[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   16.559182] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.433460] random: sshd: uninitialized urandom read (32 bytes read)
[   18.842135] random: sshd: uninitialized urandom read (32 bytes read)
[   19.589551] random: sshd: uninitialized urandom read (32 bytes read)
[   19.723606] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.57' (ECDSA) to the list of known hosts.
[   25.234823] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   25.360652] ==================================================================
[   25.368058] BUG: KASAN: use-after-free in _copy_from_iter+0x9ea/0x1090
[   25.374766] Read of size 21 at addr ffff8801abd90360 by task kworker/0:2/2142
[   25.382023] 
[   25.383652] CPU: 0 PID: 2142 Comm: kworker/0:2 Not tainted 4.18.0-rc5-next-20180719+ #11
[   25.391862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.401223] Workqueue: events p9_write_work
[   25.405621] Call Trace:
[   25.408215]  dump_stack+0x1c9/0x2b4
[   25.411851]  ? dump_stack_print_info.cold.2+0x52/0x52
[   25.417057]  ? printk+0xa7/0xcf
[   25.420358]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   25.425125]  ? _copy_from_iter+0x9ea/0x1090
[   25.429540]  print_address_description+0x6c/0x20b
[   25.434375]  ? _copy_from_iter+0x9ea/0x1090
[   25.439049]  kasan_report.cold.7+0x242/0x30d
[   25.443472]  check_memory_region+0x13e/0x1b0
[   25.447893]  memcpy+0x23/0x50
[   25.451080]  _copy_from_iter+0x9ea/0x1090
[   25.455244]  ? schedule+0xfb/0x450
[   25.458786]  ? __schedule+0x1ea0/0x1ea0
[   25.462760]  ? _copy_from_iter_nocache+0x1050/0x1050
[   25.467885]  ? insert_work+0x375/0x4f0
[   25.472020]  ? __queue_work+0x688/0x1410
[   25.476094]  copy_page_from_iter+0x576/0x890
[   25.480522]  ? mutex_lock_nested+0x16/0x20
[   25.484850]  ? pipe_wait+0x1ff/0x2c0
[   25.488647]  ? _copy_from_iter+0x1090/0x1090
[   25.493141]  pipe_write+0x235/0xeb0
[   25.497741]  __vfs_write+0x6af/0x9d0
[   25.501731]  ? kernel_read+0x120/0x120
[   25.507957]  ? lock_acquire+0x1e4/0x540
[   25.511934]  ? p9_poll_workfn+0x4cb/0x6d0
[   25.516081]  ? lock_acquire+0x1e4/0x540
[   25.520055]  ? p9_write_work+0x554/0xd50
[   25.524125]  ? rw_verify_area+0x118/0x360
[   25.528366]  vfs_write+0x1fc/0x560
[   25.532066]  kernel_write+0xab/0x120
[   25.535786]  p9_write_work+0x6f1/0xd50
[   25.539663]  ? p9_fd_create_tcp+0x8a0/0x8a0
[   25.543969]  ? lock_acquire+0x1e4/0x540
[   25.547941]  ? process_one_work+0xb9b/0x1ba0
[   25.552336]  ? kasan_check_read+0x11/0x20
[   25.556468]  ? lock_release+0xa30/0xa30
[   25.560426]  ? kasan_check_read+0x11/0x20
[   25.564559]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   25.569125]  ? read_word_at_a_time+0x20/0x20
[   25.573525]  ? do_raw_spin_lock+0xc1/0x200
[   25.577745]  process_one_work+0xc73/0x1ba0
[   25.581965]  ? trace_hardirqs_on+0x10/0x10
[   25.586191]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   25.590846]  ? lock_repin_lock+0x430/0x430
[   25.595074]  ? __sched_text_start+0x8/0x8
[   25.599391]  ? lock_downgrade+0x8f0/0x8f0
[   25.603529]  ? lock_acquire+0x1e4/0x540
[   25.607499]  ? __update_idle_core+0x304/0x610
[   25.611997]  ? kasan_check_write+0x14/0x20
[   25.616397]  ? __mutex_unlock_slowpath+0x197/0x8c0
[   25.621585]  ? lock_downgrade+0x8f0/0x8f0
[   25.625836]  ? lock_acquire+0x1e4/0x540
[   25.629799]  ? worker_thread+0x3dc/0x13c0
[   25.633937]  ? lock_downgrade+0x8f0/0x8f0
[   25.638085]  ? lock_release+0xa30/0xa30
[   25.642064]  ? kasan_check_read+0x11/0x20
[   25.646210]  ? do_raw_spin_unlock+0xa7/0x2f0
[   25.650613]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   25.655194]  ? kasan_check_write+0x14/0x20
[   25.659426]  ? do_raw_spin_lock+0xc1/0x200
[   25.663752]  worker_thread+0x189/0x13c0
[   25.667820]  ? process_one_work+0x1ba0/0x1ba0
[   25.672599]  ? finish_task_switch+0x1d3/0x870
[   25.677093]  ? lock_acquire+0x1e4/0x540
[   25.681165]  ? __kthread_parkme+0xd7/0x1b0
[   25.685842]  ? lock_downgrade+0x8f0/0x8f0
[   25.690249]  ? kasan_check_read+0x11/0x20
[   25.694829]  ? do_raw_spin_unlock+0xa7/0x2f0
[   25.699248]  ? kasan_check_write+0x14/0x20
[   25.703673]  ? trace_hardirqs_on+0xd/0x10
[   25.708178]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   25.714404]  ? __kthread_parkme+0x106/0x1b0
[   25.718818]  kthread+0x345/0x410
[   25.722207]  ? process_one_work+0x1ba0/0x1ba0
[   25.726964]  ? kthread_bind+0x40/0x40
[   25.731036]  ret_from_fork+0x3a/0x50
[   25.734745] 
[   25.736366] Allocated by task 4465:
[   25.740071]  save_stack+0x43/0xd0
[   25.743796]  kasan_kmalloc+0xc4/0xe0
[   25.747498]  __kmalloc+0x14e/0x760
[   25.751459]  p9_fcall_alloc+0x1e/0x90
[   25.755356]  p9_client_prepare_req.part.8+0x107/0xa00
[   25.760819]  p9_client_rpc+0x242/0x1330
[   25.765044]  p9_client_create+0xca4/0x1537
[   25.769277]  v9fs_session_init+0x21a/0x1a80
[   25.773715]  v9fs_mount+0x7c/0x900
[   25.777264]  legacy_get_tree+0x131/0x460
[   25.781346]  vfs_get_tree+0x1cb/0x5c0
[   25.785202]  do_mount+0x6f2/0x1e20
[   25.789276]  ksys_mount+0x12d/0x140
[   25.793023]  __x64_sys_mount+0xbe/0x150
[   25.797034]  do_syscall_64+0x1b9/0x820
[   25.800940]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   25.806123] 
[   25.807740] Freed by task 4465:
[   25.811032]  save_stack+0x43/0xd0
[   25.814481]  __kasan_slab_free+0x11a/0x170
[   25.818805]  kasan_slab_free+0xe/0x10
[   25.822628]  kfree+0xd9/0x260
[   25.825840]  p9_free_req+0xb5/0x120
[   25.829697]  p9_client_rpc+0xa8e/0x1330
[   25.833886]  p9_client_create+0xca4/0x1537
[   25.838269]  v9fs_session_init+0x21a/0x1a80
[   25.842623]  v9fs_mount+0x7c/0x900
[   25.846188]  legacy_get_tree+0x131/0x460
[   25.850823]  vfs_get_tree+0x1cb/0x5c0
[   25.855393]  do_mount+0x6f2/0x1e20
[   25.858951]  ksys_mount+0x12d/0x140
[   25.863120]  __x64_sys_mount+0xbe/0x150
[   25.867117]  do_syscall_64+0x1b9/0x820
[   25.871143]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   25.876509] 
[   25.878147] The buggy address belongs to the object at ffff8801abd90340
[   25.878147]  which belongs to the cache kmalloc-16384 of size 16384
[   25.891152] The buggy address is located 32 bytes inside of
[   25.891152]  16384-byte region [ffff8801abd90340, ffff8801abd94340)
[   25.903801] The buggy address belongs to the page:
[   25.908763] page:ffffea0006af6400 count:1 mapcount:0 mapping:ffff8801da802200 index:0x0 compound_mapcount: 0
[   25.918945] flags: 0x2fffc0000010200(slab|head)
[   25.923948] raw: 02fffc0000010200 ffffea0006c75e08 ffffea0006afaa08 ffff8801da802200
[   25.932130] raw: 0000000000000000 ffff8801abd90340 0000000100000001 0000000000000000
[   25.940473] page dumped because: kasan: bad access detected
[   25.947844] 
[   25.949999] Memory state around the buggy address:
[   25.954951]  ffff8801abd90200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.962429]  ffff8801abd90280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.970182] >ffff8801abd90300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   25.978404]                                                        ^
[   25.985353]  ffff8801abd90380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.993029]  ffff8801abd90400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.000519] ==================================================================
[   26.008170] Kernel panic - not syncing: panic_on_warn set ...
[   26.008170] 
[   26.015548] CPU: 0 PID: 2142 Comm: kworker/0:2 Tainted: G    B             4.18.0-rc5-next-20180719+ #11
[   26.025336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.034866] Workqueue: events p9_write_work
[   26.039200] Call Trace:
[   26.041833]  dump_stack+0x1c9/0x2b4
[   26.045484]  ? dump_stack_print_info.cold.2+0x52/0x52
[   26.050697]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   26.055462]  panic+0x238/0x4e7
[   26.058685]  ? add_taint.cold.5+0x16/0x16
[   26.062846]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.067353]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.071789]  ? _copy_from_iter+0x9ea/0x1090
[   26.076132]  kasan_end_report+0x47/0x4f
[   26.080114]  kasan_report.cold.7+0x76/0x30d
[   26.084455]  check_memory_region+0x13e/0x1b0
[   26.088876]  memcpy+0x23/0x50
[   26.091982]  _copy_from_iter+0x9ea/0x1090
[   26.096122]  ? schedule+0xfb/0x450
[   26.099654]  ? __schedule+0x1ea0/0x1ea0
[   26.103625]  ? _copy_from_iter_nocache+0x1050/0x1050
[   26.108709]  ? insert_work+0x375/0x4f0
[   26.112584]  ? __queue_work+0x688/0x1410
[   26.116633]  copy_page_from_iter+0x576/0x890
[   26.121038]  ? mutex_lock_nested+0x16/0x20
[   26.125257]  ? pipe_wait+0x1ff/0x2c0
[   26.128953]  ? _copy_from_iter+0x1090/0x1090
[   26.133342]  pipe_write+0x235/0xeb0
[   26.136958]  __vfs_write+0x6af/0x9d0
[   26.140661]  ? kernel_read+0x120/0x120
[   26.144534]  ? lock_acquire+0x1e4/0x540
[   26.148603]  ? p9_poll_workfn+0x4cb/0x6d0
[   26.152744]  ? lock_acquire+0x1e4/0x540
[   26.156701]  ? p9_write_work+0x554/0xd50
[   26.160746]  ? rw_verify_area+0x118/0x360
[   26.164879]  vfs_write+0x1fc/0x560
[   26.168488]  kernel_write+0xab/0x120
[   26.172184]  p9_write_work+0x6f1/0xd50
[   26.176057]  ? p9_fd_create_tcp+0x8a0/0x8a0
[   26.180374]  ? lock_acquire+0x1e4/0x540
[   26.184327]  ? process_one_work+0xb9b/0x1ba0
[   26.188720]  ? kasan_check_read+0x11/0x20
[   26.192849]  ? lock_release+0xa30/0xa30
[   26.196810]  ? kasan_check_read+0x11/0x20
[   26.200944]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   26.205510]  ? read_word_at_a_time+0x20/0x20
[   26.209897]  ? do_raw_spin_lock+0xc1/0x200
[   26.214114]  process_one_work+0xc73/0x1ba0
[   26.218861]  ? trace_hardirqs_on+0x10/0x10
[   26.223083]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   26.227736]  ? lock_repin_lock+0x430/0x430
[   26.231959]  ? __sched_text_start+0x8/0x8
[   26.236087]  ? lock_downgrade+0x8f0/0x8f0
[   26.240224]  ? lock_acquire+0x1e4/0x540
[   26.244198]  ? __update_idle_core+0x304/0x610
[   26.248682]  ? kasan_check_write+0x14/0x20
[   26.252907]  ? __mutex_unlock_slowpath+0x197/0x8c0
[   26.257818]  ? lock_downgrade+0x8f0/0x8f0
[   26.261947]  ? lock_acquire+0x1e4/0x540
[   26.265900]  ? worker_thread+0x3dc/0x13c0
[   26.270039]  ? lock_downgrade+0x8f0/0x8f0
[   26.274176]  ? lock_release+0xa30/0xa30
[   26.278130]  ? kasan_check_read+0x11/0x20
[   26.282268]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.286684]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   26.291252]  ? kasan_check_write+0x14/0x20
[   26.295475]  ? do_raw_spin_lock+0xc1/0x200
[   26.299704]  worker_thread+0x189/0x13c0
[   26.303665]  ? process_one_work+0x1ba0/0x1ba0
[   26.308145]  ? finish_task_switch+0x1d3/0x870
[   26.312626]  ? lock_acquire+0x1e4/0x540
[   26.316820]  ? __kthread_parkme+0xd7/0x1b0
[   26.321057]  ? lock_downgrade+0x8f0/0x8f0
[   26.325211]  ? kasan_check_read+0x11/0x20
[   26.329355]  ? do_raw_spin_unlock+0xa7/0x2f0
[   26.333756]  ? kasan_check_write+0x14/0x20
[   26.337973]  ? trace_hardirqs_on+0xd/0x10
[   26.342103]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   26.347628]  ? __kthread_parkme+0x106/0x1b0
[   26.351938]  kthread+0x345/0x410
[   26.355286]  ? process_one_work+0x1ba0/0x1ba0
[   26.359755]  ? kthread_bind+0x40/0x40
[   26.363539]  ret_from_fork+0x3a/0x50
[   26.367719] Dumping ftrace buffer:
[   26.371233]    (ftrace buffer empty)
[   26.374921] Kernel Offset: disabled
[   26.378526] Rebooting in 86400 seconds..