[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.341369] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.711359] random: sshd: uninitialized urandom read (32 bytes read)
[   25.066464] random: sshd: uninitialized urandom read (32 bytes read)
[   25.891143] random: sshd: uninitialized urandom read (32 bytes read)
[   26.044913] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
[   31.529409] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
[   31.617688] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   31.647053] ==================================================================
[   31.654503] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   31.660628] Read of size 8523 at addr ffff8801b25c05ad by task syz-executor099/4544
[   31.668396]
[   31.670018] CPU: 1 PID: 4544 Comm: syz-executor099 Not tainted 4.18.0-rc3+ #137
[   31.677452] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.686793] Call Trace:
[   31.689387]  dump_stack+0x1c9/0x2b4
[   31.693016]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.698200]  ? printk+0xa7/0xcf
[   31.701459]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.706207]  ? pdu_read+0x90/0xd0
[   31.709657]  print_address_description+0x6c/0x20b
[   31.714485]  ? pdu_read+0x90/0xd0
[   31.717918]  kasan_report.cold.7+0x242/0x2fe
[   31.722313]  check_memory_region+0x13e/0x1b0
[   31.726704]  memcpy+0x23/0x50
[   31.729792]  pdu_read+0x90/0xd0
[   31.733054]  p9pdu_readf+0x579/0x2170
[   31.736851]  ? p9pdu_writef+0xe0/0xe0
[   31.740635]  ? __fget+0x414/0x670
[   31.744077]  ? rcu_is_watching+0x61/0x150
[   31.748207]  ? expand_files.part.8+0x9c0/0x9c0
[   31.752776]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.757782]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.762263]  p9_client_create+0xde0/0x16c9
[   31.766484]  ? p9_client_read+0xc60/0xc60
[   31.770623]  ? find_held_lock+0x36/0x1c0
[   31.774677]  ? __lockdep_init_map+0x105/0x590
[   31.779163]  ? kasan_check_write+0x14/0x20
[   31.783381]  ? __init_rwsem+0x1cc/0x2a0
[   31.787337]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   31.792351]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.797354]  ? __kmalloc_track_caller+0x5f5/0x760
[   31.802180]  ? save_stack+0xa9/0xd0
[   31.805789]  ? save_stack+0x43/0xd0
[   31.809399]  ? kasan_kmalloc+0xc4/0xe0
[   31.813278]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.818101]  ? memcpy+0x45/0x50
[   31.821365]  v9fs_session_init+0x21a/0x1a80
[   31.825670]  ? find_held_lock+0x36/0x1c0
[   31.829724]  ? v9fs_show_options+0x7e0/0x7e0
[   31.834121]  ? kasan_check_read+0x11/0x20
[   31.838249]  ? rcu_is_watching+0x8c/0x150
[   31.842377]  ? rcu_pm_notify+0xc0/0xc0
[   31.846252]  ? v9fs_mount+0x61/0x900
[   31.849958]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.854964]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.859792]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.865327]  v9fs_mount+0x7c/0x900
[   31.868865]  mount_fs+0xae/0x328
[   31.872239]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.876816]  ? may_umount+0xb0/0xb0
[   31.880426]  ? _raw_read_unlock+0x22/0x30
[   31.884555]  ? __get_fs_type+0x97/0xc0
[   31.888430]  do_mount+0x581/0x30e0
[   31.891953]  ? copy_mount_string+0x40/0x40
[   31.896170]  ? copy_mount_options+0x5f/0x380
[   31.900557]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.905557]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.910401]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.915929]  ? copy_mount_options+0x285/0x380
[   31.920412]  ksys_mount+0x12d/0x140
[   31.924032]  __x64_sys_mount+0xbe/0x150
[   31.927997]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.933005]  do_syscall_64+0x1b9/0x820
[   31.936890]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.941804]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.946718]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.952234]  ? retint_user+0x18/0x18
[   31.955928]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.960756]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.965937] RIP: 0033:0x440959
[   31.969102] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.988273] RSP: 002b:00007fffb5d80058 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   31.995967] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   32.003228] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.010486] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.017732] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000007b98
[   32.024977] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   32.032233]
[   32.033837] Allocated by task 4544:
[   32.037446]  save_stack+0x43/0xd0
[   32.040881]  kasan_kmalloc+0xc4/0xe0
[   32.044578]  __kmalloc+0x14e/0x760
[   32.048102]  p9_fcall_alloc+0x1e/0x90
[   32.051880]  p9_client_prepare_req.part.8+0x754/0xcd0
[   32.057052]  p9_client_rpc+0x1bd/0x1400
[   32.061011]  p9_client_create+0xd09/0x16c9
[   32.065238]  v9fs_session_init+0x21a/0x1a80
[   32.069538]  v9fs_mount+0x7c/0x900
[   32.073067]  mount_fs+0xae/0x328
[   32.076414]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.080972]  do_mount+0x581/0x30e0
[   32.084503]  ksys_mount+0x12d/0x140
[   32.088106]  __x64_sys_mount+0xbe/0x150
[   32.092065]  do_syscall_64+0x1b9/0x820
[   32.095940]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.101102]
[   32.102708] Freed by task 0:
[   32.105703] (stack is not available)
[   32.109397]
[   32.111008] The buggy address belongs to the object at ffff8801b25c0580
[   32.111008]  which belongs to the cache kmalloc-16384 of size 16384
[   32.124002] The buggy address is located 45 bytes inside of
[   32.124002]  16384-byte region [ffff8801b25c0580, ffff8801b25c4580)
[   32.135953] The buggy address belongs to the page:
[   32.140865] page:ffffea0006c97000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   32.150817] flags: 0x2fffc0000008100(slab|head)
[   32.155470] raw: 02fffc0000008100 ffffea0006cc9808 ffffea0006c98408 ffff8801da802200
[   32.163330] raw: 0000000000000000 ffff8801b25c0580 0000000100000001 0000000000000000
[   32.171187] page dumped because: kasan: bad access detected
[   32.176871]
[   32.178473] Memory state around the buggy address:
[   32.183379]  ffff8801b25c2480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.190715]  ffff8801b25c2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.198051] >ffff8801b25c2580: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   32.205386]                                ^
[   32.209778]  ffff8801b25c2600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.217121]  ffff8801b25c2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.224459] ==================================================================
[   32.231794] Disabling lock debugging due to kernel taint
[   32.237347] Kernel panic - not syncing: panic_on_warn set ...
[   32.237347]
[   32.244720] CPU: 1 PID: 4544 Comm: syz-executor099 Tainted: G B 4.18.0-rc3+ #137
[   32.253553] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.262987] Call Trace:
[   32.265571]  dump_stack+0x1c9/0x2b4
[   32.269192]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.274363]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.279109]  panic+0x238/0x4e7
[   32.282287]  ? add_taint.cold.5+0x16/0x16
[   32.286419]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.290811]  ? pdu_read+0x90/0xd0
[   32.294243]  kasan_end_report+0x47/0x4f
[   32.298204]  kasan_report.cold.7+0x76/0x2fe
[   32.302505]  check_memory_region+0x13e/0x1b0
[   32.306890]  memcpy+0x23/0x50
[   32.309992]  pdu_read+0x90/0xd0
[   32.313256]  p9pdu_readf+0x579/0x2170
[   32.317049]  ? p9pdu_writef+0xe0/0xe0
[   32.320830]  ? __fget+0x414/0x670
[   32.324262]  ? rcu_is_watching+0x61/0x150
[   32.328387]  ? expand_files.part.8+0x9c0/0x9c0
[   32.332958]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.337970]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.342445]  p9_client_create+0xde0/0x16c9
[   32.346659]  ? p9_client_read+0xc60/0xc60
[   32.350785]  ? find_held_lock+0x36/0x1c0
[   32.354828]  ? __lockdep_init_map+0x105/0x590
[   32.359304]  ? kasan_check_write+0x14/0x20
[   32.363517]  ? __init_rwsem+0x1cc/0x2a0
[   32.367470]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.372466]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.377463]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.382288]  ? save_stack+0xa9/0xd0
[   32.385901]  ? save_stack+0x43/0xd0
[   32.389509]  ? kasan_kmalloc+0xc4/0xe0
[   32.393376]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.398211]  ? memcpy+0x45/0x50
[   32.401472]  v9fs_session_init+0x21a/0x1a80
[   32.405783]  ? find_held_lock+0x36/0x1c0
[   32.409845]  ? v9fs_show_options+0x7e0/0x7e0
[   32.414237]  ? kasan_check_read+0x11/0x20
[   32.418371]  ? rcu_is_watching+0x8c/0x150
[   32.422505]  ? rcu_pm_notify+0xc0/0xc0
[   32.426373]  ? v9fs_mount+0x61/0x900
[   32.430065]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.435070]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.439890]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.445410]  v9fs_mount+0x7c/0x900
[   32.448935]  mount_fs+0xae/0x328
[   32.452284]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.456853]  ? may_umount+0xb0/0xb0
[   32.460462]  ? _raw_read_unlock+0x22/0x30
[   32.464586]  ? __get_fs_type+0x97/0xc0
[   32.468453]  do_mount+0x581/0x30e0
[   32.471980]  ? copy_mount_string+0x40/0x40
[   32.476203]  ? copy_mount_options+0x5f/0x380
[   32.480597]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.485595]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.490428]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.495944]  ? copy_mount_options+0x285/0x380
[   32.500419]  ksys_mount+0x12d/0x140
[   32.504030]  __x64_sys_mount+0xbe/0x150
[   32.507988]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.512987]  do_syscall_64+0x1b9/0x820
[   32.516855]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.521775]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.526694]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.532218]  ? retint_user+0x18/0x18
[   32.535921]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.540765]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.545939] RIP: 0033:0x440959
[   32.549103] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   32.568219] RSP: 002b:00007fffb5d80058 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   32.575924] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   32.583176] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.590431] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.597688] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000007b98
[   32.604937] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   32.612752] Dumping ftrace buffer:
[   32.616272]    (ftrace buffer empty)
[   32.619954] Kernel Offset: disabled
[   32.623558] Rebooting in 86400 seconds..
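What the report above shows, read as a parser bug: during the 9p version handshake that p9_client_create runs at mount time (the p9_fd_show_options frame suggests the fd transport, i.e. the peer is whatever process the fuzzer attached to that file descriptor), pdu_read's memcpy copies 8523 bytes starting 45 bytes into the reply buffer that p9_fcall_alloc took from kmalloc-16384. The shadow dump puts the kmalloc redzone (0xfc) 8224 bytes into that object, so the actual request was only about 8 KiB; that 8224 equals the default 9p msize of 8192 plus a 32-byte allocation header, and 45 minus 32 is exactly the 13 bytes of Rversion fields that precede the version string (size[4] type[1] tag[2] msize[4] len[2]). Those two arithmetic facts are inferences from the addresses in the log, not something the log states, but together they say the copy length came from the peer's reply rather than from the buffer the kernel owns. Because the box runs with panic_on_warn, a single hostile or corrupted reply turns a kernel memory disclosure into a reboot.

The block below is an added example, not kernel code: a C model of the 9p reply parser with the bound the crash lacks. The header's declared size is checked against the buffer's capacity before it is ever used as a read limit, and each field read is bounded by both. Struct layout, function names and the two sample replies are this example's own constructions; only the numbers 8192, 8523 and 8536 are taken from the report.

```c
/* Added example, not kernel code: a model of 9p reply parsing with the bound
 * the crash above lacks. Names, layout and samples are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P9_HDRSZ    7u    /* size[4] type[1] tag[2], little-endian */
#define P9_RVERSION 101   /* type byte of an Rversion reply */

struct pdu {
	const uint8_t *sdata;  /* receive buffer */
	size_t capacity;       /* bytes the buffer actually owns */
	size_t size;           /* bytes the peer's header claims are present */
	size_t offset;         /* read cursor */
};

/* Shape of the copy length in the crashing read: it trusts size and never
 * consults capacity. With size < offset the subtraction wraps, so the whole
 * request is copied. Arithmetic only; nothing is dereferenced here. */
static size_t unchecked_copy_len(size_t size, size_t offset, size_t want)
{
	size_t avail = size - offset;
	return avail < want ? avail : want;
}

/* Hardened read: every byte must lie inside both the declared size and the
 * owned buffer. Returns 0 and advances on success, -1 and copies nothing otherwise. */
static int pdu_read_checked(struct pdu *p, void *dst, size_t n)
{
	if (p->size > p->capacity || p->offset > p->size || n > p->size - p->offset)
		return -1;
	memcpy(dst, p->sdata + p->offset, n);
	p->offset += n;
	return 0;
}

static int rd_u8(struct pdu *p, uint8_t *v) { return pdu_read_checked(p, v, 1); }

static int rd_u16(struct pdu *p, uint16_t *v)
{
	uint8_t b[2];
	if (pdu_read_checked(p, b, 2)) return -1;
	*v = (uint16_t)(b[0] | b[1] << 8);
	return 0;
}

static int rd_u32(struct pdu *p, uint32_t *v)
{
	uint8_t b[4];
	if (pdu_read_checked(p, b, 4)) return -1;
	*v = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
	return 0;
}

/* Parse the 7-byte header and pin pdu->size to it. The last check is the one
 * that matters: a declared size larger than the buffer is refused before any
 * field read can use it as a bound. */
static int parse_header_checked(struct pdu *p, uint8_t *type, uint16_t *tag)
{
	uint32_t size;
	p->offset = 0;
	p->size = p->capacity;  /* only the header is readable until size is validated */
	if (rd_u32(p, &size) || rd_u8(p, type) || rd_u16(p, tag)) return -1;
	if (size < P9_HDRSZ || size > p->capacity) return -1;
	p->size = size;
	return 0;
}

/* Rversion: size[4] Rversion tag[2] msize[4] version[s], s = len[2] + len bytes.
 * Copies the NUL-terminated version into out; 0 on success, -1 on any bad field. */
static int parse_rversion(const uint8_t *buf, size_t capacity, uint32_t *msize,
			  char *out, size_t outlen)
{
	struct pdu p = { buf, capacity, 0, 0 };
	uint8_t type;
	uint16_t tag, slen;
	if (parse_header_checked(&p, &type, &tag) || type != P9_RVERSION) return -1;
	if (rd_u32(&p, msize) || rd_u16(&p, &slen)) return -1;
	if ((size_t)slen + 1 > outlen || pdu_read_checked(&p, out, slen)) return -1;
	out[slen] = '\0';
	return 0;
}

/* Constructed samples, not captured traffic. */
static const uint8_t good_rversion[] = {
	0x13, 0x00, 0x00, 0x00,        /* size = 19 */
	P9_RVERSION, 0xff, 0xff,       /* Rversion, tag NOTAG */
	0x00, 0x20, 0x00, 0x00,        /* msize = 8192 */
	0x06, 0x00, '9', 'P', '2', '0', '0', '0',
};
/* Same layout with the report's numbers: a header claiming 8536 bytes and an
 * 8523-byte version string, arriving in a buffer that owns only 8192 bytes. */
static const uint8_t hostile_rversion[8192] = {
	0x58, 0x21, 0x00, 0x00,        /* size = 8536 */
	P9_RVERSION, 0xff, 0xff,
	0x00, 0x20, 0x00, 0x00,
	0x4b, 0x21,                    /* len = 8523 */
};

/* Returns 0 when the good reply parses and the hostile one is refused,
 * otherwise the number of the step that failed. */
static int run_samples(void)
{
	uint32_t msize = 0;
	char ver[64];
	if (parse_rversion(good_rversion, sizeof good_rversion, &msize, ver, sizeof ver)) return 1;
	if (msize != 8192 || strcmp(ver, "9P2000") != 0) return 2;
	if (parse_rversion(hostile_rversion, sizeof hostile_rversion, &msize, ver, sizeof ver) != -1) return 3;
	return 0;
}

int main(void)
{
	printf("samples: %s\n", run_samples() == 0 ? "ok" : "FAILED");
	printf("unchecked copy for size=8536, offset=13, want=8523: %zu bytes, buffer has %d left\n",
	       unchecked_copy_len(8536, 13, 8523), 8192 - 13);
	return run_samples();
}
```

The order of the checks is the point. Validating the declared size against capacity once, at header time, is what makes the later per-field check `n > size - offset` sufficient; without it that check is only as trustworthy as the peer, and the wrapped subtraction in unchecked_copy_len shows the second way it fails when a truncated reply leaves the cursor past the declared end.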