[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.226596] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 19.058651] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.305152] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.995761] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.139122] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
[ 31.623976] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 31.937499] ==================================================================
[ 31.944927] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 31.951055] Read of size 50842 at addr ffff8801b639886d by task syz-executor380/4472
[ 31.958908]
[ 31.960530] CPU: 0 PID: 4472 Comm: syz-executor380 Not tainted 4.18.0-rc5-next-20180720+ #12
[ 31.969090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.978431] Call Trace:
[ 31.981000]  dump_stack+0x1c9/0x2b4
[ 31.984609]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.989787]  ? printk+0xa7/0xcf
[ 31.993046]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.997781]  ? pdu_read+0x90/0xd0
[ 32.001215]  print_address_description+0x6c/0x20b
[ 32.006034]  ? pdu_read+0x90/0xd0
[ 32.009468]  kasan_report.cold.7+0x242/0x30d
[ 32.013856]  check_memory_region+0x13e/0x1b0
[ 32.018240]  memcpy+0x23/0x50
[ 32.021322]  pdu_read+0x90/0xd0
[ 32.024577]  p9pdu_readf+0x579/0x2170
[ 32.028355]  ? p9pdu_writef+0xe0/0xe0
[ 32.032146]  ? ksys_dup3+0x690/0x690
[ 32.035837]  ? check_same_owner+0x340/0x340
[ 32.040133]  ? p9_fd_poll+0x2b0/0x2b0
[ 32.043912]  ? finish_wait+0x430/0x430
[ 32.047794]  ? p9_fd_show_options+0x1c0/0x1c0
[ 32.052268]  p9_client_create+0x6d0/0x1537
[ 32.056491]  ? p9_client_read+0xbb0/0xbb0
[ 32.060617]  ? lock_acquire+0x1e4/0x540
[ 32.064571]  ? fs_reclaim_acquire+0x20/0x20
[ 32.068870]  ? lock_release+0xa30/0xa30
[ 32.072833]  ? __lockdep_init_map+0x105/0x590
[ 32.077308]  ? kasan_check_write+0x14/0x20
[ 32.081518]  ? __init_rwsem+0x1cc/0x2a0
[ 32.085471]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 32.090462]  ? __kmalloc_track_caller+0x311/0x760
[ 32.095278]  ? save_stack+0xa9/0xd0
[ 32.098879]  ? save_stack+0x43/0xd0
[ 32.102479]  ? kasan_kmalloc+0xc4/0xe0
[ 32.106349]  ? memcpy+0x45/0x50
[ 32.109617]  v9fs_session_init+0x21a/0x1a80
[ 32.113925]  ? rcu_note_context_switch+0x730/0x730
[ 32.118833]  ? legacy_parse_monolithic+0xde/0x1e0
[ 32.123655]  ? v9fs_show_options+0x7e0/0x7e0
[ 32.128043]  ? lock_release+0xa30/0xa30
[ 32.131999]  ? check_same_owner+0x340/0x340
[ 32.136300]  ? lock_downgrade+0x8f0/0x8f0
[ 32.140428]  ? kasan_unpoison_shadow+0x35/0x50
[ 32.144988]  ? kasan_kmalloc+0xc4/0xe0
[ 32.148853]  ? kmem_cache_alloc_trace+0x318/0x780
[ 32.153670]  ? kasan_unpoison_shadow+0x35/0x50
[ 32.158227]  ? kasan_kmalloc+0xc4/0xe0
[ 32.162103]  v9fs_mount+0x7c/0x900
[ 32.165621]  ? v9fs_drop_inode+0x150/0x150
[ 32.169831]  legacy_get_tree+0x131/0x460
[ 32.173871]  vfs_get_tree+0x1cb/0x5c0
[ 32.177651]  do_mount+0x6f2/0x1e20
[ 32.181167]  ? check_same_owner+0x340/0x340
[ 32.185466]  ? lock_release+0xa30/0xa30
[ 32.189429]  ? copy_mount_string+0x40/0x40
[ 32.193648]  ? kasan_kmalloc+0xc4/0xe0
[ 32.197514]  ? kmem_cache_alloc_trace+0x318/0x780
[ 32.202341]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.207855]  ? _copy_from_user+0xdf/0x150
[ 32.211993]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.217506]  ? copy_mount_options+0x285/0x380
[ 32.221980]  ksys_mount+0x12d/0x140
[ 32.225587]  __x64_sys_mount+0xbe/0x150
[ 32.229554]  do_syscall_64+0x1b9/0x820
[ 32.233429]  ? finish_task_switch+0x1d3/0x870
[ 32.237926]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 32.242835]  ? syscall_return_slowpath+0x31d/0x5e0
[ 32.247751]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 32.252750]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.258271]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 32.263275]  ? perf_trace_sys_enter+0xb10/0xb10
[ 32.267924]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.272749]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.277921] RIP: 0033:0x446129
[ 32.281092] Code: e8 dc bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.300219] RSP: 002b:00007f34b6da7ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 32.307916] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446129
[ 32.315170] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 32.322421] RBP: 00000000006dbc20 R08: 00000000200001c0 R09: 0000000000000000
[ 32.329666] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 32.336915] R13: 00007ffcc41aca9f R14: 00007f34b6da89c0 R15: 0000000000000001
[ 32.344162]
[ 32.345766] Allocated by task 4472:
[ 32.349373]  save_stack+0x43/0xd0
[ 32.352799]  kasan_kmalloc+0xc4/0xe0
[ 32.356488]  __kmalloc+0x14e/0x760
[ 32.360004]  p9_fcall_alloc+0x1e/0x90
[ 32.363799]  p9_client_prepare_req.part.8+0x132/0xa00
[ 32.368967]  p9_client_rpc+0x242/0x1330
[ 32.372935]  p9_client_create+0xca4/0x1537
[ 32.377144]  v9fs_session_init+0x21a/0x1a80
[ 32.381452]  v9fs_mount+0x7c/0x900
[ 32.384979]  legacy_get_tree+0x131/0x460
[ 32.389018]  vfs_get_tree+0x1cb/0x5c0
[ 32.392806]  do_mount+0x6f2/0x1e20
[ 32.396347]  ksys_mount+0x12d/0x140
[ 32.399953]  __x64_sys_mount+0xbe/0x150
[ 32.403906]  do_syscall_64+0x1b9/0x820
[ 32.407772]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.412932]
[ 32.414535] Freed by task 0:
[ 32.417535] (stack is not available)
[ 32.421233]
[ 32.422837] The buggy address belongs to the object at ffff8801b6398840
[ 32.422837]  which belongs to the cache kmalloc-16384 of size 16384
[ 32.435817] The buggy address is located 45 bytes inside of
[ 32.435817]  16384-byte region [ffff8801b6398840, ffff8801b639c840)
[ 32.447753] The buggy address belongs to the page:
[ 32.452656] page:ffffea0006d8e600 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 32.462611] flags: 0x2fffc0000010200(slab|head)
[ 32.467258] raw: 02fffc0000010200 ffffea0006d86c08 ffff8801da801c48 ffff8801da802200
[ 32.475203] raw: 0000000000000000 ffff8801b6398840 0000000100000001 0000000000000000
[ 32.483066] page dumped because: kasan: bad access detected
[ 32.488746]
[ 32.490357] Memory state around the buggy address:
[ 32.495270]  ffff8801b639a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.502605]  ffff8801b639a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.509938] >ffff8801b639a800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 32.517279]                                                        ^
[ 32.523745]  ffff8801b639a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.531078]  ffff8801b639a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.538420] ==================================================================
[ 32.545832] Kernel panic - not syncing: panic_on_warn set ...
[ 32.545832]
[ 32.553187] CPU: 0 PID: 4472 Comm: syz-executor380 Tainted: G B 4.18.0-rc5-next-20180720+ #12
[ 32.563352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.572682] Call Trace:
[ 32.575249]  dump_stack+0x1c9/0x2b4
[ 32.578853]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.584021]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.588756]  panic+0x238/0x4e7
[ 32.591929]  ? add_taint.cold.5+0x16/0x16
[ 32.596057]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.600447]  ? pdu_read+0x90/0xd0
[ 32.603888]  kasan_end_report+0x47/0x4f
[ 32.607838]  kasan_report.cold.7+0x76/0x30d
[ 32.612140]  check_memory_region+0x13e/0x1b0
[ 32.616523]  memcpy+0x23/0x50
[ 32.619609]  pdu_read+0x90/0xd0
[ 32.622868]  p9pdu_readf+0x579/0x2170
[ 32.626657]  ? p9pdu_writef+0xe0/0xe0
[ 32.630437]  ? ksys_dup3+0x690/0x690
[ 32.634129]  ? check_same_owner+0x340/0x340
[ 32.638427]  ? p9_fd_poll+0x2b0/0x2b0
[ 32.642205]  ? finish_wait+0x430/0x430
[ 32.646076]  ? p9_fd_show_options+0x1c0/0x1c0
[ 32.650549]  p9_client_create+0x6d0/0x1537
[ 32.654774]  ? p9_client_read+0xbb0/0xbb0
[ 32.658900]  ? lock_acquire+0x1e4/0x540
[ 32.662851]  ? fs_reclaim_acquire+0x20/0x20
[ 32.667150]  ? lock_release+0xa30/0xa30
[ 32.671111]  ? __lockdep_init_map+0x105/0x590
[ 32.675603]  ? kasan_check_write+0x14/0x20
[ 32.679814]  ? __init_rwsem+0x1cc/0x2a0
[ 32.683768]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 32.688762]  ? __kmalloc_track_caller+0x311/0x760
[ 32.693593]  ? save_stack+0xa9/0xd0
[ 32.697195]  ? save_stack+0x43/0xd0
[ 32.700798]  ? kasan_kmalloc+0xc4/0xe0
[ 32.704673]  ? memcpy+0x45/0x50
[ 32.707932]  v9fs_session_init+0x21a/0x1a80
[ 32.712245]  ? rcu_note_context_switch+0x730/0x730
[ 32.717149]  ? legacy_parse_monolithic+0xde/0x1e0
[ 32.722057]  ? v9fs_show_options+0x7e0/0x7e0
[ 32.726442]  ? lock_release+0xa30/0xa30
[ 32.730393]  ? check_same_owner+0x340/0x340
[ 32.734690]  ? lock_downgrade+0x8f0/0x8f0
[ 32.738812]  ? kasan_unpoison_shadow+0x35/0x50
[ 32.743384]  ? kasan_kmalloc+0xc4/0xe0
[ 32.747255]  ? kmem_cache_alloc_trace+0x318/0x780
[ 32.752073]  ? kasan_unpoison_shadow+0x35/0x50
[ 32.756632]  ? kasan_kmalloc+0xc4/0xe0
[ 32.760498]  v9fs_mount+0x7c/0x900
[ 32.764028]  ? v9fs_drop_inode+0x150/0x150
[ 32.768238]  legacy_get_tree+0x131/0x460
[ 32.772281]  vfs_get_tree+0x1cb/0x5c0
[ 32.776062]  do_mount+0x6f2/0x1e20
[ 32.779580]  ? check_same_owner+0x340/0x340
[ 32.783879]  ? lock_release+0xa30/0xa30
[ 32.787830]  ? copy_mount_string+0x40/0x40
[ 32.792038]  ? kasan_kmalloc+0xc4/0xe0
[ 32.795906]  ? kmem_cache_alloc_trace+0x318/0x780
[ 32.800728]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.806242]  ? _copy_from_user+0xdf/0x150
[ 32.810370]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.815885]  ? copy_mount_options+0x285/0x380
[ 32.820369]  ksys_mount+0x12d/0x140
[ 32.823975]  __x64_sys_mount+0xbe/0x150
[ 32.827938]  do_syscall_64+0x1b9/0x820
[ 32.831803]  ? finish_task_switch+0x1d3/0x870
[ 32.836275]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 32.841182]  ? syscall_return_slowpath+0x31d/0x5e0
[ 32.846088]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 32.851080]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.856593]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 32.861589]  ? perf_trace_sys_enter+0xb10/0xb10
[ 32.866235]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.871058]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.876221] RIP: 0033:0x446129
[ 32.879387] Code: e8 dc bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.898499] RSP: 002b:00007f34b6da7ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 32.906184] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446129
[ 32.913441] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 32.920774] RBP: 00000000006dbc20 R08: 00000000200001c0 R09: 0000000000000000
[ 32.928022] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 32.935281] R13: 00007ffcc41aca9f R14: 00007f34b6da89c0 R15: 0000000000000001
[ 32.942920] Dumping ftrace buffer:
[ 32.946438]    (ftrace buffer empty)
[ 32.950125] Kernel Offset: disabled
[ 32.953731] Rebooting in 86400 seconds..