[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   19.509504] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.259840] random: sshd: uninitialized urandom read (32 bytes read)
[   25.804760] random: sshd: uninitialized urandom read (32 bytes read)
[   26.678438] random: sshd: uninitialized urandom read (32 bytes read)
[   26.837466] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.42' (ECDSA) to the list of known hosts.
[   32.298390] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.392592] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   32.973244] ==================================================================
[   32.980751] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   32.987230] Read of size 4 at addr ffff8801ac7b8844 by task kworker/1:2/2134
[   32.994389]
[   32.996018] CPU: 1 PID: 2134 Comm: kworker/1:2 Not tainted 4.18.0-rc5+ #158
[   33.003099] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.012442] Workqueue: events p9_poll_workfn
[   33.016841] Call Trace:
[   33.019416]  dump_stack+0x1c9/0x2b4
[   33.023030]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.028207]  ? printk+0xa7/0xcf
[   33.031472]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.036221]  ? p9_poll_workfn+0x660/0x6d0
[   33.040455]  print_address_description+0x6c/0x20b
[   33.045308]  ? p9_poll_workfn+0x660/0x6d0
[   33.049437]  kasan_report.cold.7+0x242/0x2fe
[   33.053831]  __asan_report_load4_noabort+0x14/0x20
[   33.058744]  p9_poll_workfn+0x660/0x6d0
[   33.062707]  ? p9_read_work+0x1060/0x1060
[   33.066840]  ? graph_lock+0x170/0x170
[   33.070625]  ? lock_acquire+0x1e4/0x540
[   33.074585]  ? process_one_work+0xb9b/0x1ba0
[   33.078975]  ? kasan_check_read+0x11/0x20
[   33.083113]  ? __lock_is_held+0xb5/0x140
[   33.087163]  process_one_work+0xc73/0x1ba0
[   33.091383]  ? trace_hardirqs_on+0x10/0x10
[   33.095608]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   33.100259]  ? lock_repin_lock+0x430/0x430
[   33.104499]  ? __sched_text_start+0x8/0x8
[   33.108628]  ? lock_downgrade+0x8f0/0x8f0
[   33.112759]  ? graph_lock+0x170/0x170
[   33.117233]  ? lock_acquire+0x1e4/0x540
[   33.121193]  ? worker_thread+0x3dc/0x13c0
[   33.125327]  ? lock_downgrade+0x8f0/0x8f0
[   33.129459]  ? lock_release+0xa30/0xa30
[   33.133417]  ? kasan_check_read+0x11/0x20
[   33.137547]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.141938]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   33.146590]  ? kasan_check_write+0x14/0x20
[   33.150894]  ? do_raw_spin_lock+0xc1/0x200
[   33.155117]  worker_thread+0x189/0x13c0
[   33.159083]  ? process_one_work+0x1ba0/0x1ba0
[   33.163565]  ? graph_lock+0x170/0x170
[   33.167349]  ? graph_lock+0x170/0x170
[   33.171142]  ? find_held_lock+0x36/0x1c0
[   33.175191]  ? lock_downgrade+0x8f0/0x8f0
[   33.179328]  ? kasan_check_read+0x11/0x20
[   33.183459]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.187867]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.192954]  ? __kthread_parkme+0x58/0x1b0
[   33.197171]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.202199]  ? trace_hardirqs_on+0xd/0x10
[   33.206341]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.211860]  ? __kthread_parkme+0x106/0x1b0
[   33.216177]  kthread+0x345/0x410
[   33.219540]  ? process_one_work+0x1ba0/0x1ba0
[   33.224022]  ? kthread_bind+0x40/0x40
[   33.227810]  ret_from_fork+0x3a/0x50
[   33.231518]
[   33.233128] Allocated by task 4614:
[   33.236737]  save_stack+0x43/0xd0
[   33.240182]  kasan_kmalloc+0xc4/0xe0
[   33.243890]  kmem_cache_alloc_trace+0x152/0x780
[   33.248540]  p9_fd_create+0x1a7/0x3f0
[   33.252320]  p9_client_create+0x8ed/0x1770
[   33.256536]  v9fs_session_init+0x21a/0x1a80
[   33.260836]  v9fs_mount+0x7c/0x900
[   33.264360]  mount_fs+0xae/0x328
[   33.267712]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.272275]  do_mount+0x581/0x30e0
[   33.275796]  ksys_mount+0x12d/0x140
[   33.279404]  __x64_sys_mount+0xbe/0x150
[   33.283373]  do_syscall_64+0x1b9/0x820
[   33.287251]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.292430]
[   33.294038] Freed by task 4614:
[   33.297302]  save_stack+0x43/0xd0
[   33.300737]  __kasan_slab_free+0x11a/0x170
[   33.304949]  kasan_slab_free+0xe/0x10
[   33.308729]  kfree+0xd9/0x260
[   33.311819]  p9_fd_close+0x416/0x5b0
[   33.315515]  p9_client_create+0xa9a/0x1770
[   33.319733]  v9fs_session_init+0x21a/0x1a80
[   33.324035]  v9fs_mount+0x7c/0x900
[   33.327579]  mount_fs+0xae/0x328
[   33.330931]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.335497]  do_mount+0x581/0x30e0
[   33.339025]  ksys_mount+0x12d/0x140
[   33.342635]  __x64_sys_mount+0xbe/0x150
[   33.346592]  do_syscall_64+0x1b9/0x820
[   33.350464]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.355637]
[   33.357256] The buggy address belongs to the object at ffff8801ac7b87c0
[   33.357256]  which belongs to the cache kmalloc-512 of size 512
[   33.369896] The buggy address is located 132 bytes inside of
[   33.369896]  512-byte region [ffff8801ac7b87c0, ffff8801ac7b89c0)
[   33.381750] The buggy address belongs to the page:
[   33.386668] page:ffffea0006b1ee00 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   33.394803] flags: 0x2fffc0000000100(slab)
[   33.399029] raw: 02fffc0000000100 ffffea0006b14e88 ffffea0006b23408 ffff8801da800940
[   33.406894] raw: 0000000000000000 ffff8801ac7b8040 0000000100000006 0000000000000000
[   33.414754] page dumped because: kasan: bad access detected
[   33.420448]
[   33.422063] Memory state around the buggy address:
[   33.426973]  ffff8801ac7b8700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.434315]  ffff8801ac7b8780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.441657] >ffff8801ac7b8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.448993]                                            ^
[   33.454425]  ffff8801ac7b8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.461776]  ffff8801ac7b8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[   33.469112] ==================================================================
[   33.476459] Disabling lock debugging due to kernel taint
[   33.482000] Kernel panic - not syncing: panic_on_warn set ...
[   33.482000]
[   33.489371] CPU: 1 PID: 2134 Comm: kworker/1:2 Tainted: G    B             4.18.0-rc5+ #158
[   33.497849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.507194] Workqueue: events p9_poll_workfn
[   33.511576] Call Trace:
[   33.514142]  dump_stack+0x1c9/0x2b4
[   33.517751]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.522936]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.527674]  panic+0x238/0x4e7
[   33.530847]  ? add_taint.cold.5+0x16/0x16
[   33.534977]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.539364]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.543752]  ? p9_poll_workfn+0x660/0x6d0
[   33.547889]  kasan_end_report+0x47/0x4f
[   33.551846]  kasan_report.cold.7+0x76/0x2fe
[   33.556146]  __asan_report_load4_noabort+0x14/0x20
[   33.561070]  p9_poll_workfn+0x660/0x6d0
[   33.565032]  ? p9_read_work+0x1060/0x1060
[   33.569165]  ? graph_lock+0x170/0x170
[   33.572945]  ? lock_acquire+0x1e4/0x540
[   33.576908]  ? process_one_work+0xb9b/0x1ba0
[   33.581297]  ? kasan_check_read+0x11/0x20
[   33.585432]  ? __lock_is_held+0xb5/0x140
[   33.589472]  process_one_work+0xc73/0x1ba0
[   33.593686]  ? trace_hardirqs_on+0x10/0x10
[   33.597900]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   33.602554]  ? lock_repin_lock+0x430/0x430
[   33.606771]  ? __sched_text_start+0x8/0x8
[   33.610902]  ? lock_downgrade+0x8f0/0x8f0
[   33.615033]  ? graph_lock+0x170/0x170
[   33.618826]  ? lock_acquire+0x1e4/0x540
[   33.622779]  ? worker_thread+0x3dc/0x13c0
[   33.626905]  ? lock_downgrade+0x8f0/0x8f0
[   33.631036]  ? lock_release+0xa30/0xa30
[   33.634998]  ? kasan_check_read+0x11/0x20
[   33.639130]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.643512]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   33.648074]  ? kasan_check_write+0x14/0x20
[   33.652287]  ? do_raw_spin_lock+0xc1/0x200
[   33.656511]  worker_thread+0x189/0x13c0
[   33.660467]  ? process_one_work+0x1ba0/0x1ba0
[   33.664940]  ? graph_lock+0x170/0x170
[   33.668720]  ? graph_lock+0x170/0x170
[   33.672508]  ? find_held_lock+0x36/0x1c0
[   33.676552]  ? lock_downgrade+0x8f0/0x8f0
[   33.680679]  ? kasan_check_read+0x11/0x20
[   33.684804]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.689193]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.694284]  ? __kthread_parkme+0x58/0x1b0
[   33.698495]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.703487]  ? trace_hardirqs_on+0xd/0x10
[   33.707611]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.713124]  ? __kthread_parkme+0x106/0x1b0
[   33.717423]  kthread+0x345/0x410
[   33.720767]  ? process_one_work+0x1ba0/0x1ba0
[   33.725239]  ? kthread_bind+0x40/0x40
[   33.729024]  ret_from_fork+0x3a/0x50
[   33.733161] Dumping ftrace buffer:
[   33.736686]    (ftrace buffer empty)
[   33.740369] Kernel Offset: disabled
[   33.743971] Rebooting in 86400 seconds..