[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   13.899758] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.772280] random: sshd: uninitialized urandom read (32 bytes read)
[   19.152285] random: sshd: uninitialized urandom read (32 bytes read)
[   20.032675] random: sshd: uninitialized urandom read (32 bytes read)
[   20.167500] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
[   25.627359] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[   25.881990] ==================================================================
[   25.889390] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   25.896291] Read of size 8 at addr ffff8801b68bb2a0 by task kworker/0:1/25
[   25.903278]
[   25.904888] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.9.111-g03c70fe #58
[   25.912132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.921473] Workqueue: events p9_poll_workfn
[   25.925969]  ffff8801d941f9c8 ffffffff81eb2729 ffffea0006da2e80 ffff8801b68bb2a0
[   25.933969]  0000000000000000 ffff8801b68bb2a0 0000000000000000 ffff8801d941fa00
[   25.941975]  ffffffff81567b59 ffff8801b68bb2a0 0000000000000008 0000000000000000
[   25.949994] Call Trace:
[   25.952557]  [] dump_stack+0xc1/0x128
[   25.957897]  [] print_address_description+0x6c/0x234
[   25.964551]  [] kasan_report.cold.6+0x242/0x2fe
[   25.970759]  [] ? work_is_static_object+0x39/0x40
[   25.977138]  [] __asan_report_load8_noabort+0x14/0x20
[   25.983865]  [] work_is_static_object+0x39/0x40
[   25.990082]  [] debug_object_activate+0x22d/0x4e0
[   25.996464]  [] ? debug_object_assert_init+0x380/0x380
[   26.003384]  [] ? ep_eventpoll_poll+0x15e/0x1d0
[   26.009587]  [] __queue_work+0x48/0xf10
[   26.015098]  [] ? mark_held_locks+0xc7/0x130
[   26.021046]  [] ? mounts_poll+0x157/0x1b0
[   26.026737]  [] queue_work_on+0x97/0xa0
[   26.032246]  [] p9_poll_workfn+0x28a/0x330
[   26.038018]  [] process_one_work+0x7e1/0x1500
[   26.044047]  [] ? process_one_work+0x728/0x1500
[   26.050254]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   26.056734]  [] worker_thread+0xd6/0x10a0
[   26.062515]  [] ? __schedule+0x655/0x1bd0
[   26.068206]  [] kthread+0x26d/0x300
[   26.073367]  [] ? process_one_work+0x1500/0x1500
[   26.079657]  [] ? kthread_park+0xa0/0xa0
[   26.085258]  [] ? kthread_park+0xa0/0xa0
[   26.090857]  [] ? kthread_park+0xa0/0xa0
[   26.096452]  [] ret_from_fork+0x5c/0x70
[   26.101956]
[   26.103574] Allocated by task 3807:
[   26.107175]  save_stack_trace+0x16/0x20
[   26.111128]  save_stack+0x43/0xd0
[   26.114556]  kasan_kmalloc+0xc7/0xe0
[   26.118249]  kmem_cache_alloc_trace+0xfd/0x2b0
[   26.122811]  p9_fd_create+0xf3/0x330
[   26.126511]  p9_client_create+0x6ff/0x10a0
[   26.130719]  v9fs_session_init+0x333/0x13a0
[   26.135013]  v9fs_mount+0x7d/0x810
[   26.138529]  mount_fs+0x28c/0x370
[   26.141960]  vfs_kern_mount.part.29+0xd1/0x3d0
[   26.146521]  do_mount+0x3c9/0x2740
[   26.150035]  SyS_mount+0xfe/0x110
[   26.153462]  do_syscall_64+0x1a6/0x490
[   26.157332]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   26.162401]
[   26.164002] Freed by task 3807:
[   26.167256]  save_stack_trace+0x16/0x20
[   26.171217]  save_stack+0x43/0xd0
[   26.174647]  kasan_slab_free+0x72/0xc0
[   26.178507]  kfree+0xfb/0x310
[   26.181592]  p9_fd_close+0x298/0x330
[   26.185282]  p9_client_create+0x825/0x10a0
[   26.189498]  v9fs_session_init+0x333/0x13a0
[   26.193807]  v9fs_mount+0x7d/0x810
[   26.197335]  mount_fs+0x28c/0x370
[   26.200767]  vfs_kern_mount.part.29+0xd1/0x3d0
[   26.205322]  do_mount+0x3c9/0x2740
[   26.208832]  SyS_mount+0xfe/0x110
[   26.212272]  do_syscall_64+0x1a6/0x490
[   26.216144]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   26.221216]
[   26.222831] The buggy address belongs to the object at ffff8801b68bb180
[   26.222831]  which belongs to the cache kmalloc-512 of size 512
[   26.235467] The buggy address is located 288 bytes inside of
[   26.235467]  512-byte region [ffff8801b68bb180, ffff8801b68bb380)
[   26.247317] The buggy address belongs to the page:
[   26.252222] page:ffffea0006da2e80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   26.262398] flags: 0x8000000000004080(slab|head)
[   26.267130] page dumped because: kasan: bad access detected
[   26.272821]
[   26.274419] Memory state around the buggy address:
[   26.279322]  ffff8801b68bb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.286655]  ffff8801b68bb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.293989] >ffff8801b68bb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.301322]                                ^
[   26.305704]  ffff8801b68bb300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.313571]  ffff8801b68bb380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.320915] ==================================================================
[   26.328254] Disabling lock debugging due to kernel taint
[   26.333679] Kernel panic - not syncing: panic_on_warn set ...
[   26.333679]
[   26.341016] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G    B   4.9.111-g03c70fe #58
[   26.349480] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.358906] Workqueue: events p9_poll_workfn
[   26.363406]  ffff8801d941f928 ffffffff81eb2729 ffffffff843c71a7 00000000ffffffff
[   26.371395]  0000000000000000 0000000000000000 0000000000000000 ffff8801d941f9e8
[   26.379394]  ffffffff814219f5 0000000041b58ab3 ffffffff843ba8c0 ffffffff81421836
[   26.387384] Call Trace:
[   26.389944]  [] dump_stack+0xc1/0x128
[   26.395287]  [] panic+0x1bf/0x3bc
[   26.400283]  [] ? add_taint.cold.6+0x16/0x16
[   26.406228]  [] ? kasan_end_report+0x32/0x4f
[   26.412615]  [] kasan_end_report+0x47/0x4f
[   26.418401]  [] kasan_report.cold.6+0x76/0x2fe
[   26.424535]  [] ? work_is_static_object+0x39/0x40
[   26.430920]  [] __asan_report_load8_noabort+0x14/0x20
[   26.437648]  [] work_is_static_object+0x39/0x40
[   26.443852]  [] debug_object_activate+0x22d/0x4e0
[   26.450239]  [] ? debug_object_assert_init+0x380/0x380
[   26.457055]  [] ? ep_eventpoll_poll+0x15e/0x1d0
[   26.463258]  [] __queue_work+0x48/0xf10
[   26.468768]  [] ? mark_held_locks+0xc7/0x130
[   26.474715]  [] ? mounts_poll+0x157/0x1b0
[   26.480399]  [] queue_work_on+0x97/0xa0
[   26.485909]  [] p9_poll_workfn+0x28a/0x330
[   26.491691]  [] process_one_work+0x7e1/0x1500
[   26.497723]  [] ? process_one_work+0x728/0x1500
[   26.503927]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   26.510397]  [] worker_thread+0xd6/0x10a0
[   26.516082]  [] ? __schedule+0x655/0x1bd0
[   26.521769]  [] kthread+0x26d/0x300
[   26.526931]  [] ? process_one_work+0x1500/0x1500
[   26.533230]  [] ? kthread_park+0xa0/0xa0
[   26.538832]  [] ? kthread_park+0xa0/0xa0
[   26.544429]  [] ? kthread_park+0xa0/0xa0
[   26.550031]  [] ret_from_fork+0x5c/0x70
[   26.556006] Dumping ftrace buffer:
[   26.559519]    (ftrace buffer empty)
[   26.563208] Kernel Offset: disabled
[   26.566806] Rebooting in 86400 seconds..
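A triage script for the report above, added here as an example; it is not part of the syzkaller output and not code from the kernel or syzkaller projects. It runs over a constructed excerpt of the lines above (timestamps kept, stacks trimmed to the frames that matter), pulls out the bug class, the faulting access, the workqueue, and the first non-allocator frame of the allocation and free stacks (p9_fd_create and p9_fd_close), and cross-checks the "288 bytes inside of 512-byte region" claim against the printed addresses. The regexes and the PLUMBING frame list are my own assumptions about the 4.9-era KASAN text format, not anything the report defines.

```python
"""Triage helper for a KASAN report: extract the bug class, the faulting
access, the allocation/free call chains, and verify the reported offset
of the access inside the slab object."""
import re

# Constructed excerpt of the report above (timestamps kept, stacks trimmed
# to the frames that matter for triage) so the script runs offline.
REPORT = """\
[   25.889390] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   25.896291] Read of size 8 at addr ffff8801b68bb2a0 by task kworker/0:1/25
[   25.921473] Workqueue: events p9_poll_workfn
[   26.103574] Allocated by task 3807:
[   26.107175]  save_stack_trace+0x16/0x20
[   26.111128]  save_stack+0x43/0xd0
[   26.114556]  kasan_kmalloc+0xc7/0xe0
[   26.118249]  kmem_cache_alloc_trace+0xfd/0x2b0
[   26.122811]  p9_fd_create+0xf3/0x330
[   26.126511]  p9_client_create+0x6ff/0x10a0
[   26.130719]  v9fs_session_init+0x333/0x13a0
[   26.135013]  v9fs_mount+0x7d/0x810
[   26.162401]
[   26.164002] Freed by task 3807:
[   26.167256]  save_stack_trace+0x16/0x20
[   26.171217]  save_stack+0x43/0xd0
[   26.174647]  kasan_slab_free+0x72/0xc0
[   26.178507]  kfree+0xfb/0x310
[   26.181592]  p9_fd_close+0x298/0x330
[   26.185282]  p9_client_create+0x825/0x10a0
[   26.189498]  v9fs_session_init+0x333/0x13a0
[   26.193807]  v9fs_mount+0x7d/0x810
[   26.221216]
[   26.222831] The buggy address belongs to the object at ffff8801b68bb180
[   26.222831]  which belongs to the cache kmalloc-512 of size 512
[   26.235467] The buggy address is located 288 bytes inside of
[   26.235467]  512-byte region [ffff8801b68bb180, ffff8801b68bb380)
"""

# Assumed line shapes for the 4.9-era KASAN text format.
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
WORKQUEUE = re.compile(r"^Workqueue: \S+ (?P<fn>[\w.]+)")
REGION = re.compile(r"(?P<len>\d+)-byte region \[(?P<start>[0-9a-f]+), "
                    r"(?P<end>[0-9a-f]+)\)")
FRAME = re.compile(r"^(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames that belong to the allocator/KASAN plumbing rather than the driver
# (an assumed list, extend it for other reports).
PLUMBING = ("save_stack", "kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc")


def parse_kasan(text):
    """Return a dict describing the report; stacks are lists of function names."""
    info = {"alloc_stack": [], "free_stack": []}
    section = None                      # which stack we are currently inside
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()  # drop the dmesg timestamp
        if not line:                    # a blank line ends a stack section
            section = None
            continue
        if (m := BUG.search(line)):
            info["kind"], info["in"] = m["kind"], m["func"]
        elif (m := ACCESS.search(line)):
            info["op"], info["size"] = m["op"], int(m["size"])
            info["addr"], info["task"] = int(m["addr"], 16), m["task"]
        elif (m := WORKQUEUE.match(line)):
            info["workqueue"] = m["fn"]
        elif line.startswith("Allocated by task"):
            section = "alloc_stack"
            info["alloc_task"] = int(line.split()[-1].rstrip(":"))
        elif line.startswith("Freed by task"):
            section = "free_stack"
            info["free_task"] = int(line.split()[-1].rstrip(":"))
        elif (m := REGION.search(line)):
            info["region"] = (int(m["start"], 16), int(m["end"], 16))
            info["region_len"] = int(m["len"])
        elif section and (m := FRAME.match(line)):
            info[section].append(m["func"])
    return info


def first_caller(stack):
    """First frame that is not allocator/KASAN plumbing: the code owning the object."""
    for func in stack:
        if not func.startswith(PLUMBING):
            return func
    return None


def access_offset(info):
    """Offset of the faulting access inside the slab object, or None if the
    access does not lie entirely within the reported region."""
    start, end = info["region"]
    addr, size = info["addr"], info["size"]
    if start <= addr and addr + size <= end:
        return addr - start
    return None


if __name__ == "__main__":
    r = parse_kasan(REPORT)
    print(f"{r['kind']}: {r['size']}-byte {r['op']} in {r['in']} by {r['task']} "
          f"(workqueue {r['workqueue']})")
    print(f"{r['region_len']}-byte object allocated in {first_caller(r['alloc_stack'])} "
          f"by task {r['alloc_task']}, freed in {first_caller(r['free_stack'])} "
          f"by task {r['free_task']}; access at offset {access_offset(r)}")
```

The offset check is the part worth keeping around: 0xffff8801b68bb2a0 minus the object start 0xffff8801b68bb180 is 0x120, i.e. the 288 bytes the report states, and the 8-byte read still ends inside the 512-byte region, so the access is a stale read of a field inside the freed 9p transport object rather than a neighbouring-object overflow.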