[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.769838] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [   24.084067] random: sshd: uninitialized urandom read (32 bytes read)
[   24.378431] random: sshd: uninitialized urandom read (32 bytes read)
[   25.244417] random: sshd: uninitialized urandom read (32 bytes read)
[   58.737907] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
[   64.272217] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   64.385122] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[   64.563359] ==================================================================
[   64.571913] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   64.578516] Read of size 4 at addr ffff8801ad812344 by task kworker/0:2/26
[   64.585654] 
[   64.587280] CPU: 0 PID: 26 Comm: kworker/0:2 Not tainted 4.18.0-rc5+ #159
[   64.594371] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.603814] Workqueue: events p9_poll_workfn
[   64.608202] Call Trace:
[   64.610784]  dump_stack+0x1c9/0x2b4
[   64.614490]  ? dump_stack_print_info.cold.2+0x52/0x52
[   64.619662]  ? printk+0xa7/0xcf
[   64.622942]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   64.627692]  ? p9_poll_workfn+0x660/0x6d0
[   64.631856]  print_address_description+0x6c/0x20b
[   64.636693]  ? p9_poll_workfn+0x660/0x6d0
[   64.640824]  kasan_report.cold.7+0x242/0x2fe
[   64.645218]  __asan_report_load4_noabort+0x14/0x20
[   64.650144]  p9_poll_workfn+0x660/0x6d0
[   64.654111]  ? p9_read_work+0x1060/0x1060
[   64.658240]  ? graph_lock+0x170/0x170
[   64.662045]  ? lock_acquire+0x1e4/0x540
[   64.666006]  ? process_one_work+0xb9b/0x1ba0
[   64.670434]  ? kasan_check_read+0x11/0x20
[   64.674569]  ? __lock_is_held+0xb5/0x140
[   64.678744]  process_one_work+0xc73/0x1ba0
[   64.682983]  ? trace_hardirqs_on+0x10/0x10
[   64.687203]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   64.691874]  ? lock_repin_lock+0x430/0x430
[   64.696164]  ? __sched_text_start+0x8/0x8
[   64.700303]  ? lock_downgrade+0x8f0/0x8f0
[   64.704448]  ? graph_lock+0x170/0x170
[   64.708250]  ? graph_lock+0x170/0x170
[   64.712045]  ? lock_acquire+0x1e4/0x540
[   64.716092]  ? worker_thread+0x3dc/0x13c0
[   64.720225]  ? lock_downgrade+0x8f0/0x8f0
[   64.724363]  ? lock_release+0xa30/0xa30
[   64.728324]  ? kasan_check_read+0x11/0x20
[   64.732462]  ? do_raw_spin_unlock+0xa7/0x2f0
[   64.736858]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   64.741431]  ? kasan_check_write+0x14/0x20
[   64.745647]  ? do_raw_spin_lock+0xc1/0x200
[   64.749883]  worker_thread+0x189/0x13c0
[   64.753855]  ? process_one_work+0x1ba0/0x1ba0
[   64.758348]  ? graph_lock+0x170/0x170
[   64.762153]  ? graph_lock+0x170/0x170
[   64.766029]  ? find_held_lock+0x36/0x1c0
[   64.770079]  ? find_held_lock+0x36/0x1c0
[   64.774141]  ? kasan_check_read+0x11/0x20
[   64.778276]  ? do_raw_spin_unlock+0xa7/0x2f0
[   64.782759]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   64.787845]  ? __kthread_parkme+0x58/0x1b0
[   64.792061]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   64.797057]  ? trace_hardirqs_on+0xd/0x10
[   64.801193]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   64.806721]  ? __kthread_parkme+0x106/0x1b0
[   64.811022]  kthread+0x345/0x410
[   64.814380]  ? process_one_work+0x1ba0/0x1ba0
[   64.818954]  ? kthread_bind+0x40/0x40
[   64.822750]  ret_from_fork+0x3a/0x50
[   64.826459] 
[   64.828073] Allocated by task 4589:
[   64.831890]  save_stack+0x43/0xd0
[   64.835348]  kasan_kmalloc+0xc4/0xe0
[   64.839047]  kmem_cache_alloc_trace+0x152/0x780
[   64.844312]  p9_fd_create+0x1a7/0x3f0
[   64.848133]  p9_client_create+0x8ed/0x1770
[   64.852444]  v9fs_session_init+0x21a/0x1a80
[   64.856760]  v9fs_mount+0x7c/0x900
[   64.860292]  mount_fs+0xae/0x328
[   64.863648]  vfs_kern_mount.part.34+0xdc/0x4e0
[   64.868398]  do_mount+0x581/0x30e0
[   64.872278]  ksys_mount+0x12d/0x140
[   64.875888]  __x64_sys_mount+0xbe/0x150
[   64.879848]  do_syscall_64+0x1b9/0x820
[   64.883718]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   64.888883] 
[   64.890490] Freed by task 4589:
[   64.893765]  save_stack+0x43/0xd0
[   64.897200]  __kasan_slab_free+0x11a/0x170
[   64.901413]  kasan_slab_free+0xe/0x10
[   64.905197]  kfree+0xd9/0x260
[   64.908298]  p9_fd_close+0x416/0x5b0
[   64.912001]  p9_client_create+0xa9a/0x1770
[   64.916216]  v9fs_session_init+0x21a/0x1a80
[   64.920522]  v9fs_mount+0x7c/0x900
[   64.924048]  mount_fs+0xae/0x328
[   64.927418]  vfs_kern_mount.part.34+0xdc/0x4e0
[   64.931986]  do_mount+0x581/0x30e0
[   64.935514]  ksys_mount+0x12d/0x140
[   64.939481]  __x64_sys_mount+0xbe/0x150
[   64.943439]  do_syscall_64+0x1b9/0x820
[   64.947320]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   64.952484] 
[   64.954109] The buggy address belongs to the object at ffff8801ad8122c0
[   64.954109]  which belongs to the cache kmalloc-512 of size 512
[   64.967034] The buggy address is located 132 bytes inside of
[   64.967034]  512-byte region [ffff8801ad8122c0, ffff8801ad8124c0)
[   64.978909] The buggy address belongs to the page:
[   64.983838] page:ffffea0006b60480 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   64.992063] flags: 0x2fffc0000000100(slab)
[   64.996284] raw: 02fffc0000000100 ffffea0007632d88 ffffea0007638c48 ffff8801da800940
[   65.004246] raw: 0000000000000000 ffff8801ad812040 0000000100000006 0000000000000000
[   65.012124] page dumped because: kasan: bad access detected
[   65.017836] 
[   65.019463] Memory state around the buggy address:
[   65.024473]  ffff8801ad812200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.031842]  ffff8801ad812280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   65.039363] >ffff8801ad812300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.046706]                                            ^
[   65.052156]  ffff8801ad812380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[   65.059512]  ffff8801ad812400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.066864] ==================================================================
[   65.074307] Disabling lock debugging due to kernel taint
[   65.079957] Kernel panic - not syncing: panic_on_warn set ...
[   65.079957] 
[   65.087583] CPU: 0 PID: 26 Comm: kworker/0:2 Tainted: G    B 4.18.0-rc5+ #159
[   65.095961] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.105403] Workqueue: events p9_poll_workfn
[   65.109796] Call Trace:
[   65.112388]  dump_stack+0x1c9/0x2b4
[   65.116006]  ? dump_stack_print_info.cold.2+0x52/0x52
[   65.121193]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   65.125936]  panic+0x238/0x4e7
[   65.129109]  ? add_taint.cold.5+0x16/0x16
[   65.133733]  ? do_raw_spin_unlock+0xa7/0x2f0
[   65.138209]  ? do_raw_spin_unlock+0xa7/0x2f0
[   65.142602]  ? p9_poll_workfn+0x660/0x6d0
[   65.146746]  kasan_end_report+0x47/0x4f
[   65.150715]  kasan_report.cold.7+0x76/0x2fe
[   65.155027]  __asan_report_load4_noabort+0x14/0x20
[   65.159946]  p9_poll_workfn+0x660/0x6d0
[   65.163903]  ? p9_read_work+0x1060/0x1060
[   65.168205]  ? graph_lock+0x170/0x170
[   65.171987]  ? lock_acquire+0x1e4/0x540
[   65.175943]  ? process_one_work+0xb9b/0x1ba0
[   65.180349]  ? kasan_check_read+0x11/0x20
[   65.184519]  ? __lock_is_held+0xb5/0x140
[   65.188651]  process_one_work+0xc73/0x1ba0
[   65.192895]  ? trace_hardirqs_on+0x10/0x10
[   65.197122]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   65.201773]  ? lock_repin_lock+0x430/0x430
[   65.206087]  ? __sched_text_start+0x8/0x8
[   65.210215]  ? lock_downgrade+0x8f0/0x8f0
[   65.214432]  ? graph_lock+0x170/0x170
[   65.218221]  ? graph_lock+0x170/0x170
[   65.222011]  ? lock_acquire+0x1e4/0x540
[   65.225972]  ? worker_thread+0x3dc/0x13c0
[   65.230105]  ? lock_downgrade+0x8f0/0x8f0
[   65.234242]  ? lock_release+0xa30/0xa30
[   65.238210]  ? kasan_check_read+0x11/0x20
[   65.242600]  ? do_raw_spin_unlock+0xa7/0x2f0
[   65.247006]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   65.251586]  ? kasan_check_write+0x14/0x20
[   65.255809]  ? do_raw_spin_lock+0xc1/0x200
[   65.260296]  worker_thread+0x189/0x13c0
[   65.266332]  ? process_one_work+0x1ba0/0x1ba0
[   65.270824]  ? graph_lock+0x170/0x170
[   65.274601]  ? graph_lock+0x170/0x170
[   65.278385]  ? find_held_lock+0x36/0x1c0
[   65.282785]  ? find_held_lock+0x36/0x1c0
[   65.286842]  ? kasan_check_read+0x11/0x20
[   65.290976]  ? do_raw_spin_unlock+0xa7/0x2f0
[   65.295367]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   65.300453]  ? __kthread_parkme+0x58/0x1b0
[   65.304669]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   65.309669]  ? trace_hardirqs_on+0xd/0x10
[   65.313799]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   65.319317]  ? __kthread_parkme+0x106/0x1b0
[   65.323632]  kthread+0x345/0x410
[   65.326988]  ? process_one_work+0x1ba0/0x1ba0
[   65.331465]  ? kthread_bind+0x40/0x40
[   65.335252]  ret_from_fork+0x3a/0x50
[   65.339589] Dumping ftrace buffer:
[   65.343130]    (ftrace buffer empty)
[   65.346823] Kernel Offset: disabled
[   65.350431] Rebooting in 86400 seconds..