[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.274470] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.337247] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.748669] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.640303] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.801445] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
[ 29.664918] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[ 29.767882] ==================================================================
[ 29.775391] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 29.781525] Read of size 52791 at addr ffff8801b60206ed by task syz-executor033/4528
[ 29.789642]
[ 29.791313] CPU: 1 PID: 4528 Comm: syz-executor033 Not tainted 4.18.0-rc4+ #141
[ 29.798752] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.808092] Call Trace:
[ 29.810685]  dump_stack+0x1c9/0x2b4
[ 29.814299]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.819731]  ? printk+0xa7/0xcf
[ 29.823001]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.827755]  ? pdu_read+0x90/0xd0
[ 29.831193]  print_address_description+0x6c/0x20b
[ 29.836020]  ? pdu_read+0x90/0xd0
[ 29.839459]  kasan_report.cold.7+0x242/0x2fe
[ 29.843857]  check_memory_region+0x13e/0x1b0
[ 29.848249]  memcpy+0x23/0x50
[ 29.851340]  pdu_read+0x90/0xd0
[ 29.854610]  p9pdu_readf+0x579/0x2170
[ 29.858399]  ? p9pdu_writef+0xe0/0xe0
[ 29.862185]  ? __fget+0x414/0x670
[ 29.865624]  ? rcu_is_watching+0x61/0x150
[ 29.869757]  ? expand_files.part.8+0x9c0/0x9c0
[ 29.874329]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.879340]  ? p9_fd_show_options+0x1c0/0x1c0
[ 29.883840]  p9_client_create+0xde0/0x16c9
[ 29.888066]  ? p9_client_read+0xc60/0xc60
[ 29.892213]  ? find_held_lock+0x36/0x1c0
[ 29.896288]  ? __lockdep_init_map+0x105/0x590
[ 29.900772]  ? kasan_check_write+0x14/0x20
[ 29.904988]  ? __init_rwsem+0x1cc/0x2a0
[ 29.908943]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 29.913948]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.918952]  ? __kmalloc_track_caller+0x5f5/0x760
[ 29.923778]  ? save_stack+0xa9/0xd0
[ 29.927389]  ? save_stack+0x43/0xd0
[ 29.931009]  ? kasan_kmalloc+0xc4/0xe0
[ 29.934889]  ? kmem_cache_alloc_trace+0x152/0x780
[ 29.939717]  ? memcpy+0x45/0x50
[ 29.943003]  v9fs_session_init+0x21a/0x1a80
[ 29.947332]  ? lock_downgrade+0x8f0/0x8f0
[ 29.951478]  ? v9fs_show_options+0x7e0/0x7e0
[ 29.955875]  ? kasan_check_read+0x11/0x20
[ 29.960010]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 29.964403]  ? kasan_check_read+0x11/0x20
[ 29.968532]  ? rcu_is_watching+0x8c/0x150
[ 29.972664]  ? rcu_pm_notify+0xc0/0xc0
[ 29.976542]  ? v9fs_mount+0x61/0x900
[ 29.980249]  ? rcu_read_lock_sched_held+0x108/0x120
[ 29.986044]  ? kmem_cache_alloc_trace+0x616/0x780
[ 29.990913]  v9fs_mount+0x7c/0x900
[ 29.994447]  mount_fs+0xae/0x328
[ 29.997818]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.002402]  ? may_umount+0xb0/0xb0
[ 30.006034]  ? _raw_read_unlock+0x22/0x30
[ 30.010179]  ? __get_fs_type+0x97/0xc0
[ 30.014071]  do_mount+0x581/0x30e0
[ 30.017616]  ? copy_mount_string+0x40/0x40
[ 30.021839]  ? copy_mount_options+0x5f/0x380
[ 30.026237]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.031242]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.036073]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.041609]  ? _copy_from_user+0xdf/0x150
[ 30.045753]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.051283]  ? copy_mount_options+0x285/0x380
[ 30.055761]  ksys_mount+0x12d/0x140
[ 30.059371]  __x64_sys_mount+0xbe/0x150
[ 30.063339]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.068356]  do_syscall_64+0x1b9/0x820
[ 30.072232]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.077143]  ? syscall_return_slowpath+0x31d/0x5e0
[ 30.082075]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 30.087433]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.092264]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.097449] RIP: 0033:0x4401a9
[ 30.100617] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 30.119804] RSP: 002b:00007ffcfda03fd8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 30.127520] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004401a9
[ 30.134779] RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000000000000
[ 30.142041] RBP: 0030656c69662f2e R08: 00000000200002c0 R09: 0000000000000001
[ 30.149309] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[ 30.156566] R13: 0000040000000002 R14: 0000000000000000 R15: 0000000000000000
[ 30.163840]
[ 30.165458] Allocated by task 4528:
[ 30.169079]  save_stack+0x43/0xd0
[ 30.172516]  kasan_kmalloc+0xc4/0xe0
[ 30.176239]  __kmalloc+0x14e/0x760
[ 30.179791]  p9_fcall_alloc+0x1e/0x90
[ 30.183580]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 30.188751]  p9_client_rpc+0x1bd/0x1400
[ 30.192706]  p9_client_create+0xd09/0x16c9
[ 30.196924]  v9fs_session_init+0x21a/0x1a80
[ 30.201227]  v9fs_mount+0x7c/0x900
[ 30.204750]  mount_fs+0xae/0x328
[ 30.208111]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.212674]  do_mount+0x581/0x30e0
[ 30.216200]  ksys_mount+0x12d/0x140
[ 30.219825]  __x64_sys_mount+0xbe/0x150
[ 30.223785]  do_syscall_64+0x1b9/0x820
[ 30.227657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.232826]
[ 30.234437] Freed by task 0:
[ 30.237431] (stack is not available)
[ 30.241117]
[ 30.242728] The buggy address belongs to the object at ffff8801b60206c0
[ 30.242728]  which belongs to the cache kmalloc-16384 of size 16384
[ 30.255730] The buggy address is located 45 bytes inside of
[ 30.255730]  16384-byte region [ffff8801b60206c0, ffff8801b60246c0)
[ 30.267671] The buggy address belongs to the page:
[ 30.272589] page:ffffea0006d80800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 30.282549] flags: 0x2fffc0000008100(slab|head)
[ 30.287239] raw: 02fffc0000008100 ffffea0006daba08 ffff8801da801c48 ffff8801da802200
[ 30.295104] raw: 0000000000000000 ffff8801b60206c0 0000000100000001 0000000000000000
[ 30.302962] page dumped because: kasan: bad access detected
[ 30.308646]
[ 30.310251] Memory state around the buggy address:
[ 30.315167]  ffff8801b6022580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.322510]  ffff8801b6022600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 30.329856] >ffff8801b6022680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 30.337201]                                                        ^
[ 30.343673]  ffff8801b6022700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.351024]  ffff8801b6022780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.358370] ==================================================================
[ 30.365712] Disabling lock debugging due to kernel taint
[ 30.371285] Kernel panic - not syncing: panic_on_warn set ...
[ 30.371285]
[ 30.378664] CPU: 1 PID: 4528 Comm: syz-executor033 Tainted: G B 4.18.0-rc4+ #141
[ 30.387499] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.396842] Call Trace:
[ 30.399418]  dump_stack+0x1c9/0x2b4
[ 30.403036]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.408219]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 30.412961]  panic+0x238/0x4e7
[ 30.416142]  ? add_taint.cold.5+0x16/0x16
[ 30.420277]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.424694]  ? pdu_read+0x90/0xd0
[ 30.428138]  kasan_end_report+0x47/0x4f
[ 30.432103]  kasan_report.cold.7+0x76/0x2fe
[ 30.436411]  check_memory_region+0x13e/0x1b0
[ 30.440809]  memcpy+0x23/0x50
[ 30.443903]  pdu_read+0x90/0xd0
[ 30.447167]  p9pdu_readf+0x579/0x2170
[ 30.451217]  ? p9pdu_writef+0xe0/0xe0
[ 30.455001]  ? __fget+0x414/0x670
[ 30.458448]  ? rcu_is_watching+0x61/0x150
[ 30.462578]  ? expand_files.part.8+0x9c0/0x9c0
[ 30.467147]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.472150]  ? p9_fd_show_options+0x1c0/0x1c0
[ 30.476639]  p9_client_create+0xde0/0x16c9
[ 30.480870]  ? p9_client_read+0xc60/0xc60
[ 30.485017]  ? find_held_lock+0x36/0x1c0
[ 30.489072]  ? __lockdep_init_map+0x105/0x590
[ 30.493564]  ? kasan_check_write+0x14/0x20
[ 30.497782]  ? __init_rwsem+0x1cc/0x2a0
[ 30.501738]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 30.506738]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.511738]  ? __kmalloc_track_caller+0x5f5/0x760
[ 30.516571]  ? save_stack+0xa9/0xd0
[ 30.520177]  ? save_stack+0x43/0xd0
[ 30.523789]  ? kasan_kmalloc+0xc4/0xe0
[ 30.527658]  ? kmem_cache_alloc_trace+0x152/0x780
[ 30.532482]  ? memcpy+0x45/0x50
[ 30.535748]  v9fs_session_init+0x21a/0x1a80
[ 30.540067]  ? lock_downgrade+0x8f0/0x8f0
[ 30.544212]  ? v9fs_show_options+0x7e0/0x7e0
[ 30.548611]  ? kasan_check_read+0x11/0x20
[ 30.552755]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.557160]  ? kasan_check_read+0x11/0x20
[ 30.561298]  ? rcu_is_watching+0x8c/0x150
[ 30.565431]  ? rcu_pm_notify+0xc0/0xc0
[ 30.569321]  ? v9fs_mount+0x61/0x900
[ 30.573023]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.578050]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.582888]  v9fs_mount+0x7c/0x900
[ 30.586425]  mount_fs+0xae/0x328
[ 30.589789]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 30.594363]  ? may_umount+0xb0/0xb0
[ 30.597981]  ? _raw_read_unlock+0x22/0x30
[ 30.602118]  ? __get_fs_type+0x97/0xc0
[ 30.605987]  do_mount+0x581/0x30e0
[ 30.609509]  ? copy_mount_string+0x40/0x40
[ 30.613738]  ? copy_mount_options+0x5f/0x380
[ 30.618128]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.623128]  ? kmem_cache_alloc_trace+0x616/0x780
[ 30.627972]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 30.633493]  ? _copy_from_user+0xdf/0x150
[ 30.637623]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.643147]  ? copy_mount_options+0x285/0x380
[ 30.647642]  ksys_mount+0x12d/0x140
[ 30.651263]  __x64_sys_mount+0xbe/0x150
[ 30.655223]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.660225]  do_syscall_64+0x1b9/0x820
[ 30.664095]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.669009]  ? syscall_return_slowpath+0x31d/0x5e0
[ 30.673942]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 30.679299]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.684124]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.689311] RIP: 0033:0x4401a9
[ 30.692489] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 30.711612] RSP: 002b:00007ffcfda03fd8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 30.719304] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004401a9
[ 30.726565] RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000000000000
[ 30.733824] RBP: 0030656c69662f2e R08: 00000000200002c0 R09: 0000000000000001
[ 30.741088] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[ 30.748358] R13: 0000040000000002 R14: 0000000000000000 R15: 0000000000000000
[ 30.756131] Dumping ftrace buffer:
[ 30.759658]    (ftrace buffer empty)
[ 30.763359] Kernel Offset: disabled
[ 30.766967] Rebooting in 86400 seconds..