[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 17.994306] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.943863] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.241624] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.076638] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.243798] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
[ 28.731683] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 28.829108] ==================================================================
[ 28.836603] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 28.842746] Read of size 58818 at addr ffff8801c8ac08ad by task syz-executor077/4446
[ 28.850600]
[ 28.852219] CPU: 0 PID: 4446 Comm: syz-executor077 Not tainted 4.18.0-rc4+ #142
[ 28.859734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.869067] Call Trace:
[ 28.871646]  dump_stack+0x1c9/0x2b4
[ 28.875265]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 28.880437]  ? printk+0xa7/0xcf
[ 28.883700]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 28.888445]  ? pdu_read+0x90/0xd0
[ 28.891892]  print_address_description+0x6c/0x20b
[ 28.896716]  ? pdu_read+0x90/0xd0
[ 28.900158]  kasan_report.cold.7+0x242/0x2fe
[ 28.904562]  check_memory_region+0x13e/0x1b0
[ 28.908960]  memcpy+0x23/0x50
[ 28.912049]  pdu_read+0x90/0xd0
[ 28.915316]  p9pdu_readf+0x579/0x2170
[ 28.919112]  ? p9pdu_writef+0xe0/0xe0
[ 28.922987]  ? __fget+0x414/0x670
[ 28.926446]  ? rcu_is_watching+0x61/0x150
[ 28.930591]  ? expand_files.part.8+0x9c0/0x9c0
[ 28.935163]  ? rcu_read_lock_sched_held+0x108/0x120
[ 28.940188]  ? p9_fd_show_options+0x1c0/0x1c0
[ 28.944672]  p9_client_create+0xde0/0x16c9
[ 28.948898]  ? p9_client_read+0xc60/0xc60
[ 28.953031]  ? find_held_lock+0x36/0x1c0
[ 28.957100]  ? __lockdep_init_map+0x105/0x590
[ 28.961595]  ? kasan_check_write+0x14/0x20
[ 28.965814]  ? __init_rwsem+0x1cc/0x2a0
[ 28.969776]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 28.974794]  ? rcu_read_lock_sched_held+0x108/0x120
[ 28.979797]  ? __kmalloc_track_caller+0x5f5/0x760
[ 28.984626]  ? save_stack+0xa9/0xd0
[ 28.988238]  ? save_stack+0x43/0xd0
[ 28.991859]  ? kasan_kmalloc+0xc4/0xe0
[ 28.995738]  ? kmem_cache_alloc_trace+0x152/0x780
[ 29.000575]  ? memcpy+0x45/0x50
[ 29.003841]  v9fs_session_init+0x21a/0x1a80
[ 29.008149]  ? find_held_lock+0x36/0x1c0
[ 29.012195]  ? v9fs_show_options+0x7e0/0x7e0
[ 29.016585]  ? kasan_check_read+0x11/0x20
[ 29.020713]  ? rcu_is_watching+0x8c/0x150
[ 29.024843]  ? rcu_pm_notify+0xc0/0xc0
[ 29.028718]  ? v9fs_mount+0x61/0x900
[ 29.032414]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.037412]  ? kmem_cache_alloc_trace+0x616/0x780
[ 29.042243]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 29.047765]  v9fs_mount+0x7c/0x900
[ 29.051293]  mount_fs+0xae/0x328
[ 29.054644]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 29.059225]  ? may_umount+0xb0/0xb0
[ 29.062855]  ? _raw_read_unlock+0x22/0x30
[ 29.066984]  ? __get_fs_type+0x97/0xc0
[ 29.070861]  do_mount+0x581/0x30e0
[ 29.074384]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 29.078776]  ? copy_mount_string+0x40/0x40
[ 29.083011]  ? copy_mount_options+0x5f/0x380
[ 29.087415]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.092416]  ? kmem_cache_alloc_trace+0x616/0x780
[ 29.097248]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.102771]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.108297]  ? copy_mount_options+0x285/0x380
[ 29.112777]  ksys_mount+0x12d/0x140
[ 29.116385]  __x64_sys_mount+0xbe/0x150
[ 29.120348]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 29.125353]  do_syscall_64+0x1b9/0x820
[ 29.129224]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 29.134136]  ? syscall_return_slowpath+0x31d/0x5e0
[ 29.139066]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 29.144433]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.149263]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 29.154438] RIP: 0033:0x440149
[ 29.157605] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 29.176803] RSP: 002b:00007fffd4300208 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 29.184494] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440149
[ 29.191756] RDX: 0000000020000000 RSI: 0000000020000140 RDI: 0000000000000000
[ 29.199010] RBP: 0030656c69662f2e R08: 0000000020000440 R09: 00000000004002c8
[ 29.206271] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[ 29.213523] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000
[ 29.220785]
[ 29.222395] Allocated by task 4446:
[ 29.226018]  save_stack+0x43/0xd0
[ 29.229465]  kasan_kmalloc+0xc4/0xe0
[ 29.233177]  __kmalloc+0x14e/0x760
[ 29.236705]  p9_fcall_alloc+0x1e/0x90
[ 29.240504]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 29.245679]  p9_client_rpc+0x1bd/0x1400
[ 29.249637]  p9_client_create+0xd09/0x16c9
[ 29.253859]  v9fs_session_init+0x21a/0x1a80
[ 29.258164]  v9fs_mount+0x7c/0x900
[ 29.261692]  mount_fs+0xae/0x328
[ 29.265047]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 29.269611]  do_mount+0x581/0x30e0
[ 29.273132]  ksys_mount+0x12d/0x140
[ 29.276740]  __x64_sys_mount+0xbe/0x150
[ 29.280696]  do_syscall_64+0x1b9/0x820
[ 29.284580]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 29.289746]
[ 29.291366] Freed by task 0:
[ 29.294360] (stack is not available)
[ 29.298051]
[ 29.299675] The buggy address belongs to the object at ffff8801c8ac0880
[ 29.299675]  which belongs to the cache kmalloc-16384 of size 16384
[ 29.312661] The buggy address is located 45 bytes inside of
[ 29.312661]  16384-byte region [ffff8801c8ac0880, ffff8801c8ac4880)
[ 29.324609] The buggy address belongs to the page:
[ 29.329532] page:ffffea000722b000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 29.339482] flags: 0x2fffc0000008100(slab|head)
[ 29.344136] raw: 02fffc0000008100 ffffea0007211e08 ffff8801da801c48 ffff8801da802200
[ 29.352019] raw: 0000000000000000 ffff8801c8ac0880 0000000100000001 0000000000000000
[ 29.359895] page dumped because: kasan: bad access detected
[ 29.365590]
[ 29.367196] Memory state around the buggy address:
[ 29.372111]  ffff8801c8ac2780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.379451]  ffff8801c8ac2800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.386790] >ffff8801c8ac2880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.394127]                                ^
[ 29.398514]  ffff8801c8ac2900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.405867]  ffff8801c8ac2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.413215] ==================================================================
[ 29.420553] Disabling lock debugging due to kernel taint
[ 29.426079] Kernel panic - not syncing: panic_on_warn set ...
[ 29.426079]
[ 29.433457] CPU: 0 PID: 4446 Comm: syz-executor077 Tainted: G B 4.18.0-rc4+ #142
[ 29.442283] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.451632] Call Trace:
[ 29.454209]  dump_stack+0x1c9/0x2b4
[ 29.457832]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.463008]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 29.467753]  panic+0x238/0x4e7
[ 29.470925]  ? add_taint.cold.5+0x16/0x16
[ 29.475066]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 29.479477]  ? pdu_read+0x90/0xd0
[ 29.482911]  kasan_end_report+0x47/0x4f
[ 29.486867]  kasan_report.cold.7+0x76/0x2fe
[ 29.491177]  check_memory_region+0x13e/0x1b0
[ 29.495565]  memcpy+0x23/0x50
[ 29.498653]  pdu_read+0x90/0xd0
[ 29.501925]  p9pdu_readf+0x579/0x2170
[ 29.505707]  ? p9pdu_writef+0xe0/0xe0
[ 29.509496]  ? __fget+0x414/0x670
[ 29.512929]  ? rcu_is_watching+0x61/0x150
[ 29.517067]  ? expand_files.part.8+0x9c0/0x9c0
[ 29.521641]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.526643]  ? p9_fd_show_options+0x1c0/0x1c0
[ 29.531118]  p9_client_create+0xde0/0x16c9
[ 29.535345]  ? p9_client_read+0xc60/0xc60
[ 29.539473]  ? find_held_lock+0x36/0x1c0
[ 29.543519]  ? __lockdep_init_map+0x105/0x590
[ 29.547995]  ? kasan_check_write+0x14/0x20
[ 29.552214]  ? __init_rwsem+0x1cc/0x2a0
[ 29.556167]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 29.561164]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.566159]  ? __kmalloc_track_caller+0x5f5/0x760
[ 29.570978]  ? save_stack+0xa9/0xd0
[ 29.574583]  ? save_stack+0x43/0xd0
[ 29.578192]  ? kasan_kmalloc+0xc4/0xe0
[ 29.582061]  ? kmem_cache_alloc_trace+0x152/0x780
[ 29.586910]  ? memcpy+0x45/0x50
[ 29.590173]  v9fs_session_init+0x21a/0x1a80
[ 29.594478]  ? find_held_lock+0x36/0x1c0
[ 29.598541]  ? v9fs_show_options+0x7e0/0x7e0
[ 29.602933]  ? kasan_check_read+0x11/0x20
[ 29.607059]  ? rcu_is_watching+0x8c/0x150
[ 29.611190]  ? rcu_pm_notify+0xc0/0xc0
[ 29.615063]  ? v9fs_mount+0x61/0x900
[ 29.618788]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.623815]  ? kmem_cache_alloc_trace+0x616/0x780
[ 29.628638]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 29.634154]  v9fs_mount+0x7c/0x900
[ 29.637675]  mount_fs+0xae/0x328
[ 29.641032]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 29.645614]  ? may_umount+0xb0/0xb0
[ 29.649223]  ? _raw_read_unlock+0x22/0x30
[ 29.653350]  ? __get_fs_type+0x97/0xc0
[ 29.657220]  do_mount+0x581/0x30e0
[ 29.660754]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 29.665145]  ? copy_mount_string+0x40/0x40
[ 29.669361]  ? copy_mount_options+0x5f/0x380
[ 29.673749]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.678744]  ? kmem_cache_alloc_trace+0x616/0x780
[ 29.683569]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 29.689087]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 29.694620]  ? copy_mount_options+0x285/0x380
[ 29.699110]  ksys_mount+0x12d/0x140
[ 29.702721]  __x64_sys_mount+0xbe/0x150
[ 29.706677]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 29.711673]  do_syscall_64+0x1b9/0x820
[ 29.715549]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 29.720459]  ? syscall_return_slowpath+0x31d/0x5e0
[ 29.725383]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 29.730741]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 29.735578]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 29.740746] RIP: 0033:0x440149
[ 29.743911] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 29.763056] RSP: 002b:00007fffd4300208 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 29.770745] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440149
[ 29.777993] RDX: 0000000020000000 RSI: 0000000020000140 RDI: 0000000000000000
[ 29.785244] RBP: 0030656c69662f2e R08: 0000000020000440 R09: 00000000004002c8
[ 29.792490] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[ 29.799748] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000
[ 29.807504] Dumping ftrace buffer:
[ 29.811032]    (ftrace buffer empty)
[ 29.814720] Kernel Offset: disabled
[ 29.818327] Rebooting in 86400 seconds..
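What the report above says, read as a practitioner would: the faulting memcpy is inside pdu_read, reached from p9pdu_readf while p9_client_create negotiates a 9p session during mount (ORIG_RAX 0xa5 is mount on x86_64, and the little-endian ASCII in R12 and RBP decodes to `trans=fd` and `./file0`, so the 9p fd transport was in use). The copy was 58818 bytes starting 45 bytes into an object from the kmalloc-16384 cache, so the length that drove the copy came from the message being parsed, not from the size of the buffer it was parsed out of. With the fd transport the "server" is whatever sits behind a caller-supplied file descriptor, which is why a length field in a reply must never be trusted beyond the receive buffer.

The following is an added user-space model of that pattern. It is not kernel code and not the kernel's fix: struct and function names only loosely mirror net/9p and are assumptions for illustration, and the messages are constructed for this example. It places the trusting header parse beside one that bounds the claimed size by the allocated capacity, plus a string reader that is clamped by both the PDU and the destination buffer.

```c
/* Added illustration of the length-check pattern behind a KASAN
 * slab-out-of-bounds in a PDU reader. Not kernel code: names loosely
 * mirror net/9p and are assumptions; all messages are constructed here. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define P9_HDRSZ    7u   /* 9P header on the wire: size[4] type[1] tag[2], little-endian */
#define P9_RVERSION 101  /* reply type for the version negotiation done at mount */
#define CAP         16384u

struct pdu {
    uint32_t size;     /* message length claimed by the header */
    uint32_t offset;   /* read cursor */
    uint32_t capacity; /* bytes actually allocated behind sdata */
    uint8_t *sdata;
};

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable shape: trust the size the peer put in the header. Returns how
 * many bytes a following read would be allowed to copy from just past the
 * header. Computed only, never performed, so this program stays in bounds. */
static size_t header_trusted_remaining(struct pdu *p)
{
    p->size = le32(p->sdata);
    p->offset = P9_HDRSZ;
    return p->size - p->offset;
}

/* Hardened shape: the claimed size must fit the buffer that was allocated. */
static int parse_header_checked(struct pdu *p)
{
    uint32_t size = le32(p->sdata);
    if (size < P9_HDRSZ || size > p->capacity)
        return -EINVAL;
    p->size = size;
    p->offset = P9_HDRSZ;
    return 0;
}

/* Copies min(remaining, n) bytes and returns the shortfall (0 on success).
 * Only safe because parse_header_checked guaranteed size <= capacity. */
static size_t pdu_read(struct pdu *p, void *dst, size_t n)
{
    size_t avail = p->size - p->offset;
    size_t len = n < avail ? n : avail;
    memcpy(dst, p->sdata + p->offset, len);
    p->offset += len;
    return n - len;
}

/* 9P string: len[2] followed by len bytes. Bounded by both the PDU and dst. */
static int pdu_read_str(struct pdu *p, char *dst, size_t dstsz)
{
    uint8_t lb[2];
    if (pdu_read(p, lb, 2))
        return -EIO;
    uint16_t len = lb[0] | (uint16_t)lb[1] << 8;
    if (len >= dstsz)
        return -EIO;                 /* destination bound, independent of the wire */
    if (pdu_read(p, dst, len))
        return -EIO;                 /* PDU ran out: truncated message, not an over-read */
    dst[len] = '\0';
    return 0;
}

/* Constructed buffer: 16384 bytes allocated, header claims 58863 (0xE5EF). */
static uint8_t oversized[CAP] = { 0xef, 0xe5, 0x00, 0x00 };

static size_t demo_trusted_overread(void)
{
    struct pdu p = { .capacity = CAP, .sdata = oversized };
    return header_trusted_remaining(&p);   /* 58856, far past the 16384 allocated bytes */
}

static int demo_checked_rejects(void)
{
    struct pdu p = { .capacity = CAP, .sdata = oversized };
    return parse_header_checked(&p);       /* -EINVAL before any copy happens */
}

/* Constructed Rversion: size 21, msize 8192, version "9P2000.L". Returns msize. */
static long demo_checked_accepts_rversion(void)
{
    uint8_t buf[64] = { 21, 0, 0, 0, P9_RVERSION, 0xff, 0xff, 0x00, 0x20, 0, 0, 8, 0,
                        '9', 'P', '2', '0', '0', '0', '.', 'L' };
    struct pdu p = { .capacity = sizeof buf, .sdata = buf };
    uint8_t m[4]; char ver[16];
    if (parse_header_checked(&p) || pdu_read(&p, m, 4) || pdu_read_str(&p, ver, sizeof ver))
        return -1;
    return strcmp(ver, "9P2000.L") == 0 ? (long)le32(m) : -1;
}

/* Constructed truncated Rversion: size 13 is valid, but the string claims 10 bytes. */
static int demo_truncated_string(void)
{
    uint8_t buf[64] = { 13, 0, 0, 0, P9_RVERSION, 0xff, 0xff, 0x00, 0x20, 0, 0, 10, 0 };
    struct pdu p = { .capacity = sizeof buf, .sdata = buf };
    uint8_t m[4]; char ver[16];
    if (parse_header_checked(&p) || pdu_read(&p, m, 4))
        return -1;
    return pdu_read_str(&p, ver, sizeof ver);  /* -EIO: clamped instead of over-read */
}
```

The point the two header parsers make is that the clamp inside pdu_read (`min(size - offset, n)`) is only as good as `size`; once a peer-controlled `size` is accepted without comparing it to the allocation, every later read is bounded by the attacker rather than by the buffer, which is exactly the shape of a copy of 58818 bytes out of a 16384-byte slab object. The truncated-string case shows the other half of the contract: with `size` validated, a wire length that outruns the message degrades to an error, not a read past the end.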