[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.449369] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.991548] random: sshd: uninitialized urandom read (32 bytes read)
[   24.234879] random: sshd: uninitialized urandom read (32 bytes read)
[   25.075768] random: sshd: uninitialized urandom read (32 bytes read)
[   25.235250] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   30.692910] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   30.790687] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   30.828514] ==================================================================
[   30.836070] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   30.842213] Read of size 15519 at addr ffff8801c68d066d by task syz-executor155/4572
[   30.850086] 
[   30.851705] CPU: 0 PID: 4572 Comm: syz-executor155 Not tainted 4.18.0-rc4+ #138
[   30.859144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.868483] Call Trace:
[   30.871078]  dump_stack+0x1c9/0x2b4
[   30.874709]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.879903]  ? printk+0xa7/0xcf
[   30.883211]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.887976]  ? pdu_read+0x90/0xd0
[   30.891425]  print_address_description+0x6c/0x20b
[   30.896260]  ? pdu_read+0x90/0xd0
[   30.899698]  kasan_report.cold.7+0x242/0x2fe
[   30.904096]  check_memory_region+0x13e/0x1b0
[   30.908492]  memcpy+0x23/0x50
[   30.911591]  pdu_read+0x90/0xd0
[   30.914869]  p9pdu_readf+0x579/0x2170
[   30.918660]  ? p9pdu_writef+0xe0/0xe0
[   30.922446]  ? __fget+0x414/0x670
[   30.925890]  ? rcu_is_watching+0x61/0x150
[   30.930031]  ? expand_files.part.8+0x9c0/0x9c0
[   30.934630]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.939657]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.944145]  p9_client_create+0xde0/0x16c9
[   30.948373]  ? p9_client_read+0xc60/0xc60
[   30.952522]  ? find_held_lock+0x36/0x1c0
[   30.956587]  ? __lockdep_init_map+0x105/0x590
[   30.961078]  ? kasan_check_write+0x14/0x20
[   30.965300]  ? __init_rwsem+0x1cc/0x2a0
[   30.969263]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.974267]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.979268]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.984095]  ? save_stack+0xa9/0xd0
[   30.987706]  ? save_stack+0x43/0xd0
[   30.991313]  ? kasan_kmalloc+0xc4/0xe0
[   30.995182]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.000021]  ? memcpy+0x45/0x50
[   31.003303]  v9fs_session_init+0x21a/0x1a80
[   31.007620]  ? find_held_lock+0x36/0x1c0
[   31.011671]  ? v9fs_show_options+0x7e0/0x7e0
[   31.016073]  ? kasan_check_read+0x11/0x20
[   31.020207]  ? rcu_is_watching+0x8c/0x150
[   31.024341]  ? rcu_pm_notify+0xc0/0xc0
[   31.028217]  ? v9fs_mount+0x61/0x900
[   31.031928]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.036950]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.041788]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.047314]  v9fs_mount+0x7c/0x900
[   31.050939]  mount_fs+0xae/0x328
[   31.054296]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.058863]  ? may_umount+0xb0/0xb0
[   31.062499]  ? _raw_read_unlock+0x22/0x30
[   31.066636]  ? __get_fs_type+0x97/0xc0
[   31.070523]  do_mount+0x581/0x30e0
[   31.074071]  ? copy_mount_string+0x40/0x40
[   31.078299]  ? copy_mount_options+0x5f/0x380
[   31.082696]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.087699]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.092549]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.098090]  ? _copy_from_user+0xdf/0x150
[   31.102250]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.107782]  ? copy_mount_options+0x285/0x380
[   31.112288]  ksys_mount+0x12d/0x140
[   31.115917]  __x64_sys_mount+0xbe/0x150
[   31.119890]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.124898]  do_syscall_64+0x1b9/0x820
[   31.128785]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.133704]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.138627]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.144157]  ? retint_user+0x18/0x18
[   31.147860]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.155733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.160911] RIP: 0033:0x440979
[   31.164080] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   31.183270] RSP: 002b:00007ffeb932e288 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   31.190969] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   31.198226] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.205495] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   31.212752] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007864
[   31.220013] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   31.227301] 
[   31.228920] Allocated by task 4572:
[   31.232539]  save_stack+0x43/0xd0
[   31.235977]  kasan_kmalloc+0xc4/0xe0
[   31.239697]  __kmalloc+0x14e/0x760
[   31.243229]  p9_fcall_alloc+0x1e/0x90
[   31.247019]  p9_client_prepare_req.part.8+0x754/0xcd0
[   31.252203]  p9_client_rpc+0x1bd/0x1400
[   31.256160]  p9_client_create+0xd09/0x16c9
[   31.260383]  v9fs_session_init+0x21a/0x1a80
[   31.264687]  v9fs_mount+0x7c/0x900
[   31.268220]  mount_fs+0xae/0x328
[   31.271592]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.276158]  do_mount+0x581/0x30e0
[   31.279679]  ksys_mount+0x12d/0x140
[   31.283301]  __x64_sys_mount+0xbe/0x150
[   31.287262]  do_syscall_64+0x1b9/0x820
[   31.291139]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.296309] 
[   31.297926] Freed by task 0:
[   31.300924] (stack is not available)
[   31.304626] 
[   31.306258] The buggy address belongs to the object at ffff8801c68d0640
[   31.306258]  which belongs to the cache kmalloc-16384 of size 16384
[   31.319261] The buggy address is located 45 bytes inside of
[   31.319261]  16384-byte region [ffff8801c68d0640, ffff8801c68d4640)
[   31.331208] The buggy address belongs to the page:
[   31.336139] page:ffffea00071a3400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   31.346104] flags: 0x2fffc0000008100(slab|head)
[   31.350771] raw: 02fffc0000008100 ffffea0006c05a08 ffffea00074f5e08 ffff8801da802200
[   31.358642] raw: 0000000000000000 ffff8801c68d0640 0000000100000001 0000000000000000
[   31.366503] page dumped because: kasan: bad access detected
[   31.372207] 
[   31.373823] Memory state around the buggy address:
[   31.378752]  ffff8801c68d2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.386116]  ffff8801c68d2580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.393475] >ffff8801c68d2600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   31.400815]                                                        ^
[   31.407293]  ffff8801c68d2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.414639]  ffff8801c68d2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.421990] ==================================================================
[   31.429336] Disabling lock debugging due to kernel taint
[   31.434893] Kernel panic - not syncing: panic_on_warn set ...
[   31.434893] 
[   31.442274] CPU: 0 PID: 4572 Comm: syz-executor155 Tainted: G    B             4.18.0-rc4+ #138
[   31.451128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.460479] Call Trace:
[   31.463068]  dump_stack+0x1c9/0x2b4
[   31.466682]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.471863]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.476610]  panic+0x238/0x4e7
[   31.479793]  ? add_taint.cold.5+0x16/0x16
[   31.483931]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.488339]  ? pdu_read+0x90/0xd0
[   31.491796]  kasan_end_report+0x47/0x4f
[   31.495752]  kasan_report.cold.7+0x76/0x2fe
[   31.500065]  check_memory_region+0x13e/0x1b0
[   31.504460]  memcpy+0x23/0x50
[   31.507641]  pdu_read+0x90/0xd0
[   31.510905]  p9pdu_readf+0x579/0x2170
[   31.514696]  ? p9pdu_writef+0xe0/0xe0
[   31.518492]  ? __fget+0x414/0x670
[   31.521929]  ? rcu_is_watching+0x61/0x150
[   31.526060]  ? expand_files.part.8+0x9c0/0x9c0
[   31.530640]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.535653]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.540145]  p9_client_create+0xde0/0x16c9
[   31.544378]  ? p9_client_read+0xc60/0xc60
[   31.548537]  ? find_held_lock+0x36/0x1c0
[   31.552600]  ? __lockdep_init_map+0x105/0x590
[   31.557085]  ? kasan_check_write+0x14/0x20
[   31.561301]  ? __init_rwsem+0x1cc/0x2a0
[   31.565260]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   31.570260]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.575271]  ? __kmalloc_track_caller+0x5f5/0x760
[   31.580103]  ? save_stack+0xa9/0xd0
[   31.583715]  ? save_stack+0x43/0xd0
[   31.587340]  ? kasan_kmalloc+0xc4/0xe0
[   31.591212]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.596043]  ? memcpy+0x45/0x50
[   31.599310]  v9fs_session_init+0x21a/0x1a80
[   31.603617]  ? find_held_lock+0x36/0x1c0
[   31.607676]  ? v9fs_show_options+0x7e0/0x7e0
[   31.612080]  ? kasan_check_read+0x11/0x20
[   31.616214]  ? rcu_is_watching+0x8c/0x150
[   31.620346]  ? rcu_pm_notify+0xc0/0xc0
[   31.624227]  ? v9fs_mount+0x61/0x900
[   31.627926]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.632938]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.637775]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.643301]  v9fs_mount+0x7c/0x900
[   31.646852]  mount_fs+0xae/0x328
[   31.650208]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.654773]  ? may_umount+0xb0/0xb0
[   31.658383]  ? _raw_read_unlock+0x22/0x30
[   31.662515]  ? __get_fs_type+0x97/0xc0
[   31.666388]  do_mount+0x581/0x30e0
[   31.669913]  ? copy_mount_string+0x40/0x40
[   31.674134]  ? copy_mount_options+0x5f/0x380
[   31.678528]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.683545]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.688375]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.693914]  ? _copy_from_user+0xdf/0x150
[   31.698051]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.703574]  ? copy_mount_options+0x285/0x380
[   31.708056]  ksys_mount+0x12d/0x140
[   31.711674]  __x64_sys_mount+0xbe/0x150
[   31.715635]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.720640]  do_syscall_64+0x1b9/0x820
[   31.724525]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.729444]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.734372]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.739898]  ? retint_user+0x18/0x18
[   31.743596]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.748426]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.753612] RIP: 0033:0x440979
[   31.756799] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   31.775934] RSP: 002b:00007ffeb932e288 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   31.783646] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   31.790924] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.798187] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   31.805453] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007864
[   31.812722] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   31.820484] Dumping ftrace buffer:
[   31.824035]    (ftrace buffer empty)
[   31.827723] Kernel Offset: disabled
[   31.831343] Rebooting in 86400 seconds..