[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.247852] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.052803] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.298990] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.173825] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.081189] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
[ 29.470161] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/08 23:04:35 parsed 1 programs
[ 31.016801] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/08 23:04:37 executed programs: 0
[ 31.980548] IPVS: ftp: loaded support on port[0] = 21
[ 32.163235] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.169707] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.176813] device bridge_slave_0 entered promiscuous mode
[ 32.193398] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.199766] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.206697] device bridge_slave_1 entered promiscuous mode
[ 32.221213] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 32.236579] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 32.274578] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 32.291536] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 32.347043] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 32.354246] team0: Port device team_slave_0 added
[ 32.368288] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 32.375580] team0: Port device team_slave_1 added
[ 32.389415] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.404547] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.419640] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 32.435681] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 32.541562] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.547993] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.554785] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.561125] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 32.937938] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 32.944042] 8021q: adding VLAN 0 to HW filter on device bond0
[ 32.983755] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.022341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.029868] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 33.064623] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 33.070737] 8021q: adding VLAN 0 to HW filter on device team0
[ 33.113327] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 33.541534] ==================================================================
[ 33.548985] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 33.555108] Read of size 29811 at addr ffff8801ab6f27ad by task syz-executor0/4832
[ 33.562785]
[ 33.564396] CPU: 0 PID: 4832 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[ 33.571557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.580888] Call Trace:
[ 33.583454]  dump_stack+0x1c9/0x2b4
[ 33.587063]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.592231]  ? printk+0xa7/0xcf
[ 33.595489]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.600222]  ? pdu_read+0x90/0xd0
[ 33.603655]  print_address_description+0x6c/0x20b
[ 33.608476]  ? pdu_read+0x90/0xd0
[ 33.611907]  kasan_report.cold.7+0x242/0x2fe
[ 33.616298]  check_memory_region+0x13e/0x1b0
[ 33.620683]  memcpy+0x23/0x50
[ 33.623786]  pdu_read+0x90/0xd0
[ 33.627046]  p9pdu_readf+0x579/0x2170
[ 33.630830]  ? p9pdu_writef+0xe0/0xe0
[ 33.634609]  ? __fget+0x414/0x670
[ 33.638043]  ? rcu_is_watching+0x61/0x150
[ 33.642169]  ? expand_files.part.8+0x9c0/0x9c0
[ 33.646736]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.651746]  ? p9_fd_show_options+0x1c0/0x1c0
[ 33.656226]  p9_client_create+0xde0/0x16c9
[ 33.660451]  ? p9_client_read+0xc60/0xc60
[ 33.664577]  ? find_held_lock+0x36/0x1c0
[ 33.668622]  ? __lockdep_init_map+0x105/0x590
[ 33.673098]  ? kasan_check_write+0x14/0x20
[ 33.677309]  ? __init_rwsem+0x1cc/0x2a0
[ 33.681262]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 33.686258]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.691249]  ? __kmalloc_track_caller+0x5f5/0x760
[ 33.696076]  ? save_stack+0xa9/0xd0
[ 33.699681]  ? save_stack+0x43/0xd0
[ 33.703285]  ? kasan_kmalloc+0xc4/0xe0
[ 33.707149]  ? memcpy+0x45/0x50
[ 33.710412]  v9fs_session_init+0x21a/0x1a80
[ 33.714713]  ? find_held_lock+0x36/0x1c0
[ 33.718758]  ? v9fs_show_options+0x7e0/0x7e0
[ 33.723147]  ? kasan_check_read+0x11/0x20
[ 33.727272]  ? rcu_is_watching+0x8c/0x150
[ 33.731411]  ? rcu_pm_notify+0xc0/0xc0
[ 33.735277]  ? rcu_pm_notify+0xc0/0xc0
[ 33.739155]  ? v9fs_mount+0x61/0x900
[ 33.742849]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.747841]  ? kmem_cache_alloc_trace+0x616/0x780
[ 33.752663]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 33.758180]  v9fs_mount+0x7c/0x900
[ 33.761699]  mount_fs+0xae/0x328
[ 33.765048]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 33.769605]  ? may_umount+0xb0/0xb0
[ 33.773209]  ? _raw_read_unlock+0x22/0x30
[ 33.777335]  ? __get_fs_type+0x97/0xc0
[ 33.781201]  do_mount+0x581/0x30e0
[ 33.784720]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 33.789107]  ? copy_mount_string+0x40/0x40
[ 33.793321]  ? copy_mount_options+0x5f/0x380
[ 33.797708]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.802702]  ? kmem_cache_alloc_trace+0x616/0x780
[ 33.807520]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 33.813038]  ? _copy_from_user+0xdf/0x150
[ 33.817166]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.822680]  ? copy_mount_options+0x285/0x380
[ 33.827160]  __ia32_compat_sys_mount+0x5d5/0x860
[ 33.831898]  do_fast_syscall_32+0x34d/0xfb2
[ 33.836201]  ? do_int80_syscall_32+0x890/0x890
[ 33.840763]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.845499]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.851013]  ? syscall_return_slowpath+0x31d/0x5e0
[ 33.855932]  ? sysret32_from_system_call+0x5/0x46
[ 33.860756]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.865577]  entry_SYSENTER_compat+0x70/0x7f
[ 33.869962] RIP: 0023:0xf7ff7cb9
[ 33.873303] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 33.892474] RSP: 002b:00000000ffe01d7c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[ 33.900162] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[ 33.907406] RDX: 0000000020000140 RSI: 0000000000010000 RDI: 0000000020000280
[ 33.914653] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 33.921899] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 33.929146] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 33.936398]
[ 33.938004] Allocated by task 4832:
[ 33.941613]  save_stack+0x43/0xd0
[ 33.945043]  kasan_kmalloc+0xc4/0xe0
[ 33.948732]  __kmalloc+0x14e/0x760
[ 33.952249]  p9_fcall_alloc+0x1e/0x90
[ 33.956026]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 33.961191]  p9_client_rpc+0x1bd/0x1400
[ 33.965158]  p9_client_create+0xd09/0x16c9
[ 33.969379]  v9fs_session_init+0x21a/0x1a80
[ 33.973684]  v9fs_mount+0x7c/0x900
[ 33.977209]  mount_fs+0xae/0x328
[ 33.980556]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 33.985115]  do_mount+0x581/0x30e0
[ 33.988636]  __ia32_compat_sys_mount+0x5d5/0x860
[ 33.993372]  do_fast_syscall_32+0x34d/0xfb2
[ 33.997672]  entry_SYSENTER_compat+0x70/0x7f
[ 34.002055]
[ 34.003659] Freed by task 0:
[ 34.006650] (stack is not available)
[ 34.010334]
[ 34.011940] The buggy address belongs to the object at ffff8801ab6f2780
[ 34.011940]  which belongs to the cache kmalloc-16384 of size 16384
[ 34.024922] The buggy address is located 45 bytes inside of
[ 34.024922]  16384-byte region [ffff8801ab6f2780, ffff8801ab6f6780)
[ 34.036857] The buggy address belongs to the page:
[ 34.041764] page:ffffea0006adbc00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 34.051711] flags: 0x2fffc0000008100(slab|head)
[ 34.056358] raw: 02fffc0000008100 ffffea0007491608 ffff8801da801c48 ffff8801da802200
[ 34.064218] raw: 0000000000000000 ffff8801ab6f2780 0000000100000001 0000000000000000
[ 34.072074] page dumped because: kasan: bad access detected
[ 34.077754]
[ 34.079358] Memory state around the buggy address:
[ 34.084263]  ffff8801ab6f4680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.091599]  ffff8801ab6f4700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.098933] >ffff8801ab6f4780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.106268]                                ^
[ 34.110652]  ffff8801ab6f4800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.117990]  ffff8801ab6f4880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.125324] ==================================================================
[ 34.132658] Disabling lock debugging due to kernel taint
[ 34.138268] Kernel panic - not syncing: panic_on_warn set ...
[ 34.138268]
[ 34.145652] CPU: 0 PID: 4832 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[ 34.154214] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.163546] Call Trace:
[ 34.166117]  dump_stack+0x1c9/0x2b4
[ 34.169722]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.174890]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.179624]  panic+0x238/0x4e7
[ 34.182794]  ? add_taint.cold.5+0x16/0x16
[ 34.186922]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.191309]  ? pdu_read+0x90/0xd0
[ 34.194740]  kasan_end_report+0x47/0x4f
[ 34.198690]  kasan_report.cold.7+0x76/0x2fe
[ 34.202993]  check_memory_region+0x13e/0x1b0
[ 34.207381]  memcpy+0x23/0x50
[ 34.210465]  pdu_read+0x90/0xd0
[ 34.213724]  p9pdu_readf+0x579/0x2170
[ 34.217513]  ? p9pdu_writef+0xe0/0xe0
[ 34.221295]  ? __fget+0x414/0x670
[ 34.224728]  ? rcu_is_watching+0x61/0x150
[ 34.228853]  ? expand_files.part.8+0x9c0/0x9c0
[ 34.233414]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.238410]  ? p9_fd_show_options+0x1c0/0x1c0
[ 34.242886]  p9_client_create+0xde0/0x16c9
[ 34.247103]  ? p9_client_read+0xc60/0xc60
[ 34.251249]  ? find_held_lock+0x36/0x1c0
[ 34.255296]  ? __lockdep_init_map+0x105/0x590
[ 34.259772]  ? kasan_check_write+0x14/0x20
[ 34.263999]  ? __init_rwsem+0x1cc/0x2a0
[ 34.267959]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 34.272954]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.277946]  ? __kmalloc_track_caller+0x5f5/0x760
[ 34.282765]  ? save_stack+0xa9/0xd0
[ 34.286369]  ? save_stack+0x43/0xd0
[ 34.289973]  ? kasan_kmalloc+0xc4/0xe0
[ 34.293847]  ? memcpy+0x45/0x50
[ 34.297116]  v9fs_session_init+0x21a/0x1a80
[ 34.301851]  ? find_held_lock+0x36/0x1c0
[ 34.305891]  ? v9fs_show_options+0x7e0/0x7e0
[ 34.310281]  ? kasan_check_read+0x11/0x20
[ 34.314419]  ? rcu_is_watching+0x8c/0x150
[ 34.318548]  ? rcu_pm_notify+0xc0/0xc0
[ 34.322417]  ? rcu_pm_notify+0xc0/0xc0
[ 34.326289]  ? v9fs_mount+0x61/0x900
[ 34.329982]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.334979]  ? kmem_cache_alloc_trace+0x616/0x780
[ 34.339806]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 34.345326]  v9fs_mount+0x7c/0x900
[ 34.348851]  mount_fs+0xae/0x328
[ 34.352200]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 34.356768]  ? may_umount+0xb0/0xb0
[ 34.360372]  ? _raw_read_unlock+0x22/0x30
[ 34.364495]  ? __get_fs_type+0x97/0xc0
[ 34.368360]  do_mount+0x581/0x30e0
[ 34.371888]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.376277]  ? copy_mount_string+0x40/0x40
[ 34.380492]  ? copy_mount_options+0x5f/0x380
[ 34.384878]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.389870]  ? kmem_cache_alloc_trace+0x616/0x780
[ 34.394695]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.400227]  ? _copy_from_user+0xdf/0x150
[ 34.404357]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.409880]  ? copy_mount_options+0x285/0x380
[ 34.414357]  __ia32_compat_sys_mount+0x5d5/0x860
[ 34.419096]  do_fast_syscall_32+0x34d/0xfb2
[ 34.423406]  ? do_int80_syscall_32+0x890/0x890
[ 34.427968]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 34.432711]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.438226]  ? syscall_return_slowpath+0x31d/0x5e0
[ 34.443138]  ? sysret32_from_system_call+0x5/0x46
[ 34.447966]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.452795]  entry_SYSENTER_compat+0x70/0x7f
[ 34.457178] RIP: 0023:0xf7ff7cb9
[ 34.460515] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 34.479629] RSP: 002b:00000000ffe01d7c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[ 34.487312] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000100
[ 34.495169] RDX: 0000000020000140 RSI: 0000000000010000 RDI: 0000000020000280
[ 34.502417] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 34.509664] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 34.516914] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 34.524651] Dumping ftrace buffer:
[ 34.528170]    (ftrace buffer empty)
[ 34.531855] Kernel Offset: disabled
[ 34.535457] Rebooting in 86400 seconds..
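What the report says, read from the numbers alone: the overlong memcpy is issued from pdu_read, reached through p9pdu_readf while p9_client_create is parsing the reply to its version request during mount(2), so the bytes being parsed came from whatever peer sits on the other end of the 9p transport. The access starts 45 bytes into a kmalloc-16384 object and asks for 29811 bytes. The shadow dump shows the accessible bytes ending at ffff8801ab6f47a0, 8224 bytes into the object, with 0xfc (KASAN's slab redzone) beyond, which is consistent with a 32-byte fcall header followed by an 8192-byte message buffer (the 9p default msize); the copy therefore begins 13 bytes into that buffer (7-byte header, 4-byte msize, 2-byte string length) with only 8179 bytes behind the cursor. A length field taken from the reply was used to size the copy without being checked against the buffer the client had allocated.

The following is an added example, not kernel code and not the 9p client's own functions: a freestanding C reconstruction of that reader pattern, showing the unsafe length arithmetic beside a hardened parse that bounds both the header's size field and every field copy by the buffer's real capacity. All names (pdu_hdr_parse, pdu_read_checked, pdu_read_string, unchecked_copy_len, parse_rversion, run_samples) and the three sample replies are this example's own; the wire framing assumed is the 9P2000 one (size[4] type[1] tag[2], little-endian, then fields; a string is len[2] followed by len bytes).

```c
/* Added example, not kernel code. Reconstructs the 9p PDU reader pattern
 * behind the KASAN report with the example's own names; sample replies
 * are constructed, not captured. Framing assumed: size[4] type[1] tag[2]
 * little-endian, then fields; a string field is len[2] + len bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAPACITY 8192u   /* message buffer: the default msize the shadow dump implies */
#define HDR_LEN  7u      /* size[4] type[1] tag[2] */

struct pdu {
    uint32_t size;      /* PDU length as claimed by the peer's header */
    size_t   offset;    /* read cursor */
    size_t   capacity;  /* bytes actually backing sdata */
    uint8_t  sdata[CAPACITY];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* The unsafe arithmetic: bound a field copy only by the size the peer claimed,
 * min(claimed_size - offset, want). Returned instead of fed to memcpy so the
 * bad length can be shown without performing the bad read. With the report's
 * numbers (29824, 13, 29811) it yields 29811 against 8179 real bytes. */
static size_t unchecked_copy_len(uint32_t claimed_size, size_t offset, size_t want)
{
    size_t remaining = claimed_size - offset;
    return remaining < want ? remaining : want;
}

/* Hardened header parse: reject a claimed size the buffer cannot back. */
static int pdu_hdr_parse(struct pdu *pdu, const uint8_t *wire, size_t wire_len)
{
    size_t n = wire_len < CAPACITY ? wire_len : CAPACITY;
    memset(pdu, 0, sizeof *pdu);
    pdu->capacity = CAPACITY;
    memcpy(pdu->sdata, wire, n);
    if (n < HDR_LEN)
        return -1;
    pdu->size = rd32(pdu->sdata);
    if (pdu->size < HDR_LEN || pdu->size > pdu->capacity || pdu->size > n)
        return -1;          /* peer-supplied size is not backed by real bytes */
    pdu->offset = HDR_LEN;
    return 0;
}

/* Hardened field read: bounded by the validated size and, separately, by capacity. */
static int pdu_read_checked(struct pdu *pdu, void *dst, size_t want)
{
    if (want > pdu->size - pdu->offset || want > pdu->capacity - pdu->offset)
        return -1;
    memcpy(dst, &pdu->sdata[pdu->offset], want);
    pdu->offset += want;
    return 0;
}

/* Read a 9p string (len[2] + bytes) into a NUL-terminated buffer. */
static int pdu_read_string(struct pdu *pdu, char *out, size_t out_cap)
{
    uint8_t lenbuf[2];
    uint16_t len;
    if (pdu_read_checked(pdu, lenbuf, 2))
        return -1;
    len = rd16(lenbuf);
    if ((size_t)len + 1 > out_cap)
        return -1;
    if (pdu_read_checked(pdu, out, len))   /* a len beyond the PDU is refused here */
        return -1;
    out[len] = '\0';
    return 0;
}

/* Parse an Rversion reply (msize[4] version[s]); 0 on success, -1 if rejected. */
static int parse_rversion(const uint8_t *wire, size_t wire_len,
                          uint32_t *msize, char *version, size_t vcap)
{
    static struct pdu pdu;   /* static keeps the 8 KiB buffer off the stack */
    uint8_t m[4];
    if (pdu_hdr_parse(&pdu, wire, wire_len) || pdu_read_checked(&pdu, m, 4))
        return -1;
    *msize = rd32(m);
    return pdu_read_string(&pdu, version, vcap);
}

/* Constructed samples. ok: size 19, Rversion (101), NOTAG, msize 8192, "9P2000".
 * bad_hdr: header claims 29824 bytes (13 + 29811), the report's numbers.
 * bad_str: honest header, but the string length field claims 500 bytes. */
static const uint8_t rv_ok[]      = { 0x13,0,0,0, 0x65, 0xff,0xff, 0,0x20,0,0, 6,0, '9','P','2','0','0','0' };
static const uint8_t rv_bad_hdr[] = { 0x80,0x74,0,0, 0x65, 0xff,0xff, 0,0x20,0,0, 0x73,0x74, 'x','x' };
static const uint8_t rv_bad_str[] = { 0x13,0,0,0, 0x65, 0xff,0xff, 0,0x20,0,0, 0xf4,1, '9','P','2','0','0','0' };

/* Bitmask of outcomes; 15 means every sample was handled as intended. */
static int run_samples(void)
{
    uint32_t msize = 0;
    char version[1024];
    int r = 0;
    if (parse_rversion(rv_ok, sizeof rv_ok, &msize, version, sizeof version) == 0) r |= 1;
    if (msize == 8192 && strcmp(version, "9P2000") == 0) r |= 2;
    if (parse_rversion(rv_bad_hdr, sizeof rv_bad_hdr, &msize, version, sizeof version) == -1) r |= 4;
    if (parse_rversion(rv_bad_str, sizeof rv_bad_str, &msize, version, sizeof version) == -1) r |= 8;
    return r;
}

int main(void)
{
    printf("unchecked copy length with the report's numbers: %zu (buffer holds %u)\n",
           unchecked_copy_len(29824, 13, 29811), CAPACITY - 13);
    printf("hardened reader sample mask: %d (15 means all handled)\n", run_samples());
    return run_samples() == 15 ? 0 : 1;
}
```

Two checks matter, and both are needed: the header's size field must be rejected when it exceeds the buffer that was allocated for the reply, and each field copy must still be bounded by what remains of the validated PDU, because a well-formed total size does not make an inner length field honest (rv_bad_str passes the first check and fails only the second). Where the missing check sat in the 4.18 client is not something the log shows; the trace only proves that the copy length came from the reply and was not clamped to the allocation.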