[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   20.316312] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.124058] random: sshd: uninitialized urandom read (32 bytes read)
[   26.679486] random: sshd: uninitialized urandom read (32 bytes read)
[   27.520547] random: sshd: uninitialized urandom read (32 bytes read)
[   27.681965] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
[   33.430102] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
[   33.543103] ==================================================================
[   33.550608] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   33.556772] Read of size 38413 at addr ffff8801b2ea85ed by task syz-executor312/4580
[   33.564661] 
[   33.566318] CPU: 1 PID: 4580 Comm: syz-executor312 Not tainted 4.18.0-rc4+ #139
[   33.573775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.583132] Call Trace:
[   33.585753]  dump_stack+0x1c9/0x2b4
[   33.589392]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.594717]  ? printk+0xa7/0xcf
[   33.598013]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.602784]  ? pdu_read+0x90/0xd0
[   33.606247]  print_address_description+0x6c/0x20b
[   33.611094]  ? pdu_read+0x90/0xd0
[   33.614566]  kasan_report.cold.7+0x242/0x2fe
[   33.618988]  check_memory_region+0x13e/0x1b0
[   33.623413]  memcpy+0x23/0x50
[   33.626524]  pdu_read+0x90/0xd0
[   33.629796]  p9pdu_readf+0x579/0x2170
[   33.633589]  ? p9pdu_writef+0xe0/0xe0
[   33.637396]  ? __fget+0x414/0x670
[   33.640852]  ? rcu_is_watching+0x61/0x150
[   33.645000]  ? expand_files.part.8+0x9c0/0x9c0
[   33.649611]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.654866]  ? p9_fd_show_options+0x1c0/0x1c0
[   33.659373]  p9_client_create+0xde0/0x16c9
[   33.663607]  ? p9_client_read+0xc60/0xc60
[   33.667749]  ? find_held_lock+0x36/0x1c0
[   33.671813]  ? __lockdep_init_map+0x105/0x590
[   33.676331]  ? kasan_check_write+0x14/0x20
[   33.680558]  ? __init_rwsem+0x1cc/0x2a0
[   33.684530]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   33.689572]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.694598]  ? __kmalloc_track_caller+0x5f5/0x760
[   33.699432]  ? save_stack+0xa9/0xd0
[   33.703062]  ? save_stack+0x43/0xd0
[   33.706687]  ? kasan_kmalloc+0xc4/0xe0
[   33.710564]  ? kmem_cache_alloc_trace+0x152/0x780
[   33.715410]  ? memcpy+0x45/0x50
[   33.718685]  v9fs_session_init+0x21a/0x1a80
[   33.723015]  ? lock_downgrade+0x8f0/0x8f0
[   33.727166]  ? v9fs_show_options+0x7e0/0x7e0
[   33.731582]  ? kasan_check_read+0x11/0x20
[   33.736324]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.740731]  ? kasan_check_read+0x11/0x20
[   33.744864]  ? rcu_is_watching+0x8c/0x150
[   33.749002]  ? rcu_pm_notify+0xc0/0xc0
[   33.752892]  ? v9fs_mount+0x61/0x900
[   33.756616]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.761642]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.767182]  v9fs_mount+0x7c/0x900
[   33.770728]  mount_fs+0xae/0x328
[   33.774088]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.778662]  ? may_umount+0xb0/0xb0
[   33.782286]  ? _raw_read_unlock+0x22/0x30
[   33.786431]  ? __get_fs_type+0x97/0xc0
[   33.790326]  do_mount+0x581/0x30e0
[   33.793859]  ? copy_mount_string+0x40/0x40
[   33.798092]  ? copy_mount_options+0x5f/0x380
[   33.802498]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.807506]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.812340]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.817877]  ? _copy_from_user+0xdf/0x150
[   33.822029]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.827578]  ? copy_mount_options+0x285/0x380
[   33.832074]  ksys_mount+0x12d/0x140
[   33.835708]  __x64_sys_mount+0xbe/0x150
[   33.839684]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.844737]  do_syscall_64+0x1b9/0x820
[   33.848684]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.853730]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.858676]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.864067]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.868925]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.874124] RIP: 0033:0x440179
[   33.877326] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   33.896752] RSP: 002b:00007ffca1193a48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   33.904564] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440179
[   33.911928] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[   33.919226] RBP: 0030656c69662f2e R08: 0000000020000340 R09: 00000000004002c8
[   33.926802] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[   33.934166] R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
[   33.941444] 
[   33.943071] Allocated by task 4580:
[   33.946695]  save_stack+0x43/0xd0
[   33.950175]  kasan_kmalloc+0xc4/0xe0
[   33.953915]  __kmalloc+0x14e/0x760
[   33.957458]  p9_fcall_alloc+0x1e/0x90
[   33.961266]  p9_client_prepare_req.part.8+0x754/0xcd0
[   33.966464]  p9_client_rpc+0x1bd/0x1400
[   33.970457]  p9_client_create+0xd09/0x16c9
[   33.974703]  v9fs_session_init+0x21a/0x1a80
[   33.979030]  v9fs_mount+0x7c/0x900
[   33.982589]  mount_fs+0xae/0x328
[   33.985974]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.990579]  do_mount+0x581/0x30e0
[   33.994124]  ksys_mount+0x12d/0x140
[   33.997753]  __x64_sys_mount+0xbe/0x150
[   34.001731]  do_syscall_64+0x1b9/0x820
[   34.005626]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.010810] 
[   34.012461] Freed by task 0:
[   34.015521] (stack is not available)
[   34.019259] 
[   34.020883] The buggy address belongs to the object at ffff8801b2ea85c0
[   34.020883]  which belongs to the cache kmalloc-16384 of size 16384
[   34.033886] The buggy address is located 45 bytes inside of
[   34.033886]  16384-byte region [ffff8801b2ea85c0, ffff8801b2eac5c0)
[   34.045933] The buggy address belongs to the page:
[   34.050885] page:ffffea0006cbaa00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   34.060951] flags: 0x2fffc0000008100(slab|head)
[   34.065641] raw: 02fffc0000008100 ffffea000763d208 ffff8801da801c48 ffff8801da802200
[   34.073564] raw: 0000000000000000 ffff8801b2ea85c0 0000000100000001 0000000000000000
[   34.081557] page dumped because: kasan: bad access detected
[   34.087272] 
[   34.088927] Memory state around the buggy address:
[   34.093856]  ffff8801b2eaa480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.101226]  ffff8801b2eaa500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.108599] >ffff8801b2eaa580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   34.115967]                                                        ^
[   34.122487]  ffff8801b2eaa600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.129848]  ffff8801b2eaa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.137556] ==================================================================
[   34.144903] Disabling lock debugging due to kernel taint
[   34.150428] Kernel panic - not syncing: panic_on_warn set ...
[   34.150428] 
[   34.157825] CPU: 1 PID: 4580 Comm: syz-executor312 Tainted: G    B             4.18.0-rc4+ #139
[   34.166658] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.176008] Call Trace:
[   34.178614]  dump_stack+0x1c9/0x2b4
[   34.182250]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.187471]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.192251]  panic+0x238/0x4e7
[   34.195446]  ? add_taint.cold.5+0x16/0x16
[   34.199604]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.204022]  ? pdu_read+0x90/0xd0
[   34.207478]  kasan_end_report+0x47/0x4f
[   34.211463]  kasan_report.cold.7+0x76/0x2fe
[   34.215797]  check_memory_region+0x13e/0x1b0
[   34.220215]  memcpy+0x23/0x50
[   34.223403]  pdu_read+0x90/0xd0
[   34.226693]  p9pdu_readf+0x579/0x2170
[   34.230502]  ? p9pdu_writef+0xe0/0xe0
[   34.234304]  ? __fget+0x414/0x670
[   34.237753]  ? rcu_is_watching+0x61/0x150
[   34.241901]  ? expand_files.part.8+0x9c0/0x9c0
[   34.246499]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.251610]  ? p9_fd_show_options+0x1c0/0x1c0
[   34.256099]  p9_client_create+0xde0/0x16c9
[   34.260505]  ? p9_client_read+0xc60/0xc60
[   34.264738]  ? find_held_lock+0x36/0x1c0
[   34.268803]  ? __lockdep_init_map+0x105/0x590
[   34.273399]  ? kasan_check_write+0x14/0x20
[   34.277626]  ? __init_rwsem+0x1cc/0x2a0
[   34.281593]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   34.286626]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.291669]  ? __kmalloc_track_caller+0x5f5/0x760
[   34.296517]  ? save_stack+0xa9/0xd0
[   34.300147]  ? save_stack+0x43/0xd0
[   34.303775]  ? kasan_kmalloc+0xc4/0xe0
[   34.307670]  ? kmem_cache_alloc_trace+0x152/0x780
[   34.312520]  ? memcpy+0x45/0x50
[   34.315801]  v9fs_session_init+0x21a/0x1a80
[   34.320121]  ? lock_downgrade+0x8f0/0x8f0
[   34.324263]  ? v9fs_show_options+0x7e0/0x7e0
[   34.328671]  ? kasan_check_read+0x11/0x20
[   34.332823]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.337227]  ? kasan_check_read+0x11/0x20
[   34.341367]  ? rcu_is_watching+0x8c/0x150
[   34.345548]  ? rcu_pm_notify+0xc0/0xc0
[   34.349490]  ? v9fs_mount+0x61/0x900
[   34.353198]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.358226]  ? kmem_cache_alloc_trace+0x616/0x780
[   34.363082]  v9fs_mount+0x7c/0x900
[   34.366642]  mount_fs+0xae/0x328
[   34.370015]  vfs_kern_mount.part.34+0xdc/0x4e0
[   34.374872]  ? may_umount+0xb0/0xb0
[   34.378499]  ? _raw_read_unlock+0x22/0x30
[   34.382642]  ? __get_fs_type+0x97/0xc0
[   34.386521]  do_mount+0x581/0x30e0
[   34.390061]  ? copy_mount_string+0x40/0x40
[   34.394291]  ? copy_mount_options+0x5f/0x380
[   34.398706]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.403711]  ? kmem_cache_alloc_trace+0x616/0x780
[   34.408552]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.414093]  ? _copy_from_user+0xdf/0x150
[   34.418241]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.423778]  ? copy_mount_options+0x285/0x380
[   34.428273]  ksys_mount+0x12d/0x140
[   34.431911]  __x64_sys_mount+0xbe/0x150
[   34.435901]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.441053]  do_syscall_64+0x1b9/0x820
[   34.444975]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.449948]  ? syscall_return_slowpath+0x31d/0x5e0
[   34.454887]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   34.460254]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.465109]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.470299] RIP: 0033:0x440179
[   34.473489] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   34.493520] RSP: 002b:00007ffca1193a48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   34.501239] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440179
[   34.508505] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[   34.515802] RBP: 0030656c69662f2e R08: 0000000020000340 R09: 00000000004002c8
[   34.523087] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[   34.530362] R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
[   34.538250] Dumping ftrace buffer:
[   34.541791]    (ftrace buffer empty)
[   34.545502] Kernel Offset: disabled
[   34.549134] Rebooting in 86400 seconds..