[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.949235] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.474499] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.011900] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.717313] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.173222] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[ 30.798108] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 31.402477] ==================================================================
[ 31.409882] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[ 31.416797] Read of size 8 at addr ffff8801c17ba6a0 by task kworker/0:1/13
[ 31.424044]
[ 31.425652] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 4.18.0-rc5-next-20180718+ #10
[ 31.433681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.443032] Workqueue: events p9_poll_workfn
[ 31.447418] Call Trace:
[ 31.449987]  dump_stack+0x1c9/0x2b4
[ 31.453593]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.458782]  ? printk+0xa7/0xcf
[ 31.462048]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.466787]  ? work_is_static_object+0x39/0x40
[ 31.471368]  print_address_description+0x6c/0x20b
[ 31.476200]  ? work_is_static_object+0x39/0x40
[ 31.480760]  kasan_report.cold.7+0x242/0x30d
[ 31.485159]  __asan_report_load8_noabort+0x14/0x20
[ 31.490067]  work_is_static_object+0x39/0x40
[ 31.494456]  debug_object_activate+0x2fc/0x690
[ 31.499016]  ? __wake_up_common+0x740/0x740
[ 31.503317]  ? debug_object_assert_init+0x4b0/0x4b0
[ 31.508314]  __queue_work+0x1ca/0x1410
[ 31.512179]  ? __wake_up+0xe/0x10
[ 31.515612]  ? p9_client_cb+0x62/0x80
[ 31.519396]  ? flush_rcu_work+0x90/0x90
[ 31.523370]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 31.527584]  ? p9_conn_cancel+0x920/0xd30
[ 31.531713]  ? lock_acquire+0x1e4/0x540
[ 31.535664]  ? p9_poll_workfn+0x3ec/0x6d0
[ 31.539788]  ? lock_downgrade+0x8f0/0x8f0
[ 31.543924]  ? kasan_check_read+0x11/0x20
[ 31.548054]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.552442]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.557001]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.562531]  queue_work_on+0x19a/0x1e0
[ 31.566403]  p9_poll_workfn+0x55e/0x6d0
[ 31.570356]  ? p9_read_work+0x1060/0x1060
[ 31.574500]  ? lock_acquire+0x1e4/0x540
[ 31.578452]  ? process_one_work+0xb9b/0x1ba0
[ 31.582846]  ? kasan_check_read+0x11/0x20
[ 31.586981]  ? lock_release+0xa30/0xa30
[ 31.590931]  ? kasan_check_read+0x11/0x20
[ 31.595062]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.599444]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.604002]  ? read_word_at_a_time+0x20/0x20
[ 31.608392]  ? compat_start_thread+0x80/0x80
[ 31.612796]  ? dequeue_entity+0x15e0/0x15e0
[ 31.617113]  process_one_work+0xc73/0x1ba0
[ 31.621328]  ? trace_hardirqs_on+0x10/0x10
[ 31.625550]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.630196]  ? lock_repin_lock+0x430/0x430
[ 31.634424]  ? __sched_text_start+0x8/0x8
[ 31.638550]  ? lock_downgrade+0x8f0/0x8f0
[ 31.642674]  ? graph_lock+0x170/0x170
[ 31.646460]  ? graph_lock+0x170/0x170
[ 31.650258]  ? lock_acquire+0x1e4/0x540
[ 31.654210]  ? worker_thread+0x3dc/0x13c0
[ 31.658336]  ? lock_downgrade+0x8f0/0x8f0
[ 31.662460]  ? lock_release+0xa30/0xa30
[ 31.666421]  ? kasan_check_read+0x11/0x20
[ 31.670544]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.674929]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.679490]  ? kasan_check_write+0x14/0x20
[ 31.683703]  ? do_raw_spin_lock+0xc1/0x200
[ 31.687926]  worker_thread+0x189/0x13c0
[ 31.691881]  ? process_one_work+0x1ba0/0x1ba0
[ 31.696356]  ? graph_lock+0x170/0x170
[ 31.700135]  ? graph_lock+0x170/0x170
[ 31.703919]  ? find_held_lock+0x36/0x1c0
[ 31.707968]  ? find_held_lock+0x36/0x1c0
[ 31.712012]  ? kasan_check_read+0x11/0x20
[ 31.716136]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.720528]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 31.725610]  ? __kthread_parkme+0x58/0x1b0
[ 31.729820]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.734815]  ? trace_hardirqs_on+0xd/0x10
[ 31.738945]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.744461]  ? __kthread_parkme+0x106/0x1b0
[ 31.748772]  kthread+0x345/0x410
[ 31.752117]  ? process_one_work+0x1ba0/0x1ba0
[ 31.756589]  ? kthread_bind+0x40/0x40
[ 31.760377]  ret_from_fork+0x3a/0x50
[ 31.764075]
[ 31.765697] Allocated by task 4515:
[ 31.769319]  save_stack+0x43/0xd0
[ 31.772758]  kasan_kmalloc+0xc4/0xe0
[ 31.776452]  kmem_cache_alloc_trace+0x152/0x780
[ 31.781098]  p9_fd_create+0x1a7/0x3f0
[ 31.784872]  p9_client_create+0x8ed/0x177c
[ 31.789081]  v9fs_session_init+0x21a/0x1a80
[ 31.793385]  v9fs_mount+0x7c/0x900
[ 31.796912]  legacy_get_tree+0x118/0x440
[ 31.800950]  vfs_get_tree+0x1cb/0x5c0
[ 31.804728]  do_mount+0x6c1/0x1fb0
[ 31.808242]  ksys_mount+0x12d/0x140
[ 31.811845]  __x64_sys_mount+0xbe/0x150
[ 31.815797]  do_syscall_64+0x1b9/0x820
[ 31.819667]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.824827]
[ 31.826427] Freed by task 4515:
[ 31.829684]  save_stack+0x43/0xd0
[ 31.833112]  __kasan_slab_free+0x11a/0x170
[ 31.837322]  kasan_slab_free+0xe/0x10
[ 31.841097]  kfree+0xd9/0x260
[ 31.844179]  p9_fd_close+0x416/0x5b0
[ 31.847878]  p9_client_create+0xaa6/0x177c
[ 31.852088]  v9fs_session_init+0x21a/0x1a80
[ 31.856387]  v9fs_mount+0x7c/0x900
[ 31.859906]  legacy_get_tree+0x118/0x440
[ 31.863942]  vfs_get_tree+0x1cb/0x5c0
[ 31.868501]  do_mount+0x6c1/0x1fb0
[ 31.872031]  ksys_mount+0x12d/0x140
[ 31.875637]  __x64_sys_mount+0xbe/0x150
[ 31.879588]  do_syscall_64+0x1b9/0x820
[ 31.883466]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.888633]
[ 31.890247] The buggy address belongs to the object at ffff8801c17ba580
[ 31.890247]  which belongs to the cache kmalloc-512 of size 512
[ 31.902880] The buggy address is located 288 bytes inside of
[ 31.902880]  512-byte region [ffff8801c17ba580, ffff8801c17ba780)
[ 31.914727] The buggy address belongs to the page:
[ 31.919633] page:ffffea000705ee80 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 31.927751] flags: 0x2fffc0000000200(slab)
[ 31.931962] raw: 02fffc0000000200 ffffea0007150dc8 ffffea0006e6c488 ffff8801da800940
[ 31.939819] raw: 0000000000000000 ffff8801c17ba080 0000000100000006 0000000000000000
[ 31.947670] page dumped because: kasan: bad access detected
[ 31.953369]
[ 31.954970] Memory state around the buggy address:
[ 31.959876]  ffff8801c17ba580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.967210]  ffff8801c17ba600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.974545] >ffff8801c17ba680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.981876]                                ^
[ 31.986260]  ffff8801c17ba700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.993604]  ffff8801c17ba780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.000936] ==================================================================
[ 32.008271] Kernel panic - not syncing: panic_on_warn set ...
[ 32.008271]
[ 32.015613] CPU: 0 PID: 13 Comm: kworker/0:1 Tainted: G    B             4.18.0-rc5-next-20180718+ #10
[ 32.025030] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.034381] Workqueue: events p9_poll_workfn
[ 32.038765] Call Trace:
[ 32.041333]  dump_stack+0x1c9/0x2b4
[ 32.044955]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.050214]  ? lock_downgrade+0x8f0/0x8f0
[ 32.054336]  ? work_is_static_object+0x39/0x40
[ 32.058897]  panic+0x238/0x4e7
[ 32.062065]  ? add_taint.cold.5+0x16/0x16
[ 32.066201]  ? print_shadow_for_address+0xba/0x116
[ 32.071115]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.075497]  ? work_is_static_object+0x39/0x40
[ 32.080055]  kasan_end_report+0x47/0x4f
[ 32.084003]  kasan_report.cold.7+0x76/0x30d
[ 32.088299]  __asan_report_load8_noabort+0x14/0x20
[ 32.093205]  work_is_static_object+0x39/0x40
[ 32.097605]  debug_object_activate+0x2fc/0x690
[ 32.102163]  ? __wake_up_common+0x740/0x740
[ 32.106464]  ? debug_object_assert_init+0x4b0/0x4b0
[ 32.111468]  __queue_work+0x1ca/0x1410
[ 32.115345]  ? __wake_up+0xe/0x10
[ 32.118824]  ? p9_client_cb+0x62/0x80
[ 32.122600]  ? flush_rcu_work+0x90/0x90
[ 32.126549]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 32.130758]  ? p9_conn_cancel+0x920/0xd30
[ 32.134888]  ? lock_acquire+0x1e4/0x540
[ 32.138839]  ? p9_poll_workfn+0x3ec/0x6d0
[ 32.142963]  ? lock_downgrade+0x8f0/0x8f0
[ 32.147091]  ? kasan_check_read+0x11/0x20
[ 32.151211]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.155595]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 32.160155]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.165671]  queue_work_on+0x19a/0x1e0
[ 32.169536]  p9_poll_workfn+0x55e/0x6d0
[ 32.173497]  ? p9_read_work+0x1060/0x1060
[ 32.177626]  ? lock_acquire+0x1e4/0x540
[ 32.181577]  ? process_one_work+0xb9b/0x1ba0
[ 32.185961]  ? kasan_check_read+0x11/0x20
[ 32.190084]  ? lock_release+0xa30/0xa30
[ 32.194034]  ? kasan_check_read+0x11/0x20
[ 32.198167]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.202563]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 32.207124]  ? read_word_at_a_time+0x20/0x20
[ 32.211518]  ? compat_start_thread+0x80/0x80
[ 32.215905]  ? dequeue_entity+0x15e0/0x15e0
[ 32.220233]  process_one_work+0xc73/0x1ba0
[ 32.224457]  ? trace_hardirqs_on+0x10/0x10
[ 32.228681]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 32.233347]  ? lock_repin_lock+0x430/0x430
[ 32.237567]  ? __sched_text_start+0x8/0x8
[ 32.241696]  ? lock_downgrade+0x8f0/0x8f0
[ 32.245825]  ? graph_lock+0x170/0x170
[ 32.249607]  ? graph_lock+0x170/0x170
[ 32.253390]  ? lock_acquire+0x1e4/0x540
[ 32.257344]  ? worker_thread+0x3dc/0x13c0
[ 32.261475]  ? lock_downgrade+0x8f0/0x8f0
[ 32.265599]  ? lock_release+0xa30/0xa30
[ 32.269553]  ? kasan_check_read+0x11/0x20
[ 32.273676]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.278063]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 32.282624]  ? kasan_check_write+0x14/0x20
[ 32.286834]  ? do_raw_spin_lock+0xc1/0x200
[ 32.291054]  worker_thread+0x189/0x13c0
[ 32.295011]  ? process_one_work+0x1ba0/0x1ba0
[ 32.299486]  ? graph_lock+0x170/0x170
[ 32.303271]  ? graph_lock+0x170/0x170
[ 32.307049]  ? find_held_lock+0x36/0x1c0
[ 32.311088]  ? find_held_lock+0x36/0x1c0
[ 32.315132]  ? kasan_check_read+0x11/0x20
[ 32.319267]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.323655]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.328734]  ? __kthread_parkme+0x58/0x1b0
[ 32.332944]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.337936]  ? trace_hardirqs_on+0xd/0x10
[ 32.342065]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.347576]  ? __kthread_parkme+0x106/0x1b0
[ 32.351876]  kthread+0x345/0x410
[ 32.355219]  ? process_one_work+0x1ba0/0x1ba0
[ 32.359745]  ? kthread_bind+0x40/0x40
[ 32.363532]  ret_from_fork+0x3a/0x50
[ 32.367588] Dumping ftrace buffer:
[ 32.371104]    (ftrace buffer empty)
[ 32.374790] Kernel Offset: disabled
[ 32.378395] Rebooting in 86400 seconds..