[....] Starting periodic command scheduler: cron [ ok ]
[....] Starting OpenBSD Secure Shell server: sshd
[   19.117086] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.972723] random: sshd: uninitialized urandom read (32 bytes read)
[   21.310207] random: sshd: uninitialized urandom read (32 bytes read)
[   22.166917] random: sshd: uninitialized urandom read (32 bytes read)
[   34.317417] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[   39.761811] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   39.862608] ==================================================================
[   39.870336] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   39.876595] Read of size 49748 at addr ffff8801b74588ad by task syz-executor611/4505
[   39.884498] 
[   39.886121] CPU: 0 PID: 4505 Comm: syz-executor611 Not tainted 4.18.0-rc3+ #40
[   39.893474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.902834] Call Trace:
[   39.905435]  dump_stack+0x1c9/0x2b4
[   39.909665]  ? dump_stack_print_info.cold.2+0x52/0x52
[   39.914851]  ? printk+0xa7/0xcf
[   39.918130]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.922998]  ? pdu_read+0x90/0xd0
[   39.926459]  print_address_description+0x6c/0x20b
[   39.931310]  ? pdu_read+0x90/0xd0
[   39.934746]  kasan_report.cold.7+0x242/0x2fe
[   39.939164]  check_memory_region+0x13e/0x1b0
[   39.943757]  memcpy+0x23/0x50
[   39.946860]  pdu_read+0x90/0xd0
[   39.950126]  p9pdu_readf+0x579/0x2170
[   39.953916]  ? p9pdu_writef+0xe0/0xe0
[   39.957706]  ? __fget+0x414/0x670
[   39.961164]  ? rcu_is_watching+0x61/0x150
[   39.965312]  ? expand_files.part.8+0x9c0/0x9c0
[   39.970337]  ? rcu_read_lock_sched_held+0x108/0x120
[   39.975360]  ? p9_fd_show_options+0x1c0/0x1c0
[   39.979944]  p9_client_create+0xde0/0x16c9
[   39.984181]  ? p9_client_read+0xc60/0xc60
[   39.988325]  ? find_held_lock+0x36/0x1c0
[   39.992397]  ? __lockdep_init_map+0x105/0x590
[   39.996887]  ? kasan_check_write+0x14/0x20
[   40.001104]  ? __init_rwsem+0x1cc/0x2a0
[   40.005108]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   40.010113]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.015126]  ? __kmalloc_track_caller+0x5f5/0x760
[   40.019960]  ? save_stack+0xa9/0xd0
[   40.023608]  ? save_stack+0x43/0xd0
[   40.027249]  ? kasan_kmalloc+0xc4/0xe0
[   40.031156]  ? memcpy+0x45/0x50
[   40.034455]  v9fs_session_init+0x21a/0x1a80
[   40.038774]  ? find_held_lock+0x36/0x1c0
[   40.042835]  ? v9fs_show_options+0x7e0/0x7e0
[   40.047233]  ? kasan_check_read+0x11/0x20
[   40.051365]  ? rcu_is_watching+0x8c/0x150
[   40.055716]  ? rcu_pm_notify+0xc0/0xc0
[   40.059606]  ? rcu_pm_notify+0xc0/0xc0
[   40.063508]  ? v9fs_mount+0x61/0x900
[   40.067243]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.072250]  ? kmem_cache_alloc_trace+0x616/0x780
[   40.077102]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   40.082652]  v9fs_mount+0x7c/0x900
[   40.086271]  mount_fs+0xae/0x328
[   40.089798]  vfs_kern_mount.part.34+0xdc/0x4e0
[   40.094375]  ? may_umount+0xb0/0xb0
[   40.097998]  ? _raw_read_unlock+0x22/0x30
[   40.102138]  ? __get_fs_type+0x97/0xc0
[   40.106019]  do_mount+0x581/0x30e0
[   40.109562]  ? copy_mount_string+0x40/0x40
[   40.114467]  ? copy_mount_options+0x5f/0x380
[   40.118883]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.123891]  ? kmem_cache_alloc_trace+0x616/0x780
[   40.128721]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.134263]  ? _copy_from_user+0xdf/0x150
[   40.138420]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.143971]  ? copy_mount_options+0x285/0x380
[   40.148472]  __ia32_compat_sys_mount+0x5d5/0x860
[   40.153514]  do_fast_syscall_32+0x34d/0xfb2
[   40.157946]  ? do_int80_syscall_32+0x890/0x890
[   40.162523]  ? do_syscall_64+0x497/0x820
[   40.166574]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.171500]  ? syscall_return_slowpath+0x31d/0x5e0
[   40.176435]  ? sysret32_from_system_call+0x5/0x46
[   40.181283]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.186136]  entry_SYSENTER_compat+0x70/0x7f
[   40.190644] RIP: 0023:0xf7f81cb9
[   40.194175] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   40.213368] RSP: 002b:00000000fffefd6c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[   40.221075] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000000
[   40.228357] RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000020000380
[   40.235615] RBP: 0000000000000042 R08: 0000000000000000 R09: 0000000000000000
[   40.242882] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   40.250140] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   40.257423] 
[   40.259040] Allocated by task 4505:
[   40.262658]  save_stack+0x43/0xd0
[   40.266117]  kasan_kmalloc+0xc4/0xe0
[   40.269829]  __kmalloc+0x14e/0x760
[   40.273377]  p9_fcall_alloc+0x1e/0x90
[   40.277178]  p9_client_prepare_req.part.8+0x754/0xcd0
[   40.282354]  p9_client_rpc+0x1bd/0x1400
[   40.286324]  p9_client_create+0xd09/0x16c9
[   40.290554]  v9fs_session_init+0x21a/0x1a80
[   40.294883]  v9fs_mount+0x7c/0x900
[   40.298417]  mount_fs+0xae/0x328
[   40.301791]  vfs_kern_mount.part.34+0xdc/0x4e0
[   40.306358]  do_mount+0x581/0x30e0
[   40.309899]  __ia32_compat_sys_mount+0x5d5/0x860
[   40.314644]  do_fast_syscall_32+0x34d/0xfb2
[   40.319155]  entry_SYSENTER_compat+0x70/0x7f
[   40.323543] 
[   40.325193] Freed by task 0:
[   40.328223] (stack is not available)
[   40.331927] 
[   40.333561] The buggy address belongs to the object at ffff8801b7458880
[   40.333561]  which belongs to the cache kmalloc-16384 of size 16384
[   40.347038] The buggy address is located 45 bytes inside of
[   40.347038]  16384-byte region [ffff8801b7458880, ffff8801b745c880)
[   40.359086] The buggy address belongs to the page:
[   40.364190] page:ffffea0006dd1600 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   40.374236] flags: 0x2fffc0000008100(slab|head)
[   40.378980] raw: 02fffc0000008100 ffffea0006de8808 ffff8801da801c48 ffff8801da802200
[   40.386847] raw: 0000000000000000 ffff8801b7458880 0000000100000001 0000000000000000
[   40.394721] page dumped because: kasan: bad access detected
[   40.400685] 
[   40.402291] Memory state around the buggy address:
[   40.407207]  ffff8801b745a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.414567]  ffff8801b745a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.421909] >ffff8801b745a880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   40.429595]                                ^
[   40.433997]  ffff8801b745a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.441522]  ffff8801b745a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.448883] ==================================================================
[   40.456242] Disabling lock debugging due to kernel taint
[   40.461809] Kernel panic - not syncing: panic_on_warn set ...
[   40.461809] 
[   40.469265] CPU: 0 PID: 4505 Comm: syz-executor611 Tainted: G    B   4.18.0-rc3+ #40
[   40.478006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.487514] Call Trace:
[   40.490093]  dump_stack+0x1c9/0x2b4
[   40.493716]  ? dump_stack_print_info.cold.2+0x52/0x52
[   40.498891]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   40.503651]  panic+0x238/0x4e7
[   40.506823]  ? add_taint.cold.5+0x16/0x16
[   40.510955]  ? do_raw_spin_unlock+0xa7/0x2f0
[   40.515343]  ? pdu_read+0x90/0xd0
[   40.518776]  kasan_end_report+0x47/0x4f
[   40.522744]  kasan_report.cold.7+0x76/0x2fe
[   40.527049]  check_memory_region+0x13e/0x1b0
[   40.531449]  memcpy+0x23/0x50
[   40.534680]  pdu_read+0x90/0xd0
[   40.537947]  p9pdu_readf+0x579/0x2170
[   40.541746]  ? p9pdu_writef+0xe0/0xe0
[   40.545541]  ? __fget+0x414/0x670
[   40.548982]  ? rcu_is_watching+0x61/0x150
[   40.553117]  ? expand_files.part.8+0x9c0/0x9c0
[   40.557810]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.562811]  ? p9_fd_show_options+0x1c0/0x1c0
[   40.567289]  p9_client_create+0xde0/0x16c9
[   40.571518]  ? p9_client_read+0xc60/0xc60
[   40.575648]  ? find_held_lock+0x36/0x1c0
[   40.579696]  ? __lockdep_init_map+0x105/0x590
[   40.584180]  ? kasan_check_write+0x14/0x20
[   40.588508]  ? __init_rwsem+0x1cc/0x2a0
[   40.592485]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   40.597599]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.602606]  ? __kmalloc_track_caller+0x5f5/0x760
[   40.607433]  ? save_stack+0xa9/0xd0
[   40.611052]  ? save_stack+0x43/0xd0
[   40.614661]  ? kasan_kmalloc+0xc4/0xe0
[   40.618542]  ? memcpy+0x45/0x50
[   40.621805]  v9fs_session_init+0x21a/0x1a80
[   40.626111]  ? find_held_lock+0x36/0x1c0
[   40.630164]  ? v9fs_show_options+0x7e0/0x7e0
[   40.634564]  ? kasan_check_read+0x11/0x20
[   40.639831]  ? rcu_is_watching+0x8c/0x150
[   40.643957]  ? rcu_pm_notify+0xc0/0xc0
[   40.647838]  ? rcu_pm_notify+0xc0/0xc0
[   40.651707]  ? v9fs_mount+0x61/0x900
[   40.655418]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.660434]  ? kmem_cache_alloc_trace+0x616/0x780
[   40.665378]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   40.670919]  v9fs_mount+0x7c/0x900
[   40.674480]  mount_fs+0xae/0x328
[   40.677840]  vfs_kern_mount.part.34+0xdc/0x4e0
[   40.682587]  ? may_umount+0xb0/0xb0
[   40.686210]  ? _raw_read_unlock+0x22/0x30
[   40.690356]  ? __get_fs_type+0x97/0xc0
[   40.694239]  do_mount+0x581/0x30e0
[   40.697766]  ? copy_mount_string+0x40/0x40
[   40.701986]  ? copy_mount_options+0x5f/0x380
[   40.706393]  ? rcu_read_lock_sched_held+0x108/0x120
[   40.711414]  ? kmem_cache_alloc_trace+0x616/0x780
[   40.716255]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.721983]  ? _copy_from_user+0xdf/0x150
[   40.726128]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.731659]  ? copy_mount_options+0x285/0x380
[   40.736153]  __ia32_compat_sys_mount+0x5d5/0x860
[   40.740907]  do_fast_syscall_32+0x34d/0xfb2
[   40.745214]  ? do_int80_syscall_32+0x890/0x890
[   40.749806]  ? do_syscall_64+0x497/0x820
[   40.753855]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.758783]  ? syscall_return_slowpath+0x31d/0x5e0
[   40.763699]  ? sysret32_from_system_call+0x5/0x46
[   40.768556]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.773402]  entry_SYSENTER_compat+0x70/0x7f
[   40.777828] RIP: 0023:0xf7f81cb9
[   40.781187] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   40.800340] RSP: 002b:00000000fffefd6c EFLAGS: 00000282 ORIG_RAX: 0000000000000015
[   40.808032] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000020000000
[   40.815289] RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000020000380
[   40.822560] RBP: 0000000000000042 R08: 0000000000000000 R09: 0000000000000000
[   40.829837] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   40.837288] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   40.845110] Dumping ftrace buffer:
[   40.848637]    (ftrace buffer empty)
[   40.852332] Kernel Offset: disabled
[   40.855944] Rebooting in 86400 seconds..
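What the report above pins down: memcpy() inside pdu_read(), reached from p9pdu_readf() while p9_client_create() parses a reply during mount, copies 49748 bytes starting 45 bytes into a 16384-byte kmalloc-16384 object, so a length that came out of the 9P reply (peer-controlled data) was allowed to exceed the receive buffer. The C model below is an added illustration, constructed for this page; it is not net/9p code and not the upstream fix. It shows the two checks such a PDU reader needs: the size declared in the header is validated against the real allocation before it is trusted, and every read is bounded by the smaller of the declared size and the capacity. The report's own numbers (16384-byte buffer, 49748-byte string) are fed in as crafted replies. The struct layout and all names (struct p9_pdu, pdu_read_bounded, parse_rversion) are hypothetical.

```c
/* Constructed model of a bounded 9P PDU reader; not net/9p code, not the
 * upstream fix. Struct layout and function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define P9_HDRSZ     7       /* size[4] type[1] tag[2] */
#define P9_RVERSION  101
#define PDU_CAPACITY 16384   /* same size as the kmalloc-16384 object in the report */

struct p9_pdu {
	uint32_t capacity;   /* bytes really allocated behind sdata */
	uint32_t size;       /* length the peer declared in the header */
	uint32_t offset;     /* read cursor */
	uint8_t *sdata;
};

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Check 1: the declared size is peer-controlled, so validate it against the
 * real allocation before anything else trusts it. */
static int pdu_parse_header(struct p9_pdu *pdu)
{
	uint32_t size = get_le32(pdu->sdata);

	if (size < P9_HDRSZ || size > pdu->capacity)
		return -1;
	pdu->size = size;
	pdu->offset = P9_HDRSZ;
	return 0;
}

/* Check 2: a read never goes past min(declared size, capacity). Returns the
 * number of bytes NOT copied; nonzero is a short read and must be an error. */
static size_t pdu_read_bounded(struct p9_pdu *pdu, void *dst, size_t n)
{
	uint32_t limit = pdu->size < pdu->capacity ? pdu->size : pdu->capacity;
	size_t avail = pdu->offset < limit ? limit - pdu->offset : 0;
	size_t len = n < avail ? n : avail;

	memcpy(dst, pdu->sdata + pdu->offset, len);
	pdu->offset += (uint32_t)len;
	return n - len;
}

/* 9P string: len[2] data[len]. The length is peer-controlled too: check it
 * against the caller's buffer, then let the PDU bound stop it. */
static int pdu_read_string(struct p9_pdu *pdu, char *out, size_t outsz)
{
	uint8_t raw[2];
	uint16_t len;

	if (pdu_read_bounded(pdu, raw, sizeof raw) != 0)
		return -1;
	len = get_le16(raw);
	if (len >= outsz)
		return -1;
	if (pdu_read_bounded(pdu, out, len) != 0)   /* string runs past the PDU */
		return -1;
	out[len] = '\0';
	return len;
}

/* Constructed Rversion-shaped reply: size[4] type[1] tag[2] msize[4] version[s].
 * declared_size and declared_len are set independently of the real payload so
 * inconsistent (hostile) headers can be crafted. */
static void build_rversion(uint8_t *buf, uint32_t declared_size,
			   uint16_t declared_len, const char *version)
{
	memset(buf, 0, PDU_CAPACITY);
	put_le32(buf, declared_size);
	buf[4] = P9_RVERSION;
	put_le16(buf + 5, 0xffff);          /* NOTAG */
	put_le32(buf + 7, PDU_CAPACITY);    /* msize */
	put_le16(buf + 11, declared_len);
	memcpy(buf + 13, version, strlen(version));
}

static char version_out[65536];   /* bigger than any PDU, so only the PDU bound can stop a read */

/* Parse one crafted reply end to end; returns the version string length, or -1
 * if any check fails. */
int parse_rversion(uint32_t declared_size, uint16_t declared_len, const char *version)
{
	static uint8_t buf[PDU_CAPACITY];
	struct p9_pdu pdu = { .capacity = PDU_CAPACITY, .sdata = buf };
	uint8_t msize_raw[4];

	build_rversion(buf, declared_size, declared_len, version);
	if (pdu_parse_header(&pdu) != 0)
		return -1;
	if (pdu_read_bounded(&pdu, msize_raw, sizeof msize_raw) != 0)
		return -1;
	return pdu_read_string(&pdu, version_out, sizeof version_out);
}

int main(void)
{
	printf("well-formed reply:        %d (%s)\n", parse_rversion(19, 6, "9P2000"), version_out);
	printf("header claims 65535:      %d\n", parse_rversion(65535, 6, "9P2000"));
	printf("string claims 49748:      %d\n", parse_rversion(19, 49748, "9P2000"));
	printf("size == capacity, 49748:  %d\n", parse_rversion(PDU_CAPACITY, 49748, "9P2000"));
	return 0;
}
```

The last two cases are the shape of this report: the header is honest, but the 2-byte string length says 49748 and the copy must be cut off by the PDU bound rather than by the size of the caller's destination. Returning "bytes not copied" from the bounded read, and treating any nonzero value as a hard error in every caller, is what keeps a truncated read from being silently accepted as a valid field.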