[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.944858] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.953391] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 21.349634] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.317528] random: sshd: uninitialized urandom read (32 bytes read)
[ 62.632296] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
[ 68.159915] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
[ 68.422233] ==================================================================
[ 68.429703] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[ 68.436626] Read of size 8 at addr ffff8801ac4e61e0 by task kworker/1:0/19
[ 68.443631]
[ 68.445248] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc4+ #141
[ 68.452154] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.461521] Workqueue: events p9_poll_workfn
[ 68.465927] Call Trace:
[ 68.468506]  dump_stack+0x1c9/0x2b4
[ 68.472120]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 68.477296]  ? printk+0xa7/0xcf
[ 68.480580]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 68.485354]  ? work_is_static_object+0x39/0x40
[ 68.490184]  print_address_description+0x6c/0x20b
[ 68.495081]  ? work_is_static_object+0x39/0x40
[ 68.499654]  kasan_report.cold.7+0x242/0x2fe
[ 68.504057]  __asan_report_load8_noabort+0x14/0x20
[ 68.508977]  work_is_static_object+0x39/0x40
[ 68.513379]  debug_object_activate+0x2fc/0x690
[ 68.517953]  ? __wake_up_common+0x740/0x740
[ 68.522266]  ? debug_object_assert_init+0x4b0/0x4b0
[ 68.527279]  ? mark_held_locks+0xc9/0x160
[ 68.531423]  __queue_work+0x1ca/0x1410
[ 68.535295]  ? __wake_up+0xe/0x10
[ 68.538736]  ? p9_client_cb+0x62/0x80
[ 68.542524]  ? flush_rcu_work+0x90/0x90
[ 68.546491]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 68.550718]  ? lock_downgrade+0x8f0/0x8f0
[ 68.554854]  ? mark_held_locks+0xc9/0x160
[ 68.558988]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 68.563577]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.569116]  queue_work_on+0x19a/0x1e0
[ 68.573009]  p9_poll_workfn+0x55e/0x6d0
[ 68.576972]  ? p9_read_work+0x1060/0x1060
[ 68.581127]  ? graph_lock+0x170/0x170
[ 68.584918]  ? lock_acquire+0x1e4/0x540
[ 68.588887]  ? process_one_work+0xb9b/0x1ba0
[ 68.593286]  ? kasan_check_read+0x11/0x20
[ 68.597428]  ? __lock_is_held+0xb5/0x140
[ 68.601494]  process_one_work+0xc73/0x1ba0
[ 68.605725]  ? trace_hardirqs_on+0x10/0x10
[ 68.609949]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 68.614603]  ? lock_repin_lock+0x430/0x430
[ 68.618835]  ? __sched_text_start+0x8/0x8
[ 68.622972]  ? graph_lock+0x170/0x170
[ 68.626760]  ? lock_downgrade+0x8f0/0x8f0
[ 68.630902]  ? kasan_check_read+0x11/0x20
[ 68.635059]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 68.639459]  ? lock_acquire+0x1e4/0x540
[ 68.643433]  ? worker_thread+0x3dc/0x13c0
[ 68.647589]  ? lock_downgrade+0x8f0/0x8f0
[ 68.651746]  ? lock_release+0xa30/0xa30
[ 68.656283]  ? kasan_check_read+0x11/0x20
[ 68.660440]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 68.664852]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 68.669457]  ? kasan_check_write+0x14/0x20
[ 68.673682]  ? do_raw_spin_lock+0xc1/0x200
[ 68.677906]  worker_thread+0x189/0x13c0
[ 68.681881]  ? process_one_work+0x1ba0/0x1ba0
[ 68.686374]  ? graph_lock+0x170/0x170
[ 68.690170]  ? graph_lock+0x170/0x170
[ 68.693952]  ? find_held_lock+0x36/0x1c0
[ 68.698006]  ? find_held_lock+0x36/0x1c0
[ 68.702065]  ? kasan_check_read+0x11/0x20
[ 68.706210]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 68.710616]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 68.715746]  ? __kthread_parkme+0x58/0x1b0
[ 68.719982]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 68.725068]  ? trace_hardirqs_on+0xd/0x10
[ 68.729377]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 68.734901]  ? __kthread_parkme+0x106/0x1b0
[ 68.739313]  kthread+0x345/0x410
[ 68.742662]  ? process_one_work+0x1ba0/0x1ba0
[ 68.747146]  ? kthread_bind+0x40/0x40
[ 68.750938]  ret_from_fork+0x3a/0x50
[ 68.754854]
[ 68.756473] Allocated by task 4556:
[ 68.760106]  save_stack+0x43/0xd0
[ 68.763556]  kasan_kmalloc+0xc4/0xe0
[ 68.767262]  kmem_cache_alloc_trace+0x152/0x780
[ 68.771927]  p9_fd_create+0x1a7/0x3f0
[ 68.775735]  p9_client_create+0x915/0x16c9
[ 68.780051]  v9fs_session_init+0x21a/0x1a80
[ 68.784355]  v9fs_mount+0x7c/0x900
[ 68.787893]  mount_fs+0xae/0x328
[ 68.791264]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 68.795840]  do_mount+0x581/0x30e0
[ 68.799372]  ksys_mount+0x12d/0x140
[ 68.802979]  __x64_sys_mount+0xbe/0x150
[ 68.806935]  do_syscall_64+0x1b9/0x820
[ 68.810807]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.815978]
[ 68.817676] Freed by task 4556:
[ 68.820947]  save_stack+0x43/0xd0
[ 68.824393]  __kasan_slab_free+0x11a/0x170
[ 68.828617]  kasan_slab_free+0xe/0x10
[ 68.832597]  kfree+0xd9/0x260
[ 68.835690]  p9_fd_close+0x416/0x5b0
[ 68.839396]  p9_client_create+0xac2/0x16c9
[ 68.843720]  v9fs_session_init+0x21a/0x1a80
[ 68.848050]  v9fs_mount+0x7c/0x900
[ 68.852304]  mount_fs+0xae/0x328
[ 68.856287]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 68.861027]  do_mount+0x581/0x30e0
[ 68.864548]  ksys_mount+0x12d/0x140
[ 68.868156]  __x64_sys_mount+0xbe/0x150
[ 68.872112]  do_syscall_64+0x1b9/0x820
[ 68.875990]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.881164]
[ 68.882775] The buggy address belongs to the object at ffff8801ac4e60c0
[ 68.882775]  which belongs to the cache kmalloc-512 of size 512
[ 68.896472] The buggy address is located 288 bytes inside of
[ 68.896472]  512-byte region [ffff8801ac4e60c0, ffff8801ac4e62c0)
[ 68.908325] The buggy address belongs to the page:
[ 68.913243] page:ffffea0006b13980 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 68.921379] flags: 0x2fffc0000000100(slab)
[ 68.925605] raw: 02fffc0000000100 ffffea0006bdf448 ffff8801da801748 ffff8801da800940
[ 68.933476] raw: 0000000000000000 ffff8801ac4e60c0 0000000100000006 0000000000000000
[ 68.941339] page dumped because: kasan: bad access detected
[ 68.947029]
[ 68.948648] Memory state around the buggy address:
[ 68.953562]  ffff8801ac4e6080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 68.960908]  ffff8801ac4e6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.968259] >ffff8801ac4e6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.975603]                                                        ^
[ 68.982085]  ffff8801ac4e6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.989432]  ffff8801ac4e6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.996777] ==================================================================
[ 69.004739] Disabling lock debugging due to kernel taint
[ 69.010270] Kernel panic - not syncing: panic_on_warn set ...
[ 69.010270]
[ 69.017704] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G    B             4.18.0-rc4+ #141
[ 69.026088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.035471] Workqueue: events p9_poll_workfn
[ 69.039871] Call Trace:
[ 69.042449]  dump_stack+0x1c9/0x2b4
[ 69.046077]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 69.051254]  ? lock_downgrade+0x8f0/0x8f0
[ 69.055384]  panic+0x238/0x4e7
[ 69.058561]  ? add_taint.cold.5+0x16/0x16
[ 69.062691]  ? add_taint.cold.5+0x5/0x16
[ 69.066733]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 69.071121]  ? work_is_static_object+0x39/0x40
[ 69.075681]  kasan_end_report+0x47/0x4f
[ 69.079634]  kasan_report.cold.7+0x76/0x2fe
[ 69.083935]  __asan_report_load8_noabort+0x14/0x20
[ 69.088852]  work_is_static_object+0x39/0x40
[ 69.093240]  debug_object_activate+0x2fc/0x690
[ 69.097813]  ? __wake_up_common+0x740/0x740
[ 69.102127]  ? debug_object_assert_init+0x4b0/0x4b0
[ 69.107125]  ? mark_held_locks+0xc9/0x160
[ 69.111254]  __queue_work+0x1ca/0x1410
[ 69.115209]  ? __wake_up+0xe/0x10
[ 69.118654]  ? p9_client_cb+0x62/0x80
[ 69.122443]  ? flush_rcu_work+0x90/0x90
[ 69.126398]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 69.130617]  ? lock_downgrade+0x8f0/0x8f0
[ 69.134753]  ? mark_held_locks+0xc9/0x160
[ 69.138878]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 69.143446]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 69.148973]  queue_work_on+0x19a/0x1e0
[ 69.152846]  p9_poll_workfn+0x55e/0x6d0
[ 69.156805]  ? p9_read_work+0x1060/0x1060
[ 69.160932]  ? graph_lock+0x170/0x170
[ 69.164712]  ? lock_acquire+0x1e4/0x540
[ 69.168664]  ? process_one_work+0xb9b/0x1ba0
[ 69.173068]  ? kasan_check_read+0x11/0x20
[ 69.177203]  ? __lock_is_held+0xb5/0x140
[ 69.181247]  process_one_work+0xc73/0x1ba0
[ 69.185462]  ? trace_hardirqs_on+0x10/0x10
[ 69.189679]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 69.194330]  ? lock_repin_lock+0x430/0x430
[ 69.198568]  ? __sched_text_start+0x8/0x8
[ 69.202696]  ? graph_lock+0x170/0x170
[ 69.206476]  ? lock_downgrade+0x8f0/0x8f0
[ 69.210618]  ? kasan_check_read+0x11/0x20
[ 69.214770]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 69.219183]  ? lock_acquire+0x1e4/0x540
[ 69.223156]  ? worker_thread+0x3dc/0x13c0
[ 69.227308]  ? lock_downgrade+0x8f0/0x8f0
[ 69.231457]  ? lock_release+0xa30/0xa30
[ 69.235438]  ? kasan_check_read+0x11/0x20
[ 69.239591]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 69.243987]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 69.248572]  ? kasan_check_write+0x14/0x20
[ 69.252885]  ? do_raw_spin_lock+0xc1/0x200
[ 69.257283]  worker_thread+0x189/0x13c0
[ 69.261243]  ? process_one_work+0x1ba0/0x1ba0
[ 69.265722]  ? graph_lock+0x170/0x170
[ 69.269591]  ? graph_lock+0x170/0x170
[ 69.273382]  ? find_held_lock+0x36/0x1c0
[ 69.277432]  ? find_held_lock+0x36/0x1c0
[ 69.281493]  ? kasan_check_read+0x11/0x20
[ 69.285621]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 69.290024]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 69.295131]  ? __kthread_parkme+0x58/0x1b0
[ 69.299358]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 69.304357]  ? trace_hardirqs_on+0xd/0x10
[ 69.308499]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 69.314017]  ? __kthread_parkme+0x106/0x1b0
[ 69.318319]  kthread+0x345/0x410
[ 69.321667]  ? process_one_work+0x1ba0/0x1ba0
[ 69.326141]  ? kthread_bind+0x40/0x40
[ 69.329925]  ret_from_fork+0x3a/0x50
[ 69.334191] Dumping ftrace buffer:
[ 69.337708]    (ftrace buffer empty)
[ 69.341398] Kernel Offset: disabled
[ 69.345533] Rebooting in 86400 seconds..