[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.038331] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.088314] random: sshd: uninitialized urandom read (32 bytes read)
[   25.436135] random: sshd: uninitialized urandom read (32 bytes read)
[   26.296551] random: sshd: uninitialized urandom read (32 bytes read)
[   26.451422] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
[   31.914000] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   32.005755] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   32.038439] ==================================================================
[   32.045876] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   32.052003] Read of size 11380 at addr ffff8801bfda866d by task syz-executor833/4534
[   32.059863] 
[   32.061481] CPU: 1 PID: 4534 Comm: syz-executor833 Not tainted 4.18.0-rc3+ #137
[   32.068909] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.078240] Call Trace:
[   32.080812]  dump_stack+0x1c9/0x2b4
[   32.084419]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.089590]  ? printk+0xa7/0xcf
[   32.092849]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.097589]  ? pdu_read+0x90/0xd0
[   32.101031]  print_address_description+0x6c/0x20b
[   32.105857]  ? pdu_read+0x90/0xd0
[   32.109299]  kasan_report.cold.7+0x242/0x2fe
[   32.113698]  check_memory_region+0x13e/0x1b0
[   32.118097]  memcpy+0x23/0x50
[   32.121188]  pdu_read+0x90/0xd0
[   32.124472]  p9pdu_readf+0x579/0x2170
[   32.128262]  ? p9pdu_writef+0xe0/0xe0
[   32.132048]  ? __fget+0x414/0x670
[   32.135486]  ? rcu_is_watching+0x61/0x150
[   32.139614]  ? expand_files.part.8+0x9c0/0x9c0
[   32.144188]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.149196]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.153682]  p9_client_create+0xde0/0x16c9
[   32.157904]  ? p9_client_read+0xc60/0xc60
[   32.162035]  ? find_held_lock+0x36/0x1c0
[   32.166083]  ? __lockdep_init_map+0x105/0x590
[   32.170562]  ? kasan_check_write+0x14/0x20
[   32.174776]  ? __init_rwsem+0x1cc/0x2a0
[   32.178731]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.183729]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.188734]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.193558]  ? save_stack+0xa9/0xd0
[   32.197164]  ? save_stack+0x43/0xd0
[   32.200780]  ? kasan_kmalloc+0xc4/0xe0
[   32.204646]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.209468]  ? memcpy+0x45/0x50
[   32.212744]  v9fs_session_init+0x21a/0x1a80
[   32.217050]  ? find_held_lock+0x36/0x1c0
[   32.221101]  ? v9fs_show_options+0x7e0/0x7e0
[   32.225496]  ? kasan_check_read+0x11/0x20
[   32.229626]  ? rcu_is_watching+0x8c/0x150
[   32.233764]  ? rcu_pm_notify+0xc0/0xc0
[   32.237637]  ? v9fs_mount+0x61/0x900
[   32.241343]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.246340]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.251165]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.256699]  v9fs_mount+0x7c/0x900
[   32.260234]  mount_fs+0xae/0x328
[   32.263585]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.268160]  ? may_umount+0xb0/0xb0
[   32.271767]  ? _raw_read_unlock+0x22/0x30
[   32.275894]  ? __get_fs_type+0x97/0xc0
[   32.279763]  do_mount+0x581/0x30e0
[   32.283287]  ? copy_mount_string+0x40/0x40
[   32.287513]  ? copy_mount_options+0x5f/0x380
[   32.291902]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.296900]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.301728]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.307249]  ? copy_mount_options+0x285/0x380
[   32.311730]  ksys_mount+0x12d/0x140
[   32.315338]  __x64_sys_mount+0xbe/0x150
[   32.319291]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.324290]  do_syscall_64+0x1b9/0x820
[   32.328170]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.333094]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.338009]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.343536]  ? retint_user+0x18/0x18
[   32.347229]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.352054]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.357220] RIP: 0033:0x440959
[   32.360385] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   32.379558] RSP: 002b:00007ffd5a759228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   32.387247] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   32.394503] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.401752] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.408997] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007d20
[   32.416251] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   32.423505] 
[   32.425110] Allocated by task 4534:
[   32.428720]  save_stack+0x43/0xd0
[   32.432154]  kasan_kmalloc+0xc4/0xe0
[   32.435845]  __kmalloc+0x14e/0x760
[   32.439375]  p9_fcall_alloc+0x1e/0x90
[   32.443157]  p9_client_prepare_req.part.8+0x754/0xcd0
[   32.448326]  p9_client_rpc+0x1bd/0x1400
[   32.452281]  p9_client_create+0xd09/0x16c9
[   32.456506]  v9fs_session_init+0x21a/0x1a80
[   32.460806]  v9fs_mount+0x7c/0x900
[   32.464324]  mount_fs+0xae/0x328
[   32.467679]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.472238]  do_mount+0x581/0x30e0
[   32.475756]  ksys_mount+0x12d/0x140
[   32.479359]  __x64_sys_mount+0xbe/0x150
[   32.483313]  do_syscall_64+0x1b9/0x820
[   32.487194]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.492363] 
[   32.493967] Freed by task 0:
[   32.496957] (stack is not available)
[   32.500642] 
[   32.502247] The buggy address belongs to the object at ffff8801bfda8640
[   32.502247]  which belongs to the cache kmalloc-16384 of size 16384
[   32.515235] The buggy address is located 45 bytes inside of
[   32.515235]  16384-byte region [ffff8801bfda8640, ffff8801bfdac640)
[   32.527175] The buggy address belongs to the page:
[   32.532085] page:ffffea0006ff6a00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   32.542043] flags: 0x2fffc0000008100(slab|head)
[   32.546694] raw: 02fffc0000008100 ffffea0007030208 ffffea0006f73e08 ffff8801da802200
[   32.554556] raw: 0000000000000000 ffff8801bfda8640 0000000100000001 0000000000000000
[   32.562412] page dumped because: kasan: bad access detected
[   32.568095] 
[   32.569698] Memory state around the buggy address:
[   32.574606]  ffff8801bfdaa500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.581943]  ffff8801bfdaa580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.589277] >ffff8801bfdaa600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   32.596611]                                                        ^
[   32.603080]  ffff8801bfdaa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.610423]  ffff8801bfdaa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.617754] ==================================================================
[   32.625088] Disabling lock debugging due to kernel taint
[   32.630608] Kernel panic - not syncing: panic_on_warn set ...
[   32.630608] 
[   32.637975] CPU: 1 PID: 4534 Comm: syz-executor833 Tainted: G    B             4.18.0-rc3+ #137
[   32.646796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.656125] Call Trace:
[   32.658695]  dump_stack+0x1c9/0x2b4
[   32.662312]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.667493]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.672237]  panic+0x238/0x4e7
[   32.675408]  ? add_taint.cold.5+0x16/0x16
[   32.679541]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.683929]  ? pdu_read+0x90/0xd0
[   32.687358]  kasan_end_report+0x47/0x4f
[   32.691310]  kasan_report.cold.7+0x76/0x2fe
[   32.695611]  check_memory_region+0x13e/0x1b0
[   32.699997]  memcpy+0x23/0x50
[   32.703087]  pdu_read+0x90/0xd0
[   32.706344]  p9pdu_readf+0x579/0x2170
[   32.710124]  ? p9pdu_writef+0xe0/0xe0
[   32.713902]  ? __fget+0x414/0x670
[   32.717332]  ? rcu_is_watching+0x61/0x150
[   32.721457]  ? expand_files.part.8+0x9c0/0x9c0
[   32.726029]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.731034]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.735511]  p9_client_create+0xde0/0x16c9
[   32.739727]  ? p9_client_read+0xc60/0xc60
[   32.743862]  ? find_held_lock+0x36/0x1c0
[   32.747909]  ? __lockdep_init_map+0x105/0x590
[   32.752384]  ? kasan_check_write+0x14/0x20
[   32.756594]  ? __init_rwsem+0x1cc/0x2a0
[   32.760547]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.765542]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.770535]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.775354]  ? save_stack+0xa9/0xd0
[   32.778957]  ? save_stack+0x43/0xd0
[   32.782561]  ? kasan_kmalloc+0xc4/0xe0
[   32.786427]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.791247]  ? memcpy+0x45/0x50
[   32.794509]  v9fs_session_init+0x21a/0x1a80
[   32.798808]  ? find_held_lock+0x36/0x1c0
[   32.802849]  ? v9fs_show_options+0x7e0/0x7e0
[   32.807238]  ? kasan_check_read+0x11/0x20
[   32.811362]  ? rcu_is_watching+0x8c/0x150
[   32.815487]  ? rcu_pm_notify+0xc0/0xc0
[   32.819354]  ? v9fs_mount+0x61/0x900
[   32.823048]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.828042]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.832865]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.838380]  v9fs_mount+0x7c/0x900
[   32.841902]  mount_fs+0xae/0x328
[   32.845247]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.849812]  ? may_umount+0xb0/0xb0
[   32.853423]  ? _raw_read_unlock+0x22/0x30
[   32.857549]  ? __get_fs_type+0x97/0xc0
[   32.861415]  do_mount+0x581/0x30e0
[   32.864933]  ? copy_mount_string+0x40/0x40
[   32.869151]  ? copy_mount_options+0x5f/0x380
[   32.873541]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.878536]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.883358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.888873]  ? copy_mount_options+0x285/0x380
[   32.893347]  ksys_mount+0x12d/0x140
[   32.896954]  __x64_sys_mount+0xbe/0x150
[   32.900909]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.905905]  do_syscall_64+0x1b9/0x820
[   32.909769]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.914675]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.919583]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.925101]  ? retint_user+0x18/0x18
[   32.928803]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.933637]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.938804] RIP: 0033:0x440959
[   32.941975] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   32.961117] RSP: 002b:00007ffd5a759228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   32.968805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   32.976051] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.983307] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.990553] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007d20
[   32.997798] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   33.005518] Dumping ftrace buffer:
[   33.009035]    (ftrace buffer empty)
[   33.012720] Kernel Offset: disabled
[   33.016321] Rebooting in 86400 seconds..
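A triage note on reading the report above, with an added C example that is not part of the syzkaller log or of the kernel's 9p code. The "located 45 bytes inside of 16384-byte region" line describes the kmalloc-16384 slab slot, not the size that p9_fcall_alloc actually requested; the accessible size is only recoverable from the shadow rows under "Memory state around the buggy address". The program below parses those rows (copied from the report as its sample input), finds the first poisoned byte touched by the 11380-byte read at ffff8801bfda866d, and measures the read against it. It assumes the generic KASAN shadow encoding: one shadow byte per 8 bytes of memory, 0x00 meaning all 8 accessible, 0x01..0x07 meaning that many leading bytes accessible, and any other value (0xfc is the kmalloc redzone) meaning poisoned. The row strings, the object address, the access address and the access size are the report's; everything else is this example's own.

```c
/*
 * Decode the KASAN "Memory state" rows of the report above and measure
 * the faulting access against them.  Added triage example; not code from
 * the kernel, the 9p client or the syzkaller log.  Assumes generic KASAN
 * shadow encoding (8 bytes per shadow byte, 0x00 = fully accessible,
 * 0x01..0x07 = that many leading bytes accessible, anything else poisoned).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SHADOW_SCALE  8    /* bytes of memory covered by one shadow byte */
#define BYTES_PER_ROW 16   /* shadow bytes printed per report row */

struct shadow_row {
    uint64_t base;                 /* memory address covered by shadow[0] */
    uint8_t  shadow[BYTES_PER_ROW];
};

/* Parse one dumped row such as ">ffff8801bfdaa600: 00 00 ... fc fc".
 * The leading '>' only marks the row containing the first bad address. */
static int parse_shadow_row(const char *line, struct shadow_row *row)
{
    const char *p = line;
    char *end;

    while (*p == ' ' || *p == '>')
        p++;
    row->base = strtoull(p, &end, 16);
    if (end == p || *end != ':')
        return -1;
    p = end + 1;
    for (int i = 0; i < BYTES_PER_ROW; i++) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff)
            return -1;
        row->shadow[i] = (uint8_t)v;
        p = end;
    }
    return 0;
}

/* 1 if addr is accessible, 0 if poisoned, -1 if outside the dumped window. */
static int byte_accessible(const struct shadow_row *rows, size_t nrows, uint64_t addr)
{
    const uint64_t span = (uint64_t)BYTES_PER_ROW * SHADOW_SCALE;

    for (size_t r = 0; r < nrows; r++) {
        if (addr < rows[r].base || addr >= rows[r].base + span)
            continue;
        uint8_t s = rows[r].shadow[(addr - rows[r].base) / SHADOW_SCALE];
        unsigned off = (unsigned)(addr % SHADOW_SCALE);
        return s == 0 || (s < SHADOW_SCALE && off < s);
    }
    return -1;
}

/* First poisoned address in [addr, addr + size) inside the dumped window, or 0.
 * KASAN dumps the window around the first bad byte it found, so bytes below
 * the window were already checked as accessible by the kernel. */
static uint64_t first_poisoned(const struct shadow_row *rows, size_t nrows,
                               uint64_t addr, size_t size)
{
    for (uint64_t a = addr; a < addr + size; a++)
        if (byte_accessible(rows, nrows, a) == 0)
            return a;
    return 0;
}

struct triage {
    uint64_t first_bad;  /* first poisoned byte the access touched */
    uint64_t usable;     /* accessible bytes from object start to first_bad */
    uint64_t in_bounds;  /* bytes of the access before first_bad */
    uint64_t overflow;   /* bytes of the access at or past first_bad */
};

/* Sample input: the rows and numbers printed in the report above. */
static const char *const report_rows[] = {
    " ffff8801bfdaa500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " ffff8801bfdaa580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    ">ffff8801bfdaa600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc",
    " ffff8801bfdaa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    " ffff8801bfdaa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define REPORT_OBJECT 0xffff8801bfda8640ULL  /* "object at ..." */
#define REPORT_ADDR   0xffff8801bfda866dULL  /* "Read of size 11380 at addr ..." */
#define REPORT_SIZE   11380

static int triage_report(struct triage *t)
{
    const size_t n = sizeof(report_rows) / sizeof(report_rows[0]);
    struct shadow_row rows[sizeof(report_rows) / sizeof(report_rows[0])];

    for (size_t i = 0; i < n; i++)
        if (parse_shadow_row(report_rows[i], &rows[i]) != 0)
            return -1;
    t->first_bad = first_poisoned(rows, n, REPORT_ADDR, REPORT_SIZE);
    if (t->first_bad == 0)
        return -1;
    t->usable    = t->first_bad - REPORT_OBJECT;
    t->in_bounds = t->first_bad - REPORT_ADDR;
    t->overflow  = REPORT_ADDR + REPORT_SIZE - t->first_bad;
    return 0;
}

int main(void)
{
    struct triage t;

    if (triage_report(&t) != 0) {
        fprintf(stderr, "triage failed\n");
        return 1;
    }
    printf("first poisoned byte : 0x%llx\n", (unsigned long long)t.first_bad);
    printf("usable object bytes : %llu (slab slot is 16384)\n", (unsigned long long)t.usable);
    printf("in-bounds / overflow: %llu / %llu of %d requested\n",
           (unsigned long long)t.in_bounds, (unsigned long long)t.overflow, REPORT_SIZE);
    return 0;
}
```

Run against the report's own rows, the first poisoned byte is ffff8801bfdaa660, so only 8224 bytes from the object start were accessible even though the slab slot is 16384 bytes: the 11380-byte memcpy in pdu_read stays in bounds for 8179 bytes and then runs 3201 bytes into the redzone. Combined with the allocation stack (p9_fcall_alloc called from p9_client_rpc during p9_client_create, i.e. the mount-time version exchange), that tells a practitioner the length handed to pdu_read's memcpy exceeded what was allocated for the p9_fcall; where that length came from, and which check in the 9p read path should have rejected it, is the question the fix has to answer, and this report alone does not settle it.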