[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   18.568472] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   22.966052] random: sshd: uninitialized urandom read (32 bytes read)
[   23.396757] random: sshd: uninitialized urandom read (32 bytes read)
[   24.259919] random: sshd: uninitialized urandom read (32 bytes read)
[   42.167921] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts.
[   47.661893] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
[   47.765813] 9pnet_virtio: no channels available for device (null)
executing program
[   47.807830] 9pnet_virtio: no channels available for device (null)
executing program
[   47.848849] 9pnet_virtio: no channels available for device (null)
executing program
[   47.889913] 9pnet_virtio: no channels available for device (null)
executing program
[   47.930858] 9pnet_virtio: no channels available for device (null)
executing program
[   47.971646] 9pnet_virtio: no channels available for device (null)
executing program
[   48.012425] 9pnet_virtio: no channels available for device (null)
executing program
[   48.053312] 9pnet_virtio: no channels available for device (null)
executing program
[   48.094394] 9pnet_virtio: no channels available for device (null)
executing program
[   48.135470] 9pnet_virtio: no channels available for device (null)
executing program
[   48.176209] 9pnet_virtio: no channels available for device (null)
executing program
[   48.217042] 9pnet_virtio: no channels available for device (null)
executing program
[   48.257899] 9pnet_virtio: no channels available for device (null)
executing program
[   48.298777] 9pnet_virtio: no channels available for device (null)
executing program
[   48.339758] 9pnet_virtio: no channels available for device (null)
executing program
[   48.380737] 9pnet_virtio: no channels available for device (null)
executing program
[   48.422061] 9pnet_virtio: no channels available for device (null)
executing program
[   48.462490] 9pnet_virtio: no channels available for device (null)
executing program
[   48.503874] 9pnet_virtio: no channels available for device (null)
executing program
[   48.544898] 9pnet_virtio: no channels available for device (null)
executing program
[   48.585628] 9pnet_virtio: no channels available for device (null)
executing program
[   48.626536] 9pnet_virtio: no channels available for device (null)
executing program
[   48.667822] 9pnet_virtio: no channels available for device (null)
executing program
[   48.708779] 9pnet_virtio: no channels available for device (null)
executing program
[   48.749936] 9pnet_virtio: no channels available for device (null)
executing program
[   48.790828] 9pnet_virtio: no channels available for device (null)
executing program
executing program
[   48.831050] 9pnet_virtio: no channels available for device (null)
[   48.871092] 9pnet_virtio: no channels available for device (null)
executing program
[   48.913247] 9pnet_virtio: no channels available for device (null)
executing program
[   48.953641] 9pnet_virtio: no channels available for device (null)
executing program
[   48.994779] 9pnet_virtio: no channels available for device (null)
executing program
[   49.035739] 9pnet_virtio: no channels available for device (null)
executing program
[   49.076682] 9pnet_virtio: no channels available for device (null)
executing program
[   49.117530] 9pnet_virtio: no channels available for device (null)
executing program
[   49.158329] 9pnet_virtio: no channels available for device (null)
executing program
[   49.199363] 9pnet_virtio: no channels available for device (null)
executing program
[   49.240135] 9pnet_virtio: no channels available for device (null)
executing program
[   49.280740] 9pnet_virtio: no channels available for device (null)
executing program
[   49.321495] 9pnet_virtio: no channels available for device (null)
executing program
[   49.362239] 9pnet_virtio: no channels available for device (null)
executing program
[   49.402987] 9pnet_virtio: no channels available for device (null)
executing program
[   49.444053] 9pnet_virtio: no channels available for device (null)
executing program
[   49.484880] 9pnet_virtio: no channels available for device (null)
executing program
[   49.525372] 9pnet_virtio: no channels available for device (null)
executing program
[   49.565920] 9pnet_virtio: no channels available for device (null)
executing program
[   49.606714] 9pnet_virtio: no channels available for device (null)
executing program
[   49.647510] 9pnet_virtio: no channels available for device (null)
executing program
[   49.688391] 9pnet_virtio: no channels available for device (null)
executing program
[   49.729128] 9pnet_virtio: no channels available for device (null)
executing program
[   49.769715] 9pnet_virtio: no channels available for device (null)
executing program
[   49.810540] 9pnet_virtio: no channels available for device (null)
executing program
[   49.850883] 9pnet_virtio: no channels available for device (null)
executing program
[   49.891842] 9pnet_virtio: no channels available for device (null)
executing program
[   49.933129] 9pnet_virtio: no channels available for device (null)
executing program
[   49.974938] 9pnet_virtio: no channels available for device (null)
[   50.016287] 9pnet_virtio: no channels available for device (null)
[   50.053227] ==================================================================
[   50.060704] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   50.067611] Read of size 8 at addr ffff8801cf3011a0 by task kworker/1:0/19
[   50.074599]
[   50.076215] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc4+ #141
[   50.083126] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.092516] Workqueue: events p9_poll_workfn
[   50.096915] Call Trace:
[   50.099498]  dump_stack+0x1c9/0x2b4
[   50.103157]  ? dump_stack_print_info.cold.2+0x52/0x52
[   50.108329]  ? printk+0xa7/0xcf
[   50.111602]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   50.116344]  ? work_is_static_object+0x39/0x40
[   50.120924]  print_address_description+0x6c/0x20b
[   50.125754]  ? work_is_static_object+0x39/0x40
[   50.130354]  kasan_report.cold.7+0x242/0x2fe
[   50.134769]  __asan_report_load8_noabort+0x14/0x20
[   50.139710]  work_is_static_object+0x39/0x40
[   50.144134]  debug_object_activate+0x2fc/0x690
[   50.149060]  ? __wake_up_common+0x740/0x740
[   50.153382]  ? debug_object_assert_init+0x4b0/0x4b0
[   50.159442]  ? mark_held_locks+0xc9/0x160
[   50.163595]  __queue_work+0x1ca/0x1410
[   50.167471]  ? __wake_up+0xe/0x10
[   50.170912]  ? p9_client_cb+0x62/0x80
[   50.174701]  ? flush_rcu_work+0x90/0x90
[   50.178665]  ? p9_fd_cancelled+0x2f0/0x2f0
[   50.182903]  ? lock_downgrade+0x8f0/0x8f0
[   50.187042]  ? mark_held_locks+0xc9/0x160
[   50.191172]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   50.195755]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.201279]  queue_work_on+0x19a/0x1e0
[   50.205154]  p9_poll_workfn+0x55e/0x6d0
[   50.209113]  ? p9_read_work+0x1060/0x1060
[   50.213263]  ? graph_lock+0x170/0x170
[   50.217050]  ? lock_acquire+0x1e4/0x540
[   50.221004]  ? process_one_work+0xb9b/0x1ba0
[   50.225398]  ? kasan_check_read+0x11/0x20
[   50.229529]  ? __lock_is_held+0xb5/0x140
[   50.233577]  process_one_work+0xc73/0x1ba0
[   50.237799]  ? trace_hardirqs_on+0x10/0x10
[   50.242018]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   50.246664]  ? lock_repin_lock+0x430/0x430
[   50.250888]  ? __sched_text_start+0x8/0x8
[   50.255016]  ? graph_lock+0x170/0x170
[   50.258794]  ? lock_downgrade+0x8f0/0x8f0
[   50.262925]  ? kasan_check_read+0x11/0x20
[   50.267052]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.271444]  ? lock_acquire+0x1e4/0x540
[   50.275406]  ? worker_thread+0x3dc/0x13c0
[   50.279554]  ? lock_downgrade+0x8f0/0x8f0
[   50.283699]  ? lock_release+0xa30/0xa30
[   50.287664]  ? kasan_check_read+0x11/0x20
[   50.291798]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.296196]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   50.300767]  ? kasan_check_write+0x14/0x20
[   50.304987]  ? do_raw_spin_lock+0xc1/0x200
[   50.309210]  worker_thread+0x189/0x13c0
[   50.313176]  ? process_one_work+0x1ba0/0x1ba0
[   50.317658]  ? graph_lock+0x170/0x170
[   50.321440]  ? graph_lock+0x170/0x170
[   50.325220]  ? find_held_lock+0x36/0x1c0
[   50.329268]  ? find_held_lock+0x36/0x1c0
[   50.333325]  ? lock_downgrade+0x8f0/0x8f0
[   50.337457]  ? kasan_check_read+0x11/0x20
[   50.341585]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.345978]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   50.351061]  ? __kthread_parkme+0x58/0x1b0
[   50.355278]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   50.360273]  ? trace_hardirqs_on+0xd/0x10
[   50.364403]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.369917]  ? __kthread_parkme+0x106/0x1b0
[   50.374218]  kthread+0x345/0x410
[   50.377564]  ? process_one_work+0x1ba0/0x1ba0
[   50.382034]  ? kthread_bind+0x40/0x40
[   50.385816]  ret_from_fork+0x3a/0x50
[   50.389610]
[   50.391218] Allocated by task 4632:
[   50.394825]  save_stack+0x43/0xd0
[   50.398257]  kasan_kmalloc+0xc4/0xe0
[   50.401949]  kmem_cache_alloc_trace+0x152/0x780
[   50.406600]  p9_fd_create+0x1a7/0x3f0
[   50.410379]  p9_client_create+0x915/0x16c9
[   50.414593]  v9fs_session_init+0x21a/0x1a80
[   50.418893]  v9fs_mount+0x7c/0x900
[   50.422421]  mount_fs+0xae/0x328
[   50.425768]  vfs_kern_mount.part.34+0xdc/0x4e0
[   50.430327]  do_mount+0x581/0x30e0
[   50.433845]  ksys_mount+0x12d/0x140
[   50.437452]  __x64_sys_mount+0xbe/0x150
[   50.441408]  do_syscall_64+0x1b9/0x820
[   50.445277]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.450440]
[   50.452046] Freed by task 4632:
[   50.455315]  save_stack+0x43/0xd0
[   50.458749]  __kasan_slab_free+0x11a/0x170
[   50.462963]  kasan_slab_free+0xe/0x10
[   50.466749]  kfree+0xd9/0x260
[   50.469834]  p9_fd_close+0x416/0x5b0
[   50.473529]  p9_client_create+0xac2/0x16c9
[   50.477743]  v9fs_session_init+0x21a/0x1a80
[   50.482043]  v9fs_mount+0x7c/0x900
[   50.485563]  mount_fs+0xae/0x328
[   50.488911]  vfs_kern_mount.part.34+0xdc/0x4e0
[   50.493471]  do_mount+0x581/0x30e0
[   50.497003]  ksys_mount+0x12d/0x140
[   50.500608]  __x64_sys_mount+0xbe/0x150
[   50.504562]  do_syscall_64+0x1b9/0x820
[   50.508430]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.513609]
[   50.515218] The buggy address belongs to the object at ffff8801cf301080
[   50.515218]  which belongs to the cache kmalloc-512 of size 512
[   50.527866] The buggy address is located 288 bytes inside of
[   50.527866]  512-byte region [ffff8801cf301080, ffff8801cf301280)
[   50.539716] The buggy address belongs to the page:
[   50.544626] page:ffffea00073cc040 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   50.552745] flags: 0x2fffc0000000100(slab)
[   50.556963] raw: 02fffc0000000100 ffffea0007630388 ffff8801da801748 ffff8801da800940
[   50.564826] raw: 0000000000000000 ffff8801cf301080 0000000100000006 0000000000000000
[   50.572684] page dumped because: kasan: bad access detected
[   50.578367]
[   50.579971] Memory state around the buggy address:
[   50.584899]  ffff8801cf301080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.592235]  ffff8801cf301100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.599571] >ffff8801cf301180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.606905]                                ^
[   50.611292]  ffff8801cf301200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.618628]  ffff8801cf301280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   50.625963] ==================================================================
[   50.633299] Disabling lock debugging due to kernel taint
[   50.638722] Kernel panic - not syncing: panic_on_warn set ...
[   50.638722]
[   50.646076] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G    B             4.18.0-rc4+ #141
[   50.654365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.663706] Workqueue: events p9_poll_workfn
[   50.668091] Call Trace:
[   50.670661]  dump_stack+0x1c9/0x2b4
[   50.674267]  ? dump_stack_print_info.cold.2+0x52/0x52
[   50.679444]  ? lock_downgrade+0x8f0/0x8f0
[   50.683572]  panic+0x238/0x4e7
[   50.686743]  ? add_taint.cold.5+0x16/0x16
[   50.690869]  ? add_taint.cold.5+0x5/0x16
[   50.694907]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.699295]  ? work_is_static_object+0x39/0x40
[   50.703859]  kasan_end_report+0x47/0x4f
[   50.707809]  kasan_report.cold.7+0x76/0x2fe
[   50.712112]  __asan_report_load8_noabort+0x14/0x20
[   50.717020]  work_is_static_object+0x39/0x40
[   50.721408]  debug_object_activate+0x2fc/0x690
[   50.725976]  ? __wake_up_common+0x740/0x740
[   50.730275]  ? debug_object_assert_init+0x4b0/0x4b0
[   50.735271]  ? mark_held_locks+0xc9/0x160
[   50.739396]  __queue_work+0x1ca/0x1410
[   50.743258]  ? __wake_up+0xe/0x10
[   50.746690]  ? p9_client_cb+0x62/0x80
[   50.750468]  ? flush_rcu_work+0x90/0x90
[   50.754421]  ? p9_fd_cancelled+0x2f0/0x2f0
[   50.758646]  ? lock_downgrade+0x8f0/0x8f0
[   50.762774]  ? mark_held_locks+0xc9/0x160
[   50.766897]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   50.771457]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.776974]  queue_work_on+0x19a/0x1e0
[   50.780857]  p9_poll_workfn+0x55e/0x6d0
[   50.784987]  ? p9_read_work+0x1060/0x1060
[   50.789121]  ? graph_lock+0x170/0x170
[   50.792898]  ? lock_acquire+0x1e4/0x540
[   50.796848]  ? process_one_work+0xb9b/0x1ba0
[   50.801260]  ? kasan_check_read+0x11/0x20
[   50.805388]  ? __lock_is_held+0xb5/0x140
[   50.809429]  process_one_work+0xc73/0x1ba0
[   50.813644]  ? trace_hardirqs_on+0x10/0x10
[   50.817857]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   50.822502]  ? lock_repin_lock+0x430/0x430
[   50.826721]  ? __sched_text_start+0x8/0x8
[   50.830859]  ? graph_lock+0x170/0x170
[   50.834636]  ? lock_downgrade+0x8f0/0x8f0
[   50.838766]  ? kasan_check_read+0x11/0x20
[   50.842891]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.847281]  ? lock_acquire+0x1e4/0x540
[   50.851232]  ? worker_thread+0x3dc/0x13c0
[   50.855358]  ? lock_downgrade+0x8f0/0x8f0
[   50.859486]  ? lock_release+0xa30/0xa30
[   50.863441]  ? kasan_check_read+0x11/0x20
[   50.867589]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.871975]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   50.876535]  ? kasan_check_write+0x14/0x20
[   50.880746]  ? do_raw_spin_lock+0xc1/0x200
[   50.884958]  worker_thread+0x189/0x13c0
[   50.888914]  ? process_one_work+0x1ba0/0x1ba0
[   50.893389]  ? graph_lock+0x170/0x170
[   50.897167]  ? graph_lock+0x170/0x170
[   50.900953]  ? find_held_lock+0x36/0x1c0
[   50.904994]  ? find_held_lock+0x36/0x1c0
[   50.909035]  ? lock_downgrade+0x8f0/0x8f0
[   50.913163]  ? kasan_check_read+0x11/0x20
[   50.917289]  ? do_raw_spin_unlock+0xa7/0x2f0
[   50.921678]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   50.926755]  ? __kthread_parkme+0x58/0x1b0
[   50.930966]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   50.935957]  ? trace_hardirqs_on+0xd/0x10
[   50.940086]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.945608]  ? __kthread_parkme+0x106/0x1b0
[   50.949905]  kthread+0x345/0x410
[   50.953251]  ? process_one_work+0x1ba0/0x1ba0
[   50.957720]  ? kthread_bind+0x40/0x40
[   50.961499]  ret_from_fork+0x3a/0x50
[   50.965695] Dumping ftrace buffer:
[   50.969208]    (ftrace buffer empty)
[   50.972894] Kernel Offset: disabled
[   50.976495] Rebooting in 86400 seconds..