[ ok ] Starting file context maintaining daemon: restorecond.
[....] Starting OpenBSD Secure Shell server: sshd
[ 20.089048] random: sshd: uninitialized urandom read (32 bytes read, 32 bits of entropy available)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.029819] random: sshd: uninitialized urandom read (32 bytes read, 36 bits of entropy available)
[ 24.369912] random: sshd: uninitialized urandom read (32 bytes read, 37 bits of entropy available)
[ 25.313502] random: sshd: uninitialized urandom read (32 bytes read, 108 bits of entropy available)
[ 30.911912] random: sshd: uninitialized urandom read (32 bytes read, 117 bits of entropy available)
Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
[ 36.327949] random: sshd: uninitialized urandom read (32 bytes read, 119 bits of entropy available)
2018/03/08 19:08:05 parsed 1 programs
2018/03/08 19:08:05 executed programs: 0
[ 36.664974] IPVS: Creating netns size=2552 id=1
[ 36.696404] ==================================================================
[ 36.703771] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x270e/0x3490
[ 36.710317] Read of size 4096 at addr ffff8801c5286540 by task syz-executor0/3800
[ 36.717907]
[ 36.719507] CPU: 1 PID: 3800 Comm: syz-executor0 Not tainted 4.4.120-gd63fdf6 #29
[ 36.727090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.736409]  0000000000000000 02e6116245fdcda7 ffff8801c5b176f8 ffffffff81d0408d
[ 36.744376]  ffffea000714a180 ffff8801c5286540 0000000000000000 ffff8801c5286700
[ 36.752340]  ffff8801c5b17938 ffff8801c5b17730 ffffffff814fe143 ffff8801c5286540
[ 36.760298] Call Trace:
[ 36.762858]  [] dump_stack+0xc1/0x124
[ 36.768188]  [] print_address_description+0x73/0x260
[ 36.774819]  [] kasan_report+0x285/0x370
[ 36.780407]  [] ? pfkey_add+0x270e/0x3490
[ 36.786087]  [] check_memory_region+0x137/0x190
[ 36.792283]  [] memcpy+0x23/0x50
[ 36.797179]  [] pfkey_add+0x270e/0x3490
[ 36.802681]  [] ? pfkey_delete+0x370/0x370
[ 36.808444]  [] ? pfkey_add+0x3490/0x3490
[ 36.814122]  [] ? __skb_clone+0x24a/0x7d0
[ 36.819802]  [] ? pfkey_delete+0x370/0x370
[ 36.825568]  [] pfkey_process+0x68b/0x750
[ 36.831246]  [] ? pfkey_send_new_mapping+0x11b0/0x11b0
[ 36.838052]  [] pfkey_sendmsg+0x3a9/0x760
[ 36.843726]  [] ? pfkey_spdget+0x820/0x820
[ 36.849491]  [] sock_sendmsg+0xca/0x110
[ 36.854992]  [] ___sys_sendmsg+0x6c1/0x7c0
[ 36.860755]  [] ? copy_msghdr_from_user+0x550/0x550
[ 36.867301]  [] ? __alloc_pages_direct_compact+0x250/0x250
[ 36.874454]  [] ? do_futex+0x3f4/0x15d0
[ 36.879956]  [] ? __lock_is_held+0xa1/0xf0
[ 36.885718]  [] ? exit_robust_list+0x240/0x240
[ 36.891828]  [] ? do_huge_pmd_anonymous_page+0x549/0xa10
[ 36.898806]  [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 36.905522]  [] ? __fget_light+0xa3/0x1e0
[ 36.911196]  [] ? __fdget+0x18/0x20
[ 36.916349]  [] ? sockfd_lookup_light+0x118/0x160
[ 36.922719]  [] __sys_sendmsg+0xd3/0x190
[ 36.928310]  [] ? SyS_shutdown+0x1b0/0x1b0
[ 36.934071]  [] ? compat_SyS_futex+0x1f9/0x2a0
[ 36.940185]  [] ? __do_page_fault+0x380/0xa00
[ 36.946213]  [] compat_SyS_sendmsg+0x2a/0x40
[ 36.952151]  [] ? compat_SyS_getsockopt+0x2a0/0x2a0
[ 36.958694]  [] do_fast_syscall_32+0x321/0x8a0
[ 36.964804]  [] sysenter_flags_fixed+0xd/0x17
[ 36.970825]
[ 36.972420] Allocated by task 3800:
[ 36.976012]  [] save_stack_trace+0x26/0x50
[ 36.981893]  [] save_stack+0x43/0xd0
[ 36.987265]  [] kasan_kmalloc+0xad/0xe0
[ 36.992883]  [] kasan_krealloc+0x64/0x80
[ 36.998584]  [] ksize+0x92/0xf0
[ 37.003513]  [] __alloc_skb+0x132/0x600
[ 37.009130]  [] pfkey_sendmsg+0x135/0x760
[ 37.014918]  [] sock_sendmsg+0xca/0x110
[ 37.020537]  [] ___sys_sendmsg+0x6c1/0x7c0
[ 37.026419]  [] __sys_sendmsg+0xd3/0x190
[ 37.032124]  [] compat_SyS_sendmsg+0x2a/0x40
[ 37.038172]  [] do_fast_syscall_32+0x321/0x8a0
[ 37.044395]  [] sysenter_flags_fixed+0xd/0x17
[ 37.050534]
[ 37.052127] Freed by task 0:
[ 37.055109] (stack is not available)
[ 37.058784]
[ 37.060378] The buggy address belongs to the object at ffff8801c5286500
[ 37.060378]  which belongs to the cache kmalloc-512 of size 512
[ 37.073000] The buggy address is located 64 bytes inside of
[ 37.073000]  512-byte region [ffff8801c5286500, ffff8801c5286700)
[ 37.084749] The buggy address belongs to the page:
[ 37.657274] BUG: unable to handle kernel NULL pointer dereference at 0000000000000062
[ 37.665481] IP: [] str__compaction__trace_system_name+0x56b/0xfa0
[ 37.673362] PGD 80000000afaaf067 PUD afa15067 PMD 0
[ 37.678774] Oops: 0002 [#1] PREEMPT SMP KASAN
[ 37.683697] Dumping ftrace buffer:
[ 37.687203]    (ftrace buffer empty)
[ 37.690881] Modules linked in:
[ 37.694157] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.120-gd63fdf6 #29
[ 37.701133] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.710454] task: ffffffff84217840 task.stack: ffffffff84200000
[ 37.716475] RIP: 0010:[]  [] str__compaction__trace_system_name+0x56b/0xfa0
[ 37.726793] RSP: 0018:ffff8801db207d18  EFLAGS: 00010206
[ 37.732207] RAX: ffffffff838a9060 RBX: ffff8801db207d68 RCX: ffffffff812a0eeb
[ 37.739454] RDX: 0000000000000100 RSI: ffffffff842bdb60 RDI: ffffffff812a0efb
[ 37.747046] RBP: ffff8801db207df0 R08: 0000000000000001 R09: ffffffff850e4930
[ 37.754284] R10: 0000000000000000 R11: 1ffff1003b640f70 R12: 1ffff1003b640fa9
[ 37.761531] R13: ffff8801c51d85e8 R14: 0000000000000101 R15: ffff8801db207df0
[ 37.768770] FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[ 37.776972] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.782823] CR2: 0000000000000062 CR3: 00000000b2324000 CR4: 0000000000160670
[ 37.790060] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 37.797298] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 37.804534] Stack:
[ 37.806652]  ffffffff838a9060 ffffffff812a0e4c 0000000000000000 ffffffff842c35a0
[ 37.814611]  0000000000000000 ffffffff838a9060 0000000041b58ab3 ffffffff83faab59
[ 37.822940]  ffffffff812a0d70 ffffffff84218110 ffff8801db207d68 ffffffff851bf390
[ 37.830902] Call Trace:
[ 37.833454]
[ 37.835488]  [] ? call_timer_fn+0xdc/0x860
[ 37.841542]  [] ? process_timeout+0x20/0x20
[ 37.847401]  [] ? _raw_spin_unlock_irq+0x27/0x50
[ 37.854388]  [] ? trace_hardirqs_on_caller+0x266/0x590
[ 37.861194]  [] run_timer_softirq+0x604/0xbb0
[ 37.867217]  [] ? kvm_clock_read+0x23/0x40
[ 37.872978]  [] ? msleep+0xc0/0xc0
[ 37.878047]  [] __do_softirq+0x227/0xa38
[ 37.883636]  [] irq_exit+0x119/0x140
[ 37.888878]  [] smp_apic_timer_interrupt+0x7b/0xa0
[ 37.895337]  [] apic_timer_interrupt+0xa0/0xb0
[ 37.901465]
[ 37.903498]  [] ? native_safe_halt+0x6/0x10
[ 37.909724]  [] default_idle+0x55/0x3c0
[ 37.915225]  [] arch_cpu_idle+0xa/0x10
[ 37.920644]  [] default_idle_call+0x48/0x70
[ 37.926493]  [] cpu_startup_entry+0x5fd/0x8f0
[ 37.932515]  [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 37.939408]  [] ? call_cpuidle+0xe0/0xe0
[ 37.945007]  [] rest_init+0x189/0x190
[ 37.950347]  [] start_kernel+0x6b9/0x6ee
[ 37.955938]  [] ? thread_stack_cache_init+0xb/0xb
[ 37.962311]  [] ? early_idt_handler_array+0x120/0x120
[ 37.969027]  [] ? early_idt_handler_array+0x120/0x120
[ 37.975746]  [] x86_64_start_reservations+0x2a/0x2c
[ 37.982292]  [] x86_64_start_kernel+0x140/0x163
[ 37.988488] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 4d 5f 42 55 47 5f 4f 4e 5f 50 <41> 47 45 28 50 61 67 65 53 6c 61 62 28 70 61 67 65 29 29 00 00
[ 38.014921] RIP  [] str__compaction__trace_system_name+0x56b/0xfa0
[ 38.022887]  RSP
[ 38.026479] CR2: 0000000000000062
[ 38.029903] ---[ end trace c7394356da621878 ]---
[ 38.034622] Kernel panic - not syncing: Fatal exception in interrupt
[ 38.390778] PANIC: double fault, error_code: 0x0
[ 38.395537] CPU: 1 PID: 3800 Comm: syz-executor0 Tainted: G      D         4.4.120-gd63fdf6 #29
[ 38.404339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.413662] task: ffff8800bb106000 task.stack: ffff8801c5b10000
[ 38.419686] RIP: 0010:[]  [] dump_page_badflags+0xd/0x250
[ 38.428433] RSP: 0018:ffff880100000000  EFLAGS: 00010046
[ 38.433847] RAX: ffff8800bb106000 RBX: ffffea000714a180 RCX: ffffffff814909b0
[ 38.441082] RDX: 0000000000000000 RSI: ffffffff838a9060 RDI: ffffea000714a180
[ 38.448318] RBP: ffff880100000018 R08: 0000000000000001 R09: 0000000000000000
[ 38.455556] R10: 0000000000000002 R11: fffffbfff0ad7e1e R12: 0000000000000000
[ 38.462793] R13: ffffffff838a9060 R14: 0000000000000000 R15: 0000000000000000
[ 38.470030] FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:0000000008a26900
[ 38.478220] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 38.484066] CR2: ffff8800fffffff8 CR3: 00000001d9736000 CR4: 0000000000160670
[ 38.491302] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 38.498536] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 38.505770] Stack:
[ 38.507884]
[ 38.509475] Call Trace:
[ 38.512026]
[ 38.514054] Code: ff e8 88 df 06 00 e9 50 fd ff ff e8 7e df 06 00 e9 1d fd ff ff 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 49 89 f5 <41> 54 49 89 d4 53 48 89 fb 48 83 ec 08 e8 01 05 ed ff 48 8d 7b
[ 39.114505] Shutting down cpus with NMI
[ 39.118916] Dumping ftrace buffer:
[ 39.122424]    (ftrace buffer empty)
[ 39.126101] Kernel Offset: disabled
[ 39.129696] Rebooting in 86400 seconds..