[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.416146] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   21.838195] random: sshd: uninitialized urandom read (32 bytes read)
[   22.160535] random: sshd: uninitialized urandom read (32 bytes read)
[   23.026079] random: sshd: uninitialized urandom read (32 bytes read)
[   23.206551] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
[   28.704533] random: sshd: uninitialized urandom read (32 bytes read)
2018/07/20 18:31:36 parsed 1 programs
[   29.938963] random: cc1: uninitialized urandom read (8 bytes read)
2018/07/20 18:31:38 executed programs: 0
[   31.314702] IPVS: ftp: loaded support on port[0] = 21
[   31.410435] ip (4572) used greatest stack depth: 16952 bytes left
2018/07/20 18:31:44 executed programs: 6
[   40.919256] ==================================================================
[   40.926803] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   40.933288] Read of size 4 at addr ffff8801d7894144 by task kworker/1:0/19
[   40.940276]
[   40.941887] CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.18.0-rc5+ #156
[   40.948790] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.958133] Workqueue: events p9_poll_workfn
[   40.962692] Call Trace:
[   40.965263]  dump_stack+0x1c9/0x2b4
[   40.968871]  ? dump_stack_print_info.cold.2+0x52/0x52
[   40.974039]  ? printk+0xa7/0xcf
[   40.977308]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   40.982056]  ? p9_poll_workfn+0x660/0x6d0
[   40.986192]  print_address_description+0x6c/0x20b
[   40.991023]  ? p9_poll_workfn+0x660/0x6d0
[   40.995152]  kasan_report.cold.7+0x242/0x2fe
[   40.999546]  __asan_report_load4_noabort+0x14/0x20
[   41.004469]  p9_poll_workfn+0x660/0x6d0
[   41.008430]  ? p9_read_work+0x1060/0x1060
[   41.012570]  ? graph_lock+0x170/0x170
[   41.016358]  ? lock_acquire+0x1e4/0x540
[   41.020318]  ? process_one_work+0xb9b/0x1ba0
[   41.024729]  ? kasan_check_read+0x11/0x20
[   41.028882]  ? __lock_is_held+0xb5/0x140
[   41.033113]  process_one_work+0xc73/0x1ba0
[   41.037331]  ? trace_hardirqs_on+0x10/0x10
[   41.041553]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   41.046221]  ? lock_repin_lock+0x430/0x430
[   41.050453]  ? __sched_text_start+0x8/0x8
[   41.054585]  ? graph_lock+0x170/0x170
[   41.058365]  ? lock_downgrade+0x8f0/0x8f0
[   41.062498]  ? kasan_check_read+0x11/0x20
[   41.066625]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.071021]  ? lock_acquire+0x1e4/0x540
[   41.074977]  ? worker_thread+0x3dc/0x13c0
[   41.079109]  ? lock_downgrade+0x8f0/0x8f0
[   41.083240]  ? lock_release+0xa30/0xa30
[   41.087204]  ? kasan_check_read+0x11/0x20
[   41.091341]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.095733]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   41.100303]  ? kasan_check_write+0x14/0x20
[   41.104522]  ? do_raw_spin_lock+0xc1/0x200
[   41.108746]  worker_thread+0x189/0x13c0
[   41.112716]  ? process_one_work+0x1ba0/0x1ba0
[   41.117212]  ? graph_lock+0x170/0x170
[   41.121090]  ? graph_lock+0x170/0x170
[   41.124869]  ? find_held_lock+0x36/0x1c0
[   41.128914]  ? find_held_lock+0x36/0x1c0
[   41.132980]  ? kasan_check_read+0x11/0x20
[   41.137109]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.141507]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   41.146596]  ? __kthread_parkme+0x58/0x1b0
[   41.150817]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.155818]  ? trace_hardirqs_on+0xd/0x10
[   41.159951]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   41.165481]  ? __kthread_parkme+0x106/0x1b0
[   41.169788]  kthread+0x345/0x410
[   41.173165]  ? process_one_work+0x1ba0/0x1ba0
[   41.177639]  ? kthread_bind+0x40/0x40
[   41.181424]  ret_from_fork+0x3a/0x50
[   41.185122]
[   41.186741] Allocated by task 4622:
[   41.190355]  save_stack+0x43/0xd0
[   41.193818]  kasan_kmalloc+0xc4/0xe0
[   41.197513]  kmem_cache_alloc_trace+0x152/0x780
[   41.202167]  p9_fd_create+0x1a7/0x3f0
[   41.205950]  p9_client_create+0x8ed/0x1770
[   41.210167]  v9fs_session_init+0x21a/0x1a80
[   41.214480]  v9fs_mount+0x7c/0x900
[   41.218006]  mount_fs+0xae/0x328
[   41.221360]  vfs_kern_mount.part.34+0xdc/0x4e0
[   41.225920]  do_mount+0x581/0x30e0
[   41.229436]  ksys_mount+0x12d/0x140
[   41.233049]  __x64_sys_mount+0xbe/0x150
[   41.237003]  do_syscall_64+0x1b9/0x820
[   41.240887]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.246062]
[   41.247675] Freed by task 4622:
[   41.250936]  save_stack+0x43/0xd0
[   41.254372]  __kasan_slab_free+0x11a/0x170
[   41.258604]  kasan_slab_free+0xe/0x10
[   41.262384]  kfree+0xd9/0x260
[   41.265477]  p9_fd_close+0x416/0x5b0
[   41.269169]  p9_client_create+0xa9a/0x1770
[   41.273391]  v9fs_session_init+0x21a/0x1a80
[   41.277693]  v9fs_mount+0x7c/0x900
[   41.281212]  mount_fs+0xae/0x328
[   41.284555]  vfs_kern_mount.part.34+0xdc/0x4e0
[   41.289115]  do_mount+0x581/0x30e0
[   41.292648]  ksys_mount+0x12d/0x140
[   41.296253]  __x64_sys_mount+0xbe/0x150
[   41.300207]  do_syscall_64+0x1b9/0x820
[   41.304085]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.309248]
[   41.310855] The buggy address belongs to the object at ffff8801d78940c0
[   41.310855]  which belongs to the cache kmalloc-512 of size 512
[   41.323493] The buggy address is located 132 bytes inside of
[   41.323493]  512-byte region [ffff8801d78940c0, ffff8801d78942c0)
[   41.335353] The buggy address belongs to the page:
[   41.340263] page:ffffea00075e2500 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   41.348385] flags: 0x2fffc0000000100(slab)
[   41.352621] raw: 02fffc0000000100 ffffea00073eb948 ffffea0007621e88 ffff8801da800940
[   41.360481] raw: 0000000000000000 ffff8801d78940c0 0000000100000006 0000000000000000
[   41.368342] page dumped because: kasan: bad access detected
[   41.374045]
[   41.375648] Memory state around the buggy address:
[   41.380558]  ffff8801d7894000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.387897]  ffff8801d7894080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   41.395241] >ffff8801d7894100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.402585]                                           ^
[   41.408285]  ffff8801d7894180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.415636]  ffff8801d7894200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.422995] ==================================================================
[   41.430630] Disabling lock debugging due to kernel taint
[   41.436155] Kernel panic - not syncing: panic_on_warn set ...
[   41.436155]
[   41.443509] CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G    B             4.18.0-rc5+ #156
[   41.451825] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.461177] Workqueue: events p9_poll_workfn
[   41.465559] Call Trace:
[   41.468132]  dump_stack+0x1c9/0x2b4
[   41.471753]  ? dump_stack_print_info.cold.2+0x52/0x52
[   41.476927]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   41.481664]  panic+0x238/0x4e7
[   41.484838]  ? add_taint.cold.5+0x16/0x16
[   41.488975]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.493362]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.497750]  ? p9_poll_workfn+0x660/0x6d0
[   41.501876]  kasan_end_report+0x47/0x4f
[   41.505846]  kasan_report.cold.7+0x76/0x2fe
[   41.510163]  __asan_report_load4_noabort+0x14/0x20
[   41.515096]  p9_poll_workfn+0x660/0x6d0
[   41.519064]  ? p9_read_work+0x1060/0x1060
[   41.523193]  ? graph_lock+0x170/0x170
[   41.526972]  ? lock_acquire+0x1e4/0x540
[   41.530928]  ? process_one_work+0xb9b/0x1ba0
[   41.535313]  ? kasan_check_read+0x11/0x20
[   41.539437]  ? __lock_is_held+0xb5/0x140
[   41.543479]  process_one_work+0xc73/0x1ba0
[   41.547689]  ? trace_hardirqs_on+0x10/0x10
[   41.551902]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   41.556555]  ? lock_repin_lock+0x430/0x430
[   41.560775]  ? __sched_text_start+0x8/0x8
[   41.564899]  ? graph_lock+0x170/0x170
[   41.568686]  ? lock_downgrade+0x8f0/0x8f0
[   41.572816]  ? kasan_check_read+0x11/0x20
[   41.576941]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.581338]  ? lock_acquire+0x1e4/0x540
[   41.585291]  ? worker_thread+0x3dc/0x13c0
[   41.589425]  ? lock_downgrade+0x8f0/0x8f0
[   41.593551]  ? lock_release+0xa30/0xa30
[   41.597501]  ? kasan_check_read+0x11/0x20
[   41.601626]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.606012]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   41.610569]  ? kasan_check_write+0x14/0x20
[   41.614800]  ? do_raw_spin_lock+0xc1/0x200
[   41.619013]  worker_thread+0x189/0x13c0
[   41.622969]  ? process_one_work+0x1ba0/0x1ba0
[   41.627443]  ? graph_lock+0x170/0x170
[   41.631222]  ? graph_lock+0x170/0x170
[   41.634999]  ? find_held_lock+0x36/0x1c0
[   41.639041]  ? find_held_lock+0x36/0x1c0
[   41.643092]  ? kasan_check_read+0x11/0x20
[   41.647217]  ? do_raw_spin_unlock+0xa7/0x2f0
[   41.651608]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   41.656773]  ? __kthread_parkme+0x58/0x1b0
[   41.661001]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   41.666009]  ? trace_hardirqs_on+0xd/0x10
[   41.670155]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   41.675697]  ? __kthread_parkme+0x106/0x1b0
[   41.680001]  kthread+0x345/0x410
[   41.683354]  ? process_one_work+0x1ba0/0x1ba0
[   41.687829]  ? kthread_bind+0x40/0x40
[   41.691611]  ret_from_fork+0x3a/0x50
[   41.695942] Dumping ftrace buffer:
[   41.699467]    (ftrace buffer empty)
[   41.703175] Kernel Offset: disabled
[   41.706801] Rebooting in 86400 seconds..
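Triage of a report like the one above comes down to a few fields: the bug class and faulting function from the BUG line, the access direction, size, address and task, the first frame of the access, allocation and free stacks that belongs to the subsystem rather than to KASAN or the slab allocator (here p9_poll_workfn, p9_fd_create and p9_fd_close), and a cross-check that the faulting address really sits at the stated offset inside the reported slab object. The parser below is an added example written for this page; it is not part of syzkaller, syzbot or the kernel. SAMPLE_REPORT is an excerpt of the log above with most frames dropped; the NOISE prefix list, the section names access/alloc/free and the function names are this example's own choices, not kernel conventions. It also accepts the Write and out-of-bounds wordings ("to the right of"/"to the left of") that this particular report does not use.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt of the KASAN report in the console log above, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
[   40.926803] BUG: KASAN: use-after-free in p9_poll_workfn+0x660/0x6d0
[   40.933288] Read of size 4 at addr ffff8801d7894144 by task kworker/1:0/19
[   40.962692] Call Trace:
[   40.965263]  dump_stack+0x1c9/0x2b4
[   40.999546]  __asan_report_load4_noabort+0x14/0x20
[   41.004469]  p9_poll_workfn+0x660/0x6d0
[   41.008430]  ? p9_read_work+0x1060/0x1060
[   41.033113]  process_one_work+0xc73/0x1ba0
[   41.185122]
[   41.186741] Allocated by task 4622:
[   41.190355]  save_stack+0x43/0xd0
[   41.197513]  kmem_cache_alloc_trace+0x152/0x780
[   41.202167]  p9_fd_create+0x1a7/0x3f0
[   41.205950]  p9_client_create+0x8ed/0x1770
[   41.246062]
[   41.247675] Freed by task 4622:
[   41.250936]  save_stack+0x43/0xd0
[   41.254372]  __kasan_slab_free+0x11a/0x170
[   41.262384]  kfree+0xd9/0x260
[   41.265477]  p9_fd_close+0x416/0x5b0
[   41.309248]
[   41.310855] The buggy address belongs to the object at ffff8801d78940c0
[   41.310855]  which belongs to the cache kmalloc-512 of size 512
[   41.323493] The buggy address is located 132 bytes inside of
[   41.323493]  512-byte region [ffff8801d78940c0, ffff8801d78942c0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<dir>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME = re.compile(r"^(?P<unrel>\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SECTION = re.compile(r"^(?:Call Trace|(Allocated|Freed) by task (\d+)):$")
OBJECT = re.compile(r"object at (?P<start>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside of|to the (?:right|left) of)")
# Sanitizer and allocator frames (this example's own list): present in every report, never the culprit.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "__asan_",
         "save_stack", "kmem_cache_", "kmalloc", "__kmalloc", "kzalloc", "kfree")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    direction: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    obj_start: Optional[int] = None
    obj_size: Optional[int] = None
    cache: str = ""
    offset: Optional[int] = None
    where: str = ""
    tasks: Dict[str, int] = field(default_factory=dict)   # section -> pid that did it
    stacks: Dict[str, List[Tuple[str, bool]]] = field(default_factory=dict)  # (symbol, unreliable)

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:  # a timestamp-only line closes the current stack section
            section = None
        elif m := BUG.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            rep.direction, rep.size = m["dir"], int(m["size"])
            rep.addr, rep.task = int(m["addr"], 16), m["task"]
        elif m := SECTION.match(line):
            section = {"Allocated": "alloc", "Freed": "free"}.get(m[1], "access")
            rep.stacks[section] = []
            if m[2]:
                rep.tasks[section] = int(m[2])
        elif section and (m := FRAME.match(line)):
            rep.stacks[section].append((m["sym"], bool(m["unrel"])))  # '?' frames are unreliable
        elif m := OBJECT.search(line):
            rep.obj_start = int(m["start"], 16)
        elif m := CACHE.search(line):
            rep.cache, rep.obj_size = m["cache"], int(m["size"])
        elif m := OFFSET.search(line):
            rep.offset, rep.where = int(m["off"]), m["where"]
    return rep

def culprit(frames: List[Tuple[str, bool]]) -> Optional[str]:
    """First reliable frame outside sanitizer/allocator plumbing: the code to look at."""
    return next((sym for sym, unrel in frames if not unrel and not sym.startswith(NOISE)), None)

def address_matches_object(rep: KasanReport) -> bool:
    """Cross-check the report against itself: for an in-object access the faulting
    address must lie within the slab object and sit exactly at the stated offset."""
    if rep.obj_start is None or rep.obj_size is None or rep.where != "inside of":
        return False
    inside = rep.obj_start <= rep.addr < rep.obj_start + rep.obj_size
    return inside and rep.addr - rep.obj_start == rep.offset

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(r.kind, r.direction, r.size, hex(r.addr), r.task)
    print({s: culprit(f) for s, f in r.stacks.items()}, address_matches_object(r))
```

On the excerpt this yields use-after-free / Read 4 at 0xffff8801d7894144 by kworker/1:0/19, culprits p9_poll_workfn (access), p9_fd_create (alloc) and p9_fd_close (free), both slab operations by task 4622, and the offset check passes (0x144 - 0xc0 = 132). Frames the unwinder marks with "?" are skipped when picking a culprit because they are stale stack contents, not a verified call chain.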