[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.614564] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.362508] random: sshd: uninitialized urandom read (32 bytes read)
[   23.775216] random: sshd: uninitialized urandom read (32 bytes read)
[   24.738272] random: sshd: uninitialized urandom read (32 bytes read)
[   24.898300] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts.
[   30.327966] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/23 04:16:44 parsed 1 programs
[   31.451710] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/23 04:16:46 executed programs: 0
[   32.611858] IPVS: ftp: loaded support on port[0] = 21
[   32.613884] IPVS: ftp: loaded support on port[0] = 21
[   32.624260] IPVS: ftp: loaded support on port[0] = 21
[   32.661466] IPVS: ftp: loaded support on port[0] = 21
[   32.664277] IPVS: ftp: loaded support on port[0] = 21
[   32.670582] IPVS: ftp: loaded support on port[0] = 21
[   32.672650] IPVS: ftp: loaded support on port[0] = 21
[   32.690712] IPVS: ftp: loaded support on port[0] = 21
[   33.075696] ip (4670) used greatest stack depth: 17128 bytes left
[   33.990814] ==================================================================
[   33.998275] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   34.004754] Read of size 4 at addr ffff8801d3cde604 by task kworker/1:2/2131
[   34.011916] 
[   34.013536] CPU: 1 PID: 2131 Comm: kworker/1:2 Not tainted 4.18.0-rc6+ #160
[   34.020618] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.029969] Workqueue: events p9_poll_workfn
[   34.034371] Call Trace:
[   34.036943]  dump_stack+0x1c9/0x2b4
[   34.040556]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.045731]  ? printk+0xa7/0xcf
[   34.049000]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.053750]  ? p9_poll_workfn+0x660/0x6d0
[   34.057886]  print_address_description+0x6c/0x20b
[   34.062712]  ? p9_poll_workfn+0x660/0x6d0
[   34.066844]  kasan_report.cold.7+0x242/0x2fe
[   34.071243]  __asan_report_load4_noabort+0x14/0x20
[   34.076165]  p9_poll_workfn+0x660/0x6d0
[   34.080217]  ? p9_read_work+0x1060/0x1060
[   34.084360]  ? graph_lock+0x170/0x170
[   34.088145]  ? lock_acquire+0x1e4/0x540
[   34.092103]  ? process_one_work+0xb9b/0x1ba0
[   34.096500]  ? kasan_check_read+0x11/0x20
[   34.100635]  ? __lock_is_held+0xb5/0x140
[   34.104691]  process_one_work+0xc73/0x1ba0
[   34.108910]  ? trace_hardirqs_on+0x10/0x10
[   34.113142]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   34.117795]  ? lock_repin_lock+0x430/0x430
[   34.122032]  ? __sched_text_start+0x8/0x8
[   34.126167]  ? lock_downgrade+0x8f0/0x8f0
[   34.130303]  ? graph_lock+0x170/0x170
[   34.134103]  ? lock_acquire+0x1e4/0x540
[   34.138067]  ? worker_thread+0x3dc/0x13c0
[   34.142204]  ? lock_downgrade+0x8f0/0x8f0
[   34.146339]  ? lock_release+0xa30/0xa30
[   34.150308]  ? kasan_check_read+0x11/0x20
[   34.154447]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.158859]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.163427]  ? kasan_check_write+0x14/0x20
[   34.167643]  ? do_raw_spin_lock+0xc1/0x200
[   34.171875]  worker_thread+0x189/0x13c0
[   34.175852]  ? process_one_work+0x1ba0/0x1ba0
[   34.180335]  ? graph_lock+0x170/0x170
[   34.184120]  ? graph_lock+0x170/0x170
[   34.188000]  ? find_held_lock+0x36/0x1c0
[   34.192056]  ? lock_downgrade+0x8f0/0x8f0
[   34.196193]  ? kasan_check_read+0x11/0x20
[   34.200322]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.204717]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   34.209804]  ? __kthread_parkme+0x58/0x1b0
[   34.214032]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.219036]  ? trace_hardirqs_on+0xd/0x10
[   34.223173]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.228695]  ? __kthread_parkme+0x106/0x1b0
[   34.233005]  kthread+0x345/0x410
[   34.236362]  ? process_one_work+0x1ba0/0x1ba0
[   34.240852]  ? kthread_bind+0x40/0x40
[   34.244648]  ret_from_fork+0x3a/0x50
[   34.248354] 
[   34.249965] Allocated by task 4760:
[   34.253586]  save_stack+0x43/0xd0
[   34.257027]  kasan_kmalloc+0xc4/0xe0
[   34.260723]  kmem_cache_alloc_trace+0x152/0x780
[   34.265377]  p9_fd_create+0x1a7/0x3f0
[   34.269160]  p9_client_create+0x8ed/0x1770
[   34.273379]  v9fs_session_init+0x21a/0x1a80
[   34.277692]  v9fs_mount+0x7c/0x900
[   34.281216]  mount_fs+0xae/0x328
[   34.284564]  vfs_kern_mount.part.34+0xdc/0x4e0
[   34.289131]  do_mount+0x581/0x30e0
[   34.292654]  ksys_mount+0x12d/0x140
[   34.296261]  __x64_sys_mount+0xbe/0x150
[   34.300233]  do_syscall_64+0x1b9/0x820
[   34.304196]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.309363] 
[   34.310991] Freed by task 4760:
[   34.314256]  save_stack+0x43/0xd0
[   34.317693]  __kasan_slab_free+0x11a/0x170
[   34.321926]  kasan_slab_free+0xe/0x10
[   34.325709]  kfree+0xd9/0x260
[   34.328803]  p9_fd_close+0x416/0x5b0
[   34.332502]  p9_client_create+0xa9a/0x1770
[   34.336739]  v9fs_session_init+0x21a/0x1a80
[   34.341047]  v9fs_mount+0x7c/0x900
[   34.344585]  mount_fs+0xae/0x328
[   34.347935]  vfs_kern_mount.part.34+0xdc/0x4e0
[   34.352680]  do_mount+0x581/0x30e0
[   34.356204]  ksys_mount+0x12d/0x140
[   34.359815]  __x64_sys_mount+0xbe/0x150
[   34.363773]  do_syscall_64+0x1b9/0x820
[   34.367657]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.372831] 
[   34.374447] The buggy address belongs to the object at ffff8801d3cde580
[   34.374447]  which belongs to the cache kmalloc-512 of size 512
[   34.387092] The buggy address is located 132 bytes inside of
[   34.387092]  512-byte region [ffff8801d3cde580, ffff8801d3cde780)
[   34.398961] The buggy address belongs to the page:
[   34.404056] page:ffffea00074f3780 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   34.412183] flags: 0x2fffc0000000100(slab)
[   34.416405] raw: 02fffc0000000100 ffffea00074f3748 ffffea00074f3808 ffff8801da800940
[   34.424281] raw: 0000000000000000 ffff8801d3cde080 0000000100000006 0000000000000000
[   34.432142] page dumped because: kasan: bad access detected
[   34.437827] 
[   34.439436] Memory state around the buggy address:
[   34.444351]  ffff8801d3cde500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.451696]  ffff8801d3cde580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.459044] >ffff8801d3cde600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.466383]                    ^
[   34.469733]  ffff8801d3cde680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.477083]  ffff8801d3cde700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.484424] ==================================================================
[   34.491760] Disabling lock debugging due to kernel taint
[   34.497497] Kernel panic - not syncing: panic_on_warn set ...
[   34.497497] 
[   34.505055] CPU: 1 PID: 2131 Comm: kworker/1:2 Tainted: G    B 4.18.0-rc6+ #160
[   34.513543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.523013] Workqueue: events p9_poll_workfn
[   34.527423] Call Trace:
[   34.530020]  dump_stack+0x1c9/0x2b4
[   34.533653]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.538854]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.543625]  panic+0x238/0x4e7
[   34.546830]  ? add_taint.cold.5+0x16/0x16
[   34.550989]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.555404]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.559818]  ? p9_poll_workfn+0x660/0x6d0
[   34.563966]  kasan_end_report+0x47/0x4f
[   34.567923]  kasan_report.cold.7+0x76/0x2fe
[   34.572239]  __asan_report_load4_noabort+0x14/0x20
[   34.577163]  p9_poll_workfn+0x660/0x6d0
[   34.581132]  ? p9_read_work+0x1060/0x1060
[   34.585358]  ? graph_lock+0x170/0x170
[   34.589160]  ? lock_acquire+0x1e4/0x540
[   34.593124]  ? process_one_work+0xb9b/0x1ba0
[   34.597516]  ? kasan_check_read+0x11/0x20
[   34.601652]  ? __lock_is_held+0xb5/0x140
[   34.605704]  process_one_work+0xc73/0x1ba0
[   34.609928]  ? trace_hardirqs_on+0x10/0x10
[   34.614165]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   34.618834]  ? lock_repin_lock+0x430/0x430
[   34.623087]  ? __sched_text_start+0x8/0x8
[   34.627269]  ? lock_downgrade+0x8f0/0x8f0
[   34.631401]  ? graph_lock+0x170/0x170
[   34.635193]  ? lock_acquire+0x1e4/0x540
[   34.639158]  ? worker_thread+0x3dc/0x13c0
[   34.648423]  ? lock_downgrade+0x8f0/0x8f0
[   34.652566]  ? lock_release+0xa30/0xa30
[   34.656534]  ? kasan_check_read+0x11/0x20
[   34.660669]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.665066]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.669634]  ? kasan_check_write+0x14/0x20
[   34.673852]  ? do_raw_spin_lock+0xc1/0x200
[   34.678073]  worker_thread+0x189/0x13c0
[   34.682044]  ? process_one_work+0x1ba0/0x1ba0
[   34.686538]  ? graph_lock+0x170/0x170
[   34.690334]  ? graph_lock+0x170/0x170
[   34.694132]  ? find_held_lock+0x36/0x1c0
[   34.698196]  ? lock_downgrade+0x8f0/0x8f0
[   34.702333]  ? kasan_check_read+0x11/0x20
[   34.706469]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.710865]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   34.715969]  ? __kthread_parkme+0x58/0x1b0
[   34.720192]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   34.725195]  ? trace_hardirqs_on+0xd/0x10
[   34.729330]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.734853]  ? __kthread_parkme+0x106/0x1b0
[   34.739171]  kthread+0x345/0x410
[   34.742531]  ? process_one_work+0x1ba0/0x1ba0
[   34.747030]  ? kthread_bind+0x40/0x40
[   34.750816]  ret_from_fork+0x3a/0x50
[   34.755045] Dumping ftrace buffer:
[   34.758578]    (ftrace buffer empty)
[   34.762272] Kernel Offset: disabled
[   34.765880] Rebooting in 86400 seconds..