[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.309299] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.686180] random: sshd: uninitialized urandom read (32 bytes read)
[   20.939416] random: sshd: uninitialized urandom read (32 bytes read)
[   21.808525] random: sshd: uninitialized urandom read (32 bytes read)
[   47.102253] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts.
[   52.547796] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
[   52.642168] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   52.672307] ==================================================================
[   52.679775] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   52.685911] Read of size 17044 at addr ffff8801c2d705ed by task syz-executor999/4571
[   52.693786] 
[   52.695421] CPU: 1 PID: 4571 Comm: syz-executor999 Not tainted 4.18.0-rc3+ #137
[   52.702844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.712184] Call Trace:
[   52.714766]  dump_stack+0x1c9/0x2b4
[   52.718374]  ? dump_stack_print_info.cold.2+0x52/0x52
[   52.723543]  ? printk+0xa7/0xcf
[   52.726811]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   52.731549]  ? pdu_read+0x90/0xd0
[   52.734987]  print_address_description+0x6c/0x20b
[   52.739812]  ? pdu_read+0x90/0xd0
[   52.743245]  kasan_report.cold.7+0x242/0x2fe
[   52.747650]  check_memory_region+0x13e/0x1b0
[   52.752043]  memcpy+0x23/0x50
[   52.755131]  pdu_read+0x90/0xd0
[   52.758396]  p9pdu_readf+0x579/0x2170
[   52.762183]  ? p9pdu_writef+0xe0/0xe0
[   52.765968]  ? __fget+0x414/0x670
[   52.769423]  ? rcu_is_watching+0x61/0x150
[   52.773556]  ? expand_files.part.8+0x9c0/0x9c0
[   52.778126]  ? rcu_read_lock_sched_held+0x108/0x120
[   52.783138]  ? p9_fd_show_options+0x1c0/0x1c0
[   52.787620]  p9_client_create+0xde0/0x16c9
[   52.791855]  ? p9_client_read+0xc60/0xc60
[   52.795996]  ? find_held_lock+0x36/0x1c0
[   52.800048]  ? __lockdep_init_map+0x105/0x590
[   52.804529]  ? kasan_check_write+0x14/0x20
[   52.808747]  ? __init_rwsem+0x1cc/0x2a0
[   52.812712]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   52.817715]  ? rcu_read_lock_sched_held+0x108/0x120
[   52.822720]  ? __kmalloc_track_caller+0x5f5/0x760
[   52.827554]  ? save_stack+0xa9/0xd0
[   52.831168]  ? save_stack+0x43/0xd0
[   52.834783]  ? kasan_kmalloc+0xc4/0xe0
[   52.838662]  ? kmem_cache_alloc_trace+0x152/0x780
[   52.843760]  ? memcpy+0x45/0x50
[   52.847027]  v9fs_session_init+0x21a/0x1a80
[   52.851332]  ? find_held_lock+0x36/0x1c0
[   52.855381]  ? v9fs_show_options+0x7e0/0x7e0
[   52.859786]  ? kasan_check_read+0x11/0x20
[   52.863920]  ? rcu_is_watching+0x8c/0x150
[   52.868052]  ? rcu_pm_notify+0xc0/0xc0
[   52.871938]  ? v9fs_mount+0x61/0x900
[   52.875648]  ? rcu_read_lock_sched_held+0x108/0x120
[   52.880665]  ? kmem_cache_alloc_trace+0x616/0x780
[   52.885496]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   52.891023]  v9fs_mount+0x7c/0x900
[   52.894556]  mount_fs+0xae/0x328
[   52.897916]  vfs_kern_mount.part.34+0xdc/0x4e0
[   52.902478]  ? may_umount+0xb0/0xb0
[   52.906091]  ? _raw_read_unlock+0x22/0x30
[   52.910225]  ? __get_fs_type+0x97/0xc0
[   52.914104]  do_mount+0x581/0x30e0
[   52.917735]  ? copy_mount_string+0x40/0x40
[   52.921953]  ? copy_mount_options+0x5f/0x380
[   52.926345]  ? rcu_read_lock_sched_held+0x108/0x120
[   52.931345]  ? kmem_cache_alloc_trace+0x616/0x780
[   52.936175]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   52.941694]  ? _copy_from_user+0xdf/0x150
[   52.945828]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.951347]  ? copy_mount_options+0x285/0x380
[   52.955832]  ksys_mount+0x12d/0x140
[   52.959444]  __x64_sys_mount+0xbe/0x150
[   52.963418]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   52.968422]  do_syscall_64+0x1b9/0x820
[   52.972303]  ? syscall_return_slowpath+0x5e0/0x5e0
[   52.977225]  ? syscall_return_slowpath+0x31d/0x5e0
[   52.982151]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.987759]  ? retint_user+0x18/0x18
[   52.991808]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.996636]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.001805] RIP: 0033:0x440979
[   53.004973] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   53.024262] RSP: 002b:00007ffd4d3788b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   53.031955] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   53.039219] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   53.046472] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   53.053724] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000cdb9
[   53.060990] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   53.068249] 
[   53.069865] Allocated by task 4571:
[   53.073474]  save_stack+0x43/0xd0
[   53.077957]  kasan_kmalloc+0xc4/0xe0
[   53.081649]  __kmalloc+0x14e/0x760
[   53.085180]  p9_fcall_alloc+0x1e/0x90
[   53.088960]  p9_client_prepare_req.part.8+0x754/0xcd0
[   53.094131]  p9_client_rpc+0x1bd/0x1400
[   53.098093]  p9_client_create+0xd09/0x16c9
[   53.102530]  v9fs_session_init+0x21a/0x1a80
[   53.106836]  v9fs_mount+0x7c/0x900
[   53.110374]  mount_fs+0xae/0x328
[   53.113735]  vfs_kern_mount.part.34+0xdc/0x4e0
[   53.118301]  do_mount+0x581/0x30e0
[   53.121824]  ksys_mount+0x12d/0x140
[   53.126181]  __x64_sys_mount+0xbe/0x150
[   53.130388]  do_syscall_64+0x1b9/0x820
[   53.134296]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.139466] 
[   53.141077] Freed by task 0:
[   53.144071] (stack is not available)
[   53.147762] 
[   53.149369] The buggy address belongs to the object at ffff8801c2d705c0
[   53.149369]  which belongs to the cache kmalloc-16384 of size 16384
[   53.162356] The buggy address is located 45 bytes inside of
[   53.162356]  16384-byte region [ffff8801c2d705c0, ffff8801c2d745c0)
[   53.174300] The buggy address belongs to the page:
[   53.179213] page:ffffea00070b5c00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   53.189175] flags: 0x2fffc0000008100(slab|head)
[   53.193826] raw: 02fffc0000008100 ffffea0006b29608 ffff8801da801c48 ffff8801da802200
[   53.201690] raw: 0000000000000000 ffff8801c2d705c0 0000000100000001 0000000000000000
[   53.209554] page dumped because: kasan: bad access detected
[   53.215247] 
[   53.216850] Memory state around the buggy address:
[   53.221771]  ffff8801c2d72480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.229489]  ffff8801c2d72500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.236830] >ffff8801c2d72580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   53.244167]                                                        ^
[   53.250639]  ffff8801c2d72600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.257993]  ffff8801c2d72680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.265329] ==================================================================
[   53.272664] Disabling lock debugging due to kernel taint
[   53.278199] Kernel panic - not syncing: panic_on_warn set ...
[   53.278199] 
[   53.285555] CPU: 1 PID: 4571 Comm: syz-executor999 Tainted: G    B             4.18.0-rc3+ #137
[   53.294370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.303702] Call Trace:
[   53.306277]  dump_stack+0x1c9/0x2b4
[   53.309884]  ? dump_stack_print_info.cold.2+0x52/0x52
[   53.315055]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.319792]  panic+0x238/0x4e7
[   53.322965]  ? add_taint.cold.5+0x16/0x16
[   53.327093]  ? do_raw_spin_unlock+0xa7/0x2f0
[   53.331482]  ? pdu_read+0x90/0xd0
[   53.334923]  kasan_end_report+0x47/0x4f
[   53.338886]  kasan_report.cold.7+0x76/0x2fe
[   53.343186]  check_memory_region+0x13e/0x1b0
[   53.348963]  memcpy+0x23/0x50
[   53.352056]  pdu_read+0x90/0xd0
[   53.355319]  p9pdu_readf+0x579/0x2170
[   53.359097]  ? p9pdu_writef+0xe0/0xe0
[   53.362964]  ? __fget+0x414/0x670
[   53.366396]  ? rcu_is_watching+0x61/0x150
[   53.370523]  ? expand_files.part.8+0x9c0/0x9c0
[   53.375099]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.380099]  ? p9_fd_show_options+0x1c0/0x1c0
[   53.384577]  p9_client_create+0xde0/0x16c9
[   53.388802]  ? p9_client_read+0xc60/0xc60
[   53.392929]  ? find_held_lock+0x36/0x1c0
[   53.396971]  ? __lockdep_init_map+0x105/0x590
[   53.401536]  ? kasan_check_write+0x14/0x20
[   53.405846]  ? __init_rwsem+0x1cc/0x2a0
[   53.409900]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   53.414918]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.419929]  ? __kmalloc_track_caller+0x5f5/0x760
[   53.424759]  ? save_stack+0xa9/0xd0
[   53.428365]  ? save_stack+0x43/0xd0
[   53.431977]  ? kasan_kmalloc+0xc4/0xe0
[   53.435845]  ? kmem_cache_alloc_trace+0x152/0x780
[   53.440668]  ? memcpy+0x45/0x50
[   53.443930]  v9fs_session_init+0x21a/0x1a80
[   53.448234]  ? find_held_lock+0x36/0x1c0
[   53.452275]  ? v9fs_show_options+0x7e0/0x7e0
[   53.456665]  ? kasan_check_read+0x11/0x20
[   53.460789]  ? rcu_is_watching+0x8c/0x150
[   53.464919]  ? rcu_pm_notify+0xc0/0xc0
[   53.468798]  ? v9fs_mount+0x61/0x900
[   53.472503]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.477506]  ? kmem_cache_alloc_trace+0x616/0x780
[   53.482331]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   53.487869]  v9fs_mount+0x7c/0x900
[   53.491391]  mount_fs+0xae/0x328
[   53.494741]  vfs_kern_mount.part.34+0xdc/0x4e0
[   53.499312]  ? may_umount+0xb0/0xb0
[   53.502920]  ? _raw_read_unlock+0x22/0x30
[   53.507046]  ? __get_fs_type+0x97/0xc0
[   53.510912]  do_mount+0x581/0x30e0
[   53.514440]  ? copy_mount_string+0x40/0x40
[   53.518662]  ? copy_mount_options+0x5f/0x380
[   53.523068]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.528064]  ? kmem_cache_alloc_trace+0x616/0x780
[   53.532889]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.538410]  ? _copy_from_user+0xdf/0x150
[   53.542541]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.548068]  ? copy_mount_options+0x285/0x380
[   53.552541]  ksys_mount+0x12d/0x140
[   53.556145]  __x64_sys_mount+0xbe/0x150
[   53.560106]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   53.565110]  do_syscall_64+0x1b9/0x820
[   53.568996]  ? syscall_return_slowpath+0x5e0/0x5e0
[   53.573909]  ? syscall_return_slowpath+0x31d/0x5e0
[   53.578828]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.584345]  ? retint_user+0x18/0x18
[   53.588039]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.592864]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.598031] RIP: 0033:0x440979
[   53.601220] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   53.620397] RSP: 002b:00007ffd4d3788b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   53.628083] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   53.635332] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   53.642578] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   53.649831] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000000cdb9
[   53.657091] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   53.664776] Dumping ftrace buffer:
[   53.668292]    (ftrace buffer empty)
[   53.671989] Kernel Offset: disabled
[   53.675596] Rebooting in 86400 seconds..