[....] Starting OpenBSD Secure Shell server: sshd[   19.494620] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.489956] random: sshd: uninitialized urandom read (32 bytes read)
[   23.790733] sshd (4525) used greatest stack depth: 17032 bytes left
[   23.810244] random: sshd: uninitialized urandom read (32 bytes read)
[   24.671979] random: sshd: uninitialized urandom read (32 bytes read)
[   24.829183] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.203' (ECDSA) to the list of known hosts.
[   30.326306] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   30.417336] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   30.442889] ==================================================================
[   30.450330] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   30.456466] Read of size 13088 at addr ffff8801d95d04ad by task syz-executor870/4545
[   30.464323] 
[   30.465945] CPU: 0 PID: 4545 Comm: syz-executor870 Not tainted 4.18.0-rc3+ #137
[   30.473377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.482717] Call Trace:
[   30.485298]  dump_stack+0x1c9/0x2b4
[   30.488912]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.494094]  ? printk+0xa7/0xcf
[   30.497356]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.502106]  ? pdu_read+0x90/0xd0
[   30.505540]  print_address_description+0x6c/0x20b
[   30.510368]  ? pdu_read+0x90/0xd0
[   30.513801]  kasan_report.cold.7+0x242/0x2fe
[   30.518207]  check_memory_region+0x13e/0x1b0
[   30.522628]  memcpy+0x23/0x50
[   30.525732]  pdu_read+0x90/0xd0
[   30.529017]  p9pdu_readf+0x579/0x2170
[   30.532816]  ? p9pdu_writef+0xe0/0xe0
[   30.536604]  ? __fget+0x414/0x670
[   30.540218]  ? rcu_is_watching+0x61/0x150
[   30.544352]  ? expand_files.part.8+0x9c0/0x9c0
[   30.548926]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.553938]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.558429]  p9_client_create+0xde0/0x16c9
[   30.562664]  ? p9_client_read+0xc60/0xc60
[   30.566796]  ? find_held_lock+0x36/0x1c0
[   30.570860]  ? __lockdep_init_map+0x105/0x590
[   30.575365]  ? kasan_check_write+0x14/0x20
[   30.579587]  ? __init_rwsem+0x1cc/0x2a0
[   30.583548]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.588553]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.593568]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.598433]  ? save_stack+0xa9/0xd0
[   30.602052]  ? save_stack+0x43/0xd0
[   30.605663]  ? kasan_kmalloc+0xc4/0xe0
[   30.609535]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.614377]  ? memcpy+0x45/0x50
[   30.617648]  v9fs_session_init+0x21a/0x1a80
[   30.621979]  ? find_held_lock+0x36/0x1c0
[   30.626043]  ? v9fs_show_options+0x7e0/0x7e0
[   30.630444]  ? kasan_check_read+0x11/0x20
[   30.634581]  ? rcu_is_watching+0x8c/0x150
[   30.638728]  ? rcu_pm_notify+0xc0/0xc0
[   30.642624]  ? v9fs_mount+0x61/0x900
[   30.646330]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.651346]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.656192]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.661731]  v9fs_mount+0x7c/0x900
[   30.665275]  mount_fs+0xae/0x328
[   30.668852]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.673454]  ? may_umount+0xb0/0xb0
[   30.677087]  ? _raw_read_unlock+0x22/0x30
[   30.681235]  ? __get_fs_type+0x97/0xc0
[   30.685201]  do_mount+0x581/0x30e0
[   30.688751]  ? copy_mount_string+0x40/0x40
[   30.692989]  ? copy_mount_options+0x5f/0x380
[   30.697426]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.702436]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.707557]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.713095]  ? _copy_from_user+0xdf/0x150
[   30.717236]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.722780]  ? copy_mount_options+0x285/0x380
[   30.727273]  ksys_mount+0x12d/0x140
[   30.730895]  __x64_sys_mount+0xbe/0x150
[   30.734873]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.739887]  do_syscall_64+0x1b9/0x820
[   30.743768]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.748777]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.753703]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.759424]  ? retint_user+0x18/0x18
[   30.763160]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.768018]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.773203] RIP: 0033:0x440959
[   30.776372] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   30.795995] RSP: 002b:00007ffdcb9c3ad8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   30.803720] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   30.810991] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.818253] RBP: 0000000000000000 R08: 0000000020000680 R09: 00000000004002c8
[   30.825513] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000000076cf
[   30.832770] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   30.840041] 
[   30.841663] Allocated by task 4545:
[   30.845292]  save_stack+0x43/0xd0
[   30.848754]  kasan_kmalloc+0xc4/0xe0
[   30.852469]  __kmalloc+0x14e/0x760
[   30.856007]  p9_fcall_alloc+0x1e/0x90
[   30.859899]  p9_client_prepare_req.part.8+0x754/0xcd0
[   30.865104]  p9_client_rpc+0x1bd/0x1400
[   30.869079]  p9_client_create+0xd09/0x16c9
[   30.873308]  v9fs_session_init+0x21a/0x1a80
[   30.877619]  v9fs_mount+0x7c/0x900
[   30.881147]  mount_fs+0xae/0x328
[   30.884496]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.889084]  do_mount+0x581/0x30e0
[   30.892639]  ksys_mount+0x12d/0x140
[   30.896279]  __x64_sys_mount+0xbe/0x150
[   30.900250]  do_syscall_64+0x1b9/0x820
[   30.904302]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.909486] 
[   30.911094] Freed by task 0:
[   30.914100] (stack is not available)
[   30.917794] 
[   30.919416] The buggy address belongs to the object at ffff8801d95d0480
[   30.919416]  which belongs to the cache kmalloc-16384 of size 16384
[   30.932412] The buggy address is located 45 bytes inside of
[   30.932412]  16384-byte region [ffff8801d95d0480, ffff8801d95d4480)
[   30.944366] The buggy address belongs to the page:
[   30.949300] page:ffffea0007657400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   30.959263] flags: 0x2fffc0000008100(slab|head)
[   30.964029] raw: 02fffc0000008100 ffffea0006b2e808 ffffea0006b2f808 ffff8801da802200
[   30.971904] raw: 0000000000000000 ffff8801d95d0480 0000000100000001 0000000000000000
[   30.979776] page dumped because: kasan: bad access detected
[   30.985473] 
[   30.987095] Memory state around the buggy address:
[   30.992011]  ffff8801d95d2380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.999362]  ffff8801d95d2400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   31.006711] >ffff8801d95d2480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   31.014056]                                ^
[   31.018450]  ffff8801d95d2500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.025803]  ffff8801d95d2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.033149] ==================================================================
[   31.040490] Disabling lock debugging due to kernel taint
[   31.046039] Kernel panic - not syncing: panic_on_warn set ...
[   31.046039] 
[   31.053420] CPU: 0 PID: 4545 Comm: syz-executor870 Tainted: G    B             4.18.0-rc3+ #137
[   31.062262] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.071617] Call Trace:
[   31.074193]  dump_stack+0x1c9/0x2b4
[   31.077805]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.082977]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.087717]  panic+0x238/0x4e7
[   31.090892]  ? add_taint.cold.5+0x16/0x16
[   31.095032]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.099424]  ? pdu_read+0x90/0xd0
[   31.102857]  kasan_end_report+0x47/0x4f
[   31.106814]  kasan_report.cold.7+0x76/0x2fe
[   31.111118]  check_memory_region+0x13e/0x1b0
[   31.115518]  memcpy+0x23/0x50
[   31.118623]  pdu_read+0x90/0xd0
[   31.121886]  p9pdu_readf+0x579/0x2170
[   31.125667]  ? p9pdu_writef+0xe0/0xe0
[   31.129469]  ? __fget+0x414/0x670
[   31.132911]  ? rcu_is_watching+0x61/0x150
[   31.137043]  ? expand_files.part.8+0x9c0/0x9c0
[   31.141614]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.146625]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.151111]  p9_client_create+0xde0/0x16c9
[   31.155329]  ? p9_client_read+0xc60/0xc60
[   31.159460]  ? find_held_lock+0x36/0x1c0
[   31.163508]  ? __lockdep_init_map+0x105/0x590
[   31.168004]  ? kasan_check_write+0x14/0x20
[   31.172228]  ? __init_rwsem+0x1cc/0x2a0
[   31.176195]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   31.181192]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.186186]  ? __kmalloc_track_caller+0x5f5/0x760
[   31.191028]  ? save_stack+0xa9/0xd0
[   31.194646]  ? save_stack+0x43/0xd0
[   31.198263]  ? kasan_kmalloc+0xc4/0xe0
[   31.202133]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.206970]  ? memcpy+0x45/0x50
[   31.210253]  v9fs_session_init+0x21a/0x1a80
[   31.214570]  ? find_held_lock+0x36/0x1c0
[   31.218616]  ? v9fs_show_options+0x7e0/0x7e0
[   31.223022]  ? kasan_check_read+0x11/0x20
[   31.227161]  ? rcu_is_watching+0x8c/0x150
[   31.231292]  ? rcu_pm_notify+0xc0/0xc0
[   31.235173]  ? v9fs_mount+0x61/0x900
[   31.238869]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.243879]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.248716]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.254262]  v9fs_mount+0x7c/0x900
[   31.257832]  mount_fs+0xae/0x328
[   31.261215]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.265785]  ? may_umount+0xb0/0xb0
[   31.269412]  ? _raw_read_unlock+0x22/0x30
[   31.273570]  ? __get_fs_type+0x97/0xc0
[   31.277460]  do_mount+0x581/0x30e0
[   31.281003]  ? copy_mount_string+0x40/0x40
[   31.285230]  ? copy_mount_options+0x5f/0x380
[   31.289630]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.294637]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.299463]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.305070]  ? _copy_from_user+0xdf/0x150
[   31.309201]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.314720]  ? copy_mount_options+0x285/0x380
[   31.319199]  ksys_mount+0x12d/0x140
[   31.322807]  __x64_sys_mount+0xbe/0x150
[   31.326768]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.331769]  do_syscall_64+0x1b9/0x820
[   31.335640]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.340550]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.345465]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.350986]  ? retint_user+0x18/0x18
[   31.354686]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.359528]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.364712] RIP: 0033:0x440959
[   31.367877] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   31.387033] RSP: 002b:00007ffdcb9c3ad8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   31.394729] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   31.401980] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.409245] RBP: 0000000000000000 R08: 0000000020000680 R09: 00000000004002c8
[   31.416496] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000000076cf
[   31.423746] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   31.431512] Dumping ftrace buffer:
[   31.435034]    (ftrace buffer empty)
[   31.438725] Kernel Offset: disabled
[   31.442351] Rebooting in 86400 seconds..