[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 19.694399] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 23.132865] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.379421] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.228008] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.384750] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[ 29.904127] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 29.997125] IPVS: ftp: loaded support on port[0] = 21
[ 30.188213] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.194677] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.202110] device bridge_slave_0 entered promiscuous mode
[ 30.217838] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.224250] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.231382] device bridge_slave_1 entered promiscuous mode
[ 30.246518] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 30.262514] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 30.302321] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.324224] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 30.383772] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 30.390982] team0: Port device team_slave_0 added
[ 30.405143] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 30.412799] team0: Port device team_slave_1 added
[ 30.427795] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 30.445520] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 30.461757] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 30.478815] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 30.591727] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.598184] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.605123] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.611477] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 31.012362] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 31.018497] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.061588] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 31.103603] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.111747] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 31.152258] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 31.395187] ==================================================================
[ 31.402656] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[ 31.409615] Read of size 8 at addr ffff8801cd277160 by task kworker/0:1/26
[ 31.416617] 
[ 31.418235] CPU: 0 PID: 26 Comm: kworker/0:1 Not tainted 4.18.0-rc4+ #140
[ 31.425141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.434492] Workqueue: events p9_poll_workfn
[ 31.438896] Call Trace:
[ 31.441468]  dump_stack+0x1c9/0x2b4
[ 31.445082]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.450255]  ? printk+0xa7/0xcf
[ 31.453543]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.458287]  ? work_is_static_object+0x39/0x40
[ 31.462855]  print_address_description+0x6c/0x20b
[ 31.467684]  ? work_is_static_object+0x39/0x40
[ 31.472250]  kasan_report.cold.7+0x242/0x2fe
[ 31.476644]  __asan_report_load8_noabort+0x14/0x20
[ 31.481558]  work_is_static_object+0x39/0x40
[ 31.485957]  debug_object_activate+0x2fc/0x690
[ 31.490534]  ? __wake_up_common+0x740/0x740
[ 31.494842]  ? debug_object_assert_init+0x4b0/0x4b0
[ 31.499846]  ? mark_held_locks+0xc9/0x160
[ 31.503987]  __queue_work+0x1ca/0x1410
[ 31.507862]  ? __wake_up+0xe/0x10
[ 31.511301]  ? p9_client_cb+0x62/0x80
[ 31.515101]  ? flush_rcu_work+0x90/0x90
[ 31.519065]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 31.523295]  ? ep_eventpoll_poll+0x192/0x200
[ 31.527685]  ? mounts_poll+0x1f9/0x290
[ 31.531559]  ? mark_held_locks+0xc9/0x160
[ 31.535694]  queue_work_on+0x19a/0x1e0
[ 31.539579]  p9_poll_workfn+0x55e/0x6d0
[ 31.543543]  ? p9_read_work+0x1060/0x1060
[ 31.547674]  ? graph_lock+0x170/0x170
[ 31.551462]  ? lock_acquire+0x1e4/0x540
[ 31.555420]  ? process_one_work+0xb9b/0x1ba0
[ 31.559828]  ? kasan_check_read+0x11/0x20
[ 31.563968]  ? __lock_is_held+0xb5/0x140
[ 31.568030]  process_one_work+0xc73/0x1ba0
[ 31.572248]  ? trace_hardirqs_on+0x10/0x10
[ 31.576472]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.581124]  ? lock_repin_lock+0x430/0x430
[ 31.585354]  ? __sched_text_start+0x8/0x8
[ 31.589486]  ? lock_downgrade+0x8f0/0x8f0
[ 31.593631]  ? graph_lock+0x170/0x170
[ 31.597458]  ? lock_acquire+0x1e4/0x540
[ 31.601427]  ? worker_thread+0x3dc/0x13c0
[ 31.605559]  ? lock_downgrade+0x8f0/0x8f0
[ 31.609695]  ? lock_release+0xa30/0xa30
[ 31.613668]  ? kasan_check_read+0x11/0x20
[ 31.617801]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.622192]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.626770]  ? kasan_check_write+0x14/0x20
[ 31.631076]  ? do_raw_spin_lock+0xc1/0x200
[ 31.635300]  worker_thread+0x189/0x13c0
[ 31.639279]  ? process_one_work+0x1ba0/0x1ba0
[ 31.643760]  ? graph_lock+0x170/0x170
[ 31.647544]  ? graph_lock+0x170/0x170
[ 31.651329]  ? find_held_lock+0x36/0x1c0
[ 31.655382]  ? find_held_lock+0x36/0x1c0
[ 31.659433]  ? lock_downgrade+0x8f0/0x8f0
[ 31.663570]  ? kasan_check_read+0x11/0x20
[ 31.667703]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.672099]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 31.677186]  ? __kthread_parkme+0x58/0x1b0
[ 31.681406]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.686409]  ? trace_hardirqs_on+0xd/0x10
[ 31.690557]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.696077]  ? __kthread_parkme+0x106/0x1b0
[ 31.700383]  kthread+0x345/0x410
[ 31.703733]  ? process_one_work+0x1ba0/0x1ba0
[ 31.708210]  ? kthread_bind+0x40/0x40
[ 31.711999]  ret_from_fork+0x3a/0x50
[ 31.715703] 
[ 31.717312] Allocated by task 4805:
[ 31.720925]  save_stack+0x43/0xd0
[ 31.724367]  kasan_kmalloc+0xc4/0xe0
[ 31.728067]  kmem_cache_alloc_trace+0x152/0x780
[ 31.732718]  p9_fd_create+0x1a7/0x3f0
[ 31.736502]  p9_client_create+0x915/0x16c9
[ 31.740720]  v9fs_session_init+0x21a/0x1a80
[ 31.745027]  v9fs_mount+0x7c/0x900
[ 31.748550]  mount_fs+0xae/0x328
[ 31.751913]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.756483]  do_mount+0x581/0x30e0
[ 31.760008]  ksys_mount+0x12d/0x140
[ 31.763622]  __x64_sys_mount+0xbe/0x150
[ 31.767582]  do_syscall_64+0x1b9/0x820
[ 31.771454]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.776623] 
[ 31.778232] Freed by task 4805:
[ 31.781499]  save_stack+0x43/0xd0
[ 31.784941]  __kasan_slab_free+0x11a/0x170
[ 31.789159]  kasan_slab_free+0xe/0x10
[ 31.792946]  kfree+0xd9/0x260
[ 31.796041]  p9_fd_close+0x416/0x5b0
[ 31.799739]  p9_client_create+0xac2/0x16c9
[ 31.803957]  v9fs_session_init+0x21a/0x1a80
[ 31.808262]  v9fs_mount+0x7c/0x900
[ 31.811803]  mount_fs+0xae/0x328
[ 31.815151]  vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.819726]  do_mount+0x581/0x30e0
[ 31.823262]  ksys_mount+0x12d/0x140
[ 31.826875]  __x64_sys_mount+0xbe/0x150
[ 31.830837]  do_syscall_64+0x1b9/0x820
[ 31.834713]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.839879] 
[ 31.841494] The buggy address belongs to the object at ffff8801cd277040
[ 31.841494]  which belongs to the cache kmalloc-512 of size 512
[ 31.854137] The buggy address is located 288 bytes inside of
[ 31.854137]  512-byte region [ffff8801cd277040, ffff8801cd277240)
[ 31.865994] The buggy address belongs to the page:
[ 31.870911] page:ffffea0007349dc0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 31.879044] flags: 0x2fffc0000000100(slab)
[ 31.883281] raw: 02fffc0000000100 ffffea0007347008 ffffea000734a0c8 ffff8801da800940
[ 31.891149] raw: 0000000000000000 ffff8801cd277040 0000000100000006 0000000000000000
[ 31.899023] page dumped because: kasan: bad access detected
[ 31.904711] 
[ 31.906321] Memory state around the buggy address:
[ 31.911230]  ffff8801cd277000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 31.918571]  ffff8801cd277080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.925938] >ffff8801cd277100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.933274]                                                        ^
[ 31.939747]  ffff8801cd277180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.947087]  ffff8801cd277200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.954426] ==================================================================
[ 31.961774] Disabling lock debugging due to kernel taint
[ 31.967203] Kernel panic - not syncing: panic_on_warn set ...
[ 31.967203] 
[ 31.974552] CPU: 0 PID: 26 Comm: kworker/0:1 Tainted: G    B             4.18.0-rc4+ #140
[ 31.982863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.992213] Workqueue: events p9_poll_workfn
[ 31.996600] Call Trace:
[ 31.999174]  dump_stack+0x1c9/0x2b4
[ 32.002786]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.007972]  ? lock_downgrade+0x8f0/0x8f0
[ 32.012105]  panic+0x238/0x4e7
[ 32.015280]  ? add_taint.cold.5+0x16/0x16
[ 32.019412]  ? add_taint.cold.5+0x5/0x16
[ 32.023453]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.027848]  ? work_is_static_object+0x39/0x40
[ 32.032418]  kasan_end_report+0x47/0x4f
[ 32.036375]  kasan_report.cold.7+0x76/0x2fe
[ 32.040680]  __asan_report_load8_noabort+0x14/0x20
[ 32.045590]  work_is_static_object+0x39/0x40
[ 32.049981]  debug_object_activate+0x2fc/0x690
[ 32.054546]  ? __wake_up_common+0x740/0x740
[ 32.058852]  ? debug_object_assert_init+0x4b0/0x4b0
[ 32.063852]  ? mark_held_locks+0xc9/0x160
[ 32.067997]  __queue_work+0x1ca/0x1410
[ 32.071872]  ? __wake_up+0xe/0x10
[ 32.075310]  ? p9_client_cb+0x62/0x80
[ 32.079094]  ? flush_rcu_work+0x90/0x90
[ 32.083054]  ? p9_fd_cancelled+0x2f0/0x2f0
[ 32.087280]  ? ep_eventpoll_poll+0x192/0x200
[ 32.091673]  ? mounts_poll+0x1f9/0x290
[ 32.095545]  ? mark_held_locks+0xc9/0x160
[ 32.099784]  queue_work_on+0x19a/0x1e0
[ 32.103663]  p9_poll_workfn+0x55e/0x6d0
[ 32.107624]  ? p9_read_work+0x1060/0x1060
[ 32.111754]  ? graph_lock+0x170/0x170
[ 32.115548]  ? lock_acquire+0x1e4/0x540
[ 32.119505]  ? process_one_work+0xb9b/0x1ba0
[ 32.123901]  ? kasan_check_read+0x11/0x20
[ 32.128036]  ? __lock_is_held+0xb5/0x140
[ 32.132083]  process_one_work+0xc73/0x1ba0
[ 32.136303]  ? trace_hardirqs_on+0x10/0x10
[ 32.140538]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 32.145190]  ? lock_repin_lock+0x430/0x430
[ 32.149416]  ? __sched_text_start+0x8/0x8
[ 32.153545]  ? lock_downgrade+0x8f0/0x8f0
[ 32.157677]  ? graph_lock+0x170/0x170
[ 32.161470]  ? lock_acquire+0x1e4/0x540
[ 32.165425]  ? worker_thread+0x3dc/0x13c0
[ 32.169566]  ? lock_downgrade+0x8f0/0x8f0
[ 32.173697]  ? lock_release+0xa30/0xa30
[ 32.177656]  ? kasan_check_read+0x11/0x20
[ 32.181785]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.186173]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 32.190752]  ? kasan_check_write+0x14/0x20
[ 32.194988]  ? do_raw_spin_lock+0xc1/0x200
[ 32.199217]  worker_thread+0x189/0x13c0
[ 32.203179]  ? process_one_work+0x1ba0/0x1ba0
[ 32.207657]  ? graph_lock+0x170/0x170
[ 32.211442]  ? graph_lock+0x170/0x170
[ 32.215227]  ? find_held_lock+0x36/0x1c0
[ 32.219285]  ? find_held_lock+0x36/0x1c0
[ 32.223333]  ? lock_downgrade+0x8f0/0x8f0
[ 32.227468]  ? kasan_check_read+0x11/0x20
[ 32.231600]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.235996]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.241082]  ? __kthread_parkme+0x58/0x1b0
[ 32.245301]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.250300]  ? trace_hardirqs_on+0xd/0x10
[ 32.254432]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.260039]  ? __kthread_parkme+0x106/0x1b0
[ 32.264342]  kthread+0x345/0x410
[ 32.267691]  ? process_one_work+0x1ba0/0x1ba0
[ 32.272165]  ? kthread_bind+0x40/0x40
[ 32.275962]  ret_from_fork+0x3a/0x50
[ 32.280117] Dumping ftrace buffer:
[ 32.283645]    (ftrace buffer empty)
[ 32.287331] Kernel Offset: disabled
[ 32.290938] Rebooting in 86400 seconds..