[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.330402] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.592831] random: sshd: uninitialized urandom read (32 bytes read)
[   23.955810] random: sshd: uninitialized urandom read (32 bytes read)
[   24.842672] random: sshd: uninitialized urandom read (32 bytes read)
[   34.144187] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
[   39.655259] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   39.752846] ==================================================================
[   39.760329] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   39.766468] Read of size 30024 at addr ffff8801ab7384ed by task syz-executor662/4515
[   39.774329] 
[   39.776033] CPU: 1 PID: 4515 Comm: syz-executor662 Not tainted 4.18.0-rc3+ #137
[   39.783473] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.792810] Call Trace:
[   39.795387]  dump_stack+0x1c9/0x2b4
[   39.799000]  ? dump_stack_print_info.cold.2+0x52/0x52
[   39.804179]  ? printk+0xa7/0xcf
[   39.807454]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.812194]  ? pdu_read+0x90/0xd0
[   39.815630]  print_address_description+0x6c/0x20b
[   39.820469]  ? pdu_read+0x90/0xd0
[   39.823906]  kasan_report.cold.7+0x242/0x2fe
[   39.828321]  check_memory_region+0x13e/0x1b0
[   39.832719]  memcpy+0x23/0x50
[   39.835818]  pdu_read+0x90/0xd0
[   39.839080]  p9pdu_readf+0x579/0x2170
[   39.842870]  ? p9pdu_writef+0xe0/0xe0
[   39.846656]  ? __fget+0x414/0x670
[   39.850099]  ? rcu_is_watching+0x61/0x150
[   39.854235]  ? expand_files.part.8+0x9c0/0x9c0
[   39.858811]  ? rcu_read_lock_sched_held+0x108/0x120
[   39.863824]  ? p9_fd_show_options+0x1c0/0x1c0
[   39.868309]  p9_client_create+0xde0/0x16c9
[   39.872549]  ? p9_client_read+0xc60/0xc60
[   39.876684]  ? find_held_lock+0x36/0x1c0
[   39.880739]  ? __lockdep_init_map+0x105/0x590
[   39.885235]  ? kasan_check_write+0x14/0x20
[   39.889455]  ? __init_rwsem+0x1cc/0x2a0
[   39.893416]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   39.898420]  ? rcu_read_lock_sched_held+0x108/0x120
[   39.903442]  ? __kmalloc_track_caller+0x5f5/0x760
[   39.908320]  ? save_stack+0xa9/0xd0
[   39.911959]  ? save_stack+0x43/0xd0
[   39.915577]  ? kasan_kmalloc+0xc4/0xe0
[   39.919450]  ? kmem_cache_alloc_trace+0x152/0x780
[   39.924295]  ? memcpy+0x45/0x50
[   39.927576]  v9fs_session_init+0x21a/0x1a80
[   39.931907]  ? find_held_lock+0x36/0x1c0
[   39.935964]  ? v9fs_show_options+0x7e0/0x7e0
[   39.940367]  ? kasan_check_read+0x11/0x20
[   39.944512]  ? rcu_is_watching+0x8c/0x150
[   39.948706]  ? rcu_pm_notify+0xc0/0xc0
[   39.952595]  ? v9fs_mount+0x61/0x900
[   39.956310]  ? rcu_read_lock_sched_held+0x108/0x120
[   39.961343]  ? kmem_cache_alloc_trace+0x616/0x780
[   39.966194]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   39.971738]  v9fs_mount+0x7c/0x900
[   39.975287]  mount_fs+0xae/0x328
[   39.978672]  vfs_kern_mount.part.34+0xdc/0x4e0
[   39.983267]  ? may_umount+0xb0/0xb0
[   39.986896]  ? _raw_read_unlock+0x22/0x30
[   39.991041]  ? __get_fs_type+0x97/0xc0
[   39.994927]  do_mount+0x581/0x30e0
[   39.998455]  ? copy_mount_string+0x40/0x40
[   40.002677]  ? copy_mount_options+0x5f/0x380
[   40.007159]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.012197]  ? kmem_cache_alloc_trace+0x616/0x780
[   40.017061]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.022603]  ? _copy_from_user+0xdf/0x150
[   40.026760]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.032313]  ? copy_mount_options+0x285/0x380
[   40.036835]  ksys_mount+0x12d/0x140
[   40.040488]  __x64_sys_mount+0xbe/0x150
[   40.044483]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.049524]  do_syscall_64+0x1b9/0x820
[   40.053436]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.058390]  ? syscall_return_slowpath+0x31d/0x5e0
[   40.063346]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   40.068749]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.073630]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.078829] RIP: 0033:0x4401a9
[   40.082016] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.101259] RSP: 002b:00007ffdf1967498 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   40.108969] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004401a9
[   40.116270] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   40.123558] RBP: ffffffffffffffff R08: 0000000020000140 R09: 00000000004002c8
[   40.130825] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   40.138096] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[   40.145372] 
[   40.146994] Allocated by task 4515:
[   40.150625]  save_stack+0x43/0xd0
[   40.154079]  kasan_kmalloc+0xc4/0xe0
[   40.157792]  __kmalloc+0x14e/0x760
[   40.161329]  p9_fcall_alloc+0x1e/0x90
[   40.165158]  p9_client_prepare_req.part.8+0x754/0xcd0
[   40.170370]  p9_client_rpc+0x1bd/0x1400
[   40.174468]  p9_client_create+0xd09/0x16c9
[   40.178701]  v9fs_session_init+0x21a/0x1a80
[   40.183019]  v9fs_mount+0x7c/0x900
[   40.186558]  mount_fs+0xae/0x328
[   40.189938]  vfs_kern_mount.part.34+0xdc/0x4e0
[   40.194517]  do_mount+0x581/0x30e0
[   40.198061]  ksys_mount+0x12d/0x140
[   40.201683]  __x64_sys_mount+0xbe/0x150
[   40.205660]  do_syscall_64+0x1b9/0x820
[   40.209568]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.214760] 
[   40.216390] Freed by task 0:
[   40.219396] (stack is not available)
[   40.223116] 
[   40.224734] The buggy address belongs to the object at ffff8801ab7384c0
[   40.224734]  which belongs to the cache kmalloc-16384 of size 16384
[   40.237750] The buggy address is located 45 bytes inside of
[   40.237750]  16384-byte region [ffff8801ab7384c0, ffff8801ab73c4c0)
[   40.249799] The buggy address belongs to the page:
[   40.254728] page:ffffea0006adce00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   40.264696] flags: 0x2fffc0000008100(slab|head)
[   40.269375] raw: 02fffc0000008100 ffffea0006c0e608 ffff8801da801c48 ffff8801da802200
[   40.277272] raw: 0000000000000000 ffff8801ab7384c0 0000000100000001 0000000000000000
[   40.285163] page dumped because: kasan: bad access detected
[   40.290871] 
[   40.292493] Memory state around the buggy address:
[   40.297422]  ffff8801ab73a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.304780]  ffff8801ab73a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.312141] >ffff8801ab73a480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   40.319500]                                                        ^
[   40.325992]  ffff8801ab73a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.333355]  ffff8801ab73a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.340718] ==================================================================
[   40.348075] Disabling lock debugging due to kernel taint
[   40.353661] Kernel panic - not syncing: panic_on_warn set ...
[   40.353661] 
[   40.361029] CPU: 1 PID: 4515 Comm: syz-executor662 Tainted: G    B             4.18.0-rc3+ #137
[   40.369853] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.379200] Call Trace:
[   40.381790]  dump_stack+0x1c9/0x2b4
[   40.385411]  ? dump_stack_print_info.cold.2+0x52/0x52
[   40.390638]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.395413]  panic+0x238/0x4e7
[   40.398632]  ? add_taint.cold.5+0x16/0x16
[   40.402777]  ? do_raw_spin_unlock+0xa7/0x2f0
[   40.407181]  ? pdu_read+0x90/0xd0
[   40.410627]  kasan_end_report+0x47/0x4f
[   40.414617]  kasan_report.cold.7+0x76/0x2fe
[   40.418937]  check_memory_region+0x13e/0x1b0
[   40.423357]  memcpy+0x23/0x50
[   40.426466]  pdu_read+0x90/0xd0
[   40.429748]  p9pdu_readf+0x579/0x2170
[   40.433544]  ? p9pdu_writef+0xe0/0xe0
[   40.437341]  ? __fget+0x414/0x670
[   40.440809]  ? rcu_is_watching+0x61/0x150
[   40.444969]  ? expand_files.part.8+0x9c0/0x9c0
[   40.449564]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.454599]  ? p9_fd_show_options+0x1c0/0x1c0
[   40.459094]  p9_client_create+0xde0/0x16c9
[   40.463437]  ? p9_client_read+0xc60/0xc60
[   40.467593]  ? find_held_lock+0x36/0x1c0
[   40.471669]  ? __lockdep_init_map+0x105/0x590
[   40.476299]  ? kasan_check_write+0x14/0x20
[   40.480529]  ? __init_rwsem+0x1cc/0x2a0
[   40.484661]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   40.489680]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.494692]  ? __kmalloc_track_caller+0x5f5/0x760
[   40.499533]  ? save_stack+0xa9/0xd0
[   40.503159]  ? save_stack+0x43/0xd0
[   40.506780]  ? kasan_kmalloc+0xc4/0xe0
[   40.510662]  ? kmem_cache_alloc_trace+0x152/0x780
[   40.515515]  ? memcpy+0x45/0x50
[   40.518794]  v9fs_session_init+0x21a/0x1a80
[   40.523132]  ? find_held_lock+0x36/0x1c0
[   40.527205]  ? v9fs_show_options+0x7e0/0x7e0
[   40.531618]  ? kasan_check_read+0x11/0x20
[   40.543316]  ? rcu_is_watching+0x8c/0x150
[   40.547462]  ? rcu_pm_notify+0xc0/0xc0
[   40.551385]  ? v9fs_mount+0x61/0x900
[   40.555135]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.560178]  ? kmem_cache_alloc_trace+0x616/0x780
[   40.565041]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   40.570586]  v9fs_mount+0x7c/0x900
[   40.574166]  mount_fs+0xae/0x328
[   40.577549]  vfs_kern_mount.part.34+0xdc/0x4e0
[   40.582166]  ? may_umount+0xb0/0xb0
[   40.585798]  ? _raw_read_unlock+0x22/0x30
[   40.589960]  ? __get_fs_type+0x97/0xc0
[   40.593845]  do_mount+0x581/0x30e0
[   40.597386]  ? copy_mount_string+0x40/0x40
[   40.601620]  ? copy_mount_options+0x5f/0x380
[   40.606043]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.611064]  ? kmem_cache_alloc_trace+0x616/0x780
[   40.615895]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.621424]  ? _copy_from_user+0xdf/0x150
[   40.625576]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.631100]  ? copy_mount_options+0x285/0x380
[   40.635581]  ksys_mount+0x12d/0x140
[   40.639191]  __x64_sys_mount+0xbe/0x150
[   40.643149]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.648149]  do_syscall_64+0x1b9/0x820
[   40.652017]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.656922]  ? syscall_return_slowpath+0x31d/0x5e0
[   40.661834]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   40.667182]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.672013]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.677185] RIP: 0033:0x4401a9
[   40.680356] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.699582] RSP: 002b:00007ffdf1967498 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   40.707284] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004401a9
[   40.714556] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   40.721818] RBP: ffffffffffffffff R08: 0000000020000140 R09: 00000000004002c8
[   40.729075] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   40.736336] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[   40.743985] Dumping ftrace buffer:
[   40.747508]    (ftrace buffer empty)
[   40.751209] Kernel Offset: disabled
[   40.754827] Rebooting in 86400 seconds..