[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.722920] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.598966] random: sshd: uninitialized urandom read (32 bytes read)
[   24.939498] random: sshd: uninitialized urandom read (32 bytes read)
[   25.799439] random: sshd: uninitialized urandom read (32 bytes read)
[   25.962716] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
[   31.444428] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
[   31.549552] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   31.580592] ==================================================================
[   31.588084] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   31.594225] Read of size 45783 at addr ffff8801c26005ad by task syz-executor360/4561
[   31.602090]
[   31.603821] CPU: 0 PID: 4561 Comm: syz-executor360 Not tainted 4.18.0-rc3+ #137
[   31.611252] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.620589] Call Trace:
[   31.623175]  dump_stack+0x1c9/0x2b4
[   31.626797]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.631968]  ? printk+0xa7/0xcf
[   31.635237]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.639978]  ? pdu_read+0x90/0xd0
[   31.643417]  print_address_description+0x6c/0x20b
[   31.648242]  ? pdu_read+0x90/0xd0
[   31.651677]  kasan_report.cold.7+0x242/0x2fe
[   31.656077]  check_memory_region+0x13e/0x1b0
[   31.660485]  memcpy+0x23/0x50
[   31.663593]  pdu_read+0x90/0xd0
[   31.666883]  p9pdu_readf+0x579/0x2170
[   31.670691]  ? p9pdu_writef+0xe0/0xe0
[   31.674479]  ? __fget+0x414/0x670
[   31.677920]  ? rcu_is_watching+0x61/0x150
[   31.682061]  ? expand_files.part.8+0x9c0/0x9c0
[   31.686639]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.691659]  ? p9_fd_show_options+0x1c0/0x1c0
[   31.696148]  p9_client_create+0xde0/0x16c9
[   31.700368]  ? p9_client_read+0xc60/0xc60
[   31.704508]  ? find_held_lock+0x36/0x1c0
[   31.708612]  ? __lockdep_init_map+0x105/0x590
[   31.713096]  ? kasan_check_write+0x14/0x20
[   31.717314]  ? __init_rwsem+0x1cc/0x2a0
[   31.721272]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   31.726307]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.731329]  ? __kmalloc_track_caller+0x5f5/0x760
[   31.736336]  ? save_stack+0xa9/0xd0
[   31.740044]  ? save_stack+0x43/0xd0
[   31.743659]  ? kasan_kmalloc+0xc4/0xe0
[   31.747548]  ? kmem_cache_alloc_trace+0x152/0x780
[   31.752389]  ? memcpy+0x45/0x50
[   31.755676]  v9fs_session_init+0x21a/0x1a80
[   31.760006]  ? find_held_lock+0x36/0x1c0
[   31.764094]  ? v9fs_show_options+0x7e0/0x7e0
[   31.768491]  ? kasan_check_read+0x11/0x20
[   31.772627]  ? rcu_is_watching+0x8c/0x150
[   31.776759]  ? rcu_pm_notify+0xc0/0xc0
[   31.780659]  ? v9fs_mount+0x61/0x900
[   31.784362]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.789377]  ? kmem_cache_alloc_trace+0x616/0x780
[   31.794211]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   31.799735]  v9fs_mount+0x7c/0x900
[   31.803272]  mount_fs+0xae/0x328
[   31.806630]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.811209]  ? may_umount+0xb0/0xb0
[   31.814821]  ? _raw_read_unlock+0x22/0x30
[   31.818951]  ? __get_fs_type+0x97/0xc0
[   31.822827]  do_mount+0x581/0x30e0
[   31.826355]  ? copy_mount_string+0x40/0x40
[   31.830577]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.835339]  ? retint_kernel+0x10/0x10
[   31.839220]  ? copy_mount_options+0x213/0x380
[   31.843697]  ? copy_mount_options+0x1a1/0x380
[   31.848190]  ? __sanitizer_cov_trace_pc+0x20/0x50
[   31.853023]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.858557]  ? copy_mount_options+0x285/0x380
[   31.863057]  ksys_mount+0x12d/0x140
[   31.866673]  __x64_sys_mount+0xbe/0x150
[   31.870640]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.875655]  do_syscall_64+0x1b9/0x820
[   31.879547]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.884467]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.889383]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.894917]  ? retint_user+0x18/0x18
[   31.898622]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.903461]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.908639] RIP: 0033:0x440959
[   31.911805] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   31.932217] RSP: 002b:00007ffcfca4cee8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   31.939919] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   31.947173] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.954425] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   31.961688] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007b55
[   31.968948] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   31.976210]
[   31.977822] Allocated by task 4561:
[   31.981437]  save_stack+0x43/0xd0
[   31.984884]  kasan_kmalloc+0xc4/0xe0
[   31.988589]  __kmalloc+0x14e/0x760
[   31.992119]  p9_fcall_alloc+0x1e/0x90
[   31.995918]  p9_client_prepare_req.part.8+0x754/0xcd0
[   32.001086]  p9_client_rpc+0x1bd/0x1400
[   32.005044]  p9_client_create+0xd09/0x16c9
[   32.009430]  v9fs_session_init+0x21a/0x1a80
[   32.013739]  v9fs_mount+0x7c/0x900
[   32.017287]  mount_fs+0xae/0x328
[   32.020637]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.025202]  do_mount+0x581/0x30e0
[   32.028726]  ksys_mount+0x12d/0x140
[   32.032333]  __x64_sys_mount+0xbe/0x150
[   32.036286]  do_syscall_64+0x1b9/0x820
[   32.040329]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.045494]
[   32.047101] Freed by task 0:
[   32.050102] (stack is not available)
[   32.053805]
[   32.055416] The buggy address belongs to the object at ffff8801c2600580
[   32.055416]  which belongs to the cache kmalloc-16384 of size 16384
[   32.068401] The buggy address is located 45 bytes inside of
[   32.068401]  16384-byte region [ffff8801c2600580, ffff8801c2604580)
[   32.080337] The buggy address belongs to the page:
[   32.085248] page:ffffea0007098000 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   32.095465] flags: 0x2fffc0000008100(slab|head)
[   32.100131] raw: 02fffc0000008100 ffffea0007099c08 ffff8801da801c48 ffff8801da802200
[   32.108002] raw: 0000000000000000 ffff8801c2600580 0000000100000001 0000000000000000
[   32.115877] page dumped because: kasan: bad access detected
[   32.121566]
[   32.123186] Memory state around the buggy address:
[   32.129080]  ffff8801c2602480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.136437]  ffff8801c2602500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.143799] >ffff8801c2602580: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   32.151144]                                ^
[   32.155535]  ffff8801c2602600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.162884]  ffff8801c2602680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.170219] ==================================================================
[   32.177572] Disabling lock debugging due to kernel taint
[   32.183264] Kernel panic - not syncing: panic_on_warn set ...
[   32.183264]
[   32.190649] CPU: 0 PID: 4561 Comm: syz-executor360 Tainted: G    B             4.18.0-rc3+ #137
[   32.199478] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.208812] Call Trace:
[   32.211405]  dump_stack+0x1c9/0x2b4
[   32.215021]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.220202]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.224942]  panic+0x238/0x4e7
[   32.228115]  ? add_taint.cold.5+0x16/0x16
[   32.232261]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.236664]  ? pdu_read+0x90/0xd0
[   32.240098]  kasan_end_report+0x47/0x4f
[   32.244054]  kasan_report.cold.7+0x76/0x2fe
[   32.248360]  check_memory_region+0x13e/0x1b0
[   32.252746]  memcpy+0x23/0x50
[   32.255831]  pdu_read+0x90/0xd0
[   32.259090]  p9pdu_readf+0x579/0x2170
[   32.262868]  ? p9pdu_writef+0xe0/0xe0
[   32.266648]  ? __fget+0x414/0x670
[   32.270083]  ? rcu_is_watching+0x61/0x150
[   32.274220]  ? expand_files.part.8+0x9c0/0x9c0
[   32.278795]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.283798]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.288275]  p9_client_create+0xde0/0x16c9
[   32.292494]  ? p9_client_read+0xc60/0xc60
[   32.296625]  ? find_held_lock+0x36/0x1c0
[   32.300688]  ? __lockdep_init_map+0x105/0x590
[   32.305178]  ? kasan_check_write+0x14/0x20
[   32.309400]  ? __init_rwsem+0x1cc/0x2a0
[   32.313355]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.318366]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.323364]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.328185]  ? save_stack+0xa9/0xd0
[   32.331790]  ? save_stack+0x43/0xd0
[   32.335400]  ? kasan_kmalloc+0xc4/0xe0
[   32.339280]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.344103]  ? memcpy+0x45/0x50
[   32.347367]  v9fs_session_init+0x21a/0x1a80
[   32.351680]  ? find_held_lock+0x36/0x1c0
[   32.355724]  ? v9fs_show_options+0x7e0/0x7e0
[   32.360123]  ? kasan_check_read+0x11/0x20
[   32.364262]  ? rcu_is_watching+0x8c/0x150
[   32.368390]  ? rcu_pm_notify+0xc0/0xc0
[   32.372262]  ? v9fs_mount+0x61/0x900
[   32.375957]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.380961]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.385804]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.391344]  v9fs_mount+0x7c/0x900
[   32.394876]  mount_fs+0xae/0x328
[   32.398243]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.402807]  ? may_umount+0xb0/0xb0
[   32.406426]  ? _raw_read_unlock+0x22/0x30
[   32.410567]  ? __get_fs_type+0x97/0xc0
[   32.414447]  do_mount+0x581/0x30e0
[   32.417978]  ? copy_mount_string+0x40/0x40
[   32.422204]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.427207]  ? retint_kernel+0x10/0x10
[   32.431080]  ? copy_mount_options+0x213/0x380
[   32.435557]  ? copy_mount_options+0x1a1/0x380
[   32.440038]  ? __sanitizer_cov_trace_pc+0x20/0x50
[   32.444879]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.450394]  ? copy_mount_options+0x285/0x380
[   32.454872]  ksys_mount+0x12d/0x140
[   32.458505]  __x64_sys_mount+0xbe/0x150
[   32.462475]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.467476]  do_syscall_64+0x1b9/0x820
[   32.471351]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.476265]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.481178]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.486709]  ? retint_user+0x18/0x18
[   32.490412]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.495248]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.500417] RIP: 0033:0x440959
[   32.503584] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   32.523055] RSP: 002b:00007ffcfca4cee8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   32.530835] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   32.538095] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.545364] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.552619] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007b55
[   32.559880] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   32.567647] Dumping ftrace buffer:
[   32.571174]    (ftrace buffer empty)
[   32.574858] Kernel Offset: disabled
[   32.578463] Rebooting in 86400 seconds..