[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 22.681431] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.367985] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.810953] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.382191] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.554271] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
[ 33.066516] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.164681] ==================================================================
[ 33.172143] BUG: KASAN: double-free or invalid-free in p9stat_free+0x35/0x100
[ 33.179406] 
[ 33.181037] CPU: 0 PID: 4442 Comm: syz-executor725 Not tainted 4.18.0+ #209
[ 33.188129] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.197474] Call Trace:
[ 33.200056]  dump_stack+0x1c9/0x2b4
[ 33.203671]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.208846]  ? printk+0xa7/0xcf
[ 33.212112]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.216855]  ? p9stat_free+0x35/0x100
[ 33.220698]  ? p9stat_free+0x35/0x100
[ 33.224489]  print_address_description+0x6c/0x20b
[ 33.229319]  ? p9stat_free+0x35/0x100
[ 33.233106]  ? p9stat_free+0x35/0x100
[ 33.236894]  kasan_report_invalid_free+0x64/0xa0
[ 33.241639]  __kasan_slab_free+0x150/0x170
[ 33.245863]  ? p9stat_free+0x35/0x100
[ 33.249652]  kasan_slab_free+0xe/0x10
[ 33.253439]  kfree+0xd9/0x210
[ 33.256556]  p9stat_free+0x35/0x100
[ 33.260183]  v9fs_dir_readdir+0x68e/0xbc0
[ 33.264327]  ? v9fs_dir_release+0x60/0x60
[ 33.268463]  ? lock_release+0x9f0/0x9f0
[ 33.272434]  ? check_same_owner+0x340/0x340
[ 33.276762]  ? fsnotify+0xbac/0x14e0
[ 33.280473]  ? down_read_killable+0xb4/0x200
[ 33.284866]  ? iterate_dir+0xce/0x5d0
[ 33.288652]  ? fsnotify+0x14e0/0x14e0
[ 33.292446]  ? security_file_permission+0x1ba/0x230
[ 33.297453]  iterate_dir+0x48b/0x5d0
[ 33.301167]  __x64_sys_getdents+0x29f/0x510
[ 33.305488]  ? __ia32_sys_old_readdir+0x2c0/0x2c0
[ 33.310316]  ? fillonedir+0x2a0/0x2a0
[ 33.314105]  ? ksys_mount+0xa8/0x140
[ 33.317811]  do_syscall_64+0x1b9/0x820
[ 33.321689]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.327047]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 33.331962]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.336796]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 33.341798]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 33.346801]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 33.351807]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.356663]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.361839] RIP: 0033:0x4406a9
[ 33.365033] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 33.383941] RSP: 002b:00007fffc67864f8 EFLAGS: 00000217 ORIG_RAX: 000000000000004e
[ 33.391638] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406a9
[ 33.398891] RDX: 0000000000000008 RSI: 0000000020000180 RDI: 0000000000000005
[ 33.406147] RBP: 64663d736e617274 R08: 0000000000401f30 R09: 0000000000401f30
[ 33.413417] R10: 0000000000401f30 R11: 0000000000000217 R12: 0000000000401f30
[ 33.420674] R13: 0000000000401fc0 R14: 0000000000000000 R15: 0000000000000000
[ 33.427939] 
[ 33.429550] Allocated by task 4442:
[ 33.433173]  save_stack+0x43/0xd0
[ 33.436611]  kasan_kmalloc+0xc4/0xe0
[ 33.440308]  __kmalloc+0x14e/0x720
[ 33.443836]  p9pdu_readf+0x526/0x2170
[ 33.447623]  p9pdu_readf+0xd5c/0x2170
[ 33.451419]  p9stat_read+0x194/0x5d0
[ 33.455119]  v9fs_dir_readdir+0x63d/0xbc0
[ 33.459275]  iterate_dir+0x48b/0x5d0
[ 33.462975]  __x64_sys_getdents+0x29f/0x510
[ 33.467322]  do_syscall_64+0x1b9/0x820
[ 33.471199]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.476366] 
[ 33.477983] Freed by task 4442:
[ 33.481261]  save_stack+0x43/0xd0
[ 33.484703]  __kasan_slab_free+0x11a/0x170
[ 33.488924]  kasan_slab_free+0xe/0x10
[ 33.492707]  kfree+0xd9/0x210
[ 33.495800]  p9stat_free+0x35/0x100
[ 33.499410]  p9pdu_readf+0xd90/0x2170
[ 33.503227]  p9stat_read+0x194/0x5d0
[ 33.506928]  v9fs_dir_readdir+0x63d/0xbc0
[ 33.511063]  iterate_dir+0x48b/0x5d0
[ 33.514762]  __x64_sys_getdents+0x29f/0x510
[ 33.519071]  do_syscall_64+0x1b9/0x820
[ 33.522947]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.528114] 
[ 33.529728] The buggy address belongs to the object at ffff8801d7975500
[ 33.529728]  which belongs to the cache kmalloc-32 of size 32
[ 33.542194] The buggy address is located 0 bytes inside of
[ 33.542194]  32-byte region [ffff8801d7975500, ffff8801d7975520)
[ 33.553808] The buggy address belongs to the page:
[ 33.558726] page:ffffea00075e5d40 count:1 mapcount:0 mapping:ffff8801dac001c0 index:0xffff8801d7975fc1
[ 33.568182] flags: 0x2fffc0000000100(slab)
[ 33.572404] raw: 02fffc0000000100 ffffea00075e6408 ffffea0006c2f848 ffff8801dac001c0
[ 33.580279] raw: ffff8801d7975fc1 ffff8801d7975000 000000010000002d 0000000000000000
[ 33.588139] page dumped because: kasan: bad access detected
[ 33.593836] 
[ 33.595446] Memory state around the buggy address:
[ 33.600357]  ffff8801d7975400: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.607699]  ffff8801d7975480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.615048] >ffff8801d7975500: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.622386]                    ^
[ 33.625738]  ffff8801d7975580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.633085]  ffff8801d7975600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 33.640425] ==================================================================
[ 33.647764] Disabling lock debugging due to kernel taint
[ 33.653193] Kernel panic - not syncing: panic_on_warn set ...
[ 33.653193] 
[ 33.660539] CPU: 0 PID: 4442 Comm: syz-executor725 Tainted: G B 4.18.0+ #209
[ 33.669013] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.678360] Call Trace:
[ 33.680935]  dump_stack+0x1c9/0x2b4
[ 33.684549]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.689723]  ? lock_downgrade+0x8f0/0x8f0
[ 33.693857]  ? p9_idpool_get+0x60/0x70
[ 33.697728]  panic+0x238/0x4e7
[ 33.700902]  ? add_taint.cold.5+0x16/0x16
[ 33.705043]  ? add_taint.cold.5+0x5/0x16
[ 33.709095]  ? trace_hardirqs_off+0xaf/0x2b0
[ 33.713486]  ? trace_hardirqs_off+0x77/0x2b0
[ 33.717880]  ? p9stat_free+0x35/0x100
[ 33.721662]  ? p9stat_free+0x35/0x100
[ 33.725450]  kasan_end_report+0x47/0x4f
[ 33.731237]  kasan_report_invalid_free+0x81/0xa0
[ 33.735977]  __kasan_slab_free+0x150/0x170
[ 33.740207]  ? p9stat_free+0x35/0x100
[ 33.744003]  kasan_slab_free+0xe/0x10
[ 33.747796]  kfree+0xd9/0x210
[ 33.750906]  p9stat_free+0x35/0x100
[ 33.754523]  v9fs_dir_readdir+0x68e/0xbc0
[ 33.758660]  ? v9fs_dir_release+0x60/0x60
[ 33.762794]  ? lock_release+0x9f0/0x9f0
[ 33.766754]  ? check_same_owner+0x340/0x340
[ 33.771061]  ? fsnotify+0xbac/0x14e0
[ 33.774764]  ? down_read_killable+0xb4/0x200
[ 33.779163]  ? iterate_dir+0xce/0x5d0
[ 33.782957]  ? fsnotify+0x14e0/0x14e0
[ 33.786747]  ? security_file_permission+0x1ba/0x230
[ 33.791750]  iterate_dir+0x48b/0x5d0
[ 33.795449]  __x64_sys_getdents+0x29f/0x510
[ 33.799756]  ? __ia32_sys_old_readdir+0x2c0/0x2c0
[ 33.804581]  ? fillonedir+0x2a0/0x2a0
[ 33.808367]  ? ksys_mount+0xa8/0x140
[ 33.812069]  do_syscall_64+0x1b9/0x820
[ 33.815941]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.821291]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 33.826204]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.831036]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 33.836041]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 33.841048]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 33.846055]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.850884]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.856056] RIP: 0033:0x4406a9
[ 33.859233] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 33.878116] RSP: 002b:00007fffc67864f8 EFLAGS: 00000217 ORIG_RAX: 000000000000004e
[ 33.885807] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406a9
[ 33.893061] RDX: 0000000000000008 RSI: 0000000020000180 RDI: 0000000000000005
[ 33.900314] RBP: 64663d736e617274 R08: 0000000000401f30 R09: 0000000000401f30
[ 33.907567] R10: 0000000000401f30 R11: 0000000000000217 R12: 0000000000401f30
[ 33.914819] R13: 0000000000401fc0 R14: 0000000000000000 R15: 0000000000000000
[ 33.922456] Dumping ftrace buffer:
[ 33.925988]    (ftrace buffer empty)
[ 33.929679] Kernel Offset: disabled
[ 33.933289] Rebooting in 86400 seconds..