[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.991538] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 19.131297] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.467563] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.492211] random: sshd: uninitialized urandom read (32 bytes read)
[ 68.180683] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.53' (ECDSA) to the list of known hosts.
[ 73.800587] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/09 15:57:30 parsed 1 programs
[ 75.508377] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/09 15:57:32 executed programs: 0
[ 76.623709] IPVS: Creating netns size=2536 id=1
[ 76.660860] IPVS: Creating netns size=2536 id=2
[ 76.688383] IPVS: Creating netns size=2536 id=3
[ 76.710003] IPVS: Creating netns size=2536 id=4
[ 76.750736] IPVS: Creating netns size=2536 id=5
[ 76.802661] IPVS: Creating netns size=2536 id=6
[ 76.852550] IPVS: Creating netns size=2536 id=7
[ 76.911541] IPVS: Creating netns size=2536 id=8
[ 77.113835] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.133325] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.144771] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.177641] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.333263] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 77.346451] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.377067] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.396890] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 77.426762] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.457947] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.470501] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 77.480454] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.489833] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.510963] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.538072] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 77.549452] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.578708] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 77.627060] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 77.646597] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.689922] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.703442] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 77.719334] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 77.734451] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 77.754904] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 77.764666] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 77.771705] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 77.781856] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 77.792223] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 77.809403] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 77.832592] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 77.853302] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 77.864566] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 77.871878] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 77.901198] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 77.918489] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 77.927953] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 77.939352] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 77.950404] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 77.960637] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 77.970223] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 77.982553] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 77.993017] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.003317] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 78.021381] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 78.029713] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 78.039670] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 78.058563] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.066770] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 78.076722] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 78.085721] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 78.099600] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 78.107317] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 78.117457] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.125936] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 78.140811] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 78.148037] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 78.159381] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 78.172146] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.181039] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 78.188783] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.196739] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 78.204893] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 78.213865] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 78.222515] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 78.231850] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 78.243156] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.252282] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 78.260204] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.268081] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 78.278964] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 78.290160] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 78.309593] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 78.325694] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 78.333351] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.346175] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 78.359890] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 78.376519] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 78.384716] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.392216] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 78.403623] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.411570] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 78.429601] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 78.437900] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.449549] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 78.511650] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 78.552032] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 78.591878] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 78.605495] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.613259] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 78.629191] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 78.646036] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.656426] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 81.061962] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.079425] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.213146] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.226924] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.233695] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.241294] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.248070] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.255283] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.306357] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.313531] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.366634] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.426354] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.437879] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.447629] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.455902] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.475427] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.485062] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.492934] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.511166] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.537610] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.543757] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.551986] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.569661] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.580158] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.588554] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.620126] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 81.664524] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.679921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.691436] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.772124] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 81.779791] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 81.787718] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
2018/07/09 15:57:38 executed programs: 8
2018/07/09 15:57:43 executed programs: 58
2018/07/09 15:57:49 executed programs: 112
2018/07/09 15:57:54 executed programs: 162
2018/07/09 15:57:59 executed programs: 216
[ 106.772715] ==================================================================
[ 106.780111] BUG: KASAN: use-after-free in p9_conn_cancel+0x411/0x4c0
[ 106.786574] Read of size 8 at addr ffff8801d87b87a0 by task kworker/0:0/4
[ 106.793479]
[ 106.795097] CPU: 0 PID: 4 Comm: kworker/0:0 Not tainted 4.9.111-g03c70fe #10
[ 106.803495] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.813095] Workqueue: events p9_poll_workfn
[ 106.817596] ffff8801d99ffaa0 ffffffff81eb2729 ffffea000761ee00 ffff8801d87b87a0
[ 106.825589] 0000000000000000 ffff8801d87b87a0 dffffc0000000000 ffff8801d99ffad8
[ 106.833603] ffffffff81567b59 ffff8801d87b87a0 0000000000000008 0000000000000000
[ 106.841604] Call Trace:
[ 106.844168] [] dump_stack+0xc1/0x128
[ 106.849507] [] print_address_description+0x6c/0x234
[ 106.856143] [] kasan_report.cold.6+0x242/0x2fe
[ 106.862348] [] ? p9_conn_cancel+0x411/0x4c0
[ 106.868289] [] __asan_report_load8_noabort+0x14/0x20
[ 106.875012] [] p9_conn_cancel+0x411/0x4c0
[ 106.880781] [] ? p9_pollwake+0x110/0x110
[ 106.886462] [] ? sock_poll+0x1d5/0x260
[ 106.891971] [] ? p9_fd_poll+0x246/0x310
[ 106.897565] [] p9_poll_workfn+0x222/0x330
[ 106.903332] [] process_one_work+0x7e1/0x1500
[ 106.909362] [] ? process_one_work+0x728/0x1500
[ 106.915580] [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 106.922051] [] worker_thread+0xd6/0x10a0
[ 106.927730] [] kthread+0x26d/0x300
[ 106.932891] [] ? process_one_work+0x1500/0x1500
[ 106.939188] [] ? kthread_park+0xa0/0xa0
[ 106.944784] [] ? kthread_park+0xa0/0xa0
[ 106.950377] [] ? kthread_park+0xa0/0xa0
[ 106.955977] [] ret_from_fork+0x5c/0x70
[ 106.961488]
[ 106.963089] Allocated by task 7564:
[ 106.966698] save_stack_trace+0x16/0x20
[ 106.970653] save_stack+0x43/0xd0
[ 106.974073] kasan_kmalloc+0xc7/0xe0
[ 106.977757] kmem_cache_alloc_trace+0xfd/0x2b0
[ 106.982310] p9_fd_create+0xf3/0x330
[ 106.985992] p9_client_create+0x6ff/0x10a0
[ 106.990198] v9fs_session_init+0x333/0x13a0
[ 106.994490] v9fs_mount+0x7d/0x810
[ 106.998001] mount_fs+0x28c/0x370
[ 107.001424] vfs_kern_mount.part.29+0xd1/0x3d0
[ 107.005978] do_mount+0x3c9/0x2740
[ 107.009502] compat_SyS_mount+0x4fc/0xff0
[ 107.013622] do_fast_syscall_32+0x2f7/0x870
[ 107.017914] entry_SYSENTER_compat+0x90/0xa2
[ 107.022289]
[ 107.023885] Freed by task 7564:
[ 107.027142] save_stack_trace+0x16/0x20
[ 107.031087] save_stack+0x43/0xd0
[ 107.034510] kasan_slab_free+0x72/0xc0
[ 107.038368] kfree+0xfb/0x310
[ 107.041476] p9_fd_close+0x298/0x330
[ 107.045160] p9_client_create+0x825/0x10a0
[ 107.049363] v9fs_session_init+0x333/0x13a0
[ 107.053653] v9fs_mount+0x7d/0x810
[ 107.057164] mount_fs+0x28c/0x370
[ 107.060587] vfs_kern_mount.part.29+0xd1/0x3d0
[ 107.065163] do_mount+0x3c9/0x2740
[ 107.068675] compat_SyS_mount+0x4fc/0xff0
[ 107.072795] do_fast_syscall_32+0x2f7/0x870
[ 107.077085] entry_SYSENTER_compat+0x90/0xa2
[ 107.081460]
[ 107.083062] The buggy address belongs to the object at ffff8801d87b8780
[ 107.083062] which belongs to the cache kmalloc-512 of size 512
[ 107.095697] The buggy address is located 32 bytes inside of
[ 107.095697] 512-byte region [ffff8801d87b8780, ffff8801d87b8980)
[ 107.107469] The buggy address belongs to the page:
[ 107.112386] page:ffffea000761ee00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 107.122596] flags: 0x8000000000004080(slab|head)
[ 107.127331] page dumped because: kasan: bad access detected
[ 107.133020]
[ 107.134627] Memory state around the buggy address:
[ 107.139539] ffff8801d87b8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.146882] ffff8801d87b8700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 107.154240] >ffff8801d87b8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.161582] ^
[ 107.165974] ffff8801d87b8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.173302] ffff8801d87b8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.180888] ==================================================================
[ 107.188214] Disabling lock debugging due to kernel taint
[ 107.194170] Kernel panic - not syncing: panic_on_warn set ...
[ 107.194170]
[ 107.201528] CPU: 0 PID: 4 Comm: kworker/0:0 Tainted: G B 4.9.111-g03c70fe #10
[ 107.210158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 107.219680] Workqueue: events p9_poll_workfn
[ 107.224190] ffff8801d99ffa00 ffffffff81eb2729 ffffffff843c71a7 00000000ffffffff
[ 107.232167] 0000000000000000 0000000000000000 dffffc0000000000 ffff8801d99ffac0
[ 107.240159] ffffffff814219f5 0000000041b58ab3 ffffffff843ba8c0 ffffffff81421836
[ 107.248182] Call Trace:
[ 107.250756] [] dump_stack+0xc1/0x128
[ 107.256102] [] panic+0x1bf/0x3bc
[ 107.261098] [] ? add_taint.cold.6+0x16/0x16
[ 107.267042] [] ? ___preempt_schedule+0x16/0x18
[ 107.273245] [] kasan_end_report+0x47/0x4f
[ 107.279016] [] kasan_report.cold.6+0x76/0x2fe
[ 107.285134] [] ? p9_conn_cancel+0x411/0x4c0
[ 107.291075] [] __asan_report_load8_noabort+0x14/0x20
[ 107.297802] [] p9_conn_cancel+0x411/0x4c0
[ 107.303572] [] ? p9_pollwake+0x110/0x110
[ 107.309261] [] ? sock_poll+0x1d5/0x260
[ 107.315906] [] ? p9_fd_poll+0x246/0x310
[ 107.321499] [] p9_poll_workfn+0x222/0x330
[ 107.327269] [] process_one_work+0x7e1/0x1500
[ 107.333297] [] ? process_one_work+0x728/0x1500
[ 107.339498] [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[ 107.347089] [] worker_thread+0xd6/0x10a0
[ 107.352769] [] kthread+0x26d/0x300
[ 107.357942] [] ? process_one_work+0x1500/0x1500
[ 107.364237] [] ? kthread_park+0xa0/0xa0
[ 107.369840] [] ? kthread_park+0xa0/0xa0
[ 107.375435] [] ? kthread_park+0xa0/0xa0
[ 107.381029] [] ret_from_fork+0x5c/0x70
[ 107.387063] Dumping ftrace buffer:
[ 107.390572] (ftrace buffer empty)
[ 107.394255] Kernel Offset: disabled
[ 107.397854] Rebooting in 86400 seconds..