[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   24.904113] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.959658] random: sshd: uninitialized urandom read (32 bytes read)
[   29.249248] random: sshd: uninitialized urandom read (32 bytes read)
[   29.821011] random: sshd: uninitialized urandom read (32 bytes read)
[   46.289086] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   52.009792] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   52.123934] ==================================================================
[   52.131621] BUG: KASAN: double-free or invalid-free in p9stat_free+0x35/0x100
[   52.138884] 
[   52.140503] CPU: 0 PID: 4499 Comm: syz-executor922 Not tainted 4.18.0-next-20180824+ #47
[   52.148721] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.158072] Call Trace:
[   52.160650]  dump_stack+0x1c9/0x2b4
[   52.164267]  ? dump_stack_print_info.cold.2+0x52/0x52
[   52.169448]  ? printk+0xa7/0xcf
[   52.172719]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   52.177639]  ? p9stat_free+0x35/0x100
[   52.181424]  ? p9stat_free+0x35/0x100
[   52.185210]  print_address_description+0x6c/0x20b
[   52.190064]  ? p9stat_free+0x35/0x100
[   52.193855]  ? p9stat_free+0x35/0x100
[   52.197646]  kasan_report_invalid_free+0x64/0xa0
[   52.202395]  __kasan_slab_free+0x150/0x170
[   52.206618]  ? p9stat_free+0x35/0x100
[   52.210411]  kasan_slab_free+0xe/0x10
[   52.214208]  kfree+0xd9/0x210
[   52.217305]  p9stat_free+0x35/0x100
[   52.221065]  v9fs_dir_readdir+0x68e/0xbc0
[   52.225219]  ? v9fs_dir_release+0x60/0x60
[   52.229359]  ? lock_release+0x9f0/0x9f0
[   52.233322]  ? check_same_owner+0x340/0x340
[   52.237628]  ? fsnotify+0xbac/0x14e0
[   52.241338]  ? down_read_killable+0xb4/0x200
[   52.245734]  ? iterate_dir+0xce/0x5d0
[   52.249528]  ? fsnotify+0x14e0/0x14e0
[   52.253323]  ? security_file_permission+0x1ba/0x230
[   52.258438]  iterate_dir+0x48b/0x5d0
[   52.262145]  __x64_sys_getdents+0x29f/0x510
[   52.266461]  ? __ia32_sys_old_readdir+0x2c0/0x2c0
[   52.271304]  ? fillonedir+0x2a0/0x2a0
[   52.275095]  ? ksys_mount+0xa8/0x140
[   52.278802]  do_syscall_64+0x1b9/0x820
[   52.282674]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   52.288024]  ? syscall_return_slowpath+0x5e0/0x5e0
[   52.293041]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.297884]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   52.302890]  ? prepare_exit_to_usermode+0x291/0x3b0
[   52.307893]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.312727]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.317901] RIP: 0033:0x4406a9
[   52.322735] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   52.341635] RSP: 002b:00007fffc1b13808 EFLAGS: 00000217 ORIG_RAX: 000000000000004e
[   52.349387] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406a9
[   52.356656] RDX: 0000000000000008 RSI: 0000000020000180 RDI: 0000000000000005
[   52.364024] RBP: 64663d736e617274 R08: 0000000000401f30 R09: 0000000000401f30
[   52.371287] R10: 0000000000401f30 R11: 0000000000000217 R12: 0000000000401f30
[   52.378546] R13: 0000000000401fc0 R14: 0000000000000000 R15: 0000000000000000
[   52.385846] 
[   52.387462] Allocated by task 4499:
[   52.391129]  save_stack+0x43/0xd0
[   52.394582]  kasan_kmalloc+0xc4/0xe0
[   52.398281]  __kmalloc+0x14e/0x720
[   52.401997]  p9pdu_readf+0x526/0x2170
[   52.405789]  p9pdu_readf+0xd5c/0x2170
[   52.409614]  p9stat_read+0x194/0x5d0
[   52.413321]  v9fs_dir_readdir+0x63d/0xbc0
[   52.417460]  iterate_dir+0x48b/0x5d0
[   52.421174]  __x64_sys_getdents+0x29f/0x510
[   52.425483]  do_syscall_64+0x1b9/0x820
[   52.429360]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.434528] 
[   52.436143] Freed by task 4499:
[   52.439418]  save_stack+0x43/0xd0
[   52.442908]  __kasan_slab_free+0x11a/0x170
[   52.447190]  kasan_slab_free+0xe/0x10
[   52.450990]  kfree+0xd9/0x210
[   52.454080]  p9stat_free+0x35/0x100
[   52.457696]  p9pdu_readf+0xd90/0x2170
[   52.461484]  p9stat_read+0x194/0x5d0
[   52.465189]  v9fs_dir_readdir+0x63d/0xbc0
[   52.469324]  iterate_dir+0x48b/0x5d0
[   52.473208]  __x64_sys_getdents+0x29f/0x510
[   52.477641]  do_syscall_64+0x1b9/0x820
[   52.481520]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.486692] 
[   52.488309] The buggy address belongs to the object at ffff8801b3006700
[   52.488309]  which belongs to the cache kmalloc-32 of size 32
[   52.500790] The buggy address is located 0 bytes inside of
[   52.500790]  32-byte region [ffff8801b3006700, ffff8801b3006720)
[   52.512470] The buggy address belongs to the page:
[   52.517403] page:ffffea0006cc0180 count:1 mapcount:0 mapping:ffff8801dac001c0 index:0xffff8801b3006fc1
[   52.526845] flags: 0x2fffc0000000100(slab)
[   52.531092] raw: 02fffc0000000100 ffff8801dac01238 ffffea0006cc6548 ffff8801dac001c0
[   52.538962] raw: ffff8801b3006fc1 ffff8801b3006000 0000000100000037 0000000000000000
[   52.546833] page dumped because: kasan: bad access detected
[   52.552528] 
[   52.554140] Memory state around the buggy address:
[   52.559051]  ffff8801b3006600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.566407]  ffff8801b3006680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.573763] >ffff8801b3006700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.581108]                    ^
[   52.584458]  ffff8801b3006780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.591803]  ffff8801b3006800: fb fb fb fb fc fc fc fc 05 fc fc fc fc fc fc fc
[   52.599145] ==================================================================
[   52.606488] Disabling lock debugging due to kernel taint
[   52.611922] Kernel panic - not syncing: panic_on_warn set ...
[   52.611922] 
[   52.619278] CPU: 0 PID: 4499 Comm: syz-executor922 Tainted: G    B             4.18.0-next-20180824+ #47
[   52.628880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.638227] Call Trace:
[   52.640803]  dump_stack+0x1c9/0x2b4
[   52.644425]  ? dump_stack_print_info.cold.2+0x52/0x52
[   52.649600]  ? lock_downgrade+0x8f0/0x8f0
[   52.653838]  ? p9_idpool_get+0x70/0x70
[   52.657712]  panic+0x238/0x4e7
[   52.660886]  ? add_taint.cold.5+0x16/0x16
[   52.665021]  ? add_taint.cold.5+0x5/0x16
[   52.669071]  ? trace_hardirqs_off+0xaf/0x2b0
[   52.673465]  ? trace_hardirqs_off+0x77/0x2b0
[   52.679431]  ? p9stat_free+0x35/0x100
[   52.683226]  ? p9stat_free+0x35/0x100
[   52.687015]  kasan_end_report+0x47/0x4f
[   52.690978]  kasan_report_invalid_free+0x81/0xa0
[   52.695728]  __kasan_slab_free+0x150/0x170
[   52.699951]  ? p9stat_free+0x35/0x100
[   52.703740]  kasan_slab_free+0xe/0x10
[   52.707537]  kfree+0xd9/0x210
[   52.710637]  p9stat_free+0x35/0x100
[   52.714264]  v9fs_dir_readdir+0x68e/0xbc0
[   52.718403]  ? v9fs_dir_release+0x60/0x60
[   52.722542]  ? lock_release+0x9f0/0x9f0
[   52.726505]  ? check_same_owner+0x340/0x340
[   52.730816]  ? fsnotify+0xbac/0x14e0
[   52.734582]  ? down_read_killable+0xb4/0x200
[   52.739147]  ? iterate_dir+0xce/0x5d0
[   52.742943]  ? fsnotify+0x14e0/0x14e0
[   52.746736]  ? security_file_permission+0x1ba/0x230
[   52.751826]  iterate_dir+0x48b/0x5d0
[   52.755525]  __x64_sys_getdents+0x29f/0x510
[   52.759840]  ? __ia32_sys_old_readdir+0x2c0/0x2c0
[   52.764677]  ? fillonedir+0x2a0/0x2a0
[   52.768645]  ? ksys_mount+0xa8/0x140
[   52.772350]  do_syscall_64+0x1b9/0x820
[   52.776227]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   52.781591]  ? syscall_return_slowpath+0x5e0/0x5e0
[   52.786511]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.791339]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   52.796345]  ? prepare_exit_to_usermode+0x291/0x3b0
[   52.801352]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.806243]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.811439] RIP: 0033:0x4406a9
[   52.814623] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   52.833622] RSP: 002b:00007fffc1b13808 EFLAGS: 00000217 ORIG_RAX: 000000000000004e
[   52.841363] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406a9
[   52.848671] RDX: 0000000000000008 RSI: 0000000020000180 RDI: 0000000000000005
[   52.855929] RBP: 64663d736e617274 R08: 0000000000401f30 R09: 0000000000401f30
[   52.864671] R10: 0000000000401f30 R11: 0000000000000217 R12: 0000000000401f30
[   52.871933] R13: 0000000000401fc0 R14: 0000000000000000 R15: 0000000000000000
[   52.879539] Dumping ftrace buffer:
[   52.883074]    (ftrace buffer empty)
[   52.886808] Kernel Offset: disabled
[   52.890432] Rebooting in 86400 seconds..