[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[   13.334374] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   18.912255] random: sshd: uninitialized urandom read (32 bytes read)
[   19.295326] random: sshd: uninitialized urandom read (32 bytes read)
[   20.274334] random: sshd: uninitialized urandom read (32 bytes read)
[   54.439537] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
[   59.902893] random: sshd: uninitialized urandom read (32 bytes read)
[   66.786921] ==================================================================
[   66.794336] BUG: KASAN: use-after-free in p9_conn_cancel+0x464/0x4c0
[   66.800805] Read of size 8 at addr ffff8801da103420 by task kworker/1:1/24
[   66.807793] 
[   66.809421] CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 4.9.113-g9905591 #14
[   66.816678] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.826019] Workqueue: events p9_poll_workfn
[   66.830529]  ffff8801d940faa0 ffffffff81eb32a9 ffffea0007684080 ffff8801da103420
[   66.838530]  0000000000000000 ffff8801da103420 00000000ffffff98 ffff8801d940fad8
[   66.846514]  ffffffff81567bd9 ffff8801da103420 0000000000000008 0000000000000000
[   66.854501] Call Trace:
[   66.857067]  [] dump_stack+0xc1/0x128
[   66.862443]  [] print_address_description+0x6c/0x234
[   66.869086]  [] kasan_report.cold.6+0x242/0x2fe
[   66.875307]  [] ? p9_conn_cancel+0x464/0x4c0
[   66.881399]  [] __asan_report_load8_noabort+0x14/0x20
[   66.888131]  [] p9_conn_cancel+0x464/0x4c0
[   66.893928]  [] ? mark_held_locks+0xc7/0x130
[   66.899889]  [] ? p9_pollwake+0x110/0x110
[   66.905594]  [] ? p9_fd_poll+0x246/0x310
[   66.911278]  [] p9_poll_workfn+0x222/0x330
[   66.917051]  [] process_one_work+0x7e1/0x1500
[   66.923081]  [] ? process_one_work+0x728/0x1500
[   66.929285]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   66.935750]  [] worker_thread+0xd6/0x10a0
[   66.941452]  [] ? __schedule+0x655/0x1bd0
[   66.947152]  [] kthread+0x26d/0x300
[   66.952327]  [] ? process_one_work+0x1500/0x1500
[   66.958633]  [] ? kthread_park+0xa0/0xa0
[   66.964242]  [] ? kthread_park+0xa0/0xa0
[   66.969871]  [] ? kthread_park+0xa0/0xa0
[   66.975485]  [] ret_from_fork+0x5c/0x70
[   66.981011] 
[   66.982634] Allocated by task 3965:
[   66.986238]  save_stack_trace+0x16/0x20
[   66.990195]  save_stack+0x43/0xd0
[   66.993621]  kasan_kmalloc+0xc7/0xe0
[   66.997324]  kmem_cache_alloc_trace+0xfd/0x2b0
[   67.001897]  p9_fd_create+0xf3/0x330
[   67.005589]  p9_client_create+0x6ff/0x10a0
[   67.009803]  v9fs_session_init+0x333/0x13a0
[   67.014117]  v9fs_mount+0x7d/0x810
[   67.017645]  mount_fs+0x28c/0x370
[   67.021086]  vfs_kern_mount.part.29+0xd1/0x3d0
[   67.025659]  do_mount+0x3c9/0x2740
[   67.029375]  SyS_mount+0xfe/0x110
[   67.032822]  do_syscall_64+0x1a6/0x490
[   67.036863]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   67.042047] 
[   67.043653] Freed by task 3965:
[   67.046908]  save_stack_trace+0x16/0x20
[   67.050864]  save_stack+0x43/0xd0
[   67.054288]  kasan_slab_free+0x72/0xc0
[   67.058148]  kfree+0xfb/0x310
[   67.061229]  p9_fd_close+0x298/0x330
[   67.064926]  p9_client_create+0x825/0x10a0
[   67.069137]  v9fs_session_init+0x333/0x13a0
[   67.073694]  v9fs_mount+0x7d/0x810
[   67.077219]  mount_fs+0x28c/0x370
[   67.080747]  vfs_kern_mount.part.29+0xd1/0x3d0
[   67.085301]  do_mount+0x3c9/0x2740
[   67.088819]  SyS_mount+0xfe/0x110
[   67.092353]  do_syscall_64+0x1a6/0x490
[   67.096236]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   67.101309] 
[   67.102914] The buggy address belongs to the object at ffff8801da103400
[   67.102914]  which belongs to the cache kmalloc-512 of size 512
[   67.115635] The buggy address is located 32 bytes inside of
[   67.115635]  512-byte region [ffff8801da103400, ffff8801da103600)
[   67.127417] The buggy address belongs to the page:
[   67.132338] page:ffffea0007684080 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   67.142696] flags: 0x8000000000004080(slab|head)
[   67.147431] page dumped because: kasan: bad access detected
[   67.153116] 
[   67.154726] Memory state around the buggy address:
[   67.159627]  ffff8801da103300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.166971]  ffff8801da103380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.174303] >ffff8801da103400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.181643]                                ^
[   67.186046]  ffff8801da103480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.193391]  ffff8801da103500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.200821] ==================================================================
[   67.208238] Disabling lock debugging due to kernel taint
[   67.216324] Kernel panic - not syncing: panic_on_warn set ...
[   67.216324] 
[   67.223693] CPU: 1 PID: 24 Comm: kworker/1:1 Tainted: G B 4.9.113-g9905591 #14
[   67.232168] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.241696] Workqueue: events p9_poll_workfn
[   67.246212]  ffff8801d940fa00 ffffffff81eb32a9 ffffffff843c806f 00000000ffffffff
[   67.254233]  0000000000000000 0000000000000001 00000000ffffff98 ffff8801d940fac0
[   67.262249]  ffffffff81421a55 0000000041b58ab3 ffffffff843bb788 ffffffff81421896
[   67.270262] Call Trace:
[   67.272847]  [] dump_stack+0xc1/0x128
[   67.278194]  [] panic+0x1bf/0x3bc
[   67.283198]  [] ? add_taint.cold.6+0x16/0x16
[   67.289157]  [] ? ___preempt_schedule+0x16/0x18
[   67.295369]  [] kasan_end_report+0x47/0x4f
[   67.301230]  [] kasan_report.cold.6+0x76/0x2fe
[   67.307361]  [] ? p9_conn_cancel+0x464/0x4c0
[   67.316010]  [] __asan_report_load8_noabort+0x14/0x20
[   67.322843]  [] p9_conn_cancel+0x464/0x4c0
[   67.328612]  [] ? mark_held_locks+0xc7/0x130
[   67.334558]  [] ? p9_pollwake+0x110/0x110
[   67.340238]  [] ? p9_fd_poll+0x246/0x310
[   67.345841]  [] p9_poll_workfn+0x222/0x330
[   67.351627]  [] process_one_work+0x7e1/0x1500
[   67.357655]  [] ? process_one_work+0x728/0x1500
[   67.363943]  [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0
[   67.370404]  [] worker_thread+0xd6/0x10a0
[   67.376097]  [] ? __schedule+0x655/0x1bd0
[   67.381778]  [] kthread+0x26d/0x300
[   67.386943]  [] ? process_one_work+0x1500/0x1500
[   67.393231]  [] ? kthread_park+0xa0/0xa0
[   67.399005]  [] ? kthread_park+0xa0/0xa0
[   67.404617]  [] ? kthread_park+0xa0/0xa0
[   67.410299]  [] ret_from_fork+0x5c/0x70
[   67.416438] Dumping ftrace buffer:
[   67.419965]    (ftrace buffer empty)
[   67.423647] Kernel Offset: disabled
[   67.427246] Rebooting in 86400 seconds..