[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.755328] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.524403] random: sshd: uninitialized urandom read (32 bytes read)
[   24.844419] random: sshd: uninitialized urandom read (32 bytes read)
[   25.777961] random: sshd: uninitialized urandom read (32 bytes read)
[   25.931415] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
[   32.158110] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.249618] ==================================================================
[   32.257093] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   32.263233] Read of size 30720 at addr ffff8801d904042d by task syz-executor885/4573
[   32.271102] 
[   32.272732] CPU: 1 PID: 4573 Comm: syz-executor885 Not tainted 4.18.0-rc4+ #41
[   32.280090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.289440] Call Trace:
[   32.292047]  dump_stack+0x1c9/0x2b4
[   32.295690]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.300879]  ? printk+0xa7/0xcf
[   32.304155]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.308925]  ? pdu_read+0x90/0xd0
[   32.312379]  print_address_description+0x6c/0x20b
[   32.317222]  ? pdu_read+0x90/0xd0
[   32.320678]  kasan_report.cold.7+0x242/0x2fe
[   32.325110]  check_memory_region+0x13e/0x1b0
[   32.329527]  memcpy+0x23/0x50
[   32.332642]  pdu_read+0x90/0xd0
[   32.335929]  p9pdu_readf+0x579/0x2170
[   32.339728]  ? p9pdu_writef+0xe0/0xe0
[   32.343515]  ? __fget+0x414/0x670
[   32.346956]  ? rcu_is_watching+0x61/0x150
[   32.351097]  ? expand_files.part.8+0x9c0/0x9c0
[   32.355672]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.360714]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.365219]  p9_client_create+0xde0/0x16c9
[   32.369461]  ? p9_client_read+0xc60/0xc60
[   32.373595]  ? find_held_lock+0x36/0x1c0
[   32.377653]  ? __lockdep_init_map+0x105/0x590
[   32.382143]  ? kasan_check_write+0x14/0x20
[   32.386362]  ? __init_rwsem+0x1cc/0x2a0
[   32.390323]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.395324]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.400336]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.405176]  ? save_stack+0xa9/0xd0
[   32.408810]  ? save_stack+0x43/0xd0
[   32.412435]  ? kasan_kmalloc+0xc4/0xe0
[   32.416322]  ? memcpy+0x45/0x50
[   32.419595]  v9fs_session_init+0x21a/0x1a80
[   32.423918]  ? find_held_lock+0x36/0x1c0
[   32.427967]  ? v9fs_show_options+0x7e0/0x7e0
[   32.432365]  ? kasan_check_read+0x11/0x20
[   32.436502]  ? rcu_is_watching+0x8c/0x150
[   32.440630]  ? rcu_pm_notify+0xc0/0xc0
[   32.444499]  ? rcu_pm_notify+0xc0/0xc0
[   32.448374]  ? v9fs_mount+0x61/0x900
[   32.452071]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.457087]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.461930]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.467467]  v9fs_mount+0x7c/0x900
[   32.471003]  mount_fs+0xae/0x328
[   32.474367]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.478933]  ? may_umount+0xb0/0xb0
[   32.482566]  ? _raw_read_unlock+0x22/0x30
[   32.486703]  ? __get_fs_type+0x97/0xc0
[   32.490592]  do_mount+0x581/0x30e0
[   32.494146]  ? copy_mount_string+0x40/0x40
[   32.498377]  ? copy_mount_options+0x5f/0x380
[   32.502777]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.507784]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.512627]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.518184]  ? _copy_from_user+0xdf/0x150
[   32.522350]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.527880]  ? copy_mount_options+0x285/0x380
[   32.532403]  __ia32_compat_sys_mount+0x5d5/0x860
[   32.537164]  do_fast_syscall_32+0x34d/0xfb2
[   32.541486]  ? do_int80_syscall_32+0x890/0x890
[   32.546068]  ? do_syscall_64+0x497/0x820
[   32.550127]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.555056]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.560007]  ? sysret32_from_system_call+0x5/0x46
[   32.564877]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.569726]  entry_SYSENTER_compat+0x70/0x7f
[   32.574119] RIP: 0023:0xf7f7dcb9
[   32.577469] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   32.596658] RSP: 002b:00000000ff82de0c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   32.604370] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000000
[   32.611645] RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000020000340
[   32.618924] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   32.626373] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   32.633645] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   32.640936] 
[   32.642561] Allocated by task 4573:
[   32.646192]  save_stack+0x43/0xd0
[   32.649644]  kasan_kmalloc+0xc4/0xe0
[   32.653385]  __kmalloc+0x14e/0x760
[   32.656924]  p9_fcall_alloc+0x1e/0x90
[   32.660721]  p9_client_prepare_req.part.8+0x754/0xcd0
[   32.665904]  p9_client_rpc+0x1bd/0x1400
[   32.669875]  p9_client_create+0xd09/0x16c9
[   32.674105]  v9fs_session_init+0x21a/0x1a80
[   32.678408]  v9fs_mount+0x7c/0x900
[   32.681950]  mount_fs+0xae/0x328
[   32.685311]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.689890]  do_mount+0x581/0x30e0
[   32.693430]  __ia32_compat_sys_mount+0x5d5/0x860
[   32.698196]  do_fast_syscall_32+0x34d/0xfb2
[   32.702516]  entry_SYSENTER_compat+0x70/0x7f
[   32.706903] 
[   32.708515] Freed by task 0:
[   32.711518] (stack is not available)
[   32.715218] 
[   32.716831] The buggy address belongs to the object at ffff8801d9040400
[   32.716831]  which belongs to the cache kmalloc-16384 of size 16384
[   32.729832] The buggy address is located 45 bytes inside of
[   32.729832]  16384-byte region [ffff8801d9040400, ffff8801d9044400)
[   32.742218] The buggy address belongs to the page:
[   32.747145] page:ffffea0007641000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   32.757113] flags: 0x2fffc0000008100(slab|head)
[   32.761793] raw: 02fffc0000008100 ffffea0007643808 ffff8801da801c48 ffff8801da802200
[   32.769673] raw: 0000000000000000 ffff8801d9040400 0000000100000001 0000000000000000
[   32.777545] page dumped because: kasan: bad access detected
[   32.783276] 
[   32.784898] Memory state around the buggy address:
[   32.789819]  ffff8801d9042300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.797170]  ffff8801d9042380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.804527] >ffff8801d9042400: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   32.811881]                                ^
[   32.816294]  ffff8801d9042480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.823665]  ffff8801d9042500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.831029] ==================================================================
[   32.838406] Disabling lock debugging due to kernel taint
[   32.843905] Kernel panic - not syncing: panic_on_warn set ...
[   32.843905] 
[   32.851306] CPU: 1 PID: 4573 Comm: syz-executor885 Tainted: G    B             4.18.0-rc4+ #41
[   32.860054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.869405] Call Trace:
[   32.871980]  dump_stack+0x1c9/0x2b4
[   32.875622]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.880906]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.885650]  panic+0x238/0x4e7
[   32.888836]  ? add_taint.cold.5+0x16/0x16
[   32.892976]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.897386]  ? pdu_read+0x90/0xd0
[   32.900822]  kasan_end_report+0x47/0x4f
[   32.905046]  kasan_report.cold.7+0x76/0x2fe
[   32.909368]  check_memory_region+0x13e/0x1b0
[   32.913757]  memcpy+0x23/0x50
[   32.916853]  pdu_read+0x90/0xd0
[   32.920125]  p9pdu_readf+0x579/0x2170
[   32.923921]  ? p9pdu_writef+0xe0/0xe0
[   32.927702]  ? __fget+0x414/0x670
[   32.931153]  ? rcu_is_watching+0x61/0x150
[   32.935292]  ? expand_files.part.8+0x9c0/0x9c0
[   32.939872]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.944890]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.949393]  p9_client_create+0xde0/0x16c9
[   32.953631]  ? p9_client_read+0xc60/0xc60
[   32.957772]  ? find_held_lock+0x36/0x1c0
[   32.961864]  ? __lockdep_init_map+0x105/0x590
[   32.966359]  ? kasan_check_write+0x14/0x20
[   32.970581]  ? __init_rwsem+0x1cc/0x2a0
[   32.974551]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.979554]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.984559]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.989411]  ? save_stack+0xa9/0xd0
[   32.993063]  ? save_stack+0x43/0xd0
[   32.996682]  ? kasan_kmalloc+0xc4/0xe0
[   33.000562]  ? memcpy+0x45/0x50
[   33.003829]  v9fs_session_init+0x21a/0x1a80
[   33.008155]  ? find_held_lock+0x36/0x1c0
[   33.012220]  ? v9fs_show_options+0x7e0/0x7e0
[   33.016632]  ? kasan_check_read+0x11/0x20
[   33.020762]  ? rcu_is_watching+0x8c/0x150
[   33.024910]  ? rcu_pm_notify+0xc0/0xc0
[   33.028812]  ? rcu_pm_notify+0xc0/0xc0
[   33.032688]  ? v9fs_mount+0x61/0x900
[   33.036395]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.042276]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.047110]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   33.052661]  v9fs_mount+0x7c/0x900
[   33.056196]  mount_fs+0xae/0x328
[   33.059559]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.064209]  ? may_umount+0xb0/0xb0
[   33.067820]  ? _raw_read_unlock+0x22/0x30
[   33.071968]  ? __get_fs_type+0x97/0xc0
[   33.075842]  do_mount+0x581/0x30e0
[   33.079388]  ? copy_mount_string+0x40/0x40
[   33.083616]  ? copy_mount_options+0x5f/0x380
[   33.088010]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.093025]  ? kmem_cache_alloc_trace+0x616/0x780
[   33.097871]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.103398]  ? _copy_from_user+0xdf/0x150
[   33.107559]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.113100]  ? copy_mount_options+0x285/0x380
[   33.117595]  __ia32_compat_sys_mount+0x5d5/0x860
[   33.122359]  do_fast_syscall_32+0x34d/0xfb2
[   33.126682]  ? do_int80_syscall_32+0x890/0x890
[   33.131258]  ? do_syscall_64+0x497/0x820
[   33.135302]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.140235]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.145255]  ? sysret32_from_system_call+0x5/0x46
[   33.150091]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.154928]  entry_SYSENTER_compat+0x70/0x7f
[   33.159330] RIP: 0023:0xf7f7dcb9
[   33.162692] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   33.181845] RSP: 002b:00000000ff82de0c EFLAGS: 00000286 ORIG_RAX: 0000000000000015
[   33.189550] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000000
[   33.196815] RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000020000340
[   33.204080] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   33.211346] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   33.218611] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.226536] Dumping ftrace buffer:
[   33.230080]    (ftrace buffer empty)
[   33.233785] Kernel Offset: disabled
[   33.237406] Rebooting in 86400 seconds..