[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.649062] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.105147] random: sshd: uninitialized urandom read (32 bytes read)
[   22.368309] random: sshd: uninitialized urandom read (32 bytes read)
[   23.238163] random: sshd: uninitialized urandom read (32 bytes read)
[   23.391611] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
[   28.901941] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
[   29.003849] ==================================================================
[   29.011346] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   29.017478] Read of size 43808 at addr ffff8801b42107ad by task syz-executor130/4569
[   29.025336] 
[   29.026953] CPU: 0 PID: 4569 Comm: syz-executor130 Not tainted 4.18.0-rc4+ #44
[   29.034290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.043624] Call Trace:
[   29.046215]  dump_stack+0x1c9/0x2b4
[   29.049828]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.055002]  ? printk+0xa7/0xcf
[   29.058276]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   29.063027]  ? pdu_read+0x90/0xd0
[   29.066472]  print_address_description+0x6c/0x20b
[   29.071297]  ? pdu_read+0x90/0xd0
[   29.074732]  kasan_report.cold.7+0x242/0x2fe
[   29.079128]  check_memory_region+0x13e/0x1b0
[   29.083523]  memcpy+0x23/0x50
[   29.086613]  pdu_read+0x90/0xd0
[   29.089888]  p9pdu_readf+0x579/0x2170
[   29.093692]  ? p9pdu_writef+0xe0/0xe0
[   29.097476]  ? __fget+0x414/0x670
[   29.100929]  ? rcu_is_watching+0x61/0x150
[   29.105235]  ? expand_files.part.8+0x9c0/0x9c0
[   29.109804]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.114811]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.119295]  p9_client_create+0xde0/0x16c9
[   29.123527]  ? p9_client_read+0xc60/0xc60
[   29.127660]  ? find_held_lock+0x36/0x1c0
[   29.131718]  ? __lockdep_init_map+0x105/0x590
[   29.136203]  ? kasan_check_write+0x14/0x20
[   29.140421]  ? __init_rwsem+0x1cc/0x2a0
[   29.144382]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.149393]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.154392]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.159217]  ? save_stack+0xa9/0xd0
[   29.162843]  ? save_stack+0x43/0xd0
[   29.166451]  ? kasan_kmalloc+0xc4/0xe0
[   29.170320]  ? memcpy+0x45/0x50
[   29.173589]  v9fs_session_init+0x21a/0x1a80
[   29.177901]  ? find_held_lock+0x36/0x1c0
[   29.181948]  ? v9fs_show_options+0x7e0/0x7e0
[   29.186350]  ? kasan_check_read+0x11/0x20
[   29.190490]  ? rcu_is_watching+0x8c/0x150
[   29.194620]  ? rcu_pm_notify+0xc0/0xc0
[   29.198489]  ? rcu_pm_notify+0xc0/0xc0
[   29.202371]  ? v9fs_mount+0x61/0x900
[   29.206081]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.211084]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.215924]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.221445]  v9fs_mount+0x7c/0x900
[   29.224973]  mount_fs+0xae/0x328
[   29.228327]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.232896]  ? may_umount+0xb0/0xb0
[   29.236510]  ? _raw_read_unlock+0x22/0x30
[   29.240659]  ? __get_fs_type+0x97/0xc0
[   29.244536]  do_mount+0x581/0x30e0
[   29.248061]  ? copy_mount_string+0x40/0x40
[   29.252292]  ? copy_mount_options+0x5f/0x380
[   29.256692]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.261695]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.266539]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.272060]  ? copy_mount_options+0x285/0x380
[   29.276544]  __ia32_compat_sys_mount+0x5d5/0x860
[   29.281289]  do_fast_syscall_32+0x34d/0xfb2
[   29.285594]  ? do_int80_syscall_32+0x890/0x890
[   29.290166]  ? do_syscall_64+0x497/0x820
[   29.294210]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.299130]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.304058]  ? sysret32_from_system_call+0x5/0x46
[   29.308907]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.313736]  entry_SYSENTER_compat+0x70/0x7f
[   29.318127] RIP: 0023:0xf7ff8cb9
[   29.321471] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   29.340659] RSP: 002b:00000000ffe0f02c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[   29.348354] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000140
[   29.355604] RDX: 0000000020000000 RSI: 0000000000000000 RDI: 0000000020000440
[   29.362855] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   29.370107] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.377366] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.384623] 
[   29.386240] Allocated by task 4569:
[   29.389855]  save_stack+0x43/0xd0
[   29.393289]  kasan_kmalloc+0xc4/0xe0
[   29.396981]  __kmalloc+0x14e/0x760
[   29.400519]  p9_fcall_alloc+0x1e/0x90
[   29.404302]  p9_client_prepare_req.part.8+0x754/0xcd0
[   29.409472]  p9_client_rpc+0x1bd/0x1400
[   29.413424]  p9_client_create+0xd09/0x16c9
[   29.417643]  v9fs_session_init+0x21a/0x1a80
[   29.421954]  v9fs_mount+0x7c/0x900
[   29.425476]  mount_fs+0xae/0x328
[   29.428824]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.433387]  do_mount+0x581/0x30e0
[   29.436909]  __ia32_compat_sys_mount+0x5d5/0x860
[   29.441650]  do_fast_syscall_32+0x34d/0xfb2
[   29.445968]  entry_SYSENTER_compat+0x70/0x7f
[   29.450353] 
[   29.451960] Freed by task 0:
[   29.454950] (stack is not available)
[   29.458662] 
[   29.460270] The buggy address belongs to the object at ffff8801b4210780
[   29.460270]  which belongs to the cache kmalloc-16384 of size 16384
[   29.473253] The buggy address is located 45 bytes inside of
[   29.473253]  16384-byte region [ffff8801b4210780, ffff8801b4214780)
[   29.485193] The buggy address belongs to the page:
[   29.490105] page:ffffea0006d08400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   29.500056] flags: 0x2fffc0000008100(slab|head)
[   29.504722] raw: 02fffc0000008100 ffffea0006b29a08 ffff8801da801c48 ffff8801da802200
[   29.512589] raw: 0000000000000000 ffff8801b4210780 0000000100000001 0000000000000000
[   29.520447] page dumped because: kasan: bad access detected
[   29.526131] 
[   29.527736] Memory state around the buggy address:
[   29.532658]  ffff8801b4212680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.539995]  ffff8801b4212700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.547338] >ffff8801b4212780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   29.554673]                                ^
[   29.559059]  ffff8801b4212800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.566407]  ffff8801b4212880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.574311] ==================================================================
[   29.581647] Disabling lock debugging due to kernel taint
[   29.587226] Kernel panic - not syncing: panic_on_warn set ...
[   29.587226] 
[   29.594601] CPU: 0 PID: 4569 Comm: syz-executor130 Tainted: G    B             4.18.0-rc4+ #44
[   29.603352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.612683] Call Trace:
[   29.615268]  dump_stack+0x1c9/0x2b4
[   29.618878]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.624049]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.628790]  panic+0x238/0x4e7
[   29.631963]  ? add_taint.cold.5+0x16/0x16
[   29.636095]  ? do_raw_spin_unlock+0xa7/0x2f0
[   29.640490]  ? pdu_read+0x90/0xd0
[   29.643924]  kasan_end_report+0x47/0x4f
[   29.647880]  kasan_report.cold.7+0x76/0x2fe
[   29.652187]  check_memory_region+0x13e/0x1b0
[   29.656585]  memcpy+0x23/0x50
[   29.659683]  pdu_read+0x90/0xd0
[   29.662943]  p9pdu_readf+0x579/0x2170
[   29.666724]  ? p9pdu_writef+0xe0/0xe0
[   29.670504]  ? __fget+0x414/0x670
[   29.673937]  ? rcu_is_watching+0x61/0x150
[   29.678066]  ? expand_files.part.8+0x9c0/0x9c0
[   29.682631]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.687632]  ? p9_fd_show_options+0x1c0/0x1c0
[   29.692121]  p9_client_create+0xde0/0x16c9
[   29.696345]  ? p9_client_read+0xc60/0xc60
[   29.700482]  ? find_held_lock+0x36/0x1c0
[   29.704527]  ? __lockdep_init_map+0x105/0x590
[   29.709007]  ? kasan_check_write+0x14/0x20
[   29.713244]  ? __init_rwsem+0x1cc/0x2a0
[   29.717212]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   29.722210]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.727205]  ? __kmalloc_track_caller+0x5f5/0x760
[   29.732031]  ? save_stack+0xa9/0xd0
[   29.735640]  ? save_stack+0x43/0xd0
[   29.739254]  ? kasan_kmalloc+0xc4/0xe0
[   29.743120]  ? memcpy+0x45/0x50
[   29.746381]  v9fs_session_init+0x21a/0x1a80
[   29.750683]  ? find_held_lock+0x36/0x1c0
[   29.754726]  ? v9fs_show_options+0x7e0/0x7e0
[   29.759129]  ? kasan_check_read+0x11/0x20
[   29.763257]  ? rcu_is_watching+0x8c/0x150
[   29.767397]  ? rcu_pm_notify+0xc0/0xc0
[   29.771271]  ? rcu_pm_notify+0xc0/0xc0
[   29.775141]  ? v9fs_mount+0x61/0x900
[   29.778836]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.783837]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.788670]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   29.794203]  v9fs_mount+0x7c/0x900
[   29.797728]  mount_fs+0xae/0x328
[   29.801079]  vfs_kern_mount.part.34+0xdc/0x4e0
[   29.805655]  ? may_umount+0xb0/0xb0
[   29.809275]  ? _raw_read_unlock+0x22/0x30
[   29.813403]  ? __get_fs_type+0x97/0xc0
[   29.817272]  do_mount+0x581/0x30e0
[   29.820803]  ? copy_mount_string+0x40/0x40
[   29.825031]  ? copy_mount_options+0x5f/0x380
[   29.829436]  ? rcu_read_lock_sched_held+0x108/0x120
[   29.834437]  ? kmem_cache_alloc_trace+0x616/0x780
[   29.839265]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.844782]  ? copy_mount_options+0x285/0x380
[   29.849262]  __ia32_compat_sys_mount+0x5d5/0x860
[   29.854014]  do_fast_syscall_32+0x34d/0xfb2
[   29.858331]  ? do_int80_syscall_32+0x890/0x890
[   29.862891]  ? do_syscall_64+0x497/0x820
[   29.866932]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.871846]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.876760]  ? sysret32_from_system_call+0x5/0x46
[   29.881586]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.886422]  entry_SYSENTER_compat+0x70/0x7f
[   29.890825] RIP: 0023:0xf7ff8cb9
[   29.894172] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 
[   29.913296] RSP: 002b:00000000ffe0f02c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[   29.920987] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000140
[   29.928239] RDX: 0000000020000000 RSI: 0000000000000000 RDI: 0000000020000440
[   29.935511] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   29.942836] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   29.950098] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   29.957868] Dumping ftrace buffer:
[   29.961393]    (ftrace buffer empty)
[   29.965081] Kernel Offset: disabled
[   29.968686] Rebooting in 86400 seconds..