[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 25.948924] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.699361] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.972473] sshd (5334) used greatest stack depth: 16232 bytes left
[ 26.995823] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.607972] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.841262] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[ 33.513311] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.645863] ==================================================================
[ 33.653333] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7ad/0x880
[ 33.660701] Read of size 4 at addr ffff8801d83f27d4 by task syz-executor823/5350
[ 33.668209] 
[ 33.669827] CPU: 0 PID: 5350 Comm: syz-executor823 Not tainted 4.19.0-rc3+ #9
[ 33.677081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.686413] Call Trace:
[ 33.689000]  dump_stack+0x1c4/0x2b4
[ 33.692644]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.697815]  ? printk+0xa7/0xcf
[ 33.701095]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.705837]  print_address_description.cold.8+0x9/0x1ff
[ 33.711184]  kasan_report.cold.9+0x242/0x309
[ 33.715573]  ? fscache_alloc_cookie+0x7ad/0x880
[ 33.720226]  __asan_report_load4_noabort+0x14/0x20
[ 33.725138]  fscache_alloc_cookie+0x7ad/0x880
[ 33.729627]  ? fscache_cookie_init_once+0x80/0x80
[ 33.734456]  ? rpcauth_cache_shrink_scan+0x180/0x180
[ 33.739560]  ? __kmalloc_track_caller+0x14a/0x750
[ 33.744409]  ? kstrdup+0x39/0x70
[ 33.747757]  ? nfs_alloc_client+0x383/0x760
[ 33.752058]  ? nfs_get_client+0x8e8/0x14d0
[ 33.756272]  ? nfs_init_server+0x357/0x1010
[ 33.760573]  ? nfs_create_server+0x86/0x5f0
[ 33.764874]  ? nfs_fs_mount+0x17f8/0x2f1c
[ 33.768999]  ? mount_fs+0xae/0x31d
[ 33.772526]  ? vfs_kern_mount.part.35+0xdc/0x4f0
[ 33.777267]  ? do_mount+0x581/0x31f0
[ 33.780980]  ? ksys_mount+0x12d/0x140
[ 33.781009]  ? __x64_sys_mount+0xbe/0x150
[ 33.781024]  ? do_syscall_64+0x1b9/0x820
[ 33.789088]  __fscache_acquire_cookie+0x230/0xb60
[ 33.797978]  ? fscache_cookie_put+0x880/0x880
[ 33.802499]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.808067]  ? check_preemption_disabled+0x48/0x200
[ 33.813091]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[ 33.818616]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 33.823876]  ? rcu_pm_notify+0xc0/0xc0
[ 33.827750]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.833275]  nfs_fscache_get_client_cookie+0x463/0x600
[ 33.838545]  ? nfs_readpage_from_fscache_complete+0x200/0x200
[ 33.844421]  nfs_alloc_client+0x563/0x760
[ 33.848552]  ? register_nfs_version+0x280/0x280
[ 33.853207]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 33.857796]  nfs_get_client+0x8e8/0x14d0
[ 33.861843]  ? kmem_cache_alloc_trace+0x152/0x750
[ 33.866670]  ? mount_fs+0xae/0x31d
[ 33.870200]  ? nfs_put_client+0x30/0x30
[ 33.874155]  ? nfs_alloc_server+0x5ca/0x730
[ 33.878456]  ? depot_save_stack+0x292/0x470
[ 33.882758]  ? nfs_wait_client_init_complete+0x210/0x210
[ 33.888212]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.893733]  ? check_preemption_disabled+0x48/0x200
[ 33.898727]  ? check_preemption_disabled+0x48/0x200
[ 33.903724]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 33.908895]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 33.913899]  nfs_init_server+0x357/0x1010
[ 33.918036]  ? nfs_clone_server+0x920/0x920
[ 33.922341]  ? nfs_alloc_fattr+0x48/0x1d0
[ 33.926469]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.931476]  nfs_create_server+0x86/0x5f0
[ 33.935611]  nfs_try_mount+0x180/0xa80
[ 33.939486]  ? lock_downgrade+0x900/0x900
[ 33.943644]  ? nfs_request_mount.constprop.18+0x920/0x920
[ 33.949166]  ? kasan_check_read+0x11/0x20
[ 33.953298]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 33.957688]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 33.962257]  ? kasan_check_write+0x14/0x20
[ 33.966490]  ? do_raw_spin_lock+0xc1/0x200
[ 33.970722]  ? _raw_spin_unlock+0x2c/0x50
[ 33.974850]  ? find_nfs_version+0x138/0x190
[ 33.979156]  nfs_fs_mount+0x17f8/0x2f1c
[ 33.983114]  ? nfs_show_options+0x250/0x250
[ 33.987419]  ? nfs_clone_super+0x420/0x420
[ 33.991635]  ? nfs_parse_mount_options+0x2660/0x2660
[ 33.996718]  ? lock_downgrade+0x900/0x900
[ 34.000860]  mount_fs+0xae/0x31d
[ 34.004206]  ? digsig_verify+0x1530/0x1530
[ 34.008426]  vfs_kern_mount.part.35+0xdc/0x4f0
[ 34.012993]  ? may_umount+0xb0/0xb0
[ 34.016604]  ? _raw_read_unlock+0x2c/0x50
[ 34.020737]  ? __get_fs_type+0x97/0xc0
[ 34.024609]  do_mount+0x581/0x31f0
[ 34.028134]  ? copy_mount_string+0x40/0x40
[ 34.032359]  ? copy_mount_options+0x5f/0x380
[ 34.036749]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.041837]  ? kmem_cache_alloc_trace+0x353/0x750
[ 34.046680]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.052203]  ? _copy_from_user+0xdf/0x150
[ 34.056334]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.061853]  ? copy_mount_options+0x288/0x380
[ 34.066332]  ksys_mount+0x12d/0x140
[ 34.069972]  __x64_sys_mount+0xbe/0x150
[ 34.073937]  do_syscall_64+0x1b9/0x820
[ 34.077810]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.083158]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 34.088072]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.092903]  ? trace_hardirqs_on_caller+0x310/0x310
[ 34.097902]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 34.102903]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.108422]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 34.113423]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.118253]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.123425] RIP: 0033:0x440129
[ 34.126603] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 34.145488] RSP: 002b:00007ffcce43dff8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 34.153184] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440129
[ 34.160448] RDX: 000000002015bffc RSI: 0000000020343ff8 RDI: 0000000020000080
[ 34.167695] RBP: 00000000006ca018 R08: 000000002000a000 R09: 0000000000000000
[ 34.174948] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004019b0
[ 34.182216] R13: 0000000000401a40 R14: 0000000000000000 R15: 0000000000000000
[ 34.189518] 
[ 34.191151] Allocated by task 5350:
[ 34.194778]  save_stack+0x43/0xd0
[ 34.198211]  kasan_kmalloc+0xc7/0xe0
[ 34.201909]  __kmalloc+0x14e/0x760
[ 34.205431]  fscache_alloc_cookie+0x6f7/0x880
[ 34.209908]  __fscache_acquire_cookie+0x230/0xb60
[ 34.214734]  nfs_fscache_get_client_cookie+0x463/0x600
[ 34.219995]  nfs_alloc_client+0x563/0x760
[ 34.224123]  nfs_get_client+0x8e8/0x14d0
[ 34.228162]  nfs_init_server+0x357/0x1010
[ 34.232291]  nfs_create_server+0x86/0x5f0
[ 34.236418]  nfs_try_mount+0x180/0xa80
[ 34.240288]  nfs_fs_mount+0x17f8/0x2f1c
[ 34.244243]  mount_fs+0xae/0x31d
[ 34.247591]  vfs_kern_mount.part.35+0xdc/0x4f0
[ 34.252154]  do_mount+0x581/0x31f0
[ 34.255673]  ksys_mount+0x12d/0x140
[ 34.259278]  __x64_sys_mount+0xbe/0x150
[ 34.263234]  do_syscall_64+0x1b9/0x820
[ 34.267102]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.272268] 
[ 34.273875] Freed by task 3196:
[ 34.277134]  save_stack+0x43/0xd0
[ 34.280565]  __kasan_slab_free+0x102/0x150
[ 34.284777]  kasan_slab_free+0xe/0x10
[ 34.288560]  kfree+0xcf/0x230
[ 34.291647]  smk_import_entry+0x101/0x420
[ 34.295778]  smk_fetch.part.24+0xe0/0xf0
[ 34.299824]  smack_d_instantiate+0x94e/0xea0
[ 34.304215]  security_d_instantiate+0x5c/0xf0
[ 34.308693]  d_instantiate+0x5e/0xa0
[ 34.312390]  shmem_mknod+0x189/0x1f0
[ 34.316081]  shmem_create+0x2b/0x40
[ 34.319689]  lookup_open+0x1319/0x1b90
[ 34.323558]  path_openat+0x15e7/0x5160
[ 34.327423]  do_filp_open+0x255/0x380
[ 34.331207]  do_sys_open+0x568/0x700
[ 34.334899]  __x64_sys_open+0x7e/0xc0
[ 34.338679]  do_syscall_64+0x1b9/0x820
[ 34.342551]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.347714] 
[ 34.349321] The buggy address belongs to the object at ffff8801d83f27c0
[ 34.349321]  which belongs to the cache kmalloc-32 of size 32
[ 34.361784] The buggy address is located 20 bytes inside of
[ 34.361784]  32-byte region [ffff8801d83f27c0, ffff8801d83f27e0)
[ 34.373460] The buggy address belongs to the page:
[ 34.378371] page:ffffea000760fc80 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d83f2fc1
[ 34.387800] flags: 0x2fffc0000000100(slab)
[ 34.392019] raw: 02fffc0000000100 ffffea00075f6748 ffffea00075f6108 ffff8801da8001c0
[ 34.399890] raw: ffff8801d83f2fc1 ffff8801d83f2000 000000010000003f 0000000000000000
[ 34.407764] page dumped because: kasan: bad access detected
[ 34.413468] 
[ 34.415073] Memory state around the buggy address:
[ 34.419981]  ffff8801d83f2680: 00 00 01 fc fc fc fc fc 01 fc fc fc fc fc fc fc
[ 34.427321]  ffff8801d83f2700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.434683] >ffff8801d83f2780: fb fb fb fb fc fc fc fc 00 00 06 fc fc fc fc fc
[ 34.442108]                                                 ^
[ 34.448063]  ffff8801d83f2800: 00 02 fc fc fc fc fc fc 00 02 fc fc fc fc fc fc
[ 34.455404]  ffff8801d83f2880: 00 00 01 fc fc fc fc fc 00 00 fc fc fc fc fc fc
[ 34.462745] ==================================================================
[ 34.470085] Disabling lock debugging due to kernel taint
[ 34.476045] Kernel panic - not syncing: panic_on_warn set ...
[ 34.476045] 
[ 34.483432] CPU: 0 PID: 5350 Comm: syz-executor823 Tainted: G    B             4.19.0-rc3+ #9
[ 34.492088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.501427] Call Trace:
[ 34.504000]  dump_stack+0x1c4/0x2b4
[ 34.507606]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.512780]  panic+0x238/0x4e7
[ 34.515950]  ? add_taint.cold.5+0x16/0x16
[ 34.520097]  ? preempt_schedule+0x4d/0x60
[ 34.524225]  ? ___preempt_schedule+0x16/0x18
[ 34.528612]  ? trace_hardirqs_on+0xb4/0x310
[ 34.532917]  kasan_end_report+0x47/0x4f
[ 34.536871]  kasan_report.cold.9+0x76/0x309
[ 34.541178]  ? fscache_alloc_cookie+0x7ad/0x880
[ 34.545827]  __asan_report_load4_noabort+0x14/0x20
[ 34.550751]  fscache_alloc_cookie+0x7ad/0x880
[ 34.555227]  ? fscache_cookie_init_once+0x80/0x80
[ 34.560056]  ? rpcauth_cache_shrink_scan+0x180/0x180
[ 34.565139]  ? __kmalloc_track_caller+0x14a/0x750
[ 34.569962]  ? kstrdup+0x39/0x70
[ 34.573308]  ? nfs_alloc_client+0x383/0x760
[ 34.577607]  ? nfs_get_client+0x8e8/0x14d0
[ 34.581837]  ? nfs_init_server+0x357/0x1010
[ 34.586140]  ? nfs_create_server+0x86/0x5f0
[ 34.590444]  ? nfs_fs_mount+0x17f8/0x2f1c
[ 34.594570]  ? mount_fs+0xae/0x31d
[ 34.598091]  ? vfs_kern_mount.part.35+0xdc/0x4f0
[ 34.602824]  ? do_mount+0x581/0x31f0
[ 34.606519]  ? ksys_mount+0x12d/0x140
[ 34.610306]  ? __x64_sys_mount+0xbe/0x150
[ 34.614434]  ? do_syscall_64+0x1b9/0x820
[ 34.618478]  __fscache_acquire_cookie+0x230/0xb60
[ 34.623303]  ? fscache_cookie_put+0x880/0x880
[ 34.627778]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.633313]  ? check_preemption_disabled+0x48/0x200
[ 34.638329]  ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0
[ 34.643846]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[ 34.649103]  ? rcu_pm_notify+0xc0/0xc0
[ 34.653003]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.658534]  nfs_fscache_get_client_cookie+0x463/0x600
[ 34.663796]  ? nfs_readpage_from_fscache_complete+0x200/0x200
[ 34.669669]  nfs_alloc_client+0x563/0x760
[ 34.673798]  ? register_nfs_version+0x280/0x280
[ 34.678458]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 34.683022]  nfs_get_client+0x8e8/0x14d0
[ 34.687063]  ? kmem_cache_alloc_trace+0x152/0x750
[ 34.691888]  ? mount_fs+0xae/0x31d
[ 34.695411]  ? nfs_put_client+0x30/0x30
[ 34.699362]  ? nfs_alloc_server+0x5ca/0x730
[ 34.703663]  ? depot_save_stack+0x292/0x470
[ 34.707963]  ? nfs_wait_client_init_complete+0x210/0x210
[ 34.713395]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.718928]  ? check_preemption_disabled+0x48/0x200
[ 34.723925]  ? check_preemption_disabled+0x48/0x200
[ 34.728919]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 34.734089]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 34.739115]  nfs_init_server+0x357/0x1010
[ 34.743244]  ? nfs_clone_server+0x920/0x920
[ 34.747548]  ? nfs_alloc_fattr+0x48/0x1d0
[ 34.751679]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.756681]  nfs_create_server+0x86/0x5f0
[ 34.760810]  nfs_try_mount+0x180/0xa80
[ 34.764681]  ? lock_downgrade+0x900/0x900
[ 34.768810]  ? nfs_request_mount.constprop.18+0x920/0x920
[ 34.774332]  ? kasan_check_read+0x11/0x20
[ 34.778464]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.782855]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 34.787417]  ? kasan_check_write+0x14/0x20
[ 34.791649]  ? do_raw_spin_lock+0xc1/0x200
[ 34.795868]  ? _raw_spin_unlock+0x2c/0x50
[ 34.799996]  ? find_nfs_version+0x138/0x190
[ 34.804300]  nfs_fs_mount+0x17f8/0x2f1c
[ 34.808253]  ? nfs_show_options+0x250/0x250
[ 34.812558]  ? nfs_clone_super+0x420/0x420
[ 34.816770]  ? nfs_parse_mount_options+0x2660/0x2660
[ 34.821853]  ? lock_downgrade+0x900/0x900
[ 34.825981]  mount_fs+0xae/0x31d
[ 34.829325]  ? digsig_verify+0x1530/0x1530
[ 34.833547]  vfs_kern_mount.part.35+0xdc/0x4f0
[ 34.838108]  ? may_umount+0xb0/0xb0
[ 34.841715]  ? _raw_read_unlock+0x2c/0x50
[ 34.845846]  ? __get_fs_type+0x97/0xc0
[ 34.849718]  do_mount+0x581/0x31f0
[ 34.853257]  ? copy_mount_string+0x40/0x40
[ 34.857473]  ? copy_mount_options+0x5f/0x380
[ 34.861867]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.866865]  ? kmem_cache_alloc_trace+0x353/0x750
[ 34.871708]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.877227]  ? _copy_from_user+0xdf/0x150
[ 34.881359]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.886876]  ? copy_mount_options+0x288/0x380
[ 34.891355]  ksys_mount+0x12d/0x140
[ 34.894961]  __x64_sys_mount+0xbe/0x150
[ 34.898914]  do_syscall_64+0x1b9/0x820
[ 34.902786]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.908129]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 34.913040]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.917864]  ? trace_hardirqs_on_caller+0x310/0x310
[ 34.922859]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 34.927854]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.933458]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 34.938459]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.943285]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.948520] RIP: 0033:0x440129
[ 34.951703] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 34.970585] RSP: 002b:00007ffcce43dff8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[ 34.978274] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440129
[ 34.985525] RDX: 000000002015bffc RSI: 0000000020343ff8 RDI: 0000000020000080
[ 34.992780] RBP: 00000000006ca018 R08: 000000002000a000 R09: 0000000000000000
[ 35.000032] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004019b0
[ 35.007282] R13: 0000000000401a40 R14: 0000000000000000 R15: 0000000000000000
[ 35.015447] Kernel Offset: disabled
[ 35.019066] Rebooting in 86400 seconds..