[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.009006] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.481353] random: sshd: uninitialized urandom read (32 bytes read)
[   23.850848] random: sshd: uninitialized urandom read (32 bytes read)
[   24.756131] random: sshd: uninitialized urandom read (32 bytes read)
[   33.945948] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[   39.494147] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
[   39.667253] ==================================================================
[   39.674723] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   39.681628] Read of size 8 at addr ffff8801ce481960 by task kworker/0:2/27
[   39.688632]
[   39.690243] CPU: 0 PID: 27 Comm: kworker/0:2 Not tainted 4.18.0-rc3+ #137
[   39.697157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.706535] Workqueue: events p9_poll_workfn
[   39.710952] Call Trace:
[   39.713530]  dump_stack+0x1c9/0x2b4
executing program
executing program
[   39.717140]  ? dump_stack_print_info.cold.2+0x52/0x52
[   39.722309]  ? printk+0xa7/0xcf
[   39.725570]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.730324]  ? work_is_static_object+0x39/0x40
[   39.734886]  print_address_description+0x6c/0x20b
[   39.739706]  ? work_is_static_object+0x39/0x40
[   39.744267]  kasan_report.cold.7+0x242/0x2fe
[   39.748658]  __asan_report_load8_noabort+0x14/0x20
[   39.753564]  work_is_static_object+0x39/0x40
[   39.757951]  debug_object_activate+0x2fc/0x690
[   39.762523]  ? __wake_up_common+0x740/0x740
executing program
[   39.766834]  ? debug_object_assert_init+0x4b0/0x4b0
[   39.771850]  ? mark_held_locks+0xc9/0x160
[   39.776068]  __queue_work+0x1ca/0x1410
[   39.779953]  ? __wake_up+0xe/0x10
[   39.783391]  ? p9_client_cb+0x62/0x80
[   39.787264]  ? flush_rcu_work+0x90/0x90
[   39.791219]  ? p9_fd_cancelled+0x2f0/0x2f0
[   39.795445]  ? ep_eventpoll_poll+0x192/0x200
[   39.800365]  ? mounts_poll+0x1f9/0x290
[   39.804233]  ? mark_held_locks+0xc9/0x160
[   39.808362]  queue_work_on+0x19a/0x1e0
[   39.812232]  p9_poll_workfn+0x55e/0x6d0
executing program
[   39.816192]  ? p9_read_work+0x1060/0x1060
[   39.820940]  ? graph_lock+0x170/0x170
[   39.824723]  ? lock_acquire+0x1e4/0x540
[   39.828679]  ? process_one_work+0xb9b/0x1ba0
[   39.833070]  ? kasan_check_read+0x11/0x20
[   39.837650]  ? __lock_is_held+0xb5/0x140
[   39.841696]  process_one_work+0xc73/0x1ba0
[   39.845909]  ? trace_hardirqs_on+0x10/0x10
[   39.850128]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   39.854777]  ? lock_repin_lock+0x430/0x430
[   39.858999]  ? __sched_text_start+0x8/0x8
[   39.863130]  ? lock_downgrade+0x8f0/0x8f0
[   39.867267]  ? graph_lock+0x170/0x170
[   39.871840]  ? graph_lock+0x170/0x170
[   39.875630]  ? lock_acquire+0x1e4/0x540
[   39.879582]  ? worker_thread+0x3dc/0x13c0
[   39.883714]  ? lock_downgrade+0x8f0/0x8f0
[   39.887839]  ? lock_release+0xa30/0xa30
[   39.891798]  ? kasan_check_read+0x11/0x20
[   39.896020]  ? do_raw_spin_unlock+0xa7/0x2f0
[   39.900406]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   39.904969]  ? kasan_check_write+0x14/0x20
[   39.909181]  ? do_raw_spin_lock+0xc1/0x200
[   39.913395]  worker_thread+0x189/0x13c0
[   39.917356]  ? process_one_work+0x1ba0/0x1ba0
[   39.921840]  ? graph_lock+0x170/0x170
[   39.925624]  ? graph_lock+0x170/0x170
[   39.929417]  ? find_held_lock+0x36/0x1c0
[   39.933465]  ? find_held_lock+0x36/0x1c0
[   39.937613]  ? lock_downgrade+0x8f0/0x8f0
[   39.941745]  ? kasan_check_read+0x11/0x20
[   39.945872]  ? do_raw_spin_unlock+0xa7/0x2f0
[   39.950703]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   39.955785]  ? __kthread_parkme+0x58/0x1b0
[   39.960008]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   39.965025]  ? trace_hardirqs_on+0xd/0x10
[   39.969154]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   39.974762]  ? __kthread_parkme+0x106/0x1b0
[   39.979069]  kthread+0x345/0x410
[   39.982589]  ? process_one_work+0x1ba0/0x1ba0
[   39.987061]  ? kthread_bind+0x40/0x40
[   39.990846]  ret_from_fork+0x3a/0x50
[   39.994541]
[   39.996148] Allocated by task 4535:
[   39.999756]  save_stack+0x43/0xd0
[   40.003195]  kasan_kmalloc+0xc4/0xe0
[   40.006887]  kmem_cache_alloc_trace+0x152/0x780
[   40.011883]  p9_fd_create+0x1a7/0x3f0
[   40.015661]  p9_client_create+0x915/0x16c9
[   40.019873]  v9fs_session_init+0x21a/0x1a80
[   40.024176]  v9fs_mount+0x7c/0x900
[   40.027698]  mount_fs+0xae/0x328
[   40.031044]  vfs_kern_mount.part.34+0xdc/0x4e0
[   40.035864]  do_mount+0x581/0x30e0
[   40.039390]  ksys_mount+0x12d/0x140
[   40.043258]  __x64_sys_mount+0xbe/0x150
[   40.047232]  do_syscall_64+0x1b9/0x820
[   40.051108]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.056272]
[   40.057879] Freed by task 4535:
[   40.061934]  save_stack+0x43/0xd0
[   40.065367]  __kasan_slab_free+0x11a/0x170
[   40.069580]  kasan_slab_free+0xe/0x10
[   40.073357]  kfree+0xd9/0x260
[   40.076470]  p9_fd_close+0x416/0x5b0
[   40.080181]  p9_client_create+0xac2/0x16c9
[   40.084410]  v9fs_session_init+0x21a/0x1a80
[   40.088740]  v9fs_mount+0x7c/0x900
[   40.092263]  mount_fs+0xae/0x328
[   40.095610]  vfs_kern_mount.part.34+0xdc/0x4e0
[   40.100174]  do_mount+0x581/0x30e0
[   40.103693]  ksys_mount+0x12d/0x140
[   40.107298]  __x64_sys_mount+0xbe/0x150
[   40.111253]  do_syscall_64+0x1b9/0x820
[   40.115120]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.120282]
[   40.121892] The buggy address belongs to the object at ffff8801ce481840
[   40.121892]  which belongs to the cache kmalloc-512 of size 512
[   40.134537] The buggy address is located 288 bytes inside of
[   40.134537]  512-byte region [ffff8801ce481840, ffff8801ce481a40)
[   40.146388] The buggy address belongs to the page:
[   40.151314] page:ffffea0007392040 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   40.159436] flags: 0x2fffc0000000100(slab)
[   40.163653] raw: 02fffc0000000100 ffffea0006bad5c8 ffffea0007645ac8 ffff8801da800940
[   40.171512] raw: 0000000000000000 ffff8801ce4810c0 0000000100000006 0000000000000000
[   40.179458] page dumped because: kasan: bad access detected
[   40.185143]
[   40.186749] Memory state around the buggy address:
[   40.191658]  ffff8801ce481800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   40.198996]  ffff8801ce481880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.206345] >ffff8801ce481900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.213679]                                                        ^
[   40.220162]  ffff8801ce481980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.227502]  ffff8801ce481a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   40.234844] ==================================================================
[   40.242181] Disabling lock debugging due to kernel taint
[   40.247606] Kernel panic - not syncing: panic_on_warn set ...
[   40.247606]
[   40.255043] CPU: 0 PID: 27 Comm: kworker/0:2 Tainted: G    B             4.18.0-rc3+ #137
[   40.263337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.273116] Workqueue: events p9_poll_workfn
[   40.277509] Call Trace:
[   40.280074]  dump_stack+0x1c9/0x2b4
[   40.283680]  ? dump_stack_print_info.cold.2+0x52/0x52
[   40.288849]  ? lock_downgrade+0x8f0/0x8f0
[   40.292975]  panic+0x238/0x4e7
[   40.296145]  ? add_taint.cold.5+0x16/0x16
[   40.300271]  ? add_taint.cold.5+0x5/0x16
[   40.304310]  ? do_raw_spin_unlock+0xa7/0x2f0
[   40.308701]  ? work_is_static_object+0x39/0x40
[   40.313269]  kasan_end_report+0x47/0x4f
[   40.317227]  kasan_report.cold.7+0x76/0x2fe
[   40.321527]  __asan_report_load8_noabort+0x14/0x20
[   40.326433]  work_is_static_object+0x39/0x40
[   40.330830]  debug_object_activate+0x2fc/0x690
[   40.335391]  ? __wake_up_common+0x740/0x740
[   40.339699]  ? debug_object_assert_init+0x4b0/0x4b0
[   40.344704]  ? mark_held_locks+0xc9/0x160
[   40.348834]  __queue_work+0x1ca/0x1410
[   40.352699]  ? __wake_up+0xe/0x10
[   40.356130]  ? p9_client_cb+0x62/0x80
[   40.359908]  ? flush_rcu_work+0x90/0x90
[   40.363863]  ? p9_fd_cancelled+0x2f0/0x2f0
[   40.368083]  ? ep_eventpoll_poll+0x192/0x200
[   40.372467]  ? mounts_poll+0x1f9/0x290
[   40.376335]  ? mark_held_locks+0xc9/0x160
[   40.380463]  queue_work_on+0x19a/0x1e0
[   40.384331]  p9_poll_workfn+0x55e/0x6d0
[   40.388286]  ? p9_read_work+0x1060/0x1060
[   40.392425]  ? graph_lock+0x170/0x170
[   40.396213]  ? lock_acquire+0x1e4/0x540
[   40.400341]  ? process_one_work+0xb9b/0x1ba0
[   40.404741]  ? kasan_check_read+0x11/0x20
[   40.408879]  ? __lock_is_held+0xb5/0x140
[   40.412932]  process_one_work+0xc73/0x1ba0
[   40.417154]  ? trace_hardirqs_on+0x10/0x10
[   40.421368]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   40.426016]  ? lock_repin_lock+0x430/0x430
[   40.430235]  ? __sched_text_start+0x8/0x8
[   40.434360]  ? lock_downgrade+0x8f0/0x8f0
[   40.438488]  ? graph_lock+0x170/0x170
[   40.442263]  ? graph_lock+0x170/0x170
[   40.446050]  ? lock_acquire+0x1e4/0x540
[   40.450014]  ? worker_thread+0x3dc/0x13c0
[   40.454143]  ? lock_downgrade+0x8f0/0x8f0
[   40.458272]  ? lock_release+0xa30/0xa30
[   40.462228]  ? kasan_check_read+0x11/0x20
[   40.466442]  ? do_raw_spin_unlock+0xa7/0x2f0
[   40.470831]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   40.475402]  ? kasan_check_write+0x14/0x20
[   40.479615]  ? do_raw_spin_lock+0xc1/0x200
[   40.483831]  worker_thread+0x189/0x13c0
[   40.487789]  ? process_one_work+0x1ba0/0x1ba0
[   40.492262]  ? graph_lock+0x170/0x170
[   40.496040]  ? graph_lock+0x170/0x170
[   40.499827]  ? find_held_lock+0x36/0x1c0
[   40.503873]  ? find_held_lock+0x36/0x1c0
[   40.507921]  ? lock_downgrade+0x8f0/0x8f0
[   40.512050]  ? kasan_check_read+0x11/0x20
[   40.516657]  ? do_raw_spin_unlock+0xa7/0x2f0
[   40.521052]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   40.526133]  ? __kthread_parkme+0x58/0x1b0
[   40.530357]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   40.535825]  ? trace_hardirqs_on+0xd/0x10
[   40.539962]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.545484]  ? __kthread_parkme+0x106/0x1b0
[   40.549795]  kthread+0x345/0x410
[   40.553506]  ? process_one_work+0x1ba0/0x1ba0
[   40.557986]  ? kthread_bind+0x40/0x40
[   40.561853]  ret_from_fork+0x3a/0x50
[   40.566075] Dumping ftrace buffer:
[   40.569589]    (ftrace buffer empty)
[   40.573278] Kernel Offset: disabled
[   40.576883] Rebooting in 86400 seconds..