[....] Starting periodic command scheduler: cron�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[ 19.694399] random: sshd: uninitialized urandom read (32 bytes read)
�[?25l�[?1c�7�[1G[�[32m ok �[39;49m�8�[?25h�[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 23.132865] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.379421] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.228008] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.384750] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[ 29.904127] random: sshd: uninitialized urandom read (32 bytes read)
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
[ 29.997125] IPVS: ftp: loaded support on port[0] = 21
[ 30.188213] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.194677] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.202110] device bridge_slave_0 entered promiscuous mode
[ 30.217838] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.224250] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.231382] device bridge_slave_1 entered promiscuous mode
[ 30.246518] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 30.262514] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 30.302321] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 30.324224] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 30.383772] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 30.390982] team0: Port device team_slave_0 added
[ 30.405143] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 30.412799] team0: Port device team_slave_1 added
[ 30.427795] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 30.445520] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 30.461757] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 30.478815] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 30.591727] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.598184] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.605123] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.611477] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 31.012362] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 31.018497] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.061588] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 31.103603] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.111747] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 31.152258] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 31.395187] ==================================================================
[ 31.402656] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[ 31.409615] Read of size 8 at addr ffff8801cd277160 by task kworker/0:1/26
[ 31.416617]
[ 31.418235] CPU: 0 PID: 26 Comm: kworker/0:1 Not tainted 4.18.0-rc4+ #140
[ 31.425141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.434492] Workqueue: events p9_poll_workfn
[ 31.438896] Call Trace:
[ 31.441468] dump_stack+0x1c9/0x2b4
[ 31.445082] ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.450255] ? printk+0xa7/0xcf
[ 31.453543] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.458287] ? work_is_static_object+0x39/0x40
[ 31.462855] print_address_description+0x6c/0x20b
[ 31.467684] ? work_is_static_object+0x39/0x40
[ 31.472250] kasan_report.cold.7+0x242/0x2fe
[ 31.476644] __asan_report_load8_noabort+0x14/0x20
[ 31.481558] work_is_static_object+0x39/0x40
[ 31.485957] debug_object_activate+0x2fc/0x690
[ 31.490534] ? __wake_up_common+0x740/0x740
[ 31.494842] ? debug_object_assert_init+0x4b0/0x4b0
[ 31.499846] ? mark_held_locks+0xc9/0x160
[ 31.503987] __queue_work+0x1ca/0x1410
[ 31.507862] ? __wake_up+0xe/0x10
[ 31.511301] ? p9_client_cb+0x62/0x80
[ 31.515101] ? flush_rcu_work+0x90/0x90
[ 31.519065] ? p9_fd_cancelled+0x2f0/0x2f0
[ 31.523295] ? ep_eventpoll_poll+0x192/0x200
[ 31.527685] ? mounts_poll+0x1f9/0x290
[ 31.531559] ? mark_held_locks+0xc9/0x160
[ 31.535694] queue_work_on+0x19a/0x1e0
[ 31.539579] p9_poll_workfn+0x55e/0x6d0
[ 31.543543] ? p9_read_work+0x1060/0x1060
[ 31.547674] ? graph_lock+0x170/0x170
[ 31.551462] ? lock_acquire+0x1e4/0x540
[ 31.555420] ? process_one_work+0xb9b/0x1ba0
[ 31.559828] ? kasan_check_read+0x11/0x20
[ 31.563968] ? __lock_is_held+0xb5/0x140
[ 31.568030] process_one_work+0xc73/0x1ba0
[ 31.572248] ? trace_hardirqs_on+0x10/0x10
[ 31.576472] ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 31.581124] ? lock_repin_lock+0x430/0x430
[ 31.585354] ? __sched_text_start+0x8/0x8
[ 31.589486] ? lock_downgrade+0x8f0/0x8f0
[ 31.593631] ? graph_lock+0x170/0x170
[ 31.597458] ? lock_acquire+0x1e4/0x540
[ 31.601427] ? worker_thread+0x3dc/0x13c0
[ 31.605559] ? lock_downgrade+0x8f0/0x8f0
[ 31.609695] ? lock_release+0xa30/0xa30
[ 31.613668] ? kasan_check_read+0x11/0x20
[ 31.617801] ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.622192] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.626770] ? kasan_check_write+0x14/0x20
[ 31.631076] ? do_raw_spin_lock+0xc1/0x200
[ 31.635300] worker_thread+0x189/0x13c0
[ 31.639279] ? process_one_work+0x1ba0/0x1ba0
[ 31.643760] ? graph_lock+0x170/0x170
[ 31.647544] ? graph_lock+0x170/0x170
[ 31.651329] ? find_held_lock+0x36/0x1c0
[ 31.655382] ? find_held_lock+0x36/0x1c0
[ 31.659433] ? lock_downgrade+0x8f0/0x8f0
[ 31.663570] ? kasan_check_read+0x11/0x20
[ 31.667703] ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.672099] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 31.677186] ? __kthread_parkme+0x58/0x1b0
[ 31.681406] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.686409] ? trace_hardirqs_on+0xd/0x10
[ 31.690557] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.696077] ? __kthread_parkme+0x106/0x1b0
[ 31.700383] kthread+0x345/0x410
[ 31.703733] ? process_one_work+0x1ba0/0x1ba0
[ 31.708210] ? kthread_bind+0x40/0x40
[ 31.711999] ret_from_fork+0x3a/0x50
[ 31.715703]
[ 31.717312] Allocated by task 4805:
[ 31.720925] save_stack+0x43/0xd0
[ 31.724367] kasan_kmalloc+0xc4/0xe0
[ 31.728067] kmem_cache_alloc_trace+0x152/0x780
[ 31.732718] p9_fd_create+0x1a7/0x3f0
[ 31.736502] p9_client_create+0x915/0x16c9
[ 31.740720] v9fs_session_init+0x21a/0x1a80
[ 31.745027] v9fs_mount+0x7c/0x900
[ 31.748550] mount_fs+0xae/0x328
[ 31.751913] vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.756483] do_mount+0x581/0x30e0
[ 31.760008] ksys_mount+0x12d/0x140
[ 31.763622] __x64_sys_mount+0xbe/0x150
[ 31.767582] do_syscall_64+0x1b9/0x820
[ 31.771454] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.776623]
[ 31.778232] Freed by task 4805:
[ 31.781499] save_stack+0x43/0xd0
[ 31.784941] __kasan_slab_free+0x11a/0x170
[ 31.789159] kasan_slab_free+0xe/0x10
[ 31.792946] kfree+0xd9/0x260
[ 31.796041] p9_fd_close+0x416/0x5b0
[ 31.799739] p9_client_create+0xac2/0x16c9
[ 31.803957] v9fs_session_init+0x21a/0x1a80
[ 31.808262] v9fs_mount+0x7c/0x900
[ 31.811803] mount_fs+0xae/0x328
[ 31.815151] vfs_kern_mount.part.34+0xdc/0x4e0
[ 31.819726] do_mount+0x581/0x30e0
[ 31.823262] ksys_mount+0x12d/0x140
[ 31.826875] __x64_sys_mount+0xbe/0x150
[ 31.830837] do_syscall_64+0x1b9/0x820
[ 31.834713] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.839879]
[ 31.841494] The buggy address belongs to the object at ffff8801cd277040
[ 31.841494] which belongs to the cache kmalloc-512 of size 512
[ 31.854137] The buggy address is located 288 bytes inside of
[ 31.854137] 512-byte region [ffff8801cd277040, ffff8801cd277240)
[ 31.865994] The buggy address belongs to the page:
[ 31.870911] page:ffffea0007349dc0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 31.879044] flags: 0x2fffc0000000100(slab)
[ 31.883281] raw: 02fffc0000000100 ffffea0007347008 ffffea000734a0c8 ffff8801da800940
[ 31.891149] raw: 0000000000000000 ffff8801cd277040 0000000100000006 0000000000000000
[ 31.899023] page dumped because: kasan: bad access detected
[ 31.904711]
[ 31.906321] Memory state around the buggy address:
[ 31.911230] ffff8801cd277000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 31.918571] ffff8801cd277080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.925938] >ffff8801cd277100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.933274] ^
[ 31.939747] ffff8801cd277180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.947087] ffff8801cd277200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.954426] ==================================================================
[ 31.961774] Disabling lock debugging due to kernel taint
[ 31.967203] Kernel panic - not syncing: panic_on_warn set ...
[ 31.967203]
[ 31.974552] CPU: 0 PID: 26 Comm: kworker/0:1 Tainted: G B 4.18.0-rc4+ #140
[ 31.982863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.992213] Workqueue: events p9_poll_workfn
[ 31.996600] Call Trace:
[ 31.999174] dump_stack+0x1c9/0x2b4
[ 32.002786] ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.007972] ? lock_downgrade+0x8f0/0x8f0
[ 32.012105] panic+0x238/0x4e7
[ 32.015280] ? add_taint.cold.5+0x16/0x16
[ 32.019412] ? add_taint.cold.5+0x5/0x16
[ 32.023453] ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.027848] ? work_is_static_object+0x39/0x40
[ 32.032418] kasan_end_report+0x47/0x4f
[ 32.036375] kasan_report.cold.7+0x76/0x2fe
[ 32.040680] __asan_report_load8_noabort+0x14/0x20
[ 32.045590] work_is_static_object+0x39/0x40
[ 32.049981] debug_object_activate+0x2fc/0x690
[ 32.054546] ? __wake_up_common+0x740/0x740
[ 32.058852] ? debug_object_assert_init+0x4b0/0x4b0
[ 32.063852] ? mark_held_locks+0xc9/0x160
[ 32.067997] __queue_work+0x1ca/0x1410
[ 32.071872] ? __wake_up+0xe/0x10
[ 32.075310] ? p9_client_cb+0x62/0x80
[ 32.079094] ? flush_rcu_work+0x90/0x90
[ 32.083054] ? p9_fd_cancelled+0x2f0/0x2f0
[ 32.087280] ? ep_eventpoll_poll+0x192/0x200
[ 32.091673] ? mounts_poll+0x1f9/0x290
[ 32.095545] ? mark_held_locks+0xc9/0x160
[ 32.099784] queue_work_on+0x19a/0x1e0
[ 32.103663] p9_poll_workfn+0x55e/0x6d0
[ 32.107624] ? p9_read_work+0x1060/0x1060
[ 32.111754] ? graph_lock+0x170/0x170
[ 32.115548] ? lock_acquire+0x1e4/0x540
[ 32.119505] ? process_one_work+0xb9b/0x1ba0
[ 32.123901] ? kasan_check_read+0x11/0x20
[ 32.128036] ? __lock_is_held+0xb5/0x140
[ 32.132083] process_one_work+0xc73/0x1ba0
[ 32.136303] ? trace_hardirqs_on+0x10/0x10
[ 32.140538] ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 32.145190] ? lock_repin_lock+0x430/0x430
[ 32.149416] ? __sched_text_start+0x8/0x8
[ 32.153545] ? lock_downgrade+0x8f0/0x8f0
[ 32.157677] ? graph_lock+0x170/0x170
[ 32.161470] ? lock_acquire+0x1e4/0x540
[ 32.165425] ? worker_thread+0x3dc/0x13c0
[ 32.169566] ? lock_downgrade+0x8f0/0x8f0
[ 32.173697] ? lock_release+0xa30/0xa30
[ 32.177656] ? kasan_check_read+0x11/0x20
[ 32.181785] ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.186173] ? do_raw_spin_trylock+0x1c0/0x1c0
[ 32.190752] ? kasan_check_write+0x14/0x20
[ 32.194988] ? do_raw_spin_lock+0xc1/0x200
[ 32.199217] worker_thread+0x189/0x13c0
[ 32.203179] ? process_one_work+0x1ba0/0x1ba0
[ 32.207657] ? graph_lock+0x170/0x170
[ 32.211442] ? graph_lock+0x170/0x170
[ 32.215227] ? find_held_lock+0x36/0x1c0
[ 32.219285] ? find_held_lock+0x36/0x1c0
[ 32.223333] ? lock_downgrade+0x8f0/0x8f0
[ 32.227468] ? kasan_check_read+0x11/0x20
[ 32.231600] ? do_raw_spin_unlock+0xa7/0x2f0
[ 32.235996] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.241082] ? __kthread_parkme+0x58/0x1b0
[ 32.245301] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.250300] ? trace_hardirqs_on+0xd/0x10
[ 32.254432] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.260039] ? __kthread_parkme+0x106/0x1b0
[ 32.264342] kthread+0x345/0x410
[ 32.267691] ? process_one_work+0x1ba0/0x1ba0
[ 32.272165] ? kthread_bind+0x40/0x40
[ 32.275962] ret_from_fork+0x3a/0x50
[ 32.280117] Dumping ftrace buffer:
[ 32.283645] (ftrace buffer empty)
[ 32.287331] Kernel Offset: disabled
[ 32.290938] Rebooting in 86400 seconds..