[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.696186] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.161926] random: sshd: uninitialized urandom read (32 bytes read)
[   24.439311] random: sshd: uninitialized urandom read (32 bytes read)
[   24.959984] random: sshd: uninitialized urandom read (32 bytes read)
[   31.703685] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
[   37.284669] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   37.380793] ==================================================================
[   37.388247] BUG: KASAN: slab-out-of-bounds in _autofs_dev_ioctl+0x8f5/0x990
[   37.395335] Read of size 4 at addr ffff8801aced2d00 by task syz-executor356/4406
[   37.402848] 
[   37.404464] CPU: 1 PID: 4406 Comm: syz-executor356 Not tainted 4.18.0-rc8+ #183
[   37.411894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.421233] Call Trace:
[   37.423820]  dump_stack+0x1c9/0x2b4
[   37.427439]  ? dump_stack_print_info.cold.2+0x52/0x52
[   37.432618]  ? printk+0xa7/0xcf
[   37.435939]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   37.440715]  ? _autofs_dev_ioctl+0x8f5/0x990
[   37.445116]  print_address_description+0x6c/0x20b
[   37.449947]  ? _autofs_dev_ioctl+0x8f5/0x990
[   37.454343]  kasan_report.cold.7+0x242/0x2fe
[   37.458741]  ? find_autofs_mount.isra.5+0x2d0/0x2d0
[   37.463747]  __asan_report_load4_noabort+0x14/0x20
[   37.468669]  _autofs_dev_ioctl+0x8f5/0x990
[   37.472910]  ? autofs_dev_ioctl_closemount+0x90/0x90
[   37.478003]  ? trace_hardirqs_off+0xd/0x10
[   37.482239]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   37.487329]  ? _autofs_dev_ioctl+0x990/0x990
[   37.491790]  autofs_dev_ioctl+0x1b/0x30
[   37.495758]  do_vfs_ioctl+0x1de/0x1720
[   37.499633]  ? rcu_is_watching+0x8c/0x150
[   37.503767]  ? rcu_pm_notify+0xc0/0xc0
[   37.507642]  ? ioctl_preallocate+0x300/0x300
[   37.512053]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.517596]  ? __fget_light+0x2f7/0x440
[   37.521560]  ? fget_raw+0x20/0x20
[   37.525008]  ? kmem_cache_free+0x25c/0x2d0
[   37.529250]  ? putname+0xf7/0x130
[   37.532703]  ? do_sys_open+0x3cb/0x760
[   37.536580]  ? security_file_ioctl+0x94/0xc0
[   37.540977]  ksys_ioctl+0xa9/0xd0
[   37.544421]  __x64_sys_ioctl+0x73/0xb0
[   37.548298]  do_syscall_64+0x1b9/0x820
[   37.552174]  ? syscall_return_slowpath+0x5e0/0x5e0
[   37.557098]  ? syscall_return_slowpath+0x31d/0x5e0
[   37.562030]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   37.567400]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.572232]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.577407] RIP: 0033:0x440139
[   37.580579] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   37.599772] RSP: 002b:00007ffddd407408 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   37.607467] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440139
[   37.614725] RDX: 0000000020000180 RSI: 800000000000937e RDI: 0000000000000005
[   37.621982] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   37.629280] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019c0
[   37.636542] R13: 0000000000401a50 R14: 0000000000000000 R15: 0000000000000000
[   37.643807] 
[   37.645420] Allocated by task 4406:
[   37.649046]  save_stack+0x43/0xd0
[   37.652496]  kasan_kmalloc+0xc4/0xe0
[   37.656200]  kmem_cache_alloc_trace+0x152/0x780
[   37.660858]  ramfs_fill_super+0xc4/0x580
[   37.664908]  mount_nodev+0x6b/0x110
[   37.668520]  ramfs_mount+0x2c/0x40
[   37.672057]  mount_fs+0xae/0x328
[   37.675427]  vfs_kern_mount.part.34+0xdc/0x4e0
[   37.679997]  do_mount+0x581/0x30e0
[   37.683530]  ksys_mount+0x12d/0x140
[   37.687145]  __x64_sys_mount+0xbe/0x150
[   37.691107]  do_syscall_64+0x1b9/0x820
[   37.695024]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.700263] 
[   37.701879] Freed by task 2740:
[   37.705148]  save_stack+0x43/0xd0
[   37.708591]  __kasan_slab_free+0x11a/0x170
[   37.712819]  kasan_slab_free+0xe/0x10
[   37.716607]  kfree+0xd9/0x260
[   37.719699]  single_release+0x8f/0xb0
[   37.723531]  __fput+0x355/0x8b0
[   37.726814]  ____fput+0x15/0x20
[   37.730086]  task_work_run+0x1ec/0x2a0
[   37.733962]  exit_to_usermode_loop+0x313/0x370
[   37.738532]  do_syscall_64+0x6be/0x820
[   37.742406]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.747574] 
[   37.749191] The buggy address belongs to the object at ffff8801aced2d00
[   37.749191]  which belongs to the cache kmalloc-32 of size 32
[   37.761663] The buggy address is located 0 bytes inside of
[   37.761663]  32-byte region [ffff8801aced2d00, ffff8801aced2d20)
[   37.773274] The buggy address belongs to the page:
[   37.778187] page:ffffea0006b3b480 count:1 mapcount:0 mapping:ffff8801dac001c0 index:0xffff8801aced2fc1
[   37.787623] flags: 0x2fffc0000000100(slab)
[   37.791848] raw: 02fffc0000000100 ffffea0007664788 ffffea00076b0308 ffff8801dac001c0
[   37.799718] raw: ffff8801aced2fc1 ffff8801aced2000 0000000100000018 0000000000000000
[   37.807579] page dumped because: kasan: bad access detected
[   37.813272] 
[   37.814882] Memory state around the buggy address:
[   37.819799]  ffff8801aced2c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   37.827145]  ffff8801aced2c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   37.834490] >ffff8801aced2d00: 02 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[   37.841833]                    ^
[   37.845186]  ffff8801aced2d80: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   37.852532]  ffff8801aced2e00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   37.859871] ==================================================================
[   37.867209] Disabling lock debugging due to kernel taint
[   37.872752] Kernel panic - not syncing: panic_on_warn set ...
[   37.872752] 
[   37.880128] CPU: 1 PID: 4406 Comm: syz-executor356 Tainted: G    B             4.18.0-rc8+ #183
[   37.888944] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.898292] Call Trace:
[   37.900866]  dump_stack+0x1c9/0x2b4
[   37.904480]  ? dump_stack_print_info.cold.2+0x52/0x52
[   37.909655]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.914408]  panic+0x238/0x4e7
[   37.917590]  ? add_taint.cold.5+0x16/0x16
[   37.921726]  ? do_raw_spin_unlock+0xa7/0x2f0
[   37.926121]  ? do_raw_spin_unlock+0xa7/0x2f0
[   37.930521]  ? _autofs_dev_ioctl+0x8f5/0x990
[   37.934916]  kasan_end_report+0x47/0x4f
[   37.938879]  kasan_report.cold.7+0x76/0x2fe
[   37.943193]  ? find_autofs_mount.isra.5+0x2d0/0x2d0
[   37.948193]  __asan_report_load4_noabort+0x14/0x20
[   37.953107]  _autofs_dev_ioctl+0x8f5/0x990
[   37.957331]  ? autofs_dev_ioctl_closemount+0x90/0x90
[   37.962423]  ? trace_hardirqs_off+0xd/0x10
[   37.966643]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   37.971734]  ? _autofs_dev_ioctl+0x990/0x990
[   37.976128]  autofs_dev_ioctl+0x1b/0x30
[   37.980086]  do_vfs_ioctl+0x1de/0x1720
[   37.983956]  ? rcu_is_watching+0x8c/0x150
[   37.988089]  ? rcu_pm_notify+0xc0/0xc0
[   37.991962]  ? ioctl_preallocate+0x300/0x300
[   37.996358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   38.001888]  ? __fget_light+0x2f7/0x440
[   38.005858]  ? fget_raw+0x20/0x20
[   38.009301]  ? kmem_cache_free+0x25c/0x2d0
[   38.013523]  ? putname+0xf7/0x130
[   38.016962]  ? do_sys_open+0x3cb/0x760
[   38.020833]  ? security_file_ioctl+0x94/0xc0
[   38.025272]  ksys_ioctl+0xa9/0xd0
[   38.028721]  __x64_sys_ioctl+0x73/0xb0
[   38.032597]  do_syscall_64+0x1b9/0x820
[   38.036473]  ? syscall_return_slowpath+0x5e0/0x5e0
[   38.041390]  ? syscall_return_slowpath+0x31d/0x5e0
[   38.046309]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   38.051662]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.056501]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   38.061684] RIP: 0033:0x440139
[   38.064856] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   38.084019] RSP: 002b:00007ffddd407408 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   38.091740] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440139
[   38.099016] RDX: 0000000020000180 RSI: 800000000000937e RDI: 0000000000000005
[   38.106287] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   38.113542] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019c0
[   38.120795] R13: 0000000000401a50 R14: 0000000000000000 R15: 0000000000000000
[   38.128382] Dumping ftrace buffer:
[   38.131912]    (ftrace buffer empty)
[   38.135603] Kernel Offset: disabled
[   38.139283] Rebooting in 86400 seconds..
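The following triage script is an added example and is not part of the syzbot report or of the kernel; it parses the KASAN report above and pulls out the facts a first pass would want. Its sample input is a condensed copy of the report (timestamps and most "? " frames dropped, nothing else changed). The shadow-byte decoding follows the KASAN scheme (0x00: all 8 bytes of a granule addressable, 0x01..0x07: that many leading bytes, anything else poison); the INFRA frame list and the cross_subsystem heuristic are this example's own choices. Applied to the report it shows that the shadow byte 02 at the faulting address means only 2 bytes of the kmalloc-32 slot are live, so the 4-byte read at offset 0 runs 2 bytes past the allocation, and that the object was allocated by ramfs_fill_super but read by _autofs_dev_ioctl. Reading that combination as autofs's ioctl path treating another filesystem's private superblock data as its own is an interpretation, not something the report states. Requires Python 3.8 or later.

```python
import re

# Constructed sample input: a condensed copy of the KASAN report above
# (timestamps and most "? " frames dropped). It is not a new crash.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in _autofs_dev_ioctl+0x8f5/0x990
Read of size 4 at addr ffff8801aced2d00 by task syz-executor356/4406
Call Trace:
 dump_stack+0x1c9/0x2b4
 ? _autofs_dev_ioctl+0x8f5/0x990
 kasan_report.cold.7+0x242/0x2fe
 __asan_report_load4_noabort+0x14/0x20
 _autofs_dev_ioctl+0x8f5/0x990
 autofs_dev_ioctl+0x1b/0x30
Allocated by task 4406:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xc4/0xe0
 kmem_cache_alloc_trace+0x152/0x780
 ramfs_fill_super+0xc4/0x580
Freed by task 2740:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kfree+0xd9/0x260
 single_release+0x8f/0xb0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff8801aced2d00, ffff8801aced2d20)
Memory state around the buggy address:
 ffff8801aced2c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8801aced2d00: 02 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
"""

# Frames that are allocator or sanitizer plumbing rather than the bug itself.
INFRA = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "__asan_", "save_stack", "kfree", "kmem_cache_", "kmalloc")


def parse_kasan_report(text):
    """Pull the triage-relevant fields of a slab KASAN report into a dict."""
    head = re.search(r"BUG: KASAN: (\S+) in (\S+?)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task", text)
    obj = re.search(r"located (\d+) bytes inside of\s+\d+-byte region"
                    r" \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    cache = re.search(r"belongs to the cache (\S+) of size", text)
    if not (head and acc and obj):
        raise ValueError("not a slab KASAN report")
    r = {"bug": head[1], "func": head[2], "access": acc[1], "size": int(acc[2]),
         "addr": int(acc[3], 16), "offset": int(obj[1]), "shadow": {},
         "region": (int(obj[2], 16), int(obj[3], 16)), "cache": cache[1] if cache else "",
         "Call Trace:": [], "Allocated by": [], "Freed by": []}
    section = None
    for line in text.splitlines():
        hdr = next((k for k in ("Call Trace:", "Allocated by", "Freed by")
                    if line.startswith(k)), None)
        if hdr:
            section = r[hdr]
        elif m := re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", line):
            for i, b in enumerate(m[2].split()):  # one shadow byte per 8-byte granule
                r["shadow"][int(m[1], 16) + 8 * i] = int(b, 16)
        elif (m := re.match(r" (\? )?(\S+)\+0x", line)) and section is not None:
            if m[1] is None:                      # "? " frames are stale guesses
                section.append(m[2])
        elif not line.startswith(" "):            # an unrelated header ends the section
            section = None
    return r


def first_real_frame(frames):
    return next((f for f in frames if not f.startswith(INFRA)), "")


def addressable_bytes(shadow, start):
    """Live size of the object at `start`, read from its shadow granules."""
    n, a = 0, start & ~7
    while (s := shadow.get(a)) == 0:     # 0x00: all 8 bytes addressable
        n, a = n + 8, a + 8
    return n + s if s is not None and s <= 7 else n   # 0x01..0x07: partial granule


def triage(text):
    r = parse_kasan_report(text)
    usable = addressable_bytes(r["shadow"], r["region"][0])
    alloc, fault = first_real_frame(r["Allocated by"]), first_real_frame(r["Call Trace:"])
    return {
        "bug": r["bug"], "func": r["func"], "cache": r["cache"],
        "access": f'{r["access"]} of {r["size"]} bytes at object offset {r["offset"]}',
        "usable_bytes": usable,      # live allocation size, not the slab size
        "overrun_bytes": max(0, r["offset"] + r["size"] - usable),
        "shadow_at_addr": r["shadow"].get(r["addr"] & ~7),
        "fault_site": fault, "alloc_site": alloc,
        "free_site": first_real_frame(r["Freed by"]),
        # Heuristic: ramfs_ allocating what autofs_ reads hints at type confusion.
        "cross_subsystem": alloc.split("_")[0] != fault.lstrip("_").split("_")[0],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k:16} {v}")
```

The point of computing usable_bytes from the shadow rather than trusting "cache kmalloc-32 of size 32" is that the slab size says nothing about the live allocation: here the live object is 2 bytes, which is why a 4-byte load at offset 0 is flagged even though it stays inside the 32-byte slot. The "Freed by" stack describes an earlier occupant of the same slot (single_release), not the current object, and is kept only as context.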