[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.873874] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.201650] random: sshd: uninitialized urandom read (32 bytes read)
[   24.554630] random: sshd: uninitialized urandom read (32 bytes read)
[   25.418666] random: sshd: uninitialized urandom read (32 bytes read)
[   27.595356] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
[   33.053495] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   33.156801] ==================================================================
[   33.164323] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   33.170463] Read of size 42743 at addr ffff8801c280866d by task syz-executor517/4529
[   33.178320] 
[   33.179931] CPU: 1 PID: 4529 Comm: syz-executor517 Not tainted 4.18.0-rc4+ #138
[   33.187358] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.196705] Call Trace:
[   33.199293]  dump_stack+0x1c9/0x2b4
[   33.202907]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.208079]  ? printk+0xa7/0xcf
[   33.211344]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.216095]  ? pdu_read+0x90/0xd0
[   33.219663]  print_address_description+0x6c/0x20b
[   33.224488]  ? pdu_read+0x90/0xd0
[   33.227921]  kasan_report.cold.7+0x242/0x2fe
[   33.232322]  check_memory_region+0x13e/0x1b0
[   33.236711]  memcpy+0x23/0x50
[   33.239799]  pdu_read+0x90/0xd0
[   33.243060]  p9pdu_readf+0x579/0x2170
[   33.246849]  ? p9pdu_writef+0xe0/0xe0
[   33.250632]  ? __fget+0x414/0x670
[   33.254069]  ? rcu_is_watching+0x61/0x150
[   33.258197]  ? expand_files.part.8+0x9c0/0x9c0
[   33.262767]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.267777]  ? p9_fd_show_options+0x1c0/0x1c0
[   33.272258]  p9_client_create+0xde0/0x16c9
[   33.276487]  ? p9_client_read+0xc60/0xc60
[   33.280617]  ? find_held_lock+0x36/0x1c0
[   33.284683]  ? __lockdep_init_map+0x105/0x590
[   33.289184]  ? kasan_check_write+0x14/0x20
[   33.293406]  ? __init_rwsem+0x1cc/0x2a0
[   33.297365]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   33.302365]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.307370]  ? __kmalloc_track_caller+0x5f5/0x760
[   33.312195]  ? save_stack+0xa9/0xd0
[   33.315825]  ? save_stack+0x43/0xd0
[   33.319440]  ? kasan_kmalloc+0xc4/0xe0
[   33.323317]  ? kmem_cache_alloc_trace+0x152/0x780
[   33.328149]  ? memcpy+0x45/0x50
[   33.331421]  v9fs_session_init+0x21a/0x1a80
[   33.335734]  ? find_held_lock+0x36/0x1c0
[   33.339797]  ? v9fs_show_options+0x7e0/0x7e0
[   33.344204]  ? kasan_check_read+0x11/0x20
[   33.348338]  ? rcu_is_watching+0x8c/0x150
[   33.352490]  ? rcu_pm_notify+0xc0/0xc0
[   33.356371]  ? v9fs_mount+0x61/0x900
[   33.360077]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.365079]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.369918]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.375449]  v9fs_mount+0x7c/0x900
[   33.379011]  mount_fs+0xae/0x328
[   33.382371]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.386935]  ? may_umount+0xb0/0xb0
[   33.390557]  ? _raw_read_unlock+0x22/0x30
[   33.394686]  ? __get_fs_type+0x97/0xc0
[   33.398559]  do_mount+0x581/0x30e0
[   33.402087]  ? copy_mount_string+0x40/0x40
[   33.406320]  ? copy_mount_options+0x5f/0x380
[   33.410717]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.415728]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.420556]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.426079]  ? _copy_from_user+0xdf/0x150
[   33.430225]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.435751]  ? copy_mount_options+0x285/0x380
[   33.440243]  ksys_mount+0x12d/0x140
[   33.443854]  __x64_sys_mount+0xbe/0x150
[   33.447815]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.452817]  do_syscall_64+0x1b9/0x820
[   33.456690]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.461615]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.466533]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.472058]  ? retint_user+0x18/0x18
[   33.475779]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.480626]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.485826] RIP: 0033:0x4408d9
[   33.489014] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   33.508250] RSP: 002b:00007ffde2c51d28 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   33.515955] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[   33.523223] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000000000000
[   33.530485] RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002c8
[   33.537745] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000008180
[   33.544998] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[   33.552271] 
[   33.553881] Allocated by task 4529:
[   33.557510]  save_stack+0x43/0xd0
[   33.560959]  kasan_kmalloc+0xc4/0xe0
[   33.564656]  __kmalloc+0x14e/0x760
[   33.568180]  p9_fcall_alloc+0x1e/0x90
[   33.571975]  p9_client_prepare_req.part.8+0x754/0xcd0
[   33.577153]  p9_client_rpc+0x1bd/0x1400
[   33.581107]  p9_client_create+0xd09/0x16c9
[   33.585326]  v9fs_session_init+0x21a/0x1a80
[   33.589626]  v9fs_mount+0x7c/0x900
[   33.593149]  mount_fs+0xae/0x328
[   33.596496]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.601063]  do_mount+0x581/0x30e0
[   33.604588]  ksys_mount+0x12d/0x140
[   33.608206]  __x64_sys_mount+0xbe/0x150
[   33.612166]  do_syscall_64+0x1b9/0x820
[   33.616041]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.621205] 
[   33.622810] Freed by task 0:
[   33.625805] (stack is not available)
[   33.629491] 
[   33.631113] The buggy address belongs to the object at ffff8801c2808640
[   33.631113]  which belongs to the cache kmalloc-16384 of size 16384
[   33.644117] The buggy address is located 45 bytes inside of
[   33.644117]  16384-byte region [ffff8801c2808640, ffff8801c280c640)
[   33.656059] The buggy address belongs to the page:
[   33.660971] page:ffffea00070a0200 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   33.670920] flags: 0x2fffc0000008100(slab|head)
[   33.675578] raw: 02fffc0000008100 ffffea0007071408 ffff8801da801c48 ffff8801da802200
[   33.683441] raw: 0000000000000000 ffff8801c2808640 0000000100000001 0000000000000000
[   33.691295] page dumped because: kasan: bad access detected
[   33.696988] 
[   33.698606] Memory state around the buggy address:
[   33.703527]  ffff8801c280a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.710877]  ffff8801c280a580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.718250] >ffff8801c280a600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   33.725615]                                                        ^
[   33.732089]  ffff8801c280a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.739428]  ffff8801c280a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.746772] ==================================================================
[   33.754110] Disabling lock debugging due to kernel taint
[   33.759659] Kernel panic - not syncing: panic_on_warn set ...
[   33.759659] 
[   33.767025] CPU: 1 PID: 4529 Comm: syz-executor517 Tainted: G    B             4.18.0-rc4+ #138
[   33.775852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.785195] Call Trace:
[   33.787770]  dump_stack+0x1c9/0x2b4
[   33.791382]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.796553]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.801292]  panic+0x238/0x4e7
[   33.804463]  ? add_taint.cold.5+0x16/0x16
[   33.808589]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.812985]  ? pdu_read+0x90/0xd0
[   33.816420]  kasan_end_report+0x47/0x4f
[   33.820371]  kasan_report.cold.7+0x76/0x2fe
[   33.824683]  check_memory_region+0x13e/0x1b0
[   33.829071]  memcpy+0x23/0x50
[   33.832155]  pdu_read+0x90/0xd0
[   33.835421]  p9pdu_readf+0x579/0x2170
[   33.839223]  ? p9pdu_writef+0xe0/0xe0
[   33.843006]  ? __fget+0x414/0x670
[   33.846448]  ? rcu_is_watching+0x61/0x150
[   33.850575]  ? expand_files.part.8+0x9c0/0x9c0
[   33.855140]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.860145]  ? p9_fd_show_options+0x1c0/0x1c0
[   33.864628]  p9_client_create+0xde0/0x16c9
[   33.868844]  ? p9_client_read+0xc60/0xc60
[   33.873005]  ? find_held_lock+0x36/0x1c0
[   33.877069]  ? __lockdep_init_map+0x105/0x590
[   33.881550]  ? kasan_check_write+0x14/0x20
[   33.885769]  ? __init_rwsem+0x1cc/0x2a0
[   33.889733]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   33.894730]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.899724]  ? __kmalloc_track_caller+0x5f5/0x760
[   33.904547]  ? save_stack+0xa9/0xd0
[   33.908163]  ? save_stack+0x43/0xd0
[   33.911773]  ? kasan_kmalloc+0xc4/0xe0
[   33.915638]  ? kmem_cache_alloc_trace+0x152/0x780
[   33.920470]  ? memcpy+0x45/0x50
[   33.923735]  v9fs_session_init+0x21a/0x1a80
[   33.928039]  ? find_held_lock+0x36/0x1c0
[   33.932081]  ? v9fs_show_options+0x7e0/0x7e0
[   33.936469]  ? kasan_check_read+0x11/0x20
[   33.940595]  ? rcu_is_watching+0x8c/0x150
[   33.944721]  ? rcu_pm_notify+0xc0/0xc0
[   33.948588]  ? v9fs_mount+0x61/0x900
[   33.952285]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.957281]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.962113]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.967643]  v9fs_mount+0x7c/0x900
[   33.971172]  mount_fs+0xae/0x328
[   33.974520]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.979080]  ? may_umount+0xb0/0xb0
[   33.982685]  ? _raw_read_unlock+0x22/0x30
[   33.986808]  ? __get_fs_type+0x97/0xc0
[   33.990675]  do_mount+0x581/0x30e0
[   33.994197]  ? copy_mount_string+0x40/0x40
[   33.998427]  ? copy_mount_options+0x5f/0x380
[   34.002815]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.007818]  ? kmem_cache_alloc_trace+0x616/0x780
[   34.012641]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.018166]  ? _copy_from_user+0xdf/0x150
[   34.022298]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.027821]  ? copy_mount_options+0x285/0x380
[   34.032301]  ksys_mount+0x12d/0x140
[   34.035908]  __x64_sys_mount+0xbe/0x150
[   34.039873]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.044871]  do_syscall_64+0x1b9/0x820
[   34.048739]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.053663]  ? syscall_return_slowpath+0x31d/0x5e0
[   34.058589]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.064116]  ? retint_user+0x18/0x18
[   34.067811]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.072632]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.077800] RIP: 0033:0x4408d9
[   34.080965] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   34.100119] RSP: 002b:00007ffde2c51d28 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   34.107811] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[   34.115061] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000000000000
[   34.122318] RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002c8
[   34.129569] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000008180
[   34.136824] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[   34.144706] Dumping ftrace buffer:
[   34.148227]    (ftrace buffer empty)
[   34.151918] Kernel Offset: disabled
[   34.155530] Rebooting in 86400 seconds..