[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   19.492727] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.966487] random: sshd: uninitialized urandom read (32 bytes read)
[   25.420421] random: sshd: uninitialized urandom read (32 bytes read)
[   26.297056] random: sshd: uninitialized urandom read (32 bytes read)
[   26.456885] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
[   31.877606] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
[   31.970306] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
[   32.015978] ==================================================================
[   32.023493] BUG: KASAN: slab-out-of-bounds in pdu_read+0x90/0xd0
[   32.029626] Read of size 54501 at addr ffff8801c9f487ad by task syz-executor899/4570
[   32.037484] 
[   32.039100] CPU: 0 PID: 4570 Comm: syz-executor899 Not tainted 4.18.0-rc3+ #137
[   32.046527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.055870] Call Trace:
[   32.058452]  dump_stack+0x1c9/0x2b4
[   32.062069]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.067259]  ? printk+0xa7/0xcf
[   32.070526]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.075268]  ? pdu_read+0x90/0xd0
[   32.078714]  print_address_description+0x6c/0x20b
[   32.083552]  ? pdu_read+0x90/0xd0
[   32.087002]  kasan_report.cold.7+0x242/0x2fe
[   32.091415]  check_memory_region+0x13e/0x1b0
[   32.095815]  memcpy+0x23/0x50
[   32.098909]  pdu_read+0x90/0xd0
[   32.102787]  p9pdu_readf+0x579/0x2170
[   32.106582]  ? p9pdu_writef+0xe0/0xe0
[   32.110384]  ? __fget+0x414/0x670
[   32.113831]  ? rcu_is_watching+0x61/0x150
[   32.117966]  ? expand_files.part.8+0x9c0/0x9c0
[   32.122549]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.127561]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.132132]  p9_client_create+0xde0/0x16c9
[   32.136389]  ? p9_client_read+0xc60/0xc60
[   32.140560]  ? find_held_lock+0x36/0x1c0
[   32.144623]  ? __lockdep_init_map+0x105/0x590
[   32.149111]  ? kasan_check_write+0x14/0x20
[   32.153328]  ? __init_rwsem+0x1cc/0x2a0
[   32.157287]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.162293]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.167303]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.172143]  ? save_stack+0xa9/0xd0
[   32.175757]  ? save_stack+0x43/0xd0
[   32.179400]  ? kasan_kmalloc+0xc4/0xe0
[   32.183288]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.188134]  ? memcpy+0x45/0x50
[   32.191413]  v9fs_session_init+0x21a/0x1a80
[   32.195725]  ? find_held_lock+0x36/0x1c0
[   32.199773]  ? v9fs_show_options+0x7e0/0x7e0
[   32.204167]  ? kasan_check_read+0x11/0x20
[   32.208316]  ? rcu_is_watching+0x8c/0x150
[   32.212447]  ? rcu_pm_notify+0xc0/0xc0
[   32.216321]  ? v9fs_mount+0x61/0x900
[   32.220042]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.225053]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.229885]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.235409]  v9fs_mount+0x7c/0x900
[   32.238954]  mount_fs+0xae/0x328
[   32.242312]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.247406]  ? may_umount+0xb0/0xb0
[   32.251026]  ? _raw_read_unlock+0x22/0x30
[   32.255174]  ? __get_fs_type+0x97/0xc0
[   32.259070]  do_mount+0x581/0x30e0
[   32.262625]  ? copy_mount_string+0x40/0x40
[   32.266874]  ? copy_mount_options+0x5f/0x380
[   32.271292]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.276323]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.281171]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.286710]  ? copy_mount_options+0x285/0x380
[   32.291200]  ksys_mount+0x12d/0x140
[   32.294818]  __x64_sys_mount+0xbe/0x150
[   32.298793]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.303829]  do_syscall_64+0x1b9/0x820
[   32.307712]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.312641]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.317570]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.323103]  ? retint_user+0x18/0x18
[   32.326804]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.331636]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.336808] RIP: 0033:0x440959
[   32.339975] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   32.359269] RSP: 002b:00007ffea98ffdd8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   32.366968] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   32.374940] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.382293] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.389547] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007d08
[   32.396806] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   32.404079] 
[   32.405698] Allocated by task 4570:
[   32.409317]  save_stack+0x43/0xd0
[   32.412756]  kasan_kmalloc+0xc4/0xe0
[   32.416474]  __kmalloc+0x14e/0x760
[   32.420442]  p9_fcall_alloc+0x1e/0x90
[   32.424234]  p9_client_prepare_req.part.8+0x754/0xcd0
[   32.429418]  p9_client_rpc+0x1bd/0x1400
[   32.433392]  p9_client_create+0xd09/0x16c9
[   32.437618]  v9fs_session_init+0x21a/0x1a80
[   32.441946]  v9fs_mount+0x7c/0x900
[   32.445489]  mount_fs+0xae/0x328
[   32.448851]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.453433]  do_mount+0x581/0x30e0
[   32.456971]  ksys_mount+0x12d/0x140
[   32.460585]  __x64_sys_mount+0xbe/0x150
[   32.464551]  do_syscall_64+0x1b9/0x820
[   32.468437]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.473616] 
[   32.475225] Freed by task 0:
[   32.478227] (stack is not available)
[   32.481917] 
[   32.483527] The buggy address belongs to the object at ffff8801c9f48780
[   32.483527]  which belongs to the cache kmalloc-16384 of size 16384
[   32.496529] The buggy address is located 45 bytes inside of
[   32.496529]  16384-byte region [ffff8801c9f48780, ffff8801c9f4c780)
[   32.508692] The buggy address belongs to the page:
[   32.513622] page:ffffea000727d200 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   32.523582] flags: 0x2fffc0000008100(slab|head)
[   32.528244] raw: 02fffc0000008100 ffffea0007215a08 ffff8801da801c48 ffff8801da802200
[   32.536112] raw: 0000000000000000 ffff8801c9f48780 0000000100000001 0000000000000000
[   32.543981] page dumped because: kasan: bad access detected
[   32.549689] 
[   32.551304] Memory state around the buggy address:
[   32.556218]  ffff8801c9f4a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.563564]  ffff8801c9f4a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.570922] >ffff8801c9f4a780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   32.578279]                                ^
[   32.582680]  ffff8801c9f4a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.590032]  ffff8801c9f4a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.597479] ==================================================================
[   32.604824] Disabling lock debugging due to kernel taint
[   32.610369] Kernel panic - not syncing: panic_on_warn set ...
[   32.610369] 
[   32.617746] CPU: 0 PID: 4570 Comm: syz-executor899 Tainted: G    B             4.18.0-rc3+ #137
[   32.627032] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.636391] Call Trace:
[   32.639153]  dump_stack+0x1c9/0x2b4
[   32.642774]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.648106]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.652863]  panic+0x238/0x4e7
[   32.656048]  ? add_taint.cold.5+0x16/0x16
[   32.660186]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.664592]  ? pdu_read+0x90/0xd0
[   32.668041]  kasan_end_report+0x47/0x4f
[   32.672000]  kasan_report.cold.7+0x76/0x2fe
[   32.676319]  check_memory_region+0x13e/0x1b0
[   32.680721]  memcpy+0x23/0x50
[   32.683959]  pdu_read+0x90/0xd0
[   32.687224]  p9pdu_readf+0x579/0x2170
[   32.691036]  ? p9pdu_writef+0xe0/0xe0
[   32.694824]  ? __fget+0x414/0x670
[   32.698387]  ? rcu_is_watching+0x61/0x150
[   32.702523]  ? expand_files.part.8+0x9c0/0x9c0
[   32.707180]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.712211]  ? p9_fd_show_options+0x1c0/0x1c0
[   32.716720]  p9_client_create+0xde0/0x16c9
[   32.720957]  ? p9_client_read+0xc60/0xc60
[   32.725105]  ? find_held_lock+0x36/0x1c0
[   32.729177]  ? __lockdep_init_map+0x105/0x590
[   32.733678]  ? kasan_check_write+0x14/0x20
[   32.737893]  ? __init_rwsem+0x1cc/0x2a0
[   32.741850]  ? do_raw_write_unlock.cold.8+0x49/0x49
[   32.746851]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.752048]  ? __kmalloc_track_caller+0x5f5/0x760
[   32.757138]  ? save_stack+0xa9/0xd0
[   32.760749]  ? save_stack+0x43/0xd0
[   32.764359]  ? kasan_kmalloc+0xc4/0xe0
[   32.768225]  ? kmem_cache_alloc_trace+0x152/0x780
[   32.773049]  ? memcpy+0x45/0x50
[   32.776310]  v9fs_session_init+0x21a/0x1a80
[   32.780619]  ? find_held_lock+0x36/0x1c0
[   32.784667]  ? v9fs_show_options+0x7e0/0x7e0
[   32.789071]  ? kasan_check_read+0x11/0x20
[   32.793199]  ? rcu_is_watching+0x8c/0x150
[   32.797336]  ? rcu_pm_notify+0xc0/0xc0
[   32.801229]  ? v9fs_mount+0x61/0x900
[   32.804925]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.809922]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.814751]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   32.820448]  v9fs_mount+0x7c/0x900
[   32.823986]  mount_fs+0xae/0x328
[   32.827364]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.831929]  ? may_umount+0xb0/0xb0
[   32.835544]  ? _raw_read_unlock+0x22/0x30
[   32.840195]  ? __get_fs_type+0x97/0xc0
[   32.844066]  do_mount+0x581/0x30e0
[   32.847590]  ? copy_mount_string+0x40/0x40
[   32.851810]  ? copy_mount_options+0x5f/0x380
[   32.856207]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.861204]  ? kmem_cache_alloc_trace+0x616/0x780
[   32.866047]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.871567]  ? copy_mount_options+0x285/0x380
[   32.876044]  ksys_mount+0x12d/0x140
[   32.879670]  __x64_sys_mount+0xbe/0x150
[   32.884397]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.889413]  do_syscall_64+0x1b9/0x820
[   32.893286]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.898196]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.903215]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.908744]  ? retint_user+0x18/0x18
[   32.912443]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.917272]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.922446] RIP: 0033:0x440959
[   32.925610] Code: e8 8c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   32.944736] RSP: 002b:00007ffea98ffdd8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   32.952428] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440959
[   32.959681] RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
[   32.966941] RBP: 0000000000000000 R08: 0000000020000180 R09: 00000000004002c8
[   32.974196] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000007d08
[   32.981454] R13: 0000000000401eb0 R14: 0000000000000000 R15: 0000000000000000
[   32.989379] Dumping ftrace buffer:
[   32.992907]    (ftrace buffer empty)
[   32.996597] Kernel Offset: disabled
[   33.000206] Rebooting in 86400 seconds..