[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.079068] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.941846] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.344555] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.231250] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.391130] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
[ 30.817488] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 31.264238] ==================================================================
[ 31.271746] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[ 31.278225] Read of size 4 at addr ffff8801d0363084 by task kworker/0:1/25
[ 31.285214]
[ 31.287207] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.18.0-rc5+ #157
[ 31.294113] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.303459] Workqueue: events p9_poll_workfn
[ 31.307850] Call Trace:
[ 31.310423]  dump_stack+0x1c9/0x2b4
[ 31.314040]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.319217]  ? printk+0xa7/0xcf
[ 31.322496]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.327250]  ? p9_poll_workfn+0x660/0x6d0
[ 31.331383]  print_address_description+0x6c/0x20b
[ 31.336238]  ? p9_poll_workfn+0x660/0x6d0
[ 31.340370]  kasan_report.cold.7+0x242/0x2fe
[ 31.344768]  __asan_report_load4_noabort+0x14/0x20
[ 31.349680]  p9_poll_workfn+0x660/0x6d0
[ 31.353644]  ? p9_read_work+0x1060/0x1060
[ 31.357778]  ? graph_lock+0x170/0x170
[ 31.361563]  ? lock_acquire+0x1e4/0x540
[ 31.365521]  ? process_one_work+0xb9b/0x1ba0
[ 31.369913]  ? kasan_check_read+0x11/0x20
[ 31.374052]  ? __lock_is_held+0xb5/0x140
[ 31.378106]  process_one_work+0xc73/0x1ba0
[ 31.382326]  ? trace_hardirqs_on+0x10/0x10
[ 31.386556]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.391222]  ? lock_repin_lock+0x430/0x430
[ 31.395455]  ? __sched_text_start+0x8/0x8
[ 31.399591]  ? graph_lock+0x170/0x170
[ 31.403398]  ? lock_downgrade+0x8f0/0x8f0
[ 31.407537]  ? kasan_check_read+0x11/0x20
[ 31.411668]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.416072]  ? lock_acquire+0x1e4/0x540
[ 31.420031]  ? worker_thread+0x3dc/0x13c0
[ 31.424176]  ? lock_downgrade+0x8f0/0x8f0
[ 31.428318]  ? lock_release+0xa30/0xa30
[ 31.432281]  ? kasan_check_read+0x11/0x20
[ 31.436424]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.440820]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.445387]  ? kasan_check_write+0x14/0x20
[ 31.449606]  ? do_raw_spin_lock+0xc1/0x200
[ 31.453830]  worker_thread+0x189/0x13c0
[ 31.457809]  ? process_one_work+0x1ba0/0x1ba0
[ 31.462291]  ? graph_lock+0x170/0x170
[ 31.466079]  ? graph_lock+0x170/0x170
[ 31.469866]  ? find_held_lock+0x36/0x1c0
[ 31.473917]  ? find_held_lock+0x36/0x1c0
[ 31.478074]  ? lock_downgrade+0x8f0/0x8f0
[ 31.482216]  ? kasan_check_read+0x11/0x20
[ 31.486369]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.490779]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 31.495878]  ? __kthread_parkme+0x58/0x1b0
[ 31.500978]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.505979]  ? trace_hardirqs_on+0xd/0x10
[ 31.510126]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.515647]  ? __kthread_parkme+0x106/0x1b0
[ 31.519956]  kthread+0x345/0x410
[ 31.523309]  ? process_one_work+0x1ba0/0x1ba0
[ 31.527787]  ? kthread_bind+0x40/0x40
[ 31.531575]  ret_from_fork+0x3a/0x50
[ 31.535274]
[ 31.536882] Allocated by task 4571:
[ 31.540494]  save_stack+0x43/0xd0
[ 31.543929]  kasan_kmalloc+0xc4/0xe0
[ 31.547640]  kmem_cache_alloc_trace+0x152/0x780
[ 31.552294]  p9_fd_create+0x1a7/0x3f0
[ 31.556078]  p9_client_create+0x8ed/0x1770
[ 31.560308]  v9fs_session_init+0x21a/0x1a80
[ 31.564613]  v9fs_mount+0x7c/0x900
[ 31.568137]  mount_fs+0xae/0x328
[ 31.571489]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.576057]  do_mount+0x581/0x30e0
[ 31.579590]  ksys_mount+0x12d/0x140
[ 31.583209]  __x64_sys_mount+0xbe/0x150
[ 31.587180]  do_syscall_64+0x1b9/0x820
[ 31.591062]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.596230]
[ 31.597840] Freed by task 4571:
[ 31.601120]  save_stack+0x43/0xd0
[ 31.604557]  __kasan_slab_free+0x11a/0x170
[ 31.608776]  kasan_slab_free+0xe/0x10
[ 31.612560]  kfree+0xd9/0x260
[ 31.615653]  p9_fd_close+0x416/0x5b0
[ 31.619364]  p9_client_create+0xa9a/0x1770
[ 31.623602]  v9fs_session_init+0x21a/0x1a80
[ 31.627922]  v9fs_mount+0x7c/0x900
[ 31.631458]  mount_fs+0xae/0x328
[ 31.634809]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.639374]  do_mount+0x581/0x30e0
[ 31.642908]  ksys_mount+0x12d/0x140
[ 31.646521]  __x64_sys_mount+0xbe/0x150
[ 31.650492]  do_syscall_64+0x1b9/0x820
[ 31.654368]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.659537]
[ 31.661165] The buggy address belongs to the object at ffff8801d0363000
[ 31.661165]  which belongs to the cache kmalloc-512 of size 512
[ 31.673813] The buggy address is located 132 bytes inside of
[ 31.673813]  512-byte region [ffff8801d0363000, ffff8801d0363200)
[ 31.685670] The buggy address belongs to the page:
[ 31.690587] page:ffffea000740d8c0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 31.698729] flags: 0x2fffc0000000100(slab)
[ 31.702973] raw: 02fffc0000000100 ffffea000765ee88 ffff8801da801748 ffff8801da800940
[ 31.710842] raw: 0000000000000000 ffff8801d0363000 0000000100000006 0000000000000000
[ 31.718703] page dumped because: kasan: bad access detected
[ 31.724407]
[ 31.726018] Memory state around the buggy address:
[ 31.730941]  ffff8801d0362f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.738295]  ffff8801d0363000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.745638] >ffff8801d0363080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.752989]                                ^
[ 31.756343]  ffff8801d0363100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
[ 31.763688]  ffff8801d0363180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.771049] ==================================================================
[ 31.778387] Disabling lock debugging due to kernel taint
[ 31.783924] Kernel panic - not syncing: panic_on_warn set ...
[ 31.783924]
[ 31.791324] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G B 4.18.0-rc5+ #157
[ 31.799638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.808997] Workqueue: events p9_poll_workfn
[ 31.813395] Call Trace:
[ 31.815981]  dump_stack+0x1c9/0x2b4
[ 31.819617]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.824795]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.829556]  panic+0x238/0x4e7
[ 31.832734]  ? add_taint.cold.5+0x16/0x16
[ 31.836873]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.841271]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.845667]  ? p9_poll_workfn+0x660/0x6d0
[ 31.849801]  kasan_end_report+0x47/0x4f
[ 31.853777]  kasan_report.cold.7+0x76/0x2fe
[ 31.858096]  __asan_report_load4_noabort+0x14/0x20
[ 31.863017]  p9_poll_workfn+0x660/0x6d0
[ 31.866997]  ? p9_read_work+0x1060/0x1060
[ 31.871144]  ? graph_lock+0x170/0x170
[ 31.874942]  ? lock_acquire+0x1e4/0x540
[ 31.878912]  ? process_one_work+0xb9b/0x1ba0
[ 31.883305]  ? kasan_check_read+0x11/0x20
[ 31.887451]  ? __lock_is_held+0xb5/0x140
[ 31.891507]  process_one_work+0xc73/0x1ba0
[ 31.895726]  ? trace_hardirqs_on+0x10/0x10
[ 31.899947]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.904599]  ? lock_repin_lock+0x430/0x430
[ 31.908824]  ? __sched_text_start+0x8/0x8
[ 31.912955]  ? graph_lock+0x170/0x170
[ 31.916759]  ? lock_downgrade+0x8f0/0x8f0
[ 31.920916]  ? kasan_check_read+0x11/0x20
[ 31.925055]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.929470]  ? lock_acquire+0x1e4/0x540
[ 31.933429]  ? worker_thread+0x3dc/0x13c0
[ 31.937562]  ? lock_downgrade+0x8f0/0x8f0
[ 31.941691]  ? lock_release+0xa30/0xa30
[ 31.945649]  ? kasan_check_read+0x11/0x20
[ 31.949806]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.954214]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.958782]  ? kasan_check_write+0x14/0x20
[ 31.963032]  ? do_raw_spin_lock+0xc1/0x200
[ 31.967268]  worker_thread+0x189/0x13c0
[ 31.971503]  ? process_one_work+0x1ba0/0x1ba0
[ 31.975994]  ? graph_lock+0x170/0x170
[ 31.979784]  ? graph_lock+0x170/0x170
[ 31.983568]  ? find_held_lock+0x36/0x1c0
[ 31.987613]  ? find_held_lock+0x36/0x1c0
[ 31.991682]  ? lock_downgrade+0x8f0/0x8f0
[ 31.995815]  ? kasan_check_read+0x11/0x20
[ 31.999949]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.004343]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.009603]  ? __kthread_parkme+0x58/0x1b0
[ 32.013822]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.019569]  ? trace_hardirqs_on+0xd/0x10
[ 32.023703]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.029227]  ? __kthread_parkme+0x106/0x1b0
[ 32.033535]  kthread+0x345/0x410
[ 32.036883]  ? process_one_work+0x1ba0/0x1ba0
[ 32.041361]  ? kthread_bind+0x40/0x40
[ 32.045144]  ret_from_fork+0x3a/0x50
[ 32.049382] Dumping ftrace buffer:
[ 32.052910]    (ftrace buffer empty)
[ 32.056610] Kernel Offset: disabled
[ 32.060235] Rebooting in 86400 seconds..