[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.124809] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.779217] random: sshd: uninitialized urandom read (32 bytes read)
[   23.164258] random: sshd: uninitialized urandom read (32 bytes read)
[   24.056160] random: sshd: uninitialized urandom read (32 bytes read)
[   24.215663] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
[   29.798423] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   29.893744] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   29.920894] ==================================================================
[   29.928375] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   29.934512] Read of size 20347 at addr ffff8801b26a852d by task syz-executor224/4530
[   29.942413] 
[   29.944037] CPU: 1 PID: 4530 Comm: syz-executor224 Not tainted 4.18.0-rc4+ #142
[   29.951503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.960846] Call Trace:
[   29.963433]  dump_stack+0x1c9/0x2b4
[   29.967056]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.972320]  ? printk+0xa7/0xcf
[   29.975597]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.980346]  ? pdu_read+0x90/0xd0
[   29.983786]  print_address_description+0x6c/0x20b
[   29.988616]  ? pdu_read+0x90/0xd0
[   29.992053]  kasan_report.cold.7+0x242/0x2fe
[   29.996451]  check_memory_region+0x13e/0x1b0
[   30.000867]  memcpy+0x23/0x50
[   30.003979]  pdu_read+0x90/0xd0
[   30.007258]  p9pdu_readf+0x579/0x2170
[   30.011068]  ? p9pdu_writef+0xe0/0xe0
[   30.014860]  ? __fget+0x414/0x670
[   30.018303]  ? rcu_is_watching+0x61/0x150
[   30.022450]  ? expand_files.part.8+0x9c0/0x9c0
[   30.027042]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.032064]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.036562]  p9_client_create+0xde0/0x16c9
[   30.040793]  ? p9_client_read+0xc60/0xc60
[   30.044928]  ? find_held_lock+0x36/0x1c0
[   30.048982]  ? __lockdep_init_map+0x105/0x590
[   30.053477]  ? kasan_check_write+0x14/0x20
[   30.057719]  ? __init_rwsem+0x1cc/0x2a0
[   30.061679]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.066698]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.071717]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.076570]  ? save_stack+0xa9/0xd0
[   30.080187]  ? save_stack+0x43/0xd0
[   30.083799]  ? kasan_kmalloc+0xc4/0xe0
[   30.087680]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.092510]  ? memcpy+0x45/0x50
[   30.095783]  v9fs_session_init+0x21a/0x1a80
[   30.100101]  ? find_held_lock+0x36/0x1c0
[   30.104170]  ? v9fs_show_options+0x7e0/0x7e0
[   30.108577]  ? kasan_check_read+0x11/0x20
[   30.112709]  ? rcu_is_watching+0x8c/0x150
[   30.116863]  ? rcu_pm_notify+0xc0/0xc0
[   30.120749]  ? v9fs_mount+0x61/0x900
[   30.124458]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.129466]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.134316]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.139855]  v9fs_mount+0x7c/0x900
[   30.143387]  mount_fs+0xae/0x328
[   30.146741]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.151307]  ? may_umount+0xb0/0xb0
[   30.154919]  ? _raw_read_unlock+0x22/0x30
[   30.160972]  ? __get_fs_type+0x97/0xc0
[   30.164860]  do_mount+0x581/0x30e0
[   30.168389]  ? copy_mount_string+0x40/0x40
[   30.172715]  ? copy_mount_options+0x5f/0x380
[   30.177117]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.182181]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.187016]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.192573]  ? _copy_from_user+0xdf/0x150
[   30.196719]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.202256]  ? copy_mount_options+0x285/0x380
[   30.206745]  ksys_mount+0x12d/0x140
[   30.210364]  __x64_sys_mount+0xbe/0x150
[   30.214330]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.219340]  do_syscall_64+0x1b9/0x820
[   30.223222]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.228153]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.233083]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.238617]  ? retint_user+0x18/0x18
[   30.242335]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.247169]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.252353] RIP: 0033:0x440959
[   30.255529] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   30.274713] RSP: 002b:00007ffe02e53858 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.282410] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.289684] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.296956] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.304218] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000074c3
[   30.311473] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.318732] 
[   30.320342] Allocated by task 4530:
[   30.323958]  save_stack+0x43/0xd0
[   30.327401]  kasan_kmalloc+0xc4/0xe0
[   30.331098]  __kmalloc+0x14e/0x760
[   30.334624]  p9_fcall_alloc+0x1e/0x90
[   30.338415]  p9_client_prepare_req.part.8+0x754/0xcd0
[   30.343586]  p9_client_rpc+0x1bd/0x1400
[   30.347548]  p9_client_create+0xd09/0x16c9
[   30.351769]  v9fs_session_init+0x21a/0x1a80
[   30.356083]  v9fs_mount+0x7c/0x900
[   30.359616]  mount_fs+0xae/0x328
[   30.362967]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.367534]  do_mount+0x581/0x30e0
[   30.371072]  ksys_mount+0x12d/0x140
[   30.374696]  __x64_sys_mount+0xbe/0x150
[   30.378653]  do_syscall_64+0x1b9/0x820
[   30.382533]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.387697] 
[   30.389313] Freed by task 0:
[   30.392315] (stack is not available)
[   30.396020] 
[   30.397650] The buggy address belongs to the object at ffff8801b26a8500
[   30.397650]  which belongs to the cache kmalloc-16384 of size 16384
[   30.410659] The buggy address is located 45 bytes inside of
[   30.410659]  16384-byte region [ffff8801b26a8500, ffff8801b26ac500)
[   30.422606] The buggy address belongs to the page:
[   30.427556] page:ffffea0006c9aa00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   30.437604] flags: 0x2fffc0000008100(slab|head)
[   30.442267] raw: 02fffc0000008100 ffffea0006b1d008 ffff8801da801c48 ffff8801da802200
[   30.450131] raw: 0000000000000000 ffff8801b26a8500 0000000100000001 0000000000000000
[   30.457997] page dumped because: kasan: bad access detected
[   30.463690] 
[   30.465298] Memory state around the buggy address:
[   30.470221]  ffff8801b26aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.477563]  ffff8801b26aa480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.484902] >ffff8801b26aa500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   30.492249]                                ^
[   30.496636]  ffff8801b26aa580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.503988]  ffff8801b26aa600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.511333] ==================================================================
[   30.518679] Disabling lock debugging due to kernel taint
[   30.524217] Kernel panic - not syncing: panic_on_warn set ...
[   30.524217] 
[   30.531593] CPU: 1 PID: 4530 Comm: syz-executor224 Tainted: G    B             4.18.0-rc4+ #142
[   30.540422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.549766] Call Trace:
[   30.552341]  dump_stack+0x1c9/0x2b4
[   30.555951]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.561133]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.565874]  panic+0x238/0x4e7
[   30.569049]  ? add_taint.cold.5+0x16/0x16
[   30.573184]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.577576]  ? pdu_read+0x90/0xd0
[   30.581025]  kasan_end_report+0x47/0x4f
[   30.584989]  kasan_report.cold.7+0x76/0x2fe
[   30.589307]  check_memory_region+0x13e/0x1b0
[   30.593699]  memcpy+0x23/0x50
[   30.596876]  pdu_read+0x90/0xd0
[   30.600146]  p9pdu_readf+0x579/0x2170
[   30.603937]  ? p9pdu_writef+0xe0/0xe0
[   30.607734]  ? __fget+0x414/0x670
[   30.611174]  ? rcu_is_watching+0x61/0x150
[   30.615309]  ? expand_files.part.8+0x9c0/0x9c0
[   30.619882]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.624892]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.629376]  p9_client_create+0xde0/0x16c9
[   30.633598]  ? p9_client_read+0xc60/0xc60
[   30.637737]  ? find_held_lock+0x36/0x1c0
[   30.641785]  ? __lockdep_init_map+0x105/0x590
[   30.646277]  ? kasan_check_write+0x14/0x20
[   30.650512]  ? __init_rwsem+0x1cc/0x2a0
[   30.654508]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.659539]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.664547]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.669373]  ? save_stack+0xa9/0xd0
[   30.672981]  ? save_stack+0x43/0xd0
[   30.676595]  ? kasan_kmalloc+0xc4/0xe0
[   30.680467]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.685291]  ? memcpy+0x45/0x50
[   30.688563]  v9fs_session_init+0x21a/0x1a80
[   30.692871]  ? find_held_lock+0x36/0x1c0
[   30.696921]  ? v9fs_show_options+0x7e0/0x7e0
[   30.701313]  ? kasan_check_read+0x11/0x20
[   30.705455]  ? rcu_is_watching+0x8c/0x150
[   30.709594]  ? rcu_pm_notify+0xc0/0xc0
[   30.713474]  ? v9fs_mount+0x61/0x900
[   30.717183]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.722193]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.727046]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.732606]  v9fs_mount+0x7c/0x900
[   30.736138]  mount_fs+0xae/0x328
[   30.739492]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.744061]  ? may_umount+0xb0/0xb0
[   30.747671]  ? _raw_read_unlock+0x22/0x30
[   30.751801]  ? __get_fs_type+0x97/0xc0
[   30.755672]  do_mount+0x581/0x30e0
[   30.759193]  ? copy_mount_string+0x40/0x40
[   30.763419]  ? copy_mount_options+0x5f/0x380
[   30.767812]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.772830]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.777673]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.783198]  ? _copy_from_user+0xdf/0x150
[   30.787327]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.792848]  ? copy_mount_options+0x285/0x380
[   30.797332]  ksys_mount+0x12d/0x140
[   30.800958]  __x64_sys_mount+0xbe/0x150
[   30.804919]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.809923]  do_syscall_64+0x1b9/0x820
[   30.813796]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.818712]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.823632]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.829158]  ? retint_user+0x18/0x18
[   30.832858]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.837690]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.842878] RIP: 0033:0x440959
[   30.846062] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   30.865197] RSP: 002b:00007ffe02e53858 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.872898] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.880167] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.887421] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.894683] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000074c3
[   30.902385] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.910132] Dumping ftrace buffer:
[   30.913654]    (ftrace buffer empty)
[   30.917341] Kernel Offset: disabled
[   30.920948] Rebooting in 86400 seconds..