[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.213973] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.421891] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.998382] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.986879] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.086318] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.56' (ECDSA) to the list of known hosts.
[ 36.541963] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.652421] IPVS: ftp: loaded support on port[0] = 21
[ 36.820185] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.827019] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.834911] device bridge_slave_0 entered promiscuous mode
[ 36.859326] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.868133] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.876264] device bridge_slave_1 entered promiscuous mode
[ 36.903063] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 36.927772] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 36.996698] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 37.022532] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 37.124964] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 37.134088] team0: Port device team_slave_0 added
[ 37.152663] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 37.160810] team0: Port device team_slave_1 added
[ 37.184423] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 37.206623] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 37.225621] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 37.245717] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 37.398876] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.406495] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.413722] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.420317] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 38.025786] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.086854] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.143097] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 38.149396] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 38.157287] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.207661] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 38.574661] ==================================================================
[ 38.582456] BUG: KASAN: use-after-free in p9_conn_cancel+0x9fc/0xd30
[ 38.589002] Read of size 8 at addr ffff8801cb2f85a0 by task kworker/0:3/4631
[ 38.596252]
[ 38.597918] CPU: 0 PID: 4631 Comm: kworker/0:3 Not tainted 4.18.0-rc5+ #159
[ 38.605071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.614447] Workqueue: events p9_poll_workfn
[ 38.618853] Call Trace:
[ 38.621750]  dump_stack+0x1c9/0x2b4
[ 38.625441]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 38.630664]  ? printk+0xa7/0xcf
[ 38.633979]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 38.638777]  ? p9_conn_cancel+0x9fc/0xd30
[ 38.642970]  print_address_description+0x6c/0x20b
[ 38.647904]  ? p9_conn_cancel+0x9fc/0xd30
[ 38.652329]  kasan_report.cold.7+0x242/0x2fe
[ 38.657104]  __asan_report_load8_noabort+0x14/0x20
[ 38.662042]  p9_conn_cancel+0x9fc/0xd30
[ 38.666031]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 38.670289]  ? lock_downgrade+0x8f0/0x8f0
[ 38.674453]  ? mark_held_locks+0xc9/0x160
[ 38.678610]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 38.683205]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 38.688748]  ? generic_pipe_buf_confirm+0x10/0x10
[ 38.694078]  p9_poll_workfn+0x4b2/0x6d0
[ 38.698068]  ? p9_read_work+0x1060/0x1060
[ 38.702821]  ? graph_lock+0x170/0x170
[ 38.706673]  ? lock_acquire+0x1e4/0x540
[ 38.710651]  ? process_one_work+0xb9b/0x1ba0
[ 38.715069]  ? kasan_check_read+0x11/0x20
[ 38.719245]  ? __lock_is_held+0xb5/0x140
[ 38.723432]  process_one_work+0xc73/0x1ba0
[ 38.727682]  ? trace_hardirqs_on+0x10/0x10
[ 38.732478]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 38.737424]  ? lock_repin_lock+0x430/0x430
[ 38.741695]  ? __sched_text_start+0x8/0x8
[ 38.745859]  ? graph_lock+0x170/0x170
[ 38.749655]  ? lock_downgrade+0x8f0/0x8f0
[ 38.753804]  ? kasan_check_read+0x11/0x20
[ 38.757946]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 38.762355]  ? lock_acquire+0x1e4/0x540
[ 38.766327]  ? worker_thread+0x3dc/0x13c0
[ 38.770502]  ? lock_downgrade+0x8f0/0x8f0
[ 38.774771]  ? lock_release+0xa30/0xa30
[ 38.778842]  ? kasan_check_read+0x11/0x20
[ 38.782991]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 38.787408]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 38.792016]  ? kasan_check_write+0x14/0x20
[ 38.796286]  ? do_raw_spin_lock+0xc1/0x200
[ 38.800553]  worker_thread+0x189/0x13c0
[ 38.804683]  ? process_one_work+0x1ba0/0x1ba0
[ 38.809210]  ? graph_lock+0x170/0x170
[ 38.813043]  ? graph_lock+0x170/0x170
[ 38.816893]  ? find_held_lock+0x36/0x1c0
[ 38.820985]  ? find_held_lock+0x36/0x1c0
[ 38.825073]  ? lock_downgrade+0x8f0/0x8f0
[ 38.829219]  ? kasan_check_read+0x11/0x20
[ 38.833384]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 38.837905]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 38.843041]  ? __kthread_parkme+0x58/0x1b0
[ 38.847317]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 38.852360]  ? trace_hardirqs_on+0xd/0x10
[ 38.856538]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 38.862104]  ? __kthread_parkme+0x106/0x1b0
[ 38.866453]  kthread+0x345/0x410
[ 38.869842]  ? process_one_work+0x1ba0/0x1ba0
[ 38.874356]  ? kthread_bind+0x40/0x40
[ 38.878193]  ret_from_fork+0x3a/0x50
[ 38.881918]
[ 38.883543] Allocated by task 4836:
[ 38.887213]  save_stack+0x43/0xd0
[ 38.890701]  kasan_kmalloc+0xc4/0xe0
[ 38.894421]  kmem_cache_alloc_trace+0x152/0x780
[ 38.899119]  p9_fd_create+0x1a7/0x3f0
[ 38.902954]  p9_client_create+0x8ed/0x1770
[ 38.907209]  v9fs_session_init+0x21a/0x1a80
[ 38.911636]  v9fs_mount+0x7c/0x900
[ 38.915211]  mount_fs+0xae/0x328
[ 38.918594]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 38.923215]  do_mount+0x581/0x30e0
[ 38.926764]  ksys_mount+0x12d/0x140
[ 38.930413]  __x64_sys_mount+0xbe/0x150
[ 38.934402]  do_syscall_64+0x1b9/0x820
[ 38.938311]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.943492]
[ 38.945131] Freed by task 4836:
[ 38.948434]  save_stack+0x43/0xd0
[ 38.951910]  __kasan_slab_free+0x11a/0x170
[ 38.956309]  kasan_slab_free+0xe/0x10
[ 38.960181]  kfree+0xd9/0x260
[ 38.963307]  p9_fd_close+0x416/0x5b0
[ 38.967054]  p9_client_create+0xa9a/0x1770
[ 38.971322]  v9fs_session_init+0x21a/0x1a80
[ 38.975663]  v9fs_mount+0x7c/0x900
[ 38.979229]  mount_fs+0xae/0x328
[ 38.982655]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 38.987235]  do_mount+0x581/0x30e0
[ 38.990792]  ksys_mount+0x12d/0x140
[ 38.994430]  __x64_sys_mount+0xbe/0x150
[ 38.998633]  do_syscall_64+0x1b9/0x820
[ 39.002564]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.007744]
[ 39.009373] The buggy address belongs to the object at ffff8801cb2f8580
[ 39.009373]  which belongs to the cache kmalloc-512 of size 512
[ 39.022069] The buggy address is located 32 bytes inside of
[ 39.022069]  512-byte region [ffff8801cb2f8580, ffff8801cb2f8780)
[ 39.033976] The buggy address belongs to the page:
[ 39.039049] page:ffffea00072cbe00 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 39.047228] flags: 0x2fffc0000000100(slab)
[ 39.051573] raw: 02fffc0000000100 ffffea00072ec1c8 ffffea000730f108 ffff8801da800940
[ 39.059468] raw: 0000000000000000 ffff8801cb2f8080 0000000100000006 0000000000000000
[ 39.067360] page dumped because: kasan: bad access detected
[ 39.073085]
[ 39.074702] Memory state around the buggy address:
[ 39.079635]  ffff8801cb2f8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.087008]  ffff8801cb2f8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.094390] >ffff8801cb2f8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.101762]                                ^
[ 39.106176]  ffff8801cb2f8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.113551]  ffff8801cb2f8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.120910] ==================================================================
[ 39.128376] Disabling lock debugging due to kernel taint
[ 39.134286] Kernel panic - not syncing: panic_on_warn set ...
[ 39.134286]
[ 39.141681] CPU: 0 PID: 4631 Comm: kworker/0:3 Tainted: G    B             4.18.0-rc5+ #159
[ 39.150172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.159534] Workqueue: events p9_poll_workfn
[ 39.163949] Call Trace:
[ 39.166543]  dump_stack+0x1c9/0x2b4
[ 39.170172]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.175382]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.180152]  panic+0x238/0x4e7
[ 39.183348]  ? add_taint.cold.5+0x16/0x16
[ 39.187495]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.191898]  ? p9_conn_cancel+0x9fc/0xd30
[ 39.196065]  kasan_end_report+0x47/0x4f
[ 39.200048]  kasan_report.cold.7+0x76/0x2fe
[ 39.204373]  __asan_report_load8_noabort+0x14/0x20
[ 39.209313]  p9_conn_cancel+0x9fc/0xd30
[ 39.213301]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 39.217547]  ? lock_downgrade+0x8f0/0x8f0
[ 39.221693]  ? mark_held_locks+0xc9/0x160
[ 39.225848]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 39.230458]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.236000]  ? generic_pipe_buf_confirm+0x10/0x10
[ 39.240854]  p9_poll_workfn+0x4b2/0x6d0
[ 39.244828]  ? p9_read_work+0x1060/0x1060
[ 39.248968]  ? graph_lock+0x170/0x170
[ 39.252757]  ? lock_acquire+0x1e4/0x540
[ 39.256725]  ? process_one_work+0xb9b/0x1ba0
[ 39.261136]  ? kasan_check_read+0x11/0x20
[ 39.265294]  ? __lock_is_held+0xb5/0x140
[ 39.269357]  process_one_work+0xc73/0x1ba0
[ 39.274318]  ? trace_hardirqs_on+0x10/0x10
[ 39.278554]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 39.283249]  ? lock_repin_lock+0x430/0x430
[ 39.287492]  ? __sched_text_start+0x8/0x8
[ 39.291645]  ? graph_lock+0x170/0x170
[ 39.295448]  ? lock_downgrade+0x8f0/0x8f0
[ 39.299630]  ? kasan_check_read+0x11/0x20
[ 39.303770]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.308174]  ? lock_acquire+0x1e4/0x540
[ 39.312155]  ? worker_thread+0x3dc/0x13c0
[ 39.316293]  ? lock_downgrade+0x8f0/0x8f0
[ 39.320518]  ? lock_release+0xa30/0xa30
[ 39.324520]  ? kasan_check_read+0x11/0x20
[ 39.328665]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.333078]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 39.337685]  ? kasan_check_write+0x14/0x20
[ 39.341914]  ? do_raw_spin_lock+0xc1/0x200
[ 39.346143]  worker_thread+0x189/0x13c0
[ 39.350114]  ? process_one_work+0x1ba0/0x1ba0
[ 39.354624]  ? graph_lock+0x170/0x170
[ 39.358425]  ? graph_lock+0x170/0x170
[ 39.362232]  ? find_held_lock+0x36/0x1c0
[ 39.366301]  ? find_held_lock+0x36/0x1c0
[ 39.370373]  ? lock_downgrade+0x8f0/0x8f0
[ 39.374523]  ? kasan_check_read+0x11/0x20
[ 39.378678]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.383081]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 39.388202]  ? __kthread_parkme+0x58/0x1b0
[ 39.392446]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 39.397485]  ? trace_hardirqs_on+0xd/0x10
[ 39.401642]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.407186]  ? __kthread_parkme+0x106/0x1b0
[ 39.411520]  kthread+0x345/0x410
[ 39.414892]  ? process_one_work+0x1ba0/0x1ba0
[ 39.419380]  ? kthread_bind+0x40/0x40
[ 39.423187]  ret_from_fork+0x3a/0x50
[ 39.427445] Dumping ftrace buffer:
[ 39.431037]    (ftrace buffer empty)
[ 39.434740] Kernel Offset: disabled
[ 39.438364] Rebooting in 86400 seconds..