[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd[   20.051664] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] .

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.689662] random: sshd: uninitialized urandom read (32 bytes read)
[   22.043067] random: sshd: uninitialized urandom read (32 bytes read)
[   22.916711] random: sshd: uninitialized urandom read (32 bytes read)
[   47.972572] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[   53.371278] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 00:47:34 parsed 1 programs
[   55.422542] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 00:47:36 executed programs: 0
[   56.778697] IPVS: ftp: loaded support on port[0] = 21
[   56.920214] ip (4592) used greatest stack depth: 16680 bytes left
[   57.069164] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.075919] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.083882] device bridge_slave_0 entered promiscuous mode
[   57.104746] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.111362] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.118453] device bridge_slave_1 entered promiscuous mode
[   57.136467] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   57.153196] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   57.202847] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   57.222250] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   57.293765] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   57.301476] team0: Port device team_slave_0 added
[   57.317550] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   57.324999] team0: Port device team_slave_1 added
[   57.341380] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   57.359814] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   57.378573] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   57.396091] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   57.530606] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.537150] bridge0: port 2(bridge_slave_1) entered forwarding state
[   57.544224] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.550636] bridge0: port 1(bridge_slave_0) entered forwarding state
[   58.060100] 8021q: adding VLAN 0 to HW filter on device bond0
[   58.112305] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   58.162472] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   58.168874] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   58.176729] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   58.221686] 8021q: adding VLAN 0 to HW filter on device team0
[   58.542800] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   58.563934] ==================================================================
[   58.571528] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   58.577690] Read of size 14848 at addr ffff8801d65196ed by task syz-executor0/4831
[   58.585741] 
[   58.587360] CPU: 0 PID: 4831 Comm: syz-executor0 Not tainted 4.18.0-rc3+ #40
[   58.594531] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.603883] Call Trace:
[   58.606735]  dump_stack+0x1c9/0x2b4
[   58.610448]  ? dump_stack_print_info.cold.2+0x52/0x52
[   58.615638]  ? printk+0xa7/0xcf
[   58.618919]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   58.623679]  ? pdu_read+0x90/0xd0
[   58.627129]  print_address_description+0x6c/0x20b
[   58.631979]  ? pdu_read+0x90/0xd0
[   58.635434]  kasan_report.cold.7+0x242/0x2fe
[   58.639850]  check_memory_region+0x13e/0x1b0
[   58.644253]  memcpy+0x23/0x50
[   58.647353]  pdu_read+0x90/0xd0
[   58.650632]  p9pdu_readf+0x579/0x2170
[   58.654620]  ? p9pdu_writef+0xe0/0xe0
[   58.658413]  ? __fget+0x414/0x670
[   58.661880]  ? rcu_is_watching+0x61/0x150
[   58.666024]  ? expand_files.part.8+0x9c0/0x9c0
[   58.670609]  ? finish_wait+0x430/0x430
[   58.674512]  ? rcu_read_lock_sched_held+0x108/0x120
[   58.679550]  ? p9_fd_show_options+0x1c0/0x1c0
[   58.684055]  p9_client_create+0xde0/0x16c9
[   58.688300]  ? p9_client_read+0xc60/0xc60
[   58.692468]  ? find_held_lock+0x36/0x1c0
[   58.696530]  ? __lockdep_init_map+0x105/0x590
[   58.701036]  ? kasan_check_write+0x14/0x20
[   58.705268]  ? __init_rwsem+0x1cc/0x2a0
[   58.709434]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   58.714456]  ? rcu_read_lock_sched_held+0x108/0x120
[   58.719482]  ? __kmalloc_track_caller+0x5f5/0x760
[   58.724336]  ? save_stack+0xa9/0xd0
[   58.727960]  ? save_stack+0x43/0xd0
[   58.731578]  ? kasan_kmalloc+0xc4/0xe0
[   58.735629]  ? memcpy+0x45/0x50
[   58.738913]  v9fs_session_init+0x21a/0x1a80
[   58.743233]  ? find_held_lock+0x36/0x1c0
[   58.747306]  ? v9fs_show_options+0x7e0/0x7e0
[   58.751810]  ? kasan_check_read+0x11/0x20
[   58.755955]  ? rcu_is_watching+0x8c/0x150
[   58.760093]  ? rcu_pm_notify+0xc0/0xc0
[   58.764017]  ? rcu_pm_notify+0xc0/0xc0
[   58.767934]  ? v9fs_mount+0x61/0x900
[   58.771670]  ? rcu_read_lock_sched_held+0x108/0x120
[   58.776693]  ? kmem_cache_alloc_trace+0x616/0x780
[   58.781528]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   58.787063]  v9fs_mount+0x7c/0x900
[   58.790606]  mount_fs+0xae/0x328
[   58.793982]  vfs_kern_mount.part.34+0xdc/0x4e0
[   58.798563]  ? may_umount+0xb0/0xb0
[   58.802181]  ? _raw_read_unlock+0x22/0x30
[   58.806321]  ? __get_fs_type+0x97/0xc0
[   58.810211]  do_mount+0x581/0x30e0
[   58.813750]  ? copy_mount_string+0x40/0x40
[   58.818014]  ? copy_mount_options+0x5f/0x380
[   58.822439]  ? rcu_read_lock_sched_held+0x108/0x120
[   58.827464]  ? kmem_cache_alloc_trace+0x616/0x780
[   58.832304]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   58.837837]  ? _copy_from_user+0xdf/0x150
[   58.841986]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.847544]  ? copy_mount_options+0x285/0x380
[   58.852058]  __ia32_compat_sys_mount+0x5d5/0x860
[   58.856950]  do_fast_syscall_32+0x34d/0xfb2
[   58.861315]  ? do_int80_syscall_32+0x890/0x890
[   58.865895]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   58.870656]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   58.876196]  ? syscall_return_slowpath+0x31d/0x5e0
[   58.881144]  ? sysret32_from_system_call+0x5/0x46
[   58.886019]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   58.890878]  entry_SYSENTER_compat+0x70/0x7f
[   58.895308] RIP: 0023:0xf7fdccb9
[   58.898657] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   58.918378] RSP: 002b:000000000845e90c EFLAGS: 00000202 ORIG_RAX: 0000000000000015
[   58.926172] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   58.933461] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   58.940720] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   58.947981] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   58.955252] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   58.962534] 
[   58.964152] Allocated by task 4831:
[   58.967784]  save_stack+0x43/0xd0
[   58.971227]  kasan_kmalloc+0xc4/0xe0
[   58.974926]  __kmalloc+0x14e/0x760
[   58.978456]  p9_fcall_alloc+0x1e/0x90
[   58.982249]  p9_client_prepare_req.part.8+0x754/0xcd0
[   58.987437]  p9_client_rpc+0x1bd/0x1400
[   58.991403]  p9_client_create+0xd09/0x16c9
[   58.995632]  v9fs_session_init+0x21a/0x1a80
[   58.999950]  v9fs_mount+0x7c/0x900
[   59.003477]  mount_fs+0xae/0x328
[   59.006851]  vfs_kern_mount.part.34+0xdc/0x4e0
[   59.011423]  do_mount+0x581/0x30e0
[   59.014966]  __ia32_compat_sys_mount+0x5d5/0x860
[   59.019730]  do_fast_syscall_32+0x34d/0xfb2
[   59.024056]  entry_SYSENTER_compat+0x70/0x7f
[   59.028443] 
[   59.030067] Freed by task 0:
[   59.033064] (stack is not available)
[   59.036761] 
[   59.038377] The buggy address belongs to the object at ffff8801d65196c0
[   59.038377]  which belongs to the cache kmalloc-16384 of size 16384
[   59.051397] The buggy address is located 45 bytes inside of
[   59.051397]  16384-byte region [ffff8801d65196c0, ffff8801d651d6c0)
[   59.063534] The buggy address belongs to the page:
[   59.068718] page:ffffea0007594600 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   59.078685] flags: 0x2fffc0000008100(slab|head)
[   59.083344] raw: 02fffc0000008100 ffffea00074a0c08 ffffea00074b6608 ffff8801da802200
[   59.091226] raw: 0000000000000000 ffff8801d65196c0 0000000100000001 0000000000000000
[   59.099087] page dumped because: kasan: bad access detected
[   59.104786] 
[   59.106392] Memory state around the buggy address:
[   59.111311]  ffff8801d651b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   59.118666]  ffff8801d651b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   59.126274] >ffff8801d651b680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   59.133616]                                                        ^
[   59.140108]  ffff8801d651b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.147753]  ffff8801d651b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.155119] ==================================================================
[   59.162462] Disabling lock debugging due to kernel taint
[   59.168130] Kernel panic - not syncing: panic_on_warn set ...
[   59.168130] 
[   59.175511] CPU: 0 PID: 4831 Comm: syz-executor0 Tainted: G    B             4.18.0-rc3+ #40
[   59.184248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.193600] Call Trace:
[   59.196201]  dump_stack+0x1c9/0x2b4
[   59.199813]  ? dump_stack_print_info.cold.2+0x52/0x52
[   59.204999]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   59.209756]  panic+0x238/0x4e7
[   59.212934]  ? add_taint.cold.5+0x16/0x16
[   59.217073]  ? do_raw_spin_unlock+0xa7/0x2f0
[   59.221471]  ? pdu_read+0x90/0xd0
[   59.224922]  kasan_end_report+0x47/0x4f
[   59.228885]  kasan_report.cold.7+0x76/0x2fe
[   59.233201]  check_memory_region+0x13e/0x1b0
[   59.237608]  memcpy+0x23/0x50
[   59.240709]  pdu_read+0x90/0xd0
[   59.243974]  p9pdu_readf+0x579/0x2170
[   59.247769]  ? p9pdu_writef+0xe0/0xe0
[   59.251554]  ? __fget+0x414/0x670
[   59.255005]  ? rcu_is_watching+0x61/0x150
[   59.259166]  ? expand_files.part.8+0x9c0/0x9c0
[   59.263959]  ? finish_wait+0x430/0x430
[   59.267872]  ? rcu_read_lock_sched_held+0x108/0x120
[   59.272898]  ? p9_fd_show_options+0x1c0/0x1c0
[   59.277983]  p9_client_create+0xde0/0x16c9
[   59.282303]  ? p9_client_read+0xc60/0xc60
[   59.286464]  ? find_held_lock+0x36/0x1c0
[   59.290536]  ? __lockdep_init_map+0x105/0x590
[   59.295053]  ? kasan_check_write+0x14/0x20
[   59.299284]  ? __init_rwsem+0x1cc/0x2a0
[   59.303258]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   59.308274]  ? rcu_read_lock_sched_held+0x108/0x120
[   59.313294]  ? __kmalloc_track_caller+0x5f5/0x760
[   59.318147]  ? save_stack+0xa9/0xd0
[   59.321780]  ? save_stack+0x43/0xd0
[   59.325410]  ? kasan_kmalloc+0xc4/0xe0
[   59.329297]  ? memcpy+0x45/0x50
[   59.332592]  v9fs_session_init+0x21a/0x1a80
[   59.336917]  ? find_held_lock+0x36/0x1c0
[   59.341074]  ? v9fs_show_options+0x7e0/0x7e0
[   59.345474]  ? kasan_check_read+0x11/0x20
[   59.349614]  ? rcu_is_watching+0x8c/0x150
[   59.353765]  ? rcu_pm_notify+0xc0/0xc0
[   59.357664]  ? rcu_pm_notify+0xc0/0xc0
[   59.361543]  ? v9fs_mount+0x61/0x900
[   59.365247]  ? rcu_read_lock_sched_held+0x108/0x120
[   59.370264]  ? kmem_cache_alloc_trace+0x616/0x780
[   59.375113]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   59.380664]  v9fs_mount+0x7c/0x900
[   59.384215]  mount_fs+0xae/0x328
[   59.387571]  vfs_kern_mount.part.34+0xdc/0x4e0
[   59.392149]  ? may_umount+0xb0/0xb0
[   59.395781]  ? _raw_read_unlock+0x22/0x30
[   59.399915]  ? __get_fs_type+0x97/0xc0
[   59.403803]  do_mount+0x581/0x30e0
[   59.407330]  ? copy_mount_string+0x40/0x40
[   59.411569]  ? copy_mount_options+0x5f/0x380
[   59.415979]  ? rcu_read_lock_sched_held+0x108/0x120
[   59.420992]  ? kmem_cache_alloc_trace+0x616/0x780
[   59.425837]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   59.431365]  ? _copy_from_user+0xdf/0x150
[   59.435504]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.441046]  ? copy_mount_options+0x285/0x380
[   59.445533]  __ia32_compat_sys_mount+0x5d5/0x860
[   59.450295]  do_fast_syscall_32+0x34d/0xfb2
[   59.454622]  ? do_int80_syscall_32+0x890/0x890
[   59.459204]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   59.463958]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.469495]  ? syscall_return_slowpath+0x31d/0x5e0
[   59.474418]  ? sysret32_from_system_call+0x5/0x46
[   59.479266]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   59.484110]  entry_SYSENTER_compat+0x70/0x7f
[   59.488512] RIP: 0023:0xf7fdccb9
[   59.491864] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   59.511108] RSP: 002b:000000000845e90c EFLAGS: 00000202 ORIG_RAX: 0000000000000015
[   59.518819] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000200000c0
[   59.526076] RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000020000180
[   59.533344] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   59.540622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   59.547887] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   59.555652] Dumping ftrace buffer:
[   59.559180]    (ftrace buffer empty)
[   59.562893] Kernel Offset: disabled
[   59.566507] Rebooting in 86400 seconds..