[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   17.915489] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.378861] random: sshd: uninitialized urandom read (32 bytes read)
[   22.527347] random: sshd: uninitialized urandom read (32 bytes read)
[   23.349253] random: sshd: uninitialized urandom read (32 bytes read)
[   23.501961] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts.
[   28.985542] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   29.076304] ==================================================================
[   29.083737] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   29.089860] Read of size 29811 at addr ffff8801abb104ed by task syz-executor958/4519
[   29.097721]
[   29.099332] CPU: 1 PID: 4519 Comm: syz-executor958 Not tainted 4.18.0-rc4+ #139
[   29.106754] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.116087] Call Trace:
[   29.118661]  dump_stack+0x1c9/0x2b4
[   29.122276]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.127446]  ? printk+0xa7/0xcf
[   29.130706]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.135442]  ? pdu_read+0x90/0xd0
[   29.138877]  print_address_description+0x6c/0x20b
[   29.143697]  ? pdu_read+0x90/0xd0
[   29.147137]  kasan_report.cold.7+0x242/0x2fe
[   29.151526]  check_memory_region+0x13e/0x1b0
[   29.155917]  memcpy+0x23/0x50
[   29.159002]  pdu_read+0x90/0xd0
[   29.162263]  p9pdu_readf+0x579/0x2170
[   29.166045]  ? p9pdu_writef+0xe0/0xe0
[   29.169826]  ? __fget+0x414/0x670
[   29.173257]  ? rcu_is_watching+0x61/0x150
[   29.177382]  ? expand_files.part.8+0x9c0/0x9c0
[   29.181950]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.186958]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.191439]  p9_client_create+0xde0/0x16c9
[   29.195658]  ? p9_client_read+0xc60/0xc60
[   29.199783]  ? find_held_lock+0x36/0x1c0
[   29.203833]  ? __lockdep_init_map+0x105/0x590
[   29.208321]  ? kasan_check_write+0x14/0x20
[   29.212534]  ? __init_rwsem+0x1cc/0x2a0
[   29.216506]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.221503]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.226497]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.231316]  ? save_stack+0xa9/0xd0
[   29.234921]  ? save_stack+0x43/0xd0
[   29.238529]  ? kasan_kmalloc+0xc4/0xe0
[   29.242394]  ? kmem_cache_alloc_trace+0x152/0x780
[   29.247231]  ? memcpy+0x45/0x50
[   29.250494]  v9fs_session_init+0x21a/0x1a80
[   29.254797]  ? find_held_lock+0x36/0x1c0
[   29.258844]  ? v9fs_show_options+0x7e0/0x7e0
[   29.263232]  ? kasan_check_read+0x11/0x20
[   29.267368]  ? rcu_is_watching+0x8c/0x150
[   29.271498]  ? rcu_pm_notify+0xc0/0xc0
[   29.275370]  ? v9fs_mount+0x61/0x900
[   29.279064]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.284068]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.288902]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.294417]  v9fs_mount+0x7c/0x900
[   29.297952]  mount_fs+0xae/0x328
[   29.301300]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.305863]  ? may_umount+0xb0/0xb0
[   29.309471]  ? _raw_read_unlock+0x22/0x30
[   29.313598]  ? __get_fs_type+0x97/0xc0
[   29.317465]  do_mount+0x581/0x30e0
[   29.320985]  ? copy_mount_string+0x40/0x40
[   29.325201]  ? copy_mount_options+0x5f/0x380
[   29.329587]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.334583]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.339405]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.344922]  ? _copy_from_user+0xdf/0x150
[   29.349051]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.354574]  ? copy_mount_options+0x285/0x380
[   29.359049]  ksys_mount+0x12d/0x140
[   29.362656]  __x64_sys_mount+0xbe/0x150
[   29.366612]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.371608]  do_syscall_64+0x1b9/0x820
[   29.375477]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.380387]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.385298]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.390644]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.395470]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.400640] RIP: 0033:0x440109
[   29.403805] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   29.422992] RSP: 002b:00007ffc488c2e58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   29.430687] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440109
[   29.437935] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[   29.445180] RBP: 0030656c69662f2e R08: 0000000020000380 R09: 00000000004002c8
[   29.452429] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   29.459688] R13: 0000000000401a20 R14: 0000000000000000 R15: 0000000000000000
[   29.466939]
[   29.468546] Allocated by task 4519:
[   29.472157]  save_stack+0x43/0xd0
[   29.475585]  kasan_kmalloc+0xc4/0xe0
[   29.479275]  __kmalloc+0x14e/0x760
[   29.482796]  p9_fcall_alloc+0x1e/0x90
[   29.486575]  p9_client_prepare_req.part.8+0x754/0xcd0
[   29.491740]  p9_client_rpc+0x1bd/0x1400
[   29.495691]  p9_client_create+0xd09/0x16c9
[   29.499903]  v9fs_session_init+0x21a/0x1a80
[   29.504204]  v9fs_mount+0x7c/0x900
[   29.507723]  mount_fs+0xae/0x328
[   29.511069]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.515629]  do_mount+0x581/0x30e0
[   29.519145]  ksys_mount+0x12d/0x140
[   29.522754]  __x64_sys_mount+0xbe/0x150
[   29.526706]  do_syscall_64+0x1b9/0x820
[   29.530572]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.535734]
[   29.537340] Freed by task 0:
[   29.540329] (stack is not available)
[   29.544016]
[   29.545633] The buggy address belongs to the object at ffff8801abb104c0
[   29.545633]  which belongs to the cache kmalloc-16384 of size 16384
[   29.558611] The buggy address is located 45 bytes inside of
[   29.558611]  16384-byte region [ffff8801abb104c0, ffff8801abb144c0)
[   29.570545] The buggy address belongs to the page:
[   29.575452] page:ffffea0006aec400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   29.585399] flags: 0x2fffc0000008100(slab|head)
[   29.590048] raw: 02fffc0000008100 ffffea0006aebe08 ffff8801da801c48 ffff8801da802200
[   29.597909] raw: 0000000000000000 ffff8801abb104c0 0000000100000001 0000000000000000
[   29.605764] page dumped because: kasan: bad access detected
[   29.611447]
[   29.613050] Memory state around the buggy address:
[   29.617953]  ffff8801abb12380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.625292]  ffff8801abb12400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.632626] >ffff8801abb12480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   29.639958]                                                        ^
[   29.646424]  ffff8801abb12500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.653759]  ffff8801abb12580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.661093] ==================================================================
[   29.668426] Disabling lock debugging due to kernel taint
[   29.673990] Kernel panic - not syncing: panic_on_warn set ...
[   29.673990]
[   29.681359] CPU: 1 PID: 4519 Comm: syz-executor958 Tainted: G    B             4.18.0-rc4+ #139
[   29.690178] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.699518] Call Trace:
[   29.702088]  dump_stack+0x1c9/0x2b4
[   29.705694]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.710872]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.715604]  panic+0x238/0x4e7
[   29.718790]  ? add_taint.cold.5+0x16/0x16
[   29.722923]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.727311]  ? pdu_read+0x90/0xd0
[   29.730740]  kasan_end_report+0x47/0x4f
[   29.734691]  kasan_report.cold.7+0x76/0x2fe
[   29.738999]  check_memory_region+0x13e/0x1b0
[   29.743390]  memcpy+0x23/0x50
[   29.746471]  pdu_read+0x90/0xd0
[   29.749731]  p9pdu_readf+0x579/0x2170
[   29.753510]  ? p9pdu_writef+0xe0/0xe0
[   29.757288]  ? __fget+0x414/0x670
[   29.760719]  ? rcu_is_watching+0x61/0x150
[   29.764843]  ? expand_files.part.8+0x9c0/0x9c0
[   29.769408]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.774407]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.778883]  p9_client_create+0xde0/0x16c9
[   29.783095]  ? p9_client_read+0xc60/0xc60
[   29.787219]  ? find_held_lock+0x36/0x1c0
[   29.791262]  ? __lockdep_init_map+0x105/0x590
[   29.795737]  ? kasan_check_write+0x14/0x20
[   29.799949]  ? __init_rwsem+0x1cc/0x2a0
[   29.803899]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.808892]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.813882]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.818713]  ? save_stack+0xa9/0xd0
[   29.822318]  ? save_stack+0x43/0xd0
[   29.825922]  ? kasan_kmalloc+0xc4/0xe0
[   29.829788]  ? kmem_cache_alloc_trace+0x152/0x780
[   29.834607]  ? memcpy+0x45/0x50
[   29.837868]  v9fs_session_init+0x21a/0x1a80
[   29.842168]  ? find_held_lock+0x36/0x1c0
[   29.846207]  ? v9fs_show_options+0x7e0/0x7e0
[   29.850603]  ? kasan_check_read+0x11/0x20
[   29.854734]  ? rcu_is_watching+0x8c/0x150
[   29.858863]  ? rcu_pm_notify+0xc0/0xc0
[   29.862733]  ? v9fs_mount+0x61/0x900
[   29.866430]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.872046]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.876867]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.882389]  v9fs_mount+0x7c/0x900
[   29.885917]  mount_fs+0xae/0x328
[   29.889264]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.893824]  ? may_umount+0xb0/0xb0
[   29.897431]  ? _raw_read_unlock+0x22/0x30
[   29.901553]  ? __get_fs_type+0x97/0xc0
[   29.905418]  do_mount+0x581/0x30e0
[   29.908934]  ? copy_mount_string+0x40/0x40
[   29.913150]  ? copy_mount_options+0x5f/0x380
[   29.917536]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.922528]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.927350]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   29.932865]  ? _copy_from_user+0xdf/0x150
[   29.936990]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.942504]  ? copy_mount_options+0x285/0x380
[   29.946978]  ksys_mount+0x12d/0x140
[   29.950581]  __x64_sys_mount+0xbe/0x150
[   29.954536]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.959533]  do_syscall_64+0x1b9/0x820
[   29.963405]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.968310]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.973219]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.978561]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.983380]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.988546] RIP: 0033:0x440109
[   29.991708] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   30.010822] RSP: 002b:00007ffc488c2e58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.018522] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440109
[   30.025784] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[   30.033030] RBP: 0030656c69662f2e R08: 0000000020000380 R09: 00000000004002c8
[   30.040278] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   30.047523] R13: 0000000000401a20 R14: 0000000000000000 R15: 0000000000000000
[   30.055251] Dumping ftrace buffer:
[   30.058765]    (ftrace buffer empty)
[   30.062451] Kernel Offset: disabled
[   30.066055] Rebooting in 86400 seconds..