[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   15.291433] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.318719] random: sshd: uninitialized urandom read (32 bytes read)
[   19.547731] random: sshd: uninitialized urandom read (32 bytes read)
[   20.296722] random: sshd: uninitialized urandom read (32 bytes read)
[   30.717388] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts.
[   36.182998] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
[   36.468689] ==================================================================
[   36.476091] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   36.482829] Read of size 8306 at addr ffff8801b0e688ed by task syz-executor116/4416
[   36.490686] 
[   36.492323] CPU: 0 PID: 4416 Comm: syz-executor116 Not tainted 4.18.0-rc5-next-20180720+ #12
[   36.500973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.510412] Call Trace:
[   36.512992]  dump_stack+0x1c9/0x2b4
[   36.516617]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.521791]  ? printk+0xa7/0xcf
[   36.525067]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   36.529838]  ? pdu_read+0x90/0xd0
[   36.533328]  print_address_description+0x6c/0x20b
[   36.538194]  ? pdu_read+0x90/0xd0
[   36.541649]  kasan_report.cold.7+0x242/0x30d
[   36.546096]  check_memory_region+0x13e/0x1b0
[   36.550516]  memcpy+0x23/0x50
[   36.553631]  pdu_read+0x90/0xd0
[   36.556926]  p9pdu_readf+0x579/0x2170
[   36.560735]  ? p9pdu_writef+0xe0/0xe0
[   36.564564]  ? ksys_dup3+0x690/0x690
[   36.568324]  ? do_raw_spin_lock+0xc1/0x200
[   36.572567]  ? finish_wait+0x430/0x430
[   36.576673]  ? p9_fd_show_options+0x1c0/0x1c0
[   36.581627]  p9_client_create+0x6d0/0x1537
[   36.585864]  ? p9_client_read+0xbb0/0xbb0
[   36.590270]  ? lock_acquire+0x1e4/0x540
[   36.594238]  ? fs_reclaim_acquire+0x20/0x20
[   36.598557]  ? lock_release+0xa30/0xa30
[   36.602522]  ? __lockdep_init_map+0x105/0x590
[   36.607007]  ? kasan_check_write+0x14/0x20
[   36.611234]  ? __init_rwsem+0x1cc/0x2a0
[   36.615193]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   36.620196]  ? __kmalloc_track_caller+0x311/0x760
[   36.625022]  ? save_stack+0xa9/0xd0
[   36.629334]  ? save_stack+0x43/0xd0
[   36.633084]  ? kasan_kmalloc+0xc4/0xe0
[   36.636974]  ? memcpy+0x45/0x50
[   36.640336]  v9fs_session_init+0x21a/0x1a80
[   36.644645]  ? rcu_note_context_switch+0x730/0x730
[   36.650014]  ? legacy_parse_monolithic+0xde/0x1e0
[   36.654865]  ? v9fs_show_options+0x7e0/0x7e0
[   36.659288]  ? lock_release+0xa30/0xa30
[   36.663276]  ? check_same_owner+0x340/0x340
[   36.667616]  ? lock_downgrade+0x8f0/0x8f0
[   36.671771]  ? kasan_unpoison_shadow+0x35/0x50
[   36.676613]  ? kasan_kmalloc+0xc4/0xe0
[   36.680498]  ? kmem_cache_alloc_trace+0x318/0x780
[   36.685898]  ? kasan_unpoison_shadow+0x35/0x50
[   36.691898]  ? kasan_kmalloc+0xc4/0xe0
[   36.695799]  v9fs_mount+0x7c/0x900
[   36.700236]  ? v9fs_drop_inode+0x150/0x150
[   36.704459]  legacy_get_tree+0x131/0x460
[   36.708518]  vfs_get_tree+0x1cb/0x5c0
[   36.712300]  do_mount+0x6f2/0x1e20
[   36.715827]  ? check_same_owner+0x340/0x340
[   36.720131]  ? lock_release+0xa30/0xa30
[   36.724103]  ? copy_mount_string+0x40/0x40
[   36.728342]  ? kasan_kmalloc+0xc4/0xe0
[   36.732231]  ? kmem_cache_alloc_trace+0x318/0x780
[   36.737075]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.743340]  ? _copy_from_user+0xdf/0x150
[   36.747510]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.754045]  ? copy_mount_options+0x285/0x380
[   36.758557]  ksys_mount+0x12d/0x140
[   36.762351]  __x64_sys_mount+0xbe/0x150
[   36.766311]  do_syscall_64+0x1b9/0x820
[   36.770195]  ? finish_task_switch+0x1d3/0x870
[   36.774872]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.779794]  ? syscall_return_slowpath+0x31d/0x5e0
[   36.784730]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   36.789738]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.795256]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.800262]  ? perf_trace_sys_enter+0xb10/0xb10
[   36.806147]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.810989]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.816161] RIP: 0033:0x445fb9
[   36.819344] Code: e8 dc bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   36.838485] RSP: 002b:00007f54eadf5ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   36.846203] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000445fb9
[   36.853477] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   36.860730] RBP: 00000000006dbc20 R08: 0000000020000080 R09: 0000000000000000
[   36.867998] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   36.875267] R13: 00007ffcc6d3dcaf R14: 00007f54eadf69c0 R15: 0000000000000001
[   36.882539] 
[   36.884150] Allocated by task 4416:
[   36.887761]  save_stack+0x43/0xd0
[   36.891192]  kasan_kmalloc+0xc4/0xe0
[   36.894895]  __kmalloc+0x14e/0x760
[   36.898426]  p9_fcall_alloc+0x1e/0x90
[   36.902207]  p9_client_prepare_req.part.8+0x132/0xa00
[   36.907388]  p9_client_rpc+0x242/0x1330
[   36.911342]  p9_client_create+0xca4/0x1537
[   36.915564]  v9fs_session_init+0x21a/0x1a80
[   36.920226]  v9fs_mount+0x7c/0x900
[   36.923759]  legacy_get_tree+0x131/0x460
[   36.927818]  vfs_get_tree+0x1cb/0x5c0
[   36.931599]  do_mount+0x6f2/0x1e20
[   36.935117]  ksys_mount+0x12d/0x140
[   36.938721]  __x64_sys_mount+0xbe/0x150
[   36.942689]  do_syscall_64+0x1b9/0x820
[   36.946558]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.951720] 
[   36.953336] Freed by task 0:
[   36.956332] (stack is not available)
[   36.960020] 
[   36.961627] The buggy address belongs to the object at ffff8801b0e688c0
[   36.961627]  which belongs to the cache kmalloc-16384 of size 16384
[   36.974884] The buggy address is located 45 bytes inside of
[   36.974884]  16384-byte region [ffff8801b0e688c0, ffff8801b0e6c8c0)
[   36.987274] The buggy address belongs to the page:
[   36.992194] page:ffffea0006c39a00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   37.002411] flags: 0x2fffc0000010200(slab|head)
[   37.007076] raw: 02fffc0000010200 ffffea00073fa208 ffffea0006c3be08 ffff8801da802200
[   37.014952] raw: 0000000000000000 ffff8801b0e688c0 0000000100000001 0000000000000000
[   37.022812] page dumped because: kasan: bad access detected
[   37.028619] 
[   37.030245] Memory state around the buggy address:
[   37.035190]  ffff8801b0e6a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.042544]  ffff8801b0e6a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.049903] >ffff8801b0e6a880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   37.057869]                                                        ^
[   37.064360]  ffff8801b0e6a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.071713]  ffff8801b0e6a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.079061] ==================================================================
[   37.086538] Kernel panic - not syncing: panic_on_warn set ...
[   37.086538] 
[   37.093916] CPU: 0 PID: 4416 Comm: syz-executor116 Tainted: G    B             4.18.0-rc5-next-20180720+ #12
[   37.103873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.113311] Call Trace:
[   37.115918]  dump_stack+0x1c9/0x2b4
[   37.119532]  ? dump_stack_print_info.cold.2+0x52/0x52
[   37.124712]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   37.129460]  panic+0x238/0x4e7
[   37.132640]  ? add_taint.cold.5+0x16/0x16
[   37.136821]  ? do_raw_spin_unlock+0xa7/0x2f0
[   37.141240]  ? pdu_read+0x90/0xd0
[   37.144693]  kasan_end_report+0x47/0x4f
[   37.148685]  kasan_report.cold.7+0x76/0x30d
[   37.153010]  check_memory_region+0x13e/0x1b0
[   37.157406]  memcpy+0x23/0x50
[   37.160595]  pdu_read+0x90/0xd0
[   37.163857]  p9pdu_readf+0x579/0x2170
[   37.167647]  ? p9pdu_writef+0xe0/0xe0
[   37.171433]  ? ksys_dup3+0x690/0x690
[   37.175135]  ? do_raw_spin_lock+0xc1/0x200
[   37.180794]  ? finish_wait+0x430/0x430
[   37.184682]  ? p9_fd_show_options+0x1c0/0x1c0
[   37.189177]  p9_client_create+0x6d0/0x1537
[   37.193420]  ? p9_client_read+0xbb0/0xbb0
[   37.197570]  ? lock_acquire+0x1e4/0x540
[   37.201553]  ? fs_reclaim_acquire+0x20/0x20
[   37.206234]  ? lock_release+0xa30/0xa30
[   37.210226]  ? __lockdep_init_map+0x105/0x590
[   37.214712]  ? kasan_check_write+0x14/0x20
[   37.218943]  ? __init_rwsem+0x1cc/0x2a0
[   37.222918]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   37.227940]  ? __kmalloc_track_caller+0x311/0x760
[   37.232784]  ? save_stack+0xa9/0xd0
[   37.236427]  ? save_stack+0x43/0xd0
[   37.240048]  ? kasan_kmalloc+0xc4/0xe0
[   37.243929]  ? memcpy+0x45/0x50
[   37.247225]  v9fs_session_init+0x21a/0x1a80
[   37.251554]  ? rcu_note_context_switch+0x730/0x730
[   37.256518]  ? legacy_parse_monolithic+0xde/0x1e0
[   37.261374]  ? v9fs_show_options+0x7e0/0x7e0
[   37.265772]  ? lock_release+0xa30/0xa30
[   37.269743]  ? check_same_owner+0x340/0x340
[   37.274044]  ? lock_downgrade+0x8f0/0x8f0
[   37.278198]  ? kasan_unpoison_shadow+0x35/0x50
[   37.282764]  ? kasan_kmalloc+0xc4/0xe0
[   37.286643]  ? kmem_cache_alloc_trace+0x318/0x780
[   37.291475]  ? kasan_unpoison_shadow+0x35/0x50
[   37.296036]  ? kasan_kmalloc+0xc4/0xe0
[   37.299911]  v9fs_mount+0x7c/0x900
[   37.303569]  ? v9fs_drop_inode+0x150/0x150
[   37.307786]  legacy_get_tree+0x131/0x460
[   37.311831]  vfs_get_tree+0x1cb/0x5c0
[   37.315626]  do_mount+0x6f2/0x1e20
[   37.319158]  ? check_same_owner+0x340/0x340
[   37.323461]  ? lock_release+0xa30/0xa30
[   37.327417]  ? copy_mount_string+0x40/0x40
[   37.331633]  ? kasan_kmalloc+0xc4/0xe0
[   37.335512]  ? kmem_cache_alloc_trace+0x318/0x780
[   37.340338]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   37.345858]  ? _copy_from_user+0xdf/0x150
[   37.350351]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.355885]  ? copy_mount_options+0x285/0x380
[   37.360384]  ksys_mount+0x12d/0x140
[   37.364016]  __x64_sys_mount+0xbe/0x150
[   37.368069]  do_syscall_64+0x1b9/0x820
[   37.371952]  ? finish_task_switch+0x1d3/0x870
[   37.376440]  ? syscall_return_slowpath+0x5e0/0x5e0
[   37.381353]  ? syscall_return_slowpath+0x31d/0x5e0
[   37.386273]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   37.391279]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.397422]  ? prepare_exit_to_usermode+0x291/0x3b0
[   37.402426]  ? perf_trace_sys_enter+0xb10/0xb10
[   37.407173]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.412006]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.417193] RIP: 0033:0x445fb9
[   37.420361] Code: e8 dc bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   37.439491] RSP: 002b:00007f54eadf5ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   37.447181] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000445fb9
[   37.454429] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[   37.461970] RBP: 00000000006dbc20 R08: 0000000020000080 R09: 0000000000000000
[   37.469263] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   37.476774] R13: 00007ffcc6d3dcaf R14: 00007f54eadf69c0 R15: 0000000000000001
[   37.484666] Dumping ftrace buffer:
[   37.488287]    (ftrace buffer empty)
[   37.491987] Kernel Offset: disabled
[   37.495718] Rebooting in 86400 seconds..