[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.268532] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.511875] random: sshd: uninitialized urandom read (32 bytes read)
[   23.800247] random: sshd: uninitialized urandom read (32 bytes read)
[   24.654565] random: sshd: uninitialized urandom read (32 bytes read)
[   24.814139] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
[   30.578453] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   31.210249] ==================================================================
[   31.217730] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   31.224647] Read of size 8 at addr ffff8801ad06b920 by task kworker/1:0/19
[   31.231652] 
[   31.233272] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc5+ #149
[   31.240181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.249542] Workqueue: events p9_poll_workfn
[   31.253943] Call Trace:
[   31.256526]  dump_stack+0x1c9/0x2b4
[   31.260149]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.265325]  ? printk+0xa7/0xcf
[   31.268603]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.273348]  ? work_is_static_object+0x39/0x40
[   31.277912]  print_address_description+0x6c/0x20b
[   31.282749]  ? work_is_static_object+0x39/0x40
[   31.287321]  kasan_report.cold.7+0x242/0x2fe
[   31.291716]  __asan_report_load8_noabort+0x14/0x20
[   31.296625]  work_is_static_object+0x39/0x40
[   31.301018]  debug_object_activate+0x2fc/0x690
[   31.305586]  ? __wake_up_common+0x740/0x740
[   31.309897]  ? debug_object_assert_init+0x4b0/0x4b0
[   31.314911]  ? mark_held_locks+0xc9/0x160
[   31.319054]  __queue_work+0x1ca/0x1410
[   31.322947]  ? __wake_up+0xe/0x10
[   31.326389]  ? p9_client_cb+0x62/0x80
[   31.330173]  ? flush_rcu_work+0x90/0x90
[   31.334132]  ? p9_fd_cancelled+0x2f0/0x2f0
[   31.338371]  ? lock_downgrade+0x8f0/0x8f0
[   31.342507]  ? mark_held_locks+0xc9/0x160
[   31.346635]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   31.351198]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.356730]  queue_work_on+0x19a/0x1e0
[   31.360613]  p9_poll_workfn+0x55e/0x6d0
[   31.364585]  ? p9_read_work+0x1060/0x1060
[   31.368724]  ? graph_lock+0x170/0x170
[   31.372509]  ? lock_acquire+0x1e4/0x540
[   31.376476]  ? process_one_work+0xb9b/0x1ba0
[   31.380878]  ? kasan_check_read+0x11/0x20
[   31.385024]  ? __lock_is_held+0xb5/0x140
[   31.389082]  process_one_work+0xc73/0x1ba0
[   31.393299]  ? trace_hardirqs_on+0x10/0x10
[   31.397521]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   31.402174]  ? lock_repin_lock+0x430/0x430
[   31.406397]  ? __sched_text_start+0x8/0x8
[   31.410527]  ? graph_lock+0x170/0x170
[   31.414318]  ? lock_downgrade+0x8f0/0x8f0
[   31.418555]  ? kasan_check_read+0x11/0x20
[   31.422700]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.427117]  ? lock_acquire+0x1e4/0x540
[   31.431079]  ? worker_thread+0x3dc/0x13c0
[   31.435211]  ? lock_downgrade+0x8f0/0x8f0
[   31.439344]  ? lock_release+0xa30/0xa30
[   31.443316]  ? kasan_check_read+0x11/0x20
[   31.447455]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.451853]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   31.456431]  ? kasan_check_write+0x14/0x20
[   31.460650]  ? do_raw_spin_lock+0xc1/0x200
[   31.464881]  worker_thread+0x189/0x13c0
[   31.468852]  ? process_one_work+0x1ba0/0x1ba0
[   31.473334]  ? graph_lock+0x170/0x170
[   31.477119]  ? graph_lock+0x170/0x170
[   31.480907]  ? find_held_lock+0x36/0x1c0
[   31.484986]  ? find_held_lock+0x36/0x1c0
[   31.489050]  ? kasan_check_read+0x11/0x20
[   31.494101]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.498501]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   31.503584]  ? __kthread_parkme+0x58/0x1b0
[   31.507804]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.512804]  ? trace_hardirqs_on+0xd/0x10
[   31.516934]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.522457]  ? __kthread_parkme+0x106/0x1b0
[   31.526767]  kthread+0x345/0x410
[   31.530116]  ? process_one_work+0x1ba0/0x1ba0
[   31.534602]  ? kthread_bind+0x40/0x40
[   31.538389]  ret_from_fork+0x3a/0x50
[   31.542091] 
[   31.543715] Allocated by task 4587:
[   31.547328]  save_stack+0x43/0xd0
[   31.550761]  kasan_kmalloc+0xc4/0xe0
[   31.554461]  kmem_cache_alloc_trace+0x152/0x780
[   31.559113]  p9_fd_create+0x1a7/0x3f0
[   31.562896]  p9_client_create+0x8ed/0x1770
[   31.567116]  v9fs_session_init+0x21a/0x1a80
[   31.571416]  v9fs_mount+0x7c/0x900
[   31.574937]  mount_fs+0xae/0x328
[   31.578286]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.582858]  do_mount+0x581/0x30e0
[   31.586385]  ksys_mount+0x12d/0x140
[   31.589999]  __x64_sys_mount+0xbe/0x150
[   31.593959]  do_syscall_64+0x1b9/0x820
[   31.597828]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.602991] 
[   31.604605] Freed by task 4587:
[   31.607864]  save_stack+0x43/0xd0
[   31.611295]  __kasan_slab_free+0x11a/0x170
[   31.615513]  kasan_slab_free+0xe/0x10
[   31.619293]  kfree+0xd9/0x260
[   31.622391]  p9_fd_close+0x416/0x5b0
[   31.626088]  p9_client_create+0xa9a/0x1770
[   31.630308]  v9fs_session_init+0x21a/0x1a80
[   31.634610]  v9fs_mount+0x7c/0x900
[   31.638144]  mount_fs+0xae/0x328
[   31.641580]  vfs_kern_mount.part.34+0xdc/0x4e0
[   31.646161]  do_mount+0x581/0x30e0
[   31.649689]  ksys_mount+0x12d/0x140
[   31.653306]  __x64_sys_mount+0xbe/0x150
[   31.657271]  do_syscall_64+0x1b9/0x820
[   31.661142]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.666320] 
[   31.667928] The buggy address belongs to the object at ffff8801ad06b800
[   31.667928]  which belongs to the cache kmalloc-512 of size 512
[   31.680572] The buggy address is located 288 bytes inside of
[   31.680572]  512-byte region [ffff8801ad06b800, ffff8801ad06ba00)
[   31.692433] The buggy address belongs to the page:
[   31.697356] page:ffffea0006b41ac0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   31.705481] flags: 0x2fffc0000000100(slab)
[   31.709698] raw: 02fffc0000000100 ffffea0007644c08 ffffea0006baf8c8 ffff8801da800940
[   31.717569] raw: 0000000000000000 ffff8801ad06b080 0000000100000006 0000000000000000
[   31.725429] page dumped because: kasan: bad access detected
[   31.731115] 
[   31.732721] Memory state around the buggy address:
[   31.737639]  ffff8801ad06b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.744980]  ffff8801ad06b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.752327] >ffff8801ad06b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.759668]                                ^
[   31.764060]  ffff8801ad06b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.771398]  ffff8801ad06ba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.778734] ==================================================================
[   31.786069] Disabling lock debugging due to kernel taint
[   31.791505] Kernel panic - not syncing: panic_on_warn set ...
[   31.791505] 
[   31.798849] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G B 4.18.0-rc5+ #149
[   31.807138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.816483] Workqueue: events p9_poll_workfn
[   31.820870] Call Trace:
[   31.823449]  dump_stack+0x1c9/0x2b4
[   31.827075]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.832250]  ? lock_downgrade+0x8f0/0x8f0
[   31.836388]  panic+0x238/0x4e7
[   31.839570]  ? add_taint.cold.5+0x16/0x16
[   31.843698]  ? add_taint.cold.5+0x5/0x16
[   31.847737]  ? do_raw_spin_unlock+0xa7/0x2f0
[   31.852126]  ? work_is_static_object+0x39/0x40
[   31.856688]  kasan_end_report+0x47/0x4f
[   31.860644]  kasan_report.cold.7+0x76/0x2fe
[   31.864946]  __asan_report_load8_noabort+0x14/0x20
[   31.869855]  work_is_static_object+0x39/0x40
[   31.874243]  debug_object_activate+0x2fc/0x690
[   31.878805]  ? __wake_up_common+0x740/0x740
[   31.883108]  ? debug_object_assert_init+0x4b0/0x4b0
[   31.888125]  ? mark_held_locks+0xc9/0x160
[   31.892269]  __queue_work+0x1ca/0x1410
[   31.896142]  ? __wake_up+0xe/0x10
[   31.899582]  ? p9_client_cb+0x62/0x80
[   31.903361]  ? flush_rcu_work+0x90/0x90
[   31.907315]  ? p9_fd_cancelled+0x2f0/0x2f0
[   31.911533]  ? lock_downgrade+0x8f0/0x8f0
[   31.915665]  ? mark_held_locks+0xc9/0x160
[   31.919794]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   31.924376]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.929893]  queue_work_on+0x19a/0x1e0
[   31.933772]  p9_poll_workfn+0x55e/0x6d0
[   31.937732]  ? p9_read_work+0x1060/0x1060
[   31.941862]  ? graph_lock+0x170/0x170
[   31.945653]  ? lock_acquire+0x1e4/0x540
[   31.949613]  ? process_one_work+0xb9b/0x1ba0
[   31.954005]  ? kasan_check_read+0x11/0x20
[   31.958151]  ? __lock_is_held+0xb5/0x140
[   31.962201]  process_one_work+0xc73/0x1ba0
[   31.966415]  ? trace_hardirqs_on+0x10/0x10
[   31.970632]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   31.975281]  ? lock_repin_lock+0x430/0x430
[   31.979502]  ? __sched_text_start+0x8/0x8
[   31.983644]  ? graph_lock+0x170/0x170
[   31.987425]  ? lock_downgrade+0x8f0/0x8f0
[   31.991641]  ? kasan_check_read+0x11/0x20
[   31.995773]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.000171]  ? lock_acquire+0x1e4/0x540
[   32.004126]  ? worker_thread+0x3dc/0x13c0
[   32.008253]  ? lock_downgrade+0x8f0/0x8f0
[   32.012381]  ? lock_release+0xa30/0xa30
[   32.016512]  ? kasan_check_read+0x11/0x20
[   32.020652]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.025049]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   32.029616]  ? kasan_check_write+0x14/0x20
[   32.033829]  ? do_raw_spin_lock+0xc1/0x200
[   32.038055]  worker_thread+0x189/0x13c0
[   32.042027]  ? process_one_work+0x1ba0/0x1ba0
[   32.046505]  ? graph_lock+0x170/0x170
[   32.050286]  ? graph_lock+0x170/0x170
[   32.054064]  ? find_held_lock+0x36/0x1c0
[   32.058119]  ? find_held_lock+0x36/0x1c0
[   32.062167]  ? kasan_check_read+0x11/0x20
[   32.066303]  ? do_raw_spin_unlock+0xa7/0x2f0
[   32.070692]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.075774]  ? __kthread_parkme+0x58/0x1b0
[   32.080002]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.085026]  ? trace_hardirqs_on+0xd/0x10
[   32.089175]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.094689]  ? __kthread_parkme+0x106/0x1b0
[   32.098989]  kthread+0x345/0x410
[   32.102340]  ? process_one_work+0x1ba0/0x1ba0
[   32.106812]  ? kthread_bind+0x40/0x40
[   32.110592]  ret_from_fork+0x3a/0x50
[   32.114785] Dumping ftrace buffer:
[   32.118312]    (ftrace buffer empty)
[   32.121999] Kernel Offset: disabled
[   32.125607] Rebooting in 86400 seconds..