[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 16.151997] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.175740] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.667673] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.391930] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.523940] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[ 27.967453] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/16 08:55:47 parsed 1 programs
[ 28.928364] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/16 08:55:49 executed programs: 0
[ 30.182489] IPVS: ftp: loaded support on port[0] = 21
[ 31.200049] ==================================================================
[ 31.207565] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[ 31.214042] Read of size 4 at addr ffff8801ac9a4884 by task kworker/0:2/2137
[ 31.221205]
[ 31.222825] CPU: 0 PID: 2137 Comm: kworker/0:2 Not tainted 4.18.0-rc5-next-20180716+ #8
[ 31.230941] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.240289] Workqueue: events p9_poll_workfn
[ 31.244676] Call Trace:
[ 31.247250]  dump_stack+0x1c9/0x2b4
[ 31.250859]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.256034]  ? printk+0xa7/0xcf
[ 31.259298]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.264037]  ? p9_poll_workfn+0x660/0x6d0
[ 31.268165]  print_address_description+0x6c/0x20b
[ 31.272985]  ? p9_poll_workfn+0x660/0x6d0
[ 31.277116]  kasan_report.cold.7+0x242/0x30d
[ 31.281508]  __asan_report_load4_noabort+0x14/0x20
[ 31.286419]  p9_poll_workfn+0x660/0x6d0
[ 31.290377]  ? p9_read_work+0x1060/0x1060
[ 31.294518]  ? lock_acquire+0x1e4/0x540
[ 31.298470]  ? process_one_work+0xb9b/0x1ba0
[ 31.302859]  ? kasan_check_read+0x11/0x20
[ 31.307005]  ? lock_release+0xa30/0xa30
[ 31.310974]  ? kasan_check_read+0x11/0x20
[ 31.315101]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.319494]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.324063]  ? read_word_at_a_time+0x20/0x20
[ 31.328450]  ? compat_start_thread+0x80/0x80
[ 31.332841]  process_one_work+0xc73/0x1ba0
[ 31.337056]  ? trace_hardirqs_on+0x10/0x10
[ 31.341287]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.345936]  ? lock_repin_lock+0x430/0x430
[ 31.350156]  ? __sched_text_start+0x8/0x8
[ 31.354291]  ? lock_downgrade+0x8f0/0x8f0
[ 31.358424]  ? lock_acquire+0x1e4/0x540
[ 31.362380]  ? __update_idle_core+0x304/0x610
[ 31.366961]  ? kasan_check_write+0x14/0x20
[ 31.371200]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 31.376125]  ? lock_downgrade+0x8f0/0x8f0
[ 31.380259]  ? lock_acquire+0x1e4/0x540
[ 31.384224]  ? worker_thread+0x3dc/0x13c0
[ 31.388370]  ? lock_downgrade+0x8f0/0x8f0
[ 31.392507]  ? lock_release+0xa30/0xa30
[ 31.396464]  ? kasan_check_read+0x11/0x20
[ 31.400595]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.404982]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.409552]  ? kasan_check_write+0x14/0x20
[ 31.413771]  ? do_raw_spin_lock+0xc1/0x200
[ 31.417996]  worker_thread+0x189/0x13c0
[ 31.421960]  ? process_one_work+0x1ba0/0x1ba0
[ 31.426440]  ? finish_task_switch+0x1d3/0x870
[ 31.430915]  ? lock_acquire+0x1e4/0x540
[ 31.434874]  ? __kthread_parkme+0xd7/0x1b0
[ 31.439089]  ? lock_downgrade+0x8f0/0x8f0
[ 31.443221]  ? kasan_check_read+0x11/0x20
[ 31.447345]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.451733]  ? kasan_check_write+0x14/0x20
[ 31.455951]  ? trace_hardirqs_on+0xd/0x10
[ 31.460082]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.465596]  ? __kthread_parkme+0x106/0x1b0
[ 31.470640]  kthread+0x345/0x410
[ 31.473995]  ? process_one_work+0x1ba0/0x1ba0
[ 31.478472]  ? kthread_bind+0x40/0x40
[ 31.482253]  ret_from_fork+0x3a/0x50
[ 31.485944]
[ 31.487548] Allocated by task 4503:
[ 31.491154]  save_stack+0x43/0xd0
[ 31.494587]  kasan_kmalloc+0xc4/0xe0
[ 31.498288]  kmem_cache_alloc_trace+0x152/0x780
[ 31.502938]  p9_fd_create+0x1a7/0x3f0
[ 31.506720]  p9_client_create+0x8ed/0x177c
[ 31.510936]  v9fs_session_init+0x21a/0x1a80
[ 31.515237]  v9fs_mount+0x7c/0x900
[ 31.518758]  legacy_get_tree+0x118/0x440
[ 31.522798]  vfs_get_tree+0x1cb/0x5c0
[ 31.526575]  do_mount+0x6c1/0x1fb0
[ 31.530095]  ksys_mount+0x12d/0x140
[ 31.533703]  __x64_sys_mount+0xbe/0x150
[ 31.537670]  do_syscall_64+0x1b9/0x820
[ 31.541544]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.546712]
[ 31.548318] Freed by task 4503:
[ 31.551579]  save_stack+0x43/0xd0
[ 31.555015]  __kasan_slab_free+0x11a/0x170
[ 31.559231]  kasan_slab_free+0xe/0x10
[ 31.563018]  kfree+0xd9/0x260
[ 31.566116]  p9_fd_close+0x416/0x5b0
[ 31.569807]  p9_client_create+0xaa6/0x177c
[ 31.574026]  v9fs_session_init+0x21a/0x1a80
[ 31.578328]  v9fs_mount+0x7c/0x900
[ 31.581847]  legacy_get_tree+0x118/0x440
[ 31.585887]  vfs_get_tree+0x1cb/0x5c0
[ 31.589667]  do_mount+0x6c1/0x1fb0
[ 31.593204]  ksys_mount+0x12d/0x140
[ 31.596815]  __x64_sys_mount+0xbe/0x150
[ 31.600776]  do_syscall_64+0x1b9/0x820
[ 31.604647]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.609817]
[ 31.611437] The buggy address belongs to the object at ffff8801ac9a4800
[ 31.611437]  which belongs to the cache kmalloc-512 of size 512
[ 31.624082] The buggy address is located 132 bytes inside of
[ 31.624082]  512-byte region [ffff8801ac9a4800, ffff8801ac9a4a00)
[ 31.635935] The buggy address belongs to the page:
[ 31.640844] page:ffffea0006b26900 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 31.648965] flags: 0x2fffc0000000200(slab)
[ 31.653189] raw: 02fffc0000000200 ffffea0006b30508 ffffea0006b26848 ffff8801da800940
[ 31.661051] raw: 0000000000000000 ffff8801ac9a4080 0000000100000006 0000000000000000
[ 31.668905] page dumped because: kasan: bad access detected
[ 31.674597]
[ 31.676204] Memory state around the buggy address:
[ 31.681132]  ffff8801ac9a4780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.688469]  ffff8801ac9a4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.695813] >ffff8801ac9a4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.703149]                    ^
[ 31.706493]  ffff8801ac9a4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.713832]  ffff8801ac9a4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.721167] ==================================================================
[ 31.728730] Kernel panic - not syncing: panic_on_warn set ...
[ 31.728730]
[ 31.736092] CPU: 0 PID: 2137 Comm: kworker/0:2 Tainted: G B 4.18.0-rc5-next-20180716+ #8
[ 31.745597] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.754953] Workqueue: events p9_poll_workfn
[ 31.759341] Call Trace:
[ 31.761915]  dump_stack+0x1c9/0x2b4
[ 31.765526]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.770709]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.775448]  panic+0x238/0x4e7
[ 31.778620]  ? add_taint.cold.5+0x16/0x16
[ 31.782750]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.787144]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.791541]  ? p9_poll_workfn+0x660/0x6d0
[ 31.795668]  kasan_end_report+0x47/0x4f
[ 31.799623]  kasan_report.cold.7+0x76/0x30d
[ 31.803935]  __asan_report_load4_noabort+0x14/0x20
[ 31.808847]  p9_poll_workfn+0x660/0x6d0
[ 31.812802]  ? p9_read_work+0x1060/0x1060
[ 31.816931]  ? lock_acquire+0x1e4/0x540
[ 31.820885]  ? process_one_work+0xb9b/0x1ba0
[ 31.825272]  ? kasan_check_read+0x11/0x20
[ 31.829400]  ? lock_release+0xa30/0xa30
[ 31.833355]  ? kasan_check_read+0x11/0x20
[ 31.837480]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.841873]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.846433]  ? read_word_at_a_time+0x20/0x20
[ 31.850823]  ? compat_start_thread+0x80/0x80
[ 31.855231]  process_one_work+0xc73/0x1ba0
[ 31.859447]  ? trace_hardirqs_on+0x10/0x10
[ 31.863667]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.868324]  ? lock_repin_lock+0x430/0x430
[ 31.872541]  ? __sched_text_start+0x8/0x8
[ 31.876671]  ? lock_downgrade+0x8f0/0x8f0
[ 31.880818]  ? lock_acquire+0x1e4/0x540
[ 31.884775]  ? __update_idle_core+0x304/0x610
[ 31.889257]  ? kasan_check_write+0x14/0x20
[ 31.893478]  ? __mutex_unlock_slowpath+0x197/0x8c0
[ 31.898389]  ? lock_downgrade+0x8f0/0x8f0
[ 31.902629]  ? lock_acquire+0x1e4/0x540
[ 31.906590]  ? worker_thread+0x3dc/0x13c0
[ 31.910793]  ? lock_downgrade+0x8f0/0x8f0
[ 31.914931]  ? lock_release+0xa30/0xa30
[ 31.918887]  ? kasan_check_read+0x11/0x20
[ 31.923026]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.927430]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.932014]  ? kasan_check_write+0x14/0x20
[ 31.936248]  ? do_raw_spin_lock+0xc1/0x200
[ 31.940466]  worker_thread+0x189/0x13c0
[ 31.945561]  ? process_one_work+0x1ba0/0x1ba0
[ 31.950051]  ? finish_task_switch+0x1d3/0x870
[ 31.954532]  ? lock_acquire+0x1e4/0x540
[ 31.958484]  ? __kthread_parkme+0xd7/0x1b0
[ 31.962701]  ? lock_downgrade+0x8f0/0x8f0
[ 31.966835]  ? kasan_check_read+0x11/0x20
[ 31.970962]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.975369]  ? kasan_check_write+0x14/0x20
[ 31.979587]  ? trace_hardirqs_on+0xd/0x10
[ 31.983716]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.989232]  ? __kthread_parkme+0x106/0x1b0
[ 31.993543]  kthread+0x345/0x410
[ 31.996893]  ? process_one_work+0x1ba0/0x1ba0
[ 32.001368]  ? kthread_bind+0x40/0x40
[ 32.005169]  ret_from_fork+0x3a/0x50
[ 32.009342] Dumping ftrace buffer:
[ 32.012862]    (ftrace buffer empty)
[ 32.016554] Kernel Offset: disabled
[ 32.020167] Rebooting in 86400 seconds..