[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.531731] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.301566] random: sshd: uninitialized urandom read (32 bytes read)
[   25.524465] random: sshd: uninitialized urandom read (32 bytes read)
[   26.478356] random: sshd: uninitialized urandom read (32 bytes read)
[   47.710165] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   53.574405] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[   53.678775] ==================================================================
[   53.686299] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   53.692440] Read of size 16842 at addr ffff8801b3e5072d by task syz-executor195/4544
[   53.700303] 
[   53.701927] CPU: 0 PID: 4544 Comm: syz-executor195 Not tainted 4.18.0-rc4+ #138
[   53.709359] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.718702] Call Trace:
[   53.721290]  dump_stack+0x1c9/0x2b4
[   53.724917]  ? dump_stack_print_info.cold.2+0x52/0x52
[   53.730128]  ? printk+0xa7/0xcf
[   53.733409]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   53.738163]  ? pdu_read+0x90/0xd0
[   53.741610]  print_address_description+0x6c/0x20b
[   53.746450]  ? pdu_read+0x90/0xd0
[   53.749912]  kasan_report.cold.7+0x242/0x2fe
[   53.754338]  check_memory_region+0x13e/0x1b0
[   53.758744]  memcpy+0x23/0x50
[   53.761846]  pdu_read+0x90/0xd0
[   53.765140]  p9pdu_readf+0x579/0x2170
[   53.768947]  ? p9pdu_writef+0xe0/0xe0
[   53.772751]  ? __fget+0x414/0x670
[   53.776213]  ? rcu_is_watching+0x61/0x150
[   53.780368]  ? expand_files.part.8+0x9c0/0x9c0
[   53.784983]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.790057]  ? p9_fd_show_options+0x1c0/0x1c0
[   53.794567]  p9_client_create+0xde0/0x16c9
[   53.798820]  ? p9_client_read+0xc60/0xc60
[   53.802985]  ? find_held_lock+0x36/0x1c0
[   53.807064]  ? __lockdep_init_map+0x105/0x590
[   53.811582]  ? kasan_check_write+0x14/0x20
[   53.815837]  ? __init_rwsem+0x1cc/0x2a0
[   53.819818]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   53.824874]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.829900]  ? __kmalloc_track_caller+0x5f5/0x760
[   53.834744]  ? save_stack+0xa9/0xd0
[   53.838385]  ? save_stack+0x43/0xd0
[   53.842015]  ? kasan_kmalloc+0xc4/0xe0
[   53.845901]  ? kmem_cache_alloc_trace+0x152/0x780
[   53.850746]  ? memcpy+0x45/0x50
[   53.854026]  v9fs_session_init+0x21a/0x1a80
[   53.858359]  ? find_held_lock+0x36/0x1c0
[   53.862432]  ? v9fs_show_options+0x7e0/0x7e0
[   53.866869]  ? kasan_check_read+0x11/0x20
[   53.871030]  ? rcu_is_watching+0x8c/0x150
[   53.875176]  ? rcu_pm_notify+0xc0/0xc0
[   53.879066]  ? v9fs_mount+0x61/0x900
[   53.882780]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.887810]  ? kmem_cache_alloc_trace+0x616/0x780
[   53.892655]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   53.898193]  v9fs_mount+0x7c/0x900
[   53.901755]  mount_fs+0xae/0x328
[   53.905124]  vfs_kern_mount.part.34+0xdc/0x4e0
[   53.909708]  ? may_umount+0xb0/0xb0
[   53.913344]  ? _raw_read_unlock+0x22/0x30
[   53.917516]  ? __get_fs_type+0x97/0xc0
[   53.921406]  do_mount+0x581/0x30e0
[   53.924944]  ? copy_mount_string+0x40/0x40
[   53.929206]  ? copy_mount_options+0x5f/0x380
[   53.933620]  ? rcu_read_lock_sched_held+0x108/0x120
[   53.938638]  ? kmem_cache_alloc_trace+0x616/0x780
[   53.943479]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.949614]  ? _copy_from_user+0xdf/0x150
[   53.953771]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.959314]  ? copy_mount_options+0x285/0x380
[   53.963812]  ksys_mount+0x12d/0x140
[   53.967437]  __x64_sys_mount+0xbe/0x150
[   53.971410]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   53.976446]  do_syscall_64+0x1b9/0x820
[   53.980331]  ? syscall_return_slowpath+0x5e0/0x5e0
[   53.985272]  ? syscall_return_slowpath+0x31d/0x5e0
[   53.990206]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   53.995577]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.000435]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.005621] RIP: 0033:0x440109
[   54.008899] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   54.028132] RSP: 002b:00007ffd30a92a88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   54.035831] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440109
[   54.043093] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[   54.050372] RBP: 0030656c69662f2e R08: 0000000020000380 R09: 00000000004002c8
[   54.057640] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[   54.064908] R13: 0000000000401a20 R14: 0000000000000000 R15: 0000000000000000
[   54.072198] 
[   54.073821] Allocated by task 4544:
[   54.077451]  save_stack+0x43/0xd0
[   54.080898]  kasan_kmalloc+0xc4/0xe0
[   54.084625]  __kmalloc+0x14e/0x760
[   54.088167]  p9_fcall_alloc+0x1e/0x90
[   54.091991]  p9_client_prepare_req.part.8+0x754/0xcd0
[   54.097198]  p9_client_rpc+0x1bd/0x1400
[   54.101171]  p9_client_create+0xd09/0x16c9
[   54.105507]  v9fs_session_init+0x21a/0x1a80
[   54.109822]  v9fs_mount+0x7c/0x900
[   54.113363]  mount_fs+0xae/0x328
[   54.116739]  vfs_kern_mount.part.34+0xdc/0x4e0
[   54.121313]  do_mount+0x581/0x30e0
[   54.124857]  ksys_mount+0x12d/0x140
[   54.128480]  __x64_sys_mount+0xbe/0x150
[   54.132454]  do_syscall_64+0x1b9/0x820
[   54.136366]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.141542] 
[   54.143159] Freed by task 0:
[   54.146164] (stack is not available)
[   54.149859] 
[   54.151524] The buggy address belongs to the object at ffff8801b3e50700
[   54.151524]  which belongs to the cache kmalloc-16384 of size 16384
[   54.165291] The buggy address is located 45 bytes inside of
[   54.165291]  16384-byte region [ffff8801b3e50700, ffff8801b3e54700)
[   54.177257] The buggy address belongs to the page:
[   54.182190] page:ffffea0006cf9400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   54.192174] flags: 0x2fffc0000008100(slab|head)
[   54.196852] raw: 02fffc0000008100 ffffea0006cf6208 ffff8801da801c48 ffff8801da802200
[   54.204753] raw: 0000000000000000 ffff8801b3e50700 0000000100000001 0000000000000000
[   54.212634] page dumped because: kasan: bad access detected
[   54.218359] 
[   54.219975] Memory state around the buggy address:
[   54.224908]  ffff8801b3e52600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.232274]  ffff8801b3e52680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.239671] >ffff8801b3e52700: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   54.247042]                                ^
[   54.251458]  ffff8801b3e52780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.258808]  ffff8801b3e52800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.266167] ==================================================================
[   54.273518] Disabling lock debugging due to kernel taint
[   54.279284] Kernel panic - not syncing: panic_on_warn set ...
[   54.279284] 
[   54.286673] CPU: 0 PID: 4544 Comm: syz-executor195 Tainted: G    B             4.18.0-rc4+ #138
[   54.295498] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.304845] Call Trace:
[   54.307435]  dump_stack+0x1c9/0x2b4
[   54.311053]  ? dump_stack_print_info.cold.2+0x52/0x52
[   54.316242]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.321021]  panic+0x238/0x4e7
[   54.324211]  ? add_taint.cold.5+0x16/0x16
[   54.328357]  ? do_raw_spin_unlock+0xa7/0x2f0
[   54.332759]  ? pdu_read+0x90/0xd0
[   54.336211]  kasan_end_report+0x47/0x4f
[   54.340195]  kasan_report.cold.7+0x76/0x2fe
[   54.344521]  check_memory_region+0x13e/0x1b0
[   54.348925]  memcpy+0x23/0x50
[   54.352030]  pdu_read+0x90/0xd0
[   54.355309]  p9pdu_readf+0x579/0x2170
[   54.359130]  ? p9pdu_writef+0xe0/0xe0
[   54.362925]  ? __fget+0x414/0x670
[   54.366373]  ? rcu_is_watching+0x61/0x150
[   54.370515]  ? expand_files.part.8+0x9c0/0x9c0
[   54.375093]  ? rcu_read_lock_sched_held+0x108/0x120
[   54.380111]  ? p9_fd_show_options+0x1c0/0x1c0
[   54.384598]  p9_client_create+0xde0/0x16c9
[   54.388832]  ? p9_client_read+0xc60/0xc60
[   54.392975]  ? find_held_lock+0x36/0x1c0
[   54.397038]  ? __lockdep_init_map+0x105/0x590
[   54.401534]  ? kasan_check_write+0x14/0x20
[   54.405760]  ? __init_rwsem+0x1cc/0x2a0
[   54.409726]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   54.414760]  ? rcu_read_lock_sched_held+0x108/0x120
[   54.419773]  ? __kmalloc_track_caller+0x5f5/0x760
[   54.424629]  ? save_stack+0xa9/0xd0
[   54.428250]  ? save_stack+0x43/0xd0
[   54.431873]  ? kasan_kmalloc+0xc4/0xe0
[   54.435755]  ? kmem_cache_alloc_trace+0x152/0x780
[   54.440594]  ? memcpy+0x45/0x50
[   54.443886]  v9fs_session_init+0x21a/0x1a80
[   54.448206]  ? find_held_lock+0x36/0x1c0
[   54.452262]  ? v9fs_show_options+0x7e0/0x7e0
[   54.456661]  ? kasan_check_read+0x11/0x20
[   54.460797]  ? rcu_is_watching+0x8c/0x150
[   54.464936]  ? rcu_pm_notify+0xc0/0xc0
[   54.468821]  ? v9fs_mount+0x61/0x900
[   54.472537]  ? rcu_read_lock_sched_held+0x108/0x120
[   54.477558]  ? kmem_cache_alloc_trace+0x616/0x780
[   54.482410]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   54.487972]  v9fs_mount+0x7c/0x900
[   54.491531]  mount_fs+0xae/0x328
[   54.494916]  vfs_kern_mount.part.34+0xdc/0x4e0
[   54.499505]  ? may_umount+0xb0/0xb0
[   54.503132]  ? _raw_read_unlock+0x22/0x30
[   54.507387]  ? __get_fs_type+0x97/0xc0
[   54.511273]  do_mount+0x581/0x30e0
[   54.514808]  ? copy_mount_string+0x40/0x40
[   54.519039]  ? copy_mount_options+0x5f/0x380
[   54.523443]  ? rcu_read_lock_sched_held+0x108/0x120
[   54.528459]  ? kmem_cache_alloc_trace+0x616/0x780
[   54.533302]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.538858]  ? _copy_from_user+0xdf/0x150
[   54.543007]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.548547]  ? copy_mount_options+0x285/0x380
[   54.553058]  ksys_mount+0x12d/0x140
[   54.556688]  __x64_sys_mount+0xbe/0x150
[   54.560665]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   54.565676]  do_syscall_64+0x1b9/0x820
[   54.569552]  ? syscall_return_slowpath+0x5e0/0x5e0
[   54.574479]  ? syscall_return_slowpath+0x31d/0x5e0
[   54.579407]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   54.584764]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.589612]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.594802] RIP: 0033:0x440109
[   54.597975] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   54.617156] RSP: 002b:00007ffd30a92a88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   54.624858] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440109
[   54.632118] RDX: 0000000020000080 RSI: 0000000020000000 RDI: 0000000000000000
[   54.639469] RBP: 0030656c69662f2e R08: 0000000020000380 R09: 00000000004002c8
[   54.646990] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[   54.654347] R13: 0000000000401a20 R14: 0000000000000000 R15: 0000000000000000
[   54.662047] Dumping ftrace buffer:
[   54.665594]    (ftrace buffer empty)
[   54.669289] Kernel Offset: disabled
[   54.672901] Rebooting in 86400 seconds..