[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.442300] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.191567] random: sshd: uninitialized urandom read (32 bytes read)
[   23.517156] random: sshd: uninitialized urandom read (32 bytes read)
[   24.387332] random: sshd: uninitialized urandom read (32 bytes read)
[   24.546723] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
[   29.995590] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   30.085582] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   30.120071] ==================================================================
[   30.127548] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   30.133677] Read of size 20409 at addr ffff8801c42e066d by task syz-executor236/4557
[   30.141534] 
[   30.143163] CPU: 0 PID: 4557 Comm: syz-executor236 Not tainted 4.18.0-rc4+ #140
[   30.150596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.160586] Call Trace:
[   30.163174]  dump_stack+0x1c9/0x2b4
[   30.166797]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.171971]  ? printk+0xa7/0xcf
[   30.175235]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.179998]  ? pdu_read+0x90/0xd0
[   30.183448]  print_address_description+0x6c/0x20b
[   30.188460]  ? pdu_read+0x90/0xd0
[   30.191908]  kasan_report.cold.7+0x242/0x2fe
[   30.196304]  check_memory_region+0x13e/0x1b0
[   30.200833]  memcpy+0x23/0x50
[   30.203943]  pdu_read+0x90/0xd0
[   30.207218]  p9pdu_readf+0x579/0x2170
[   30.211005]  ? p9pdu_writef+0xe0/0xe0
[   30.215019]  ? __fget+0x414/0x670
[   30.218545]  ? rcu_is_watching+0x61/0x150
[   30.222692]  ? expand_files.part.8+0x9c0/0x9c0
[   30.227273]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.232292]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.236785]  p9_client_create+0xde0/0x16c9
[   30.241218]  ? p9_client_read+0xc60/0xc60
[   30.245361]  ? find_held_lock+0x36/0x1c0
[   30.249416]  ? __lockdep_init_map+0x105/0x590
[   30.253899]  ? kasan_check_write+0x14/0x20
[   30.258115]  ? __init_rwsem+0x1cc/0x2a0
[   30.262083]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.267097]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.272107]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.276961]  ? save_stack+0xa9/0xd0
[   30.280576]  ? save_stack+0x43/0xd0
[   30.284182]  ? kasan_kmalloc+0xc4/0xe0
[   30.288064]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.292980]  ? memcpy+0x45/0x50
[   30.296249]  v9fs_session_init+0x21a/0x1a80
[   30.300555]  ? find_held_lock+0x36/0x1c0
[   30.304601]  ? v9fs_show_options+0x7e0/0x7e0
[   30.308997]  ? kasan_check_read+0x11/0x20
[   30.313127]  ? rcu_is_watching+0x8c/0x150
[   30.317257]  ? rcu_pm_notify+0xc0/0xc0
[   30.321139]  ? v9fs_mount+0x61/0x900
[   30.324850]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.329852]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.334679]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.340211]  v9fs_mount+0x7c/0x900
[   30.343737]  mount_fs+0xae/0x328
[   30.347102]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.351669]  ? may_umount+0xb0/0xb0
[   30.355282]  ? _raw_read_unlock+0x22/0x30
[   30.359421]  ? __get_fs_type+0x97/0xc0
[   30.363294]  do_mount+0x581/0x30e0
[   30.366829]  ? copy_mount_string+0x40/0x40
[   30.371062]  ? copy_mount_options+0x5f/0x380
[   30.375454]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.380714]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.385542]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.391076]  ? _copy_from_user+0xdf/0x150
[   30.395222]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.400746]  ? copy_mount_options+0x285/0x380
[   30.405225]  ksys_mount+0x12d/0x140
[   30.408851]  __x64_sys_mount+0xbe/0x150
[   30.412812]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   30.417813]  do_syscall_64+0x1b9/0x820
[   30.421700]  ? syscall_return_slowpath+0x5e0/0x5e0
[   30.426627]  ? syscall_return_slowpath+0x31d/0x5e0
[   30.431552]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.437094]  ? retint_user+0x18/0x18
[   30.440795]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.445626]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.450798] RIP: 0033:0x440979
[   30.453973] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   30.473150] RSP: 002b:00007fff7f59bcf8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   30.480847] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   30.488103] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   30.495357] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   30.502621] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000075a0
[   30.509995] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   30.517264] 
[   30.518893] Allocated by task 4557:
[   30.522678]  save_stack+0x43/0xd0
[   30.526127]  kasan_kmalloc+0xc4/0xe0
[   30.529822]  __kmalloc+0x14e/0x760
[   30.533344]  p9_fcall_alloc+0x1e/0x90
[   30.537142]  p9_client_prepare_req.part.8+0x754/0xcd0
[   30.542322]  p9_client_rpc+0x1bd/0x1400
[   30.546277]  p9_client_create+0xd09/0x16c9
[   30.550494]  v9fs_session_init+0x21a/0x1a80
[   30.554795]  v9fs_mount+0x7c/0x900
[   30.558316]  mount_fs+0xae/0x328
[   30.561664]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.566227]  do_mount+0x581/0x30e0
[   30.569747]  ksys_mount+0x12d/0x140
[   30.573365]  __x64_sys_mount+0xbe/0x150
[   30.577531]  do_syscall_64+0x1b9/0x820
[   30.581414]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.586580] 
[   30.588194] Freed by task 0:
[   30.591286] (stack is not available)
[   30.594974] 
[   30.596584] The buggy address belongs to the object at ffff8801c42e0640
[   30.596584]  which belongs to the cache kmalloc-16384 of size 16384
[   30.609586] The buggy address is located 45 bytes inside of
[   30.609586]  16384-byte region [ffff8801c42e0640, ffff8801c42e4640)
[   30.621525] The buggy address belongs to the page:
[   30.626447] page:ffffea000710b800 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   30.636398] flags: 0x2fffc0000008100(slab|head)
[   30.641067] raw: 02fffc0000008100 ffffea0007095c08 ffff8801da801c48 ffff8801da802200
[   30.648934] raw: 0000000000000000 ffff8801c42e0640 0000000100000001 0000000000000000
[   30.656799] page dumped because: kasan: bad access detected
[   30.662490] 
[   30.664113] Memory state around the buggy address:
[   30.669037]  ffff8801c42e2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.676380]  ffff8801c42e2580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.683736] >ffff8801c42e2600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   30.691088]                                                        ^
[   30.697577]  ffff8801c42e2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.704944]  ffff8801c42e2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.712299] ==================================================================
[   30.719650] Disabling lock debugging due to kernel taint
[   30.725187] Kernel panic - not syncing: panic_on_warn set ...
[   30.725187] 
[   30.732556] CPU: 0 PID: 4557 Comm: syz-executor236 Tainted: G    B             4.18.0-rc4+ #140
[   30.741375] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.750729] Call Trace:
[   30.753304]  dump_stack+0x1c9/0x2b4
[   30.756946]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.762121]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   30.766858]  panic+0x238/0x4e7
[   30.770043]  ? add_taint.cold.5+0x16/0x16
[   30.774175]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.778566]  ? pdu_read+0x90/0xd0
[   30.782016]  kasan_end_report+0x47/0x4f
[   30.785971]  kasan_report.cold.7+0x76/0x2fe
[   30.790466]  check_memory_region+0x13e/0x1b0
[   30.794858]  memcpy+0x23/0x50
[   30.797965]  pdu_read+0x90/0xd0
[   30.801240]  p9pdu_readf+0x579/0x2170
[   30.805031]  ? p9pdu_writef+0xe0/0xe0
[   30.808817]  ? __fget+0x414/0x670
[   30.812258]  ? rcu_is_watching+0x61/0x150
[   30.816476]  ? expand_files.part.8+0x9c0/0x9c0
[   30.821047]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.826067]  ? p9_fd_show_options+0x1c0/0x1c0
[   30.830561]  p9_client_create+0xde0/0x16c9
[   30.834783]  ? p9_client_read+0xc60/0xc60
[   30.838913]  ? find_held_lock+0x36/0x1c0
[   30.842968]  ? __lockdep_init_map+0x105/0x590
[   30.847450]  ? kasan_check_write+0x14/0x20
[   30.851678]  ? __init_rwsem+0x1cc/0x2a0
[   30.855636]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   30.860650]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.865835]  ? __kmalloc_track_caller+0x5f5/0x760
[   30.870661]  ? save_stack+0xa9/0xd0
[   30.874445]  ? save_stack+0x43/0xd0
[   30.878055]  ? kasan_kmalloc+0xc4/0xe0
[   30.881946]  ? kmem_cache_alloc_trace+0x152/0x780
[   30.886773]  ? memcpy+0x45/0x50
[   30.890346]  v9fs_session_init+0x21a/0x1a80
[   30.894654]  ? find_held_lock+0x36/0x1c0
[   30.898717]  ? v9fs_show_options+0x7e0/0x7e0
[   30.903109]  ? kasan_check_read+0x11/0x20
[   30.907255]  ? rcu_is_watching+0x8c/0x150
[   30.911397]  ? rcu_pm_notify+0xc0/0xc0
[   30.915268]  ? v9fs_mount+0x61/0x900
[   30.918966]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.923978]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.928821]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   30.934349]  v9fs_mount+0x7c/0x900
[   30.937922]  mount_fs+0xae/0x328
[   30.941358]  vfs_kern_mount.part.34+0xdc/0x4e0
[   30.945942]  ? may_umount+0xb0/0xb0
[   30.949551]  ? _raw_read_unlock+0x22/0x30
[   30.953691]  ? __get_fs_type+0x97/0xc0
[   30.957562]  do_mount+0x581/0x30e0
[   30.961098]  ? copy_mount_string+0x40/0x40
[   30.965329]  ? copy_mount_options+0x5f/0x380
[   30.969732]  ? rcu_read_lock_sched_held+0x108/0x120
[   30.974736]  ? kmem_cache_alloc_trace+0x616/0x780
[   30.979566]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.985100]  ? _copy_from_user+0xdf/0x150
[   30.989231]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.994760]  ? copy_mount_options+0x285/0x380
[   30.999247]  ksys_mount+0x12d/0x140
[   31.002871]  __x64_sys_mount+0xbe/0x150
[   31.006861]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.011861]  do_syscall_64+0x1b9/0x820
[   31.015744]  ? syscall_return_slowpath+0x5e0/0x5e0
[   31.020654]  ? syscall_return_slowpath+0x31d/0x5e0
[   31.025579]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.031096]  ? retint_user+0x18/0x18
[   31.034792]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.039629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.044924] RIP: 0033:0x440979
[   31.048094] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   31.067227] RSP: 002b:00007fff7f59bcf8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   31.074929] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440979
[   31.082191] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   31.089442] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   31.096700] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000075a0
[   31.103951] R13: 0000000000401ed0 R14: 0000000000000000 R15: 0000000000000000
[   31.111628] Dumping ftrace buffer:
[   31.115148]    (ftrace buffer empty)
[   31.118840] Kernel Offset: disabled
[   31.122448] Rebooting in 86400 seconds..