[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 17.074774] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.720474] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.917680] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.653545] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.024087] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.202' (ECDSA) to the list of known hosts.
[ 44.461401] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.553424] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 45.037460] ==================================================================
[ 45.044859] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 45.051011] Read of size 40727 at addr ffff8801b43909ad by task syz-executor146/4503
[ 45.058875]
[ 45.061099] CPU: 1 PID: 4503 Comm: syz-executor146 Not tainted 4.18.0-rc5-next-20180720+ #12
[ 45.069655] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.078999] Call Trace:
[ 45.081583]  dump_stack+0x1c9/0x2b4
[ 45.085193]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 45.090369]  ? printk+0xa7/0xcf
[ 45.093638]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 45.098377]  ? pdu_read+0x90/0xd0
[ 45.101819]  print_address_description+0x6c/0x20b
[ 45.106651]  ? pdu_read+0x90/0xd0
[ 45.110090]  kasan_report.cold.7+0x242/0x30d
[ 45.114489]  check_memory_region+0x13e/0x1b0
[ 45.118880]  memcpy+0x23/0x50
[ 45.121966]  pdu_read+0x90/0xd0
[ 45.125232]  p9pdu_readf+0x579/0x2170
[ 45.129013]  ? p9pdu_writef+0xe0/0xe0
[ 45.132802]  ? ksys_dup3+0x690/0x690
[ 45.136519]  ? check_same_owner+0x340/0x340
[ 45.140830]  ? p9_fd_poll+0x2b0/0x2b0
[ 45.144612]  ? finish_wait+0x430/0x430
[ 45.148487]  ? p9_fd_show_options+0x1c0/0x1c0
[ 45.152966]  p9_client_create+0x6d0/0x1537
[ 45.157191]  ? p9_client_read+0xbb0/0xbb0
[ 45.161317]  ? lock_acquire+0x1e4/0x540
[ 45.165273]  ? fs_reclaim_acquire+0x20/0x20
[ 45.169573]  ? lock_release+0xa30/0xa30
[ 45.173552]  ? __lockdep_init_map+0x105/0x590
[ 45.178032]  ? kasan_check_write+0x14/0x20
[ 45.182245]  ? __init_rwsem+0x1cc/0x2a0
[ 45.186197]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 45.191195]  ? __kmalloc_track_caller+0x311/0x760
[ 45.196014]  ? save_stack+0xa9/0xd0
[ 45.199618]  ? save_stack+0x43/0xd0
[ 45.203396]  ? kasan_kmalloc+0xc4/0xe0
[ 45.207277]  ? memcpy+0x45/0x50
[ 45.210556]  v9fs_session_init+0x21a/0x1a80
[ 45.214918]  ? rcu_note_context_switch+0x730/0x730
[ 45.219842]  ? legacy_parse_monolithic+0xde/0x1e0
[ 45.224687]  ? v9fs_show_options+0x7e0/0x7e0
[ 45.229096]  ? lock_release+0xa30/0xa30
[ 45.233073]  ? check_same_owner+0x340/0x340
[ 45.237390]  ? lock_downgrade+0x8f0/0x8f0
[ 45.241554]  ? kasan_unpoison_shadow+0x35/0x50
[ 45.246151]  ? kasan_kmalloc+0xc4/0xe0
[ 45.250037]  ? kmem_cache_alloc_trace+0x318/0x780
[ 45.254898]  ? kasan_unpoison_shadow+0x35/0x50
[ 45.259485]  ? kasan_kmalloc+0xc4/0xe0
[ 45.263385]  v9fs_mount+0x7c/0x900
[ 45.266929]  ? v9fs_drop_inode+0x150/0x150
[ 45.271156]  legacy_get_tree+0x131/0x460
[ 45.275221]  vfs_get_tree+0x1cb/0x5c0
[ 45.279015]  do_mount+0x6f2/0x1e20
[ 45.282545]  ? check_same_owner+0x340/0x340
[ 45.286855]  ? lock_release+0xa30/0xa30
[ 45.290912]  ? copy_mount_string+0x40/0x40
[ 45.295144]  ? kasan_kmalloc+0xc4/0xe0
[ 45.299022]  ? kmem_cache_alloc_trace+0x318/0x780
[ 45.303871]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 45.309594]  ? _copy_from_user+0xdf/0x150
[ 45.313745]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.319280]  ? copy_mount_options+0x285/0x380
[ 45.323791]  ksys_mount+0x12d/0x140
[ 45.327415]  __x64_sys_mount+0xbe/0x150
[ 45.331395]  do_syscall_64+0x1b9/0x820
[ 45.335281]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 45.340203]  ? syscall_return_slowpath+0x31d/0x5e0
[ 45.345129]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 45.350140]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.355672]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 45.360703]  ? perf_trace_sys_enter+0xb10/0xb10
[ 45.365371]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.370214]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.375407] RIP: 0033:0x446a19
[ 45.378594] Code: e8 ac bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 45.397753] RSP: 002b:00007fd6e580cda8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 45.405456] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a19
[ 45.412722] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 45.419985] RBP: 00000000006e29e4 R08: 00000000200001c0 R09: 0000000000000000
[ 45.427254] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006e29e0
[ 45.434543] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[ 45.441803]
[ 45.443422] Allocated by task 4503:
[ 45.447045]  save_stack+0x43/0xd0
[ 45.450498]  kasan_kmalloc+0xc4/0xe0
[ 45.454214]  __kmalloc+0x14e/0x760
[ 45.457750]  p9_fcall_alloc+0x1e/0x90
[ 45.461552]  p9_client_prepare_req.part.8+0x132/0xa00
[ 45.466826]  p9_client_rpc+0x242/0x1330
[ 45.470802]  p9_client_create+0xca4/0x1537
[ 45.475028]  v9fs_session_init+0x21a/0x1a80
[ 45.479355]  v9fs_mount+0x7c/0x900
[ 45.482912]  legacy_get_tree+0x131/0x460
[ 45.486978]  vfs_get_tree+0x1cb/0x5c0
[ 45.490777]  do_mount+0x6f2/0x1e20
[ 45.494298]  ksys_mount+0x12d/0x140
[ 45.497913]  __x64_sys_mount+0xbe/0x150
[ 45.501889]  do_syscall_64+0x1b9/0x820
[ 45.505758]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.510920]
[ 45.512525] Freed by task 0:
[ 45.515520] (stack is not available)
[ 45.519208]
[ 45.520823] The buggy address belongs to the object at ffff8801b4390980
[ 45.520823]  which belongs to the cache kmalloc-16384 of size 16384
[ 45.533821] The buggy address is located 45 bytes inside of
[ 45.533821]  16384-byte region [ffff8801b4390980, ffff8801b4394980)
[ 45.545778] The buggy address belongs to the page:
[ 45.550703] page:ffffea0006d0e400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 45.560664] flags: 0x2fffc0000010200(slab|head)
[ 45.565442] raw: 02fffc0000010200 ffffea0006d42c08 ffff8801da801c48 ffff8801da802200
[ 45.573340] raw: 0000000000000000 ffff8801b4390980 0000000100000001 0000000000000000
[ 45.581231] page dumped because: kasan: bad access detected
[ 45.586927]
[ 45.588545] Memory state around the buggy address:
[ 45.593474]  ffff8801b4392880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.600833]  ffff8801b4392900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.608192] >ffff8801b4392980: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.615540]                                ^
[ 45.619948]  ffff8801b4392a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.627296]  ffff8801b4392a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.634638] ==================================================================
[ 45.642194] Kernel panic - not syncing: panic_on_warn set ...
[ 45.642194]
[ 45.649564] CPU: 1 PID: 4503 Comm: syz-executor146 Tainted: G B 4.18.0-rc5-next-20180720+ #12
[ 45.659521] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.668874] Call Trace:
[ 45.671465]  dump_stack+0x1c9/0x2b4
[ 45.675096]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 45.680306]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 45.685062]  panic+0x238/0x4e7
[ 45.688258]  ? add_taint.cold.5+0x16/0x16
[ 45.692412]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 45.696829]  ? pdu_read+0x90/0xd0
[ 45.700286]  kasan_end_report+0x47/0x4f
[ 45.704259]  kasan_report.cold.7+0x76/0x30d
[ 45.708592]  check_memory_region+0x13e/0x1b0
[ 45.713026]  memcpy+0x23/0x50
[ 45.716151]  pdu_read+0x90/0xd0
[ 45.719435]  p9pdu_readf+0x579/0x2170
[ 45.723237]  ? p9pdu_writef+0xe0/0xe0
[ 45.727032]  ? ksys_dup3+0x690/0x690
[ 45.730863]  ? check_same_owner+0x340/0x340
[ 45.735182]  ? p9_fd_poll+0x2b0/0x2b0
[ 45.739000]  ? finish_wait+0x430/0x430
[ 45.742887]  ? p9_fd_show_options+0x1c0/0x1c0
[ 45.747393]  p9_client_create+0x6d0/0x1537
[ 45.751644]  ? p9_client_read+0xbb0/0xbb0
[ 45.755811]  ? lock_acquire+0x1e4/0x540
[ 45.759799]  ? fs_reclaim_acquire+0x20/0x20
[ 45.764128]  ? lock_release+0xa30/0xa30
[ 45.768101]  ? __lockdep_init_map+0x105/0x590
[ 45.772605]  ? kasan_check_write+0x14/0x20
[ 45.776848]  ? __init_rwsem+0x1cc/0x2a0
[ 45.780818]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 45.785841]  ? __kmalloc_track_caller+0x311/0x760
[ 45.790696]  ? save_stack+0xa9/0xd0
[ 45.794316]  ? save_stack+0x43/0xd0
[ 45.797937]  ? kasan_kmalloc+0xc4/0xe0
[ 45.801826]  ? memcpy+0x45/0x50
[ 45.805103]  v9fs_session_init+0x21a/0x1a80
[ 45.809508]  ? rcu_note_context_switch+0x730/0x730
[ 45.814643]  ? legacy_parse_monolithic+0xde/0x1e0
[ 45.819477]  ? v9fs_show_options+0x7e0/0x7e0
[ 45.823890]  ? lock_release+0xa30/0xa30
[ 45.827866]  ? check_same_owner+0x340/0x340
[ 45.832289]  ? lock_downgrade+0x8f0/0x8f0
[ 45.836434]  ? kasan_unpoison_shadow+0x35/0x50
[ 45.841010]  ? kasan_kmalloc+0xc4/0xe0
[ 45.844892]  ? kmem_cache_alloc_trace+0x318/0x780
[ 45.849726]  ? kasan_unpoison_shadow+0x35/0x50
[ 45.854301]  ? kasan_kmalloc+0xc4/0xe0
[ 45.858191]  v9fs_mount+0x7c/0x900
[ 45.861736]  ? v9fs_drop_inode+0x150/0x150
[ 45.865984]  legacy_get_tree+0x131/0x460
[ 45.870043]  vfs_get_tree+0x1cb/0x5c0
[ 45.873844]  do_mount+0x6f2/0x1e20
[ 45.877390]  ? check_same_owner+0x340/0x340
[ 45.881727]  ? lock_release+0xa30/0xa30
[ 45.885715]  ? copy_mount_string+0x40/0x40
[ 45.889943]  ? kasan_kmalloc+0xc4/0xe0
[ 45.893831]  ? kmem_cache_alloc_trace+0x318/0x780
[ 45.898681]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 45.904217]  ? _copy_from_user+0xdf/0x150
[ 45.908379]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.913928]  ? copy_mount_options+0x285/0x380
[ 45.918855]  ksys_mount+0x12d/0x140
[ 45.922487]  __x64_sys_mount+0xbe/0x150
[ 45.926471]  do_syscall_64+0x1b9/0x820
[ 45.930373]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 45.935311]  ? syscall_return_slowpath+0x31d/0x5e0
[ 45.940530]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 45.945555]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.951094]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 45.956114]  ? perf_trace_sys_enter+0xb10/0xb10
[ 45.960801]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.965654]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.970838] RIP: 0033:0x446a19
[ 45.974029] Code: e8 ac bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 45.993182] RSP: 002b:00007fd6e580cda8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 46.000903] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a19
[ 46.008185] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 46.015451] RBP: 00000000006e29e4 R08: 00000000200001c0 R09: 0000000000000000
[ 46.022729] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006e29e0
[ 46.029994] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[ 46.037696] Dumping ftrace buffer:
[ 46.041223]    (ftrace buffer empty)
[ 46.044925] Kernel Offset: disabled
[ 46.048552] Rebooting in 86400 seconds..