[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   20.132363] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.087357] random: sshd: uninitialized urandom read (32 bytes read)
[   22.409838] random: sshd: uninitialized urandom read (32 bytes read)
[   23.244448] random: sshd: uninitialized urandom read (32 bytes read)
[   23.401482] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.30' (ECDSA) to the list of known hosts.
[   28.932391] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   29.028462] ==================================================================
[   29.035922] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   29.042051] Read of size 65417 at addr ffff8801ce76062d by task syz-executor959/4564
[   29.049910]
[   29.051523] CPU: 0 PID: 4564 Comm: syz-executor959 Not tainted 4.18.0-rc4+ #144
[   29.058945] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.068277] Call Trace:
[   29.070851]  dump_stack+0x1c9/0x2b4
[   29.074459]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.079626]  ? printk+0xa7/0xcf
[   29.082885]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.087622]  ? pdu_read+0x90/0xd0
[   29.091066]  print_address_description+0x6c/0x20b
[   29.095898]  ? pdu_read+0x90/0xd0
[   29.099336]  kasan_report.cold.7+0x242/0x2fe
[   29.103744]  check_memory_region+0x13e/0x1b0
[   29.108142]  memcpy+0x23/0x50
[   29.111229]  pdu_read+0x90/0xd0
[   29.114487]  p9pdu_readf+0x579/0x2170
[   29.118356]  ? p9pdu_writef+0xe0/0xe0
[   29.122138]  ? __fget+0x414/0x670
[   29.125571]  ? rcu_is_watching+0x61/0x150
[   29.129701]  ? expand_files.part.8+0x9c0/0x9c0
[   29.134268]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.139284]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.143776]  p9_client_create+0xde0/0x16c9
[   29.147994]  ? p9_client_read+0xc60/0xc60
[   29.152130]  ? find_held_lock+0x36/0x1c0
[   29.156180]  ? __lockdep_init_map+0x105/0x590
[   29.160659]  ? kasan_check_write+0x14/0x20
[   29.164883]  ? __init_rwsem+0x1cc/0x2a0
[   29.168837]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.173843]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.178839]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.183661]  ? save_stack+0xa9/0xd0
[   29.187275]  ? save_stack+0x43/0xd0
[   29.190882]  ? kasan_kmalloc+0xc4/0xe0
[   29.194762]  ? kmem_cache_alloc_trace+0x152/0x780
[   29.199588]  ? memcpy+0x45/0x50
[   29.202850]  v9fs_session_init+0x21a/0x1a80
[   29.207154]  ? find_held_lock+0x36/0x1c0
[   29.211199]  ? v9fs_show_options+0x7e0/0x7e0
[   29.215591]  ? kasan_check_read+0x11/0x20
[   29.219719]  ? rcu_is_watching+0x8c/0x150
[   29.223848]  ? rcu_pm_notify+0xc0/0xc0
[   29.227720]  ? v9fs_mount+0x61/0x900
[   29.231416]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.236411]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.241237]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.246771]  v9fs_mount+0x7c/0x900
[   29.250295]  mount_fs+0xae/0x328
[   29.253651]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.258220]  ? may_umount+0xb0/0xb0
[   29.261826]  ? _raw_read_unlock+0x22/0x30
[   29.265951]  ? __get_fs_type+0x97/0xc0
[   29.269822]  do_mount+0x581/0x30e0
[   29.273354]  ? copy_mount_string+0x40/0x40
[   29.277570]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.282308]  ? retint_kernel+0x10/0x10
[   29.286179]  ? copy_mount_options+0x1de/0x380
[   29.290657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.296175]  ? copy_mount_options+0x285/0x380
[   29.300649]  ksys_mount+0x12d/0x140
[   29.304259]  __x64_sys_mount+0xbe/0x150
[   29.308214]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.313213]  do_syscall_64+0x1b9/0x820
[   29.317083]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.321992]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.326918]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.332264]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.337094]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.342263] RIP: 0033:0x440149
[   29.345431] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   29.364599] RSP: 002b:00007fff44d4eb58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   29.372293] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440149
[   29.379550] RDX: 0000000020000000 RSI: 0000000020000140 RDI: 0000000000000000
[   29.386805] RBP: 0030656c69662f2e R08: 0000000020000440 R09: 00000000004002c8
[   29.394054] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   29.401310] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000
[   29.408565]
[   29.410171] Allocated by task 4564:
[   29.413783]  save_stack+0x43/0xd0
[   29.417219]  kasan_kmalloc+0xc4/0xe0
[   29.420918]  __kmalloc+0x14e/0x760
[   29.424440]  p9_fcall_alloc+0x1e/0x90
[   29.428218]  p9_client_prepare_req.part.8+0x754/0xcd0
[   29.433384]  p9_client_rpc+0x1bd/0x1400
[   29.437337]  p9_client_create+0xd09/0x16c9
[   29.441898]  v9fs_session_init+0x21a/0x1a80
[   29.446197]  v9fs_mount+0x7c/0x900
[   29.449716]  mount_fs+0xae/0x328
[   29.453072]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.457632]  do_mount+0x581/0x30e0
[   29.461158]  ksys_mount+0x12d/0x140
[   29.464762]  __x64_sys_mount+0xbe/0x150
[   29.468741]  do_syscall_64+0x1b9/0x820
[   29.472610]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.477771]
[   29.479377] Freed by task 0:
[   29.482367] (stack is not available)
[   29.486056]
[   29.487669] The buggy address belongs to the object at ffff8801ce760600
[   29.487669]  which belongs to the cache kmalloc-16384 of size 16384
[   29.500663] The buggy address is located 45 bytes inside of
[   29.500663]  16384-byte region [ffff8801ce760600, ffff8801ce764600)
[   29.512601] The buggy address belongs to the page:
[   29.517510] page:ffffea000739d800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   29.527459] flags: 0x2fffc0000008100(slab|head)
[   29.532110] raw: 02fffc0000008100 ffffea0006b12808 ffff8801da801c48 ffff8801da802200
[   29.539979] raw: 0000000000000000 ffff8801ce760600 0000000100000001 0000000000000000
[   29.547841] page dumped because: kasan: bad access detected
[   29.553525]
[   29.555128] Memory state around the buggy address:
[   29.560041]  ffff8801ce762500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.567379]  ffff8801ce762580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.574722] >ffff8801ce762600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   29.582061]                                ^
[   29.586446]  ffff8801ce762680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.593791]  ffff8801ce762700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.601139] ==================================================================
[   29.608474] Disabling lock debugging due to kernel taint
[   29.613970] Kernel panic - not syncing: panic_on_warn set ...
[   29.613970]
[   29.621342] CPU: 0 PID: 4564 Comm: syz-executor959 Tainted: G B 4.18.0-rc4+ #144
[   29.630166] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.639510] Call Trace:
[   29.642091]  dump_stack+0x1c9/0x2b4
[   29.645702]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.650883]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.655623]  panic+0x238/0x4e7
[   29.658810]  ? add_taint.cold.5+0x16/0x16
[   29.662938]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.667324]  ? pdu_read+0x90/0xd0
[   29.670756]  kasan_end_report+0x47/0x4f
[   29.674712]  kasan_report.cold.7+0x76/0x2fe
[   29.679020]  check_memory_region+0x13e/0x1b0
[   29.683412]  memcpy+0x23/0x50
[   29.686498]  pdu_read+0x90/0xd0
[   29.689765]  p9pdu_readf+0x579/0x2170
[   29.693552]  ? p9pdu_writef+0xe0/0xe0
[   29.697329]  ? __fget+0x414/0x670
[   29.700760]  ? rcu_is_watching+0x61/0x150
[   29.704883]  ? expand_files.part.8+0x9c0/0x9c0
[   29.709445]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.714446]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.718921]  p9_client_create+0xde0/0x16c9
[   29.723144]  ? p9_client_read+0xc60/0xc60
[   29.727273]  ? find_held_lock+0x36/0x1c0
[   29.731323]  ? __lockdep_init_map+0x105/0x590
[   29.735801]  ? kasan_check_write+0x14/0x20
[   29.740018]  ? __init_rwsem+0x1cc/0x2a0
[   29.743975]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.748969]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.753966]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.758786]  ? save_stack+0xa9/0xd0
[   29.762390]  ? save_stack+0x43/0xd0
[   29.765993]  ? kasan_kmalloc+0xc4/0xe0
[   29.769873]  ? kmem_cache_alloc_trace+0x152/0x780
[   29.774696]  ? memcpy+0x45/0x50
[   29.777956]  v9fs_session_init+0x21a/0x1a80
[   29.782256]  ? find_held_lock+0x36/0x1c0
[   29.786298]  ? v9fs_show_options+0x7e0/0x7e0
[   29.790690]  ? kasan_check_read+0x11/0x20
[   29.794815]  ? rcu_is_watching+0x8c/0x150
[   29.798949]  ? rcu_pm_notify+0xc0/0xc0
[   29.802822]  ? v9fs_mount+0x61/0x900
[   29.806513]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.811506]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.816328]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.821857]  v9fs_mount+0x7c/0x900
[   29.825376]  mount_fs+0xae/0x328
[   29.828725]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.833284]  ? may_umount+0xb0/0xb0
[   29.836889]  ? _raw_read_unlock+0x22/0x30
[   29.841017]  ? __get_fs_type+0x97/0xc0
[   29.844893]  do_mount+0x581/0x30e0
[   29.848410]  ? copy_mount_string+0x40/0x40
[   29.852624]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.857463]  ? retint_kernel+0x10/0x10
[   29.861332]  ? copy_mount_options+0x1de/0x380
[   29.865811]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.871326]  ? copy_mount_options+0x285/0x380
[   29.875799]  ksys_mount+0x12d/0x140
[   29.879403]  __x64_sys_mount+0xbe/0x150
[   29.883360]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.888354]  do_syscall_64+0x1b9/0x820
[   29.892217]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.897124]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.902044]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.907388]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.912212]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.917377] RIP: 0033:0x440149
[   29.920543] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   29.939663] RSP: 002b:00007fff44d4eb58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   29.947351] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440149
[   29.954597] RDX: 0000000020000000 RSI: 0000000020000140 RDI: 0000000000000000
[   29.961853] RBP: 0030656c69662f2e R08: 0000000020000440 R09: 00000000004002c8
[   29.969108] R10: 0000000000000000 R11: 0000000000000202 R12: 64663d736e617274
[   29.976355] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000
[   29.984043] Dumping ftrace buffer:
[   29.987564]    (ftrace buffer empty)
[   29.991248] Kernel Offset: disabled
[   29.994852] Rebooting in 86400 seconds..