[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.682219] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.356636] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.703205] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.564383] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.725880] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
[ 26.146235] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 26.242940] ==================================================================
[ 26.250441] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[ 26.256583] Read of size 25445 at addr ffff8801d97284ed by task syz-executor706/4546
[ 26.264445]
[ 26.266063] CPU: 0 PID: 4546 Comm: syz-executor706 Not tainted 4.18.0-rc3+ #137
[ 26.273490] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.282853] Call Trace:
[ 26.285427]  dump_stack+0x1c9/0x2b4
[ 26.289046]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 26.294221]  ? printk+0xa7/0xcf
[ 26.297483]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 26.302228]  ? pdu_read+0x90/0xd0
[ 26.305696]  print_address_description+0x6c/0x20b
[ 26.310530]  ? pdu_read+0x90/0xd0
[ 26.313968]  kasan_report.cold.7+0x242/0x2fe
[ 26.318384]  check_memory_region+0x13e/0x1b0
[ 26.322782]  memcpy+0x23/0x50
[ 26.325882]  pdu_read+0x90/0xd0
[ 26.329148]  p9pdu_readf+0x579/0x2170
[ 26.332935]  ? p9pdu_writef+0xe0/0xe0
[ 26.336718]  ? __fget+0x414/0x670
[ 26.340156]  ? rcu_is_watching+0x61/0x150
[ 26.344290]  ? expand_files.part.8+0x9c0/0x9c0
[ 26.348863]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.353879]  ? p9_fd_show_options+0x1c0/0x1c0
[ 26.358369]  p9_client_create+0xde0/0x16c9
[ 26.362610]  ? p9_client_read+0xc60/0xc60
[ 26.366744]  ? find_held_lock+0x36/0x1c0
[ 26.370798]  ? __lockdep_init_map+0x105/0x590
[ 26.375282]  ? kasan_check_write+0x14/0x20
[ 26.379511]  ? __init_rwsem+0x1cc/0x2a0
[ 26.383473]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 26.388488]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.393504]  ? __kmalloc_track_caller+0x5f5/0x760
[ 26.398331]  ? save_stack+0xa9/0xd0
[ 26.401949]  ? save_stack+0x43/0xd0
[ 26.405576]  ? kasan_kmalloc+0xc4/0xe0
[ 26.409466]  ? kmem_cache_alloc_trace+0x152/0x780
[ 26.414303]  ? memcpy+0x45/0x50
[ 26.417575]  v9fs_session_init+0x21a/0x1a80
[ 26.421887]  ? find_held_lock+0x36/0x1c0
[ 26.425943]  ? v9fs_show_options+0x7e0/0x7e0
[ 26.430341]  ? kasan_check_read+0x11/0x20
[ 26.434472]  ? rcu_is_watching+0x8c/0x150
[ 26.438616]  ? rcu_pm_notify+0xc0/0xc0
[ 26.442503]  ? v9fs_mount+0x61/0x900
[ 26.446212]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.451234]  ? kmem_cache_alloc_trace+0x616/0x780
[ 26.456075]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 26.461629]  v9fs_mount+0x7c/0x900
[ 26.465168]  mount_fs+0xae/0x328
[ 26.468527]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 26.473092]  ? may_umount+0xb0/0xb0
[ 26.476704]  ? _raw_read_unlock+0x22/0x30
[ 26.480835]  ? __get_fs_type+0x97/0xc0
[ 26.484709]  do_mount+0x581/0x30e0
[ 26.488249]  ? copy_mount_string+0x40/0x40
[ 26.492486]  ? copy_mount_options+0x5f/0x380
[ 26.496877]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.501887]  ? kmem_cache_alloc_trace+0x616/0x780
[ 26.506713]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 26.512238]  ? _copy_from_user+0xdf/0x150
[ 26.516373]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 26.521895]  ? copy_mount_options+0x285/0x380
[ 26.526401]  ksys_mount+0x12d/0x140
[ 26.530034]  __x64_sys_mount+0xbe/0x150
[ 26.533995]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 26.539006]  do_syscall_64+0x1b9/0x820
[ 26.542905]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 26.547817]  ? syscall_return_slowpath+0x31d/0x5e0
[ 26.552735]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 26.558270]  ? retint_user+0x18/0x18
[ 26.561981]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.566817]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 26.572014] RIP: 0033:0x4408d9
[ 26.575191] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 26.594381] RSP: 002b:00007ffefaa64da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 26.602089] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[ 26.609436] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000000000000
[ 26.616689] RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002c8
[ 26.623939] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000667b
[ 26.631197] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[ 26.638460]
[ 26.640069] Allocated by task 4546:
[ 26.643689]  save_stack+0x43/0xd0
[ 26.647134]  kasan_kmalloc+0xc4/0xe0
[ 26.650829]  __kmalloc+0x14e/0x760
[ 26.654352]  p9_fcall_alloc+0x1e/0x90
[ 26.658148]  p9_client_prepare_req.part.8+0x754/0xcd0
[ 26.663318]  p9_client_rpc+0x1bd/0x1400
[ 26.667272]  p9_client_create+0xd09/0x16c9
[ 26.671487]  v9fs_session_init+0x21a/0x1a80
[ 26.675789]  v9fs_mount+0x7c/0x900
[ 26.679310]  mount_fs+0xae/0x328
[ 26.682657]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 26.687219]  do_mount+0x581/0x30e0
[ 26.690745]  ksys_mount+0x12d/0x140
[ 26.694360]  __x64_sys_mount+0xbe/0x150
[ 26.698322]  do_syscall_64+0x1b9/0x820
[ 26.702193]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 26.707358]
[ 26.708963] Freed by task 0:
[ 26.711967] (stack is not available)
[ 26.715659]
[ 26.717288] The buggy address belongs to the object at ffff8801d97284c0
[ 26.717288]  which belongs to the cache kmalloc-16384 of size 16384
[ 26.730280] The buggy address is located 45 bytes inside of
[ 26.730280]  16384-byte region [ffff8801d97284c0, ffff8801d972c4c0)
[ 26.742225] The buggy address belongs to the page:
[ 26.747139] page:ffffea000765ca00 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[ 26.757092] flags: 0x2fffc0000008100(slab|head)
[ 26.761756] raw: 02fffc0000008100 ffffea0007645808 ffff8801da801c48 ffff8801da802200
[ 26.769623] raw: 0000000000000000 ffff8801d97284c0 0000000100000001 0000000000000000
[ 26.777496] page dumped because: kasan: bad access detected
[ 26.783191]
[ 26.784807] Memory state around the buggy address:
[ 26.789717]  ffff8801d972a380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.797059]  ffff8801d972a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 26.804399] >ffff8801d972a480: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 26.811744]                                                        ^
[ 26.818228]  ffff8801d972a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.825568]  ffff8801d972a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.832907] ==================================================================
[ 26.840252] Disabling lock debugging due to kernel taint
[ 26.845787] Kernel panic - not syncing: panic_on_warn set ...
[ 26.845787]
[ 26.853161] CPU: 0 PID: 4546 Comm: syz-executor706 Tainted: G B 4.18.0-rc3+ #137
[ 26.861986] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.871331] Call Trace:
[ 26.873905]  dump_stack+0x1c9/0x2b4
[ 26.877516]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 26.883393]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.888134]  panic+0x238/0x4e7
[ 26.891333]  ? add_taint.cold.5+0x16/0x16
[ 26.895489]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 26.899899]  ? pdu_read+0x90/0xd0
[ 26.903440]  kasan_end_report+0x47/0x4f
[ 26.907426]  kasan_report.cold.7+0x76/0x2fe
[ 26.911741]  check_memory_region+0x13e/0x1b0
[ 26.916225]  memcpy+0x23/0x50
[ 26.919324]  pdu_read+0x90/0xd0
[ 26.922602]  p9pdu_readf+0x579/0x2170
[ 26.926408]  ? p9pdu_writef+0xe0/0xe0
[ 26.930193]  ? __fget+0x414/0x670
[ 26.933625]  ? rcu_is_watching+0x61/0x150
[ 26.937753]  ? expand_files.part.8+0x9c0/0x9c0
[ 26.942350]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.947358]  ? p9_fd_show_options+0x1c0/0x1c0
[ 26.951849]  p9_client_create+0xde0/0x16c9
[ 26.956071]  ? p9_client_read+0xc60/0xc60
[ 26.960212]  ? find_held_lock+0x36/0x1c0
[ 26.964263]  ? __lockdep_init_map+0x105/0x590
[ 26.968749]  ? kasan_check_write+0x14/0x20
[ 26.972964]  ? __init_rwsem+0x1cc/0x2a0
[ 26.976936]  ? do_raw_write_unlock.cold.8+0x49/0x49
[ 26.981934]  ? rcu_read_lock_sched_held+0x108/0x120
[ 26.986935]  ? __kmalloc_track_caller+0x5f5/0x760
[ 26.991756]  ? save_stack+0xa9/0xd0
[ 26.995364]  ? save_stack+0x43/0xd0
[ 26.999321]  ? kasan_kmalloc+0xc4/0xe0
[ 27.003191]  ? kmem_cache_alloc_trace+0x152/0x780
[ 27.008026]  ? memcpy+0x45/0x50
[ 27.011292]  v9fs_session_init+0x21a/0x1a80
[ 27.015594]  ? find_held_lock+0x36/0x1c0
[ 27.019640]  ? v9fs_show_options+0x7e0/0x7e0
[ 27.024039]  ? kasan_check_read+0x11/0x20
[ 27.028180]  ? rcu_is_watching+0x8c/0x150
[ 27.032316]  ? rcu_pm_notify+0xc0/0xc0
[ 27.036210]  ? v9fs_mount+0x61/0x900
[ 27.039905]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.044900]  ? kmem_cache_alloc_trace+0x616/0x780
[ 27.049740]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 27.055260]  v9fs_mount+0x7c/0x900
[ 27.058796]  mount_fs+0xae/0x328
[ 27.062160]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 27.066724]  ? may_umount+0xb0/0xb0
[ 27.070332]  ? _raw_read_unlock+0x22/0x30
[ 27.074470]  ? __get_fs_type+0x97/0xc0
[ 27.078338]  do_mount+0x581/0x30e0
[ 27.081858]  ? copy_mount_string+0x40/0x40
[ 27.086088]  ? copy_mount_options+0x5f/0x380
[ 27.090486]  ? rcu_read_lock_sched_held+0x108/0x120
[ 27.095482]  ? kmem_cache_alloc_trace+0x616/0x780
[ 27.100317]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 27.105838]  ? _copy_from_user+0xdf/0x150
[ 27.109991]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.115511]  ? copy_mount_options+0x285/0x380
[ 27.119997]  ksys_mount+0x12d/0x140
[ 27.123610]  __x64_sys_mount+0xbe/0x150
[ 27.127571]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.132590]  do_syscall_64+0x1b9/0x820
[ 27.136476]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 27.141392]  ? syscall_return_slowpath+0x31d/0x5e0
[ 27.146332]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.151854]  ? retint_user+0x18/0x18
[ 27.155598]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.160437]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.165614] RIP: 0033:0x4408d9
[ 27.168782] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 27.187907] RSP: 002b:00007ffefaa64da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 27.195601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004408d9
[ 27.202853] RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000000000000
[ 27.210108] RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002c8
[ 27.217363] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000667b
[ 27.224625] R13: 0000000000401e30 R14: 0000000000000000 R15: 0000000000000000
[ 27.232421] Dumping ftrace buffer:
[ 27.235960]    (ftrace buffer empty)
[ 27.239645] Kernel Offset: disabled
[ 27.243253] Rebooting in 86400 seconds..