[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.129506] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.387500] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.575078] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 19.517877] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.936428] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
[ 37.381588] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.482249] IPVS: ftp: loaded support on port[0] = 21
[ 37.606988] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.613450] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.620673] device bridge_slave_0 entered promiscuous mode
[ 37.636670] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.643501] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.650459] device bridge_slave_1 entered promiscuous mode
[ 37.665539] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 37.682108] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 37.723370] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 37.741367] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 37.806091] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 37.813786] team0: Port device team_slave_0 added
[ 37.829532] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 37.836753] team0: Port device team_slave_1 added
[ 37.852009] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 37.870259] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 37.887160] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 37.903340] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 38.020016] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.026497] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.033346] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.039714] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 38.461167] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.467300] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.513466] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.557142] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.565059] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 38.601990] 8021q: adding VLAN 0 to HW filter on device team0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 39.237212] ==================================================================
[ 39.244869] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[ 39.251365] Read of size 4 at addr ffff8801d3c690c4 by task kworker/0:1/25
[ 39.258353]
[ 39.259965] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.18.0-rc6+ #160
[ 39.266868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.276210] Workqueue: events p9_poll_workfn
[ 39.280597] Call Trace:
[ 39.283204]  dump_stack+0x1c9/0x2b4
[ 39.286827]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.292000]  ? printk+0xa7/0xcf
[ 39.295261]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 39.300001]  ? p9_poll_workfn+0x660/0x6d0
[ 39.304143]  print_address_description+0x6c/0x20b
[ 39.308971]  ? p9_poll_workfn+0x660/0x6d0
[ 39.313113]  kasan_report.cold.7+0x242/0x2fe
[ 39.317506]  __asan_report_load4_noabort+0x14/0x20
[ 39.322416]  p9_poll_workfn+0x660/0x6d0
[ 39.326376]  ? p9_read_work+0x1060/0x1060
[ 39.330506]  ? graph_lock+0x170/0x170
[ 39.334292]  ? lock_acquire+0x1e4/0x540
[ 39.338247]  ? process_one_work+0xb9b/0x1ba0
[ 39.342660]  ? kasan_check_read+0x11/0x20
[ 39.346794]  ? __lock_is_held+0xb5/0x140
[ 39.350866]  process_one_work+0xc73/0x1ba0
[ 39.355106]  ? trace_hardirqs_on+0x10/0x10
[ 39.359327]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 39.363976]  ? lock_repin_lock+0x430/0x430
[ 39.368209]  ? __sched_text_start+0x8/0x8
[ 39.372352]  ? graph_lock+0x170/0x170
[ 39.376136]  ? lock_downgrade+0x8f0/0x8f0
[ 39.380272]  ? kasan_check_read+0x11/0x20
[ 39.384400]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.388796]  ? lock_acquire+0x1e4/0x540
[ 39.392763]  ? worker_thread+0x3dc/0x13c0
[ 39.396890]  ? lock_downgrade+0x8f0/0x8f0
[ 39.401032]  ? lock_release+0xa30/0xa30
[ 39.404991]  ? kasan_check_read+0x11/0x20
[ 39.409123]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.413514]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 39.418084]  ? kasan_check_write+0x14/0x20
[ 39.422303]  ? do_raw_spin_lock+0xc1/0x200
[ 39.426532]  worker_thread+0x189/0x13c0
[ 39.430498]  ? process_one_work+0x1ba0/0x1ba0
[ 39.434981]  ? graph_lock+0x170/0x170
[ 39.438766]  ? graph_lock+0x170/0x170
[ 39.442549]  ? find_held_lock+0x36/0x1c0
[ 39.446600]  ? find_held_lock+0x36/0x1c0
[ 39.450659]  ? lock_downgrade+0x8f0/0x8f0
[ 39.454797]  ? kasan_check_read+0x11/0x20
[ 39.458927]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.463325]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 39.468416]  ? __kthread_parkme+0x58/0x1b0
[ 39.472638]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 39.477639]  ? trace_hardirqs_on+0xd/0x10
[ 39.481772]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.487294]  ? __kthread_parkme+0x106/0x1b0
[ 39.492130]  kthread+0x345/0x410
[ 39.495502]  ? process_one_work+0x1ba0/0x1ba0
[ 39.499979]  ? kthread_bind+0x40/0x40
[ 39.503772]  ret_from_fork+0x3a/0x50
[ 39.507478]
[ 39.509094] Allocated by task 4742:
[ 39.512724]  save_stack+0x43/0xd0
[ 39.516162]  kasan_kmalloc+0xc4/0xe0
[ 39.520034]  kmem_cache_alloc_trace+0x152/0x780
[ 39.524774]  p9_fd_create+0x1a7/0x3f0
[ 39.529869]  p9_client_create+0x8ed/0x1770
[ 39.534088]  v9fs_session_init+0x21a/0x1a80
[ 39.538390]  v9fs_mount+0x7c/0x900
[ 39.541911]  mount_fs+0xae/0x328
[ 39.545265]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 39.549833]  do_mount+0x581/0x30e0
[ 39.553358]  ksys_mount+0x12d/0x140
[ 39.556971]  __x64_sys_mount+0xbe/0x150
[ 39.560930]  do_syscall_64+0x1b9/0x820
[ 39.564813]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.569988]
[ 39.571613] Freed by task 4742:
[ 39.574888]  save_stack+0x43/0xd0
[ 39.578324]  __kasan_slab_free+0x11a/0x170
[ 39.582533]  kasan_slab_free+0xe/0x10
[ 39.586319]  kfree+0xd9/0x260
[ 39.589405]  p9_fd_close+0x416/0x5b0
[ 39.593105]  p9_client_create+0xa9a/0x1770
[ 39.597323]  v9fs_session_init+0x21a/0x1a80
[ 39.601631]  v9fs_mount+0x7c/0x900
[ 39.605181]  mount_fs+0xae/0x328
[ 39.608533]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 39.613101]  do_mount+0x581/0x30e0
[ 39.616626]  ksys_mount+0x12d/0x140
[ 39.620235]  __x64_sys_mount+0xbe/0x150
[ 39.624202]  do_syscall_64+0x1b9/0x820
[ 39.628073]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.633239]
[ 39.635065] The buggy address belongs to the object at ffff8801d3c69040
[ 39.635065]  which belongs to the cache kmalloc-512 of size 512
[ 39.647703] The buggy address is located 132 bytes inside of
[ 39.647703]  512-byte region [ffff8801d3c69040, ffff8801d3c69240)
[ 39.659559] The buggy address belongs to the page:
[ 39.664483] page:ffffea00074f1a40 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 39.672612] flags: 0x2fffc0000000100(slab)
[ 39.677179] raw: 02fffc0000000100 ffffea00074f1a08 ffffea00074f1b08 ffff8801da800940
[ 39.685054] raw: 0000000000000000 ffff8801d3c69040 0000000100000006 0000000000000000
[ 39.692916] page dumped because: kasan: bad access detected
[ 39.698605]
[ 39.700220] Memory state around the buggy address:
[ 39.705311]  ffff8801d3c68f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.712648]  ffff8801d3c69000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.719996] >ffff8801d3c69080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.727342]                                            ^
[ 39.732788]  ffff8801d3c69100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.740135]  ffff8801d3c69180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.747469] ==================================================================
[ 39.754802] Disabling lock debugging due to kernel taint
[ 39.760683] Kernel panic - not syncing: panic_on_warn set ...
[ 39.760683]
[ 39.768043] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G B 4.18.0-rc6+ #160
[ 39.776445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.785789] Workqueue: events p9_poll_workfn
[ 39.790173] Call Trace:
[ 39.792740]  dump_stack+0x1c9/0x2b4
[ 39.796349]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.801524]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.806263]  panic+0x238/0x4e7
[ 39.809434]  ? add_taint.cold.5+0x16/0x16
[ 39.813564]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.817964]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.822366]  ? p9_poll_workfn+0x660/0x6d0
[ 39.826493]  kasan_end_report+0x47/0x4f
[ 39.830549]  kasan_report.cold.7+0x76/0x2fe
[ 39.834851]  __asan_report_load4_noabort+0x14/0x20
[ 39.839766]  p9_poll_workfn+0x660/0x6d0
[ 39.843739]  ? p9_read_work+0x1060/0x1060
[ 39.847870]  ? graph_lock+0x170/0x170
[ 39.851753]  ? lock_acquire+0x1e4/0x540
[ 39.855719]  ? process_one_work+0xb9b/0x1ba0
[ 39.860124]  ? kasan_check_read+0x11/0x20
[ 39.864352]  ? __lock_is_held+0xb5/0x140
[ 39.868398]  process_one_work+0xc73/0x1ba0
[ 39.872616]  ? trace_hardirqs_on+0x10/0x10
[ 39.876920]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 39.881569]  ? lock_repin_lock+0x430/0x430
[ 39.885788]  ? __sched_text_start+0x8/0x8
[ 39.889915]  ? graph_lock+0x170/0x170
[ 39.894010]  ? lock_downgrade+0x8f0/0x8f0
[ 39.898147]  ? kasan_check_read+0x11/0x20
[ 39.902274]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.906677]  ? lock_acquire+0x1e4/0x540
[ 39.910642]  ? worker_thread+0x3dc/0x13c0
[ 39.914773]  ? lock_downgrade+0x8f0/0x8f0
[ 39.918904]  ? lock_release+0xa30/0xa30
[ 39.922858]  ? kasan_check_read+0x11/0x20
[ 39.926991]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.931377]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 39.935943]  ? kasan_check_write+0x14/0x20
[ 39.940167]  ? do_raw_spin_lock+0xc1/0x200
[ 39.944382]  worker_thread+0x189/0x13c0
[ 39.948340]  ? process_one_work+0x1ba0/0x1ba0
[ 39.952817]  ? graph_lock+0x170/0x170
[ 39.956607]  ? graph_lock+0x170/0x170
[ 39.960386]  ? find_held_lock+0x36/0x1c0
[ 39.964430]  ? find_held_lock+0x36/0x1c0
[ 39.968474]  ? lock_downgrade+0x8f0/0x8f0
[ 39.972613]  ? kasan_check_read+0x11/0x20
[ 39.976738]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 39.981127]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 39.986216]  ? __kthread_parkme+0x58/0x1b0
[ 39.990439]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 39.995435]  ? trace_hardirqs_on+0xd/0x10
[ 39.999565]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.005085]  ? __kthread_parkme+0x106/0x1b0
[ 40.009386]  kthread+0x345/0x410
[ 40.012735]  ? process_one_work+0x1ba0/0x1ba0
[ 40.017210]  ? kthread_bind+0x40/0x40
[ 40.021000]  ret_from_fork+0x3a/0x50
[ 40.025115] Dumping ftrace buffer:
[ 40.028631]    (ftrace buffer empty)
[ 40.032329] Kernel Offset: disabled
[ 40.035935] Rebooting in 86400 seconds..