[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.309251] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.917907] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.289992] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.228070] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.387591] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
[ 29.798114] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/20 21:05:08 parsed 1 programs
[ 31.175159] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/20 21:05:10 executed programs: 0
[ 32.755825] IPVS: ftp: loaded support on port[0] = 21
[ 32.766578] IPVS: ftp: loaded support on port[0] = 21
[ 32.783577] IPVS: ftp: loaded support on port[0] = 21
[ 32.787830] IPVS: ftp: loaded support on port[0] = 21
[ 32.816290] IPVS: ftp: loaded support on port[0] = 21
[ 32.819377] IPVS: ftp: loaded support on port[0] = 21
[ 32.827054] IPVS: ftp: loaded support on port[0] = 21
[ 32.838903] IPVS: ftp: loaded support on port[0] = 21
[ 33.261977] ip (4638) used greatest stack depth: 17000 bytes left
2018/07/20 21:05:16 executed programs: 45
[ 40.247343] ==================================================================
[ 40.254970] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[ 40.261566] Read of size 4 at addr ffff8801c02e5844 by task kworker/1:0/19
[ 40.268584]
[ 40.270208] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc5+ #156
[ 40.277136] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.286487] Workqueue: events p9_poll_workfn
[ 40.290900] Call Trace:
[ 40.293476]  dump_stack+0x1c9/0x2b4
[ 40.297094]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.302276]  ? printk+0xa7/0xcf
[ 40.305541]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 40.310295]  ? p9_poll_workfn+0x660/0x6d0
[ 40.314428]  print_address_description+0x6c/0x20b
[ 40.319267]  ? p9_poll_workfn+0x660/0x6d0
[ 40.323399]  kasan_report.cold.7+0x242/0x2fe
[ 40.327797]  __asan_report_load4_noabort+0x14/0x20
[ 40.332714]  p9_poll_workfn+0x660/0x6d0
[ 40.336770]  ? p9_read_work+0x1060/0x1060
[ 40.340905]  ? graph_lock+0x170/0x170
[ 40.344694]  ? lock_acquire+0x1e4/0x540
[ 40.348652]  ? process_one_work+0xb9b/0x1ba0
[ 40.353053]  ? kasan_check_read+0x11/0x20
[ 40.357199]  ? __lock_is_held+0xb5/0x140
[ 40.361251]  process_one_work+0xc73/0x1ba0
[ 40.365480]  ? trace_hardirqs_on+0x10/0x10
[ 40.369704]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 40.374358]  ? lock_repin_lock+0x430/0x430
[ 40.378597]  ? __sched_text_start+0x8/0x8
[ 40.382819]  ? graph_lock+0x170/0x170
[ 40.386831]  ? lock_downgrade+0x8f0/0x8f0
[ 40.391055]  ? kasan_check_read+0x11/0x20
[ 40.395186]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.399590]  ? lock_acquire+0x1e4/0x540
[ 40.403641]  ? worker_thread+0x3dc/0x13c0
[ 40.407791]  ? lock_downgrade+0x8f0/0x8f0
[ 40.411925]  ? lock_release+0xa30/0xa30
[ 40.415897]  ? kasan_check_read+0x11/0x20
[ 40.420031]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.424425]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 40.429085]  ? kasan_check_write+0x14/0x20
[ 40.433304]  ? do_raw_spin_lock+0xc1/0x200
[ 40.437527]  worker_thread+0x189/0x13c0
[ 40.441507]  ? process_one_work+0x1ba0/0x1ba0
[ 40.445992]  ? graph_lock+0x170/0x170
[ 40.449783]  ? graph_lock+0x170/0x170
[ 40.453570]  ? find_held_lock+0x36/0x1c0
[ 40.457718]  ? find_held_lock+0x36/0x1c0
[ 40.461775]  ? kasan_check_read+0x11/0x20
[ 40.465991]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.470391]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 40.475478]  ? __kthread_parkme+0x58/0x1b0
[ 40.479698]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.484698]  ? trace_hardirqs_on+0xd/0x10
[ 40.488841]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.494448]  ? __kthread_parkme+0x106/0x1b0
[ 40.498774]  kthread+0x345/0x410
[ 40.502134]  ? process_one_work+0x1ba0/0x1ba0
[ 40.506628]  ? kthread_bind+0x40/0x40
[ 40.510416]  ret_from_fork+0x3a/0x50
[ 40.514119]
[ 40.515730] Allocated by task 5022:
[ 40.519343]  save_stack+0x43/0xd0
[ 40.522782]  kasan_kmalloc+0xc4/0xe0
[ 40.526482]  kmem_cache_alloc_trace+0x152/0x780
[ 40.531142]  p9_fd_create+0x1a7/0x3f0
[ 40.535025]  p9_client_create+0x8ed/0x1770
[ 40.539245]  v9fs_session_init+0x21a/0x1a80
[ 40.543640]  v9fs_mount+0x7c/0x900
[ 40.547173]  mount_fs+0xae/0x328
[ 40.550619]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 40.555188]  do_mount+0x581/0x30e0
[ 40.558709]  ksys_mount+0x12d/0x140
[ 40.562327]  __x64_sys_mount+0xbe/0x150
[ 40.566305]  do_syscall_64+0x1b9/0x820
[ 40.570270]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.575436]
[ 40.577045] Freed by task 5022:
[ 40.580314]  save_stack+0x43/0xd0
[ 40.583756]  __kasan_slab_free+0x11a/0x170
[ 40.587979]  kasan_slab_free+0xe/0x10
[ 40.591765]  kfree+0xd9/0x260
[ 40.594857]  p9_fd_close+0x416/0x5b0
[ 40.598554]  p9_client_create+0xa9a/0x1770
[ 40.602775]  v9fs_session_init+0x21a/0x1a80
[ 40.607109]  v9fs_mount+0x7c/0x900
[ 40.610639]  mount_fs+0xae/0x328
[ 40.613995]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 40.618588]  do_mount+0x581/0x30e0
[ 40.622111]  ksys_mount+0x12d/0x140
[ 40.625722]  __x64_sys_mount+0xbe/0x150
[ 40.629684]  do_syscall_64+0x1b9/0x820
[ 40.633557]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.638733]
[ 40.640348] The buggy address belongs to the object at ffff8801c02e57c0
[ 40.640348]  which belongs to the cache kmalloc-512 of size 512
[ 40.652999] The buggy address is located 132 bytes inside of
[ 40.652999]  512-byte region [ffff8801c02e57c0, ffff8801c02e59c0)
[ 40.665041] The buggy address belongs to the page:
[ 40.669953] page:ffffea000700b940 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 40.678086] flags: 0x2fffc0000000100(slab)
[ 40.682317] raw: 02fffc0000000100 ffffea000700b2c8 ffffea000700ac88 ffff8801da800940
[ 40.690192] raw: 0000000000000000 ffff8801c02e5040 0000000100000006 0000000000000000
[ 40.698052] page dumped because: kasan: bad access detected
[ 40.703825]
[ 40.705487] Memory state around the buggy address:
[ 40.710399]  ffff8801c02e5700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 40.717741]  ffff8801c02e5780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 40.725085] >ffff8801c02e5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.732511]                                            ^
[ 40.737951]  ffff8801c02e5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.745301]  ffff8801c02e5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.752636] ==================================================================
[ 40.759973] Disabling lock debugging due to kernel taint
[ 40.765629] Kernel panic - not syncing: panic_on_warn set ...
[ 40.765629]
[ 40.773003] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G B 4.18.0-rc5+ #156
[ 40.781316] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.790684] Workqueue: events p9_poll_workfn
[ 40.795134] Call Trace:
[ 40.797739]  dump_stack+0x1c9/0x2b4
[ 40.801363]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.806636]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 40.811400]  panic+0x238/0x4e7
[ 40.814686]  ? add_taint.cold.5+0x16/0x16
[ 40.818930]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.823331]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.827750]  ? p9_poll_workfn+0x660/0x6d0
[ 40.831981]  kasan_end_report+0x47/0x4f
[ 40.836131]  kasan_report.cold.7+0x76/0x2fe
[ 40.840463]  __asan_report_load4_noabort+0x14/0x20
[ 40.845390]  p9_poll_workfn+0x660/0x6d0
[ 40.849370]  ? p9_read_work+0x1060/0x1060
[ 40.853524]  ? graph_lock+0x170/0x170
[ 40.857321]  ? lock_acquire+0x1e4/0x540
[ 40.861292]  ? process_one_work+0xb9b/0x1ba0
[ 40.865724]  ? kasan_check_read+0x11/0x20
[ 40.869873]  ? __lock_is_held+0xb5/0x140
[ 40.873940]  process_one_work+0xc73/0x1ba0
[ 40.878176]  ? trace_hardirqs_on+0x10/0x10
[ 40.882428]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 40.887106]  ? lock_repin_lock+0x430/0x430
[ 40.891342]  ? __sched_text_start+0x8/0x8
[ 40.895485]  ? graph_lock+0x170/0x170
[ 40.899276]  ? lock_downgrade+0x8f0/0x8f0
[ 40.903417]  ? kasan_check_read+0x11/0x20
[ 40.907557]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.911959]  ? lock_acquire+0x1e4/0x540
[ 40.915918]  ? worker_thread+0x3dc/0x13c0
[ 40.920052]  ? lock_downgrade+0x8f0/0x8f0
[ 40.924298]  ? lock_release+0xa30/0xa30
[ 40.928259]  ? kasan_check_read+0x11/0x20
[ 40.932439]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.936844]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 40.941424]  ? kasan_check_write+0x14/0x20
[ 40.945646]  ? do_raw_spin_lock+0xc1/0x200
[ 40.949892]  worker_thread+0x189/0x13c0
[ 40.953856]  ? process_one_work+0x1ba0/0x1ba0
[ 40.958340]  ? graph_lock+0x170/0x170
[ 40.962317]  ? graph_lock+0x170/0x170
[ 40.966115]  ? find_held_lock+0x36/0x1c0
[ 40.970177]  ? find_held_lock+0x36/0x1c0
[ 40.974252]  ? kasan_check_read+0x11/0x20
[ 40.978392]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 40.982802]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 40.987995]  ? __kthread_parkme+0x58/0x1b0
[ 40.992257]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 40.997286]  ? trace_hardirqs_on+0xd/0x10
[ 41.001424]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 41.006963]  ? __kthread_parkme+0x106/0x1b0
[ 41.011281]  kthread+0x345/0x410
[ 41.014729]  ? process_one_work+0x1ba0/0x1ba0
[ 41.019232]  ? kthread_bind+0x40/0x40
[ 41.023027]  ret_from_fork+0x3a/0x50
[ 41.027334] Dumping ftrace buffer:
[ 41.030864]    (ftrace buffer empty)
[ 41.034580] Kernel Offset: disabled
[ 41.038193] Rebooting in 86400 seconds..