[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   19.288115] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.526270] random: sshd: uninitialized urandom read (32 bytes read)
[   23.875818] random: sshd: uninitialized urandom read (32 bytes read)
[   24.681413] random: sshd: uninitialized urandom read (32 bytes read)
[   40.473158] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts.
[   45.907958] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   45.998673] ==================================================================
[   46.006157] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   46.012291] Read of size 62219 at addr ffff8801c9e904ed by task syz-executor251/4548
[   46.020155] 
[   46.021768] CPU: 0 PID: 4548 Comm: syz-executor251 Not tainted 4.18.0-rc3+ #137
[   46.029193] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.038535] Call Trace:
[   46.041129]  dump_stack+0x1c9/0x2b4
[   46.044753]  ? dump_stack_print_info.cold.2+0x52/0x52
[   46.049945]  ? printk+0xa7/0xcf
[   46.053209]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   46.057947]  ? pdu_read+0x90/0xd0
[   46.061382]  print_address_description+0x6c/0x20b
[   46.066206]  ? pdu_read+0x90/0xd0
[   46.069640]  kasan_report.cold.7+0x242/0x2fe
[   46.074033]  check_memory_region+0x13e/0x1b0
[   46.078422]  memcpy+0x23/0x50
[   46.081507]  pdu_read+0x90/0xd0
[   46.084784]  p9pdu_readf+0x579/0x2170
[   46.088569]  ? p9pdu_writef+0xe0/0xe0
[   46.092350]  ? __fget+0x414/0x670
[   46.095784]  ? rcu_is_watching+0x61/0x150
[   46.099912]  ? expand_files.part.8+0x9c0/0x9c0
[   46.104481]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.109489]  ? p9_fd_show_options+0x1c0/0x1c0
[   46.113971]  p9_client_create+0xde0/0x16c9
[   46.118191]  ? p9_client_read+0xc60/0xc60
[   46.122329]  ? find_held_lock+0x36/0x1c0
[   46.126379]  ? __lockdep_init_map+0x105/0x590
[   46.130856]  ? kasan_check_write+0x14/0x20
[   46.135072]  ? __init_rwsem+0x1cc/0x2a0
[   46.139039]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   46.144037]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.149032]  ? __kmalloc_track_caller+0x5f5/0x760
[   46.153856]  ? save_stack+0xa9/0xd0
[   46.157462]  ? save_stack+0x43/0xd0
[   46.161068]  ? kasan_kmalloc+0xc4/0xe0
[   46.164941]  ? kmem_cache_alloc_trace+0x152/0x780
[   46.169775]  ? memcpy+0x45/0x50
[   46.173133]  v9fs_session_init+0x21a/0x1a80
[   46.177437]  ? find_held_lock+0x36/0x1c0
[   46.181485]  ? v9fs_show_options+0x7e0/0x7e0
[   46.185876]  ? kasan_check_read+0x11/0x20
[   46.190003]  ? rcu_is_watching+0x8c/0x150
[   46.194143]  ? rcu_pm_notify+0xc0/0xc0
[   46.198015]  ? v9fs_mount+0x61/0x900
[   46.201719]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.206720]  ? kmem_cache_alloc_trace+0x616/0x780
[   46.211547]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   46.217082]  v9fs_mount+0x7c/0x900
[   46.220608]  mount_fs+0xae/0x328
[   46.223970]  vfs_kern_mount.part.34+0xdc/0x4e0
[   46.228533]  ? may_umount+0xb0/0xb0
[   46.232144]  ? _raw_read_unlock+0x22/0x30
[   46.236270]  ? __get_fs_type+0x97/0xc0
[   46.240142]  do_mount+0x581/0x30e0
[   46.243670]  ? copy_mount_string+0x40/0x40
[   46.247922]  ? copy_mount_options+0x5f/0x380
[   46.252328]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.257326]  ? kmem_cache_alloc_trace+0x616/0x780
[   46.262165]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.267685]  ? copy_mount_options+0x285/0x380
[   46.272172]  ksys_mount+0x12d/0x140
[   46.275782]  __x64_sys_mount+0xbe/0x150
[   46.279736]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   46.284736]  do_syscall_64+0x1b9/0x820
[   46.288617]  ? syscall_return_slowpath+0x5e0/0x5e0
[   46.293529]  ? syscall_return_slowpath+0x31d/0x5e0
[   46.298448]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   46.303794]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.308623]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.313793] RIP: 0033:0x440319
[   46.316959] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   46.336141] RSP: 002b:00007ffdfd76d4e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   46.343833] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440319
[   46.351088] RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000000000000
[   46.358347] RBP: 69736f7030707070 R08: 0000000020000280 R09: 0000000000000001
[   46.365597] R10: 0000000000010000 R11: 0000000000000206 R12: 4c50473070707028
[   46.372853] R13: 64663d736e617274 R14: 0000000000000000 R15: 0000000000000000
[   46.380120] 
[   46.381727] Allocated by task 4548:
[   46.385343]  save_stack+0x43/0xd0
[   46.388790]  kasan_kmalloc+0xc4/0xe0
[   46.392505]  __kmalloc+0x14e/0x760
[   46.396074]  p9_fcall_alloc+0x1e/0x90
[   46.399870]  p9_client_prepare_req.part.8+0x754/0xcd0
[   46.405040]  p9_client_rpc+0x1bd/0x1400
[   46.409001]  p9_client_create+0xd09/0x16c9
[   46.413228]  v9fs_session_init+0x21a/0x1a80
[   46.417534]  v9fs_mount+0x7c/0x900
[   46.421074]  mount_fs+0xae/0x328
[   46.424430]  vfs_kern_mount.part.34+0xdc/0x4e0
[   46.428994]  do_mount+0x581/0x30e0
[   46.432513]  ksys_mount+0x12d/0x140
[   46.436117]  __x64_sys_mount+0xbe/0x150
[   46.440091]  do_syscall_64+0x1b9/0x820
[   46.443961]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.449125] 
[   46.450730] Freed by task 0:
[   46.453720] (stack is not available)
[   46.457406] 
[   46.459024] The buggy address belongs to the object at ffff8801c9e904c0
[   46.459024]  which belongs to the cache kmalloc-16384 of size 16384
[   46.472007] The buggy address is located 45 bytes inside of
[   46.472007]  16384-byte region [ffff8801c9e904c0, ffff8801c9e944c0)
[   46.483945] The buggy address belongs to the page:
[   46.488856] page:ffffea000727a400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   46.498806] flags: 0x2fffc0000008100(slab|head)
[   46.503460] raw: 02fffc0000008100 ffffea0006d88408 ffff8801da801c48 ffff8801da802200
[   46.511321] raw: 0000000000000000 ffff8801c9e904c0 0000000100000001 0000000000000000
[   46.519177] page dumped because: kasan: bad access detected
[   46.524864] 
[   46.526470] Memory state around the buggy address:
[   46.531387]  ffff8801c9e92380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.538743]  ffff8801c9e92400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.546777] >ffff8801c9e92480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   46.554125]                                                                 ^
[   46.560597]  ffff8801c9e92500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.568107]  ffff8801c9e92580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.575450] ==================================================================
[   46.582784] Disabling lock debugging due to kernel taint
[   46.588294] Kernel panic - not syncing: panic_on_warn set ...
[   46.588294] 
[   46.595650] CPU: 0 PID: 4548 Comm: syz-executor251 Tainted: G    B             4.18.0-rc3+ #137
[   46.604470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   46.613885] Call Trace:
[   46.616459]  dump_stack+0x1c9/0x2b4
[   46.620067]  ? dump_stack_print_info.cold.2+0x52/0x52
[   46.625247]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   46.629983]  panic+0x238/0x4e7
[   46.633156]  ? add_taint.cold.5+0x16/0x16
[   46.637286]  ? do_raw_spin_unlock+0xa7/0x2f0
[   46.641674]  ? pdu_read+0x90/0xd0
[   46.645115]  kasan_end_report+0x47/0x4f
[   46.649068]  kasan_report.cold.7+0x76/0x2fe
[   46.653368]  check_memory_region+0x13e/0x1b0
[   46.657765]  memcpy+0x23/0x50
[   46.660849]  pdu_read+0x90/0xd0
[   46.664118]  p9pdu_readf+0x579/0x2170
[   46.667900]  ? p9pdu_writef+0xe0/0xe0
[   46.671687]  ? __fget+0x414/0x670
[   46.675126]  ? rcu_is_watching+0x61/0x150
[   46.679252]  ? expand_files.part.8+0x9c0/0x9c0
[   46.683815]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.688814]  ? p9_fd_show_options+0x1c0/0x1c0
[   46.693289]  p9_client_create+0xde0/0x16c9
[   46.697513]  ? p9_client_read+0xc60/0xc60
[   46.701640]  ? find_held_lock+0x36/0x1c0
[   46.705686]  ? __lockdep_init_map+0x105/0x590
[   46.710159]  ? kasan_check_write+0x14/0x20
[   46.714372]  ? __init_rwsem+0x1cc/0x2a0
[   46.718335]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   46.723339]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.728346]  ? __kmalloc_track_caller+0x5f5/0x760
[   46.733255]  ? save_stack+0xa9/0xd0
[   46.736860]  ? save_stack+0x43/0xd0
[   46.740466]  ? kasan_kmalloc+0xc4/0xe0
[   46.744334]  ? kmem_cache_alloc_trace+0x152/0x780
[   46.749156]  ? memcpy+0x45/0x50
[   46.752417]  v9fs_session_init+0x21a/0x1a80
[   46.756718]  ? find_held_lock+0x36/0x1c0
[   46.760771]  ? v9fs_show_options+0x7e0/0x7e0
[   46.765170]  ? kasan_check_read+0x11/0x20
[   46.769294]  ? rcu_is_watching+0x8c/0x150
[   46.773421]  ? rcu_pm_notify+0xc0/0xc0
[   46.777286]  ? v9fs_mount+0x61/0x900
[   46.780989]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.785984]  ? kmem_cache_alloc_trace+0x616/0x780
[   46.790816]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   46.796332]  v9fs_mount+0x7c/0x900
[   46.799852]  mount_fs+0xae/0x328
[   46.803196]  vfs_kern_mount.part.34+0xdc/0x4e0
[   46.807756]  ? may_umount+0xb0/0xb0
[   46.811359]  ? _raw_read_unlock+0x22/0x30
[   46.815483]  ? __get_fs_type+0x97/0xc0
[   46.819347]  do_mount+0x581/0x30e0
[   46.822867]  ? copy_mount_string+0x40/0x40
[   46.827084]  ? copy_mount_options+0x5f/0x380
[   46.831481]  ? rcu_read_lock_sched_held+0x108/0x120
[   46.836485]  ? kmem_cache_alloc_trace+0x616/0x780
[   46.841316]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   46.846844]  ? copy_mount_options+0x285/0x380
[   46.851322]  ksys_mount+0x12d/0x140
[   46.854927]  __x64_sys_mount+0xbe/0x150
[   46.858898]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   46.863908]  do_syscall_64+0x1b9/0x820
[   46.867774]  ? syscall_return_slowpath+0x5e0/0x5e0
[   46.872683]  ? syscall_return_slowpath+0x31d/0x5e0
[   46.877597]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   46.882938]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.887771]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   46.892958] RIP: 0033:0x440319
[   46.896142] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   46.915264] RSP: 002b:00007ffdfd76d4e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   46.922951] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440319
[   46.930202] RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000000000000
[   46.937451] RBP: 69736f7030707070 R08: 0000000020000280 R09: 0000000000000001
[   46.944701] R10: 0000000000010000 R11: 0000000000000206 R12: 4c50473070707028
[   46.951950] R13: 64663d736e617274 R14: 0000000000000000 R15: 0000000000000000
[   46.959666] Dumping ftrace buffer:
[   46.963192]    (ftrace buffer empty)
[   46.966879] Kernel Offset: disabled
[   46.970484] Rebooting in 86400 seconds..
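Reading the report: KASAN flags a slab-out-of-bounds read in pdu_read (net/9p/protocol.c), reached from p9pdu_readf inside p9_client_create, i.e. while the 9p client parses the Rversion reply of the version handshake that every mount starts with. The copy is 62219 bytes long, the object it reads from is a 16384-byte kmalloc allocation made by p9_fcall_alloc for that request, and the access starts 45 bytes into the object, where the fcall's data area begins. So a length taken from the peer's message is being honoured well past the receive buffer. The bytes in R13 (64663d736e617274 little-endian is "trans=fd") are consistent with a 9p mount over the fd transport, where the "server" is whatever file descriptor the mounting process hands in, so the peer that crafts the reply is the unprivileged fuzzer itself.

The following C program is an added example, not kernel code, and not the upstream fix: it is a userspace model of the same parse showing the checks a hardened reader needs, namely validating the header's claimed size against both the buffer capacity and the bytes actually received before any field is decoded, and bounding every string read by the validated size. The struct layout, function names, the 8192-byte MSIZE and the two wire samples are assumptions built for the demo; the hostile sample is constructed so that an unchecked reader would want exactly 62219 bytes, matching the read size in the report.

```c
/* Added example, not kernel code: userspace model of 9p reply parsing with the
 * size checks a hardened reader needs. Layout, names and MSIZE are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P9_HDRSZ    7      /* 9p header: size[4] type[1] tag[2] */
#define P9_RVERSION 101
#define MSIZE       8192   /* assumed receive buffer size (fcall capacity) */

struct p9_pdu {
    uint32_t size;         /* length claimed by the peer's header */
    uint8_t  type;
    uint16_t tag;
    size_t   offset;       /* read cursor into sdata */
    size_t   capacity;     /* bytes that really exist in sdata */
    uint8_t  sdata[MSIZE];
};

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Bytes a reader that clamps only to the header's claimed size (the pattern
 * behind the memcpy in the report) would copy for a `want`-byte field.
 * Nothing is copied here; the number alone shows the overrun. */
static size_t unchecked_read_len(const struct p9_pdu *pdu, size_t want)
{
    size_t left = pdu->size - pdu->offset;
    return left < want ? left : want;
}

/* Hardened loader: reject the PDU before parsing any field if the claimed size
 * is shorter than a header, larger than the buffer, or longer than what arrived. */
static int p9_load_pdu(struct p9_pdu *pdu, const uint8_t *wire, size_t wire_len)
{
    if (wire_len < P9_HDRSZ) return -1;
    pdu->size = rd32(wire);
    pdu->type = wire[4];
    pdu->tag = rd16(wire + 5);
    pdu->capacity = MSIZE;
    if (pdu->size < P9_HDRSZ || pdu->size > pdu->capacity) return -2; /* missing in the crash */
    if (pdu->size > wire_len) return -3;                              /* short read */
    memcpy(pdu->sdata, wire, pdu->size);
    pdu->offset = P9_HDRSZ;
    return 0;
}

/* Bounds-checked read: never past the validated size. */
static int checked_read(struct p9_pdu *pdu, void *out, size_t n)
{
    if (n > pdu->size - pdu->offset) return -1;
    memcpy(out, pdu->sdata + pdu->offset, n);
    pdu->offset += n;
    return 0;
}

/* Rversion body: msize[4] version[s], where s is len[2] followed by len bytes. */
static int p9_parse_rversion(struct p9_pdu *pdu, uint32_t *msize, char *ver, size_t verlen)
{
    uint8_t b4[4], b2[2];
    if (pdu->type != P9_RVERSION) return -1;
    if (checked_read(pdu, b4, 4)) return -2;
    *msize = rd32(b4);
    if (checked_read(pdu, b2, 2)) return -3;
    size_t len = rd16(b2);
    if (len + 1 > verlen) return -4;
    if (checked_read(pdu, ver, len)) return -5; /* a 62219-byte string cannot fit */
    ver[len] = '\0';
    return 0;
}

/* Constructed wire samples (not captured traffic). */
static const uint8_t good_rversion[] = {
    19, 0, 0, 0, P9_RVERSION, 0xff, 0xff,       /* size=19, tag=NOTAG */
    0x00, 0x20, 0x00, 0x00,                     /* msize=8192 */
    6, 0, '9', 'P', '2', '0', '0', '0' };       /* "9P2000" */
/* Hostile: claims size=62232 and a 62219-byte version string (the read size in
 * the report), but only 15 bytes are actually on the wire. */
static const uint8_t evil_rversion[] = {
    0x18, 0xf3, 0, 0, P9_RVERSION, 0xff, 0xff, 0x00, 0x20, 0x00, 0x00, 0x0b, 0xf3, '9', 'P' };

static size_t hostile_unchecked_len(void)
{
    struct p9_pdu raw = { .size = rd32(evil_rversion), .offset = 13, .capacity = MSIZE };
    return unchecked_read_len(&raw, rd16(evil_rversion + 11));
}

static int load_and_parse(const uint8_t *wire, size_t n, uint32_t *msize, char *ver, size_t verlen)
{
    struct p9_pdu pdu;
    int rc = p9_load_pdu(&pdu, wire, n);
    return rc ? rc : p9_parse_rversion(&pdu, msize, ver, verlen);
}

int main(void)
{
    uint32_t msize = 0; char ver[64];
    printf("unchecked reader would memcpy %zu bytes out of a %d-byte buffer\n", hostile_unchecked_len(), MSIZE);
    printf("hardened loader, hostile reply: rc=%d\n", load_and_parse(evil_rversion, sizeof evil_rversion, &msize, ver, sizeof ver));
    int rc = load_and_parse(good_rversion, sizeof good_rversion, &msize, ver, sizeof ver);
    printf("hardened loader, good reply: rc=%d msize=%u version=%s\n", rc, msize, ver);
    return 0;
}
```

The point of the split between p9_load_pdu and checked_read is that the only number a peer controls which may exceed the buffer is the header size, so it is checked once, against capacity and against the bytes actually received, before anything else is trusted; every later length (the string's len[2] here) is then checked only against that already-validated size. Clamping inside the per-field read, as the crashing reader does, is not enough when the size it clamps to came from the peer.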