 30.371062]  ? copy_mount_options+0x5f/0x380
[ 30.375454]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.380714]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.385542]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.391076]  ? _copy_from_user+0xdf/0x150
[ 30.395222]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.400746]  ? copy_mount_options+0x285/0x380
[ 30.405225]  ksys_mount+0x12d/0x140
[ 30.408851]  __x64_sys_mount+0xbe/0x150
[ 30.412812]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.417813]  do_syscall_64+0x1b9/0x820
[ 30.421700]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.426627]  ? syscall_return_slowpath+0x31d/0x5e0
[ 30.431552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.437094]  ? retint_user+0x18/0x18
[ 30.440795]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.445626]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.450798] RIP: 0033:0x440979
[ 30.453973] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 30.473150] RSP: 002b:00007fff7f59bcf8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 30.480847] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[ 30.488103] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 30.495357] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 30.502621] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000075a0
[ 30.509995] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[ 30.517264]
[ 30.518893] Allocated by task 4557:
[ 30.522678]  save_stack+0x43/0xd0
[ 30.526127]  kasan_kmalloc+0xc4/0xe0
[ 30.529822]  __kmalloc+0x14e/0x760
[ 30.533344]  p9_fcall_alloc+0x1e/0x90
[ 30.537142]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 30.542322]  p9_client_rpc+0x1bd/0x1400
[ 30.546277]  p9_client_create+0xd09/0x16c9
[ 30.550494]  v9fs_session_init+0x21a/0x1a80
[ 30.554795]  v9fs_mount+0x7c/0x900
[ 30.558316]  mount_fs+0xae/0x328
[ 30.561664]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.566227]  do_mount+0x581/0x30e0
[ 30.569747]  ksys_mount+0x12d/0x140
[ 30.573365]  __x64_sys_mount+0xbe/0x150
[ 30.577531]  do_syscall_64+0x1b9/0x820
[ 30.581414]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.586580]
[ 30.588194] Freed by task 0:
[ 30.591286] (stack is not available)
[ 30.594974]
[ 30.596584] The buggy address belongs to the object at ffff8801c42e0640
[ 30.596584]  which belongs to the cache kmalloc-16384 of size 16384
[ 30.609586] The buggy address is located 45 bytes inside of
[ 30.609586]  16384-byte region [ffff8801c42e0640, ffff8801c42e4640)
[ 30.621525] The buggy address belongs to the page:
[ 30.626447] page:ffffea000710b800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 30.636398] flags: 0x2fffc0000008100(slab|head)
[ 30.641067] raw: 02fffc0000008100 ffffea0007095c08 ffff8801da801c48 ffff8801da802200
[ 30.648934] raw: 0000000000000000 ffff8801c42e0640 0000000100000001 0000000000000000
[ 30.656799] page dumped because: kasan: bad access detected
[ 30.662490]
[ 30.664113] Memory state around the buggy address:
[ 30.669037]  ffff8801c42e2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.676380]  ffff8801c42e2580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.683736] >ffff8801c42e2600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 30.691088]                                                        ^
[ 30.697577]  ffff8801c42e2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.704944]  ffff8801c42e2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.712299] ==================================================================
[ 30.719650] Disabling lock debugging due to kernel taint
[ 30.725187] Kernel panic - not syncing: panic_on_warn set ...
[ 30.725187]
[ 30.732556] CPU: 0 PID: 4557 Comm: syz-executor236 Tainted: G B 4.18.0-rc4+ #140
[ 30.741375] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.750729] Call Trace:
[ 30.753304]  dump_stack+0x1c9/0x2b4
[ 30.756946]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.762121]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.766858]  panic+0x238/0x4e7
[ 30.770043]  ? add_taint.cold.5+0x16/0x16
[ 30.774175]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.778566]  ? pdu_read+0x90/0xd0
[ 30.782016]  kasan_end_report+0x47/0x4f
[ 30.785971]  kasan_report.cold.7+0x76/0x2fe
[ 30.790466]  check_memory_region+0x13e/0x1b0
[ 30.794858]  memcpy+0x23/0x50
[ 30.797965]  pdu_read+0x90/0xd0
[ 30.801240]  p9pdu_readf+0x579/0x2170
[ 30.805031]  ? p9pdu_writef+0xe0/0xe0
[ 30.808817]  ? __fget+0x414/0x670
[ 30.812258]  ? rcu_is_watching+0x61/0x150
[ 30.816476]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.821047]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.826067]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.830561]  p9_client_create+0xde0/0x16c9
[ 30.834783]  ? p9_client_read+0xc60/0xc60
[ 30.838913]  ? find_held_lock+0x36/0x1c0
[ 30.842968]  ? __lockdep_init_map+0x105/0x590
[ 30.847450]  ? kasan_check_write+0x14/0x20
[ 30.851678]  ? __init_rwsem+0x1cc/0x2a0
[ 30.855636]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.860650]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.865835]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.870661]  ? save_stack+0xa9/0xd0
[ 30.874445]  ? save_stack+0x43/0xd0
[ 30.878055]  ? kasan_kmalloc+0xc4/0xe0
[ 30.881946]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.886773]  ? memcpy+0x45/0x50
[ 30.890346]  v9fs_session_init+0x21a/0x1a80
[ 30.894654]  ? find_held_lock+0x36/0x1c0
[ 30.898717]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.903109]  ? kasan_check_read+0x11/0x20
[ 30.907255]  ? rcu_is_watching+0x8c/0x150
[ 30.911397]  ? rcu_pm_notify+0xc0/0xc0
[ 30.915268]  ? v9fs_mount+0x61/0x900
[ 30.918966]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.923978]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.928821]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 30.934349]  v9fs_mount+0x7c/0x900
[ 30.937922]  mount_fs+0xae/0x328
[ 30.941358]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.945942]  ? may_umount+0xb0/0xb0
[ 30.949551]  ? _raw_read_unlock+0x22/0x30
[ 30.953691]  ? __get_fs_type+0x97/0xc0
[ 30.957562]  do_mount+0x581/0x30e0
[ 30.961098]  ? copy_mount_string+0x40/0x40
[ 30.965329]  ? copy_mount_options+0x5f/0x380
[ 30.969732]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.974736]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.979566]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.985100]  ? _copy_from_user+0xdf/0x150
[ 30.989231]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.994760]  ? copy_mount_options+0x285/0x380
[ 30.999247]  ksys_mount+0x12d/0x140
[ 31.002871]  __x64_sys_mount+0xbe/0x150
[ 31.006861]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.011861]  do_syscall_64+0x1b9/0x820
[ 31.015744]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.020654]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.025579]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.031096]  ? retint_user+0x18/0x18
[ 31.034792]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.039629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.044924] RIP: 0033:0x440979
[ 31.048094] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.067227] RSP: 002b:00007fff7f59bcf8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 31.074929] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[ 31.082191] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 31.089442] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 31.096700] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000075a0
[ 31.103951] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[ 31.111628] Dumping ftrace buffer:
[ 31.115148]    (ftrace buffer empty)
[ 31.118840] Kernel Offset: disabled
[ 31.122448] Rebooting in 86400 seconds..