[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[   18.998526] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.352818] random: sshd: uninitialized urandom read (32 bytes read)
[   23.594944] random: sshd: uninitialized urandom read (32 bytes read)
[   24.523954] random: sshd: uninitialized urandom read (32 bytes read)
[   24.684872] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
[   30.195194] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/23 06:47:33 parsed 1 programs
[   31.246579] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/23 06:47:35 executed programs: 0
[   32.435546] IPVS: ftp: loaded support on port[0] = 21
[   32.439788] IPVS: ftp: loaded support on port[0] = 21
[   32.441074] IPVS: ftp: loaded support on port[0] = 21
[   32.458271] IPVS: ftp: loaded support on port[0] = 21
[   32.462567] IPVS: ftp: loaded support on port[0] = 21
[   32.471122] IPVS: ftp: loaded support on port[0] = 21
[   32.484550] IPVS: ftp: loaded support on port[0] = 21
[   32.504271] IPVS: ftp: loaded support on port[0] = 21
[   33.999462] ==================================================================
[   34.006975] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   34.013477] Read of size 4 at addr ffff8801d6f21a84 by task kworker/1:0/19
[   34.020482] 
[   34.022101] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc6+ #160
[   34.029010] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.038363] Workqueue: events p9_poll_workfn
[   34.042766] Call Trace:
[   34.045347]  dump_stack+0x1c9/0x2b4
[   34.048983]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.054162]  ? printk+0xa7/0xcf
[   34.057430]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.062187]  ? p9_poll_workfn+0x660/0x6d0
[   34.066323]  print_address_description+0x6c/0x20b
[   34.071153]  ? p9_poll_workfn+0x660/0x6d0
[   34.075287]  kasan_report.cold.7+0x242/0x2fe
[   34.079685]  __asan_report_load4_noabort+0x14/0x20
[   34.084611]  p9_poll_workfn+0x660/0x6d0
[   34.088579]  ? p9_read_work+0x1060/0x1060
[   34.092731]  ? graph_lock+0x170/0x170
[   34.096534]  ? lock_acquire+0x1e4/0x540
[   34.100497]  ? process_one_work+0xb9b/0x1ba0
[   34.104911]  ? kasan_check_read+0x11/0x20
[   34.109054]  ? __lock_is_held+0xb5/0x140
[   34.113109]  process_one_work+0xc73/0x1ba0
[   34.117339]  ? trace_hardirqs_on+0x10/0x10
[   34.121584]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   34.126243]  ? lock_repin_lock+0x430/0x430
[   34.131432]  ? __sched_text_start+0x8/0x8
[   34.135572]  ? graph_lock+0x170/0x170
[   34.139363]  ? lock_downgrade+0x8f0/0x8f0
[   34.143516]  ? kasan_check_read+0x11/0x20
[   34.147652]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.152056]  ? lock_acquire+0x1e4/0x540
[   34.156021]  ? worker_thread+0x3dc/0x13c0
[   34.160158]  ? lock_downgrade+0x8f0/0x8f0
[   34.164294]  ? lock_release+0xa30/0xa30
[   34.168345]  ? kasan_check_read+0x11/0x20
[   34.172479]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.176875]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.181448]  ? kasan_check_write+0x14/0x20
[   34.185666]  ? do_raw_spin_lock+0xc1/0x200
[   34.189892]  worker_thread+0x189/0x13c0
[   34.193882]  ? process_one_work+0x1ba0/0x1ba0
[   34.198370]  ? graph_lock+0x170/0x170
[   34.202158]  ? graph_lock+0x170/0x170
[   34.205946]  ? find_held_lock+0x36/0x1c0
[   34.210005]  ? find_held_lock+0x36/0x1c0
[   34.214075]  ? kasan_check_read+0x11/0x20
[   34.218211]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.222627]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   34.227718]  ? __kthread_parkme+0x58/0x1b0
[   34.231957]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.236961]  ? trace_hardirqs_on+0xd/0x10
[   34.241099]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.246630]  ? __kthread_parkme+0x106/0x1b0
[   34.250942]  kthread+0x345/0x410
[   34.254297]  ? process_one_work+0x1ba0/0x1ba0
[   34.258776]  ? kthread_bind+0x40/0x40
[   34.262582]  ret_from_fork+0x3a/0x50
[   34.266287] 
[   34.267898] Allocated by task 4703:
[   34.271532]  save_stack+0x43/0xd0
[   34.274969]  kasan_kmalloc+0xc4/0xe0
[   34.278668]  kmem_cache_alloc_trace+0x152/0x780
[   34.283339]  p9_fd_create+0x1a7/0x3f0
[   34.287144]  p9_client_create+0x8ed/0x1770
[   34.291365]  v9fs_session_init+0x21a/0x1a80
[   34.295697]  v9fs_mount+0x7c/0x900
[   34.299227]  mount_fs+0xae/0x328
[   34.302580]  vfs_kern_mount.part.34+0xdc/0x4e0
[   34.307149]  do_mount+0x581/0x30e0
[   34.310677]  ksys_mount+0x12d/0x140
[   34.314293]  __x64_sys_mount+0xbe/0x150
[   34.318256]  do_syscall_64+0x1b9/0x820
[   34.322136]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.327304] 
[   34.328916] Freed by task 4703:
[   34.332182]  save_stack+0x43/0xd0
[   34.335635]  __kasan_slab_free+0x11a/0x170
[   34.339853]  kasan_slab_free+0xe/0x10
[   34.343637]  kfree+0xd9/0x260
[   34.346745]  p9_fd_close+0x416/0x5b0
[   34.350445]  p9_client_create+0xa9a/0x1770
[   34.354667]  v9fs_session_init+0x21a/0x1a80
[   34.358988]  v9fs_mount+0x7c/0x900
[   34.362515]  mount_fs+0xae/0x328
[   34.365881]  vfs_kern_mount.part.34+0xdc/0x4e0
[   34.370455]  do_mount+0x581/0x30e0
[   34.373998]  ksys_mount+0x12d/0x140
[   34.377638]  __x64_sys_mount+0xbe/0x150
[   34.382033]  do_syscall_64+0x1b9/0x820
[   34.385913]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.391082] 
[   34.392703] The buggy address belongs to the object at ffff8801d6f21a00
[   34.392703]  which belongs to the cache kmalloc-512 of size 512
[   34.405366] The buggy address is located 132 bytes inside of
[   34.405366]  512-byte region [ffff8801d6f21a00, ffff8801d6f21c00)
[   34.417239] The buggy address belongs to the page:
[   34.422175] page:ffffea00075bc840 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   34.430318] flags: 0x2fffc0000000100(slab)
[   34.434546] raw: 02fffc0000000100 ffffea00075b86c8 ffffea0006ae8248 ffff8801da800940
[   34.442418] raw: 0000000000000000 ffff8801d6f21000 0000000100000006 0000000000000000
[   34.450298] page dumped because: kasan: bad access detected
[   34.456000] 
[   34.457637] Memory state around the buggy address:
[   34.462552]  ffff8801d6f21980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.469911]  ffff8801d6f21a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.477259] >ffff8801d6f21a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.484597]                    ^
[   34.487962]  ffff8801d6f21b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.495321]  ffff8801d6f21b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.502659] ==================================================================
[   34.509997] Disabling lock debugging due to kernel taint
[   34.515829] Kernel panic - not syncing: panic_on_warn set ...
[   34.515829] 
[   34.523249] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G    B             4.18.0-rc6+ #160
[   34.531568] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.540943] Workqueue: events p9_poll_workfn
[   34.545377] Call Trace:
[   34.547967]  dump_stack+0x1c9/0x2b4
[   34.551603]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.556806]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.561567]  panic+0x238/0x4e7
[   34.564764]  ? add_taint.cold.5+0x16/0x16
[   34.573018]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.577437]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.581839]  ? p9_poll_workfn+0x660/0x6d0
[   34.585997]  kasan_end_report+0x47/0x4f
[   34.589987]  kasan_report.cold.7+0x76/0x2fe
[   34.594304]  __asan_report_load4_noabort+0x14/0x20
[   34.599229]  p9_poll_workfn+0x660/0x6d0
[   34.603213]  ? p9_read_work+0x1060/0x1060
[   34.607357]  ? graph_lock+0x170/0x170
[   34.611155]  ? lock_acquire+0x1e4/0x540
[   34.615134]  ? process_one_work+0xb9b/0x1ba0
[   34.619547]  ? kasan_check_read+0x11/0x20
[   34.623688]  ? __lock_is_held+0xb5/0x140
[   34.627748]  process_one_work+0xc73/0x1ba0
[   34.631969]  ? trace_hardirqs_on+0x10/0x10
[   34.636205]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   34.640870]  ? lock_repin_lock+0x430/0x430
[   34.645122]  ? __sched_text_start+0x8/0x8
[   34.649266]  ? graph_lock+0x170/0x170
[   34.653076]  ? lock_downgrade+0x8f0/0x8f0
[   34.657221]  ? kasan_check_read+0x11/0x20
[   34.661351]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.665746]  ? lock_acquire+0x1e4/0x540
[   34.669722]  ? worker_thread+0x3dc/0x13c0
[   34.673875]  ? lock_downgrade+0x8f0/0x8f0
[   34.678016]  ? lock_release+0xa30/0xa30
[   34.681985]  ? kasan_check_read+0x11/0x20
[   34.686128]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.690607]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.695182]  ? kasan_check_write+0x14/0x20
[   34.699422]  ? do_raw_spin_lock+0xc1/0x200
[   34.703643]  worker_thread+0x189/0x13c0
[   34.707605]  ? process_one_work+0x1ba0/0x1ba0
[   34.712111]  ? graph_lock+0x170/0x170
[   34.715911]  ? graph_lock+0x170/0x170
[   34.719703]  ? find_held_lock+0x36/0x1c0
[   34.723755]  ? find_held_lock+0x36/0x1c0
[   34.727805]  ? kasan_check_read+0x11/0x20
[   34.731935]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.736333]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   34.741433]  ? __kthread_parkme+0x58/0x1b0
[   34.745677]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.751239]  ? trace_hardirqs_on+0xd/0x10
[   34.755381]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.760902]  ? __kthread_parkme+0x106/0x1b0
[   34.765224]  kthread+0x345/0x410
[   34.768685]  ? process_one_work+0x1ba0/0x1ba0
[   34.773174]  ? kthread_bind+0x40/0x40
[   34.776979]  ret_from_fork+0x3a/0x50
[   34.781137] Dumping ftrace buffer:
[   34.784656]    (ftrace buffer empty)
[   34.788345] Kernel Offset: disabled
[   34.791952] Rebooting in 86400 seconds..