[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 18.209425] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.904674] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.169176] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.038365] random: sshd: uninitialized urandom read (32 bytes read)
[ 49.546805] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
[ 55.095119] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[ 65.190041] ==================================================================
[ 65.197539] BUG: KASAN: use-after-free in p9_conn_cancel+0x9de/0xd30
[ 65.204020] Read of size 4 at addr ffff8801cf034068 by task kworker/1:0/19
[ 65.211009]
[ 65.212630] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc4+ #142
[ 65.219534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.228884] Workqueue: events p9_poll_workfn
[ 65.233280] Call Trace:
[ 65.235852]  dump_stack+0x1c9/0x2b4
[ 65.239463]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 65.244652]  ? printk+0xa7/0xcf
[ 65.247916]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 65.252661]  ? p9_conn_cancel+0x9de/0xd30
[ 65.256793]  print_address_description+0x6c/0x20b
[ 65.261624]  ? p9_conn_cancel+0x9de/0xd30
[ 65.265757]  kasan_report.cold.7+0x242/0x2fe
[ 65.270157]  __asan_report_load4_noabort+0x14/0x20
[ 65.275071]  p9_conn_cancel+0x9de/0xd30
[ 65.279033]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.283794]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 65.288030]  ? lock_downgrade+0x8f0/0x8f0
[ 65.292175]  ? mark_held_locks+0xc9/0x160
[ 65.296306]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 65.300876]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 65.306038]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 65.311040]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.316565]  p9_poll_workfn+0x4b2/0x6d0
[ 65.320528]  ? p9_read_work+0x1060/0x1060
[ 65.324659]  ? graph_lock+0x170/0x170
[ 65.328454]  ? lock_acquire+0x1e4/0x540
[ 65.332411]  ? process_one_work+0xb9b/0x1ba0
[ 65.336814]  ? kasan_check_read+0x11/0x20
[ 65.340949]  ? __lock_is_held+0xb5/0x140
[ 65.344998]  process_one_work+0xc73/0x1ba0
[ 65.349219]  ? trace_hardirqs_on+0x10/0x10
[ 65.353442]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 65.358095]  ? lock_repin_lock+0x430/0x430
[ 65.362325]  ? __sched_text_start+0x8/0x8
[ 65.366462]  ? graph_lock+0x170/0x170
[ 65.370255]  ? lock_downgrade+0x8f0/0x8f0
[ 65.374391]  ? kasan_check_read+0x11/0x20
[ 65.378529]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 65.382933]  ? lock_acquire+0x1e4/0x540
[ 65.386899]  ? worker_thread+0x3dc/0x13c0
[ 65.391551]  ? lock_downgrade+0x8f0/0x8f0
[ 65.395683]  ? lock_release+0xa30/0xa30
[ 65.399650]  ? kasan_check_read+0x11/0x20
[ 65.403797]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 65.408198]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 65.412763]  ? kasan_check_write+0x14/0x20
[ 65.416985]  ? do_raw_spin_lock+0xc1/0x200
[ 65.421211]  worker_thread+0x189/0x13c0
[ 65.425187]  ? process_one_work+0x1ba0/0x1ba0
[ 65.429667]  ? graph_lock+0x170/0x170
[ 65.433454]  ? graph_lock+0x170/0x170
[ 65.437240]  ? find_held_lock+0x36/0x1c0
[ 65.441304]  ? find_held_lock+0x36/0x1c0
[ 65.445358]  ? lock_downgrade+0x8f0/0x8f0
[ 65.449494]  ? kasan_check_read+0x11/0x20
[ 65.453626]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 65.458028]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 65.463131]  ? __kthread_parkme+0x58/0x1b0
[ 65.467353]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 65.472353]  ? trace_hardirqs_on+0xd/0x10
[ 65.476487]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 65.482005]  ? __kthread_parkme+0x106/0x1b0
[ 65.486314]  kthread+0x345/0x410
[ 65.489665]  ? process_one_work+0x1ba0/0x1ba0
[ 65.494153]  ? kthread_bind+0x40/0x40
[ 65.497940]  ret_from_fork+0x3a/0x50
[ 65.501639]
[ 65.503246] Allocated by task 4524:
[ 65.506868]  save_stack+0x43/0xd0
[ 65.510303]  kasan_kmalloc+0xc4/0xe0
[ 65.514000]  kmem_cache_alloc_trace+0x152/0x780
[ 65.518664]  p9_fd_create+0x1a7/0x3f0
[ 65.522446]  p9_client_create+0x915/0x16c9
[ 65.526666]  v9fs_session_init+0x21a/0x1a80
[ 65.530966]  v9fs_mount+0x7c/0x900
[ 65.534487]  mount_fs+0xae/0x328
[ 65.537835]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 65.542402]  do_mount+0x581/0x30e0
[ 65.545927]  ksys_mount+0x12d/0x140
[ 65.549537]  __x64_sys_mount+0xbe/0x150
[ 65.553505]  do_syscall_64+0x1b9/0x820
[ 65.557395]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.562559]
[ 65.564166] Freed by task 4524:
[ 65.567428]  save_stack+0x43/0xd0
[ 65.570863]  __kasan_slab_free+0x11a/0x170
[ 65.575087]  kasan_slab_free+0xe/0x10
[ 65.578875]  kfree+0xd9/0x260
[ 65.581963]  p9_fd_close+0x416/0x5b0
[ 65.585661]  p9_client_create+0xac2/0x16c9
[ 65.589877]  v9fs_session_init+0x21a/0x1a80
[ 65.594192]  v9fs_mount+0x7c/0x900
[ 65.597714]  mount_fs+0xae/0x328
[ 65.601062]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 65.605626]  do_mount+0x581/0x30e0
[ 65.609147]  ksys_mount+0x12d/0x140
[ 65.612754]  __x64_sys_mount+0xbe/0x150
[ 65.616712]  do_syscall_64+0x1b9/0x820
[ 65.620582]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.625754]
[ 65.627367] The buggy address belongs to the object at ffff8801cf034040
[ 65.627367]  which belongs to the cache kmalloc-512 of size 512
[ 65.640008] The buggy address is located 40 bytes inside of
[ 65.640008]  512-byte region [ffff8801cf034040, ffff8801cf034240)
[ 65.651779] The buggy address belongs to the page:
[ 65.656706] page:ffffea00073c0d00 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 65.664835] flags: 0x2fffc0000000100(slab)
[ 65.669056] raw: 02fffc0000000100 ffffea000762e488 ffffea00076201c8 ffff8801da800940
[ 65.676921] raw: 0000000000000000 ffff8801cf034040 0000000100000006 0000000000000000
[ 65.684788] page dumped because: kasan: bad access detected
[ 65.690474]
[ 65.692080] Memory state around the buggy address:
[ 65.696989]  ffff8801cf033f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 65.704425]  ffff8801cf033f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.711766] >ffff8801cf034000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 65.719224]                                                        ^
[ 65.725961]  ffff8801cf034080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.733303]  ffff8801cf034100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.740756] ==================================================================
[ 65.748094] Disabling lock debugging due to kernel taint
[ 65.753523] Kernel panic - not syncing: panic_on_warn set ...
[ 65.753523]
[ 65.760877] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G    B 4.18.0-rc4+ #142
[ 65.769171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.778524] Workqueue: events p9_poll_workfn
[ 65.782911] Call Trace:
[ 65.785482]  dump_stack+0x1c9/0x2b4
[ 65.789091]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 65.794266]  ? lock_downgrade+0x8f0/0x8f0
[ 65.798400]  panic+0x238/0x4e7
[ 65.801579]  ? add_taint.cold.5+0x16/0x16
[ 65.805718]  ? add_taint.cold.5+0x5/0x16
[ 65.809759]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 65.814152]  ? p9_conn_cancel+0x9de/0xd30
[ 65.818282]  kasan_end_report+0x47/0x4f
[ 65.822238]  kasan_report.cold.7+0x76/0x2fe
[ 65.826540]  __asan_report_load4_noabort+0x14/0x20
[ 65.831448]  p9_conn_cancel+0x9de/0xd30
[ 65.835414]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.840160]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 65.844383]  ? lock_downgrade+0x8f0/0x8f0
[ 65.848516]  ? mark_held_locks+0xc9/0x160
[ 65.852643]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 65.857208]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 65.862294]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 65.867304]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.872824]  p9_poll_workfn+0x4b2/0x6d0
[ 65.876782]  ? p9_read_work+0x1060/0x1060
[ 65.880912]  ? graph_lock+0x170/0x170
[ 65.884700]  ? lock_acquire+0x1e4/0x540
[ 65.888657]  ? process_one_work+0xb9b/0x1ba0
[ 65.893050]  ? kasan_check_read+0x11/0x20
[ 65.897182]  ? __lock_is_held+0xb5/0x140
[ 65.901240]  process_one_work+0xc73/0x1ba0
[ 65.905456]  ? trace_hardirqs_on+0x10/0x10
[ 65.909677]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 65.914341]  ? lock_repin_lock+0x430/0x430
[ 65.918568]  ? __sched_text_start+0x8/0x8
[ 65.922700]  ? graph_lock+0x170/0x170
[ 65.926481]  ? lock_downgrade+0x8f0/0x8f0
[ 65.930708]  ? kasan_check_read+0x11/0x20
[ 65.934839]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 65.939235]  ? lock_acquire+0x1e4/0x540
[ 65.943189]  ? worker_thread+0x3dc/0x13c0
[ 65.947321]  ? lock_downgrade+0x8f0/0x8f0
[ 65.951451]  ? lock_release+0xa30/0xa30
[ 65.955493]  ? kasan_check_read+0x11/0x20
[ 65.959621]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 65.964014]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 65.968586]  ? kasan_check_write+0x14/0x20
[ 65.972817]  ? do_raw_spin_lock+0xc1/0x200
[ 65.977035]  worker_thread+0x189/0x13c0
[ 65.980996]  ? process_one_work+0x1ba0/0x1ba0
[ 65.985474]  ? graph_lock+0x170/0x170
[ 65.989255]  ? graph_lock+0x170/0x170
[ 65.993037]  ? find_held_lock+0x36/0x1c0
[ 65.997086]  ? find_held_lock+0x36/0x1c0
[ 66.001133]  ? lock_downgrade+0x8f0/0x8f0
[ 66.005265]  ? kasan_check_read+0x11/0x20
[ 66.009393]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 66.013789]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 66.018888]  ? __kthread_parkme+0x58/0x1b0
[ 66.023106]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 66.028108]  ? trace_hardirqs_on+0xd/0x10
[ 66.032239]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 66.037762]  ? __kthread_parkme+0x106/0x1b0
[ 66.042073]  kthread+0x345/0x410
[ 66.045420]  ? process_one_work+0x1ba0/0x1ba0
[ 66.049898]  ? kthread_bind+0x40/0x40
[ 66.053682]  ret_from_fork+0x3a/0x50
[ 66.058001] Dumping ftrace buffer:
[ 66.061522]    (ftrace buffer empty)
[ 66.065209] Kernel Offset: disabled
[ 66.068829] Rebooting in 86400 seconds..