[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.980417] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 20.333911] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.776630] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.484036] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.619470] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
[ 27.050257] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 27.134547] ==================================================================
[ 27.141961] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 27.148103] Read of size 31184 at addr ffff8801bc9b08ad by task syz-executor851/4438
[ 27.155968]
[ 27.157592] CPU: 0 PID: 4438 Comm: syz-executor851 Not tainted 4.18.0-rc4-next-20180711+ #4
[ 27.166083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.175438] Call Trace:
[ 27.178046]  dump_stack+0x1c9/0x2b4
[ 27.181665]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 27.186840]  ? printk+0xa7/0xcf
[ 27.190109]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 27.194861]  ? pdu_read+0x90/0xd0
[ 27.198299]  print_address_description+0x6c/0x20b
[ 27.203139]  ? pdu_read+0x90/0xd0
[ 27.206582]  kasan_report.cold.7+0x242/0x30d
[ 27.210986]  check_memory_region+0x13e/0x1b0
[ 27.215383]  memcpy+0x23/0x50
[ 27.218472]  pdu_read+0x90/0xd0
[ 27.221736]  p9pdu_readf+0x579/0x2170
[ 27.225528]  ? p9pdu_writef+0xe0/0xe0
[ 27.229342]  ? ksys_dup3+0x690/0x690
[ 27.233059]  ? do_raw_spin_lock+0xc1/0x200
[ 27.237288]  ? kasan_kmalloc+0xc4/0xe0
[ 27.241163]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.245734]  ? p9_fd_show_options+0x1c0/0x1c0
[ 27.250218]  ? __raw_spin_lock_init+0x2d/0x100
[ 27.254795]  p9_client_create+0xe87/0x1770
[ 27.259029]  ? p9_client_read+0xc60/0xc60
[ 27.263163]  ? kasan_check_read+0x11/0x20
[ 27.267306]  ? lock_acquire+0x1e4/0x540
[ 27.271270]  ? fs_reclaim_acquire+0x20/0x20
[ 27.275585]  ? lock_release+0xa30/0xa30
[ 27.279553]  ? __lockdep_init_map+0x105/0x590
[ 27.284047]  ? kasan_check_write+0x14/0x20
[ 27.288266]  ? __init_rwsem+0x1cc/0x2a0
[ 27.292247]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 27.297249]  ? __kmalloc_track_caller+0x311/0x760
[ 27.302079]  ? save_stack+0xa9/0xd0
[ 27.305699]  ? save_stack+0x43/0xd0
[ 27.309306]  ? kasan_kmalloc+0xc4/0xe0
[ 27.313175]  ? kmem_cache_alloc_trace+0x152/0x780
[ 27.318002]  ? memcpy+0x45/0x50
[ 27.321272]  v9fs_session_init+0x21a/0x1a80
[ 27.325591]  ? rcu_note_context_switch+0x730/0x730
[ 27.330520]  ? do_mount+0x69e/0x1fb0
[ 27.334223]  ? lock_acquire+0x1e4/0x540
[ 27.338209]  ? v9fs_show_options+0x7e0/0x7e0
[ 27.342605]  ? lock_release+0xa30/0xa30
[ 27.346564]  ? check_same_owner+0x340/0x340
[ 27.350872]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.355447]  ? kasan_kmalloc+0xc4/0xe0
[ 27.359316]  ? kmem_cache_alloc_trace+0x318/0x780
[ 27.364151]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.368721]  ? kasan_kmalloc+0xc4/0xe0
[ 27.372598]  v9fs_mount+0x7c/0x900
[ 27.376125]  ? v9fs_drop_inode+0x150/0x150
[ 27.380345]  legacy_get_tree+0x118/0x440
[ 27.384393]  vfs_get_tree+0x1cb/0x5c0
[ 27.388180]  do_mount+0x6c1/0x1fb0
[ 27.391707]  ? kasan_check_write+0x14/0x20
[ 27.395934]  ? copy_mount_string+0x40/0x40
[ 27.400153]  ? kasan_kmalloc+0xc4/0xe0
[ 27.404033]  ? kmem_cache_alloc_trace+0x318/0x780
[ 27.408863]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 27.414385]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.419907]  ? copy_mount_options+0x285/0x380
[ 27.424410]  ksys_mount+0x12d/0x140
[ 27.428050]  __x64_sys_mount+0xbe/0x150
[ 27.432021]  do_syscall_64+0x1b9/0x820
[ 27.435914]  ? syscall_slow_exit_work+0x500/0x500
[ 27.440743]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 27.445664]  ? syscall_return_slowpath+0x31d/0x5e0
[ 27.450588]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 27.455586]  ? perf_trace_sys_enter+0xb10/0xb10
[ 27.460250]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.465075]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.470274] RIP: 0033:0x440149
[ 27.473451] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 27.492578] RSP: 002b:00007ffca23fe8b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 27.500293] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440149
[ 27.507553] RDX: 0000000020000000 RSI: 0000000020000140 RDI: 0000000000000000
[ 27.514822] RBP: 0030656c69662f2e R08: 0000000020000440 R09: 00000000004002c8
[ 27.522086] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[ 27.529343] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000
[ 27.536602]
[ 27.538222] Allocated by task 4438:
[ 27.541841]  save_stack+0x43/0xd0
[ 27.545280]  kasan_kmalloc+0xc4/0xe0
[ 27.548986]  __kmalloc+0x14e/0x760
[ 27.552518]  p9_fcall_alloc+0x1e/0x90
[ 27.556314]  p9_client_prepare_req.part.9+0x754/0xcd0
[ 27.561487]  p9_client_rpc+0x1bd/0x1400
[ 27.565446]  p9_client_create+0xdb0/0x1770
[ 27.569662]  v9fs_session_init+0x21a/0x1a80
[ 27.573979]  v9fs_mount+0x7c/0x900
[ 27.577511]  legacy_get_tree+0x118/0x440
[ 27.581564]  vfs_get_tree+0x1cb/0x5c0
[ 27.585363]  do_mount+0x6c1/0x1fb0
[ 27.588899]  ksys_mount+0x12d/0x140
[ 27.592508]  __x64_sys_mount+0xbe/0x150
[ 27.596474]  do_syscall_64+0x1b9/0x820
[ 27.600348]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.605511]
[ 27.607118] Freed by task 0:
[ 27.610120] (stack is not available)
[ 27.613813]
[ 27.615432] The buggy address belongs to the object at ffff8801bc9b0880
[ 27.615432]  which belongs to the cache kmalloc-16384 of size 16384
[ 27.628434] The buggy address is located 45 bytes inside of
[ 27.628434]  16384-byte region [ffff8801bc9b0880, ffff8801bc9b4880)
[ 27.640379] The buggy address belongs to the page:
[ 27.645301] page:ffffea0006f26c00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 27.655268] flags: 0x2fffc0000008100(slab|head)
[ 27.659934] raw: 02fffc0000008100 ffffea0006f9be08 ffff8801da801c48 ffff8801da802200
[ 27.667806] raw: 0000000000000000 ffff8801bc9b0880 0000000100000001 0000000000000000
[ 27.675667] page dumped because: kasan: bad access detected
[ 27.681355]
[ 27.682964] Memory state around the buggy address:
[ 27.687875]  ffff8801bc9b2780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.695237]  ffff8801bc9b2800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.702623] >ffff8801bc9b2880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.709977]                                ^
[ 27.714369]  ffff8801bc9b2900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.721723]  ffff8801bc9b2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.729073] ==================================================================
[ 27.736718] Kernel panic - not syncing: panic_on_warn set ...
[ 27.736718]
[ 27.744088] CPU: 0 PID: 4438 Comm: syz-executor851 Tainted: G B 4.18.0-rc4-next-20180711+ #4
[ 27.753949] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.763283] Call Trace:
[ 27.765858]  dump_stack+0x1c9/0x2b4
[ 27.769473]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 27.774649]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 27.779400]  panic+0x238/0x4e7
[ 27.782581]  ? add_taint.cold.5+0x16/0x16
[ 27.786716]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 27.791121]  ? pdu_read+0x90/0xd0
[ 27.794557]  kasan_end_report+0x47/0x4f
[ 27.798515]  kasan_report.cold.7+0x76/0x30d
[ 27.802829]  check_memory_region+0x13e/0x1b0
[ 27.807219]  memcpy+0x23/0x50
[ 27.810315]  pdu_read+0x90/0xd0
[ 27.813577]  p9pdu_readf+0x579/0x2170
[ 27.817370]  ? p9pdu_writef+0xe0/0xe0
[ 27.821157]  ? ksys_dup3+0x690/0x690
[ 27.824865]  ? do_raw_spin_lock+0xc1/0x200
[ 27.829087]  ? kasan_kmalloc+0xc4/0xe0
[ 27.832968]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.837539]  ? p9_fd_show_options+0x1c0/0x1c0
[ 27.842032]  ? __raw_spin_lock_init+0x2d/0x100
[ 27.846599]  p9_client_create+0xe87/0x1770
[ 27.850826]  ? p9_client_read+0xc60/0xc60
[ 27.854959]  ? kasan_check_read+0x11/0x20
[ 27.859102]  ? lock_acquire+0x1e4/0x540
[ 27.863072]  ? fs_reclaim_acquire+0x20/0x20
[ 27.867379]  ? lock_release+0xa30/0xa30
[ 27.871339]  ? __lockdep_init_map+0x105/0x590
[ 27.875829]  ? kasan_check_write+0x14/0x20
[ 27.880051]  ? __init_rwsem+0x1cc/0x2a0
[ 27.884030]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 27.889038]  ? __kmalloc_track_caller+0x311/0x760
[ 27.893875]  ? save_stack+0xa9/0xd0
[ 27.897486]  ? save_stack+0x43/0xd0
[ 27.901106]  ? kasan_kmalloc+0xc4/0xe0
[ 27.904978]  ? kmem_cache_alloc_trace+0x152/0x780
[ 27.909817]  ? memcpy+0x45/0x50
[ 27.913086]  v9fs_session_init+0x21a/0x1a80
[ 27.917402]  ? rcu_note_context_switch+0x730/0x730
[ 27.922321]  ? do_mount+0x69e/0x1fb0
[ 27.926041]  ? lock_acquire+0x1e4/0x540
[ 27.929998]  ? v9fs_show_options+0x7e0/0x7e0
[ 27.934396]  ? lock_release+0xa30/0xa30
[ 27.938374]  ? check_same_owner+0x340/0x340
[ 27.942690]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.947269]  ? kasan_kmalloc+0xc4/0xe0
[ 27.951153]  ? kmem_cache_alloc_trace+0x318/0x780
[ 27.955980]  ? kasan_unpoison_shadow+0x35/0x50
[ 27.960553]  ? kasan_kmalloc+0xc4/0xe0
[ 27.964445]  v9fs_mount+0x7c/0x900
[ 27.967970]  ? v9fs_drop_inode+0x150/0x150
[ 27.972188]  legacy_get_tree+0x118/0x440
[ 27.976241]  vfs_get_tree+0x1cb/0x5c0
[ 27.980033]  do_mount+0x6c1/0x1fb0
[ 27.983567]  ? kasan_check_write+0x14/0x20
[ 27.987793]  ? copy_mount_string+0x40/0x40
[ 27.992030]  ? kasan_kmalloc+0xc4/0xe0
[ 27.995902]  ? kmem_cache_alloc_trace+0x318/0x780
[ 28.000727]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 28.006251]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 28.011772]  ? copy_mount_options+0x285/0x380
[ 28.016273]  ksys_mount+0x12d/0x140
[ 28.019882]  __x64_sys_mount+0xbe/0x150
[ 28.023838]  do_syscall_64+0x1b9/0x820
[ 28.027708]  ? syscall_slow_exit_work+0x500/0x500
[ 28.032530]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 28.037445]  ? syscall_return_slowpath+0x31d/0x5e0
[ 28.042360]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 28.047359]  ? perf_trace_sys_enter+0xb10/0xb10
[ 28.052026]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.056857]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 28.062033] RIP: 0033:0x440149
[ 28.065207] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 28.084331] RSP: 002b:00007ffca23fe8b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 28.092030] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440149
[ 28.099289] RDX: 0000000020000000 RSI: 0000000020000140 RDI: 0000000000000000
[ 28.106549] RBP: 0030656c69662f2e R08: 0000000020000440 R09: 00000000004002c8
[ 28.113807] R10: 0000000000000000 R11: 0000000000000206 R12: 64663d736e617274
[ 28.121057] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000
[ 28.128785] Dumping ftrace buffer:
[ 28.132327]    (ftrace buffer empty)
[ 28.136013] Kernel Offset: disabled
[ 28.139620] Rebooting in 86400 seconds..