[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   19.773159] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[   20.313272] random: sshd: uninitialized urandom read (32 bytes read)
[   20.625795] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.508092] random: sshd: uninitialized urandom read (32 bytes read)
[   21.660302] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.39' (ECDSA) to the list of known hosts.
[   27.098060] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/10 22:00:29 parsed 1 programs
[   28.875390] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/10 22:00:31 executed programs: 0
[   30.263862] IPVS: ftp: loaded support on port[0] = 21
[   30.469097] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.475590] bridge0: port 1(bridge_slave_0) entered disabled state
[   30.483331] device bridge_slave_0 entered promiscuous mode
[   30.501128] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.507503] bridge0: port 2(bridge_slave_1) entered disabled state
[   30.514726] device bridge_slave_1 entered promiscuous mode
[   30.530761] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   30.546775] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   30.590715] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   30.609591] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   30.676612] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   30.686341] team0: Port device team_slave_0 added
[   30.701562] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   30.708716] team0: Port device team_slave_1 added
[   30.724610] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   30.742558] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   30.761597] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   30.779109] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   30.904251] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.910920] bridge0: port 2(bridge_slave_1) entered forwarding state
[   30.918073] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.924444] bridge0: port 1(bridge_slave_0) entered forwarding state
[   31.361621] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   31.367768] 8021q: adding VLAN 0 to HW filter on device bond0
[   31.412384] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   31.457374] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   31.466678] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   31.473199] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   31.480806] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   31.520087] 8021q: adding VLAN 0 to HW filter on device team0
[   33.412530] ==================================================================
[   33.421045] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   33.427537] Read of size 4 at addr ffff8801c7a26844 by task kworker/0:1/26
[   33.434534] 
[   33.436154] CPU: 0 PID: 26 Comm: kworker/0:1 Not tainted 4.18.0-rc4+ #43
[   33.442975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.452342] Workqueue: events p9_poll_workfn
[   33.456735] Call Trace:
[   33.459316]  dump_stack+0x1c9/0x2b4
[   33.462933]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.468110]  ? printk+0xa7/0xcf
[   33.471376]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.476122]  ? p9_poll_workfn+0x660/0x6d0
[   33.480257]  print_address_description+0x6c/0x20b
[   33.485087]  ? p9_poll_workfn+0x660/0x6d0
[   33.489232]  kasan_report.cold.7+0x242/0x2fe
[   33.493631]  __asan_report_load4_noabort+0x14/0x20
[   33.498553]  p9_poll_workfn+0x660/0x6d0
[   33.502522]  ? p9_read_work+0x1060/0x1060
[   33.506663]  ? graph_lock+0x170/0x170
[   33.510452]  ? lock_acquire+0x1e4/0x540
[   33.514414]  ? process_one_work+0xb9b/0x1ba0
[   33.518810]  ? kasan_check_read+0x11/0x20
[   33.522950]  ? __lock_is_held+0xb5/0x140
[   33.527008]  process_one_work+0xc73/0x1ba0
[   33.531235]  ? trace_hardirqs_on+0x10/0x10
[   33.535477]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   33.540146]  ? lock_repin_lock+0x430/0x430
[   33.544390]  ? __sched_text_start+0x8/0x8
[   33.548522]  ? lock_downgrade+0x8f0/0x8f0
[   33.552682]  ? graph_lock+0x170/0x170
[   33.556486]  ? lock_acquire+0x1e4/0x540
[   33.560450]  ? worker_thread+0x3dc/0x13c0
[   33.564602]  ? lock_downgrade+0x8f0/0x8f0
[   33.568742]  ? lock_release+0xa30/0xa30
[   33.572720]  ? kasan_check_read+0x11/0x20
[   33.576859]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.581346]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   33.585932]  ? kasan_check_write+0x14/0x20
[   33.590153]  ? do_raw_spin_lock+0xc1/0x200
[   33.594386]  worker_thread+0x189/0x13c0
[   33.598363]  ? process_one_work+0x1ba0/0x1ba0
[   33.602868]  ? graph_lock+0x170/0x170
[   33.606655]  ? graph_lock+0x170/0x170
[   33.610443]  ? find_held_lock+0x36/0x1c0
[   33.614498]  ? find_held_lock+0x36/0x1c0
[   33.618559]  ? kasan_check_read+0x11/0x20
[   33.622708]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.627107]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.632196]  ? __kthread_parkme+0x58/0x1b0
[   33.636417]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.641437]  ? trace_hardirqs_on+0xd/0x10
[   33.645574]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   33.651121]  ? __kthread_parkme+0x106/0x1b0
[   33.655444]  kthread+0x345/0x410
[   33.658798]  ? process_one_work+0x1ba0/0x1ba0
[   33.663299]  ? kthread_bind+0x40/0x40
[   33.667095]  ret_from_fork+0x3a/0x50
[   33.670800] 
[   33.672431] Allocated by task 4810:
[   33.676057]  save_stack+0x43/0xd0
[   33.679515]  kasan_kmalloc+0xc4/0xe0
[   33.683248]  kmem_cache_alloc_trace+0x152/0x780
[   33.687906]  p9_fd_create+0x1a7/0x3f0
[   33.691695]  p9_client_create+0x915/0x16c9
[   33.695917]  v9fs_session_init+0x21a/0x1a80
[   33.700224]  v9fs_mount+0x7c/0x900
[   33.703753]  mount_fs+0xae/0x328
[   33.707112]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.711680]  do_mount+0x581/0x30e0
[   33.715213]  __ia32_compat_sys_mount+0x5d5/0x860
[   33.719977]  do_fast_syscall_32+0x34d/0xfb2
[   33.724290]  entry_SYSENTER_compat+0x70/0x7f
[   33.728680] 
[   33.730290] Freed by task 4810:
[   33.733572]  save_stack+0x43/0xd0
[   33.737016]  __kasan_slab_free+0x11a/0x170
[   33.741239]  kasan_slab_free+0xe/0x10
[   33.745036]  kfree+0xd9/0x260
[   33.748130]  p9_fd_close+0x416/0x5b0
[   33.751845]  p9_client_create+0xac2/0x16c9
[   33.756065]  v9fs_session_init+0x21a/0x1a80
[   33.760368]  v9fs_mount+0x7c/0x900
[   33.763895]  mount_fs+0xae/0x328
[   33.767248]  vfs_kern_mount.part.34+0xdc/0x4e0
[   33.771826]  do_mount+0x581/0x30e0
[   33.775352]  __ia32_compat_sys_mount+0x5d5/0x860
[   33.780105]  do_fast_syscall_32+0x34d/0xfb2
[   33.784419]  entry_SYSENTER_compat+0x70/0x7f
[   33.788891] 
[   33.790504] The buggy address belongs to the object at ffff8801c7a267c0
[   33.790504]  which belongs to the cache kmalloc-512 of size 512
[   33.803679] The buggy address is located 132 bytes inside of
[   33.803679]  512-byte region [ffff8801c7a267c0, ffff8801c7a269c0)
[   33.815627] The buggy address belongs to the page:
[   33.820541] page:ffffea00071e8980 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   33.828668] flags: 0x2fffc0000000100(slab)
[   33.832891] raw: 02fffc0000000100 ffffea0007276e48 ffffea00071a0248 ffff8801da800940
[   33.840759] raw: 0000000000000000 ffff8801c7a26040 0000000100000006 0000000000000000
[   33.849629] page dumped because: kasan: bad access detected
[   33.855326] 
[   33.856938] Memory state around the buggy address:
[   33.861853]  ffff8801c7a26700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.869193]  ffff8801c7a26780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   33.876545] >ffff8801c7a26800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.883884]                                            ^
[   33.889329]  ffff8801c7a26880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.896673]  ffff8801c7a26900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.904019] ==================================================================
[   33.911357] Disabling lock debugging due to kernel taint
[   33.917122] Kernel panic - not syncing: panic_on_warn set ...
[   33.917122] 
[   33.924593] CPU: 0 PID: 26 Comm: kworker/0:1 Tainted: G    B             4.18.0-rc4+ #43
[   33.932828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.942210] Workqueue: events p9_poll_workfn
[   33.946624] Call Trace:
[   33.949225]  dump_stack+0x1c9/0x2b4
[   33.952868]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.958069]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   33.962815]  panic+0x238/0x4e7
[   33.965998]  ? add_taint.cold.5+0x16/0x16
[   33.970163]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.974563]  ? do_raw_spin_unlock+0xa7/0x2f0
[   33.978963]  ? p9_poll_workfn+0x660/0x6d0
[   33.983098]  kasan_end_report+0x47/0x4f
[   33.987063]  kasan_report.cold.7+0x76/0x2fe
[   33.991387]  __asan_report_load4_noabort+0x14/0x20
[   33.996313]  p9_poll_workfn+0x660/0x6d0
[   34.000281]  ? p9_read_work+0x1060/0x1060
[   34.004421]  ? graph_lock+0x170/0x170
[   34.008228]  ? lock_acquire+0x1e4/0x540
[   34.012211]  ? process_one_work+0xb9b/0x1ba0
[   34.016617]  ? kasan_check_read+0x11/0x20
[   34.020753]  ? __lock_is_held+0xb5/0x140
[   34.024804]  process_one_work+0xc73/0x1ba0
[   34.029044]  ? trace_hardirqs_on+0x10/0x10
[   34.033283]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   34.037946]  ? lock_repin_lock+0x430/0x430
[   34.042174]  ? __sched_text_start+0x8/0x8
[   34.046367]  ? lock_downgrade+0x8f0/0x8f0
[   34.050530]  ? graph_lock+0x170/0x170
[   34.054327]  ? lock_acquire+0x1e4/0x540
[   34.058300]  ? worker_thread+0x3dc/0x13c0
[   34.062444]  ? lock_downgrade+0x8f0/0x8f0
[   34.066586]  ? lock_release+0xa30/0xa30
[   34.070566]  ? kasan_check_read+0x11/0x20
[   34.074717]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.079112]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.083683]  ? kasan_check_write+0x14/0x20
[   34.087990]  ? do_raw_spin_lock+0xc1/0x200
[   34.092228]  worker_thread+0x189/0x13c0
[   34.096205]  ? process_one_work+0x1ba0/0x1ba0
[   34.100690]  ? graph_lock+0x170/0x170
[   34.104473]  ? graph_lock+0x170/0x170
[   34.108257]  ? find_held_lock+0x36/0x1c0
[   34.112315]  ? find_held_lock+0x36/0x1c0
[   34.116369]  ? kasan_check_read+0x11/0x20
[   34.120501]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.124898]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   34.130004]  ? __kthread_parkme+0x58/0x1b0
[   34.134232]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.139239]  ? trace_hardirqs_on+0xd/0x10
[   34.143375]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.148892]  ? __kthread_parkme+0x106/0x1b0
[   34.153206]  kthread+0x345/0x410
[   34.156563]  ? process_one_work+0x1ba0/0x1ba0
[   34.161047]  ? kthread_bind+0x40/0x40
[   34.164857]  ret_from_fork+0x3a/0x50
[   34.169150] Dumping ftrace buffer:
[   34.172680]    (ftrace buffer empty)
[   34.176369] Kernel Offset: disabled
[   34.179985] Rebooting in 86400 seconds..