[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[   19.115766] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.803661] random: sshd: uninitialized urandom read (32 bytes read)
[   21.088534] random: sshd: uninitialized urandom read (32 bytes read)
[   21.959135] random: sshd: uninitialized urandom read (32 bytes read)
[   22.111400] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
[   27.512809] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/23 07:52:41 parsed 1 programs
[   28.711279] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/23 07:52:43 executed programs: 0
[   29.869139] IPVS: ftp: loaded support on port[0] = 21
[   30.788136] ==================================================================
[   30.795609] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   30.802083] Read of size 4 at addr ffff8801d8974804 by task kworker/0:1/25
[   30.809072] 
[   30.810682] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.18.0-rc6+ #160
[   30.817583] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.826934] Workqueue: events p9_poll_workfn
[   30.831321] Call Trace:
[   30.833893]  dump_stack+0x1c9/0x2b4
[   30.837502]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.842679]  ? printk+0xa7/0xcf
[   30.845940]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.850686]  ? p9_poll_workfn+0x660/0x6d0
[   30.854821]  print_address_description+0x6c/0x20b
[   30.859648]  ? p9_poll_workfn+0x660/0x6d0
[   30.863773]  kasan_report.cold.7+0x242/0x2fe
[   30.868164]  __asan_report_load4_noabort+0x14/0x20
[   30.873084]  p9_poll_workfn+0x660/0x6d0
[   30.877049]  ? p9_read_work+0x1060/0x1060
[   30.881180]  ? graph_lock+0x170/0x170
[   30.884969]  ? lock_acquire+0x1e4/0x540
[   30.888927]  ? process_one_work+0xb9b/0x1ba0
[   30.893320]  ? kasan_check_read+0x11/0x20
[   30.897457]  ? __lock_is_held+0xb5/0x140
[   30.901505]  process_one_work+0xc73/0x1ba0
[   30.905719]  ? trace_hardirqs_on+0x10/0x10
[   30.909938]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   30.914589]  ? lock_repin_lock+0x430/0x430
[   30.918813]  ? __sched_text_start+0x8/0x8
[   30.922943]  ? graph_lock+0x170/0x170
[   30.926722]  ? lock_downgrade+0x8f0/0x8f0
[   30.930851]  ? kasan_check_read+0x11/0x20
[   30.934980]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.939373]  ? lock_acquire+0x1e4/0x540
[   30.943337]  ? worker_thread+0x3dc/0x13c0
[   30.947465]  ? lock_downgrade+0x8f0/0x8f0
[   30.951593]  ? lock_release+0xa30/0xa30
[   30.955550]  ? kasan_check_read+0x11/0x20
[   30.959682]  ? do_raw_spin_unlock+0xa7/0x2f0
[   30.964070]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   30.968635]  ? kasan_check_write+0x14/0x20
[   30.972856]  ? do_raw_spin_lock+0xc1/0x200
[   30.977076]  worker_thread+0x189/0x13c0
[   30.981044]  ? process_one_work+0x1ba0/0x1ba0
[   30.985521]  ? graph_lock+0x170/0x170
[   30.989301]  ? graph_lock+0x170/0x170
[   30.993083]  ? find_held_lock+0x36/0x1c0
[   30.997130]  ? find_held_lock+0x36/0x1c0
[   31.001175]  ? lock_downgrade+0x8f0/0x8f0
[   31.005306]  ? kasan_check_read+0x11/0x20
[   31.009432]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.013920]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   31.019013]  ? __kthread_parkme+0x58/0x1b0
[   31.023237]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.028233]  ? trace_hardirqs_on+0xd/0x10
[   31.032376]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.038356]  ? __kthread_parkme+0x106/0x1b0
[   31.042661]  kthread+0x345/0x410
[   31.046015]  ? process_one_work+0x1ba0/0x1ba0
[   31.050494]  ? kthread_bind+0x40/0x40
[   31.054277]  ret_from_fork+0x3a/0x50
[   31.057973] 
[   31.059584] Allocated by task 4556:
[   31.063195]  save_stack+0x43/0xd0
[   31.066630]  kasan_kmalloc+0xc4/0xe0
[   31.070324]  kmem_cache_alloc_trace+0x152/0x780
[   31.074975]  p9_fd_create+0x1a7/0x3f0
[   31.078754]  p9_client_create+0x8ed/0x1770
[   31.082970]  v9fs_session_init+0x21a/0x1a80
[   31.087270]  v9fs_mount+0x7c/0x900
[   31.090788]  mount_fs+0xae/0x328
[   31.094134]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.098692]  do_mount+0x581/0x30e0
[   31.102216]  ksys_mount+0x12d/0x140
[   31.105821]  __x64_sys_mount+0xbe/0x150
[   31.109775]  do_syscall_64+0x1b9/0x820
[   31.113652]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.118817] 
[   31.120435] Freed by task 4556:
[   31.123702]  save_stack+0x43/0xd0
[   31.127141]  __kasan_slab_free+0x11a/0x170
[   31.131356]  kasan_slab_free+0xe/0x10
[   31.135155]  kfree+0xd9/0x260
[   31.138241]  p9_fd_close+0x416/0x5b0
[   31.141933]  p9_client_create+0xa9a/0x1770
[   31.146148]  v9fs_session_init+0x21a/0x1a80
[   31.150456]  v9fs_mount+0x7c/0x900
[   31.153977]  mount_fs+0xae/0x328
[   31.157325]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.161885]  do_mount+0x581/0x30e0
[   31.165403]  ksys_mount+0x12d/0x140
[   31.169013]  __x64_sys_mount+0xbe/0x150
[   31.172975]  do_syscall_64+0x1b9/0x820
[   31.176844]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.182010] 
[   31.183629] The buggy address belongs to the object at ffff8801d8974780
[   31.183629]  which belongs to the cache kmalloc-512 of size 512
[   31.196270] The buggy address is located 132 bytes inside of
[   31.196270]  512-byte region [ffff8801d8974780, ffff8801d8974980)
[   31.208125] The buggy address belongs to the page:
[   31.213048] page:ffffea0007625d00 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   31.221172] flags: 0x2fffc0000000100(slab)
[   31.225390] raw: 02fffc0000000100 ffffea0007628b08 ffffea0006b22c88 ffff8801da800940
[   31.233254] raw: 0000000000000000 ffff8801d8974000 0000000100000006 0000000000000000
[   31.241112] page dumped because: kasan: bad access detected
[   31.246797] 
[   31.248399] Memory state around the buggy address:
[   31.253306]  ffff8801d8974700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.260653]  ffff8801d8974780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.267990] >ffff8801d8974800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.275333]                    ^
[   31.278683]  ffff8801d8974880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.286029]  ffff8801d8974900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.293375] ==================================================================
[   31.300720] Disabling lock debugging due to kernel taint
[   31.306313] Kernel panic - not syncing: panic_on_warn set ...
[   31.306313] 
[   31.313686] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G    B             4.18.0-rc6+ #160
[   31.322002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.331352] Workqueue: events p9_poll_workfn
[   31.335737] Call Trace:
[   31.338305]  dump_stack+0x1c9/0x2b4
[   31.341913]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.347092]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.351835]  panic+0x238/0x4e7
[   31.355008]  ? add_taint.cold.5+0x16/0x16
[   31.359141]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.363527]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.367925]  ? p9_poll_workfn+0x660/0x6d0
[   31.372051]  kasan_end_report+0x47/0x4f
[   31.376009]  kasan_report.cold.7+0x76/0x2fe
[   31.380315]  __asan_report_load4_noabort+0x14/0x20
[   31.385224]  p9_poll_workfn+0x660/0x6d0
[   31.389178]  ? p9_read_work+0x1060/0x1060
[   31.393304]  ? graph_lock+0x170/0x170
[   31.397086]  ? lock_acquire+0x1e4/0x540
[   31.401043]  ? process_one_work+0xb9b/0x1ba0
[   31.405432]  ? kasan_check_read+0x11/0x20
[   31.409562]  ? __lock_is_held+0xb5/0x140
[   31.413607]  process_one_work+0xc73/0x1ba0
[   31.417821]  ? trace_hardirqs_on+0x10/0x10
[   31.422045]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   31.426695]  ? lock_repin_lock+0x430/0x430
[   31.430914]  ? __sched_text_start+0x8/0x8
[   31.435049]  ? graph_lock+0x170/0x170
[   31.438831]  ? lock_downgrade+0x8f0/0x8f0
[   31.442957]  ? kasan_check_read+0x11/0x20
[   31.447082]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.451473]  ? lock_acquire+0x1e4/0x540
[   31.455429]  ? worker_thread+0x3dc/0x13c0
[   31.459556]  ? lock_downgrade+0x8f0/0x8f0
[   31.463684]  ? lock_release+0xa30/0xa30
[   31.467635]  ? kasan_check_read+0x11/0x20
[   31.471759]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.476144]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   31.480705]  ? kasan_check_write+0x14/0x20
[   31.484923]  ? do_raw_spin_lock+0xc1/0x200
[   31.489135]  worker_thread+0x189/0x13c0
[   31.493096]  ? process_one_work+0x1ba0/0x1ba0
[   31.497590]  ? graph_lock+0x170/0x170
[   31.501367]  ? graph_lock+0x170/0x170
[   31.505146]  ? find_held_lock+0x36/0x1c0
[   31.509197]  ? find_held_lock+0x36/0x1c0
[   31.513247]  ? lock_downgrade+0x8f0/0x8f0
[   31.517376]  ? kasan_check_read+0x11/0x20
[   31.521505]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.525895]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   31.530980]  ? __kthread_parkme+0x58/0x1b0
[   31.535192]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.540184]  ? trace_hardirqs_on+0xd/0x10
[   31.544311]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.549823]  ? __kthread_parkme+0x106/0x1b0
[   31.554122]  kthread+0x345/0x410
[   31.557467]  ? process_one_work+0x1ba0/0x1ba0
[   31.561938]  ? kthread_bind+0x40/0x40
[   31.565729]  ret_from_fork+0x3a/0x50
[   31.569835] Dumping ftrace buffer:
[   31.573357]    (ftrace buffer empty)
[   31.577039] Kernel Offset: disabled
[   31.580643] Rebooting in 86400 seconds..