[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.247572] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.699484] random: sshd: uninitialized urandom read (32 bytes read)
[   24.129269] random: sshd: uninitialized urandom read (32 bytes read)
[   25.007688] random: sshd: uninitialized urandom read (32 bytes read)
[   25.164062] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[   30.668329] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   30.765796] ==================================================================
[   30.773262] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   30.779392] Read of size 60617 at addr ffff8801c1d5062d by task syz-executor708/4546
[   30.787245]
[   30.788857] CPU: 1 PID: 4546 Comm: syz-executor708 Not tainted 4.18.0-rc4+ #142
[   30.796281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.805624] Call Trace:
[   30.808202]  dump_stack+0x1c9/0x2b4
[   30.811814]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.816987]  ? printk+0xa7/0xcf
[   30.820252]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.825006]  ? pdu_read+0x90/0xd0
[   30.828461]  print_address_description+0x6c/0x20b
[   30.833320]  ? pdu_read+0x90/0xd0
[   30.836764]  kasan_report.cold.7+0x242/0x2fe
[   30.841157]  check_memory_region+0x13e/0x1b0
[   30.845547]  memcpy+0x23/0x50
[   30.848635]  pdu_read+0x90/0xd0
[   30.851896]  p9pdu_readf+0x579/0x2170
[   30.855692]  ? p9pdu_writef+0xe0/0xe0
[   30.859477]  ? __fget+0x414/0x670
[   30.862911]  ? rcu_is_watching+0x61/0x150
[   30.867046]  ? expand_files.part.8+0x9c0/0x9c0
[   30.871615]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.876622]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.881115]  p9_client_create+0xde0/0x16c9
[   30.885374]  ? p9_client_read+0xc60/0xc60
[   30.889523]  ? find_held_lock+0x36/0x1c0
[   30.893579]  ? __lockdep_init_map+0x105/0x590
[   30.898087]  ? kasan_check_write+0x14/0x20
[   30.902315]  ? __init_rwsem+0x1cc/0x2a0
[   30.906269]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.911279]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.916297]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.921123]  ? save_stack+0xa9/0xd0
[   30.924734]  ? save_stack+0x43/0xd0
[   30.928344]  ? kasan_kmalloc+0xc4/0xe0
[   30.932212]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.937059]  ? memcpy+0x45/0x50
[   30.940340]  v9fs_session_init+0x21a/0x1a80
[   30.944666]  ? lock_downgrade+0x8f0/0x8f0
[   30.948799]  ? v9fs_show_options+0x7e0/0x7e0
[   30.953203]  ? kasan_check_read+0x11/0x20
[   30.957344]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.961736]  ? kasan_check_read+0x11/0x20
[   30.965878]  ? rcu_is_watching+0x8c/0x150
[   30.970013]  ? rcu_pm_notify+0xc0/0xc0
[   30.973896]  ? v9fs_mount+0x61/0x900
[   30.977594]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.982594]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.987433]  v9fs_mount+0x7c/0x900
[   30.990961]  mount_fs+0xae/0x328
[   30.994310]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.998875]  ? may_umount+0xb0/0xb0
[   31.002497]  ? _raw_read_unlock+0x22/0x30
[   31.006627]  ? __get_fs_type+0x97/0xc0
[   31.010511]  do_mount+0x581/0x30e0
[   31.014047]  ? copy_mount_string+0x40/0x40
[   31.018274]  ? copy_mount_options+0x5f/0x380
[   31.022667]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.027681]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.032511]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.038041]  ? _copy_from_user+0xdf/0x150
[   31.042178]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.047720]  ? copy_mount_options+0x285/0x380
[   31.052217]  ksys_mount+0x12d/0x140
[   31.055847]  __x64_sys_mount+0xbe/0x150
[   31.059806]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.064808]  do_syscall_64+0x1b9/0x820
[   31.068680]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.073591]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.078509]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.083860]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.088690]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.093864] RIP: 0033:0x4401a9
[   31.097035] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.116228] RSP: 002b:00007fff37881e38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   31.123919] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004401a9
[   31.131175] RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000000000000
[   31.138427] RBP: 0030656c69662f2e R08: 00000000200002c0 R09: 0000000000000001
[   31.145687] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   31.152942] R13: 0000040000000002 R14: 0000000000000000 R15: 0000000000000000
[   31.160218]
[   31.161831] Allocated by task 4546:
[   31.165452]  save_stack+0x43/0xd0
[   31.168900]  kasan_kmalloc+0xc4/0xe0
[   31.172603]  __kmalloc+0x14e/0x760
[   31.176127]  p9_fcall_alloc+0x1e/0x90
[   31.179909]  p9_client_prepare_req.part.8+0x754/0xcd0
[   31.185079]  p9_client_rpc+0x1bd/0x1400
[   31.189042]  p9_client_create+0xd09/0x16c9
[   31.193260]  v9fs_session_init+0x21a/0x1a80
[   31.197561]  v9fs_mount+0x7c/0x900
[   31.201097]  mount_fs+0xae/0x328
[   31.204454]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.209025]  do_mount+0x581/0x30e0
[   31.212551]  ksys_mount+0x12d/0x140
[   31.216158]  __x64_sys_mount+0xbe/0x150
[   31.220115]  do_syscall_64+0x1b9/0x820
[   31.223988]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.229168]
[   31.230787] Freed by task 0:
[   31.233779] (stack is not available)
[   31.237468]
[   31.239079] The buggy address belongs to the object at ffff8801c1d50600
[   31.239079]  which belongs to the cache kmalloc-16384 of size 16384
[   31.252067] The buggy address is located 45 bytes inside of
[   31.252067]  16384-byte region [ffff8801c1d50600, ffff8801c1d54600)
[   31.264009] The buggy address belongs to the page:
[   31.268928] page:ffffea0007075400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   31.278898] flags: 0x2fffc0000008100(slab|head)
[   31.283560] raw: 02fffc0000008100 ffffea0006b17c08 ffff8801da801c48 ffff8801da802200
[   31.291422] raw: 0000000000000000 ffff8801c1d50600 0000000100000001 0000000000000000
[   31.299282] page dumped because: kasan: bad access detected
[   31.304981]
[   31.306596] Memory state around the buggy address:
[   31.311504]  ffff8801c1d52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.318843]  ffff8801c1d52580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.326193] >ffff8801c1d52600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   31.333542]                                ^
[   31.337933]  ffff8801c1d52680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.345271]  ffff8801c1d52700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.352604] ==================================================================
[   31.359940] Disabling lock debugging due to kernel taint
[   31.365466] Kernel panic - not syncing: panic_on_warn set ...
[   31.365466]
[   31.372838] CPU: 1 PID: 4546 Comm: syz-executor708 Tainted: G    B     4.18.0-rc4+ #142
[   31.381662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.391000] Call Trace:
[   31.393588]  dump_stack+0x1c9/0x2b4
[   31.397213]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.402388]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.407127]  panic+0x238/0x4e7
[   31.410300]  ? add_taint.cold.5+0x16/0x16
[   31.414431]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.418823]  ? pdu_read+0x90/0xd0
[   31.422256]  kasan_end_report+0x47/0x4f
[   31.426222]  kasan_report.cold.7+0x76/0x2fe
[   31.430536]  check_memory_region+0x13e/0x1b0
[   31.434924]  memcpy+0x23/0x50
[   31.438017]  pdu_read+0x90/0xd0
[   31.441285]  p9pdu_readf+0x579/0x2170
[   31.445069]  ? p9pdu_writef+0xe0/0xe0
[   31.448847]  ? __fget+0x414/0x670
[   31.452278]  ? rcu_is_watching+0x61/0x150
[   31.456413]  ? expand_files.part.8+0x9c0/0x9c0
[   31.460986]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.465992]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.470471]  p9_client_create+0xde0/0x16c9
[   31.474692]  ? p9_client_read+0xc60/0xc60
[   31.478835]  ? find_held_lock+0x36/0x1c0
[   31.482882]  ? __lockdep_init_map+0x105/0x590
[   31.487364]  ? kasan_check_write+0x14/0x20
[   31.491579]  ? __init_rwsem+0x1cc/0x2a0
[   31.495534]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   31.500531]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.505525]  ? __kmalloc_track_caller+0x5f5/0x760
[   31.510345]  ? save_stack+0xa9/0xd0
[   31.513953]  ? save_stack+0x43/0xd0
[   31.517564]  ? kasan_kmalloc+0xc4/0xe0
[   31.521437]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.526261]  ? memcpy+0x45/0x50
[   31.529524]  v9fs_session_init+0x21a/0x1a80
[   31.533832]  ? lock_downgrade+0x8f0/0x8f0
[   31.537976]  ? v9fs_show_options+0x7e0/0x7e0
[   31.542369]  ? kasan_check_read+0x11/0x20
[   31.546498]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.550889]  ? kasan_check_read+0x11/0x20
[   31.555026]  ? rcu_is_watching+0x8c/0x150
[   31.559162]  ? rcu_pm_notify+0xc0/0xc0
[   31.563040]  ? v9fs_mount+0x61/0x900
[   31.566732]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.571733]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.576573]  v9fs_mount+0x7c/0x900
[   31.580113]  mount_fs+0xae/0x328
[   31.583462]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.588031]  ? may_umount+0xb0/0xb0
[   31.591660]  ? _raw_read_unlock+0x22/0x30
[   31.595784]  ? __get_fs_type+0x97/0xc0
[   31.599664]  do_mount+0x581/0x30e0
[   31.603187]  ? copy_mount_string+0x40/0x40
[   31.607402]  ? copy_mount_options+0x5f/0x380
[   31.611796]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.616795]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.621630]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.627147]  ? _copy_from_user+0xdf/0x150
[   31.631275]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.636793]  ? copy_mount_options+0x285/0x380
[   31.641269]  ksys_mount+0x12d/0x140
[   31.644878]  __x64_sys_mount+0xbe/0x150
[   31.648835]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.653833]  do_syscall_64+0x1b9/0x820
[   31.657699]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.662607]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.667520]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.672865]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.677689]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.682859] RIP: 0033:0x4401a9
[   31.686027] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.705147] RSP: 002b:00007fff37881e38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   31.712834] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004401a9
[   31.720082] RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000000000000
[   31.727344] RBP: 0030656c69662f2e R08: 00000000200002c0 R09: 0000000000000001
[   31.734604] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   31.741853] R13: 0000040000000002 R14: 0000000000000000 R15: 0000000000000000
[   31.749593] Dumping ftrace buffer:
[   31.753111]    (ftrace buffer empty)
[   31.756799] Kernel Offset: disabled
[   31.760407] Rebooting in 86400 seconds..
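What the report above pins down, followed by an added example that is not the kernel's code and not part of the original log. The faulting syscall is mount(2) (ORIG_RAX 0xa5) of a 9p filesystem; R12 holds the ASCII string `trans=fd`, and with the fd transport the "server" is whichever process sits on the other end of the descriptors, so every reply byte is under the mounting process's control. The bad access is a memcpy inside pdu_read, reached from p9pdu_readf in p9_client_create (the version-negotiation step of the mount; the attach comes later from v9fs_session_init), copying 60617 bytes starting 45 bytes into a 16384-byte kmalloc object that p9_fcall_alloc had allocated for that same request ("Allocated by task 4546"). A 60617-byte copy out of a 16384-byte object cannot have been bounded by the allocation; in 9P the length of a string field is a 16-bit count carried in the message itself, and 60617 fits that field. The toy below models that parsing pattern: a pdu_read with the kernel's clamp (min(pdu->size - pdu->offset, n)), a header parser that trusts the message's own size[4] field next to one that rejects a size that does not fit the buffer, and the Rversion body parse (msize[4] version[s]) that issues the copy. Everything numeric is my assumption: an 8 KiB reply buffer (the 9p default msize of that era; the log only shows the object sat in kmalloc-16384), the claimed total 60630 = 7-byte header + 4 + 2 + 60617, and the return codes. Rather than overrun, the toy's pdu_read reports when a copy would leave the allocation, which is the condition KASAN caught.

```c
/* Toy model of the 9P Rversion parsing path, written for this report. Names echo
 * net/9p (pdu_read, p9_fcall fields) but this is not the kernel's code; buffer
 * sizes, return codes and the reply bytes are all constructed here. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define P9_HDRSZ    7      /* size[4] type[1] tag[2] */
#define P9_RVERSION 101

struct pdu {
    uint32_t size;       /* message length claimed by the size[4] field */
    size_t   offset;     /* read cursor into sdata */
    size_t   capacity;   /* bytes actually allocated behind sdata */
    uint8_t *sdata;
};

static uint32_t get_le(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = v << 8 | p[n]; return v; }
static void put_le(uint8_t *p, uint32_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Unsafe pattern: the message's own size field becomes the read bound. */
static int parse_header_trusting(struct pdu *pdu)
{
    pdu->size = get_le(pdu->sdata, 4);
    pdu->offset = P9_HDRSZ;
    return 0;
}

/* Hardened pattern: the claimed size must cover the header and fit the buffer. */
static int parse_header_checked(struct pdu *pdu)
{
    uint32_t r_size = get_le(pdu->sdata, 4);
    if (r_size < P9_HDRSZ || r_size > pdu->capacity)
        return -1;
    pdu->size = r_size;
    pdu->offset = P9_HDRSZ;
    return 0;
}

/* The kernel's pdu_read clamp: bounded by pdu->size, never by capacity, so it is only
 * safe once pdu->size is validated. Returns -1 where a real copy would overrun. */
static long pdu_read(struct pdu *pdu, void *dst, size_t n)
{
    size_t len = pdu->offset < pdu->size ? pdu->size - pdu->offset : 0;
    if (n < len)
        len = n;
    if (len > pdu->capacity - pdu->offset)   /* offset never exceeds capacity here */
        return -1;
    memcpy(dst, pdu->sdata + pdu->offset, len);
    pdu->offset += len;
    return (long)len;
}

/* Rversion body: msize[4] version[s], s = len[2] + len bytes. Returns 0, -1
 * (malformed or truncated) or -2 (the string copy would overrun the buffer). */
static int read_version(struct pdu *pdu, uint32_t *msize, char **version)
{
    uint8_t b[4]; char *s; long r;
    if (pdu_read(pdu, b, 4) != 4) return -1;
    *msize = get_le(b, 4);
    if (pdu_read(pdu, b, 2) != 2) return -1;
    uint16_t len = (uint16_t)get_le(b, 2);
    if (!(s = malloc((size_t)len + 1))) return -1;   /* kernel allocates len + 1 too */
    r = pdu_read(pdu, s, len);                       /* the copy that overran */
    if (r != len) { free(s); return r < 0 ? -2 : -1; }
    s[len] = '\0';
    *version = s;
    return 0;
}

/* Feeds a constructed Rversion reply (not a capture) through the chosen header parser.
 * mode 0: honest reply; 1: size and string length both claim ~60 KiB while 8 KiB exist;
 * 2: honest size, ~60 KiB string length. Returns -3 if the header was rejected, else
 * read_version's result (0 also means msize and the version string checked out). */
static int outcome(int (*parse)(struct pdu *), int mode)
{
    enum { CAP = 8192 };                   /* models the default-msize reply buffer */
    static uint8_t buf[CAP];
    struct pdu pdu = { 0, 0, CAP, buf };
    uint32_t claimed_size = mode == 1 ? 60630 : 21, claimed_len = mode ? 60617 : 8;
    uint32_t msize = 0; char *ver = NULL; int r;

    memset(buf, 0, sizeof buf);
    put_le(buf, claimed_size, 4);          /* size[4] */
    buf[4] = P9_RVERSION;                  /* type[1] */
    put_le(buf + 5, 0xffff, 2);            /* tag[2], NOTAG */
    put_le(buf + 7, 8192, 4);              /* msize[4] */
    put_le(buf + 11, claimed_len, 2);      /* version string length */
    memcpy(buf + 13, "9P2000.L", 8);       /* only 8 real string bytes follow */
    if (parse(&pdu) < 0) return -3;
    r = read_version(&pdu, &msize, &ver);
    if (r == 0) {
        r = (msize == 8192 && strcmp(ver, "9P2000.L") == 0) ? 0 : -4;
        free(ver);
    }
    return r;
}
```

outcome(parse_header_trusting, 1) returns -2, the overrun the report shows; outcome(parse_header_checked, 1) returns -3 because the header never gets past the capacity check; mode 2 returns -1 under both parsers, which is the point of the example: the min() clamp in pdu_read is enough on its own only while pdu->size is guaranteed not to exceed the allocation, and a peer-supplied size[4] gives no such guarantee.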