[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.425584] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.687161] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.043603] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.908985] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.068178] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
[ 30.661437] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[ 30.755207] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 30.795653] ==================================================================
[ 30.803166] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 30.809322] Read of size 15873 at addr ffff8801bf0706ed by task syz-executor562/4548
[ 30.817192]
[ 30.818813] CPU: 0 PID: 4548 Comm: syz-executor562 Not tainted 4.18.0-rc3+ #137
[ 30.826264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.835618] Call Trace:
[ 30.838201]  dump_stack+0x1c9/0x2b4
[ 30.841824]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.847003]  ? printk+0xa7/0xcf
[ 30.850298]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.855061]  ? pdu_read+0x90/0xd0
[ 30.858508]  print_address_description+0x6c/0x20b
[ 30.863353]  ? pdu_read+0x90/0xd0
[ 30.866803]  kasan_report.cold.7+0x242/0x2fe
[ 30.871204]  check_memory_region+0x13e/0x1b0
[ 30.875604]  memcpy+0x23/0x50
[ 30.878700]  pdu_read+0x90/0xd0
[ 30.881970]  p9pdu_readf+0x579/0x2170
[ 30.885776]  ? p9pdu_writef+0xe0/0xe0
[ 30.889566]  ? __fget+0x414/0x670
[ 30.893010]  ? rcu_is_watching+0x61/0x150
[ 30.897159]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.901743]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.906777]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.911280]  p9_client_create+0xde0/0x16c9
[ 30.915508]  ? p9_client_read+0xc60/0xc60
[ 30.919640]  ? find_held_lock+0x36/0x1c0
[ 30.923699]  ? __lockdep_init_map+0x105/0x590
[ 30.928186]  ? kasan_check_write+0x14/0x20
[ 30.932409]  ? __init_rwsem+0x1cc/0x2a0
[ 30.936367]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.941406]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.946423]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.951259]  ? save_stack+0xa9/0xd0
[ 30.954880]  ? save_stack+0x43/0xd0
[ 30.958507]  ? kasan_kmalloc+0xc4/0xe0
[ 30.962383]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.967217]  ? memcpy+0x45/0x50
[ 30.970507]  v9fs_session_init+0x21a/0x1a80
[ 30.974820]  ? find_held_lock+0x36/0x1c0
[ 30.978874]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.983288]  ? kasan_check_read+0x11/0x20
[ 30.987421]  ? rcu_is_watching+0x8c/0x150
[ 30.991566]  ? rcu_pm_notify+0xc0/0xc0
[ 30.995453]  ? v9fs_mount+0x61/0x900
[ 30.999162]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.004165]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.009013]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 31.014562]  v9fs_mount+0x7c/0x900
[ 31.018104]  mount_fs+0xae/0x328
[ 31.021560]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.026153]  ? may_umount+0xb0/0xb0
[ 31.029770]  ? _raw_read_unlock+0x22/0x30
[ 31.033907]  ? __get_fs_type+0x97/0xc0
[ 31.037876]  do_mount+0x581/0x30e0
[ 31.041412]  ? interrupt_entry+0xb1/0xf0
[ 31.045464]  ? copy_mount_string+0x40/0x40
[ 31.049690]  ? retint_kernel+0x10/0x10
[ 31.053571]  ? copy_mount_options+0x213/0x380
[ 31.058070]  ? write_comp_data+0xa/0x70
[ 31.062045]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.067591]  ? copy_mount_options+0x285/0x380
[ 31.072079]  ksys_mount+0x12d/0x140
[ 31.075703]  __x64_sys_mount+0xbe/0x150
[ 31.079665]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.084672]  do_syscall_64+0x1b9/0x820
[ 31.088551]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.093469]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.098410]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.103948]  ? retint_user+0x18/0x18
[ 31.107656]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.112498]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.117673] RIP: 0033:0x440979
[ 31.120846] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.140054] RSP: 002b:00007ffdaca74c08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 31.147754] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[ 31.155013] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 31.162276] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 31.169542] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000007844
[ 31.176813] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[ 31.184078]
[ 31.185695] Allocated by task 4548:
[ 31.189317]  save_stack+0x43/0xd0
[ 31.193036]  kasan_kmalloc+0xc4/0xe0
[ 31.197446]  __kmalloc+0x14e/0x760
[ 31.200984]  p9_fcall_alloc+0x1e/0x90
[ 31.204778]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 31.209957]  p9_client_rpc+0x1bd/0x1400
[ 31.213923]  p9_client_create+0xd09/0x16c9
[ 31.218162]  v9fs_session_init+0x21a/0x1a80
[ 31.222487]  v9fs_mount+0x7c/0x900
[ 31.226030]  mount_fs+0xae/0x328
[ 31.229421]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.234051]  do_mount+0x581/0x30e0
[ 31.237596]  ksys_mount+0x12d/0x140
[ 31.241213]  __x64_sys_mount+0xbe/0x150
[ 31.245191]  do_syscall_64+0x1b9/0x820
[ 31.249080]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.254249]
[ 31.255859] Freed by task 0:
[ 31.258959] (stack is not available)
[ 31.262663]
[ 31.264284] The buggy address belongs to the object at ffff8801bf0706c0
[ 31.264284]  which belongs to the cache kmalloc-16384 of size 16384
[ 31.277297] The buggy address is located 45 bytes inside of
[ 31.277297]  16384-byte region [ffff8801bf0706c0, ffff8801bf0746c0)
[ 31.289247] The buggy address belongs to the page:
[ 31.294177] page:ffffea0006fc1c00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 31.304142] flags: 0x2fffc0000008100(slab|head)
[ 31.308805] raw: 02fffc0000008100 ffffea0006b46408 ffffea0006fc1a08 ffff8801da802200
[ 31.316673] raw: 0000000000000000 ffff8801bf0706c0 0000000100000001 0000000000000000
[ 31.324535] page dumped because: kasan: bad access detected
[ 31.330231]
[ 31.331838] Memory state around the buggy address:
[ 31.336754]  ffff8801bf072580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.344103]  ffff8801bf072600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.351458] >ffff8801bf072680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 31.358803]                                                        ^
[ 31.365281]  ffff8801bf072700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.372629]  ffff8801bf072780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.379970] ==================================================================
[ 31.387322] Disabling lock debugging due to kernel taint
[ 31.392992] Kernel panic - not syncing: panic_on_warn set ...
[ 31.392992]
[ 31.400387] CPU: 0 PID: 4548 Comm: syz-executor562 Tainted: G B 4.18.0-rc3+ #137
[ 31.409221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.418565] Call Trace:
[ 31.421144]  dump_stack+0x1c9/0x2b4
[ 31.424772]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.429951]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.434707]  panic+0x238/0x4e7
[ 31.437889]  ? add_taint.cold.5+0x16/0x16
[ 31.442045]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.446455]  ? pdu_read+0x90/0xd0
[ 31.449904]  kasan_end_report+0x47/0x4f
[ 31.453868]  kasan_report.cold.7+0x76/0x2fe
[ 31.458187]  check_memory_region+0x13e/0x1b0
[ 31.462601]  memcpy+0x23/0x50
[ 31.465711]  pdu_read+0x90/0xd0
[ 31.468993]  p9pdu_readf+0x579/0x2170
[ 31.472817]  ? p9pdu_writef+0xe0/0xe0
[ 31.476613]  ? __fget+0x414/0x670
[ 31.480152]  ? rcu_is_watching+0x61/0x150
[ 31.484285]  ? expand_files.part.8+0x9c0/0x9c0
[ 31.488861]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.493868]  ? p9_fd_show_options+0x1c0/0x1c0
[ 31.498365]  p9_client_create+0xde0/0x16c9
[ 31.502593]  ? p9_client_read+0xc60/0xc60
[ 31.506736]  ? find_held_lock+0x36/0x1c0
[ 31.510789]  ? __lockdep_init_map+0x105/0x590
[ 31.515272]  ? kasan_check_write+0x14/0x20
[ 31.519498]  ? __init_rwsem+0x1cc/0x2a0
[ 31.523460]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 31.528472]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.533492]  ? __kmalloc_track_caller+0x5f5/0x760
[ 31.538322]  ? save_stack+0xa9/0xd0
[ 31.541939]  ? save_stack+0x43/0xd0
[ 31.545558]  ? kasan_kmalloc+0xc4/0xe0
[ 31.549435]  ? kmem_cache_alloc_trace+0x152/0x780
[ 31.554270]  ? memcpy+0x45/0x50
[ 31.557543]  v9fs_session_init+0x21a/0x1a80
[ 31.561854]  ? find_held_lock+0x36/0x1c0
[ 31.566007]  ? v9fs_show_options+0x7e0/0x7e0
[ 31.570417]  ? kasan_check_read+0x11/0x20
[ 31.574553]  ? rcu_is_watching+0x8c/0x150
[ 31.578699]  ? rcu_pm_notify+0xc0/0xc0
[ 31.582584]  ? v9fs_mount+0x61/0x900
[ 31.586295]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.591298]  ? kmem_cache_alloc_trace+0x616/0x780
[ 31.596131]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 31.601657]  v9fs_mount+0x7c/0x900
[ 31.605188]  mount_fs+0xae/0x328
[ 31.608543]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.613117]  ? may_umount+0xb0/0xb0
[ 31.616733]  ? _raw_read_unlock+0x22/0x30
[ 31.620865]  ? __get_fs_type+0x97/0xc0
[ 31.624739]  do_mount+0x581/0x30e0
[ 31.628265]  ? interrupt_entry+0xb1/0xf0
[ 31.632320]  ? copy_mount_string+0x40/0x40
[ 31.636555]  ? retint_kernel+0x10/0x10
[ 31.640429]  ? copy_mount_options+0x213/0x380
[ 31.644938]  ? write_comp_data+0xa/0x70
[ 31.648917]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.654445]  ? copy_mount_options+0x285/0x380
[ 31.658928]  ksys_mount+0x12d/0x140
[ 31.662557]  __x64_sys_mount+0xbe/0x150
[ 31.666523]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.671529]  do_syscall_64+0x1b9/0x820
[ 31.675405]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.680349]  ? syscall_return_slowpath+0x31d/0x5e0
[ 31.685269]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.690797]  ? retint_user+0x18/0x18
[ 31.694509]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.699343]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.704518] RIP: 0033:0x440979
[ 31.707694] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 31.726834] RSP: 002b:00007ffdaca74c08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 31.734534] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[ 31.741797] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[ 31.749053] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[ 31.756307] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000007844
[ 31.763570] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[ 31.771383] Dumping ftrace buffer:
[ 31.774913]    (ftrace buffer empty)
[ 31.778603] Kernel Offset: disabled
[ 31.782212] Rebooting in 86400 seconds..