[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 18.983381] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.564444] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.878622] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.769729] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.929438] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
[ 30.387100] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 30.759433] ==================================================================
[ 30.766911] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[ 30.773402] Read of size 4 at addr ffff8801d9110d44 by task kworker/1:0/19
[ 30.780445]
[ 30.782062] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc6+ #160
[ 30.788978] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.798333] Workqueue: events p9_poll_workfn
[ 30.802725] Call Trace:
[ 30.805302]  dump_stack+0x1c9/0x2b4
[ 30.808919]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.814093]  ? printk+0xa7/0xcf
[ 30.817357]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 30.822102]  ? p9_poll_workfn+0x660/0x6d0
[ 30.826237]  print_address_description+0x6c/0x20b
[ 30.831068]  ? p9_poll_workfn+0x660/0x6d0
[ 30.835211]  kasan_report.cold.7+0x242/0x2fe
[ 30.839609]  __asan_report_load4_noabort+0x14/0x20
[ 30.844523]  p9_poll_workfn+0x660/0x6d0
[ 30.848487]  ? p9_read_work+0x1060/0x1060
[ 30.852622]  ? graph_lock+0x170/0x170
[ 30.856410]  ? lock_acquire+0x1e4/0x540
[ 30.860371]  ? process_one_work+0xb9b/0x1ba0
[ 30.864767]  ? kasan_check_read+0x11/0x20
[ 30.868907]  ? __lock_is_held+0xb5/0x140
[ 30.872963]  process_one_work+0xc73/0x1ba0
[ 30.877187]  ? trace_hardirqs_on+0x10/0x10
[ 30.881413]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 30.886071]  ? lock_repin_lock+0x430/0x430
[ 30.890302]  ? __sched_text_start+0x8/0x8
[ 30.894439]  ? graph_lock+0x170/0x170
[ 30.898227]  ? lock_downgrade+0x8f0/0x8f0
[ 30.902367]  ? kasan_check_read+0x11/0x20
[ 30.906507]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.910913]  ? lock_acquire+0x1e4/0x540
[ 30.914878]  ? worker_thread+0x3dc/0x13c0
[ 30.919025]  ? lock_downgrade+0x8f0/0x8f0
[ 30.923162]  ? lock_release+0xa30/0xa30
[ 30.927121]  ? kasan_check_read+0x11/0x20
[ 30.931253]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.935656]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 30.940226]  ? kasan_check_write+0x14/0x20
[ 30.944462]  ? do_raw_spin_lock+0xc1/0x200
[ 30.948687]  worker_thread+0x189/0x13c0
[ 30.952657]  ? process_one_work+0x1ba0/0x1ba0
[ 30.957160]  ? graph_lock+0x170/0x170
[ 30.960949]  ? graph_lock+0x170/0x170
[ 30.964737]  ? find_held_lock+0x36/0x1c0
[ 30.968792]  ? find_held_lock+0x36/0x1c0
[ 30.972855]  ? kasan_check_read+0x11/0x20
[ 30.976990]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.981390]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 30.986478]  ? __kthread_parkme+0x58/0x1b0
[ 30.990700]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 30.995720]  ? trace_hardirqs_on+0xd/0x10
[ 30.999856]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.005384]  ? __kthread_parkme+0x106/0x1b0
[ 31.009703]  kthread+0x345/0x410
[ 31.013058]  ? process_one_work+0x1ba0/0x1ba0
[ 31.017538]  ? kthread_bind+0x40/0x40
[ 31.021325]  ret_from_fork+0x3a/0x50
[ 31.025030]
[ 31.026641] Allocated by task 4554:
[ 31.030255]  save_stack+0x43/0xd0
[ 31.033692]  kasan_kmalloc+0xc4/0xe0
[ 31.037391]  kmem_cache_alloc_trace+0x152/0x780
[ 31.042045]  p9_fd_create+0x1a7/0x3f0
[ 31.045831]  p9_client_create+0x8ed/0x1770
[ 31.050051]  v9fs_session_init+0x21a/0x1a80
[ 31.054357]  v9fs_mount+0x7c/0x900
[ 31.057884]  mount_fs+0xae/0x328
[ 31.061233]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.065797]  do_mount+0x581/0x30e0
[ 31.069322]  ksys_mount+0x12d/0x140
[ 31.072940]  __x64_sys_mount+0xbe/0x150
[ 31.076901]  do_syscall_64+0x1b9/0x820
[ 31.080772]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.085938]
[ 31.087545] Freed by task 4554:
[ 31.090820]  save_stack+0x43/0xd0
[ 31.094265]  __kasan_slab_free+0x11a/0x170
[ 31.098480]  kasan_slab_free+0xe/0x10
[ 31.102276]  kfree+0xd9/0x260
[ 31.105368]  p9_fd_close+0x416/0x5b0
[ 31.109066]  p9_client_create+0xa9a/0x1770
[ 31.113283]  v9fs_session_init+0x21a/0x1a80
[ 31.117589]  v9fs_mount+0x7c/0x900
[ 31.121126]  mount_fs+0xae/0x328
[ 31.124479]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.129044]  do_mount+0x581/0x30e0
[ 31.132567]  ksys_mount+0x12d/0x140
[ 31.136179]  __x64_sys_mount+0xbe/0x150
[ 31.140136]  do_syscall_64+0x1b9/0x820
[ 31.144014]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.149183]
[ 31.150796] The buggy address belongs to the object at ffff8801d9110cc0
[ 31.150796]  which belongs to the cache kmalloc-512 of size 512
[ 31.163441] The buggy address is located 132 bytes inside of
[ 31.163441]  512-byte region [ffff8801d9110cc0, ffff8801d9110ec0)
[ 31.175296] The buggy address belongs to the page:
[ 31.180211] page:ffffea0007644400 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 31.188355] flags: 0x2fffc0000000100(slab)
[ 31.192580] raw: 02fffc0000000100 ffffea0006b30448 ffff8801da801748 ffff8801da800940
[ 31.200461] raw: 0000000000000000 ffff8801d9110040 0000000100000006 0000000000000000
[ 31.208333] page dumped because: kasan: bad access detected
[ 31.214036]
[ 31.215644] Memory state around the buggy address:
[ 31.220557]  ffff8801d9110c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.227915]  ffff8801d9110c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 31.235261] >ffff8801d9110d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.242601]                                            ^
[ 31.248035]  ffff8801d9110d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 31.255394]  ffff8801d9110e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.262733] ==================================================================
[ 31.270071] Disabling lock debugging due to kernel taint
[ 31.275615] Kernel panic - not syncing: panic_on_warn set ...
[ 31.275615]
[ 31.282986] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G B 4.18.0-rc6+ #160
[ 31.291296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.300656] Workqueue: events p9_poll_workfn
[ 31.305083] Call Trace:
[ 31.307672]  dump_stack+0x1c9/0x2b4
[ 31.311304]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.316487]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.321240]  panic+0x238/0x4e7
[ 31.324432]  ? add_taint.cold.5+0x16/0x16
[ 31.328581]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.332979]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.337389]  ? p9_poll_workfn+0x660/0x6d0
[ 31.341534]  kasan_end_report+0x47/0x4f
[ 31.345506]  kasan_report.cold.7+0x76/0x2fe
[ 31.349827]  __asan_report_load4_noabort+0x14/0x20
[ 31.354750]  p9_poll_workfn+0x660/0x6d0
[ 31.358716]  ? p9_read_work+0x1060/0x1060
[ 31.362864]  ? graph_lock+0x170/0x170
[ 31.366659]  ? lock_acquire+0x1e4/0x540
[ 31.370629]  ? process_one_work+0xb9b/0x1ba0
[ 31.375047]  ? kasan_check_read+0x11/0x20
[ 31.379194]  ? __lock_is_held+0xb5/0x140
[ 31.383253]  process_one_work+0xc73/0x1ba0
[ 31.387492]  ? trace_hardirqs_on+0x10/0x10
[ 31.391753]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.396430]  ? lock_repin_lock+0x430/0x430
[ 31.400668]  ? __sched_text_start+0x8/0x8
[ 31.404808]  ? graph_lock+0x170/0x170
[ 31.408603]  ? lock_downgrade+0x8f0/0x8f0
[ 31.412775]  ? kasan_check_read+0x11/0x20
[ 31.416912]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.421313]  ? lock_acquire+0x1e4/0x540
[ 31.425277]  ? worker_thread+0x3dc/0x13c0
[ 31.429423]  ? lock_downgrade+0x8f0/0x8f0
[ 31.433578]  ? lock_release+0xa30/0xa30
[ 31.437559]  ? kasan_check_read+0x11/0x20
[ 31.441701]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.446093]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.450658]  ? kasan_check_write+0x14/0x20
[ 31.454880]  ? do_raw_spin_lock+0xc1/0x200
[ 31.459102]  worker_thread+0x189/0x13c0
[ 31.463063]  ? process_one_work+0x1ba0/0x1ba0
[ 31.467544]  ? graph_lock+0x170/0x170
[ 31.471325]  ? graph_lock+0x170/0x170
[ 31.475106]  ? find_held_lock+0x36/0x1c0
[ 31.479150]  ? find_held_lock+0x36/0x1c0
[ 31.483202]  ? kasan_check_read+0x11/0x20
[ 31.487333]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.491737]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 31.496819]  ? __kthread_parkme+0x58/0x1b0
[ 31.501037]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.506045]  ? trace_hardirqs_on+0xd/0x10
[ 31.510183]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.515710]  ? __kthread_parkme+0x106/0x1b0
[ 31.520035]  kthread+0x345/0x410
[ 31.523424]  ? process_one_work+0x1ba0/0x1ba0
[ 31.527905]  ? kthread_bind+0x40/0x40
[ 31.531692]  ret_from_fork+0x3a/0x50
[ 31.535993] Dumping ftrace buffer:
[ 31.539527]    (ftrace buffer empty)
[ 31.543217] Kernel Offset: disabled
[ 31.546824] Rebooting in 86400 seconds..