[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.497704] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.805641] random: sshd: uninitialized urandom read (32 bytes read)
[   23.116604] random: sshd: uninitialized urandom read (32 bytes read)
[   23.989557] random: sshd: uninitialized urandom read (32 bytes read)
[   24.153593] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   29.620182] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   29.713466] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   29.739513] ==================================================================
[   29.746990] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   29.753131] Read of size 41608 at addr ffff8801b31c04ad by task syz-executor005/4577
[   29.760989] 
[   29.762608] CPU: 0 PID: 4577 Comm: syz-executor005 Not tainted 4.18.0-rc4+ #138
[   29.770047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.779391] Call Trace:
[   29.781977]  dump_stack+0x1c9/0x2b4
[   29.785602]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.790798]  ? printk+0xa7/0xcf
[   29.794072]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.798825]  ? pdu_read+0x90/0xd0
[   29.802274]  print_address_description+0x6c/0x20b
[   29.807099]  ? pdu_read+0x90/0xd0
[   29.810541]  kasan_report.cold.7+0x242/0x2fe
[   29.814934]  check_memory_region+0x13e/0x1b0
[   29.819339]  memcpy+0x23/0x50
[   29.822434]  pdu_read+0x90/0xd0
[   29.825700]  p9pdu_readf+0x579/0x2170
[   29.829490]  ? p9pdu_writef+0xe0/0xe0
[   29.833274]  ? __fget+0x414/0x670
[   29.836717]  ? rcu_is_watching+0x61/0x150
[   29.840850]  ? expand_files.part.8+0x9c0/0x9c0
[   29.845431]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.850439]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.854924]  p9_client_create+0xde0/0x16c9
[   29.859158]  ? p9_client_read+0xc60/0xc60
[   29.863294]  ? find_held_lock+0x36/0x1c0
[   29.867352]  ? __lockdep_init_map+0x105/0x590
[   29.871840]  ? kasan_check_write+0x14/0x20
[   29.876058]  ? __init_rwsem+0x1cc/0x2a0
[   29.880038]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.885049]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.890055]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.894884]  ? save_stack+0xa9/0xd0
[   29.898509]  ? save_stack+0x43/0xd0
[   29.902128]  ? kasan_kmalloc+0xc4/0xe0
[   29.906000]  ? kmem_cache_alloc_trace+0x152/0x780
[   29.910837]  ? memcpy+0x45/0x50
[   29.914113]  v9fs_session_init+0x21a/0x1a80
[   29.918422]  ? find_held_lock+0x36/0x1c0
[   29.922474]  ? v9fs_show_options+0x7e0/0x7e0
[   29.926879]  ? kasan_check_read+0x11/0x20
[   29.931015]  ? rcu_is_watching+0x8c/0x150
[   29.935157]  ? rcu_pm_notify+0xc0/0xc0
[   29.939045]  ? v9fs_mount+0x61/0x900
[   29.942752]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.947764]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.952605]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.958138]  v9fs_mount+0x7c/0x900
[   29.961677]  mount_fs+0xae/0x328
[   29.965039]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.969608]  ? may_umount+0xb0/0xb0
[   29.973220]  ? _raw_read_unlock+0x22/0x30
[   29.977351]  ? __get_fs_type+0x97/0xc0
[   29.981224]  do_mount+0x581/0x30e0
[   29.984751]  ? copy_mount_string+0x40/0x40
[   29.988983]  ? copy_mount_options+0x5f/0x380
[   29.993382]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.998396]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.003231]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.008767]  ? _copy_from_user+0xdf/0x150
[   30.012929]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.018454]  ? copy_mount_options+0x285/0x380
[   30.022938]  ksys_mount+0x12d/0x140
[   30.026564]  __x64_sys_mount+0xbe/0x150
[   30.030529]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.035547]  do_syscall_64+0x1b9/0x820
[   30.039433]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.044354]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.049299]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.054830]  ? retint_user+0x18/0x18
[   30.058551]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.063401]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.068675] RIP: 0033:0x440959
[   30.071845] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   30.091047] RSP: 002b:00007ffde89125a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.098762] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.106033] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.113288] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.120547] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000740f
[   30.127810] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.135072] 
[   30.136690] Allocated by task 4577:
[   30.140307]  save_stack+0x43/0xd0
[   30.143746]  kasan_kmalloc+0xc4/0xe0
[   30.147457]  __kmalloc+0x14e/0x760
[   30.150998]  p9_fcall_alloc+0x1e/0x90
[   30.154801]  p9_client_prepare_req.part.8+0x754/0xcd0
[   30.159974]  p9_client_rpc+0x1bd/0x1400
[   30.163932]  p9_client_create+0xd09/0x16c9
[   30.168149]  v9fs_session_init+0x21a/0x1a80
[   30.172461]  v9fs_mount+0x7c/0x900
[   30.175992]  mount_fs+0xae/0x328
[   30.179351]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.183921]  do_mount+0x581/0x30e0
[   30.187449]  ksys_mount+0x12d/0x140
[   30.191069]  __x64_sys_mount+0xbe/0x150
[   30.195036]  do_syscall_64+0x1b9/0x820
[   30.198916]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.204089] 
[   30.205708] Freed by task 0:
[   30.208728] (stack is not available)
[   30.212429] 
[   30.214046] The buggy address belongs to the object at ffff8801b31c0480
[   30.214046]  which belongs to the cache kmalloc-16384 of size 16384
[   30.227046] The buggy address is located 45 bytes inside of
[   30.227046]  16384-byte region [ffff8801b31c0480, ffff8801b31c4480)
[   30.239006] The buggy address belongs to the page:
[   30.243936] page:ffffea0006cc7000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   30.253895] flags: 0x2fffc0000008100(slab|head)
[   30.258551] raw: 02fffc0000008100 ffffea0006cb2c08 ffff8801da801c48 ffff8801da802200
[   30.266434] raw: 0000000000000000 ffff8801b31c0480 0000000100000001 0000000000000000
[   30.274308] page dumped because: kasan: bad access detected
[   30.279999] 
[   30.281616] Memory state around the buggy address:
[   30.286537]  ffff8801b31c2380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.293897]  ffff8801b31c2400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.301242] >ffff8801b31c2480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   30.308588]                                ^
[   30.312993]  ffff8801b31c2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.320354]  ffff8801b31c2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.327701] ==================================================================
[   30.335046] Disabling lock debugging due to kernel taint
[   30.340579] Kernel panic - not syncing: panic_on_warn set ...
[   30.340579] 
[   30.347954] CPU: 0 PID: 4577 Comm: syz-executor005 Tainted: G    B             4.18.0-rc4+ #138
[   30.356875] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.366221] Call Trace:
[   30.368800]  dump_stack+0x1c9/0x2b4
[   30.372423]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.377612]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.382362]  panic+0x238/0x4e7
[   30.385634]  ? add_taint.cold.5+0x16/0x16
[   30.389765]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.394172]  ? pdu_read+0x90/0xd0
[   30.397611]  kasan_end_report+0x47/0x4f
[   30.401576]  kasan_report.cold.7+0x76/0x2fe
[   30.405882]  check_memory_region+0x13e/0x1b0
[   30.410272]  memcpy+0x23/0x50
[   30.413372]  pdu_read+0x90/0xd0
[   30.416645]  p9pdu_readf+0x579/0x2170
[   30.420439]  ? p9pdu_writef+0xe0/0xe0
[   30.424227]  ? __fget+0x414/0x670
[   30.427671]  ? rcu_is_watching+0x61/0x150
[   30.431802]  ? expand_files.part.8+0x9c0/0x9c0
[   30.436374]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.441390]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.445881]  p9_client_create+0xde0/0x16c9
[   30.450113]  ? p9_client_read+0xc60/0xc60
[   30.454247]  ? find_held_lock+0x36/0x1c0
[   30.458295]  ? __lockdep_init_map+0x105/0x590
[   30.462795]  ? kasan_check_write+0x14/0x20
[   30.467019]  ? __init_rwsem+0x1cc/0x2a0
[   30.470978]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.475976]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.480972]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.485795]  ? save_stack+0xa9/0xd0
[   30.489413]  ? save_stack+0x43/0xd0
[   30.493035]  ? kasan_kmalloc+0xc4/0xe0
[   30.496916]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.501742]  ? memcpy+0x45/0x50
[   30.505009]  v9fs_session_init+0x21a/0x1a80
[   30.509335]  ? find_held_lock+0x36/0x1c0
[   30.513394]  ? v9fs_show_options+0x7e0/0x7e0
[   30.517788]  ? kasan_check_read+0x11/0x20
[   30.521918]  ? rcu_is_watching+0x8c/0x150
[   30.526054]  ? rcu_pm_notify+0xc0/0xc0
[   30.529935]  ? v9fs_mount+0x61/0x900
[   30.533634]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.538638]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.543476]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.549000]  v9fs_mount+0x7c/0x900
[   30.552535]  mount_fs+0xae/0x328
[   30.555897]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.560465]  ? may_umount+0xb0/0xb0
[   30.564084]  ? _raw_read_unlock+0x22/0x30
[   30.568232]  ? __get_fs_type+0x97/0xc0
[   30.572116]  do_mount+0x581/0x30e0
[   30.575656]  ? copy_mount_string+0x40/0x40
[   30.579873]  ? copy_mount_options+0x5f/0x380
[   30.584281]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.589287]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.594136]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.599654]  ? _copy_from_user+0xdf/0x150
[   30.603795]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.609316]  ? copy_mount_options+0x285/0x380
[   30.613795]  ksys_mount+0x12d/0x140
[   30.617407]  __x64_sys_mount+0xbe/0x150
[   30.621368]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.626368]  do_syscall_64+0x1b9/0x820
[   30.630254]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.635191]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.640122]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.645675]  ? retint_user+0x18/0x18
[   30.649414]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.654268]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.659445] RIP: 0033:0x440959
[   30.662625] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   30.681779] RSP: 002b:00007ffde89125a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.689481] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.696735] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.703988] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.711260] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000740f
[   30.718530] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.726385] Dumping ftrace buffer:
[   30.729916]    (ftrace buffer empty)
[   30.733614] Kernel Offset: disabled
[   30.737218] Rebooting in 86400 seconds..