[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   20.707269] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   25.307835] random: sshd: uninitialized urandom read (32 bytes read)
[   25.796908] random: sshd: uninitialized urandom read (32 bytes read)
[   26.706332] random: sshd: uninitialized urandom read (32 bytes read)
[   26.862429] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
[   32.278235] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   32.400150] ==================================================================
[   32.407622] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   32.414531] Read of size 8 at addr ffff8801ad39a960 by task kworker/1:0/19
[   32.421523] 
[   32.423147] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc5+ #156
[   32.430055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.439408] Workqueue: events p9_poll_workfn
[   32.443794] Call Trace:
[   32.446364]  dump_stack+0x1c9/0x2b4
[   32.449974]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.455154]  ? printk+0xa7/0xcf
[   32.458915]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   32.463669]  ? work_is_static_object+0x39/0x40
[   32.468242]  print_address_description+0x6c/0x20b
[   32.473068]  ? work_is_static_object+0x39/0x40
[   32.477633]  kasan_report.cold.7+0x242/0x2fe
[   32.482041]  __asan_report_load8_noabort+0x14/0x20
[   32.486952]  work_is_static_object+0x39/0x40
[   32.491343]  debug_object_activate+0x2fc/0x690
[   32.495913]  ? __wake_up_common+0x740/0x740
[   32.500227]  ? debug_object_assert_init+0x4b0/0x4b0
[   32.505227]  ? mark_held_locks+0xc9/0x160
[   32.509357]  __queue_work+0x1ca/0x1410
[   32.513224]  ? __wake_up+0xe/0x10
[   32.516660]  ? p9_client_cb+0x62/0x80
[   32.520444]  ? flush_rcu_work+0x90/0x90
[   32.524404]  ? p9_fd_cancelled+0x2f0/0x2f0
[   32.528632]  ? lock_downgrade+0x8f0/0x8f0
[   32.532766]  ? mark_held_locks+0xc9/0x160
[   32.536898]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   32.541475]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.546995]  queue_work_on+0x19a/0x1e0
[   32.550871]  p9_poll_workfn+0x55e/0x6d0
[   32.554841]  ? p9_read_work+0x1060/0x1060
[   32.558970]  ? graph_lock+0x170/0x170
[   32.562754]  ? lock_acquire+0x1e4/0x540
[   32.566707]  ? process_one_work+0xb9b/0x1ba0
[   32.571094]  ? kasan_check_read+0x11/0x20
[   32.575232]  ? __lock_is_held+0xb5/0x140
[   32.579278]  process_one_work+0xc73/0x1ba0
[   32.583494]  ? trace_hardirqs_on+0x10/0x10
[   32.587720]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   32.592367]  ? lock_repin_lock+0x430/0x430
[   32.596592]  ? __sched_text_start+0x8/0x8
[   32.600723]  ? graph_lock+0x170/0x170
[   32.604503]  ? lock_downgrade+0x8f0/0x8f0
[   32.608634]  ? kasan_check_read+0x11/0x20
[   32.612762]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.617158]  ? lock_acquire+0x1e4/0x540
[   32.621117]  ? worker_thread+0x3dc/0x13c0
[   32.625262]  ? lock_downgrade+0x8f0/0x8f0
[   32.629394]  ? lock_release+0xa30/0xa30
[   32.633349]  ? kasan_check_read+0x11/0x20
[   32.637479]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.641884]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   32.646445]  ? kasan_check_write+0x14/0x20
[   32.650668]  ? do_raw_spin_lock+0xc1/0x200
[   32.654899]  worker_thread+0x189/0x13c0
[   32.658882]  ? process_one_work+0x1ba0/0x1ba0
[   32.663368]  ? graph_lock+0x170/0x170
[   32.667157]  ? graph_lock+0x170/0x170
[   32.670936]  ? find_held_lock+0x36/0x1c0
[   32.674981]  ? find_held_lock+0x36/0x1c0
[   32.679042]  ? kasan_check_read+0x11/0x20
[   32.683171]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.687562]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.692643]  ? __kthread_parkme+0x58/0x1b0
[   32.696859]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.701858]  ? trace_hardirqs_on+0xd/0x10
[   32.705990]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.711510]  ? __kthread_parkme+0x106/0x1b0
[   32.715817]  kthread+0x345/0x410
[   32.719169]  ? process_one_work+0x1ba0/0x1ba0
[   32.723662]  ? kthread_bind+0x40/0x40
[   32.727455]  ret_from_fork+0x3a/0x50
[   32.731161] 
[   32.732770] Allocated by task 4531:
[   32.736398]  save_stack+0x43/0xd0
[   32.739851]  kasan_kmalloc+0xc4/0xe0
[   32.743565]  kmem_cache_alloc_trace+0x152/0x780
[   32.748226]  p9_fd_create+0x1a7/0x3f0
[   32.752013]  p9_client_create+0x8ed/0x1770
[   32.756243]  v9fs_session_init+0x21a/0x1a80
[   32.760552]  v9fs_mount+0x7c/0x900
[   32.764083]  mount_fs+0xae/0x328
[   32.767428]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.771989]  do_mount+0x581/0x30e0
[   32.775509]  ksys_mount+0x12d/0x140
[   32.779118]  __x64_sys_mount+0xbe/0x150
[   32.783073]  do_syscall_64+0x1b9/0x820
[   32.786941]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.792108] 
[   32.793723] Freed by task 4531:
[   32.796981]  save_stack+0x43/0xd0
[   32.800414]  __kasan_slab_free+0x11a/0x170
[   32.804629]  kasan_slab_free+0xe/0x10
[   32.808423]  kfree+0xd9/0x260
[   32.811515]  p9_fd_close+0x416/0x5b0
[   32.815209]  p9_client_create+0xa9a/0x1770
[   32.819434]  v9fs_session_init+0x21a/0x1a80
[   32.823748]  v9fs_mount+0x7c/0x900
[   32.827274]  mount_fs+0xae/0x328
[   32.830619]  vfs_kern_mount.part.34+0xdc/0x4e0
[   32.835178]  do_mount+0x581/0x30e0
[   32.838697]  ksys_mount+0x12d/0x140
[   32.842304]  __x64_sys_mount+0xbe/0x150
[   32.846260]  do_syscall_64+0x1b9/0x820
[   32.850131]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.855308] 
[   32.856916] The buggy address belongs to the object at ffff8801ad39a840
[   32.856916]  which belongs to the cache kmalloc-512 of size 512
[   32.869558] The buggy address is located 288 bytes inside of
[   32.869558]  512-byte region [ffff8801ad39a840, ffff8801ad39aa40)
[   32.881407] The buggy address belongs to the page:
[   32.886317] page:ffffea0006b4e680 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   32.894435] flags: 0x2fffc0000000100(slab)
[   32.898660] raw: 02fffc0000000100 ffffea0006d7b408 ffff8801da801748 ffff8801da800940
[   32.906529] raw: 0000000000000000 ffff8801ad39a0c0 0000000100000006 0000000000000000
[   32.914384] page dumped because: kasan: bad access detected
[   32.920077] 
[   32.921692] Memory state around the buggy address:
[   32.926600]  ffff8801ad39a800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   32.933935]  ffff8801ad39a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.941273] >ffff8801ad39a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.948622]                                                        ^
[   32.955089]  ffff8801ad39a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.962434]  ffff8801ad39aa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   32.969773] ==================================================================
[   32.977105] Disabling lock debugging due to kernel taint
[   32.982529] Kernel panic - not syncing: panic_on_warn set ...
[   32.982529] 
[   32.989879] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G    B             4.18.0-rc5+ #156
[   32.998174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.007516] Workqueue: events p9_poll_workfn
[   33.011898] Call Trace:
[   33.014465]  dump_stack+0x1c9/0x2b4
[   33.018073]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.023252]  ? lock_downgrade+0x8f0/0x8f0
[   33.027383]  panic+0x238/0x4e7
[   33.030556]  ? add_taint.cold.5+0x16/0x16
[   33.034696]  ? add_taint.cold.5+0x5/0x16
[   33.038743]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.043132]  ? work_is_static_object+0x39/0x40
[   33.047692]  kasan_end_report+0x47/0x4f
[   33.051643]  kasan_report.cold.7+0x76/0x2fe
[   33.055940]  __asan_report_load8_noabort+0x14/0x20
[   33.060859]  work_is_static_object+0x39/0x40
[   33.065248]  debug_object_activate+0x2fc/0x690
[   33.069809]  ? __wake_up_common+0x740/0x740
[   33.074107]  ? debug_object_assert_init+0x4b0/0x4b0
[   33.079102]  ? mark_held_locks+0xc9/0x160
[   33.083232]  __queue_work+0x1ca/0x1410
[   33.087095]  ? __wake_up+0xe/0x10
[   33.090527]  ? p9_client_cb+0x62/0x80
[   33.094306]  ? flush_rcu_work+0x90/0x90
[   33.098265]  ? p9_fd_cancelled+0x2f0/0x2f0
[   33.102484]  ? lock_downgrade+0x8f0/0x8f0
[   33.106613]  ? mark_held_locks+0xc9/0x160
[   33.110739]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   33.115301]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.120816]  queue_work_on+0x19a/0x1e0
[   33.124688]  p9_poll_workfn+0x55e/0x6d0
[   33.128641]  ? p9_read_work+0x1060/0x1060
[   33.132776]  ? graph_lock+0x170/0x170
[   33.136559]  ? lock_acquire+0x1e4/0x540
[   33.140513]  ? process_one_work+0xb9b/0x1ba0
[   33.144899]  ? kasan_check_read+0x11/0x20
[   33.149037]  ? __lock_is_held+0xb5/0x140
[   33.153084]  process_one_work+0xc73/0x1ba0
[   33.157295]  ? trace_hardirqs_on+0x10/0x10
[   33.161518]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   33.166167]  ? lock_repin_lock+0x430/0x430
[   33.170387]  ? __sched_text_start+0x8/0x8
[   33.174520]  ? graph_lock+0x170/0x170
[   33.178301]  ? lock_downgrade+0x8f0/0x8f0
[   33.182428]  ? kasan_check_read+0x11/0x20
[   33.186556]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.190955]  ? lock_acquire+0x1e4/0x540
[   33.194917]  ? worker_thread+0x3dc/0x13c0
[   33.199046]  ? lock_downgrade+0x8f0/0x8f0
[   33.203171]  ? lock_release+0xa30/0xa30
[   33.207123]  ? kasan_check_read+0x11/0x20
[   33.211248]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.215639]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   33.220210]  ? kasan_check_write+0x14/0x20
[   33.224429]  ? do_raw_spin_lock+0xc1/0x200
[   33.228643]  worker_thread+0x189/0x13c0
[   33.232610]  ? process_one_work+0x1ba0/0x1ba0
[   33.237092]  ? graph_lock+0x170/0x170
[   33.240872]  ? graph_lock+0x170/0x170
[   33.244648]  ? find_held_lock+0x36/0x1c0
[   33.248689]  ? find_held_lock+0x36/0x1c0
[   33.252733]  ? kasan_check_read+0x11/0x20
[   33.256860]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.261250]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.266330]  ? __kthread_parkme+0x58/0x1b0
[   33.270547]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.275559]  ? trace_hardirqs_on+0xd/0x10
[   33.279688]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.285204]  ? __kthread_parkme+0x106/0x1b0
[   33.289504]  kthread+0x345/0x410
[   33.292854]  ? process_one_work+0x1ba0/0x1ba0
[   33.297325]  ? kthread_bind+0x40/0x40
[   33.301109]  ret_from_fork+0x3a/0x50
[   33.305281] Dumping ftrace buffer:
[   33.308800]    (ftrace buffer empty)
[   33.312488] Kernel Offset: disabled
[   33.316091] Rebooting in 86400 seconds..