[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.846103] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   23.749886] random: sshd: uninitialized urandom read (32 bytes read)
[   24.027776] random: sshd: uninitialized urandom read (32 bytes read)
[   24.849598] random: sshd: uninitialized urandom read (32 bytes read)
[   39.390396] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
[   44.856828] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   44.988128] ==================================================================
[   44.995592] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   45.002515] Read of size 8 at addr ffff8801ac678da0 by task kworker/1:2/2135
[   45.009691]
[   45.011304] CPU: 1 PID: 2135 Comm: kworker/1:2 Not tainted 4.18.0-rc4+ #138
[   45.018385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.027741] Workqueue: events p9_poll_workfn
[   45.032127] Call Trace:
[   45.034698]  dump_stack+0x1c9/0x2b4
[   45.038318]  ? dump_stack_print_info.cold.2+0x52/0x52
[   45.043499]  ? printk+0xa7/0xcf
[   45.046771]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   45.051523]  ? work_is_static_object+0x39/0x40
[   45.056097]  print_address_description+0x6c/0x20b
[   45.060932]  ? work_is_static_object+0x39/0x40
[   45.065492]  kasan_report.cold.7+0x242/0x2fe
[   45.069885]  __asan_report_load8_noabort+0x14/0x20
[   45.074804]  work_is_static_object+0x39/0x40
[   45.079193]  debug_object_activate+0x2fc/0x690
[   45.083757]  ? __wake_up_common+0x740/0x740
[   45.088068]  ? debug_object_assert_init+0x4b0/0x4b0
[   45.093071]  ? mark_held_locks+0xc9/0x160
[   45.097207]  __queue_work+0x1ca/0x1410
[   45.101073]  ? __wake_up+0xe/0x10
[   45.104508]  ? p9_client_cb+0x62/0x80
[   45.108294]  ? flush_rcu_work+0x90/0x90
[   45.112252]  ? p9_fd_cancelled+0x2f0/0x2f0
[   45.116469]  ? dccp_close+0xe70/0xe70
[   45.120262]  ? lock_downgrade+0x8f0/0x8f0
[   45.124399]  ? sock_poll+0x274/0x4b0
[   45.128105]  ? mark_held_locks+0xc9/0x160
[   45.132237]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   45.136803]  queue_work_on+0x19a/0x1e0
[   45.140672]  p9_poll_workfn+0x55e/0x6d0
[   45.144628]  ? p9_read_work+0x1060/0x1060
[   45.148760]  ? graph_lock+0x170/0x170
[   45.152546]  ? lock_acquire+0x1e4/0x540
[   45.156508]  ? process_one_work+0xb9b/0x1ba0
[   45.160909]  ? kasan_check_read+0x11/0x20
[   45.165045]  ? __lock_is_held+0xb5/0x140
[   45.169116]  process_one_work+0xc73/0x1ba0
[   45.173335]  ? trace_hardirqs_on+0x10/0x10
[   45.177555]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   45.182213]  ? lock_repin_lock+0x430/0x430
[   45.186440]  ? __sched_text_start+0x8/0x8
[   45.190584]  ? lock_downgrade+0x8f0/0x8f0
[   45.194717]  ? graph_lock+0x170/0x170
[   45.198509]  ? lock_acquire+0x1e4/0x540
[   45.202469]  ? worker_thread+0x3dc/0x13c0
[   45.206604]  ? lock_downgrade+0x8f0/0x8f0
[   45.210736]  ? lock_release+0xa30/0xa30
[   45.214691]  ? kasan_check_read+0x11/0x20
[   45.218821]  ? do_raw_spin_unlock+0xa7/0x2f0
[   45.223210]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   45.227774]  ? kasan_check_write+0x14/0x20
[   45.231987]  ? do_raw_spin_lock+0xc1/0x200
[   45.236203]  worker_thread+0x189/0x13c0
[   45.240172]  ? process_one_work+0x1ba0/0x1ba0
[   45.244662]  ? graph_lock+0x170/0x170
[   45.248445]  ? graph_lock+0x170/0x170
[   45.252232]  ? find_held_lock+0x36/0x1c0
[   45.256278]  ? lock_downgrade+0x8f0/0x8f0
[   45.260415]  ? kasan_check_read+0x11/0x20
[   45.264552]  ? do_raw_spin_unlock+0xa7/0x2f0
[   45.268946]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   45.274025]  ? __kthread_parkme+0x58/0x1b0
[   45.278246]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   45.283263]  ? trace_hardirqs_on+0xd/0x10
[   45.287408]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   45.292927]  ? __kthread_parkme+0x106/0x1b0
[   45.297228]  kthread+0x345/0x410
[   45.300573]  ? process_one_work+0x1ba0/0x1ba0
[   45.305046]  ? kthread_bind+0x40/0x40
[   45.308827]  ret_from_fork+0x3a/0x50
[   45.312520]
[   45.314127] Allocated by task 4559:
[   45.317734]  save_stack+0x43/0xd0
[   45.321165]  kasan_kmalloc+0xc4/0xe0
[   45.324858]  kmem_cache_alloc_trace+0x152/0x780
[   45.329516]  p9_fd_create+0x1a7/0x3f0
[   45.333314]  p9_client_create+0x915/0x16c9
[   45.337529]  v9fs_session_init+0x21a/0x1a80
[   45.341826]  v9fs_mount+0x7c/0x900
[   45.345344]  mount_fs+0xae/0x328
[   45.348694]  vfs_kern_mount.part.34+0xdc/0x4e0
[   45.353256]  do_mount+0x581/0x30e0
[   45.356773]  ksys_mount+0x12d/0x140
[   45.360378]  __x64_sys_mount+0xbe/0x150
[   45.364344]  do_syscall_64+0x1b9/0x820
[   45.368213]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   45.373379]
[   45.374987] Freed by task 4559:
[   45.378255]  save_stack+0x43/0xd0
[   45.381717]  __kasan_slab_free+0x11a/0x170
[   45.385929]  kasan_slab_free+0xe/0x10
[   45.389705]  kfree+0xd9/0x260
[   45.392790]  p9_fd_close+0x416/0x5b0
[   45.396484]  p9_client_create+0xac2/0x16c9
[   45.400704]  v9fs_session_init+0x21a/0x1a80
[   45.405012]  v9fs_mount+0x7c/0x900
[   45.408529]  mount_fs+0xae/0x328
[   45.411872]  vfs_kern_mount.part.34+0xdc/0x4e0
[   45.416430]  do_mount+0x581/0x30e0
[   45.419948]  ksys_mount+0x12d/0x140
[   45.423556]  __x64_sys_mount+0xbe/0x150
[   45.427509]  do_syscall_64+0x1b9/0x820
[   45.431378]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   45.436558]
[   45.438168] The buggy address belongs to the object at ffff8801ac678c80
[   45.438168]  which belongs to the cache kmalloc-512 of size 512
[   45.450810] The buggy address is located 288 bytes inside of
[   45.450810]  512-byte region [ffff8801ac678c80, ffff8801ac678e80)
[   45.462668] The buggy address belongs to the page:
[   45.467601] page:ffffea0006b19e00 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   45.475727] flags: 0x2fffc0000000100(slab)
[   45.479948] raw: 02fffc0000000100 ffffea000765be48 ffff8801da801748 ffff8801da800940
[   45.487835] raw: 0000000000000000 ffff8801ac678000 0000000100000006 0000000000000000
[   45.495691] page dumped because: kasan: bad access detected
[   45.501378]
[   45.502983] Memory state around the buggy address:
[   45.507893]  ffff8801ac678c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.515232]  ffff8801ac678d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.522580] >ffff8801ac678d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.529926]                                ^
[   45.534318]  ffff8801ac678e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   45.541655]  ffff8801ac678e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.549080] ==================================================================
[   45.556423] Disabling lock debugging due to kernel taint
[   45.561848] Kernel panic - not syncing: panic_on_warn set ...
[   45.561848]
[   45.569193] CPU: 1 PID: 2135 Comm: kworker/1:2 Tainted: G    B             4.18.0-rc4+ #138
[   45.577676] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.587018] Workqueue: events p9_poll_workfn
[   45.591413] Call Trace:
[   45.593993]  dump_stack+0x1c9/0x2b4
[   45.597600]  ? dump_stack_print_info.cold.2+0x52/0x52
[   45.602768]  ? lock_downgrade+0x8f0/0x8f0
[   45.606896]  panic+0x238/0x4e7
[   45.610067]  ? add_taint.cold.5+0x16/0x16
[   45.614194]  ? add_taint.cold.5+0x5/0x16
[   45.618235]  ? do_raw_spin_unlock+0xa7/0x2f0
[   45.622621]  ? work_is_static_object+0x39/0x40
[   45.627186]  kasan_end_report+0x47/0x4f
[   45.631137]  kasan_report.cold.7+0x76/0x2fe
[   45.635447]  __asan_report_load8_noabort+0x14/0x20
[   45.640378]  work_is_static_object+0x39/0x40
[   45.644768]  debug_object_activate+0x2fc/0x690
[   45.649338]  ? __wake_up_common+0x740/0x740
[   45.653644]  ? debug_object_assert_init+0x4b0/0x4b0
[   45.658643]  ? mark_held_locks+0xc9/0x160
[   45.662789]  __queue_work+0x1ca/0x1410
[   45.666653]  ? __wake_up+0xe/0x10
[   45.670087]  ? p9_client_cb+0x62/0x80
[   45.673868]  ? flush_rcu_work+0x90/0x90
[   45.677820]  ? p9_fd_cancelled+0x2f0/0x2f0
[   45.682032]  ? dccp_close+0xe70/0xe70
[   45.685811]  ? lock_downgrade+0x8f0/0x8f0
[   45.689940]  ? sock_poll+0x274/0x4b0
[   45.693633]  ? mark_held_locks+0xc9/0x160
[   45.697759]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   45.702320]  queue_work_on+0x19a/0x1e0
[   45.706184]  p9_poll_workfn+0x55e/0x6d0
[   45.710138]  ? p9_read_work+0x1060/0x1060
[   45.714262]  ? graph_lock+0x170/0x170
[   45.718038]  ? lock_acquire+0x1e4/0x540
[   45.721989]  ? process_one_work+0xb9b/0x1ba0
[   45.726378]  ? kasan_check_read+0x11/0x20
[   45.730504]  ? __lock_is_held+0xb5/0x140
[   45.734547]  process_one_work+0xc73/0x1ba0
[   45.738762]  ? trace_hardirqs_on+0x10/0x10
[   45.742975]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   45.747619]  ? lock_repin_lock+0x430/0x430
[   45.751840]  ? __sched_text_start+0x8/0x8
[   45.755986]  ? lock_downgrade+0x8f0/0x8f0
[   45.760114]  ? graph_lock+0x170/0x170
[   45.763910]  ? lock_acquire+0x1e4/0x540
[   45.767861]  ? worker_thread+0x3dc/0x13c0
[   45.771986]  ? lock_downgrade+0x8f0/0x8f0
[   45.776113]  ? lock_release+0xa30/0xa30
[   45.780066]  ? kasan_check_read+0x11/0x20
[   45.784191]  ? do_raw_spin_unlock+0xa7/0x2f0
[   45.788578]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   45.793138]  ? kasan_check_write+0x14/0x20
[   45.797352]  ? do_raw_spin_lock+0xc1/0x200
[   45.801566]  worker_thread+0x189/0x13c0
[   45.805521]  ? process_one_work+0x1ba0/0x1ba0
[   45.810004]  ? graph_lock+0x170/0x170
[   45.813789]  ? graph_lock+0x170/0x170
[   45.817586]  ? find_held_lock+0x36/0x1c0
[   45.821626]  ? lock_downgrade+0x8f0/0x8f0
[   45.825761]  ? kasan_check_read+0x11/0x20
[   45.829905]  ? do_raw_spin_unlock+0xa7/0x2f0
[   45.834306]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   45.839399]  ? __kthread_parkme+0x58/0x1b0
[   45.843625]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   45.848632]  ? trace_hardirqs_on+0xd/0x10
[   45.852774]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   45.858305]  ? __kthread_parkme+0x106/0x1b0
[   45.862633]  kthread+0x345/0x410
[   45.866003]  ? process_one_work+0x1ba0/0x1ba0
[   45.870485]  ? kthread_bind+0x40/0x40
[   45.874284]  ret_from_fork+0x3a/0x50
[   45.878384] Dumping ftrace buffer:
[   45.881902]    (ftrace buffer empty)
[   45.885588] Kernel Offset: disabled
[   45.889191] Rebooting in 86400 seconds..
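Triage note and added example (not part of the syzkaller log above, nor code from syzkaller or the kernel): the report says everything a triager needs, but only if the right lines are pulled out of the noise. The faulting read is 8 bytes at ffff8801ac678da0, 288 bytes into a kmalloc-512 object that task 4559 allocated in p9_fd_create and then freed in p9_fd_close, both within the same p9_client_create call on the mount path; the access comes later from a kworker running p9_poll_workfn, which queues work on the already-freed object. The parser below extracts exactly those fields from a KASAN report: bug kind, access size and address, reliable call-trace frames (the `?` frames are unreliable unwinder guesses and are dropped), the allocation and free stacks with their task IDs, the slab cache, and the offset into the object. The sample input is a condensed copy of this page's report with most `?` frames trimmed; the frame-skipping prefixes used to pick the first "interesting" frame are a heuristic of this example, not a kernel convention.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the KASAN report from this page, condensed.
SAMPLE = """\
[   44.995592] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
[   45.002515] Read of size 8 at addr ffff8801ac678da0 by task kworker/1:2/2135
[   45.009691]
[   45.011304] CPU: 1 PID: 2135 Comm: kworker/1:2 Not tainted 4.18.0-rc4+ #138
[   45.027741] Workqueue: events p9_poll_workfn
[   45.032127] Call Trace:
[   45.034698]  dump_stack+0x1c9/0x2b4
[   45.038318]  ? dump_stack_print_info.cold.2+0x52/0x52
[   45.056097]  print_address_description+0x6c/0x20b
[   45.065492]  kasan_report.cold.7+0x242/0x2fe
[   45.069885]  __asan_report_load8_noabort+0x14/0x20
[   45.074804]  work_is_static_object+0x39/0x40
[   45.079193]  debug_object_activate+0x2fc/0x690
[   45.097207]  __queue_work+0x1ca/0x1410
[   45.104508]  ? p9_client_cb+0x62/0x80
[   45.136803]  queue_work_on+0x19a/0x1e0
[   45.140672]  p9_poll_workfn+0x55e/0x6d0
[   45.169116]  process_one_work+0xc73/0x1ba0
[   45.236203]  worker_thread+0x189/0x13c0
[   45.297228]  kthread+0x345/0x410
[   45.308827]  ret_from_fork+0x3a/0x50
[   45.312520]
[   45.314127] Allocated by task 4559:
[   45.317734]  save_stack+0x43/0xd0
[   45.321165]  kasan_kmalloc+0xc4/0xe0
[   45.324858]  kmem_cache_alloc_trace+0x152/0x780
[   45.329516]  p9_fd_create+0x1a7/0x3f0
[   45.333314]  p9_client_create+0x915/0x16c9
[   45.341826]  v9fs_mount+0x7c/0x900
[   45.373379]
[   45.374987] Freed by task 4559:
[   45.378255]  save_stack+0x43/0xd0
[   45.381717]  __kasan_slab_free+0x11a/0x170
[   45.389705]  kfree+0xd9/0x260
[   45.392790]  p9_fd_close+0x416/0x5b0
[   45.396484]  p9_client_create+0xac2/0x16c9
[   45.405012]  v9fs_mount+0x7c/0x900
[   45.436558]
[   45.438168] The buggy address belongs to the object at ffff8801ac678c80
[   45.438168]  which belongs to the cache kmalloc-512 of size 512
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # printk timestamp
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
WQ_RE = re.compile(r"Workqueue: (?P<wq>\S+) (?P<fn>\S+)")
SECTION_RE = re.compile(r"^(?:Call Trace|Allocated by task (?P<alloc>\d+)|"
                        r"Freed by task (?P<free>\d+)):")
# A stack frame; a leading '?' marks an unreliable (guessed) frame.
FRAME_RE = re.compile(r"^\s*(?P<unsure>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")

# Heuristic (this example's choice): frames that belong to the reporting or
# allocator machinery rather than to the subsystem that owns the bug.
REPORT_NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
                "__asan_report", "save_stack")
ALLOC_NOISE = REPORT_NOISE + ("kmem_cache_alloc", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    workqueue: Optional[str] = None
    call_trace: List[str] = field(default_factory=list)   # reliable frames only
    alloc_task: Optional[int] = None
    alloc_stack: List[str] = field(default_factory=list)
    free_task: Optional[int] = None
    free_stack: List[str] = field(default_factory=list)
    object_base: int = 0
    cache: str = ""
    object_size: int = 0

    @property
    def offset(self) -> int:
        """Byte offset of the faulting access inside the slab object."""
        return self.addr - self.object_base

    def origin_frame(self) -> str:
        """First call-trace frame outside the KASAN reporting path."""
        return next((s for s in self.call_trace if not s.startswith(REPORT_NOISE)), "")


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    section: Optional[List[str]] = None      # stack list currently being filled
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if not line.strip():                 # blank line ends a stack section
            section = None
            continue
        m = SECTION_RE.match(line.strip())
        if m:
            if m.group("alloc"):
                r.alloc_task, section = int(m.group("alloc")), r.alloc_stack
            elif m.group("free"):
                r.free_task, section = int(m.group("free")), r.free_stack
            else:                            # keep only the first Call Trace
                section = r.call_trace if not r.call_trace else None
            continue
        if section is not None:
            fm = FRAME_RE.match(line)
            if fm:
                if not fm.group("unsure"):
                    section.append(fm.group("sym"))
                continue
            section = None                   # non-frame line: section is over
        if (m := BUG_RE.search(line)):
            r.kind, r.func = m.group("kind"), m.group("func")
        elif (m := ACCESS_RE.search(line)):
            r.op, r.size = m.group("op"), int(m.group("size"))
            r.addr, r.task = int(m.group("addr"), 16), m.group("task")
        elif (m := WQ_RE.search(line)):
            r.workqueue = m.group("fn")
        elif (m := OBJECT_RE.search(line)):
            r.object_base = int(m.group("base"), 16)
        elif (m := CACHE_RE.search(line)):
            r.cache, r.object_size = m.group("cache"), int(m.group("size"))
    return r


def triage_line(r: KasanReport) -> str:
    """One-line summary naming where the object was allocated and freed."""
    alloc = next((s for s in r.alloc_stack if not s.startswith(ALLOC_NOISE)), "?")
    freed = next((s for s in r.free_stack if not s.startswith(ALLOC_NOISE)), "?")
    return (f"KASAN: {r.kind} {r.op} size {r.size} in {r.origin_frame()} "
            f"({r.offset} bytes into {r.cache} object allocated in {alloc}, freed in {freed})")


if __name__ == "__main__":
    print(triage_line(parse_kasan_report(SAMPLE)))
```

Run against the page's report this yields `KASAN: use-after-free Read size 8 in work_is_static_object (288 bytes into kmalloc-512 object allocated in p9_fd_create, freed in p9_fd_close)`, which is the pairing a reviewer of net/9p/trans_fd.c would start from: the free happens on the mount's own error path, while the poll work that still holds the pointer runs later on a kworker. The second "Call Trace:" printed by the panic handler is deliberately ignored, since it only repeats the first one underneath the panic frames.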