[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.176270] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.853227] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.300913] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.155915] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.314924] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
[ 30.809158] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 30.901879] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 30.922606] ==================================================================
[ 30.930077] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 30.936218] Read of size 29793 at addr ffff8801ace303ed by task syz-executor067/4545
[ 30.944088]
[ 30.945712] CPU: 1 PID: 4545 Comm: syz-executor067 Not tainted 4.18.0-rc3+ #137
[ 30.953138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.962469] Call Trace:
[ 30.965053]  dump_stack+0x1c9/0x2b4
[ 30.968666]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.973838]  ? printk+0xa7/0xcf
[ 30.977099]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.981837]  ? pdu_read+0x90/0xd0
[ 30.985272]  print_address_description+0x6c/0x20b
[ 30.990105]  ? pdu_read+0x90/0xd0
[ 30.993547]  kasan_report.cold.7+0x242/0x2fe
[ 30.997960]  check_memory_region+0x13e/0x1b0
[ 31.002360]  memcpy+0x23/0x50
[ 31.005462]  pdu_read+0x90/0xd0
[ 31.008736]  p9pdu_readf+0x579/0x2170
[ 31.012525]  ? p9pdu_writef+0xe0/0xe0
[ 31.016308]  ? __fget+0x414/0x670
[ 31.019744]  ? rcu_is_watching+0x61/0x150
[ 31.023873]  ? expand_files.part.8+0x9c0/0x9c0
[ 31.028439]  ? finish_wait+0x430/0x430
[ 31.032310]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.037317]  ? p9_fd_show_options+0x1c0/0x1c0
[ 31.041799]  p9_client_create+0xde0/0x16c9
[ 31.046035]  ? p9_client_read+0xc60/0xc60
[ 31.050169]  ? find_held_lock+0x36/0x1c0
[ 31.054218]  ? __lockdep_init_map+0x105/0x590
[ 31.058700]  ? kasan_check_write+0x14/0x20
[ 31.062928]  ? __init_rwsem+0x1cc/0x2a0
[ 31.066887]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 31.071884]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.076893]  ? __kmalloc_track_caller+0x5f5/0x760
[ 31.081725]  ? save_stack+0xa9/0xd0
[ 31.085341]  ? save_stack+0x43/0xd0
[ 31.088949]  ? kasan_kmalloc+0xc4/0xe0
[ 31.092818]  ? kmem_cache_alloc_trace+0x152/0x780
[ 31.097642]  ? memcpy+0x45/0x50
[ 31.100917]  v9fs_session_init+0x21a/0x1a80
[ 31.105221]  ? find_held_lock+0x36/0x1c0
[ 31.109270]  ? v9fs_show_options+0x7e0/0x7e0
[ 31.113678]  ? kasan_check_read+0x11/0x20
[ 31.117808]  ? rcu_is_watching+0x8c/0x150
[ 31.121936]  ? rcu_pm_notify+0xc0/0xc0
[ 31.125818]  ? v9fs_mount+0x61/0x900
[ 31.129514]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.134526]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.139369]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 31.144904]  v9fs_mount+0x7c/0x900
[ 31.148432]  mount_fs+0xae/0x328
[ 31.151803]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.156366]  ? may_umount+0xb0/0xb0
[ 31.159980]  ? _raw_read_unlock+0x22/0x30
[ 31.164130]  ? __get_fs_type+0x97/0xc0
[ 31.168008]  do_mount+0x581/0x30e0
[ 31.171540]  ? copy_mount_string+0x40/0x40
[ 31.175755]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.180496]  ? retint_kernel+0x10/0x10
[ 31.184366]  ? copy_mount_options+0x1e3/0x380
[ 31.188846]  ? write_comp_data+0x70/0x70
[ 31.192900]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.198415]  ? copy_mount_options+0x285/0x380
[ 31.202893]  ksys_mount+0x12d/0x140
[ 31.206515]  __x64_sys_mount+0xbe/0x150
[ 31.210472]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.215482]  do_syscall_64+0x1b9/0x820
[ 31.219352]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.224281]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.229193]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.234710]  ? retint_user+0x18/0x18
[ 31.238408]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.243244]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.248414] RIP: 0033:0x440229
[ 31.251583] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.270774] RSP: 002b:00007ffcc5596648 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 31.278477] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440229
[ 31.285747] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 31.293005] RBP: 0030656c69662f2e R08: 0000000020000180 R09: 0000000000000001
[ 31.300264] R10: 0000000000000000 R11: 0000000000000206 R12: 646e657478656f6e
[ 31.307514] R13: 64663d736e617274 R14: 0000000000000000 R15: 0000000000000000
[ 31.314781]
[ 31.316389] Allocated by task 4545:
[ 31.320008]  save_stack+0x43/0xd0
[ 31.323450]  kasan_kmalloc+0xc4/0xe0
[ 31.327152]  __kmalloc+0x14e/0x760
[ 31.330678]  p9_fcall_alloc+0x1e/0x90
[ 31.334458]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 31.339627]  p9_client_rpc+0x1bd/0x1400
[ 31.343581]  p9_client_create+0xd09/0x16c9
[ 31.347809]  v9fs_session_init+0x21a/0x1a80
[ 31.352109]  v9fs_mount+0x7c/0x900
[ 31.355629]  mount_fs+0xae/0x328
[ 31.358992]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.363558]  do_mount+0x581/0x30e0
[ 31.367078]  ksys_mount+0x12d/0x140
[ 31.370682]  __x64_sys_mount+0xbe/0x150
[ 31.374648]  do_syscall_64+0x1b9/0x820
[ 31.378519]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.383696]
[ 31.385303] Freed by task 0:
[ 31.388296] (stack is not available)
[ 31.391985]
[ 31.393609] The buggy address belongs to the object at ffff8801ace303c0
[ 31.393609]  which belongs to the cache kmalloc-16384 of size 16384
[ 31.406595] The buggy address is located 45 bytes inside of
[ 31.406595]  16384-byte region [ffff8801ace303c0, ffff8801ace343c0)
[ 31.418534] The buggy address belongs to the page:
[ 31.423446] page:ffffea0006b38c00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 31.433393] flags: 0x2fffc0000008100(slab|head)
[ 31.438057] raw: 02fffc0000008100 ffffea0007655608 ffff8801da801c48 ffff8801da802200
[ 31.445920] raw: 0000000000000000 ffff8801ace303c0 0000000100000001 0000000000000000
[ 31.453777] page dumped because: kasan: bad access detected
[ 31.459460]
[ 31.461066] Memory state around the buggy address:
[ 31.465988]  ffff8801ace32280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.473336]  ffff8801ace32300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.480677] >ffff8801ace32380: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 31.488022]                                                          ^
[ 31.494500]  ffff8801ace32400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.501844]  ffff8801ace32480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.509180] ==================================================================
[ 31.516514] Disabling lock debugging due to kernel taint
[ 31.522044] Kernel panic - not syncing: panic_on_warn set ...
[ 31.522044]
[ 31.529418] CPU: 1 PID: 4545 Comm: syz-executor067 Tainted: G B 4.18.0-rc3+ #137
[ 31.538259] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.547593] Call Trace:
[ 31.550167]  dump_stack+0x1c9/0x2b4
[ 31.553786]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.558970]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.563710]  panic+0x238/0x4e7
[ 31.566886]  ? add_taint.cold.5+0x16/0x16
[ 31.571026]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.575427]  ? pdu_read+0x90/0xd0
[ 31.578865]  kasan_end_report+0x47/0x4f
[ 31.582825]  kasan_report.cold.7+0x76/0x2fe
[ 31.587133]  check_memory_region+0x13e/0x1b0
[ 31.591524]  memcpy+0x23/0x50
[ 31.594626]  pdu_read+0x90/0xd0
[ 31.597898]  p9pdu_readf+0x579/0x2170
[ 31.601680]  ? p9pdu_writef+0xe0/0xe0
[ 31.605464]  ? __fget+0x414/0x670
[ 31.608908]  ? rcu_is_watching+0x61/0x150
[ 31.613040]  ? expand_files.part.8+0x9c0/0x9c0
[ 31.617621]  ? finish_wait+0x430/0x430
[ 31.621494]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.626497]  ? p9_fd_show_options+0x1c0/0x1c0
[ 31.630990]  p9_client_create+0xde0/0x16c9
[ 31.635212]  ? p9_client_read+0xc60/0xc60
[ 31.639341]  ? find_held_lock+0x36/0x1c0
[ 31.643398]  ? __lockdep_init_map+0x105/0x590
[ 31.647879]  ? kasan_check_write+0x14/0x20
[ 31.652092]  ? __init_rwsem+0x1cc/0x2a0
[ 31.656051]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 31.661056]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.666060]  ? __kmalloc_track_caller+0x5f5/0x760
[ 31.670884]  ? save_stack+0xa9/0xd0
[ 31.674491]  ? save_stack+0x43/0xd0
[ 31.678107]  ? kasan_kmalloc+0xc4/0xe0
[ 31.681975]  ? kmem_cache_alloc_trace+0x152/0x780
[ 31.686796]  ? memcpy+0x45/0x50
[ 31.690071]  v9fs_session_init+0x21a/0x1a80
[ 31.694377]  ? find_held_lock+0x36/0x1c0
[ 31.698437]  ? v9fs_show_options+0x7e0/0x7e0
[ 31.702829]  ? kasan_check_read+0x11/0x20
[ 31.706961]  ? rcu_is_watching+0x8c/0x150
[ 31.711094]  ? rcu_pm_notify+0xc0/0xc0
[ 31.714971]  ? v9fs_mount+0x61/0x900
[ 31.718677]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.723686]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.728520]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 31.734059]  v9fs_mount+0x7c/0x900
[ 31.737588]  mount_fs+0xae/0x328
[ 31.740954]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.745534]  ? may_umount+0xb0/0xb0
[ 31.749153]  ? _raw_read_unlock+0x22/0x30
[ 31.753294]  ? __get_fs_type+0x97/0xc0
[ 31.757168]  do_mount+0x581/0x30e0
[ 31.760695]  ? copy_mount_string+0x40/0x40
[ 31.764915]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.769664]  ? retint_kernel+0x10/0x10
[ 31.773549]  ? copy_mount_options+0x1e3/0x380
[ 31.778037]  ? write_comp_data+0x70/0x70
[ 31.782087]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.788430]  ? copy_mount_options+0x285/0x380
[ 31.792921]  ksys_mount+0x12d/0x140
[ 31.796544]  __x64_sys_mount+0xbe/0x150
[ 31.800502]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.805508]  do_syscall_64+0x1b9/0x820
[ 31.809380]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.814400]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.819313]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.824854]  ? retint_user+0x18/0x18
[ 31.828550]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.833383]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.838553] RIP: 0033:0x440229
[ 31.841719] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.860842] RSP: 002b:00007ffcc5596648 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 31.868535] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440229
[ 31.875791] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 31.883047] RBP: 0030656c69662f2e R08: 0000000020000180 R09: 0000000000000001
[ 31.890300] R10: 0000000000000000 R11: 0000000000000206 R12: 646e657478656f6e
[ 31.897552] R13: 64663d736e617274 R14: 0000000000000000 R15: 0000000000000000
[ 31.905291] Dumping ftrace buffer:
[ 31.908819]    (ftrace buffer empty)
[ 31.912514] Kernel Offset: disabled
[ 31.916155] Rebooting in 86400 seconds..