[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 18.915219] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 20.561384] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.860958] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.770279] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.706263] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
[ 33.098919] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/21 08:58:10 parsed 1 programs
[ 34.275735] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/21 08:58:11 executed programs: 0
[ 35.269568] IPVS: ftp: loaded support on port[0] = 21
[ 36.195101] ==================================================================
[ 36.202533] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[ 36.209006] Read of size 4 at addr ffff8801ad2f98c4 by task kworker/1:1/27
[ 36.215991]
[ 36.217608] CPU: 1 PID: 27 Comm: kworker/1:1 Not tainted 4.18.0-rc5+ #157
[ 36.224523] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.233861] Workqueue: events p9_poll_workfn
[ 36.238244] Call Trace:
[ 36.240812]  dump_stack+0x1c9/0x2b4
[ 36.244417]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.249582]  ? printk+0xa7/0xcf
[ 36.252839]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 36.257574]  ? p9_poll_workfn+0x660/0x6d0
[ 36.261701]  print_address_description+0x6c/0x20b
[ 36.266529]  ? p9_poll_workfn+0x660/0x6d0
[ 36.270655]  kasan_report.cold.7+0x242/0x2fe
[ 36.275047]  __asan_report_load4_noabort+0x14/0x20
[ 36.279954]  p9_poll_workfn+0x660/0x6d0
[ 36.283910]  ? p9_read_work+0x1060/0x1060
[ 36.288036]  ? graph_lock+0x170/0x170
[ 36.291830]  ? kasan_check_read+0x11/0x20
[ 36.295963]  ? __lock_is_held+0xb5/0x140
[ 36.300013]  process_one_work+0xc73/0x1ba0
[ 36.304226]  ? trace_hardirqs_on+0x10/0x10
[ 36.308444]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 36.313110]  ? lock_repin_lock+0x430/0x430
[ 36.317342]  ? __sched_text_start+0x8/0x8
[ 36.321474]  ? lock_downgrade+0x8f0/0x8f0
[ 36.325601]  ? prepare_to_swait_event+0xc0/0xc0
[ 36.330264]  ? graph_lock+0x170/0x170
[ 36.334054]  ? lock_acquire+0x1e4/0x540
[ 36.338016]  ? worker_thread+0x3dc/0x13c0
[ 36.342152]  ? lock_downgrade+0x8f0/0x8f0
[ 36.346280]  ? lock_release+0xa30/0xa30
[ 36.350233]  ? kasan_check_read+0x11/0x20
[ 36.354363]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.358758]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 36.363331]  ? kasan_check_write+0x14/0x20
[ 36.367550]  ? do_raw_spin_lock+0xc1/0x200
[ 36.371767]  worker_thread+0x189/0x13c0
[ 36.375729]  ? process_one_work+0x1ba0/0x1ba0
[ 36.380212]  ? graph_lock+0x170/0x170
[ 36.384009]  ? graph_lock+0x170/0x170
[ 36.387799]  ? find_held_lock+0x36/0x1c0
[ 36.391846]  ? find_held_lock+0x36/0x1c0
[ 36.395896]  ? kasan_check_read+0x11/0x20
[ 36.400022]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.404412]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 36.409491]  ? __kthread_parkme+0x58/0x1b0
[ 36.413713]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 36.418709]  ? trace_hardirqs_on+0xd/0x10
[ 36.422838]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.428353]  ? __kthread_parkme+0x106/0x1b0
[ 36.432741]  kthread+0x345/0x410
[ 36.436087]  ? process_one_work+0x1ba0/0x1ba0
[ 36.440558]  ? kthread_bind+0x40/0x40
[ 36.444340]  ret_from_fork+0x3a/0x50
[ 36.448032]
[ 36.449638] Allocated by task 4559:
[ 36.453243]  save_stack+0x43/0xd0
[ 36.456673]  kasan_kmalloc+0xc4/0xe0
[ 36.460362]  kmem_cache_alloc_trace+0x152/0x780
[ 36.465017]  p9_fd_create+0x1a7/0x3f0
[ 36.468795]  p9_client_create+0x8ed/0x1770
[ 36.473008]  v9fs_session_init+0x21a/0x1a80
[ 36.477319]  v9fs_mount+0x7c/0x900
[ 36.480838]  mount_fs+0xae/0x328
[ 36.484191]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 36.488753]  do_mount+0x581/0x30e0
[ 36.492270]  ksys_mount+0x12d/0x140
[ 36.495873]  __x64_sys_mount+0xbe/0x150
[ 36.499826]  do_syscall_64+0x1b9/0x820
[ 36.503694]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.508856]
[ 36.510461] Freed by task 4559:
[ 36.513720]  save_stack+0x43/0xd0
[ 36.517152]  __kasan_slab_free+0x11a/0x170
[ 36.521368]  kasan_slab_free+0xe/0x10
[ 36.525148]  kfree+0xd9/0x260
[ 36.528234]  p9_fd_close+0x416/0x5b0
[ 36.531929]  p9_client_create+0xa9a/0x1770
[ 36.536150]  v9fs_session_init+0x21a/0x1a80
[ 36.540470]  v9fs_mount+0x7c/0x900
[ 36.544009]  mount_fs+0xae/0x328
[ 36.547355]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 36.551917]  do_mount+0x581/0x30e0
[ 36.555444]  ksys_mount+0x12d/0x140
[ 36.560192]  __x64_sys_mount+0xbe/0x150
[ 36.564147]  do_syscall_64+0x1b9/0x820
[ 36.568026]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.573191]
[ 36.574807] The buggy address belongs to the object at ffff8801ad2f9840
[ 36.574807]  which belongs to the cache kmalloc-512 of size 512
[ 36.595951] The buggy address is located 132 bytes inside of
[ 36.595951]  512-byte region [ffff8801ad2f9840, ffff8801ad2f9a40)
[ 36.607803] The buggy address belongs to the page:
[ 36.612716] page:ffffea0006b4be40 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 36.620842] flags: 0x2fffc0000000100(slab)
[ 36.625062] raw: 02fffc0000000100 ffffea000763fa88 ffff8801da801748 ffff8801da800940
[ 36.632926] raw: 0000000000000000 ffff8801ad2f90c0 0000000100000006 0000000000000000
[ 36.640790] page dumped because: kasan: bad access detected
[ 36.646472]
[ 36.648077] Memory state around the buggy address:
[ 36.652986]  ffff8801ad2f9780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 36.660327]  ffff8801ad2f9800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 36.667674] >ffff8801ad2f9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.675021]                                            ^
[ 36.680451]  ffff8801ad2f9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.687788]  ffff8801ad2f9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.695125] ==================================================================
[ 36.702468] Disabling lock debugging due to kernel taint
[ 36.707975] Kernel panic - not syncing: panic_on_warn set ...
[ 36.707975]
[ 36.715329] CPU: 1 PID: 27 Comm: kworker/1:1 Tainted: G B 4.18.0-rc5+ #157
[ 36.723631] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.732975] Workqueue: events p9_poll_workfn
[ 36.737357] Call Trace:
[ 36.739926]  dump_stack+0x1c9/0x2b4
[ 36.743531]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.748698]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 36.753434]  panic+0x238/0x4e7
[ 36.756605]  ? add_taint.cold.5+0x16/0x16
[ 36.760742]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.765128]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.769518]  ? p9_poll_workfn+0x660/0x6d0
[ 36.773655]  kasan_end_report+0x47/0x4f
[ 36.777618]  kasan_report.cold.7+0x76/0x2fe
[ 36.781917]  __asan_report_load4_noabort+0x14/0x20
[ 36.786824]  p9_poll_workfn+0x660/0x6d0
[ 36.790777]  ? p9_read_work+0x1060/0x1060
[ 36.794904]  ? graph_lock+0x170/0x170
[ 36.798684]  ? kasan_check_read+0x11/0x20
[ 36.802843]  ? __lock_is_held+0xb5/0x140
[ 36.806893]  process_one_work+0xc73/0x1ba0
[ 36.811114]  ? trace_hardirqs_on+0x10/0x10
[ 36.815328]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 36.819982]  ? lock_repin_lock+0x430/0x430
[ 36.824201]  ? __sched_text_start+0x8/0x8
[ 36.828329]  ? lock_downgrade+0x8f0/0x8f0
[ 36.832454]  ? prepare_to_swait_event+0xc0/0xc0
[ 36.837101]  ? graph_lock+0x170/0x170
[ 36.840890]  ? lock_acquire+0x1e4/0x540
[ 36.844844]  ? worker_thread+0x3dc/0x13c0
[ 36.848981]  ? lock_downgrade+0x8f0/0x8f0
[ 36.853108]  ? lock_release+0xa30/0xa30
[ 36.857070]  ? kasan_check_read+0x11/0x20
[ 36.861195]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.865592]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 36.870155]  ? kasan_check_write+0x14/0x20
[ 36.874365]  ? do_raw_spin_lock+0xc1/0x200
[ 36.878580]  worker_thread+0x189/0x13c0
[ 36.882539]  ? process_one_work+0x1ba0/0x1ba0
[ 36.887022]  ? graph_lock+0x170/0x170
[ 36.890803]  ? graph_lock+0x170/0x170
[ 36.894581]  ? find_held_lock+0x36/0x1c0
[ 36.898620]  ? find_held_lock+0x36/0x1c0
[ 36.902663]  ? kasan_check_read+0x11/0x20
[ 36.906799]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 36.911192]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 36.916288]  ? __kthread_parkme+0x58/0x1b0
[ 36.920515]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 36.925509]  ? trace_hardirqs_on+0xd/0x10
[ 36.929637]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 36.935152]  ? __kthread_parkme+0x106/0x1b0
[ 36.939452]  kthread+0x345/0x410
[ 36.942799]  ? process_one_work+0x1ba0/0x1ba0
[ 36.947279]  ? kthread_bind+0x40/0x40
[ 36.951065]  ret_from_fork+0x3a/0x50
[ 36.955161] Dumping ftrace buffer:
[ 36.958677]    (ftrace buffer empty)
[ 36.962364] Kernel Offset: disabled
[ 36.965970] Rebooting in 86400 seconds..