[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.062202] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.846159] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.282258] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.169526] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.319475] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[ 37.820864] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 37.911716] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 37.931498] ==================================================================
[ 37.938950] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 37.945078] Read of size 29811 at addr ffff8801aeba846d by task syz-executor905/4527
[ 37.952935]
[ 37.954547] CPU: 0 PID: 4527 Comm: syz-executor905 Not tainted 4.18.0-rc4+ #141
[ 37.961973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.971394] Call Trace:
[ 37.973968]  dump_stack+0x1c9/0x2b4
[ 37.977587]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 37.982760]  ? printk+0xa7/0xcf
[ 37.986028]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 37.990779]  ? pdu_read+0x90/0xd0
[ 37.994216]  print_address_description+0x6c/0x20b
[ 37.999041]  ? pdu_read+0x90/0xd0
[ 38.002486]  kasan_report.cold.7+0x242/0x2fe
[ 38.006888]  check_memory_region+0x13e/0x1b0
[ 38.011297]  memcpy+0x23/0x50
[ 38.014399]  pdu_read+0x90/0xd0
[ 38.017664]  p9pdu_readf+0x579/0x2170
[ 38.021451]  ? p9pdu_writef+0xe0/0xe0
[ 38.025235]  ? __fget+0x414/0x670
[ 38.028681]  ? rcu_is_watching+0x61/0x150
[ 38.032813]  ? expand_files.part.8+0x9c0/0x9c0
[ 38.037384]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.042396]  ? p9_fd_show_options+0x1c0/0x1c0
[ 38.046880]  p9_client_create+0xde0/0x16c9
[ 38.051103]  ? p9_client_read+0xc60/0xc60
[ 38.055232]  ? find_held_lock+0x36/0x1c0
[ 38.059282]  ? __lockdep_init_map+0x105/0x590
[ 38.063771]  ? kasan_check_write+0x14/0x20
[ 38.067995]  ? __init_rwsem+0x1cc/0x2a0
[ 38.071954]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 38.076957]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.081958]  ? __kmalloc_track_caller+0x5f5/0x760
[ 38.087066]  ? save_stack+0xa9/0xd0
[ 38.090676]  ? save_stack+0x43/0xd0
[ 38.094286]  ? kasan_kmalloc+0xc4/0xe0
[ 38.098157]  ? kmem_cache_alloc_trace+0x152/0x780
[ 38.102985]  ? memcpy+0x45/0x50
[ 38.106267]  v9fs_session_init+0x21a/0x1a80
[ 38.110577]  ? find_held_lock+0x36/0x1c0
[ 38.114628]  ? v9fs_show_options+0x7e0/0x7e0
[ 38.119024]  ? kasan_check_read+0x11/0x20
[ 38.123153]  ? rcu_is_watching+0x8c/0x150
[ 38.127282]  ? rcu_pm_notify+0xc0/0xc0
[ 38.131158]  ? v9fs_mount+0x61/0x900
[ 38.134857]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.139858]  ? kmem_cache_alloc_trace+0x616/0x780
[ 38.144688]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 38.150221]  v9fs_mount+0x7c/0x900
[ 38.153749]  mount_fs+0xae/0x328
[ 38.157101]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 38.161667]  ? may_umount+0xb0/0xb0
[ 38.165280]  ? _raw_read_unlock+0x22/0x30
[ 38.169413]  ? __get_fs_type+0x97/0xc0
[ 38.173283]  do_mount+0x581/0x30e0
[ 38.176807]  ? copy_mount_string+0x40/0x40
[ 38.181027]  ? copy_mount_options+0x5f/0x380
[ 38.185421]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.190422]  ? kmem_cache_alloc_trace+0x616/0x780
[ 38.195262]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.200784]  ? _copy_from_user+0xdf/0x150
[ 38.204917]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.210442]  ? copy_mount_options+0x285/0x380
[ 38.214925]  ksys_mount+0x12d/0x140
[ 38.218539]  __x64_sys_mount+0xbe/0x150
[ 38.222501]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 38.227596]  do_syscall_64+0x1b9/0x820
[ 38.231483]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 38.236399]  ? syscall_return_slowpath+0x31d/0x5e0
[ 38.241317]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 38.246669]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.251503]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.256677] RIP: 0033:0x440c49
[ 38.259844] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.279017] RSP: 002b:00007fff709d9ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 38.286713] RAX: ffffffffffffffda RBX: 00007fff709d9d00 RCX: 0000000000440c49
[ 38.293964] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 38.301215] RBP: 0000000000000000 R08: 0000000020000180 R09: 0000000000000000
[ 38.308466] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004024d0
[ 38.315722] R13: 0000000000402560 R14: 0000000000000000 R15: 0000000000000000
[ 38.322981]
[ 38.324588] Allocated by task 4527:
[ 38.328204]  save_stack+0x43/0xd0
[ 38.331652]  kasan_kmalloc+0xc4/0xe0
[ 38.335346]  __kmalloc+0x14e/0x760
[ 38.338867]  p9_fcall_alloc+0x1e/0x90
[ 38.342649]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 38.347820]  p9_client_rpc+0x1bd/0x1400
[ 38.351774]  p9_client_create+0xd09/0x16c9
[ 38.355991]  v9fs_session_init+0x21a/0x1a80
[ 38.360300]  v9fs_mount+0x7c/0x900
[ 38.363829]  mount_fs+0xae/0x328
[ 38.367176]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 38.371738]  do_mount+0x581/0x30e0
[ 38.375256]  ksys_mount+0x12d/0x140
[ 38.378864]  __x64_sys_mount+0xbe/0x150
[ 38.382832]  do_syscall_64+0x1b9/0x820
[ 38.386791]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.391955]
[ 38.393563] Freed by task 0:
[ 38.396557] (stack is not available)
[ 38.400256]
[ 38.401962] The buggy address belongs to the object at ffff8801aeba8440
[ 38.401962]  which belongs to the cache kmalloc-16384 of size 16384
[ 38.414949] The buggy address is located 45 bytes inside of
[ 38.414949]  16384-byte region [ffff8801aeba8440, ffff8801aebac440)
[ 38.426898] The buggy address belongs to the page:
[ 38.431821] page:ffffea0006baea00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 38.441860] flags: 0x2fffc0000008100(slab|head)
[ 38.446514] raw: 02fffc0000008100 ffffea0006ba7e08 ffff8801da801c48 ffff8801da802200
[ 38.455519] raw: 0000000000000000 ffff8801aeba8440 0000000100000001 0000000000000000
[ 38.463378] page dumped because: kasan: bad access detected
[ 38.469064]
[ 38.470666] Memory state around the buggy address:
[ 38.475575]  ffff8801aebaa300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.482915]  ffff8801aebaa380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.490258] >ffff8801aebaa400: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 38.497600]                                                        ^
[ 38.504159]  ffff8801aebaa480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.511499]  ffff8801aebaa500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.518834] ==================================================================
[ 38.526170] Disabling lock debugging due to kernel taint
[ 38.531667] Kernel panic - not syncing: panic_on_warn set ...
[ 38.531667]
[ 38.539028] CPU: 0 PID: 4527 Comm: syz-executor905 Tainted: G    B 4.18.0-rc4+ #141
[ 38.547842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.557184] Call Trace:
[ 38.559758]  dump_stack+0x1c9/0x2b4
[ 38.563383]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.568556]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 38.573309]  panic+0x238/0x4e7
[ 38.576479]  ? add_taint.cold.5+0x16/0x16
[ 38.580610]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 38.585000]  ? pdu_read+0x90/0xd0
[ 38.588435]  kasan_end_report+0x47/0x4f
[ 38.592394]  kasan_report.cold.7+0x76/0x2fe
[ 38.596715]  check_memory_region+0x13e/0x1b0
[ 38.601108]  memcpy+0x23/0x50
[ 38.604195]  pdu_read+0x90/0xd0
[ 38.607465]  p9pdu_readf+0x579/0x2170
[ 38.611248]  ? p9pdu_writef+0xe0/0xe0
[ 38.615027]  ? __fget+0x414/0x670
[ 38.618468]  ? rcu_is_watching+0x61/0x150
[ 38.622597]  ? expand_files.part.8+0x9c0/0x9c0
[ 38.627162]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.632163]  ? p9_fd_show_options+0x1c0/0x1c0
[ 38.636660]  p9_client_create+0xde0/0x16c9
[ 38.640887]  ? p9_client_read+0xc60/0xc60
[ 38.645023]  ? find_held_lock+0x36/0x1c0
[ 38.649069]  ? __lockdep_init_map+0x105/0x590
[ 38.653553]  ? kasan_check_write+0x14/0x20
[ 38.657775]  ? __init_rwsem+0x1cc/0x2a0
[ 38.661817]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 38.666817]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.671817]  ? __kmalloc_track_caller+0x5f5/0x760
[ 38.676641]  ? save_stack+0xa9/0xd0
[ 38.680248]  ? save_stack+0x43/0xd0
[ 38.683861]  ? kasan_kmalloc+0xc4/0xe0
[ 38.687737]  ? kmem_cache_alloc_trace+0x152/0x780
[ 38.692559]  ? memcpy+0x45/0x50
[ 38.695820]  v9fs_session_init+0x21a/0x1a80
[ 38.700260]  ? find_held_lock+0x36/0x1c0
[ 38.704402]  ? v9fs_show_options+0x7e0/0x7e0
[ 38.708808]  ? kasan_check_read+0x11/0x20
[ 38.712935]  ? rcu_is_watching+0x8c/0x150
[ 38.717061]  ? rcu_pm_notify+0xc0/0xc0
[ 38.721052]  ? v9fs_mount+0x61/0x900
[ 38.724758]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.729790]  ? kmem_cache_alloc_trace+0x616/0x780
[ 38.734640]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 38.740172]  v9fs_mount+0x7c/0x900
[ 38.743715]  mount_fs+0xae/0x328
[ 38.747062]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 38.751632]  ? may_umount+0xb0/0xb0
[ 38.755238]  ? _raw_read_unlock+0x22/0x30
[ 38.759366]  ? __get_fs_type+0x97/0xc0
[ 38.763236]  do_mount+0x581/0x30e0
[ 38.766779]  ? copy_mount_string+0x40/0x40
[ 38.770997]  ? copy_mount_options+0x5f/0x380
[ 38.775388]  ? rcu_read_lock_sched_held+0x108/0x120
[ 38.780398]  ? kmem_cache_alloc_trace+0x616/0x780
[ 38.785222]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.790741]  ? _copy_from_user+0xdf/0x150
[ 38.794871]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.800391]  ? copy_mount_options+0x285/0x380
[ 38.804871]  ksys_mount+0x12d/0x140
[ 38.808491]  __x64_sys_mount+0xbe/0x150
[ 38.812449]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 38.817458]  do_syscall_64+0x1b9/0x820
[ 38.821328]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 38.826237]  ? syscall_return_slowpath+0x31d/0x5e0
[ 38.831155]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 38.836504]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.841333]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.846501] RIP: 0033:0x440c49
[ 38.849668] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.868790] RSP: 002b:00007fff709d9ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 38.876477] RAX: ffffffffffffffda RBX: 00007fff709d9d00 RCX: 0000000000440c49
[ 38.883726] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 38.890974] RBP: 0000000000000000 R08: 0000000020000180 R09: 0000000000000000
[ 38.898223] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004024d0
[ 38.905473] R13: 0000000000402560 R14: 0000000000000000 R15: 0000000000000000
[ 38.913146] Dumping ftrace buffer:
[ 38.916662]    (ftrace buffer empty)
[ 38.920376] Kernel Offset: disabled
[ 38.923993] Rebooting in 86400 seconds..