[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   23.916903] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.610656] random: sshd: uninitialized urandom read (32 bytes read)
[   27.865642] random: sshd: uninitialized urandom read (32 bytes read)
[   28.387727] random: sshd: uninitialized urandom read (32 bytes read)
[   45.102134] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
[   50.871362] random: sshd: uninitialized urandom read (32 bytes read)
[   50.985148] IPVS: ftp: loaded support on port[0] = 21
[   51.123529] bridge0: port 1(bridge_slave_0) entered blocking state
[   51.130000] bridge0: port 1(bridge_slave_0) entered disabled state
[   51.137162] device bridge_slave_0 entered promiscuous mode
[   51.153678] bridge0: port 2(bridge_slave_1) entered blocking state
[   51.160040] bridge0: port 2(bridge_slave_1) entered disabled state
[   51.166956] device bridge_slave_1 entered promiscuous mode
[   51.182734] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   51.199250] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   51.242568] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   51.261032] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   51.328950] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   51.336283] team0: Port device team_slave_0 added
[   51.351837] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   51.358995] team0: Port device team_slave_1 added
[   51.376030] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   51.394000] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   51.411663] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   51.428845] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   51.554973] bridge0: port 2(bridge_slave_1) entered blocking state
[   51.561469] bridge0: port 2(bridge_slave_1) entered forwarding state
[   51.568443] bridge0: port 1(bridge_slave_0) entered blocking state
[   51.574847] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   52.021635] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   52.027774] 8021q: adding VLAN 0 to HW filter on device bond0
[   52.073217] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   52.109226] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   52.127199] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   52.133369] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   52.140209] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   52.179753] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   52.432038] ==================================================================
[   52.439521] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
[   52.446697] Read of size 1 at addr ffff8801d7351487 by task syz-executor998/4685
[   52.454211]
[   52.455842] CPU: 0 PID: 4685 Comm: syz-executor998 Not tainted 4.19.0-rc2-next-20180904+ #55
[   52.464414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.473761] Call Trace:
[   52.476449]  dump_stack+0x1c9/0x2b4
[   52.480069]  ? dump_stack_print_info.cold.2+0x52/0x52
[   52.485259]  ? printk+0xa7/0xcf
[   52.488531]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   52.493276]  ? _decode_session6+0x1331/0x14e0
[   52.497860]  print_address_description+0x6c/0x20b
[   52.502738]  ? _decode_session6+0x1331/0x14e0
[   52.507228]  kasan_report.cold.7+0x242/0x30d
[   52.511627]  __asan_report_load1_noabort+0x14/0x20
[   52.516684]  _decode_session6+0x1331/0x14e0
[   52.521000]  __xfrm_decode_session+0x71/0x140
[   52.525487]  vti6_tnl_xmit+0x3fc/0x1bb1
[   52.529456]  ? vti6_rcv+0x8f0/0x8f0
[   52.533069]  ? graph_lock+0x170/0x170
[   52.536973]  ? find_held_lock+0x36/0x1c0
[   52.541147]  dev_hard_start_xmit+0x272/0xc10
[   52.545601]  ? dev_direct_xmit+0x6b0/0x6b0
[   52.549839]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   52.555492]  ? netif_skb_features+0x690/0xb70
[   52.559985]  ? lock_acquire+0x1e4/0x4f0
[   52.563965]  ? __dev_queue_xmit+0x22cd/0x3870
[   52.568550]  ? lock_release+0x9f0/0x9f0
[   52.572517]  ? validate_xmit_skb+0x80c/0xf30
[   52.576921]  ? kasan_check_write+0x14/0x20
[   52.581149]  ? do_raw_spin_lock+0xc1/0x200
[   52.585470]  __dev_queue_xmit+0x2ab2/0x3870
[   52.589787]  ? save_stack+0x43/0xd0
[   52.593404]  ? kasan_kmalloc+0xc4/0xe0
[   52.597280]  ? pskb_expand_head+0x230/0x10e0
[   52.601679]  ? netdev_pick_tx+0x2d0/0x2d0
[   52.605817]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   52.611088]  ? __lock_is_held+0xb5/0x140
[   52.615141]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   52.620159]  ? skb_release_data+0x1c4/0x880
[   52.624471]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   52.629735]  ? kasan_unpoison_shadow+0x35/0x50
[   52.634308]  ? skb_tx_error+0x2f0/0x2f0
[   52.638287]  ? kasan_kmalloc+0xc4/0xe0
[   52.642169]  ? __kmalloc_node_track_caller+0x47/0x70
[   52.647267]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   52.653002]  ? kasan_check_write+0x14/0x20
[   52.657244]  ? pskb_expand_head+0x6b3/0x10e0
[   52.661638]  ? find_held_lock+0x36/0x1c0
[   52.665694]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   52.670269]  ? sock_spd_release+0x2e0/0x2e0
[   52.674588]  ? __lock_is_held+0xb5/0x140
[   52.678643]  ? kasan_check_write+0x14/0x20
[   52.682883]  ? __skb_clone+0x6c7/0xa00
[   52.686756]  ? __copy_skb_header+0x6b0/0x6b0
[   52.691270]  ? depot_save_stack+0x291/0x470
[   52.695595]  ? skb_ensure_writable+0x15e/0x640
[   52.700360]  dev_queue_xmit+0x17/0x20
[   52.704242]  ? dev_queue_xmit+0x17/0x20
[   52.708224]  __bpf_redirect+0x5b7/0xae0
[   52.712193]  bpf_clone_redirect+0x2f6/0x490
[   52.716516]  bpf_prog_c39d1ba309a769f7+0xe9f/0x1000
[   52.721568]  ? lock_downgrade+0x8f0/0x8f0
[   52.725727]  ? ktime_get+0x352/0x440
[   52.729441]  ? ktime_get+0x352/0x440
[   52.733154]  ? find_held_lock+0x36/0x1c0
[   52.737210]  ? lock_acquire+0x1e4/0x4f0
[   52.741177]  ? bpf_test_run+0x319/0x5b0
[   52.745138]  ? lock_downgrade+0x8f0/0x8f0
[   52.749404]  ? kasan_check_read+0x11/0x20
[   52.753546]  ? rcu_is_watching+0x8c/0x150
[   52.757678]  ? kasan_check_write+0x14/0x20
[   52.761907]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   52.766696]  ? skb_try_coalesce+0x1c80/0x1c80
[   52.771182]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   52.776196]  ? __check_object_size+0xa3/0x5d7
[   52.780695]  ? bpf_test_run+0x1ab/0x5b0
[   52.784670]  ? genl_pernet_init.cold.16+0x18/0x18
[   52.789515]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   52.795063]  ? bpf_test_init.isra.9+0x70/0x100
[   52.799654]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   52.804524]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   52.809364]  ? bpf_prog_add+0x69/0xd0
[   52.813156]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.818808]  ? __bpf_prog_get+0x9b/0x290
[   52.822863]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   52.827699]  ? bpf_prog_test_run+0x130/0x1a0
[   52.832100]  ? __x64_sys_bpf+0x3d8/0x510
[   52.836202]  ? bpf_prog_get+0x20/0x20
[   52.840009]  ? do_page_fault+0xf6/0x7a4
[   52.843979]  ? do_syscall_64+0x1b9/0x820
[   52.848133]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   52.853490]  ? syscall_return_slowpath+0x5e0/0x5e0
[   52.858407]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.863237]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   52.868371]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   52.873392]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   52.878943]  ? prepare_exit_to_usermode+0x291/0x3b0
[   52.883960]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   52.888944]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.894301]
[   52.895929] Allocated by task 4685:
[   52.899545]  save_stack+0x43/0xd0
[   52.903008]  kasan_kmalloc+0xc4/0xe0
[   52.906731]  __kmalloc_node_track_caller+0x47/0x70
[   52.911662]  __kmalloc_reserve.isra.41+0x3a/0xe0
[   52.916404]  pskb_expand_head+0x230/0x10e0
[   52.920743]  skb_ensure_writable+0x3dd/0x640
[   52.925156]  bpf_clone_redirect+0x14a/0x490
[   52.929552]  bpf_prog_c39d1ba309a769f7+0xe9f/0x1000
[   52.934696]
[   52.936313] Freed by task 3288:
[   52.939598]  save_stack+0x43/0xd0
[   52.943149]  __kasan_slab_free+0x11a/0x170
[   52.947378]  kasan_slab_free+0xe/0x10
[   52.951184]  kfree+0xd9/0x210
[   52.954293]  load_elf_binary+0x255d/0x5610
[   52.958544]  search_binary_handler+0x17d/0x570
[   52.963132]  load_script+0x77f/0x900
[   52.966831]  search_binary_handler+0x17d/0x570
[   52.971398]  __do_execve_file.isra.35+0x15ff/0x2460
[   52.976405]  __x64_sys_execve+0x8f/0xc0
[   52.980719]  do_syscall_64+0x1b9/0x820
[   52.984605]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   52.989775]
[   52.991394] The buggy address belongs to the object at ffff8801d7351280
[   52.991394]  which belongs to the cache kmalloc-512 of size 512
[   53.004044] The buggy address is located 7 bytes to the right of
[   53.004044]  512-byte region [ffff8801d7351280, ffff8801d7351480)
[   53.016258] The buggy address belongs to the page:
[   53.021186] page:ffffea00075cd440 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
[   53.029397] flags: 0x2fffc0000000100(slab)
[   53.033632] raw: 02fffc0000000100 ffffea00075bd4c8 ffffea00075a34c8 ffff8801dac00940
[   53.041517] raw: 0000000000000000 ffff8801d7351000 0000000100000006 0000000000000000
[   53.049384] page dumped because: kasan: bad access detected
[   53.055173]
[   53.056792] Memory state around the buggy address:
[   53.061810]  ffff8801d7351380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.069155]  ffff8801d7351400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.076538] >ffff8801d7351480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.083880]                    ^
[   53.087234]  ffff8801d7351500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.094585]  ffff8801d7351580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.101930] ==================================================================
[   53.109277] Disabling lock debugging due to kernel taint
[   53.114785] Kernel panic - not syncing: panic_on_warn set ...
[   53.114785]
[   53.122165] CPU: 0 PID: 4685 Comm: syz-executor998 Tainted: G    B             4.19.0-rc2-next-20180904+ #55
[   53.132126] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.141463] Call Trace:
[   53.144040]  dump_stack+0x1c9/0x2b4
[   53.147653]  ? dump_stack_print_info.cold.2+0x52/0x52
[   53.152827]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   53.157567]  panic+0x238/0x4e7
[   53.160739]  ? add_taint.cold.5+0x16/0x16
[   53.164869]  ? trace_hardirqs_on+0x9a/0x2c0
[   53.169171]  ? trace_hardirqs_on+0xb4/0x2c0
[   53.173476]  ? trace_hardirqs_on+0xb4/0x2c0
[   53.177777]  ? trace_hardirqs_on+0x9a/0x2c0
[   53.182083]  ? _decode_session6+0x1331/0x14e0
[   53.186575]  kasan_end_report+0x47/0x4f
[   53.190533]  kasan_report.cold.7+0x76/0x30d
[   53.194850]  __asan_report_load1_noabort+0x14/0x20
[   53.199766]  _decode_session6+0x1331/0x14e0
[   53.204082]  __xfrm_decode_session+0x71/0x140
[   53.208561]  vti6_tnl_xmit+0x3fc/0x1bb1
[   53.212520]  ? vti6_rcv+0x8f0/0x8f0
[   53.216125]  ? graph_lock+0x170/0x170
[   53.219906]  ? find_held_lock+0x36/0x1c0
[   53.223957]  dev_hard_start_xmit+0x272/0xc10
[   53.228353]  ? dev_direct_xmit+0x6b0/0x6b0
[   53.232571]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   53.238095]  ? netif_skb_features+0x690/0xb70
[   53.242613]  ? lock_acquire+0x1e4/0x4f0
[   53.246570]  ? __dev_queue_xmit+0x22cd/0x3870
[   53.251052]  ? lock_release+0x9f0/0x9f0
[   53.255010]  ? validate_xmit_skb+0x80c/0xf30
[   53.259406]  ? kasan_check_write+0x14/0x20
[   53.263624]  ? do_raw_spin_lock+0xc1/0x200
[   53.267840]  __dev_queue_xmit+0x2ab2/0x3870
[   53.272157]  ? save_stack+0x43/0xd0
[   53.275762]  ? kasan_kmalloc+0xc4/0xe0
[   53.279644]  ? pskb_expand_head+0x230/0x10e0
[   53.284034]  ? netdev_pick_tx+0x2d0/0x2d0
[   53.288168]  ? kmem_cache_alloc_node_trace+0x219/0x720
[   53.293457]  ? __lock_is_held+0xb5/0x140
[   53.297504]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   53.302500]  ? skb_release_data+0x1c4/0x880
[   53.306801]  ? kmem_cache_alloc_node_trace+0x320/0x720
[   53.312064]  ? kasan_unpoison_shadow+0x35/0x50
[   53.316630]  ? skb_tx_error+0x2f0/0x2f0
[   53.320587]  ? kasan_kmalloc+0xc4/0xe0
[   53.324457]  ? __kmalloc_node_track_caller+0x47/0x70
[   53.329546]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   53.335067]  ? kasan_check_write+0x14/0x20
[   53.339285]  ? pskb_expand_head+0x6b3/0x10e0
[   53.343681]  ? find_held_lock+0x36/0x1c0
[   53.347746]  ? __pskb_copy_fclone+0xeb0/0xeb0
[   53.352234]  ? sock_spd_release+0x2e0/0x2e0
[   53.356537]  ? __lock_is_held+0xb5/0x140
[   53.360583]  ? kasan_check_write+0x14/0x20
[   53.364797]  ? __skb_clone+0x6c7/0xa00
[   53.368666]  ? __copy_skb_header+0x6b0/0x6b0
[   53.373059]  ? depot_save_stack+0x291/0x470
[   53.377362]  ? skb_ensure_writable+0x15e/0x640
[   53.381928]  dev_queue_xmit+0x17/0x20
[   53.385715]  ? dev_queue_xmit+0x17/0x20
[   53.389672]  __bpf_redirect+0x5b7/0xae0
[   53.393632]  bpf_clone_redirect+0x2f6/0x490
[   53.397935]  bpf_prog_c39d1ba309a769f7+0xe9f/0x1000
[   53.402930]  ? lock_downgrade+0x8f0/0x8f0
[   53.407085]  ? ktime_get+0x352/0x440
[   53.410780]  ? ktime_get+0x352/0x440
[   53.414480]  ? find_held_lock+0x36/0x1c0
[   53.418526]  ? lock_acquire+0x1e4/0x4f0
[   53.422485]  ? bpf_test_run+0x319/0x5b0
[   53.426443]  ? lock_downgrade+0x8f0/0x8f0
[   53.430578]  ? kasan_check_read+0x11/0x20
[   53.434722]  ? rcu_is_watching+0x8c/0x150
[   53.438884]  ? kasan_check_write+0x14/0x20
[   53.443108]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   53.447779]  ? skb_try_coalesce+0x1c80/0x1c80
[   53.452261]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   53.457266]  ? __check_object_size+0xa3/0x5d7
[   53.461748]  ? bpf_test_run+0x1ab/0x5b0
[   53.465715]  ? genl_pernet_init.cold.16+0x18/0x18
[   53.470558]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   53.476078]  ? bpf_test_init.isra.9+0x70/0x100
[   53.480649]  ? bpf_prog_test_run_skb+0x62f/0xb40
[   53.485393]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   53.490219]  ? bpf_prog_add+0x69/0xd0
[   53.494003]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.499523]  ? __bpf_prog_get+0x9b/0x290
[   53.503569]  ? bpf_test_finish.isra.8+0x1f0/0x1f0
[   53.508406]  ? bpf_prog_test_run+0x130/0x1a0
[   53.512800]  ? __x64_sys_bpf+0x3d8/0x510
[   53.516856]  ? bpf_prog_get+0x20/0x20
[   53.520646]  ? do_page_fault+0xf6/0x7a4
[   53.524603]  ? do_syscall_64+0x1b9/0x820
[   53.528646]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   53.533991]  ? syscall_return_slowpath+0x5e0/0x5e0
[   53.538905]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.543732]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   53.548742]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   53.553769]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.559326]  ? prepare_exit_to_usermode+0x291/0x3b0
[   53.564366]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.569194]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.574832] Dumping ftrace buffer:
[   53.578358]    (ftrace buffer empty)
[   53.582046] Kernel Offset: disabled
[   53.585659] Rebooting in 86400 seconds..
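Triaging a report like the one above by hand means cross-checking what KASAN already printed: the faulting address ffff8801d7351487 lies 7 bytes past the end of the 512-byte kmalloc-512 object at ffff8801d7351280 (offset 519, i.e. a 1-byte read into the slab redzone, shadow byte fc); the non-"?" frames give the real path from the BPF program (bpf_prog_c39d1ba309a769f7, run via BPF_PROG_TEST_RUN) through bpf_clone_redirect and vti6_tnl_xmit into _decode_session6; and the "Freed by task 3288" stack (an execve in a different process) is the previous tenant of that slab slot, not a sign of use-after-free, because the report kind is slab-out-of-bounds. The Python below is an added example, not part of the syzkaller log and not syzkaller's own tooling. It parses a labelled excerpt of the report (most frames left out for length) and derives those facts; the shadow-byte meanings are the constants from mm/kasan/kasan.h.

```python
"""Triage a KASAN slab-out-of-bounds report from the lines it prints.

Added example, not part of the syzkaller log above.  It derives what a human
checks by hand: the access offset relative to the object, the shadow byte
covering the faulting address and its meaning, agreement with the "located N
bytes to the right" line, and the non-'?' frames from the faulting function
outward.  REPORT is an excerpt of the log above with most frames left out."""
import re

GRANULE = 8  # bytes of memory described by one KASAN shadow byte
# Shadow encodings from mm/kasan/kasan.h; 0x01..0x07 = that many leading bytes
# of the 8-byte granule are addressable.
SHADOW = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
          0xfc: "slab redzone (kmalloc)", 0xfe: "page redzone", 0xff: "freed page"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix

REPORT = """\
[   52.439521] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
[   52.446697] Read of size 1 at addr ffff8801d7351487 by task syz-executor998/4685
[   52.473761] Call Trace:
[   52.507228]  kasan_report.cold.7+0x242/0x30d
[   52.516684]  _decode_session6+0x1331/0x14e0
[   52.521000]  __xfrm_decode_session+0x71/0x140
[   52.525487]  vti6_tnl_xmit+0x3fc/0x1bb1
[   52.700360]  dev_queue_xmit+0x17/0x20
[   52.708224]  __bpf_redirect+0x5b7/0xae0
[   52.712193]  bpf_clone_redirect+0x2f6/0x490
[   52.716516]  bpf_prog_c39d1ba309a769f7+0xe9f/0x1000
[   52.832100]  ? __x64_sys_bpf+0x3d8/0x510
[   52.894301]
[   52.895929] Allocated by task 4685:
[   52.925156]  bpf_clone_redirect+0x14a/0x490
[   52.936313] Freed by task 3288:
[   52.954293]  load_elf_binary+0x255d/0x5610
[   52.991394] The buggy address belongs to the object at ffff8801d7351280
[   52.991394]  which belongs to the cache kmalloc-512 of size 512
[   53.004044] The buggy address is located 7 bytes to the right of
[   53.004044]  512-byte region [ffff8801d7351280, ffff8801d7351480)
[   53.076538] >ffff8801d7351480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.087234]  ffff8801d7351500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse_report(text):
    """Collect header, object, region, task and shadow facts from a report."""
    rep = {"shadow": {}, "trace": [], "allocated_task": None, "freed_task": None}
    in_trace = False
    for raw in text.splitlines():
        s = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\w+)\+0x", s):
            rep["kind"], rep["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", s):
            rep["op"], rep["size"], rep["addr"] = m[1], int(m[2]), int(m[3], 16)
            rep["task"], rep["pid"] = m[4], int(m[5])
        elif m := re.search(r"cache (\S+) of size (\d+)", s):
            rep["cache"], rep["obj_size"] = m[1], int(m[2])
        elif m := re.search(r"located (\d+) bytes to the (left|right) of", s):
            rep["reported"] = (m[2], int(m[1]))
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", s):
            rep["start"], rep["end"] = int(m[1], 16), int(m[2], 16)
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", s):
            rep[m[1].lower() + "_task"] = int(m[2])
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", s):
            rep["shadow"][int(m[1], 16)] = bytes.fromhex(m[2].replace(" ", ""))
        elif s == "Call Trace:":
            in_trace = True
        elif in_trace:
            if not s:
                in_trace = False
            elif not s.startswith("? "):  # '?' marks a stale/unreliable frame
                rep["trace"].append(s.split("+")[0])
    return rep


def shadow_for(rep, addr):
    """(shadow byte, meaning) for the granule holding addr, or None if not dumped."""
    granule = addr & ~(GRANULE - 1)
    for base, row in rep["shadow"].items():
        if base <= granule < base + len(row) * GRANULE:
            b = row[(granule - base) // GRANULE]
            return b, (f"first {b} bytes addressable" if 1 <= b <= 7 else SHADOW.get(b, "unknown"))
    return None


def classify(rep):
    """Cross-check the access against the object bounds and the shadow map."""
    addr, start, end = rep["addr"], rep["start"], rep["end"]
    # Same arithmetic as mm/kasan/report.c; "inside" would contradict an OOB report.
    where = (("left", start - addr) if addr < start else
             ("right", addr - end) if addr >= end else ("inside", 0))
    trace = rep["trace"]
    return {
        "offset": addr - start,  # from object start; 519 here, 7 past a 512-byte object
        "where": where,
        "matches_report": where == rep.get("reported"),
        "shadow": shadow_for(rep, addr),
        # On an out-of-bounds report a different freeing task is the slot's
        # previous tenant, not evidence of a use-after-free.
        "freed_by_other_task": rep["freed_task"] not in (None, rep["pid"]),
        # faulting function outward, '?' frames and KASAN's own frames dropped
        "path": trace[trace.index(rep["func"]):] if rep["func"] in trace else trace,
    }
```

Run classify(parse_report(REPORT)) and the result reports offset 519, ("right", 7) agreeing with the printed "7 bytes to the right", shadow byte 0xfc (slab redzone), the freeing PID differing from the faulting one, and the path _decode_session6 → __xfrm_decode_session → vti6_tnl_xmit → dev_queue_xmit → __bpf_redirect → bpf_clone_redirect → bpf_prog_c39d1ba309a769f7. The shadow lookup works on any dumped row, so it also tells you that the slot right after the object (ffff8801d7351500) is 0xfb, a freed object, which is why a larger overrun would have produced a different report.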