[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   16.302082] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.946220] random: sshd: uninitialized urandom read (32 bytes read)
[   18.377110] random: sshd: uninitialized urandom read (32 bytes read)
[   19.115341] random: sshd: uninitialized urandom read (32 bytes read)
[   19.253299] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
[   24.730614] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   24.944616] ==================================================================
[   24.952040] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   24.958186] Read of size 15078 at addr ffff8801b09605ed by task syz-executor120/4489
[   24.966047] 
[   24.967665] CPU: 1 PID: 4489 Comm: syz-executor120 Not tainted 4.18.0-rc5-next-20180720+ #12
[   24.976227] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.985577] Call Trace:
[   24.988159]  dump_stack+0x1c9/0x2b4
[   24.991775]  ? dump_stack_print_info.cold.2+0x52/0x52
[   24.996964]  ? printk+0xa7/0xcf
[   25.000237]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   25.004986]  ? pdu_read+0x90/0xd0
[   25.008428]  print_address_description+0x6c/0x20b
[   25.013272]  ? pdu_read+0x90/0xd0
[   25.016718]  kasan_report.cold.7+0x242/0x30d
[   25.021121]  check_memory_region+0x13e/0x1b0
[   25.025530]  memcpy+0x23/0x50
[   25.028619]  pdu_read+0x90/0xd0
[   25.031882]  p9pdu_readf+0x579/0x2170
[   25.035684]  ? p9pdu_writef+0xe0/0xe0
[   25.039476]  ? ksys_dup3+0x690/0x690
[   25.043184]  ? check_same_owner+0x340/0x340
[   25.047492]  ? p9_fd_poll+0x2b0/0x2b0
[   25.051280]  ? finish_wait+0x430/0x430
[   25.055161]  ? p9_fd_show_options+0x1c0/0x1c0
[   25.059665]  p9_client_create+0x6d0/0x1537
[   25.063915]  ? p9_client_read+0xbb0/0xbb0
[   25.068080]  ? lock_acquire+0x1e4/0x540
[   25.072045]  ? fs_reclaim_acquire+0x20/0x20
[   25.076367]  ? lock_release+0xa30/0xa30
[   25.080330]  ? __lockdep_init_map+0x105/0x590
[   25.084813]  ? kasan_check_write+0x14/0x20
[   25.089060]  ? __init_rwsem+0x1cc/0x2a0
[   25.093029]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   25.098063]  ? __kmalloc_track_caller+0x311/0x760
[   25.102902]  ? save_stack+0xa9/0xd0
[   25.106512]  ? save_stack+0x43/0xd0
[   25.110127]  ? kasan_kmalloc+0xc4/0xe0
[   25.114003]  ? memcpy+0x45/0x50
[   25.117275]  v9fs_session_init+0x21a/0x1a80
[   25.121579]  ? rcu_note_context_switch+0x730/0x730
[   25.126498]  ? legacy_parse_monolithic+0xde/0x1e0
[   25.131337]  ? v9fs_show_options+0x7e0/0x7e0
[   25.135744]  ? lock_release+0xa30/0xa30
[   25.139705]  ? check_same_owner+0x340/0x340
[   25.144022]  ? lock_downgrade+0x8f0/0x8f0
[   25.148170]  ? kasan_unpoison_shadow+0x35/0x50
[   25.152755]  ? kasan_kmalloc+0xc4/0xe0
[   25.156640]  ? kmem_cache_alloc_trace+0x318/0x780
[   25.161477]  ? kasan_unpoison_shadow+0x35/0x50
[   25.166058]  ? kasan_kmalloc+0xc4/0xe0
[   25.169936]  v9fs_mount+0x7c/0x900
[   25.173460]  ? v9fs_drop_inode+0x150/0x150
[   25.177676]  legacy_get_tree+0x131/0x460
[   25.181720]  vfs_get_tree+0x1cb/0x5c0
[   25.185514]  do_mount+0x6f2/0x1e20
[   25.189061]  ? check_same_owner+0x340/0x340
[   25.193375]  ? lock_release+0xa30/0xa30
[   25.197352]  ? copy_mount_string+0x40/0x40
[   25.201568]  ? kasan_kmalloc+0xc4/0xe0
[   25.205437]  ? kmem_cache_alloc_trace+0x318/0x780
[   25.210260]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   25.215808]  ? _copy_from_user+0xdf/0x150
[   25.219940]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   25.225459]  ? copy_mount_options+0x285/0x380
[   25.229950]  ksys_mount+0x12d/0x140
[   25.233575]  __x64_sys_mount+0xbe/0x150
[   25.237535]  do_syscall_64+0x1b9/0x820
[   25.241407]  ? finish_task_switch+0x1d3/0x870
[   25.245885]  ? syscall_return_slowpath+0x5e0/0x5e0
[   25.250800]  ? syscall_return_slowpath+0x31d/0x5e0
[   25.255717]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   25.260903]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   25.266438]  ? prepare_exit_to_usermode+0x291/0x3b0
[   25.271463]  ? perf_trace_sys_enter+0xb10/0xb10
[   25.276122]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.280955]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   25.286125] RIP: 0033:0x445d79
[   25.289291] Code: e8 ec ba 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   25.308414] RSP: 002b:00007fb160c54da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   25.316107] RAX: ffffffffffffffda RBX: 00000000006dbc44 RCX: 0000000000445d79
[   25.323373] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   25.330646] RBP: 0000000000000000 R08: 00000000200001c0 R09: 0000000000000000
[   25.337919] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006dbc40
[   25.345186] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[   25.352461] 
[   25.354095] Allocated by task 4489:
[   25.357723]  save_stack+0x43/0xd0
[   25.361173]  kasan_kmalloc+0xc4/0xe0
[   25.364878]  __kmalloc+0x14e/0x760
[   25.368418]  p9_fcall_alloc+0x1e/0x90
[   25.372209]  p9_client_prepare_req.part.8+0x132/0xa00
[   25.377386]  p9_client_rpc+0x242/0x1330
[   25.381346]  p9_client_create+0xca4/0x1537
[   25.386460]  v9fs_session_init+0x21a/0x1a80
[   25.390779]  v9fs_mount+0x7c/0x900
[   25.394317]  legacy_get_tree+0x131/0x460
[   25.398369]  vfs_get_tree+0x1cb/0x5c0
[   25.402160]  do_mount+0x6f2/0x1e20
[   25.405700]  ksys_mount+0x12d/0x140
[   25.409317]  __x64_sys_mount+0xbe/0x150
[   25.413295]  do_syscall_64+0x1b9/0x820
[   25.417173]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   25.422365] 
[   25.423977] Freed by task 0:
[   25.426973] (stack is not available)
[   25.430670] 
[   25.432296] The buggy address belongs to the object at ffff8801b09605c0
[   25.432296]  which belongs to the cache kmalloc-16384 of size 16384
[   25.445298] The buggy address is located 45 bytes inside of
[   25.445298]  16384-byte region [ffff8801b09605c0, ffff8801b09645c0)
[   25.457257] The buggy address belongs to the page:
[   25.462185] page:ffffea0006c25800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   25.472153] flags: 0x2fffc0000010200(slab|head)
[   25.476821] raw: 02fffc0000010200 ffffea000750fe08 ffffea0006c25408 ffff8801da802200
[   25.484711] raw: 0000000000000000 ffff8801b09605c0 0000000100000001 0000000000000000
[   25.492593] page dumped because: kasan: bad access detected
[   25.498295] 
[   25.499910] Memory state around the buggy address:
[   25.504841]  ffff8801b0962480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.512193]  ffff8801b0962500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   25.519542] >ffff8801b0962580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   25.526907]                                                        ^
[   25.533405]  ffff8801b0962600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.540758]  ffff8801b0962680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.548101] ==================================================================
[   25.555546] Kernel panic - not syncing: panic_on_warn set ...
[   25.555546] 
[   25.562911] CPU: 1 PID: 4489 Comm: syz-executor120 Tainted: G    B             4.18.0-rc5-next-20180720+ #12
[   25.572857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.582196] Call Trace:
[   25.584775]  dump_stack+0x1c9/0x2b4
[   25.588390]  ? dump_stack_print_info.cold.2+0x52/0x52
[   25.593582]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.598333]  panic+0x238/0x4e7
[   25.601541]  ? add_taint.cold.5+0x16/0x16
[   25.605700]  ? do_raw_spin_unlock+0xa7/0x2f0
[   25.610120]  ? pdu_read+0x90/0xd0
[   25.613572]  kasan_end_report+0x47/0x4f
[   25.617547]  kasan_report.cold.7+0x76/0x30d
[   25.621855]  check_memory_region+0x13e/0x1b0
[   25.626252]  memcpy+0x23/0x50
[   25.629355]  pdu_read+0x90/0xd0
[   25.632622]  p9pdu_readf+0x579/0x2170
[   25.636414]  ? p9pdu_writef+0xe0/0xe0
[   25.640197]  ? ksys_dup3+0x690/0x690
[   25.643892]  ? check_same_owner+0x340/0x340
[   25.648193]  ? p9_fd_poll+0x2b0/0x2b0
[   25.651990]  ? finish_wait+0x430/0x430
[   25.655902]  ? p9_fd_show_options+0x1c0/0x1c0
[   25.660390]  p9_client_create+0x6d0/0x1537
[   25.664622]  ? p9_client_read+0xbb0/0xbb0
[   25.668770]  ? lock_acquire+0x1e4/0x540
[   25.672748]  ? fs_reclaim_acquire+0x20/0x20
[   25.677068]  ? lock_release+0xa30/0xa30
[   25.681034]  ? __lockdep_init_map+0x105/0x590
[   25.685533]  ? kasan_check_write+0x14/0x20
[   25.689747]  ? __init_rwsem+0x1cc/0x2a0
[   25.693710]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   25.698723]  ? __kmalloc_track_caller+0x311/0x760
[   25.703557]  ? save_stack+0xa9/0xd0
[   25.707166]  ? save_stack+0x43/0xd0
[   25.710773]  ? kasan_kmalloc+0xc4/0xe0
[   25.714645]  ? memcpy+0x45/0x50
[   25.717909]  v9fs_session_init+0x21a/0x1a80
[   25.722212]  ? rcu_note_context_switch+0x730/0x730
[   25.727126]  ? legacy_parse_monolithic+0xde/0x1e0
[   25.731965]  ? v9fs_show_options+0x7e0/0x7e0
[   25.736366]  ? lock_release+0xa30/0xa30
[   25.740334]  ? check_same_owner+0x340/0x340
[   25.744655]  ? lock_downgrade+0x8f0/0x8f0
[   25.748784]  ? kasan_unpoison_shadow+0x35/0x50
[   25.753355]  ? kasan_kmalloc+0xc4/0xe0
[   25.757227]  ? kmem_cache_alloc_trace+0x318/0x780
[   25.762051]  ? kasan_unpoison_shadow+0x35/0x50
[   25.766616]  ? kasan_kmalloc+0xc4/0xe0
[   25.770487]  v9fs_mount+0x7c/0x900
[   25.774021]  ? v9fs_drop_inode+0x150/0x150
[   25.778243]  legacy_get_tree+0x131/0x460
[   25.782291]  vfs_get_tree+0x1cb/0x5c0
[   25.786084]  do_mount+0x6f2/0x1e20
[   25.789606]  ? check_same_owner+0x340/0x340
[   25.793918]  ? lock_release+0xa30/0xa30
[   25.797912]  ? copy_mount_string+0x40/0x40
[   25.802141]  ? kasan_kmalloc+0xc4/0xe0
[   25.806029]  ? kmem_cache_alloc_trace+0x318/0x780
[   25.810868]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   25.816391]  ? _copy_from_user+0xdf/0x150
[   25.820537]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   25.826068]  ? copy_mount_options+0x285/0x380
[   25.830552]  ksys_mount+0x12d/0x140
[   25.834161]  __x64_sys_mount+0xbe/0x150
[   25.838120]  do_syscall_64+0x1b9/0x820
[   25.842011]  ? finish_task_switch+0x1d3/0x870
[   25.846503]  ? syscall_return_slowpath+0x5e0/0x5e0
[   25.851427]  ? syscall_return_slowpath+0x31d/0x5e0
[   25.856348]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   25.861358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   25.866878]  ? prepare_exit_to_usermode+0x291/0x3b0
[   25.871890]  ? perf_trace_sys_enter+0xb10/0xb10
[   25.876563]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.881407]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   25.886586] RIP: 0033:0x445d79
[   25.889773] Code: e8 ec ba 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   25.908900] RSP: 002b:00007fb160c54da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   25.916604] RAX: ffffffffffffffda RBX: 00000000006dbc44 RCX: 0000000000445d79
[   25.923859] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   25.931293] RBP: 0000000000000000 R08: 00000000200001c0 R09: 0000000000000000
[   25.938548] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006dbc40
[   25.945797] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[   25.953465] Dumping ftrace buffer:
[   25.956985]    (ftrace buffer empty)
[   25.960673] Kernel Offset: disabled
[   25.964276] Rebooting in 86400 seconds..
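Reading the report: pdu_read is asked to copy 15078 bytes starting 45 bytes into an object that p9_fcall_alloc obtained during the version handshake in p9_client_create, i.e. the receive buffer for a 9P reply. The reply arrives over a file descriptor the caller of mount(2) supplied (R14 holds the bytes "trans=fd", R13 "./file0", read little-endian), so the peer that writes the PDU is the unprivileged task itself. The slab cache is kmalloc-16384, but the KASAN shadow marks only the first 0x2020 (8224) bytes of the object as accessible (the 00 bytes end at ffff8801b09625e0, the rest is fc redzone), so the request was far smaller than the cache size and the copy would have run roughly 6.9 KB past it. The arithmetic 45 = 32 + 7 + 4 + 2 (a small fcall struct header, then the 9P header, the msize field and a string length, i.e. the read is the Rversion's version string) is an inference from these numbers, not something the log states.

The pattern behind the crash: pdu_read clamps each copy to the PDU's own declared size, the size[4] field at the front of every 9P message, and that field is written by the peer. If the transport accepts a header whose declared size exceeds the buffer it allocated, every later field read is clamped against a limit that already lies past the allocation, and the string length that follows (also peer-chosen) walks straight off the end. The block below is an added example, written for this page and not taken from the syzkaller log or from the kernel's net/9p code. It models a receive step that refuses a declared size larger than the buffer, the same clamp-by-declared-size read helper, and a string reader that turns an unbacked length into an error instead of a short read. The 8192-byte buffer, the struct layout, the Rversion bytes and the lying string length are constructed assumptions; the 15078-byte size is the one from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a 9P receive buffer, constructed for this example; field names mirror
 * the kernel's struct p9_fcall (size, offset, sdata) but this is not kernel code. */
struct pdu {
    size_t   capacity;  /* bytes actually allocated for sdata */
    uint32_t size;      /* PDU length as declared by the peer in the header */
    size_t   offset;    /* read cursor */
    uint8_t *sdata;
};
#define P9_HDRSZ 7u     /* every 9P message starts with size[4] type[1] tag[2] */
#define P9_MSIZE 8192u  /* receive buffer size assumed for this example */
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Accept one message from the transport: 0 on success, -1 if the declared size
 * cannot be trusted. Whoever holds the transport (with trans=fd, the user who
 * passed the fd to mount) chooses `size`; bounding it by `capacity` is the check
 * that keeps every later pdu_read inside the allocation. */
static int pdu_receive(struct pdu *pdu, const uint8_t *wire, size_t wirelen)
{
    uint32_t size;
    if (wirelen < P9_HDRSZ)
        return -1;
    size = le32(wire);
    if (size < P9_HDRSZ || size > pdu->capacity || size > wirelen)
        return -1;
    memcpy(pdu->sdata, wire, size);
    pdu->size = size;
    pdu->offset = P9_HDRSZ;
    return 0;
}

/* Same contract as the helper in the trace: copy up to `size` bytes from the
 * cursor, return how many could NOT be served. It clamps to pdu->size and never
 * re-checks capacity, so it is exactly as safe as pdu->size is honest. */
static size_t pdu_read(struct pdu *pdu, void *data, size_t size)
{
    size_t avail = pdu->size > pdu->offset ? pdu->size - pdu->offset : 0;
    size_t len = size < avail ? size : avail;
    memcpy(data, pdu->sdata + pdu->offset, len);
    pdu->offset += len;
    return size - len;
}

/* 9P string s[2]: len[2] then len bytes. Returns len, or -1 when the PDU does not
 * hold the bytes the length field promises (an error, never a short read). */
static int pdu_read_string(struct pdu *pdu, char *out, size_t outcap)
{
    uint8_t lenbuf[2];
    uint16_t len;
    if (pdu_read(pdu, lenbuf, sizeof lenbuf) != 0)
        return -1;
    len = (uint16_t)(lenbuf[0] | lenbuf[1] << 8);
    if (len >= outcap || pdu_read(pdu, out, len) != 0)
        return -1;
    out[len] = '\0';
    return len;
}

/* Header claiming 15078 bytes (the size in the report) offered to an 8192-byte
 * receiver: 1 if it is refused before anything is copied. */
int demo_reject_oversize_header(void)
{
    static uint8_t wire[15078] = { 0xE6, 0x3A, 0, 0, 101, 0xFF, 0xFF }; /* constructed */
    uint8_t buf[P9_MSIZE];
    struct pdu pdu = { sizeof buf, 0, 0, buf };
    return pdu_receive(&pdu, wire, sizeof wire) == -1;
}

/* Receive a constructed Rversion (size=19, type=101, tag=NOTAG, msize=8192, six
 * version bytes "9P2000") whose string length field is `claimed`, then parse it.
 * Returns the msize read, or -1 if the version string could not be read. */
static int parse_rversion(uint8_t claimed)
{
    uint8_t wire[19] = { 19, 0, 0, 0, 101, 0xFF, 0xFF, 0x00, 0x20, 0x00, 0x00,
                         claimed, 0, '9', 'P', '2', '0', '0', '0' };
    uint8_t buf[P9_MSIZE], m[4];
    char ver[16];
    struct pdu pdu = { sizeof buf, 0, 0, buf };
    if (pdu_receive(&pdu, wire, sizeof wire) != 0 || pdu_read(&pdu, m, 4) != 0)
        return -1;
    if (pdu_read_string(&pdu, ver, sizeof ver) != 6 || strcmp(ver, "9P2000") != 0)
        return -1;
    return (int)le32(m);
}

int demo_parse_rversion(void)   { return parse_rversion(6);  }  /* honest length: msize 8192 */
int demo_truncated_string(void) { return parse_rversion(12); }  /* 12 claimed, 6 present: -1 */

int main(void)
{
    printf("oversize header rejected: %d\n", demo_reject_oversize_header());
    printf("Rversion msize: %d\n", demo_parse_rversion());
    printf("truncated string: %d\n", demo_truncated_string());
    return 0;
}
```

The point of keeping pdu_read unchanged is that it is not where the defence belongs: it already does the right thing relative to pdu->size, and adding a capacity check there would hide the real problem, which is that a peer-chosen size was stored as pdu->size without being compared to the allocation. The check in pdu_receive is the one a 9P client must make at the transport boundary, and pdu_read_string shows why an unbacked length must fail hard rather than return a shorter string: the p9pdu_readf caller has no other way to learn that the peer lied.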