[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   18.543688] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.127153] random: sshd: uninitialized urandom read (32 bytes read)
[   22.548521] random: sshd: uninitialized urandom read (32 bytes read)
[   23.372239] random: sshd: uninitialized urandom read (32 bytes read)
[   23.546149] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
[   28.968637] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.057925] ==================================================================
[   29.065368] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880
[   29.072717] Read of size 4 at addr ffff8801d4355c34 by task syz-executor895/4511
[   29.080254] 
[   29.081873] CPU: 0 PID: 4511 Comm: syz-executor895 Not tainted 4.18.0-rc3+ #137
[   29.089294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.098627] Call Trace:
[   29.101199]  dump_stack+0x1c9/0x2b4
[   29.104806]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.109986]  ? printk+0xa7/0xcf
[   29.113250]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.117989]  ? fscache_alloc_cookie+0x7a9/0x880
[   29.122641]  print_address_description+0x6c/0x20b
[   29.127472]  ? fscache_alloc_cookie+0x7a9/0x880
[   29.132120]  kasan_report.cold.7+0x242/0x2fe
[   29.136509]  __asan_report_load4_noabort+0x14/0x20
[   29.141426]  fscache_alloc_cookie+0x7a9/0x880
[   29.145903]  ? fscache_cookie_init_once+0x80/0x80
[   29.150726]  ? lock_downgrade+0x8f0/0x8f0
[   29.154854]  ? radix_tree_delete_item+0x188/0x310
[   29.159682]  ? kasan_check_read+0x11/0x20
[   29.163811]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.168197]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   29.172761]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.177850]  __fscache_acquire_cookie+0x230/0xb00
[   29.182675]  ? fscache_cookie_put+0x850/0x850
[   29.187152]  ? p9_client_attach+0x215/0x860
[   29.191455]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   29.196539]  ? debug_check_no_obj_freed+0x30b/0x595
[   29.201534]  ? p9_client_walk+0xab0/0xab0
[   29.205666]  ? trace_hardirqs_off+0xd/0x10
[   29.209882]  ? quarantine_put+0x10d/0x1b0
[   29.214017]  ? kfree+0x111/0x260
[   29.217377]  v9fs_cache_session_get_cookie+0xc4/0x270
[   29.222551]  v9fs_session_init+0x1013/0x1a80
[   29.226955]  ? v9fs_show_options+0x7e0/0x7e0
[   29.231344]  ? rcu_is_watching+0x8c/0x150
[   29.235469]  ? rcu_pm_notify+0xc0/0xc0
[   29.239349]  ? v9fs_mount+0x61/0x900
[   29.243046]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.248058]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.253580]  v9fs_mount+0x7c/0x900
[   29.257114]  mount_fs+0xae/0x328
[   29.260469]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.265044]  ? may_umount+0xb0/0xb0
[   29.268667]  ? _raw_read_unlock+0x22/0x30
[   29.272794]  ? __get_fs_type+0x97/0xc0
[   29.276665]  do_mount+0x581/0x30e0
[   29.280187]  ? copy_mount_string+0x40/0x40
[   29.284412]  ? copy_mount_options+0x5f/0x380
[   29.288802]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.293809]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.298635]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.304154]  ? _copy_from_user+0xdf/0x150
[   29.308283]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.313800]  ? copy_mount_options+0x285/0x380
[   29.318276]  ksys_mount+0x12d/0x140
[   29.321892]  __x64_sys_mount+0xbe/0x150
[   29.325853]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.330853]  do_syscall_64+0x1b9/0x820
[   29.334722]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.339632]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.344552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.350080]  ? retint_user+0x18/0x18
[   29.353777]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.358601]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.363767] RIP: 0033:0x440309
[   29.366932] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   29.386120] RSP: 002b:00007ffc5c160458 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   29.393807] RAX: ffffffffffffffda RBX: 6761746568636163 RCX: 0000000000440309
[   29.401054] RDX: 00000000200002c0 RSI: 0000000020000280 RDI: 0000000000000000
[   29.408303] RBP: 00000000006ca018 R08: 0000000020000340 R09: 00000000004002c8
[   29.415551] R10: 0000000000800000 R11: 0000000000000202 R12: 0000000000401b90
[   29.422803] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[   29.430061] 
[   29.431666] Allocated by task 4511:
[   29.435274]  save_stack+0x43/0xd0
[   29.438704]  kasan_kmalloc+0xc4/0xe0
[   29.442399]  __kmalloc+0x14e/0x760
[   29.445918]  fscache_alloc_cookie+0x701/0x880
[   29.450390]  __fscache_acquire_cookie+0x230/0xb00
[   29.455212]  v9fs_cache_session_get_cookie+0xc4/0x270
[   29.460387]  v9fs_session_init+0x1013/0x1a80
[   29.464772]  v9fs_mount+0x7c/0x900
[   29.468290]  mount_fs+0xae/0x328
[   29.471635]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.476210]  do_mount+0x581/0x30e0
[   29.479731]  ksys_mount+0x12d/0x140
[   29.483338]  __x64_sys_mount+0xbe/0x150
[   29.487292]  do_syscall_64+0x1b9/0x820
[   29.491163]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.496324] 
[   29.497929] Freed by task 1:
[   29.500937]  save_stack+0x43/0xd0
[   29.504373]  __kasan_slab_free+0x11a/0x170
[   29.508585]  kasan_slab_free+0xe/0x10
[   29.512365]  kfree+0xd9/0x260
[   29.515450]  __kthread_create_on_node+0x34a/0x4c0
[   29.520268]  kthread_create_on_node+0xb1/0xe0
[   29.524743]  cryptomgr_notify+0x5ac/0xb90
[   29.528878]  notifier_call_chain+0x180/0x390
[   29.533267]  blocking_notifier_call_chain+0x147/0x190
[   29.538436]  crypto_probing_notify+0x26/0x80
[   29.542828]  crypto_wait_for_test+0x42/0xe0
[   29.547126]  crypto_register_alg+0xc0/0xe0
[   29.551339]  crypto_register_shash+0x35/0x50
[   29.555727]  crypto_register_shashes+0x5d/0xe0
[   29.560290]  sha256_ssse3_mod_init+0x1c3/0x3ea
[   29.564851]  do_one_initcall+0x127/0x913
[   29.568891]  kernel_init_freeable+0x49b/0x58e
[   29.573365]  kernel_init+0x11/0x1b3
[   29.576971]  ret_from_fork+0x3a/0x50
[   29.580658] 
[   29.582267] The buggy address belongs to the object at ffff8801d4355c00
[   29.582267]  which belongs to the cache kmalloc-64 of size 64
[   29.594728] The buggy address is located 52 bytes inside of
[   29.594728]  64-byte region [ffff8801d4355c00, ffff8801d4355c40)
[   29.606404] The buggy address belongs to the page:
[   29.611314] page:ffffea000750d540 count:1 mapcount:0 mapping:ffff8801da800340 index:0xffff8801d4355080
[   29.620736] flags: 0x2fffc0000000100(slab)
[   29.624953] raw: 02fffc0000000100 ffffea00075988c8 ffffea0007511b88 ffff8801da800340
[   29.632822] raw: ffff8801d4355080 ffff8801d4355000 000000010000000d 0000000000000000
[   29.640685] page dumped because: kasan: bad access detected
[   29.646381] 
[   29.647985] Memory state around the buggy address:
[   29.652899]  ffff8801d4355b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.660237]  ffff8801d4355b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.667576] >ffff8801d4355c00: 00 00 00 00 00 00 07 fc fc fc fc fc fc fc fc fc
[   29.674911]                                      ^
[   29.679817]  ffff8801d4355c80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   29.687153]  ffff8801d4355d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.694484] ==================================================================
[   29.701817] Disabling lock debugging due to kernel taint
[   29.707583] Kernel panic - not syncing: panic_on_warn set ...
[   29.707583] 
[   29.714961] CPU: 0 PID: 4511 Comm: syz-executor895 Tainted: G    B     4.18.0-rc3+ #137
[   29.723780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.733116] Call Trace:
[   29.735686]  dump_stack+0x1c9/0x2b4
[   29.739294]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.744464]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.749209]  panic+0x238/0x4e7
[   29.752384]  ? add_taint.cold.5+0x16/0x16
[   29.756519]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.760926]  ? fscache_alloc_cookie+0x7a9/0x880
[   29.765580]  kasan_end_report+0x47/0x4f
[   29.769530]  kasan_report.cold.7+0x76/0x2fe
[   29.773836]  __asan_report_load4_noabort+0x14/0x20
[   29.778754]  fscache_alloc_cookie+0x7a9/0x880
[   29.783230]  ? fscache_cookie_init_once+0x80/0x80
[   29.788054]  ? lock_downgrade+0x8f0/0x8f0
[   29.792177]  ? radix_tree_delete_item+0x188/0x310
[   29.797002]  ? kasan_check_read+0x11/0x20
[   29.801143]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.805528]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   29.810091]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.815175]  __fscache_acquire_cookie+0x230/0xb00
[   29.819996]  ? fscache_cookie_put+0x850/0x850
[   29.824473]  ? p9_client_attach+0x215/0x860
[   29.828773]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   29.833855]  ? debug_check_no_obj_freed+0x30b/0x595
[   29.838851]  ? p9_client_walk+0xab0/0xab0
[   29.842979]  ? trace_hardirqs_off+0xd/0x10
[   29.847189]  ? quarantine_put+0x10d/0x1b0
[   29.851316]  ? kfree+0x111/0x260
[   29.854674]  v9fs_cache_session_get_cookie+0xc4/0x270
[   29.859845]  v9fs_session_init+0x1013/0x1a80
[   29.864236]  ? v9fs_show_options+0x7e0/0x7e0
[   29.868622]  ? rcu_is_watching+0x8c/0x150
[   29.872747]  ? rcu_pm_notify+0xc0/0xc0
[   29.876616]  ? v9fs_mount+0x61/0x900
[   29.880317]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.885319]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.890842]  v9fs_mount+0x7c/0x900
[   29.894363]  mount_fs+0xae/0x328
[   29.897711]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.902272]  ? may_umount+0xb0/0xb0
[   29.905885]  ? _raw_read_unlock+0x22/0x30
[   29.910015]  ? __get_fs_type+0x97/0xc0
[   29.913893]  do_mount+0x581/0x30e0
[   29.917413]  ? copy_mount_string+0x40/0x40
[   29.921629]  ? copy_mount_options+0x5f/0x380
[   29.926022]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.931029]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.935864]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.941379]  ? _copy_from_user+0xdf/0x150
[   29.945507]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.951030]  ? copy_mount_options+0x285/0x380
[   29.955511]  ksys_mount+0x12d/0x140
[   29.959116]  __x64_sys_mount+0xbe/0x150
[   29.963071]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.968064]  do_syscall_64+0x1b9/0x820
[   29.971936]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.976845]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.981755]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.987270]  ? retint_user+0x18/0x18
[   29.990969]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.995792]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.000957] RIP: 0033:0x440309
[   30.004121] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   30.023234] RSP: 002b:00007ffc5c160458 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.030921] RAX: ffffffffffffffda RBX: 6761746568636163 RCX: 0000000000440309
[   30.038166] RDX: 00000000200002c0 RSI: 0000000020000280 RDI: 0000000000000000
[   30.045413] RBP: 00000000006ca018 R08: 0000000020000340 R09: 00000000004002c8
[   30.052658] R10: 0000000000800000 R11: 0000000000000202 R12: 0000000000401b90
[   30.059904] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[   30.067637] Dumping ftrace buffer:
[   30.071154]    (ftrace buffer empty)
[   30.074840] Kernel Offset: disabled
[   30.078454] Rebooting in 86400 seconds..