[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.865732] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.532653] random: sshd: uninitialized urandom read (32 bytes read)
[   23.864167] random: sshd: uninitialized urandom read (32 bytes read)
[   24.729928] random: sshd: uninitialized urandom read (32 bytes read)
[   24.888772] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
[   30.356821] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   30.455681] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   30.482351] ==================================================================
[   30.489821] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   30.496238] Read of size 27306 at addr ffff8801b32384ad by task syz-executor009/4539
[   30.504108] 
[   30.505751] CPU: 0 PID: 4539 Comm: syz-executor009 Not tainted 4.18.0-rc4+ #144
[   30.513186] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.522531] Call Trace:
[   30.525111]  dump_stack+0x1c9/0x2b4
[   30.528737]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.533915]  ? printk+0xa7/0xcf
[   30.537184]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.541928]  ? pdu_read+0x90/0xd0
[   30.545365]  print_address_description+0x6c/0x20b
[   30.550195]  ? pdu_read+0x90/0xd0
[   30.553634]  kasan_report.cold.7+0x242/0x2fe
[   30.558045]  check_memory_region+0x13e/0x1b0
[   30.562462]  memcpy+0x23/0x50
[   30.565568]  pdu_read+0x90/0xd0
[   30.568838]  p9pdu_readf+0x579/0x2170
[   30.572628]  ? p9pdu_writef+0xe0/0xe0
[   30.576416]  ? __fget+0x414/0x670
[   30.579855]  ? rcu_is_watching+0x61/0x150
[   30.584009]  ? expand_files.part.8+0x9c0/0x9c0
[   30.588590]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.593603]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.598928]  p9_client_create+0xde0/0x16c9
[   30.603160]  ? p9_client_read+0xc60/0xc60
[   30.607294]  ? find_held_lock+0x36/0x1c0
[   30.611349]  ? __lockdep_init_map+0x105/0x590
[   30.615836]  ? kasan_check_write+0x14/0x20
[   30.620078]  ? __init_rwsem+0x1cc/0x2a0
[   30.624044]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.629053]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.634057]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.638895]  ? save_stack+0xa9/0xd0
[   30.642514]  ? save_stack+0x43/0xd0
[   30.646134]  ? kasan_kmalloc+0xc4/0xe0
[   30.650008]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.654857]  ? memcpy+0x45/0x50
[   30.658134]  v9fs_session_init+0x21a/0x1a80
[   30.662440]  ? find_held_lock+0x36/0x1c0
[   30.666493]  ? v9fs_show_options+0x7e0/0x7e0
[   30.670896]  ? kasan_check_read+0x11/0x20
[   30.675039]  ? rcu_is_watching+0x8c/0x150
[   30.679171]  ? rcu_pm_notify+0xc0/0xc0
[   30.683050]  ? v9fs_mount+0x61/0x900
[   30.686751]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.691765]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.696606]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.702139]  v9fs_mount+0x7c/0x900
[   30.705677]  mount_fs+0xae/0x328
[   30.709040]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.713606]  ? may_umount+0xb0/0xb0
[   30.717220]  ? _raw_read_unlock+0x22/0x30
[   30.721367]  ? __get_fs_type+0x97/0xc0
[   30.725248]  do_mount+0x581/0x30e0
[   30.728791]  ? copy_mount_string+0x40/0x40
[   30.733022]  ? copy_mount_options+0x5f/0x380
[   30.737421]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.742426]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.747270]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.752800]  ? _copy_from_user+0xdf/0x150
[   30.756937]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.762463]  ? copy_mount_options+0x285/0x380
[   30.766947]  ksys_mount+0x12d/0x140
[   30.770569]  __x64_sys_mount+0xbe/0x150
[   30.774530]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.779545]  do_syscall_64+0x1b9/0x820
[   30.783423]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.788352]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.793283]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.798827]  ? retint_user+0x18/0x18
[   30.802536]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.807376]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.812551] RIP: 0033:0x440959
[   30.815723] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   30.834998] RSP: 002b:00007ffd5a046ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.842708] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.849966] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.857222] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.864913] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000076f5
[   30.872607] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.879869] 
[   30.881480] Allocated by task 4539:
[   30.885186]  save_stack+0x43/0xd0
[   30.888626]  kasan_kmalloc+0xc4/0xe0
[   30.892330]  __kmalloc+0x14e/0x760
[   30.896063]  p9_fcall_alloc+0x1e/0x90
[   30.899876]  p9_client_prepare_req.part.8+0x754/0xcd0
[   30.905066]  p9_client_rpc+0x1bd/0x1400
[   30.909041]  p9_client_create+0xd09/0x16c9
[   30.913271]  v9fs_session_init+0x21a/0x1a80
[   30.917582]  v9fs_mount+0x7c/0x900
[   30.921105]  mount_fs+0xae/0x328
[   30.924455]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.929032]  do_mount+0x581/0x30e0
[   30.932556]  ksys_mount+0x12d/0x140
[   30.936164]  __x64_sys_mount+0xbe/0x150
[   30.940128]  do_syscall_64+0x1b9/0x820
[   30.944006]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.949186] 
[   30.950796] Freed by task 0:
[   30.953792] (stack is not available)
[   30.957482] 
[   30.959093] The buggy address belongs to the object at ffff8801b3238480
[   30.959093]  which belongs to the cache kmalloc-16384 of size 16384
[   30.972288] The buggy address is located 45 bytes inside of
[   30.972288]  16384-byte region [ffff8801b3238480, ffff8801b323c480)
[   30.984326] The buggy address belongs to the page:
[   30.989460] page:ffffea0006cc8e00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   30.999427] flags: 0x2fffc0000008100(slab|head)
[   31.004088] raw: 02fffc0000008100 ffffea0007399808 ffff8801da801c48 ffff8801da802200
[   31.011966] raw: 0000000000000000 ffff8801b3238480 0000000100000001 0000000000000000
[   31.019835] page dumped because: kasan: bad access detected
[   31.025532] 
[   31.027157] Memory state around the buggy address:
[   31.032521]  ffff8801b323a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.039879]  ffff8801b323a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.047229] >ffff8801b323a480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   31.054681]                                ^
[   31.059085]  ffff8801b323a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.066431]  ffff8801b323a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.073771] ==================================================================
[   31.081122] Disabling lock debugging due to kernel taint
[   31.086693] Kernel panic - not syncing: panic_on_warn set ...
[   31.086693] 
[   31.094075] CPU: 0 PID: 4539 Comm: syz-executor009 Tainted: G    B             4.18.0-rc4+ #144
[   31.102993] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.112340] Call Trace:
[   31.114919]  dump_stack+0x1c9/0x2b4
[   31.118530]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.123715]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.128472]  panic+0x238/0x4e7
[   31.131660]  ? add_taint.cold.5+0x16/0x16
[   31.135790]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.140191]  ? pdu_read+0x90/0xd0
[   31.143625]  kasan_end_report+0x47/0x4f
[   31.147596]  kasan_report.cold.7+0x76/0x2fe
[   31.151900]  check_memory_region+0x13e/0x1b0
[   31.156300]  memcpy+0x23/0x50
[   31.159394]  pdu_read+0x90/0xd0
[   31.162664]  p9pdu_readf+0x579/0x2170
[   31.166451]  ? p9pdu_writef+0xe0/0xe0
[   31.170236]  ? __fget+0x414/0x670
[   31.173677]  ? rcu_is_watching+0x61/0x150
[   31.177821]  ? expand_files.part.8+0x9c0/0x9c0
[   31.182402]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.187417]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.191905]  p9_client_create+0xde0/0x16c9
[   31.196145]  ? p9_client_read+0xc60/0xc60
[   31.200278]  ? find_held_lock+0x36/0x1c0
[   31.204333]  ? __lockdep_init_map+0x105/0x590
[   31.208830]  ? kasan_check_write+0x14/0x20
[   31.213058]  ? __init_rwsem+0x1cc/0x2a0
[   31.217045]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   31.222059]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.227066]  ? __kmalloc_track_caller+0x5f5/0x760
[   31.231898]  ? save_stack+0xa9/0xd0
[   31.235514]  ? save_stack+0x43/0xd0
[   31.239143]  ? kasan_kmalloc+0xc4/0xe0
[   31.243027]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.247864]  ? memcpy+0x45/0x50
[   31.251135]  v9fs_session_init+0x21a/0x1a80
[   31.255444]  ? find_held_lock+0x36/0x1c0
[   31.259503]  ? v9fs_show_options+0x7e0/0x7e0
[   31.263906]  ? kasan_check_read+0x11/0x20
[   31.268044]  ? rcu_is_watching+0x8c/0x150
[   31.272190]  ? rcu_pm_notify+0xc0/0xc0
[   31.276070]  ? v9fs_mount+0x61/0x900
[   31.279774]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.284781]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.289616]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.295156]  v9fs_mount+0x7c/0x900
[   31.298719]  mount_fs+0xae/0x328
[   31.302076]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.306670]  ? may_umount+0xb0/0xb0
[   31.310293]  ? _raw_read_unlock+0x22/0x30
[   31.314433]  ? __get_fs_type+0x97/0xc0
[   31.318313]  do_mount+0x581/0x30e0
[   31.321979]  ? copy_mount_string+0x40/0x40
[   31.326225]  ? copy_mount_options+0x5f/0x380
[   31.330663]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.335676]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.340511]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.346054]  ? _copy_from_user+0xdf/0x150
[   31.350216]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.355759]  ? copy_mount_options+0x285/0x380
[   31.360266]  ksys_mount+0x12d/0x140
[   31.363895]  __x64_sys_mount+0xbe/0x150
[   31.367854]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.372879]  do_syscall_64+0x1b9/0x820
[   31.376893]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.381817]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.386745]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.392276]  ? retint_user+0x18/0x18
[   31.395995]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.400855]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.406042] RIP: 0033:0x440959
[   31.409317] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   31.428452] RSP: 002b:00007ffd5a046ec8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   31.436174] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   31.443468] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.450737] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   31.458014] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000076f5
[   31.465379] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   31.473340] Dumping ftrace buffer:
[   31.476869]    (ftrace buffer empty)
[   31.480571] Kernel Offset: disabled
[   31.484213] Rebooting in 86400 seconds..