[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   15.643952] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.224896] random: sshd: uninitialized urandom read (32 bytes read)
[   25.461934] random: sshd: uninitialized urandom read (32 bytes read)
[   26.117387] random: sshd: uninitialized urandom read (32 bytes read)
[   43.811034] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
[   49.311253] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
[   49.607479] ==================================================================
[   49.614883] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   49.621017] Read of size 17292 at addr ffff8801b17386ed by task syz-executor583/4471
[   49.628872] 
[   49.630483] CPU: 1 PID: 4471 Comm: syz-executor583 Not tainted 4.18.0-rc5-next-20180719+ #11
[   49.639035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.648366] Call Trace:
[   49.650942]  dump_stack+0x1c9/0x2b4
[   49.654552]  ? dump_stack_print_info.cold.2+0x52/0x52
[   49.659722]  ? printk+0xa7/0xcf
[   49.663035]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   49.667874]  ? pdu_read+0x90/0xd0
[   49.671310]  print_address_description+0x6c/0x20b
[   49.676139]  ? pdu_read+0x90/0xd0
[   49.679576]  kasan_report.cold.7+0x242/0x30d
[   49.683975]  check_memory_region+0x13e/0x1b0
[   49.688365]  memcpy+0x23/0x50
[   49.691454]  pdu_read+0x90/0xd0
[   49.694714]  p9pdu_readf+0x579/0x2170
[   49.699390]  ? p9pdu_writef+0xe0/0xe0
[   49.703276]  ? ksys_dup3+0x690/0x690
[   49.706970]  ? do_raw_spin_lock+0xc1/0x200
[   49.711182]  ? finish_wait+0x430/0x430
[   49.715058]  ? p9_fd_show_options+0x1c0/0x1c0
[   49.719539]  p9_client_create+0x6d0/0x1537
[   49.723763]  ? p9_client_read+0xbb0/0xbb0
[   49.727923]  ? lock_acquire+0x1e4/0x540
[   49.731880]  ? fs_reclaim_acquire+0x20/0x20
[   49.736189]  ? lock_release+0xa30/0xa30
[   49.740149]  ? __lockdep_init_map+0x105/0x590
[   49.744628]  ? kasan_check_write+0x14/0x20
[   49.748847]  ? __init_rwsem+0x1cc/0x2a0
[   49.752809]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   49.757810]  ? __kmalloc_track_caller+0x311/0x760
[   49.762640]  ? save_stack+0xa9/0xd0
[   49.766251]  ? save_stack+0x43/0xd0
[   49.769870]  ? kasan_kmalloc+0xc4/0xe0
[   49.773828]  ? memcpy+0x45/0x50
[   49.777093]  v9fs_session_init+0x21a/0x1a80
[   49.781397]  ? rcu_note_context_switch+0x730/0x730
[   49.786310]  ? legacy_parse_monolithic+0xde/0x1e0
[   49.791141]  ? v9fs_show_options+0x7e0/0x7e0
[   49.795533]  ? lock_release+0xa30/0xa30
[   49.799500]  ? check_same_owner+0x340/0x340
[   49.803806]  ? lock_downgrade+0x8f0/0x8f0
[   49.807948]  ? kasan_unpoison_shadow+0x35/0x50
[   49.812510]  ? kasan_kmalloc+0xc4/0xe0
[   49.816379]  ? kmem_cache_alloc_trace+0x318/0x780
[   49.821200]  ? kasan_unpoison_shadow+0x35/0x50
[   49.825762]  ? kasan_kmalloc+0xc4/0xe0
[   49.829645]  v9fs_mount+0x7c/0x900
[   49.833170]  ? v9fs_drop_inode+0x150/0x150
[   49.837389]  legacy_get_tree+0x131/0x460
[   49.841452]  vfs_get_tree+0x1cb/0x5c0
[   49.845243]  do_mount+0x6f2/0x1e20
[   49.848796]  ? check_same_owner+0x340/0x340
[   49.853107]  ? lock_release+0xa30/0xa30
[   49.857067]  ? copy_mount_string+0x40/0x40
[   49.861281]  ? kasan_kmalloc+0xc4/0xe0
[   49.865157]  ? kmem_cache_alloc_trace+0x318/0x780
[   49.870003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   49.875523]  ? _copy_from_user+0xdf/0x150
[   49.879670]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.885196]  ? copy_mount_options+0x285/0x380
[   49.889766]  ksys_mount+0x12d/0x140
[   49.893379]  __x64_sys_mount+0xbe/0x150
[   49.897344]  do_syscall_64+0x1b9/0x820
[   49.901212]  ? finish_task_switch+0x1d3/0x870
[   49.905692]  ? syscall_return_slowpath+0x5e0/0x5e0
[   49.910604]  ? syscall_return_slowpath+0x31d/0x5e0
[   49.915519]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   49.920520]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.926043]  ? prepare_exit_to_usermode+0x291/0x3b0
[   49.931046]  ? perf_trace_sys_enter+0xb10/0xb10
[   49.935710]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   49.940539]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.945710] RIP: 0033:0x446df9
[   49.948876] Code: e8 cc bd 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.968001] RSP: 002b:00007fe94561ace8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   49.975689] RAX: ffffffffffffffda RBX: 00000000006dcc44 RCX: 0000000000446df9
[   49.982936] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   49.990185] RBP: 00000000006dcc40 R08: 00000000200001c0 R09: 0000000000000000
[   49.997434] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   50.004683] R13: 00007ffc2c03bfbf R14: 00007fe94561b9c0 R15: 0000000000000001
[   50.011932] 
[   50.013539] Allocated by task 4471:
[   50.017147]  save_stack+0x43/0xd0
[   50.020578]  kasan_kmalloc+0xc4/0xe0
[   50.024269]  __kmalloc+0x14e/0x760
[   50.027788]  p9_fcall_alloc+0x1e/0x90
[   50.031566]  p9_client_prepare_req.part.8+0x132/0xa00
[   50.036745]  p9_client_rpc+0x242/0x1330
[   50.040712]  p9_client_create+0xca4/0x1537
[   50.044924]  v9fs_session_init+0x21a/0x1a80
[   50.049221]  v9fs_mount+0x7c/0x900
[   50.052739]  legacy_get_tree+0x131/0x460
[   50.056778]  vfs_get_tree+0x1cb/0x5c0
[   50.060557]  do_mount+0x6f2/0x1e20
[   50.064074]  ksys_mount+0x12d/0x140
[   50.067676]  __x64_sys_mount+0xbe/0x150
[   50.071628]  do_syscall_64+0x1b9/0x820
[   50.075498]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.080659] 
[   50.082264] Freed by task 0:
[   50.085256] (stack is not available)
[   50.088958] 
[   50.090565] The buggy address belongs to the object at ffff8801b17386c0
[   50.090565]  which belongs to the cache kmalloc-16384 of size 16384
[   50.103549] The buggy address is located 45 bytes inside of
[   50.103549]  16384-byte region [ffff8801b17386c0, ffff8801b173c6c0)
[   50.115484] The buggy address belongs to the page:
[   50.120392] page:ffffea0006c5ce00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   50.130347] flags: 0x2fffc0000010200(slab|head)
[   50.134999] raw: 02fffc0000010200 ffffea0006e89a08 ffff8801da801c48 ffff8801da802200
[   50.142872] raw: 0000000000000000 ffff8801b17386c0 0000000100000001 0000000000000000
[   50.150726] page dumped because: kasan: bad access detected
[   50.156417] 
[   50.158027] Memory state around the buggy address:
[   50.162934]  ffff8801b173a580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   50.170269]  ffff8801b173a600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   50.177617] >ffff8801b173a680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   50.184951]                                                        ^
[   50.191419]  ffff8801b173a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.198772]  ffff8801b173a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.206112] ==================================================================
[   50.213531] Kernel panic - not syncing: panic_on_warn set ...
[   50.213531] 
[   50.220900] CPU: 1 PID: 4471 Comm: syz-executor583 Tainted: G    B             4.18.0-rc5-next-20180719+ #11
[   50.230843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.240174] Call Trace:
[   50.242757]  dump_stack+0x1c9/0x2b4
[   50.246373]  ? dump_stack_print_info.cold.2+0x52/0x52
[   50.251561]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   50.256305]  panic+0x238/0x4e7
[   50.259478]  ? add_taint.cold.5+0x16/0x16
[   50.263607]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.268011]  ? pdu_read+0x90/0xd0
[   50.271443]  kasan_end_report+0x47/0x4f
[   50.275396]  kasan_report.cold.7+0x76/0x30d
[   50.279713]  check_memory_region+0x13e/0x1b0
[   50.284100]  memcpy+0x23/0x50
[   50.287196]  pdu_read+0x90/0xd0
[   50.290455]  p9pdu_readf+0x579/0x2170
[   50.294238]  ? p9pdu_writef+0xe0/0xe0
[   50.298029]  ? ksys_dup3+0x690/0x690
[   50.301731]  ? do_raw_spin_lock+0xc1/0x200
[   50.305953]  ? finish_wait+0x430/0x430
[   50.309822]  ? p9_fd_show_options+0x1c0/0x1c0
[   50.314300]  p9_client_create+0x6d0/0x1537
[   50.318525]  ? p9_client_read+0xbb0/0xbb0
[   50.322664]  ? lock_acquire+0x1e4/0x540
[   50.326619]  ? fs_reclaim_acquire+0x20/0x20
[   50.330921]  ? lock_release+0xa30/0xa30
[   50.334871]  ? __lockdep_init_map+0x105/0x590
[   50.339346]  ? kasan_check_write+0x14/0x20
[   50.343558]  ? __init_rwsem+0x1cc/0x2a0
[   50.347513]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   50.352508]  ? __kmalloc_track_caller+0x311/0x760
[   50.357337]  ? save_stack+0xa9/0xd0
[   50.360941]  ? save_stack+0x43/0xd0
[   50.364542]  ? kasan_kmalloc+0xc4/0xe0
[   50.368406]  ? memcpy+0x45/0x50
[   50.371679]  v9fs_session_init+0x21a/0x1a80
[   50.375981]  ? rcu_note_context_switch+0x730/0x730
[   50.380901]  ? legacy_parse_monolithic+0xde/0x1e0
[   50.385742]  ? v9fs_show_options+0x7e0/0x7e0
[   50.390132]  ? lock_release+0xa30/0xa30
[   50.394098]  ? check_same_owner+0x340/0x340
[   50.398399]  ? lock_downgrade+0x8f0/0x8f0
[   50.402540]  ? kasan_unpoison_shadow+0x35/0x50
[   50.407101]  ? kasan_kmalloc+0xc4/0xe0
[   50.410970]  ? kmem_cache_alloc_trace+0x318/0x780
[   50.415790]  ? kasan_unpoison_shadow+0x35/0x50
[   50.420353]  ? kasan_kmalloc+0xc4/0xe0
[   50.424220]  v9fs_mount+0x7c/0x900
[   50.427743]  ? v9fs_drop_inode+0x150/0x150
[   50.431963]  legacy_get_tree+0x131/0x460
[   50.436008]  vfs_get_tree+0x1cb/0x5c0
[   50.439790]  do_mount+0x6f2/0x1e20
[   50.443322]  ? check_same_owner+0x340/0x340
[   50.447623]  ? lock_release+0xa30/0xa30
[   50.451585]  ? copy_mount_string+0x40/0x40
[   50.455797]  ? kasan_kmalloc+0xc4/0xe0
[   50.459663]  ? kmem_cache_alloc_trace+0x318/0x780
[   50.464486]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.470017]  ? _copy_from_user+0xdf/0x150
[   50.474145]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.479663]  ? copy_mount_options+0x285/0x380
[   50.484151]  ksys_mount+0x12d/0x140
[   50.487760]  __x64_sys_mount+0xbe/0x150
[   50.491718]  do_syscall_64+0x1b9/0x820
[   50.495588]  ? finish_task_switch+0x1d3/0x870
[   50.500064]  ? syscall_return_slowpath+0x5e0/0x5e0
[   50.504982]  ? syscall_return_slowpath+0x31d/0x5e0
[   50.509892]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   50.514891]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.520409]  ? prepare_exit_to_usermode+0x291/0x3b0
[   50.525407]  ? perf_trace_sys_enter+0xb10/0xb10
[   50.530059]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   50.534901]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.540083] RIP: 0033:0x446df9
[   50.543250] Code: e8 cc bd 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   50.562374] RSP: 002b:00007fe94561ace8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   50.570064] RAX: ffffffffffffffda RBX: 00000000006dcc44 RCX: 0000000000446df9
[   50.577314] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   50.584573] RBP: 00000000006dcc40 R08: 00000000200001c0 R09: 0000000000000000
[   50.591825] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   50.599076] R13: 00007ffc2c03bfbf R14: 00007fe94561b9c0 R15: 0000000000000001
[   50.606735] Dumping ftrace buffer:
[   50.610255]    (ftrace buffer empty)
[   50.613943] Kernel Offset: disabled
[   50.617548] Rebooting in 86400 seconds..
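The report above carries the numbers that matter for triage: a memcpy of 17292 bytes starting 45 bytes into a 16384-byte kmalloc object, reached from pdu_read during p9_client_create, i.e. while the 9p client is still parsing the server's first reply during mount. The copy length came from the reply rather than from the size of the buffer the reply was being unpacked from. The following is an added example written for this page, not the kernel's code and not the fix that was applied upstream: it models a PDU reader whose header-declared length is validated against the allocation and whose every read is clamped to both the declared length and the capacity. The struct, the function names, the 9p-style sample message and the declared size of 45 + 17292 = 17337 (the smallest value consistent with the report's numbers under this model; the log itself does not print it) are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a message buffer (hypothetical names; this is not
 * the kernel's struct p9_fcall). The peer supplies `size` in the message
 * header; `capacity` is what was actually allocated for `data`. */
struct pdu {
    size_t capacity;
    size_t size;
    size_t offset;
    uint8_t *data;
};

/* Accept a header-declared length only if the allocation can hold it.
 * Returns 0 on success, -1 if the message must be dropped. */
static int pdu_set_size(struct pdu *p, size_t declared)
{
    if (declared > p->capacity)
        return -1;
    p->size = declared;
    p->offset = 0;
    return 0;
}

/* Bounded read: clamp to both the declared size and the allocation, and
 * treat a short read of a fixed-layout field as an error instead of
 * silently copying less. Returns 0 on success, -1 on refusal. */
static int pdu_read_bounded(struct pdu *p, void *dst, size_t want)
{
    size_t limit = p->size < p->capacity ? p->size : p->capacity;
    if (p->offset > limit || want > limit - p->offset)
        return -1;
    memcpy(dst, p->data + p->offset, want);
    p->offset += want;
    return 0;
}

static int pdu_read_u32le(struct pdu *p, uint32_t *out)
{
    uint8_t b[4];
    if (pdu_read_bounded(p, b, sizeof b) < 0)
        return -1;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 0;
}

enum { CAP = 16384 };   /* kmalloc-16384, as in the report */

/* Replay the report's numbers: a read of 17292 bytes at offset 45 of a
 * 16384-byte object, with an assumed declared size of 45 + 17292.
 * Returns 1 if both the header check and the read itself refuse it. */
int demo_reject_oversized_pdu(void)
{
    enum { OFF = 45, WANT = 17292, DECLARED = OFF + WANT };
    uint8_t *buf = calloc(CAP, 1);
    uint8_t *dst = malloc(WANT);
    struct pdu p = { .capacity = CAP, .data = buf };
    int header_refused = pdu_set_size(&p, DECLARED) < 0;

    /* Pretend the size got in anyway: the read must still stay inside the
     * allocation instead of trusting size - offset alone. */
    p.size = DECLARED;
    p.offset = OFF;
    int read_refused = pdu_read_bounded(&p, dst, WANT) < 0;

    free(dst);
    free(buf);
    return header_refused && read_refused;
}

/* Constructed, well-formed message in 9p-style layout:
 * size[4] type[1] tag[2] msize[4] version[s], with an empty version. */
static const uint8_t SAMPLE_MSG[] = {
    0x0d, 0x00, 0x00, 0x00,   /* size = 13 */
    0x65,                     /* type (constructed value) */
    0xff, 0xff,               /* tag */
    0x00, 0x20, 0x00, 0x00,   /* msize = 8192 */
    0x00, 0x00                /* version string length = 0 */
};

/* Parse the sample: returns the msize field, or -1 on any refusal. */
long demo_parse_valid_msize(void)
{
    uint8_t *buf = calloc(CAP, 1);
    struct pdu p = { .capacity = CAP, .data = buf };
    uint8_t hdr[7];
    uint32_t msize;
    long ret = -1;

    memcpy(buf, SAMPLE_MSG, sizeof SAMPLE_MSG);
    if (pdu_set_size(&p, SAMPLE_MSG[0]) == 0 &&
        pdu_read_bounded(&p, hdr, sizeof hdr) == 0 &&
        pdu_read_u32le(&p, &msize) == 0)
        ret = (long)msize;
    free(buf);
    return ret;
}

/* Reading past the declared size of a valid message is refused even though
 * the allocation has room: the declared length is the limit. Returns -1. */
int demo_read_past_declared_size(void)
{
    uint8_t *buf = calloc(CAP, 1);
    struct pdu p = { .capacity = CAP, .data = buf };
    uint8_t scratch[16];
    int rc;

    memcpy(buf, SAMPLE_MSG, sizeof SAMPLE_MSG);
    pdu_set_size(&p, SAMPLE_MSG[0]);
    p.offset = sizeof SAMPLE_MSG;   /* cursor already at end of message */
    rc = pdu_read_bounded(&p, scratch, 4);
    free(buf);
    return rc;
}
```

The point of clamping in two places is that the header check and the read are separated by transport code that may resize, reuse or refill the buffer; the read should not have to trust that the check ran against the same capacity it sees now. This is a generic model of the bug class a "slab-out-of-bounds in a memcpy whose length comes from the wire" report describes, and it goes beyond the single access in the log.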