[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.742415] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.780201] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.091297] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.943265] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.103338] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
[ 31.545723] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 31.640425] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 31.660936] ==================================================================
[ 31.668383] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 31.674518] Read of size 51163 at addr ffff8801ac59042d by task syz-executor781/4572
[ 31.682377]
[ 31.683991] CPU: 1 PID: 4572 Comm: syz-executor781 Not tainted 4.18.0-rc3+ #137
[ 31.691419] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.700763] Call Trace:
[ 31.703348]  dump_stack+0x1c9/0x2b4
[ 31.706976]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.712164]  ? printk+0xa7/0xcf
[ 31.715430]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.720177]  ? pdu_read+0x90/0xd0
[ 31.723614]  print_address_description+0x6c/0x20b
[ 31.728439]  ? pdu_read+0x90/0xd0
[ 31.731873]  kasan_report.cold.7+0x242/0x2fe
[ 31.736284]  check_memory_region+0x13e/0x1b0
[ 31.740683]  memcpy+0x23/0x50
[ 31.743775]  pdu_read+0x90/0xd0
[ 31.747042]  p9pdu_readf+0x579/0x2170
[ 31.750844]  ? p9pdu_writef+0xe0/0xe0
[ 31.754627]  ? __fget+0x414/0x670
[ 31.758065]  ? rcu_is_watching+0x61/0x150
[ 31.762194]  ? expand_files.part.8+0x9c0/0x9c0
[ 31.766763]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.771767]  ? p9_fd_show_options+0x1c0/0x1c0
[ 31.776250]  p9_client_create+0xde0/0x16c9
[ 31.780471]  ? p9_client_read+0xc60/0xc60
[ 31.784599]  ? find_held_lock+0x36/0x1c0
[ 31.788657]  ? __lockdep_init_map+0x105/0x590
[ 31.793139]  ? kasan_check_write+0x14/0x20
[ 31.797354]  ? __init_rwsem+0x1cc/0x2a0
[ 31.801319]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 31.806321]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.811331]  ? __kmalloc_track_caller+0x5f5/0x760
[ 31.816158]  ? save_stack+0xa9/0xd0
[ 31.819781]  ? save_stack+0x43/0xd0
[ 31.823391]  ? kasan_kmalloc+0xc4/0xe0
[ 31.827256]  ? kmem_cache_alloc_trace+0x152/0x780
[ 31.832081]  ? memcpy+0x45/0x50
[ 31.835353]  v9fs_session_init+0x21a/0x1a80
[ 31.839677]  ? lock_downgrade+0x8f0/0x8f0
[ 31.843811]  ? v9fs_show_options+0x7e0/0x7e0
[ 31.848203]  ? kasan_check_read+0x11/0x20
[ 31.852348]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.856738]  ? kasan_check_read+0x11/0x20
[ 31.860868]  ? rcu_is_watching+0x8c/0x150
[ 31.865004]  ? rcu_pm_notify+0xc0/0xc0
[ 31.868888]  ? v9fs_mount+0x61/0x900
[ 31.872600]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.877600]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.882437]  v9fs_mount+0x7c/0x900
[ 31.885972]  mount_fs+0xae/0x328
[ 31.889332]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.893897]  ? may_umount+0xb0/0xb0
[ 31.897507]  ? _raw_read_unlock+0x22/0x30
[ 31.901632]  ? __get_fs_type+0x97/0xc0
[ 31.905506]  do_mount+0x581/0x30e0
[ 31.909039]  ? copy_mount_string+0x40/0x40
[ 31.913260]  ? copy_mount_options+0x5f/0x380
[ 31.917651]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.922648]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.927478]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.932997]  ? copy_mount_options+0x285/0x380
[ 31.937484]  ksys_mount+0x12d/0x140
[ 31.941094]  __x64_sys_mount+0xbe/0x150
[ 31.945061]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.950060]  do_syscall_64+0x1b9/0x820
[ 31.956193]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.961109]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.966036]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.971566]  ? retint_user+0x18/0x18
[ 31.975292]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.980129]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.985306] RIP: 0033:0x440959
[ 31.988473] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.007683] RSP: 002b:00007ffde3458a38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 32.015375] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 32.022626] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 32.029875] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 32.037132] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401e20
[ 32.044384] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 32.051653]
[ 32.053261] Allocated by task 4572:
[ 32.056876]  save_stack+0x43/0xd0
[ 32.060311]  kasan_kmalloc+0xc4/0xe0
[ 32.064008]  __kmalloc+0x14e/0x760
[ 32.067542]  p9_fcall_alloc+0x1e/0x90
[ 32.071325]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 32.076503]  p9_client_rpc+0x1bd/0x1400
[ 32.080472]  p9_client_create+0xd09/0x16c9
[ 32.084688]  v9fs_session_init+0x21a/0x1a80
[ 32.088994]  v9fs_mount+0x7c/0x900
[ 32.092521]  mount_fs+0xae/0x328
[ 32.095955]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 32.100519]  do_mount+0x581/0x30e0
[ 32.104051]  ksys_mount+0x12d/0x140
[ 32.107666]  __x64_sys_mount+0xbe/0x150
[ 32.111632]  do_syscall_64+0x1b9/0x820
[ 32.115508]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.120692]
[ 32.122300] Freed by task 0:
[ 32.125293] (stack is not available)
[ 32.128984]
[ 32.130599] The buggy address belongs to the object at ffff8801ac590400
[ 32.130599]  which belongs to the cache kmalloc-16384 of size 16384
[ 32.143598] The buggy address is located 45 bytes inside of
[ 32.143598]  16384-byte region [ffff8801ac590400, ffff8801ac594400)
[ 32.155539] The buggy address belongs to the page:
[ 32.160451] page:ffffea0006b16400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 32.170402] flags: 0x2fffc0000008100(slab|head)
[ 32.175062] raw: 02fffc0000008100 ffffea0006b19008 ffff8801da801c48 ffff8801da802200
[ 32.182931] raw: 0000000000000000 ffff8801ac590400 0000000100000001 0000000000000000
[ 32.190791] page dumped because: kasan: bad access detected
[ 32.196479]
[ 32.198082] Memory state around the buggy address:
[ 32.202989]  ffff8801ac592300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.210341]  ffff8801ac592380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.217859] >ffff8801ac592400: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.225204]                                ^
[ 32.229596]  ffff8801ac592480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.236957]  ffff8801ac592500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.244296] ==================================================================
[ 32.251637] Disabling lock debugging due to kernel taint
[ 32.257184] Kernel panic - not syncing: panic_on_warn set ...
[ 32.257184]
[ 32.264560] CPU: 1 PID: 4572 Comm: syz-executor781 Tainted: G    B   4.18.0-rc3+ #137
[ 32.273398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.282818] Call Trace:
[ 32.285393]  dump_stack+0x1c9/0x2b4
[ 32.289001]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.294179]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.298930]  panic+0x238/0x4e7
[ 32.302103]  ? add_taint.cold.5+0x16/0x16
[ 32.306237]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.310623]  ? pdu_read+0x90/0xd0
[ 32.314056]  kasan_end_report+0x47/0x4f
[ 32.318011]  kasan_report.cold.7+0x76/0x2fe
[ 32.322329]  check_memory_region+0x13e/0x1b0
[ 32.326718]  memcpy+0x23/0x50
[ 32.329805]  pdu_read+0x90/0xd0
[ 32.333065]  p9pdu_readf+0x579/0x2170
[ 32.336847]  ? p9pdu_writef+0xe0/0xe0
[ 32.340634]  ? __fget+0x414/0x670
[ 32.344067]  ? rcu_is_watching+0x61/0x150
[ 32.348191]  ? expand_files.part.8+0x9c0/0x9c0
[ 32.352755]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.357760]  ? p9_fd_show_options+0x1c0/0x1c0
[ 32.362239]  p9_client_create+0xde0/0x16c9
[ 32.366464]  ? p9_client_read+0xc60/0xc60
[ 32.370597]  ? find_held_lock+0x36/0x1c0
[ 32.375163]  ? __lockdep_init_map+0x105/0x590
[ 32.379641]  ? kasan_check_write+0x14/0x20
[ 32.383857]  ? __init_rwsem+0x1cc/0x2a0
[ 32.387828]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 32.392832]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.397829]  ? __kmalloc_track_caller+0x5f5/0x760
[ 32.402659]  ? save_stack+0xa9/0xd0
[ 32.406274]  ? save_stack+0x43/0xd0
[ 32.409880]  ? kasan_kmalloc+0xc4/0xe0
[ 32.413745]  ? kmem_cache_alloc_trace+0x152/0x780
[ 32.418577]  ? memcpy+0x45/0x50
[ 32.421840]  v9fs_session_init+0x21a/0x1a80
[ 32.426145]  ? lock_downgrade+0x8f0/0x8f0
[ 32.430275]  ? v9fs_show_options+0x7e0/0x7e0
[ 32.434673]  ? kasan_check_read+0x11/0x20
[ 32.438802]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.443191]  ? kasan_check_read+0x11/0x20
[ 32.447318]  ? rcu_is_watching+0x8c/0x150
[ 32.451445]  ? rcu_pm_notify+0xc0/0xc0
[ 32.455315]  ? v9fs_mount+0x61/0x900
[ 32.459023]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.464032]  ? kmem_cache_alloc_trace+0x616/0x780
[ 32.468859]  v9fs_mount+0x7c/0x900
[ 32.472383]  mount_fs+0xae/0x328
[ 32.475739]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 32.480299]  ? may_umount+0xb0/0xb0
[ 32.483926]  ? _raw_read_unlock+0x22/0x30
[ 32.488052]  ? __get_fs_type+0x97/0xc0
[ 32.491935]  do_mount+0x581/0x30e0
[ 32.495455]  ? copy_mount_string+0x40/0x40
[ 32.499674]  ? copy_mount_options+0x5f/0x380
[ 32.504070]  ? rcu_read_lock_sched_held+0x108/0x120
[ 32.509070]  ? kmem_cache_alloc_trace+0x616/0x780
[ 32.513904]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.519442]  ? copy_mount_options+0x285/0x380
[ 32.523935]  ksys_mount+0x12d/0x140
[ 32.527565]  __x64_sys_mount+0xbe/0x150
[ 32.531536]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.536552]  do_syscall_64+0x1b9/0x820
[ 32.540426]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 32.545342]  ? syscall_return_slowpath+0x31d/0x5e0
[ 32.550268]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.555797]  ? retint_user+0x18/0x18
[ 32.559504]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.564330]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.569500] RIP: 0033:0x440959
[ 32.572672] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.591808] RSP: 002b:00007ffde3458a38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 32.599505] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[ 32.606758] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 32.614022] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 32.621291] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401e20
[ 32.628545] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[ 32.636690] Dumping ftrace buffer:
[ 32.640225]    (ftrace buffer empty)
[ 32.643937] Kernel Offset: disabled
[ 32.647550] Rebooting in 86400 seconds..