[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.841977] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 19.687808] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.054667] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.781289] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.930441] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
[ 26.420968] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 26.743446] ==================================================================
[ 26.750857] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 26.756987] Read of size 64713 at addr ffff8801b37909ad by task syz-executor051/4470
[ 26.764845]
[ 26.766456] CPU: 1 PID: 4470 Comm: syz-executor051 Not tainted 4.18.0-rc5-next-20180719+ #11
[ 26.775005] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.784342] Call Trace:
[ 26.786918]  dump_stack+0x1c9/0x2b4
[ 26.790540]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 26.795714]  ? printk+0xa7/0xcf
[ 26.798977]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 26.803980]  ? pdu_read+0x90/0xd0
[ 26.807418]  print_address_description+0x6c/0x20b
[ 26.812244]  ? pdu_read+0x90/0xd0
[ 26.815677]  kasan_report.cold.7+0x242/0x30d
[ 26.820065]  check_memory_region+0x13e/0x1b0
[ 26.824466]  memcpy+0x23/0x50
[ 26.827563]  pdu_read+0x90/0xd0
[ 26.830835]  p9pdu_readf+0x579/0x2170
[ 26.834618]  ? p9pdu_writef+0xe0/0xe0
[ 26.838411]  ? ksys_dup3+0x690/0x690
[ 26.842110]  ? do_raw_spin_lock+0xc1/0x200
[ 26.846327]  ? finish_wait+0x430/0x430
[ 26.850211]  ? p9_fd_show_options+0x1c0/0x1c0
[ 26.854689]  p9_client_create+0x6d0/0x1537
[ 26.858906]  ? p9_client_read+0xbb0/0xbb0
[ 26.863035]  ? lock_acquire+0x1e4/0x540
[ 26.866990]  ? fs_reclaim_acquire+0x20/0x20
[ 26.871302]  ? lock_release+0xa30/0xa30
[ 26.875262]  ? __lockdep_init_map+0x105/0x590
[ 26.879751]  ? kasan_check_write+0x14/0x20
[ 26.883968]  ? __init_rwsem+0x1cc/0x2a0
[ 26.887931]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 26.892950]  ? __kmalloc_track_caller+0x311/0x760
[ 26.897792]  ? save_stack+0xa9/0xd0
[ 26.901402]  ? save_stack+0x43/0xd0
[ 26.905010]  ? kasan_kmalloc+0xc4/0xe0
[ 26.908885]  ? memcpy+0x45/0x50
[ 26.912147]  v9fs_session_init+0x21a/0x1a80
[ 26.916471]  ? rcu_note_context_switch+0x730/0x730
[ 26.921385]  ? legacy_parse_monolithic+0xde/0x1e0
[ 26.926211]  ? v9fs_show_options+0x7e0/0x7e0
[ 26.930606]  ? lock_release+0xa30/0xa30
[ 26.934561]  ? check_same_owner+0x340/0x340
[ 26.938864]  ? lock_downgrade+0x8f0/0x8f0
[ 26.942992]  ? kasan_unpoison_shadow+0x35/0x50
[ 26.947556]  ? kasan_kmalloc+0xc4/0xe0
[ 26.951428]  ? kmem_cache_alloc_trace+0x318/0x780
[ 26.956253]  ? kasan_unpoison_shadow+0x35/0x50
[ 26.960818]  ? kasan_kmalloc+0xc4/0xe0
[ 26.964689]  v9fs_mount+0x7c/0x900
[ 26.968212]  ? v9fs_drop_inode+0x150/0x150
[ 26.972447]  legacy_get_tree+0x131/0x460
[ 26.976619]  vfs_get_tree+0x1cb/0x5c0
[ 26.980417]  do_mount+0x6f2/0x1e20
[ 26.983941]  ? check_same_owner+0x340/0x340
[ 26.988245]  ? lock_release+0xa30/0xa30
[ 26.992202]  ? copy_mount_string+0x40/0x40
[ 26.996418]  ? kasan_kmalloc+0xc4/0xe0
[ 27.000290]  ? kmem_cache_alloc_trace+0x318/0x780
[ 27.005122]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 27.010643]  ? _copy_from_user+0xdf/0x150
[ 27.014777]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.020296]  ? copy_mount_options+0x285/0x380
[ 27.024773]  ksys_mount+0x12d/0x140
[ 27.028383]  __x64_sys_mount+0xbe/0x150
[ 27.032348]  do_syscall_64+0x1b9/0x820
[ 27.036215]  ? finish_task_switch+0x1d3/0x870
[ 27.040692]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 27.045601]  ? syscall_return_slowpath+0x31d/0x5e0
[ 27.050513]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 27.055521]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.061052]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 27.066050]  ? perf_trace_sys_enter+0xb10/0xb10
[ 27.070700]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.075538]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.080706] RIP: 0033:0x445ce9
[ 27.083873] Code: e8 ec ba 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 27.103022] RSP: 002b:00007ff7c0199da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 27.110717] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000445ce9
[ 27.117981] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 27.125250] RBP: 0000000000000000 R08: 00000000200001c0 R09: 0000000000000000
[ 27.132502] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006dbc20
[ 27.139755] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[ 27.147023]
[ 27.148645] Allocated by task 4470:
[ 27.152274]  save_stack+0x43/0xd0
[ 27.155706]  kasan_kmalloc+0xc4/0xe0
[ 27.159399]  __kmalloc+0x14e/0x760
[ 27.162920]  p9_fcall_alloc+0x1e/0x90
[ 27.166707]  p9_client_prepare_req.part.8+0x132/0xa00
[ 27.171876]  p9_client_rpc+0x242/0x1330
[ 27.175829]  p9_client_create+0xca4/0x1537
[ 27.180047]  v9fs_session_init+0x21a/0x1a80
[ 27.184354]  v9fs_mount+0x7c/0x900
[ 27.187880]  legacy_get_tree+0x131/0x460
[ 27.191920]  vfs_get_tree+0x1cb/0x5c0
[ 27.195699]  do_mount+0x6f2/0x1e20
[ 27.199218]  ksys_mount+0x12d/0x140
[ 27.202821]  __x64_sys_mount+0xbe/0x150
[ 27.206777]  do_syscall_64+0x1b9/0x820
[ 27.210649]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.215821]
[ 27.217423] Freed by task 0:
[ 27.220412] (stack is not available)
[ 27.224096]
[ 27.225704] The buggy address belongs to the object at ffff8801b3790980
[ 27.225704]  which belongs to the cache kmalloc-16384 of size 16384
[ 27.238686] The buggy address is located 45 bytes inside of
[ 27.238686]  16384-byte region [ffff8801b3790980, ffff8801b3794980)
[ 27.250619] The buggy address belongs to the page:
[ 27.255530] page:ffffea0006cde400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 27.265477] flags: 0x2fffc0000010200(slab|head)
[ 27.270155] raw: 02fffc0000010200 ffffea0006dc0608 ffff8801da801c48 ffff8801da802200
[ 27.278037] raw: 0000000000000000 ffff8801b3790980 0000000100000001 0000000000000000
[ 27.285903] page dumped because: kasan: bad access detected
[ 27.291585]
[ 27.293186] Memory state around the buggy address:
[ 27.298095]  ffff8801b3792880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.305453]  ffff8801b3792900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.312795] >ffff8801b3792980: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.320141]                                ^
[ 27.324531]  ffff8801b3792a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.331878]  ffff8801b3792a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.339232] ==================================================================
[ 27.346687] Kernel panic - not syncing: panic_on_warn set ...
[ 27.346687]
[ 27.354056] CPU: 1 PID: 4470 Comm: syz-executor051 Tainted: G    B             4.18.0-rc5-next-20180719+ #11
[ 27.364529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.373873] Call Trace:
[ 27.376451]  dump_stack+0x1c9/0x2b4
[ 27.380067]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 27.385246]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.389985]  panic+0x238/0x4e7
[ 27.393159]  ? add_taint.cold.5+0x16/0x16
[ 27.397288]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 27.401679]  ? pdu_read+0x90/0xd0
[ 27.405120]  kasan_end_report+0x47/0x4f
[ 27.409078]  kasan_report.cold.7+0x76/0x30d
[ 27.413385]  check_memory_region+0x13e/0x1b0
[ 27.417774]  memcpy+0x23/0x50
[ 27.420863]  pdu_read+0x90/0xd0
[ 27.424126]  p9pdu_readf+0x579/0x2170
[ 27.427915]  ? p9pdu_writef+0xe0/0xe0
[ 27.431698]  ? ksys_dup3+0x690/0x690
[ 27.435397]  ? do_raw_spin_lock+0xc1/0x200
[ 27.439630]  ? finish_wait+0x430/0x430
[ 27.443510]  ? p9_fd_show_options+0x1c0/0x1c0
[ 27.447990]  p9_client_create+0x6d0/0x1537
[ 27.452213]  ? p9_client_read+0xbb0/0xbb0
[ 27.456346]  ? lock_acquire+0x1e4/0x540
[ 27.460302]  ? fs_reclaim_acquire+0x20/0x20
[ 27.464607]  ? lock_release+0xa30/0xa30
[ 27.468561]  ? __lockdep_init_map+0x105/0x590
[ 27.473047]  ? kasan_check_write+0x14/0x20
[ 27.477274]  ? __init_rwsem+0x1cc/0x2a0
[ 27.481228]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 27.486237]  ? __kmalloc_track_caller+0x311/0x760
[ 27.491066]  ? save_stack+0xa9/0xd0
[ 27.494681]  ? save_stack+0x43/0xd0
[ 27.498289]  ? kasan_kmalloc+0xc4/0xe0
[ 27.502156]  ? memcpy+0x45/0x50
[ 27.505423]  v9fs_session_init+0x21a/0x1a80
[ 27.509729]  ? rcu_note_context_switch+0x730/0x730
[ 27.514642]  ? legacy_parse_monolithic+0xde/0x1e0
[ 27.519471]  ? v9fs_show_options+0x7e0/0x7e0
[ 27.523882]  ? lock_release+0xa30/0xa30
[ 27.527866]  ? check_same_owner+0x340/0x340
[ 27.532182]  ? lock_downgrade+0x8f0/0x8f0
[ 27.536313]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.540874]  ? kasan_kmalloc+0xc4/0xe0
[ 27.544745]  ? kmem_cache_alloc_trace+0x318/0x780
[ 27.549566]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.554132]  ? kasan_kmalloc+0xc4/0xe0
[ 27.558026]  v9fs_mount+0x7c/0x900
[ 27.561555]  ? v9fs_drop_inode+0x150/0x150
[ 27.565770]  legacy_get_tree+0x131/0x460
[ 27.569824]  vfs_get_tree+0x1cb/0x5c0
[ 27.573620]  do_mount+0x6f2/0x1e20
[ 27.577149]  ? check_same_owner+0x340/0x340
[ 27.581456]  ? lock_release+0xa30/0xa30
[ 27.585415]  ? copy_mount_string+0x40/0x40
[ 27.589630]  ? kasan_kmalloc+0xc4/0xe0
[ 27.593512]  ? kmem_cache_alloc_trace+0x318/0x780
[ 27.598341]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 27.603858]  ? _copy_from_user+0xdf/0x150
[ 27.607991]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.613517]  ? copy_mount_options+0x285/0x380
[ 27.617998]  ksys_mount+0x12d/0x140
[ 27.621616]  __x64_sys_mount+0xbe/0x150
[ 27.625593]  do_syscall_64+0x1b9/0x820
[ 27.629463]  ? finish_task_switch+0x1d3/0x870
[ 27.633939]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 27.638859]  ? syscall_return_slowpath+0x31d/0x5e0
[ 27.643777]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 27.648779]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.654308]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 27.659311]  ? perf_trace_sys_enter+0xb10/0xb10
[ 27.663971]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.668802]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.673973] RIP: 0033:0x445ce9
[ 27.677136] Code: e8 ec ba 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 27.696268] RSP: 002b:00007ff7c0199da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 27.703982] RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000445ce9
[ 27.711249] RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
[ 27.718504] RBP: 0000000000000000 R08: 00000000200001c0 R09: 0000000000000000
[ 27.725757] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006dbc20
[ 27.733025] R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
[ 27.740924] Dumping ftrace buffer:
[ 27.744460]    (ftrace buffer empty)
[ 27.748147] Kernel Offset: disabled
[ 27.751767] Rebooting in 86400 seconds..