[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 15.543378] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[ 15.803679] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.108574] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.929490] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.097584] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.546451] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
executing program
[ 22.691652] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 23.028564] ==================================================================
[ 23.035993] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 23.042168] Read of size 62705 at addr ffff8801b1e507ad by task syz-executor646/4475
[ 23.050026]
[ 23.051641] CPU: 1 PID: 4475 Comm: syz-executor646 Not tainted 4.18.0-rc5-next-20180720+ #12
[ 23.060202] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.069545] Call Trace:
[ 23.072119]  dump_stack+0x1c9/0x2b4
[ 23.075730]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 23.080903]  ? printk+0xa7/0xcf
[ 23.084165]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 23.088926]  ? pdu_read+0x90/0xd0
[ 23.092363]  print_address_description+0x6c/0x20b
[ 23.097184]  ? pdu_read+0x90/0xd0
[ 23.100619]  kasan_report.cold.7+0x242/0x30d
[ 23.105016]  check_memory_region+0x13e/0x1b0
[ 23.109411]  memcpy+0x23/0x50
[ 23.112497]  pdu_read+0x90/0xd0
[ 23.115758]  p9pdu_readf+0x579/0x2170
[ 23.119540]  ? p9pdu_writef+0xe0/0xe0
[ 23.123343]  ? ksys_dup3+0x690/0x690
[ 23.127048]  ? check_same_owner+0x340/0x340
[ 23.131349]  ? p9_fd_poll+0x2b0/0x2b0
[ 23.135131]  ? finish_wait+0x430/0x430
[ 23.139006]  ? p9_fd_show_options+0x1c0/0x1c0
[ 23.143490]  p9_client_create+0x6d0/0x1537
[ 23.147707]  ? p9_client_read+0xbb0/0xbb0
[ 23.151834]  ? lock_acquire+0x1e4/0x540
[ 23.155790]  ? fs_reclaim_acquire+0x20/0x20
[ 23.160093]  ? lock_release+0xa30/0xa30
[ 23.164051]  ? __lockdep_init_map+0x105/0x590
[ 23.168542]  ? kasan_check_write+0x14/0x20
[ 23.172755]  ? __init_rwsem+0x1cc/0x2a0
[ 23.176712]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 23.181718]  ? __kmalloc_track_caller+0x311/0x760
[ 23.186542]  ? save_stack+0xa9/0xd0
[ 23.190151]  ? save_stack+0x43/0xd0
[ 23.193767]  ? kasan_kmalloc+0xc4/0xe0
[ 23.197661]  ? memcpy+0x45/0x50
[ 23.200930]  v9fs_session_init+0x21a/0x1a80
[ 23.205242]  ? rcu_note_context_switch+0x730/0x730
[ 23.210152]  ? legacy_parse_monolithic+0xde/0x1e0
[ 23.214976]  ? v9fs_show_options+0x7e0/0x7e0
[ 23.219371]  ? lock_release+0xa30/0xa30
[ 23.223328]  ? lock_downgrade+0x8f0/0x8f0
[ 23.227456]  ? check_same_owner+0x340/0x340
[ 23.231758]  ? kasan_unpoison_shadow+0x35/0x50
[ 23.236322]  ? kasan_kmalloc+0xc4/0xe0
[ 23.240194]  ? kmem_cache_alloc_trace+0x318/0x780
[ 23.245021]  ? kasan_unpoison_shadow+0x35/0x50
[ 23.249589]  ? kasan_kmalloc+0xc4/0xe0
[ 23.253459]  v9fs_mount+0x7c/0x900
[ 23.256983]  ? v9fs_drop_inode+0x150/0x150
[ 23.261204]  legacy_get_tree+0x131/0x460
[ 23.265251]  vfs_get_tree+0x1cb/0x5c0
[ 23.269040]  do_mount+0x6f2/0x1e20
[ 23.272568]  ? copy_mount_string+0x40/0x40
[ 23.276793]  ? kasan_kmalloc+0xc4/0xe0
[ 23.280663]  ? kmem_cache_alloc_trace+0x318/0x780
[ 23.285489]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 23.291008]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 23.296539]  ? copy_mount_options+0x285/0x380
[ 23.301028]  ksys_mount+0x12d/0x140
[ 23.304645]  __x64_sys_mount+0xbe/0x150
[ 23.308606]  do_syscall_64+0x1b9/0x820
[ 23.312489]  ? finish_task_switch+0x1d3/0x870
[ 23.316967]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 23.321876]  ? syscall_return_slowpath+0x31d/0x5e0
[ 23.326787]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 23.331785]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 23.337306]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 23.342309]  ? perf_trace_sys_enter+0xb10/0xb10
[ 23.346961]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.351788]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 23.356955] RIP: 0033:0x446af9
[ 23.360122] Code: e8 ac bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 23.379271] RSP: 002b:00007f0afb2d7da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 23.386965] RAX: ffffffffffffffda RBX: 00000000006e29e4 RCX: 0000000000446af9
[ 23.394236] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 23.401485] RBP: 0000000000000000 R08: 00000000200001c0 R09: 0000000000000000
[ 23.408742] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006e29e0
[ 23.416004] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[ 23.423280]
[ 23.424914] Allocated by task 4475:
[ 23.428531]  save_stack+0x43/0xd0
[ 23.431966]  kasan_kmalloc+0xc4/0xe0
[ 23.435666]  __kmalloc+0x14e/0x760
[ 23.439202]  p9_fcall_alloc+0x1e/0x90
[ 23.442992]  p9_client_prepare_req.part.8+0x132/0xa00
[ 23.448177]  p9_client_rpc+0x242/0x1330
[ 23.452140]  p9_client_create+0xca4/0x1537
[ 23.456357]  v9fs_session_init+0x21a/0x1a80
[ 23.460658]  v9fs_mount+0x7c/0x900
[ 23.464177]  legacy_get_tree+0x131/0x460
[ 23.468230]  vfs_get_tree+0x1cb/0x5c0
[ 23.472014]  do_mount+0x6f2/0x1e20
[ 23.475543]  ksys_mount+0x12d/0x140
[ 23.479158]  __x64_sys_mount+0xbe/0x150
[ 23.483113]  do_syscall_64+0x1b9/0x820
[ 23.486982]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 23.492155]
[ 23.493770] Freed by task 0:
[ 23.496767] (stack is not available)
[ 23.500451]
[ 23.502060] The buggy address belongs to the object at ffff8801b1e50780
[ 23.502060]  which belongs to the cache kmalloc-16384 of size 16384
[ 23.515045] The buggy address is located 45 bytes inside of
[ 23.515045]  16384-byte region [ffff8801b1e50780, ffff8801b1e54780)
[ 23.526996] The buggy address belongs to the page:
[ 23.531912] page:ffffea0006c79400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 23.541860] flags: 0x2fffc0000010200(slab|head)
[ 23.546513] raw: 02fffc0000010200 ffffea0006c77008 ffff8801da801c48 ffff8801da802200
[ 23.554373] raw: 0000000000000000 ffff8801b1e50780 0000000100000001 0000000000000000
[ 23.562239] page dumped because: kasan: bad access detected
[ 23.567930]
[ 23.569534] Memory state around the buggy address:
[ 23.574442]  ffff8801b1e52680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.581782]  ffff8801b1e52700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.589121] >ffff8801b1e52780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.596455]                    ^
[ 23.600845]  ffff8801b1e52800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.608184]  ffff8801b1e52880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.615526] ==================================================================
[ 23.622933] Kernel panic - not syncing: panic_on_warn set ...
[ 23.622933]
[ 23.630301] CPU: 1 PID: 4475 Comm: syz-executor646 Tainted: G    B             4.18.0-rc5-next-20180720+ #12
[ 23.640248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.649596] Call Trace:
[ 23.652189]  dump_stack+0x1c9/0x2b4
[ 23.655809]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 23.660993]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 23.665736]  panic+0x238/0x4e7
[ 23.668923]  ? add_taint.cold.5+0x16/0x16
[ 23.673058]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 23.677447]  ? pdu_read+0x90/0xd0
[ 23.680880]  kasan_end_report+0x47/0x4f
[ 23.684835]  kasan_report.cold.7+0x76/0x30d
[ 23.689137]  check_memory_region+0x13e/0x1b0
[ 23.693524]  memcpy+0x23/0x50
[ 23.696611]  pdu_read+0x90/0xd0
[ 23.699873]  p9pdu_readf+0x579/0x2170
[ 23.703653]  ? p9pdu_writef+0xe0/0xe0
[ 23.707435]  ? ksys_dup3+0x690/0x690
[ 23.711130]  ? check_same_owner+0x340/0x340
[ 23.715452]  ? p9_fd_poll+0x2b0/0x2b0
[ 23.719245]  ? finish_wait+0x430/0x430
[ 23.723125]  ? p9_fd_show_options+0x1c0/0x1c0
[ 23.727614]  p9_client_create+0x6d0/0x1537
[ 23.731832]  ? p9_client_read+0xbb0/0xbb0
[ 23.735961]  ? lock_acquire+0x1e4/0x540
[ 23.739917]  ? fs_reclaim_acquire+0x20/0x20
[ 23.744223]  ? lock_release+0xa30/0xa30
[ 23.748188]  ? __lockdep_init_map+0x105/0x590
[ 23.752670]  ? kasan_check_write+0x14/0x20
[ 23.756916]  ? __init_rwsem+0x1cc/0x2a0
[ 23.760869]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 23.765869]  ? __kmalloc_track_caller+0x311/0x760
[ 23.770691]  ? save_stack+0xa9/0xd0
[ 23.774296]  ? save_stack+0x43/0xd0
[ 23.777898]  ? kasan_kmalloc+0xc4/0xe0
[ 23.781765]  ? memcpy+0x45/0x50
[ 23.785034]  v9fs_session_init+0x21a/0x1a80
[ 23.789344]  ? rcu_note_context_switch+0x730/0x730
[ 23.794258]  ? legacy_parse_monolithic+0xde/0x1e0
[ 23.799096]  ? v9fs_show_options+0x7e0/0x7e0
[ 23.803489]  ? lock_release+0xa30/0xa30
[ 23.807443]  ? lock_downgrade+0x8f0/0x8f0
[ 23.811574]  ? check_same_owner+0x340/0x340
[ 23.815875]  ? kasan_unpoison_shadow+0x35/0x50
[ 23.820440]  ? kasan_kmalloc+0xc4/0xe0
[ 23.824311]  ? kmem_cache_alloc_trace+0x318/0x780
[ 23.829132]  ? kasan_unpoison_shadow+0x35/0x50
[ 23.833692]  ? kasan_kmalloc+0xc4/0xe0
[ 23.837562]  v9fs_mount+0x7c/0x900
[ 23.841097]  ? v9fs_drop_inode+0x150/0x150
[ 23.845331]  legacy_get_tree+0x131/0x460
[ 23.849389]  vfs_get_tree+0x1cb/0x5c0
[ 23.853172]  do_mount+0x6f2/0x1e20
[ 23.856694]  ? copy_mount_string+0x40/0x40
[ 23.860910]  ? kasan_kmalloc+0xc4/0xe0
[ 23.864777]  ? kmem_cache_alloc_trace+0x318/0x780
[ 23.869605]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 23.875134]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 23.880650]  ? copy_mount_options+0x285/0x380
[ 23.885129]  ksys_mount+0x12d/0x140
[ 23.888737]  __x64_sys_mount+0xbe/0x150
[ 23.892699]  do_syscall_64+0x1b9/0x820
[ 23.896572]  ? finish_task_switch+0x1d3/0x870
[ 23.901054]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 23.905964]  ? syscall_return_slowpath+0x31d/0x5e0
[ 23.910882]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 23.915881]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 23.921401]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 23.926399]  ? perf_trace_sys_enter+0xb10/0xb10
[ 23.931052]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 23.935877]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 23.941049] RIP: 0033:0x446af9
[ 23.944216] Code: e8 ac bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 23.963349] RSP: 002b:00007f0afb2d7da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 23.971041] RAX: ffffffffffffffda RBX: 00000000006e29e4 RCX: 0000000000446af9
[ 23.978299] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 23.985549] RBP: 0000000000000000 R08: 00000000200001c0 R09: 0000000000000000
[ 23.992808] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006e29e0
[ 24.000061] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[ 24.007817] Dumping ftrace buffer:
[ 24.011335]    (ftrace buffer empty)
[ 24.015023] Kernel Offset: disabled
[ 24.018631] Rebooting in 86400 seconds..