[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   24.904113] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.959658] random: sshd: uninitialized urandom read (32 bytes read)
[   29.249248] random: sshd: uninitialized urandom read (32 bytes read)
[   29.821011] random: sshd: uninitialized urandom read (32 bytes read)
[   46.289086] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts.
[   52.009792] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   52.123934] ==================================================================
[   52.131621] BUG: KASAN: double-free or invalid-free in p9stat_free+0x35/0x100
[   52.138884]
[   52.140503] CPU: 0 PID: 4499 Comm: syz-executor922 Not tainted 4.18.0-next-20180824+ #47
[   52.148721] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.158072] Call Trace:
[   52.160650]  dump_stack+0x1c9/0x2b4
[   52.164267]  ? dump_stack_print_info.cold.2+0x52/0x52
[   52.169448]  ? printk+0xa7/0xcf
[   52.172719]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   52.177639]  ? p9stat_free+0x35/0x100
[   52.181424]  ? p9stat_free+0x35/0x100
[   52.185210]  print_address_description+0x6c/0x20b
[   52.190064]  ? p9stat_free+0x35/0x100
[   52.193855]  ? p9stat_free+0x35/0x100
[   52.197646]  kasan_report_invalid_free+0x64/0xa0
[   52.202395]  __kasan_slab_free+0x150/0x170
[   52.206618]  ? p9stat_free+0x35/0x100
[   52.210411]  kasan_slab_free+0xe/0x10
[   52.214208]  kfree+0xd9/0x210
[   52.217305]  p9stat_free+0x35/0x100
[   52.221065]  v9fs_dir_readdir+0x68e/0xbc0
[   52.225219]  ? v9fs_dir_release+0x60/0x60
[   52.229359]  ? lock_release+0x9f0/0x9f0
[   52.233322]  ? check_same_owner+0x340/0x340
[   52.237628]  ? fsnotify+0xbac/0x14e0
[   52.241338]  ? down_read_killable+0xb4/0x200
[   52.245734]  ? iterate_dir+0xce/0x5d0
[   52.249528]  ? fsnotify+0x14e0/0x14e0
[   52.253323]  ? security_file_permission+0x1ba/0x230
[   52.258438]  iterate_dir+0x48b/0x5d0
[   52.262145]  __x64_sys_getdents+0x29f/0x510
[   52.266461]  ? __ia32_sys_old_readdir+0x2c0/0x2c0
[   52.271304]  ? fillonedir+0x2a0/0x2a0
[   52.275095]  ? ksys_mount+0xa8/0x140
[   52.278802]  do_syscall_64+0x1b9/0x820
[   52.282674]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   52.288024]  ? syscall_return_slowpath+0x5e0/0x5e0
[   52.293041]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.297884]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   52.302890]  ? prepare_exit_to_usermode+0x291/0x3b0
[   52.307893]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.312727]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.317901] RIP: 0033:0x4406a9
[   52.322735] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   52.341635] RSP: 002b:00007fffc1b13808 EFLAGS: 00000217 ORIG_RAX: 000000000000004e
[   52.349387] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406a9
[   52.356656] RDX: 0000000000000008 RSI: 0000000020000180 RDI: 0000000000000005
[   52.364024] RBP: 64663d736e617274 R08: 0000000000401f30 R09: 0000000000401f30
[   52.371287] R10: 0000000000401f30 R11: 0000000000000217 R12: 0000000000401f30
[   52.378546] R13: 0000000000401fc0 R14: 0000000000000000 R15: 0000000000000000
[   52.385846]
[   52.387462] Allocated by task 4499:
[   52.391129]  save_stack+0x43/0xd0
[   52.394582]  kasan_kmalloc+0xc4/0xe0
[   52.398281]  __kmalloc+0x14e/0x720
[   52.401997]  p9pdu_readf+0x526/0x2170
[   52.405789]  p9pdu_readf+0xd5c/0x2170
[   52.409614]  p9stat_read+0x194/0x5d0
[   52.413321]  v9fs_dir_readdir+0x63d/0xbc0
[   52.417460]  iterate_dir+0x48b/0x5d0
[   52.421174]  __x64_sys_getdents+0x29f/0x510
[   52.425483]  do_syscall_64+0x1b9/0x820
[   52.429360]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.434528]
[   52.436143] Freed by task 4499:
[   52.439418]  save_stack+0x43/0xd0
[   52.442908]  __kasan_slab_free+0x11a/0x170
[   52.447190]  kasan_slab_free+0xe/0x10
[   52.450990]  kfree+0xd9/0x210
[   52.454080]  p9stat_free+0x35/0x100
[   52.457696]  p9pdu_readf+0xd90/0x2170
[   52.461484]  p9stat_read+0x194/0x5d0
[   52.465189]  v9fs_dir_readdir+0x63d/0xbc0
[   52.469324]  iterate_dir+0x48b/0x5d0
[   52.473208]  __x64_sys_getdents+0x29f/0x510
[   52.477641]  do_syscall_64+0x1b9/0x820
[   52.481520]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.486692]
[   52.488309] The buggy address belongs to the object at ffff8801b3006700
[   52.488309]  which belongs to the cache kmalloc-32 of size 32
[   52.500790] The buggy address is located 0 bytes inside of
[   52.500790]  32-byte region [ffff8801b3006700, ffff8801b3006720)
[   52.512470] The buggy address belongs to the page:
[   52.517403] page:ffffea0006cc0180 count:1 mapcount:0 mapping:ffff8801dac001c0 index:0xffff8801b3006fc1
[   52.526845] flags: 0x2fffc0000000100(slab)
[   52.531092] raw: 02fffc0000000100 ffff8801dac01238 ffffea0006cc6548 ffff8801dac001c0
[   52.538962] raw: ffff8801b3006fc1 ffff8801b3006000 0000000100000037 0000000000000000
[   52.546833] page dumped because: kasan: bad access detected
[   52.552528]
[   52.554140] Memory state around the buggy address:
[   52.559051]  ffff8801b3006600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.566407]  ffff8801b3006680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.573763] >ffff8801b3006700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.581108]                    ^
[   52.584458]  ffff8801b3006780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   52.591803]  ffff8801b3006800: fb fb fb fb fc fc fc fc 05 fc fc fc fc fc fc fc
[   52.599145] ==================================================================
[   52.606488] Disabling lock debugging due to kernel taint
[   52.611922] Kernel panic - not syncing: panic_on_warn set ...
[   52.611922]
[   52.619278] CPU: 0 PID: 4499 Comm: syz-executor922 Tainted: G    B 4.18.0-next-20180824+ #47
[   52.628880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.638227] Call Trace:
[   52.640803]  dump_stack+0x1c9/0x2b4
[   52.644425]  ? dump_stack_print_info.cold.2+0x52/0x52
[   52.649600]  ? lock_downgrade+0x8f0/0x8f0
[   52.653838]  ? p9_idpool_get+0x70/0x70
[   52.657712]  panic+0x238/0x4e7
[   52.660886]  ? add_taint.cold.5+0x16/0x16
[   52.665021]  ? add_taint.cold.5+0x5/0x16
[   52.669071]  ? trace_hardirqs_off+0xaf/0x2b0
[   52.673465]  ? trace_hardirqs_off+0x77/0x2b0
[   52.679431]  ? p9stat_free+0x35/0x100
[   52.683226]  ? p9stat_free+0x35/0x100
[   52.687015]  kasan_end_report+0x47/0x4f
[   52.690978]  kasan_report_invalid_free+0x81/0xa0
[   52.695728]  __kasan_slab_free+0x150/0x170
[   52.699951]  ? p9stat_free+0x35/0x100
[   52.703740]  kasan_slab_free+0xe/0x10
[   52.707537]  kfree+0xd9/0x210
[   52.710637]  p9stat_free+0x35/0x100
[   52.714264]  v9fs_dir_readdir+0x68e/0xbc0
[   52.718403]  ? v9fs_dir_release+0x60/0x60
[   52.722542]  ? lock_release+0x9f0/0x9f0
[   52.726505]  ? check_same_owner+0x340/0x340
[   52.730816]  ? fsnotify+0xbac/0x14e0
[   52.734582]  ? down_read_killable+0xb4/0x200
[   52.739147]  ? iterate_dir+0xce/0x5d0
[   52.742943]  ? fsnotify+0x14e0/0x14e0
[   52.746736]  ? security_file_permission+0x1ba/0x230
[   52.751826]  iterate_dir+0x48b/0x5d0
[   52.755525]  __x64_sys_getdents+0x29f/0x510
[   52.759840]  ? __ia32_sys_old_readdir+0x2c0/0x2c0
[   52.764677]  ? fillonedir+0x2a0/0x2a0
[   52.768645]  ? ksys_mount+0xa8/0x140
[   52.772350]  do_syscall_64+0x1b9/0x820
[   52.776227]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   52.781591]  ? syscall_return_slowpath+0x5e0/0x5e0
[   52.786511]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.791339]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   52.796345]  ? prepare_exit_to_usermode+0x291/0x3b0
[   52.801352]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.806243]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.811439] RIP: 0033:0x4406a9
[   52.814623] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   52.833622] RSP: 002b:00007fffc1b13808 EFLAGS: 00000217 ORIG_RAX: 000000000000004e
[   52.841363] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406a9
[   52.848671] RDX: 0000000000000008 RSI: 0000000020000180 RDI: 0000000000000005
[   52.855929] RBP: 64663d736e617274 R08: 0000000000401f30 R09: 0000000000401f30
[   52.864671] R10: 0000000000401f30 R11: 0000000000000217 R12: 0000000000401f30
[   52.871933] R13: 0000000000401fc0 R14: 0000000000000000 R15: 0000000000000000
[   52.879539] Dumping ftrace buffer:
[   52.883074]    (ftrace buffer empty)
[   52.886808] Kernel Offset: disabled
[   52.890432] Rebooting in 86400 seconds..