[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.340701] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.605456] random: sshd: uninitialized urandom read (32 bytes read)
[   20.918246] random: sshd: uninitialized urandom read (32 bytes read)
[   21.795438] random: sshd: uninitialized urandom read (32 bytes read)
[   21.956951] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
[   27.390465] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   27.483642] ==================================================================
[   27.491102] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880
[   27.498447] Read of size 4 at addr ffff8801d2fad5a4 by task syz-executor681/4546
[   27.505954] 
[   27.507567] CPU: 0 PID: 4546 Comm: syz-executor681 Not tainted 4.18.0-rc4+ #138
[   27.515004] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.524343] Call Trace:
[   27.526921]  dump_stack+0x1c9/0x2b4
[   27.530541]  ? dump_stack_print_info.cold.2+0x52/0x52
[   27.535712]  ? printk+0xa7/0xcf
[   27.538973]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   27.543710]  ? fscache_alloc_cookie+0x7a9/0x880
[   27.548359]  print_address_description+0x6c/0x20b
[   27.553181]  ? fscache_alloc_cookie+0x7a9/0x880
[   27.557831]  kasan_report.cold.7+0x242/0x2fe
[   27.562219]  __asan_report_load4_noabort+0x14/0x20
[   27.567128]  fscache_alloc_cookie+0x7a9/0x880
[   27.571605]  ? fscache_cookie_init_once+0x80/0x80
[   27.576433]  ? lock_downgrade+0x8f0/0x8f0
[   27.580559]  ? radix_tree_delete_item+0x188/0x310
[   27.585384]  ? kasan_check_read+0x11/0x20
[   27.589514]  ? do_raw_spin_unlock+0xa7/0x2f0
[   27.593903]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   27.598469]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   27.603554]  __fscache_acquire_cookie+0x230/0xb00
[   27.608377]  ? fscache_cookie_put+0x850/0x850
[   27.612856]  ? p9_client_attach+0x215/0x860
[   27.617160]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   27.622242]  ? debug_check_no_obj_freed+0x30b/0x595
[   27.627237]  ? p9_client_walk+0xab0/0xab0
[   27.631366]  ? trace_hardirqs_off+0xd/0x10
[   27.635585]  ? quarantine_put+0x10d/0x1b0
[   27.639734]  ? kfree+0x111/0x260
[   27.643103]  v9fs_cache_session_get_cookie+0xc4/0x270
[   27.648280]  v9fs_session_init+0x1013/0x1a80
[   27.652677]  ? v9fs_show_options+0x7e0/0x7e0
[   27.657069]  ? rcu_is_watching+0x8c/0x150
[   27.661198]  ? rcu_pm_notify+0xc0/0xc0
[   27.665071]  ? v9fs_mount+0x61/0x900
[   27.668779]  ? rcu_read_lock_sched_held+0x108/0x120
[   27.673784]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   27.679315]  v9fs_mount+0x7c/0x900
[   27.682847]  mount_fs+0xae/0x328
[   27.686196]  vfs_kern_mount.part.34+0xdc/0x4e0
[   27.690766]  ? may_umount+0xb0/0xb0
[   27.694376]  ? _raw_read_unlock+0x22/0x30
[   27.698504]  ? __get_fs_type+0x97/0xc0
[   27.702377]  do_mount+0x581/0x30e0
[   27.705907]  ? copy_mount_string+0x40/0x40
[   27.710146]  ? copy_mount_options+0x5f/0x380
[   27.714565]  ? rcu_read_lock_sched_held+0x108/0x120
[   27.719577]  ? kmem_cache_alloc_trace+0x616/0x780
[   27.724402]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   27.729920]  ? _copy_from_user+0xdf/0x150
[   27.734054]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.739573]  ? copy_mount_options+0x285/0x380
[   27.744053]  ksys_mount+0x12d/0x140
[   27.747662]  __x64_sys_mount+0xbe/0x150
[   27.751619]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   27.756617]  do_syscall_64+0x1b9/0x820
[   27.760483]  ? syscall_return_slowpath+0x5e0/0x5e0
[   27.765391]  ? syscall_return_slowpath+0x31d/0x5e0
[   27.770303]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   27.775822]  ? retint_user+0x18/0x18
[   27.779518]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   27.784342]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.789518] RIP: 0033:0x440169
[   27.792682] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   27.811858] RSP: 002b:00007ffc8106fd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   27.819549] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440169
[   27.826797] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   27.834044] RBP: 00000000006ca018 R08: 0000000020000080 R09: 00000000004002c8
[   27.841294] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000004019f0
[   27.848545] R13: 0000000000401a80 R14: 0000000000000000 R15: 0000000000000000
[   27.855800] 
[   27.857406] Allocated by task 4546:
[   27.861104]  save_stack+0x43/0xd0
[   27.864536]  kasan_kmalloc+0xc4/0xe0
[   27.868250]  __kmalloc+0x14e/0x760
[   27.871773]  fscache_alloc_cookie+0x701/0x880
[   27.876245]  __fscache_acquire_cookie+0x230/0xb00
[   27.881076]  v9fs_cache_session_get_cookie+0xc4/0x270
[   27.886248]  v9fs_session_init+0x1013/0x1a80
[   27.890643]  v9fs_mount+0x7c/0x900
[   27.894165]  mount_fs+0xae/0x328
[   27.897512]  vfs_kern_mount.part.34+0xdc/0x4e0
[   27.902083]  do_mount+0x581/0x30e0
[   27.905605]  ksys_mount+0x12d/0x140
[   27.909211]  __x64_sys_mount+0xbe/0x150
[   27.913171]  do_syscall_64+0x1b9/0x820
[   27.917041]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   27.922215] 
[   27.923820] Freed by task 1:
[   27.926821]  save_stack+0x43/0xd0
[   27.930252]  __kasan_slab_free+0x11a/0x170
[   27.934471]  kasan_slab_free+0xe/0x10
[   27.938250]  kfree+0xd9/0x260
[   27.941336]  kobject_uevent_env+0x275/0x1110
[   27.945738]  kobject_uevent+0x1f/0x30
[   27.949518]  device_add+0x95d/0x16f0
[   27.953210]  device_create_groups_vargs+0x1ff/0x270
[   27.958202]  device_create_with_groups+0xe0/0x110
[   27.963032]  misc_register+0x2e8/0x7d0
[   27.966904]  loop_init+0x149/0x261
[   27.970426]  do_one_initcall+0x127/0x913
[   27.974468]  kernel_init_freeable+0x49b/0x58e
[   27.978943]  kernel_init+0x11/0x1b3
[   27.982550]  ret_from_fork+0x3a/0x50
[   27.986332] 
[   27.987950] The buggy address belongs to the object at ffff8801d2fad580
[   27.987950]  which belongs to the cache kmalloc-64 of size 64
[   28.000415] The buggy address is located 36 bytes inside of
[   28.000415]  64-byte region [ffff8801d2fad580, ffff8801d2fad5c0)
[   28.012093] The buggy address belongs to the page:
[   28.017002] page:ffffea00074beb40 count:1 mapcount:0 mapping:ffff8801da800340 index:0x0
[   28.025134] flags: 0x2fffc0000000100(slab)
[   28.029349] raw: 02fffc0000000100 ffffea00074bcac8 ffffea00074ab808 ffff8801da800340
[   28.037210] raw: 0000000000000000 ffff8801d2fad000 0000000100000020 0000000000000000
[   28.045066] page dumped because: kasan: bad access detected
[   28.050750] 
[   28.052351] Memory state around the buggy address:
[   28.057260]  ffff8801d2fad480: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   28.064598]  ffff8801d2fad500: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   28.071934] >ffff8801d2fad580: 00 00 00 00 05 fc fc fc fc fc fc fc fc fc fc fc
[   28.079278]                                ^
[   28.083671]  ffff8801d2fad600: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   28.091028]  ffff8801d2fad680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   28.098366] ==================================================================
[   28.105716] Disabling lock debugging due to kernel taint
[   28.111338] Kernel panic - not syncing: panic_on_warn set ...
[   28.111338] 
[   28.118739] CPU: 0 PID: 4546 Comm: syz-executor681 Tainted: G    B             4.18.0-rc4+ #138
[   28.127572] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.136908] Call Trace:
[   28.139479]  dump_stack+0x1c9/0x2b4
[   28.143093]  ? dump_stack_print_info.cold.2+0x52/0x52
[   28.148262]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.152999]  panic+0x238/0x4e7
[   28.156176]  ? add_taint.cold.5+0x16/0x16
[   28.160304]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.164692]  ? fscache_alloc_cookie+0x7a9/0x880
[   28.169346]  kasan_end_report+0x47/0x4f
[   28.173298]  kasan_report.cold.7+0x76/0x2fe
[   28.177597]  __asan_report_load4_noabort+0x14/0x20
[   28.182506]  fscache_alloc_cookie+0x7a9/0x880
[   28.186977]  ? fscache_cookie_init_once+0x80/0x80
[   28.191800]  ? lock_downgrade+0x8f0/0x8f0
[   28.195923]  ? radix_tree_delete_item+0x188/0x310
[   28.200745]  ? kasan_check_read+0x11/0x20
[   28.204872]  ? do_raw_spin_unlock+0xa7/0x2f0
[   28.209259]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   28.213822]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   28.218920]  __fscache_acquire_cookie+0x230/0xb00
[   28.223746]  ? fscache_cookie_put+0x850/0x850
[   28.228232]  ? p9_client_attach+0x215/0x860
[   28.232534]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   28.237628]  ? debug_check_no_obj_freed+0x30b/0x595
[   28.242645]  ? p9_client_walk+0xab0/0xab0
[   28.246776]  ? trace_hardirqs_off+0xd/0x10
[   28.250992]  ? quarantine_put+0x10d/0x1b0
[   28.255123]  ? kfree+0x111/0x260
[   28.258470]  v9fs_cache_session_get_cookie+0xc4/0x270
[   28.263647]  v9fs_session_init+0x1013/0x1a80
[   28.268043]  ? v9fs_show_options+0x7e0/0x7e0
[   28.272435]  ? rcu_is_watching+0x8c/0x150
[   28.276559]  ? rcu_pm_notify+0xc0/0xc0
[   28.280433]  ? v9fs_mount+0x61/0x900
[   28.284123]  ? rcu_read_lock_sched_held+0x108/0x120
[   28.289119]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   28.294634]  v9fs_mount+0x7c/0x900
[   28.298155]  mount_fs+0xae/0x328
[   28.301500]  vfs_kern_mount.part.34+0xdc/0x4e0
[   28.306060]  ? may_umount+0xb0/0xb0
[   28.309664]  ? _raw_read_unlock+0x22/0x30
[   28.313796]  ? __get_fs_type+0x97/0xc0
[   28.317662]  do_mount+0x581/0x30e0
[   28.321181]  ? copy_mount_string+0x40/0x40
[   28.325393]  ? copy_mount_options+0x5f/0x380
[   28.329779]  ? rcu_read_lock_sched_held+0x108/0x120
[   28.334786]  ? kmem_cache_alloc_trace+0x616/0x780
[   28.339609]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   28.345125]  ? _copy_from_user+0xdf/0x150
[   28.349254]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.354771]  ? copy_mount_options+0x285/0x380
[   28.359252]  ksys_mount+0x12d/0x140
[   28.362858]  __x64_sys_mount+0xbe/0x150
[   28.366812]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   28.371812]  do_syscall_64+0x1b9/0x820
[   28.375683]  ? syscall_return_slowpath+0x5e0/0x5e0
[   28.380591]  ? syscall_return_slowpath+0x31d/0x5e0
[   28.385502]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   28.391032]  ? retint_user+0x18/0x18
[   28.394726]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.399551]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.404731] RIP: 0033:0x440169
[   28.407896] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   28.427040] RSP: 002b:00007ffc8106fd08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   28.434732] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440169
[   28.442005] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   28.449264] RBP: 00000000006ca018 R08: 0000000020000080 R09: 00000000004002c8
[   28.456520] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000004019f0
[   28.463769] R13: 0000000000401a80 R14: 0000000000000000 R15: 0000000000000000
[   28.471531] Dumping ftrace buffer:
[   28.475054]    (ftrace buffer empty)
[   28.478741] Kernel Offset: disabled
[   28.482349] Rebooting in 86400 seconds..