[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.632948] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.458488] random: sshd: uninitialized urandom read (32 bytes read)
[   23.713082] random: sshd: uninitialized urandom read (32 bytes read)
[   24.602473] random: sshd: uninitialized urandom read (32 bytes read)
[   37.771192] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts.
[   43.223270] random: sshd: uninitialized urandom read (32 bytes read)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   43.404672] ==================================================================
[   43.412188] BUG: KASAN: use-after-free in p9_fd_poll+0x280/0x2b0
[   43.418318] Read of size 8 at addr ffff8801d6ddf340 by task kworker/0:2/26
[   43.425308] 
[   43.426921] CPU: 0 PID: 26 Comm: kworker/0:2 Not tainted 4.18.0-rc6+ #160
[   43.433830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.443181] Workqueue: events p9_poll_workfn
[   43.447835] Call Trace:
[   43.450596]  dump_stack+0x1c9/0x2b4
[   43.454221]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.459397]  ? printk+0xa7/0xcf
[   43.462718]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   43.467500]  ? p9_fd_poll+0x280/0x2b0
[   43.471326]  print_address_description+0x6c/0x20b
[   43.476171]  ? p9_fd_poll+0x280/0x2b0
[   43.479957]  kasan_report.cold.7+0x242/0x2fe
[   43.484351]  __asan_report_load8_noabort+0x14/0x20
[   43.489261]  p9_fd_poll+0x280/0x2b0
[   43.492870]  p9_poll_workfn+0x463/0x6d0
[   43.496826]  ? p9_read_work+0x1060/0x1060
[   43.500959]  ? graph_lock+0x170/0x170
[   43.504755]  ? lock_acquire+0x1e4/0x540
[   43.508721]  ? process_one_work+0xb9b/0x1ba0
[   43.513111]  ? kasan_check_read+0x11/0x20
[   43.517251]  ? __lock_is_held+0xb5/0x140
[   43.521310]  process_one_work+0xc73/0x1ba0
[   43.525526]  ? trace_hardirqs_on+0x10/0x10
[   43.529748]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   43.534418]  ? lock_repin_lock+0x430/0x430
[   43.538654]  ? __sched_text_start+0x8/0x8
[   43.542786]  ? lock_downgrade+0x8f0/0x8f0
[   43.546915]  ? graph_lock+0x170/0x170
[   43.550707]  ? graph_lock+0x170/0x170
[   43.554510]  ? lock_acquire+0x1e4/0x540
[   43.558469]  ? worker_thread+0x3dc/0x13c0
[   43.562688]  ? lock_downgrade+0x8f0/0x8f0
[   43.566818]  ? lock_release+0xa30/0xa30
[   43.570776]  ? kasan_check_read+0x11/0x20
[   43.574906]  ? do_raw_spin_unlock+0xa7/0x2f0
[   43.579295]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   43.583870]  ? kasan_check_write+0x14/0x20
[   43.588084]  ? do_raw_spin_lock+0xc1/0x200
[   43.592315]  worker_thread+0x189/0x13c0
[   43.596279]  ? process_one_work+0x1ba0/0x1ba0
[   43.600760]  ? graph_lock+0x170/0x170
[   43.604549]  ? graph_lock+0x170/0x170
[   43.608344]  ? find_held_lock+0x36/0x1c0
[   43.612389]  ? find_held_lock+0x36/0x1c0
[   43.616455]  ? kasan_check_read+0x11/0x20
[   43.620585]  ? do_raw_spin_unlock+0xa7/0x2f0
[   43.624990]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   43.630072]  ? __kthread_parkme+0x58/0x1b0
[   43.634286]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   43.639286]  ? trace_hardirqs_on+0xd/0x10
[   43.643418]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.648935]  ? __kthread_parkme+0x106/0x1b0
[   43.653238]  kthread+0x345/0x410
[   43.656586]  ? process_one_work+0x1ba0/0x1ba0
[   43.661057]  ? kthread_bind+0x40/0x40
[   43.664851]  ret_from_fork+0x3a/0x50
[   43.668557] 
[   43.670174] Allocated by task 4581:
[   43.673798]  save_stack+0x43/0xd0
[   43.677230]  kasan_kmalloc+0xc4/0xe0
[   43.680921]  kmem_cache_alloc_trace+0x152/0x780
[   43.685580]  p9_fd_create+0x1a7/0x3f0
[   43.689360]  p9_client_create+0x8ed/0x1770
[   43.693586]  v9fs_session_init+0x21a/0x1a80
[   43.697882]  v9fs_mount+0x7c/0x900
[   43.701400]  mount_fs+0xae/0x328
[   43.704745]  vfs_kern_mount.part.34+0xdc/0x4e0
[   43.709315]  do_mount+0x581/0x30e0
[   43.712832]  ksys_mount+0x12d/0x140
[   43.716447]  __x64_sys_mount+0xbe/0x150
[   43.720403]  do_syscall_64+0x1b9/0x820
[   43.724268]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.729432] 
[   43.731038] Freed by task 4581:
[   43.734301]  save_stack+0x43/0xd0
[   43.737733]  __kasan_slab_free+0x11a/0x170
[   43.741947]  kasan_slab_free+0xe/0x10
[   43.745822]  kfree+0xd9/0x260
[   43.748905]  p9_fd_close+0x416/0x5b0
[   43.752605]  p9_client_create+0xa9a/0x1770
[   43.756818]  v9fs_session_init+0x21a/0x1a80
[   43.761118]  v9fs_mount+0x7c/0x900
[   43.764646]  mount_fs+0xae/0x328
[   43.767992]  vfs_kern_mount.part.34+0xdc/0x4e0
[   43.772553]  do_mount+0x581/0x30e0
[   43.776072]  ksys_mount+0x12d/0x140
[   43.779679]  __x64_sys_mount+0xbe/0x150
[   43.783635]  do_syscall_64+0x1b9/0x820
[   43.787520]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.792684] 
[   43.794291] The buggy address belongs to the object at ffff8801d6ddf340
[   43.794291]  which belongs to the cache kmalloc-512 of size 512
[   43.806939] The buggy address is located 0 bytes inside of
[   43.806939]  512-byte region [ffff8801d6ddf340, ffff8801d6ddf540)
[   43.818619] The buggy address belongs to the page:
[   43.823529] page:ffffea00075b77c0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   43.831662] flags: 0x2fffc0000000100(slab)
[   43.835888] raw: 02fffc0000000100 ffffea0007398548 ffffea0006c59188 ffff8801da800940
[   43.843767] raw: 0000000000000000 ffff8801d6ddf0c0 0000000100000006 0000000000000000
[   43.851633] page dumped because: kasan: bad access detected
[   43.857320] 
[   43.858944] Memory state around the buggy address:
[   43.863853]  ffff8801d6ddf200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.871201]  ffff8801d6ddf280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   43.878541] >ffff8801d6ddf300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   43.885879]                                            ^
[   43.891308]  ffff8801d6ddf380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.898651]  ffff8801d6ddf400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
[   43.905996] ==================================================================
[   43.913340] Disabling lock debugging due to kernel taint
[   43.918944] Kernel panic - not syncing: panic_on_warn set ...
[   43.918944] 
[   43.926296] CPU: 0 PID: 26 Comm: kworker/0:2 Tainted: G    B             4.18.0-rc6+ #160
[   43.934587] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.943933] Workqueue: events p9_poll_workfn
[   43.948672] Call Trace:
[   43.951268]  dump_stack+0x1c9/0x2b4
executing program
executing program
executing program
executing program
executing program
executing program
[   43.954877]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.960050]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.964792]  panic+0x238/0x4e7
[   43.967968]  ? add_taint.cold.5+0x16/0x16
[   43.972271]  ? do_raw_spin_unlock+0xa7/0x2f0
[   43.976657]  ? do_raw_spin_unlock+0xa7/0x2f0
[   43.981053]  ? p9_fd_poll+0x280/0x2b0
[   43.984830]  kasan_end_report+0x47/0x4f
[   43.988784]  kasan_report.cold.7+0x76/0x2fe
[   43.993088]  __asan_report_load8_noabort+0x14/0x20
[   43.998032]  p9_fd_poll+0x280/0x2b0
[   44.001641]  p9_poll_workfn+0x463/0x6d0
executing program
executing program
executing program
executing program
executing program
executing program
[   44.005597]  ? p9_read_work+0x1060/0x1060
[   44.009727]  ? graph_lock+0x170/0x170
[   44.013511]  ? lock_acquire+0x1e4/0x540
[   44.017469]  ? process_one_work+0xb9b/0x1ba0
[   44.021892]  ? kasan_check_read+0x11/0x20
[   44.026045]  ? __lock_is_held+0xb5/0x140
[   44.030088]  process_one_work+0xc73/0x1ba0
[   44.034313]  ? trace_hardirqs_on+0x10/0x10
[   44.038558]  ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[   44.043206]  ? lock_repin_lock+0x430/0x430
[   44.047436]  ? __sched_text_start+0x8/0x8
[   44.051563]  ? lock_downgrade+0x8f0/0x8f0
executing program
executing program
executing program
executing program
executing program
executing program
[   44.055690]  ? graph_lock+0x170/0x170
[   44.059471]  ? graph_lock+0x170/0x170
[   44.063280]  ? lock_acquire+0x1e4/0x540
[   44.067231]  ? worker_thread+0x3dc/0x13c0
[   44.071365]  ? lock_downgrade+0x8f0/0x8f0
[   44.075524]  ? lock_release+0xa30/0xa30
[   44.079482]  ? kasan_check_read+0x11/0x20
[   44.083634]  ? do_raw_spin_unlock+0xa7/0x2f0
[   44.088021]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   44.092583]  ? kasan_check_write+0x14/0x20
[   44.096796]  ? do_raw_spin_lock+0xc1/0x200
[   44.101014]  worker_thread+0x189/0x13c0
executing program
executing program
executing program
[   44.104970]  ? process_one_work+0x1ba0/0x1ba0
[   44.109445]  ? graph_lock+0x170/0x170
[   44.113224]  ? graph_lock+0x170/0x170
[   44.117010]  ? find_held_lock+0x36/0x1c0
[   44.121055]  ? find_held_lock+0x36/0x1c0
[   44.125111]  ? kasan_check_read+0x11/0x20
[   44.129241]  ? do_raw_spin_unlock+0xa7/0x2f0
[   44.133634]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   44.138713]  ? __kthread_parkme+0x58/0x1b0
[   44.142939]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   44.147935]  ? trace_hardirqs_on+0xd/0x10
[   44.152061]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   44.157574]  ? __kthread_parkme+0x106/0x1b0
[   44.161872]  kthread+0x345/0x410
[   44.165216]  ? process_one_work+0x1ba0/0x1ba0
[   44.169691]  ? kthread_bind+0x40/0x40
[   44.173475]  ret_from_fork+0x3a/0x50
[   44.177551] Dumping ftrace buffer:
[   44.181066]    (ftrace buffer empty)
[   44.184765] Kernel Offset: disabled
[   44.188370] Rebooting in 86400 seconds..